
At the end of the day only google.com cookies make sense; everything else can be routinely faked, just like the author says: "Programmatically bypass the captcha by simply executing a rendering engine and automating movements of the mouse." What was Google trying to hide? They seem to put a lot of effort into it.


They are browser/canvas fingerprinting you and me at a very large scale.


But what does it have to do with fighting bots? Bots can look like browsers.


It's enough information to come up with a unique fingerprint without using cookies.

With that fingerprint they can track your habits across multiple domains. Bots can look like browsers, but they can't necessarily browse the internet the same way a human can.


I'm surprised nobody else has seen this. Google is removing the cookies because that's how advertisers track users.

No cookies? No way of tracking.

Or if you want to see it like this, they are getting something standard and turning it into something that's under their control.


What habits? There's nothing else Google can see, they only track movements inside of the reCAPTCHA iframe. They have 0 information about how you browse the web.


> They have 0 information about how you browse the web.

You have chosen a very interesting value of zero.

They have all your interaction with every Google property, tied to your account when you're logged in and semi-persistent pseudonymous identities when you are not. They have the clickstream data between every Google property (most notably, Search) and the rest of your web experience, which can (fairly easily) reveal many websites you visit. They have ga.js or AdSense tracking code running on double-digit percentages of all pages on the Internet.

If asked to, Google could provide you with as accurate a record of my flights between Japan and the US as either nation's customs agency could, simply by looking at a time series of IP addresses. Their data got radically more accurate a few years ago when I started using Google Maps with the location permission turned on.

For added giggles, Google is a SQL join away from associating my extraordinarily-well-established-but-weakly-verified Internet identity with unique identifiers like e.g. my social security number. That would probably make someone in the Borg hesitate for a few minutes, but clearly they're OK with saying "At scale, we know the huge class of people which happens to include Patrick -- who we know intimately but prefer to avoid acknowledging that fact in social settings -- is identifiable by a vector of features, and a machine can very quickly cluster a random Internet user with Patrick versus with Spammy McSpamsalot. We can thereby organize data about this person to serve their needs better, for example by giving them access to resources only for trusted people, like captcha-free whatevers. Bonus: this is one more reason why it is fun and convenient to invite Google into even more areas of their life! It's a win-win!"


I probably didn't make it clear - the reCAPTCHA iframe provides 0 useful information about how you browse the web. Of course other Google services such as Analytics and Chrome collect more than enough about your habits. But I don't believe "mouse tracking" inside of a 200x400 iframe, nonsense.



