Google reCAPTCHA system criticized for privacy
CAPTCHA is an acronym for Completely Automated Public Turing test to tell Computers and Humans Apart. reCAPTCHA is a free Google service that helps keep websites safe and free from spam.
Other developers have also confirmed his discovery and explained that it turns out, the Google policy allows the use of gstatic.com reCAPTCHA for promotional purposes.
Google uses a variety of domains to set the cookies used in its advertising services, including the following domains and country versions of domains, for example google.fr:
Edwards explained that Google is playing a game of rhetoric by talking about its reCAPTCHA product. The company claims that this service is not used for personalized advertising ”and that gstatic.com does not set cookies. In fact, Google in its statements ignores the data synchronization procedure, which actually occurs thereafter actions with the reCAPTCHA service code.
Register tried to find out with Google why the company insists that it does not use reCAPTCHA data for personalized advertising, stating this in the reCAPTCHA terms of service. However, nowhere in the Google docs does it say that reCAPTCHA is completely isolated from the collection of all ad-related user data.
Using Edwards' discovered "triangular sync", two different web domains can associate the cookies they set for a particular user.
In this case, if a user visits a website that implements such tracking scenarios, where there is a link to one of the two advertising domains, then both companies will receive network requests related to the user. And now each of them can display ads that target that specific user.
Two different domains generally should not have access to the same set of cookie data. It depends on the ability to distinguish between native and third-party resources in the security model of a particular web browser. However, triangular sync with reCAPTCHA allows you to do this in almost any case.
Google explained to Register that it does not use reCAPTCHA for "triangular sync". The service loads static resources from two places on gstatic.com, and cookies are not analyzed or saved. Also, they are not synchronized as part of this process. In addition, according to Google, gstatic.com is designed not to collect cookie data.
A short video showing how Google ReCaptcha sets third-party cookies even when Mozilla Firefox is set to block “cross-site tracking cookies,” researcher Ashkan Soltani posted on Twitter.
Soltani recalled that in 2012, the US Federal Trade Commission fined Google $ 22.5 million for providing Safari users with false information that the company would not place cookies to track them. Google in 2011 and 2012 was caught trying to bypass the third-party cookie blocking mechanism in Safari.
Now history is repeating itself but on a large scale. The privacy of many users may be affected, and in this case, the laws of some countries are violated. For example, the California User Data Privacy Act violates their right to know that google.com cookies are being installed on their system. The same applies to the laws of the European Union. And in the latter case, Google insured itself. The company encourages developers in the reCAPTCHA terms to use the EU User Consent Policy for users from the European Union.