Daniyar Kylyzhov

Google reCAPTCHA system criticized for privacy

Zach Edwards, developer and co-founder of the web analytics company Victory Medium, discovered in late October 2020 that the JavaScript served by Google's reCAPTCHA service from gstatic.com had been updated: it now makes an additional request that syncs the user's cookies with google.com.

CAPTCHA is an acronym for Completely Automated Public Turing test to tell Computers and Humans Apart. reCAPTCHA is a free Google service that helps keep websites safe and free from spam.

Other developers confirmed his finding and pointed out that Google's own cookie policy lists gstatic.com, the domain that hosts reCAPTCHA, among the domains the company uses for advertising purposes.

Google uses a variety of domains to set the cookies used in its advertising services, including the following domains and their country-specific versions, for example google.fr:

  • admob.com;

  • adsensecustomsearchads.com;

  • adwords.com;

  • doubleclick.net;

  • google.com;

  • googleadservices.com;

  • googleapis.com;

  • googlesyndication.com;

  • googletagmanager.com;

  • googletagservices.com;

  • googletraveladservices.com;

  • googleusercontent.com;

  • google-analytics.com;

  • gstatic.com;

  • urchin.com;

  • youtube.com;

  • ytimg.com.

Edwards argued that Google is playing a game of rhetoric when it talks about reCAPTCHA. The company says that the service is not used for personalized advertising and that gstatic.com does not set cookies, but in Edwards' view those statements sidestep the cookie synchronization that the reCAPTCHA code actually triggers once it has loaded.

The Register asked Google why the company insists, in the reCAPTCHA terms of service, that it does not use reCAPTCHA data for personalized advertising, when nowhere in Google's documentation does it say that reCAPTCHA is isolated from the collection of all advertising-related user data.

With the "triangular sync" Edwards identified, two different web domains can link the cookies each of them has set for the same user.

If that user then visits a website that embeds a resource from either of the two domains, both parties receive network requests tied to the user, and each of them can then serve ads targeted at that specific person.

Two different domains are normally not supposed to have access to the same cookie data; browsers enforce this by distinguishing first-party from third-party resources in their security model. Triangular sync via reCAPTCHA, Edwards argued, gets around that separation in almost every case.

Google told The Register that it does not use reCAPTCHA for triangular sync: the service loads static resources from two locations on gstatic.com, and the cookies involved are neither analyzed, stored nor synchronized as part of that process. According to Google, gstatic.com is designed not to collect cookie data at all.

Nevertheless, the reCAPTCHA JavaScript hosted on Google's gstatic.com domain contains several references to cookies, and when a user visits a web page with an embedded reCAPTCHA widget, a NID cookie is set for that user even when the browser is configured to block third-party cookies.
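Claims like the ones above can be checked rather than argued about. The following is an added example, not code from the article, The Register, Edwards or Google: it audits a browser HAR capture (the "Save as HAR" export of the network panel) for requests to sites other than the page's own that carry or set cookies, flags redirect hops to yet another site, and, where the capture records which script issued a request, reports the page/script-host/cookie-host triangle the article describes. It assumes standard HAR 1.2 fields plus Chrome's non-standard `_initiator` extension; the sample capture, its domains and its cookie values are constructed for this example.

```javascript
// Added example: audit a HAR request log for third-party cookie traffic.

// Registrable domain ("site") approximated as the last two labels.
// Assumption: fine for the sample; a real tool should use the Public Suffix
// List, since e.g. "www.example.co.uk" would otherwise collapse to "co.uk".
function site(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  return labels.slice(-2).join(".");
}

// All values of a (case-insensitive) header name in a HAR header array.
function header(headers, name) {
  const wanted = name.toLowerCase();
  return headers.filter((h) => h.name.toLowerCase() === wanted).map((h) => h.value);
}

// Cookie names from a Cookie header ("a=1; b=2") or a Set-Cookie header.
function namesFromCookieHeader(value) {
  return value.split(";").map((p) => p.trim().split("=")[0]).filter(Boolean);
}
function nameFromSetCookie(value) {
  return value.split(";")[0].trim().split("=")[0];
}

// Site of the script that issued the request, when the capture tool recorded
// it. Chrome's HAR export adds a non-standard `_initiator` object; other tools
// may omit it (assumption), in which case this returns null.
function initiatorSite(entry) {
  const init = entry._initiator;
  if (!init) return null;
  const frames = init.stack && init.stack.callFrames;
  const url = init.url || (frames && frames.length ? frames[0].url : null);
  return url ? site(new URL(url).hostname) : null;
}

// Every request to a site other than the top-level page's site that carried a
// Cookie header or received a Set-Cookie header.
function auditThirdPartyCookies(har, topLevelUrl) {
  const firstParty = site(new URL(topLevelUrl).hostname);
  const findings = [];
  for (const entry of har.log.entries) {
    const reqUrl = new URL(entry.request.url);
    const reqSite = site(reqUrl.hostname);
    if (reqSite === firstParty) continue; // first-party cookies are expected

    const sent = header(entry.request.headers, "cookie").flatMap(namesFromCookieHeader);
    const set = header(entry.response.headers, "set-cookie").map(nameFromSetCookie);
    if (sent.length === 0 && set.length === 0) continue;

    // A redirect to yet another site is the classic cookie-sync hop.
    const loc = header(entry.response.headers, "location")[0];
    const redirectSite = loc ? site(new URL(loc, reqUrl).hostname) : null;

    findings.push({
      thirdParty: reqSite,
      url: entry.request.url,
      cookiesSent: sent,
      cookiesSet: set,
      initiator: initiatorSite(entry),
      redirectsTo: redirectSite && redirectSite !== reqSite ? redirectSite : null,
    });
  }
  return findings;
}

// "Triangle": the page on site A loads a script from site B, and that script
// talks to site C with cookies, so B and C each hold a request tied to this
// user's visit to A.
function findTriangles(findings) {
  return findings
    .filter((f) => f.initiator && f.initiator !== f.thirdParty)
    .map((f) => ({
      scriptHost: f.initiator,
      cookieHost: f.thirdParty,
      cookies: [...new Set([...f.cookiesSent, ...f.cookiesSet])],
    }));
}

// Constructed sample capture (placeholder domains and values, not real traffic).
const SAMPLE_HAR = { log: { entries: [
  { request: { url: "https://www.example.org/signup",
               headers: [{ name: "Cookie", value: "session=abc" }] },
    response: { status: 200, headers: [] } },
  { request: { url: "https://static.example-cdn.net/widget.js", headers: [] },
    response: { status: 200, headers: [] } },
  { _initiator: { type: "script", url: "https://static.example-cdn.net/widget.js" },
    request: { url: "https://tracker.example-ads.com/sync?v=1",
               headers: [{ name: "Cookie", value: "UID=111" }] },
    response: { status: 200,
                headers: [{ name: "Set-Cookie", value: "UID=111; Path=/; Secure; SameSite=None" }] } },
  { request: { url: "https://pixel.example-ads.com/r",
               headers: [{ name: "Cookie", value: "UID=111" }] },
    response: { status: 302,
                headers: [{ name: "Location", value: "https://match.other-network.example/m?uid=111" }] } },
] } };

function runSample() {
  const findings = auditThirdPartyCookies(SAMPLE_HAR, "https://www.example.org/signup");
  return { findings, triangles: findTriangles(findings) };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runSample(), null, 2));
}
```

Running the file with `node` prints the report for the constructed capture; replacing `SAMPLE_HAR` with a parsed real export and `topLevelUrl` with the page you loaded gives the same report for actual traffic. One caveat when reading the output: a Set-Cookie header in the log only proves that the server tried to set a cookie. The evidence that the browser kept it despite a "block third-party cookies" setting is a Cookie header on a later request to that same site, which is what `cookiesSent` records.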

Researcher Ashkan Soltani posted a short video on Twitter showing Google reCAPTCHA setting third-party cookies even when Mozilla Firefox is set to block "cross-site tracking cookies."


Soltani recalled that in 2012 the US Federal Trade Commission fined Google $22.5 million for telling Safari users that the company would not place cookies to track them when it was doing exactly that: in 2011 and 2012 Google was caught bypassing Safari's third-party cookie blocking.

Now history appears to be repeating itself on a larger scale. The privacy of many users may be affected, and if so the laws of some jurisdictions may be violated. For example, the California Consumer Privacy Act (CCPA) gives users the right to know that google.com cookies are being placed on their systems. The same applies to European Union law, although there Google has covered itself: the reCAPTCHA terms direct developers to follow Google's EU User Consent Policy for users from the European Union.

#Google #reCAPTCHA #Javascript #Advertising #IT #API #Privacy






Copyright © 2020 Fyberus WebSite. A Fyberus. All rights reserved. Reproduction in whole or in part without permission is prohibited.