by Benferhat 4217 days ago
I found a demo[0] via this old forum thread from August[1].

Obviously there are privacy concerns. That being said, this looks like a boon for anyone interested in bot detection, as you can periodically challenge your users' humanity without getting too much in their way. Nice one, Google.

From the thread:

Implemented it successfully for a website. I have to say, it works great!

it also checks if html pages are changed at runtime and how many times you "reload" the page where the captcha is. When it thinks you are a bot a captcha popups, when entered, it got checked on googles servers if it's right and fills in a hidden input. When the user submits the form, the filled in captcha coded, again, will be verifed. [sic]

[0] http://www.google.com/recaptcha/api2/demo

[1] Edit: don't go to this url without adblock (see comment below). http://forum.ragezone com/f144/googles-captcha-recaptcha-1023607/


The key post from that page:

"Since it goes through Google's servers, they can verify a lot of things. Whether you are logged in currently to google, have you been logged in the past, verify your activity on your IP address, etc. Even if you signed in from the same ip or ip range like a year ago, they can still tell it's you based on your previous actions."

That makes sense.

If I click from a normal tab I don't see a captcha, but if I click from a privacy tab I do.

So if you are in a remote location or do not fit a specific demographic you are basically a robot.
Assuming people who don't fit a demographic are robots is a step better than assuming everybody is a robot
In that case you get a normal captcha, which is no worse than the current situation.
The normal captchas have been getting increasingly user-hostile over time. The only limit on them is what users are willing to put up with, and now that Google's most profitable users don't get them that's less of an issue. In fact, having nearly unsolvable captchas is actually an advantage because it encourages users to let Google track them.
No, this is likely done with machine learning trained on real vs fraudulent user data. So they are going to be watching for much more subtle features than just being in a different region. Tons of people travel all over the world. Fewer people manually reset their MAC addresses or use datacenter ISPs.
I think the parent was using "demographic" to mean "people using computers currently tracked by google", not a regional population.
Beware: that second link launched a popup in my browser to a "Super Mario Game" which, in turn, pushes you to install a spammy Chrome extension called ArcadeYum.
Why does Google bother with so many minor script-related security enhancements in Chrome that will barely affect anyone (such as extra HTTP headers allowing for bonus layers of XSS protection just in case the site's developers weren't smart enough to cover all possible injection angles) if they are going to also let random untrustworthy developers abuse their extension installation API to achieve over 750,000 installs of a mysterious/shady/useless browser extension that inexplicably asks for permission to read and write to the DOM on every single page of every single site the user ever visits in the future, and which very obviously only exists for the purpose of doing the exact same kinds of terrible things that XSS prevention was conceived of in the first place in order to stop?
I'd like to hear arguments for why it would be unfair competition for Google to put spammy ad agencies out of business.
I'd personally love them to do that. I guess the arguments are basically the double-edged sword of dictatorship. You have a paradise if the ruler is wise, just and benevolent, as you can escape pretty much all of the stupid coordination problems that pester democracies - but on the other hand you risk getting totally screwed up if the dictator goes evil (which can, and probably always will, happen over time, when a good dictator gets succeeded by a bad one).
Thanks for all the evidence, but Microsoft's primary revenue stream isn't advertising, and Facebook is getting success by suing spammers that commit fraud against Facebook.
Thanks for the heads up, I missed it due to adblock. I made the link non-clickable and added a warning.
This seems to be following Cloudflare's (and Incapsula's and all the other competitors) approach to bot detection. Basic automatic, silent bot challenges (non-invasive Javascript and DOM tests) which, if failed, give a one-time captcha prompt.
Which has the side-effect of making the site inaccessible to TOR users with JS turned off.
Those people will five 9s likely be blocking ads too, so who cares?

They can enjoy my content for free no problem, but I really don't care what they have to say in regards to how I run things or have things set up.

"Fuck you, pay me" comes to mind

The Tor browser doesn't block ads. Just javascript and flash. His point is the internet is becoming increasingly hostile to privacy. It's already extremely difficult if not impossible to create anonymous accounts with tools like Tor. Which discourages things like whistle blowing, or people from areas with oppressive governments.
That is a fair point, in my experience Tor is just used by bots to spam comments up with junk.

This is probably different for larger sites of course but on our scale there's no worries blocking Tor

Edit: Although thinking about it I don't know any ads that aren't served up without some form of Javascript

The problem is that every website does the same thing, and now it's impossible to use the internet anonymously. But actual spammers can spend a few bucks on IP rotating services. IP discrimination causes far more harm than good.

Actually I don't think Tor disables javascript by default anymore, but even when I do disable it I still see ads.

If comments were blocked, that's one thing, but increasingly often access to the site as a whole gets blocked.
Isn't the example in [0] already used on various sites? I at least used it on the humble bundle site and saw it on other sites too.
They seem to have done a small early beta over the summer, I guess they got in early.