Prove You're Human. Pay With Your Data.

There's a thing that happens to me regularly that I suspect happens to you too. I'm trying to get to a site — reading an article, buying something, just clicking around — and suddenly I'm not going anywhere until I've proven my humanity to Google. Traffic lights. Buses. Motorcycles. And at least once, a traffic light that is technically in the corner of the box. Does the sliver count? Does it not? Who decides?

I've been stuck in infinite loops of these things. Hopped on cell service to get through what my home network and privacy filters couldn't. And somewhere in the middle of the latest loop that had me clicking the same motorcycles three times while going nowhere, a question crystallized: what right do they actually have to be the checkpoint here?

The short answer is: none that you agreed to.

It Started Legitimately

I want to be fair to the history, because reCAPTCHA's origin story is genuinely clever. It started at Carnegie Mellon in 2007 as a way to do two things at once: verify a human was filling out a form, while also putting that human's brain to work digitizing old texts that OCR software couldn't handle. Books, newspapers, historical archives — text that machines couldn't reliably read but humans could. By 2011, reCAPTCHA had finished digitizing the entire Google Books archive and 13 million articles from the New York Times going back to 1851. Every time you proved you were human, you were also doing preservation work. That's a genuinely good trade.

Google acquired reCAPTCHA in 2009, and for a while, the mutual benefit framing held up. Then the books ran out of words to digitize, and Google had... new ambitions.

The Pivot Nobody Asked For

In 2012, Street View images started showing up in the challenges. House numbers. Street signs. Business addresses. Google confirmed it openly: they were using reCAPTCHA to crowdsource data for Google Maps. Same clever idea, different beneficiary — now it was feeding mapping infrastructure. Google has always maintained the data was for Maps improvement only, but given that Waymo — their self-driving car subsidiary — trains heavily on exactly the kind of traffic light and crosswalk imagery you were identifying, the suspicion has never really gone away. Make of that what you will.

To be clear: you were never told this. There was no checkbox that said "I agree to label images for Google's infrastructure projects." The CAPTCHA just appeared, and you solved it, because you wanted to get to the website on the other side.

Then in 2014, the shift became more explicit. The image challenges that showed up — buses, fire hydrants, storefronts, motorcycles — were systematically labeled for computer vision training. reCAPTCHA v3, launched in 2018, dropped the visible challenges entirely. It just watches you — mouse movements, scroll behavior, hover patterns — and assigns you a trust score in the background. No puzzle. No interaction. Just silent behavioral surveillance as the price of admission to someone else's website, running on every page that embeds it.

The progression looks like this:

  • 2007-2009: You solve CAPTCHAs, books get digitized. Mutual benefit. Legitimate.
  • 2012: You solve CAPTCHAs, Google Maps gets better data. You didn't sign up for that but okay.
  • 2014: You identify buses, traffic lights, crosswalks. Google says it's for Maps. Waymo exists and needs exactly that data. Draw your own conclusions.
  • 2018: reCAPTCHA v3 runs silently in the background scoring your behavior across the entire web. You get nothing.
  • Now: They want your phone number and device ID to verify you're human.

Each step made sense from Google's perspective. None of them were consented to by you.

The Part That Should Actually Anger You

Here's the thing that doesn't get said clearly enough: you didn't go to Google. You went to some third-party site that chose to embed Google's checkpoint on their page. You never entered into any relationship with Google. Google inserted themselves as the tollbooth between you and that site, and the price of passage is your behavioral data — whether that's image labeling, browser fingerprinting, or now, phone verification.

That's not a security service. That's a private surveillance dragnet that site owners voluntarily installed on their doorstep and handed to Google to operate. The site gets bot protection for free. Google gets to fingerprint and score millions of users across the whole web — including people who have never had a Google account and actively try to avoid them. You get treated as guilty until proven innocent.

And the way you prove your innocence has been changing.

The new mobile verification requirement is the tell. Google now wants, in certain cases, a phone number tied to a device tied to a billing address to confirm you're human. That's not anti-bot infrastructure. Bots don't have phone numbers. That's anti-anonymity infrastructure. The thing it's filtering out isn't automated scripts — it's people who don't want to hand Google an identity anchor.

The Image Challenges Are Already Broken Anyway

Here's the part that makes the whole performance especially absurd. Those infuriating motorcycle slivers and half-visible traffic lights that you're squinting at and rage-clicking? AI solves them better than you do.

Research published in 2023 found that AI bots achieve 85-100% accuracy on reCAPTCHA image challenges, compared to humans who range from 50-85%. Then in 2024, researchers at ETH Zurich published a paper showing they could solve 100% of reCAPTCHA v2 challenges using a modified YOLO image model. Their finding buries the whole premise: there's no meaningful difference between how many challenges a human and a bot need to solve to get through. The system is equally hard on both. Which means it's not actually screening out bots — it's just creating friction that legitimate users experience and well-resourced bot operations route around with cheap solve farms.

The image challenge has failed at its stated purpose while continuing to succeed at its actual purpose: data labeling and behavioral fingerprinting, at internet scale, without your consent.

Then Cloudflare Got Involved

If reCAPTCHA were just something a handful of sites used, it would be annoying but containable. The problem is Cloudflare, which sits in front of roughly 20% of all websites on the internet — and has heavily normalized challenge pages as the default response to anything their systems don't fully trust.

Every site that flips on aggressive bot protection or "I'm Under Attack Mode" instantly becomes a Google checkpoint by proxy. Site owners don't think about it. They turn on Cloudflare because it's the default "just works" solution, and suddenly their visitors are being routed through Google's identity verification before they can read an article.

Cloudflare did build their own alternative — Turnstile — specifically to replace reCAPTCHA and avoid feeding Google. It runs challenges invisibly and doesn't send data to Google. That's genuinely better. But plenty of sites never migrated, and even Turnstile fingerprints you — just for Cloudflare instead of Google. You've traded one surveillance middleman for another, and you still didn't get a vote.

The loop I get stuck in — the one where the challenge just reloads infinitely with no explanation — is almost certainly my privacy filtering (AdGuard Home at the network level, uBlock in the browser) blocking the endpoints these systems need to phone home to. The challenge can't complete, so it retries, and the retry can't complete either. Zero feedback. No indication of what's actually wrong. Just spin, reload, spin.

That's not a security system failing gracefully. That's a system that either doesn't care to tell you why it's failing, or is deliberately pressure-designed to make you drop your defenses. Either way, your access to someone else's website is being held hostage by a verification loop between two sets of infrastructure you don't control, playing out on your browser.

This Is the Same Pattern

This exact dynamic shows up everywhere once you see it.

Age verification laws are sold as protecting children. What they actually require is handing your government ID to a private company to access legal content. The child protection is the cover story. The identity data is the point.

Google's response to ad blockers and tracking protection has been systematic and methodical: when cookies got restricted, they moved to fingerprinting. When fingerprinting got blocked, they pushed FLoC. When that died in public backlash, they launched the Topics API. Manifest V3 — framed as a Chrome security improvement — surgically gutted the webRequest API that made blockers effective, while leaving Google's own ad infrastructure untouched. The company pulled in $265 billion in advertising revenue in 2024 — more than Meta and Amazon combined — and apparently that still isn't enough to leave the people running Pi-hole at home alone.

There's also a self-defeating irony buried in all of this. The people most likely to trigger the hard reCAPTCHA challenges — the ones running DNS filtering, browser hardening, VPNs — are the exact people least likely to comply. They're not going to drop their defenses and click through. They're going to bounce, find the information somewhere else, and make a mental note about that site. The casual visitor with no privacy tools just gets tracked. The person who went to the trouble of setting up their own DNS resolver gets annoyed and leaves. The surveillance apparatus is exquisitely tuned to catch the wrong people.

reCAPTCHA's tightening is another prong of the same strategy. If you can't be tracked through your browser, you'll be made to hand over your phone to access the web. Every wall users build, Google routes around. The mobile verification push isn't about bots. It's about closing the last gaps where anonymous browsing with privacy tools can still function without surrendering an identity.

The Pattern Runs Deeper Than CAPTCHAs

If you think the reCAPTCHA identity anchoring is a one-off design quirk, go set up or review your Google account's two-factor authentication and watch what happens.

Google supports TOTP — the open standard defined in RFC 6238 that lets any compliant app generate your second factor. Aegis, Bitwarden, Raivo, a YubiKey, whatever you want. It's an open standard. It's yours. It's portable. Once Google sets up the seed, they have zero visibility into it — they just see a valid code arrive. They don't know what app generated it, what device you used, or where you were.

Google's preferred option is their own app prompt. And they make sure you know it — it's presented first, framed as easier and more secure, and the nudging toward it is persistent every time you visit your account security settings. The open TOTP option is buried. Hardware keys are technically supported but you'll never see them prominently surfaced.

The "more secure" framing isn't entirely dishonest — app prompts do have some phishing-resistance properties. But look at what the Google prompt actually requires: the Google app installed, a device logged into your Google account, and Google's servers reachable to deliver the prompt. And look at what it gives Google: every authentication event logged with the device, the location, and the timestamp.

Every time you tap "Yes it's me" on that prompt, Google records which device you authenticated from, when, and where. It's a security event and a data collection event running simultaneously. The TOTP code gives them none of that.

This is the same mechanism as the reCAPTCHA phone verification, just on a different surface. Swap an open standard that lives outside their visibility for a Google-ecosystem dependency that generates data on every use. Do it at every touchpoint — authentication, verification, identity confirmation — and suddenly they have a comprehensive picture of your devices, your locations, and your patterns that no privacy tool at the browser or network level can touch, because you handed it to them willingly in exchange for "easier" security.

The architecture isn't accidental. It's the whole point.

What You Can Actually Do

The most underrated option — and honestly the correct default — is to just leave.

If a site throws up a reCAPTCHA wall and it's not somewhere you have to be, close the tab. That's it. Sites that deploy the hardest challenges tend to be the ones most aggressive about tracking you everywhere else on the page anyway. The checkpoint and the surveillance posture go together. Bouncing isn't just the path of least resistance, it's often the right read of the situation: they've already told you whose interests they're prioritizing, and it's not yours.

Most of the time there's an alternative — a different source for the same article, a competitor for the same product, another route to the same information. The friction of the CAPTCHA loop is a feature from their perspective, designed to make you give up and comply rather than leave. Leaving is the move they're not counting on.

The exception, and it's a real one, is utility and government sites. Your electric company. Your insurance portal. Your city's permit system. The DMV. Places you don't have an alternative to, services you pay for or are legally entitled to access. That's where the whole thing stops being an annoyance and becomes something uglier — a public or essential service that has quietly handed Google the keys to its front door, making a private surveillance company the gatekeeper between you and infrastructure you have no choice but to use. Nobody voted on that. Nobody asked. It just happened because someone checked a box in a vendor form.

For those situations, some things help at the margin. The most reliable fix is the one I hate admitting: disable your VPN when you hit a wall. reCAPTCHA's trust scoring is heavily IP-reputation based, and VPN exit nodes are routinely flagged. Cell service gets through for the same reason — carrier IPs are trusted, residential proxy farms aren't.

On browsers, Firefox is in the best position for most people — Google controls Chrome and every MV3 change that hobbles uBlock Origin directly benefits Google's ad business, which is not a coincidence. Firefox doesn't have that structural conflict. LibreWolf is Firefox with the hardening dialed up significantly, but fair warning: it can be so locked down that sites break in exactly the same maddening way as the reCAPTCHA loops — scripts won't run, external calls get blocked, layouts fall apart. It's great if you want maximum protection and are willing to troubleshoot. It's not a plug-and-play replacement.

Brave and Vivaldi both pushed back on MV3, though in different ways. Brave explicitly pledged to keep supporting uBlock Origin and other key privacy extensions as MV2 even after Chrome dropped them, by patching Chromium directly. Vivaldi took a different architectural approach — they built their own ad and tracker blocker directly into the browser engine below the extension layer entirely, so MV2 or MV3 doesn't affect it. Both are meaningfully better than Chrome or any unmodified Chromium fork that just rolled over. MV2 did eventually die in Chromium 141, so neither could hold that line forever on the extension side, but Vivaldi's built-in approach is the more durable one long-term since it doesn't depend on Google's extension infrastructure at all.

On iOS, Orion is WebKit-based but supports uBlock Origin natively, which sidesteps the MV3 trap on a platform where that's usually not an option.

At the network level, AdGuard Home or Pi-hole are worth running — though they're exactly what triggers the infinite loops in the first place when filtering gets aggressive. The tradeoff is real and I don't love it. You're blocking the surveillance but occasionally paying for it in access friction, specifically on the sites that most want to surveil you.

The honest version: there is no clean solution that lets you browse with full privacy hygiene and never hit a wall. That wall is designed to be there. The inconvenience is the coercion. Leave when you can. Fight through it when you can't. Know which one you're doing and why.

My Take

reCAPTCHA started as a clever tool that turned a necessary annoyance into something useful. That version of it is gone. What replaced it is a surveillance checkpoint that extracts data from you as the cost of reaching websites you didn't ask Google to intermediate, run by a company whose entire business model is knowing everything about you, deployed across 20% of the internet without your input or consent.

The image challenges that have been infuriating people for years are already obsolete against bots. The phone verification push isn't about bots either. It's about identity anchoring — connecting your anonymous web activity to a real-world identity that can be tracked, scored, and monetized, one verification loop at a time.

Every time you rage-click the sliver of a motorcycle in a corner box, remember: you're not proving you're human. You're proving you haven't opted out of Google's surveillance network yet. The challenge gets harder the more you try to.

Have thoughts? Find me on Mastodon at @ppb1701@ppb.social