Forbearance with Google reCAPTCHA

CAPTCHA is a variant of the Turing test to determine whether a visitor to a web application is a real person. The principle of CAPTCHA is to set the ideal task that is easy for humans to solve, but very difficult for machines (bots). Above all, CAPTCHAs should be used to protect against resource misuse and robot fraud and are known as a type of security protection tool.

With the rapid development of artificial intelligence and machine learning, this traditional authentication method has been repeatedly cracked in recent years. With this in mind, Google released its new generation of CAPTCHA services in 2013 - reCAPTCHA v2, which replaces the traditional CAPTCHA working principle with behavioral analysis and more browser interaction. The aim is to completely eliminate unpleasant user experiences and at the same time better identify humans and robots.

In practice, the visitor clicks on the "I am not a robot" box, the information such as IP address, local settings, mouse movements, time spent on the website, etc. is uploaded to the Google servers and analyzed there to determine whether the owner of the information is a real person. In November 2018, Google updated reCAPTCHA again and released the enterprise version reCAPTCHA v3, which, compared to v2, looks for more detailed data about the visitor in order to determine a risk score for them and send this back to the website operator as a result. Using the result point as a threshold, the website operator can perform variable actions against a request in the context of your sites to enable precise control over the use of their resources. Furthermore, reCAPTCHA now discards the design of the box, it runs completely in the background and uploads the collected information at any time. Visitors are completely unaware that they are currently being monitored and scored by the CAPTCHA components embedded in every page of the website.

2B Advice is of the opinion that if personal data is transferred from the controller to a third party and processed there, an opt-in mechanism and the explicit consent of the website visitor is required. The process is currently still quite opaque. Ultimately, the question arises as to whether the legitimate interest of Google and the website operator is more worthy of protection than that of the data subject.

This can be justifiably doubted at this point.