Article 43
Saturday, April 29, 2023
And You Were Worried About Cookies
One of the ways [reCAPTCHA] v3 checks validity is through examining whether you already have a Google cookie installed on your browser. Cookies are stored data about your interactions with a site, generally so elements can load again faster. Sign into a Google account, and reCAPTCHAs like you already…
but due to v3’s wider scope, a more comprehensive online profile must be in place too… The service gathers software and hardware information about site visitors, like IP address, browser plug-ins, and the device you’re using.
- Google’s ReCAPTCHAs Also Capture Your Private Information, MakeUseOf, 2018
reCAPTCHA Enterprise helps state governments reduce false claims by preventing adversaries from automatically reusing credentials on unemployment claims portals.
- How reCAPTCHA Enterprise protects unemployment and COVID-19 vaccination portals, Google Cloud Blog, 2021
Can’t get past captcha to request unemployment check
- Reddit Thread, 2021
I’m one of those that tries to practice good web surfing habits. A noble, but USELESS exercise.
The FLORIDA UNEMPLOYMENT WEBSITE used to only use Google’s recaptcha - making it easy for them to learn who’s filing for unemployment - but then during Covid, they got a validation service from ID ME.
Dealing with that website was painful. I couldn’t sign up because it insisted on texting a code to my mobile phone number on file at the unemployment office, but the only number they have for me is a land-line that doesn’t have text. The system kept telling me to answer the text I never got, and never will get.
There was no number for tech support, and only a web form to fill out that kept kicking me out with a 500 ERROR - leaving me wondering if it actually worked. I wrote to Governor DeSantis and the local news for help. It took six weeks to finally sign up. Now that place has copies of my driver’s license, mortgage bills, social security number, my face, etc. Wait until these guys get hacked.
It brought back memories of the government’s 2015 OPM LEAK that included me and 20 million other Americans whose records were stolen. For that the government gave us a lousy year of free credit monitoring. Gee thanks. They could have given us new social security and driver’s license numbers. It’s not like after a year the files will disappear. Although I bet they can set them up with self-destructs like OFFICE 365’S DATA RETENTION.
If those files were MP3S or KINDLE EBOOKS they’d be locked down with DRM.
Since they’re not, the OPM files may be out there forever. Here, protecting things like music and ebooks is more important than ANY PERSONALLY IDENTIFIABLE DATA OF OURS.
Computer analytics are OUT OF CONTROL, infosec is a LAUGH, and internet privacy even more laughable.
We need laws with teeth protecting privacy. And better oversight of these companies with government contracts.
What do we do about GOOGLE who may know more about us - government and public - than the AKASHIC RECORDS?
Where is the public discussion?
---
Google Promises reCAPTCHA Isn’t Exploiting Users. Should You Trust It?
An innovative security feature to separate humans from bots online comes with some major concerns
By Owen Williams
One Zero
July 19, 2019
A surprising amount of work online goes into proving you’re not a robot. It’s the basis of those CAPTCHA questions often seen after logging
They come in many forms, from blurry letters that must be identified and typed into a box to branded slogans like “Comfort Plus” ON THE DELTA WEBSITE - as if the sorry state of modern air travel wasn’t already dystopian enough. The most common, however, is Google’s reCAPTCHA, which launched ITS THIRD VERSION at the end of 2018. It’s designed to drastically reduce the number of challenges you must complete to log into a website, assigning an invisible score to users depending on how “human” their behavior is. CAPTCHA, after all, is designed to weed out bot accounts that flood systems for nefarious ends.
But Google’s innovation has a downside: The new version monitors your every move across a website to determine whether you are, in fact, a person.
A necessary advancement?
Before we get into the how of this new technology, it’s useful to understand where it’s coming from. The new reCAPTCHA disrupts a relatively ancient web technology that has been harnessed for plenty of things beyond security.
CAPTCHA - which stands for Completely Automated Public Turing test to tell Computers and Humans Apart - first appeared in the late ‘90s, and it was DESIGNED BY A TEAM at the early search engine AltaVista. Before CAPTCHA, it was easy for people to program bots that would automatically sign up for services and post spam comments by the thousands. AltaVista’s technology was based on a printer manual’s advice for avoiding bad optical character recognition (OCR), and the iconic blurry text in a CAPTCHA was specifically designed to be difficult for a computer to read but legible for humans, thereby foiling bots.
By the early 2000s, these tests were everywhere. Then came reCAPTCHA, developed by researchers at Carnegie Mellon and purchased by Google in 2009. It used the same idea but in an innovative way: The text typed by human users would identify specific words that programs were having trouble recognizing. Essentially, programs would scan text and flag words they couldn’t recognize. Those words would then be placed next to known examples in reCAPTCHA tests - humans would verify the known words and identify the new ones.
By 2011, GOOGLE HAD DIGITIZED the entire archive of the New York Times through reCAPTCHA alone. People would type in text from newspaper scans one blurry CAPTCHA at a time, ultimately allowing Google to make the Times back catalog searchable forever. While creating a velvet rope to keep bots off sites, Google had managed to conscript human users into doing the company’s grunt work.
With that achievement under its belt, reCAPTCHA switched to showing pictures from Google’s Street View software in 2014, as it does today. After pressing the “I’m not a robot” box, you might be prompted to recognize which of nine images contain bicycles or streetlights. Behind the scenes, Google reduced the frequency at which people were asked to complete these tests by PERFORMING BEHAVIORAL ANALYSIS - reCAPTCHA can now run in the background and track how people use websites.
If a Google cookie is present on your machine, or if the way you use your mouse and keyboard on the page doesn’t seem suspiciously bot-like, visitors will skip the Street View test entirely. But some privacy-conscious users have complained that clearing their cookies or browsing in incognito mode DRASTICALLY INCREASES the number of reCAPTCHA tests they’re asked to complete.
Users have also pointed out that browsers competing with Google Chrome, LIKE FIREFOX, require users to complete more challenges, which naturally raises a question: Is Google using reCAPTCHA to cement its own dominance?
Google’s perspective
To use its latest version of reCAPTCHA, Google asks that DEVELOPERS INCLUDE ITS TRACKING TAGS on as many pages of their websites as possible in order to paint a better picture of the user. This doesn’t exist in a vacuum: Google also offers Google Analytics, for example, which helps developers and marketers understand how visitors use their website. It’s a fantastic tool, included on more than 100,000 OF THE TOP ONE MILLION visited websites according to “Built With,” but it’s also part of a strategy to monitor users’ habits across the internet.
The new version of reCAPTCHA fills in the missing pieces of that picture, allowing Google to further reach into those sites that might not use its Analytics tool. When pressed on this, GOOGLE TOLD FAST COMPANY that it won’t capture user data from reCAPTCHA for advertising and that the data it does collect is used for improving the service.
But that data remains sealed within a black box, even to the developers who implement the technology. The DOCUMENTATION for reCAPTCHA doesn’t mention user data, how users might be tracked, or where the information ends up - it simply discusses the practical parts of the implementation.
I asked Google for more information and what its commitment is to the long-term independence of reCAPTCHA relative to its advertising business - just because the two aren’t bound together now doesn’t mean they couldn’t be in the future, after all.
A Google representative says “reCAPTCHA may only be used to fight spam and abuse” and that “the reCAPTCHA API works by collecting hardware and software information, such as device and application data, and sending these data to Google for analysis. The information collected in connection with your use of the service will be used for improving reCAPTCHA and for general security purposes. It will not be used for personalized advertising by Google.”
That’s great, and hopefully Google maintains this commitment. The problem is that there’s no reason to believe it will. The introduction of a powerful tracking technology like this is a move that should come with public scrutiny because we’ve seen in the past how easily things can go sour. Facebook, for example, promised in 2014 that WhatsApp would remain independent, separate from its backend infrastructure but WENT BACK ON THAT DECISION after just two years. When Google acquired Nest, it promised to keep it independent but RECANTED FIVE YEARS LATER, requiring owners to migrate to a Google account or lose functionality.
Unfortunately, as users, there’s little we can do. There’s no way to opt out of reCAPTCHA on a site you need to use, forcing you to either accept being tracked or stop using a given service altogether. If you don’t like those full-body scanners at airports, you can at least still opt out and get a manual pat-down. But if a site has reCAPTCHA, there’s no opting out at all.
If Google intends to build tools like this with the public good in mind rather than its bottom line, then the company must find better ways to reassure the world that it won’t change the rules when it’s convenient. If it were willing to open-source the project (as it has with many, many others), move it outside the company, or, at the very least, establish third-party oversight, perhaps we could start building that trust.
---
The IRS wants your selfie. ID.me CEO says don’t worry about it.
By Irina Ivanova
CBS News
January 28, 2022
“ID me”, the verification service that most U.S. states turned to during the pandemic to confirm the identity of people applying for unemployment aid, attracted public scrutiny this month when it was revealed that the Internal Revenue Service would start requiring anyone wanting to check their tax information online to register for an account with the private company.
The IRS move has sparked outrage among civil liberties advocates and ordinary taxpayers over concerns that the system - which requires users to upload their ID and submit a selfie or video chat with an agent - could expose troves of personal information to hackers. Some lawmakers also expressed reservations, with Senator Ron Wyden of Oregon SAYING he is “very disturbed” by the IRS’ plan. The agency is paying $86 million on the contract.
Blake Hall, “ID me’s” founder and CEO, sees it differently. In an interview with CBS MoneyWatch, he described the company’s verification technology as both more inclusive than other identification options - many of which won’t verify anyone who lacks a credit report, for instance - and more secure.
“What we’re doing is simply the digital equivalent of what every American does to open up a bank account,” Hall said.
In Hall’s view, the IRS is under assault from burgeoning criminal gangs. ID.me has already stopped would-be fraud in “tens of thousands” of cases, he said.
Over a Zoom interview, Hall shared images of several would-be fraudsters who he said tried to fool “ID dot me” by wearing a mask to take a selfie. “If that check didn’t exist, those people would have become victims of identity theft,” Hall said.
Hall said that just 10% of the people who sign up with “ID me” can’t complete the company’s selfie process and need to move on to verify their identity with a video agent.
No alternative route
However, with 70 million Americans already signed up with the system, even 10% can add up to a lot. State officials have documented complaints of people being unable to prove their identity and being wrongly cut off from benefits. A REPORT from Community Legal Services of Philadelphia called the process “extremely difficult and tedious to complete.”
Several people reached out to CBS MoneyWatch to describe being caught in limbo after they were unable to verify themselves on “ID me”.
Arizona resident Michelle Ludlow said she tried to get a new driver’s license last summer at the HEIGHT OF THE PANDEMIC. Because government offices were closed for in-person business, Ludlow tried verifying herself online with “ID me” - trying for half an hour, over several days, with and without glasses. But the system wouldn’t recognize her face as the one on her license, she said.
“There was no alternative route to go if “ID me” couldn’t make a match with a selfie,” she said in an email.
Ludlow works in a tax-preparation office and is concerned the selfie step will make it impossible for some of her clients to access their IRS records.
“Some of our clients have trouble sending us documents via email, so I can only imagine their frustration at the new system - especially if it doesn’t work,” she said.
Mandatory arbitration
Critics of “ID me” also question the wisdom of having a private company that isn’t subject to open-records laws be the gatekeeper for Americans’ access to vital government services. They point out that “ID me” is required to keep users’ data for seven years - even when a person asks for its deletion - to comply with government requirements.
Users who sign up for “ID me” also have to agree to a mandatory arbitration provision, giving up their right to sue the company in court or join a class-action lawsuit if, for instance, their identity is stolen.
To this, Hall said that Americans could access government services without going online. For instance, taxpayers can request their IRS records and wage transcripts by calling the agency - assuming they’re in the 1 in 4 callers who can get through.
“There are alternative ways to interact with virtually every federal agency that we support,” he said.
“We’ve never been in favor of being the only way to get in,” he continued. “One day,” he suggested, “online identity verification will be much like credit cards, with several options users can choose from.”
“It should be more like Visa and banking,” he said of the emerging industry and its technology. “As long as you can meet the standards, folks should be able to pick who they want their login provider to be.”
---
Google ‘wiretapped’ tax websites with visitor traffic trackers, lawsuit claims
And this wiretap, is it in the room with us right now?
By Thomas Claburn
The Register
August 18, 2023
Google was sued on Thursday for allegedly “wiretapping” several tax preparation websites and GATHERING PEOPLE’S PERSONAL SENSITIVE DATA.
And by wiretapping, they mean Google Analytics code added by the tax firms themselves to their own websites to measure visitor traffic and demographics.
The COMPLAINT [PDF], filed in a US federal district court in San Jose, California, on behalf of plaintiff Malissa Adams and others, accuses Google of collecting personal data from US taxpayers using online tax filing websites offered by H&R Block, TaxAct, and TaxSlayer, among others.
“What made this wiretapping possible is Google Analytics’ tracking pixel, which is embedded in the JavaScript of online tax preparation websites,” the complaint stated.
Google Analytics works like this, mainly: Google generates a snippet of JavaScript code to INCLUDE in your pages; when people visit those pages, the code pings home to Google, allowing the ads giant to record details of those individual visits. Site owners can then view dashboards summarizing their traffic: how many people were looking at what times, which countries they were in, what kind of device they used, and so on. There are other ways to add pages to Analytics.
“These tax preparation companies sent private tax return information to Google through Google Analytics and its embedded tracking pixel,” the lawsuit continued, “which was installed on their websites. These pixels sent massive amounts of user data to Google to improve its ad business and enhance its other business tools.”
Doing so is illegal, the complaint contended, because UNDER AMERICAN LAW tax-return information cannot be disclosed to unauthorized parties without consent from the payer. It will be interesting to see if the courts rule that Analytics actually vacuums up tax-return info.
Google Analytics can collect as many as 200 different metrics, according to the complaint, which says that while the ad giant maintains such information is not associated with individuals, “a Stanford and Princeton study [PDF] found that Google’s tracking software is able to ‘successfully carry out de-anonymization’ through a simple process that leverages a user’s web browsing history collected by Google’s tracking tools.”
Google did not immediately respond to a request for comment. (Full disclosure: Yes, like many websites, The Register uses Google Analytics among other tools to keep track of readership size.)
The tax privacy lawsuit follows a REPORT [PDF] released LAST MONTH by seven US lawmakers that said TaxAct, H&R Block, and TaxSlayer had admitted “that they shared taxpayer data via their use of the Meta Pixel and Google’s tools.”
The legislators’ dossier built on investigative work done by The Markup in early 2022, with the help of Mozilla Rally, to STUDY THE META PIXEL and how it collects data. A subsequent report from the news non-profit FOCUSED on tax company websites.
Though privacy concerns about “wiretapping” from tracking pixels and related scripts date back more than two decades, when they were referred to as “web bugs” or more euphemistically “web beacons,” government officials didn’t really get serious about raising the alarm and doing very little until Facebook’s Cambridge Analytica scandal in 2018.