Click to prove you're not a robot. Says the robot.
How often do you get asked to click the “I’m not a robot” box? We do it willingly, usually without thinking. We just want to get to the web content we want. But the technology that sits behind the tick-box is deeply sophisticated and when you click, the website gets to look at your online behaviour before, during and after you clicked. This is data capture that you can’t see, but of which you should be aware.
Wed 26 October 2022
You will have come across web pages that ask you to do something to prove that you’re not a robot. Sometimes it’s simply ticking a box. Other times the system will ask you to click on all the pictures containing traffic lights, or chimneys, or boats. Older versions ask you to type some letters and numbers shown all twisted and obscure in a little image, although it has been reported that modern ‘computer bots’ can decipher such text with 99.8% accuracy.
The point of all this is to try and filter out ‘bots’ that might otherwise bombard a website with requests. ‘Bots’ are simply software applications that can run automated tasks.
Maliciously-programmed internet bots are becoming more and more common. They exist in order to do all sorts of things from generating fake social media accounts, to rapidly booking out all tickets for a popular gig.
Bots can also be created by state actors: governments intent on disrupting another country’s systems. In some cases millions of requests might be sent to a website, causing it to fall over, for one malicious purpose or another. A DDoS (Distributed Denial of Service) attack is an attempt to make an online service unavailable by swamping it with traffic to the point that it can’t cope and effectively shuts down. This kind of large-scale attack can take down everything from banks to utility companies to government websites. It happened to a large American electricity supplier on the East Coast just last year. Speculation as to who the bad actor was pointed at governments unfriendly to the United States.
To push back against these kinds of attacks, many websites now employ some form of test to distinguish between humans and robots. You may have seen it described as ‘CAPTCHA’, which is short for “Completely Automated Public Turing test to tell Computers and Humans Apart”. There are many forms of CAPTCHA systems, including audio versions for the visually impaired.
But what happens when you tick that box?
It’s not the actual ticking of the box that the system looks at. In 2009 Google bought a company developing the technology, called reCAPTCHA. Combined with some pretty sophisticated Google technology, ticking the box prompts the website to check your activity online just before you ticked the box, to see whether that looks ‘human’ or robotic. But that’s not all. Google analyses your behaviour before, during and after clicking the tick-box to see whether you appear human. A lot gets analysed in the instant: everything from your browsing history to the way you move your mouse on the page, assessing whether even that appears to be ‘organic’. If Google is still unsure that you really are human after clicking the tick-box, you will be shown a visual reCAPTCHA (with words, street signs or images) as an additional security measure.
As computers become ever more powerful and sophisticated, this multi-check approach is needed, both because they are becoming more skilled at complex image recognition and because of the rise of CAPTCHA sweatshopping (think of a scammers’ sweatshop generating thousands of fake social media accounts). Furthermore, with the advent of quantum computing just around the corner, some commentators speculate that almost any existing password will be crackable in seconds. On the other hand, it will make it almost impossible for bad actors to hide.
So imagine you’ve been sending a tweet, looking at some online shopping and checking your email account. It is the collection of that activity that makes the system believe you are in fact human. Essentially, when you click the ‘I am not a robot’ button, you’re instructing the website to have a look at your data and, on that basis, decide whether you’re human or not.
Unfortunately, scammers have also seen an opportunity in the “I am not a robot” tick-box. Some malicious websites show what looks like a reCAPTCHA tick-box, but when you click on it, it subscribes you to certain browser notifications or can infect your computer with some kind of virus or malware. Some send notification spam directly to your desktop: you’ll start to see spam pop-ups directly on your computer even when the browser is closed. These ads are likely to be for adult sites, online web games, fake software updates, and unwanted programs.
Worse still, malware might capture your personal data, take over your computer camera and so on.
Here are a few typical signs that you have a malicious program installed on your computer:
- Ads appear in places they shouldn’t be
- Your browser’s homepage changes without your permission
- Web pages that you typically visit are not displaying properly
- Website links redirect to sites different from what you expected
- Browser popups appear which recommend fake updates or other software
- Unwanted programs get installed without your knowledge.
Whilst the “I’m not a robot” box is designed to keep you safe online and to limit the ability of criminals and malicious governments to behave badly, it’s a system that is capturing your data, usually without your knowledge.
Using the internet is a bit of a trade-off between having access to information you want, whether browsing social media, banking, shopping, watching videos and so on, set against the need to allow some of your data to go in the other direction. Undoubtedly reCAPTCHA and the “I am not a robot” button are there to help. But it is good to be armed with the knowledge that we are allowing snippets of data about us to be analysed in ways we can’t see.
More generally, it’s good to have control of your data. Your digital footprint, those snippets of data left behind in your online life, can be used to build a profile of you. Scammers use stolen personal data, which they gather from company data breaches or buy on the dark web, in order to target people. They use online tools to capture whatever they can about you and use the data to trick you into falling for scams. Even those who think they would never be caught by a scam often are.
You can avoid your data being used against you by getting it deleted from any company that doesn’t need it any more. You’d be amazed at how many companies have your data, including many you've never heard of.
Use Rightly Protect to find out who’s got your data and get it deleted, quickly and for free.