With high resolution cameras, indefinite data retention and third party data leaks being a matter of when, not if, this seems like a perfect way to get your fingerprints stolen by organized crime syndicates worldwide. If not next year, then in 5-10 years. And when they get used for “something”, what happens when you go on vacation somewhere and you’re detained at that country’s border for a crime that happened N years before your very first entry into that country ever happened?
With as many Ph.D.s as there are at Google, you’d think they’d be smarter than to come up with this. Which is how you know the PMs are in charge, not the smart people.
AOL used to be a US$ 200B public company, it was acquired by 4.4B.
Sun, Lucent, Yahoo all had massive valuations at their peak but eventually dwindled and got acquired.
It's always possible for a massively valued company to stumble, fall, and become a husk of what it once was. I don't think Google/Alphabet is immune to this even though their absurd cash cow from ads make it very unlikely at this exact moment.
I'm struggling not to be sarcastic here, as I'm not quite stoked about Canadian Tire owning most of what's left of Hudson's Bay Company. It's pretty undeniable proof that age and revenue will not make a company immortal or invulnerable though.
If a web requires me to do this to access it, I simply refuse.
The last time I needed some web was my electricity company - sent them a ticket with a complaint. They replied with some bs like "your browser is simply not supported" so I kept sending them the same ticket over and over again until I got a real response and it seems they decided to change the system.
To use my favorite quote: That's all it takes really, pressure, and time... :)
Companies do and will simply label customers who repeatedly "protest" in such a manner as "vexatious" and use that as a justification to deny service. Utilities will probably be last due to regulations around providing utilities but other important companies will do it.
Yeah I’ve already warned my discord friends that the moment I have to show my ID I’m out of there without a goodbye. It sucks, but I just can’t compromise further. Personal ID’s are an absolute red line.
Yeah, for some reason I ran into that issue, too. I'm not giving my governmental ID to some random corporation. If that means I can't use their services, then so be it.
Someone always has to be the first to say "no thanks" to their bs.
A few days back, Google reCaptcha suddenly showed me a QR code and asked me to scan it with my mobile to "verify" I was human. I was taken aback, and at first thought my system / browser had some malware that was messing with the Captcha ...
We have to have ability to stream video instead of accepting browsers webcam request. I propose Firefox to go first with the implantation. I would like to automate it with AI to stream every time a different video with different person
Also worth noting this could allow Google to know who is using whom's devices. E.g. if I let my sister use my device, then Google would know it's her hand.
Would it deny her hand's reCAPTCHA because it doesn't match my biometrics? Or would it allow her and just make a record in the google database that she was using my phone at 8:42PM ?
Imagine getting your hand wrongly blacklisted as a fake, and then someday down the road you make a wrong gesture during an online interview and now your real-name is also on the suspicion list.
New startup idea: Captcha-proof mock hands that wave with remote control http json api. You could sell a small diorama box with camera and everything as an upgrade.
Doesn't surprise me at all and seems like a good solution to the problem of human verification. It won't take long for AI to catch up to that, but this captcha method might hold for a couple of months.
Not sure what problem everybody here is having with this. The alternative would be device certificate stuff (ala did Apple sign for this being a proper Apple device?). Having to shake your hand sounds a lot more privacy friendly.
Are you guys seriously worried that Google is gonna steal your secret handshakes?
Finding additional ways to waste more of people’s time on the web isn’t a good solution to anything. Doing so in a privacy invading way from a company that has a vested interest in collecting as much data as possible, exhausting all utility from it and butters its bread in an industry which specifically is built around disrespecting the time of other people is just never going to fly.
Like seriously, if I have to turn on a camera to get through a recaptcha then the website doing it can fuck right the hell off with extreme prejudice. My web browser is not allowed to access my cameras for any reason, no exceptions.
> Not sure what problem everybody here is having with this.
For starters, it's extremely invasive (camera on to pay a bill - wtf?), has unclear privacy implications and questionable accessibility (to put it mildly).
Then you sign in using your eID which is both highly secure and tied to your personal identity. Government services don't need 3rd party are-you-a-human verification, not when your account is tied to your identity.
(this is from the Netherlands where you can use digID [0] to sign into government services and ID-bound 3rd parties like insurance, mortgages, pensions etc)
That's like saying the roads are dead because people built strip malls and McDonald's everywhere. They're ugly and mostly annoying but there's still those roads leading to the paths into the mountains, ready for anyone who knows how to find them.
It is extremely disappointing to see Reclaim’s reporting whiff so badly on this. Yeah, they got the gist of the outrage, but they missed the real grift underneath. They slipped a massive loophole under the radar here and Reclaim misses it entirely: Google promised to delete the footage, but not the data derived from the footage. To use 23andme as an analogy, the company tended to dispose of old genetic sample kits after a while, but retained the derived data from those kits identifiably associated with specific people. Google is only promising to dispose of the costly data to store, the raw biometric material that takes up precious terabytes, but unlike 23andme will never voluntarily permit you to review and remove the results of their biometric analysis if you. Reclaim, if you’re reading this, here’s what you missed:
https://docs.cloud.google.com/recaptcha/docs/hand-gesture-ve...
> Google does not retain any images or videos of a user's hand gestures
This is the sole statement of data deletion provided, and nowhere does Google state any other retention policy for derivations whatsoever, whether anonymized or associated, from that hand data; referring instead to the generic terms of service privacy policy:
> Other data is deleted or anonymized automatically
The privacy policy does not have a specific callout for biometric derivations, and so they may choose to anonymize rather than delete your biometric data.
> some data we retain for longer periods of time when necessary for legitimate business or legal purposes, such as security, fraud and abuse prevention
Recaptcha exists for the exlclusice purpose of security, fraud and abuse prevention, and so by this clause they may retain your identified hand scan biometrics for as long as they see fit.
> We will share personal information outside of Google if we have a good-faith belief that disclosure of the information is reasonabl[e]
They will give your identified hand biometrics upon request to anyone who can make a convincing case to them.
> We may share non-personally identifiable information publicly and with our partners
And they grant themselves the right to start selling their dataset of humanity’s hand biometrics for personal profit with none shared back to those whose biometrics are now a commodity to be bought and sold.
(Note that Google is not alone in this; see also gestures at much of tech. But that’s no excuse for the grift going unreported by a journalistic entity that’s been around long enough to know better how these reassurance-by-omission scams work. I was already upset with Google but I still expect better of those trying to stop them.)
With as many Ph.D.s as there are at Google, you’d think they’d be smarter than to come up with this. Which is how you know the PMs are in charge, not the smart people.
No firm lasts forever.
Sun, Lucent, Yahoo all had massive valuations at their peak but eventually dwindled and got acquired.
It's always possible for a massively valued company to stumble, fall, and become a husk of what it once was. I don't think Google/Alphabet is immune to this even though their absurd cash cow from ads make it very unlikely at this exact moment.
It's interesting the parallels of Google's recaptcha and Cloudflare turnstile.
Cloudflare is free, no image selector, allows VPNs and Tor for the most part, just 0 click with a good ip reputation and 1 click with a bad one.
Recaptcha is paid, trains waymos, sucks millions of hours of human time, asks for camera access, asks for a phone attestation, blocks VPNs/Tor.
Thank god less sites are using ReCAPTCHA.
Looking forward to some other solutions gaining prominence eventually as well.
Like that Anime girl one.
https://m.xkcd.com/2228/
If a web requires me to do this to access it, I simply refuse.
The last time I needed some web was my electricity company - sent them a ticket with a complaint. They replied with some bs like "your browser is simply not supported" so I kept sending them the same ticket over and over again until I got a real response and it seems they decided to change the system.
To use my favorite quote: That's all it takes really, pressure, and time... :)
Someone always has to be the first to say "no thanks" to their bs.
(Apparently, this started appearing from last month - https://cybernews.com/privacy/google-qr-code-recaptcha-requi... ).
Would it deny her hand's reCAPTCHA because it doesn't match my biometrics? Or would it allow her and just make a record in the google database that she was using my phone at 8:42PM ?
For instance, terminalcam, gives just enough data to reveal liveness without necessarily giving enough information about identity.
https://gitlab.com/here_forawhile/terminalcam
Not sure what problem everybody here is having with this. The alternative would be device certificate stuff (ala did Apple sign for this being a proper Apple device?). Having to shake your hand sounds a lot more privacy friendly. Are you guys seriously worried that Google is gonna steal your secret handshakes?
Like seriously, if I have to turn on a camera to get through a recaptcha then the website doing it can fuck right the hell off with extreme prejudice. My web browser is not allowed to access my cameras for any reason, no exceptions.
So stripping away user privacy even more is justified for implementing an already obsolete verification method?
For starters, it's extremely invasive (camera on to pay a bill - wtf?), has unclear privacy implications and questionable accessibility (to put it mildly).
At least I know what kind of hand gesture they will get first :)
They asked for feedback after I canceled the login, I gave very candid feedback in a form.
Then they asked if I would give an interview.
You know why I wanted to log in? To claim a $7 refund.
They ended up mailing it.
(this is from the Netherlands where you can use digID [0] to sign into government services and ID-bound 3rd parties like insurance, mortgages, pensions etc)
[0] https://en.wikipedia.org/wiki/DigiD
The internet is dead.
Can't be bothered... so instead using the accessibility option of listening to a phrase instead.
> Google does not retain any images or videos of a user's hand gestures
This is the sole statement of data deletion provided, and nowhere does Google state any other retention policy for derivations whatsoever, whether anonymized or associated, from that hand data; referring instead to the generic terms of service privacy policy:
> Other data is deleted or anonymized automatically
The privacy policy does not have a specific callout for biometric derivations, and so they may choose to anonymize rather than delete your biometric data.
> some data we retain for longer periods of time when necessary for legitimate business or legal purposes, such as security, fraud and abuse prevention
Recaptcha exists for the exlclusice purpose of security, fraud and abuse prevention, and so by this clause they may retain your identified hand scan biometrics for as long as they see fit.
> We will share personal information outside of Google if we have a good-faith belief that disclosure of the information is reasonabl[e]
They will give your identified hand biometrics upon request to anyone who can make a convincing case to them.
> We may share non-personally identifiable information publicly and with our partners
And they grant themselves the right to start selling their dataset of humanity’s hand biometrics for personal profit with none shared back to those whose biometrics are now a commodity to be bought and sold.
(Note that Google is not alone in this; see also gestures at much of tech. But that’s no excuse for the grift going unreported by a journalistic entity that’s been around long enough to know better how these reassurance-by-omission scams work. I was already upset with Google but I still expect better of those trying to stop them.)
Seems like they covered your points just fine. They just did it succinctly and trusted the reader to understand the broader implications.