All the answers about it watching how you interact with the page or move your mouse are likely mostly wrong. Maybe it looks at some of that, but I’m not convinced.

In reality, it seems to look at as much about your browsing history as it can to make certain determinations. With reCAPTCHA, most of the time, you won’t have to do anything other than click the box. But if you want to guarantee that you get a further challenge, try using incognito mode. With incognito mode, all of the cookie history and other history Google has on you (reCAPTCHA is Google owned) is no longer accessible. The CAPTCHA has no data to determine who or what you are, so it is much more likely to present a further challenge beyond just the check box, and your immediate interactions with the website can be no different. This is telling me that they are using your browsing history as a much more important input than what you’ve been doing on the website.

And as to your questions about AIs being able to easily do them, yes that is a growing issue, which is why we are getting [completely ridiculous CAPTCHAS now](https://www.youtube.com/watch?v=ppM_7-uTH14). reCAPTCHA has actually been long used to train datasets, first OCR, and later AI models at Google. Because of this, the AIs have gotten very good at them because that was the whole idea they were going with. Going with ridiculous things like the “horse made of clouds” thing from the video I linked is all because AIs have gotten too good as solving them, so they have to make them so off the wall that there’s no way AIs have been trained on it yet.

what it’s actually doing is crowd source training robots to be more like humans.

i doubt it will do much in the way of protecting anything before too long.

They actually track mouse movements to scroll to the checkbox to see if it seems human-like or not. That’s how they actually determine if you’re a robot or not.

Thats because reCAPTCHA originally started as free labor, or “mass collaboration project” to digitalize books where words are too illegible for computer. then google bought it for anti bot and bot training.

This is why V1 has 2 words, 1 word is control word (the system knows is true) and the other one being unknown. so when a person types the correct first word, it is assumed the second one is true, and it gives it point. and when enough people give the same second response to the 2nd words, the system “learns” that second word and puts it into control.

Since then, the purpose was moved from learning words to actually blocking bot activities AND learning user behavior. modern Captcha actually runs in the background and analyses your activity to distinguish it from human and bots.

Those picture puzzles? yeah purpose 1 is to block dumb bots, and purpose 2 is to train AI learning.

This is a secret Google system that tracks many factors to decide whether you’re a human or a computer. Some important factors seem to be your IP address, your browser, and how quickly you click the mouse. If it’s sure you’re a human, it just lets you through and clicking the box is a formality. If it isn’t sure, you’ll get a traditional test where you have to click on pictures. It’s also possible that it’s sure you’re a bot, which I’ve experienced at least once, and it won’t let you pass at all.

| seems so easy to defeat by even primitive AI

OK, so write one.

Obviously^([1]), you’d think, they thought about that.

Hi, I work as a researcher for a large company that develops these CAPTCHAs for some of the biggest websites on the internet. You have 100% visited a website we protect.

My job is to create exactly the algorithms that distinguish human-and bot behaviour alike.

Yes, we analyze your mouse movements. Yes, we analyze your activity on the website, we take into account the IP you use, the browser, and much much more.

Bots are able to replicate human-action at very large scale very fast. They can scrape your entire website, stealing your intellectual properties, they can brute force you login page, effectively hacking into people’s accounts. They can even bruteforce credit card forms and steal your money.

These captchas force the bots the replicate more of the human actions, blocking most of them, and slowing others.

I’ll be happy to answer follow up questions 🙂

It stops simple attacks on websites, for eksempel overloading them by filling out forms and such.

The biggest problem with bot spam is how fast you can do it. A bot capable of solving captcha will be slow. Even if it bypasses, its damage is very limited.