That check is watching the way your move your mouse as you approach the checkbox. It’s also only offered to users when they have good evidence from other signals like your IP, and browser settings that you are a real person.

The issue isn’t ticking the box. Ticking the box only initiates the process, and it checks for a few things to see of your recent browsing behavior has been natural and human enough. This is why it takes a small while to actually get ticked after clicking, and also why sometimes, despite you being definitely browsing normally, it also asks you to click stop signs, and crosswalks: Just a triple-check.

Among other things, it checks if you navigated websites normally, it checks if your mouse behavior is sloppy-ish, and whatever typing speed you get.

This isn’t perfect, either, as some bots still get through, but it catches the really bad ones, which helps a lot.

[deleted]

It is not about ticking the box, It is asking you a question, if you are a robot or not, and robots are so proud that they are not skin bags like us, they just can’t say no.

High end bots definitely can bypass those captchas… this things only keep away small developers or web scrappers.

I’m sure there’s more to it, but pretty much because of this:

>The isTrusted read-only property of the Event interface is a boolean value that is true when the event was generated by a user action, and false when the event was created or modified by a script or dispatched via EventTarget.dispatchEvent().

[https://developer.mozilla.org/en-US/docs/Web/API/Event/isTrusted](https://developer.mozilla.org/en-US/docs/Web/API/Event/isTrusted)

I wonder if downloading the chromium source files, modifying the code to always return true, then building it again (it may take a few hours, I guess), would actually work.

If it presents you that checkbox and accepts it, it’s because the system already has a model indicating you are a human. Previous trackable behavior etc. says that you’re not a robot, so you get the easy challenge.

This is pretty common in the anti-fraud world. You can “randomly” get asked for stronger account authentication, for example — something like associating a phone number with your account. That’s based on the confidence that the fraud model has on whether your account is legitimate.

As someone who deals with this on a daily basis, I don’t know if it’s a bot or human spammers, but I’m dealing with hundreds or thousands of fake clicks per day that get thru Google’s reCaptcha. So the answer to your ELI5 is: actually they do, at quite a large scale.

To highlight what others are saying, those CAPTCHAS are checking a lot of things to verify that you are human. The most popular one, reCAPTCHA, doesn’t really tell you what it’s doing on the back end because having that information would help hackers to defeat it with bots. Granted, there are other ways they can be defeated, such as by using a scam website to “proxy” the CAPTCHA through to have a human solve it for them.

That said, some of the things they do look for is how your mouse has moved (or how your phone screen has been scrolled), recent browsing activity, how you have interacted with the page you’re looking at, and data stored in your browser cache. It tries to assign a “weight” to these values and, if what it see exceeds a certain threshold, the algorithm determines you to be human. If it does not, then it shows you the stop signs and school buses and stuff just to be extra sure.

Because bots aren’t allowed to say that they’re not robots. That’s one of their prime directives.