> The main purpose of recaptcha is to prevent bots from abusing services
It's funny when people think they are adding to the conversation by contradicting a thoughtful and interesting comment (even if it may be a bit conspiracy-theory-ish), by simply re-reciting the corporate line.
I downvoted because I run several non-profit websites, and start without any captcha’s by default. But forms always end up getting spammed, and then I have to add some protection. This is literally why captchas exist in the first place, as well as why so many sites have them. Google came along and offered a convenient, free version, so many people started to use it, although I don’t. Why Google decided to offer it is possibly what you claim, but that changes nothing about why the nonprofit makes use of it.
It's not free. It increases friction, and at least in my case, results in abandoned transactions. I'm not well versed in the different options for spam protection (or the attacks) but I do know that most merchants don't make their users solve a puzzle, especially at a critical point along the purchase workflow where is it most likely to get derailed.
The fact that google is (probably unintentionally) particularly appealing to small providers or charities, pretending they offer a "free" product, makes it even worse.
Edit: not an endorsement, but elsewhere in the discussion someone posted a link to cloudflare's captcha solution, which they say specifically addresses the privacy and annoyingness concerns of Google's captcha. So there are options:
https://www.cloudflare.com/en-ca/products/turnstile/ (I'm not actually familiar with this, it may have a downside I don't know about)
(Also, disagreeing with something is generally a poor reason to downvote. It's much better to have a discussion, and I appreciate your comment)
True enough. That’s why I don’t use it. Google’s solution is absolutely awful, and I’m positive you aren’t the only one abandoning important flows on non-profit websites because of it.
I always just use a form field that's hidden by CSS or JS and then reject submissions with a value in that field. Just name the field after something bots or other services may care about but you don't (e.g. name, if you're not using real names).
Comparative benefit in the case of complex interactions is notoriously hard to judge.
A simple case of "subject does X and gains Y benefit" can, at scale become something like "subject is tasked with X, some fraction cooperate, some fraction defect, plus there are other induced effects such as cost of provisioning / supporting service S under various attack modes".
So:
- Without CAPTCHA, the service might be entirely nonviable.
- CAPTCHA tends to come with a large set of additional data-tracking elements and aspects. (E.g., I've got to enable multiple Google-domain JS in order to log in to several non-Google websites.)
- CAPTCHA itself directly consumes people's time, and thwarts legitimate use of numerous sites by many people.
- CAPTCHA and other countermeasures often mean that basic HTTP-based Web access is no longer viable. E.g., Internet Archive and Worldcat (two domains I make heavy use of) are no longer accessible via a terminal-mode browser. As I'd had (and still have) numerous terminal-mode query quick-lookup tools, this means I've now got to 1) break my terminal workflow and 2) invoke the full resources of a GUI browser (and usually a very limited set of very-heavy-weight such browsers) rather than run a quick one-liner on the terminal / command line.
(I'm not going to remotely pretend that this is a frequently encountered use-case from providers' perspectives. It's a frequently-encountered use-case from my perspective, however, and impacts strongly on various command-line, terminal, batch, script, automated tools, etc., and the value that these provided for Web interactions. Yes, in many cases, because of bad-faith / bad-actor abuse of those capabilities.)
- Measuring the net beneficial value of interactions is ... hard. A doctor looking up information probably has greater societal value than a bored pensioner or a pub's quiz-night team looking up answers to a game question. Discerning those at the Webserver level is ... difficult. Total requests is easy to measure, if not necessarily informative. W. Edwards Deming rolls in his grave....
I call that sort of reply "coin operated" - there is some crude pattern recognition that goes on (dropping any subtlety or new information a parent comment may be providing) and a sort of pre-recorded viewpoint gets spit out. There are certain topics where it's very common
I think it also happens sometimes when the parent comment hits close to home... perhaps someone actually worked on implementing a feature for a few years and even from the inside never figured out the actual purpose of what was being built. That cognitive dissonance hits hard when an outsider points it out in black and white. "Wait, I built non-consensual tracking software? But nobody told me they would use it for that!!!"
The main purpose of recaptcha is to prevent bots from abusing services, and has much less to do with exercising “monopoly power to … track you”.