Google Wants to Scan Your Hand for its reCAPTCHA
Google's reCAPTCHA service will start asking for camera permission to scan your hand in different positions to determine if you're human.
CAPTCHAs are a common annoyance among internet users, interrupting your browsing with a picture puzzle seemingly designed to be as obnoxious as possible.
They're also bad for privacy, making heavy use of fingerprinting to try to weed out bots.
Now, reCAPTCHA is going to be taking fingerprinting more literally by asking you to provide camera access and scan your hand doing various gestures.
Google analyzes one or more videos of a user's hand as they perform various actions or gestures. The video is processed to extract hand landmark data, which includes 21 hand-knuckle coordinates.
Providing camera access opens the door to all sorts of abuses. Any data the camera sees, from your face to sensitive documents or information on a screen, could be sent off and stored by Google.
The documentation makes no mention of on-device processing, although they try to assure you that they handle the videos with care:
Google does not retain any images or videos of a user's hand gestures beyond the verification process or use the data for any other purpose. Videos or images are automatically deleted after the challenge is complete.
The information Google collects is used and stored in accordance with the Google Privacy Policy.
Unfortunately, you have to fully trust Google that they're deleting the videos; there's no way for you to verify their claims.
They also claim not to collect audio, but providing camera access in most operating systems also provides audio recording at the same time.
There has been research into using hand gestures as a form of biometric authentication with a 99% accuracy rating for identifying individuals, raising concerns that Google could identify you individually from your hand gestures.
This comes after Google's attempt to make reCAPTCHA require a phone app to also grant your camera permission and scan a QR code in order to access websites.
For some reason, the old-style CAPTCHAs are still available for people who aren't able to complete the hand gesture, calling into question what the entire point is if it can just be bypassed anyway.
The need for privacy-preserving bot detection is at an all-time high with AI agents running amok all over the internet. Solutions like Private Access Control Tokens, which don't require any access to sensitive permissions or sending any fingerprinting or other data, have been proposed by browser vendors.
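To make the contrast concrete, here is an added example (not code from the article, Google, or any browser vendor) of what a Private Access Token challenge actually carries. Private Access Tokens build on the Privacy Pass protocol, whose TokenChallenge structure and PrivateToken header layout are taken here from my reading of RFC 9577; the issuer and origin names are constructed placeholders, and the base64url padding handling is an assumption.

```python
import base64
import struct

# Privacy Pass token types (values assumed from the Privacy Pass issuance spec).
TOKEN_TYPE_VOPRF_P384 = 0x0001
TOKEN_TYPE_BLIND_RSA_2048 = 0x0002


def _b64url(data: bytes) -> str:
    # Padding kept, as the header examples in the spec appear to use it (assumption).
    return base64.urlsafe_b64encode(data).decode("ascii")


def encode_token_challenge(token_type: int, issuer_name: str,
                           redemption_context: bytes = b"", origin_info: str = "") -> bytes:
    """Serialise a TokenChallenge: the only things an origin sends are a token type,
    the issuer it trusts, an optional 32-byte per-challenge nonce and its own name.
    Nothing about the client (device, camera, biometrics) is in here."""
    if len(redemption_context) not in (0, 32):
        raise ValueError("redemption_context must be empty or exactly 32 bytes")
    issuer = issuer_name.encode("ascii")
    origin = origin_info.encode("ascii")
    return (struct.pack("!H", token_type)
            + struct.pack("!H", len(issuer)) + issuer
            + struct.pack("!B", len(redemption_context)) + redemption_context
            + struct.pack("!H", len(origin)) + origin)


def decode_token_challenge(blob: bytes) -> dict:
    """Parse a TokenChallenge back into its fields, rejecting trailing bytes."""
    off = 0
    (token_type,) = struct.unpack_from("!H", blob, off); off += 2
    (n,) = struct.unpack_from("!H", blob, off); off += 2
    issuer = blob[off:off + n].decode("ascii"); off += n
    n = blob[off]; off += 1
    ctx = blob[off:off + n]; off += n
    (n,) = struct.unpack_from("!H", blob, off); off += 2
    origin = blob[off:off + n].decode("ascii"); off += n
    if off != len(blob):
        raise ValueError("trailing bytes in TokenChallenge")
    return {"token_type": token_type, "issuer_name": issuer,
            "redemption_context": ctx, "origin_info": origin}


def www_authenticate_header(challenge: bytes, token_key: bytes) -> str:
    """Build the WWW-Authenticate value an origin returns instead of a CAPTCHA puzzle."""
    return f'PrivateToken challenge="{_b64url(challenge)}", token-key="{_b64url(token_key)}"'
```

The client hands the challenge to its issuer (on Apple platforms, after device attestation) and returns a blinded token; the origin can verify that token without learning who the client is, which is the property the camera-based challenge lacks.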