Oliver Emberton:
How hard could one simple checkbox be? It's more complex than you'd think!
To start, Google created an entire virtual machine—basically, a computer within a computer—just to make that checkbox work.
This virtual machine operates in Google's unique language, which they then encrypt. Twice over.
This isn’t your usual encryption. Typically, when you secure something with a password, a key is used to unlock it. But Google's invented language is decrypted using a key that changes as it's read, and the language itself morphs during the process.
Google combines (or hashes) that key with the URL you're visiting, making it impossible to use a CAPTCHA from one site to bypass another. They also merge it with your browser's “fingerprints,” capturing tiny, unique details of your computer that a bot would have trouble mimicking (like CSS rules).
All of this is designed to make it nearly impossible for you to figure out what Google is doing. You'd need special tools just to break it down. (Luckily, some people did just that).
These checkboxes gather and analyze a ton of data, including: your computer's time zone and time, your IP address and approximate location, screen size and resolution, the browser you're using, your browser plugins, page load times, and how many key presses, mouse clicks, taps, or scrolls you make—and more things we don’t fully understand.
It’s also known that these checkboxes ask your browser to render an invisible image and send it to Google for checking. The image uses a weird font that, depending on your system, will fall back to a different font and look totally different. Then they add a 3D image with a special texture, and the result varies between devices.
In the end, these seemingly simple checkboxes use all this data alongside their understanding of who’s using the computer. Nearly everyone online uses something owned by Google—search, mail, ads, maps—and, as we all know, Google Tracks All Of Your Things™️. When you check that box, Google goes over your browsing history to see if it seems human enough.
This is easy for them, as they’re constantly tracking the behaviors of billions of actual people.
The exact method they use to analyze this information is a mystery, but they’re almost certainly relying on machine learning (or AI) on their private servers, something that can’t be replicated by outsiders. I wouldn’t be shocked if they’ve even developed an adversarial AI to try to beat their own AI, with both learning from each other.
So why is all of this difficult for a bot to get through? Because now, you’re dealing with a massive amount of unpredictable human behaviors, and these behaviors are almost impossible to understand, constantly changing, and impossible to predict. Your bot might need to sign up for a Google service and use it in a way that convincingly differs from other bots’ devices, in ways that you can’t even comprehend. It could require natural pauses and errors between typing, scrolling, and mouse movements. Teaching a computer to do this is incredibly challenging, and this complexity comes with a financial price for the spammer. They may break it for a while, but if it costs them, say, $1 per successful attempt, it’s usually not worth their time.
Still, some people manage to bypass Google’s protections. CAPTCHAs are part of an ongoing arms race that neither side will ever truly win. The AI technology that makes Google’s system so difficult to fool is the very same technology that gets adapted to deceive it.
Just wait until that AI gets good enough to trick you.
Sweet dreams, human.
This post was originally published on Quora.
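The binding described above, where the key is hashed with the site URL and with browser details so a solved challenge cannot be reused elsewhere, can be sketched as follows. This is an added example, not part of the original post and not Google's actual scheme; HMAC-SHA256, the function names, the demo key, the 120-second window and the sample attributes are all assumptions.

```python
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-demo-key"  # constructed; use a random secret in practice
MAX_AGE_SECONDS = 120  # assumed validity window


def fingerprint(attrs):
    """Collapse browser attributes (time zone, screen size, ...) into one digest."""
    canonical = "\n".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()


def _mac(site_url, fp, issued_at):
    # Length-prefix each field so adjacent fields cannot be shifted into each other.
    parts = (site_url.encode(), fp.encode(), str(issued_at).encode())
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest().encode()


def issue_token(site_url, fp, now=None):
    issued_at = int(time.time() if now is None else now)
    return f"{issued_at}.{_mac(site_url, fp, issued_at).decode()}"


def verify_token(token, site_url, fp, now=None):
    now = int(time.time() if now is None else now)
    try:
        issued_str, tag = token.split(".", 1)
        issued_at = int(issued_str)
        tag_bytes = tag.encode()
    except ValueError:
        return False  # malformed token
    if not 0 <= now - issued_at <= MAX_AGE_SECONDS:
        return False  # expired or issued in the future
    # Recompute over the verifier's own site and fingerprint; constant-time compare.
    return hmac.compare_digest(_mac(site_url, fp, issued_at), tag_bytes)


# Constructed sample values (not real data).
SAMPLE_FP = fingerprint(
    {"timezone": "UTC+1", "screen": "1920x1080", "browser": "ExampleBrowser 1.0"}
)
```

A token issued for one site and one fingerprint fails verification when presented with a different URL or a different set of browser attributes, because the verifier recomputes the tag over its own values.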
