Is the use of reCAPTCHA GDPR-compliant?(dg-datenschutz.de)
dg-datenschutz.de
Is the use of reCAPTCHA GDPR-compliant?
https://dg-datenschutz.de/ist_die_verwendung_von_recaptcha_dsgvo_konform/
54 comments
This is a very shady website and thus not a good source for legal advice of any kind… they call themselves “Deutsche Gesellschaft für Datenschutz” (German society for data protection) but are actually located in Bulgaria. They are not any kind of “official” data protection organisation.
Good spot, the real [Deutsche] "Gesellschaft für Datenschutz" seems to be: https://www.gdd.de
With a non-compliant cookie banner to start with...
Wow, nice catch, I've flagged it.
Oh thank you, I did not notice that.
I would recommend friendlycaptcha[1] which you can also run locally (including the server).
[1] https://friendlycaptcha.com/
[1] https://friendlycaptcha.com/
It's not really clear how it'd prevent bots...
> The difficulty of the puzzle, and therefore the time and resources needed to solve it, is intelligently and automatically scaled based on sophisticated risk signals to protect against advanced bots. Friendly Captcha is completely invisible and require no manual user challenge at all.
So... magic?
> The difficulty of the puzzle, and therefore the time and resources needed to solve it, is intelligently and automatically scaled based on sophisticated risk signals to protect against advanced bots. Friendly Captcha is completely invisible and require no manual user challenge at all.
So... magic?
> Based on proof-of-work mechanisms and advanced risk signals
> Friendly Captcha does not depend on tracking your users and exploiting personal data.
What "advanced risk signals" are these that do not involve tracking (or fingerprinting) users?
> Friendly Captcha does not depend on tracking your users and exploiting personal data.
What "advanced risk signals" are these that do not involve tracking (or fingerprinting) users?
Probably cloudflare's geoip-based range bans.
What about hcaptcha? Wasn’t it supposed to be a less intrusive alternative?
I get a wall of text with cookie approval/rejection buttons, but on mobile I can't even scroll to the top of the text to read it all. What a failure.
Try to switch off js.
Deliberate choice by the company trying to take your data. They don't have to do that, they want you to be pissed off with the wrong people.
EDIT: ignore all this, as per other comment, this appears to be an unrelated company registered in a different country.
The real [Deutsche] "Gesellschaft für Datenschutz" seems to be: https://www.gdd.de
-
Before edit:
Given this is one of the organisations who help give governments draft laws by advising them, and whose purpose is to help its members obey those laws, that would be rather self-defeating.
And given the web design apparent on the following page, I think this is much more easily explained as "bad web design": https://dg-datenschutz.de/imprint/
The real [Deutsche] "Gesellschaft für Datenschutz" seems to be: https://www.gdd.de
-
Before edit:
Given this is one of the organisations who help give governments draft laws by advising them, and whose purpose is to help its members obey those laws, that would be rather self-defeating.
And given the web design apparent on the following page, I think this is much more easily explained as "bad web design": https://dg-datenschutz.de/imprint/
The choices are driven by the extra revenue and will not change until mass enforcement. Some sites (mostly news) even have a "buy subscription" or "accept cookies" option which I thought was not allowed under GDPR.
Spoiler: it's not allowed. But until they get huge fines, they will continue doing that.
EU should have just banned all collection. You give an inch and the parasites take a mile.
If given an active choice nobody* would ever go "yes I want you to sell my data to your 1,414 carefully selected partners". Maybe they want personalisation when they sign up for an account, but you ask them that at signup time, not the first time they land on your page.
* where nobody < 1%
If given an active choice nobody* would ever go "yes I want you to sell my data to your 1,414 carefully selected partners". Maybe they want personalisation when they sign up for an account, but you ask them that at signup time, not the first time they land on your page.
* where nobody < 1%
[deleted]
And it's in German right?
At this time of day, I'd wager half of the users here are able to comprehend German texts. The other half knows how to use a translation tool.
Funny you should say that... a friend sent me a page in german yesterday, helpfully linked directly through google translate so I can read it in a language i understand.
Unfortunately, the cookie dialog was missed by "the translation tool" and both accept and reject kinda look the same to me.
Unfortunately, the cookie dialog was missed by "the translation tool" and both accept and reject kinda look the same to me.
I concede that cookie banners are not helpful here. I also admit that I rarely see them anymore, as uBlock Origin removes them for me. I probably shouldn't have assumed that the web I see is the web everyone else sees.
Oh. Very interesting point there.
I have uBlock Origin (mind, with the default settings). I also have the Consent-O-Matic autofill extension that's supposed to reject cookies automatically for me.
Neither of them seems to catch cookie dialogs on some german sites. Not that I want uBlock to hide the cookie dialogs, I want them explicitly rejected by the other extension.
Consent-O-Matic does automatically reject most crap on english and romanian sites so I guess they haven't added support for whatever cookie dialog zeit.de uses (and that's popular on german sites?).
> both accept and reject kinda look the same to me
I bet that's very intentional too, and there are other ways to phrase it in German so the two options don't look similar.
I have uBlock Origin (mind, with the default settings). I also have the Consent-O-Matic autofill extension that's supposed to reject cookies automatically for me.
Neither of them seems to catch cookie dialogs on some german sites. Not that I want uBlock to hide the cookie dialogs, I want them explicitly rejected by the other extension.
Consent-O-Matic does automatically reject most crap on english and romanian sites so I guess they haven't added support for whatever cookie dialog zeit.de uses (and that's popular on german sites?).
> both accept and reject kinda look the same to me
I bet that's very intentional too, and there are other ways to phrase it in German so the two options don't look similar.
Well, I opened them in a plain browser profile and in the non-translated page the options seem clear to me? The buttons literally say this:
- Settings / Einstellungen
- Accept / Akzeptierten
- Reject All / Alle Ablehnen
The English translation is on the buttons in the non-translated page and those translations are fine. There's even a reject all button, which is fine too. The only not so nice thing is that the "Accept" button is coloured green.
Again, I don't want to defend those banners.
- Settings / Einstellungen
- Accept / Akzeptierten
- Reject All / Alle Ablehnen
The English translation is on the buttons in the non-translated page and those translations are fine. There's even a reject all button, which is fine too. The only not so nice thing is that the "Accept" button is coloured green.
Again, I don't want to defend those banners.
My dialogue on zeit.de had:
"Allen zustimmen" "Ausgewahlten zustimmen"
Yep I could look it up. But using the same verb looks like an intentional dark pattern to me. And I wasn't interested enough in the article to jump through the hoops.
(Our conversation did make me look it up and neither is 'reject all', they're 'accept all' and 'accept selection').
"Allen zustimmen" "Ausgewahlten zustimmen"
Yep I could look it up. But using the same verb looks like an intentional dark pattern to me. And I wasn't interested enough in the article to jump through the hoops.
(Our conversation did make me look it up and neither is 'reject all', they're 'accept all' and 'accept selection').
The wall of text is horrible UI, but at least there's a checkbox with an obvious label:
"Do not sell or share my personal information (CCPA/CPRA)."
Most other websites try to hide this fundamental choice from you behind dialogs and endless options. (And of course outside the EU you don't even get to control this, your data will always be collected and sold.)
"Do not sell or share my personal information (CCPA/CPRA)."
Most other websites try to hide this fundamental choice from you behind dialogs and endless options. (And of course outside the EU you don't even get to control this, your data will always be collected and sold.)
It's not well known but Canada also has rules (for any company or agency covered by Federal privacy law) around respecting the users wishes and gaining meaningful consent.
And as someone who was successful in making such claim, it was a relatively easy process.
And as someone who was successful in making such claim, it was a relatively easy process.
I'm using materialistic on Android to scroll hn, and sometimes the article shows as black.
Discussion from 1.5 years ago: https://news.ycombinator.com/item?id=36430280
> Google's invisible reCAPTCHA V3 simulation is now used on many websites around the world and no longer uses tests to check the humanity of users, but is based on behavioural analysis.
I had no idea. 90% of the time I’m getting the Please select all stairs bullshit. Another 5% is an outright block for “suspicious activity”. (I’m on Firefox, FWIW.)
I had no idea. 90% of the time I’m getting the Please select all stairs bullshit. Another 5% is an outright block for “suspicious activity”. (I’m on Firefox, FWIW.)
That's 90% of the times you even see it :)
Fair enough! I was thinking about the checkbox variant, not the “invisible captcha”. But I have a feeling I’m still getting the task for that as well, most of the time.
Currently YouTube is blocked at work without a Google login, and Chrome keeps demanding and successfully convincing individuals operating shared PCs to stay logged in on a browser session indefinitely.
> 90% of the time I’m getting the Please select all stairs bullshit.
Just yesterday it had me clicking all squares with motorcycles in it. I failed five consecutive times before it let me through.
Almost started to doubt myself.
Just yesterday it had me clicking all squares with motorcycles in it. I failed five consecutive times before it let me through.
Almost started to doubt myself.
Is ProtonCaptcha [1] a good alternative to reCaptcha? I’m sure it is GDPR compliant but can anyone just use it?
[1] https://proton.me/blog/proton-captcha
[1] https://proton.me/blog/proton-captcha
I’d just selfhost a PoW captcha like https://mcaptcha.org/ – should be fine for most applications.
The site says
"Das Vorhandensein von datenschutzfreundlicheren Optionen steht im Widerspruch zu einem berechtigten Interesse"
which means
"The existence of more privacy-friendly options contradicts a legitimate interest."
But did they really test if the alternatives block bots as well as reCaptcha?
If not, wouldn't that mean there is a legitimate interest in using reCaptcha?
If the mere existence of more privacy-friendly options, no matter how inferior, means you cannot use a certain service, wouldn't that make the use of pretty much every service illegal in the EU?
"Das Vorhandensein von datenschutzfreundlicheren Optionen steht im Widerspruch zu einem berechtigten Interesse"
which means
"The existence of more privacy-friendly options contradicts a legitimate interest."
But did they really test if the alternatives block bots as well as reCaptcha?
If not, wouldn't that mean there is a legitimate interest in using reCaptcha?
If the mere existence of more privacy-friendly options, no matter how inferior, means you cannot use a certain service, wouldn't that make the use of pretty much every service illegal in the EU?
A similar argument was tried with 'we sell all users data because otherwise we would not be able to run the service, thus we have a legitimate interest.' It did not fly there either.
A service does not have a right to exist. The user has a right to privacy. The users right to privacy trumps the services want to exist. Not to mention that, yeah, there are ways to get similar or better blocking for free, if you have some technical chops at least. I wouldn't fault a small blog for using googles captcha (although the need is questionable), but any company with at least a few employees should be able to figure this out at a relatively trivial cost.
A service does not have a right to exist. The user has a right to privacy. The users right to privacy trumps the services want to exist. Not to mention that, yeah, there are ways to get similar or better blocking for free, if you have some technical chops at least. I wouldn't fault a small blog for using googles captcha (although the need is questionable), but any company with at least a few employees should be able to figure this out at a relatively trivial cost.
>The users right to privacy trumps the services want to exist
The user can simply choose not to use the service?
The user can simply choose not to use the service?
Data hoarding doesn't just hurt the individual, it's bad for everyone.
The data-selling model will always have a strict competitive advantage against the good actors and so you as the user will end up with no options other than allowing that "legitimate" interest or not being able to access such a service. This has slight "people peeing in the community pool" vibes. Sure it may be "easier" for the individual doing it, but long term everyone just ends up with an unusable pool.
> there are ways to get similar or better blocking for free
How can you get better blocking for free?
How can you get better blocking for free?
ReCAPTCHA’s privacy concerns are valid, but I wonder if alternatives like FriendlyCaptcha can offer the same bot protection while being GDPR compliant.
nixass(4)