On Wednesday, Google announced that many of its “Captchas” — the squiggled text tests designed to weed out automated spambots — will be reduced to nothing more than a single checkbox next to the statement “I’m not a robot.” No more typing in distorted words or numbers; Google says it can, in many cases, tell the difference between a person or an automated program simply by tracking clues that don’t involve any user interaction. The giveaways that separate man and machine can be as subtle as how he or she (or it) moves a mouse in the moments before that single click.
“For most users, this dramatically simplifies the experience,” says Vinay Shet, the product manager for Google’s Captcha team. “They basically get a free pass. You can solve the catptcha without having to solve it.”
Instead of depending upon the traditional distorted word test, Google’s “reCaptcha” examines cues every user unwittingly provides: IP addresses and cookies provide evidence that the user is the same friendly human Google remembers from elsewhere on the Web. And Shet says even the tiny movements a user’s mouse makes as it hovers and approaches a checkbox can help reveal an automated bot.
“All of this gives us a model of how a human behaves,” says Shet. “It’s a whole bag of cues that make this hard to spoof for a bot.” He adds that Google also will use other variables that it is keeping secret –revealing them, he says, would help botmasters improve their software and undermine Google’s filters.
In cases where a mere click doesn’t produce a conclusive response, a pop-up window will require users to decipher the same old distorted text. In tests during the past week on sites that use Google’s captcha, however, it’s verified most human users without that backup. About 60 percent of WordPress users and 80 percent of users at video game sales site Humble Bundle got past the captcha with only the checkbox.
For smartphone and tablet users, Google hasn’t simplified its captcha to a single click. Instead, it will show users a collection of images and ask them to make distinctions that might be tough for bots. For instance, it might display a picture of a cat and ask the user to tap the images that match it among eight photos of other cats, dogs, gerbils and leaves.
For desktop users, however, it’s no surprise that Google can now block bots based on a single click. Google has been working on that same problem for years to stymie “click fraud,” the nonhuman scourge that clicks on pay-per-click ads to generate revenue for the sites that host them. And Google has also been invisibly integrating automated bot-detection into its captchas since at least 2013. In October of last year it revealed it was using “advanced risk analysis” in captchas to identify automated bad actors. And on Valentine’s Day of this year, it experimented with showing users simple, undistorted words like “Love” and “Flowers,” and depended on that advanced risk analysis to filter out bots that could easily use image recognition to read those words.
This latest evolution may go too far for some; privacy-conscious users won’t appreciate the reminder that Google can learn — or already knows — so much about them based only on simple clues they reveal in their online actions.
But Google’s Shet points out that when its captchas appear on other sites, Google will only be able to track the user’s movements over the captcha widget, not the whole page. And he argues that captchas are, by their very nature, good for privacy: They provide a way to show you’re a good user, rather than an evil bot, without logging in to a service or coughing up identifying details. “You don’t have to verify your identity,” Shet says, “to verify your humanity.”
This article originally appeared on Wired.com