We are all living in the 21st century - a time of progress, evolution and, most importantly, technology. However, this ultra-rapid evolution also brings along a whole plethora of new problems and potential issues that we as humans need to consider, especially in the online environment. Some of the most notable concerns revolve around cyberspace, more specifically privacy, identity and security. We at VPSBG have already touched upon these topics in some of our previous blog publications. In this post, however, we also want to talk about why we use hCaptcha, specifically in relation to these timely topics of online privacy and security.
What is a CAPTCHA?
To understand what hCaptcha is and the principles behind it, we first need to conceptualize the idea of a CAPTCHA in general. So what is a CAPTCHA? A CAPTCHA, short for ‘Completely Automated Public Turing test to tell Computers and Humans Apart’, is used by websites and webmasters to distinguish real users from bots that are trying to impersonate them. But why are bots a problem? As with anything else in the universe, bots have a good and a bad side, so we can distinguish between good bots and those with ill intentions, which are extremely dangerous and pose a serious threat to any website owner. Such bad bots can create an exceedingly high number of requests to the server by trying to complete different forms that require information submission on behalf of the user. This in itself can result in server overload, leading to crashes and significant downtime. Moreover, such bots can also attempt to inject cross-site scripts in order to perform an attack on the website. On top of this, there are also bots that try to impersonate humans and attempt to populate a given website’s database with fake information. All of these issues required the design, creation and implementation of a system that can battle these bots, which is why CAPTCHA was developed.
How is hCaptcha different?
Most websites nowadays use the renowned reCaptcha, which is provided by Google. However, the information that each user provides when solving that captcha gets sent directly to the tech giant’s servers. This data can then be used by the company to fuel its machine-learning algorithms and improve pattern discovery by amassing a substantial amount of data and creating large datasets, which can be studied. Needless to say, this all happens for free each time a user submits the captcha. This is the primary difference between reCaptcha and hCaptcha. So what exactly is hCaptcha? hCaptcha is a mechanism for tokenizing human labour developed by the HUMAN protocol. On the one hand, it grants websites compensation for the work that their visitors have done. On the other hand, the data that has been collected through the users’ actions is then put up for auction and becomes available for any machine-learning company to bid on. This process allows smaller businesses to also make use of pre-existing datasets in order to facilitate their own machine-learning projects. Because of this, both website owners and other businesses can benefit from users completing a given captcha rather than the information going to a tech giant like Google for free. This is by no means a bad process on Google’s part, as the company also wants to enhance user experience and help battle online bot spam, but what hCaptcha does in addition is grant access to others as well in order to help with their projects. Furthermore, hCaptcha has one more important feature - it supports labeling, a process that is extremely time-consuming and labour-intensive in the field of machine learning, which makes it incredibly expensive.
That’s good but what makes hCaptcha the optimal choice for us?
While we do support such data democratization, privacy and security are also important for us and we are extremely satisfied with the services and additional features that hCaptcha can provide.
hCaptcha’s security is incredibly strong as seen by the complexity of its work process in figure 1. It uses BotStop, which is capable of presenting tests that require extremely accurate results, ensuring that bots will have quite a difficult time completing the captcha. Furthermore, the entirety of the BotStop system is quite flexible as it can be deployed partially (or entirely) at the edge of the network, whether that is a public cloud or separate data centers, which can substantially cut down off-network traffic and additional costs. Moreover, BotStop has both an active and a passive mode, which can help prevent credential stuffing, block suspicious actors and detect account takeovers, without disrupting the server. Additionally, the verification process also happens instantaneously with 0ms latency as BotStop tokens can be verified without an API call.
hCaptcha is focused on preserving privacy. Because of this, the captcha offers no individual data retention and cookie-free operation, as well as additional contractual privacy guarantees. Moreover, hCaptcha also fully supports privacy and identity data laws across the entire planet, making it available for every country. Furthermore, the technology also supports different privacy initiatives like Privacy Pass. Ultimately, hCaptcha tries to protect user privacy as much as possible, which is why no user data is stored during the captcha completion process.
hCaptcha not only enables us to set custom security requirements and completion accuracy parameters, but also allows us to fully tailor each captcha form so that it is pleasant and relevant for the user who is completing it. On top of this, hCaptcha also offers support in all areas from form customization to website implementation.
Monetization & Charity Donations
Given that hCaptcha enables compensation for the work that the users do when they complete a captcha, it is important to note that hCaptcha also allows websites to donate those earned funds to any charity of their choice, which is something that we at VPSBG do.
Ultimately, hCaptcha facilitates security and privacy while also promoting a fair distribution of and access to completed captcha datasets. It is because of these reasons that we at VPSBG have elected to implement it into our website.
hCaptcha, 2021, ‘Request Flow’, online, accessed 1 October 2021, available at: <https://docs.hcaptcha.com/#request-flow>