Privacy Wars: How ‘Apple vs. Facebook’ Affects Your Cybersecurity

Facebook recently ran full-page ads in major newspapers. One of them said, “We’re standing up to Apple for small businesses everywhere,” and claimed that a new Apple policy would be “devastating” for small enterprises. Another began with the headline “Apple vs. the free internet.”

Apple CEO Tim Cook has fired back. During a speech, he warned: “Technology does not need vast troves of personal data stitched together across dozens of websites and apps in order to succeed… If a business is built on misleading users on data exploitation, on choices that are no choices at all, then it does not deserve our praise. It deserves reform… A social dilemma cannot be allowed to become a social catastrophe.”

Facebook and Apple are engaged in a war over user data privacy. Apple is strengthening privacy protections in its software, and this is a direct threat to business models (such as Facebook’s) which depend on accumulating enormous troves of user data.

You might think that this battle doesn’t directly affect your organization, but it has far-reaching implications—especially in the area of cybersecurity.

If your organization uses certain web security tools, then this issue will affect you soon. The clash of Apple vs. Facebook is merely one example of a growing backlash against user data collection. And the toolchain you use for web security probably includes one or more components that will be affected by this.

This is a broad subject, and it includes some topics that aren’t commonly discussed. For example, multi-tenant security solutions create a number of privacy issues, such as the requirement that data must be decrypted and processed outside of your organization’s environment. This obviously creates the potential for compromise, and sometimes this potential becomes reality (as we saw in the Cloudbleed incident).

However, of all security-related privacy topics, there is one at the forefront today. This issue is being discussed more and more, and is quickly heating up.

Hostile Bot Detection

On the web today, organizations need a reliable way to detect and block hostile bots from their sites, applications, and APIs. Most web attacks include bots in one form or another, and threat actors are always inventing new ways to use them for various types of malicious activity. Thus, it’s important to filter bots out of incoming traffic.

To accomplish this, Google’s reCAPTCHA service has been a very popular method. Its promise is simple and clear: install reCAPTCHA on your site, and it will automatically verify that all users are human. This promise is very appealing, and reCAPTCHA is widely used today. Of the top 10,000 websites, over 40 percent have reCAPTCHA installed.

But despite reCAPTCHA’s popularity, there is a growing amount of dissatisfaction with it. It has three major problems: effectiveness, user experience, and (especially) privacy. Let’s discuss them.

Effectiveness: reCAPTCHA is supposed to detect and block bot traffic. Unfortunately, automated methods—and therefore, modern bots—can now bypass it. Researchers have shown that methods such as Reinforcement Learning can solve reCAPTCHA puzzles with a success rate of more than 90 percent. On GitHub, there’s even a browser extension that can solve them automatically.

Essentially, reCAPTCHA can still be useful against older bots, but it’s not effective against threat actors using modern tools.

User Experience: The latest version (v3) of reCAPTCHA is supposed to be invisible to human users. However, every web user knows that this isn’t always true. These puzzles still pop up sometimes, breaking an application’s flow and preventing a user from performing their desired activities until they solve a tedious (and often frustrating) puzzle.

Privacy: This is the most severe issue. Most organizations are unaware that reCAPTCHA can be bypassed, and they also don’t pay much attention to the suboptimal user experience. But across the web, there’s a growing backlash against reCAPTCHA from those who are concerned about protecting user data.

Privacy Implications of reCAPTCHA

Webmasters who use reCAPTCHA are encouraged to place it on every page of their sites. And since it is installed on millions of sites, Google has an unprecedented opportunity to track users as they move across the web, compiling extensive profiles of where they go and what they look at.

Is Google doing this? Nobody outside of the company knows, and that’s part of the problem. If Google were not tracking user behavior through reCAPTCHA, they could easily say so—but they have not done this. The documentation only says that reCAPTCHA tracks user interactions with the site that it’s installed upon; whether or not this tracking is linked across websites is not disclosed.

Privacy advocates have, understandably, interpreted this in the worst possible light. They point out that a company that runs a large ad network has every incentive to build exhaustive profiles on web users, with every tool at its disposal. And indeed, Google’s general privacy policy says that the search engine collects an extensive amount of data from people who use its services.

Perhaps this doesn’t seem like a big deal for reCAPTCHA. After all, users can just opt-out, right? No, they can’t—and that’s a large part of the problem. When a site has reCAPTCHA installed, there’s no way for anyone to use the site without participating in whatever data collection is occurring. Even ad-blocking software won’t help, because many popular ad-blockers explicitly whitelist reCAPTCHA.

Alternatives to reCAPTCHA

As awareness of these problems has grown, so has dissatisfaction with reCAPTCHA. This can be seen from the speed at which organizations replace it with something else, once they know that an alternative exists.

For example, hCaptcha offers a drop-in replacement for reCAPTCHA. It has grown quickly, and now “runs on 15 percent of the internet.”

However, the alternatives have problems of their own. For example, when compared to reCAPTCHA, hCaptcha is far more intrusive into the user experience; it frequently interrupts users with image-recognition challenges. The UX is bad enough that you can find forum posts recommending that people install a browser extension to authenticate themselves and avoid all the puzzles. And it’s telling that the hCaptcha website offers the ability to install a special “accessibility cookie” to turn off the challenges (but only on that individual device, and not permanently; the cookies have to be refreshed periodically).

Clearly, a different approach is required.

Use Reblaze for bot filtering

Reblaze offers bot management as part of its all-in-one web security platform, with a multivariate approach for hostile bot detection. Along with regularly-updated threat feeds (containing information such as lists of IPs currently being used by hostile bots), Reblaze also uses advanced rate limiting, session flow control, browser/client verification, biometric behavioral analysis, and more.

Unlike reCAPTCHA, hCaptcha, and similar services, Reblaze is designed to never interrupt the user experience. It blocks hostile bots by detecting them directly through a variety of methods: screening hostile traffic sources, identifying their environments (headless browsers and emulators), constraining their actions (such as credential stuffing and other account-takeover tactics), comparing their behavior to that of legitimate users, and more.
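To make the multivariate idea concrete, here is an added illustration (not Reblaze’s code, and not a description of its internals): it scores a constructed set of access-log lines on three independent signals named above, request rate, login-flow ordering, and headless-browser markers in the user agent, and treats a client as hostile only when two or more signals agree. The log format, thresholds, and sample IPs are assumptions made for the example.

```python
import re
from collections import defaultdict
# Constructed sample log lines (not real traffic): "<client_ip> <unix_ts> <method> <path> \"<user_agent>\""
HUMAN_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit/537.36 Safari/537.36"
HEADLESS_UA = "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/90.0.4430.93"
SAMPLE_LOG = (
    [f'203.0.113.5 0 GET /login "{HUMAN_UA}"',   # ordinary user: load form, submit it, land on account page
     f'203.0.113.5 5 POST /login "{HUMAN_UA}"',
     f'203.0.113.5 6 GET /account "{HUMAN_UA}"']
    + [f'198.51.100.7 {100 + i // 2} POST /login "{HEADLESS_UA}"' for i in range(40)]  # login POSTs, no form load
    + [f'192.0.2.9 {200 + i // 6} GET /search?q={i} "{HUMAN_UA}"' for i in range(12)]  # bursty but otherwise normal
)
LOG_RE = re.compile(r'^(\S+) (\d+) (GET|POST) (\S+) "(.*)"$')

def parse_sessions(lines):
    """Group requests per client; each event is (timestamp, method, path, user_agent), sorted by time."""
    sessions = defaultdict(list)
    for m in filter(None, map(LOG_RE.match, lines)):
        ip, ts, method, path, ua = m.groups()
        sessions[ip].append((int(ts), method, path, ua))
    return {ip: sorted(ev) for ip, ev in sessions.items()}

def score_session(events, window=10, rate_limit=10):
    """Each signal is weak on its own; the score is simply how many independent signals fire."""
    reasons = []
    # Signal 1, rate limiting: peak number of requests inside any `window`-second span (assumed threshold)
    ts, j, peak = [e[0] for e in events], 0, 0
    for i in range(len(ts)):
        while ts[i] - ts[j] >= window:
            j += 1
        peak = max(peak, i - j + 1)
    if peak >= rate_limit:
        reasons.append("rate")
    # Signal 2, session flow: a login POST that was never preceded by loading the login form
    seen_form = False
    for _, method, path, _ in events:
        seen_form |= (method, path) == ("GET", "/login")
        if (method, path) == ("POST", "/login") and not seen_form:
            reasons.append("flow")
            break
    # Signal 3, client environment: the user agent self-identifies as a headless browser
    if any("HeadlessChrome" in ua or "PhantomJS" in ua for *_, ua in events):
        reasons.append("headless")
    return len(reasons), reasons

def classify(lines, threshold=2):
    """Block only when at least `threshold` signals agree, so a single noisy signal never blocks a real user."""
    return {ip: (score >= threshold, reasons)
            for ip, ev in parse_sessions(lines).items()
            for score, reasons in [score_session(ev)]}
```

Note that the bursty searcher trips the rate signal alone and is still not blocked, which is the point of combining signals rather than relying on one puzzle or one threshold.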

User Privacy: A Growing Issue on the Web

The ‘Apple versus Facebook’ battle is shining a spotlight onto data privacy, and making it a much more public issue. Previously, reCAPTCHA’s privacy issues were not widely discussed; now, there is a growing controversy around it.

And as discussed above, it’s no longer an effective means of bot management anyway. Organizations which rely on reCAPTCHA are increasingly at risk for a wide variety of bot-based attacks.

To get a demo of an effective and private bot management solution, contact us here.
