How Effective Is The “Not A Robot” Check On Websites?

Table of Contents (click to expand)

The “I’m not a robot” checkbox is Google’s reCAPTCHA. The click itself isn’t the test; in the background, reCAPTCHA reads behavioral cues (cursor movement, cookies, and your browsing history) to judge whether you are human. It replaced the old distorted-text CAPTCHAs, which bots can now read with up to 99.8% accuracy.

The Internet has made life so easy. Everything you want is just a click away, easily accessible from the depths of your comfort zone. Want to restock your housing supplies? Go to an e-commerce site and click your way through the itinerary. Want to send money without moving an inch from your chair? Use the net-banking services of your bank. Want information about any niche hobby that you care about? Just peruse a range of blogs catered specifically to your tastes.

However, as it always happens, there are advantages and drawbacks to every revolutionary technology. In the case of the Internet, one of the many concerns in managing a digital infrastructure is unsolicited access to websites by bots.

Ranging from financial fraud to emptying the supply of goods provided by an e-commerce website, bots can create havoc. It has become necessary to develop ever-advancing ways to identify who is actually accessing a website; a warm-blooded, flesh and bones human or a cold, script-written bot.

The most common way this is done today, which I’m sure you may have come across (unless, of course, you are living under a rock!), is the reCAPTCHA, or the single click that differentiates you from a bot.

captcha i am on a robot vector computer code(AIexVector)s
Are you human? (Photo Credit : AIexVector/Shutterstock)

But how can simply clicking a box make you pass the human test? How effective is this method anyway? Let’s go down the bots vs human rabbit hole!

Why Do Websites Need To Test If You Are A Bot?

As stated earlier, the Internet is not the ideal place we once imagined it would be. It is filled with bad actors who want to take advantage of lapses in the digital infrastructure and use them to fulfill their malicious intent.

Bots can be trained to do all kinds of harm. Bots can create multiple accounts on social networking platforms and email providers (Gmail), thus inflating the number of users and creating havoc elsewhere on the internet with these email accounts. They can fill in forms with unwanted content and spread (you guessed it!) spam. This also applies to comments on websites and other platforms. They make it difficult to gauge the actual human interaction with a platform or website.

chatbot in red speech bubble(Pranch)s
Bots are nuisance (Photo Credit : Pranch/Shutterstock)

Then there are scrapers who use bots to collect email ids of users and use them for all sorts of malpractice. Hackers can use ‘dictionary attacks’ to go through every word in the dictionary to crack passwords, so your passwords aren’t all that safe either. That’s why you see an ‘I’m not a robot’ test when logging in to so many websites. Bots are also used to leave positive reviews and 5 stars on products and services, creating a false image of them.

To circumvent the plethora of these issues, a check is required to differentiate between a legit user and a bot. This is where CAPTCHAs come into the picture. 

The Birth Of CAPTCHAs

CAPTCHA, short for “Completely Automated Public Turing test to tell Computers and Humans Apart”, was coined in 2003 by researchers at Carnegie Mellon University (Luis von Ahn, Manuel Blum, and Nicholas Hopper) along with John Langford of IBM. It was a way to filter out unwanted bots from websites by using distorted images, puzzles, audio transcription, etc. This method has been used to fend off automated abuse on sites like PayPal

The premise of this method is that programs find it hard to decipher distorted visuals, whereas humans can easily decode them. At one point in time, this CAPTCHA method was being used by 200 million users every day, which amounts to spending approximately 500,000 hours transcribing scrambled text! The experts at CMU decided to turn all this effort into something useful and used this method of bot detection to digitize classic books. 

Captcha sample texts for security login(NanamiOu)s
Distorted text to validate users (Photo Credit : NanamiOu/Shutterstock)

This new method was called ‘reCAPTCHA’, and it used scanned PDFs, books and other materials as distorted tests for the user to transcribe, which solved two problems at once: eliminating bots and digitizing old print. reCAPTCHA went on to help digitize the entire archive of The New York Times (roughly 13 million articles dating back to 1851) and books for Google Books.

This spin-off of the CAPTCHA technology was acquired by Google in 2009 and has been further developed by the company.

On April 14th, 2014, Google released a scientific paper stating that it had developed image recognition systems using Deep Convolutional Neural Networks that could transcribe numbers and texts from its Street View Imagery. This meant that programs were now capable of solving the hardest CAPTCHAs with 99.8% accuracy, which made the current system unreliable.

Still, the problem of bots remained prevalent and we needed a way to eliminate them. Enter, No CAPTCHA reCAPTCHA.

No CAPTCHA reCAPTCHA

On December 3rd, 2014, Google announced that it had developed a new version of reCAPTCHA, the one that became ubiquitous: the ‘I’m not a robot’ click box. 

This version does not make the user transcribe the distorted text, but instead figures out with just one click if you’re a human or bot. This method uses the Advanced Risk Analysis backend for reCAPTCHA developed by Google and outlined on a blog post in 2013.

This backend process analyzes the user’s engagement before, during and after the CAPTCHA to validate them, relying on cues to work out whether a user is a bot or a human. The ‘I’m not a robot’ test uses similar methods. The single tick on the box is almost beside the point; what reCAPTCHA really watches is how you behave around it, including the path your cursor takes to reach the box, tiny variations in timing, any Google cookies in your browser, and your wider browsing history. Bots tend to move in suspiciously straight lines and perfect timings, while humans are a bit messy. Google doesn’t publish the full list of cues, as that would, obviously, defeat the purpose of restricting bots.

The CAPTCHA hasn’t completely been replaced, however, and is still used with the click-box if Google feels that there is a malicious presence, making it an additional cue upon which it determines the validity of the user. However, the distorted texts have been replaced by images of say, a cat, which the user must identify among other options.

I can tag Cats all day!
I can tag Cats all day!

Are “I’m Not A Robot” Checks Effective?

Google states that, upon the release of the new version of the reCAPTCHA, companies like Snapchat, WordPress, and Humble Bundle readily adopted this method. They claim that in the first week of No CAPTCHA reCAPTCHA usage, users moved to the main website much faster than under previous methods.

As for the safety aspects, stacking many layers of cues makes it much harder for a bot to slip through, which the ‘I’m not a robot’ method clearly aids, compared to the single transcribing of text in the earlier CAPTCHA methods. Google not releasing the cues also keeps bot makers guessing what they might be.

This method is also a boon for people with visual impairments, as it cuts the time spent transcribing and replaces it with just a click and the occasional need for tagging.

The method has kept evolving since. In 2018, Google released reCAPTCHA v3, which is invisible: there is no checkbox at all. It watches you in the background and hands the website a risk score from 0.0 (almost certainly a bot) to 1.0 (almost certainly human), letting the site decide what to do. So the next time a page lets you through without asking anything, reCAPTCHA has probably already scored you. 

So, how effective is the ‘I’m not a robot’ check today? Less than it once was. The arms race has tilted: a 2023 study found that bots solve modern CAPTCHAs faster and more accurately than people do, and in 2024 researchers at ETH Zurich built an AI system that cracked Google’s image-based reCAPTCHA v2 every single time. That is precisely why Google is steering websites away from the old free reCAPTCHA toward the score-based reCAPTCHA Enterprise on Google Cloud, where the checkbox is increasingly just a visible layer over a much larger pile of behavioral signals. The checkbox you click is less a test you pass than a curtain in front of one, and that curtain keeps getting thinner.

References (click to expand)
  1. Are you a robot? Introducing “No CAPTCHA reCAPTCHA”. Google Online Security Blog
  2. reCAPTCHA. Google Cloud
  3. L. von Ahn, M. Blum, N. Hopper, J. Langford. CAPTCHA: Using Hard AI Problems For Security. Carnegie Mellon University (EUROCRYPT 2003)
  4. reCAPTCHA just got easier (but only if you're human). Google Online Security Blog
  5. Google Inc. Acquires Carnegie Mellon Spin-off reCAPTCHA Inc. Carnegie Mellon University, School of Computer Science
  6. Choosing the type of reCAPTCHA (v2 and v3). Google for Developers
  7. Plesner, Vontobel, et al. Breaking reCAPTCHAv2. arXiv (ETH Zurich, 2024)