alt.hn

6/29/2026 at 8:46:42 PM

Google's New reCAPTCHA Wants Your Camera Access and 21 Points of Your Hand

https://reclaimthenet.org/googles-new-recaptcha-wants-your-camera-access-and-21-points-of-your-hand

by Cider9986

6/30/2026 at 5:40:30 PM

With high resolution cameras, indefinite data retention and third party data leaks being a matter of when, not if, this seems like a perfect way to get your fingerprints stolen by organized crime syndicates worldwide. If not next year, then in 5-10 years. And when they get used for “something”, what happens when you go on vacation somewhere and you’re detained at that country’s border for a crime that happened N years before your very first entry into that country ever happened?

With as many Ph.D.s as there are at Google, you’d think they’d be smarter than to come up with this. Which is how you know the PMs are in charge, not the smart people.

by MrWiffles

7/1/2026 at 8:47:36 AM

I wonder if anyone has thought about what happens if and when Google (or others) gets bought out.

No firm lasts forever.

by intended

7/1/2026 at 8:52:29 AM

It is not possible to buy a 4 trillion public company

by drexlspivey

7/1/2026 at 10:09:44 AM

AOL used to be a US$ 200B public company, it was acquired by 4.4B.

Sun, Lucent, Yahoo all had massive valuations at their peak but eventually dwindled and got acquired.

It's always possible for a massively valued company to stumble, fall, and become a husk of what it once was. I don't think Google/Alphabet is immune to this even though their absurd cash cow from ads make it very unlikely at this exact moment.

by piva00

7/1/2026 at 9:55:53 AM

I'm struggling not to be sarcastic here, as I'm not quite stoked about Canadian Tire owning most of what's left of Hudson's Bay Company. It's pretty undeniable proof that age and revenue will not make a company immortal or invulnerable though.

by xethos

7/1/2026 at 5:21:38 PM

Hudson mismanagement was legendary. Their business expansion into the Netherlands was so terrible that it's almost as if they wanted to fail.

by expedition32

7/2/2026 at 5:49:16 AM

Sometimes I feel the same about Google when I see them burn goodwill time and time again.

Somehow they seem to have more despite not earning it for such a long time.

by happymellon

7/1/2026 at 8:59:23 AM

Even if the purchasing entity is backed by a foreign country?

by zigzag312

7/1/2026 at 9:02:04 AM

Valuations are not permanent. Amazon dropped 90% during the dotcom bubble. And there is always another financial crisis coming.

by sigmoid10

6/29/2026 at 10:33:42 PM

I saw a post on the GrapheneOS forum of someone who was accosted by Google with this requirement, so they are certainly using it.

It's interesting the parallels of Google's recaptcha and Cloudflare turnstile.

Cloudflare is free, no image selector, allows VPNs and Tor for the most part, just 0 click with a good ip reputation and 1 click with a bad one.

Recaptcha is paid, trains waymos, sucks millions of hours of human time, asks for camera access, asks for a phone attestation, blocks VPNs/Tor.

Thank god less sites are using ReCAPTCHA.

Looking forward to some other solutions gaining prominence eventually as well.

Like that Anime girl one.

by Cider9986

7/1/2026 at 4:53:48 PM

> just 0 click with a good ip reputation and 1 click with a bad one.

Or it goes on forever without passing, which can also happen, and then you simply can't proceed. It also really does not work over TOR in my experience.

I've had it happen a bunch of times, but Recaptch usually falls back to the image challenge if I can't pass V3. It might force me to solve several of them, but it eventually lets me pass.

by KomoD

7/1/2026 at 12:10:55 PM

Cloudflare allows you to pass with 1 click? I had as many as 10 minutes of solving capchas on ot before turning away

I'm pretty sure, Cloudflare capchas could be endless

by lesostep

7/1/2026 at 12:56:40 PM

As soon as I get more than 2 captchas, I'm out. At that point, I'm assuming they're just testing my patience to train their models. Switching VPN servers is much more effective.

by addandsubtract

7/1/2026 at 2:09:09 PM

yeah, they are as soon as you use a non-mainstream browser. never got past cloudflare with the Pale Moon browser, for instance. seeing a site like reclaimthenet - fighting for a free internet - gated behind cloudflare struck me as odd, to say the least. i just had to prove that i'm not a bot to be able to read the article.

by potus_kushner

7/1/2026 at 12:20:05 PM

CloudFlare captcha blocks my Opera Mobile unless I switch the user agent back to mobile.

by anal_reactor

7/1/2026 at 8:37:22 AM

Not gonna happen. Ever.

If a web requires me to do this to access it, I simply refuse.

The last time I needed some web was my electricity company - sent them a ticket with a complaint. They replied with some bs like "your browser is simply not supported" so I kept sending them the same ticket over and over again until I got a real response and it seems they decided to change the system.

To use my favorite quote: That's all it takes really, pressure, and time... :)

by _V_

7/1/2026 at 9:04:23 AM

Companies do and will simply label customers who repeatedly "protest" in such a manner as "vexatious" and use that as a justification to deny service. Utilities will probably be last due to regulations around providing utilities but other important companies will do it.

by gib444

7/1/2026 at 10:43:03 AM

Then I save some money and give them to a different company :)

by _V_

7/1/2026 at 9:01:08 AM

Yeah I’ve already warned my discord friends that the moment I have to show my ID I’m out of there without a goodbye. It sucks, but I just can’t compromise further. Personal ID’s are an absolute red line.

by Forgeties79

7/1/2026 at 11:31:59 AM

Ahem, plenty of Discord alternatives out there ;) Nothing wrong with making a backup or bridge!

by uproarchat

7/1/2026 at 8:23:22 PM

I'll cross that bridge when I get there. Discord is simply not that important.

by frollogaston

7/1/2026 at 11:56:59 AM

[dead]

by Forgeties79

7/1/2026 at 10:44:43 AM

Yeah, for some reason I ran into that issue, too. I'm not giving my governmental ID to some random corporation. If that means I can't use their services, then so be it.

Someone always has to be the first to say "no thanks" to their bs.

by _V_

7/1/2026 at 4:51:15 PM

How many people on Discord would really give ID? It's not Facebook; all their names are pseudonyms, and they're talking privately.

by frollogaston

7/2/2026 at 8:15:40 AM

There is a significant subset of the population that has a lot of their social life on discord. They’re not going to let something as simple as ID verification cut them off from their friends. You and I know how important it is to protect PII, but we are probably older and remember a time when more importance was placed on protecting your identity.

by Forgeties79

7/1/2026 at 12:02:39 PM

Yeah I basically told my discord friends that I’m not going to be held hostage with the threat of losing contact with them, so if they want to communicate with me they can hit me up by other means which I shared.

by Forgeties79

7/1/2026 at 6:49:33 PM

If a web requires me to do this to access it, I simply refuse.

A friend of mine recently tried to get a payment from an insurance policy. But the New York Life web site wouldn't work right.

She ended up talking to someone on the phone eventually and they told her it's her fault, because Safari isn't supported. Only Chrome and Edge.

Her choice was to install Chrome, or walk away from $35,000.

You may "just refuse," but she installed the browser and got her money.

by reaperducer

7/2/2026 at 7:16:49 AM

Do you really believe that you can discharge a debt of $35,000 simply by saying "I don't support Safari" to your creditor? I would not try that tactic with a bank, I can tell you that much.

I would still refuse and force them to send the money through snail mail.

by _V_

7/2/2026 at 2:50:32 PM

Do you really believe that you can discharge a debt of $35,000 simply by saying "I don't support Safari" to your creditor?

Insurance companies are notorious for making it very hard for people to collect money from policies. They are well known for making things deliberately hard so people will give up.

I'd love to see you "force" a massive insurance company to do anything without a lawyer. Real life is not the same as talking big on the internet.

by reaperducer

7/2/2026 at 6:23:54 PM

I don't see the problem.

The last time insurance company tried to BS their way out of the insurance payout, I actually did get the lawyer involved and I successfully got them to admit fault and pay up.

Standing up for myself and doing something IRL feels quite good. You do you.

by _V_

7/1/2026 at 8:17:23 PM

Why can't normal people send companies to collections for refusing to pay debts?

by ryandrake

7/1/2026 at 11:10:06 PM

They can. But you will lose a substantial percentage.

by HWR_14

7/2/2026 at 1:06:06 PM

Savvy folks have their paperwork in order, and simply send the Sheriff to take their stuff if they won’t pay.

Often no % required.

by DANmode

7/1/2026 at 8:46:44 PM

Or you resort to legally binding snail mail.

by littlecranky67

7/1/2026 at 10:21:43 AM

A few days back, Google reCaptcha suddenly showed me a QR code and asked me to scan it with my mobile to "verify" I was human. I was taken aback, and at first thought my system / browser had some malware that was messing with the Captcha ...

(Apparently, this started appearing from last month - https://cybernews.com/privacy/google-qr-code-recaptcha-requi... ).

by thisislife2

7/2/2026 at 12:40:26 PM

I have neither hands nor webcam nor phone.

Whatdo?

----

This post is hypothetical sarcasm... only two of the above are truthful.

by ProllyInfamous

6/30/2026 at 1:31:29 AM

Is it weird that my reaction to all of this is that I am just going to drop these websites when they ask me for this?

by outside1234

7/1/2026 at 8:41:46 AM

I've already dropped sites/services where annoyance-invasion/usefulness ratio is above 50% but I'm afraid it will be unavoidable in some cases.

At least I know what kind of hand gesture they will get first :)

by gbil

7/2/2026 at 5:58:03 AM

Not really.

I closed and walked away from a long standing account with HSBC when they introduced a requirement in their app for me to have Google Keyboard installed and active as my primary keyboard rather than my own one that I knew wouldn't send my keypresses to Google.

Sometimes all we need is the final push from them declining your business unless you jump through their hoops to agree that it's not worth your time.

by happymellon

6/30/2026 at 2:01:14 AM

No, but what would you do if it's a government required service?

by Cider9986

6/30/2026 at 12:00:10 PM

The IRS wanted a full 3d scan of my face to prove identity AFTER I already had a working account used every year for the past 3+ years.

They asked for feedback after I canceled the login, I gave very candid feedback in a form.

Then they asked if I would give an interview.

You know why I wanted to log in? To claim a $7 refund.

They ended up mailing it.

by toxic72

7/1/2026 at 9:07:33 AM

I wonder if the identity requirements are lowered if you owe them money?

by gib444

7/1/2026 at 5:28:47 PM

Yes actually, I've seen both. It makes sense because nobody would impersonate me to give them money.

I also make sure they never owe me. Otherwise I get delayed money, ID thieves have another reason to target me, thieves might actually get it, and the IRS might not give it. And the last thing happened to me once with a large refund, for a year, because of a pure logistics error on their end that took me a ton of effort to get them to fix, and it was kinda related to ID. Identity situation is much cleaner if I just pay the IRS.

by frollogaston

7/1/2026 at 8:37:58 AM

Then you sign in using your eID which is both highly secure and tied to your personal identity. Government services don't need 3rd party are-you-a-human verification, not when your account is tied to your identity.

(this is from the Netherlands where you can use digID [0] to sign into government services and ID-bound 3rd parties like insurance, mortgages, pensions etc)

[0] https://en.wikipedia.org/wiki/DigiD

by Cthulhu_

7/1/2026 at 9:19:49 AM

I thought recently there was a kerfuffle about DigiD being tied to an American data farming company

by someonebaggy

7/1/2026 at 9:03:26 AM

Then I would opt not to use the computer for this task, and instead call, visit, mail, or fax the government agency.

by greyface-

6/30/2026 at 3:17:55 AM

Oh I wish! Had to solve one in order to pay a bill.

The internet is dead.

by expedition32

7/1/2026 at 8:46:10 AM

That's like saying the roads are dead because people built strip malls and McDonald's everywhere. They're ugly and mostly annoying but there's still those roads leading to the paths into the mountains, ready for anyone who knows how to find them.

by Leonard_of_Q

6/29/2026 at 9:26:38 PM

What if you don't have a cam or a hand?

by ragnar76

7/1/2026 at 8:57:02 AM

What if you have all that, but waving is problematic due to non-functional motor control?

by tosti

7/1/2026 at 8:59:56 AM

You are then our of the normal probability distribution and out of luck, it's not profitable to cater for you for the company.

by augment_me

6/30/2026 at 3:44:39 AM

can't even do onlyfans

by ta93754829

7/1/2026 at 12:57:38 PM

They said hands, not feet.

by addandsubtract

7/1/2026 at 8:28:35 AM

There will be an Accessibility options? hear a phrase and repeat it or similar

by khurs

6/30/2026 at 1:30:49 AM

SYNTAX ERROR

by outside1234

6/29/2026 at 9:05:40 PM

Imagine getting your hand wrongly blacklisted as a fake, and then someday down the road you make a wrong gesture during an online interview and now your real-name is also on the suspicion list.

by Terr_

7/1/2026 at 1:04:11 PM

Or Palantir films your hands while trying to enter a venue, border, or voting booth.

by addandsubtract

6/29/2026 at 9:37:24 PM

Imagine you don’t have a hand.

by nerdsniper

7/1/2026 at 9:54:06 AM

New startup idea: Captcha-proof mock hands that wave with remote control http json api. You could sell a small diorama box with camera and everything as an upgrade.

by tosti

6/30/2026 at 2:59:07 AM

As a Man of Culture, my hand ranks highly among my most valuable appendages!

by ButlerianJihad

7/1/2026 at 8:31:34 AM

I bet you're also not an ambiturner.

by oniony

7/1/2026 at 9:41:32 AM

Also worth noting this could allow Google to know who is using whom's devices. E.g. if I let my sister use my device, then Google would know it's her hand.

Would it deny her hand's reCAPTCHA because it doesn't match my biometrics? Or would it allow her and just make a record in the google database that she was using my phone at 8:42PM ?

by nerdsniper

6/29/2026 at 10:18:21 PM

The non-mandatory internet that requires any captcha at all is becoming non-existent to me.

by add-sub-mul-div

7/1/2026 at 4:17:01 PM

I can show them a finger.

And seriously - what about people without hands? What about scammers pretending to be Google gaining access to my camera? What about blind people? What about people using the site in places where camera use is not allowed?

by kolinko

6/29/2026 at 9:26:56 PM

I could see this being privacy friendly if the user could see exactly what Google was using.

For instance, terminalcam, gives just enough data to reveal liveness without necessarily giving enough information about identity.

https://gitlab.com/here_forawhile/terminalcam

by smalltorch

7/1/2026 at 8:50:18 AM

Well, create a virtual camera device with 120x80 resolution and give Ggl access to that and only that.

by Leonard_of_Q

7/1/2026 at 8:53:19 AM

We have to have ability to stream video instead of accepting browsers webcam request. I propose Firefox to go first with the implantation. I would like to automate it with AI to stream every time a different video with different person

by gitowiec

7/1/2026 at 8:47:52 AM

Just as with paywalls, it's just easier to close the page if prompted with this. Many things are not that interesting if an effort is required.

by risit

7/1/2026 at 10:46:39 PM

Nope, I just won't use whatever websites implement this.

by gonight

6/29/2026 at 11:36:40 PM

Doesn't surprise me at all and seems like a good solution to the problem of human verification. It won't take long for AI to catch up to that, but this captcha method might hold for a couple of months.

Not sure what problem everybody here is having with this. The alternative would be device certificate stuff (ala did Apple sign for this being a proper Apple device?). Having to shake your hand sounds a lot more privacy friendly. Are you guys seriously worried that Google is gonna steal your secret handshakes?

by jimmy76615

7/1/2026 at 8:50:58 AM

Finding additional ways to waste more of people’s time on the web isn’t a good solution to anything. Doing so in a privacy invading way from a company that has a vested interest in collecting as much data as possible, exhausting all utility from it and butters its bread in an industry which specifically is built around disrespecting the time of other people is just never going to fly.

Like seriously, if I have to turn on a camera to get through a recaptcha then the website doing it can fuck right the hell off with extreme prejudice. My web browser is not allowed to access my cameras for any reason, no exceptions.

by SllX

7/1/2026 at 11:18:03 PM

> Are you guys seriously worried that Google is gonna steal your secret handshakes?

Do I really think Google will retain that information for "debugging purposes", and 2 or 10 or 20 years from decide to make a service that identifies me from my hand biometrics because it will make them more money than the class action will cost them? Yes.

by HWR_14

7/1/2026 at 6:31:43 PM

I get why they're doing this. They're out of options, and nobody here has proposed something better. But I'm not out of options, I'll just choose not to use any website that asks for this.

Would also accept having to pay a small amount of cryptocurrency to use a site/service, but that's only suitable for DDoS or mass bot protection, not proof of being human.

by frollogaston

7/1/2026 at 9:22:13 AM

>this captcha method might hold for a couple of months

So stripping away user privacy even more is justified for implementing an already obsolete verification method?

by Almondsetat

7/1/2026 at 7:22:52 PM

It's not already obsolete

by frollogaston

7/1/2026 at 8:27:33 AM

Well, actually I am worried about it. It needs to happen just once. Or for google to have a different kind of CEO (as companies are wont to).

by pfortuny

6/30/2026 at 4:42:30 AM

> Not sure what problem everybody here is having with this.

For starters, it's extremely invasive (camera on to pay a bill - wtf?), has unclear privacy implications and questionable accessibility (to put it mildly).

by aix1

7/1/2026 at 12:21:36 PM

Is it okay if I show my penis. I've checked and the fingerprint scanner also registers my ballsack correctly.

by anal_reactor

7/1/2026 at 10:07:04 PM

All they're getting from me is a middle finger

by wktmeow

6/29/2026 at 11:16:09 PM

can a unique fingerprint (no pun intended) be extracted from hand geometry

by tensegrist

6/29/2026 at 8:52:50 PM

My openclaw agent gonna find some way around it.

by catfish-1234

7/1/2026 at 8:57:33 AM

Sir, that is a claw, not a hand.

by SomeUserName432

7/1/2026 at 8:35:45 AM

What camera?

by 28304283409234

7/1/2026 at 8:27:20 AM

I'm also now seeing a 'scan this QR code' captcha when using Archive.org links.

Can't be bothered... so instead using the accessibility option of listening to a phrase instead.

by khurs

7/1/2026 at 8:35:00 AM

It is extremely disappointing to see Reclaim’s reporting whiff so badly on this. Yeah, they got the gist of the outrage, but they missed the real grift underneath. They slipped a massive loophole under the radar here and Reclaim misses it entirely: Google promised to delete the footage, but not the data derived from the footage. To use 23andme as an analogy, the company tended to dispose of old genetic sample kits after a while, but retained the derived data from those kits identifiably associated with specific people. Google is only promising to dispose of the costly data to store, the raw biometric material that takes up precious terabytes, but unlike 23andme will never voluntarily permit you to review and remove the results of their biometric analysis if you. Reclaim, if you’re reading this, here’s what you missed: https://docs.cloud.google.com/recaptcha/docs/hand-gesture-ve...

> Google does not retain any images or videos of a user's hand gestures

This is the sole statement of data deletion provided, and nowhere does Google state any other retention policy for derivations whatsoever, whether anonymized or associated, from that hand data; referring instead to the generic terms of service privacy policy:

> Other data is deleted or anonymized automatically

The privacy policy does not have a specific callout for biometric derivations, and so they may choose to anonymize rather than delete your biometric data.

> some data we retain for longer periods of time when necessary for legitimate business or legal purposes, such as security, fraud and abuse prevention

Recaptcha exists for the exlclusice purpose of security, fraud and abuse prevention, and so by this clause they may retain your identified hand scan biometrics for as long as they see fit.

> We will share personal information outside of Google if we have a good-faith belief that disclosure of the information is reasonabl[e]

They will give your identified hand biometrics upon request to anyone who can make a convincing case to them.

> We may share non-personally identifiable information publicly and with our partners

And they grant themselves the right to start selling their dataset of humanity’s hand biometrics for personal profit with none shared back to those whose biometrics are now a commodity to be bought and sold.

(Note that Google is not alone in this; see also gestures at much of tech. But that’s no excuse for the grift going unreported by a journalistic entity that’s been around long enough to know better how these reassurance-by-omission scams work. I was already upset with Google but I still expect better of those trying to stop them.)

by altairprime

7/1/2026 at 9:23:09 AM

> This is a company whose business runs on gathering and monetizing personal data

Seems like they covered your points just fine. They just did it succinctly and trusted the reader to understand the broader implications.

by codingdave

7/2/2026 at 3:42:59 AM

They don't trust the reader to 'understand the broader implications' in their other posts. For example:

https://reclaimthenet.org/the-house-just-voted-for-kosa

> If you’ve been following our updates, you’ll know the accountability positioning hides the actual design. The bill defines “know” or “knows” to mean “to know or should have known,” and that phrase runs through sections covering platforms, AI chatbots, and gaming services.

In their recent (two days ago) reporting on KOSA, they dedicate an entire paragraph (see above) specifically to explaining how a word choice is being used to hide the main thrust of the bill, and continue on for some paragraphs detailing how a single disguised and misleading word is the beachhead for an affront to privacy. So their failing to call out Google on this word choice reads as 'lack of familiarity with the terrain', as when on more well-understood ground — since US gov't reporting rather predates the tech industry, after all — they do call out such things.

by altairprime

7/2/2026 at 8:20:12 PM

The article you linked is by a different author. It is completely reasonable for different authors to have different writing styles.

by codingdave

6/29/2026 at 8:49:56 PM

things are getting out of hand :D

by pinnapi