Questions raised over privacy promises, cookie use • The Register

Analysis: Six years ago, Google redesigned its reCAPTCHA service, which filters out bots, scrapers and other automated web browsing while letting human users through to websites.

The v2 update in 2014 added the iframe, or HTML Inline Frame, which is a way to embed one web page in another. Then came the v3 update in 2018, which added machine learning to reduce the need to interact with bot-detection challenges.

reCAPTCHA lets the internet giant challenge web users to prove that they are real people by completing puzzles and the like, while potentially also feeding information about those people into its advertising business. Google insists that it does not use reCAPTCHA data for personalized advertising and says so in the reCAPTCHA Terms of Use.

The Silicon Valley corporation’s disclosures concern whether reCAPTCHA is completely quarantined from all data collection relating to advertising, and privacy researchers now say that the company needs to clarify this point.

Zack Edwards, co-founder of web analytics firm Victory Medium, discovered that Google’s reCAPTCHA JavaScript code allows the mega-corporation to perform triangle syncing, a way for two different web domains to associate the cookies they have set for a particular person. In this case, when a person visits a website that implements tracking scripts related to one of these two advertising domains, both companies receive network requests related to the visitor, and either may display advertisements targeted to that specific person.

Two different domains should generally not be able to access the same set of cookies, because of the distinction between first-party and third-party origins in the web browser security model. But triangle syncing gets around this separation.

Triangle of advertising success?

Triangle syncing expands the world of advertising and makes it possible to reach someone across more domains, Edwards told The Register.

This is a common practice in advertising, he said, so that two separate companies with two different domains can exchange data, such as identifiers, that relate to a specific person. It also happens within a single company such as Google, which manages more than one domain and wants to track users across different domains.

The domain that reCAPTCHA performs triangle syncing with essentially guarantees that a user can be found/returned if one of these domains is integrated into the website, according to Edwards.

According to Google, the company does not use reCAPTCHA for triangle syncing, and reCAPTCHA loads static resources from two places on without writing or reading the cookie. The process, we have been told, does not involve any triangle syncing. And wouldn’t have cookies, in the sense that it’s designed not to collect them.

However, the reCAPTCHA JavaScript code, which is hosted on a Google domain, contains many references to cookies. And when you visit a website that integrates the reCAPTCHA widget, a PID setting cookie is created even if you try to block third-party cookies.

Edwards says what’s going on is not a typical triangle sync. He says that if you embed reCAPTCHA on a site like, for example, you redirect it to a new query on and then sets its cookie. This triangle syncing is not the traditional cookie sync on both sides, but a request + cookie match, he said.

He also notes that Google’s privacy policy defines as one of several domains used to set cookies for the company’s advertising products.

Google claims that does not read or write cookies, but the domain appears to request that cookies be set.
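
For publishers who want to check what a third-party widget does on their own pages, the following added example (not from the article, Edwards, or Google) scans a HAR capture exported from browser developer tools for third-party responses that set cookies, and flags those reached through a cross-site redirect. All hostnames and cookie values are constructed placeholders, and the two-label "site" rule is a simplifying assumption.

```javascript
// Added example: audit a HAR capture for third-party responses that set cookies.
// All hostnames and cookie values are constructed placeholders.

// Assumption: "site" = last two DNS labels. A real audit should use the
// Public Suffix List to compute the registrable domain.
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

function auditHar(har, pageUrl) {
  const firstParty = siteOf(pageUrl);
  const redirectedFrom = new Map(); // redirect target URL -> redirecting URL
  const findings = [];
  for (const { request, response } of har.log.entries) {
    if (response.status >= 300 && response.status < 400 && response.redirectURL) {
      const target = new URL(response.redirectURL, request.url).href;
      redirectedFrom.set(target, request.url);
    }
    const cookies = response.headers
      .filter((h) => h.name.toLowerCase() === 'set-cookie')
      .map((h) => h.value.split('=')[0].trim());
    const site = siteOf(request.url);
    if (cookies.length === 0 || site === firstParty) continue;
    const via = redirectedFrom.get(new URL(request.url).href) || null;
    findings.push({
      site,
      cookies,
      // Set when a different site handed the browser to this one.
      crossSiteRedirectFrom: via && siteOf(via) !== site ? siteOf(via) : null,
    });
  }
  return findings;
}

// Constructed sample capture (not real traffic).
const sampleHar = { log: { entries: [
  { request: { url: 'https://www.publisher.example/contact' },
    response: { status: 200, redirectURL: '',
      headers: [{ name: 'Set-Cookie', value: 'session=abc; Path=/' }] } },
  { request: { url: 'https://widget.captcha-host.example/api.js' },
    response: { status: 302, headers: [],
      redirectURL: 'https://sync.ads-host.example/pixel?x=1' } },
  { request: { url: 'https://sync.ads-host.example/pixel?x=1' },
    response: { status: 200, redirectURL: '',
      headers: [{ name: 'set-cookie', value: 'uid=constructed123; Secure; SameSite=None' }] } },
] } };

const findings = auditHar(sampleHar, 'https://www.publisher.example/contact');
console.log(JSON.stringify(findings, null, 2));
```

Capture the HAR with the browser’s third-party cookie blocking turned on to see which Set-Cookie responses are still being sent; whether the browser actually stores them has to be checked separately in its storage inspector.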

Terms and Conditions

Edwards claims that Google does not handle cookies that easily. He notes that in the Safari browser test he conducted, the Google domain sets session keys instead of cookies, a form of temporary storage for the browser connected to the server.

Google’s reCAPTCHA Terms of Service state that the service sends data to the company via devices and applications. They describe how this data is processed as follows: “The information collected as part of your use of the Service is used to improve reCAPTCHA and for general security purposes. It is not used for personalized advertising by Google.”

The Register specifically asked Google whether reCAPTCHA data can be used for aspects of the advertising business other than personalized advertising. It could, for example, contribute to the fight against ad fraud.

A Google representative quoted the above policy and said that the data may be used to improve reCAPTCHA and for general security purposes, whatever that means.

On Twitter, Ashkan Soltani, a privacy researcher and former Federal Trade Commission technologist, said that what Google is doing is very similar to what the company did in 2011 and 2012 to bypass Safari’s blocking of third-party cookies.

Here’s a small clip that shows how Google’s ReCaptcha installs a third-party cookie, even when @Mozilla @Firefox blocks cross-site tracking cookies #privacy #cookiewars

– ashkan soltani (@ashk4n) 30 October 2020

In 2012, the FTC, the US consumer protection agency, fined Google $22.5 million for falsely claiming it did not place tracking cookies for Safari users.

Soltani also suggested that Facebook’s 2019 case before the FTC might be a relevant comparison. In that case, Facebook was sanctioned for collecting data for one purpose (security) and using it for another purpose (advertising).

In an email to The Register, Soltani stated that he had tested Edwards’ claims and confirmed that reCAPTCHA uses cookies even if the user’s browser is set to block third-party cookies.

He then released a video with network requests from visitors/abuse complaints, a reCAPTCHA script hosted by that runs the code hosted by to invoke the reCAPTCHA puzzle.

According to Soltani, the main question is whether those who rely on reCAPTCHA for security reasons expose users to Google’s profiling for advertising purposes.

Google’s privacy disclosures may be sufficient to cover the role of reCAPTCHA if it is determined that reCAPTCHA plays a role in Google’s advertising activities. Google discloses that it places advertising cookies through its domain.


However, Edwards claims that Google has not been clear enough about the fact that reCAPTCHA uses this domain.

This is problematic for publishers who are concerned about user privacy, he said, because if you implement reCAPTCHA on your site and do not disclose that you are installing cookies, there is a risk that some aspects of the right to information may be violated under the Californian Consumer Protection Act.

According to Edwards, European websites should review the way they use reCAPTCHA to protect themselves from bots.

In my opinion, European organisations using reCAPTCHA to protect themselves against spam should now take reCAPTCHA outside the walls of their approval, he said.

It is very far-fetched to say that cookie synchronization is mandatory for, and it does not seem possible to use reCAPTCHA in a way that does not achieve this synchronization.

Google already recommends this in the reCAPTCHA Terms of Service, which states that for users in the European Union, you and your client API(s) must comply with the EU User Consent Directive. ®
