Cloudflare has begun a public beta test of a CAPTCHA alternative that runs quietly in the background to automatically determine if the webpage visitor is an actual human. Its goal is to allow netizens to avoid having to complete those tedious prove-you’re-not-a-bot tests on websites.
The widget is dubbed Turnstile, and is described as “an invisible alternative” to today’s CAPTCHA challenges. That said, it will fall back to a manual test as a last resort if it can’t automagically verify a user is human. Cloudflare claims it can do all of that while maintaining a higher level of privacy than traditional CAPTCHA systems.
This script performs a bunch of background tasks in the browser, including “proof-of-work, proof-of-space, probing for web APIs, and various other challenges for detecting browser-quirks and human behavior,” Cloudflare said.
“Turnstile also includes machine learning models that detect common features of end visitors who were able to pass a challenge before. The computational hardness of those initial challenges may vary by visitor, but is targeted to run fast.”
Ultimately, the code uses a bunch of techniques to figure out if the website is being visited by a person as opposed to a software-controlled browser that’s there in hope of committing ad-click fraud, signing up for a ton of accounts, or whatever.
When a human is detected, Cloudflare’s backend system issues a token to the visitor’s browser. When that user subsequently tries to do anything on the website – such as log in, search, or sign up – the token can be presented to the site to confirm there isn’t a bot at play, and everything will be allowed to work as expected. Since bots won’t be issued these tokens, they can be stopped from doing anything further with the website.
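The site-side half of that flow, as an added example that is not from the article or Cloudflare: the browser-supplied token is worth nothing until the site’s backend asks Cloudflare to verify it, and a bare `success: true` still needs checking against the hostname, form action and age the site expects. The siteverify endpoint and response fields are the ones in Cloudflare’s public Turnstile server-side documentation; the five-minute freshness policy and the `example.com` / `login` values are this example’s own assumptions.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

# Endpoint and response fields per Cloudflare's public Turnstile docs,
# not from the article above.
SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify"


def siteverify(secret, token, remote_ip=None):
    """Hand the token from the browser to Cloudflare; return the parsed JSON verdict."""
    form = {"secret": secret, "response": token}
    if remote_ip:
        form["remoteip"] = remote_ip
    body = urllib.parse.urlencode(form).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=body, timeout=5) as resp:
        return json.load(resp)


def parse_ts(value):
    """Parse the ISO 8601 challenge_ts ('...Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def accept_verdict(verdict, expected_hostname, expected_action,
                   max_age=timedelta(minutes=5), now=None):
    """Decide whether a siteverify verdict authorises the protected request.

    A token minted for another hostname, another form action, or too long ago
    is rejected even if Cloudflare reports the challenge itself as passed.
    max_age is this example's own freshness policy (an assumption).
    """
    if not verdict.get("success"):
        return False, "challenge failed: " + ",".join(verdict.get("error-codes", []))
    if verdict.get("hostname") != expected_hostname:
        return False, "token issued for a different hostname"
    if verdict.get("action") != expected_action:
        return False, "token issued for a different action"
    try:
        issued = parse_ts(verdict["challenge_ts"])
    except (KeyError, ValueError, AttributeError):
        return False, "missing or malformed challenge_ts"
    now = now or datetime.now(timezone.utc)
    if now - issued > max_age:
        return False, "token too old"
    return True, "ok"
```

In a real handler, call `siteverify()` with the site’s secret and the token from the form, then gate the login or signup on `accept_verdict()`; nothing about the token should be trusted from the client side alone.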
These not-a-bot tokens – also known as Private Access Tokens, or PATs – were developed with Apple: the latter wants its operating systems to automatically issue the tokens to websites so that iOS (and soon macOS) users can skip having to complete CAPTCHAs.
“To date, [PATs] are only present for iOS 16 devices,” Cloudflare Director of Product Reid Tatoris told us in an email. “In the future as more devices and clients take advantage of PATs, Turnstile will automatically utilize PATs anywhere they are compatible.”
Outside of PATs, which are supposed to be anonymous, Cloudflare said Turnstile helps maintain user privacy by not using or looking at cookies. While Turnstile looks “at some session data (like headers, user agent, and browser characteristics) to validate users without challenging them,” Cloudflare said it doesn’t store data of any kind.
Instead, Cloudflare said it worked with equipment manufacturers to build profiles of devices that help it quickly validate hardware, letting Turnstile “abstract portions of the validation process, and confirm data without actually collecting, touching, or storing that data ourselves.”
Click on the squares that include a web goliath
Besides inconvenience, Cloudflare said that CAPTCHA widgets come with a privacy trade-off due to who manages 98 percent of implementations: Google.
It was previously uncovered that Google reCAPTCHA favored Google users, giving them the benefit of the doubt as long as reCAPTCHA could determine a user was logged into a Google account.
“Google says they don’t use this information for ad targeting, but at the end of the day, Google is an ad sales company,” Cloudflare said. Google previously told The Register reCAPTCHA collects hardware and software information and sends it to Google, but wouldn’t say what it does with that data.
Cloudflare used reCAPTCHA until 2020, when it dumped the service for hCaptcha, citing customer concerns and privacy issues around sending data to Google. Those concerns conveniently lined up with Google declaring it was going to begin charging heavy reCAPTCHA users, like Cloudflare, to access the service. ®