Internet web infrastructure company Cloudflare announced plans to drop support for Google’s reCAPTCHA service and move to a new bot detection provider named hCaptcha.
Cloudflare co-founder and CEO Matthew Prince said the move was motivated by Google’s future plans to charge for the use of the reCAPTCHA service, which would have “added millions of dollars in annual costs” for his company, costs that Cloudflare would have undoubtedly had to unload on its customers.
“That is entirely within their right,” Prince said yesterday. “Cloudflare, given our volume, no doubt imposed significant costs on the reCAPTCHA service, even for Google.”
“If the value of the image classification training did not exceed those costs, it makes perfect sense for Google to ask for payment for the service they provide,” he added.
Moving to hCaptcha
Going forward, Prince said Cloudflare would begin integrating a new anti-bot CAPTCHA system into Cloudflare products named hCaptcha, provided by California-based company Intuition Machines, Inc.
Intuition Machines usually makes money by renting access to hCaptcha to companies who want to run image classification experiments, and then pay website owners to implement its hCaptcha product.
But Cloudflare said they’ll be paying the California company instead, rather than get paid by hCaptcha. Prince said this ensures that Intuition Machines will have the resources to scale its infrastructure to meet Cloudflare’s demands.
Currently, according to W3Techs, Cloudflare is a managed DNS provider for 11.3% of all internet websites, and a reverse-proxy (firewall) provider for 12.4% of all internet sites, handling gigantic amounts of traffic on a daily basis.
Prince says that while paying for the ability to use hCaptcha does generate some additional costs for his company; the Cloudflare CEO says “those costs were a fraction of what reCAPTCHA would have [incurred].”
Cloudflare: hCaptcha is more private
Furthermore, using hCaptcha also addresses two other issues Cloudflare had to deal with while using reCAPTCHA. The first is the fact that reCAPTCHA is sometimes intermittently blocked in China, meaning Cloudflare couldn’t use it with Chinese-based websites and users.
The second issue was Google’s privacy-intrusive data collection policy, which Prince says Cloudflare doesn’t have to worry about now since hCaptcha collects much less data about users who complete its forms.
Until today, Cloudflare has used Google’s reCAPTCHA service as part of its IP Firewall and Gatebot products, where reCAPTCHA would activate itself when a Cloudflare-protected website would come under DDoS or other forms of automated attacks, asking users to complete a reCAPTCHA form before accessing the site.
Cloudflare also uses reCAPTCHA part of its Security Levels feature, allowing site administrators to enable a reCAPTCHA form for all incoming users as a rudimentary form of traffic filtering and rate-limiting, even if the website was under attack or not.
In the past, Cloudflare came under heavy criticism from users of the Tor Browser because of its reCAPTCHA support. For many years, Tor Browser users couldn’t access Cloudflare-protected sites without completing multiple rounds of reCAPTCHA forms. Cloudflare toned down its reCAPTCHA filters for Tor users in September 2018.