On Monday, 7 December 2020 11:52:55 GMT Brad Rogers wrote:
>
> Most worrying of all (IMO) is that banking companies, like WorldPay,
> rely on recaptcha for 'security'. Since nobody outside google knows what
> google gets during a recaptcha transaction, how WorldPay et al guarantee
> the security of bank card details, IDK.

I suspect Worldpay are using it to reduce the rate of automated abuse, for which they only need to know its effect on legitimate transactions, which I dare say at their scale is easy to measure.

I doubt it is a key security control, but getting rid of the bulk of noisy rubbish is often handy with any service.

Now if that impact is disproportionately on the disabled, that might open them to liability for discrimination, although that might be a good point for them to be a bit hands-off, since they could possibly argue "we thought Google had that covered with the extra options".

As regards knowing what Google gets, well, we can ultimately see that for the transaction itself; the bits that are less clear are things like reputation of IP address, or reputation from User-Agent string.

Interesting question, does this amount to processing for GDPR Article 22(1)? Generally I'd say a Captcha doesn't generally have legal impact on the individual to qualify, nor amount to processing PII, but if enough services rely on the same Captcha service that could amount to "similarly significant affects" perhaps.

One of those areas to be careful what you wish for, since if ReCaptcha vanished a lot of companies would be rolling their own with their own individual problems.

Simon

--
The Mailing List for the Devon & Cornwall LUG
https://mailman.dcglug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq