Is Google CAPTCHA going too far?

26th February 2015

As I type the proposed EU Data Protection Regulations continue to progress like a large glacier moving surely albeit very slowly, and probably by the time it is implemented the whole data protection landscape will already have moved on. Many of the changes revolve around the definition of the phrase ‘personal data’ and a recent article by the device recognition company AdTruth throws another unforeseen stick on the proverbial fire.

I thought that you may find my thoughts on this interesting.

In the old days you knew what information company’s held on you mostly because they asked you. You knew that your doctor had your full medical history, that the council had your bank details and that your tailor (if you have one!) had your inside leg measurement.

However, now it is not so easy. With the onset of Big Data and companies sharing more and more information you are no longer sure what companies know about you; or to be more accurate, what companies believe or assume that they know about you from the information they do have access to!

‘Personal data’ is defined in Article 2 of the EU Directive by reference to whether information relates to an identified or identifiable individual, and this was converted into the UK Data protection Act 1998 to mean:-

Personal data means data which relate to a living individual who can be identified 

  • (a) from those data, or 
  •  (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

read the full ICO guide

Historically this was an adequate catchall and in the mid 90’s did an ok job, but technology has moved into area not envisaged in the 80s or 90s.

Two examples which spring to mind is the recent EU’s proposal that data being generated by mobile phone health Apps (how many steps you are taking etc, calories bunt etc) is considered sensitive health data and should not be shared with out your permission) are the Google Captcha changes.

I am sure you are aware of the CAPTCHA tool – that irritating little element on the screen displaying an obscure image or set of characters which I have to refresh 10 times before I find a series of numbers and letters that I can read. Well, it appears that computers are better at reading these that humans, and so completely defeats the object of the exercise.

The new tool gets you to prove you are human by asking you to identify images, or click a box, or both (example here), but where it is clever it tracks your mouse actions and apparently has the ability to know if you are a human or bot – Good stuff, eh?Well, possibly not.

It would appear that the program is so clever it can identify one individual’s actions from another, it is believed that Google can now use this to tailor advertising even further.By the above definition the process must fall with the spirit of the DPA.

Subsequently users should be aware that they can be identified and how their information will be used. I raise this as a prime example of how organisations should be cautious in their use of technology in case they inadvertently fall within the definition of ‘personal data’.

Examples of data currently used to identify people include:-

  • Name and address information
  • Reference/Credit Card/Bank Account Numbers
  • CCTV and Images in general
  • Biometric information
  • Geographical information
  • Analytics/Tracking software mapping likes and dislikes
  • Data generated from Mobile Apps that can identify individuals

… and it is highly likely that cookies, IP Addresses and analytics may fall squarely within the new definition, which may raise a whole new pile of hurt for some companies.

The idea for this blog came from the Business Insider Australia read full story

Let us ease your mind

If you have any queries, questions or requests then please get in touch. We’re always very happy to talk, you’ll find a friendly voice on the end of the line or simply fill out the form below.

    Your Contact Details










    This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.