Consent: the turn of Google’s “reCAPTCHA” to be pinned by the CNIL


Alexander Boero

April 19, 2022 at 3:45 p.m.

2

reCAPTCHA

The reCAPTCHA, Google’s anti-robot system found on many sites, suffers from a breach of the collection of user consent, according to the CNIL.

In July 2020, the data engineer and developer David Libeau had filed a complaint with the National Commission for Informatics and Liberties (CNIL), on the use by the Ministry of the Interior of Google’s reCAPTCHA, this small system security which takes the form of a checkbox. Almost two years later, the CNIL replied that the mechanism must be subject to the user’s consent, which was not the case on the ministry’s website.

The reCAPTCHA of the IGPN reporting form must lead to the collection of consent

More specifically, it is the reCAPTCHA present on a web page making it possible to report facts to the General Inspectorate of the National Police (IGPN) which was called into question.

If the mechanism is intended to block bots and other malicious software that rages on the Web, and that it is therefore useful for the security of the 5 million sites on which it works, it remains subject to the law of January 6, 1978 relating to computers, files and freedoms.

The CNIL wrote to the Ministry of the Interior to tell it that ” the read and write operations performed by this device on the user’s terminal (therefore ticking the reCAPTCHA form on this page which offers the IGPN reporting form) remain subject to obtaining the consent of the persons concerned.

The CNIL has invited the Ministry of the Interior to no longer use the reCAPTCHA

Article 82 of the law of January 6, 1978 recalls that access, here to the form, can only be done in the case where the user has expressed ” his consent “. And the data constable adds that if there are two exceptions to the collection of consent, none of them seems applicable to reCAPTCHA.

The CNIL explains that ” insofar as the collection of information would not only have the purpose of securing the site for the benefit of users but would also allow analysis operations on the part of Google an exception to consent cannot be applied.

Without it being known whether the CNIL and Google have discussed together the outlines of the collection of consent with the reCAPTCHA, the authority invited the ministry to use another device, or else to take additional security measures. By consulting the IGPN reporting page, we can actually see the absence of Google’s anti-robot form.

In 2020, the CNIL had already given formal notice to the Ministry of Health for the use of Google’s reCAPTCHA in the TousAntiCovid environment (thus allowing the company to know whether you were using the application or not). The representatives of the DPOs had also pointed the finger at the excesses of the automatic detection system of Internet users, evoking at the time a use ” uncontrolled “.

Contacted by Clubic on Tuesday morning, Google has not yet delivered an official response on this subject.

On the same subject :
Yes, Google recovers your data without your consent on your Android smartphone





Source link -99