Cloudflare ditches Google's reCAPTCHA because of privacy concerns and costs

Cloudflare has moved away from using Google's reCAPTCHA, opting instead for the independent hCaptcha bot detector.

The company explains the reasons behind the change, citing not only the fact that Google would now like to charge Cloudflare for what used to be a free service, but also the privacy concerns that stem from anything to do with Google.

See also:

• Cloudflare launches DNS-based parental control service 1.1.1.1 for Families
• Google bans Zoom and the US senate warns against its use
• Cloudflare announces free VPN tool WARP for Windows and macOS, with Linux to follow

Cloudflare points out that it has been using reCAPTCHA since 2009, and that Google was happy to provide it from free. The only "cost" to Cloudflare was a requirement to share with the company data that could be used to train visual identification systems. With Google announcing earlier this year that it intended to start charging for reCAPTCHA, Cloudflare was forced to have a rethink.

But in a blog post about the move to hCaptcha, Cloudflare explains that the financial side of things was not the only factor influencing its decision -- although it concedes that sticking with Google would costs millions of dollars per year:

Since those early days, some customers have expressed concerns about using a Google service to serve CAPTCHAs. Google's business is targeting users with advertising. Cloudflare's is not. We have strict privacy commitments. We were able to get comfortable with the Privacy Policy around reCAPTCHA, but understood why some of our customers were concerned about feeding more data to Google.

We also had issues in some regions, such as China, where Google's services are intermittently blocked. China alone accounts for 25 percent of all Internet users. Given that some subset of those could not access Cloudflare's customers if they triggered a CAPTCHA was always concerning to us.

Over the years, the privacy and blocking concerns were enough to cause us to think about switching from reCAPTCHA. But, like most technology companies, it was difficult to prioritize removing something that was largely working instead of brand new features and functionality for our customers.

hCaptcha was selected as the alternative, with Cloudflare citing six things it was impressed with:

1. They don't sell personal data; they collect only minimum necessary personal data, they are transparent in describing the info they collect and how they use and/or disclose it, and they agreed to only use such data to provide the hCaptcha service to Cloudflare
2. Performance (both in speed and solve rates) was as good as or better than expected during our A/B testing
3. It has a robust solution for visually impaired and other users with accessibility challenges
4. It supported Privacy Pass to reduce the frequency of CAPTCHAs
5. It worked in regions where Google was blocked
6. The hCaptcha team was nimble and responsive in a way that was refreshing.