The « CNIL », the French data protection regulator, replied to one of my complaints about Google’s captcha and confirmed that this tool must ask for the user’s consent before being loaded, because it is not only a security tool but also collects data.

Tweet announcing CNIL’s reply on Google reCAPTCHA

« God bless the CNIL! » was one of the reactions to a letter I published on social media. After almost two years of waiting, the French data protection regulator finally replied to one of my complaints. Back in summer 2020, I bumped into a national police form that asked me to complete one of Google’s silly Turing tests. I was shocked that Google could know that I was filling in a police report and could profile all French citizens filling in police reports online! I took 5 minutes to fill in my police complaint and another 5 minutes to file another complaint with my local data protection regulator. Let’s see what the result of those 10 minutes was.

After 10 minutes of writing and 2 years of waiting, I received a paper letter in my mailbox. At first, I thought it was a reply to some other complaints, but I quickly realized it was good news from ancient ages. Maybe I should not say that publicly, but I had actually almost forgotten this old complaint. But if CNIL’s members are reading this article: no, non, I was totally waiting for a reply and I am carefully keeping track of all my complaints. Do reply to them! 😅

Let’s jump directly to the reply. The CNIL said that Google reCAPTCHA was doing tracking (no way?! Google is tracking their users?). When Google’s captcha is loaded, its goal is to determine whether you are human. To do so, it analyzes a lot of data from your Google account, your mouse interactions and your hardware info. That’s why sometimes you need to complete a silly Turing test and sometimes you don’t need to do anything. Google also stores this data in order to keep a history. CNIL’s reply is not very detailed. They said they asked the police website to not use Google’s captcha anymore or to apply further security checks. They did not detail their analysis.

We can be satisfied that CNIL is asking this public body to not use Google reCAPTCHA anymore. French citizens will not be tracked anymore. But in my opinion, CNIL’s response was minimal. Lately, CNIL and a couple of European data protection regulators said that Google Analytics was illegal because of trans-border data transfers. If Google reCAPTCHA is also collecting personal data like Google Analytics does, it should be illegal too. Asking for consent is not sufficient. The CNIL did not seem to have investigated this matter on this occasion. Maybe my complaint was handled before the Google Analytics ones, or maybe the CNIL stopped their investigation early because it was a public body. Future complaints might clarify this.

Meanwhile, this letter was heavily shared, including within French public bodies. Let’s hope we will see Google’s captcha disappearing from their websites soon!

Read the LinkedIn post: https://www.linkedin.com/feed/update/urn:li:activity:6922117123481759744/

Read the Twitter post: https://twitter.com/DavidLibeau/status/1516123959288291348