How does Google's new re-captcha work?

As far as I know, google has changed its re-captcha to a new one for google chrome browser. Google URL Shortener uses this kind of captcha.

This re-captcha verifies that "We are not robot" automatically only with a single click. But how does it work?

In the image below, you can see the captcha.

(1) We click on "I'm not a robot" and (2) after a while, (3) re-captcha verifies that automatically:

enter image description here


Solution 1:

As far as I know, there's quite a few things that are going towards it. For a start, it uses Javascript - which many spambots can't execute, so it's inherently stopping a lot of spambots in that regard. (depending on if the owner has configured fallback, they may see a basic HTML version of the CAPTCHA).

But more to the point of determining a 'human' click to a 'possibly robot' (and show visual CAPTCHA) click:

  1. IP Addresses - as mentioned, being on Tor IP addresses almost certainly leads to a trigger for the visual CAPTCHA. Also, being located in certain countries seems to increase probabilities, but I can't be certain on that.

  2. Google Account and History, * perhaps* - I notice a lower incidence of the visual one firing on me when signed in, versus when I'm in Incognito mode. Also, if you've had a Google session watching YouTube videos, sending emails, you would be seen as a lesser threat than someone who's just loaded a page for the first time.

  3. Page activity - I haven't deleved into this too far, but it seems they're using some sort of mechanism to detect how you're viewing the page. If one is to click the CAPTCHA as soon as the page is loaded, rather than after 30 seconds of form filling, they're seen as higher-risk.

  4. Number of times anti-robot check completed - This is an obvious one. Eventually, if you keep ticking the box over an over, the higher the probability of the robot check firing. A spambot may be able to get through a form the first 3 times, but after that when the robot-check fires, they are stopped.

Solution 2:

As far I as know there's some sort of bot that looks for "human patterns". If you for instance were able to scroll to the bottom of the page and instantly click the "I'm not a robot-button" you would most likely NOT be approved - but would be asked to do an old captcha.