reCaptcha knows when you contact the IRD

Posted by on Feb 03 2020, in asylon

Last December, I had to set up an account with BC Hydro in Canada, which is provincial government’s energy company. While going through the process of setting it up online – there was a reCAPTCHA message at the bottom. But unlike most, this one had some fine print:

Prior to using the following validation process offered by Google, please be aware that Google may collect information based on their data collection policies. Such data may include information like your IP address, browser type, OS version, and the fact that you are dealing with BC hydro. If you don’t want such information to be collected by Google do not use this online validation service and, instead call the 1 800 224 9376.


Needless to day, this was a huge surprise. First of all, I didn’t even consider that the technology behind reCAPTCHA could do those things. Secondly, that an Government site would actually have the forthrightness to actually list this. I was pleased with the openess. For those who need more background on what Captcha and reCaptcha is.

Knowing very little about the reCAPTCHA process, I immediately decided to investigate – the ins and outs of Google’s bot detection device. The results were the following:

How do New Zealand governmental agencies fare? A very quick survey shows that the IRD, Elections website, and consumer protection all use reCaptcha without any warning of 3rd party data collection, nor any alternatives. This is not uniform across NZ government sites, for example, beehive website uses a mathematical captcha. See below:






This certainly isn’t to point fingers and blame Government sites, in fact, if someone like me, who has worked in technology for years, was ignorant of this data collection, certainly it can be forgiven that they use this technology to help fight spam.

However these websites are gateways to New Zealand’s personal information and should not be taken lightly.

Ideally, if New Zealanders wants to see data protection from capital surveilliers, it should start with an unified example from the Government. If you are concerned contact the privacy commissioner.