BotDetect CAPTCHA Generator

BotDetect™ CAPTCHA generator is a non-stalking form-security solution that uses a mix of measures, easy for humans but hard for bots, to prevent automated form posting.

BotDetect also provides an audio Captcha alternative to keep websites accessible to people with impaired vision, enabling you to make WCAG and Section 508 compliant websites.

CAPTCHA Generator Features

Self-hosted • Licensable source-code

Works in China • No third-party server dependencies

Native .NET Core 1/2, .NET, Java & PHP backends

Works with Angular/JS, jQuery, and other .js web frameworks

TestMode-enabled -- ready for your CI/CD pipelines

Localized Captcha generation, using various Unicode character sets and multi-language sound pronunciations

Custom Captcha style, image size, code length, css, icons, tooltips, and pretty much everything else

Produces legible images & audio; as well as XHTML 1.1 Strict, Section 508, and WCAG AAA compliant markup

Doesn't stalk your users; nor does it slurp the form data

From a vendor that has nothing to do with the NSA

Allows for EU's GDPR, Brazilian LGPD, and California's CCPA compliant sites!

Why BotDetect?

BotDetect Captcha vs. ReCaptcha

The years of Google’s relentless abuses of their organic and paid search monopolies, and the years of their equally relentless campaign of disinformation and FUD about captchas, took a toll among our former competitors -- there are only two viable players left. Ladies and gentlemen, this is the 'BotDetect Captcha' vs. 'Recaptcha the Stalker' fight. Please take your seats.

BREAKING NEWS: 2019/09/09: A Bipartisan Coalition of 50 States' Attorneys General Launched a Probe Into Google's Antitrust Violations. 'I can't remember the last time you had just about everybody get on the train,' said William Kovacic, a former FTC chairman...

What Google confirmed so far:

2.5 years after we stuck the 'the Stalker' label on it, a Google spokesman confirmed -- if you have a Google Account, Recaptcha has been stalking you for all those years.

The tip of the iceberg! Grab some popcorn folks -- there will be more shoes to drop :)

What Google didn't confirm yet:

Transport-layer stalking -- independent of a Google Account status, or the existence of an account, or your grandma's cookies.

Protocol audits by independent researchers found built-in stalking capabilities in QUIC, TLS v1.3 & 1.2, and TLS Channel IDs.

The Hamburg Uni guys audited the former three protocols. Combining them with the Trio that just broke through the Recaptcha's 'tracking mouse movements' obfuscation layer might bring some interesting results.

But, somehow, they will have to make sure that the Stalker is not aware that it is being tested -- which is easier said than done!

The more in-depth coverage of this topic has its own chapter further down the page.

Antitrust violations -- including, but not limited to, burying this site on Google Search -- over the last six years, at least.

Check for yourself! On your desktop, open an incognito mode browser window and try finding us with the single-keyword 'captcha' search. Do it -- it will explain many things!

The EU's Margrethe Vestager, who fined Google $2.7B over a similar issue, said that competitors were typically on page four.

As we're more often on page 14 rather than 4, perhaps we are getting VIP treatment :)

This is increasingly counter-productive for Google -- making one wonder aloud if there is an entity, other than Google, that holds a part of the Google Search dials?

Which brings us to:

The role of the NSA & its vicarious fronts; aka, 'Recaptcha marketing department.'

We explore different aspects of this in a few chapters at the bottom half of the page -- and we're not even close to being done yet!

Do not hold your breath over this particular bullet being officially confirmed, ever! There are laws forbidding that kind of disclosure.

But, a Googleminion might blab again :)

Intro: Recaptcha Versions

At present, the Stalker exists in the following three variants:

Invisible Recaptcha (v2) -- the Invisible Stalker -- whose release Google kinda regretted.

That gradual disappearance of the word 'Invisible' from its homepage was fun to watch :).

Recaptcha (v3) -- released after Google spent about 20 months applying lipstick on the Invisible Stalker pig -- hoping no one will notice that the pig with lipstick is still a pig :).

Nocaptcha/Checkbox Recaptcha (v2) -- the original Stalker. It appeared, for a while, as if it was being taken behind the shed -- but no gunshot was ever heard. It seems that Google had a change of heart and decided to keep it -- likely following the Invisible Stalker fiasco.

The presence of multiple versions makes maintenance of this article more difficult than it should be; but you will figure it out. It is the same stalker after all -- just dressed in three different outfits.

Let's see how we stack up against each other:

1) BotDetect Is Secure

During its first decade, BotDetect was unique among Captcha generators in offering many different Captcha image and sound algos.

While each of them was easily comprehensible to humans, the random use of multiple Captcha generation algos made the generated captchas extremely difficult to pass automatically.

Later, over the years, we extra-fortified it with additional security measures, all transparent to humans, designed specifically to turn a form-spamming business into an unprofitable misery.

All common sense security practices should be applied here too; one has to run a relatively new version -- and have it properly implemented.

No one runs a years-old, never-patched firewall and expects to be fully protected. Right?

Our approach to Captcha security is validated by BotDetect's track record. Since 2004, we have over 3000 paying customers and only a single confirmed case of significant automated Captcha breaking by ordinary spammers.

2) BotDetect CAPTCHA Works in China

BotDetect is a self-hosted captcha lib; it works in China -- while Recaptcha, historically, due to local policies, worked in China only on sporadic networks, intermittently at best.

With its 1.4B people China has approximately 20% of the world population and outputs about 16% of the world GDP. The size of China's economy is second only to the size of the US'.

Even if you do not actively target the Chinese market, the chances are that some of your visitors, users, and customers sometimes venture or even reside there. It helps not having Recaptcha breaking your website for them.

But, if you, or your users, do target the Chinese market, making your website fully functional for the visitors from China should be one of the top items on the 'minimum requirements' check-list.

Make sure to check it!

3) BotDetect Is Multinationals Friendly

With more than a hundred world languages already supported in the code, and 56 different audio localizations being just a download away, BotDetect Captcha will ensure that your interaction with every local market is done in that particular local market's familiar combination of script and language.

4) BotDetect Lets You Meet Regulatory Requirements

Recaptcha is a 3rd-party stalking service delivered from the cloud that you have no control over; and due to its obfuscation and encryption you can only guess what payload your users get.

'Plug & Pray', one might say :).

BotDetect is self-hosted on your own servers, and its source code is available; thus enabling you to easily meet whatever regulatory or security requirements are, or might be, imposed on your application or website!

Think: GDPR, eff. 2018/05/25, or the California Consumer Privacy Act of 2018, eff. 2020/01/01, or whatever else might come in your direction.

5) BotDetect Is Accessible and Legal on US Government Websites

BotDetect Captcha is both Section 508 and WCAG compliant, and as such legal on the US federal agencies' websites -- unlike Recaptcha, which is just lame-ducking there while waiting for its Section 508 lawsuit by a disgruntled employee or a user to throw it away.

Why is it like that? It is simple. When you block cookies in your browser, or go into incognito mode, Recaptcha reverts back to the old 'two-words Recaptcha', or to various 'pigs, dogs, and street signs' pictures. And few things aside from a miracle will make your application using either the 'two-words Recaptcha', or those 'pigs, dogs, and street signs' pictures, able to satisfy this particular Section 508 requirement.

6) BotDetect Will Not Get You Sued Over the 578 Patent Infringement

As BotDetect does not use those 'pigs, dogs, and street signs' pictures at the center of the Confident Technologies vs. Ticketmaster case, we couldn't be bothered to waste money on lawyers' fees in order to check the merit of the case -- that is on Ticketmaster's plate.

But Confident Tech is not a patent troll; those guys had a product back then; so we opt to assume that they know what they are doing -- albeit we are perplexed that they went after the Recaptcha users, instead of after Google itself.

Note that settling such a suit might cost a small fortune; which is still peanuts compared with how much it would cost to defend it. For Ticketmaster, the Stalker turned out to be an expensive joke.

Ensuring that neither you nor your customers get sued over the 578 patent infringement should be the next item on that 'minimum requirements' check-list. Shouldn't it?

7) BotDetect Is Both Privacy and National Security Friendly -- It Does Not Spy

Unlike Recaptcha, BotDetect does not operate under 'if it can stalk you then you are human' principles; and will not get your application rejected by the majority of world governments on the grounds of national security; be it on their own websites, or on the websites of their sensitive institutions and industries.

If you have a privacy or national security sensitive website or application and are considering the Stalker, think again:

Recaptcha the Stalker refuses to work 'as advertised' if you switch your browser into incognito mode, block cookies, or use Tor Browser. It gets annoyed when prevented from stalking. Why?

It is owned by Google who already knows who you are; think Gmail, Search, Docs, Play, YouTube, etc. And now, Google can cross-match that data with your activities on all Stalker armed websites.

Kiss goodbye to both your users' privacy and national security.

Its client-side is a .js payload; obfuscated, encrypted, and delivered from the cloud by the party who knows your identity (Google); straight into your browser; completely bypassing servers of the Stalker armed website you are visiting.

Hm, what could possibly go wrong :)?

In short, Recaptcha is not a captcha, but a stalker disguised as a captcha. By default, it does not check your humanity at all, but fingerprints your browser and cookies and matches it with your past activities across the web. It is a sort of 'Login by Google' -- just a way more dangerous one.

8) BotDetect Means No Post-GDPR EU Legal Murkyland

GDPR bans 'forced consent' -- while Recaptcha the Stalker forces your users to accept being stalked by Google even just to open your form -- not to mention to fill it, or to use your service.

A legal Murkyland, or outright illegal?

Google mismarkets the Stalker as a captcha. Now imagine a convicted serial arsonist who mismarkets his setting-your-farm-alight urge as a pest-control service -- no difference!

Google might argue that stalking is necessary for providing its stalking service. That would be a valid point -- as a stalker it has to stalk -- if it was not mismarketed as a captcha service.

But, who knows, Google might go googlish and even argue that the stalker named reCAPTCHA was not marketed as a captcha. Any takers?

What stance the EU DPAs will take, and then the judges, is anyone's guess -- but, see those enormous fines; feel like betting the farm on it?

Did anyone mention Brazil :)?

9) Captcha, Inc. Eats Its Own Dog Food

While Google, since 2009, mostly avoided using Recaptcha on its own properties. Why?

A cynic would argue that on its own properties Google already knows who you are so Recaptcha the Stalker was not needed there -- and it does not thwart bots that well anyway.

10) Captcha, Inc. Does Not Break Antitrust Laws

While Google exposed itself to huge legal risks by breaking every rule in the antitrust book, in order to force-feed you Recaptcha the Stalker through the nose.

A 'captcha' product that:

has no known revenues; losing them a fortune each quarter; year after year.

does not work in China; and will break your website for everyone there.

might get you, and/or your users, sued over the 578 patent infringement in the US.

will drown you, or your users, in the murky legal waters of the post-GDPR EU.

is deliberately designed to be inaccessible; a no-no for the US Federal Agencies' sites.

and is broken so often and so thoroughly; that over the last ten years even Google itself mostly refused to use it.

That is weird, isn't it?

11) Captcha, Inc. Lives Off BotDetect License Sales

But where the Recaptcha money is coming from, in amounts large enough to justify taking the risk of breaking the antitrust laws, is a sort of mystery.

A cynic might ask you to pick your preferred scenario:

It does not come; and at some point Google will pull the plug on Recaptcha completely, as they did with Google Reader and other such products resting in the Google Graveyard.

BotDetect Team: OK Google, that is called 100% enterprise-ready; a CIO's wet dream :).

Some undisclosed parties license the Stalker's data-feed and pay Google a fortune, and then some, so Recaptcha is actually profitable -- and the Stalker is watching you!

BotDetect Team: OK Google, who are they? And, what do they use the data-feed for :)?

Which scenario do you prefer?

12) Captcha, Inc. Does Not Manipulate the Captcha and Recaptcha Articles on Wikipedia

Do you find it strange that as of 2018/03/26 the 'Security' section of the 'Recaptcha' article on Wikipedia has no Stalker's vulnerabilities listed that are less than five years old?

Which is actually an improvement -- because not that long ago, there weren't any listed there that were less than almost eight years old :).

It is not like no one was complaining that it looks like a Recaptcha marketing brochure -- exactly how the 'Captcha' article looked before the separate 'Recaptcha' article even existed.

Unfortunately, a truly independent review of all the IP addresses, entities, bots, and humans involved in all the edits of both 'Captcha' and 'Recaptcha' articles -- following both the money and the data-feed -- is still left to be desired.

Who is behind the Wikipedia issue?

Google itself; with smoking gun emails spread all over the place? We doubt it. There are rogue engineers and unsecured Wi-Fi networks for such things :)

But, there are other entities; far more adept at concealing their activities -- whose interest in the Stalker's data-feed cannot be overestimated -- who come to our minds as the primary suspects.

BotDetect Team: OK Google, that Wikipedia job -- was that you guys, or the G-Men's 'pals' :)?

Any favorites?

13) How Recaptcha Works? A Dummy's Guide To 'Advanced Risk Analysis'!

Few things about Google are as annoying as their sense of antitrust impunity in the US -- but their firm conviction that the general public is 'just a bunch of suckers' is surely one of them.

'Tracking mouse movements - over the captcha widget,' and 'advanced risk analysis.' That is what they said about Recaptcha. Didn't they?

Very googlish; an absolute lack of respect; only the 'suckers' word is missing -- so the people can know what Google overlords think of them!

Consider the following ways of user tracking: the SCID & Source-address Token / n-RTT session resumption of QUIC; the PSK / n-RTT session resumption of TLS v1.3; the Session Ticket and SessionID session resumption of TLS v1.2; cross-domain Shared TLS States; Token Binding; and TLS Channel IDs.

Note that this isn't the final list! A few other protocols are still awaiting the long overdue independent audits of their stalking abilities.

To simplify, we coined the temporary umbrella term TokBind Stalking to refer to both the list and the cryptological foundation under a part of it. While technically imperfect -- it suffices. Whether it sticks depends on what else emerges later.

Their first try was the old 'Login by Google'; but both its name and the affirmative user actions it required were the obvious 'shortcomings'.

Then TokBind converted it into something like 'Drive-by Check-in by Google'; or by a fair legal extrapolation: 'Involuntary Check-in by .......' -- fill in the blank!

An Identity + TokBind Stalking play!

When you open a Recaptcha-infested page -- spies weep. No need for cookies; nor to click or type; nor for one of Google's sites in another tab -- nor, in some scenarios, does even the Stalker itself have to fully load and execute.

As the stalking leapt from the app layer to the transport layer; your request of the Stalker's URL itself -- can now be that 'Check-In'. Got it?

Why did they disguise it as a 'captcha'? We do not know; they do not stop by to confess -- did someone assess that such a disguise will let it stalk on the sites where no other tentacle can?

In that light, Google's nonsensical sense of antitrust impunity in the US might not be such utter nonsense after all -- maybe they do have a deal of some sort indeed -- time will tell.

We can't wait to see Google's attempts to fit its TokBind Stalker-enabled mass-surveillance into a GDPR frame. It would be a hilarious comedy -- despite them never reaching a happy end.

The next time you hear our Google overlords bullshitting the terms like 'advanced risk analysis', 'tracking mouse movements', or 'more secure browser'; tell them to stick it; and where.

BotDetect Team: OK Google, six plus years, that's perseverance -- did the 'pals' offer help :)?

Did they?

14) Captcha Isn't a Part of PRISM. How about Recaptcha; and its data-feed?

One might argue that as a US company Google didn't have a legal way to avoid becoming a part of PRISM. Well, neither did Apple -- but that is the point where all the similarities end.

Confronting the reality, Apple went into 'what happens on your iPhone, stays on your iPhone' mode; slurping the least they can. No law can force them to provide the data they did not get!

While Google was opportunistic -- there were synergies. With an NSA implant sticking out of its back -- it morphed into an obsessive stalker -- and went on a data-slurping perma-spree!

English is an interesting language; see this:

If one, by undisclosed means, meticulously collects the data about a dozen officials of a particular country; their friends, family, health, finances, locations, sex lives, what they wrote, read, or said, etc -- that is called 'espionage.'

But, if one, by the same undisclosed means, meticulously collects the same data about the entire population of that country; including the same officials, their friends and family -- that is called 'advertising'. It is amazing, isn't it?

And then, if by the same means, one collects the same personal data about everyone in your own country; to the level that one has the data where your teenage daughter's bf lives; and, with whom, when, and where she had one night stands -- that is also called 'advertising'. Is it :)?

Our Google overlords love to bullshit about privacy and 'organizing the world's information'; but what they made stinks as the world's first publicly-traded signal intelligence organization.

Regardless, on 2019/05/07, Google's CEO, Sundar Pichai, who presides over Android and the TokBind Stalker, nation-state class mass-surveillance technologies, volunteered to show off his Googlish-for-suckers at its finest:

'Privacy cannot be a luxury good offered only to people who can afford to buy premium products and services. Privacy must be equally available to everyone in the world.'

Sundar, with skin thick enough to withstand an arrow, was confident that in no time -- he would be done placating 'that bunch of suckers'. Wow!

No one told him that that train is gone :)

His first sentence is a diversion; supposedly a salvo aimed at Apple; while in fact the magician just drew your attention toward irrelevant stuff.

The English translation of his second sentence would be akin to: 'The privacy from Google [and the 'pals'] will not be given to anyone.'

He did not offer privacy from Google at all; and privacy is equally available if it is not given to anyone. You see, he was not lying -- shame on you for getting it all wrong! Skillful, right :)?

Still, due credit should be given.

Aside from making the world's first listed sigint agency ever, our Google overlords managed to take corporate doublespeak to a completely new, language-dialect level -- all while enriching themselves immensely in the process. Neat!

However, it won't enrich your teenage daughter.

Does her bf have all that info? No! Do you? No! With good reason -- it is none of your business!

But, Google thinks that teens' one night stands are their business -- and, they got the data!

Now, sit down and guess -- who will make sure to have a copy? Forever! Got it?

Hence, it might be wise to sit her down; and, gift her an iPhone -- while carefully explaining how the English language works -- with an emphasis on its Googlish-for-suckers dialect peculiarities!

Captcha, Inc and BotDetect CAPTCHA have nothing to do with the NSA PRISM. How about Google Recaptcha -- and its data-feed? Btw, just imagine Sundar's stand-up gig on the topic :)

BotDetect Team: OK Google, was Keith learning from you guys -- or you learned from him :)?

Think for yourself!
