We are proud to announce that hCaptcha has grown into the largest independent cybersecurity service in the world, running on about 15% of the internet - and we took most of this market share directly from Google reCAPTCHA. Together, hCaptcha and BotStop (our enterprise offering) now protect hundreds of millions of users across tens of millions of websites and apps every month. Our story shows that you can compete with Big Tech when you put privacy first.
Privacy vs. Security: Why not both?
Competing with Google and other Big Tech companies seems like a tall order: their monopolistic market power, platform effects and army of highly paid developers are generally considered too powerful to tackle for anyone but other tech giants such as Facebook or Amazon. Our story shows that it doesn't have to be that way - you can beat Big Tech by focusing on privacy.
Consider Google reCAPTCHA, which consumes enormous amounts of behavioural data to determine whether web users are legitimate humans or bots. At hCaptcha, we have deliberately taken a very different approach, using privacy-preserving machine learning techniques to identify typical bot behaviours at high accuracy, all while consuming and storing as little data as possible.
Google is an ad company, and their security products look very much like their ad products: they track user behaviour on every page of a website and across the web. We designed hCaptcha to be as privacy-friendly as possible from day one. This led to a completely different approach to the problem. As it turns out, tracking users across the web and tying their web history to their identity is completely unnecessary for achieving good security. The many companies that have switched over to hCaptcha often report equal or better performance in bot detection and mitigation despite our privacy focus.
In focusing on delivering a product aligned with regulatory efforts such as the European Union’s GDPR and California’s CCPA, we have experienced massive growth - of course, it helps that hCaptcha is a simple “drop-in” replacement for reCAPTCHA and can thus be installed within minutes.
We do in fact believe that regulation has helped us here. GDPR and CCPA have put privacy concerns on the map for enterprise buyers, and at the same time online privacy is becoming more and more important to the public as we all start to understand how the online advertising and marketing industries have historically used our data.
Of course, reCAPTCHA was an early entrant in web security since 2009, protecting millions of websites against ever-growing threats from malicious bots and spammers. However, it has been completely compromised in recent years: software is now as good as people at solving reCAPTCHA challenges.
Rather than improving the solution, Google instead released reCAPTCHA v3, which operates much more like an ad network than security software, collecting behavioural data from across the web to build user profiles. Unfortunately, this kind of signal is easily defeated, and thus provides little protection against bots while harming user privacy.
We at hCaptcha have instead focused on more modern approaches to the problem, which do not require retaining long-term behaviour records like browsing history and have proven far more resilient in the face of determined adversaries since the service was introduced.
An inherent conflict of interest: stopping bots reduces revenue for an ad network
A growing number of critics have pointed out that Google’s disregard for user privacy should concern customers looking to protect their websites and apps.
At the same time, stopping bots from accessing publisher sites can reveal ad fraud, pitting Google’s reCAPTCHA product directly against their ad business, which produces over 80% of their revenue.
Every bot Google detects should be earning zero ad dollars. Google's company incentives are thus poorly aligned with the users of their security services, and this may be one explanation for the poor performance of their reCAPTCHA security offering.
The largest web infrastructure companies have already taken action
The final breaking point for many larger customers came when Google started to charge companies for using their product at any meaningful scale. This caused long-time reCAPTCHA users to look for better alternatives, as regulatory concerns around the world had already made using Google's offerings increasingly unappealing.
Cloudflare CEO Matthew Prince summarized this point of view in the company’s blog post announcing their switch to hCaptcha:
"We're excited about this change because it helps address a privacy concern inherent to relying on a Google service that we've had for some time. We evaluated a number of CAPTCHA vendors as well as building a system ourselves. In the end, hCaptcha emerged as the best alternative to reCAPTCHA."
"We liked a number of things about the hCaptcha solutions: 1) they don't sell personal data; they collect only minimum necessary personal data, they are transparent in describing the info they collect and how they use and/or disclose it."
If you are looking to protect your site or app effectively from bots, spammers or other malicious actors, all while preserving your users' privacy (and complying with all relevant regulations!), do consider hCaptcha and our Enterprise offering BotStop.
Interested in working on deep technical challenges at web scale? We are always hiring talented engineers worldwide - do check out our openings and apply here.