
ReCaptcha seems to use your logged-in status (and, I’d guess, account reputation), along with an IP reputation score when deciding whether to serve a captcha or not.

A GDPR request naming an IP address should allow them to provide those scores.

If not, it’s easily demonstrable that they are storing and using information that they’re not including in a GDPR response, and they deserve their multi-billion dollar fine.

Also, ReCaptcha’s behavior is obviously anticompetitive, and also using Google’s dominant positions in some markets to establish dominance in unrelated markets.

This is anti-trust lawyer candy.




Logged in status and account reputation are obviously useful input, but reCAPTCHA objectively works without requiring login. IP reputation also obviously makes sense to take into account, but the fact that Google collects all of this fingerprinting information demonstrates that’s again only a part of what factors in. The same profile can show up from behind a different IP.

Not sure what you’re getting at about GDPR and IP reputation. GDPR says that an IP address is PII if it can be associated with an individual, but that doesn’t mean an IP address is a “subject” for the purpose of filing an Article 15 Data Subject Access Request. And it doesn’t mean that stored information that is keyed by an IP address is personal data, even if the IP address can be associated back to a particular individual.

I also find it strange that you’re talking about reCAPTCHA being “anti-trust candy” in the comments of an announcement about how a different captcha service now handles 15% of the entire internet.


>GDPR says that an IP address is PII if it can be associated with an individual, but that. . . doesn’t mean that stored information that is keyed by an IP address is personal data, even if the IP address can be associated back to a particular individual.

Okay, I’m usually pretty good at understanding law, but this doesn’t make sense to me. This seems like a very shallow, arbitrary definition of subject data. So GDPR didn’t grant ownership of one’s PII? What did it grant ownership of? I’m very confused by this.


A subject (a person) can make a request for subject data (data about the person) that a company has stored. The data has to be about the person and associatable with the person to be covered by GDPR. If I keep track of say, average CPU time for handling requests from a particular IP address, the CPU metric doesn’t become the personal data of the individual that is associated with the IP address.



