Cloudflare announces Turnstile

Cloudflare announces Turnstile for web security and user privacy

Captcha-based anti-spam measures are used on millions of websites across the internet. Captchas can effectively block automated spam bots by requiring users to complete a simple task, such as identifying a series of images. However, many captcha services have come under fire for their privacy policies. In particular, some services are selling user data, such as IP addresses and browser information, to third-party companies. This raises serious concerns about the security of user data. In this short announcement, we will cover the current state of Captcha services, what alternatives are out there and what Cloudflare’s Turnstile service is.

The current status quo of captcha solutions

One of the more popular captcha solutions is Google’s ReCaptcha. You may have seen it in one of the following forms:

reCAPTCHA | Google Developers
recaptcha protected by - Marketing Bear
captcha intro 768 - Marketing Bear

Sometimes you need to tick a checkbox; other times, you need to solve simple image-based quizzes. In its latest iteration, ReCaptcha v3, the processing happens without a user’s input in the background.

The issue is that Google does not disclose where exactly it stores the collected data and what happens to it. Therefore, it is incompatible with most current data policies introduced by different governments worldwide. The data policies require the user to consent to what happens to their data and where it is being stored. To name a few policies ReCaptcha is not compatible with: European GDPR (DSGVO in German), most PDPA implementations in Southeast Asia, or Brazil’s LGPD.

In addition, Google uses its own Google Fonts service to render the texts in the ReCaptcha widgets. However, as this service also tracks users, it is specifically forbidden in some jurisdictions, such as in Germany.

How to protect your businesses from bots and remain data-policy compliant

Marketing Bear advises its clients to switch to alternative solutions. From a data-privacy point of view, switching to locally generated math questions or quizzes is the best approach. However, it does not fully protect a business from spam and phishing bots.

For example, a bot could use a service like 2Captcha (on purpose, we are not adding a link here) that uses a big pool of individuals to provide fast and reliable captcha-solving solutions.

Another option that can be used, in addition to locally-generated bot challenges, is a so-called honeypot. It is a unique field that can be added to most modern web forms only visible to bots. However, also this option is not fully protecting businesses from more advanced bots.

Data-privacy-focused Captcha solutions

Because of the need for privacy-focused advanced bot protections, new services emerged in recent months. For instance, while hCaptcha was always the leading competitor of Google’s ReCaptcha service, they only in recent years begone to advertise themselves as a privacy-focused solution. The challenge is that their business model did not start with privacy. For example, one aspect of data privacy is that data cannot leave the data policy’s jurisdiction. E.g., if a user is in a member state of the European Union (EU), the GDPR applies, and data cannot leave the EU without the user’s consent. hCaptcha defends itself by saying that they anonymize the user’s IP address with one of its content delivery network (CDN) servers, which should be near the user’s location. However, there is a small but actual chance that the user from within the EU is connected to a CDN server outside of the EU, and this would no longer be compliant with the GDPR. In addition, hCaptcha’s more advanced solutions are based on a monthly subscription fee.

Note: There are other Captcha providers in a similar situation, like hCaptcha.

CloudFlare’s Turnstile Solution

As a longtime partner of Cloudflare, we are pleased they use their global experience to provide their own Captcha solution. Cloudflare Turnstile. Although it faces similar challenges as hCaptcha when it comes to data center locations, it offers a few unique features:

  • It is 100% free.
  • Very simple to deploy.
  • Mostly invisible. Only if Turnstile detects suspicious user behavior it shows up, and when it does, it looks like this:
turnstile gif - Marketing Bear

Cloudflare is a business that focuses on web security and user privacy. Therefore, it remains our preferred choice as a CDN provider and now as a Captcha service provider.

Important: To be data-privacy policy compliant, most jurisdictions require you to disclose that you are using Cloudflare’s Turnstile service and allow the user to opt out. Our recommendation is to make Cloudflare Turnstile a required field in your web forms, and if a user does not agree to use it, they cannot use your web forms.

If you have questions about using Cloudflare Turnstile in your business, contact our data-privacy specialists.