Dear all,
We are developing a position paper on Google’s reCAPTCHA system and its evolution into Gemini-powered behavioural surveillance infrastructure. The paper argues that what started as a simple bot detection tool has become a structural surveillance layer embedded across the web, and that current EU law such as GDPR, the AI Act, and the DMA is not being applied adequately to address it. We are also documenting privacy-respecting, open-source alternatives that prove effective bot protection does not require submitting to corporate surveillance infrastructure.
We are already covering the technical evolution of Fraud Defence, the European enforcement record under GDPR, algorithmic opacity and the right to contest, market structure and DMA implications, and open-source alternatives.
We would particularly welcome input on two specific questions:
- whether Fraud Defence could be classified as a high-risk AI system under the AI Act given its role in controlling access to online services, and
- whether anyone has the EDPB’s late 2024 guidelines on third-party CAPTCHA solutions to hand. Any recent civil society or academic analysis on either point would be very useful.
Deadline for inputs: 30 May 2026