Google has recently been testing a new feature to strengthen reCAPTCHA verification: "Hand Gesture Verification" (HGV), which collects video of users' hands to determine whether they are real people. The feature quickly drew controversy over both privacy and security.

According to Google's official documentation, HGV requires website visitors to grant access to their device's camera so that it can record "one or more" video clips of their hands. During verification, the user waves or makes a designated gesture at the camera, and the system extracts key biometric characteristics to determine whether the operator is a human rather than an automated script or bot.

Google believes that this biometric-based identification method can improve the security of reCAPTCHA, but actual test results show that HGV has not delivered the expected results. Security researchers and ordinary users have successfully bypassed the system using stock pictures and virtual camera functions: the attacker only needs to prepare a "waving" or hand photo corresponding to the requested movement, and the verification can be completed through the virtual camera output of software such as OBS Studio, with no real camera and no real person involved.

With advances in machine learning and automation, existing CAPTCHA systems have frequently been "broken" by AI bots. Multiple studies have shown that traditional image CAPTCHAs, such as complex traffic-light recognition, can be solved by automated tools in most cases. HGV's early failures further highlight that even when biometrics are introduced, if the interaction process and the capture channel themselves lack anti-counterfeiting design, they too can be bypassed at scale with virtual cameras, stock images, and simple scripts.

Beyond technical effectiveness, privacy has also become a focus of the controversy. Critics point out that verification schemes built on cameras and biometrics quietly "normalize" continuous background monitoring of users, leading them to hand more sensitive camera data to large technology companies simply to access ordinary websites. In an increasingly privacy-sensitive environment, asking users to frequently provide live images or video is likely to be regarded as excessive data collection.

In response to these doubts, Google stated that HGV is used only to recognize gestures in the recorded video, that it does not collect or process audio, and that the video will be "deleted as soon as possible" after verification is completed. The official note also emphasized that these videos "will not" be directly linked to the user's identity. However, some security and privacy experts believe this commitment does little to dispel doubts: on the one hand, ordinary users cannot verify the actual data retention policy of the back-end system; on the other hand, the cloud infrastructure of large platforms often has redundant backup and disaster recovery mechanisms, so the actual data life cycle may be far more complicated than what the front-end interface displays.

This concern is not groundless. In a previous high-profile case, "deleted" video from Google's Nest camera was recovered from the cloud system and used to assist in the investigation of a high-risk kidnapping incident. The case is seen as proof that even when content has been deleted from the front-end interface, the back-end system may still retain a copy of the corresponding data under certain conditions. Critics have therefore questioned whether video recorded by HGV will also be retained in certain scenarios, or used to train various models including Gemini, thereby amplifying the potential privacy risks.

As automated traffic and malicious bot activity continue to grow, the evolution of CAPTCHA technology clearly remains an important issue for major platforms. However, judging from HGV's early performance, introducing cameras and biometrics alone cannot guarantee higher security. Instead, it may expose users to greater privacy risks before the technology is mature. While industry players, including Cloudflare and browser manufacturers, are actively exploring "de-captcha" solutions to reduce user friction, striking a balance between security, abuse prevention, and privacy protection is becoming a problem that the entire industry must face.