hCaptcha biased against humans in foreign countries

I created a Cloudflare account to send feedback.

I am an American citizen currently living in South Korea since May. Ever since I arrived, I am constantly bombarded with Cloudflare hCaptcha challenges just browsing the web. I never got a single challenge in the years I’ve lived in the US.

My IP address, browsers, etc. never change, so it seems like:

  1. Cloudflare is biased against my IP address / country (maybe unintentionally! not trying to accuse of intentional bias)
  2. Even over the course of months, Cloudflare never starts to trust me / my IP address.

I work at a large tech company, and we’re trained to look for unintentional bias in automatic filtering systems – it’s very easy to accidentally introduce. I’d ask that you please review whether hCaptcha might be unfairly biased against humans in foreign countries, and that maybe you aren’t hearing about it because they’re not complaining to you.

Again, I’m not accusing of intentional bias (and I experience this with many other captcha systems too), but I would like to point out that Korea is a first-world, close ally of the US. If it’s unusual for Koreans to connect to US websites, I could -maybe- understand some initially higher risk, and maybe Cloudflare simply has less data about many foreign IP addresses than it does about US IP addresses?

But over time, surely you’ll trust me more; unfortunately so far I haven’t seen any evidence of that. Having to pick out which pictures have ‘X’ in them takes a lot of time and just constantly bumping into this during casual Google searches is terribly frustrating.

Thanks for reading.

Is it not possible that your IP address is on some sort of blacklist? You could be behind a NAT, and someone else behind it could have a compromised device sending out junk traffic.

You can try checking here:

Or
https://whatismyipaddress.com/blacklist-check

Good idea, I just checked both sites and I listed results below [tl;dr no smoking gun, but one confirmation of my hypothesis]. And yes, my local computer is on a NAT, but my public address doesn’t change and is unique to my home.

There was nothing on abuseipdb.com; however, there were two entries on the second blacklist check:

  1. blacklisted by “http://korea.services.net/”
    However, if you go there you’ll see: “Beginning in late 2001, … So, with regret, we have blocked mail from most South Korean networks.”

So that would be a prime example of how there is bias against South Korean IP addresses. In that case it’s clearly intentional and maybe it made sense in 2001 to block email from those addresses in some cases.

And the second was blacklisted because my IP address does not have “Forward-confirmed reverse DNS (FCrDNS)”. That sounds maybe reasonable for email blacklists (which seems to be what these blacklists are about) but doesn’t seem like it would have any bearing for me as just a normal internet user wanting to browse the web.

Regardless of third-party blacklists (and there were only the above two hits), I should still be able to build up my own IP address’s reputation with Cloudflare over time and that’s not happening.
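
What the FCrDNS listing mentioned above tests, as an added example that is not part of the original posts: the check looks up the PTR name for an IP address and then confirms that this name resolves forward to the same address. The function names, the sample addresses (documentation ranges) and the hostnames are constructed for illustration.

```python
import ipaddress
import socket


def _ptr_names(ip):
    """Reverse lookup: hostnames the PTR record(s) for `ip` point to."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [name, *aliases]


def _forward_addrs(hostname):
    """Forward lookup: every A/AAAA address `hostname` resolves to."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return [info[4][0] for info in infos]


def fcrdns(ip, reverse=_ptr_names, forward=_forward_addrs):
    """Return (passed, detail) for a forward-confirmed reverse DNS check.

    `reverse` and `forward` are injectable so the check can be exercised
    offline; by default they query the system resolver.
    """
    target = ipaddress.ip_address(ip)
    names = reverse(str(target))
    if not names:
        return False, "no PTR record"
    for name in names:
        for addr in forward(name):
            try:
                # Strip any IPv6 zone suffix before comparing addresses.
                if ipaddress.ip_address(addr.split("%")[0]) == target:
                    return True, name
            except ValueError:
                continue
    return False, "PTR exists but no forward record maps back"


# Constructed sample data: documentation address ranges, made-up hostnames.
SAMPLE_PTR = {"192.0.2.10": ["mail.example.net"], "198.51.100.7": ["host7.example.org"]}
SAMPLE_FWD = {"mail.example.net": ["192.0.2.10"], "host7.example.org": ["198.51.100.99"]}

def demo(ip):
    """Run the check against the constructed records instead of live DNS."""
    return fcrdns(ip, lambda i: SAMPLE_PTR.get(i, []), lambda h: SAMPLE_FWD.get(h, []))
```

Calling `fcrdns()` with only an address uses the system resolver; `demo()` shows the three outcomes (confirmed, mismatched forward record, no PTR) without network access.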

I suppose just to rub salt in the wound, the Discourse anti-spam system (provided by Akismet) flagged and hid this thread for 12 hours until a Cloudflare admin unhid it.

Looking at the Akismet anti-spam API, I see that IP address signals are passed in. Wouldn’t be surprised if Akismet is also biased against South Korean IP addresses :/. (Again, not trying to suggest intentional bias!)

This topic was automatically closed after 14 days. New replies are no longer allowed.