This is what clicking that ‘I’m Not A Robot’ button REALLY does — and it’s probably not what you're thinking

an example of google's recaptcha system asking you to click i'm not a robot prompt featured on a laptop screen

All products are independently selected by our experts. To help us provide free impartial advice, we will earn an affiliate commission if you buy something. Click here to learn more

Aaron Brown

By Aaron Brown

Published: 11/03/2024

- 10:09

No, it's not about testing whether you can identify a bicycle or a zebra crossing...

  • Clicking the "I'm Not A Robot" prompt lets Google scan your browsing history
  • It trawls through recent activity to determine whether you're a real person
  • Using a private browsing mode, like Chrome's Incognito Mode, does not help
  • Identifying the correct images is used to train Artificial Intelligence systems

If you’ve spent any time online, you’ve probably been confronted with a pop-up asking to confirm that you’re not a robot. The security prompt, designed to check if you’re a real person, often appears when you're trying to login to an online account.

Sometimes tapping on the “I’m Not A Robot” button isn’t enough, and you’ll be quizzed with a grid of 3x3 pictures ans asked to identify the stairs, bikes, motorcycles, school buses, and more. Other times, you’ll be shown manipulated text that you need to decipher to type the letters and numbers.

But what is all of this for? And what happens when you tick the “I’m Not A Robot” button?

animated gif showing a successful interaction with the Im Not A Robot button

Google owns and operates reCAPTCHA, one of the most commonly-used CAPTCHA tests to determine whether you're a real user trying to access a web service — or a spam bot trying to brute-force entry


This security method is known as a CAPTCHA, which stands for Completely Automated Public Turing test to tell Computers and Humans Apart. The Turing Test, originally named the Imitation Game, was created by British computer scientist Alan Turing in the 1950s and is designed to put Artificial Intelligence to the test and determine whether it’s indistinguishable from a human mind.

So, is Google simply checking whether AI is smart enough to know to click on the “I’m Not A Robot” button? Not quite.

example of the grids of images used by google recaptcha to test whether youre a real person

Sometimes clicking the button isn't enough, and you'll be asked to identify objects within a series of images. These can be pulled from Google's Streetview cameras


As revealed by the researchers from BBC’s QI in an episode that first aired in 2020, ticking the box allows Google to trawl your internet browsing history to determine whether you’re a real user or a bot trying to force entry.

QI host and comedian Sandi Toksvig explained: “Ticking the box is not the point. It's how you behaved before you ticked the box that is analysed. To be honest, I can’t tell you all the details because they keep it secret because they don’t want people trying to cheat the test, but broadly speaking, you tick the box and it prompts the website to check your browsing history.

"For example, before you tick the box you watched a couple of cat videos and you liked a tweet about Greta Thunberg, you checked your Gmail account before you got down to work — all of that makes them think that you must be a human."

Google, which is behind much of the CAPTCHA security tests you’ll come across online — usually under its reCAPTCHA brand name, can’t access your entire search history. Instead, it’slikely checking websites that it owns (Gmail, YouTube, searches on Google, Google Maps) or those where it has some visibility thanks to the "Sign-In With Google" buttons, analytics or advertising, or the CAPTCHA itself.

That’s a huge proportion of the internet.

Unfortunately, if you think that using a private browsing mode in your web browser, like Incognito Mode in Google Chrome, keeps your data out of reach ― that’s not the case. In fact, Google was recently forced to add a new warning to its Incognito Mode feature to keep users in the loop about the risks.

The only way to keep your browsing history completely out-of-reach is to encrypt everything with a Virtual Private Network. NordVPN is an example of a VPN that keeps everything you do online locked away— so that even Google or your broadband provider is unable to see what you're doing. Prices start from £3.19.

As well as trawling a slither of your recent internet history to work out whether you’re behaving like a real human being, there is another use for the CAPTCHA quizzes that you complete. Picking the correct image of a fire hydrant, zebra crossing, or school bus is actually helping to train Artificial Intelligence behind-the-scenes.

Yes, this simple picture-based quiz, which was developed by computer scientists at Carnegie Mellon University in Pittsburgh, was released in 2007 and acquired by Google just two years later.

The Californian company soon adapted the system to incorporate pictures from its Google Streetview cameras, which covers over 10 million miles worldwide.

Engineers train these AI networks by showing them a vast database of images that have already been categorised by humans. For example, you can feed the machine thousands of images of cats, while telling the AI that everything it’s seeing is a “cat”.

It tracks the characteristics to build an idea of what makes a cat, so that it can start to identify cats in other photos too. The more information that an AI is fed, the better it’s able to make its own educated guesses in future.

When you’re tapping on images in a CAPTCHA test, you’re helping Google to sort through a vast amount of data from its Streetview cameras and other sources. This can be used with its Gemini AI system, which can dream up entirely new pictures based on your text prompts (something that requires the underlying AI to know a huge number of terms), as well as its Google Lens feature that lets you search the internet for information on something in a picture, for example.

There’s an entire industry of data brokers that harvest information on you and hundreds of millions of others. Some leading brands boast that they hold up to 1,500 data points on everyone in their database. The majority of these breadcrumbs are gleaned from online activity, although other sources like credit card providers also feed into the database.

This could be location data gleaned from social media posts or GPS data from mobile apps, answers from online quizzes, date of birth from an online form, and sites you've recently visited.


If you’re inundated with endless spam emails, scam texts about fake deliveries, and suspicious phone calls, your personal information was likely sold by data brokers to marketers and, sometimes unintentionally, scammers.

Under privacy laws, data brokers are required to wipe your information from their database when you ask them. If you want to start removing your information from these vast repositories, you’ll need to look-up the data brokers operating in your country and send individual opt-out requests to each one.

Or a relatively-new service called Incogni will do all of that legwork for you.

The team at Incogni will send requests under GDPR (General Data Protection Regulation) both in the UK and Europe, CCPA (California Consumer Privacy Act), and other applicable privacy laws to force data brokers to remove your information from their databases.

You may like