
As a community driven, open source company, resource allocation is determined through community feedback. As mentioned in another post, reCaptcha has been used for anti-abuse in Proton since 2014. The community cares about this, but it's never been the highest voted item [1].

However, it's something our team cares about. That's why 6 months ago, we started preparing to migrate to hcaptcha, even though removing reCaptcha wasn't the most pressing community demand. This work is on track to be completed in the next few weeks. We are sure that after we switch to hcaptcha, on the community voting forum, there will be a "do not use hcaptcha" suggestion, which will then start to collect votes. When it collects enough votes, we will duly allocate resources towards building our own captcha, because that's what it means to be a community driven company.

[1] https://protonmail.uservoice.com/forums/284483-protonmail/su...



That post and the comments seem to not be aware of the privacy/security risks. And the official response seems to miss it:

> In our setup, reCaptcha is served from a sandboxed iframe, which prevents it from being able to interfere with our JavaScript, so it does not pose a privacy or security risk.

You might perceive low user demand for this change because your users assume that you handle the privacy/security risks, and assume that the only issue is annoyance.


This is an irresponsible statement to me. Each time you face this kind of issue, you can claim that "the community allows me to do that". But Protonmail is a professional company that should take the final responsibility. Please be professional.


It's a perfectly professional and honest response. They're taking responsibility AND giving you a rationale. Your comment is the unprofessional one if anything.


If it’s security or privacy related, that should be driven by your own threat-modelling and risk assessment, not left to the fate of what the community decides. You’re the experts after all and that’s what people using your service pay for and expect.



