REDCap: Enabling reCAPTCHA for Public Surveys
Using a public survey link is the simplest and fastest way to collect responses for your survey. However, if you use a public survey link, you might receive responses from 'bots' (also called 'spambots') - automated software programs that enter invalid data into your survey. In general, it is not recommended that an initial public survey link mention compensation (i.e. gift card) to participants who complete the form as this increases the risk of interest by malicious bots. You can enable the Google reCAPTCHA feature on public survey links to help avoid this.
How reCAPTCHA Works in REDCap:
The Google reCAPTCHA feature can be enabled to help protect your public surveys from abuse from 'bots', which are automated software programs that might enter trash data into your survey. A 'captcha' is a turing test to tell humans and bots apart. It is easy for humans to solve, but hard for bots and other malicious software to figure out. By enabling Google reCAPTCHA on your public survey, you can block automated software while helping welcome your survey participants to begin your survey with ease.
This feature can be enabled on surveys you have enabled with a public URL. (Note: Only the first instrument in your project or arm can be enabled as a public survey.) When a survey respondent navigates to the page, they will first have to pass the reCAPTCHA test:
Note: A survey participant will never have to pass the reCAPTCHA test more than once per day on a given device/computer.
How to Enable reCAPTCHA on Your Survey:
To enable the reCAPTCHA feature, navigate to "Survey Distribution Tools." Click the checkbox below the public survey URL to enable the feature:
Remember if you enable reCAPTCHA and are testing your survey - it will only ask you to complete the test once per day unless you clear out cookies on your device!
Recommended Language for Consent forms:
If you are using this feature for a research project, we recommend including the following language to your consent form to ensure research participants are made aware of potential data collected by Google.
Surveys in this project are using Google reCAPTCHA to distinguish between humans and automated bots accessing the survey, to aid in data quality efforts and prevent automated submissions. Google reCAPTCHA may collect information from your device such as IP address, Google account information, browser history, cookies, etc. as signaling to make this determination.
Items for Consideration:
This feature has been reviewed and accepted by the UW-Madison SMPH Cybersecurity team in coordination with our security personnel. There is potential risk involved with using this feature due to privacy concerns surrounding Google’s tracking technology (i.e. Analytics). However, the security review determined the benefits (i.e. bot mitigation to aid in data quality efforts) outweigh any potential risks. Each project team must consider if they would like to use this feature on their REDCap project.
The potential type of data that Google reCAPTCHA may collect is:
- IP address
- Resources loaded, including styles of images
- User Google account information
- Behavior, like scrolling on a page, moving the mouse, clicking on links, time spent completing forms, and typing patterns
- Browser history
- CSS information
- Browser plug-ins
- Cookies
Survey participants can minimize data potentially collected by reCAPTHCA by:
- Logging out of their Google accounts before accessing the public survey link
- Deleting their history
- Deleting their cookies