# Google's Anti-Bot Countermeasures (2025-2026)

## Anti-Bot Countermeasures

Google Maps difficulty score: **90/100** — one of the toughest platforms to scrape.

### BotGuard / SearchGuard Architecture

Built on **BotGuard** (internally "Web Application Attestation"), deployed across YouTube, reCAPTCHA v3, and Maps. **SearchGuard** (January 2025) is the Search-specific evolution — "tens of thousands of person hours and millions of dollars."

### Detection: Behavioral Analysis (4 Signal Categories)

<table id="bkmrk-signalbot-thresholdh"><tr><th>Signal</th><th>Bot Threshold</th><th>Human Range</th></tr><tr><td>Mouse movement (trajectory, velocity, acceleration, micro-tremors)</td><td>Velocity variance &lt;10</td><td>50-500</td></tr><tr><td>Keyboard rhythm (inter-key intervals, duration, errors)</td><td>Variance &lt;5ms</td><td>20-50ms</td></tr><tr><td>Scroll behavior (amplitude, direction, timing)</td><td>Delta variance &lt;5px</td><td>20-100px</td></tr><tr><td>Timing jitter (Welford's algorithm)</td><td>&gt;200 events/sec</td><td>10-50</td></tr></table>

### Detection: Browser Fingerprinting (100+ Signals)

Navigator, screen, performance metrics, WebRTC leaks, TLS fingerprinting. Explicit checks for `navigator.webdriver`, ChromeDriver, Puppeteer, Selenium, PhantomJS.

### reCAPTCHA v3 (Invisible)

No visible challenge — assigns 0.0-1.0 score based on session behavior. On Maps, appears **inconsistently**. Only bypass: never trigger it.

### Cryptographic Protection

ARX cipher (similar to NSA's Speck). Magic constants rotate per script update. Scripts served with integrity hashes. **Bypasses become obsolete within minutes.**

### Blocking Behavior

<table id="bkmrk-triggerrisk-datacent"><tr><th>Trigger</th><th>Risk</th></tr><tr><td>Datacenter IPs</td><td>Blocked immediately — non-viable</td></tr><tr><td>Uniform request timing</td><td>High — humans pause, bots don't</td></tr><tr><td>Direct navigation to data pages</td><td>Medium — humans wander first</td></tr><tr><td>Default/missing headers</td><td>Medium</td></tr></table>

**Stealth detection:** Google returns **poisoned/incomplete data** to detected scrapers rather than blocking outright. Soft bans aren't clean HTTP codes — "some weird JSON response or just incomplete page loads." DOM class names change every few months.

### Proxy Effectiveness

<table id="bkmrk-typeeffectivenesscos"><tr><th>Type</th><th>Effectiveness</th><th>Cost</th><th>Notes</th></tr><tr><td>Datacenter</td><td>Very Low</td><td>$</td><td>Non-viable for Maps</td></tr><tr><td>Residential</td><td>Good</td><td>$$</td><td>~30-50 searches/hour/IP before CAPTCHAs</td></tr><tr><td>Mobile (4G/5G)</td><td>Best</td><td>$$$</td><td>Most reliable for large-scale</td></tr><tr><td>ISP</td><td>OK (low volume)</td><td>$$</td><td>Burns fast. Once flagged, stays flagged for days</td></tr><tr><td>Hybrid</td><td>Cost-optimized</td><td>$$</td><td>Datacenter for non-Maps, mobile for Maps. Saves 40-60%</td></tr></table>

Practical rate limit: **max 1 req/min/IP** = ~144K results/day per IP.

### Anti-Detection Toolkit

- `playwright-stealth` / `puppeteer-extra-plugin-stealth` (17 evasion modules) — near-essential
- `undetected-chromedriver` for Selenium
- CapMonster Cloud for automated CAPTCHA solving
- FlareProx — Cloudflare Workers proxy for IP masking (100K free daily requests)
- Cookie banner handling: `document.querySelector('#sp-cc-accept')?.click()`
- CAPTCHA detection: `document.querySelector('form[action*="validateCaptcha"]')`
- Image/font blocking via `Network.setBlockedURLs`
- Search-based navigation to bypass Feb 2026 "limited view" lockdown