
TFA is not very clear about what it's describing.

It is describing how the checkbox is collecting your browser's characteristics (e.g. they go to great lengths describing the WebGL fingerprint) and your own characteristics (e.g. mouse behavior), such that when you click the box, you are determined to be a person or a bot. If they think you are a person, you don't have to do the CAPTCHA.

The whole bit about a double encrypted "VM" is overstating the case. The "VM" is "just" a bytecode interpreter, which at the end of the day can't do anything the browser's JavaScript engine can't do itself. Yes, it's some heavy obfuscation, and what's more interesting than the interpreter itself is the decision to spend what must have been lots of time/resources to develop it. It's security by obscurity, and in this case it is delivered to the client so obviously it's reversible. Maybe there's a deeper purpose.

EDIT: Ah. The purpose is not to obfuscate. It is to fingerprint the CPU characteristics. By running their own interpreter, and changing the opcodes on the fly and such things, they can defeat JIT and learn something about the CPU itself. If they have user info (Google cookie) they can know what CPU/CPUs that user typically uses, and if "the checkbox" records something different it's a signal.
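
The "bytecode interpreter" point in the comment above, as an added example that is not part of the original comment and is not code from the CAPTCHA under discussion: a toy stack VM in JavaScript whose opcode numbering is shuffled per seed. The instruction set, the seeds and all names (`opcodeTable`, `assemble`, `run`, `disassemble`) are assumptions made for illustration.

```javascript
const OPS = ["PUSH", "ADD", "MUL", "XOR", "HALT"];

// Deterministic shuffle (small LCG) so the example is reproducible; the seed is a constructed value.
function opcodeTable(seed) {
  const codes = OPS.map((_, i) => i);
  let s = seed >>> 0;
  for (let i = codes.length - 1; i > 0; i--) {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0;
    const j = s % (i + 1);
    [codes[i], codes[j]] = [codes[j], codes[i]];
  }
  const enc = {}, dec = {};
  OPS.forEach((name, i) => { enc[name] = codes[i]; dec[codes[i]] = name; });
  return { enc, dec };
}

// Encode a readable program into bytecode under a given opcode table.
function assemble(program, table) {
  return program.flatMap(([name, arg]) =>
    name === "PUSH" ? [table.enc[name], arg] : [table.enc[name]]);
}

// The interpreter is a dispatch loop: nothing here that the JS engine could not run directly.
function run(bytecode, table) {
  const stack = [];
  for (let pc = 0; pc < bytecode.length; ) {
    const op = table.dec[bytecode[pc++]];
    if (op === "PUSH") stack.push(bytecode[pc++]);
    else if (op === "HALT") break;
    else {
      const b = stack.pop(), a = stack.pop();
      stack.push(op === "ADD" ? a + b : op === "MUL" ? a * b : a ^ b);
    }
  }
  return stack.pop();
}

// The table has to ship to the client for run() to work, so the client can also disassemble.
function disassemble(bytecode, table) {
  const out = [];
  for (let pc = 0; pc < bytecode.length; ) {
    const op = table.dec[bytecode[pc++]];
    out.push(op === "PUSH" ? `PUSH ${bytecode[pc++]}` : op);
  }
  return out.join("; ");
}

// Constructed sample program: (6 * 7) ^ 5
const program = [["PUSH", 6], ["PUSH", 7], ["MUL"], ["PUSH", 5], ["XOR"], ["HALT"]];
```

Assembling `program` under two different seeds and passing each result to `run` and `disassemble` with its own table gives the same value and the same readable listing, whatever numbering the shuffle picked.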


