[Kalium]

What, in your opinion, is the pro-human way to address the problem to be solved?

I'm always curious to hear what other approaches might be worth considering. CAPTCHAs tend to tick the boxes of performing well enough for website-controllers and being low-effort for them to deploy.

[jjoonathan]

Less gaslighting.

There's a lot of ground between "error messages precise enough to effectively give botters a to-do list" and "faking failures 100 times in a row." What was the marginal utility of the 99th fakeout? Are there really enough otherwise effective bots that get persistently tripped up by this particular fakeout to justify sending the poor kid crying to his room?

Almost certainly not. What really happened is that someone removed (or never added) user communication in order to maximize their score against botters and gave little thought to mitigating their false positives. Minimizing them, yes, mitigating them, no. "Humans are smart, they'll figure it out," they rationalized to themselves, and called it a day. They never bothered to calculate (or even guess) when the marginal utility of the fakeout dropped far enough to allow them to have mercy on the poor humans still caught in their web.

[_jal]

I have no suggestions for the general case, and suspect it is one of those problems that doesn't have general-purpose solution. That doesn't mean captchas don't suck.

As for specific things one can do, like anything, more effort means better results. I'm not going to talk about this much, but we do look at a lot of different behavioral and other signals for fraud detection, as that's an important aspect of our business.

If others are fine with annoying their customers to offload risk, they can make that call. I don't have much sympathy about lost sales, though - it is literally choosing to waste customers' time and increase frustration for one's own benefit.

[jfengel]

Blockchain, perhaps?

A lot of CAPTCHAs protect things that are very cheap, but where they don't want it to be free. One solution would be to charge money, but people concerned about privacy won't want to give away conventional payment information.

So, perhaps a nominal payment in some reasonably anonymous cryptocurrency? Or even just participating in some proof-of-work problem that would cost a few cents worth of electricity?

That wouldn't stop really serious botnets or people with stolen credit cards, but those are also both illegal and should be shut down for other reasons.