by jraph 2230 days ago
Spread the word. The more we are saying this, the more developers will think "We have a problem, but reCAPTCHA is not a solution for this problem. reCAPTCHA spies on our users and makes them waste their time, while our first goal is to respect them. I support people who run away from tracking and reCAPTCHA makes their lives miserable. We can't use this. And by the way, I myself hate checking road signs and shop fronts, I'm definitely not inflicting this curse on even a very small fraction of my users".

My bank once required me to fill a reCAPTCHA to change my password. Yes, Google's tracking on my bank's website. I asked my financial adviser to reset my password for me to increase the cost of using reCAPTCHA for my bank. I told them it didn't work because of reCAPTCHA not working on my computer, which is actually true because I block it.


> reCAPTCHA spies on our users and makes them waste their time, while our first goal is to respect them

Some are using reCAPTCHA to detect bots, but I see many sites that appear to be using it specifically to slow down users. Users are to be respected but customers are to be mined for their money. Sometimes that means making things more difficult than is strictly necessary. If an onerous reCAPTCHA is required to delete an account or qualify for a price discount, so be it.

There is a reason it is so much more difficult to find one's way out of a casino than it is to walk in.

Is there another solution to this problem that is a sufficient replacement for 90% of situations?

You could embed a very-lightweight crypto-miner script into the page, with explicit UI acknowledgement (i.e. it starts when the user presses the "Verify" button, it displays that it's working and how hard it's working; and it runs until it produces exactly one target hash, at which point it clearly stops), and targeting an artificially-tuned difficulty such that a regular PC should be capable of completing in a minute or two (rather than trying to actually mine for any real blockchain network, which would require absurdly-high hash power.)

This is basically how "e-stamp" system proposals were supposed to work for email; but they never took off because email is an ossified system. The web is not ossified; individual websites are free to implement something like this.

If you're worried about spammers just throwing a GPU farm at the problem: the overlap between spammers and people who own crypto-mining operations is small; and the people who own crypto-mining operations have much-more-profitable things to point them at. So this should mostly stymie spammers—individuals will be okay with sitting around on the page for a couple minutes to complete the action, but it'll throttle spammers' actions way down, to the point where it's mostly not worth it to attack that site any more, vs. some other site (i.e. it'll have the same relative-deterrent effect that putting a club on your car does.)

You could even frontload the work, turning it from a proof-of-work system into a proof-of-stake system. Have the user "buy in" with a large hash workload during user registration; and then trust them from then on. (This is the better approach for a mobile app: direct them to register on the app's website on a PC, and then you can trust that user on the much-lower-powered mobile device, despite that device never generating a token.)

-----

An effectively strictly-equivalent approach is to just charge the user a dollar to complete certain actions.

One famous example of this is the SomethingAwful forums, where registrations cost $10. You can register as many times as you like—i.e. if your account gets banned, there's nothing stopping you from just coming right back again—but you'll need to pay another $10. Seems to work fine, in terms of making it too costly to keep doing anything the site bans people for.

I like the cleverness and simplicity of the bitcoin mining approach, but the tradeoff between "takes too long, damaging our signup flow" (where anything more than 5 seconds is likely to have a material impact) and "doesn't take long enough, making it too cheap for bots to proceed" may be quite tricky.

Charging a buck is extremely simple, and fair. The SA example tickles me.

I wonder if the folks who dislike reCAPTCHA would be willing to choose to pay $1 if given the option between the two.

> I wonder if the folks who dislike reCAPTCHA would be willing to choose to pay $1

Another commenter said that the market rate for reCAPTCHA solving is 1c each, so $1 is probably more than most would pay.

My assumption is already that reCAPTCHA is not a solution. Your question would, then, be "Is there a solution".

You may not agree and I respect this, but this is actually my point (and I don't have an answer to this question - I wish I had, though, and you have a point!).

I wish that people would soon stop thinking that reCAPTCHA is a solution at all.

Then, it will open people to start thinking hard on this problem and hopefully find good solutions that fit their exact situation. There may not be one size fits all, but many good solutions for each situation. We would not know without thinking.

Got it. Bummer.

I wonder if you could ask the user to trace a shape/pattern with their mouse? Or you draw a few animating dots with a canvas, and ask them to click the blue ones?

Fundamentally, though, you likely either piss people off by challenging their humanity, or violate their privacy by silently tracking their behavior, or break accessibility by evaluating the way they interact with your site against "normal" (bad for folks with screen readers, lynx, etc I'd assume).

Now come up with accessible versions of those tests.

And then, harden it against bots that actually are humans being paid by the bot-writers, via Mechanical Turk.

reCAPTCHA doesn't prevent that either, does it?

There won't be a solution for long. AI is making great progress on this part of the Turing test. You can only solve this (for how long?) by making the test harder for real humans and that adds friction.

If you want to solve this, legal is your best bet. Make the things bots are doing illegal, and then track down the owners. It is hard but the criminal system is the only thing we have.

Since solutions for recaptchas can be purchased, I'm starting to wish I could just pay the market rate (< $0.01 each) instead of having to solve the damned things.