by eatbots 1849 days ago
This is not actually true: every relevant aspect is different from a privacy perspective, both technical and legal.

Looking only at the technical differences, hCaptcha lets enterprise users like Proton locally scrub any info like IPs prior to sending to hCaptcha. It can be set up so that the user makes no direct connection at all to the service, and the code runs inside of a sandboxed IFRAME.

As for false positive vs false negative rates, not sure what you consider too high. We've been able to demonstrate FP rates under 0.005% when measured against known-good/bad signals from customers, which is as good as it gets.

(disclosure: work there)

2 comments

those things can be true and still not negate the issues mentioned, since not enough information is provided to make a fair assessment. it can be set up a certain way, but the incentives are against that, so is it actually set up that way? iframes aren’t perfectly isolated either. and without a curve of false positive vs. false negative rates, no conclusion can be made of the optimality. even 0.005% is still likely hundreds of thousands a day for larger sites, and being only a demonstration means it’s an ideal measure, not a practical one.

And yet I get stuck in endless captcha. Without disclosing what a known good/bad signal is, you are essentially trusting a black box and a random account on the internet.