by oxymoron 1695 days ago
Yeah, I used to work for one of the major anti-bot vendors. Customers weren't clueless. Nobody buys these solutions because they're so much fun; it's a cost center and they monitor their ROI quite closely. Credit card chargebacks, impact to infrastructure, extra incurred cost due to underlying APIs (like in the airline industry in particular) etc. are all reasons why bot mitigation is a better option than nothing for a lot of companies, even if it's not 100% effective.

You very much missed the false positive rate! I'm fed up with being classed as a bot just because I browse with uMatrix, a Linux user agent, and a ton of ad filtering and anonymisation tech. I had to try to log in to my bank about ten times today because their js-crap website didn't like me (grumble, why does it even need to ask for my desktop's accelerometer data via js...)

Stuff like this is a pain beyond pain. I really hope that the clients you mention know that they piss off a proportion of their users with every move they take.

> I really hope that the clients you mention know that they piss off a proportion of their users with every move they take.

With all due respect, if the tech can make a large impact on the problems mentioned above, I'm sure it's an easy decision for the big companies to take decimating bot activity over the tiny minority of users who proactively decide to disable JavaScript.

Said as someone who uses NoScript, FWIW.

You could always go into your local bank branch instead of accessing it over the Internet. Your desktop's accelerometer helps add to your computer's 'run by a human' score. Normally I'd take more issue with whatever possible privacy issue there, but my bank is where I keep my money so I'm really okay with them trying hard to keep bots out of my account.

The physical presence of banks is going away. Where I live you can't do any kind of monetary transaction in the local branch offices of any of the banks anymore. You can a) apply for a loan (and even that may go away soon), and b) identify yourself and get a physical token used for accessing the bank via the net. You can't withdraw money, you can't pay bills, you can't exchange currency. I haven't been inside my bank for many years; there's just nothing I can do there. The last time I visited the bank was with my wife (an immigrant), with her documents, to get her into the system.

Where do you live (country or US state)?

Different customers have different attitudes towards this. Some of them are _very_ focused on conversion and will disable anything which causes additional user friction. For others, the economic damage of bots is just so painful that it makes economic sense for them to add friction for a few percent of users.

I'm a Linux user myself, so I know for a fact that neither my previous employer, nor other bot vendors, will block Linux user agents in particular. Customers generally don't mind a universal requirement for JS execution, so that's just a fact of life. We generally did try to avoid blocking privacy focused browsers, though. We certainly monitored false positive rates and knew pretty well how we affected users.

Cloudflare is pretty guilty of this if you use some more exotic approaches to request info. How often have I seen their captcha that is intended for bots...

Doesn't your bank already know who you are?

> I'm fed up with being classed as a bot just because I browse with uMatrix, a Linux user agent, and a ton of ad filtering and anonymisation tech.

Have you tried not using these things? Anonymity is exactly what bots want. They want to be able to post a spam message every single second and be impossible to ban since they are anonymous. The internet can't function if people are allowed to be anonymous.

> The internet can't function if people are allowed to be anonymous.

You must have missed the first 20 or so years of its existence, if that's your position.

Okay let's go back to before I was born when people still used IRC and let's say you hated someone else's IRC server. You can just use a program to flood their server with garbage messages. In order to try and stop this spam they first try and deanonymize where this traffic is coming from. This can be done by looking at the IP that these bots are coming from. Now they can gline you and the flood ends. Now let's say the internet didn't leak your IP deanonymizing you. What are they to do? They essentially are forced to lock down the server and whitelist it. They can not allow anonymous users to join or else risk just being flooded.

Stopping abuse has always been a game of trying to deanonymize users in order to try and ban the harmful ones.

It was much smaller, and spam messages were everywhere.

With many of these big anti-bot services like Google ReCaptcha, it's not even specialized anonymity tools that can cause shadow banning, just unusual user-agents.

All of these have independently caused me to get into endless ReCaptcha loops: firefox on android, smartphone with unusual screen resolution, clean browser profile with VPN.

It's so common that I now default to using duckduckgo, which never blocks me. I doubt DDG has a lower DDoS/Resources ratio than Google. Some companies are just lazier and less principled than others.

> it's not even specialized anonymity tools that can cause shadow banning, just unusual user-agents.

"Unusual" = not Chrome and doesn't allow tracking scripts.

Switch to Safari with an ad blocker for a week, see how many more ReCaptcha prompts you get.

As a person who also uses mobile Firefox, I don't feel like I personally have issues with recaptcha.

This is not quite up there with "won't someone think about the children!!!!", but still, it's sad.

Fortunately, almost all of the websites I visit with my anonymized browser aren't places that I wish to attempt to post a message. Unfortunately, I can easily run into defenses of an entire site when the problem is spam sending.

To kinda tweak this since people do tend to like their anonymity, "Do you have to be anonymous to all parties, all the time?"

Parent poster trusts his bank, and his bank would trust him once it knows he's not a fraudster, so maybe it's in everyone's interest to just allow the javascript for that one site.

Not to mention a lot of these bots are after scamming the company’s own customers. Breaking into accounts to commit fraudulent activity, to reach out and “recruit” people into whatever scam they are trying to run.

Nobody wants to spend time trying to stop these bots. It is, however, a very necessary thing to do.

Do you know much more about airline API pricing?

I’ve noticed most sites won’t let you search business fares efficiently, so I made my own for Google Flights, which only worked for like 6 months until they added a bunch of changes that made it near impossible to scrape.

Yeah, there’s a central service that all flight search is connected to, regardless of airline. The airlines are charged per search to that API, so they monitor their ”look to book” ratio very closely. That ratio remains quite stable in the absence of bots, but skyrockets with any bot activity. Hence, they know from that metric how big of a bot problem they have and how much money they are losing. Major flight search software vendors have dedicated teams for this.

In fact the airlines are charged per booking, but if and only if the look to book stays within reasonable bounds. If it rockets up, they’re on the hook for the penalties.

Thanks for the clarification! I probably misremember some of the details.
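The look-to-book metric the last few comments describe, worked through as an added example (this is not code from the thread or from any airline or vendor). The script parses a constructed, hypothetical access log of search and book events, computes the site-wide look-to-book ratio that the aggregate penalty would be based on, and then does the per-client version a detection team would actually want: flag clients that search a lot but book far less than a historical baseline predicts. The log format, the client addresses, the baseline ratio of 6.0 searches per booking and the thresholds are all assumptions chosen for the example.

```python
"""Look-to-book ratio as a bot signal (added example, constructed data).

Assumed log format, one event per line:  <timestamp> <client> <search|book>
"""
import math
import re
from collections import defaultdict

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<action>search|book)$")

# Constructed traffic spec: (client, searches, bookings). Not real data.
SAMPLE_SPEC = [
    ("203.0.113.10", 6, 1),   # ordinary shopper
    ("203.0.113.11", 9, 2),   # ordinary shopper
    ("203.0.113.12", 4, 1),   # ordinary shopper
    ("198.51.100.7", 3, 0),   # browsed, never booked: too little traffic to judge
    ("192.0.2.50", 40, 0),    # scraper: many searches, no bookings
    ("192.0.2.51", 30, 1),    # scraper that books occasionally to look legitimate
]


def build_sample_log(spec):
    """Expand the spec into log lines so the parser has something to parse."""
    lines, t = [], 0
    for client, searches, bookings in spec:
        for action, n in (("search", searches), ("book", bookings)):
            for _ in range(n):
                lines.append(f"2020-05-01T10:{t // 60:02d}:{t % 60:02d} {client} {action}")
                t += 1
    return lines


def parse_log(lines):
    """Count search and book events per client; malformed lines are skipped."""
    counts = defaultdict(lambda: {"search": 0, "book": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        counts[m["client"]][m["action"]] += 1
    return counts


def look_to_book(searches, bookings):
    """Searches per booking; a client that never books has an infinite ratio."""
    return math.inf if bookings == 0 else searches / bookings


def site_ratio(counts):
    """The aggregate number the airline's API contract is judged on."""
    total_s = sum(c["search"] for c in counts.values())
    total_b = sum(c["book"] for c in counts.values())
    return look_to_book(total_s, total_b)


def flag_clients(counts, baseline, min_searches=5, factor=3.0):
    """Return {client: ratio} for clients whose ratio exceeds factor * baseline.

    baseline is the historical look-to-book ratio observed without bots (an
    assumed input here). min_searches avoids flagging clients with too few
    events to say anything about, such as a shopper who searched three times
    and left.
    """
    threshold = factor * baseline
    flagged = {}
    for client, c in counts.items():
        if c["search"] < min_searches:
            continue
        ratio = look_to_book(c["search"], c["book"])
        if ratio > threshold:
            flagged[client] = ratio
    return flagged


if __name__ == "__main__":
    counts = parse_log(build_sample_log(SAMPLE_SPEC))
    print(f"site-wide look-to-book: {site_ratio(counts):.1f} (baseline assumed 6.0)")
    for client, ratio in flag_clients(counts, baseline=6.0).items():
        print(f"flag {client}: {ratio} searches per booking")
```

Two things the numbers show that the comments only state: the site-wide ratio is itself inflated by the scrapers (92 searches for 5 bookings here, against an assumed clean baseline of 6), which is exactly why the aggregate metric "skyrockets" and why the baseline must come from a period known to be clean rather than from the traffic being judged; and a scraper that books occasionally (192.0.2.51) still stands out per client, while a low-volume browser who never booked (198.51.100.7) is left alone by the minimum-volume guard rather than becoming a false positive.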