by londons_explore 693 days ago
> AI can already solve captchas, so the arms race for bot protection is pretty much lost.

Require login, then verify the user account is associated with an email address at least 10 yrs old. Pretty much eliminates bots. Eliminates a few real users too, but not many.


> require login

this is not a solution if you want a public internet (and sites that don't care about the public internet already don't have a problem)

for read-only content, I just stick it behind a cache and let the bots go wild.
You can't cache this stuff for bot consumption. Humans only want to see the popular stuff. Bots download everything. The size of your cache then equals the size of your content database.
But you can still make sure that you save the data in a form where generating the served webpage takes the least amount of time. For most websites this means saving the HTML - in a giant cache or with a more deliberate pre-generation setup.
The data structure to HTML conversion takes milliseconds. That's a distinction without a difference.
Clearly not the case with most websites. And "milliseconds" are already a huge amount of time. Video games simulate huge worlds and render complex 3D graphics within 16ms or even much less with the >60 framerates that are expected these days.
That’s just passing the buck.

Someone still needs to pay for that traffic. If it gets too much for Cloudflare or whoever, you’re gonna get the bill.

Traffic is not all that expensive though if you are not using a cloud provider where that's how they squeeze captured customers.
I presume OSM has already considered this and ruled it out (probably because the map should be dynamic)
I must be an outlier here, but I don't keep email addresses that long. After a couple years they're on too many spam lists. I'll wind those addresses down and use them for a couple years only for short interactions that I expect spam from, and ultimately close them down completely the next cycle.

At best any email I have is 4 or 5 years old.

You are definitely an outlier in that you abandon email addresses deliberately. But many people do not have an old address simply because they lost access to their previous ones for one of many possible reasons, the most common one being that it was provided with a business relationship (e.g. ISP contract) that no longer exists.

That's before even getting into how you'd possibly verify email address age, especially without preventing self-hosting.

There are commercial services to verify email address age: https://www.ipqualityscore.com/email-age-checker

They generally look at data leaks and partner with big companies to see when that email address first signed up to any online service.

That doesn't seem remotely compatible with modern privacy laws like the GDPR. And it certainly adds even more false negatives of people locked out because they didn't have their email leaked long enough ago.
GDPR has a massive carve-out for fraud prevention...
Which doesn't include collecting information about your email and then handing it off to random third parties just because they want to use it for that.
How does one find the age of an email account?
This is about OpenStreetMap, so you are proposing that my minor daughter not be allowed to read a map?