[theamk]

I can believe study's results on user interaction, but their "security analysis" section (6.2) is deeply flawed - it only looks at the best bots, and not at the average ones. Meanwhile, as many other people in this thread can attest, (1) most of the bots are not really sophisticated, and get stopped by CAPTCHa, (2) the defense does not have to be 100% efficient, as long as form spam goes from 100/day to 1/day, things are OK.

Of course authors really wanted to write their conclusion, so they just ignored all the practical considerations. It's really a shame on the part of paper's reviewers.

[NoGravitas]

My thinking is that these days, the unsophisticated bots will still be stopped by literally any effort, like a hidden form field that causes the form to be rejected if it's filled in. Almost nothing will stop sophisticated bots, and nothing will stop a boiler room. This doesn't really leave a place for more sophisticated CAPTCHAs.