
Depends. The traditional techniques that automatically establish humanity without determining identity are more and more vulnerable to AI, so the only way to keep CAPTCHAs effective is to integrate identity. From that perspective, ReCAPTCHA isn’t collecting more than “needed”. On the other hand, the cutting-edge cryptographic technique used by Privacy Pass does supposedly preserve anonymity by making it impossible for CloudFlare to link “who solved the CAPTCHA” to “who wants to access X site”, but it still involves information being collected in some form.



> The traditional techniques that automatically establish humanity without determining identity are more and more vulnerable to AI, so the only way to keep CAPTCHAs effective is to integrate identity.

Is it? What's stopping AI from developing an identity in the eyes of Google? An AI that might behave exactly like Google's ideal user. Searches random stuff on their search, looks at and clicks their ads, logs in to various Google services, and when it encounters a ReCaptcha, it clicks the "I'm not a robot" checkbox.

At some point, caring about privacy might turn out to be the distinguishing feature of humans.


The blog post suggests many websites are using ReCAPTCHA when it is not truly needed. In those cases, given the focus of ReCAPTCHA on identity, this is a case of collecting more information than is needed. According to the author, ReCAPTCHA is not needed to defeat "uncustomised spam". To put it another way, while there may be nothing wrong with ReCAPTCHA itself (e.g. the way it is designed), there could be something wrong with the way it is being used, perhaps on a massive scale.



