hcaptcha is not much better than recaptcha, in that its only ‘improvement’ is shifting data extraction from google to cloudflare.
also, captcha in general shifts burden onto and penalizes legitimate users, especially privacy-conscious ones, in addition to malicious ones. that is, false positive rates are too high to achieve acceptable false negative rates.
it would be better not to use a centralized captcha service, if one must be used at all.
This is not actually true: every relevant aspect is different from a privacy perspective, both technical and legal.
Looking only at the technical differences, hCaptcha lets enterprise users like Proton locally scrub any info like IPs prior to sending to hCaptcha. It can be set up so that the user makes no direct connection at all to the service, and the code runs inside of a sandboxed IFRAME.
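The deployment pattern described in the comment above (the browser never talks to the verifier; the site's own backend forwards the challenge response with client identifiers removed) can be sketched as follows. This is an added example, not hCaptcha's or Proton's code; the field names (`response_token`, `success`), the header list and the `send` transport are assumptions chosen for illustration.

```python
"""Relay-style captcha verification: the browser posts to our backend, and our
backend makes a fresh server-to-server call carrying only the fields the verifier
needs. The end user's IP, cookies and browser headers never cross the boundary.
Added example with assumed field names; not the code of any real captcha vendor."""
from typing import Callable, Dict, Tuple

# Inbound headers that carry or imply the end user's network identity.
# Constructed list for this example; extend it to match your ingress stack.
IDENTIFYING_HEADERS = {
    "x-forwarded-for", "x-real-ip", "forwarded", "cf-connecting-ip",
    "true-client-ip", "cookie", "authorization", "user-agent", "referer",
}
# The only form fields allowed to leave the site towards the verifier (assumed name).
ALLOWED_FIELDS = {"response_token"}


def identifying_headers_present(headers: Dict[str, str]) -> set:
    """Audit helper: which identity-bearing headers arrived with this request."""
    return {k for k in headers if k.lower() in IDENTIFYING_HEADERS}


def build_outbound(inbound_body: Dict[str, str], site_secret: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Build the outbound (headers, body) from scratch.

    Nothing from the inbound header set is copied; the body is allow-listed so the
    comment text, e-mail address etc. stay on our side. The site secret is attached
    here, server-side only."""
    headers = {"content-type": "application/json"}
    body = {k: v for k, v in inbound_body.items() if k in ALLOWED_FIELDS}
    body["secret"] = site_secret
    return headers, body


def verify_via_relay(inbound_headers: Dict[str, str], inbound_body: Dict[str, str],
                     site_secret: str, send: Callable[[dict, dict], dict]) -> bool:
    """Verify a challenge response through the relay.

    `send` is an injected transport standing in for an HTTP POST to the verifier
    (hypothetical); it returns the verifier's decoded JSON. `inbound_headers` is
    taken only so callers can log what was stripped; it is never forwarded."""
    stripped = identifying_headers_present(inbound_headers)
    if stripped:
        # Real deployments would log this locally; nothing is sent outward.
        pass
    headers, body = build_outbound(inbound_body, site_secret)
    result = send(headers, body)
    return bool(result.get("success"))
```

The point the comment makes is structural: because the outbound connection originates from the site's server, the verifier sees the server's address, not the visitor's, and the allow-list decides which fields it sees at all.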
As for false positive vs false negative rates, not sure what you consider too high. We've been able to demonstrate FP rates under 0.005% when measured against known-good/bad signals from customers, which is as good as it gets.
those things can be true and still not negate the issues mentioned, since not enough information is provided to make a fair assessment. it can be set up a certain way, but the incentives are against that, so is it actually set up that way? iframes aren’t perfectly isolated either. and without a curve of false positive vs. false negative rates, no conclusion can be made of the optimality. even 0.005% is still likely hundreds of thousands a day for larger sites, and being only a demonstration means it’s an ideal measure, not a practical one.
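The exchange above turns on whether a single false-positive figure says anything without the accompanying curve. As an added illustration (not from either commenter, and using constructed scores rather than any vendor's data), the following computes the false-positive/false-negative trade-off from labelled risk scores and picks the best achievable false-negative rate under a false-positive budget:

```python
"""False-positive vs. false-negative trade-off from labelled scores.
Convention: a visitor is blocked when score >= threshold; True = known-good human,
False = known-bad bot. Sample data is constructed for this example."""
from typing import List, Tuple


def fp_fn_curve(scores: List[float], labels: List[bool]) -> List[Tuple[float, float, float]]:
    """Sweep every candidate threshold and return rows of (threshold, FPR, FNR).

    A final threshold above every score is appended so the 'block nobody' corner
    (FPR 0, FNR 1) appears on the curve, matching the usual ROC endpoints."""
    goods = sum(1 for g in labels if g)
    bads = len(labels) - goods
    thresholds = sorted(set(scores)) + [max(scores) + 1.0]
    curve = []
    for t in thresholds:
        fp = sum(1 for s, good in zip(scores, labels) if good and s >= t)      # humans blocked
        fn = sum(1 for s, good in zip(scores, labels) if not good and s < t)   # bots admitted
        curve.append((t, fp / goods, fn / bads))
    return curve


def best_fnr_under(curve: List[Tuple[float, float, float]], max_fpr: float) -> Tuple[float, float]:
    """Lowest FNR reachable while keeping FPR <= max_fpr; returns (threshold, fnr)."""
    feasible = [(fnr, t) for t, fpr, fnr in curve if fpr <= max_fpr]
    fnr, t = min(feasible)
    return t, fnr


# Constructed sample: five humans (one privacy-conscious user scores high because
# of blocked trackers) and five bots (one low-and-slow bot scores low).
SAMPLE_SCORES = [0.05, 0.10, 0.20, 0.30, 0.70, 0.35, 0.60, 0.80, 0.90, 0.95]
SAMPLE_LABELS = [True, True, True, True, True, False, False, False, False, False]

if __name__ == "__main__":
    curve = fp_fn_curve(SAMPLE_SCORES, SAMPLE_LABELS)
    for t, fpr, fnr in curve:
        print(f"threshold {t:.2f}: FPR {fpr:.0%}  FNR {fnr:.0%}")
    print("zero FP budget ->", best_fnr_under(curve, 0.0))
    print("20% FP budget  ->", best_fnr_under(curve, 0.2))
```

On the constructed data, demanding zero false positives forces the threshold to 0.8 and admits 40% of the bots, while tolerating one blocked human (20% FPR here) catches every bot; a single FP number reported without the matching FN number hides exactly this choice.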
And yet I get stuck in endless captchas. Without disclosing what a known good/bad signal is, you are essentially trusting a black box and a random account on the internet.
write your own? many personal tech blogs do this for comment forms and the like. any kind of ambiguity that’s natural for a human to parse accurately but not obvious for a machine is fair game. most bots won’t one-off a solution for smaller sites, so it doesn’t need to be too fancy. for larger ones where one-off customizations might be more likely, lots of engineering resources go toward security and fraud prevention already, so they can afford more sophistication.
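A minimal self-hosted challenge of the kind the comment above describes, as an added example (not code from any commenter or blog): an odd-one-out question that is easy for a person, issued with a signed, expiring, single-use token so the server keeps no state until the answer comes back. The question bank, token layout and `issue_challenge`/`verify_answer` names are assumptions for this illustration.

```python
"""Self-hosted comment-form challenge: signed stateless token, single use.
Added example; question bank and token format are constructed for illustration."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Set, Tuple

# Constructed question bank: (category, options, the option that does not belong).
QUESTION_BANK = [
    ("animals", ["cat", "dog", "spoon", "horse"], "spoon"),
    ("colours", ["red", "banana", "blue", "green"], "banana"),
    ("days of the week", ["monday", "friday", "july", "sunday"], "july"),
]
TOKEN_TTL = 600  # seconds a challenge stays answerable


def _normalise(answer: str) -> str:
    return " ".join(answer.strip().lower().split())


def _mac(secret: bytes, data: str) -> str:
    return hmac.new(secret, data.encode(), hashlib.sha256).hexdigest()


def issue_challenge(secret: bytes, now: float = None,
                    pick: Callable = secrets.choice) -> Tuple[str, str]:
    """Return (question_text, token).

    The token carries an expiry, a nonce and an HMAC of nonce+answer keyed with the
    site secret, so a client cannot brute-force the four options offline. The whole
    payload is then signed; the server stores nothing until verification."""
    now = time.time() if now is None else now
    category, options, answer = pick(QUESTION_BANK)
    nonce = secrets.token_hex(8)
    body = {
        "ans": _mac(secret, nonce + ":" + _normalise(answer)),
        "exp": int(now) + TOKEN_TTL,
        "nonce": nonce,
    }
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
    question = f"Which of these is not one of the {category}: {', '.join(options)}?"
    return question, payload + "." + _mac(secret, payload)


def verify_answer(secret: bytes, token: str, answer: str,
                  used_nonces: Set[str], now: float = None) -> bool:
    """Check signature, expiry, single use and the answer; consume the nonce on success."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".", 1)
        if not hmac.compare_digest(sig, _mac(secret, payload)):
            return False
        body = json.loads(base64.urlsafe_b64decode(payload))
        exp, nonce, expected = int(body["exp"]), str(body["nonce"]), str(body["ans"])
    except (ValueError, KeyError, TypeError):
        return False
    if now > exp or nonce in used_nonces:
        return False
    if not hmac.compare_digest(expected, _mac(secret, nonce + ":" + _normalise(answer))):
        return False
    used_nonces.add(nonce)  # a solved token cannot be replayed for a second post
    return True


if __name__ == "__main__":
    site_secret = secrets.token_bytes(32)
    seen: Set[str] = set()
    q, tok = issue_challenge(site_secret)
    print(q)
    print("hidden field:", tok)
```

In a real form the token rides along as a hidden field and `used_nonces` lives in whatever short-lived store the site already has; expired nonces can be dropped from it after `TOKEN_TTL`.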
but more importantly, in the long term, it needs policy and legal progress. it needs to be costly and international (via treaties/sanctions).