(It's no great secret that CloudFlare would love to switch away from ReCAPTCHA, for a whole variety of reasons. It's one of the things Tor users complain about the most, but it's an issue for a lot more users than that. We're doing a lot of stuff to reduce reliance on CAPTCHAs overall throughout 2015, but we still need a good one for some checks.)
I wonder if some kind of prize (anti-Turing prize?) would help. There's the core algorithm/approach question, as well as the infrastructure and deployment-model question. I'm a lot more comfortable answering the latter; the former is a black art, as much craft as science.
One thing you could look into (email me if you'd like more info on this) is the notion of using Bitcoin-based "anonymous passports". The idea here is that someone sacrifices some bitcoins to miner fees in such a way that they effectively mint themselves a certificate over a public key, without paying a certificate authority. Seen one way, the blockchain itself is the CA.
Once such a certificate/"anonymous passport" has been created, the owner can sign challenges with it to prove ownership, and if the user is observed engaging in abusive activity the certificate can be blacklisted, forcing another sacrifice of money if they want to keep going.
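The challenge-sign-blacklist loop described above can be sketched in a few lines. This is a toy with deliberately insecure parameters: a Schnorr-style signature over a small prime field stands in for the Bitcoin-grade ECDSA keys a real passport would commit to in a sacrifice transaction, and all names here are made up for illustration.

```python
import hashlib
import secrets

P = 2**32 - 5        # toy prime modulus (far too small for real use)
G = 2                # generator

blacklist = set()    # public keys ("passports") banned after observed abuse

def mint_passport():
    """Simulates the sacrifice step: mint a keypair; the public key is the passport."""
    x = secrets.randbelow(P - 2) + 1          # private key
    return x, pow(G, x, P)                    # (private key, public passport)

def _h(r, msg):
    return int(hashlib.sha256(f"{r}|{msg}".encode()).hexdigest(), 16) % (P - 1)

def sign(x, msg):
    """Owner signs a server challenge to prove they hold the passport's key."""
    k = secrets.randbelow(P - 2) + 1
    r = pow(G, k, P)
    return r, (k + x * _h(r, msg)) % (P - 1)

def verify(pub, msg, sig):
    """Server checks the signature and rejects blacklisted passports outright."""
    if pub in blacklist:
        return False          # burned passport: abuser must sacrifice again
    r, s = sig
    return pow(G, s, P) == (r * pow(pub, _h(r, msg), P)) % P
```

The key point is that verification needs only the public passport, so the server never learns who the owner is, yet blacklisting a passport forces a fresh (costly) sacrifice.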
The downside, of course, is that it relies on Bitcoin. However, there's a whole army of people working on the problem of obtaining bitcoins. There are local traders. There are Bitcoin ATMs being deployed throughout the world. If you want a private way to demonstrate some sacrifice of effort or wealth, I don't think there's a better alternative.
Currently there's no convenient GUI for making these certificates, though if a major provider like CloudFlare were willing to get behind the concept, one could easily be built. For instance, I could add it to Lighthouse, a cross-platform Bitcoin wallet app that specialises in smart contracts.
Specifically, one way to rate-limit would be a cookie value that changes on each request: the previous cookie value expires, and only the site knows what the next valid value is. Bots pay the cost of waiting in computing time, and in memory if they try to get around it by parallelising. As those costs fall with cheaper hardware, so too do the costs of serving the site.
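The rotating-cookie scheme above can be sketched as a tiny server-side gate. This is a minimal illustration, not anyone's actual implementation; the class and method names are invented, and a real deployment would also bind tokens to a session and expire them on a timer.

```python
import secrets

class RotatingCookieGate:
    """One-time cookies: each valid request consumes the old value and is
    issued a fresh one, so a client must hold state and pay one round trip
    per request. Replayed or forged values are rejected."""

    def __init__(self):
        self._valid = set()   # the set of currently acceptable cookie values

    def issue(self):
        token = secrets.token_hex(16)   # unguessable next value, known only to the site
        self._valid.add(token)
        return token

    def check_and_rotate(self, token):
        if token not in self._valid:
            return None                 # stale, replayed, or forged cookie
        self._valid.discard(token)      # the previous value expires immediately
        return self.issue()             # hand back the next valid value
```

Parallel bots can't share one cookie: the first request to use it invalidates it, so each bot must maintain its own chain, which is exactly the memory cost the comment describes.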
... did you just solve the whole problem of on-going automation? Capitalism is saved! We will all work as CAPTCHA breakers. ;).
The power of paying other people cents to fill in CAPTCHAs.
Similarly for VPNs and other tools, whose use is fairly likely to increase as people start seeking ways to avoid ubiquitous surveillance.
There are other options, including a few tools that look at how to provide a fair and anonymous reputation system for Tor clients:
This was a problem before Tor anyhow. You can run a proxy for a few cents a day.
I just don't see how CAPTCHAs are some awesome solution. With any anti-bot technology, the cost to circumvent it is pennies. It strikes me as something like DRM: it makes content producers feel good, but really only punishes average people.
edit: sorry I hadn't read your links. Good points and hopefully someone like CloudFlare would make this easy for people to add to their sites.
Sorting out a mechanism for allocating those tokens' seed values is difficult. FAUST requires an unblinded token request initially.
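For context on why blinding matters here: FAUST-style anonymous tokens need the issuer to authorize a token without ever seeing its final value, so spends can't be linked back to the issuance. A textbook RSA blind signature shows the mechanism; this is a toy with small, insecure parameters, and none of it is FAUST's actual construction.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA key (a real deployment would use >= 2048-bit primes).
p, q = 10007, 10009
n = p * q
e = 65537
d = pow(e, -1, (p - 1) * (q - 1))   # private signing exponent

def blind(m):
    """Client hides token value m behind a random blinding factor r."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            break
    return (m * pow(r, e, n)) % n, r     # (blinded message, blinding factor)

def sign_blinded(mb):
    """Issuer signs without ever seeing m itself."""
    return pow(mb, d, n)

def unblind(sb, r):
    """Client strips the blinding factor, leaving a valid signature on m."""
    return (sb * pow(r, -1, n)) % n

def verify(m, s):
    return pow(s, e, n) == m % n
```

The unlinkability comes from `r`: the issuer sees only `m * r^e`, which is uniformly random, so it cannot later match a spent token to the signing request. The allocation problem the comment raises is real, though: the very first token request has nothing to blind against, so it has to be unblinded.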
CAPTCHAs have been useful, though always problematic. The goal isn't perfection but raising costs. The problem is that those costs keep falling.
There's an annoying triangle here: preserving privacy (i.e. unlinkability), machine-independence, and working well for good traffic with limited resources while blocking attackers with substantially more resources. Ideally it would be "choose zero"; I'd be happy if the state of the art were even at "choose one".
Full disclosure: I'm from the team behind a leading CAPTCHA alternative and our concerns are two-fold -- privacy and vulnerabilities.
a) The new reCAPTCHA relying on a 'black box' to verify users is, naturally, concerning privacy-wise.
b) The technology implemented to cater to this black box has actually opened the door to new vulnerabilities.
Our Design Director explains the reasoning behind the concern regarding the 'black box' here: http://www.funcaptcha.co/2014/12/04/killing-the-captcha-with...
And I myself go into more detail about Egor Homakov's findings regarding the new vulnerabilities here: http://www.funcaptcha.co/2014/12/04/killing-the-captcha-with...
Apologies if this feels promotional - if you have any questions, I'd be happy to answer them. This is an area of web sec that we're, obviously, very dedicated to.
Our bot problem disappeared over night, and we haven't had a problem since. Definitely not a solution for everyone, but it could be a great solution for some.
Or do you honestly believe they bought and continued to operate the old reCAPTCHA out of the goodness of their hearts, never collecting all that data that everybody is upset about now?
However, there is no technical reason why the old system would not have had exactly the same means for tracking the user as the current system has.
Given that Google is mainly an advertising company and that its investment in reCAPTCHA must provide some value, I'm led to conclude that the old system was doing exactly the same tracking the new one does.
The advantage is that now I don't have to type in letters while the tracking stays the same.
This new one tries to build a behavioural profile of you and uses that to determine your humanness. Maybe the old one did that too. Maybe every Google service does. I don't know. The outrage is that now we know one of them is doing it.
And on a personal note: yes, I do believe Google ran reCAPTCHA just for the free data annotations.
Much as with Facebook trackers, this provides cross-site user tracking by Google.
"Perona told us: “The use of Google.com’s domain for the CAPTCHA is completely intentional, as that means Google can drop long-lived cookies in any device that comes into contact with the CAPTCHA, bypassing third-party cookie restrictions [like ad blockers] as long as the device has previously used any service hosted on Google.com.”"
I run Ghostery, so perhaps passing it relies on possessing some tracking cookies? If so, I'm happy to continue failing it.
So it thought I was a robot, and the fallback is the old CAPTCHA. I'm not sure this new CAPTCHA solves the problem it was intended to solve. Am I missing something?
This is quoted from their blog post about reCAPTCHA -->
"However, our research recently showed that today’s Artificial Intelligence technology can solve even the most difficult variant of distorted text at 99.8% accuracy."
Here you can test it by yourself --> https://www.google.com/recaptcha/api2/demo
An 1800x1280 phone screen isn't sufficient, it appears.
In fact, completing this list with ALL of Google's tentacles would probably break the character limit on HN. With very few exceptions, Google's scooping eye is there to learn more about you.
It's their core business: learning as much as possible about people online so they can show them the most relevant ads.
For the 99% of people who don't care, it's a great improvement.
And if someone wants to write a better system, who's stopping them?
1) take a few months to study web technologies and develop an intuition about why and how they track you
2) click a button to block their cookies
You and I already did (1), but most people haven't.