What replaces captchas? Are there any not excessively burdensome tests that a standard issue human can pass that a machine somehow cannot? I'm assuming the "find all the bicycles" tests are also obsolete.
Sadly, probably something like TPMs or email logins (from a reputable email provider of course, one who requires SMS to sign up, from a reputable phone provider of course, one who doesn't offer free VoIP numbers and requires a credit card to sign up, from a reputable card brand of course, not a burner card)
Option 1: Micropayments, high enough to discourage bot operators but not the intended human audience will be better for website operators as soon as it becomes too easy for AI to solve captchas.
If website operators don't explicitly introduce micropayments as a captcha alternative, there will be browser plugins that outsource captcha solving to AI for a micropayment, which has the same effect.
Option 2: Using a means of authentication that can't be obtained cheaply at scale by bots, e.g. Twitter accounts, Gmail accounts, government ID, ...
A market of human-oriented hardware keys, where the keys are only intended to be sold to actual human beings, with legal or otherwise cash bounties in place for people who can provide evidence of the keys being sold to or otherwise falling into the hands of non-human entities.
As mentioned, a bounty system. Someone who buys a thousand to use would have to be very clever to evade the eyes of all the people interested in profiting off of revealing his actions and getting the chips turned off.
Something realtime, like video, is beyond most models at the moment. After that, realtime input, like little mini game you have to show proficiency at by scoring 5. I think the mini game approach could be fun. It could probably work for a year or two. :-\
the minigame thing has been defeated for a long time. it's trivial to solve when there are only so many subsets of a game, however randomized the starting states are.
I guess there is a silver-lining in the premise of AI generated one-time-use games for that sake, but then there is a significant "can a human even do this?" problem to conquer at that point.. and worse the same AI tech is going to be established on the opposite side of the wall trying to defeat the thing.
I think it'll all boil down to some sort of state-license fallback method like "please enter a CC or ID number to continue" -- which is ultimately a defeat of the user, unfortunately.
Which is why my hobby projects will continue to use bot detection and CAPTCHA recognition. Especially since I'm routing through Cloudflare, so that's invisible for 99% of my users and the remaining 1% can just get off Tor if they're tired of solving the captions.
The website or service owners. If they can't afford it they should be out of business and do something else. The web is big enough for both humans and bots.
No thank you. I prefer to live by the code "Every request is a two way conversation. The client may accept, and the server may choose to emit."
Just because I emit to other clients does not obligate me to emit to yours, any more than my emission of ads obligates you to accept and render them (but if you don't, or if you choose to ignore my CAPTCHAs, I may choose not to emit to you).
That's fighting a losing battle. Clients find their way around any restriction, which by itself risks your service or website losing ground and being overtaken by the alternatives.
Yes, it's all measure countermeasure. But you'll note that the most successful sites out there have bot protection and actively invest in it. I'm not concerned about the being overtaken narrative; My concern is the other scenario, where after the bots are done consuming and exfiltrating my data, I have no bandwidth to serve humans and my data is being vended from other sources now anyway.
It's also not really that much of a losing battle. Cloudflare will fight the battle for me quite well for free, and even better for a pittance.
