I’d argue that “personhood” is rarely what these things actually care about—it’s just a cheap-to-measure proxy for “likelihood of conversion to sale” or “amount I’d get paid for an ad” or the like. A bot that can enter into contracts and is more likely than a real person to make a purchase would be welcomed, but there are few of them and there’s no good test of it.
For actually valuable things, a bot could just pay humans to pass the captcha and all would be well. Shadier bots could man-in-the-middle pretty easily if they just pass through a captcha on their cat picture site.
For implementation, it’s worth looking at the OAuth specs and common federated authentication systems that Google, Facebook and a number of other sites provide—those do NOT assert human-ness, they assert authenticated account identity, but for most uses, that’s a better proxy anyway. In cases where it’s not, you could build a provider that uses OAuth to assert humanity using whatever verification it likes.
I’d argue that “personhood” is rarely what these things actually care about
This is probably true. Maybe the best use case is actually the opposite of preventing bots: enabling good bots who can’t pass CAPTCHAs to access services they need (by paying humans to let them in).