405 points blindgeek | 56 comments
1. jchw ◴[] No.42173090[source]
I hope we can end the CAPTCHA experiment soon. It didn't work.

Phone verification isn't good either, but for as much as I hate phone verification at least it actually raises the cost of spamming somewhat. CAPTCHA does not. Almost all turnkey CAPTCHA services can be solved for pennies.

Solving the problems of SPAM and malicious traffic will be challenging... I am worried it will come down to three possible things:

- Anonymity of users: validating someone's real-life identity sufficiently would make it possible to permanently ban malicious individuals and filter out bots with good effectiveness, but it will destroy anonymity online. In my opinion, literally untenable.

- Closing the platform: approaches like Web Environment Integrity and Private Access Tokens pave the way for how the web platform could be closed down. The vast majority of web users use Google Chrome or Safari on a device with Secure Boot, so the entire boot chain can be attested. The number of users that can viably do this will only increase over time. In this future, the web ceases to meaningfully be open: alternatives to this approach will continue to become less and less useful (e.g. machine learning may not achieve AGI but it's going to kick the ass of every CAPTCHA in sight) so it will become increasingly unlikely you'll be able to get into websites without it.

- Accountability of network operators: Love it or hate it, the Internet benefits a lot from gray-area operators that operate with little oversight or transparency. However, another approach to getting rid of malicious traffic is to push more accountability to network operators, severing non-compliant providers off of the Internet. This would probably also suck, and would incentivize abusing this power.

It's tricky, though. What else can you do? You can try to reduce the incentives to have malicious traffic, but it's hard to do this without decreasing the value that things offer. You can make malicious traffic harder by obfuscation, but it's hard to stop motivated parties.

Either way, it feels like the era of the open web is basically over. The open web may continue to exist, but it will probably be overshadowed by a new and much more closed off web.

replies(15): >>42173427 #>>42173571 #>>42173573 #>>42173636 #>>42173652 #>>42173854 #>>42174051 #>>42174079 #>>42174452 #>>42174502 #>>42174730 #>>42174882 #>>42175601 #>>42175632 #>>42175764 #
2. Telemakhos ◴[] No.42173427[source]
This doesn’t feel so much like the end of the “open web” as it does a rehash of USENET and email spam issues. Social media killed USENET, and email managed its spam issues thanks to filtering.
replies(2): >>42173566 #>>42173684 #
3. jchw ◴[] No.42173566[source]
Email kind of solved its SPAM issues, but it came at great costs. It's possible but quite hard to run your own e-mail server; if you're not on a major provider, the possibility is high that a major provider will at some point have deliverability issues to or from you due to automated anti-SPAM measures. The degree of difficulty with participating in the network does somewhat degrade its openness in my opinion.

If anything works in the favor of email it is that email is not published. It is not necessarily very private inherently, but it is at least not a system where things get broadcasted publicly. IMO this limits the value of spamming people over e-mail: you have to send a very high volume of e-mail to SPAM effectively over e-mail, and this high volume use pattern is not something that ordinary users will ever engage in, so it's easy to at least separate out "possible SPAM operation" versus "guy sending email to a friend". (I'm not saying that systems are necessarily perfect at distinguishing one from the other, but at the very least it would be hard to mistake the average Gmail account for being part of a massive SPAM operation. The volume is just too low.)

I hope the open web survives, but if e-mail is any kind of sign, it's not a great one in my opinion.

replies(1): >>42173766 #
4. plingbang ◴[] No.42173571[source]
> It's tricky, though. What else can you do?

I had an idea about an almost-privacy-preserving system involving government ID and blind signatures:

1. The service passes a random string to the user.
2. The user authenticates to their government and asks the government to sign it.
3. The government applies a blind signature which basically says "this user/citizen hasn't registered an account in the last 60 minutes".
4. The government records the timestamp.
5. The user passes the signature back to the service.

Upsides:

* Bypassing this would be orders of magnitude more expensive than phone numbers.
* Almost private

Downsides:

* Won't happen. Remote HW attestation is likely to win :(
* The service knows your citizenship
* The gov knows when and how often you register.
* Any gov can always bypass the limits for themselves.

I think it may be also possible to extend it so that the government attests that you have only one account on the service but without being able to find which account is yours.
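
The five steps in the comment above can be traced with textbook RSA blinding. This is an added example, not part of the original post: the toy key (two Mersenne primes), the `Service` and `Government` classes, the citizen id and the timestamps are all constructed for illustration, and a real deployment would use a vetted blind-signature scheme with full-size keys.

```python
import hashlib
import math
import secrets

# Toy RSA key for the "government" (constructed for this example; far too small for real use).
P, Q = 2**127 - 1, 2**89 - 1          # two Mersenne primes
N, E = P * Q, 65537                   # public key
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent, held only by the government
WINDOW = 60 * 60                      # "no registration in the last 60 minutes", in seconds


def digest(nonce: bytes) -> int:
    """Hash the service's random string to an integer modulo N."""
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big") % N


class Service:
    """Step 1 and step 5: issues random strings and checks the returned signature."""

    def __init__(self):
        self.pending = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def register(self, nonce: bytes, sig) -> bool:
        # Reject unknown or already used nonces, then verify with the public key only.
        if sig is None or nonce not in self.pending:
            return False
        if pow(sig, E, N) != digest(nonce):
            return False
        self.pending.discard(nonce)   # single use: a signature cannot be replayed
        return True


class Government:
    """Steps 2 to 4: authenticates the citizen, signs blindly, records the timestamp."""

    def __init__(self):
        self.last_signed = {}         # citizen id -> time of last signature

    def sign_blinded(self, citizen: str, blinded: int, now: int):
        last = self.last_signed.get(citizen)
        if last is not None and now - last < WINDOW:
            return None               # rate limit hit: refuse to sign
        self.last_signed[citizen] = now
        return pow(blinded, D, N)     # signs a value it cannot link to any nonce


def blind(nonce: bytes):
    """User side: hide the hashed nonce behind a random factor r before sending it."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    return (digest(nonce) * pow(r, E, N)) % N, r


def unblind(blind_sig: int, r: int) -> int:
    """User side: strip r, leaving an ordinary signature on the hashed nonce."""
    return (blind_sig * pow(r, -1, N)) % N


if __name__ == "__main__":
    svc, gov = Service(), Government()
    nonce = svc.challenge()
    blinded, r = blind(nonce)
    sig = unblind(gov.sign_blinded("citizen-A", blinded, now=0), r)
    print("registration accepted:", svc.register(nonce, sig))
    second, _ = blind(svc.challenge())
    print("second request 30 min later:", gov.sign_blinded("citizen-A", second, now=1800))
```

The government's log holds only the citizen id and timestamps, which matches the listed downside that it learns when and how often you register, while the service sees only a valid signature under the government's key.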

5. mindslight ◴[] No.42173573[source]
meh, continuing the pearl clutching and asserting there has to be some general "solution" is itself part of the problem. The sheer majority of captchas I come across are while browsing essentially static content. If simple source IP based rate limiting can't keep the server load at something manageable, then the real problem is with how the site is built. And adding even more bloat to address another managerial bullet point is exactly how it got that way.
replies(1): >>42173790 #
6. account42 ◴[] No.42173636[source]
A start would be what kinds of websites even need a CAPTCHA in the first place. Why does just viewing websites with static content ever need to result in a captcha prompt?
replies(1): >>42173645 #
7. jchw ◴[] No.42173645[source]
That I think is just to try to prevent scraping, probably mostly from people training AI models. I don't really think anti-scraping mitigations are a good idea and I'm hoping that problem some day solves itself.
8. mapt ◴[] No.42173652[source]
There is another option.

CAPTCHA is useful only when it is costly to solve. It is a costly signal that this is a real person, or at least is more than 1/10^9th of a real person (you're not running a fully automated spam system).

The postal service also has costs - everybody that wants to move something through the postal service needs to buy a stamp. Transport fees are a 'natural' way to moderate traffic and deter spam.

Various combinations of network architecture and cryptocoinage permit you to invoke transport fees per attempted transmission/login. Sensible ones, if every spam email or login guess costs even 1 penny it becomes prohibitive for most fully automated spam applications. The cryptocoin aspect is specifically about preserving anonymity of private wallet access while permitting the cash-like transactions that stamps enable.

replies(6): >>42173730 #>>42173910 #>>42173934 #>>42174028 #>>42174563 #>>42188474 #
9. dataflow ◴[] No.42173684[source]
Email hasn't actually fixed spam issues, it's just mitigated a big chunk of them. But I know for a fact that I still mark emails in my inbox as spam on a regular basis, and still dig legitimate emails out of my spam once in a while.
10. throwaway2037 ◴[] No.42173730[source]
This sounds like the same argument that was made for about 10 years (2000 to 2010) that micropayments would save traditional (print) media in a digital world. It didn't work due to market fragmentation and friction to make a payment.

And, the reality of your fancy idea is that normie users would turn away if they made a mistake on the CAPTCHA and were suddenly presented with a screen "charging" them one pence.

replies(3): >>42173756 #>>42174020 #>>42174518 #
11. mapt ◴[] No.42173756{3}[source]
This isn't about "making a mistake on the captcha", this is about charging them one pence for every attempt and just not having a captcha.

It's an entirely different sort of system, and it would require a cordoned off section of the Internet to implement it top-down, but it's technically viable.

The defining insight here is how many orders of magnitude difference there is between the "That price is negligible" threshold for a human being, and the "That price is negligible" threshold for an automated system. Sure there are adoption issues, but for all applications where there are several orders of magnitude difference, such a system makes some degree of sense.

replies(1): >>42173978 #
12. martin_a ◴[] No.42173766{3}[source]
> It's possible but quite hard to run your own e-mail server; if you're not on a major provider, the possibility is high that a major provider will at some point have deliverability issues to or from you due to automated anti-SPAM measures.

In the roughly 25 years that I've used shared webhosting to have my own domain name and mailboxes, deliverability was never an issue. Never tried to send thousands of mails though, so...

replies(1): >>42173988 #
13. jchw ◴[] No.42173790[source]
Two things:

- I don't believe there is a general solution to this problem, but that won't stop people with lots of money and influence from trying to find a general solution. Especially one that is cheap. I still hope for the least user- and ecosystem-hostile approach among the flawed approaches to win. (I guess of the ones I listed, the one that bothers me the least is having more policing of the service providers.)

- CAPTCHAs from static content are almost assuredly for anti-scraping measures. I think anti-scraping measures are mostly pointless and antithetical to an open web in the first place, but, an effective anti-scraping measure kind of has to work off of reputation, because getting access to a very large number of IP addresses isn't free, but it doesn't cost that much (especially if IPv6 is on the table.) I personally doubt it has much to do with server load in most cases, but maybe I am wrong.

replies(1): >>42178019 #
14. throwaway2037 ◴[] No.42173854[source]

> Anonymity of users: validating someone's real-life identity sufficiently would make it possible to permanently ban malicious individuals and filter out bots with good effectiveness, but it will destroy anonymity online. In my opinion, literally untenable.

I see this point constantly made on the echo chamber that is known as HackerNews. The average normie user does not care about anonymity, nor privacy, on the Internet. They want a smooth, fun experience. The solution is secure boot plus attestation via some browser JavaScript API. If you want even less friction, users are required to register their devices with a gov't agency, then their attestation will carry more value.

Really, why don't we see HN crying about the need to show a national ID (and register) when buying a mobile phone? I never once saw anyone complaining about it here. Are there any highly developed nations that allow complete strangers with any nationality to buy and use a mobile phone without showing a national ID? I don't know any, or they will all soon be gone. It only takes a few more terrorist assholes to close that door permanently.

replies(5): >>42173932 #>>42174559 #>>42175257 #>>42176181 #>>42183286 #
15. jchw ◴[] No.42173910[source]
Cryptocurrency micropayments have been proposed and even attempted as a solution to various problems. Hell, there's also Hashcash, an early proposed anti-SPAM measure for e-mail using just proof-of-work. (Since this is just burning CPU though, it probably isn't effective in the modern world of most people using low-power mobile computers and many SPAMers having access to cheap very high power computers. Might serve as a good hurdle for people trying to implement malicious bots, but it will eventually become useless if it is shown to be effective IMO.)

I'm skeptical though. It puts a literal price on abusing a service, but how do you set that price? Is there a guarantee that there's a value high enough to meaningfully disincentivize SPAM but low enough that users, especially users in areas that may have an economic disadvantage, are able to pay it?

That's on top of the other practical problems, such as actually implementing it. I mean, if someone implements it and tries to solve the usability issues involved I would be open to this future, but as it is now, cryptocurrency has disappointed me. In a world with increasing scrutiny towards credit card processors, I was hoping that the silver lining would be that cryptocurrency could at least help mitigate some of the concerns, but there are just too many hurdles right now. (Some of them may be caused by regulation, but to be fair, I think at this point it's hard to blame governments for trying to regulate cryptocurrency exchanges. I'm not happy about silly KYC policies or anything like that, but I am not surprised at all.)

replies(1): >>42175275 #
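
The Hashcash idea mentioned in the comment above, sketched as an added example that is not part of the original post: the sender searches for a stamp whose SHA-1 hash has a required number of leading zero bits, and the receiver checks it with a single hash. The field layout follows Hashcash version 1, but the decimal counter, the resource name `signup@forum.example`, the date `241118` and the 12-bit difficulty are assumptions chosen to keep the demo fast.

```python
import base64
import hashlib
import secrets


def has_zero_bits(stamp: str, bits: int) -> bool:
    """True if the SHA-1 of the stamp starts with `bits` zero bits."""
    h = int.from_bytes(hashlib.sha1(stamp.encode()).digest(), "big")
    return h >> (160 - bits) == 0


def mint(resource: str, bits: int, date: str):
    """Sender side: brute-force a counter. Expected cost is about 2**bits hashes."""
    rand = base64.b64encode(secrets.token_bytes(9)).decode()
    counter = 0
    while True:
        # Layout: version:bits:date:resource:ext:rand:counter (ext left empty)
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter}"
        if has_zero_bits(stamp, bits):
            return stamp, counter + 1   # stamp and number of hashes spent
        counter += 1


def verify(stamp: str, resource: str, min_bits: int, valid_dates, spent: set) -> bool:
    """Receiver side: one hash plus bookkeeping, regardless of how long minting took."""
    parts = stamp.split(":")
    if len(parts) != 7 or parts[0] != "1" or not parts[1].isdigit():
        return False
    bits, date, res = int(parts[1]), parts[2], parts[3]
    if not (min_bits <= bits <= 160):
        return False                    # sender claimed too little work
    if res != resource or date not in valid_dates:
        return False                    # stamp minted for someone else or too old
    if stamp in spent:
        return False                    # each stamp pays for one message only
    if not has_zero_bits(stamp, bits):
        return False
    spent.add(stamp)
    return True


if __name__ == "__main__":
    spent = set()
    stamp, hashes = mint("signup@forum.example", 12, "241118")
    print(stamp, "cost", hashes, "hashes")
    print("accepted:", verify(stamp, "signup@forum.example", 12, {"241118"}, spent))
    print("replayed:", verify(stamp, "signup@forum.example", 12, {"241118"}, spent))
```

The difficulty is the only pricing knob, and it is denominated in hashes, so a stamp that delays a phone by seconds costs a fast machine a small fraction of that.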
16. graypegg ◴[] No.42173932[source]
> Are there any highly developed nations that allow complete strangers with any nationality to buy and use a mobile phone without showing a national ID?

Canada maybe? [I'm 80% sure that] Public Mobile will sell you a prepaid sim card at the counter. You could pay cash, and set your caller ID to a fake name.

If we're talking about mobility plans, the identity requirement is more about the credit check they might want to do than anything else.

17. Retr0id ◴[] No.42173934[source]
Although solving a captcha can be translated into a monetary cost (often the cost of labour for a human in a clickfarm to solve it for you), the nice thing is that it's still "free" to solve normally.

If you switch to direct payments that are still affordable for routine use by your poorest users, then your rich adversaries can afford to generate orders of magnitude more spam (until we solve unequal wealth distribution globally).

Also, the cost of using a postal service nominally covers its operating costs. The cost of actually transferring a spammy HTTP request over the internet is negligible, but the costs imposed on its receiver are less so (i.e. the cost of responding to it (cpu/ram/disk/bandwidth), second-order costs of lowering the quality of the service for everyone else, etc.).

replies(1): >>42175170 #
18. theamk ◴[] No.42173978{4}[source]
Don't think it's going to work, except in the smallest forums?

According to a random page on internet [0], companies pay in $2-$6 range per 1000 ad impressions. If one pays $0.01 to bypass captcha and just 10 people see the resulting spam post, that's already $1 per 1000 views - much less than facebook charges. This becomes even more lucrative if the ads are expensive or there will be more than 10 people looking at the ad.

It looks like you'll want much higher costs than that, which will make it "too much" for other users.

[0] https://spideraf.com/learning-hub/what-is-the-average-cost-p...

19. jchw ◴[] No.42173988{4}[source]
I have been running web services for around 22 years I believe. At the very beginning, I had zero problems with deliverability to most addresses. However, even early on, I do remember plenty of forums that mentioned that Yahoo! or Hotmail tended to drop their confirmation e-mails into SPAM. Smaller operators had an advantage in being lower volume; I think that gives you a higher likelihood of delivery. That said, their emails are also more likely to get caught up in SPAM filters without remediation.

Something has changed recently, though. I have found it increasingly hard to even get an IP that is not blocked anymore. I recently migrated a VPS that was almost 10 years old that was running its own e-mail services, and after a lot of struggling... I gave up. It now has to go through an SMTP proxy to send e-mail. This bums me out, but after multiple attempts to get an IP that worked, I gave up. The provider did tell me that I was grandfathered in to have outgoing SMTP enabled on my servers (something that new users do not have by default, by the way) but recommended I stop using it.

Is the network open? Yes. Does everyone have deliverability problems? Probably not. But maybe another question: If you did have deliverability problems to some major provider, would you even know about it? If you're not very high volume, maybe not!

20. njarboe ◴[] No.42174020{3}[source]
Would be great if the US government somehow facilitated micropayment. Either by creating their own system or removing the capital gains reporting requirements on crypto (maybe up to $10k/year).
replies(1): >>42183980 #
21. danaris ◴[] No.42174028[source]
If you expect 99% of normal internet users to maintain a crypto wallet of any kind just to access certain websites—even leaving aside the actual cost—you're going to be sorely disappointed.
replies(1): >>42181044 #
22. SirMaster ◴[] No.42174051[source]
CAPTCHA definitely works in some cases.

On our website, without CAPTCHA we get dozens of forms filled out by bots per day. With the CAPTCHA we get 0.

So sure it may be cheap to defeat the CAPTCHA, but nobody seems to be willing to go through that small hoop to do it on our website.

replies(1): >>42174167 #
23. dreamcompiler ◴[] No.42174079[source]
> I hope we can end the CAPTCHA experiment soon. It didn't work.

Well it sort of worked before we got modern AI image recognizers, but even then they had to continue making the challenges harder to keep up with the recognizer software.

Now the damn things have crossed over into the domain of "easier for a machine to solve than a human" so they're worthless for their original purpose.

replies(2): >>42174169 #>>42174276 #
24. salviati ◴[] No.42174167[source]
I believe that 0 will be a higher number next year. And even higher the following year.
replies(1): >>42177272 #
25. tombert ◴[] No.42174169[source]
Define modern? I worked adjacent to the web-scraping tech at Jet.com and they managed to beat a lot of the CAPTCHAs even in 2016.
26. jchw ◴[] No.42174276[source]
Yeah but filtering out mindless bots is even easier than loading a bloated mess of JS: a simple form question that you believe 100% of the valid users will be able to answer should be good enough to stop almost all of those low-level bots. I use that approach all the time.

Some day this luck will run out, but for larger entities that experience targeted malicious traffic it's never really been a viable approach.

27. not_your_vase ◴[] No.42174452[source]
In the past 3 years, every morning I wake up I open the news, and I hope that I will see the following headlines: "Some guy figured out how to use AI to detect bot traffic with 100% accuracy, captchas became obsolete and banned worldwide with immediate effect"

And every morning my day starts with disappointment.

28. thayne ◴[] No.42174502[source]
> Almost all turnkey CAPTCHA services can be solved for pennies.

There is one area where even pennies can be a barrier: DDoS.

Paying a few pennies per captcha can add up to a lot when you want to complete millions of them.

29. Thoreandan ◴[] No.42174518{3}[source]
Relevant Penny Arcade comic responding to the proposal that micropayments will save comic artists - https://pennyarcade.fandom.com/wiki/June_22,_2001
30. tredre3 ◴[] No.42174559[source]
> Are there any highly developed nations that allow complete strangers with any nationality to buy and use a mobile phone without showing a national ID? I don't know any, or they will all soon be gone.

I regularly (1-2x per year) buy prepaid SIMs in Canada, USA, and Japan. None of them require an ID and I often even pay cash.

I'm sure you are right that they'll eventually be requiring ID, but you are wrong to imply that these countries aren't highly developed.

31. thayne ◴[] No.42174563[source]
> The postal service also has costs

I don't know about you but even with this cost about 90% of the physical mail I receive is junk mail.

> Sensible ones, if every spam email or login guess costs even 1 penny it becomes prohibitive for most fully automated spam applications.

Do you have a solution for transaction costs? How do you pay a penny without having to pay more than that for the transfer of funds?

32. AnthonyMouse ◴[] No.42174730[source]
> validating someone's real-life identity sufficiently would make it possible to permanently ban malicious individuals and filter out bots with good effectiveness, but it will destroy anonymity online. In my opinion, literally untenable.

Not only untenable because of the privacy invasion but also because there are too many users who are willing to click on whatever for a chance to win a prize and thereby authorize use of their identity for spamming.

> approaches like Web Environment Integrity and Private Access Tokens

That stuff never works because the spammers only have to break one model of one popular device. The people proposing it are snake oil salesmen or platform companies that want to use it for lock-in, because spammers spend the resources to break the system but normal users won't put up with the inconvenience, which locks out competitors and interoperability.

> Accountability of network operators

This largely already happens. Disreputable IP blocks get banned. But then you get a botnet with users on ISPs with varying levels of willingness to do something about it and the ones that do something about it still can't do it instantaneously and some of the ones that don't care are in jurisdictions you can't control but are also too big to block.

The best solution is probably some kind of "pay something in money/cryptocurrency/proof of work to create an account" because normal users need a small number of accounts kept for long periods of time but spammers need a large number of accounts that get banned almost immediately, which is exactly the sort of asymmetric cost structure that results in a functioning system.

33. awbvious ◴[] No.42174882[source]
" Anonymity of users: validating someone's real-life identity sufficiently would make it possible to permanently ban malicious individuals and filter out bots with good effectiveness, but it will destroy anonymity online. In my opinion, literally untenable. "

What about zero knowledge proofs? Those with typical cryptocurrency wallets could leverage existing extensions. Everyone else can download an open source extension that sends the proof and an open source way to verify proofs but is unrelated to cryptocurrency. While a robustly decentralized chain like Bitcoin and Ethereum would be a good place to verify proofs, no reason a non-cryptocurrency solution can't also be available as well for the cryptocurrency averse. And for the tech averse, a phone number to call/text to walk the person through sending the proof via phone that would cost a tiny bit--and could also help the tech averse with setting up an extension going forward?

34. Y_Y ◴[] No.42175170{3}[source]
> until we solve unequal wealth distribution globally

Is this a joke?

replies(1): >>42175732 #
35. faeranne ◴[] No.42175257[source]
> why don't we see HN crying about the need to show a national ID ... when buying a mobile phone?

Mmm, very possibly because there are at least a few ways to get a phone without using any ID. I picked up a used phone about a year ago, and use Tello. Tello had 0 info on me for years, only an old UPS box that I got the card delivered to. I eventually gave them my first name so Caller ID was correct, but short of that or putting in a correct address if you want 911 support, there's no reason to need any valid info with them. They don't do credit checks, just prepay.

> The solution is secure boot plus attestation

That's the second option they presented "Closing the platform". The issue with all these options is that it consolidates power, and thanks to already partially consolidated power, any option selected will, by necessity, obligate everyone to partake, whether or not they are ok with it.

> The average normie user does not care about anonymity, nor privacy, on the Internet.

It's true that often "normies" don't care (or at least think they don't care, but that's a completely different point I don't feel like trying to make), and it's also true that often "normies" don't want the status quo changed. But often "normies" also ignore when people are kidnapped due to their heritage being revealed. Is it acceptable to actively create a hostile environment for people already disadvantaged? Do we gain something worth their safety? Who gains from this higher level of scrutiny?

If we look at the smaller web, most sites never get enough traffic to be under active threat, and passive threat is easy enough to quell using honeypot forms and questions. Maybe the "normie" internet is the problem. Passive people passively consuming. "Normies" love watching stolen content, and praise thieves for harassing anyone who points out that what they're doing is wrong. "Normies" enjoy watching someone livestream themselves flying down a highway at 100 mph over the speed limit.

I think maybe we should acknowledge that what we're defending with things like hCaptcha is not actually worth defending. Maybe the "normal" internet does need to be deprecated over "small" internet? We did pretty good before with things like Wikipedia. The "small" internet from before had a lot of chaff, but good things have grown from it, and a lot of it still exists as a "small" internet. Maybe it's ok that we have a lot of "crap content", so long as the internet can keep changing?

36. AnthonyMouse ◴[] No.42175275{3}[source]
> It puts a literal price on abusing a service, but how do you set that price?

Start with a nominal one and increase it until the spam problem goes away.

Create escape hatches for people who can't afford it, e.g. you can either pay/mine a couple dollars worth of cryptocurrency, or you can have someone who paid vouch for you (but then if either of you spam you both get banned), or you can do some rigorous identity verification which is inconvenient and compromises privacy but doesn't cost money, or (for smaller communities) you ask the admins to comp you and if you're known in the community from other sites then they do it etc.

> I mean, if someone implements it and tries to solve the usability issues involved I would be open to this future, but as it is now, cryptocurrency has disappointed me.

This doesn't seem like an insurmountable problem to solve. To give someone some cryptocurrency you can either send it directly (useful option for advanced or privacy-conscious users) or use a service and then it should be no different than using Paypal et al.

The real problem is the regulations are currently designed to make using it an unreasonable amount of paperwork:

> Some of them may be caused by regulation, but to be fair, I think at this point it's hard to blame governments for trying to regulate cryptocurrency exchanges.

There's a difference between regulating exchanges and regulating users. If you're holding millions of dollars in cryptocurrency then the government is reasonably going to expect you to file paperwork and pay taxes on gains etc. If you're only holding three and four digit dollar amounts worth then they should leave you alone and you shouldn't have to do anything.

In theory you can strike a reasonable balance here where the crypto scammers go to jail but Joe Average doesn't have to file any more tax paperwork to use Bitcoin Cash to buy a pack of gum than to pay in physical cash. We'll see what the new administration does with it.

replies(1): >>42175646 #
37. miki123211 ◴[] No.42175601[source]
> for pennies

"for pennies" is a lot more expensive than 0, and that matters at scale.

Scam isn't about one person performing one request, for that you can indeed just hire a human, it's about thousands of bots constantly interacting with a service.

If you need to scrape 10m records and there's no anti-fraud protection, you pay $0 (excluding typical bandwidth / server costs). If every query requires a captcha, and you have to pay $.01 per captcha, the operation costs you $100k.

Going from 0 to 100k is often "good enough" to make these things uneconomical.

replies(1): >>42176212 #
38. rascul ◴[] No.42175632[source]
> Phone verification isn't good either, but for as much as I hate phone verification at least it actually raises the cost of spamming somewhat.

Curious if phone verification would block more or less legitimate users than captchas.

39. jchw ◴[] No.42175646{4}[source]
Well, for solving both the UX and regulatory issues with cryptocurrencies... I'm not optimistic, but I am open to being pleasantly surprised.

On the UX side, I think a huge problem is making it possible for users to participate using a non-custodial wallet with as little risk of data loss or compromised credentials as possible. So it needs to be hardened against ignorance, stupidity, house fires, malware, and social engineering. That is hard. Irreversible transactions greatly up the stakes while increasing the incentive to attack. Do you ever feel a bit nervous about the send address being wrong when you use cryptocurrency?

A thing I didn't mention but is equally important to solve is developer experience. I wish there was a turnkey SDK that took care of most of the technical stuff and just let you use cryptocurrency like it's PayPal. If we had on-chain subscriptions (I think Ethereum can do this?) it could be even more powerful. The technologies offer a ton of possibilities but taking advantage of it correctly and securely feels like a tall order. Dealing with cryptocurrencies feels more serious than dealing with traditional payment processors: you can't undo when you fuck up.

Some of this can be resolved. On the user side, users can keep less value stored in wallets long term... Though this is more cumbersome and less usable. On the developer side, developers can make nodes that can verify transactions but not spend currency... But this can be challenging (I think it's weird to do with Monero for example?) and it closes off some use cases ("escrow" style transactions; Skeb-style commissions would be a good use case.)

If it gets solved I will celebrate as it seems like it would have a lot of positive upsides, but I think you might need to pardon my skepticism: it's been a lot of years and it hasn't gotten that much better. (Granted, it's still pretty new, but the momentum is slower than I would have hoped.)

40. Retr0id ◴[] No.42175732{4}[source]
Why would it be a joke?
replies(1): >>42178316 #
41. j-bos ◴[] No.42175764[source]
Feels like another option would be to bootstrap off of authenticated users, some sort of reputation system. It would still allow for anonymous users, but the expectation would be that they would be treated as suspected spam unless they receive sufficient endorsement from actual verified users. The verified users could be held accountable for the endorsements they provide up to a certain point, and the anonymous users would be able to remain anonymous assuming verified users consider them good citizens.
replies(1): >>42176698 #
42. jchw ◴[] No.42176181[source]
It's not the average person's job to make sure that the world isn't fucking them raw. People have limited attention and limited time, not everyone can care about everything.

Nobody else is going to step in and hold the line when it comes to digital privacy rights. It's on people like us who care. This is why organizations like EFF need to exist.

43. jchw ◴[] No.42176212[source]
Actually, I oversimplified. In most cases you don't have to pay $.01 per CAPTCHA. It's usually a fraction of a penny per CAPTCHA.

So basically it's good enough to protect something that is arguably barely worth protecting. I don't find this compelling. Protecting things that barely need it is already easy using existing techniques.

44. jprete ◴[] No.42176698[source]
The endorsement and verification would need to be continuous, or else the anonymous users will sell their accounts for the value of the accrued positive reputation. I.e. what people already do with Reddit accounts that accrue a lot of karma.
replies(1): >>42176942 #
45. j-bos ◴[] No.42176942{3}[source]
Good point
46. whartung ◴[] No.42177272{3}[source]
Even in a year, I don't think random AI will be "cheap" enough for spamming CAPTCHA on random websites. Maybe for select, ripe targets (your bank, etc.). But for a random business with a form?

Nah.

47. mindslight ◴[] No.42178019{3}[source]
There are indeed many powerful motives supporting the march of technological authoritarianism. But validating the narratives about why ever-more control is needed is a form of support, which we should avoid doing.

Rather we need to recognize that they're merely instances of the same old authoritarian fallacy of more control promising better outcomes, because what increased control ends up ruining cannot be enumerated. In actuality, reducing independent autonomy stifles invention and suffocates society.

"Anti-scraping" is a dubious problem in the context of web sites aimed at publishing information. The best "anti-scraping" solution is a published API that includes bulk downloads. I'll admit there's a tiny sliver of sites for which controlling consumption might make sense, but it's certainly not ones that allow browsing without even logging in.

48. Y_Y ◴[] No.42178316{5}[source]
Even assuming that uneven distribution is a problem, and that it was possible to make global wealth evenly distributed, it would be such a colossal undertaking that it would necessarily entail massive social upheaval and take a very long time after which the captcha problem would hardly be comparable to what we have now.
replies(1): >>42179074 #
49. Retr0id ◴[] No.42179074{6}[source]
None of that is at all relevant to the point I was making. Whether you think extreme wealth inequality is good or bad, for as long as it exists, it makes paying fixed fees a poor alternative to captchas.
replies(2): >>42181003 #>>42181721 #
50. genewitch ◴[] No.42181003{7}[source]
"A fine means it's legal if you're rich"
51. genewitch ◴[] No.42181044{3}[source]
I was moderately into crypto, I mined coins including BTC; and I'll be damned if I am gunna connect my wallet to a browser, or put crypto in an escrow to pay out to avoid captchas. I'm being as polite as reasonably possible, here.

The only way this makes sense is you convert the entire planet to renewable or non-polluting electricity generation, and then when a user is on Facebook, YouTube, (or watch ads!), a core or 2 of their machine/phone will "mine" crypto, that can then be used somewhere else. The crypto can't be transferable - it must be "burned". Defined: When the site requests some crypto for proof, it says "send to this non-existent address" and then waits for the block to show that your wallet sent crypto to that address. This "burns" the money. In fact, a couple of cryptocurrencies tried to enforce this, as well as "proof of stake" - where if you had enough coins you could "mine" by merely having your wallet "logged in." The former is called "proof of burn".

Another thing, no blockchain block publication is fast enough for this. So now we gotta rope in Lightning or some other "hack" on top. I knew when I first heard about bitcoin that there was no way that anyone was going to wait 10 minutes for any payment to go through, especially if it's under some moderate amount of money, like $20.

52. Y_Y ◴[] No.42181721{7}[source]
Until we solve the "water is wet" problem domain squatting will continue to be an issue.

Without a definitive resolution to the continuum hypothesis there will be no efficient distributed consensus algorithm.

As long as humanity bears the mark of Original Sin, it will be hard to run a business selling GPL software.

53. juped ◴[] No.42183286[source]
No, you're describing what the California tech echo chamber wishes an "average normie" was, i.e., stupid and compliant, and what they're always aggrieved never really exists in practice, having managed to inculcate only some moderate learned helplessness over time, and with "stupid normies" constantly attempting to fight back via law and politics.
54. throwaway2037 ◴[] No.42183980{4}[source]
If micropayment is such an amazing solution to these problems, why haven't we seen a working solution after more than 20 years of talking about it? Why doesn't HN have multiple competing micropayment startups? To me, the results speak for themselves.

Another outcome that I could never understand: The original conversation was micropayments for traditional print media that was moving into the digital age. Why didn't they all band together to create an industry standard that defined (and possibly administered) a micropayment system? In the end, paywalls were the solution, and winner-mostly-takes-all when print moved to digital. Look at the decline in medium to small newspapers in the last 20 years in the US. It is devastating, but a few national, major newspapers are doing OK.

replies(1): >>42194377 #
55. Nullabillity ◴[] No.42188474[source]
Snail mail is a hilarious example, given that spammers are the only ones willing to pay the fees.
56. mapt ◴[] No.42194377{5}[source]
You are talking about appreciable micropayments for appreciable amounts of entertainment from small creators.

And I would argue we did get those in the form of subscriptions in Patreon, OnlyFans, Buy Me A Coffee, et al, or in the co-op world of Nebula. We didn't get them down to very low fee structures because we've designed our payment infrastructure with the intent of supporting a profitable company called Visa, Inc, to which we've offloaded a number of different functions that a government mint / treasury / post office would normally perform. And because lots of revenue on these sites comes from whales, people with outsized income in a country with a great deal of wealth inequality.

What I am talking about is TINY micropayments just for human authentication purposes. Because what we've had so far in the realm of, for example, spam email, involves sending off messages at a CPM of less than a tenth of a penny. Imposing infrastructure which pegs human authentication tasks, normally performed less than ten times a day, at a CPM of ten dollars, can eliminate most applications of automated systems and eliminate the annoyance of captcha, while costing the human less than ten cents. There are no whales in the login space.