133 points timshell | 37 comments
imiric ◴[] No.44378450[source]
I applaud the effort. We need human-friendly CAPTCHAs, as much as they're generally disliked. They're the only solution to the growing spam and abuse problem on the web.

Proof-of-work CAPTCHAs work well for making bots expensive to run at scale, but they still rely on accurate bot detection. Avoiding both false positives and negatives is crucial, yet all existing approaches are not reliable enough.

One comment re:

> While AI agents can theoretically simulate these patterns, the effort likely outweighs other alternatives.

For now. Behavioral and cognitive signals seem to work against the current generation of bots, but will likely also be defeated as AI tools become cheaper and more accessible. It's only a matter of time until attackers can train a model on real human input, and for inference to be cheap enough. Or just for the benefit of using a bot on a specific target to outweigh the costs.

So I think we will need a different detection mechanism. Maybe something from the real world, some type of ID, or even micropayments. I'm not sure, but it's clear that bot detection is at the opposite, and currently losing, side of the AI race.

replies(11): >>44378709 #>>44379146 #>>44379545 #>>44380175 #>>44380453 #>>44380659 #>>44380693 #>>44382515 #>>44384051 #>>44387254 #>>44389004 #
1. JimDabell ◴[] No.44378709[source]
> So I think we will need a different detection mechanism. Maybe something from the real world, some type of ID, or even micropayments. I'm not sure, but it's clear that bot detection is at the opposite, and currently losing, side of the AI race.

I think the most likely long-term solution is something like DIDs.

https://en.wikipedia.org/wiki/Decentralized_identifier

A small number of trusted authorities (e.g. governments) issue IDs. Users can identify themselves to third-parties without disclosing their real-world identity to the third-party and without disclosing their interaction with the third-party to the issuing body.

The key part of this is that the identity is persistent. A website might not know who you are, but they know when it’s you returning. So if you get banned, you can’t just register a new account to evade the ban. You’d need to do the equivalent of getting a new passport from your government.

replies(7): >>44378752 #>>44379158 #>>44379293 #>>44379764 #>>44381669 #>>44382394 #>>44387968 #
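The property described above (a website recognises a returning user by a persistent pseudonym, but different websites cannot link their pseudonyms and the issuer is not contacted at use time) can be sketched as a pairwise-pseudonym derivation. This is an added illustration, not code from the thread or from any DID implementation; it assumes the user holds a device-local secret that an issuer has certified, and it omits the issuer's signature and the proof that the pseudonym was derived from a certified secret.

```python
import hashlib
import hmac


def derive_pseudonym(user_secret: bytes, site_origin: str) -> str:
    """Pairwise pseudonym: deterministic per (user, site), unlinkable across sites.

    The secret never leaves the user's device; only the derived value is sent,
    once, as part of registration. Assumed: an issuer has certified the secret
    (the certification/proof step is out of scope for this sketch).
    """
    return hmac.new(user_secret, site_origin.encode(), hashlib.sha256).hexdigest()


class RelyingParty:
    """A website that sees pseudonyms only, never a real-world identity."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.accounts: dict[str, str] = {}  # pseudonym -> username
        self.banned: set[str] = set()

    def register(self, pseudonym: str, username: str) -> bool:
        # A banned pseudonym cannot come back under a fresh username.
        if pseudonym in self.banned:
            return False
        self.accounts[pseudonym] = username
        return True

    def ban(self, username: str) -> None:
        for pseud, name in self.accounts.items():
            if name == username:
                self.banned.add(pseud)


def demo() -> dict:
    alice = b"constructed-secret-alice"  # constructed sample secret
    hn = RelyingParty("news.ycombinator.com")
    other = RelyingParty("example.org")  # second, unrelated site
    p_hn = derive_pseudonym(alice, hn.origin)
    p_other = derive_pseudonym(alice, other.origin)
    hn.register(p_hn, "alice")
    hn.ban("alice")
    return {
        "same_site_same_id": derive_pseudonym(alice, hn.origin) == p_hn,
        "cross_site_unlinkable": p_hn != p_other,
        "ban_evasion_blocked": hn.register(p_hn, "alice2"),
        "other_site_unaffected": other.register(p_other, "alice"),
    }
```

Without the omitted issuer step, anyone could mint fresh secrets at will, so the ban persistence shown here depends entirely on the issuer limiting how many certified secrets one person can obtain.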
2. freeone3000 ◴[] No.44378752[source]
It also allows automated software to act on behalf of a person, which is excellent for assistive technologies and something most current bot detection leaves behind.
replies(1): >>44382747 #
3. imiric ◴[] No.44379158[source]
On the one hand, yes, this might work, but I'm concerned that it will inevitably require loss of anonymity and be abused by companies for user tracking. I suppose any type of user identification or fingerprinting is at the expense of user privacy, but I hope we can come up with solutions that don't have these drawbacks.
replies(2): >>44379211 #>>44379275 #
4. charcircuit ◴[] No.44379211[source]
The benefit of majorly reducing fraud can create an ecosystem where the trade-off is worth it for users to take. For example, generous free plans or trials can exist without companies needing to invest so much in antifraud for them.
5. JimDabell ◴[] No.44379275[source]
> I'm concerned that it will inevitably require loss of anonymity and be abused by companies for user tracking.

Are you sure you read my comment fully?

replies(2): >>44379384 #>>44379398 #
6. thatnerd ◴[] No.44379293[source]
https://www.wired.com/story/worldcoin-sam-altman-orb/
replies(2): >>44379310 #>>44379354 #
7. timshell ◴[] No.44379310[source]
Yup, Worldcoin has been one of the efforts in this space. We're trying to have a frictionless, less privacy-invasive method than biometric scanning.
replies(1): >>44381986 #
8. julkali ◴[] No.44379354[source]
That is the silicon valley cryptoscam version.

This concept has been studied already extensively, e.g. [1] (in 2000!) by people like Rivest and Chaum, who have actual decade-old competence in that field.

[1] https://people.csail.mit.edu/rivest/pubs/pubs/LRSW99.pdf

replies(2): >>44381396 #>>44384295 #
9. Liquix ◴[] No.44379384{3}[source]
> trusted authorities (e.g. governments)

the governments powerful enough to roll something like this out are not trusted authorities which will protect the privacy of their citizens. remember before the Snowden revelations when the NSA's director of national intelligence swore under oath that they did not collect "any type of data at all on millions of Americans"?

https://en.wikipedia.org/wiki/James_Clapper#Testimony_to_Con...

replies(2): >>44383143 #>>44383468 #
10. imiric ◴[] No.44379398{3}[source]
I did. It doesn't matter that the website might not be able to directly associate a real-world identity with a digital one. It takes a small number of signals to uniquely fingerprint a user, so it's only a matter of associating the fingerprint with the ID, whether that's a real-world or digital one. It can still be used for tracking. By having a static ID that can only be issued by governments or approved agencies we'd only be making things easier for companies to track users.
replies(2): >>44381930 #>>44383498 #
11. BiteCode_dev ◴[] No.44379764[source]
But this means that now a SaaS banning you from your account for a spurious reason can be a serious problem.
replies(2): >>44380206 #>>44383506 #
12. econ ◴[] No.44380206[source]
You could roll a new ID to replace the previous one. Each user would still have only one at a time. If this isn't acceptable, a service may ask to have the feature disabled for clear mission-critical reasons and/or a fee.
13. calvinmorrison ◴[] No.44381396{3}[source]
Or just charge bots and humans and we're good to go

https://www.nytimes.com/2006/02/05/technology/postage-is-due...

replies(2): >>44381899 #>>44381923 #
14. johnisgood ◴[] No.44381669[source]
I have not heard about DIDs at all before. How does this really work? They are Government-issued? I am not sure I would trust that though.
15. TJSomething ◴[] No.44381899{4}[source]
While that works for attacks that are like spam, bot detection for high margin attacks like show ticket scalping really wants an identity-oriented solution.
16. servercobra ◴[] No.44381923{4}[source]
Ah yes, postage has stopped all the spam coming to my house!
replies(1): >>44382484 #
17. Dylan16807 ◴[] No.44381930{4}[source]
This sounds like a red herring to me.

If the only way to associate a user with their ID is by fingerprinting them, you can do the same thing without an ID with having shadow profiles. If the proof system is designed for privacy, the ID doesn't make you more trackable.

In other words, if the ID never directly leaks companies can just make up a static ID for you and get the same results.

replies(1): >>44382103 #
18. jskrn ◴[] No.44381986{3}[source]
Do you work for Worldcoin?
replies(1): >>44382375 #
19. imiric ◴[] No.44382103{5}[source]
Kind of. A fingerprint is an implicit ID, whereas the ID suggested by GP would be semi-permanently associated to an individual. So it would make tracking even easier, since most web sites outside of adtech don't bother with sophisticated fingerprinting. It would be similar to a tracking cookie, except the user would have no control over it.
replies(1): >>44382237 #
20. Dylan16807 ◴[] No.44382237{6}[source]
> the ID suggested by GP would be semi-permanently associated to an individual

There is a permanent ID, but it doesn't have to be told to the site.

In which case it doesn't make tracking any easier than the site making up a "fake" ID for you.

21. ◴[] No.44382375{4}[source]
22. encom ◴[] No.44382394[source]
I have to ask the government for a roided up tracking cookie?

Hell. No.

23. throw10920 ◴[] No.44382484{5}[source]
This is an extremely ignorant take. It's extremely well-known that one of the primary ways you stop spam is by making it economically infeasible, specifically by making the cost of distribution higher than the expected return. It's also extremely well-known that spam snail-mail is subsidized by the US post office and doesn't pay normal post rates.
replies(1): >>44387398 #
24. timshell ◴[] No.44382747[source]
I think this will be a positive effect of the rise of AI agents. We’re going to have a much different distribution of automated vs human traffic, and authentication/methods will have to be more robust than they are now.
25. HeatrayEnjoyer ◴[] No.44383143{4}[source]
Ultimately trust must be placed in an entity of some type. A democratically elected body isn't perfect but I can't think of a better option. If the electorate don't care about digital privacy or elected lawmakers do not protect their rights, then that needs to be addressed first. Governments have a monopoly on violence. If a citizen can't trust their government to enact (or enact but then not follow) laws that protect human rights, they frankly have much bigger problems to solve.
replies(1): >>44383763 #
26. JimDabell ◴[] No.44383468{4}[source]
> the governments powerful enough to roll something like this out are not trusted authorities which will protect the privacy of their citizens.

The trust I mentioned was the ability for third-parties to trust that the authority will not hand out IDs in an uncontrolled manner. I was not saying that the ID holders need to trust the authority:

> Users can identify themselves to third-parties without disclosing their real-world identity to the third-party and without disclosing their interaction with the third-party to the issuing body.

If the authority doesn’t know how your ID is used, you don’t have to trust the authority to keep that information private.

27. JimDabell ◴[] No.44383498{4}[source]
> It can still be used for tracking.

This doesn’t make sense. The whole point of using IDs in this way is in an authenticated context.

Did you think I was suggesting that this ID would be accessible to any website without asking? This is something you would send as part of a registration step. So, for instance, if you spam Hacker News, you get banned, you try to register again, it receives the same ID as before and knows not to let you register.

replies(1): >>44383653 #
28. JimDabell ◴[] No.44383506[source]
That’s the point. Bans should be effective.
replies(1): >>44385932 #
29. Nextgrid ◴[] No.44383653{5}[source]
Every website would just move on to force people to register. That's already happening - good luck browsing public posts on Twitter/X.
replies(1): >>44384054 #
30. switknee ◴[] No.44383763{5}[source]
Part of solving that problem is to make it expensive for governments to violate human rights. If spying on everyone is easier than targeted spying, they'll spy on everyone. Governments have a lot of different priorities and it's not always easy to balance them.

Online identity verification is probably best handled by an organization with that as a single priority.

Under the government ID scheme, we have to trust [bad corrupt government] to verify all citizens of [bad corrupt government]. Since that government frequently lies and acts maliciously using every means at their disposal, platforms will treat IDs verified by that government similar to bot traffic and the country will be cut off from the public internet. You'll be banning scientists and journalists from working with others around the world, just because they live in a country with an obnoxious government.

Isn't it also best if people can have multiple identities? Or should someone's contributions to X field be discounted because of their dabbling in fringe Y field?

31. JimDabell ◴[] No.44384054{6}[source]
Again, this is a mechanism for making existing auth more resilient.

As you note, websites can already force people to register, so this isn’t adding anything new there.

32. pzo ◴[] No.44384295{3}[source]
I think worldcoin added this year (?) identification using government e-passports as well (not only orb) - all modern passports have an NFC/RFID chip; you won't get all data from that in a public way but can verify the signature and get basic information. There are already apps in the app store doing that.
33. BiteCode_dev ◴[] No.44385932{3}[source]
I get it. And also, I know that Apple and Google would abuse that, and destroy lives and businesses as casually as I eat my breakfast. Then thousands of disposable companies would pop up with valid IDs, and abuse some system (like terrible DMCA) and make it worse.

If you think people self-censoring themselves on social media is now a problem (the "unlive" novlang is always such a dystopic hint to me), you have seen nothing.

replies(1): >>44387300 #
34. JimDabell ◴[] No.44387300{4}[source]
Businesses should not be forced to serve abusive users. They should have the choice to refuse to serve somebody permanently. You do not have the right to use somebody else’s service without their permission. If they want you off their platform, they should be able to do so.

The whole point of having trusted issuers is that there aren’t any “disposable companies” who hand out many identities in an uncontrolled manner. If there were, they would quickly become untrusted, making the IDs worthless.

35. nc0 ◴[] No.44387398{6}[source]
> Say something everyone lives every day around the world.

> "This is an extremely ignorant take."
replies(1): >>44387471 #
36. ◴[] No.44387471{7}[source]
37. codedokode ◴[] No.44387968[source]
If this gets implemented, the next thing the govt will do is require all websites to store DIDs of visitors for at least 10 years and not accept visitors without them.