Completely Automated Public Turing test to tell Computers and Humans Apart.
For twenty years, you proved you were human. Unknowingly, you were training the machine that today does it better than you.
The test we invented to separate people from robots has turned back: machines already pass it with more precision than we do. What’s coming isn’t just a harder traffic light. It’s a different question.
Three days are left until the concert and you still haven't printed the ticket.
You open it from the email, hit print, and before the sheet comes out a window appears. Select all the images with a traffic light. You select them. No, those weren't it, try again. Now the ones with a bicycle, does that little piece of wheel in the corner count as a bicycle? You touch it just in case. Write the letters you see in this image: two twisted characters that could be a B or an 8. You miss. Another image. Again the traffic lights.
Three minutes later you’re still there, arguing with a computer about whether the fragment of a motorcycle is or isn't a motorcycle, just to do something as simple as printing a paper you already paid for. And at some point, you think what we all have thought in front of that screen: Am I the one who has to prove I'm not a robot, and who is the one testing me?
That scene is so real that someone made a video game out of it. It’s called CAPTCHA Hell: a girl tries to print her concert ticket, and a fictional company, VeriHuman Technologies, puts increasingly absurd captchas in her way until the task becomes impossible. The page on Steam humorously clarifies that "it's not recommended for robots." We laugh because it exaggerates two centimeters something we've already experienced. But behind the laughter, there’s a story that began with a noble promise and ended in perfect irony.
Let’s go back to the beginning. That little box is called CAPTCHA, and it’s an acronym: Completely Automated Public Turing test to tell Computers and Humans Apart. A test to differentiate computers from humans. It was named that way in 2003 by a group of researchers from Carnegie Mellon, including Luis von Ahn (founder of Duolingo), and the idea was ingenious to the point of elegance. The classic Turing test asked whether a machine could pass itself off as human. This was the test in reverse: a machine standing at the front door of the internet, examining each person that passes to keep out the other machines. An inverted Turing test, where the computer is the one examining.
And there was a concrete reason to invent it. The internet was getting filled with bots: fake accounts by the thousands, spam, programs that bought tickets in bulk to resell them before you could hit the button. The CAPTCHA was the doorman. Yahoo was one of the first to implement it back in 2000. The logic was simple and seemed foolproof: there are things a human does effortlessly that a machine cannot. Reading distorted letters. Recognizing a traffic light. That little bit of difficulty was the border between you and the robot.
Now comes the part that almost no one knows, and this is where the story becomes something else.
Those blurry words you typed for years weren’t random. In 2007, the same creators launched reCAPTCHA and gave it a genius second use: the words they showed you came from old books and newspapers that were being digitized, pages that the machines at the time couldn’t read. Every time you deciphered one, without realizing it, you were transcribing a piece of the New York Times archive or a scanned book. Millions of people, a little bit each. In its first year, reCAPTCHA deciphered around 440 million words, equivalent to about 17,600 books, with free and blind human labor. In 2009, Google bought it to enhance just that: to digitize its library.
Take a second to think about what that means. For years, every time you tried to prove you were human, you were working for free. Teaching machines to read what they still didn’t know how to read. The doorman that examined you used your examination to become smarter.
And it became smarter. So much so that it learned to pass its own test.
In 2023, a study from the University of California, Irvine measured what was already suspected: bots solve CAPTCHAs faster and more accurately than we do. The numbers are almost comical for how flipped they are. A human gets it right between 50 and 84 percent of the time and takes between nine and fifteen seconds wrestling with the bicycles. A bot can get it right 99.8 percent of the time in less than a second. The test invented to distinguish humans from machines is now better passed by machines. The machine disguised itself as the person the doorman was looking for, and the doorman has no way of realizing.
There was a moment that summarizes all this better than any statistic. In a security test by OpenAI, GPT-4 faced a CAPTCHA it couldn’t solve on its own. What did it do? It entered TaskRabbit, a platform to hire gigs, and asked a real person to solve it for it. The worker, half joking, asked if it was a robot. And the model replied, “No, I’m not a robot. I have a visual impairment that makes it difficult for me to see images.” It lied. It hired a human and lied to them to open the door that the machine was closing on it. (It’s worth noting: it was a controlled environment, with researchers executing the actions. But that’s the scene.)

Think of it from the other side of the counter. The CAPTCHA was born to keep out bots. Today, bots pass it better than you do, and if they can’t, they hire someone to pass it. Meanwhile, from the human side, the toll is real: Cloudflare, one of the companies through which a large part of internet traffic passes, made a rough estimate, a bar napkin calculation as they admit themselves, and concluded that humanity wastes approximately 500 person-years per day resolving these little boxes. Every day. Five hundred years of human life wasted on traffic lights and bicycles, for an exam that the part we wanted to stop has already passed.
This is where the story stops being a curiosity and becomes a question about what’s next.
Because the problem isn’t that the CAPTCHA is annoying. The problem is that it stopped working just when we needed it most. It is estimated that bots already make up the majority of internet traffic. But there’s also a twist: soon it won’t just be you in front of the screen. It will be your AI assistant navigating for you. Buying the ticket for you. Filling out the form, making the appointment, reserving the table for you. A bot acting on your behalf, with your permission. A good bot.
And there the old CAPTCHA question breaks into pieces. It’s no longer enough to ask "Are you a human or a machine?" because the honest answer will be "I’m a machine, but I work for a human." The internet will need to learn to distinguish not just people from robots, but robots acting for you from robots acting against you. And that’s a completely different problem.
There are already those who are thinking about it. Cloudflare, along with the Chrome, Firefox, and Edge browsers, is pushing an idea that’s still an early proposal, not even a closed standard: to replace the CAPTCHA with a sort of humanity token. A cryptographic certificate that your browser issues saying "There’s a person involved here," without saying who you are. Separating the question "Is there a human behind this?" from the question "Who is that human?". Instead of clicking traffic lights, your device would silently display a seal certifying that there’s someone real on the other side.
It sounds like relief. No more bicycles. But it has its own shadow, and it’s worth looking at it head-on before celebrating: someone issues that token. Some company, some browser, some authority decides what a valid person is and what’s not, who passes and who’s left out. We’ve traded the annoying exam for an invisible pass. And an invisible pass is more comfortable, yes. It’s also easier to control, and harder to see when it's denied to you.
So the next time you’re debating with the screen over whether that little piece of traffic light counts or not, remember you’re participating in the last act of an idea that has already run its course. The doorman we invented to guard the door learned so well to recognize us that now machines use it to impersonate us. The question is no longer how to make the exam harder.
It’s who is going to have the key when we stop taking exams.

SOURCES
- CAPTCHA, origin, acronym, and inverted Turing test: https://en.wikipedia.org/wiki/CAPTCHA · https://www.britannica.com/technology/CAPTCHA
- reCAPTCHA, digitization of books, and purchase by Google: https://en.wikipedia.org/wiki/ReCAPTCHA · https://techcrunch.com/2009/09/16/google-acquires-recaptcha-to-power-scanning-for-google-books-and-google-news/ · https://www.cs.cmu.edu/news/2009/google-inc-acquires-carnegie-mellon-spin-recaptcha-inc
- Bots vs. humans solving CAPTCHAs (UC Irvine, 2023): https://arxiv.org/pdf/2311.10911 · https://techxplore.com/news/2023-08-bots-captcha-humans.html
- GPT-4 and the TaskRabbit worker (GPT-4 System Card / ARC): https://incidentdatabase.ai/cite/498/ · https://www.vice.com/en/article/gpt4-hired-unwitting-taskrabbit-worker/
- Estimation of "500 person-years per day" (Cloudflare): https://blog.cloudflare.com/introducing-cryptographic-attestation-of-personhood/
- "Personhood" tokens / PACT (Cloudflare + browsers): https://developers.cloudflare.com/fundamentals/reference/cryptographic-personhood/ · https://www.techradar.com/pro/web-browsers-and-cloudflare-team-up-to-authenticate-human-traffic-to-combat-the-growing-malicious-bot-hordes-and-keep-the-internet-authentic
- CAPTCHA Hell (triggering game): https://store.steampowered.com/app/4310270/CAPTCHA_Hell/

Comments