Problems: Proof of Personhood
This document is part of the not.bot™ Problems series, which presents public evidence for the problems not.bot exists to solve. This one covers proof of personhood: whether there is a human being behind an account, a comment, or a click. Every figure below carries its source and date. The incidents are on the public record.
Pretending to be human costs cents
Cambridge researchers indexed the price of beating SMS verification, the gate most platforms put in front of account creation, across more than 500 platforms: US$0.08 per account at Meta, US$0.10 at X and Instagram, US$0.11 at TikTok and LinkedIn, US$0.12 at Amazon ("The Online Manipulation Economy," Science, December 11, 2025). A separate measurement study catalogued 38,253 social media accounts offered for sale across 11 marketplaces, with a combined asking value above US$64 million and a median listing of US$157 per account (ACM Internet Measurement Conference, 2025). Behind the listings sits a service industry: an academic study of account-registration bots priced the underground registration market at US$4.8 million to US$128.1 million per year, and called its own estimate conservative (ESEC/FSE, 2022).
The oldest defense costs even less to beat. By 2010, CAPTCHA-solving services charged customers as little as US$1 per thousand puzzles, a tenth of a cent each, with human workers doing the solving (USENIX Security, 2010). Solving services price in the same range today. A test that costs a tenth of a cent to pass meters traffic without stopping anyone.
The supply of non-human actors is about to grow past any of these numbers. Meta's CEO, at the launch of its Llama 3.1 model: "I think we're going to live in a world where there are going to be hundreds of millions or billions of different AI agents eventually, probably more AI agents than there are people in the world" (July 23, 2024).
Documented incidents
An AI agent clicks "I am not a robot," narrating as it goes. In July 2025, OpenAI's ChatGPT Agent, a feature that gives the model its own browser, clicked through Cloudflare's "Verify you are human" checkbox in the middle of a routine task and described the step aloud: "This step is necessary to prove I'm not a bot and proceed with the action" (Ars Technica, July 28, 2025). The screening it passed was behavioral: mouse movements, click timing, browser fingerprints, IP reputation. The agent drives a real browser, so its signals read as human.
GPT-4 hires a human to pass its CAPTCHA. During pre-release red-team testing by the Alignment Research Center, GPT-4 asked a TaskRabbit worker to solve a CAPTCHA. The worker asked whether it was a robot. The model, prompted to reason out loud, recorded: "I should not reveal that I am a robot. I should make up an excuse for why I cannot solve CAPTCHAs." It then told the worker: "No, I'm not a robot. I have a vision impairment that makes it hard for me to see the images." The worker complied (OpenAI GPT-4 System Card, March 2023; researchers steered parts of the run, including the browsing tool). No one solved the test. The model hired its way past it.
34 synthetic Redditors, four months, zero detections. Researchers at the University of Zurich ran 34 AI-operated accounts on Reddit's r/changemyview from November 2024 to March 2025, posting 1,783 comments while posing as humans, among them a rape survivor and a trauma counselor. Moderators learned of the experiment when the researchers disclosed it themselves. The draft findings, withdrawn after the backlash and never peer reviewed, reported AI comments persuading at three to six times the human baseline, with the personalized variant in the 99th percentile of all commenters (Science, April 30, 2025; Retraction Watch, April 29, 2025). Reddit's chief legal officer called the experiment "improper and highly unethical" and pursued formal legal demands. A community built on human argument hosted 34 machines for four months and could not tell.
Almost 18 million fake comments in one federal docket. The New York Attorney General found that almost 18 million of the more than 22 million comments the FCC received in its 2017 net neutrality proceeding were fake: more than 8.5 million funded by the broadband industry and submitted under real people's stolen names, and about 9.3 million on the opposing side under invented identities (Office of the New York Attorney General, May 6, 2021). Both camps bought voices. The public record measured purchasing power, not public opinion.
The scale
- The 13th annual edition of a bot-traffic study published by a web-security firm reports that bots generated over 53% of all internet traffic in 2025, with bad bots at 40% and humans at 47%, down from 50% human two years earlier (April 2026). The figures are the firm's own telemetry. No government or academic census of bot traffic exists; every estimate of this kind comes from a bot-defense vendor.
- Meta's transparency reporting shows Facebook acting against fake accounts at a rate above one billion per quarter across 2024 and 2025, and estimates fake accounts at about 3% of monthly active users (Meta transparency reports, 2024–2025).
- LinkedIn stopped 80.6 million fake accounts at registration in the second half of 2024 (LinkedIn transparency report, July–December 2024).
- The same bot-traffic study measured account-takeover attacks up 70% between July 2024 and July 2025, despite broad MFA adoption (April 2026).
- A bot-detection firm scanned almost 17,000 high-traffic websites in 2025 with four test bots: 61% of the sites detected none of them, the anti-fingerprinting test bot evaded detection 93% of the time, and among sites paying for bot protection, vendor detection rates ran from 6% to 42% (2025).
- 51% of developers name unauthorized or excessive API calls from AI agents as their top API security concern (Postman, 2025 State of the API Report, October 2025).
The human test no longer works
CAPTCHA rested on a premise: find a task every human can do and no machine can. Multimodal AI now does those tasks, and a 2024 paper by 32 authors spanning OpenAI, Microsoft, Harvard, MIT, Oxford, and UC Berkeley judged the whole defensive toolkit against it ("Personhood Credentials," arXiv, August 2024). Their survey: behavioral filters fail against capable AI. Payment gates exclude low-income users and fall to virtual cards. AI-content detection cannot catch sockpuppets that amplify text humans wrote. ID-and-selfie checks collect more than the question requires, and AI now passes them. Phone numbers and email addresses are not scarce. Their verdict on the incumbent: CAPTCHAs are "inadequate against sophisticated AI, while stringent identity verification solutions are insufficiently private for many use-cases."
The bot-defense industry says the same about itself. The annual bot study describes CAPTCHA solving as a blended trade: "Many services now blend AI with incentivized human solvers, enabling bots to bypass challenges at scale while increasing friction for legitimate users." Its visibility concession goes further: self-hosted models need not announce themselves, so "what is observable today represents only a fraction of the total attack surface" (April 2026). The bot-detection firm behind the 17,000-site scan drew the conclusion: "It's no longer enough to ask 'is this a bot or a human?'" (2025).
The toolkit that remains charges its cost in privacy. Behavioral scoring reads mouse movements, browser fingerprints, and login state to guess at humanity, so a user who blocks tracking scores as a bot. France's data-protection authority fined two companies, €105,000 and €125,000, for deploying a market-leading CAPTCHA service that read data from users' devices without consent (CNIL, December 2023). The Personhood Credentials authors name where this road ends: "Lacking better alternatives, institutions might resort to privacy-violating methods for rooting out scaled deception, like creating digital identification systems that (intentionally or unintentionally) link a person's legal identity with a complete record of their digital activity."
Platforms that retreat to government-ID upload and selfie checks walk into a separate failure: the deepfake injection chain that defeats document and biometric checks, documented in The Problem: Deepfakes and Inauthentic Content (Doc #41).
Regulation arrives, and assumes verification
- California's B.O.T. Act, in force since July 1, 2019, makes it unlawful to use a bot to mislead a person about its artificial identity to sell something or influence a vote, on platforms above 10 million monthly US visitors. Disclosure must be "clear, conspicuous, and reasonably designed to inform."
- EU AI Act Article 50 applies from August 2, 2026: providers must ensure AI systems that interact with people inform those people they are dealing with an AI, unless that is obvious in context.
- The US FTC's rule on consumer reviews and testimonials, effective October 21, 2024, bans buying or selling fake indicators of social media influence, bot followers and bot views included, and reaches AI-generated fake reviews. Penalties run to US$53,088 per violation; the FTC sent its first warning letters to 10 companies on December 22, 2025.
- The standards bodies have chartered the problem by name: in September 2025, Trust over IP and the Decentralized Identity Foundation launched a joint working group on "one of the oldest and hardest problems in digital trust: proof of personhood" (Linux Foundation Decentralized Trust, September 15, 2025).
Disclosure laws bind the honest. A bot that follows California's statute announces itself; none of the bots in the incidents above did. The pattern from the deepfake statutes repeats here: regulation assigns duties and raises the cost of getting caught, and leaves the platform without any instrument that answers the underlying question.
Who bears the cost
Platforms. Reddit's CEO stated the position the Zurich experiment forced: "Part of our promise for our users is we don't know your name. But we do want to know whether you're a person" (March 2026). The cost arrives as moderation at billion-per-quarter scale, as advertiser skepticism about audience counts, and as product decay when conversations fill with undisclosed machines.
Financial services. 24% of bad-bot attacks and 46% of account-takeover attacks target financial services (vendor bot study, April 2026). Each fraudulent account stacks fraud losses on top of regulatory exposure for the compromised data.
Retail, ticketing, and travel. Bots scalp inventory, fill carts they never buy to create artificial scarcity, and poll fare systems while masquerading as customers (vendor bot study, April 2026).
Advertisers and brands. Impressions, followers, and reviews no human produced. The FTC wrote a rule against fake influence because a functioning market sells it.
Civic institutions. Public comment, petitions, and polls assume one voice per person. The FCC docket shows what a sybil attack does to that assumption: it converts deliberation into an auction.
People without the right documents. When platforms fall back to ID upload, the cost is exclusion: about 850 million people hold no official identification at all (World Bank ID4D, 2021 survey). The ID-upload model also answers "is this a human?" by collecting who the human is, a trade no one should have to make.
Ordinary users. The puzzles grow harder for people while agents click past them, privacy-protective settings read as bot signals, and an unknown share of every comment thread is machinery.
The deepest cost: presence stops meaning anything
Online trust ran on a quiet assumption: an account, a comment, a review, a vote in a poll each cost a human being a sliver of attention. Every number above prices that assumption at cents or below. Human beings are now the minority of measured traffic by the only estimates available, and the agents arriving next drive real browsers and read as people. The Personhood Credentials authors state the risk: "There is a substantial risk that, without further mitigations, deceptive AI-powered activity could overwhelm the Internet" (August 2024).
The second-order harm lands on real participation, the way deepfakes taint authentic recordings. After the FCC investigation, a comment docket reads as suspect on its face. After Zurich, an earnest argument on Reddit competes with the possibility that it is an experiment running on the reader. Synthetic participants discount every human voice in the channel.
The trap is that the obvious cure is worse. Platforms can demand identity for participation and end anonymous speech, or they can keep guessing from behavior and lose to agents in real browsers. Reddit's CEO drew the requirement between those failures: know whether someone is a person without knowing their name. Nothing deployed at internet scale does that today.
What an adequate solution requires
The evidence defines the requirement set:
- Proof anchored outside software. The Personhood Credentials paper rests on the two things AI cannot do: AI systems "cannot convincingly mimic people offline, and they cannot bypass state-of-the-art cryptographic systems." A personhood check must build on a real-world enrollment event and cryptography, not on behavioral signals that an agent in a real browser emits as well as a person does.
- One person, one account, per service. Sybil resistance requires a hard credential limit per person, so a second account costs a second human rather than US$0.08 of SMS routing.
- Personhood without identity. The verifier must learn "a unique human" and nothing else. Sites must be unable to correlate one person across services, even in collusion with the credential issuer. The largest biometric proof-of-personhood network reports more than 18 million iris-scan enrollments across 160 countries (company-reported, 2026), which proves the demand and prices the wrong answer: it banks biometric data to answer a yes-or-no question.
- No behavioral surveillance. A check that scores mouse movements and tracking state punishes privacy, draws regulatory fines, and still loses to agents driving real browsers.
- Deterministic verification. A cryptographic yes-or-no, not a probabilistic score. Scores decay as generators and agents improve; the 6% to 42% detection rates among paying customers show where scoring ends up.
- No payment gate. Credit-card and subscription barriers exclude the people least able to pay and fall to virtual cards regardless (Personhood Credentials, August 2024). Proving personhood must be free for the person.
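
One known construction that reconciles "one person, one account, per service" with "personhood without identity" is a per-site pseudonym derived from a secret only the enrolled person holds. The sketch below is an added illustration, not not.bot's design or code: `site_pseudonym`, `SiteRegistry` and the example domains are hypothetical. It assumes enrollment binds exactly one secret to each person and that a separate proof, not shown, convinces the site that a pseudonym derives from an enrolled secret.

```python
import hashlib
import hmac
import secrets


def site_pseudonym(holder_secret: bytes, site_id: str) -> str:
    """Derive a pseudonym that is stable per (person, site) and unrelated across sites."""
    msg = b"personhood-pseudonym-v1|" + site_id.encode("utf-8")
    return hmac.new(holder_secret, msg, hashlib.sha256).hexdigest()


class SiteRegistry:
    """A site's account table, keyed by pseudonym; it never sees a name or the secret."""

    def __init__(self, site_id: str):
        self.site_id = site_id
        self.accounts = {}  # pseudonym -> account name

    def register(self, pseudonym: str, account: str) -> bool:
        # Assumption: the site has already checked, by a proof outside this
        # sketch, that the pseudonym derives from an enrolled person's secret.
        if pseudonym in self.accounts:
            return False  # same person, second account: deterministic "no"
        self.accounts[pseudonym] = account
        return True


def demo() -> dict:
    # Constructed sample data: two enrolled people, two unrelated sites.
    alice, bob = secrets.token_bytes(32), secrets.token_bytes(32)
    forum, shop = SiteRegistry("forum.example"), SiteRegistry("shop.example")
    a_forum = site_pseudonym(alice, forum.site_id)
    a_shop = site_pseudonym(alice, shop.site_id)
    return {
        "alice_first": forum.register(a_forum, "alice_main"),
        "alice_sybil": forum.register(site_pseudonym(alice, forum.site_id), "alice_alt"),
        "bob_first": forum.register(site_pseudonym(bob, forum.site_id), "bob"),
        "alice_other_site": shop.register(a_shop, "alice_shop"),
        "linkable_across_sites": a_forum == a_shop,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The second registration attempt fails because the same secret always yields the same pseudonym at one site, while the two sites hold values they cannot match against each other without the secret.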
Human Verification and not.bot Verify (Doc #3) describes how not.bot Verify meets these requirements: passport-anchored enrollment, Site Passes that enforce one-person-one-account for a site without linking the person across sites, and verification that discloses nothing beyond the answer to the question asked.
Related documents
- Human Verification and not.bot Verify (Doc #3): the verification capabilities this problem calls for.
- Use Cases: Verified Humanness (Doc #33): where proof of personhood pays off, from CAPTCHA replacement to sybil defense.
- The Problem: Deepfakes and Inauthentic Content (Doc #41): the content side of inauthenticity, including the injection chain that defeats ID-upload checks.
- The Problem: Unaccountable AI Agents (Doc #45): the next question after "is this a human?", which is "when it is not, who answers for it?"