When AI Traffic Surpasses Human Traffic, How Do You Prove You’re Human?
TechFlow Selected TechFlow Selected
When AI Traffic Surpasses Human Traffic, How Do You Prove You’re Human?
Your body is the new password.
Navigating Web3 tides with focused insightsBy Vaidik Mandloi
Translated by Luffy, Foresight News
Since its launch at the end of 2022, ChatGPT has catalyzed the emergence of a vast ecosystem of AI agents. Today, the aggregate web traffic generated by such programs exceeds that generated by all human users globally. AI agents’ online behavior differs fundamentally from humans’: they do not view ads, click links, or shop online—they simply scrape web data to complete tasks and depart immediately upon task completion.
The internet’s original architecture and commercial logic were built entirely around human behavior and usage patterns. Yet today, the majority of web traffic no longer originates from real people—posing serious challenges for websites worldwide. Already, 2.5 million websites have begun blocking AI crawlers; platforms like Perplexity have been drawn into related lawsuits. Cloud service provider Cloudflare has even deployed a “honeypot maze”—generating chaotic, meaningless AI-written text to create infinite-loop pages designed specifically to trap data scrapers.
However, some advanced AI agents have already demonstrated the ability to bypass such defenses. In response to this escalating human-AI arms race, the industry is now racing to develop more reliable mechanisms for verifying real human identity. Such systems must precisely determine whether the operator behind the screen is human: hesitation, typing errors, and subtle neurological tremors in cursor movement are all uniquely human traits. This article analyzes the root causes behind this shift, examines two dominant technical approaches, and outlines the choice ahead: centralized biometric surveillance—or anonymous human verification via cryptographic zero-knowledge proofs.
AI Disrupts the Internet’s Business Model
Websites are increasingly banning AI programs because AI simultaneously undermines the two pillars sustaining the internet’s business model. Traditional internet monetization relies on user attention: publishers earn revenue when users visit pages and view ads. If AI handles online shopping, it may scan 5,000 websites in one go—while an average person browses only four or five.
AI reads orders of magnitude faster than humans, completing full-web price comparisons—and even placing orders—in mere minutes, generating zero ad impressions. Websites thus bear server costs without earning any revenue.
Meanwhile, AI-powered search continues diverting website traffic. After Google introduced AI-generated summaries atop search results, only 8% of users click through to original webpages—causing referral traffic to content sites from Google to drop by 33%. Within just one year of launch, this feature surpassed 1 billion monthly active users, with platform query volume doubling each quarter since inception.
Recall Chegg, the academic Q&A platform. Once thriving on search-engine rankings, it has officially shut down its Q&A service, citing ChatGPT as the primary cause of its collapse. Content creators now face a double bind: first, crawlers freely scrape their site content; second, AI summaries intercept traffic before users ever reach the source site.
The data disparity is staggering: for every referral click OpenAI’s crawler delivers to partner websites, it first scrapes 400 pages; Anthropic’s ratio reaches 38,000:1. These firms train AI models using publicly available web data—free of charge—then deploy finished products that siphon traffic away from the very sites that supplied the training data.
In any other industry, such extractive data harvesting would trigger countless lawsuits—but in AI, these companies command trillion-dollar valuations.
Your Body Is the New Password
For the past 25 years, the internet relied primarily on CAPTCHAs to distinguish humans from machines. Users identified traffic signs or typed distorted characters—a method effective because early machine vision lagged far behind human perception.
Today, that dynamic has completely reversed. OpenAI’s AI automation tools achieve simulated-human scores on Google’s reCAPTCHA system far exceeding those of actual humans—accurately clicking interfaces and copying-pasting content. AI-generated photos fool identity verification systems; deepfake video calls have even been weaponized by criminals to authorize bank transfers. The foundational assumption underpinning traditional verification—that machines are inherently less capable than humans—no longer holds.
The industry is now forced to focus on domains AI cannot yet replicate: physical behavioral traits exhibited when humans interact with electronic devices—i.e., behavioral biometrics. Companies including IBM and BioCatch are developing such systems, which verify identity not only at login but continuously monitor user activity, capturing metrics such as cursor velocity, scroll patterns, typing rhythm, keystroke pressure, text-editing habits, and smartphone grip angle—gyroscopic sensors record all such data throughout the session.
Systems can even identify dominant hand use and finger-swipe trajectories. IBM requires only eight interaction samples to build a personalized behavioral profile, then compares every subsequent action against this baseline in real time.
BioCatch’s technology can even detect fraud scenarios: when victims recite account credentials aloud per scammer instructions over the phone, the system detects telltale erratic, fragmented typing rhythms. Within just one year, this system helped 257 banks identify approximately 2 million money-laundering accounts. The EU has now begun piloting gait recognition technology—just three years into the AI agent era, EU border officials are already collecting citizens’ walking patterns.
Research also incorporates the Stroop effect: when the word “blue” appears in green font, human brains experience cognitive conflict between semantic meaning and visual color, slowing reaction times—whereas AI remains unaffected. Studies show this interference manifests directly in typing behavior. Platforms need not administer explicit tests; keystroke timing alone suffices to distinguish human operators—typing habits encode uniquely human neural information-processing signatures.
Traditional web tracking records browsing, clicking, and purchasing behaviors—easily evaded via cookie blockers, VPNs, or location-service toggles. Behavioral biometrics, however, captures innate physiological traits: cursor movement patterns and typing rhythms resist conscious manipulation.
Each person’s behavioral signature is as unique as a fingerprint. Unlike passwords or cryptographic keys, these biometric profiles cannot be reset or replaced. Once widely adopted, platforms will face intense pressure to integrate such systems. Voice synthesis already achieves near-perfect realism in phone calls; video deepfakes follow closely behind. If this trajectory continues, the most critical question emerges: who ultimately controls this bodily data?
Who Controls the Human Verification Infrastructure?
The industry has split into two camps pursuing distinct human-verification solutions.
The first is Sam Altman’s World (formerly Worldcoin). Users must stand before a spherical iris-scanning device, which captures iris data and issues a cryptographic credential proving the user is a unique biological human. To date, 18 million people across 160 countries have completed iris registration. In April 2026, World partnered with dating app Tinder, video-conferencing platform Zoom, and e-signature service DocuSign for user verification; it also launched AgentKit jointly with Coinbase, enabling users to bind their AI agents to verified identities—platforms confirm the agent has a real human operator behind it, without exposing personal information.
Yet iris scanning faces outright bans in multiple countries. Public concern centers on unclear risks of authorizing biometric data collection—the core reason for global resistance. An MIT Technology Review investigation further revealed World collected additional biometric signals—including heart rate and respiration—without valid consent.
The second approach leverages cryptographic zero-knowledge proofs, allowing users to prove they are human without revealing identity, location, or appearance. Vitalik Buterin proposed this concept as early as 2023. He argued that without decentralized human identity infrastructure, the internet inevitably drifts toward centralized identity control—if corporations or governments monopolize verification authority, surveillance becomes embedded in the network’s foundational layer.
Decentralized human-identity systems have previously undergone large-scale deployment attempts—only to fail. Idena, one of the earliest “one person, one identity” blockchain projects, saw 40% of all accounts and 48% of rewards captured by just 23 entities within two years. Teams operating accounts in India and Russia hired low-wage workers for under $1/hour to lend their identities, profiting up to 55-fold. Researchers even discovered children’s identities being used as puppet accounts.
Vitalik had anticipated such vulnerabilities. He noted that the lowest-cost attack against any human-verification system isn’t deepfakes or sophisticated hacking—it’s paying low-income individuals to rent their identities. Any human-verification system requires ongoing financial support: iris scanners, on-chain verification nodes—all demand continuous investment.
But once identity credentials acquire economic value, black markets for identity rental inevitably emerge. In our deeply unequal world, capital-rich actors invariably dominate such markets.
“Forcing a ‘one person, one vote’ rule in economically incentivized systems will merely repeat the failures of 20th-century social experiments.”
Objectively, both paths harbor clear flaws. Centralized solutions scale rapidly, but user biometric data falls under the custody of companies that over-collect information—and whose business models profit directly from rampant bot activity. Cryptographic approaches theoretically preserve privacy, yet remain vulnerable to real-world economic imbalances, ultimately exploited by gray-market actors.
If forced to choose, I’d still bet on the cryptographic path—because behavioral biometrics and centralized iris scanning permanently record your bodily data, ownership of which rests entirely with the entity deploying the system. Once they possess your data, you cannot delete or transfer it; it remains locked inside the company that collected it.
Even if zero-knowledge proofs inevitably face exploitation, they remain worth developing—since they verify humanity without requiring disclosure of additional information. Conversely, abandoning this path means every future website we visit will retain our physical behavioral data. Today, this surveillance-oriented centralized approach is advancing far faster than cryptographic alternatives.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News
