Skip to content

The history of CAPTCHA, 1997–2026: from AltaVista's spam filter to Cloudflare Turnstile

Crawlex
· 16 min read
Copyright: MIT
captcha anti-bot history recaptcha turnstile
CAPTCHA, 1997 to 2026 — a short history

Most people never bother to expand the acronym. Completely Automated Public Turing test to tell Computers and Humans Apart. Four researchers at Carnegie Mellon (Luis von Ahn, Manuel Blum, Nicholas Hopper, John Langford) published the formal version at EUROCRYPT in 2003. By then the technique was already in production. They were giving it a name.

Twenty-eight years later, what we still call CAPTCHA looks nothing like what those researchers wrote down. The distorted words are gone. The checkbox is theatre. The thing that decides whether you reach a checkout page now runs before the page has finished loading, scored from signals you never see, sometimes verified by your phone’s operating system before your browser even ships the request.

What follows traces that arc through original sources: the AltaVista patent, the EUROCRYPT paper, the Mori and Malik break, the reCAPTCHA acquisition, the v3 privacy fight, the Cloudflare migration to hCaptcha, the launch of Turnstile, and the IETF drafts now proposing to replace CAPTCHAs entirely with cryptographic agent identity. None of it is a bypass guide. The point is to see what each generation tried to test for, because every generation’s failure became the next one’s reason to exist.

1997–1998: AltaVista and the spam-form problem

Before CAPTCHA had a name it had a use case.

In the late 1990s, AltaVista (then one of the busiest search engines on the web) ran an “Add URL” form that let anyone submit a page for indexing. Automated scripts hit it with thousands of URLs a day, and the rankings AltaVista cared about started to bend.

The fix came from Andrei Broder, AltaVista’s chief scientist, working with Mark Lillibridge, Martín Abadi, and Krishna Bharat. Their server generated a short random string of characters, rendered it as a distorted image that the OCR engines of the day could not read, and required the user to type back what they saw. Compaq filed the patent in April 1998. The USPTO granted it on 27 February 2001 as US 6,195,698, “Method for selectively restricting access to computer systems.”

Within a year, AltaVista reported that spam submissions through the form had fallen by roughly 95 percent. No academic paper, no public name for the technique. Just a deployment and a patent.

2000–2003: The Carnegie Mellon paper

The name and the theory came out of Carnegie Mellon. Von Ahn, Blum, Hopper and Langford had been pulling on the same thread for a few years, and in 2003 they wrote it up at EUROCRYPT. The paper made one observation that has aged better than anything else in the literature: when a CAPTCHA falls, the break itself is a useful artefact, because it advances the AI side of the field. Defence and offence sit on the same axis.

Luis von Ahn speaking at Wikimania 2015 Luis von Ahn, lead author of the 2003 EUROCRYPT paper that formalised CAPTCHA, speaking at Wikimania 2015.

That distinction matters because of something that has played out repeatedly over the next twenty years: a CAPTCHA scheme is only as durable as the gap between the AI research that designed it and the AI research that breaks it. Historically that gap closed on a four-to-six-year cycle. The cycle has been shortening.

The first deployed implementation built around the idea was Gimpy, designed in collaboration with Yahoo as a defence against bot sign-ups for free Yahoo Mail. Gimpy showed seven distorted English words overlapping each other against a noisy background and asked the user to type any three. EZ-Gimpy was a simpler variant: one word, one textured background.

Gimpy-style CAPTCHA showing the distorted word smwm A typical Gimpy-style CAPTCHA from the mid-2000s, generated by the gimpy-r program at captcha.net.

2003–2009: The text era and its first breaks

Text CAPTCHAs were broken almost as soon as the EUROCRYPT paper went to print. By summer 2003, off-the-shelf shape-context matching out of UC Berkeley was reading EZ-Gimpy correctly 92 percent of the time and solving the harder three-word Gimpy a third of the time. Both numbers are well past the point where a CAPTCHA stops being useful: an attacker only needs to win occasionally to make automation economical.

The standard reply was that you could just make the CAPTCHA harder. More distortion, more clutter, more glyph overlap. A 2004 follow-up from Microsoft Research tested exactly that and landed on an uncomfortable result: the harder you made the test for machines, the harder you made it for humans too. There was a narrow band where text CAPTCHAs worked. The band was closing.

Closing it took the rest of the decade. By 2014, generic reinforcement-learning solvers were chewing through wide distributions of text-CAPTCHA designs at once. By 2018, deep-learning solvers trained on as few as 500 example images were breaking every one of the eleven text CAPTCHAs still deployed by the most-visited fifty websites on the web. Text CAPTCHAs had become a speed bump, not a security control.

A distorted-text CAPTCHA reading raji A typical distorted-text CAPTCHA. The pattern these images produced (skewed characters against a noisy background) was the dominant CAPTCHA design from 2003 to roughly 2014.

2007–2009: reCAPTCHA

The text era’s longest-lived contribution was not a defence. It was an insight von Ahn had around 2005: people were spending an aggregate of millions of hours a day reading distorted text, and the labour was being thrown away. Pair the test. Show two words instead of one. One word has a known ground truth and verifies the human; the other is an OCR error from a book-scanning project, and the human’s answer becomes the transcription.

Free transcription, in other words, harvested at scale from the world’s collective annoyance.

reCAPTCHA launched on 27 May 2007 as a Carnegie Mellon project. Von Ahn ran it with David Abraham, Manuel Blum, Michael Crawford, Ben Maurer, Colin McMillen, and Edison Tan. The first major customer was the Internet Archive, which fed in scans of nineteenth-century books that contemporary OCR could not handle. The New York Times came shortly after. Its 130-year archive (about 13 million articles, going back to 1851) had been machine-scanned but never reliably digitised. By 2011 reCAPTCHA had transcribed most of it.

Google acquired ReCAPTCHA Inc. on 16 September 2009. Von Ahn stayed on the CMU faculty and joined Google’s Pittsburgh office part-time. Officially the acquisition continued the digitisation work, and that is what it was at first: the word pairs kept coming from book scans, now feeding Google Books rather than the Internet Archive.

Original reCAPTCHA logo The original reCAPTCHA wordmark.

2012–2014: Street View, then the checkbox

By 2012 Google had a new corpus problem with an obvious answer: Street View. Camera cars had photographed millions of houses. Every visible house number was a fragment of address ground truth that, transcribed reliably, would improve how Maps indexed physical addresses. The reCAPTCHA pairing got repurposed: one word from a book, one image of a doorplate from the Street View fleet.

reCAPTCHA pairing one distorted word with a Street View house number A 2013 reCAPTCHA pairing one scanned-book word with one Street View house number.

The pivot worked, but the underlying problem had not changed. The OCR systems attacking reCAPTCHA kept getting better faster than Google could increase the distortion. By 2014, Google’s own internal Street View number recogniser was reading the hardest variant of reCAPTCHA at 99.8 percent accuracy. The CAPTCHA was now indistinguishable from a free, AI-grade OCR API for anyone willing to hammer it.

Google’s response went live on 3 December 2014, announced by reCAPTCHA product manager Vinay Shet. The new product was No CAPTCHA reCAPTCHA, the now-familiar “I’m not a robot” checkbox. The public story was that the checkbox is the test. The technical reality was the inverse. The decision was made by what Google called the Advanced Risk Analysis engine, which scored the user’s whole session: cursor trajectory in the seconds before the click, the IP’s history with prior challenges, browser environment fingerprints, the cookies attached to the request, the millisecond timing of every event. The checkbox was a legibility hint that the user had been scored, plus an excuse to surface a harder challenge when the score was low.

reCAPTCHA v2 I'm not a robot checkbox widget The reCAPTCHA v2 widget. The click is not the test; everything leading up to the click is.

When the score was low enough, the fallback was the image grid: click all squares with traffic lights, crosswalks, store fronts. The tiles came from Street View. After most of Street View was transcribed, the corpus rotated to other ML training problems. Waymo’s autonomous-vehicle training set is, in part, an audit log of millions of users labelling road-scene objects for free across the second half of the 2010s.

The 2014 launch numbers were striking. More than 60 percent of WordPress’ traffic and over 80 percent of Humble Bundle’s never saw a challenge under No CAPTCHA reCAPTCHA. They were scored as human and waved through after one click. The new mode was a CAPTCHA you mostly do not solve.

2017–2018: Invisible scoring and reCAPTCHA v3

Once the score is doing the work, the checkbox is UX residue. Google removed it in stages. Invisible reCAPTCHA, introduced in March 2017, hid the checkbox unless the score forced a fallback. reCAPTCHA v3, launched 29 October 2018, removed the user-facing widget entirely.

v3 returns a single floating-point number between 0.0 and 1.0. That number is Google’s estimate of how likely the request is human, and the integrating site’s backend uses it to gate logins, throttle checkouts, or trigger MFA. There is no challenge. There is no checkbox. The script runs in the background, watching.

This shift was technically successful and politically expensive.

The press caught up first. By 2019, v3 was being framed as a Google-cookie-linked tracking pixel embedded on every site that integrated it: the script reported back on every visitor, and refusing the cookie raised the chance of being scored as a bot. In July 2020, France’s CNIL ruled that reCAPTCHA’s data flow was not GDPR-compliant without explicit user consent, because the script sent user-identifying telemetry to a third party regardless of what the embedding site itself was promising users. Later work put the cumulative human cost across reCAPTCHA’s lifetime at roughly 819 million hours of unpaid labour, while the labelled training data going back to Google was worth several orders of magnitude more on the open market.

The privacy concern was not abstract. It drove the next phase.

2018–2020: hCaptcha and the Cloudflare migration

In 2018, Intuition Machines, a small ML company best known for contract labelling work, launched hCaptcha as a drop-in reCAPTCHA replacement with the same image-grid mechanic. The pitch had two parts. First, the labels users produced while solving hCaptcha challenges got sold to enterprise customers for ML training, and a slice of the revenue flowed back to the websites that ran the widget. That inverted reCAPTCHA’s economics, where Google captured the entire data product. Second, hCaptcha did not run on Google’s infrastructure, did not feed Google’s user-tracking graph, and was straightforward to clear with European data protection authorities.

On 8 April 2020, Cloudflare announced that it was migrating its entire CAPTCHA edge from reCAPTCHA to hCaptcha, in a blog post co-signed by Matthew Prince and Sergi Isasi. The reasoning was unusually candid for a vendor migration. Three things had pushed the decision. Google had warned Cloudflare it was about to begin charging meaningfully for reCAPTCHA, and Cloudflare’s volume meant the bill would have hit millions a year. Cloudflare’s customers were also increasingly uncomfortable with their traffic dropping a Google tracking script, especially in regions where third-party cookie disclosure rules were tightening. And Google services are intermittently blocked in mainland China, which Cloudflare estimated at roughly a quarter of the world’s internet users; a CAPTCHA provider that cannot serve a quarter of the internet is fragile by definition.

Within days, hCaptcha became the second most-deployed CAPTCHA system on the web by raw request volume.

Privacy Pass at the IETF

A parallel thread had been running at the IETF since around 2017. How do you let a user prove they are human once, then use that proof to skip future challenges across unrelated sites, without revealing who they are? The protocol that emerged was Privacy Pass, a blind-signature scheme that issues anonymous, redeemable tokens. A user solves one CAPTCHA, receives N signed tokens, and presents one token per subsequent challenge as proof of past human-ness. The redemption cannot be linked back to the issuance.

Privacy Pass became an IETF standard across three RFCs, all published in June 2024: RFC 9576 covers the architecture, RFC 9577 the HTTP authentication scheme, and RFC 9578 the issuance protocols. Cloudflare runs a public issuer. Apple shipped its own variant, Private Access Tokens, in iOS 16 and macOS Ventura, where the device-identity attestation is performed by Apple’s own servers rather than a CAPTCHA provider. The user sees nothing. The device attests to its own legitimacy on the user’s behalf, and the result is consumed downstream as a Privacy Pass token.

It was the first piece of standards-track machinery built specifically to remove the CAPTCHA from the user’s path.

2022–2024: Turnstile and the invisible era

Cloudflare’s next move pulled both threads together. On 28 September 2022, Cloudflare announced Turnstile, an “invisible” CAPTCHA replacement, in open beta. The widget showed a small box that briefly read Verifying… and then ticked itself green. In about 90 percent of loads, the user did not interact with it.

Cloudflare Turnstile widget verifying a session The Turnstile widget mid-verification. The user does nothing; the widget orchestrates a battery of non-interactive browser challenges and, where available, accepts a Private Access Token from the operating system instead.

Under the surface, Turnstile rotates through several kinds of small JavaScript challenges.

Some are proof-of-work or proof-of-space puzzles. The browser is asked to perform a small computation that costs CPU or memory in a measurable way. The answer is not the test. The fingerprint of how a real browser performs the work is, including JIT timing characteristics and event-loop behaviour that headless automation reproduces poorly.

Others are browser-API probes. Turnstile walks a long list of Web APIs (the shape of the navigator object, WebGL capabilities, font enumeration, audio-context defaults) looking for the inconsistencies that out a stealth-patched Puppeteer or Playwright runtime.

There are behavioural signals: cursor trajectory, scroll cadence, focus events, and the millisecond entropy in the moments before a form interaction.

And on iOS 16+ and recent macOS, the operating system itself can issue a Private Access Token attesting that the device passes Apple’s own anti-abuse checks. Turnstile accepts that token and skips the rest.

Cloudflare’s own numbers from the launch were strong. Turnstile cut internal CAPTCHA usage by 91 percent. Median user-facing challenge time fell from 32 seconds to roughly 1 second. Turnstile went generally available on 13 October 2023, free to anyone, Cloudflare customer or not.

The pattern is hard to miss now. The widget is UI pretext. The real test is a continuous-probability score built from passive signals captured during ordinary page navigation, and the widget exists to give the user a story about what just happened.

2024–2026: Web Bot Auth and signed agents

The current chapter is built on a quieter recognition. The cat-and-mouse model has costs. Every legitimate bot, including search-engine crawlers, AI agents acting on behalf of users, and monitoring tools, has to be treated as suspect by default, because the signals separating them from malicious bots are weak. Every malicious bot has to be detected by inference, because positive identification is not available to most operators.

The IETF response, drafted mostly by Cloudflare’s Thibault Meunier, is Web Bot Auth: a cryptographic identity layer for automated traffic, built on HTTP Message Signatures (RFC 9421, published February 2024). A bot operator publishes their public key at a well-known URL. Outbound HTTP requests carry an Ed25519 signature over a canonical representation of the request. The agent is identified, and the identification does not rely on spoofable User-Agent strings or unstable IP ranges.

Cloudflare folded Web Bot Auth into its Verified Bots Program on 1 July 2025, the first production deployment at scale. AWS Bedrock AgentCore added support shortly after, signing requests from agentic AI workflows. A Signature Agent Card draft, published 20 October 2025, added a metadata format for declaring an agent’s capabilities and a contact channel for it.

If the trend holds, the medium-term equilibrium splits. Identified bots travel a fast lane: signature presented, signature verified, full speed ahead. Unidentified traffic, human and bot alike, hits the Turnstile-style challenge battery, which in 2026 is harder to clear through automation than any text CAPTCHA ever was. The CAPTCHA does not disappear. It becomes the default fallback for anything that cannot or will not authenticate as itself.

A few things this timeline keeps repeating

Every CAPTCHA generation falls to exactly the AI it was designed to be hard for. Distorted text fell to OCR. Image grids fell to ImageNet-grade object recognisers. Behavioural fingerprinting is, in 2026, getting solved by LLM-driven agents that produce humanlike interaction patterns on purpose. The shelf life of a defence used to be six years. Recently it has been closer to two.

The test you are taking is almost never the test you appear to be taking. From the 2014 checkbox forward, the visible widget has been UX dressing on a probability score that was already computed somewhere else, often before the widget itself loaded.

Every CAPTCHA is a labelling pipeline. reCAPTCHA digitised books, then addresses, then road scenes. hCaptcha sells labels directly. Turnstile collects browser fingerprints that train the next generation of bot detection. A CAPTCHA system that produces no artefact is competing against one that does, and the market has always picked the second one.

Privacy and CAPTCHA are converging problems. Privacy Pass, Private Access Tokens, and Web Bot Auth are all variants of one question. How do you authenticate a property of a request (this is human, this is a known agent) without leaking who the request belongs to? The clean answer involves blind signatures and well-known public keys. The dirty answer is what most of the public web is currently running on.

The next chapter is being written in IETF drafts more than in product announcements, which means most people will not notice it until it is everywhere. Whether it lands as a quieter, signed, faster web or as a two-tier internet where unidentified traffic faces an ever-thicker wall is being decided right now, by adoption choices that look unglamorous on paper.

Sources & further reading