When AI traffic surpasses humans, how can you prove that you are a real person?

Article by: Vaidik Mandloi

Translated by: Luffy, Foresight News

Since the launch of ChatGPT at the end of 2022, it has spurred the development of a vast ecosystem of AI intelligent agents. Currently, the total online traffic generated by these programs has surpassed that of all human users worldwide. The online behavior of AI intelligences is completely different from humans: they do not browse ads, click links, or shop online; they simply crawl web data to complete tasks, and leave immediately after finishing.

The original architecture and business logic of the internet were built around human behavior and usage habits. But now, the vast majority of web access behaviors are not from real people, which has caused headaches for major websites. Currently, 2.5 million websites have begun blocking AI crawlers, and platforms like Perplexity are involved in related lawsuits. Cloudflare, a cloud service provider, has even set up a “honey pot maze,” using chaotic, meaningless AI-generated text to create infinite loop pages to trap various data crawlers.

However, some advanced AI intelligences already have the ability to bypass these defenses. In the face of increasingly intense human-machine confrontations, the entire industry is beginning to develop a more reliable human identity verification system. This system needs to accurately identify whether the operator on the other side of the screen is human: human operation will show hesitation, typing errors, and subtle tremors in cursor movement that are characteristic of the human nervous system. This article will analyze the causes behind this transformation, the two main technical solutions, and the choices people will face: whether to accept centralized biometric monitoring or to adopt encrypted zero-knowledge proof technology for anonymous human verification.

AI Disrupts Internet Business Models

Websites are starting to block AI programs because AI has simultaneously broken through the core business foundations that sustain the internet. The traditional profit logic of the internet is based on user attention: users visit pages, view ads, and content publishers earn revenue. If AI handles online shopping, it will search across five thousand websites at once, whereas an ordinary person usually only browses four or five pages.

AI’s reading speed far exceeds that of humans; within minutes, it can complete price comparisons across the entire web or even place orders directly, all without generating any ad impressions. This means websites bear server costs for free but do not receive any revenue.

Meanwhile, AI search continues to divert website traffic. After Google added an AI-powered summary section at the top of search results, only 8% of users click through to the original webpage, causing major content sites to see a 33% drop in referral traffic from Google. Within just a year of launching this feature, monthly active users exceeded 1 billion, and the platform’s search volume has doubled every quarter since.

Many still remember the learning Q&A platform Chegg. It originally relied on search ranking advantages to run its academic Q&A business, but now it has officially shut down its Q&A section, blaming the impact of ChatGPT. Content creators are caught in a dilemma: on one side, crawlers indiscriminately scrape content within sites; on the other, AI summaries intercept traffic before users even reach the site.

The data gap is even more shocking: OpenAI’s crawlers generate one referral traffic for every 400 pages they scrape for partner websites; Anthropic’s ratio is even more extreme at 38,000:1. These companies utilize publicly available data across the web to train AI models without compensation, then divert the traffic that originally belonged to websites with their finished products.

In other industries, such predatory data collection has already led to numerous lawsuits, but in the AI field, such companies still achieve valuations in the trillions.

Your Body Is the New Password

Over the past 25 years, the internet has mainly relied on CAPTCHAs to distinguish humans from machines. People need to identify traffic signs or input distorted characters. This mechanism was effective because early machines’ image recognition capabilities lagged far behind humans.

Now, the situation has completely reversed. AI programs under OpenAI can simulate human scores in Google’s human-machine verification systems far better than humans, accurately clicking interfaces and copying and pasting content; AI-generated photos can fool identity verification systems; deepfake videos and calls are even used by criminals to complete bank transfers. The traditional verification premise—machines being weaker than humans—no longer holds.

The industry can only now focus on areas that AI cannot temporarily replicate. Human behavioral biometrics, such as physical actions when operating electronic devices, are emerging as a solution. Companies like IBM and BioCatch are developing related systems. These technologies not only verify identity during login but monitor user activity throughout, collecting data such as cursor movement speed, page scrolling style, typing rhythm, keystroke force, text editing habits, and even phone grip angles, with mobile gyroscopes recording related information.

The system can also identify user’s dominant hand, finger sliding trajectories, and other details. IBM, for example, can establish a unique behavioral profile after just eight usage data points, and then compare each subsequent action in real time against this baseline.

BioCatch’s technology can even detect online scams. When victims recite account numbers or passwords under scammer instructions, their frantic, inconsistent typing rhythm is precisely captured by the system. Within a year, this system helped 257 banks identify about 2 million money laundering accounts. Now, the EU is also piloting gait recognition technology. Just three years after the AI intelligence era began, EU border patrols are already collecting walking postures of the public.

Related research also incorporates the Stroop effect: when the word “blue” is written in green font, the human brain experiences a conflict between the word’s meaning and its visual color, slowing reaction times. AI, however, is unaffected. Studies show this cognitive interference directly influences typing behavior. Platforms can even judge whether the operator is human solely based on keystroke rhythm; human brain processing features are embedded in typing habits.

Traditional online tracking mainly records browsing, clicking, and consumption behaviors, which users can avoid by blocking cookies, using VPNs, or disabling location services. But behavioral biometrics capture innate physical features: cursor movement, typing rhythm, which are difficult to consciously alter.

Everyone’s behavioral traits are as unique as fingerprints. Unlike passwords or keys, this biometric profile cannot be changed or reset. Once this technology is widely adopted, major platforms will be forced to adapt. Today, voice synthesis technology can already mimic real voices in calls, and deepfake video technology is catching up. If this is the future, the core question emerges: who will ultimately control this human data?

Who Will Control the Human Verification System

Currently, the industry is divided into two main camps, each exploring different human identity verification solutions.

The first is Sam Altman’s World (formerly Worldcoin). Users need to go to a spherical iris scanner, which captures iris data and generates an encrypted credential to prove the user is a unique natural person. So far, 18 million people in 160 countries have completed iris registration. By April 2026, World has partnered with Tinder, Zoom, and DocuSign for user verification; also, it has launched AgentKit with Coinbase, allowing users to bind their AI agents to verified identities, ensuring platforms can confirm the AI agent is backed by a real person without revealing personal data.

However, iris scanning technology has been explicitly banned in several countries. Many people are unaware of the potential risks of biometric data collection, which is the core reason for resistance. A survey by MIT Technology Review also found that, without proper authorization, World secretly collected vital signs such as heart rate and respiration in addition to iris data.

The second approach is based on cryptographic zero-knowledge proofs, which allow you to prove you are human without revealing your real identity, location, or appearance. Vitalik Buterin proposed this idea as early as 2023. He believes that if a decentralized human identity system cannot be built, the internet will inevitably move toward centralized identity control. Once identity verification is controlled by corporations or governments, surveillance mechanisms will become embedded in the network’s foundation.

Decentralized human identity systems have seen large-scale attempts before, but all have failed. Idena was among the first public blockchain projects claiming “one person, one identity.” Within two years of launch, 40% of accounts and 48% of rewards were controlled by 23 organizations. Account operators in India, Russia, and other regions hired ordinary people to lend their identities for less than a dollar an hour, earning up to 55 times that amount. Researchers also found that even children’s identities were used as puppet accounts.

Vitalik had already foreseen these risks. He stated that the cheapest attack on a human identity system is not deepfake or hacking but simply paying low-income individuals to lend their identities. Any human verification system requires ongoing funding: iris scanners and on-chain verification nodes all cost money to maintain.

But once identity credentials are assigned economic value, black markets for identity leasing will emerge. In a world with stark wealth disparities, capital owners will dominate these markets.

“In systems with real economic incentives, forcibly implementing one-person-one-vote rules will only repeat the failures of 20th-century social experiments.”

Objectively, both development paths have significant flaws. Centralized solutions can be scaled but involve storing biometric data with over-collecting companies, which profit from the current proliferation of bots. Cryptographic solutions theoretically protect privacy but struggle with economic imbalances, often exploited by gray industries.

If I had to bet, I would still favor the cryptographic approach. Because behavioral biometrics and centralized iris scans will permanently record your body data, and ownership of this data belongs to whoever deploys the system. Once they control your data, you cannot delete or transfer it; it will be locked within the company that collected it.

Even if zero-knowledge proofs can be exploited, they are still worth developing, as they can confirm you are human without revealing additional information. Conversely, abandoning this route means that in the future, any website we visit will store our physical behavior data. Today, this surveillance-oriented centralized approach is already outpacing the cryptographic route in deployment speed.