The creator of pretix warns that protection against bots using CAPTCHAs has lost its effectiveness. Instead, current solutions require a choice between privacy, accessibility, and security.
In a world where concerts sell out in seconds and bots act faster than any fan, the battle for legitimate tickets has become a lopsided struggle. CAPTCHA systems, once considered the ultimate barrier against automated programs, are now in question. Raphael Michel, the creator of pretix, an open-source ticketing platform, states:
“CAPTCHAs no longer provide significant protection against bots.”
From Distorted Text to Irrelevance
CAPTCHAs were born with a clear mission: to distinguish between humans and machines. They started with distorted letters, then moved to images — the famous boxes with traffic lights or bicycles — and later, to audio tests. However, artificial intelligence has learned to solve them all. By 2025, text, image, and voice recognition models surpass humans in speed and accuracy in nearly all of these tasks.
To make matters worse, making tests more difficult directly affects people, who start to fail them or abandon the process. And accessibility, now legally required in Europe, prevents the design of CAPTCHAs that exclude users with visual or hearing disabilities.
From Visual Traps to Behavioral Spying
In the face of the decline of traditional CAPTCHAs, modern systems choose to monitor user behavior. Services like reCAPTCHA v3 or Cloudflare observe how you move your mouse, how you navigate, or what history you have. With this, they estimate whether you are human or a machine.
The problem: privacy disappears. To function, they require massive amounts of personal data, often collected across multiple sites. This generates invasive profiles and, in many cases, violates ethical and legal principles.
Moreover, there’s no room for errors. A false positive can exclude real users (such as those using assistive technologies or new visitors) with no possibility of appeal, especially in high-demand contexts like ticket sales.
Bots Now Behave Like You (or Like Someone Using a Screen Reader)
Modern bots use real browsers controlled by code, mimicking human behavior in detail. They do it so well that any technical metric, like lack of mouse movement, can also match legitimate users, especially those using assistive technology.
In summary: it’s no longer possible to reliably distinguish between humans and bots just by observing their behavior.
What If We Make Them Work?
Some platforms have begun to implement proof of work, small computational tasks that the user must solve (without realizing it) before gaining access. The idea is to make automated access more costly.
But this doesn’t work for ticket sales: the energy cost of executing that task is negligible compared to the profits a reseller gains if they secure a ticket and sell it for hundreds of euros. Additionally, it’s an unsustainable model from an ecological perspective.
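The arithmetic behind this argument, as an added example that is not taken from Michel's post or from pretix: a hashcash-style SHA-256 proof of work with a simple electricity cost model. The hash rates, power draw, electricity price and the 100-euro resale margin are constructed assumptions, and all function names are hypothetical.

```python
import hashlib
import os

def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a digest."""
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits

def verify(challenge: bytes, nonce: int, difficulty: int) -> bool:
    """Server side: a single hash, whatever the difficulty."""
    digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= difficulty

def solve(challenge: bytes, difficulty: int) -> int:
    """Client side: brute force, about 2**difficulty hashes on average."""
    nonce = 0
    while not verify(challenge, nonce, difficulty):
        nonce += 1
    return nonce

def solve_seconds(difficulty: int, hashes_per_sec: float) -> float:
    return 2 ** difficulty / hashes_per_sec

def cost_per_solve_eur(difficulty, hashes_per_sec, watts, eur_per_kwh):
    """Expected electricity cost of one solve (watt-seconds -> kWh -> EUR)."""
    return solve_seconds(difficulty, hashes_per_sec) * watts / 3_600_000 * eur_per_kwh

def difficulty_to_deter(margin_eur, hashes_per_sec, watts, eur_per_kwh):
    """Smallest difficulty at which one solve costs at least the resale margin."""
    difficulty = 0
    while cost_per_solve_eur(difficulty, hashes_per_sec, watts, eur_per_kwh) < margin_eur:
        difficulty += 1
    return difficulty

# Constructed assumptions, not measurements.
BOT = dict(hashes_per_sec=1e9, watts=200, eur_per_kwh=0.30)  # reseller's hardware
PHONE_HASHES_PER_SEC = 1e6                                    # fan's mobile browser
MARGIN_EUR = 100                                              # profit per resold ticket

if __name__ == "__main__":
    challenge = os.urandom(16)
    nonce = solve(challenge, 16)
    print("valid:", verify(challenge, nonce, 16))
    print("bot cost at difficulty 20: %.2e EUR" % cost_per_solve_eur(20, **BOT))
    d = difficulty_to_deter(MARGIN_EUR, **BOT)
    print("difficulty needed to deter:", d)
    print("phone wait: %.0f years" % (solve_seconds(d, PHONE_HASHES_PER_SEC) / 31_536_000))
```

Under these assumptions a 20-bit challenge costs the bot operator a tiny fraction of a cent, while the difficulty needed to cancel out the resale margin would keep the assumed phone busy for centuries.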
The Economic Problem of CAPTCHAs
Even if there were a CAPTCHA impossible for an AI, there would always be services that solve it for you. There are companies that combine low-paid workers and algorithms to get past any CAPTCHA barrier for mere cents.
What Options Are Left?
According to Michel, the only truly effective measures are:
- Linking tickets to verified identities, such as names or documents. This deters reselling but complicates group purchases.
- Limiting by scarce and hard-to-fake resources, like verified credit cards or phones. This doesn’t eliminate fraud, but it makes it more expensive.
The BAP Theorem: An Uncomfortable Decision
Michel presents an analogy inspired by the CAP theorem from databases: the BAP theorem, which states that it is impossible to have all three qualities in an anti-bot system:
- B: Bot-resistant
- A: Accessible
- P: Privacy-respecting
You can only choose two. Thus, the possible combinations are:
- BA: Resistant and accessible, but without privacy
- BP: Resistant and private, but not very accessible
- AP: Accessible and private, but vulnerable to bots
Technology or Social Solution?
Ultimately, the creator of pretix offers a reflection: “Social problems cannot be solved by technology alone.” Legislation against reselling might be part of the solution, but it is a slow and uneven path across countries.
In the meantime, organizers will face an uncomfortable decision:
Protect against bots, or protect the privacy and accessibility of their users?
In the age of artificial intelligence, it seems you can’t have it all.
via: behind.pretix.eu and Genbeta