> it could present unacceptable risks for application developers or be used as a method for malicious attacks (e.g. credential stuffing or fake account creation).<p>The article seems to want to distinguish between "bad" and "good" bots, yet beyond the introduction, seems to treat them exactly the same.<p>Why are website authors so adamant I need to use whatever client they want to consume their content? If you put up a blog online, available publicly, do you really care if I read it in my terminal or via Firefox with uBlock? Or via an AI agent that fetches the article for me and tags it for me for further categorization?<p>It seems like suddenly half the internet forgot about the term "user-agent", which up until recently was almost always our browsers, but sometimes feed readers, which was acceptable it seems. But now we have a new user-agent available, "AI Agents", that somehow is unacceptable and should be blocked?<p>I'm not sure I agree with the premise that certain user-agents should be blocked, and I'll probably continue to let everyone chose their own user-agent when using my websites, it's literally one of the reasons I use the web and internet in the first place.
I've been flagged as a bot on pretty much every major platform. Most ridiculously lately, linkedin - I have to prove my identity using 2 different forms of ID, which they still won't accept, OR find a notary and somehow prove I own the account I no longer have access to. Maybe try refining this tech a little better before you start blasting legitimate users with it - I am extremely skeptical of the catch rate given what I see anecdotally online, and my own experience getting flagged for stuff as benign as being a quick typist.
I fully expect captchas to incorporate "type the racial slur / death threat into the box" soon, as the widely available models will balk at it.
Looks like detecting real humans apart from agents is going to be an arms race if the detection is based on browser/device fingerprinting or visual/audio captchas; AI will only get better.<p>What are captcha alternatives that can block resource consumption by bots?
Eventually the safest eay to be a human will be to hide from the best AI by mimicking the lesser & more quantitious AI mimicking the homo simulacra.<p>Example: Big AI outbids energy providers because its owners are hunting some person whose computational activity they do not like. If you consume unusually lots of energy because you are eccentric human & not having AI system guide your power use, you will stand out. The big AI might rationally buy you out from electricity because you didn't mimic how normal people's AI has them do their power expenses.
Looking at user-agents or IPs is the most shallow and non-deterministic way possible. They are arbitrary, I'm not a bot, but I'm using a highly customised one in order to enhance my browsing experience.<p>>They use genuine IP addresses, user agents, and even simulate mouse movements.<p>From the list above, only simulating mouse movements part seems like the hardest thing to fake correctly, which genuine IP addresses and user agents is something you can 100% fake. Why focusing on the ip addresses and user agent string then if you can just see that AI Agent is moving it's mouse in a perfect straight line between buttons and doing nothing else with it. Obviously human mouse movement patterns on every webpage are quite chaotic and having it mechanised is an obvious red flag which you should train your model on.<p>I think the future of ai agent/bot detection is a model trained on user behaviour patters when he is interacting with the page UI.
It looks like it's just a matter of time for "Computer Use" like tools becomes commoditised and widely available. I'm worried that this could upend our usual ways of filtering out bot activity with no simple way to go back. Sites that already have bot problems, like social platforms and socket puppet profiles or ticketing services and scalpers, might become even harder to deal with.<p>Sometimes I think the dead internet theory might not have been so far off, just a bit early in its timing. It really feels like we're about to cross a line where real humans and AI agents online activities blend in ways we can't reliably untangle.
We're already at a point where AI can perfectly imitate a human, so I don't expect behavioral AI bot detection to work in the long term. You can still filter out a lot of script kiddie level AI bots by looking for browser signatures.<p>I suspect we are heading for a future where websites which expose some sort of interaction to human beings will steer AI agents to an API with human authorized (OAuth) permissions. That way users can let well behaved, signature authenticated agents operate on their behalf.<p>I think we need an "AI_API.yaml", kind of like robots.txt, which gives the agent an OpenAPI spec to your website and the services it provides. Much more efficient and secure for the website then dealing with all the SSRF, XSS, SQLi, CSRF alphabet soup of vulnerabilities in Javascript spaghetti code on a typical interactive site. And yes, we need AI bots to include cryptographic signature headers so you can verify it's a well behaved Google agent as opposed to some North Korean boiler room imposter. No pubkey signature no access and fail2ban for bad behavior.<p>I expect in the future you won't go to a website to interact with your provider's account. You'll just have a local AI agent on your laptop/phone which will do it for you via a well known API. The website will revert back to just being informational. Frankly that would fix a lot of security and usability problems. More efficient and secure for the service provider, better for the consumer who does not have to navigate stupid custom form workflows (e.g. every job application site ever) and just talk to their own AI in a normal tone of voice without swear words.<p>Somebody will make a ton of money if they provide a free local AI agent and
manage to convince major websites to offer a general agent API. Kind of like Zapier but with a plain language interface. I'm betting that's where the FAANGs are ultimately heading.<p>The future is a free local AI agent that talks to APIs, exactly like the current free browser that talks HTTP. Maybe they are one and the same.
The other day I tried an open source deep research implementation, and a ton of links returned 403s because I was using an agent. But it is for legitimate purposes. I think we need better ways of identifying legitimate agents working on my behalf vs spam bots
I have personally opted out of the arms race for at least one service that I operate.[1]<p>If AI agents figure out how to buy a subscription and transfer money from their operators to me, they are more than welcome to scrape away.<p>[1]: <a href="https://lgug2z.com/articles/in-the-age-of-ai-crawlers-i-have-chosen-to-paywall/" rel="nofollow">https://lgug2z.com/articles/in-the-age-of-ai-crawlers-i-have...</a>
Great article, but the actual technical details of their current “browser fingerprinting” approach are linked at the bottom: <a href="https://stytch.com/docs/fraud/guides/device-fingerprinting/overview" rel="nofollow">https://stytch.com/docs/fraud/guides/device-fingerprinting/o...</a><p>This seems semi-effective for professional actors working at scale, and pretty much useless for more careful, individual actors — especially those running an actual browser window!<p>I agree that the paywalls around LinkedIn and Twitter are in serious trouble, but a more financially pressing concern IMO is bad faith Display Ads publishers and middlemen. Idk exactly how the detectors work, but it seems pretty impossible to spot an unusually-successful blog that’s faking its own clicks…<p>IMHO, this is great news! I believe society could do without both paywalls or the entire display ads industry.
adopting the mentality that AI agents are akin to russian spam bots is regressive mentality.<p>your users will be interacting with your platform using partial automation in the very near future and if you think rate limiting or slowing their productivity is somehow necessary they'll just go somewhere else.<p>once you feel the empowerment, any attempt to retract it goes against human nature.
Tensions?<p>Landlords looking to herd Internet dwellers for steady Profit<p>Vs.<p>Free-Ranging Users flocking toward Free Stuff<p>Classic Internet Battle.
I think companies need to rethink this and go the opposite direction, rather than being hostile and blocking AI Agents--and losing millions or billions in revenue when people sending AI Agents to do tasks on their behalf cant get the task done---they should redesign their software for Agent use.<p><a href="https://www.loop11.com/introducing-ai-browser-agents-a-new-way-to-run-usability-tests-in-loop11/" rel="nofollow">https://www.loop11.com/introducing-ai-browser-agents-a-new-w...</a>
It’s a bit disgusting that multi-billion dollar corporations are not properly compensating the individuals and groups that their “artificial intelligence” models rely on.<p>Meta/FB/Zuckerfuck was caught with their pants down when they were _torrenting_ a shit ton of books. It’s not a rogue engineer or group. It came from the top and signed off by legal.<p>Companies, C-level executives, and boards of these companies need to be held accountable for their actions.<p>No a class action lawsuit is not sufficient. _People_ need to start going to jail. Otherwise it will continue.