Your body is the new password.

Written by: Vaidik Mandloi

Translated by: Luffy, Foresight News

Since its launch at the end of 2022, ChatGPT has evolved into a large ecosystem of AI entities. Currently, the total network traffic generated by these programs exceeds that of all human users worldwide. The online behavior of AI is fundamentally different from that of humans: they do not browse ads, click links, or shop online; they simply scrape data from the web to complete tasks, leaving immediately once the task is done.

The initial architecture and business logic of the internet were built around human behavior and usage habits. However, now the vast majority of web access is not from real people, which has left major websites in distress. Currently, 2.5 million websites have begun to ban AI crawler programs, and platforms like Perplexity have become embroiled in related lawsuits. Cloud service provider Cloudflare has even created a “honeypot maze”, using AI-generated gibberish text to create infinite loop pages to trap various data crawlers.

However, some advanced AI entities have already developed the capability to bypass such protective measures. Faced with increasing human-machine conflict, the entire industry has begun to focus on developing a more reliable human verification mechanism. This system needs to accurately identify whether the operator on the other side of the screen is human: real human actions will show hesitation, typing errors, and cursor movements will reflect subtle tremors unique to the human nervous system. This article will analyze the causes behind this transformation, the two mainstream technical solutions, and the choices people will face: to accept centralized biometrics monitoring or to adopt encrypted zero-knowledge proof technology for anonymous human verification.

AI Disrupts Internet Business Models

Websites are increasingly banning AI programs, stemming from the fact that AI has simultaneously breached the commercial foundations that the internet relies on. The profit logic of traditional internet is built on user attention: users visit pages and browse ads, allowing content publishers to earn revenue. If left to AI to shop online, it can scrape data from five thousand websites in one go, while an average person would typically browse only four or five pages.

AI's reading speed far exceeds that of humans, capable of completing price comparisons across the web and directly placing orders within a few minutes, without generating any ad views. This means websites are bearing the operational costs of servers without receiving any revenue.

At the same time, AI search continues to divert website traffic. After Google added an AI-generated summary section at the top of search results, only 8% of users would click through to the original webpage, leading to a 33% drop in referral traffic to major content sites from Google. This feature reached over 1 billion monthly active users within just a year, with the platform’s search volume doubling each quarter since its launch.

Many still remember the learning assistance platform Chegg. Originally relying on its search ranking advantage for its academic Q&A business, it has now officially shut down its Q&A section, blaming its closure on the impact of ChatGPT. Content creators are caught in a double bind: on one side, crawlers indiscriminately scrape content from within the site, while on the other, AI summaries intercept traffic before users reach the website.

The data disparities are alarming. OpenAI's crawler brings in a traffic referral for partner websites only after scraping data from 400 pages; this ratio for Anthropic reaches 38000:1. These companies use publicly available data from across the internet to train AI models at no charge, only to later reroute the traffic that originally belonged to the websites.

In other industries, such predatory data collection practices have led to numerous lawsuits, but in the AI sector, such companies can achieve trillion-dollar valuations.

Your Body is the New Password

For the past 25 years, the internet primarily relied on CAPTCHAs to differentiate between humans and machines. People needed to recognize traffic signs and input distorted characters; this mechanism was effective because early machines lacked the image recognition capabilities of humans.

Now the situation has completely reversed. OpenAI's intelligent operating programs score far higher than humans in Google’s human verification system, accurately clicking on interfaces and copying and pasting content; AI-generated images can deceive identity verification systems, creating deepfake video calls that can even be used by criminals to complete bank transfers. The premise of traditional verification methods—that machine capabilities are inferior to those of humans—no longer exists.

The industry can now only focus on areas that AI cannot yet replicate. The physical behavior characteristics of humans operating electronic devices, that is, behavioral biometrics technology. Companies like IBM and BioCatch are developing relevant systems that verify identity not only at login but also monitor user behavior throughout the process. Metrics collected include cursor movement speed, page scrolling methods, typing rhythm, key pressure, editing habits, and phone grip angles, with mobile gyroscopes recording related information throughout the usage.

The system can also identify users' dominant hands, finger swipe patterns, and other details. IBM only needs to collect usage data eight times to establish a unique behavioral profile for a user, subsequently comparing each operation in real-time against the baseline data.

BioCatch's technology can even identify online fraud scenarios. When victims read out account passwords per the instructions of fraudsters, their panicked and intermittent typing rhythm is accurately captured by the system. Within just one year, this system has assisted 257 banks in identifying approximately 2 million money laundering accounts. Now the EU has also begun piloting gait recognition technology. Barely three years into the era of AI entities, EU border personnel have already started collecting the walking patterns of citizens.

Related research has also combined with the Stroop effect: when the green font spells out the word “blue,” the human brain slows down response speed due to the conflict between the meaning of the text and the visual color, but AI is unaffected. Studies have found that this cognitive interference directly reflects typing behavior. Platforms don’t even need to create special tests; just by analyzing typing rhythm, they can determine whether the operator is human; typing habits conceal unique brain information processing traits of humans.

Previously, online tracking primarily recorded user browsing, clicking, and spending behaviors. Users could evade this by blocking cookies, using virtual private networks, or disabling location features. However, behavioral biometrics collect innate human characteristics: the way the cursor moves and typing rhythms are difficult to artificially alter.

Each person's behavior traits are unique, like fingerprints. Unlike passwords and keys, this biological profile cannot be changed or reset. Once this technology becomes widespread, major platforms will be forced to adapt and follow suit. Nowadays, voice simulation technology can already convincingly mimic human speech during calls, and video deepfake technology is following closely behind. If this is the future, the core question arises: who will ultimately control this human data?

Who Will Control the Human Verification System

Currently, the industry has split into two major camps, each exploring human identity verification solutions.

The first is Sam Altman's World (formerly Worldcoin). Users need to step in front of a spherical iris scanning device, which collects iris information and generates an encrypted identity proof to demonstrate that the user is a unique natural person. As of now, 18 million people in 160 countries have completed iris registrations. In April 2026, World reached user verification partnerships with social app Tinder, video conferencing platform Zoom, and electronic signature service provider DocuSign; it also jointly launched the AgentKit tool with Coinbase, allowing users to link their AI entities to their real identities, verifying that there is a real person behind the AI without disclosing users' personal information.

However, iris scanning technology has been explicitly banned in multiple countries. The public does not understand the potential risks associated with authorized biometric data collection, which is the core reason for resistance in various countries. A survey by MIT Technology Review also revealed that World, without effective authorization, collected not only iris data but also heart rate, breathing, and several other biometric data.

The second type is based on encrypted zero-knowledge proofs, which allows you to prove you are human without revealing your true identity, location, or appearance. Vitalik Buterin proposed this concept as early as 2023. He believes that if a decentralized human identity system cannot be established, the internet will ultimately move toward centralized identity control. Once the verification authority is held by businesses or governments, monitoring mechanisms will become rooted in the underlying networks.

Previous large-scale attempts to implement a decentralized human identity system ultimately ended in failure. Idena was one of the first public blockchain projects aiming for “one person, one identity”, but within just two years of its launch, 40% of accounts and 48% of rewards were controlled by 23 organizations. Account operating teams in India, Russia, and elsewhere hired ordinary people to lend their identities for less than a dollar an hour, profiting up to 55 times. Researchers have also found that even children's identity information has been used as puppet accounts.

Vitalik had previously anticipated these risks. He stated that for human identity verification systems, the least costly attack method is not deepfakes or advanced hacking techniques, but rather paying people in low-income areas to lend their personal identities. Any human identity verification system relies on financial support: iris scanning devices and on-chain verification nodes require continuous investment.

However, once identity credentials are assigned economic value, an identity leasing black market will inevitably arise. In the real world with vast wealth gaps, those with capital will always dominate this market.

“Forcibly implementing a one-person-one-vote rule in a system with real economic incentives will ultimately repeat the failures of related social experiments from the twentieth century.”

Objectively, both development paths have apparent flaws. Centralized solutions can achieve large-scale implementation, but users’ biometric data will be kept by companies that excessively collect this information, which themselves can profit from the current oversaturation of bots. The encrypted path theoretically protects privacy, but struggles to escape the economic imbalance problem in reality, ultimately being exploited by gray industries.

If I had to place a bet, I would still wager on the encrypted solution. Because behavioral biometric technology and centralized iris scanning will permanently record your bodily information, ownership of that information belongs to the entity that deploys the system. Once they have access to your data, you cannot delete or transfer it; that data will be locked within the company that collected it.

Even knowing that zero-knowledge proofs can be exploited, they are still worth developing because they can confirm you are human without disclosing excessive information. Conversely, if we abandon this path, in the future, whenever we access any website, they will retain our bodily behavioral data. Currently, this centralized solution with monitoring attributes is being implemented at a speed that far exceeds that of the encrypted technology route.