when open doors let in all the wrong people

Bots use up more CPU cycles on the average Web site than humans, and bots are increasingly not there to help. Where in days gone by, a bot might be indexing for a search engine to help people you don’t know find your site, today they mostly exist to feed giant statistical machines that calculate the most likely result to a question based on all the things they have been fed. This is both technically inefficient and socially idiotic.

A well curated directory from someone you trust is probably always more valuable than a generated result from an applied statistical model when you are looking for a great experience, and a graph of interconnected facts is always better than guessing what is most likely when you are looking for a fact. When the value you get from something diminishes so much that the inconvenience, grief, or cost that comes along with that something is all you care about, then it’s time to walk away.

It’s time to walk away from the open-door policy of the Web.

In my mind, all Internet connected stuff should be in two tiers —

Tier 1 is the minority, and exists solely to establish a relationship persona that can be used as the recipient of an access token.

Tier 2 is the majority, and only admits holders of access tokens.

We have work to do to get keyrings and token managers and identity anchors and persona managers sufficiently easy and safe and cheap for average people to use them, but that is just normal optimizing of the user experience kind of stuff that many people are very good at.

We lack good customs and vocabulary to talk about how to function in Tier 1 in a not-a-capitalist-gatekeeper kind of way, but the idea that I would give people I know and trust tokens to get into my blog isn’t unheard of, and definitely exists off-line in the speakeasy cultures of after hours clubs and friends of Dorothy get-togethers, so humans know how to do this in real life.

Tier 2 already exists, and having it absorb a lot of things that used to be outside of it is just a matter of solving those Tier 1 problems and marrying them up with existing zero-trust access controls that are commoditized and integrated into the small-scale forms that don’t require building sized infrastructure or luxury SUV priced budgets.
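A minimal sketch of the two tiers working together, added here as an illustration and not taken from any existing product: a Tier 1 issuer mints a token bound to a persona and a resource, and a Tier 2 gate denies everything that does not present a valid one. The function names, the HMAC-signed token format, the demo key and the persona string are all assumptions made for this example.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key (assumption); a real issuer would hold this in a key store.
ISSUER_KEY = b"constructed-demo-key-not-for-production"

def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _sign(body):
    return _b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())

def tier1_issue(persona, resource, ttl, now=None):
    """Tier 1: once a relationship exists, mint a token for that persona."""
    now = time.time() if now is None else now
    claims = {"sub": persona, "aud": resource, "exp": int(now) + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _sign(body)

def tier2_admit(token, resource, revoked, now=None):
    """Tier 2: deny by default; admit only valid, unexpired, unrevoked tokens."""
    now = time.time() if now is None else now
    if not token or token.count(".") != 1:
        return (False, "no token")          # anonymous clients and bots stop here
    body, tag = token.split(".")
    # Constant-time comparison, done before any attacker-supplied claims are parsed.
    if not hmac.compare_digest(tag.encode(), _sign(body).encode()):
        return (False, "bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["aud"] != resource:
        return (False, "wrong resource")    # a token for one site opens no other door
    if claims["exp"] <= now:
        return (False, "expired")
    if claims["sub"] in revoked:
        return (False, "revoked")           # the relationship ended
    return (True, claims["sub"])

if __name__ == "__main__":
    t = tier1_issue("friend@example.invalid", "blog", ttl=3600)
    print(tier2_admit(t, "blog", revoked=set()))
    print(tier2_admit(None, "blog", revoked=set()))
```

Because the token names both the persona and the resource, the gate can revoke one relationship without touching the others.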

“Only allow known-and-trusted clients to access your servers” is the best way to stop bots and fraud.

We just need a less-postcard-and-street-hustler Web to let us do that.

