But defenses have to be *meaningful* defenses. Captchas are a pretend defense. They're wishful thinking. They're faith-based security.
They're a hook-and-eye latch. Now, if you want to go installing a bank vault door to keep your dog in the backyard, by all means, be my guest. Me, I'm frugal, so I'll make the more reasonable investment of a hook-and-eye latch to keep the gate closed.
Moreover, like all defenses, they don't come for free. There are costs associated with them (both for those deploying them and for users of whatever service they're allegedly protecting). And beyond the obvious costs, as we've learned through bitter experience, "complexity" is not only a hidden cost but also sometimes the one that bites us in the ass by way of vulnerabilities.
So given that we all know that (a) the express purpose of captchas is to determine whether or not a human is on the other end of the wire and (b) THEY DON'T ACTUALLY DO THAT, why incur those costs?
Not a given; your (a) is faulty. I already gave a trivial example of a situation where the deployment was intended to detect and deter a specific sort of automated exploit (more of a "prove you're a stupid spam bot and therefore ignoreable" than a "prove you're human").
Doubly so given that there are a fair number of visually-impaired people, blind people, and, oh, by the way, people using devices with rather small displays. Especially the last, recently. Why inflict this nonsense on them? Why try to offload the (admittedly) hard work of securing a resource onto the users, especially the users who are least-equipped to deal with it?
That depends on the CAPTCHA, I would imagine. Pretty sure that none of the cases you list would have a problem with the CAPTCHA I described.
And please: let's not even go to audio captchas. That's the sort of bag-on-the-side-of-a-bag hack that we all did our sophomore year but were too embarrassed to admit by the time we were seniors.
We have much better defenses at our disposal. (Examples: BCP 38, the Spamhaus DROP list, ipdeny.com, passive OS fingerprinting combined with rate throttling, checksum comparison.)
Each suitable for a particular range of purposes. And, as it turns out, each generally varies in effectiveness as they age... it just turns out that CAPTCHA has aged relatively poorly. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.