Scholarship (ICLE)

Online Consumer Protection: Some Perspectives from Law and Economics

Abstract

This essay traces the evolution of online consumer protection from the opening of the Internet to commerce in the mid-1990s through to the challenges posed by artificial intelligence, arguing that trust has always been the central problem and that entrepreneurs, driven by competitive pressure and consumer demand, have repeatedly built the solutions.

I. Trust and Online Commerce

Until the mid-1990s, there was only a modest need for “online consumer protection” because the Internet was essentially free from commerce.[1] This was by design: the main U.S. Internet backbone was operated by the National Science Foundation, which applied an acceptable use policy that restricted commercial activity.[2] In 1992, Congress amended the NSF’s statutory authority to permit the Internet to be used for “additional purposes.”[3] Three years later, the NSF shut down NSFNET, after which the acceptable use policy no longer applied as all Internet traffic ran over commercial backbones.[4]

Once Internet commerce was no longer prohibited, entrepreneurs quickly identified ways to make it possible. For any form of commerce, the key challenge is establishing trust between parties. In-person, trust is built by repetition, reputation, reliable identification, and legal protection. Reputation creates incentives for vendors to maintain quality. Reliable identification is fundamental: without it, repetition is impossible, reputation irrelevant, and legal enforcement futile.[5]

The first attempts to solve the trust problem came from private networks such as CompuServe, Prodigy, and America Online, which starting in the mid-1980s created walled gardens with secure dialup connections, limiting purchases to authorized parties and leveraging their brands and partnerships with brick-and-mortar companies.[6] But this walled garden approach limited users to a single network, constraining the scale of commerce. Outside these gardens, traditional trust mechanisms were largely absent. Building the commercial internet required new tools.

A. Identity and Security

The first challenge was enabling consumers to verify that a website is what it claims to be and that communications are secure. The solution, developed by Taher Elgamal’s team at Netscape, was Secure Sockets Layer (“SSL”), which used public key infrastructure (“PKI”) to authenticate websites through digital certificates and asymmetric cryptography.

When you visit a website over HTTPS (now using transport layer security (“TLS”) rather than SSL but the model remains the same), the server presents a digital certificate that contains the site’s public key, its domain name, and crucially, a digital signature from a Certificate Authority (“CA”).[7] The browser, which maintains a list of trusted CA root certificates, can then verify the certificate by tracing it back to a trusted root.

SSL (and later TLS) also encrypted information between browser and server. The padlock icon in the browser URL bar reassured users that their connection was secure.
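The browser-side check described above can be reproduced offline with Go's standard-library X.509 code. This is an added example, not part of the original essay; the CA names, the host `shop.example`, and the helpers `issue`, `verifyServer`, and `scenarios` are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64 // constructed serial numbers for the sample certificates

// issue makes a self-signed root CA when parent is nil, else a server certificate signed by parent.
func issue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // the domain name the CA vouches for
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyServer traces leaf back to a root in the trust store and checks it is valid for hostname.
func verifyServer(leaf *x509.Certificate, trusted *x509.CertPool, hostname string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     trusted, // only these roots count; system roots are not consulted
		DNSName:   hostname,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// scenarios reports, for three constructed cases, whether the connection would be accepted.
func scenarios() (map[string]bool, error) {
	listedCA, listedKey, err := issue("Constructed Listed Root", nil, nil)
	if err != nil {
		return nil, err
	}
	otherCA, otherKey, err := issue("Constructed Unlisted Root", nil, nil)
	if err != nil {
		return nil, err
	}
	good, _, err := issue("shop.example", listedCA, listedKey)
	if err != nil {
		return nil, err
	}
	stray, _, err := issue("shop.example", otherCA, otherKey)
	if err != nil {
		return nil, err
	}
	store := x509.NewCertPool() // stands in for the browser's list of trusted roots
	store.AddCert(listedCA)
	return map[string]bool{
		"listed CA, matching name":   verifyServer(good, store, "shop.example") == nil,
		"listed CA, other name":      verifyServer(good, store, "other.example") == nil,
		"unlisted CA, matching name": verifyServer(stray, store, "shop.example") == nil,
	}, nil
}

func main() {
	fmt.Println(scenarios())
}
```

Only the first case is accepted: a valid signature is not enough unless it chains to a root the client already trusts and the certificate names the host being visited.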

B. User Ratings as a Means of Enhancing Trust

User ratings are now so ubiquitous as to seem inseparable from the web. The first significant deployment appears to have been the “feedback forum” that Pierre Omidyar introduced on eBay in February 1996. At launch, he included this note:

“Most people are honest. And they mean well. Some people go out of their way to make things right. I’ve heard great stories about the honesty of people here. But some people are dishonest. Or deceptive. This is true here, in the newsgroups, in the classifieds, and right next door. It’s a fact of life. But here, those people can’t hide. We’ll drive them away. Protect others from them. This grand hope depends on your active participation. Become a registered user. Use our feedback forum. Give praise where it is due; make complaints where appropriate.”[8]

The forum became very popular and Omidyar credits it with much of eBay’s success because it enabled users to generate trust with one another.[9] User ratings also became intrinsic to the success of many other web businesses, including Amazon, Uber, and Airbnb.

Online ratings systems are of course far from perfect and sites must continuously invest in innovation not only to improve their effectiveness but also to avoid contamination from fake reviews (whether generated by humans or bots). Examples of such innovations include: verification of purchase, verification of reviewer, proofs of humanity (e.g. Captcha), and AI-based fraud detection.[10] But the granularity of user ratings and the degree to which they enable preference matching, combined with the continuous improvements that websites and apps must develop and implement, arguably makes them superior to other forms of regulation — especially top-down licenses.[11]

C. Credit Cards, Online Security and Trust

Online commerce requires a means of payment. Early attempts at online money relied on centralized accounts, which floundered for the same reason as the walled gardens: the inability to transact outside a closed network.

Credit cards offered a ready-made solution. Card networks needed only to adapt rules already developed for “card not present” (“CNP”) transactions such as telephone sales.

Merchants trust card issuers because they credibly commit to pay as long as the merchant authenticates properly, and consumers find card issuers’ zero-liability fraud guarantees attractive for online transactions.

But Internet transactions posed novel problems: issuers and cardholders feared stolen card details, while merchants feared chargebacks from fraudulent use. Enhanced security on both sides was needed. As noted, SSL/TLS provided part of that solution. Payment networks supplemented these first with their own security standards and then in 2004 with PCI DSS.[12]

Another piece of the puzzle was solved in 1999 with the launch of PayPal, whose most important function has been as a payment gateway — a trusted intermediary processing card payments. Many other online payment gateways, including Worldpay, Stripe, and Square/Block, also now act as a trust layer in the online payments ecosystem.[13]

D. Peer-to-Peer Payments, Stablecoins and Escrow

Over the past 20 years, peer-to-peer systems such as PayPal, Venmo, CashApp, Google Pay, and Apple Cash have become increasingly popular for paying for goods and services, with similar services in India, China, Thailand, Brazil, and elsewhere.[14] Stablecoins are beginning to offer similar functionality, especially in jurisdictions with high inflation.

The near-instant payment finality of such systems is advantageous between trusted counterparties. But for transactions with significant counterparty risk — unknown vendors, undelivered goods, uncertain quality — irreversibility becomes a problem.

In the U.S. and Europe, credit card chargebacks addressed this. In China, where credit card penetration was low, Alibaba developed AliPay in 2003 as a micro-escrow service holding funds until receipt is acknowledged. Similar escrow systems might address counterparty risk for real-time payments and stablecoins.

II. The Implications of AI

The increasingly widespread use of sophisticated AIs presents new issues for online consumer protection. As with the emergent Internet in the mid-1990s, the key issue is trust. In this case, there are three related problems: First, can we trust that the material being presented to us is real (or at least not generated by AI)? Second, can websites trust that the entities seeking to interact with them are real humans (or at least bots authorized to act by real humans)? Third, how can either side trust that the counterparty is who they say they are?

A. Digital Content Credentials and Digital Watermarks

One way to ensure that a digital object was made by a human is for the creator to apply a digital content credential. These use cryptographic signatures to create an auditable history of content (audio, video, text, etc.), documenting who and/or what produced it and altered it.

The most significant such project is the Coalition for Content Provenance and Authenticity (C2PA), with over 5,000 members including Adobe, Google, Meta, Microsoft, OpenAI, and Sony. C2PA uses PKI to establish the origin and history of digital content.[15] C2PA digital credentials are embedded in metadata, so are not part of the content itself, but can be identified by software capable of authenticating the claims.[16] The C2PA standard is open source, so can be implemented by anyone without payment (as long as they abide by the requirements of the Creative Commons license).

OpenAI and Google add C2PA metadata to all visual content produced by their models.[17] An unadulterated image produced by their models should therefore be identifiable as such using a browser extension or C2PA’s tool. However, at least at the time of writing, adoption of the browser extension seems muted, to say the least (the Chrome version reports 1,000 users).[18]

Surveys suggest about three quarters of consumers in the U.S. are concerned about the authenticity of content.[19] Despite this and despite wide membership on the content side, however, so far there is little evidence of uptake of C2PA or other content authentication systems among content producers, distributors or consumers.[20]

One reason for low consumer-side adoption may be that metadata can be stripped when copying, making C2PA in its original form unreliable. To address this, companies have developed digital watermarks embedded imperceptibly in content itself. Google’s SynthID, for example, attaches unique identifiers to pixels in AI-generated images.[21] Meanwhile, the revised C2PA standard adds a digital watermark or “soft binding,” which acts as a bridge between the asset and its original metadata. If the asset’s metadata is stripped, the watermark can be detected by compatible software, which then queries a “Manifest Repository” to restore the original Content Credentials.

Another explanation is that it is early days. When SSL was first introduced, only ecommerce sites used it. Adoption was gradual until 2014, when Cloudflare’s free Universal SSL reportedly doubled it almost overnight. Similar factors — demonstrable benefits, wider availability, and reduced costs — will likely drive adoption of content authenticity standards.[22]

On the other hand, we might simply learn to live with most forms of AI adulteration, much as CGI is taken for granted in film, and synthesizers and electronic manipulation are widely accepted in music. In that case, the role of identifiers such as C2PA and AI detection might be limited to the prevention and prosecution of IP theft and impersonation.

B. The Bot Wars

The problem of bots seeking to fool websites goes back to 1997, when spammers manipulated AltaVista’s search rankings by mass-submitting URLs. AltaVista responded by requiring users to recognize characters displayed so that bots could not easily interpret them.[23]

In the early 2000s, at the request of Yahoo!, Luis von Ahn and colleagues at Carnegie Mellon University developed the Completely Automated Public Turing test to tell Humans and Computers Apart (“CAPTCHA”), which required website users to perform tasks that would be easy for humans but impossible for computers — originally recognition of a word displayed in a manner similar to the AltaVista solution.[24] The first commercial implementation of CAPTCHA was the Gausebeck-Levchin test implemented by PayPal in 2001 to prevent bots from creating fraudulent accounts.[25]

Programmers quickly developed algorithms to defeat CAPTCHAs, sparking an arms race. In 2007, von Ahn developed reCAPTCHA, displaying two words — one known to the computer, one unknown. Aggregating user responses improved machine text recognition. In 2009, von Ahn sold reCAPTCHA to Google, which used it for Google Books and other recognition projects. Von Ahn and Google had strong incentives to ensure reCAPTCHA was effective while minimizing friction, because doing so maximized its use and thereby its value.[26][27][28]

The past 20 years have seen an arms race between CAPTCHA systems and AI. In 2018, Intuition Machines launched a competitor, hCaptcha, which requires users to identify a series of objects and is adaptive to user responses, making it highly effective against AI models. hCaptcha also has an inherently privacy-preserving design; in contrast to Google’s reCAPTCHA, its main source of revenue is the sale of labelled data to train AI models.[29] Also, unlike reCAPTCHA, which is merely free for most customers, hCaptcha pays high-volume websites.

Spam email was another bot-related problem. Matthew Prince and Lee Holloway established Project Honey Pot to track spam sources and enable blocking of malicious IP addresses. The project grew to track threats including DDoS attacks and its creators then developed it into a full-fledged solution called Cloudflare.[30]

Cloudflare’s solutions have become increasingly valuable to website hosts. W3Techs estimates that the company is now responsible for between 21 percent of all internet traffic, up from about 4 percent in 2016, and represents over 80 percent of all reverse proxy server traffic.[31] In 2020, Cloudflare switched from reCAPTCHA to hCaptcha, dramatically increasing demand for that service,[32] and in 2023 it switched again, this time to its own alternative called Turnstile.[33] Moreover, all the main bot protection services (reCAPTCHA, hCaptcha, and Turnstile) now offer versions that mainly work in the background, utilizing user analytics that enable them to distinguish humans from bots with considerable accuracy and minimal friction.

These systems protect users whose sensitive data would otherwise be at risk. Innovation driven by entrepreneurial insight and dynamic competition has produced a high level of consumer protection online — and these systems will continue to evolve as AI threats grow more sophisticated.

C. Online Identity

The third concern raised by AI is its ability to mimic human identity. Criminals use generative AI to create fake identities for various frauds — most being modern versions of old scams such as the sham company: establish a fake company with a name similar to a real company, open a bank account, invoice for fictitious goods or services, transfer funds out immediately they are received, and shut down the company and accounts — leaving little trace of the fraudster’s identity.

Payments with instant finality (e.g. blockchain and real-time payments) and generative AI (which enables quick and easy creation of highly plausible fake IDs) have reduced the cost of implementing sham company frauds.

Fraudsters also use generative AI for impersonation of real humans in real time using deepfake voices and/or video. In one notable case, swindlers held a video call featuring deepfakes of the CFO and various colleagues of engineering firm Arup, thereby convincing an employee of the firm in Hong Kong to send $25 million to a sham company.[34]

Both these frauds are fundamentally examples of impersonation or passing off. While modern technology can make them easier and cheaper (and thereby increase the incentives to undertake them), it also offers solutions to such frauds. Multi-factor authentication (“MFA”) is one relatively simple and inexpensive measure that can be taken: requiring counterparties to prove their identity not only through voice or video but by sharing other trustworthy and ideally immutable evidence.

Similarly, in the case of sham company attacks, company registries that verify beneficial ownership can make such frauds more costly — and in principle make it easier to trace the perpetrators.

Unfortunately, standard MFA documents such as utility bills, drivers’ licenses, and passports can be spoofed by AI. These are widely used for “know your customer” (“KYC”) and beneficial ownership checks and, ironically, can expose personal information to fraudsters when emailed without encryption (as is common).

One form of authentication that is more difficult to spoof and reduces the risk of interception is an immutable digital identity, especially when it is linked to a reliable certificate authority (such as a registry that itself relies on MFA). Jurisdictions such as Estonia and Norway that have implemented such digital IDs have seen rates of fraud decline.[35]

A centralized digital ID registry creates a honeypot risk. Estonia addressed this with the X-Road, a decentralized data exchange architecture with multiple registries each containing limited data. Citizens use a PKI-based eID protected by 2FA: entering a PIN on a physical card unlocks a private key that digitally signs a challenge, confirming identity and authorizing access to specific database(s).[36]
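The PIN-gated challenge signing described above can be sketched in Go as follows. This is an added example, not code from Estonia's eID or X-Road; Ed25519, the three-attempt retry limit, the PIN value, and all type and function names are assumptions of this sketch.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

var (
	ErrBadPIN = errors.New("wrong PIN")
	ErrLocked = errors.New("card locked")
)

// Card is a hypothetical model of the physical eID card: the private key stays
// inside it and is usable only after the holder's PIN is presented.
type Card struct {
	pin   string
	key   ed25519.PrivateKey
	tries int // wrong-PIN attempts left before the card locks (3 is an assumption)
}

func NewCard(pin string) (*Card, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Card{pin: pin, key: priv, tries: 3}, pub, nil
}

// Sign combines the two factors: possession of the card and knowledge of the PIN.
func (c *Card) Sign(pin string, challenge []byte) ([]byte, error) {
	if c.tries == 0 {
		return nil, ErrLocked
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(c.pin)) != 1 {
		c.tries--
		return nil, ErrBadPIN
	}
	c.tries = 3
	return ed25519.Sign(c.key, challenge), nil
}

// Service is the relying party. It holds only the public key and hands out
// random, single-use challenges so a captured signature cannot be replayed.
type Service struct {
	pub     ed25519.PublicKey
	pending map[string]bool
}

func NewService(pub ed25519.PublicKey) *Service {
	return &Service{pub: pub, pending: map[string]bool{}}
}

func (s *Service) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[string(nonce)] = true
	return nonce, nil
}

func (s *Service) Verify(challenge, sig []byte) bool {
	if !s.pending[string(challenge)] {
		return false // never issued, or already consumed
	}
	delete(s.pending, string(challenge))
	return ed25519.Verify(s.pub, challenge, sig)
}

func main() {
	card, pub, err := NewCard("4821") // constructed PIN
	if err != nil {
		panic(err)
	}
	svc := NewService(pub)
	ch, _ := svc.Challenge()
	sig, err := card.Sign("4821", ch)
	fmt.Println("first login accepted:", err == nil && svc.Verify(ch, sig))
	fmt.Println("replayed signature accepted:", svc.Verify(ch, sig))
	for i := 0; i < 3; i++ {
		card.Sign("0000", ch)
	}
	_, err = card.Sign("4821", ch)
	fmt.Println("after three wrong PINs:", err)
}
```

The service never sees the PIN or the private key; it learns only that whoever holds the card and knows the PIN answered this particular challenge.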

Ideally, one would share a limited credential proving a required fact without revealing underlying personal data. Zero-knowledge proofs (ZKPs) enable this: proving a claim is true without disclosing the sensitive information behind it. Self-sovereign IDs such as Iden3 and PolygonID adopt this model, as does the Yivi app in the Netherlands.

D. AI Agents Creating Fake Human Identities

So far, we have focused mainly on ways in which humans might use AI tools to perpetrate and/or prevent fraud — and how cryptographic solutions can help defeat this threat. More worrying, perhaps, is the possibility of AIs masquerading as humans — a persistent theme of dystopian science fiction.

In principle, digital IDs that require biometric MFA (e.g. facial recognition) might overcome this problem, at least with respect to direct authorization. A further set of problems arises, however, in the context of agentic AIs acting on behalf of humans. First, there is the problem of humans trusting their agents to act as intended. Second, there is the problem of agents being trusted by counterparties.

The recent release of Claude Code, Cowork, OpenClaw, and similar products has created considerable excitement about the prospect that each of us will soon have an army of virtual assistants doing our bidding. At the same time, adoption has likely been slower than it would be if we could trust those agents to do what we want them to do – and if counterparties could reliably trust our agents.

The history of travel agents offers insights. Human agents maintain formal supplier relationships through accreditation bodies such as ARC or IATA, posting bonds, carrying insurance, and assuming liability. If an agent fails to remit payment, suppliers claim against the bond. Accreditation and financial guarantees make suppliers willing to accept bookings without direct customer relationships.

Online travel agencies like Expedia digitized this model, obtaining the same accreditations and financial guarantees. Their bots were trusted not independently but as authorized arms of accredited, bonded entities.

The innovation was not in the trust model — which remained a known, financially accountable intermediary — but in scale and automation. The supplier trusts the intermediary, which manages all downstream risk.

Autonomous AI agents probably will not be trusted as independent actors anytime soon. Rather, they will operate under accountable intermediaries liable to suppliers. The supplier’s question remains: “do I trust this intermediary?”

This also offers insights into one possible solution to the first problem: trust as an emergent property of agents in general. If third party intermediaries act as a layer between AI agents and suppliers of goods and services, they would effectively signal to consumers which agents are trustworthy.

III. Conclusion

This brief survey of the history and current status of online consumer protection shows how entrepreneurs have addressed trust problems relating to online commerce and how they might now address similar problems in relation to AI.

These developments took place within background conditions favorable to decentralized market solutions: enforceable contracts and the removal of NSF barriers to online commerce. Absent these conditions, it is unclear that online commerce would have emerged as it did.

The specific innovations surveyed illustrate how entrepreneurs build and maintain architectures of trust when background conditions permit. If governments maintain those conditions, entrepreneurs can continue to develop trust architectures that support strong online consumer protection in a world of AI.

[1] See, e.g., Barry M. Leiner et al., Brief History of the Internet, Internet Soc’y (1997), https://www.internetsociety.org/internet/history-internet/brief-history-internet.

[2] National Sci. Found., NSFNET Backbone Servs. Acceptable Use Pol’y (June 1992); see also Nat’l Sci. Found. Off. of Inspector Gen., Review of NSFNET (Mar. 23, 1993).

[3] Scientific and Advanced-Technology Act of 1992, Pub. L. No. 102-476, 106 Stat. 2297 (amending the National Science Foundation Act of 1950 to authorize the National Science Foundation to support access to computer networks that “may be used substantially for additional purposes”).

[4] Susan R. Harris & Elise Gerich, Retiring the NSFNET Backbone Serv.: Chronicling the End of an Era, ConneXions (Apr. 1996), at 2–11. NSFNET was decommissioned Apr. 30, 1995.

[5] This dynamic is illustrated by a simple two-player game with the following payoffs: (cooperate, cooperate = 2,2; cooperate, defect = −1,3; defect, cooperate = 3,−1; defect, defect = 0,0). In a one-shot game without collusion, both players defect, yielding a payoff of 0 for each. If the game repeats indefinitely, however, each player has an incentive to cooperate, producing a payoff of 2 for both. See, e.g., Robert Axelrod & William D. Hamilton, The Evolution of Cooperation, 211 Science 1390 (1981).

[6] See, e.g., Shane Greenstein, How the Internet Became Commercial: Innovation, Privatization, and the Birth of a New Network 109–45 (2015) (describing the “walled-garden” model of early online services).

[7] A certificate authority (CA) acts as a trusted third party. Early providers included VeriSign and Thawte (which VeriSign acquired in 1999). Today, the most widely used CAs include Let’s Encrypt, GlobalSign, Sectigo, and GoDaddy. See, e.g., SSL Certificate Authorities Market Share, W3Techs, https://w3techs.com/technologies/history_overview/ssl_certificate.

[8] Pierre Omidyar, Founder’s Letter, eBay (Feb. 26, 1996), https://pages.ebay.co.uk/services/forum/feedback-foundersnote.html.

[9] Interview with Pierre Omidyar, Founder, eBay Inc., at 4:55, On Innovation (The Henry Ford YouTube channel), https://www.youtube.com/watch?v=RKVmsifohgM&t=295s.

[10] See, e.g., Amazon, How Amazon Is Using AI to Detect Fake Product Reviews and Ensure Authentic Customer Feedback (Aug. 27, 2024), https://www.aboutamazon.com/news/policy-news-views/how-ai-spots-fake-reviews-amazon (describing Amazon’s use of verified-purchase labels, large-language-model and graph-neural-network fraud detection, and expert investigators to block hundreds of millions of suspected fake reviews); Michael Luca & Georgios Zervas, Fake It Till You Make It: Reputation, Competition, and Yelp Review Fraud, 62 Mgmt. Sci. 3412 (2016) (finding that Yelp’s automated filter flagged about 16% of restaurant reviews as suspicious).

[11] Julian Morris, Consumer Protection in the 21st Century, ICLE Issue Brief 2023-02-24, at 1 (Feb. 24, 2023), https://laweconcenter.org/wp-content/uploads/2023/02/Morris-consumer-protection-in-the-21st-century-2-24-23.pdf.

[12] PCI Sec. Standards Council, https://www.pcisecuritystandards.org (last visited Feb. 19, 2026).

[13] PayPal Editorial Staff, What Is a Payment Gateway and How Does It Work?, PayPal Bus. Res. Ctr. (June 18, 2024), https://www.paypal.com/us/brc/article/what-is-a-payment-gateway.

[14] Julian Morris, Peer-to-Peer and Real-Time Payments: A Primer, ICLE Issue Brief (Aug. 21, 2023), https://laweconcenter.org/wp-content/uploads/2023/08/RTP-primer.pdf.

[15] Coalition for Content Provenance and Authenticity, https://c2pa.org (last visited Feb. 19, 2026).

[16] The Coalition for Content Provenance and Authenticity (C2PA) uses the X.509 digital-certificate standard, the same standard underlying Secure Sockets Layer (SSL) and Transport Layer Security (TLS).

[17] OpenAI, C2PA in ChatGPT Images, OpenAI Help Ctr., https://help.openai.com/en/articles/8912793-c2pa-in-chatgpt-images (last visited Feb. 19, 2026). C2PA metadata embedded in images generated with ChatGPT or OpenAI’s API allows users to verify provenance information—such as whether an image was created using ChatGPT or the DALL·E-3 model—unless the metadata has been removed.

[18] Digimarc Labs, C2PA Content Credentials, Chrome Web Store, https://chromewebstore.google.com/detail/c2pa-content-credentials/mjkaocdlpjmphfkjndocehcdhbigaafp (last visited Feb. 19, 2026). The extension allows users to verify whether images, audio, or video files contain C2PA manifests and to validate those manifests to reveal information about the content’s origin and history.

[19] See, e.g., Adobe, Content Authenticity and AI Survey (2024) (finding that about 77% of U.S. consumers are concerned about distinguishing real from AI-generated content).

[20] The limited adoption of C2PA browser extensions—see note 17—is one indicator. As of mid-2025, no major social-media platform or news outlet had implemented consumer-facing C2PA verification at scale.

[21] See, e.g., Google DeepMind, SynthID, https://deepmind.google/science/synthid (describing a system that embeds imperceptible digital watermarks in AI-generated images, audio, text, and video so that the content can later be identified as machine-generated); Emma Roth, Google’s SynthID Watermark Can Identify AI-Generated Images, The Verge (Aug. 29, 2023), https://www.theverge.com/2023/8/29/23849107/synthid-google-deepmind-ai-image-detector. SynthID embeds invisible digital watermarks directly into AI-generated media so that they remain imperceptible to users but detectable by specialized tools, helping identify whether content was produced by generative AI.

[22] See, e.g., SSL Certificate Authorities: Historical Yearly Trends in Usage Statistics, W3Techs, https://w3techs.com/technologies/history_overview/ssl_certificate; Cloudflare, Introducing Universal SSL (Sept. 29, 2014), https://blog.cloudflare.com/introducing-universal-ssl (noting that Cloudflare doubled the number of HTTPS sites on the internet when it launched free Universal SSL in 2014).

[23] See, e.g., Andrei Z. Broder et al., Syntactic Clustering of the Web, 29 Computer Networks & ISDN Sys. 1157 (1997); GeeTest, History of CAPTCHA—The Origin Story, https://www.geetest.com/en/article/captcha-origin.

[24] Luis von Ahn, Manuel Blum, Nicholas J. Hopper & John Langford, CAPTCHA: Using Hard AI Problems for Security, in Advances in Cryptology—EUROCRYPT 2003 294 (Eli Biham ed., 2003).

[25] Gausebeck-Levchin Test, Golden, https://golden.com/wiki/Gausebeck-Levchin_test-EKMBKKR (last visited Feb. 19, 2026).

[26] Luis von Ahn et al., reCAPTCHA: Human-Based Character Recognition via Web Security Measures, 321 Science 1465 (2008).

[27] Id.; see also Google, Teaching Computers to Read: Google Acquires reCAPTCHA (Sept. 16, 2009), https://googleblog.blogspot.com/2009/09/teaching-computers-to-read-google.html.

[28] What Is CAPTCHA?, IBM Think, https://www.ibm.com/think/topics/captcha (last visited Feb. 19, 2026); Ciarán Daly, “I’m Not a Robot”: Google’s Anti-Robot reCAPTCHA Trains Their Robots to See, AI Bus. (Oct. 25, 2017), https://aibusiness.com/companies/-i-m-not-a-robot-google-s-anti-robot-recaptcha-trains-their-robots-to-see.

[29] Katharine Schwab, Suspicious of Google’s reCAPTCHA? Here’s a Popular Alternative, Fast Company (July 17, 2019), https://www.fastcompany.com/90377406/suspicious-of-googles-recaptcha-heres-a-popular-alternative; Intuition Machines, About hCaptcha, https://www.hcaptcha.com/about.

[30] Cloudflare, Our Story, https://www.cloudflare.com/our-story (describing how Matthew Prince and Lee Holloway founded Project Honey Pot in 2004 to track how spammers harvested email addresses); see also Project Honey Pot, https://www.projecthoneypot.org (last visited Feb. 19, 2026); Matthew Prince, Cloudflare’s First Birthday, Cloudflare Blog (Sept. 27, 2011), https://blog.cloudflare.com/cloudflares-first-birthday.

[31] Historical Yearly Trends in the Usage Statistics of Reverse Proxy Services for Websites, W3Techs, https://w3techs.com/technologies/history_overview/proxy/all/y.

[32] Thomas Claburn, Cloudflare Dumps Google’s reCAPTCHA, Moves to hCaptcha as Free Ride Ends (and Something About Privacy), The Register (Apr. 9, 2020), https://www.theregister.com/2020/04/09/cloudflare_dumps_recaptcha.

[33] Reid Tatoris, Adam Martinetti & Benedikt Wolters, Cloudflare Is Free of CAPTCHAs; Turnstile Is Free for Everyone, Cloudflare Blog (Sept. 28, 2023), https://blog.cloudflare.com/turnstile-ga; Migrate from hCaptcha, Cloudflare Turnstile Docs, https://developers.cloudflare.com/turnstile/migration/hcaptcha (last visited Feb. 19, 2026).

[34] Heather Chen & Kathleen Magramo, Finance Worker Pays Out $25 Million After Video Call with Deepfake ‘Chief Financial Officer’, CNN (Feb. 4, 2024), https://www.cnn.com/2024/02/04/asia/deepfake-cfo-scam-hong-kong-intl-hnk.

[35] See, e.g., Estonian Digital Identity, e-Estonia, https://e-estonia.com/solutions/e-identity/id-card; see also BankID Norge, Norwegian Digitisation Agency, https://www.bankid.no.

[36] X-Road Architecture, X-Road, https://x-road.global/architecture; Republic of Est. Info. Sys. Auth., X-Road Factsheet, https://www.ria.ee/en/state-information-system/x-tee; see also Privacy Int’l, ID Systems Analysed: e-Estonia (2021), https://privacyinternational.org/case-study/4737/id-systems-analysed-e-estonia; Nordic Inst. for Interoperability Sols. (NIIS), X-Road World Map, https://x-road.global/xroad-world-map (showing implementations in Finland, Iceland, Japan, Ukraine, and other jurisdictions); see also Nordic Inst. for Interoperability Sols. (NIIS), About NIIS, https://niis.org.