So first I’d like to address the notion that we’re a public service. We’re not. We service our customers who look to protect and/or enhance their properties by using our services. Our goal is to make the internet faster, safer and more secure for everyone, but I’d argue that is not the same thing.
That doesn’t mean that we want to intentionally torture visitors to a website because a. that’s just not cool and b. our customers probably wouldn’t appreciate it if we did that to their visitors/customers.
As to your concerns, there are a couple of reasons that a user could be subjected to captchas. One is due to their country of origin, ASN, IP range or IP address being one that customers choose to challenge. There’s not anything we can do about that as it is the Cloudflare customer’s choice to place an additional bar on your visit. So if you’re browsing from North Korea or from a VM at Digital Ocean I wouldn’t be surprised if the reason you were seeing a captcha was a geographical decision by a Cloudflare customer.
The other reason is one of IP reputation. I understand that you might want insight into why a given IP address is considered disreputable, but the how and why are a complicated answer wrapped in multiple algorithms and sources of data. So it’s not easy for us to cite a specific reason and even if we could I’m not sure we’d want to as it could be used as a vector by unscrupulous parties to try to find weaknesses in our approach.
What we have considered doing (and I was actually having a conversation with someone around this last week regarding the potential rules logic) is allowing a visitor a way to request removal of the IP of the machine they use to connect to a request page from Cloudflare’s IP reputation DB (or a downgrade of badness) for a short time and/or the ability to request the removal of a limited number of other IP addresses.
There are some challenges with this approach (especially with shared IP address/NAT scenarios) but I think we agree that some mechanism for trying to clean an IP’s rep would be a good thing. In general if an IP is no longer acting poorly it will also fall off the naughty list after nn days as well. So it’s something we’re actively discussing internally and the desire is to provide a mechanism for users with IP reputation issues an avenue to try to reset their reputation… but the exact parameters and method are still TBD.
Beyond that however the captcha loop sounds like a separate problem from the reputation of the IP address itself. Have you tried using a different browser/rebooting/other Google captcha loop troubleshooting steps?