Looper Dot Framework

The core insight is that human visual attention is involuntary and pre-attentive. When a single, high-contrast colour dot is presented on an otherwise empty field, the human visual system processes it in under 200 milliseconds through what neuroscience calls the "pop-out effect." This is a bottom-up, stimulus-driven response that cannot be suppressed.

Automated programs, by contrast, interact with web pages through the Document Object Model (DOM) — a structured tree of HTML elements. They do not render pixels, do not perceive colour saliency, and do not experience involuntary visual attention. Even sophisticated bots that simulate mouse movements must programmatically locate the dot's coordinates from the DOM before generating synthetic interaction events.

This fundamental asymmetry — between genuine visual perception and programmatic DOM traversal — creates a detection surface that is robust, fast, and frictionless.

The Looper Dot interface introduces a deliberate geometric asymmetry between two constructs: the Pupil and the Dot.

The Pupil is a mathematical point — a single set of coordinates (x, y) on the background grid, representing the true centre of the verification target. It has no physical area. It is the abstract anchor from which the system measures all interaction offsets.

The Dot is the visual stimulus presented to the user — a luminous sphere that occupies significant screen real estate (56px diameter by default, scaling with viewport). The Dot is deliberately much larger than the Pupil. Its visual footprint covers hundreds of touchable pixels.

This size differential creates what we term "touch entropy" — the probabilistic distribution of where a human will make contact within the Dot's area. Because the Dot is large and the human finger or cursor is imprecise, every genuine human touch lands at a slightly different offset from the Pupil. The touch coordinates form a natural distribution around the Pupil's centre, with variance determined by the user's motor control, device type, finger size, screen size, and interaction angle.

A bot, by contrast, must extract the Dot's coordinates from the DOM (typically via getBoundingClientRect() or similar API calls). This yields the Pupil — the mathematical centre. When a bot dispatches a synthetic click event, it targets this exact coordinate. The result is a click offset of zero or near-zero pixels from the Pupil. Even if the bot adds random noise to simulate imprecision, the noise distribution is typically uniform or Gaussian with artificially chosen parameters — distinguishable from the natural distribution produced by genuine human motor control.

The entropy of human touch is therefore a function of the Dot-to-Pupil ratio. The larger the Dot relative to the Pupil, the greater the entropy — and the more information each touch event carries about the authenticity of the interaction. This is why the Dot is deliberately oversized: it maximises the detection surface while remaining a single, effortless interaction for the user.

Critically, this entropy is device-agnostic. On desktop, mouse movements produce a trajectory with spatial variance. On mobile, finger taps produce a contact point with positional variance. On tablets, stylus touches produce yet another distribution. In every case, the Pupil-vs-Dot asymmetry ensures that genuine human interaction generates measurable entropy — while bot interaction collapses to a deterministic point.

The framework operates across five concurrent detection layers, each analysing a different category of behavioural signal. No single layer is sufficient for a definitive verdict; instead, all signals are combined into a weighted "humanity score" that provides probabilistic confidence. The scoring weights adapt dynamically based on the input modality (mouse vs touch).

Layer I — Involuntary Attention Response: Measures the time elapsed between the dot's visual render and the user's first mouse movement or touch event. Genuine human reaction times fall within a characteristic distribution (200-800ms for desktop, 80-2000ms for mobile) with natural variance. Bot reaction times are either near-instantaneous (<50ms, indicating direct DOM coordinate extraction) or artificially delayed with suspiciously low variance.

Layer II — Motor Signature Analysis (Desktop-Primary): Captures the full trajectory of the cursor as it moves toward the dot. Human motor control produces curved paths with variable velocity, acceleration, and micro-corrections. The trajectory is analysed for linearity (straight paths are bot-like), velocity variance (constant speed is bot-like), and curvature complexity. On mobile devices, this layer is de-weighted because users tap directly rather than tracing a path — any touch-move micro-movements detected during the tap are treated as a bonus signal.

Layer III — Interaction Physics: Analyses the physical act of clicking or tapping the dot. Key signals include click/tap duration (humans hold for 50-300ms; bots execute instantaneously), pointer offset from the dot's centre (humans are imprecise; bots target the exact centre), and release dynamics. On mobile, the acceptable precision range is wider because finger taps are inherently less precise than mouse clicks.

Layer IV — Environmental Context: Passively fingerprints the browser environment to detect headless browsers (Puppeteer, Playwright), automation frameworks (Selenium WebDriver), and virtual machines. Checks include: navigator.webdriver flag, plugin count, language settings, screen dimensions, touch/UA consistency, DeviceMotionEvent availability, timing resolution, and Notification API presence. This layer operates without any user interaction and provides a baseline environmental trust score.

Layer V — Cookie Archaeology: Analyses the visitor's local storage and cookie history to distinguish organic human browsing patterns from bot-generated sessions. This layer examines: (a) whether a prior fingerprint exists and its age; (b) the diversity and variance of the visit log — including path diversity, scroll depth variance, session duration patterns, and inter-visit timing intervals; (c) whether localStorage is accessible at all (many headless browsers block it); and (d) the presence of other organic browser signals such as existing cookies and browsing history depth.

The Cookie Archaeology layer is based on a fundamental observation: humans accumulate organic, messy, diverse browsing histories over time. Bots operate in clean, ephemeral sessions with no prior state.

Fingerprint Persistence: On first visit, the system writes a timestamped fingerprint to localStorage. On subsequent visits, the fingerprint's age is measured. A fingerprint older than 30 minutes earns a small trust bonus. One older than 24 hours earns more. One older than a week earns the maximum age bonus. Bots operating in fresh browser instances or incognito mode will never have an aged fingerprint.

Visit Log Analysis: Each page visit is recorded with four data points — timestamp, URL path, scroll depth (as percentage of page height), and session duration. The system analyses this log for diversity signals that characterise human behaviour:

Path Diversity — Humans visit multiple pages. A visit log containing only one unique path is less trustworthy than one with varied navigation patterns.

Scroll Depth Variance — Humans scroll to different depths on different pages depending on content interest. A visit log where every entry shows identical scroll depth (e.g., 0% or 100%) suggests automated behaviour.

Timing Interval Variance — The time gaps between human visits are irregular — sometimes minutes apart, sometimes hours or days. Bots that revisit at perfectly regular intervals produce suspiciously low timing variance.

Session Duration Patterns — Human sessions vary in length. A log of visits all lasting exactly the same duration is a bot signature.

Storage Accessibility: The system tests whether localStorage read/write operations succeed. Many headless browser configurations and privacy-hardened automation frameworks block or restrict storage access. The ability to write and read back a test value is itself a weak positive signal.

Organic Browser Signals: The system checks for the presence of other cookies (indicating prior web activity) and the depth of window.history (indicating genuine navigation history). These are passive checks that require no user interaction.

Privacy Safeguard: All cookie archaeology data is stored locally on the user's device. No fingerprint data, visit logs, or browsing history is transmitted to any server. The data is used solely for local scoring during the verification session. The visit log is capped at 50 entries and automatically trimmed.

The scoring model adapts its weight distribution based on the detected input modality. This is critical because desktop and mobile interactions produce fundamentally different behavioural signals.

Desktop Scoring (Mouse Input): — Involuntary Attention (Layer I): 15 points — Motor Signature (Layer II): 15 points — Interaction Physics (Layer III): 20 points — Environmental Context (Layer IV): 15 points (0.6× weight) — Cookie Archaeology (Layer V): 15 points (0.6× weight) — Maximum theoretical score: 80 points

Mobile Scoring (Touch Input): — Involuntary Attention (Layer I): 20 points — Motor Signature (Layer II): 5 points (bonus only — micro-movements during tap) — Interaction Physics (Layer III): 25 points (tap duration + precision) — Environmental Context (Layer IV): 25 points (full weight — critical for mobile bot detection) — Cookie Archaeology (Layer V): 25 points (full weight — compensates for absent trajectory data) — Maximum theoretical score: 100 points

The pass threshold is set at 35 points. This threshold is deliberately set below the midpoint to minimise false rejections of legitimate human users — particularly first-time visitors on mobile devices who have no prior cookie history and produce minimal trajectory data. The system is designed to err on the side of admitting humans rather than blocking them.

Score Composition Philosophy: On desktop, the five layers contribute relatively evenly. On mobile, Layers IV and V carry significantly more weight because Layer II (trajectory) is largely unavailable. This ensures that mobile users are not penalised for the absence of mouse movement data — instead, the system compensates by relying more heavily on environmental and historical signals.

Anti-Replay Protection: Each verification session is bound to a unique, server-generated cryptographic nonce. The nonce is embedded in the client-side agent and included in the data package submitted for analysis. The server validates and expires the nonce upon use, preventing replay attacks.

Adaptive Difficulty: The system can dynamically adjust the verification challenge based on the environmental trust score. In high-risk contexts (detected VPN, suspicious browser fingerprint, zero cookie history), additional behavioural signals may be collected before rendering a verdict.

Cookie Poisoning Resistance: A sophisticated attacker could attempt to pre-populate localStorage with a fabricated fingerprint and visit log. The system mitigates this through: (a) cross-referencing the fingerprint timestamp with the visit log timeline for consistency; (b) analysing the statistical distribution of visit log entries — fabricated logs tend to lack the natural variance of organic browsing; (c) treating the cookie score as one of five layers, so even a perfect cookie score cannot compensate for failed behavioural signals.

Privacy by Design: Looper Dot does not require phone numbers, email addresses, or cross-site tracking. Behavioural data is ephemeral — collected during the verification session and discarded after scoring. Cookie archaeology data is stored locally and never transmitted. No personally identifiable information is stored or transmitted to any server.

Accessibility: The dot interaction is designed to work with assistive technologies. Keyboard-only users can trigger verification via the Enter key, with the motor signature analysis adapted to measure keystroke dynamics instead of mouse trajectories.

The Looper Dot user interface design, interaction pattern, detection methodology, and visual identity are the proprietary intellectual property of Looper Group. The design is being registered under the Registered Designs Ordinance (Cap. 522) of the Hong Kong Special Administrative Region.

The registered design encompasses: (a) the visual composition of a single colour dot presented on a clean, minimal interface as a human verification mechanism; (b) the specific animation sequences associated with the verification states (idle, tracking, analysing, success, failure); (c) the overall screen layout including the sacred geometry background elements and the Looper Group branding placement; (d) the five-layer detection architecture including the Cookie Archaeology methodology.

Trademark: "Looper Dot" and the associated logo mark are trademarks of Looper Group, registered in Hong Kong SAR.