Surely this ML must be presented a wide set of data on the user and their browser to make this determination? So just like recaptcha, they determine if they should admit you based on passively snooped data rather than active challenges.
My knowledge of this is that hCaptcha uses anonymized user data to ensure that the user doesn't look like a bot. What ReCAPTCHA did differently is not only not anonymizing data, but specifically trying to find out which person was presented with their captcha by matching cookies and profiles to Google accounts (which the majority of users would have and be logged into for many reasons). When you combine this with Google owning everything from Gmail to Youtube to Android to Chrome, it gets extremely pervasive.
