Your cursor gives you away
Ask a human to click a checkbox and watch the cursor. It will overshoot slightly, correct, curve toward the target, decelerate as it approaches, and land with a final micro-adjustment. Ask a script to do the same thing and the cursor either teleports — no path at all — or glides in a mathematically perfect line at constant velocity. That difference is not a matter of effort or skill. It is physiology.
▶Why humans can't fake straight
Human pointing follows well-studied motor-control laws. Fitts's law says movement time scales with distance and target size; more importantly for detection, real movements are built from submovements — an initial ballistic launch toward the target followed by one or more corrective adjustments as the visual system reports the error. The result is a velocity curve with a characteristic asymmetric bell shape, jitter from muscle tremor, and curvature that no two trajectories repeat exactly.
Automation has the opposite signature. Programmatic clicks fire with no preceding pointer events. Naive movement synthesis interpolates linearly, producing constant velocity and zero curvature. Even sophisticated 'ghost cursor' libraries that generate Bézier curves tend to produce paths that are too smooth: humans are noisy in a specific way — variance in velocity, direction changes near the target, dwell before the click — that is surprisingly expensive to model convincingly.
▶What a detector actually measures
- Path ratio: traveled distance divided by straight-line distance. Humans land around 1.05–1.3; a ratio of exactly 1.0 is a machine.
- Velocity variance: the spread of instantaneous speeds along the path. Constant speed is a synthesis artifact.
- Micro-corrections: count of small direction changes, especially in the final approach. Zero is suspicious.
- Time-to-click: real pointing takes 300ms–1.5s depending on distance; sub-100ms acquisition of a small target is beyond human motor control.
- Event provenance: whether pointer events carry the isTrusted flag or arrive in physically impossible sequences.
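The first four measurements above, computed over a list of pointer samples. This is an added example, not this site's detector code: the function names, the 30-degree turn cutoff, the use of coefficient of variation for speed spread, and its 0.1 floor are assumptions, and both sample paths are constructed.

```javascript
// Samples are {x, y, t} with t in milliseconds, ending at the click position.
const TURN_RAD = Math.PI / 6;   // assumed cutoff for counting a direction change
const MIN_SPEED_CV = 0.1;       // assumed floor for speed variation (std dev / mean)

function pathFeatures(samples) {
  let traveled = 0;
  const speeds = [], headings = [];
  for (let i = 1; i < samples.length; i++) {
    const dx = samples[i].x - samples[i - 1].x;
    const dy = samples[i].y - samples[i - 1].y;
    const dt = samples[i].t - samples[i - 1].t;
    const d = Math.hypot(dx, dy);
    if (d === 0 || dt <= 0) continue;       // skip dwell and out-of-order samples
    traveled += d;
    speeds.push(d / dt);
    headings.push(Math.atan2(dy, dx));
  }
  if (speeds.length === 0) return { noPath: true };  // click with no preceding movement
  const first = samples[0], last = samples[samples.length - 1];
  const straight = Math.hypot(last.x - first.x, last.y - first.y);
  const mean = speeds.reduce((a, s) => a + s, 0) / speeds.length;
  const sd = Math.sqrt(speeds.reduce((a, s) => a + (s - mean) ** 2, 0) / speeds.length);
  let microCorrections = 0;
  for (let i = 1; i < headings.length; i++) {
    let turn = Math.abs(headings[i] - headings[i - 1]);
    if (turn > Math.PI) turn = 2 * Math.PI - turn;   // wrap the angle into [0, pi]
    if (turn > TURN_RAD) microCorrections++;
  }
  return {
    noPath: false,
    pathRatio: straight > 0 ? traveled / straight : null,
    speedCv: sd / mean,
    microCorrections,
    timeToClickMs: last.t - first.t,
  };
}

function flags(f) {
  if (f.noPath) return ['no pointer path before click'];
  const out = [];
  if (f.pathRatio !== null && f.pathRatio < 1.001) out.push('path ratio ~1.0');
  if (f.speedCv < MIN_SPEED_CV) out.push('constant speed');
  if (f.microCorrections === 0) out.push('no direction changes');
  if (f.timeToClickMs < 100) out.push('sub-100ms acquisition');
  return out;
}

// Constructed sample paths (not real telemetry): a linear glide and a curved approach with overshoot.
const linear = Array.from({ length: 11 }, (_, i) => ({ x: 30 * i, y: 40 * i, t: 8 * i }));
const curved = [[0,0,0],[12,4,40],[60,30,90],[150,95,150],[240,180,220],[300,260,300],
  [318,300,380],[309,306,470],[303,299,560],[300,300,640]].map(([x, y, t]) => ({ x, y, t }));
console.log(flags(pathFeatures(linear)), flags(pathFeatures(curved)));
```

The linear path trips all four checks; the curved path, with a ratio of about 1.11 and three direction changes in its final approach, trips none.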
▶The arms race, honestly
Cursor analysis is not unbeatable — nothing client-side is. Recorded human sessions can be replayed; generative models can be trained on real telemetry. But every escalation costs the attacker more: replay libraries leave statistical fingerprints of their own (identical paths across 'different users' is itself a signal), and modeling human noise well enough to fool a classifier costs more than most campaigns are worth. Behavioral signals follow the same economics as every other anti-bot layer — the point is not to be impossible, it is to be expensive. The captcha on this site's bot-check page runs a small version of exactly this analysis, client-side, so you can watch your own curvature score in real time.