
Saturday, December 20, 2014

The new "No-captcha", how does it "sense" in which relationship it is served?

I have found out about the new no-captcha. How does it sense the application/relationship it is served in, and set the correct security level? The security level, and the acceptable bot activity, depends on the application. For example:

A signup form: Here it does not matter if a bot succeeds in registering 5-10 accounts, because those accounts can be cleaned off easily (banned or removed).

A post form: Same here.

A search form: Here it does not matter if a bot successfully launches 100 searches, but 10 000 does matter to the load of the server.

But the most sensitive application: A LOGIN form. Here it's dangerous if even one single bot request slinks through, because the captcha is there most of the time to prevent CSRF, XSS, brute-force attacks, session stealing and active sniffing and "race" attacks.

I guess No-captcha uses some sort of "hash-cash" scheme where the client is asked to computationally solve a challenge, combined with a rate-limiting system, where the No-captcha application checks if there are successful or failed solves from the same IP address previously in a short time, and based on this information decides if it should present a real captcha or not.

I guess that a bot can successfully, with a high rate of success (90%+), pass the first No-captcha given a specific set of credentials (IP, cookies, user agent and so on)? Am I right? But subsequent requests become harder and harder due to the rate limits kicking in and displaying a real captcha? Or how does No-captcha weed out the first bot request ever? Let's say a client IP that No-captcha has never seen, it bears normal Google cookies, and it does have a sensible user agent matching, let's say, 50% of the population. And this client is a bot. What prevents a bot from checking the checkbox and then solving the computationally hard challenge (hashcash), which would take 5 seconds to solve, but would be solved with 100% certainty?
-- You received this message because you are subscribed to the Google Groups "reCAPTCHA" group. To unsubscribe from this group and stop receiving emails from it, send an email to recaptcha+unsubscribe@googlegroups.com. To post to this group, send email to recaptcha@googlegroups.com. Visit this group at http://bit.ly/1dkFnYd. For more options, visit http://bit.ly/P65DvS.
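The poster guesses at a proof-of-work ("hashcash") challenge combined with per-client rate limiting that escalates to a real captcha. The following is an added illustration of exactly that guessed scheme, written for this page; it is not Google's reCAPTCHA code and does not describe how reCAPTCHA actually decides. The salt, difficulty values, the `ClientPolicy` class and the sample client key `203.0.113.7` are all constructed for the example. It shows the poster's own point: any client that is willing to spend CPU time solves the challenge with certainty, so proof of work only throttles, and the per-client history is what has to decide when to stop accepting it.

```python
import hashlib
import os
import time
from collections import defaultdict, deque
from typing import Optional

# Illustration of a hashcash-style challenge plus per-client escalation.
# Assumption: this is the scheme the poster speculates about, not reCAPTCHA's.


def issue_challenge(difficulty_bits: int) -> dict:
    """Server side: a random salt the client must find a nonce for."""
    return {"salt": os.urandom(8).hex(), "bits": difficulty_bits}


def _leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest (the hashcash 'difficulty')."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def verify_solution(challenge: dict, nonce: int) -> bool:
    """Server side: one SHA-256 to check SHA-256(salt:nonce) meets the target."""
    data = f"{challenge['salt']}:{nonce}".encode()
    return _leading_zero_bits(hashlib.sha256(data).digest()) >= challenge["bits"]


def solve_challenge(challenge: dict, max_iterations: int = 10_000_000) -> Optional[int]:
    """Client side: brute-force the nonce. A browser and a bot are
    indistinguishable here; both succeed given roughly 2**bits hashes."""
    for nonce in range(max_iterations):
        if verify_solution(challenge, nonce):
            return nonce
    return None


class ClientPolicy:
    """Per-client decision: how much proof of work to demand, and when to
    stop accepting proof of work and require an interactive captcha.

    The client key (IP address here) is a constructed choice; a real
    deployment would key on more than one signal.
    """

    def __init__(self, base_bits: int = 12, step_bits: int = 2,
                 max_pow_attempts: int = 5, window_s: float = 60.0):
        self.base_bits = base_bits
        self.step_bits = step_bits
        self.max_pow_attempts = max_pow_attempts
        self.window_s = window_s
        self.events = defaultdict(deque)  # client key -> attempt timestamps

    def _prune(self, key: str, now: float) -> None:
        q = self.events[key]
        while q and now - q[0] > self.window_s:
            q.popleft()

    def record_attempt(self, key: str, now: Optional[float] = None) -> None:
        """Record one challenge issued to this client (success or failure)."""
        self.events[key].append(time.monotonic() if now is None else now)

    def decide(self, key: str, now: Optional[float] = None) -> dict:
        """Escalate difficulty per recent attempt; past the cap, proof of
        work is no longer accepted and an interactive captcha is required."""
        now = time.monotonic() if now is None else now
        self._prune(key, now)
        n = len(self.events[key])
        if n >= self.max_pow_attempts:
            return {"mode": "interactive_captcha"}
        return {"mode": "proof_of_work", "bits": self.base_bits + self.step_bits * n}


if __name__ == "__main__":
    policy = ClientPolicy()
    client = "203.0.113.7"  # constructed sample client key
    for _ in range(6):
        decision = policy.decide(client)
        if decision["mode"] != "proof_of_work":
            print("escalated to interactive captcha")
            break
        challenge = issue_challenge(decision["bits"])
        nonce = solve_challenge(challenge)
        print(decision["bits"], "bits:", verify_solution(challenge, nonce))
        policy.record_attempt(client)
```

Running the script prints a short sequence of successful proof-of-work verifications at rising difficulty, then the switch to an interactive captcha once the attempt cap inside the window is reached, which is the "subsequent requests become harder" behaviour the post describes. The first request from a never-seen client is accepted on proof of work alone, so the scheme as sketched cannot weed out that first bot request; only the history afterwards changes the outcome.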
