1 & 2 allow losing money in proportion to time spent afk; 3 sounds workable. I agree that simplifying to 1-click would be a vast improvement. But pay-without-even-doing-anything is getting carried away; requiring some action to confirm a payment is more than an inconvenience. The confirmation could be implicit in the link to the content -- a special-looking link could skip the payment confirmation prompt (which would be used if the same URL is reached by any other means). This would have much of the convenience of 0-click, while meeting the sanity requirement that payment is not made without action agreeing to it.
Another option is implementing an undo style - like Google has with deleted emails - so that you have zero action required but still control to a point. Obviously a bit of diligence is required but if we are talking about micro payments then it's not the most horrible thing in the world if a few slip by. Modern browsers also have a lot more information about a user's current state. With a couple scripts on my site I can pretty much always know if a user is active or not and even throw up a massive modal dialog when they are about to leave the page. If people are doing this shit for newsletter sign ups, something should be able to be done for an idea like this. I do still believe that implementing user controlled certification (yes I'm okay giving my money to this site) is the easiest way to curb abuse. We only need to watch out for the single sites that you visit occasionally or may land on from Google. Almost all the sites I currently visit I trust and I trust not to abuse that trust. And in reality there are really only a handful of sites I visit. Sites like NYTimes and Facebook, etc. The occasional time I'm going to be visiting a site that would pull the abusive behavior you're speaking to, I'm going to be begging for control and knowledge and confirmations. Have you ever heard of our used little snitch? It works very well. It's annoying as hell at first bc you are bombarded with pings from every site but after a couple days, I'm rarely bothered with notifs. When there is a notification, I certainly look carefully and appreciate the intervention. Another option is implementing an undo style - like Google has with deleted emails - so that you have zero action required but still control to a point. Obviously a bit of diligence is required but if we are talking about micro payments then it's not the most horrible thing in the world if a few slip by. Modern browsers also have a lot more information about a user's current state. With a couple scripts on my site I can pretty much always know if a user is active or not and even throw up a massive modal dialog when they are about to leave the page. If people are doing this shit for newsletter sign ups, something should be able to be done for an idea like this. I do still believe that implementing user controlled certification (yes I'm okay giving my money to this site) is the easiest way to curb abuse. We only need to watch out for the single sites that you visit occasionally or may land on from Google. Almost all the sites I currently visit I trust and I trust not to abuse that trust. And in reality there are really only a handful of sites I visit. Sites like NYTimes and Facebook, etc. The occasional time I'm going to be visiting a site or does that would pull the abusive behavior you're speaking to, I'm going to be begging for control and knowledge.