There seem to be three practical workarounds. [Which I will hide behind the nifty new lj-spoiler tag, for those who don't care.]
First is the one suggested by
laurion and Aaron: wrap the Google Form in a homebrew page that *does* contain adequate security measures. This is the most effort, but allows more or less arbitrary security -- at that point, you can implement pretty much whatever you think is appropriate. IMO it's overkill for the project at hand, but probably best for any form that is going to get really wide distribution. (And thus, is likely to get more seriously attacked.)Second is an idea talked about in some of the Google forums: use page branching to honeypot the spambots to death. While Google Forms is quite simplistic, it *does* have basic branching capabilities: that is, depending on Answer A on page 1, you get to page 2, 3, or whatever. So you can theoretically define a single answer which is obviously correct to a human, but not to a computer, and branch to a dead end if the wrong answer is given, or even just sit and loop back to the same page. Nice in principle; however, it only works for multiple-choice answers, so a spambot that simply chooses those randomly is still going to get through unacceptably often.
So the third option, which I think is probably best for the use case I have, is a variant of that: have a question that requires *text* entry, for which the answer is trivially easy for the intended audience but unguessable for a spambot, ideally one that requires at least slight knowledge of the problem domain. Then you add a script to the spreadsheet itself (yes, as it turns out Google Docs is pretty nicely scriptable), that fires when a form is submitted, checks the entry, and deletes the row if the answer isn't correct. The result is a lot of traffic for Google, but is basically invisible for us.
It takes only a few minutes to implement (assuming you have an appropriate question for your audience), so it's a reasonable workaround until and unless Google comes up with a real answer. (Indeed, it's probably *better* than ordinary captchas in most cases, because it's less mental effort for your real audience...)
