Google broke reCAPTCHA for de-googled Android users

My understanding is that this new reCAPTCHA is basically just remote attestation.

Remote attestation doesn't use blind signatures (as that would be 'farmable') so tying the device to the 'attestee' is technically possible with collusion of Google servers: EK (static burned-in private key) -> AIK (ephemeral identity key in secure enclave signed by a Google server) -> attestation (signed by AIK). As you can see if the Google server logs EK -> AIK conversions an attestation can be trivially traced to your device's EK. This is also why we don't really see and probably never will see online services which offer fake remote attestations, as it will be pretty obvious that the next step of running such a service is getting Google as a customer and having all your devices blacklisted. Private farms probably won't last long either as I'm sure Google logs everything and will correlate.

Unless something special is done with this new reCAPTCHA not only are you locking internet services behind TPM chips but you are also surrendering anonymity to Google. Unless you acquire untraceable burners for every service, the new reCAPTCHA will be technically capable to tying all your accounts across all these services together. Much like age verification. It may appear that the service would need to cooperate to link the reCAPTCHA session to your registration but the registration time alone will likely be sufficient (the anonymity set will be all but destroyed).

> People running de-Googled phones chose those setups because they read the data practices, understood what Play Services phones home about, and decided they didn’t consent.

This is wrong. Many (most?) users of alternative Android OSes do use a variant of the Play Services (be it sandboxed Play Services like on GrapheneOS, or an open source, reverse engineered implementation like microG that phones home just the same).

Google seems to be leveraging Play Integrity here, which requires that the phone OS is signed by Google. This is clearly anticompetitive, I hope the DMA will do something about that.

I've kept a spare cheap android for too long and recently went with Graphene instead. I have one Google profile and only use it for Uber, work's Google Chat and maps. One bank refused to work (even with Google services) so I moved bank. I've moved most of my mobile use to self hosted (freshrss full text, password manager, calendar, tasks) with no direct internet connection.

It's a bit irritating but I'm glad I started down this journey because it looks more and more like I'm going to be avoiding the internet

archive.is just asked me for a QRcode scan, I'm so ashame of that crap (it's behind Cloudflare), forcing website visitors to KYC? Are you guys insane!?

the web is ruined if you push for this, this is millions of websites that will suddenly force KYC? What...the...f

https://ibb.co/X9Q6Y84

By KYC, obviously it's because there is very few non-criminal ways to have a SIM without KYC and get a Google account for Playstore without a number, so every website visits will be attached to a real ID.

I don't use a stock Android, right now I literally can't access many websites, this is genuinely crazy.

It's a move to block competitor AI agents while securing access for your own, classic ladder kick. The market for autonomous agents providing services and doing online work will be gigantic so, unless you want your own bots locked out from ie properties guarded by Amazon, CloudFlare, Microsoft etc., you will need a bargaining chip.

I'm failing to see why they didn't just adopt Private Access Tokens (not that they're great either), where they could have at least:

- pretended that it wasn't all about invading peoples' privacy.

- done a good ol' fashioned "but Apple does it"

- pretended to be standards-oriented

- advertised it as something completely transparent to the end-user

Seems like that would've caused a lot less backlash while still achieving the goal of having some form of device attestation -- but I'm guessing that's not the real goal.

I would love to see someone challenge this as an anti-trust violation. Google is using its market power (as the provider of reCAPTCHA) to actively prevent devices that don’t use Google Play Services from competing effectively.

This is crossing the line where the governments should step in and ban/fine google heavilly for this monopol behavior

I have a good friend who doesn't own a cell phone. He's a math professor. Every year he keeps living life without a smartphone, I continue to be more impressed. Things like this makes me feel like he might have to eventually give in. https://archive.is is now serving, via Cloudflare, this QR code backed CAPTCHAs. There seems no way to get past them without a smartphone. Sad times. I wonder at what point even basic government services will essentially require a smartphone.

Eww. Ok, so, I’ve used reCAPTCHA on sites I maintain at work, just on forms to prevent excessive bot spam submissions. No way do I want to subject users to this BS, though. Does anyone have recommendations for other decent captchas that could be used instead?

This isn't just about weirdos (like me) who run GrapheneOS. Huawei phones don't have Google Play services installed, or Xiaomi phones with MIUI China. That's what, a billion and a half phones that can't get to your website now?

Amazon tablets don't have Google services either, which hints that the upcoming Amazon phones also might not work with this.

Given the way Google is going I'm not sure if my next phone will be Android. I am fully aware that I am probably in the minority here. For me the trust is entirely gone.

Almost completely unrelated, but I recently helped out a very confused family member with deleting not one, but two Google Cloud accounts they had no idea existed, and that they only learned about from an email referencing reCAPTCHA getting integrated into some other Google product offering.

I have absolutely no idea what happened there. My best theory so far is that they clicked on some really, really wrong buttons when solving a captcha themselves while logged in to their Google account in the same browser. Bizarre.

The internet increasingly feels like “prove you’re using the approved computer” instead of “prove you’re human”.

So Stallman was right, after all?

Does anyone know what changed in iOS 16.5 that made Google stop requiring the app? To me it seems to correlate with Private Access Tokens, aka remote attestation by Apple. https://developer.apple.com/videos/play/wwdc2022/10077/

I did something unpopular and just didn't have a captcha, I just read up on creepjs etc and rolled out my own which is just browser state analysis, basic ip check (abuse lists only) and PoW. Haven't had an issue with a single bot registration (yet).

I imagine GrapheneOS is thinking carefully about their statement on this. I look forward to reading it.

I don't even have a smart phone, I assume there is some sort of fallback behavior?

I don't know why reclaimthenet hasn't embraced the obvious answer: Simply create a new smart device operating system with a fully disentangled cosmos of programs, libraries, APIs, app SDKs, hardware partners, drivers, trust networks, carrier agreements, app stores, documentation, conferences...

Sites that use reCAPTCHA/Turnstile/etc. have already been broken for me for years now due to neverending captcha/refresh loops.

My ISP regularly changes everyone's IP, and I apparently share an ISP with people who suck, so I get flagged just trying to do all sorts of normal things. Some examples:

- I've never bought anything from Etsy but I'm somehow banned from even viewing their site at all.

- Discord immediately bans me any time I try to create an account.

- Can't buy flights from Delta, always gives a non-descript error.

- Can't buy concert tickets, it thinks I'm a fraudulent buyer.

- Most CF sites produce a "Sorry, you have been blocked" page, or just loop.

- Trying to buy products on a shopping cart will have my order silently flagged/canceled for "VPN usage" (I don't use one).

- Some sites/programs block me for being on the DroneBL or similar lists I did nothing to get onto, and have verified many times that it's not really coming from me.

I just take my business elsewhere... eventually I'll probably just stop using technology at all.

I long ago stopped using any webpage that uses a captcha. If the website uses one, I bounce.

Its going to be just like the wild days of the late 90s and 2000s

Strap in, the ownage will be hard.

Time for some lawfare!

It’s quite easy to remote control an Android phone with an agent (eg there‘s agent-device). I don’t think this will keep automation from happening.

I'm sorry Google, I'm afraid I can't do that.

Is there a way to just ban all these sites? Like a firefox plugin or whatever that detects this crap, and just bounces over to some place more reputable, like archive.is.

I don't use Android right now and haven't used Google'd Android for almost a decade. And I won't. If this is the hill I die on, so be it.

I'm not going to use any sort of hardware attestation, especially one controlled by Google. You shouldn't either, even if you have an unrooted Google-certified Android phone.

OK, so what are the alternatives, what can developers use instead?

To be fair, there are already apps that require a mobile phone to sign up, for example, VK, Telegram. And I think Google requires to scan a QR code to register account, so it is easier just to buy a Google account on a black market if you need it for some purpose.

Nobody trusts web browsers nowadays.

If there was any remaining doubt whether Google is evil, this settles that yes it is.

Wait, you need a TPM chip?

I don't know what services a TPM chip does provide. Wild guess, some private keys, hidden to the computer user, are used to sign stuff and/or encrypt ?

Anti competitive behaviour ?

We told you. You dismissed it, and thought we were just crazy conspiracy theorists. Too brainwashed by the mainstream propaganda about "threats" to see the truth. Now they're even more emboldened by how much they can herd the sheeple, and showing their actual goals even more clearly.

Spread the news, tell everyone you know, before it's too late. I wish we won't have to resort to even more drastic methods in this fight.

"Those who give up freedom for security deserve neither."

And soon desktop OSes will follow, if you don’t have TPM you won’t be able to browse half of the internet.

This tyrannical and selfish, evil corporation, needs to be broken down. These are not accidents. Just remember how Google killed off ublock origin via a lie:

https://ublockorigin.com/

See the explanation associated with Manifest V3.

What happens with Chinese Huawei phones that don’t have Google services?

I think it's possible to run the Play Services in an emulator, faking the device type. Google doesn't seem to use the platform attestation for now.

For Decades the huge tech companies basically faced no adversity whatsoever. Now for the first time in their existence the massive returned investments in AI they are experiencing ... we will call it pain.

I would say it will be interesting to see what they do but I think rent-seeking, oppression, human rights violations would be more apt.

They were of course trustworthy proviers while they were untouchable but now I know how things are gonna go.

Isn't reCAPTCHA a spam? This video I watched recently does a nice history and also was enjoyable to watch https://youtu.be/seX_rDEsP6E?si

One positive thing about tools like Claude is that I can finally do things where I had originally no time for. For example I asked Claude to debloat windows. Remove everything possible. From firewalls to notepad to uac to whatever. I also asked Claude to root my pixel phone and install another OS. I also asked to install pihole on a old Mac to serve as a dns and block all ads. All this took maybe an hour of my time.

On becoming anti Google, I blocked Google's ASNs (shortcut to block all their IP addresses) on my router the other day as an experiment. It's a little eye-opening.

Obviously you immediately realise just how often you !g in DDG, use Google Flights, YouTube etc. Ok easy enough to fix

Then of course I can't use Play Store (Aurora didn't work either) so my phone would have eventually become quite obsolete

You can't compile many Go projects because the dependencies are pulled from Google

And if you had ALL of Google's ASNs that would include GCP and that's a whole other level of being cut off

The gate to the pig pen is closing…

Related:

Google Cloud fraud defense, the next evolution of reCAPTCHA

https://news.ycombinator.com/item?id=48039362

Google Cloud Fraud Defence is just WEI repackaged

https://news.ycombinator.com/item?id=48063199

Heh

After all the surveillance capitalism abuses over the last 2-3 decades of Web, it's a little late to be pushing back, but... should we start shunning individuals from companies who implement this?

Whether it's from companies that create the tech, or companies that use it.

In the orgy of money, we've had a kind of industry-wide sociopathic convention of individual engineers considering it perfectly OK to further surveillance capitalism.

Can we reverse that?

If someone says we can't, because "everyone does it", are they saying that we're a field of baddies?

[flagged]

Google seems to be putting yet another brick in the garden wall.

[dead]

[dead]

[dead]

[flagged]

[dead]

[dead]

[flagged]

[flagged]

Please stop calling Android Linux. It's a marketing lie that continues to disappoint, including here. You're holding Linux back substantially by claiming Android is part of it. Just because it has Unix doesn't mean it's Linux as MacOS is also Unix.