121 comments

[ 2.9 ms ] story [ 92.9 ms ] thread
Sites that use reCAPTCHA/Turnstile/etc. have already been broken for me for years now due to neverending captcha/refresh loops.

My ISP regularly changes everyone's IP, and I apparently share an ISP with people who suck, so I get flagged just trying to do all sorts of normal things. Some examples:

- I've never bought anything from Etsy but I'm somehow banned from even viewing their site at all.

- Discord immediately bans me any time I try to create an account.

- Can't buy flights from Delta, always gives a non-descript error.

- Can't buy concert tickets, it thinks I'm a fraudulent buyer.

- Most CF sites produce a "Sorry, you have been blocked" page, or just loop.

- Trying to buy products on a shopping cart will have my order silently flagged/canceled for "VPN usage" (I don't use one).

- Some sites/programs block me for being on the DroneBL or similar lists I did nothing to get onto, and have verified many times that it's not really coming from me.

I just take my business elsewhere... eventually I'll probably just stop using technology at all.

> I just take my business elsewhere...

Mars? /i

It's not only IP but entire browser stack is being fingerprinted: Javascript, http, tls - everything. I've been living in the SEA region on Linux firefox for the last 10 years and the web has been miserable due to cloudflare and recaptcha
My understanding is that this new reCAPTCHA is basically just remote attestation.

Remote attestation doesn't use blind signatures (as that would be 'farmable') so tying the device to the 'attestee' is technically possible with collusion of Google servers: EK (static burned-in private key) -> AIK (ephemeral identity key in secure enclave signed by a Google server) -> attestation (signed by AIK). As you can see if the Google server logs EK -> AIK conversions an attestation can be trivially traced to your device's EK. This is also why we don't really see and probably never will see online services which offer fake remote attestations, as it will be pretty obvious that the next step of running such a service is getting Google as a customer and having all your devices blacklisted. Private farms probably won't last long either as I'm sure Google logs everything and will correlate.

Unless something special is done with this new reCAPTCHA not only are you locking internet services behind TPM chips but you are also surrendering anonymity to Google. Unless you acquire untraceable burners for every service, the new reCAPTCHA will be technically capable to tying all your accounts across all these services together. Much like age verification. It may appear that the service would need to cooperate to link the reCAPTCHA session to your registration but the registration time alone will likely be sufficient (the anonymity set will be all but destroyed).

worth noting that google/twitter/facebook/reddit/others colluded to combine sessions, identifiers, so that any person getting identified on any one session / ip would be identified on all

so while this comment is apt, i would ask them what they think of the previous chicxulub impact of the 2012 era collusion - which to this day has not been reported on

(just realized emacs bindings work in comments, nice, no ctrl-x tho)

> Much like age verification

Age verification as a technical concept can be done in a privacy-preserving manner! Whether or not we want age verification is another debate, but let's stop making wrong technical claims about that: it doesn't help.

No it can't. If it's done in a truly privacy preserving way then someone can also sell a fake age verification service making the whole thing meaningless.
> (as that would be 'farmable')

It could be contextual, as in each user gets one anonymous id per domain name per day. Multiple uses by the same user at the same domain in the same day are linked.

But much of the purpose of these systems is to violate the public's privacy and exert as much surveillance and control as possible. If not for that schemes that mitigate the privacy loss would be a top priority.

> having all your devices blacklisted. Private farms probably won't last long either as I'm sure Google logs everything and will correlate.

So basically Google can now ban your device from being able to access a huge portion of the internet, in addition to nuking any online presence connected to them.

You could wake up one day and find your device blacklisted from the internet, with no chance of ever reaching customer support. What a lovely future

Please stop calling Android Linux. It's a marketing lie that continues to disappoint, including here. You're holding Linux back substantially by claiming Android is part of it. Just because it has Unix doesn't mean it's Linux as MacOS is also Unix.
And soon desktop OSes will follow, if you don’t have TPM you won’t be able to browse half of the internet.
Not soon, now. The new reCAPTCHA on desktop shows you a QR code for you to scan with your Google-approved phone to prove you have one.
It's a move to block competitor AI agents while securing access for your own, classic ladder kick. The market for autonomous agents providing services and doing online work will be gigantic so, unless you want your own bots locked out from ie properties guarded by Amazon, CloudFlare, Microsoft etc., you will need a bargaining chip.
For Decades the huge tech companies basically faced no adversity whatsoever. Now for the first time in their existence the massive returned investments in AI they are experiencing ... we will call it pain.

I would say it will be interesting to see what they do but I think rent-seeking, oppression, human rights violations would be more apt.

They were of course trustworthy proviers while they were untouchable but now I know how things are gonna go.

I don't know why reclaimthenet hasn't embraced the obvious answer: Simply create a new smart device operating system with a fully disentangled cosmos of programs, libraries, APIs, app SDKs, hardware partners, drivers, trust networks, carrier agreements, app stores, documentation, conferences...
> Simply create a new smart device operating system

Why does it have to be new? Plenty of open source OSes exist... starting with Android! GrapheneOS is based on AOSP, you would call it Android. If I show you a phone running GrapheneOS, you probably won't even realise that it's running an alternative OS: it will be Android to you.

The problem is not that we don't have alternative. The problem is that Google is moving towards forcing everyone to run their OS (or the OSes they accept, since it includes iOS) to connect to random stuff on the Internet. They are literally building technology that will prevent alternative OSes from running properly.

No need to create new OSes if anyway they won't work, right?

I'm failing to see why they didn't just adopt Private Access Tokens (not that they're great either), where they could have at least:

- pretended that it wasn't all about invading peoples' privacy.

- done a good ol' fashioned "but Apple does it"

- pretended to be standards-oriented

- advertised it as something completely transparent to the end-user

Seems like that would've caused a lot less backlash while still achieving the goal of having some form of device attestation -- but I'm guessing that's not the real goal.

The article mentions that they use Private Access Tokens on iOS, so I'm not sure where you're getting the idea that they're "not adopting" them from
Private access tokens are also a repackaged WEI as far as I'm concerned.
I don't use Android right now and haven't used Google'd Android for almost a decade. And I won't. If this is the hill I die on, so be it.

I'm not going to use any sort of hardware attestation, especially one controlled by Google. You shouldn't either, even if you have an unrooted Google-certified Android phone.

"Not using" doesn't make any noise. If you just "don't use", you will just use less and less stuff.

Google doesn't give a shit, but smaller companies are the ones using reCAPTCHA and that kind of shit. Consumers need to complain to those smaller companies. And citizen need to complain to their government, if those case. In the EU there is the DMA: https://digital-markets-act.ec.europa.eu/contact-dma-team_en.

What's sad is that the few citizen who care are often complaining against regulations. And it is the lack of regulations that got us here. We need antitrust, period.

[flagged]
Google seems to be putting yet another brick in the garden wall.
This is crossing the line where the governments should step in and ban/fine google heavilly for this monopol behavior
Oh man as if we still live in those times
"Don't be evil. That's our job."
I don't even have a smart phone, I assume there is some sort of fallback behavior?
If there was any remaining doubt whether Google is evil, this settles that yes it is.
archive.is just asked me for a QRcode scan, I'm so ashame of that crap (it's behind Cloudflare), forcing website visitors to KYC? Are you guys insane!?

the web is ruined if you push for this, this is millions of websites that will suddenly force KYC? What...the...f

https://ibb.co/X9Q6Y84

By KYC, obviously it's because there is very few non-criminal ways to have a SIM without KYC and get a Google account for Playstore without a number, so every website visits will be attached to a real ID.

I don't use a stock Android, right now I literally can't access many websites, this is genuinely crazy.

You can still use the audio captcha, but I’m not sure how long that’ll be around.
The water is already boiling and the frog can't get out anymore.
I just tried using archive.is on my non-degoogled phone using IronFox instead of Chrome and could not pass the recaptcha. Actually it presented me the mobile attestation on second try, but I was able to switch to images again. But I am also unable to pass that one with the tracking protections built into the browser. Hopefully some 'serious' website starts using this so I can bomb their customer support.
For me this archive.is thing has been unusable for a long time already, because they rely on Google Captcha for a long time already and I block Google shit by default. Allowing Google is probably equivalent to showing them your id, due to fingerprinting in the name of "safety". That's why archive.is is not helpful and usually just a tab I close again right away.
Seriously? I didn't realize this was already happening. FWIW I still got the old captcha testing that site, and I often get flagged and blocked, though it's possible you're doing better.
Even crazier is that there is nothing preventing agents from not using this. The hardware, signing, etc. can all operate as part of an autonomous agent stack. There is no benefit here to anyone.
I think it's possible to run the Play Services in an emulator, faking the device type. Google doesn't seem to use the platform attestation for now.
Really that seem almost too easy ?
Given the way Google is going I'm not sure if my next phone will be Android. I am fully aware that I am probably in the minority here. For me the trust is entirely gone.
Android yes, but Graphene is the answer.
I've been getting asked more and more how to degoogle stuff by non-nerds.
Almost completely unrelated, but I recently helped out a very confused family member with deleting not one, but two Google Cloud accounts they had no idea existed, and that they only learned about from an email referencing reCAPTCHA getting integrated into some other Google product offering.

I have absolutely no idea what happened there. My best theory so far is that they clicked on some really, really wrong buttons when solving a captcha themselves while logged in to their Google account in the same browser. Bizarre.

I would love to see someone challenge this as an anti-trust violation. Google is using its market power (as the provider of reCAPTCHA) to actively prevent devices that don’t use Google Play Services from competing effectively.
They're only doing that because the EU currently doesn't want to antagonize US any more with their tech fines. Noticed how there hasn't been any as of recently?
It's worse than forcing the Play Services: strict Play Integrity requires your system to be signed by Google. So if you use the Play Services on GrapheneOS, you're still locked out.
I'm not sure the definition of anti-trust matches what you're saying. Are there any retail android devices for sale without Google Play Services? Also, notably iPhones will be able to still work despite not having Google Play Services.