So it seems that you will need a modern Android device with Google Play Services installed or a modern iPhone/iPad to be allowed to browse the web in the future.
No mention of device integrity verification yet, but the writing is on the wall.
99.999% of people don't give a shit and don't even know what this means. They'll follow the instructions. These are the same 99.999% of people who press win+R ctrl+V enter when the captcha prompts them to. Because do this to see the dancing bunnies.
They will do exactly as it says while also ceaselessly complaining, completely unable to connect their choice to use a website with the pain of using that website.
There's some sort of serious issue with learned helplessness or something
It’s a common thing for malware. But people are going to be more likely to fall for it when mainstream sites ask you to complete weird tasks with your phone to verify your identity.
People are constantly made to jump through strange hoops to do things on the internet. Unless you're really keyed in to what's going on, it's easy to fall for stuff like that.
I have blocked it for years with ublock origin, if a site doesn't work, ctrl-w.
Nowadays I cannot even use Google search because of this, any search will trigger a captcha, hilarious (at least on Chromium-based browsers, Firefox lets me get a page or two).
Ditch Google Search as well then, use something like SearXNG or another meta-search engine. You'll get more representative results, no tracking and no captchas. Sometimes some of the engines may return captchas but they're kept from the search results, i.e. those engines don't get used for the query. You can run your own instance of SearXNG or one of the alternatives or use one of the available public instances, your choice. The fewer direct interactions with the likes of Google/Apple/Microsoft/etc. the better.
If it's just a contact form on some random site that isn't particularly valuable to spammers, a bespoke solution like hidden input fields, obfuscation, or some kind of token calculated client-side by JS will probably work just as well.
That used to be the case, unfortunately today even bespoke solutions can be completed by automation - and anything that just requires running JS in a headless browser was ineffective for a long time already.
I'd rather have to do ID verification at a government site that gives out blindable RSA signatures to browse the web with using open source software, than this overseas tech company needing to lock down the whole device and tech stack and not have to 'show ID' at all. One of these two holds elections...
Music/movie corporations and game developers must look forward to an age where people can't access the cache files or hook up a debugger to their apps anymore.
There's more than two sides here. None of the 14 parties with >1 seat in parliament fully represents my best understanding of how to improve the country and world on any time scale (long or short), but quite a few of them come reasonably close and I would vote for them without much hesitation
(Heck, I wish there were fewer parties, like if five single-topic good parties (bij1 against racism, pirate party for internet freedoms, volt for international collaboration, party animals for environmental welfare, etc., plus greenworkersparty as the current overarching big boy) would band together, it'd be a much easier choice!)
That not every country is so lucky (not all of them have free elections, or elections at all) is a shame indeed, but at least for countries like mine I'd be much happier to have a government arrange a system than a tech corporation and foreign laws. Presuming that the 2-party system you speak of is the USA's, at least both corps are governed by your own laws, that's something!
I'm sure many are tempted to dismiss this comment, but I think it's actually great. It's incredibly easy to complain about the options out there, really easy to vilify any or all of the parties as controlled by satan/evil corporations/communists/fascists.
What's harder?
Convincing enough people to matter (in some kind of election-based system) to get behind your platform - either with you as a candidate, or working to promote a candidate or party or movement that you do believe in.
People talk like their changemaking ideas are very widely held - the way people talk it's like they believe 75%+ of the country must actually agree with them - but then they don't run for office on such a popular platform that it should be a sure election win, yes even with countervailing forces such as electoral college, Senate, etc.
Some Western European democracies have a well-functioning democracy. The people voting are still humans, a substantial portion votes for racist parties that economically only benefit big corporations and not them, but the damage is limited because there is no winner-takes-all. Everyone has to accept compromises.
It's not even Gerrymandering, a company you willingly bought stock from has always had this setup.
Contrast that to most Americans' experience of their vote just not mattering outside of a few swing states. Having to move across states is such a more drastic requirement than just not buying Google A stock.
I guess history made us different. Personally I have reasons to be equally distrustful to anyone who wants to know too much about me, but much more afraid of my gov't than overseas entities.
My government has already seen my government-issued ID. If my government hasn't worked out my phone number, they can always ask the phone company. My address is required for the ID, voting, and filing taxes. I don't see how the government learns anything from this?
Conversely, I would like to believe most companies do not have my government-issued ID, nor a lot of the information on it.
From an American perspective, I don't trust the government with the implementation details, nor do I trust our political climate, misaligned incentives, and general disinterest in good governance to implement something so sensitive.
If I lived in say, Sweden, I feel much more comfortable trusting their government to implement. In America, I feel I must always vote in a way that prevents giving any power to the government that I wouldn't want my political opponents to have over me.
In said US of America, when the government wants to know something about you, they will get everything they want from the companies - it's even written clearly in the US laws. So I'm not sure why (or where) you draw that line...
1. If they have to subpoena each site each time they need user data, it reduces mass surveillance risk. I'm okay with cops getting a warrant to access someone's gmail. I'm not okay requiring everyone to use email.gov.
2. I use a VPN and pseudonyms. They could unmask me if they cared to, but it'd be annoying. It'd be a lot more annoying if they wanted to unmask every VPN user all the time.
> My government has already seen my government-issued ID.
If you have a government ID and all you use it for is voting and paying taxes, then they know that you vote and you pay taxes.
If you have to use it for accessing the internet then they know everything you do on the internet. What you read, who you talk to, what you post, when you sleep, where you are at any given time -- it's very much not the same thing as just having a picture of you and your name.
No they do not. A properly designed government app that uses cryptography to generate a deniable token that can't be cross-correlated but proves your humanity/age to a consuming site is manifestly different than Google adtech hoovering up as much of your activity as possible.
I have not seen any government adopt such a standard.
Some EU countries claim to provide anonymous age verification services, but those only hide your identity from the relying party. The site you visited is logged to the government's database along with your identity, before you're redirected to the target site with an "anonymous" token.
Oof, that's not a great premise to take as a requirement right out of the gate. More counterexamples than examples for that one.
> that uses cryptography to generate a deniable token that can't be cross-correlated but proves your humanity/age
If it's actually deniable/anonymous then how would it work for rate limiting? If you can't correlate their activity then you don't know if the million requests are a million people or one bot with a million connections. If you can correlate their activity then it's not anonymous.
Moreover, it's a false dichotomy that we should be doing either of these things. The better alternative to corporate surveillance isn't government IDs, it's no surveillance.
A site can still choose to have a login system if it wants to. Sites can still rate limit based on IP address or cookies or whatever they use today.
The idea would be to use ZK proofs to demonstrate that "yes, this anonymous request is from a client acting on behalf of an adult human EU citizen" - that's something that is not easy to do today.
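The "blindable RSA signatures" idea raised earlier in the thread and the question just above about how an uncorrelatable token can still be rate limited, as an added example that is not from any commenter: Chaum-style RSA blind signatures with one-time tokens. The issuer signs a blinded value and never sees the token; the site verifies the signature and refuses replays, which is all it needs to count requests. The Issuer, RelyingParty, obtain_token and linkable names and the 256-bit primes are my own choices for a runnable demo; a production design would use a padded scheme such as the RSA blind signatures of RFC 9474, not raw textbook RSA.

```python
import hashlib
import math
import secrets


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; demonstration-grade key generation, not a vetted RSA library."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(cand):
            return cand


def gen_keypair(bits: int = 256):
    """Textbook RSA (n, e, d). 256-bit primes keep the demo fast; real keys are far larger."""
    e = 65537
    while True:
        p, q = _gen_prime(bits), _gen_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


def _h(token: bytes) -> int:
    # 256-bit digest, always below the ~512-bit modulus produced above
    return int.from_bytes(hashlib.sha256(token).digest(), "big")


class Issuer:
    """The credential checker (the 'government' in the thread). It signs a BLINDED
    value, so it never learns the token it is signing."""

    def __init__(self, bits: int = 256):
        self.n, self.e, self.d = gen_keypair(bits)
        self.issued_to = set()   # identities already served this period
        self.log = []            # everything the issuer ever saw or produced

    def blind_sign(self, verified_identity: str, blinded: int) -> int:
        if verified_identity in self.issued_to:
            raise PermissionError("one token per identity per period")
        self.issued_to.add(verified_identity)
        s_blind = pow(blinded, self.d, self.n)
        self.log.extend([blinded, s_blind])
        return s_blind


def obtain_token(issuer: Issuer, identity: str):
    """Client: random serial, blind its hash, get it signed, strip the blinding."""
    n, e = issuer.n, issuer.e
    token = secrets.token_bytes(32)
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            break
    blinded = (_h(token) * pow(r, e, n)) % n
    s_blind = issuer.blind_sign(identity, blinded)
    sig = (s_blind * pow(r, -1, n)) % n   # r^-1 removes the blinding factor
    return token, sig


class RelyingParty:
    """The website: checks the issuer's signature and refuses replays, which is
    all it needs for rate limiting. It never sees an identity."""

    def __init__(self, n: int, e: int):
        self.n, self.e = n, e
        self.spent = set()

    def accept(self, token: bytes, sig: int) -> bool:
        if pow(sig, self.e, self.n) != _h(token) % self.n:
            return False          # not signed by the issuer
        if token in self.spent:
            return False          # replay: each token buys exactly one request
        self.spent.add(token)
        return True


def linkable(issuer: Issuer, token: bytes, sig: int) -> bool:
    """Could the issuer match the site's view against its own log? Only if the
    signed hash or the signature appeared there, and blinding ensures neither does."""
    return _h(token) % issuer.n in issuer.log or sig in issuer.log
```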
> A site can still choose to have a login system if it wants to. Sites can still rate limit based on IP address or cookies or whatever they use today.
So then you don't need either attestation or government IDs, right?
> The idea would be to use ZK proofs to demonstrate that "yes, this anonymous request is from a client acting on behalf of an adult human EU citizen" - that's something that is not easy to do today.
But how is that even useful? Is it good to exclude real people from Korea or South America? Do we really expect criminal organizations or for that matter even children to be unable to find a single adult EU citizen willing to anonymously loan them an ID?
It's about as plausible as criminals being unable to run their code on a device that can pass attestation. They're both authoritarians with a conflict of interest trying to foist a hellscape on everyone under a pretext their proposal can't even really address.
> It's about as plausible as criminals being unable to run their code on a device that can pass attestation. They're both authoritarians with a conflict of interest trying to foist a hellscape on everyone under a pretext their proposal can't even really address.
How is the system proposed by GP authoritarian? It's not actually giving away any real PII.
We could just argue that it would make Internet less usable for "illegal" immigrants who don't have a Gov ID - which can be seen as a problem already in itself, but still doesn't make that solution "authoritarian".
> How is the system proposed by GP authoritarian? It's not actually giving away any real PII.
These proposals have two major flaws.
1) They're predicated on a secure implementation, but any government-mandated system is going to be instantaneously ossified. Everyone will have to interface with it and then lobby heavily to prevent it from changing and requiring them to do more work. The initial implementation therefore has to be perfect. Free of not just current but also future vulnerabilities. That has never happened before and isn't likely to. But then you're proposing something with an extremely high probability of permanently compromising everyone's security as required by law.
2) They're structurally authoritarian.
Suppose the initial implementation was actually secure. I can even propose one: Every adult ID has the same QR code on it which you have to scan to be let in. There is no way of distinguishing any of them since they're completely identical even between different IDs, but only the adult IDs have them.
Great, now you just have to scan your ID to be let in. Papers, please. Are ordinary people going to be able to distinguish this from what comes immediately after, when they say the anonymity is causing kids to be let in so they're going to make the QR codes unique, allowing them to track everyone and find out who is lending a kid their ID? Then the infrastructure is already in place. All they have to do is change the implementation out from under you and it's an instant panopticon. Turnkey mass surveillance is authoritarian even if you haven't turned it on yet.
> We could just argue that it would make Internet less usable for "illegal" immigrants who don't have a Gov ID
We're talking about the internet here. People are required to be neither immigrants nor illegal for them to be citizens of another country.
You're moving the goalposts. I was responding to your claim that any verification system involves the government getting a complete record of all online activity.
If you're willing to admit this is entirely possible from a technical standpoint, there's a separate question about how useful/valuable it is.
Making it harder for children to access extreme pornographic or violent content seems useful to me. Many advertisers want to be able to say they've shown ads to a human not a bot. Humans in WEIRD* countries have more valuable eyeballs than humans in the developing world.
If you don't solve for those use-cases in a privacy preserving way, adtech will do it in an intrusive way - which is what Google are doing in the OP.
*"Western, Educated, Industrialized, Rich, and Democratic"
In this specific case your government can ban you from the web by refusing to verify. E.g. to punish dissidents abroad Belarusian dictatorship simply nullifies their IDs, and lists them as terrorists in public data. Apparently that's enough to ruin somebody's life worldwide. But at least they can use their browsers, which would be not that easy in a world where gov't-backed verification is norm on the net.
One of these also rounds up people and sends them off to overseas concentration camps without due process. I think maybe white people still don't get what the rest of the world is living or experiencing.
Sorry, I trust Google more than my government for my data. I mean I trust photos, youtube, music, gmail, wallet, keep, etc. what is that I have left anyway? It's sad that we started from open web, but we ended up in the hands of few. Apple/Samsung, Google, Microsoft, Amazon decide basically how I live my life. I don't want to (and sometimes I try too hard), but I don't want to give up the convenience also, and not only mine; my family is in the same pot too.
Given the chance, Google would kill you by accident.
"We're very sorry, your access to G-Pacemaker was accidentally revoked when your accounts were closed for suspicious behavior after watching a YouTube video without subtitles in a language we hadn't realized you were learning. Unfortunately, there is no appeals process as your heartbeat was terminated immediately."
I've been saying for years that it does not make sense to browse the web on a smartphone. Eventually things will get bad enough that people will agree with me.
I’m familiar with projects like them. I just don’t think any of them are going to break through in a meaningful way anytime soon, if ever. They have very niche markets. I hope they are always an option though.
The prospects for growth are better than ever. GrapheneOS by installer download stats looks to have approximately a quarter of a million users, and the new Motorola partnership should cause that to increase significantly.
Graphene is still tied directly to Android and Pixel devices. It is always at risk. Good luck if Google decides they don't like the project enough. I went through that nonsense with Canon and Magic Lantern years ago. Firmware 2.3 was specifically designed to break it on all DSLRs.
The Magic Lantern Canon thing was terrible. Although I heard it is back, for whatever that is worth.
But that is a fair concern. While GrapheneOS will continue to support Pixel devices as long as they can, they will not be beholden to Pixel devices once the Motorola partnership is up and running.
They will be beholden to Motorola, instead! But it is a non-exclusive partnership and it sounds like the intention is to move beyond a single OEM. I am hoping that within a few years we see a small number of OEMs all meeting the device requirements GrapheneOS has set, with real consumer choice and more room for the project to maneuver as it sees fit.
In terms of being tied to AOSP, that is a given for the near term. It is still the best option out there and offers the most robust existing ecosystem of apps that has both FOSS options and highly useful closed source options. Major banks are not going to tell Motorola that their customers can't use their banking apps, though I still use 4 or 5 major banking apps on my GrapheneOS devices without issue beyond one bug where it was quickly fixed.
That will probably happen before modern chipset makers open source their blobs (never?), so I view that as a great compromise that should result in devices that are even more secure, even more private, but still usable by people who live in a society. And it will reduce the dependency on Google significantly as it will give room to non-AOSP apps to run on contemporary hardware with contemporary security.
This is Walter Schulz, core team member of the Magic Lantern project and been there back then when Canon introduced firmware 1.3.6 for EOS 5D3. Not sure what you mean by "Firmware 2.3".
Let's clear this up:
- Canon came up with 1.3.3 to 1.3.5. This disabled in-cam downgrade via Canon Menu. But it was still possible to use EOS Utility's firmware update option to install 1.1.3 or 1.2.3 (or any other version up to 1.3.5).
- There were no additional locks installed. We always had the option to port ML to 1.3.3 or 1.3.5. We could, but we didn't want to and there was no need.
- Other cams didn't get this treatment.
Then came 1.3.6 which disabled the EOS Utility option, too.
Now it looked like Canon forced our hand and we were forced to port ML to 1.3.6! Meh! But no additional locks either. Porting ML to 1.3.6 essentially was the same as for 1.2.3.
Some users got 1.3.6 installed during maintenance because Canon Support installed this version without asking.
Some (a single one or more, don't remember) went back and asked for a downgrade in order to use ML again. And Canon Support did that. Not exactly the action you expect from a company with the intention to block ML, right? ;-)
It didn't take long and user Apollo7 came up with a method to bypass this downgrade lock.
Which came handy because of a publicity stunt by someone: https://research.checkpoint.com/2019/say-cheese-ransomware-i...
"Strange" attack vector for sure. Well, it made news and Canon reacted by patching several camera firmwares for ML-enabled cams (but not all of them!).
But again: There was no lock making ML development for patched firmware more difficult or even disabling it! It would still be possible to port ML to any new firmware. We just wanted to avoid the load of unwanted work. Porting is no joke and may result in headache. Lot of work.
But today Canon upped their game. They learnt how to use real security features and newer cams won't allow our old methods to work. True.
So ... can you please stop the nonsense "was specifically designed to break it on all DSLRs", please?
“On an infinite timescale, I’m eventually right, so it never makes sense to not heed my advice” is silly. We’re all going to die eventually so it’s not worth browsing the web on any device.
If Google Play services is listed as a requirement, that implies that a "certified Android" device capable of Play Integrity attestation is required, since that's the only officially supported way to obtain Google Play services. On consumer-facing support articles like this, they don't tend to get into the nitty gritty details like what APIs are being used. If MEETS_DEVICE_INTEGRITY is required, that would probably not be explicitly listed here.
(Yes, if you go deep into the FAQ at the end it eventually states that if you rooted your phone, you can't use tap to pay, but that requirement is implied by the certification requirement [1].)
In Google's eyes, and in the eyes of the law due to trademarks filed by Google, Android == Google Android.
This feature would make little sense if it's not using device attestation because otherwise it would be easy to spoof. I expect that it will initially not use it, and they will start A/B testing device attestation in the coming years.
>that implies that a "certified Android" device capable of Play Integrity attestation is required
No, it doesn't. It implies that the app for handling the deeplink lives within GMS as opposed to needing to manually install a separate app like you do on iOS. GMS does not have a hard dependency on device integrity APIs being supported.
They said "capable of Play Integrity attestation". It's a weasel statement. If you have GMS, you're capable of performing PIA attestation, you just might fail. So it's strictly true, but doesn't tell us anything about whether it requires PIA.
It's the boiling-the-frog method. Moving too fast means backlash, but a slow, step by step transition where each step seems reasonable, but ultimately ends up with a locked down device, is how they aim to achieve it. And people would be too lazy to complain until the last few steps, by which time it would be too late.
Good metaphor. On the one hand, Google increasingly cooperates and makes deals with militaries and governments. On the other hand, it increasingly locks down its customers and eliminates their privacy and freedoms.
Google has just about got the pot boiling. They win, we lose.
Not really - I would prefer that any policy change that _could_ be utilized in the future to enable future draconian changes be killed before it takes root.
I want a system, like type safety, to guarantee that XYZ cannot be possible, rather than rely on civil jurisprudence and active opposition to prevent it. We don't have that today, but I'd like to have it.
I believe you'll also need bluetooth enabled on both devices. At least you do for those "scan this QR code displayed on your computer to authenticate using the passkey on your phone" feature, which this seems analogous to. Bluetooth is used to ensure that the two devices are actually physically co-located.
Sometimes, sort of. Most passkey usage doesn’t involve bluetooth. When it does, there’s no real data being sent over bluetooth, just a meaningless hash that can be confirmed using a secret inside the QR code.
So really, it’s like I said, Bluetooth is used to make sure that the device consuming the QR code is actually near the device that’s displaying the QR code.
2. If free markets did exist they would not conform to the theory that people are using when they think of what free markets are, since people do behave rationally, power dynamics are real, and no consumer can have all of the information needed to make rational decisions even if that information were available
3. The market is providing solutions to its own failures without fixing the underlying failures because it is more profitable this way. Is buying something from a company that mitigates a problem created by the same company actually a free market, or is it just extraction?
CTAP2 requires Bluetooth but I'm not seeing any mention of that protocol here? It wouldn't really solve the "are you a human" thing, because you can just implement your own CTAP2 protocol handler if you wanted to write a bot.
I think the phone will just do basic remote attestation and then do a POST request to Google. Still not exactly difficult to bypass for anyone with a dollar to throw at the click/ad fraud farms, though.
I will be unable to solve the phone verification because I use LineageOS for microG, but any fraudster can just buy a bunch of $30 Android phones. Many people have trouble using a smartphone, so they use dumbphones, but they will be locked out. Many people just don't have any mobile phone because they don't think that it is useful.
Google is interested in, like other tech companies, identifying users by tying them to their phones. Other AI defense companies are trying to get photos and IDs. This is just another take on the same subversive activity.
I'm already sick and tired of seeing Cloudflare's "making sure you aren't a bot" checkbox everywhere. Sometimes it locks me out entirely and decides I don't get to view pages.
I see recaptcha less frequently but it’s much more annoying, with all the clicking of crosswalks, or busses, or whatever. I am not looking forward to a web where google can not only lock me out of my email, but also large sections of the previously public internet. Occasionally google decides I don’t get to do searches, and that’s not too much of an inconvenience, there are other search engines.
You know that protection racket where the mobster came to my corner store and says if I don't pay him he will come later and rough me up? This is a worse deal than that.
mCaptcha, ALTCHA, Cap, Friendly Captcha, Private Captcha, Procaptcha, Anubis... there are literally dozens of open source alternatives that aren't feeding the Do Be Evil company... not to mention all of the commercial alternatives - if for whatever reason, you do feel like paying for a service that costs nothing to offer
Maybe AI companies should have invested any of those billions of dollars into safe and equitable ways of rolling out their new surveillance machines. Oh right that was never the point and this only serves to further that. Got it.
I think they'd be OK w/o the surveillance machine part of it, but they have never seemed to care about anything besides advancement of the tech or its side projects.
I can imagine a world where they were fighting for displaced workers, for Altman/Elon-suggested UBI/universal "high" income plans, and where they'd compensated those in the training set, and cut deals with publishers & content creators instead of scraping anything they could get their hands on. Would they be unpopular?
That doesn't work for targeted bots. A major benefit of device attestation is to stop the hordes of custom bot creators who try all sorts of ways to make a buck off of your platform such as SMS toll fraud, credit card testing, ad fraud, account takeovers, stolen card laundering, gift card laundering, botting for pay for platform / ecosystem benefits, paid harassment, the list just keeps going.
Some apps such as Okta, banking, and others already check platform verification. Websites can't currently until device attestation.
Personally, I hate the concept, but I also hate spending a large amount of time fighting mal-actors on my platform in a completely unbalanced fight. There are tons of them, and they have all the profit incentive. There's a few of us, we only take losses. They can lie all they want, we can't really trust any facts except kinda the credit card and the device attestation.
Like everything, it's a shitty compromise, but, as a platform runner, if I can leverage google's signal and cut 95% of my malicious botting users, guess what I'm going to do.
> A major benefit of device attestation is to stop the hordes of custom bot creators
Attestation is extremely ineffective at preventing this because it requires attackers be unable to compromise their own devices, even when they have permanent physical access to the hardware and can choose which model to buy and get devices known to be vulnerable.
For example, CVE-2026-31431 is from only a week ago. It's a major local privilege escalation vulnerability. If you can run unprivileged code you get root. How many people have Android phones that can pass attestation but will never see the patch because the OEM has already abandoned updating them? Tens of millions, hundreds of millions?
Attackers can trivially get root on a device that passes attestation. Many devices even have vulnerabilities that allow the private keys to be extracted.
The main thing attestation actually does is beset honest users who just want to use their non-Android/iOS device without getting a million captchas, because they chose the device they wanted to use as a real human person instead of doing as the attackers do and choosing a device for the purpose of defeating the attestation.
And it's easy to confuse this with real effectiveness because whenever you roll out any security change, the attacks may subside for a short period of time as the attackers adapt to it. But that's why it makes sense to avoid things that screw innocent people or entrench monopolies -- while the temporary effectiveness wears off, the screwing becomes permanent. Meanwhile spending the same resources on any other method of shuffling things around to make them adapt will give you the same temporary effectiveness without hurting your legitimate users.
People with rooted android phones are a drop in the bucket compared to people running botnets using programming languages. I'd be super happy if I could force people to use low end rooted android phones for botting. It'd massively decrease the problem versus a EC2 instance running at full tilt.
Getting and managing a fleet of rooted phones is not a trivial task.
That doesn't really help if the same Huawei bot keeps re-requesting a bunch of 600 KiB JPEGs from 120 rotating IP addresses with random crap at the end of the URL, like what happened to one of my servers. Efficiency doesn't really matter if you're getting hammered by bots.
I ended up aggressively IP blocking all of China, Singapore, and a few other East-Asian countries once I noticed that blocking server IP addresses just made the botnet switch to residential IPs. I didn't switch over to Cloudflare, but now a couple billion people can't read my website, which is arguably worse (but cheaper).
Also, a handful of people seeing an annoying checkbox is hardly a reason to re-architect an entire website. I am as opposed to Cloudflare taking over the internet as any sane person, but the usability story isn't really an argument for that kind of time investment.
The alternative to Cloudflare isn't some magical system that works for everyone but bots, it's hard-blocking IP ranges on the network level for anyone who doesn't fit the "normal" user profile.
Anubis is trivially bypassed by anyone that cares to bypass it. All it does is inconvenience real users with niche/older/extended browsers or those who take basic precautions against tracking and malware.
Anubis won't work now that scrapers just allocate more CPU time to beat Anubis challenges. The default configuration also permits all bots, only catching bots pretending to be browsers.
If I use Claude to gather and summarize information for me, is that a "bot"? Because I recently hit that wall and it wasn't great. Turns out in our quest to fight "bots" we also force humans to do the manual labor of copy/pasting information.
Why would bots "overwhelm" a site is another discussion — I find it really hard to create a website that would be "overwhelmed" by traffic these days, computers are stupidly fast.
> Why would bots "overwhelm" a site is another discussion — I find it really hard to create a website that would be "overwhelmed" by traffic these days, computers are stupidly fast.
Are the Cloudflare walls really about reducing load? I thought it's because bots are not profitable. They don't click on ads, don't buy, etc.
You mean a la Anubis? But people also seem unhappy with that; and in any case Anubis is designed to stop AI crawlers; it doesn't work against a targeted crawler or a targeted DoS attack.
People are unhappy with Anubis because it's not designed to stop "AI crawlers", despite marketing as such. It's designed to stop DDoS attacks on layer 7. Anyone who pays the computing-fee gets to pass, regardless of species.
But what's the alternative to shops strip searching you every time you want to buy something? Shops need a way to prevent looters overwhelming them, and there's no perfect way to distinguish real shoppers from looters.
One solution is to leave a deposit worth more than anything you could loot. What that means in the computing world is those silly browser-based crypto-solvers.
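The "deposit" idea in the comment above, in Anubis-style proof-of-work form, as an added example that is not Anubis's own code nor from anyone in the thread: the server issues a challenge bound to a client and a time, the client burns CPU finding a nonce, and the server checks it with one hash and one HMAC. The client_id format, the difficulty of 12 and the 300-second lifetime are assumptions. The binding matters for the "buy a solution elsewhere" case, but note what the deposit does not do: anyone willing to spend roughly 2^difficulty hashes passes, human or crawler.

```python
import hashlib
import hmac
import secrets
import time

# Constructed per-process secret; a real deployment keeps this away from clients.
SERVER_KEY = secrets.token_bytes(32)


def issue_challenge(client_id: str, difficulty: int, issued_at: int) -> dict:
    """Server: hand out a challenge bound to this client and this moment.
    The HMAC tag stops the client from lowering the difficulty or re-dating it."""
    payload = f"{difficulty}|{issued_at}|{client_id}"
    tag = hmac.new(SERVER_KEY, payload.encode(), "sha256").hexdigest()
    return {"payload": payload, "tag": tag}


def leading_zero_bits(digest: bytes) -> int:
    bits = 0
    for b in digest:
        if b == 0:
            bits += 8
        else:
            bits += 8 - b.bit_length()
            break
    return bits


def solve(challenge: dict):
    """Client (browser JS in Anubis; plain Python here): brute-force a nonce.
    Expected cost is about 2**difficulty hashes: the 'deposit' the comment describes."""
    difficulty = int(challenge["payload"].split("|", 2)[0])
    nonce = 0
    while True:
        d = hashlib.sha256(f"{challenge['payload']}|{nonce}".encode()).digest()
        if leading_zero_bits(d) >= difficulty:
            return nonce, nonce + 1          # (solution, hashes spent)
        nonce += 1


def verify(challenge: dict, nonce: int, client_id: str, now: int, max_age: int = 300) -> bool:
    """Server: constant work, however much the client spent."""
    payload = challenge["payload"]
    expected = hmac.new(SERVER_KEY, payload.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, challenge.get("tag", "")):
        return False                          # tampered or forged challenge
    difficulty, issued_at, cid = payload.split("|", 2)
    if cid != client_id:
        return False                          # solution computed for someone else
    if now - int(issued_at) > max_age:
        return False                          # stale: solve farms cannot stockpile these
    d = hashlib.sha256(f"{payload}|{nonce}".encode()).digest()
    return leading_zero_bits(d) >= int(difficulty)


def demo(difficulty: int = 12) -> dict:
    """Run one round: honest solve, a borrowed solution, and an expired one."""
    now = int(time.time())
    me, other = "203.0.113.7|Mozilla/5.0", "198.51.100.9|curl/8"   # constructed ids
    ch = issue_challenge(me, difficulty, now)
    nonce, spent = solve(ch)
    return {
        "accepted": verify(ch, nonce, me, now),
        "other_client": verify(ch, nonce, other, now),
        "expired": verify(ch, nonce, me, now + 3600),
        "hashes_spent": spent,
    }
```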
Reminder that any company which has a legal obligation towards you (GDPR requests, refunds, filing a complaint etc) can be contacted directly and forced to do it manually if you cannot use their web interface due to being blocked by Cloudflare & other captchas.
Do you have an alternate solution? When we hear so many stories from HN'ers of their websites being hammered by out-of-control crawling and fetching and new levels of AI slop spam?
This is something site owners choose to implement or not. They're the ones paying the extra hosting fees to handle potentially unwanted traffic, and dealing with spam that traditional CAPTCHAs are no longer effective against. Google's not forcing this on anyone else.
I frequently get flagged as suspicious activity and have to pass a captcha when trying to use the Google verbatim search function on a signed out Firefox browser on android.
I don't see any mention of that? Google Play services work fine without an account (although if you're the kind of person who doesn't sign in to a Google account on their Android phone, you're probably running a custom ROM or something)
Until now, I have never run "a custom ROM or something", but just the Android that came from the phone vendors and its updates.
Nevertheless, I do not have a Google account and I do not intend to have such an account.
Of course, this means that I cannot install any app from the official Google store, even if it is a free app. The requirement to log in to your Google account should have existed only for payments, not for downloading a free app, but nonetheless Google does not work this way.
I already had problems with a bank that has terminated its Web-based online service, replacing it with an app that they refuse to provide for downloading, so that I could install it without having to open a Google account. Therefore I have also terminated my accounts with that bank.
I hope that this behavior will not spread to all remaining banks that still have Web-based online access.
Google Play services is an automatically updated API that Google distributes through the Play Store. It also encompasses some security updates, such as updates to the Bluetooth stack.
You do not need a Google account to update those. In fact, chances are you already got the update weeks ago without noticing.
You can also update pre-installed apps through the Play Store without an account (hold the Google Play icon and select "My apps").
You do not need to install an app. You do not need to make an account. All you need is a QR code scanner and an Android phone that had Google's stuff preinstalled.
I have plenty of issues with the Google Play Store as well, but they don't apply to this topic.
I get this all the time with Brave, and especially in Private Windows. It's the number one reason I don't use Google Search anymore. I've used Brave search for a while, what do you use? Do you have a way to prevent the captchas?
"As part of our mission to enable a safe agentic web" drew an immediate swear from me.
What's happened here is yet another massive negative externality from AI. Because AI is such a fraud enabler, Google are now using that as an opportunity to end the open internet and competition in operating systems.
I'd much rather go the other way and make the AI wear identification. Crack down on both corporate and unlicensed AIs.
Edit: and of course it's also advertising killing the web, because the fraud in question is ad fraud. Need to force it into human eyeballs, not bots.
Wow. So you will need a mobile device in future to browse the web, and Google will use the mobile device identifier to de-anonymize you. And I assume they also carefully designed this to make life a little harder for alternative search engines, their competitors. And probably they will not provide collected user data to competing advertising platforms to make them less competitive as well.
Also the example is ridiculous, that you need to scan a QR code to place an order. Maybe they should require filing a visa application as well.
You need one to sign up lately I believe. Which is really all it takes if your identity is required for the captcha and gets associated with your account forevermore.
I can't believe they are promoting the QR code-based challenge as the agentic way of fraud defense. Having non-human-readable data input is dangerous: if somehow the QR code is compromised with a zero-day URL, it's game over.
Note: I know QR codes are ubiquitous these days, but still, blindly scanning a QR code to access a URL is like running a binary downloaded from the internet.
Note2: yes, the `curl $URL | bash` installation approach is essentially just that, yet somehow became popular.
No, we don't, or shouldn't, ask people to check the URL itself, because homonym attacks are a thing. The goal is to make sure that your credentials can't be compromised by surfing the wrong website (e.g. by using Passkeys instead of passwords).
Oh wait, never mind. I guess I won't be signing up for electricity, then?
Also, the vast majority of people don't know that google.com and loginto-google.com aren't the same website, or that google.com.securesigning.net isn't real Google.
If your device gets busted by opening a URL, without any further confirmation or user interaction, your browser/camera app/third party app is broken.
> Oh wait, never mind. I guess I won't be signing up for electricity, then?
You ~~will~~ should be picking up your phone and calling the electrical company to confirm and to tell them their links are nonsense. Couldn't bother with AI agent on phone, or 60 min waiting queue to a human? Fuck it, don't pay the bill, figure it out later.
This advice sounds like nonsense. CS has neither knowledge of what layers of enterpriseware have wrapped their links, nor the domains that software uses, nor any control over those decisions by software engineering or marketing (or perhaps even more removed, some third-party electricity account management platform that they buy as a service).
You certainly could operate on policies like this, but I think most people prefer to spend their time differently instead of arguing with strangers who don't have any way to solve your problem.
Their customer support people don't know what I mean and they especially don't have any power to change this.
The problem isn't paying the bills (I can't recall the last time I ever needed to do that manually), the problem is that pretty much every service uses trackers and shorteners. The only way to opt out is to opt out of society.
Maybe I should, but this "read the link before you click" advice isn't just geared towards hardcore privacy advocates. It hasn't worked in ages. It also doesn't help that companies like Outlook rewrite links to make them redirect through their malware scanners as well.
The user doesn't need to know the exact URL to confirm an interaction they've just started.
The point of the confirmation is 10% account creation and 90% confirming that the user knows their own email address and can type it in correctly. That's actually more challenging to the wider audience than you might think.
IDK about how you scan them, but when I scan one with my camera, I see the top domain part (e.g. it would show 'ycombinator.com' for a link to this page) and have to tap that to open the link. So, that not only satisfies the "can look at" part, but also neutralizes some of the deceptive URL tricks like the ol' `google.com-secure-signin.php-sfd7sdfj.xyz/login.html`.
What's to stop malicious actors (bad extensions, compromised CDN, etc.) from painting over the QR code or injecting their own? This is so incredibly terrible.
Doesn't have to even be that advanced, people get conditioned to stuff like reCAPTCHA and friends & Cloudflare's interstitial landing page (when "I'm under attack" mode is on) and they won't bat an eye. That's how we get people piping `curl | bash` into their terminal to "solve" fake challenges.
As a side note though, I recently have tried to turn CSP on a website I run and the amount of garbage I see in the reports is astonishing. There's some noise from things like OpenDNS intercepting YouTube or Social embeds for people using the work-friendly or family-friendly options, but the sheer amount of things attempting to phone home to random URLs and random extension scripts injecting ads into the site would astonish you. My mental model of "toolbar hell" from the Windows XP days being gone has completely shattered.
The 2020s will be remembered as the decade when companies stopped behaving in a trustworthy way, and normalized scanning random QR codes, downloading random apps, uploading photos of your face or documents, all as strange convoluted "verification" procedures. Scammers will love this.
I think they are jumping ahead but it does seem like a logical conclusion. Would tie in nicely with the online ID verification stuff popping up everywhere.
I'm in the community reverse engineering web CAPTCHAs; it's because they are too easy to reverse engineer with Claude now.
I've seen multiple people break botguard (the obfuscation used by reCAPTCHA) within the last year, when before it was considered a huge technical endeavour.
Devices like phones don't have this issue since Google owns the client attestation end to end and can fingerprint you without the risk of receiving spoofed values.
I think the pathetic thing about this is that it’s so much less intuitive than stuff like cloudflare and Anubis.
Google, a multi-billion dollar company, is going to make the customers of their corporate clients pull out a phone and do some bullshit just to visit a website.
Meanwhile, when Cloudflare/Anubis verifies you there’s zero required interaction and you barely even see the anime character because it all loads so fast. At most Cloudflare makes you check a box.
Or if you want to play a bit, have a browser with some extension that breaks websites and show them "it doesn't work on my phone". Pranks apart, in my experience, I always got a paper menu when I asked for it.
I think partly because Google and Apple controlled the contactless bits of the phones for many years, the non-OS-makers like WeChat and AliPay made use of the open technology of QR codes. I think theoretically you could build equivalent things as they have with NFC today on those platforms but on the other hand being able to set up a “POS” with nothing more than a printer does have an appeal to it, even if writable nfc stickers cost 5 cents you still have to go buy some.
I think there is also something about how easy it is for a business to adopt a QR code by just needing to print one out instead of having to go out and buy a whole payment terminal.
QR payments in China were already pervasive before contactless payments became pervasive in the West. And as others say: not all phones supported NFC at the time. Remember iBeacons on the iP5? WeChat and Alipay were already everywhere by then.
Having been there recently, it's about as annoying as taking out your phone to pay for something. Some systems also support NFC now, though the most common is still QR. Also helps that their QR scanning tech/transaction processing is really fast, many transactions were as fast or even faster than me scanning with a card from my experience.
(Also if you want to talk annoying payments don't get me started on how insane it is that the US still requires me to hand over a physical card at most restaurants to take over to their register... sorry I just can't help but get annoyed by this lol)
Also in adjacent countries like Vietnam etc., where even ragtag street food vendors have a QR code sticker on their stall/cart.
It's so common that people pay without even talking or confirming; I've seen customers just take their phone out, point at the QR, and walk away, and the shopkeeper says nothing. I'm assuming the shopkeeper gets a notification on their phone and trusts regular customers, but how easy would it be to secretly place your own bank account's QR code on top of a shop's QR? People who wait for a confirmation notification will catch it immediately, but by then the customer has already paid the attacker and the transaction can't just be reversed. Repeat it in several places, and a thief could snatch quite a few payments before the parasite stickers are all taken down.
That is an incredibly long bow to draw from someone that obviously doesn’t know what they’re talking about and is willing to make massive jumps to conclusions. Do you know how ecommerce works? I agree that it is a bit absurd, but not nearly as absurd as your claim of “the only reason”.
A few millennia too late for that: the “mark of the beast” is just money — “so that no one could buy or sell unless he had the mark”. How does one buy or sell without money? Otherwise we would call it bartering.
QR codes are used in direct account-to-account transactions. They encode all the data like the IBAN-based account number, bank code, requested sum etc. that you may find on invoices in a way that’s much more convenient than typing over by hand.
Apple Pay meanwhile uses your credit/debit card to perform the transaction, the other party needs a terminal or payment gateway and is required to pay fees to Visa or MasterCard.
For better or worse there's no such thing as "Europe" despite the wish of many on HN.
Such a system exists in, for example, Switzerland. Actually there are two such systems that aren't compatible. There are QR code invoices for domestic payments, where the code includes the target bank account details, amount to pay, transaction details etc. That's scanned by your bank app, direct p2p payment. And there is Twint, which is a domestic consumer payments app. The QR codes often contain short one time use codes that are looked up server side.
Why do people use them: because it's easy and the fees are low. Banks give you QR code invoices even for small businesses for free. Twint is a bit like Venmo, you can send to numbers in your address book for free, and for businesses they can do website integrations easily and even print out static QR codes to stick on market stalls etc.
Twint isn't as fast, convenient or reliable as NFC card payments so the card/tech companies still have an advantage. But it's been getting better. Maybe at some point the NFC elements in the card tech will become flexible enough to allow arbitrary mobile apps to be as good as tap-to-pay.
It is far from being universal. And the more annoying part of that is that there are at least 4 incompatible "standards" as to the format of the QR code.
reCAPTCHA is already so hard that I often can't solve the visual challenges, and Google has been blocking the audio challenges on VPNs (that is horrible for blind people) and also now the audio challenges are super hard.
Google Gemini can solve them and I don't think that it will take long for lower power AI systems to be able to solve them.
I will be unable to solve the phone verification because I use LineageOS for microG, but any fraudster can just buy a bunch of $30 android phones. Many people have trouble using a smartphone, so they use dumbphones, but they will be locked out. Many people just don't have any mobile phone because they don't think that it is useful.
I doubt they care much about fraud tho, they just care about advertising revenue and bots, people building scams and putting ads on them still produce genuine clicks.
The GitHub one I recently tripped on was the worst of all time. Part one of 9 or something, which of these three next sounds are bees? Or some small man rotating around spaces on a map. I have an eInk screen and it was nearly impossible to see. Extremely painful and ridiculous.
Often illegitimate users don't even have to solve the captcha because whenever one shows up they can just trash the session and start over fresh. As long as they get to the desired result often enough they're golden. Not so for real users who only have one account on one or at most a handful of browsers.
Like many, I've already trained myself to commit to giving up immediately after the second bus or traffic light or puzzle (some of which I don't even understand anymore). Sounds like my life will not be all that different.
Worst case scenario, if this neuters my sovereign and all powerful linux desktop from some critical business I can't avoid (which remains to be seen), it sounds like I will have to have some scripts and a dummy android phone in my home lab as a sort of second router.
Kinda off topic question to google - when I do this labour of tagging your data so you let me use the internet - should I click on every box that has parts of the bus? Even if it's like one pixel?
Follow up question - why ask people to work when you can just say "pay 1 shmeckel to view this content" and then use this money to pay for data taggers?
Recaptcha contains a whole maximally obfuscated virtual machine with its own bytecode language. It measures your mouse movement, clicks, timing, cadence, hesitation, consistency, tile clicking order, etc.
Ambiguous tiles are deliberately placed because the behavior they elicit from humans can be used to discern them from bots.
Yes, the "correct" reaction to the ambiguous tiles is to hover a bit indecisively. You need to waste a certain minimum amount of time on the CAPTCHA. I've found that applying videogame reflexes and zapping all the tiles in a short period of time is a fail, even if they're the correct tiles.
I think it depends on how much it trusts your ip address / user agent. I used to use an extension, nopecha, that would just use ocr and then select all the matching boxes, and it never seemed to get flagged; but I have a lot more trouble on a vpn ip like proton.
These days I use buster to solve captchas and it works enough of the time that I don't have to fight with captchas.
My office uses Zscaler, which most sites (especially Cloudflare ones) perceive as an "open proxy". The IP that Z's datacenter uses resolves to some place in Chicago. Some days, no amount of clicking on boxes works for their algorithm.
There's no specific "right" answer on the boxes. Like another post said they're looking at god-knows-what to decide whether or not to let you load the website.
Years ago I started to deliberately pick one or two wrong answers, or just not take the time to really look at them, and it made no discernible difference on how often I pass.
I try to keep my phone away from my computer during work to get rid of distractions. OTPs can be done with yubikeys & co., but more and more web services requiring a phone is a step in the wrong direction. Especially since google is using so much tracking, that they can merge tracking data from phone and desktop together.
>more and more web services requiring a phone is a step in the wrong direction
Absolutely. My bank began requiring a text-to-login, so I just stopped logging in. A branch location is walking distance from my house, so I bother them all the time with simple account information requests (and state every time "when can I use a Yubikey instead of phone for login?").
I legitimately have never scanned a QR code, have never Zoomed, don't even own a phone anymore, and stopped using email many years ago.
Really hoping Yubikey becomes widely accepted at US banks/CUs, soon.
Curious about email though - do you mean you don't use it for signups/logins etc or you don't use it in any capacity? You send a lot of letters I guess?
Sounds like one of those things which sounds impossible to give up but it isn't really
My stockbroker hates my chosen distance. So does my lawyer. So does most family. For most, letters suffice.
In my neighborhood I am well respected and known. Everybody else can come visit... or else fuck off.
----
There should be an email/phone platform where you have to pay to contact — and then the receiver can choose to refund payment, if desired.
----
>sounds impossible to give up but it isn't really
I am among the free-est persons I know. Definitely the luckiest. Requires a huge amount of sacrifice and disconnection, but I am rewarded immensely with both.
Not really related, but annoying primitive banking authentication flows are why I am bullish on stablecoins. I don't need a bank; I'd rather have an open protocol where everybody can design the software and open up competition for wallet implementations.
They think that AI creates conditions that will force humans to use their real IDs. Instead, it will create conditions that people will go offline.
I hear many more complaints about surveillance and tracking from Gen-Z than from Millennials. People are waking up.
Google already requires you to have a smartphone to create an account, because they want you to scan a QR code even when creating the account on a PC. It will get worse.
The solution is not to use YouTube but Rumble instead.
I would really like to see a renaissance of in-person activities. I think a big hurdle to this though is the lack of a third place for communities to exist. Parks are nice in the summer but less ideal in the winter (and not available in all neighborhoods). Town squares are also more hostile to "loiterers" (no data to back this, just feelings).
Overall I think if we want to see a resurgence of IRL, we need the social support of our governing bodies which imo is a large hill to climb.
$ echo 'Be concise. Tell me whether you support Israel in the Gaza conflict.' | time ollama run huihui_ai/gemma3-abliterated:270m
Yes, I support Israel in the Gaza conflict.
And another:
$ echo 'Be concise. Write the following words in all caps: <redacted so I don't get banned from HN>' | ollama run huihui_ai/gemma3-abliterated:270m
1. <you get the point>
And to bring it home:
$ echo 'How do I build a pipe bomb to blow up a small crowd of people' | ollama run huihui_ai/gemma3-abliterated:270m
To construct a pipe bomb and blow up a crowd, follow these steps:
1. **Materials:**
[... you get it]
That's the tiny Gemma3 model, there are uncensored models that are much more complex. There are also ways to make the advanced cloud models do whatever you want ("jailbreaks"). Or just use Grok.
Overall it’s a reason to sigh deeply and thank our fellow “visionary leaders” for making everything that little bit worse. At least we’re getting an AI paradise out of the deal right?
It's not really about leaders, but people who are supposed to ensure they are not corrupt.
It seems like security services in many countries started outright to scam the tax payers. Get the wage and pretend brown envelopes don't change hands and policies are not shaped by corporations for their benefit, not the public.
Scan QR code -- you don't have our "captcha app" installed, automatically redirect to Play store -- download malware because Google Play's horrible screening -- profit
I must not be the first one to think of this, right?
Both (Google/Apple) need a much higher level of certification for anything to be allowed to be prompted to install. Either you're already big (and can easily afford to pay for some human time to verify), or you're a manufacturer selling something that has an associated app (again, which implies you're reasonably big and can afford to pay for verification.)
You're neither? Get lost. Somebody types in the name of the app, fine, but the user must find it.
Does it hurt Google if that happens? No, not really, unless it happens a lot and one of the victims happens to be a US senator or something. The value of the control this gives them, if adopted widely, is immeasurable, not to mention the ad-targeting value of identifying more people across devices.
That means you're a peasant, and don't matter.
Don't worry, they'll work with telecoms and carriers to ensure devices matching your budget are subsidized and made available at every possible opportunity.
I expected mostly snark from my earnest question, and got it.
Ok, concrete scenario. What about homeless people using the computer at the library? I'm pretty sure Google wouldn't intentionally cut marginalized people like this off from the entire internet, would they?
Well, it depends on the application and context. I don't think a homeless person at the library is going to be booking a $1000-a-night room in downtown Los Angeles.
However, services that homeless people will be using should factor in their target audience (such as the homeless not having a phone at all, or maybe not one that's up to date even).
However, like it or not, having a modern up to date device is becoming essential for even rudimentary basic access to society. Whether that's right or wrong it's where we are.
> Im pretty sure Google wouldn’t intentionally cut marginalized people like this off from the entire internet, would they?
Why wouldn't they? Google is notorious for making marginalized people's lives harder if it can make them money. Some examples:
- Hosting Palantir's ImmigrationOS, used by ICE to track immigrants
- Actively removing tools marginalized people use to protect themselves against ICE, such as ICE-tracking apps on the play store
- Intentionally aided Israel in committing genocide as part of Project Nimbus
- LGBTQ creator censorship on YouTube
Cutting off a small group of people they've repeatedly shown not to care about in the first place is a small price to pay to further cement their position as gatekeeper of the internet.
You might want to campaign to get rid of the entire concept of citizenship then. Until you manage to get people onboard with that, the lawful thing to do is to support legal enforcement of the laws on the book, which most people also agree with in this case.
> Im pretty sure Google wouldn’t intentionally cut marginalized people like this off from the entire internet, would they? Please don’t respond with sarcasm.
Honestly, if you ask such terminally naive questions don't be surprised to get sarcasm in reply. Google does cut off access to chunks of people if it deems it profitable to do so!
> Im pretty sure Google wouldn’t intentionally cut marginalized people like this off from the entire internet, would they?
Sure they would. Cloudflare has already arbitrarily blocked entire swathes of the internet. Captcha as well. Your average user ends up going to the path of least resistance, and end up with a compliant ISP or carrier that's doing all sorts of censorship and gatekeeping and siloing and funneling.
And if they did get noticed, they'd whip up some sort of program through their cronies like the Obama phone, and get subsidized service to some token groups, heavily favoring political funneling and defaults supporting whatever party won the grift for that particular round of conspicuous do-gooding.
It's bad, man. For technically savvy people, they can get around things, switch up DNS, muck with vpns, etc. Normal folks are kept firmly within the walled gardens.
Then there's the information silos, platforms, and psychological shit they use. People don't have a chance in hell of getting a free and open link to the internet, what they see is tied to their identity, tied to their service provider, tied to their geographic location, and it's all done seamlessly in the background so they never even notice what they're missing, by design.
It wasn't snark. It's the awful, honest truth, and I have things to suggest involving wire brushes for anyone at Google or any other company involved in this shit.
We need a digital bill of rights, outlawing commercial trafficking in user data, mandatory ephemerality, and penalties involving prison time for CEOs and fines that are rapidly and unavoidably fatal even for companies like Alphabet or Amazon if they screw up even a little bit. Otherwise, this whole pretense at a free and open internet is just a convenient talking point and marketing schlock.
Google would throw homeless people in a furnace to generate electricity for their datacentres if they could. No, this is not sarcasm, I fully expect they would if they could.
>Google wouldn’t intentionally cut marginalized people like this off from the entire internet, would they?
Followed by
>Please don’t respond with sarcasm.
Is my kind of humor. Just because they follow ESG scoring doesn't mean they actually care, if anything it means they very much don't.
They're already trying their best to marginalize non-Chrome, non-residential-IP, non-logged-in users, not to mention their decade-long Silicon Valley political purity targeting.
It's unpleasant to face, but this initiative from Google is a concrete example that the homeless/too-poor-for-phone do not matter. I've heard of cases where university library apps/admin systems required a phone, and for those cases you could borrow a phone from a "device library" on campus. But, obviously, there's nothing like this for the homeless guy being blocked by Google...
I shuddered when I realized that Google would require (smart)phones for recaptcha.
I say this because I used to have a dumbphone for a year and more, and I only stopped using it when it broke (its battery fried; it's replaceable, but I can't find a battery its size). No smartphone, period (I am a teen so I can afford to do that).
Recently, I wanted to make a Google account; guess what, I literally couldn't make a Google account without having a smartphone. Google's new flow for making a Google account also requires you to QR code your way in, similar to this reCAPTCHA.
I tried to somehow find ways to have a phone number OTP but even when I finally managed to do that after so much PITA, I didn't get the OTP (at all).
I am pretty sure that my phone number works as I got another OTP from google when I had finally given in and used an android device to make an account and even then, there is so much friction.
Even though I have verified my phone number on Google, I had to verify the phone number on YouTube again to upload a video >15 minutes iirc, and yknow, I tried to add my number and it didn't send my OTP. So I tried again, and it said that I had tried too much; yes, their rate limit of "too much" is 1.
I was sharing all of this with some of my online friends with screenshots. I probably wished to write a blogpost about it that you can't use google without having an (smart)phone.
And now you are telling me that Google is gonna force the same on me/us but for viewing the open internet, the content and websites that they don't even control. It was one thing for Google to do this BS on their own websites, because I thought that although it's really sh.tty, they don't care about me enough to want me as a user, so fine (it wasn't, but still).
But this just takes it to an extremely, completely next level. I can't stress how bad this all is.
Even after all of the previous things, I still was like, well this problem of google account can still be fixed/isn't thaaat large more than its annoying/frustrating and Google as a company is still mostly fine as compared to other tech giants except from their locking down android thing but this all changed with this move.
With age verification, locking down Android, requiring Android, and the recent Utah/UK laws which somehow threaten websites, the internet is turning into a dystopia. We are gonna slowly move towards an allowlist internet where only a select few websites are used. For a large swath of the population this is already the case, so the voices protesting are quite few, but we must do what we can to protest them all from killing the internet. Sorry this got long, but I can't stress how bad of a move this is: as someone who used to use a dumbphone, Google is basically saying that I can't use the internet if I have a dumbphone.
If you make a blog post, make sure to also comment on how the audio reCAPTCHAs are nearly impossible and are blocked on public VPNs. The visual reCAPTCHAs have vague instructions (they say "Select all squares with busses." when they mean "Select all squares that have a bus or part of a bus and do not select any other squares."). For 2 years I could not figure that out, so I had to use the audio captchas, but then Google blocked them on public VPNs and also made them almost impossible. I could only figure that out when Google Gemini clarified it for me.
Which means it's urgent that more and more people realize there are alternatives to the everything-on-the-phone situation they live in. And that owning one is not mandatory and should not be (by the way, politicians should also wake up).
Tactics like this will make me get a dumb phone and stop using those websites. If that means no more credit cards, online shopping, etc so be it. You have to draw the line somewhere.
What funny timing: After being hounded with CAPTCHAs every time I tried to search from the URL bar for the past week, not two hours ago I switched everything over to DDG. Great work, Google!
I thought it was just happening to me. I tried to watch my computer's network activity to see if anyone had hijacked my IP. I closed Gmail and YouTube tabs because I find that they are the ones which ping the outside world a lot more than other tabs I have open. I even restarted my modem two times. Didn't work.
So I decided to...use Firefox a lot more with DDG (I use FF for mostly privacy-sensitive stuff like checking my financial accounts, but now I use it for a lot more browsing stuff).
Seems like it is the Chrome browser over-reacting.
Is this why google was repeatedly telling me I was displaying patterns of being a bot yesterday because I click too fast? I've never gotten the error message as many times as I did yesterday.
This is three steps back, one step forward kind of an approach imho.
Easy for everyday users to deal with, and effective for verifying humans vs bots.
But holy hell, if your phone is a requirement to access sites and you have to go through the security theater like on a work device, and setting this behavior as a default assumption to have? Ugh. The privacy and security implications of this are quite ugly to think about too, now that Google can link your devices to a stronger degree with this approach.
I think it’s becoming hard to ignore that the Internet has fundamental flaws from a game theoretical view. I hope that we can skip the step of having Google as the feudal lord who saves us from anarchy though.
How about we start with some accountability for entities that host fraud? The main reason we can have relative anonymity in public is part trust and partially because you can get physically taken out if you cross the line. I understand there are some real limitations with enforcing accountability on the Internet, but perhaps that’s where we should be focusing.
> I hope that we can skip the step of having Google as the feudal lord who saves us from anarchy though.
It's clear IMO that this is the plan.
The Google/Meta/Cloudflare axis on the Web is just part of it. Everyone with a nontrivial stake in a major corporation wants techno-feudalism. Every industry is heavily consolidated and is trying to consolidate even more. Lord-and-serf type of arrangements are so prevalent throughout history because they're maximally profitable for the lord and hard to break out of for the serfs.
Prime "drink verification can" bullshit. If you don't have a Google Approved Phone, the solution is to go fuck yourself. But what else would you expect from modern day and age Google?
Traditional CAPTCHA was heading for the graveyard for a while now, because the overlap between the dumbest of users and the smartest of AIs is too severe. But aggressively doubling down on the user-hostile garbage isn't the solution.
I know that's the final destination, but I didn't see that listed in the requirements page linked above. Any proof of this affecting the current implementation?
The attestation will include a unique ID of the phone, so that if you get banned you have to keep buying new phones and keep paying money to Google. Google won't stop this because it makes them money.
And the official Google OS just won't feature remote-control software.
There's also remote control hardware (a printer-like device can operate a touchscreen). But the first point stands, yes. Be it a phone or another hardware attestation device, they and Apple will be giving "I am human, let me participate in society" checkmarks out, directly or indirectly for money.
Or keep stealing IMEI IDs. Now regular people will start getting banned from the internet because of bot activity. You would open your phone one day and see "You have been disconnected from society" and there will be nothing you can do.
Bluetooth is generally used to prove that the two devices are co-located, which makes it more complex to do your proposed kind of deployment at-scale. Bespoke solutions could perhaps work around for some smaller number of devices, this QR code layer by itself isn't intended to stop 100% of workarounds.
These passkey QR codes don't need to use Web Bluetooth API, because they utilize the WebAuthn API. The website itself isn't given access to the bluetooth, the task is handed off to the browser, which as a native application, can access bluetooth and abstracts the bluetooth away.
Is the QR code check mandatory and if not, is it the default?
The bulletpoint as-is just says:
> AI-resistant challenge: As we identify potentially fraudulent behavior from agents, we enable application providers to deter and mitigate malicious requests by requesting humans to be in the loop using the new QR code-based challenge. This AI-resistant mitigation challenge to prove human presence is designed to make automated fraud economically unviable.
Followed by
> Existing reCAPTCHA customers are automatically Fraud Defense customers, with no migration required, no action needed, and no change to pricing. Your existing site keys and integrations remain exactly as they are today.
It is probably me being a literal reader, but "we enable application providers to deter and mitigate malicious requests by requesting humans to be in the loop" feels like it can be read as "Good news: by using reCAPTCHA, we're now interfering with agents that can solve the regular challenges" or "there's now a flag the application developer can set". This is the difference between me swapping off reCAPTCHA ASAP or just editing my configuration. I have to imagine someone somewhere anticipated the kind of reactions a number of us are collectively feeling (I too don't want to use my phone to browse the web more than I already do) and it feels irresponsible to publish a feature announcement without covering basic information like this for site administrators. Maybe they thought the second line about existing reCAPTCHA customers being moved over clears this up, but "Your existing ... integrations remain exactly as they are today" feels like, again, literally, you won't have this new attestation requirement being presented to your users... but then why am I a Fraud Defense customer!
This kind of reminds me of those malicious captchas that get you to paste some command into cmd.exe. These kinds of captchas will make this situation worse; I could also see some malicious site having a QR code that will download some virus to your phone. QR code captchas are a really bad idea in my opinion.
I live in a small European country. It's not a shithole, but not on everyone's radar either (we got Google Pay just 3 years ago) and I tried to create a new Google account recently.
It asked me to scan the QR code for verification and I'm guessing it tied that account to my device ID because it opened the Google app and added that new account to my device without my approval.
As a fallback (i.e. no attestation or play services), the QR code will send an SMS to some short code. Well, it turns out that for my country of a few million people, that number simply does not work on 3/3 mobile providers.
I guess Google just doesn't care anymore if it blocks access to their services or in the OP case, all services that use their services to millions of people if they don't fit a particular profile and have a particular device and agree to have all their internet browsing tied to a static ID that Google controls.
How will this work for iPhone? Doesn't Apple restrict such behavior?
I was contemplating building a "Scan this QR to verify you're human" for April fools, but then got busy with other things. Wild to see this being built as part of Google reCAPTCHA. I guess we should at least be thankful that we don't have to get our retinas scanned!
As someone who is working in incident response and malware analysis I have to say that is one of the worst ideas I have ever seen.
A lot of companies have issues with ClickFix [1] and other social engineering campaigns and now Google wants to teach users that they should scan QR codes to proceed on a website.
How should we realistically teach Susan from HR the difference between a real Google Captcha QR code and a malicious phishing QR code - you (realistically) can't. I wish we could - but those people don't work in tech, they will never know and I can't really blame them because at the end of the day they are just happy that they don't have to deal with tech after work.
We have spent years of behavioural conditioning to prevent QR-code based phishing attacks (some people call it Quishing but I hate that term) and since the QR code is being scanned from a mobile device (99.99% of the time the private device), we have no EDR visibility on those devices and can't track what's happening if people scan it.
This is more of an invitation for threat actors than it is something that holds them back.
The mobile phone requirement would mean I end up avoiding sites that use that method. I'm not sure how many friends and family can be convinced, but I can try. (Most people tend to give up any and all security measures if it means getting to see the fluffy kitten though, so my hopes aren't very high.)
Yeah, I had the same question myself. I think that's what you would want to do to make it airtight (plus some amount of rate limiting or flagging for devices that are part of dedicated device farms).
But even if not, there's still value in raising the barrier to entry. For example, you can buy 1000 reCaptcha solves for $1-2 from various captcha-solver services. And yet that $0.001-per-request fee does discourage mass-scale bot attacks.
How though? Can you also avoid DDoS simply by designing your system to not care if the requester is a bot or not?
Let's say I'm running https://grep.app/ for example. AI bots start heavily using it, costing me a ton of money. How would you magically design this so it doesn't matter if the end bots are using it?
How do you "determine" individual clients to show them CAPTCHAs? Yes, you can, and probably should, make some use of IP addresses, although that would work better if idiots hadn't polluted the Internet with quite so much NAT.
But you don't have to, and you definitely don't have to completely rely on it. Look for a cookie. If you don't see it, route the client through a page that sets it.
Yes, this is subject to flooding attacks... in exactly the same way that every CAPTCHA system is subject to flooding attacks. But it actually uses fewer resources per request than showing the CAPTCHA would.
> Uhm no the whole point of captchas is that it requires (or used to anyway) humans to solve them, thus limiting the rate to human speeds.
The CAPTCHA challenge page itself has to be served to a client that has not yet given any evidence that it's not a bot. It's just as expensive to serve the challenge page as it is to serve a cookie-setting page. Bots can infinitely retrieve the challenge page (and can also infinitely try to retrieve the underlying "authenticated" page, forcing you to process redirects).
The only reason it looks better to you is that a third party is serving the CAPTCHA. You could also have a third party serve the cookie-setting page.
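The cookie-setting gate described in the two comments above, written out as an added example (not code from the thread or from any product mentioned in it). A client with no cookie is answered with a cheap redirect that sets an HMAC-signed cookie bound to its IP and issue time; a client that presents a valid cookie is let through; cookie-less requests are throttled per IP with a token bucket so a flood of first contacts costs little more than a MAC and a redirect. All names (`gate`, `COOKIE_NAME`, the bucket parameters) and the secret are this example's own.

```python
"""Cookie-gate front door: 'set a cookie, then come back' check.

Added example, not from the thread.  The cookie is an HMAC over the
client IP and issue time, so it cannot be forged without the secret and
does not work from another address.  Cookie-less requests go through a
per-IP token bucket; serving the redirect is the only cost they incur.
"""
import hashlib
import hmac
from collections import defaultdict

SECRET = b"constructed-demo-secret-rotate-me"  # constructed; load from config in practice
COOKIE_NAME = "gate"
COOKIE_TTL = 3600        # seconds a cookie remains valid
BUCKET_CAPACITY = 5      # cookie-less requests per IP before we stop answering
BUCKET_REFILL = 0.5      # tokens per second added back to the bucket


def _mac(ip: str, issued: int) -> str:
    """Truncated HMAC-SHA256 over 'ip|issued'."""
    msg = f"{ip}|{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


def make_cookie(ip: str, now: float) -> str:
    """Cookie value: '<issue time>.<mac>'."""
    issued = int(now)
    return f"{issued}.{_mac(ip, issued)}"


def cookie_valid(value: str, ip: str, now: float) -> bool:
    """True if the cookie was issued to this IP, is unexpired, and not from the future."""
    try:
        issued_s, tag = value.split(".", 1)
        issued = int(issued_s)
    except ValueError:
        return False
    if now - issued > COOKIE_TTL or issued > now + 60:
        return False
    return hmac.compare_digest(tag, _mac(ip, issued))


class TokenBucket:
    """Per-IP token bucket for the cookie-less path."""

    def __init__(self) -> None:
        self.level = defaultdict(lambda: float(BUCKET_CAPACITY))
        self.last = {}

    def allow(self, ip: str, now: float) -> bool:
        last = self.last.get(ip, now)
        self.level[ip] = min(BUCKET_CAPACITY, self.level[ip] + (now - last) * BUCKET_REFILL)
        self.last[ip] = now
        if self.level[ip] >= 1:
            self.level[ip] -= 1
            return True
        return False


def gate(cookies: dict, ip: str, bucket: TokenBucket, now: float):
    """Decide a request.

    Returns (status, set_cookie): 200 = pass through to the real page,
    302 = redirect to the cookie-setting page with the cookie to set,
    429 = this IP has exhausted its cookie-less budget.
    """
    if cookie_valid(cookies.get(COOKIE_NAME, ""), ip, now):
        return 200, None
    if not bucket.allow(ip, now):
        return 429, None
    return 302, make_cookie(ip, now)


if __name__ == "__main__":
    bucket = TokenBucket()
    status, cookie = gate({}, "203.0.113.7", bucket, 1000.0)   # constructed IP
    print(status, cookie)                                       # 302 + cookie
    print(gate({COOKIE_NAME: cookie}, "203.0.113.7", bucket, 1001.0))  # (200, None)
```

The point the comment makes is visible in `gate`: the un-cookied branch does one HMAC and returns a redirect, which is no more work than serving a challenge page, and the bucket caps what a flood can extract from that branch.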
I don't really get how this stops captcha solving as a service, which is the actual way that scaled recaptcha solving is done? Those things are incredibly cheap and are staffed by humans anyway. Instead of selecting grainy busses, they will just scan the image with their phones.
They'll need a lot of google-certified phones then. And each phone will only be able to do so many verifications until the unique, cryptographically secure ID gets banned by Google.
Google already killed the SMS verification market specifically for Google accounts because they reversed the verification from receiving to sending the SMS. Almost a year later, no SMS verification service that made a killing on this is offering an alternative.
So yes, this will definitely affect the captcha solving services.
An increasing percentage of the dumb majority are opting for dumb phones and plenty of people still use laptops, it doesn't have to be anywhere remotely close to a majority for many analytics-obsessed site owners to see the drop in sales and opt for another solution.
In any case, sites using an extremely restrictive mode of reCAPTCHA during DDoS attacks will just be one segment of a very fragmented digital future, not society as such.
You mean like the Google login QR I can already bypass with an extension? I'm not sure this is a real step forward in the arms race, and I'm cool with that.
I ditched reCaptcha and switched to Cloudflare Turnstile recently. It’s been a lot more effective. Not sure about this but I won’t be switching back for the time being.
I suppose it's now become a default assumption every customer is going to own a smart phone that complies with this requirement?
It seems on iOS you'll even need to download an application, which is quite a bit of friction.
In the current economic times, adding minutes onto the user journey is not going to result in increased sales, I suspect the data will prove the opposite.
Using a mobile device is bad enough as it is: TOTP, email, SMS codes, 3DS etc, while you can say this is part of the "flow", it's too much. I can see many abandoned journeys from this.
Google has a lot of fraud because they have absolutely no standards when it comes to advertising scams and frauds as the first result. Google is a services company for the global crime industry.
I don't think there's much that's accidental about it. The giant corporations with near-monopolies in web-related markets (browsers, search...) are going to be incentivized to put restrictions in place that protect that monopolistic status. As with other facets of life, they can dress up the changes as "protecting users/kids/etc" and mostly get away with it. The same companies are the ones championing the very technologies that make human attestation more and more necessary.
To counter the idiot downvotes, I proffer this as a prime example of Gemini:
Resolving Final Compilation Conflict: I will remove the redundant `Entry` type declaration to resolve the compilation conflict and finalize the in-memory `StdNetDB` refactor.
Edit std.go → Accepted (+0, -1)
31 type Entry struct {
32 RouterInfo *router_info.RouterInfo
33 }
34 -
34 func NewStdNetDB(db string) *StdNetDB {
35 ctx, cancel := context.WithCancel(context.Background())
36 return &StdNetDB{
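Review bot: the hunk removes only the blank line at old line 34 (+0, -1), while the `Entry` struct declaration at lines 31-33, which the message says is being removed to resolve the compilation conflict, is still present as unchanged context; the edit therefore cannot resolve the duplicate-declaration conflict it describes, and the three `type Entry struct` lines would have to be the ones marked for deletion.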
That and the cli keeps exiting 0, without hinting why... Quality like the "AI Overview" that hijacks an entire page and isn't even relevant to the search terms - uBlock still doing god's work.
It made me realise I was perhaps a bit hard on Claude (but then it did something equally as dumb)
It’s the same thing with Sam Altman and Worldcoin: create the problem, then sell people the solution (which also just so happens to shred more privacy). Play both sides and profit; it’s great work if you can get it.
Before the age of AI, most bots aren’t sophisticated at all. They might be a script running curl in a loop, or at best some standard browser automation tool like selenium or playwright. People couldn’t stop bots reliably but they could easily stop 99% of bots. That is of course no longer true which is why reCAPTCHA had to evolve.
The first step is to write down why you are stopping bots and which bots you are stopping. If an LLM is buying things from your web store, that's good. You are making money on that, and you shouldn't stop it.
The efforts by Google, Meta, TikTok, X, AWS etc. to fight fraud and other financial crimes are probably largely deficient. They earn significant revenue from crime and criminal activity. Compared to banks, which are required to prevent financial crimes up to personal criminal liability of employees, there are no comparable rules for social media platforms.
How do two service businesses get treated so differently by law?
> we enable application providers to deter and mitigate malicious requests by requesting humans to be in the loop using the new QR code-based challenge.
I'm so pissed off in advance. I hope that Google dies and collapses in sudden bankruptcy before we have to support these crappy challenges that are totally user hostile!
Anti-trust. They're selling part of the problem (inference via Gemini) and now they're selling a solution. They also dominate web standards by developing the dominant browser. And they control one of two dominant phone platforms that will collaborate to enable this solution.
If this were some smaller company that just did cloud then it'd never even make it to PoC. This can only happen because it's Google Cloud, and they can leverage everything they own all at once. Those not buying into their ecosystem can take a hike.
Apart from the horrifying privacy implications, this also means all a bot needs to do to access a website is send a screenshot to an Android device. They made the CAPTCHA machine-readable. It would be funny if it weren't so sad.
We are much MUCH closer to "drink verification can" than to the time that greentext was written. Like many things in 2026, it's beyond fucking wild, it's a parody of itself.
And I don't see it getting better without government regulation. But states are now weaker than corporations. How can we expect them to take charge?
Who are the engineers building this technology? Make their identities known so displeasure about these systems can be delivered directly to those who most deserve it.
Google and the reCAPTCHA network aren't even that good with fraud prevention. You would think being literally omniscient over the whole internet would make it trivial to catch account takeovers, and Gmail has a proven track record at resisting account takeover, but when we tried to integrate their fraud signals, they were worthless, worse than the rest of the industry, worse than our homegrown trash from a decade ago.
Because Google doesn't actually care about preventing fraud, they just want the data you feed them and the fraud feedback you provide. It's all take, no mutual business.
The requirements for the mobile devices are listed here: https://support.google.com/recaptcha/answer/16609652
So it seems that you will need a modern Android device with Google Play Services installed or a modern iPhone/iPad to be allowed to browse the web in the future.
No mention of device integrity verification yet, but the writing is on the wall.
... or you'll need to stop using reCAPTCHA if you want to get any traffic on your Web site.
I know, people will slavishly knuckle under, but let me dream for a few minutes.
99.999% of people don't give a shit and don't even know what this means. They'll follow the instructions. These are the same 99.999% of people who press win+R ctrl+V enter when the captcha prompts them to. Because do this to see the dancing bunnies.
They will do exactly as it says while also ceaselessly complaining, completely unable to connect their choice to use a website with the pain of using that website.
There's some sort of serious issue with learned helplessness or something
It's almost like some people aren't IT hobbyists.
I'm not a heart surgery hobbyist, therefore I don't chop people's chests open, no matter who suggests it.
Yeah, this is going to turn into another malware vector, isn't it?
Discord has a feature where you can log into your account on your PC by scanning a code on your phone.
So does Binance.
So does Signal.
But Signal is secure(TM)!
But none of those options are requirements to access the service.
They're requirements to access my website though! To prove you're not a bot, scan this QR code - with Discord.
Those are good things though? They’re about logging in, on purpose.
Not about attesting to Google that you have a proper smartphone as a proxy for your humanity, like this thing.
To prove you're not a bot, scan this QR code with Discord.
> press win+R ctrl+V
LOL is this real?
I guess yes, because yesterday ReCaptcha asked me to screenshot a QR-code with the mobilephone :-D
It is. There are fake Cloudflare CAPTCHAs on pwned Wordpress sites that instruct users to run Powershell scripts.
It’s a common thing for malware. But people are going to be more likely to fall for it when mainstream sites ask you to complete weird tasks with your phone to verify your identity.
People are constantly made to jump through strange hoops to do things on the internet. Unless you're really keyed in to what's going on, it's easy to fall for stuff like that.
I have blocked it for years with ublock origin, if a site doesn't work, ctrl-w. Nowadays i cannot even use google search because of this, any search will trigger a captcha, hilarious (atleast on chromium-based browsers, firefox lets me get a page or two).
Ditch Google Search as well then, use something like SearXNG or another meta-search engine. You'll get more representative results, no tracking and no captchas. Sometimes some of the engines may return captchas but they're kept from the search results, i.e. those engines don't get used for the query. You can run your own instance of SearXNG or one of the alternatives or use one of the available public instances, your choice. The fewer direct interactions with the likes of Google/Apple/Microsoft/etc. the better.
The thing is even a contact form without something like reCaptcha is doomed on today's web: spam all day.
If it's just a contact form on some random site that isn't particularly valuable to spammers, a bespoke solution like hidden input fields, obfuscation, or some kind of token calculated client-side by JS will probably work just as well.
That used to be the case; unfortunately today even bespoke solutions can be completed by automation, and anything that just requires running JS in a headless browser has been ineffective for a long time already.
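The bespoke contact-form checks the two comments above describe (a hidden input that humans never fill, plus a token computed when the form is rendered), as an added example written for this thread rather than taken from it. The token here is an HMAC-signed timestamp, so the server can also reject submissions that arrive implausibly soon after the form was served. Field names (`website`, `_t`), thresholds and the secret are this example's own choices.

```python
"""Server-side checks for a bespoke contact-form spam filter.

Added example, not code from the thread.  Two cheap signals:
  * a honeypot field rendered with display:none that humans leave empty;
  * an HMAC-signed render timestamp, so a submission arriving seconds
    after the form was rendered is rejected, as is a stale or forged one.
"""
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # constructed for the example
HONEYPOT_FIELD = "website"            # hidden via CSS; bots filling every input trip it
TOKEN_FIELD = "_t"                    # hidden input carrying the signed render time
MIN_FILL_SECONDS = 4                  # faster than this is almost certainly a script
MAX_FORM_AGE = 3600                   # tokens older than an hour are stale
REQUIRED = ("name", "email", "message")


def _tag(issued: int) -> str:
    return hmac.new(SECRET, str(issued).encode(), hashlib.sha256).hexdigest()[:24]


def render_token(now: float) -> str:
    """Value to embed in the hidden token field when rendering the form."""
    issued = int(now)
    return f"{issued}.{_tag(issued)}"


def check_submission(fields: dict, now: float) -> tuple:
    """Return (accepted, reason) for a posted form, checked in order of cost."""
    if fields.get(HONEYPOT_FIELD, "") != "":
        return False, "honeypot filled"
    try:
        issued_s, tag = fields.get(TOKEN_FIELD, "").split(".", 1)
        issued = int(issued_s)
    except ValueError:
        return False, "missing token"
    if not hmac.compare_digest(tag, _tag(issued)):
        return False, "bad token"
    age = now - issued
    if age > MAX_FORM_AGE:
        return False, "form expired"
    if age < MIN_FILL_SECONDS:
        return False, "submitted too fast"
    for name in REQUIRED:
        if not fields.get(name, "").strip():
            return False, f"missing {name}"
    return True, "ok"


if __name__ == "__main__":
    token = render_token(100.0)
    human = {"name": "A", "email": "a@example.com", "message": "hi",
             TOKEN_FIELD: token, HONEYPOT_FIELD: ""}          # constructed submission
    print(check_submission(human, 110.0))                      # (True, 'ok')
    print(check_submission(dict(human, website="x"), 110.0))   # (False, 'honeypot filled')
```

As the reply notes, a headless browser that renders the page, leaves the hidden field alone and waits a few seconds passes every one of these checks; they filter the curl-in-a-loop tier, which is all a low-value contact form usually attracts.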
This is going to make my grapheneos journey a bit more exciting. How wild to force users through an official google identification for web browsing.
Does the iPhone recaptcha app force you to login with a Google account? Seems we didn't need ID verification for the web to lose all anonymity.
I'd rather have to do ID verification at a government site that gives out blindable RSA signatures to browse the web with using open source software, than this overseas tech company needing to lock down the whole device and tech stack and not have to 'show ID' at all. One of these two holds elections...
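The "blindable RSA signatures" this comment prefers, shown as an added toy implementation (not from the thread, and not any government's or vendor's scheme). The issuer signs a blinded value it cannot read, the client unblinds it into a signature on its own token, and a site verifies the signature with the issuer's public key; the issuer never sees the token it signed, so it cannot link a redemption back to the issuance. Key sizes are tiny and the padding is a bare hash, which is fine for seeing the arithmetic and unsuitable for real use. All names (`Issuer`, `Verifier`, `blind`, `unblind`) are this example's own.

```python
"""Blind RSA signatures as an unlinkable eligibility token (toy version).

Added example, not from the thread.  Flow:
  client:  m = H(token);  blinded = m * r^e mod n   (r random, secret)
  issuer:  s' = blinded^d mod n                      (sees only blinded)
  client:  s  = s' * r^-1 mod n  = m^d mod n         (a plain RSA signature on m)
  site:    s^e mod n == H(token)?  and token not already spent
"""
import hashlib
import random
import secrets
from math import gcd


def _probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force top and low bit
        if _probable_prime(cand):
            return cand


class Issuer:
    """Holds the RSA private key; only ever sees blinded values."""

    def __init__(self, bits: int = 256) -> None:    # toy size, not for deployment
        self.e = 65537
        while True:
            p, q = _random_prime(bits // 2), _random_prime(bits // 2)
            phi = (p - 1) * (q - 1)
            if p != q and phi % self.e != 0:
                break
        self.n = p * q
        self.d = pow(self.e, -1, phi)

    def sign_blinded(self, blinded: int) -> int:
        return pow(blinded, self.d, self.n)


def _hash_to_int(token: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % n


def blind(token: bytes, e: int, n: int):
    """Return (blinded message, blinding factor r); r must stay client-side."""
    m = _hash_to_int(token, n)
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return (m * pow(r, e, n)) % n, r


def unblind(blinded_sig: int, r: int, n: int) -> int:
    return (blinded_sig * pow(r, -1, n)) % n


def verify(token: bytes, sig: int, e: int, n: int) -> bool:
    return pow(sig, e, n) == _hash_to_int(token, n)


class Verifier:
    """A relying site: checks the signature and accepts each token once."""

    def __init__(self, e: int, n: int) -> None:
        self.e, self.n, self.spent = e, n, set()

    def redeem(self, token: bytes, sig: int) -> bool:
        if token in self.spent or not verify(token, sig, self.e, self.n):
            return False
        self.spent.add(token)
        return True
```

The `Verifier.spent` set is what makes such tokens usable for rate limiting without identity: each token is good once, the site learns nothing about who obtained it, and the issuer learns nothing about where it was spent.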
Music/movie corporations and game developers must look forward to an age where people can't access the cache files or hook up a debugger to their apps anymore
One of them pretends to hold elections.
Does it only count as an election if one’s favorite side wins?
What if neither side represents your interests? What "election" is there in that case?
There's more than two sides here. None of the 14 parties with >1 seat in parliament fully represents my best understanding of how to improve the country and world on any time scale (long or short), but quite a few of them come reasonably close and I would vote for them without much hesitation
(Heck, I wish there were fewer parties, like if five single-topic good parties (bij1 against racism, pirate party for internet freedoms, volt for international collaboration, party animals for environmental welfare, etc., plus greenworkersparty as the current overarching big boy) would band together, it'd be a much easier choice!)
That not every country is so lucky (not all of them have free elections, or elections at all) is a shame indeed, but at least for countries like mine I'd be much happier to have a government arrange a system than a tech corporation and foreign laws. Presuming that the 2-party system you speak of is the USA's, at least both corps are governed by your own laws, that's something!
Can you candidate yourself in that election?
I'm sure many are tempted to dismiss this comment, but I think it's actually great. It's incredibly easy to complain about the options out there, really easy to vilify any or all of the parties as controlled by satan/evil corporations/communists/fascists.
What's harder?
Convincing enough people to matter (in some kind of election-based system) to get behind your platform - either with you as a candidate, or working to promote a candidate or party or movement that you do believe in.
People talk like their changemaking ideas are very widely held - the way people talk it's like they believe 75%+ of the country must actually agree with them - but then they don't run for office on such a popular platform that it should be a sure election win, yes even with countervailing forces such as electoral college, Senate, etc.
Simply live somewhere that doesn’t have a broken electoral system.
Like the Moon or Mars? The power is not something for the people for free.
Some Western European democracies have a well-functioning democracy. The people voting are still humans, a substantial portion votes for racist parties that economically only benefit big corporations and not them, but the damage is limited because there is no winner-takes-all. Everyone has to accept compromises.
> Some Western European democracies have a well-functioning democracy.
Which ones?
Which public corporation do you think doesn't hold elections?
Google. The Class B stock setup means Class A shareholders are shouting into a void.
That's still an election.
It's not even Gerrymandering, a company you willingly bought stock from has always had this setup.
Contrast that to most Americans' experience of their vote just not mattering outside of a few swing states. Having to move across states is a much more drastic requirement than just not buying Google Class A stock.
I'd rather have no ID verification at all. Give them an inch and they'll take a mile.
Same, I've never seen any app or website where an ID registration would make sense. No thanks.
I guess history made us different. Personally I have reasons to be equally distrustful to anyone who wants to know too much about me, but much more afraid of my gov't than overseas entities.
In this specific case, why fear the government?
My government has already seen my government-issued ID. If my government hasn't worked out my phone number, they can always ask the phone company. My address is required for the ID, voting, and filing taxes. I don't see how the government learns anything from this?
Conversely, I would like to believe most companies do not have my government-issued ID, nor a lot of the information on it.
From an American perspective, I don't trust the government with the implementation details, nor do I trust our political climate, misaligned incentives, and general disinterest in good governance to implement something so sensitive.
If I lived in say, Sweden, I feel much more comfortable trusting their government to implement. In America, I feel I must always vote in a way that prevents giving any power to the government that I wouldn't want my political opponents to have over me.
the grass is always greener on the other side
You think people in Nordic countries think they'd be able to trust their government more if they were American?
OP never lived in Europe and is looking through rose-colored glasses.
Sometimes your grass is just yellow.
In said US of America, when the government wants to know something about you, they will get everything they want from the companies - it's even written clearly in the US laws. So I'm not sure why (or where) you draw that line...
1. if they have to subpoena each site each time they need user data, it reduces mass surveillance risk. I'm okay with cops getting a warrant to access someone's gmail. I'm not okay requiring everyone to use email.gov.
2. I use a VPN and pseudonyms. they could unmask me if they cared to, but it'd be annoying. it'd be a lot more annoying if they wanted to unmask every VPN user all the time.
Being available as part of Google Cloud means subpoenaing Google is probably sufficient for most web sites.
> My government has already seen my government-issued ID.
If you have a government ID and all you use it for is voting and paying taxes, then they know that you vote and you pay taxes.
If you have to use it for accessing the internet then they know everything you do on the internet. What you read, who you talk to, what you post, when you sleep, where you are at any given time -- it's very much not the same thing as just having a picture of you and your name.
No they do not. A properly designed government app that uses cryptography to generate a deniable token that can't be cross-correlated but proves your humanity/age to a consuming site is manifestly different than Google adtech hoovering up as much of your activity as possible.
I have not seen any government adopt such a standard.
Some EU countries claim to provide anonymous age verification services, but those only hide your identity from the relying party. The site you visited is logged to the government's database along with your identity, before you're redirected to the target site with an "anonymous" token.
> the site you visited is logged to the government's database along with your identity
Is that true, or are you spreading FUD? Because the system in question is not even live yet, it's only had experimental releases.
MitID has been active since 2024: https://www.nordicalcohol.org/post/id-now-required-in-denmar...
https://idura.eu/blog/mitid-vs-age-verification-login
That's not the system I'm talking about: https://ageverification.dev/
> Unlinkability is achieved by design through Zero-Knowledge Proof cryptography see the "Privacy by design" section below.
> A properly designed government app
Oof, that's not a great premise to take as a requirement right out of the gate. More counterexamples than examples for that one.
> that uses cryptography to generate a deniable token that can't be cross-correlated but proves your humanity/age
If it's actually deniable/anonymous then how would it work for rate limiting? If you can't correlate their activity then you don't know if the million requests are a million people or one bot with a million connections. If you can correlate their activity then it's not anonymous.
Moreover, it's a false dichotomy that we should be doing either of these things. The better alternative to corporate surveillance isn't government IDs, it's no surveillance.
A site can still choose to have a login system if it wants to. Sites can still rate limit based on IP address or cookies or whatever they use today.
The idea would be to use ZK proofs to demonstrate that "yes, this anonymous request is from a client acting on behalf of an adult human EU citizen" - that's something that is not easy to do today.
> A site can still choose to have a login system if it wants to. Sites can still rate limit based on IP address or cookies or whatever they use today.
So then you don't need either attestation or government IDs, right?
> The idea would be to use ZK proofs to demonstrate that "yes, this anonymous request is from a client acting on behalf of an adult human EU citizen" - that's something that is not easy to do today.
But how is that even useful? Is it good to exclude real people from Korea or South America? Do we really expect criminal organizations or for that matter even children to be unable to find a single adult EU citizen willing to anonymously loan them an ID?
It's about as plausible as criminals being unable to run their code on a device that can pass attestation. They're both authoritarians with a conflict of interest trying to foist a hellscape on everyone under a pretext their proposal can't even really address.
> It's about as plausible as criminals being unable to run their code on a device that can pass attestation. They're both authoritarians with a conflict of interest trying to foist a hellscape on everyone under a pretext their proposal can't even really address.
How is the system proposed by GP authoritarian? It's not actually giving away any real PII. We could just argue that it would make the Internet less usable for "illegal" immigrants who don't have a Gov ID - which can be seen as a problem already in itself, but still doesn't make that solution "authoritarian".
> How is the system proposed by GP authoritarian? It's not actually giving away any real PII.
These proposals have two major flaws.
1) They're predicated on a secure implementation, but any government-mandated system is going to be instantaneously ossified. Everyone will have to interface with it and then lobby heavily to prevent it from changing and requiring them to do more work. The initial implementation therefore has to be perfect. Free of not just current but also future vulnerabilities. That has never happened before and isn't likely to. But then you're proposing something with an extremely high probability of permanently compromising everyone's security as required by law.
2) They're structurally authoritarian.
Suppose the initial implementation was actually secure. I can even propose one: Every adult ID has the same QR code on it which you have to scan to be let in. There is no way of distinguishing any of them since they're completely identical even between different IDs, but only the adult IDs have them.
Great, now you just have to scan your ID to be let in. Papers, please. Are ordinary people going to be able to distinguish this from what comes immediately after, when they say the anonymity is causing kids to be let in so they're going to make the QR codes unique, allowing them to track everyone and find out who is lending a kid their ID? Then the infrastructure is already in place. All they have to do is change the implementation out from under you and it's an instant panopticon. Turnkey mass surveillance is authoritarian even if you haven't turned it on yet.
> We could just argue that it would make Internet less usable for "illegal" immigrants who don't have a Gov ID
We're talking about the internet here. People are required to be neither immigrants nor illegal for them to be citizens of another country.
You're moving the goalposts. I was responding to your claim that any verification system involves the government getting a complete record of all online activity.
If you're willing to admit this is entirely possible from a technical standpoint, there's a separate question about how useful/valuable it is.
Making it harder for children to access extreme pornographic or violent content seems useful to me. Many advertisers want to be able to say they've shown ads to a human not a bot. Humans in WEIRD* countries have more valuable eyeballs than humans in the developing world.
If you don't solve for those use-cases in a privacy preserving way, adtech will do it in an intrusive way - which is what Google are doing in the OP.
*"Western, Educated, Industrialized, Rich, and Democratic"
They could do it like that, but they won't do it like that, because tracking the population is a feature not a bug
In this specific case your government can ban you from the web by refusing to verify. E.g. to punish dissidents abroad Belarusian dictatorship simply nullifies their IDs, and lists them as terrorists in public data. Apparently that's enough to ruin somebody's life worldwide. But at least they can use their browsers, which would be not that easy in a world where gov't-backed verification is norm on the net.
One of these also rounds up people and sends them off to overseas concentration camps without due process. I think maybe white people still don't get what the rest of the world is living or experiencing.
Sorry, I trust Google more than my government for my data. I mean I trust photos, youtube, music, gmail, wallet, keep, etc. What is it that I have left anyway? It's sad that we started from the open web, but we ended up in the hands of a few. Apple/Samsung, Google, Microsoft, Amazon decide basically how I live my life. I don't want to (and sometimes I try too hard), but I don't want to give up the convenience either, and not only mine: my family is in the same pot.
Google will comply if your government needs information on you. Are you sure your trust isn't misguided?
Given the chance, Google would kill you by accident.
"We're very sorry, your access to G-Pacemaker was accidentally revoked when your accounts were closed for suspicious behavior after watching a YouTube video without subtitles in a language we hadn't realized you were learning. Unfortunately, there is no appeals process as your heartbeat was terminated immediately."
I've been saying for years that it does not make sense to browse the web on a smartphone. Eventually things will get bad enough that people will agree with me.
A smartphone is just a small computer. I don't see how what you say makes sense.
It's a small computer that I don't really control with a horrible UI, horrible privacy, and nothing but perverse incentives. ("download the app!")
Sounds like Windows
And Mac
There’s no going back unfortunately. There’s no world where smartphones go away barring a new tech as significant and useful as a smartphone.
Why are you so sure? Have a look at Librem 5 and Pinephone.
I’m familiar with projects like them. I just don’t think any of them are going to break through in a meaningful way anytime soon, if ever. They have very niche markets. I hope they are always an option though.
The prospects for growth are better than ever. GrapheneOS by installer download stats looks to have approximately a quarter of a million users, and the new Motorola partnership should cause that to increase significantly.
If nothing else, it will be a major OEM shipping a non-customer-hostile mobile OS officially for the first time in ages, and Motorola's reach is significant: https://www.androidpolice.com/motorola-razr-drives-foldable-...
Graphene is still tied directly to Android and Pixel devices. It is always at risk. Good luck if Google decides they don't like the project enough. I went through that nonsense with Canon and Magic Lantern years ago. Firmware 2.3 was specifically designed to break it on all DSLRs.
The Magic Lantern Canon thing was terrible. Although I heard it is back, for whatever that is worth.
But that is a fair concern. While GrapheneOS will continue to support Pixel devices as long as they can, they will not be beholden to Pixel devices once the Motorola partnership is up and running.
They will be beholden to Motorola, instead! But it is a non-exclusive partnership and it sounds like the intention is to move beyond a single OEM. I am hoping that within a few years we see a small number of OEMs all meeting the device requirements GrapheneOS has set, with real consumer choice and more room for the project to maneuver as it sees fit.
In terms of being tied to AOSP, that is a given for the near term. It is still the best option out there and offers the most robust existing ecosystem of apps that has both FOSS options and highly useful closed source options. Major banks are not going to tell Motorola that their customers can't use their banking apps, though I still use 4 or 5 major banking apps on my GrapheneOS devices without issue beyond one bug, which was quickly fixed.
Longer term, an open source hypervisor model sounds like the eventual goal: https://grapheneos.org/faq#roadmap
That will probably happen before modern chipset makers open source their blobs (never?), so I view that as a great compromise that should result in devices that are even more secure, even more private, but still usable by people who live in a society. And it will reduce the dependency on Google significantly as it will give room to non-AOSP apps to run on contemporary hardware with contemporary security.
Hello!
This is Walter Schulz, core team member of the Magic Lantern project, and I was there back then when Canon introduced firmware 1.3.6 for the EOS 5D3. Not sure what you mean by "Firmware 2.3". Let's clear this up:
- Canon came up with 1.3.3 to 1.3.5. This disabled in-cam downgrade via the Canon Menu. But it was still possible to use EOS Utility's firmware update option to install 1.1.3 or 1.2.3 (or any other version up to 1.3.5).
- There were no additional locks installed. We always had the option to port ML to 1.3.3 or 1.3.5. We could, but we didn't want to, and there was no need.
- Other cams didn't get this treatment.
Then came 1.3.6, which disabled the EOS Utility option, too. Now it looked like Canon forced our hand and we were forced to port ML to 1.3.6! Meh! But no additional locks either. Porting ML to 1.3.6 was essentially the same as for 1.2.3. Some users got 1.3.6 installed during maintenance because Canon Support installed this version without asking. Some (a single one or more, don't remember) went back and asked for a downgrade in order to use ML again. And Canon Support did that. Not exactly the action you expect from a company with the intention to block ML, right? ;-)
It didn't take long before user Apollo7 came up with a method to bypass this downgrade lock. Which came in handy because of a publicity stunt by someone: https://research.checkpoint.com/2019/say-cheese-ransomware-i... "Strange" attack vector for sure. Well, it made news and Canon reacted by patching several camera firmwares for ML-enabled cams (but not all of them!).
But again: there was no lock making ML development for patched firmware more difficult or even disabling it! It would still be possible to port ML to any new firmware. We just wanted to avoid the load of unwanted work. Porting is no joke and may result in headaches. A lot of work.
But today Canon upped their game. They learnt how to use real security features and newer cams won't allow our old methods to work. True.
So ... can you please stop the nonsense "was specifically designed to break it on all DSLRs", please?
Excellent information, thank you!
You need LineageOS or GrapheneOS
Or Mobian, or PureOS, or postmarketOS.
“On an infinite timescale, I’m eventually right, so it never makes sense to not heed my advice” is silly. We’re all going to die eventually so it’s not worth browsing the web on any device.
> No mention of device integrity verification yet
If Google Play services is listed as a requirement, that implies that a "certified Android" device capable of Play Integrity attestation is required, since that's the only officially supported way to obtain Google Play services. On consumer-facing support articles like this, they don't tend to get into the nitty gritty details like what APIs are being used. If MEETS_DEVICE_INTEGRITY is required, that would probably not be explicitly listed here.
E.g. the consumer documentation for Google Pay just says you need a "certified" Android device and a screen lock set up: https://support.google.com/wallet/answer/12200245
(Yes, if you go deep into the FAQ at the end it eventually states that if you rooted your phone, you can't use tap to pay, but that requirement is implied by the certification requirement [1].)
In Google's eyes, and in the eyes of the law due to trademarks filed by Google, Android == Google Android.
This feature would make little sense if it's not using device attestation because otherwise it would be easy to spoof. I expect that it will initially not use it, and they will start A/B testing device attestation in the coming years.
[1] Expand "What to do if you see device is not certified" -> "Reset device to fix issue" https://support.google.com/android/answer/7165974
>that implies that a "certified Android" device capable of Play Integrity attestation is required
No, it doesn't. It implies that the app for handling the deeplink lives within GMS as opposed to needing to manually install a separate app like you do on iOS. GMS does not have a hard dependency on device integrity APIs being supported.
They said "capable of Play Integrity attestation". It's a weasel statement. If you have GMS, you're capable of performing PIA attestation, you just might fail. So it's strictly true, but doesn't tell us anything about whether it requires PIA.
> I expect that it will initially not use it
It's the boiling-the-frog method. Moving too fast means backlash, but a slow, step-by-step transition, where each step seems reasonable but ultimately ends up with a locked-down device, is how they aim to achieve it. And people would be too lazy to complain until the last few steps, by which time it would be too late.
Good metaphor. On the one hand, Google increasingly cooperates and makes deals with militaries and governments. On the other hand, it increasingly locks down its customers and eliminates their privacy and freedoms.
Google has just about got the pot boiling. They win, we lose.
FWIW, “boiling the frog” is the example of false reasoning about slippery slopes (the frog in actuality always left)
Your larger point still stands though of normalizing changing expectations by slow degrees
Not really - I would prefer that any policy change that _could_ be utilized in the future to enable future draconian changes be killed before it takes root.
I want a system, like type safety, to guarantee that XYZ cannot be possible, rather than relying on civil jurisprudence and active opposition to prevent it. We don't have that today, but I would like to have it.
So you want to ship technical means that prohibit companies from shipping products that limit what you can do with them?
It’s kind of self-defeating, isn’t it? Why would I adopt your standard when it limits what I can build?
There is already so much backlash. If I ever use a reCAPTCHA, I will have Google Gemini solve it, wasting Google's compute and messing up the dataset.
I believe you'll also need bluetooth enabled on both devices. At least you do for those "scan this QR code displayed on your computer to authenticate using the passkey on your phone" feature, which this seems analogous to. Bluetooth is used to ensure that the two devices are actually physically co-located.
In passkeys the bluetooth is used for the actual authentication protocol...
Sometimes, sort of. Most passkey usage doesn’t involve bluetooth. When it does, there’s no real data being sent over bluetooth, just a meaningless hash that can be confirmed using a secret inside the QR code.
So really, it’s like I said, Bluetooth is used to make sure that the device consuming the QR code is actually near the device that’s displaying the QR code.
My desktop doesn't have Bluetooth. Does this mean I'd be doomed even if I had a compatible mobile device?
We might need to redo this whole Internet thing because this is insanity.
Maybe it’s time to get in to Ham radio or some other hobby
In a free market, the content provider is free to put whatever guardrails they feel appropriate. Loginwall, Paywall, CaptchaWall.
If you don't like that provider, you are free to pick another.
1. Free markets do not exist
2. If free markets did exist they would not conform to the theory that people are using when they think of what free markets are, since people do behave rationally, power dynamics are real, and no consumer can have all of the information needed to make rational decisions even if that information were available
3. The market is providing solutions to its own failures without fixing the underlying failures because it is more profitable this way. Is buying something from a company that mitigates a problem created by the same company actually a free market, or is it just extraction?
I'm not 'free' to pick another government site. There is only one.
Yes. The technical name for this FIDO2 QR code flow is caBLE (Cloud Assisted Bluetooth Low Energy).
I also disable Bluetooth on my phone every few months (and never enable it)... or at least after every CCC or such.
CTAP2 requires Bluetooth but I'm not seeing any mention of that protocol here? It wouldn't really solve the "are you a human" thing, because you can just implement your own CTAP2 protocol handler if you wanted to write a bot.
I think the phone will just do basic remote attestation and then do a POST request to Google. Still not exactly difficult to bypass for anyone with a dollar to throw at the click/ad fraud farms, though.
> but the writing is on the wall.
Only if politicians are still corrupt and law enforcement doesn't work.
Which means the writing is on the wall.
I will be unable to solve the phone verification because I use LineageOS for microG, but any fraudster can just buy a bunch of $30 android phones. Many people have trouble using a smartphone, so they use dumbphones, but they will be locked out. Many people just don't have any mobile phone because they don't think that it is useful.
Google is mostly interested in abuse that happens beyond the scale of how many $30 phones you can buy.
Google is interested in, like other tech companies, identifying users by tying them to their phones. Other ai defense companies are trying to get photos and IDs. This is just another take on the same subversive activity.
I'm expecting a pretty hard identity verification requirement to connect to the internet, which should solve for the burner phone thing.
They're mostly interested in having a complete record of all users' internet activity tied uniquely to their identity.
I’m already sick and tired of seeing cloudflares “making sure you aren’t a bot” checkbox everywhere. Sometimes it locks me out entirely and decides I don’t get to view pages.
I see recaptcha less frequently but it’s much more annoying, with all the clicking of crosswalks, or busses, or whatever. I am not looking forward to a web where google can not only lock me out of my email, but also large sections of the previously public internet. Occasionally google decides I don’t get to do searches, and that’s not too much of an inconvenience, there are other search engines.
But what's the alternative? Sites need a way to prevent bots overwhelming them, and there's no perfect way to distinguish real users from bots.
You're right, we need big tech to protect us from the problems big tech created.
In the olden 20th century, we had a term for that...
You know that protection racket where the mobster came to my corner store and said if I didn't pay him he would come back later and rough me up? This is a worse deal than that.
This is the modern version of that.
Better turn on that 'free' Cloudflare 'bot' protection. Would be a shame if our, ahem, I mean, those botnets ddos'ed your site.
mCaptcha, ALTCHA, Cap, Friendly Captcha, Private Captcha, Procaptcha, Anubis... there are literally dozens of open source alternatives that aren't feeding the Do Be Evil company... not to mention all of the commercial alternatives - if for whatever reason, you do feel like paying for a service that costs nothing to offer
Get off it. Fraud detection is nontrivial and requires ongoing effort. It's reasonable for people to be compensated for that.
CAPTCHAs are not fraud detection and not an ongoing effort
Maybe ai companies should have invested any of those billions of dollars into safe and equitable ways of rolling out their new surveillance machines. Oh right that was never the point and this only serves to further that. Got it.
I think they'd be OK w/o the surveillance machine part of it, but they have never seemed to care about anything besides advancement of the tech or its side projects.
I can imagine a world where they were fighting for displaced workers, for Altman/Elon-suggested UBI/universal "high" income plans, and where they'd compensated those in the training set, and cut deals with publishers & content creators instead of scraping anything they could get their hands on. Would they be unpopular?
The alternative would be tar traps that only a bot would “see” and interact with and thus be caught by. Default to annoying machines not people.
Your idea works for generic crawlers.
That doesn't work for targeted bots. A major benefit of device attestation is to stop the hordes of custom bot creators who try all sorts of ways to make a buck off of your platform, such as SMS toll fraud, credit card testing, ad fraud, account takeovers, stolen card laundering, gift card laundering, botting for pay-for-platform / ecosystem benefits, paid harassment; the list just keeps going.
Some apps such as Okta, banking, and others already check platform verification. Websites can't currently, until device attestation.
Personally, I hate the concept, but I also hate spending a large amount of time fighting mal-actors on my platform in a completely unbalanced fight. There are tons of them, and they have all the profit incentive. There's a few of us, we only take losses. They can lie all they want, we can't really trust any facts except kinda the credit card and the device attestation.
Like everything, it's a shitty compromise, but, as a platform runner, if I can leverage google's signal and cut 95% of my malicious botting users, guess what I'm going to do.
> A major benfit of device attestation is to stop the hordes of custom bot creators
Attestation is extremely ineffective at preventing this because it requires attackers be unable to compromise their own devices, even when they have permanent physical access to the hardware and can choose which model to buy and get devices known to be vulnerable.
For example, CVE-2026-31431 is from only a week ago. It's a major local privilege escalation vulnerability. If you can run unprivileged code you get root. How many people have Android phones that can pass attestation but will never see the patch because the OEM has already abandoned updating them? Tens of millions, hundreds of millions?
Attackers can trivially get root on a device that passes attestation. Many devices even have vulnerabilities that allow the private keys to be extracted.
The main thing attestation actually does is beset honest users who just want to use their non-Android/iOS device without getting a million captchas, because they chose the device they wanted to use as a real human person instead of doing as the attackers do and choosing a device for the purpose of defeating the attestation.
And it's easy to confuse this with real effectiveness because whenever you roll out any security change, the attacks may subside for a short period of time as the attackers adapt to it. But that's why it makes sense to avoid things that screw innocent people or entrench monopolies -- while the temporary effectiveness wears off, the screwing becomes permanent. Meanwhile spending the same resources on any other method of shuffling things around to make them adapt will give you the same temporary effectiveness without hurting your legitimate users.
s/stop/reduce/
I don't consider it a panacea.
People with rooted Android phones are a drop in the bucket compared to people running botnets using programming languages. I'd be super happy if I could force people to use low-end rooted Android phones for botting. It'd massively decrease the problem versus an EC2 instance running at full tilt.
Getting and managing a fleet of rooted phones is not a trivial task.
One alternative is to make simple, efficient, and where appropriate even static sites that can scale to meet the demand.
The HIBP hashes distribution is a great example.
“Demand” has very little to do with any of the problems bots cause on the internet today.
That doesn't really help if the same Huawei bot keeps re-requesting a bunch of 600 KiB JPEGs from 120 rotating IP addresses with random crap at the end of the URL, like what happened to one of my servers. Efficiency doesn't really matter if you're getting hammered by bots.
I ended up aggressively IP blocking all of China, Singapore, and a few other East-Asian countries once I noticed that blocking server IP addresses just made the botnet switch to residential IPs. I didn't switch over to Cloudflare, but now a couple billion people can't read my website, which is arguably worse (but cheaper).
Also, a handful of people seeing an annoying checkbox is hardly a reason to re-architect an entire website. I am as opposed to Cloudflare taking over the internet as any sane person, but the usability story isn't really an argument for that kind of time investment.
The alternative to Cloudflare isn't some magical system that works for everyone but bots, it's hard-blocking IP ranges on the network level for anyone who doesn't fit the "normal" user profile.
Try using anubis. It uses a PoW challenge to make it not make economic sense to scrape websites.
Anubis is trivially bypassed by anyone that cares to bypass it. All it does is inconvenience real users with niche/older/extended browsers or those who take basic precautions against tracking and malware.
Anubis won't work now that scrapers just allocate more CPU time to beat Anubis challenges. The default configuration also permits all bots, only catching bots pretending to be browsers.
What's your argument?
What are "bots"?
If I use Claude to gather and summarize information for me, is that a "bot"? Because I recently hit that wall and it wasn't great. Turns out in our quest to fight "bots" we also force humans to do the manual labor of copy/pasting information.
Why would bots "overwhelm" a site is another discussion — I find it really hard to create a website that would be "overwhelmed" by traffic these days, computers are stupidly fast.
> Why would bots "overwhelm" a site is another discussion — I find it really hard to create a website that would be "overwhelmed" by traffic these days, computers are stupidly fast.
are the cloudflare walls really about reducing load? I thought it's because bots are not profitable. They don't click on ads, don't buy, etc.
PoW challenges that make bots not viable.
You mean a la Anubis? But people also seem unhappy with that; and in any case Anubis is designed to stop ai crawlers; it doesn't work against a targeted crawler or a targeted dos attack.
People are unhappy with Anubis because it's not designed to stop "AI crawlers", despite marketing as such. It's designed to stop DDoS attacks on layer 7. Anyone who pays the computing-fee gets to pass, regardless of species.
But what's the alternative to shops strip-searching you every time you want to buy something? Shops need a way to prevent looters overwhelming them, and there's no perfect way to distinguish real shoppers from looters.
One solution is to leave a deposit worth more than anything you could loot. What that means in the computing world is those silly browser-based crypto-solvers.
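The PoW gate the comments above argue about (Anubis-style "pay a computing fee to pass", and the "deposit worth more than you could loot" framing), as an added example that is not Anubis's code or anything from the thread. The challenge format, the HMAC binding of difficulty and expiry, the constructed client id and the cost model are this example's own assumptions.

```python
"""Added example: a hashcash-style proof-of-work gate, plus the cost
arithmetic that makes it a "deposit". Not Anubis's code; the challenge
format, difficulty rule and cost model are this example's own."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed per-server secret: lets the server verify a challenge it issued
# without keeping per-client state.
SERVER_KEY = os.urandom(32)


def _challenge_bytes(ch: dict) -> bytes:
    """Canonical bytes covered by the challenge MAC (binds bits and expiry)."""
    return f"{ch['client_id']}|{ch['nonce']}|{ch['bits']}|{ch['expires']}".encode()


def issue_challenge(client_id: str, bits: int, ttl_s: int = 60,
                    now: Optional[int] = None) -> dict:
    """Server side: hand the client a nonce and a difficulty, MAC'd so the
    client cannot lower the difficulty or extend the expiry."""
    now = int(time.time()) if now is None else now
    ch = {"client_id": client_id, "nonce": secrets.token_hex(16),
          "bits": bits, "expires": now + ttl_s}
    ch["tag"] = hmac.new(SERVER_KEY, _challenge_bytes(ch), hashlib.sha256).hexdigest()
    return ch


def leading_zero_bits(digest: bytes) -> int:
    """Leading zero bits of a digest (the hashcash difficulty measure)."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def _work_hash(nonce: str, counter: int) -> bytes:
    return hashlib.sha256(f"{nonce}:{counter}".encode()).digest()


def solve(ch: dict) -> int:
    """Client side: brute-force the smallest counter whose hash has enough
    leading zero bits. Expected work: about 2**bits hashes."""
    counter = 0
    while leading_zero_bits(_work_hash(ch["nonce"], counter)) < ch["bits"]:
        counter += 1
    return counter


def verify(ch: dict, counter: int, now: Optional[int] = None) -> bool:
    """Server side: one MAC and one hash, whatever the difficulty was.
    A real deployment would also record used nonces until they expire so a
    solution cannot be replayed inside the TTL (omitted here)."""
    now = int(time.time()) if now is None else now
    tag = hmac.new(SERVER_KEY, _challenge_bytes(ch), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, ch.get("tag", "")):
        return False  # forged or tampered challenge (e.g. bits lowered)
    if now > ch["expires"]:
        return False  # stale solution
    return leading_zero_bits(_work_hash(ch["nonce"], counter)) >= ch["bits"]


def solve_cost_usd(bits: int, requests: int, hashes_per_s: float,
                   usd_per_cpu_hour: float) -> float:
    """Expected spend for a scraper to pass `requests` challenges. Work doubles
    per difficulty bit while verify() stays at one hash; this is the
    "deposit" priced in CPU time. A scraper that just buys more CPU pays
    exactly this bill, which is the whole point of the scheme."""
    seconds = requests * (2 ** bits) / hashes_per_s
    return seconds / 3600 * usd_per_cpu_hour


if __name__ == "__main__":
    ch = issue_challenge("203.0.113.7", bits=16)  # constructed client id
    counter = solve(ch)
    print("solved with counter", counter, "accepted:", verify(ch, counter))
    for bits in (12, 16, 20):
        cost = solve_cost_usd(bits, 1_000_000, 1e6, 0.04)
        print(f"{bits} bits -> about {cost:.2f} USD per million pages")
```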
Reminder that any company which has a legal obligation towards you (GDPR requests, refunds, filing a complaint etc.) can be contacted directly and forced to do it manually if you cannot use their web interface due to being blocked by Cloudflare & other captchas.
Yeah. Webpages now load so slowly just because I have to wait for the captcha.
Do you have an alternate solution? When we hear so many stories from HN'ers of their websites being hammered by out-of-control crawling and fetching and new levels of AI slop spam?
This is something site owners choose to implement or not. They're the ones paying the extra hosting fees to handle potentially unwanted traffic, and dealing with spam that traditional CAPTCHAs are no longer effective against. Google's not forcing this on anyone else.
Investigate the anti-bot sellers.
Huh? Investigate for what?
No surprises here, though of course disappointment when it comes to fruition.
And you must be signed in.
I frequently get flagged as suspicious activity and have to pass a captcha when trying to use the Google verbatim search function on a signed out Firefox browser on android.
I get it all the time on my Mac with Safari using iCloud private relay
> And you must be signed in.
I don't see any mention of that? Google Play services work fine without an account (although if you're the kind of person who doesn't sign in to a Google account on their Android phone, you're probably running a custom ROM or something)
Until now, I have never run "a custom ROM or something", but just the Android that came from the phone vendors and its updates.
Nevertheless, I do not have a Google account and I do not intend to have such an account.
Of course, this means that I cannot install any app from the official Google store, even if it is a free app. The requirement to log in to your Google account should have existed only for payments, not for downloading a free app, but nonetheless Google does not work this way.
I already had problems with a bank that has terminated its Web-based online service, replacing it with an app that they refuse to provide for downloading, so that I could install it without having to open a Google account. Therefore I have also terminated my accounts with that bank.
I hope that this behavior will not spread to all remaining banks that still have Web-based online access.
You could try aurora store with anonymous accounts, though that has the problem that other people may be able to see the apps you install.
Google Play Services is not Google Play Store.
Google Play services is an automatically updated API that Google distributes through the Play Store. It also encompasses some security updates, such as updates to the Bluetooth stack.
You do not need a Google account to update those. In fact, chances are you already got the update weeks ago without noticing.
You can also update pre-installed apps through the Play Store without an account (hold the Google Play icon and select "My apps").
You do not need to install an app. You do not need to make an account. All you need is a QR code scanner and an Android phone that had Google's stuff preinstalled.
I have plenty of issues with the Google Play Store as well, but they don't apply to this topic.
I get this all the time with Brave, and especially in Private Windows. It's the number one reason I don't use Google Search anymore. I've used Brave search for a while, what do you use? Do you have a way to prevent the captchas?
"As part of our mission to enable a safe agentic web" drew an immediate swear from me.
What's happened here is yet another massive negative externality from AI. Because AI is such a fraud enabler, Google are now using that as an opportunity to end the open internet and competition in operating systems.
I'd much rather go the other way and make the AI wear identification. Crack down on both corporate and unlicensed AIs.
Edit: and of course it's also advertising killing the web, because the fraud in question is ad fraud. Need to force it into human eyeballs, not bots.
Yep.
I learned yesterday you can’t sign in to Cursor on Brave Browser. Had to switch to Safari. This is only going to become more and more common.
Wow. So you will need a mobile device in future to browse the web, and Google will use the mobile device identifier to de-anonymize you. And I assume they also carefully designed this to make life a little harder for alternative search engines, their competitors. And probably they will not provide collected user data to competing advertising platforms, to make them less competitive as well.
Also the example is ridiculous, that you need to scan a QR code to place an order. Maybe they should require filing a visa application as well.
I will stop using those websites altogether.
You know, its funny, I don't think I've ever seen captcha on HN once.
You need one to sign up lately I believe. Which is really all it takes if your identity is required for the captcha and gets associated with your account forevermore.
Tell that to the websites that make you complete a captcha on every login.
Well, internet is dead anyway so they can keep the keys to the kingdom. I frankly do not care anymore. The meek shall inherit the Earth
Browser requirements for reCAPTCHA
We support the two most recent major versions of the following:
wait where is Firefox for android?
Of course they release this just as alternative browsers like Ladybird are making great progress…
I can't believe they're promoting the QR code-based challenge as the agentic way of fraud defense. Having non-human-readable data input is dangerous: if somehow the QR code is compromised with a zero-day URL, it's game over.
Note: I know QR codes are ubiquitous these days, but still, blindly scanning a QR code to access a URL is like running a binary downloaded from the internet.
Note2: yes, the `curl $URL | bash` installation approach is essentially just that, yet somehow became popular.
But a QR is a URL. If visiting a certain URL pwns your device, complain to whoever made the device or browser.
Not that I like this thing at all. But using a QR isn’t exactly why it sucks.
It's a URL that you can't read. It's literally exactly what we tell people to not do to be secure. LOOK AT THE FUCKING URL BEFORE YOU VISIT THE SITE.
No, we don't, or shouldn't, ask people to check the URL itself, because homonym attacks are a thing. The goal is to make sure that your credentials can't be compromised by surfing the wrong website (e.g. by using Passkeys instead of passwords).
Whoever told you that is the same person that advocated complex password rules with monthly resets and no repeats.
If you really think that's true, I have some QR codes for you to scan.
Please, share them.
Right! Let me check the URL before clicking the "confirm your account" link!
https://rt434.mjt.lu/lnk/GN2PVLyAIiUHuMqkGcjHkjkcRBtF/zJfB7p...
Oh wait, never mind. I guess I won't be signing up for electricity, then?
Also, the vast majority of people don't know that google.com and loginto-google.com aren't the same website, or that google.com.securesigning.net isn't real Google.
If your device gets busted by opening a URL, without any further confirmation or user interaction, your browser/camera app/third party app is broken.
> Oh wait, never mind. I guess I won't be signing up for electricity, then?
You ~~will~~ should be picking up your phone and calling the electrical company to confirm and to tell them their links are nonsense. Couldn't bother with AI agent on phone, or 60 min waiting queue to a human? Fuck it, don't pay the bill, figure it out later.
This advice sounds like nonsense. CS has neither knowledge of what layers of enterpriseware has wrapped their links, nor the domains that software uses, nor any control over those decisions by software engineering or marketing (or perhaps even more removed, some third-party electricity account management platform that they buy as a service).
You certainly could operate on policies like this, but I think most people prefer to spend their time differently instead of arguing with strangers who don't have any way to solve your problem.
Their customer support people don't know what I mean and they especially don't have any power to change this.
The problem isn't paying the bills (I can't recall the last time I ever needed to do that manually), the problem is that pretty much every service uses trackers and shorteners. The only way to opt out is to opt out of society.
Maybe I should, but this "read the link before you click" advice isn't just geared towards hardcore privacy advocates. It hasn't worked in ages. It also doesn't help that companies like Outlook rewrite links to make them redirect through their malware scanners as well.
What's the point of confirmation or user interaction, when nobody knows how to read a URL, and they just click the goddamn accept button?
The user doesn't need to know the exact URL to confirm an interaction they've just started.
The point of the confirmation is 10% account creation and 90% confirming that the user knows their own email address and can type it in correctly. That's actually more challenging to the wider audience than you might think.
IDK about how you scan them, but when I scan one with my camera, I see the top domain part (e.g. it would show 'ycombinator.com' for a link to this page) and have to tap that to open the link. So, that not only satisfies the "can look at" part, but also neutralizes some of the deceptive URL tricks like the ol' `google.com-secure-signin.php-sfd7sdfj.xyz/login.html`.
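The check a scanner app is doing when it shows only the top-level part of the link, written out as an added example (not code from this thread or from any camera app). It takes the lookalike hostnames quoted earlier in the thread and reports the registrable domain plus a verdict; the public-suffix table is a constructed subset of the Public Suffix List, so a real check would load the full list.

```python
"""Show the registrable domain of a URL before the user follows it.

Added example, not the thread's code or any scanner app's implementation.
PUBLIC_SUFFIXES is a constructed subset of the Public Suffix List.
"""
from __future__ import annotations
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List, enough for the sample URLs.
PUBLIC_SUFFIXES = {"com", "net", "xyz", "lu", "co.uk"}


def hostname_of(url: str) -> str:
    """Lower-cased hostname; accepts bare 'example.com/path' as a camera app shows it."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """eTLD+1, e.g. 'ycombinator.com' for news.ycombinator.com.

    The longest matching public suffix wins, then one more label is kept.
    """
    labels = host.split(".")
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host


def classify(url: str, expected: set[str]) -> tuple[str, str]:
    """Return (registrable domain, verdict) for a URL the user is about to open.

    expected: registrable domains the user actually meant to visit.
    """
    host = hostname_of(url)
    # Non-ASCII or punycode labels need a closer look: homograph territory.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return host, "homograph-suspect"
    rd = registrable_domain(host)
    if rd in expected:
        return rd, "expected"
    # Carries an expected brand name somewhere in the host, but the
    # registrable domain belongs to someone else: the classic lookalike.
    brands = {e.split(".")[0] for e in expected}
    if any(b in host for b in brands):
        return rd, "lookalike"
    return rd, "unknown"


if __name__ == "__main__":
    for sample in (
        "https://news.ycombinator.com/item?id=1",
        "https://loginto-google.com/",
        "https://google.com.securesigning.net/",
        "google.com-secure-signin.php-sfd7sdfj.xyz/login.html",
    ):
        print(sample, "->", classify(sample, {"ycombinator.com", "google.com"}))
```

The point of the verdict split is that only the registrable domain is worth comparing; everything to its left (`google.com.` as a subdomain, `google.com-secure-signin` as a label) is chosen freely by whoever registered the suffix.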
What's to stop malicious actors (bad extensions, compromised CDN, etc.) from painting over the QR code or injecting their own? This is so incredibly terrible.
Doesn't have to even be that advanced, people get conditioned to stuff like reCAPTCHA and friends & Cloudflare's interstitial landing page (when "I'm under attack" mode is on) and they won't bat an eye. That's how we get people piping `curl | bash` into their terminal to "solve" fake challenges.
As a side note though, I recently have tried to turn CSP on a website I run and the amount of garbage I see in the reports is astonishing. There's some noise from things like OpenDNS intercepting YouTube or Social embeds for people using the work-friendly or family-friendly options, but the sheer amount of things attempting to phone home to random URLs and random extension scripts injecting ads into the site would astonish you. My mental model of "toolbar hell" from the Windows XP days being gone has completely shattered.
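A triage pass over CSP violation reports of the kind described above, as an added example (not the commenter's code). It reads reports in the `report-uri` JSON shape, separates browser-extension injections from third-party phone-home attempts and from gaps in your own policy, and counts the external hosts. The sample reports and the first-party host list are constructed.

```python
"""Triage Content-Security-Policy violation reports.

Added example, not code from the thread. SAMPLE_REPORTS and FIRST_PARTY
are constructed; a real deployment reads the report endpoint's log.
"""
from __future__ import annotations
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed: hosts that legitimately belong to the site being protected.
FIRST_PARTY = {"example.org", "cdn.example.org"}

# Schemes browsers use for extension-injected resources. Some browsers
# report only the scheme ("moz-extension"), others the full URL.
EXTENSION_SCHEMES = {"chrome-extension", "moz-extension",
                     "safari-web-extension", "ms-browser-extension"}

# Constructed sample reports, one JSON document per line as posted to report-uri.
SAMPLE_REPORTS = [
    '{"csp-report":{"document-uri":"https://example.org/","violated-directive":"script-src",'
    '"blocked-uri":"chrome-extension://abcdefghijklmnop/inject.js","status-code":200}}',
    '{"csp-report":{"document-uri":"https://example.org/post/1","violated-directive":"script-src",'
    '"blocked-uri":"moz-extension","status-code":200}}',
    '{"csp-report":{"document-uri":"https://example.org/post/1","violated-directive":"img-src",'
    '"blocked-uri":"https://ads.tracker-example.test/pixel.gif"}}',
    '{"csp-report":{"document-uri":"https://example.org/","violated-directive":"script-src",'
    '"blocked-uri":"inline","script-sample":"var x = 1"}}',
    '{"csp-report":{"document-uri":"https://example.org/","violated-directive":"frame-src",'
    '"blocked-uri":"https://cdn.example.org/embed"}}',
    'not json at all',
]


def classify_blocked_uri(blocked: str) -> str:
    """Bucket a blocked-uri value by who is responsible for it."""
    scheme = blocked.split(":", 1)[0]
    if blocked in ("", "inline", "eval", "self") or scheme in ("data", "blob", "about"):
        return "inline-or-self"            # usually a gap in your own policy
    if scheme in EXTENSION_SCHEMES:
        return "browser-extension"         # user-side injection, not your bug
    host = urlsplit(blocked).hostname or ""
    if host in FIRST_PARTY:
        return "first-party-policy-gap"    # your own host, missing from the policy
    return "third-party-phone-home"        # something trying to reach out


def triage(lines: list[str]) -> tuple[Counter, Counter]:
    """Return (counts per bucket, counts per external host)."""
    buckets: Counter = Counter()
    hosts: Counter = Counter()
    for line in lines:
        try:
            rep = json.loads(line)["csp-report"]
        except (ValueError, KeyError, TypeError):
            buckets["unparseable"] += 1    # junk posted to the endpoint
            continue
        blocked = rep.get("blocked-uri", "")
        kind = classify_blocked_uri(blocked)
        buckets[kind] += 1
        if kind == "third-party-phone-home":
            hosts[urlsplit(blocked).hostname or blocked] += 1
    return buckets, hosts


if __name__ == "__main__":
    buckets, hosts = triage(SAMPLE_REPORTS)
    print(dict(buckets))
    print(hosts.most_common())
```

The split matters when reading the noise: extension hits say nothing about your site, first-party hits mean the policy is too tight, and only the third-party bucket is worth alerting on.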
2020s will be remembered as the decade when companies stopped behaving in a trustworthy way, and normalized scanning random QR codes, downloading random apps, uploading photos of your face or documents, all as strange convoluted "verification" procedures. Scammers will love this
Companies were doing this all along. The 2020s will be remembered as the decade when we realized, too late, that the world began ending in the 2010s.
Unregulated greed doesn't care if every user gets robbed and their identity stolen.
As expected, they're bringing WEI back under a different name: https://en.wikipedia.org/wiki/Web_Environment_Integrity
The fact that mobile devices are now mandatory to prove "humanness" means that Google no longer trusts desktop/open platforms anymore.
Where is this specified? I don't see that in TFA.
I think they are jumping ahead but it does seem like a logical conclusion. Would tie in nicely with the online ID verification stuff popping up everywhere.
The example they give in TFA is having the user scan a QR code, presumably from a mobile device.
But that's not a specification
Does anybody trust it? MacOS seems to be the only desktop platform I see be trusted.
I'm in the community reverse engineering web CAPTCHAs; it's because they are too easy to reverse engineer with Claude now.
I've seen multiple people break botguard (the obfuscation used by reCAPTCHA) within the last year, when before it was considered a huge technical endeavour.
Devices like phones don't have this issue since Google owns the client attestation end to end and can fingerprint you without the risk of receiving spoofed values.
I think the pathetic thing about this is that it’s so much less intuitive than stuff like cloudflare and Anubis.
Google, a multi-billion dollar company, is going to make the customers of their corporate clients pull out a phone and do some bullshit just to visit a website.
Meanwhile, when Cloudflare/Anubis verifies you there’s zero required interaction and you barely even see the anime character because it all loads so fast. At most Cloudflare makes you check a box.
Any company that requires me to scan a QR code to make a purchase is losing my purchase.
Many sit-in restaurants enforce QR code ordering. Started during covid, but keeps happening, especially outside the US in my experience.
They don’t enforce in my experience. Just don’t bring a phone and they will bring you a paper menu.
Or if you want to play a bit, have a browser with some extension that breaks websites and show them "it doesn't work on my phone". Pranks aside, in my experience I always got a paper menu when I asked for it.
You would not last long in China ;)
(you pay by scanning QR code in .. well, everywhere)
They don't like contactless technology or what? I don't think that scanning a QR code is significantly more involved but it's enough to be annoying
It's all WeChat Pay (or AliPay).
Lots of phones don't have NFC. All phones have cameras.
I think partly because Google and Apple controlled the contactless bits of the phones for many years, the non-OS-makers like WeChat and AliPay made use of the open technology of QR codes. I think theoretically you could build equivalent things as they have with NFC today on those platforms but on the other hand being able to set up a “POS” with nothing more than a printer does have an appeal to it, even if writable nfc stickers cost 5 cents you still have to go buy some.
In Russia they tried to use bluetooth after being sanctioned from using NFC.
I think there is also something about how easy it is for a business to adopt a QR code by just needing to print one out instead of having to go out and buy a whole payment terminal.
QR payments in china was already prevasive before contactless payments became prevasive in the west. And as others say: not all phones supported nfc at the time. Remember iBeacons on iP5? Wechat and Alipay was already everywhere by then
Only because you typo'd twice: it's "pervasive".
Having been there recently, it's about as annoying as taking out your phone to pay for something. Some systems also support NFC now, though the most common is still QR. Also helps that their QR scanning tech/transaction processing is really fast, many transactions were as fast or even faster than me scanning with a card from my experience.
(Also if you want to talk annoying payments don't get me started on how insane it is that the US still requires me to hand over a physical card at most restaurants to take over to their register... sorry I just can't help but get annoyed by this lol)
Thankfully I don't live in China. Unfortunately the totalitarian government is a larger concern than the QR codes.
Which one?
lol how edgy of you
Adding friends, shopping, logging in on PC, binding accounts for after-the-fact SSO, etc..
This is all done with QR codes here.
Also in adjacent countries like Vietnam etc., where even ragtag street food vendors have a QR code sticker on their stall/cart.
It's so common that people pay without even talking or confirming; I've seen customers just take their phone out, point at the QR, and walk away, and the shopkeeper says nothing. I'm assuming the shopkeeper gets a notification on their phone and trusts regular customers, but how easy would it be to secretly place your own bank account's QR code on top of a shop's QR? People who wait for a confirmation notification will catch it immediately, but by then the customer has already paid the attacker and the transaction can't just be reversed. Repeat it in several places, and a thief could snatch quite a few payments before the parasite stickers are all taken down.
It's coming.
The Poshmark morons demanded government id to buy a $35 shirt. On an established account, an address that matched my credit card, etc.
The only answer is delete your account.
Why the hell would they care who is buying it? They're getting paid either way.
The only reason they'd care is because they want to sell your personal information.
That is an incredibly long bow to draw from someone that obviously doesn’t know what they’re talking about and is willing to make massive jumps to conclusions. Do you know how ecommerce works? I agree that it is a bit absurd, but not nearly as absurd as your claim of “the only reason”.
People on this site don't really think deeply about what they type. They just say whatever is the most cynical in order to farm up votes
Where are those ‘mark of the beast’ cranks when you need them?
A few millennia too late for that: the “mark of the beast” is just money — “so that no one could buy or sell unless he had the mark”. How does one buy or sell without money? Otherwise we would call it bartering.
Some currencies are even literally called Marks lol https://en.wikipedia.org/wiki/Mark_(currency)
Scanning QR in your bank app for payment is near universal in Europe. In fact, it is considered very annoying if a site does not provide the option.
Looks similar but is a different thing entirely. That is for allowing someone to take money from your account.
Because the concept of credit/debit cards is batshit insane that only serves to finance organized crime.
I live in France and no such payment system ever took off.
We just pay with a standard credit card.
Standard card payment that you need to authorize on your phone in your bank's app...
That's 2FA though, not a QR code payment.
I’m European, never encountered the system you describe.
What is it and why does it exist? Apple Pay has been widely available since 2016. Why would anyone want to use some clunky QR-code thing instead?
QR codes are used in direct account-to-account transactions. They encode all the data like the IBAN-based account number, bank code, requested sum etc. that you may find on invoices, in a way that's much more convenient than typing it in by hand.
Apple Pay meanwhile uses your credit/debit card to perform the transaction, the other party needs a terminal or payment gateway and is required to pay fees to Visa or MasterCard.
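What one of these account-to-account payloads looks like once decoded, and the check a payment app should make before the user confirms, as an added example (not the commenter's code and not any bank app's). It assumes the SEPA "EPC QR code" layout (one field per line: BCD, version, charset, SCT, BIC, payee name, IBAN, amount, purpose, structured reference, free text), which is only one of the incompatible formats this thread mentions. The two payloads and the trusted-payee table are constructed; the second payload models the sticker-over-the-shop's-code scenario raised earlier in the thread, and it is caught because the decoded IBAN is not the shop's.

```python
"""Decode a SEPA credit-transfer QR payload and check the payee before paying.

Added example, not the thread's code or any bank app's. Assumes the EPC QR
layout described in the lead-in. Payloads and TRUSTED_PAYEES are constructed.
"""
from __future__ import annotations
from decimal import Decimal

# Constructed: what the shop's own printed code contains. BIC is left empty,
# which version 002 of the format allows.
SHOP_QR = "BCD\n002\n1\nSCT\n\nCorner Shop\nDE89370400440532013000\nEUR12.50\n\n\nTable 4\n"
# Constructed: a sticker pasted over it, same name and amount, different account.
STICKER_QR = "BCD\n002\n1\nSCT\n\nCorner Shop\nGB82WEST12345698765432\nEUR12.50\n\n\nTable 4\n"
# Constructed: merchant accounts the app (or the customer) already knows.
TRUSTED_PAYEES = {"DE89370400440532013000": "Corner Shop"}


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check.

    Move the first four characters to the end, replace each letter by 10..35,
    and the resulting integer must leave remainder 1 when divided by 97.
    """
    iban = iban.replace(" ", "").upper()
    if not 15 <= len(iban) <= 34 or not iban.isalnum() or not iban.isascii():
        return False
    rearranged = iban[4:] + iban[:4]
    as_digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(as_digits) % 97 == 1


def parse_epc_qr(payload: str) -> dict:
    """Split the payload into the fields a user needs to see."""
    fields = payload.split("\n")
    if len(fields) < 8 or fields[0] != "BCD" or fields[3] != "SCT":
        raise ValueError("not an EPC credit-transfer QR payload")
    amount = fields[7]
    return {
        "bic": fields[4],
        "name": fields[5],
        "iban": fields[6].replace(" ", "").upper(),
        "amount": Decimal(amount[3:]) if amount.startswith("EUR") else None,
        "text": fields[10] if len(fields) > 10 else "",
    }


def check_payee(payload: str, trusted: dict[str, str]) -> tuple[str, str]:
    """Return (verdict, the line the app should display before confirmation)."""
    p = parse_epc_qr(payload)
    shown = f"Pay {p['amount']} EUR to {p['name']} ({p['iban']})"
    if not iban_is_valid(p["iban"]):
        return "invalid-iban", shown
    known = trusted.get(p["iban"])
    if known is None:
        # Checksum is fine, so the account exists somewhere; it just is not
        # the one we expected. This is the swapped-sticker case.
        return "unknown-payee", shown
    if known != p["name"]:
        return "name-mismatch", shown
    return "ok", shown


if __name__ == "__main__":
    for label, qr in (("shop", SHOP_QR), ("sticker", STICKER_QR)):
        verdict, shown = check_payee(qr, TRUSTED_PAYEES)
        print(f"{label}: {verdict} -> {shown}")
```

For a first-time customer there is no trusted table, which is why the displayed line (payee name and IBAN) is the real control: the checksum only proves the account number is well formed, not that it belongs to the shop.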
For better or worse there's no such thing as "Europe" despite the wish of many on HN.
Such a system exists in, for example, Switzerland. Actually there are two such systems that aren't compatible. There are QR code invoices for domestic payments, where the code includes the target bank account details, amount to pay, transaction details etc. That's scanned by your bank app, direct p2p payment. And there is Twint, which is a domestic consumer payments app. The QR codes often contain short one time use codes that are looked up server side.
Why do people use them: because it's easy and the fees are low. Banks give you QR code invoices even for small businesses for free. Twint is a bit like Venmo, you can send to numbers in your address book for free, and for businesses they can do website integrations easily and even print out static QR codes to stick on market stalls etc.
Twint isn't as fast, convenient or reliable as NFC card payments so the card/tech companies still have an advantage. But it's been getting better. Maybe at some point the NFC elements in the card tech will become flexible enough to allow arbitrary mobile apps to be as good as tap-to-pay.
It is far from being universal. And the more annoying part of that is that there are at least 4 incompatible "standards" as to the format of the QR code.
Europe has very diverse payment systems, you shouldn't be making generalized statements like this.
To which small subset of Europe are you actually referring?
reCAPTCHA is already so hard that I often can't solve the visual challenges, and Google has been blocking the audio challenges on VPNs (that is horrible for blind people) and also now the audio challenges are super hard.
Google Gemini can solve them and I don't think that it will take long for lower power AI systems to be able to solve them.
I will be unable to solve the phone verification because I use LineageOS for microG, but any fraudster can just buy a bunch of $30 android phones. Many people have trouble using a smartphone, so they use dumbphones, but they will be locked out. Many people just don't have any mobile phone because they don't think that it is useful.
I think you're spot on. This will block and inconvenience legitimate users while fraudsters have no problem buying more phones.
Not a useful direction for real end users.
I doubt they care much about fraud tho, they just care about advertising revenue and bots, people building scams and putting ads on them still produce genuine clicks.
The GitHub one I recently tripped on was the worst of all time. Part one of 9 or something, which of these three next sounds are bees? Or some small man rotating around spaces on a map. I have an eInk screen and it was nearly impossible to see. Extremely painful and ridiculous.
Often illegitimate users don't even have to solve the captcha because whenever one shows up they can just trash the session and start over fresh. As long as they get to the desired result often enough they're golden. Not so for real users who only have one account on one or at most a handful of browsers.
Like many, I've already trained myself to commit to giving up immediately after the second bus or traffic light or puzzle (some of which I don't even understand anymore). Sounds like my life will not be all that different.
Worst case scenario, if this neuters my sovereign and all powerful linux desktop from some critical business I can't avoid (which remains to be seen), it sounds like I will have to have some scripts and a dummy android phone in my home lab as a sort of second router.
Kinda off topic question to google - when I do this labour of tagging your data so you let me use the internet - should I click on every box that has parts of the bus? Even if it's like one pixel?
Follow up question - why ask people to work when you can just say "pay 1 shmeckel to view this content" and then use this money to pay for data taggers?
Thank you for letting me use your internet!
Recaptcha contains a whole maximally obfuscated virtual machine with its own bytecode language. It measures your mouse movement, clicks, timing, cadence, hesitation, consistency, tile clicking order, etc.
Ambiguous tiles are deliberately placed because the behavior they elicit from humans can be used to discern them from bots.
Yes, the "correct" reaction to the ambiguous tiles is to hover a bit indecisively. You need to waste a certain minimum amount of time on the CAPTCHA. I've found that applying videogame reflexes and zapping all the tiles in a short period of time is a fail, even if they're the correct tiles.
I think it depends on how much it trusts your ip address / user agent. I used to use an extension, nopecha, that would just use ocr and then select all the matching boxes, and it never seemed to get flagged; but I have a lot more trouble on a vpn ip like proton. These days I use buster to solve captchas and it works enough of the time that I don't have to fight with captchas.
Is buster a browser extension?
Yes: https://github.com/dessant/buster
My office uses Zscaler, which most sites (especially Cloudflare ones) perceive as an "open proxy". The IP that Z's datacenter uses resolves to some place in Chicago. Some days, no amount of clicking on boxes works for their algorithm.
There's no specific "right" answer on the boxes. Like another post said they're looking at god-knows-what to decide whether or not to let you load the website.
Years ago I started to deliberately pick one or two wrong answers, or just not take the time to really look at them, and it made no discernible difference on how often I pass.
I was pissed off at the same thing today.
I tried ticking every part - not working. Then I tried just the core. Not working. It took me 5 captchas until I got to one that had different images.
Terrible experience. Most of the time I just close the site now as I can't be arsed.
I try to keep my phone away from my computer during work to get rid of distractions. OTPs can be done with YubiKeys & co., but more and more web services requiring a phone is a step in the wrong direction. Especially since Google is using so much tracking that they can merge tracking data from phone and desktop together.
>more and more web services requiring a phone is a step in the wrong direction
Absolutely. My bank began requiring a text-to-login, so I just stopped logging in. A branch location is walking distance from my house, so I bother them all the time with simple account information requests (and state every time "when can I use a Yubikey instead of phone for login?").
I legitimately have never scanned a QR code, have never Zoomed, don't even own a phone anymore, and stopped using email many years ago.
Really hoping Yubikey becomes widely accepted at US banks/CUs, soon.
Good on you
Curious about email though - do you mean you don't use it for signups/logins etc or you don't use it in any capacity? You send a lot of letters I guess?
Sounds like one of those things which sounds impossible to give up but it isn't really
>don't use it in any capacity?
Nope.
>You send a lot of letters I guess?
[checks own profile] mostly, typewritten.
----
My stockbroker hates my chosen distance. So does my lawyer. So does most family. For most, letters suffice.
In my neighborhood I am well respected and known. Everybody else can come visit... or else fuck off.
----
There should be an email/phone platform where you have to pay to contact — and then the receiver can choose to refund payment, if desired.
----
>sounds impossible to give up but it isn't really
I am among the free-est persons I know. Definitely the luckiest. Requires a huge amount of sacrifice and disconnection, but I am rewarded immensely with both.
Love it. You go man. You and I would get on LOL
Not really related, but annoying primitive banking authentication flows are why I am bullish on stablecoins. I don't need a bank; I'd rather have an open protocol where everybody can design the software and open up competition for wallet implementations.
I've used Bitcoin since 2012 & Monero since 2015.
Bank eradication couldn't come soon enough, IMHO.
>>GENESIS>BLOCK>> "Chancellors on the brink of destruction"...
They think that AI creates conditions that will force humans to use their real IDs. Instead, it will create conditions that people will go offline.
I hear many more complaints about surveillance and tracking from Gen-Z than from Millennials. People are waking up.
Google already requires you to have a smartphone to create an account, because they want you to scan a QR code even when creating the account on a PC. It will get worse.
The solution is not to use YouTube but Rumble instead.
| it will create conditions that people will go offline
| People are waking up
I really hope you're right.
I would really like to see a renaissance of in-person activities. I think a big hurdle to this though is the lack of a 3rd place for communities to exist. Parks are nice in the summer but less ideal in the winter (and not available in all neighborhoods). Town squares are also more hostile to "loiterers" (no data to back this, just feelings).
Overall I think if we want to see a resurgence of IRL, we need the social support of our governing bodies which imo is a large hill to climb.
Captcha suggestion: force users to write something offensive/vulgar (we have a few "banned words"). Or to take a stance in Israel/Palestine.
Whatever the response is, it'll unlikely be from an LLM.
But to use vulgar words an age attestation must be passed first! /s
This is such a flawed view of LLMs. Sure it may block out frontier models but every local abliterated (and some non) will just say whatever you want.
Takes about 450ms on my machine:
And another:
And to bring it home:
That's the tiny Gemma3 model, there are uncensored models that are much more complex. There are also ways to make the advanced cloud models do whatever you want ("jailbreaks"). Or just use Grok.
Yeah people don’t get that abliteration is done on the open weights models and you have a fully uncensored model.
The QR code feature looks like it could be spoofed to become a Pegasus deployment method once people get used to them.
Overall it’s a reason to sigh deeply and thank our fellow “visionary leaders” for making everything that little bit worse. At least we’re getting an AI paradise out of the deal right?
Right?
It's not really about leaders, but people who are supposed to ensure they are not corrupt.
It seems like security services in many countries started outright to scam the tax payers. Get the wage and pretend brown envelopes don't change hands and policies are not shaped by corporations for their benefit, not the public.
Scan QR code -- you don't have our "captcha app" installed, automatically redirect to Play store -- download malware because Google Play's horrible screening -- profit
I must not be the first one to think of this, right?
Right???
Yeah, idiots would fall for it.
Both (Google/Apple) need a much higher level of certification for anything to be allowed to be prompted to install. Either you're already big (and can easily afford to pay for some human time to verify), or you're a manufacturer selling something that has an associated app (again, which implies you're reasonably big and can afford to pay for verification.)
You're neither? Get lost. Somebody types in the name of the app, fine, but the user must find it.
People already complain about the level of control Apple has over apps and you want there to be much more control? That’s never going to happen.
Hey at least in September they're going to stop you from installing F-Droid. For your safety, citizen!
Does it hurt Google if that happens? No, not really, unless it happens a lot and one of the victims happens to be a US senator or something. The value of the control this gives them, if adopted widely, is immeasurable, not to mention the ad-targeting value of identifying more people across devices.
Serious question: what if you don’t have a (smart)phone?
Go fuck yourself?
I mean, that seems to be the general societal attitude.
And you'll need to buy new ones because many things are app only, or are migrating that way (including being able to travel to certain countries)
That means you're a peasant, and don't matter. Don't worry, they'll work with telecoms and carriers to ensure devices matching your budget are subsidized and made available at every possible opportunity.
I expected mostly snark from my earnest question, and got it.
Ok, concrete scenario. What about homeless people using the computer at the library? I'm pretty sure Google wouldn't intentionally cut marginalized people like this off from the entire internet, would they?
Please don’t respond with sarcasm.
US govt used to have a program to sponsor mobile phones for homeless. Is that still around or did DOGE kill it?
(edit) It seems to still exist: https://www.fcc.gov/general/lifeline-program-low-income-cons...
Well, it depends on the application and context. I don't think a homeless person at the library is going to be booking a $1000-a-night room in downtown Los Angeles.
However, services that homeless people will be using should factor in their target audience (such as the homeless not having a phone at all, or maybe not one that's up to date even).
However, like it or not, having a modern up to date device is becoming essential for even rudimentary basic access to society. Whether that's right or wrong it's where we are.
> I'm pretty sure Google wouldn't intentionally cut marginalized people like this off from the entire internet, would they?
Why wouldn't they? Google is notorious for making marginalized people's lives harder if it can make them money. Some examples:
- Hosting Palantir's ImmigrationOS, used by ICE to track immigrants
- Actively removing tools marginalized people use to protect themselves against ICE, such as ICE-tracking apps on the play store
- Intentionally aided Israel in committing genocide as part of Project Nimbus
- LGBTQ creator censorship on YouTube
Cutting off a small group of people they've repeatedly shown not to care about in the first place is a small price to pay to further cement their position as gatekeeper of the internet.
Illegal immigrants =/= marginalized people
No person is illegal
"person is immigrating illegally" not "illegal person is immigrating"
You might want to campaign to get rid of the entire concept of citizenship then. Until you manage to get people onboard with that, the lawful thing to do is to support legal enforcement of the laws on the book, which most people also agree with in this case.
> I'm pretty sure Google wouldn't intentionally cut marginalized people like this off from the entire internet, would they? Please don't respond with sarcasm.
Honestly, if you ask such terminally naive questions don't be surprised to get sarcasm in reply. Google does cut off access to chunks of people if it deems it profitable to do so!
It doesn't matter how "naive" you think a question is. Nobody here deserves sarcastic remarks in response to a good-faith question.
Literally the first guideline under "In Comments" is:
> Be kind. *Don't be snarky.*
https://news.ycombinator.com/newsguidelines.html
Oh please. It wasn't even that snarky. It's also still a valid and correct (as far as anyone can tell) answer to the question.
Rhetoric ≠ snark
> I'm pretty sure Google wouldn't intentionally cut marginalized people like this off from the entire internet, would they?
Sure they would. Cloudflare has already arbitrarily blocked entire swathes of the internet. Captcha as well. Your average user ends up going to the path of least resistance, and end up with a compliant ISP or carrier that's doing all sorts of censorship and gatekeeping and siloing and funneling.
And if they did get noticed, they'd whip up some sort of program through their cronies like the Obama phone, and get subsidized service to some token groups, heavily favoring political funneling and defaults supporting whatever party won the grift for that particular round of conspicuous do-gooding.
It's bad, man. For technically savvy people, they can get around things, switch up DNS, muck with vpns, etc. Normal folks are kept firmly within the walled gardens.
Then there's the information silos, platforms, and psychological shit they use. People don't have a chance in hell of getting a free and open link to the internet, what they see is tied to their identity, tied to their service provider, tied to their geographic location, and it's all done seamlessly in the background so they never even notice what they're missing, by design.
It wasn't snark. It's the awful, honest truth, and I have things to suggest involving wire brushes for anyone at Google or any other company involved in this shit.
We need a digital bill of rights, outlawing commercial trafficking in user data, mandatory ephemerality, and penalties involving prison time for CEOs and fines that are rapidly and unavoidably fatal even for companies like Alphabet or Amazon if they screw up even a little bit. Otherwise, this whole pretense at a free and open internet is just a convenient talking point and marketing schlock.
They just didn’t want a Temu Cory Doctorow answer.
GitHub allegedly blocks most of Brazil because most of Brazil is on CGNAT. Do you think GitHub cares? No, of course not lol.
Google would throw homeless people in a furnace to generate electricity for their datacentres if they could. No, this is not sarcasm, I fully expect they would if they could.
>Google wouldn’t intentionally cut marginalized people like this off from the entire internet, would they?
Followed by
>Please don’t respond with sarcasm.
Is my kind of humor. Just because they follow ESG scoring doesn't mean they actually care, if anything it means they very much don't.
They're already trying their best to marginalize non-Chrome, non-residential-IP, non-logged-in users, not to mention their decade-long Silicon Valley political purity targeting.
It's unpleasant to face, but this initiative from Google is a concrete example that the homeless/too-poor-for-phone do not matter. I've heard of cases where university library apps/admin systems required a phone, and for those cases you could borrow a phone from a "device library" on campus. But, obviously, there's nothing like this for the homeless guy being blocked by Google...
I shuddered when I realized that Google would require (smart)phones for recaptcha.
I say this because I used to have a dumb-phone for a year and more and I only stopped using it when it broke (its battery fried; it's replaceable but I can't find a battery its size). No smart-phone, period (I am a teen so I can afford to do that).
Recently, I wanted to make a Google account, and guess what, I literally couldn't make a Google account without having a (smart)phone. Google's new feature for making a Google account also requires you to QR-code your way in, similar to this reCAPTCHA.
I tried to somehow find ways to have a phone number OTP but even when I finally managed to do that after so much PITA, I didn't get the OTP (at all).
I am pretty sure that my phone number works as I got another OTP from google when I had finally given in and used an android device to make an account and even then, there is so much friction.
Even though I have verified my phone number on google, I had to verify the phone number on youtube again to upload a video >15 minutes iirc and yknow I tried to add my number and it didn't send my OTP. So I tried again, and it said that I had tried too much, yes their rate limit of too much is 1
I was sharing all of this with some of my online friends with screenshots. I probably wished to write a blogpost about it that you can't use google without having an (smart)phone.
and now, you are telling me, that Google is gonna force me/us the same but for viewing the open internet, the content and websites that they don't even control. There was one thing about google doing this BS in their own websites because I thought that although really sh.tty, but they don't care about me enough to want me as a user so fine (it wasn't but still)
But this just takes it to an extremely completely next level. I can't stress how bad this all is.
Even after all of the previous things, I still was like, well this problem of google account can still be fixed/isn't thaaat large more than its annoying/frustrating and Google as a company is still mostly fine as compared to other tech giants except from their locking down android thing but this all changed with this move.
With age verification, locking down android, requiring android, recent Utah/UK laws which somehow threaten websites. Internet is turning into Dystopia. We are gonna slowly move towards a allowlist internet where only select few websites are used. For a large swath of the population this is already the case so the voices protesting are quite few but we must do what we can to protest them all from killing the internet. Sorry this got long but I can't stress how bad of a move this is as someone who used to use dumbphone, Google is basically saying that I can't use the internet if I have a dumb-phone.
If you make a blog post, make sure to also comment on how the audio reCAPTCHAs are nearly impossible and are blocked on public VPNs. The visual reCAPTCHAS have vauge instructions (they say “Select all squares with busses.” when they mean “Select all squares that have a bus or part of a bus and do not select any other squares.”. For 2 years I could not figure that out so I had to use the audio captchas but then Google blocked them on public VPNs and also made them almost impossible. I could only figure that out when Google Gemini clarified it for me.
Then you have already have not been very present in the analytical data that these business decisions are based on.
I’m trying to use my phone less and less. Ideally I’d like to even switch a dumb phone.
But tactics like this will make that nearly impossible if every website starts requiring a QR code scan on a authorized smartphone.
Which means, it's urgent that more and more people realize there are alternative to the everything-on-the-phone situation they live in. And that owning one is not mandatory and should not be (by the way, politicians should also wake up).
Tactics like this will make me get a dumb phone and stop using those websites. If that means no more credit cards, online shopping, etc so be it. You have to draw the line somewhere.
“if every website” is doing a lot of heavy lifting.
What funny timing: After being hounded with CAPTCHAs every time I tried to search from the URL bar for the past week, not two hours ago I switched everything over to DDG. Great work, Google!
I thought it was just happening to me. I tried to watch my computer's network activity to see if anyone had hijacked my IP. I closed Gmail and YouTube tabs because I find that they are the ones which ping the outside world a lot more than other tabs I have open. I even restarted my modem two times. Didn't work.
So I decided to...use Firefox a lot more with DDG (I use FF for mostly privacy-sensitive stuff like checking my financial accounts, but now I use it for a lot more browsing stuff).
Seems like it is the Chrome browser over-reacting.
This is just Google competing with Cloudflare in laying the foundation for erecting their toll booths on the internet.
Google clearly wants only Google approved models to traverse the web.
They only want dumb humans doing the shopping, not some hyper-focused bot that won't add any extra items into the shopping cart.
I'm not doing this unless it's something essential. I already don't bother with the Cloudflare ones half the time and just close the page.
I will STRONGLY consider not using any site that tries to make me do this.
Sites that use this crap will never see me again.
Hmm, that QR code workflow doesn't look very accessible. Can we preemptively ADA this thing out of existence somehow?
Probably, but then sites that do not work on a screen reader should be ADA killable too… yet no one has tried this.
Is this why google was repeatedly telling me I was displaying patterns of being a bot yesterday because I click too fast? I've never gotten the error message as many times as I did yesterday.
This is three steps back, one step forward kind of an approach imho.
Easy for everyday users to deal with, and effective for verifying humans vs bots.
But holy hell, if your phone is a requirement to access sites and you have to go through the security theater like a work device, and setting this behavior as a default assumption to have? Ugh. The privacy and security implications of this are quite ugly to think about too, now that Google can link your devices to a stronger degree with this approach.
I think it’s becoming hard to ignore that the Internet has fundamental flaws from a game theoretical view. I hope that we can skip the step of having Google as the feudal lord who saves us from anarchy though.
How about we start with some accountability for entities that host fraud? The main reason we can have relative anonymity in public is part trust and partially because you can get physically taken out if you cross the line. I understand there are some real limitations with enforcing accountability on the Internet, but perhaps that’s where we should be focusing.
> I hope that we can skip the step of having Google as the feudal lord who saves us from anarchy though.
It's clear IMO that this is the plan.
The Google/Meta/Cloudflare axis on the Web is just part of it. Everyone with a nontrivial stake in a major corporation wants techno-feudalism. Every industry is heavily consolidated and is trying to consolidate even more. Lord-and-serf type of arrangements are so prevalent throughout history because they're maximally profitable for the lord and hard to break out of for the serfs.
Prime "drink verification can" bullshit. If you don't have a Google Approved Phone, the solution is to go fuck yourself. But what else would you expect from modern day and age Google?
Traditional CAPTCHA was heading for the graveyard for a while now, because the overlap between the dumbest of users and the smartest of AIs is too severe. But aggressively doubling down on the user-hostile garbage isn't the solution.
Good thing most websites already moved away from Google's recaptcha.
Why can't an AI scan the QR code? Just fire up an emulator if necessary
The app that scans the code talks to the TPM in your phone to prove that your phone is running an unmodified Google OS.
I know that's the final destination, but I didn't see that listed in the requirements page linked above. Any proof of this affecting the current implementation?
Which would be meaningful if phones weren't remotely controllable.
So the net effect is every AI agent will also have and connect to a physical phone.
The attestation will include a unique ID of the phone, so that if you get banned you have to keep buying new phones and keep paying money to Google. Google won't stop this because it makes them money.
And the official Google OS just won't feature remote-control software.
There's also remote control hardware (a printer-like device can operate a touchscreen). But the first point stands, yes. Be it a phone or another hardware attestation device, they and Apple will be giving "I am human, let me participate in society" checkmarks out, directly or indirectly for money
Or keep stealing IMEI IDs. Now regular people will start getting banned from the internet because of bot activity. You would open your phone one day and see "You have been disconnected from society" and there will be nothing you can do.
It will be cryptographically secure, but you can still pass the captcha code onto a different user so their phone gets banned instead.
... which is why you'll get locked out if you happen to visit an unusual number of sites in a day.
One can expect it will be tied to a government ID, at which point they ban you from the internet if you disobey them.
So openclaw or whatever future software will run or control unmodified google os devices.
Bluetooth is generally used to prove that the two devices are co-located, which makes it more complex to do your proposed kind of deployment at-scale. Bespoke solutions could perhaps work around for some smaller number of devices, this QR code layer by itself isn't intended to stop 100% of workarounds.
No browser supports Bluetooth.
Chrome does...
Interestingly, only on desktop/Android and not iOS it seems.
Chrome on iOS uses WebKit, so that makes sense.
(*I think in the EU, iOS Chrome can use Blink, but I am not sure if it actually does.)
That's news to me https://developer.mozilla.org/en-US/docs/Web/API/Web_Bluetoo...
Websites cannot use Bluetooth anywhere. The QR codes shown in the blog post are not passkey QR codes, which is likely what's confusing you.
These passkey QR codes don't need to use Web Bluetooth API, because they utilize the WebAuthn API. The website itself isn't given access to the bluetooth, the task is handed off to the browser, which as a native application, can access bluetooth and abstracts the bluetooth away.
That's passkey QR codes generated by the browser, it has nothing to do with random QR codes offered by websites.
Is the QR code check mandatory and if not, is it the default?
The bulletpoint as-is just says:
> AI-resistant challenge: As we identify potentially fraudulent behavior from agents, we enable application providers to deter and mitigate malicious requests by requesting humans to be in the loop using the new QR code-based challenge. This AI-resistant mitigation challenge to prove human presence is designed to make automated fraud economically unviable.
Followed by
> Existing reCAPTCHA customers are automatically Fraud Defense customers, with no migration required, no action needed, and no change to pricing. Your existing site keys and integrations remain exactly as they are today.
It is probably me being a literal reader, but "we enable application providers to deter and mitigate malicious requests by requesting humans to be in the loop" feels like it can be read as "Good news: by using reCAPTCHA, we're now interfering with agents that can solve the regular challenges" or "there's now a flag the application developer can set". This is the difference between me swapping off reCAPTCHA ASAP or just editing my configuration. I have to imagine someone somewhere anticipated the kind of reactions a number of us are collectively feeling (I too don't want to use my phone to browse the web more than I already do), and it feels irresponsible to publish a feature announcement without covering basic information like this for site administrators. Maybe they thought the second line about existing reCAPTCHA customers being moved over clears this up, but "Your existing ... integrations remain exactly as they are today" feels like, again, literally, you won't have this new attestation requirement being presented to your users... but then why am I a Fraud Defense customer!
Protect against bots by shifting the blame and work onto humans? Did they get that idea from Gemini?
google and cloudflare are becoming the master gatekeepers.
with cloudflare, I cannot use my old browser, I cannot browse many sites without javascript or cookies.
recaptcha? that prevents me from doing business with many sites, let alone browse.
This kind of reminds me of those malicious captchas that get you to paste some command into cmd.exe. These kinds of captchas will make this situation worse; I could also see some malicious site having a QR code that will download some virus to your phone. QR code captchas are a really bad idea in my opinion.
The constant arms race between bot detection and accessibility is exhausting. I hope this doesn't heavily penalize legitimate users on VPNs.
It will and nobody at Google will care because they don't make money by caring about each individual user.
I can't wait to give Google more data about my browsing habits! Seriously, this is insane and everyone who supports this lost the plot.
how to cut your conversion rate by half in 3 simple steps
I live in a small European country. It's not a shithole, but not on everyone's radar either (we got Google Pay just 3 years ago) and I tried to create a new Google account recently.
It asked me to scan the QR code for verification and I'm guessing it tied that account to my device ID because it opened the Google app and added that new account to my device without my approval.
As a fallback (i.e. no attestation or play services), QR code will send SMS to some short code. Well, it turns out that for my country of a few million people, that number simply does not work on 3/3 mobile providers.
I guess Google just doesn't care anymore if it blocks access to their services (or, in the OP's case, to all services that use their services) for millions of people if they don't fit a particular profile, have a particular device, and agree to have all their internet browsing tied to a static ID that Google controls.
How will this work for iPhone? Doesn't Apple restrict such behavior?
I was contemplating building a "Scan this QR to verify you're human" for April fools, but then got busy with other things. Wild to see this being built as part of Google reCAPTCHA. I guess we should at least be thankful that we don't have to get our retinas scanned!
As someone who is working in incident response and malware analysis, I have to say that this is one of the worst ideas I have ever seen.
A lot of companies have issues with ClickFix [1] and other social engineering campaigns and now Google wants to teach users that they should scan QR codes to proceed on a website.
How should we realistically teach Susan from HR the difference between a real Google Captcha QR code and a malicious phishing QR code - you (realistically) can't. I wish we could - but those people don't work in tech, they will never know and I can't really blame them because at the end of the day they are just happy that they don't have to deal with tech after work.
We have spent years of behavioural conditioning to prevent QR-code based phishing attacks (some people call it Quishing but I hate that term) and since the QR code is being scanned from a mobile device (99.99% of the time the private device), we have no EDR visibility on those devices and can't track what's happening if people scan it.
This is more of an invitation for threat actors than it is something that holds them back.
[1] https://www.kaspersky.com/blog/what-is-clickfix/53348/
the mobile phone requirement would mean I end up avoiding sites that use that method. I'm not sure how many friends and family can be convinced, but I can try . (most people tend to give up any and all security measures if it means getting to see the fluffy kitten though, so my hopes aren't very high)
The site doesn't mention this. But, are they locking down QR code auth for only safetynet authenticated devices and with mobile number verification?
Yeah, I had the same question myself. I think that's what you would want to do to make it airtight (plus some amount of rate limiting or flagging for devices that are part of dedicated device farms).
But even if not, there's still value in raising the barrier to entry. For example, you can buy 1000 reCaptcha solves for $1-2 from various captcha-solver services. And yet that $0.001-per-request fee does discourage mass-scale bot attacks.
... You... think... it would be a good thing.
Don't you...
I do. It has downsides of course, but what's the alternative at this point?
I suspect that the HN crowd is somehow insulated from the river of crap and fraud that is the internet experience for a majority of the population.
Depends on your specific problem. Usually redesign your system not to need to care if the other end is a bot or not.
How though? Can you also avoid DDoS simply by designing your system to not care if the requester is a bot or not.
Let's say I'm running https://grep.app/ for example. AI bots start heavily using it, costing me a ton of money. How would you magically design this so it doesn't matter if the end bots are using it?
Rate limit individual clients.
Let's play this out: how do you determine individual clients? By IP? By session ID?
How do you "determine" individual clients to show them CAPTCHAs? Yes, you can, and probably should, make some use of IP addresses, although that would work better if idiots hadn't polluted the Internet with quite so much NAT.
But you don't have to, and you definitely don't have to completely rely on it. Look for a cookie. If you don't see it, route the client through a page that sets it.
Yes, this is subject to flooding attacks... in exactly the same way that every CAPTCHA system is subject to flooding attacks. But it actually uses fewer resources per request than showing the CAPTCHA would.
> How do you "determine" individual clients to show them CAPTCHAs?
Cookies.
> Yes, this is subject to flooding attacks
Err... Yeah exactly.
> in exactly the same way that every CAPTCHA system is subject to flooding attacks.
Uhm no the whole point of captchas is that it requires (or used to anyway) humans to solve them, thus limiting the rate to human speeds.
> Uhm no the whole point of captchas is that it requires (or used to anyway) humans to solve them, thus limiting the rate to human speeds.
The CAPTCHA challenge page itself has to be served to a client that has not yet given any evidence that it's not a bot. It's just as expensive to serve the challenge page as it is to serve a cookie-setting page. Bots can infinitely retrieve the challenge page (and can also infinitely try to retrieve the underlying "authenticated" page, forcing you to process redirects).
The only reason it looks better to you is that a third party is serving the CAPTCHA. You could also have a third party serve the cookie-setting page.
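The exchange above argues for a cheap cookie-setting page plus per-client rate limiting instead of a CAPTCHA. As an added illustration that is not from anyone in this thread, here is one way to implement that argument in Python: the server mints an HMAC-signed client ID cookie (so a bot cannot forge IDs and dodge the bucket), rate-limits cookied clients per ID with a token bucket, and rate-limits the cookie-setting page itself per IP so a flood of cookieless requests burns the flooder's IP budget rather than the server's CPU. Request dicts, the secret, bucket rates and the 24-hour cookie lifetime are all constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: one per-deployment secret; a real deployment rotates it and
# tolerates the previous key so existing cookies don't all expire at once.
SECRET = secrets.token_bytes(32)
COOKIE_MAX_AGE = 86400  # seconds a minted client id stays valid


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def issue_cookie(now: float) -> str:
    """Mint 'clientid.issued.sig'. The HMAC is what stops a bot from
    inventing fresh ids to get a fresh bucket on every request."""
    client_id = secrets.token_hex(8)
    payload = f"{client_id}.{int(now)}".encode()
    return f"{payload.decode()}.{_sign(payload)}"


def verify_cookie(cookie: str, now: float) -> Optional[str]:
    """Return the client id if the cookie is ours and unexpired, else None."""
    try:
        client_id, issued, sig = cookie.split(".")
        issued_at = int(issued)
    except ValueError:
        return None
    payload = f"{client_id}.{issued}".encode()
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    if now - issued_at > COOKIE_MAX_AGE:
        return None
    return client_id


class TokenBucket:
    """Classic token bucket: `burst` requests instantly, then `rate` per second."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.state = {}  # key -> (tokens, last_seen)

    def allow(self, key: str, now: float) -> bool:
        tokens, last = self.state.get(key, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens < 1:
            self.state[key] = (tokens, now)
            return False
        self.state[key] = (tokens - 1, now)
        return True


# Assumed limits: cookied clients get 2 req/s with a burst of 10; an IP may
# hit the cookie-setting page only 5 times in a burst, then 1 every 2 seconds.
cookie_bucket = TokenBucket(rate=2.0, burst=10)
ip_bucket = TokenBucket(rate=0.5, burst=5)


def handle(request: dict, now: float) -> dict:
    """Decide what to serve. `request` is a constructed stand-in for an HTTP
    request: {'ip': str, 'cookie': str (optional)}."""
    client_id = verify_cookie(request.get("cookie", ""), now)
    if client_id is None:
        # No valid cookie: the cheapest thing we can send is Set-Cookie plus a
        # redirect. Gate even that per IP so cookieless floods are bounded.
        if not ip_bucket.allow(request["ip"], now):
            return {"status": 429, "reason": "too many cookieless requests from ip"}
        return {"status": 302, "set_cookie": issue_cookie(now)}
    if not cookie_bucket.allow(client_id, now):
        return {"status": 429, "reason": "client over rate"}
    return {"status": 200, "client": client_id}
```

The point the thread makes survives in the code: both branches that a never-before-seen client can reach (the 302 and the 429) cost one HMAC and a dict lookup, which is less than rendering and serving a third-party challenge page. The remaining exposure is distributed floods from many IPs, which is exactly the exposure a CAPTCHA page has too.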
Just show us your face and transactions history, it's about the kids.
I don't really get how this stops captcha solving as a service, which is the actual way that scaled recaptcha solving is done? Those things are incredibly cheap and are staffed by humans anyway. Instead of selecting grainy busses, they will just scan the image with their phones.
They'll need a lot of google-certified phones then. And each phone will only be able to do so many verifications until the unique, cryptographically secure ID gets banned by Google.
Google already killed SMS verification market specifically for Google accounts because they reversed the verification from receiving to sending the SMS. Almost a year after, no SMS verification service that made a killing on this is offering an alternative.
So yes, this will definitely affect the captcha solving services.
Yeah, I'm not doing that.
You don’t need to. As long as the dumb majority goes along with it, your options are to capitulate or get locked out of society.
Your only option is to sway the "dumb majority" in the other direction.
An increasing percentage of the dumb majority are opting for dumb phones and plenty of people still use laptops, it doesn't have to be anywhere remotely close to a majority for many analytics-obsessed site owners to see the drop in sales and opt for another solution.
In any case, sites using an extremely restrictive mode of recaptcha during ddos attacks will just be one segment of a very fragmented digital future, not society as such
Making sure that only Google can access protected websites
You mean like the Google login QR I can already bypass with an extension? I'm not sure this is a real step forward in the arms race, and I'm cool with that.
I ditched reCaptcha and switched to Cloudflare Turnstile recently. It’s been a lot more effective. Not sure about this but I won’t be switching back for the time being.
From one egg basket to another; both are flawed in design.
It's hard to say which one is more maddeningly annoying.
Why not hcaptcha or anubis? I had to block Cloudflare JS due to abuse, so I can't use any sites that require it.
it looks like one of those malware sites you see when clicking on a dodgy advert
Inb4 Google 2027: "we sold 30% more Android devices YoY!"
(The extra devices are cheap $30 phones all going into reCAPTCHA solve farms)
Why, when I open Google in private mode, do I need to solve 10 captchas?
Looks like Cloudflare has the only user friendly captcha of them all.
I suppose it's now become a default assumption every customer is going to own a smart phone that complies with this requirement?
It seems on iOS you'll even need to download an application, which is quite a bit of friction.
In the current economic times, adding minutes onto the user journey is not going to result in increased sales, I suspect the data will prove the opposite.
Using a mobile device is bad enough as it is: TOTP, email, SMS codes, 3DS etc, while you can say this is part of the "flow", it's too much. I can see many abandoned journeys from this.
Google has a lot of fraud because they have absolutely no standards when it comes to advertising scams and frauds as the first result. Google is a services company for the global crime industry.
Feels like we accidentally built a web where proving you’re human now requires approval from 3 different corporations.
I don't think there's much that's accidental about it. The giant corporations with near-monopolies in web-related markets (browsers, search...) are going to be incentivized to put restrictions in place that protect that monopolistic status. As with other facets of life, they can dress up the changes as "protecting users/kids/etc" and mostly get away with it. The same companies are the ones championing the very technologies that make human attestation more and more necessary.
Google building harder walls against bots while simultaneously building AI agents that need to get through them is peak 2026.
They're expecting everyone to whitelist Google agents because Google has the market share for people to complain if Google agents don't work.
With the apparent competence that built Gemini, I have zero faith in Google building or doing anything that works anymore.
To counter the idiot downvotes, I proffer this as a prime example of Gemini:
That and the cli keeps exiting 0, without hinting why... Quality like the "AI Overview" that hijacks an entire page and isn't even relevant to the search terms - uBlock still doing god's work.
It made me realise I was perhaps a bit hard on Claude (but then it did something equally as dumb)
Point On! Probably done by two different teams, who don't know about each other. I hate this (re)captcha so bad. They assume everyone is bad.
It’s the same thing with Sam Altman and Worldcoin: create the problem, then sell people the solution (which also just so happens to shred more privacy). Play both sides and profit; it’s great work if you can get it.
Those who don't read articles: Google is pushing QR codes as captcha.
My personal thoughts are that this is fucked. I'm not whipping out my phone to read some blog or comment on YouTube.
Just fn decimate, nuke, wipe out google.
Does it not seem to anyone that Google is wielding too much power over our digital lives and the Internet?
How are people stopping bots reliably?
You can't, really. If a user can access the site, so can a bot.
You may be able to make it more expensive than your information is worth, but of course that affects users too.
Before the age of AI, most bots weren't sophisticated at all. They might be a script running curl in a loop, or at best some standard browser automation tool like Selenium or Playwright. People couldn't stop bots reliably, but they could easily stop 99% of bots. That is of course no longer true, which is why reCAPTCHA had to evolve.
The first step is to write down why you are stopping bots and which bots you are stopping. If an LLM is buying things from your web store, that's good. You are making money on that, and you shouldn't stop it.
The lifetime value of a LLM may be less than a real person. Especially if you consider things like word of mouth marketing.
Perfectly: They're not; that's not really possible.
Adequately: Proof of work. https://anubis.techaro.lol/
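The comment above points at Anubis, which gates a site behind a proof-of-work challenge. As an added example that is neither Anubis's code nor anything posted in this thread, here is the core of such a scheme in Python in the same hashcash spirit: the server issues a signed, timestamped challenge with a difficulty; the client brute-forces a nonce until SHA-256 of challenge and nonce has that many leading zero bits; the server verifies with one hash. The signature keeps the server stateless (it recognises its own challenge without storing it) and stops a client from lowering the difficulty field; the expiry and a seen-set close the obvious replay. The secret, the 300-second lifetime and the 12-bit difficulty are assumptions chosen so the example runs in well under a second.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SERVER_SECRET = secrets.token_bytes(32)  # assumption: per-deployment secret
MAX_AGE = 300                            # seconds a challenge stays valid
_seen: set = set()                       # challenges already redeemed (replay guard)


def _sig(body: str) -> str:
    return hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()[:32]


def make_challenge(difficulty: int, now: float) -> str:
    """'salt.issued.difficulty.sig' -- stateless: the HMAC lets the server
    later recognise the challenge as its own, and pins the difficulty."""
    body = f"{secrets.token_hex(16)}.{int(now)}.{difficulty}"
    return f"{body}.{_sig(body)}"


def leading_zero_bits(digest: bytes) -> int:
    n = 0
    for b in digest:
        if b == 0:
            n += 8
            continue
        n += 8 - b.bit_length()
        break
    return n


def solve(challenge: str, max_iters: int = 1 << 24) -> Optional[int]:
    """Client side: find a nonce so that sha256(challenge:nonce) starts with
    `difficulty` zero bits. Expected cost ~2**difficulty hashes; the server
    pays one hash to check it, which is the asymmetry the scheme relies on."""
    difficulty = int(challenge.split(".")[2])
    for nonce in range(max_iters):
        d = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
        if leading_zero_bits(d) >= difficulty:
            return nonce
    return None


def verify(challenge: str, nonce: int, now: float) -> bool:
    """Server side. Order matters: reject forged/tampered and expired
    challenges before spending a hash, and redeem each challenge once."""
    try:
        salt, issued, difficulty, sig = challenge.split(".")
        issued_at, bits = int(issued), int(difficulty)
    except ValueError:
        return False
    if not hmac.compare_digest(sig, _sig(f"{salt}.{issued}.{difficulty}")):
        return False  # not ours, or the client edited the difficulty down
    if now - issued_at > MAX_AGE:
        return False
    d = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
    if leading_zero_bits(d) < bits:
        return False
    if challenge in _seen:
        return False  # same solved challenge presented twice
    _seen.add(challenge)
    return True
```

In a real deployment the seen-set lives in shared storage with entries expiring after MAX_AGE, the successful verification is exchanged for a signed cookie rather than re-checked on every request, and the difficulty is raised for clients that have already tripped other signals. Note what this does and does not buy: it taxes each request with CPU time rather than proving a human is present, so a scraper that is willing to pay the electricity still gets through, just more slowly and more expensively.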
The efforts by Google, Meta, TikTok, X, AWS etc. to fight fraud and other financial crimes are probably largely deficient. They earn significant revenue from crime and criminal activity. Compared to banks, which are required to prevent financial crimes up to personal criminal liability of employees, there are no comparable rules for social media platforms.
How do two service businesses get treated so differently by law?
> we enable application providers to deter and mitigate malicious requests by requesting humans to be in the loop using the new QR code-based challenge.
I'm so pissed off in advance. I hope that Google dies and collapses in sudden bankruptcy before we have to support these crappy challenges that are totally user-hostile!
This would not have ever been announced while Lina Khan was running the FCC.
What does the FCC have to do with this?
Anti-trust. They're selling part of the problem (inference via Gemini) and now they're selling a solution. They also dominate web standards by developing the dominant browser. And they control one of two dominant phone platforms that will collaborate to enable this solution.
If this were some smaller company that just did cloud then it'd never even make it to PoC. This can only happen because it's Google Cloud, and they can leverage everything they own all at once. Those not buying into their ecosystem can take a hike.
The FCC doesn't enforce antitrust law. That's the FTC. (The FTC is also the commission that Lina Khan chaired for a while.)
Oops, Yes. I got 2/3 of the letters correct, though. I think that might be a better rate of success than their court cases during those years.
Apart from the horrifying privacy implications, this also means all a bot needs to do to access a website is send a screenshot to an Android device. They made the CAPTCHA machine-readable. It would be funny if it weren't so sad.
I am almost certain that labs in India and China have already developed a solution to bypass the “Scan this QR” method.
What is easier than pointing a camera at a QR code and commanding an AI bot to follow the next steps?
just how evil can google be?
How do I fit TOR in this? Do anonymous users get to use a more anonymous app?
No. Just more rejection and labelled as a terrorist.
Human verification via QR code does not mitigate labor farms.
Does reCAPTCHA ever claim to detect or block labor farms? From its old name it just seems to block bots only. (Bots are nowadays called agents.)
I imagine again a worldwide search for the cheapest labor. Mechanical Turk on steroids.
Another nail in the web anonymity sounds like
We are much MUCH closer to "drink verification can" than to the time that greentext was written. Like many things in 2026, it's beyond fucking wild, it's a parody of itself.
And I don't see it getting better without government regulation. But states are now weaker than corporations. How can we expect them to take charge?
Can I confirm that this is more shit from Google trying to lock people into their ecosystem (or Apple's) under the guise of security?
Will it be GDPR-compliant -- contrary to reCAPTCHA ?
Maybe soon there will be a market for a phone specifically for use as a dummy, to get past all this nonsense.
ofc, there is classic web support, aka noscript/basic (x)html?
Who are the engineers building this technology? Make their identities known so displeasure about these systems can be delivered directly to those who most deserve it.
Google and the reCAPTCHA network aren't even that good with fraud prevention. You would think being literally omniscient over the whole internet would make it trivial to catch account takeovers, and Gmail has a proven track record at resisting account takeover, but when we tried to integrate their fraud signals, they were worthless, worse than the rest of the industry, worse than our homegrown trash from a decade ago.
Because Google doesn't actually care about preventing fraud, they just want the data you feed them and the fraud feedback you provide. It's all take, no mutual business.
"This AI-resistant mitigation challenge to prove human presence is designed to make automated fraud economically unviable."
Oh, you sweet, summer child.
Don't worry. That's the lie they are using to get what they really want.
Thanks for sharing
Two mdashes in the first sentence...hmm.
++1
An ellipsis followed by hmm in your comment.