Posted by ribtoks 21 hours ago

Google Cloud Fraud Defence is just WEI repackaged (privatecaptcha.com)
677 points | 345 comments
jeroenhd 18 hours ago|
I saw this coming from miles away. Computers are better at solving CAPTCHAs than people are and people can be bribed or convinced to join botnets so IP whitelisting doesn't work either. Now we have tons of fingerprinting and behaviour analysis but governments are cracking down on that. Plus, YouTube had a massive ad fraud problem with ads being played back in the background in embedded videos, so their detection clearly wasn't good enough.

There aren't many good ways to prove you're not a bot and there are even fewer that don't involve things like ID verification.

Their opt-in approach helps shift the blame to individual web stores for a while, so who knows if this will take off. But either way, in the long term, the open, human internet is either going away or getting locked behind proofs of attestation like this.

Apple built remote attestation into Safari years ago together with Cloudflare and Google is now going one step further, as Apple's approach doesn't work well against bots that can drive browsers rather than scripted automation tools.

Luckily, their current approach can be worked around because it's only targeting things like stores now and you can buy things from other stores. Once stores find out that click farms have hundreds of phones just tapping at remotely served content, uptake will probably be limited.

It'll be a few years before this is everywhere, but unless AI suddenly isn't widely available anymore, it's going to be inevitable.

moritzwarhier 17 hours ago||
> saw this coming from miles away. Computers are better at solving CAPTCHAs than people are

good point... it's interesting how Captcha was initially popularized as a reverse Turing test, but it's just variants of Proof of Work today.

And it seemed clever at the time for Google to leverage this for improvement of their OCR models (it was!), and makes you wonder what utility is derived from the proven "work" today.

jonas21 17 hours ago|||
CAPTCHAs were designed as a type of Turing Test, not a reverse Turing Test. It’s not surprising that the effectiveness of these weaker variants has collapsed, given that AI can now pass the real Turing Test.
Retric 16 hours ago|||
LLMs can still only pass limited Turing Tests. The longer the interaction the worse they do. Which of course means you can easily create an experiment they successfully pass, but just as easily you can create an experiment where they fail.

CAPTCHAs are nearly useless because of how little you need to pay humans to solve them.

miki123211 15 hours ago||
A more interesting question is whether there is a Turing test that is easy for ALL humans to pass, while still being hard for LLMs.

In practice, most of the major CAPTCHA vendors already rely on non-privacy-preserving tests for those needing more accessible solutions than a visual puzzle.

Google's audio captcha (only available in a few languages and unusable for those who also have hearing issues) only works for a narrow band of users, not trusted enough to bypass the captcha entirely, but also not untrusted enough. If you fall outside of that band, you get a nice "your device has been classified as a fraud risk, please use the visual captcha" message.

hCaptcha goes even further and straight-up requires you to have an "accessibility cookie", which requires verifying your email address (and apparently your phone number in some cases) to obtain, as well as disabling some anti-tracking settings in your browser.

jfim 15 hours ago||
I've seen one recently where it's basically a series of animated objects and you're asked to click on the slowest one. It's surprisingly easy as a human, but anything that depends on a single screenshot of the page isn't able to solve it.

Obviously, that's only solvable by sighted humans, not ones that are blind or have otherwise low vision.

InsideOutSanta 17 hours ago||||
I'm not sure if LLMs are solving most of these captchas. There are services that employ humans to solve them for pennies per captcha.
moritzwarhier 17 hours ago|||
Oh, right, "reverse" was wrong here. I thought of "computer classifies user as computer or human" versus the inverse, while the word is about who classifies, not who's being classified.

(?)

I guess so

dylan604 16 hours ago|||
With the crosswalk, bike, motorcycle, stairs type of things, wasn't that just improving their training data?
moritzwarhier 16 hours ago||
Yes, for Waymo, AFAIK (I don't know for sure).

The OCR thing was earlier and used for Google Books, I think. Which also is fitting for training data, or the motto "organize all knowledge".

At that time, this goal seemed really cool!

armchairhacker 16 hours ago|||
> people can be bribed or convinced to join botnets so IP whitelisting doesn't work either

Do you think this won’t also be bypassed, by bribing people to scan QR codes and spoofing location etc.?

chadgpt2 15 hours ago||
The person who scanned the QR code is knowable. They have their IMEI encoded in the response.
armchairhacker 15 hours ago||
Allegedly can be spoofed.

But regardless, I imagine scammers will circumvent this to buy products, log in to bank accounts, etc. of the exact users they’re targeting. The user will be presented with “Scan this QR code for $100” as the scammer is logging into their account with spoofed metadata.

mschuster91 14 hours ago||
> Allegedly can be spoofed.

Not on a non-rooted device, which won't pass attestation.

dylan604 16 hours ago|||
> people can be bribed or convinced to join botnets so IP whitelisting doesn't work either

what does that bribe look like, as in, how much can one get? what all does that entail? is that a little box i connect to my network and forget about? does that mean if i unplug it unless another payment is received that will work out? i'm asking for a friend that's looking to avoid selling plasma to make ends meet.

michaelt 16 hours ago|||
https://www.fbi.gov/investigate/cyber/alerts/2026/evading-re...

> The following methods can be used to acquire residential IP addresses for a residential proxy network:

> Software development kit (SDK) partnerships: Proxy services convince mobile application developers to include their SDK in applications in exchange for payment for each person who downloads the application. Individuals download the application and accept the terms and conditions, allowing the SDKs to run in the background and route proxy traffic through users' devices.

> Virtual private network (VPNs) with hidden terms of service: Free VPN services may enroll users' devices in a residential proxy network, without obtaining their consent. The details are often hidden in the terms of service, which most users do not read prior to download, or the language is difficult for the user to understand.

> [malware and compromised IoT devices]

> Passive income schemes: Proxy services convince people to download applications on their device that promise to pay them for their internet bandwidth. People often do not realize that criminals use their internet connection to commit cyber attacks

One reddit post says bandwidth sharing passive income schemes paid them $1 to $9 per month.

miki123211 15 hours ago||||
I used to know some Americans who were on the poorer end of the spectrum, and apps that paid you for performing fitness activity and such weren't uncommon in that demographic. Not as much of a thing in Europe for some reason.

I believe the cheap Chinese pirate TV boxes that are somewhat popular in the US these days are also in botnets, which is likely how the vendors make them so cheap.

ddtaylor 15 hours ago||
What are these Chinese pirate devices? This sounds fascinating.
robin_reala 14 hours ago||
https://krebsonsecurity.com/2025/11/is-your-android-tv-strea...
tadfisher 14 hours ago||||
Oh it's better than that now, if you can afford the up-front costs. You can set up a phone farm with cheap Google-certified devices, and the control software manages the Google accounts and botnet connection (through multiple residential proxies, of course). All of these attestation games are DOA.
dns_snek 16 hours ago||||
I'm afraid it's far less enticing. The usual offer is "To continue playing, pay $0.99 or hit AGREE to share your internet connection with Legit Services Inc."

And that's assuming they're nice enough to ask at all.

x0x0 16 hours ago|||
I'm pretty sure it's one of the revenue models for those free TV/movie boxes. You can even see them at Best Buy. Absurd.
dylan604 15 hours ago||
Can you use one of these boxes connected to a firewall blocking the connections to the botnet?
dakolli 17 hours ago|||
I personally think it's easier to detect LLM-controlled browser sessions, the people deploying them are far more naive and inexperienced than traditional scrapers/crawlers.

insert You wouldn't bring a 40 Petabyte Zip Bomb to School, would you? meme

jeroenhd 16 hours ago||
Part of the problem is also that Google wants to permit crawlers to do some things but not others.

Their announcement is full of buzzwords about "agentic" things. Detecting LLMs is one thing, but imagine the power of being able to pick which LLM browsers are permitted and which aren't!

I think Google is being too early to the party with this. Cloudflare still has CAPTCHAs to throw at the wall. There are ways other than attestation to verify that someone is a real human, but they're getting more and more annoying to real users and harder and harder to implement on a small website.

Despite the massive implications, this is a simple system that just works for the 99% of people who use Chrome or Safari or at least have access to an Android phone or iPhone somewhere. It's quick, doesn't require installing apps or creating accounts, and it just works from both the website perspective and the user perspective.

Of course when you start thinking about people with disabilities things become problematic, but when have tech companies ever really cared about that sort of thing? Inclusiveness was fun and all for a while, but the clowns the American people elected banned that sort of thing for any company considering government contracts, and big tech licked that boot like it was made of honey.

The world becomes a lot easier if you just decide to ignore all edge cases and assume customers who disagree with you didn't matter anyway. And infuriating as it may be, for companies like Google, that business model works.

Fire-Dragon-DoL 16 hours ago||
I mean depending on the cost, Google is guaranteed to lose the battle, like gaming anticheat: there are tools that do parsing of the image on screen and send input as a USB device, there is absolutely nothing to detect.

Doing that for a webpage seems way easier than a videogame

SwellJoe 19 hours ago||
From "Don't be evil" to building the largest, most invasive, surveillance operation the world has ever seen.

That was true before this, but this indicates nothing will ever be enough. Google will always want to track more of everyone's activity online, and will use every tool at their disposal to do it.

curiousgal 15 hours ago|
> Google

It's not Google, it's someone. A person came up with this idea and is pushing it through. We should stop treating corporations as some abstract entity instead of a group of sick people making these kinds of decisions.

munchler 19 hours ago||
I think this is the third HN link I've clicked on in a row that leads to an LLM-generated article. I'm not opposed to AI, but I'm tired of seeing it quietly substituted for human thought and expression.
alex_duf 19 hours ago|
I'm seeing this stance a lot "this is obviously AI generated"

Why? What's LLM generated? How can you tell?

To me what's obvious is that our trust system is already breaking down. Commenters accusing each other of being AIs is also another example of this.

gruez 18 hours ago|||
>Why? What's LLM generated? How can you tell?

Not the guy you're responding to, but:

1. The high number of (em) dashes is suspect, though it's unclear whether they manually replaced the em dashes or is actually human generated.

2. "One additional failure worth noting: one incident response professional in the HN thread, raised a concern that operates independently of the bot problem" feels out of place for a content marketing piece. HN isn't popular enough to be invoked as a source, and referencing it as "the HN thread" seems even weirder, as if the author prompted "write a piece about how google cloud defense sucks, here are some sources: ..."

3. This passage is also suspect because it follows the chained negation pattern, though it's n=1

>No hardware identifier is transmitted. No attestation is required. No certification layer determines who may participate.

edit:

I also noticed there are 2 other comments that are flagged/dead expressing their reasons.

ribtoks 18 hours ago|||
> actually human generated

Human written, not generated.

> HN isn't popular enough to be invoked as a source

Excuse me, what do you mean there? The author happens to read HN too.

gruez 13 hours ago||
>Excuse me, what do you mean there? The author happens to read HN too.

Read the rest of the comment. It's not suspect because it's referencing HN, it's suspect because of the way it's referencing HN. Specifically, its use of the phrase "the HN thread", even though it wasn't mentioned before. Maybe it's an editing gaffe, but it's also consistent with how an LLM would write if presented with a list of sources.

nerdsniper 12 hours ago||
Yep, this feels like a smoking gun. The others are circumstantial, maybe indicative, maybe not. While there’s a chance this is an editing gaffe, it's overwhelmingly likely to be LLM, ahem, “cruft”.
bakugo 18 hours ago|||
Looks like the moderators are actively deleting comments that call out AI generated articles now. Grim. This comment will probably be deleted too.
dang 14 hours ago|||
What did you see that made you think that? (It's entirely untrue btw.)

We haven't said anything specific about genai articles but if you've seen https://news.ycombinator.com/newsguidelines.html#generated or https://news.ycombinator.com/item?id=47340079 it shouldn't be hard to extrapolate.

bakugo 13 hours ago||
Both comments appeared as [dead] within a few minutes of being made, despite not appearing as [flagged].

They're visible now, but still. What caused them to appear as [dead] in the first place?

dang 11 hours ago||
There are several possible reasons, so I'd need links to the specific posts in order to answer.
bakugo 8 hours ago||
Mine: https://news.ycombinator.com/item?id=48065850

There was another sibling comment posted around the same time that was also dead.

tomhow 4 hours ago||
Your comment was autokilled because our software classified it as AI-generated :) It was a false positive and another user has since vouched for it.

For the record: we never delete anything, aside from very rare cases in which a user asks us to delete something for privacy reasons. Plenty of posts get killed by flags or software filters (spam, abuse, etc), but these can all be seen by turning 'showdead' on in your profile.

greenchair 17 hours ago|||
[flagged]
tomhow 4 hours ago||
Quite the opposite. That user's comment was killed because it was classified as AI-generated. Of course it was a false positive due to the AI-generated text they quoted. These systems aren't foolproof. But we're very serious about preserving HN for curious conversation between humans.
munchler 18 hours ago||||
The choppy language is the biggest trigger for me. Examples:

* "With Fraud Defense, there was no process to respond to. The product launched. The requirements page went live."

* "That is not a technical limitation waiting to be engineered around. It is the mechanism."

* "The defeat is mechanical. Bot operators point a camera at a screen, a trivial automation with off-the-shelf hardware."

I could be wrong, of course. Maybe humans are starting to write like LLMs, or maybe it's just confirmation bias on my part.

Terretta 17 hours ago||||
Look at the number of : per paragraph. What human puts two : in a single sentence?

"One additional failure worth noting: one incident response professional in the HN thread, raised a concern that operates independently of the bot problem: …"

The ersatz Ted Talk meets LinkedInfluencer rhythm of sentences, the throat clearing fillers as connective tissue…

Or Wikipedia: https://en.wikipedia.org/wiki/Wikipedia:Signs_of_AI_writing

mananaysiempre 14 hours ago||
I do. I usually notice and try to rephrase, though.

(Also, you can pry my em dashes[1] from my cold, dead hands.)

[1] https://www.gally.net/miscellaneous/hn-em-dash-user-leaderbo... says mean 1.64, maximum 13 em dashes per pre-ChatGPT comment.

bakugo 18 hours ago||||
The entire article is just one long stream of short, punchy, declarative sentences. The latest Claude models are notorious for writing like this.

There's also a few cookie-cutter patterns that should immediately jump out at you if you're at all familiar with AI writing, such as:

> No hardware identifier is transmitted. No attestation is required. No certification layer determines who may participate. User privacy is structurally preserved, not promised.

> Google Cloud Fraud Defense is not a reCAPTCHA update. The QR code is the visible mechanism, but device attestation is the real product.

tkel 13 hours ago||||
It's really obvious. The repeated information. The very. short. sentences. The incessant detail. The tangents that go nowhere. And LLMs always try to structure the entire essay into topical sub-sections.
nitwit005 15 hours ago||||
They can't tell. It has become a statistical thing. There will exist some percentage of them that assumes an item is AI generated. With enough people seeing something, you'll see the accusation.
michaelcampbell 15 hours ago|||
"this is AI" is the new "This is shopped", but without the "I can tell by the pixels" rejoinder.

I mean sometimes they're right, but honestly in this day and age does that even matter?

Havoc 19 hours ago||
Whether it's AMP or manifest 3 or Android source shenanigan or attempts to replace cookies with their FLOC nonsense or this... Google is rapidly turning into a malicious force when it comes to the open internet
xiaoyu2006 18 hours ago||
Turns out RMS has always been right. How surprising.
tgsovlerkhgsel 16 hours ago|||
Turns out that identifying a problem doesn't help without a workable solution/alternative.
skinfaxi 6 hours ago||||
The first step in solving a problem is identifying it.
jjulius 16 hours ago||||
The whole "don't point out a problem unless you have a solution" trope is bullshit.
dylan604 16 hours ago||||
I hate this trite and the managers that say "don't bring me problems, bring me solutions" nonsense. I'm not the person to be able to fix it so the solution is make the problem known so others responsible can fix it. If I could fix it, I wouldn't be telling you about the problem. If anything, I would tell you how I fixed an issue in some stand up or other of the many meetings scheduled keeping me from working.
janalsncm 15 hours ago|||
I am only aware of two solutions:

1) proof of identity, tying accounts to real-world things that are hard or impossible to replicate

2) proof of work, tying accounts or actions to the ability to run computations

Proof of identity in theory can solve the problem but at the cost of privacy.

Proof of work can be defeated but has the possibility of preserving privacy.

Worf 14 hours ago|||
3) micropayments

There are many issues with those, like the wildly different standards of living across the globe. OTOH anyone can acquire Monero if they want to. But someone from a rich country will likely be able to pay for more fake accounts/visits than someone from a poor country. With the ad market the difference between where the visitor is from is very important. Some ad clicks may cost a dollar if they're coming from a rich country and 0.01 cents if they're coming from a poor country.

I'm not suggesting cryptocurrency micropayments for accessing the web but it's on par with PoW in that it only requires money, not privacy.

Perhaps the way forward is for people to wake up and stop visiting sites that infringe on their privacy.

janalsncm 9 hours ago||
Fair enough, I didn’t think of that one. I suppose macropayments could be in the same bucket.

Analogous to hardware disparities and POW, wealth disparities make payment a toll but not a roadblock.

supern0va 14 hours ago|||
>Proof of identity in theory can solve the problem but at the cost of privacy.

All current implementations: yes. I do think there are some privacy preserving solutions, but they're obviously imperfect. But assuming you have a central authority that can validate and sign valid government identification, it seems like some sort of ZK scheme could allow one to verify that they have a valid government issued ID, but without disclosing which one it is.

I still don't love the idea, but it sure seems better than everything else I've seen proposed.

Worf 14 hours ago||
From what I've seen no such solution guarantees privacy to the user if the signing body (or the government) and the website collude to deanonymize the user.
m463 16 hours ago|||
nonsense on all levels.

RMS has offered broadly solutions/alternatives since the beginning, along with reporting early on trends that other people ignore.

janalsncm 16 hours ago||
What is his solution to combatting botnets at scale?
mrsssnake 13 hours ago|||
His solution would be taking democracy and freedom above the interest of a couple of botnet-attacked websites.
janalsncm 9 hours ago||
What does that even mean?

I don’t mean to be rude but every single person who references RMS here seems to only have platitudes rather than solutions.

chadgpt2 15 hours ago|||
His solution is don't. Why would you? In fact, if you don't block the script that's running on one computer, the script operator won't need to run it on a botnet.

I don't know RMS's solution to spam or DDoS which are the real problems.

janalsncm 15 hours ago||
> Why would you?

Because controlling a large number of accounts can allow you to manipulate the algorithms on Web2.0 websites. For example, this one. If you don’t combat spammers the front page quickly gets filled up with garbage.

chadgpt2 13 hours ago||
[flagged]
janalsncm 15 hours ago||||
What is RMS’ solution to this problem?
kibwen 15 hours ago|||
Uncompromisingly insist on only using things you have ultimate ownership and control over, even when that means dramatic and life-altering inconvenience, and where those things don't exist, build them yourself.

Unfortunately, "build it yourself" is relatively easy when it comes to software, and almost impossible when it comes to the hardware running that software. It doesn't matter if you have full ownership of a complete open-source stack if no hardware manufacturer will permit you to run unsigned arbitrary code. The lack of open hardware--chips that you could build in your garage using materials nobody could reasonably prevent you from acquiring--is the lynchpin upon which open source software will wither and die.

Borealid 14 hours ago|||
There is already plenty of open hardware, it's just not this-year's-top-performance.

In the category of ~1-3 years' performance lag you get Rockchip and friends, which are closed hardware that allows open computation. See computers made by the company MNT as an example.

In the category of ~5 years' performance lag you get "soft" cores, where you buy an FPGA (dynamically reprogrammable hardware) and make it run a CPU you design yourself. If you want to, for example, make your CPU have more cache and fewer ALUs, you can do that by tweaking some files and reprogramming the FPGA. This has a cost in terms of power efficiency and runtime speed, but you can absolutely run a full Linux desktop experience on an FPGA today, and the hardware has no way to try to prevent you from running any software.

You can solve the problem of all the cellular basebands being closed source with either software-defined-radio or using a closed USB/PCIe cellular modem connected to an open processor.

bix6 14 hours ago|||
So why doesn’t someone build these chips in their garage then?
wafflemaker 15 hours ago||||
In Eve online you used to be able to have people (outside your contacts list) pay some cash in escrow to send you a message.
Refreeze5224 15 hours ago|||
I know what his solution is not. It's not a mechanism that conveniently enables the fine-grained surveillance of people that just so happens to be Google's business model.
janalsncm 9 hours ago||
I specifically asked the question I did because rejecting solutions without proposing your own is a great way to not solve the problem.
backprop1989 16 hours ago||||
Root mean square?
snailmailman 16 hours ago||
Richard Stallman
Aloha 18 hours ago||||
Indeed, occasionally hammers do find nails to hit.
stronglikedan 18 hours ago||
Strange analogy considering that RMS got to where he is precisely by finding nails to hit much, much more than occasionally, and much, much more than most hammers.
Supermancho 16 hours ago|||
I think it hits perfectly. He espouses that almost every vendor everywhere is doing something immoral and it will inevitably be used against you. Eventually, some of these predictions come true enough for some part of his audiences.

I don't think you've made a point about his abilities. I do think you've restated his proclivities, which reinforces the basis for the quip.

rpdillon 15 hours ago||
This is particularly uncharitable to someone that saw around many corners and was articulate enough to warn us about them in advance.

There's a reason there's a subreddit called "Stallman Was Right", and it's not that he was shotgun blasting opinions and landed a few of them. It's because he has a systemic understanding of the incentives our system sets up and is able to project decades into the future about how those incentives will play out.

behringer 18 hours ago|||
The analogy works if you think of RMS as a nailgun.
smallnix 18 hours ago||
A nailgun hitting nails? This is going nowhere..
CalRobert 16 hours ago|||
Much as a hammer tacker hits tacks internally, so a nailgun strikes the nails within itself.
behringer 17 hours ago|||
well it drives nails, we've lost the plot!
traderj0e 18 hours ago|||
If RMS said not to trust Google's self-proclaimed altruism and relationship with open source, yeah. I always assumed that was a backstab waiting to happen. But that only meant I used an iPhone and didn't care that it was more closed than Android, not that I got an Arch Linux phone or something. (And a Mac more importantly, but there's not really a Google counterpart to that.)
willio58 15 hours ago|||
> AMP

My god AMP was such an annoying thing ~4-5 years ago when I was working in a marketing-forward web dev shop.

"Google really likes when you pipe your words into their shitty UI because it saves some time for the user"

We were all like, cool so on one hand we're being given complex designs for sites to differentiate them, and on the other hand we're bowing to a megacorp who actually wants to skip the whole web design part entirely and pipe our content through their pre-defined UI.

So glad it died. Should have known it would die in a matter of a couple of years with that being the track record for Google in general.

xnx 11 hours ago||
> skip the whole web design part entirely and pipe our content through their pre-defined UI

It's a shame this part didn't stick. I use reading mode every chance I get because the more design a page has, the worse it is. For some reason orgs agreed that it is ok to let Medium or Substack own their content, but hated Google's high speed CDN.

phpnode 18 hours ago|||
Last time this happened we got a bunch of Google employees downplaying the impact of WEI and calling it a nothingburger, that people were being hysterical. I just checked, and everyone I saw defending it has since left the company. I'm sure another wave of Google managers, keen to appeal to the higher-ups, will be here to defend this new initiative any minute now.
gessha 15 hours ago||
This makes me curious, where did they go?
phpnode 13 hours ago||
at least one went to Shopify, I'm not sure about the rest
EGreg 18 hours ago|||
Don't you see it closing all around you?

It's not just Google. It's governments, corporations, all around the world, simultaneously. The noose is being tightened gradually, then all at once. And it's coming for all of us:

https://community.qbix.com/t/increasing-state-of-surveillanc...

The threats above interlock by design or convergence: Identity layer (1-5) creates the prerequisite for the others. Once identity is established at SIM/account/device level, the carve-outs that make surveillance politically viable become possible (powerful users get exemptions; ordinary users get watched).

Device layer (10-12, 16-19) creates the surveillance endpoint. Once content is scanned on the device before encryption, the cryptographic protections at the communications layer become irrelevant.

Communications layer (6-9) is the most-defended. Mass scanning has been defeated repeatedly. This is the layer where the resistance has the best track record.

Reporting layer (13-15) is nascent. Direct OS-to-government reporting hooks haven't been built yet at scale. The UK's December 2025 proposal is the leading edge.

Platform control (20-24) determines whether alternatives can exist. Browser diversity, app distribution diversity, and engine diversity are the structural protections. All three are narrowing.

A society with all five layers complete has the technical infrastructure for total surveillance with elite carve-outs. We are roughly 40% of the way there. Whether that infrastructure becomes a dystopia depends on political choices, not technical ones.

HN as a whole is surprisingly oblivious to the noose tightening, because many here are super against decentralized distributed things, if they involve any sort of token. You can complain all you want, but downvoting and burying the decentralized alternatives just for groupthink makes you somewhat complicit in the erosion of our privacy and liberties. Even if you might disagree with a project, all the work that goes into it might be a good reason to upvote it instead, considering that without this work, we're basically doomed.

CalRobert 16 hours ago|||
Hell, even using cash feels like a minor form of dissent. And of course even if you leave your phone at home, your car will be scanned with ANPR wherever it goes. And if that fails, there's still your face to be tracked.
hellojesus 13 hours ago||
The cars themselves phone home all the time. You have to physically remove the transceiver to prevent it or run a jammer nonstop at the risk of a felony.
CalRobert 7 hours ago||
Yeah. I’ve never owned a car newer than 2006 though. These days I just ride a bike. Though the fancier e-bikes have gps tracking…
narrator 17 hours ago||||
I said 16 years ago, when IPv6 was coming into use, that the only reason for a 128-bit address space was so they could tie every packet on the internet back to you as a person. https://news.ycombinator.com/item?id=1464940
chadgpt2 15 hours ago||
No, the main reason is because NAT is terrible and restoring the end to end principle is important if we want the internet to stay not separated into server networks and eyeball networks. If we want to decentralize the internet it's necessary that eyeball machines can talk with each other, not only with servers. This ability reduces the possibility of surveillance.

When IPv6 was designed it was normal for each IPv4 address to be traceable to someone's desk. Fortunately, as that changed with IPv4 so did it with IPv6, so we got IPv6 privacy extensions.

pneumonic 16 hours ago||||
It doesn't help that your first sentence makes you sound like a conspiracy theorist riding his hobby horse. I read on despite that, but others may not.
kogasa240p 18 hours ago|||
[flagged]
EGreg 17 hours ago||
I refer you to all my own comments about decentralized solutions, which you can see in my history. And the posts that have been flagged after amassing too many upvotes. I think that's sufficient.
kogasa240p 16 hours ago||
My apologies then
ocdtrekkie 19 hours ago|||
> rapidly becoming

Always has been.

Google was creating cartels like the "Open Handset Alliance" literally decades ago.

Via their control of Chrome and Search which are both monopolies, Google holds absolute authority on how websites are rendered and if websites can be found.

Melatonic 14 hours ago|||
Huge fan of Kagi so far - especially SmallWeb if you do want to find websites that probably would not hit the top of Google search results
ocdtrekkie 14 hours ago||
I am a Kagi early adopter. ;) But the reality is what can be on the web is dictated by Google Search, because nothing survives if you can't find it on Google.
parineum 18 hours ago||||
> Chrome and Search which are both monopolies

I'm on Firefox and use DuckDuckGo.

ToValueFunfetti 17 hours ago||
You'd be better off mentioning Safari (17% of users vs. Chrome's 68% and Firefox's 2.2%) and Bing (10% vs Google's 85% and DDG's 1.7%). But nice to know there are two of us!
vel0city 18 hours ago||||
It cracks me up when people say Chrome is a monopoly, because a massive amount of computing devices do not even ship with Chrome. Windows computers, MacBooks, and iPhones require users to go search out and install Chrome on their own, of their own volition, shipping with entirely functional and decent browsers out of the box that they have lots of patterns to push. Even many Android phones ship with browsers other than Chrome as a default still from what I understand.

How is Chrome, of all things, a monopoly? Have words just entirely lost all meaning and now monopoly just means "things which are popular that I dislike"?

MSFT_Edging 18 hours ago|||
Chrome is a monopoly by extending the internet in ways that force users into chrome. Due to market share and Google's prevalence, they have the sway to introduce things that cannot meaningfully be avoided without extreme siloing.
vel0city 17 hours ago||
Outside of WebUSB I personally haven't meaningfully been impacted in any ways. Can you share which ways this is?

Note, this is separate from a "so many things are just Chromium", which I agree is an issue, but isn't the same as a "Google Chrome is a monopoly". Because in the end there are still many non-Chrome browsers which support WebUSB which do not end up with a lot of the downsides of Chrome specifically about Google harvesting your data and what not.

CursedSilicon 17 hours ago|||
Ah, the "this doesn't fit my very specific technicality argument"

You know full well what people mean when they say "Chrome"

vel0city 17 hours ago||
> You know full well what people mean when they say "Chrome"

Yeah, Chrome, the web browser made by Google that bugs you to sign in with your Google Account. Most people don't mean Microsoft Edge when you say "Chrome". Do you call Microsoft Edge "Chrome"?

Chrome is a product made by Google that is a web browser. If the argument is Chromium is too interwoven, that's a separate argument.

But even then, what does it mean that "Chromium is a monopoly"? Is Linux a monopoly as well? Why or why not?

Note you haven't actually given me any other ways one would be impacted like I asked. What are the other majorly missing features Chrome pushes that other browsers don't have that most sites require? What else am I missing by not using a non-Chromium-based browser?

majorchord 17 hours ago||
> what does it mean that "Chromium is a monopoly"

As someone else said earlier, it is a monopoly by extending the internet in ways that force users into using their browser engine. Due to market share and Google's prevalence, they have the sway to introduce things that cannot meaningfully be avoided without extreme siloing.

> What are the other majorly missing features Chrome pushes that other browsers don't have that most sites require?

This is a different question, please don't move the goalposts.

vel0city 17 hours ago||
> by extending the internet in ways that force users into using their browser engine

And yet after multiple times of me asking you've yet to give me a single real feature lost.

> This is a different question

It's literally the thing we're saying is the problem, how is it a different question entirely?!

You're saying the problem is they're adding features that force Chromium, but asking about which features you're talking about is just bringing up unrelated and different questions.

majorchord 16 hours ago||
It's not so much forcing people to Chrome/chromium for specific features, but trying to increase market share through more subtle means, like paying to have their search engine featured, advertising their products everywhere possible (including inside other people's apps), slowing down their sites (like youtube) on other browsers, or tying in other services (along with way too much personal info) to try to keep people within their sphere of influence.

Is Linux also a monopoly? In a way sure, but I think a big difference is they're not "doing evil" as people claim Google is, and all the development/decisions are still made out in the open in a democratic way.

Former Google execs have even compared their setup to "running the New York Stock Exchange while trading on it."

At least Linux isn't trying to tell people what to do with their software.

philipallstar 16 hours ago|||
> it is a monopoly by extending the internet in ways that force users into using their browser engine

2 messages later that seems to be contradicted?

> It's not so much forcing people to Chrome/chromium for specific features

I might've misread.

> but trying to increase market share through more subtle means, like paying to have their search engine featured

This isn't Chromium, the open source basis of many web browsers. Now you're talking about Google the company.

> Is Linux also a monopoly?

Monopolies in the sense worth discussing are highly popular things that are held in place by things other than competition. If anything, Google props up Chrome's competitors to reduce this.

vel0city 16 hours ago|||
So now Chrome is a "monopoly" because they're "advertising their products everywhere possible". I guess I can only ever drink Redbull, they're a monopoly, because they're advertising their products everywhere.

Seriously? That's our standard of what is a "monopoly"?

Words have no meaning anymore.

You can choose to use something different. The device you bought probably came with an alternative! Otherwise, the device next to it on the shelf on the store where you bought it likely would have had an alternative browser, because most devices on the store shelves outside of some hypothetical physical Google store don't come with Chrome.

Dylan16807 15 hours ago||
> Seriously? That's our standard of what is a "monopoly"?

No. That part of the post was answering your question about how it impacts people. Not what makes it a monopoly.

vel0city 15 hours ago||
I'm asking what features force me to use Chrome instead of Firefox or Edge or Safari. I've yet to hear an answer other than it's advertised heavily and that it's popular.
traderj0e 14 hours ago||
There's nothing forcing you to use Chrome instead of Edge, but some websites don't work with Safari or Firefox because Google has pushed nonstandard stuff. And it's weirdly not only advanced WebWhatever stuff, but also some things that affect basic features like forms. Though sometimes they have a separate mobile site that was tested in iPhone Safari.

I find the discrepancy kinda minor though. It's enough that I have Chrome installed alongside Firefox and Safari, but not enough that I use it often. It used to be worse.

vel0city 9 hours ago||
> There's nothing forcing you to use Chrome instead of Edge

This is what I mean. How is it a "monopoly" when one can easily just use something else?

The only thing people are saying is "it's a monopoly because it has high market share". But a high market share does not a monopoly make, there's more to it than just purely market share. A monopoly requires outsized market power, something that to me at least it doesn't seem like Chrome, the web browser, has.

traderj0e 9 hours ago|||
The argument others are making is that Google has a monopoly on browser engines, or that it's becoming that way. IE switched to Chromium partially to resolve compatibility issues. I don't have a strong opinion on this though.
Dylan16807 9 hours ago|||
People being able to switch relatively easily means that they're a lot more likely to lose their market power in five years. It doesn't do much to diminish their current market power, which is enormous.

High market share almost always means high market power. That's why people focus on market share since it's easy to cite.

vel0city 9 hours ago||
> they're a lot more likely to lose their market power in five years

It doesn't take users five years to install a different browser. It takes maybe two to five minutes. If they really do things to piss off their users they'll be gone far faster than that.

What kind of lock-in does a browser even really have? It's not like some kind of social network or financial setup or anything like that. The browser itself doesn't have the content. It's run an installer, have it import bookmarks and extensions, and you're using a different browser. It's not like we're back in the days of ActiveX where there were entirely proprietary extensions to the web that only Microsoft blessed browsers could run that only ran on certain OSes.

> almost always means high market power.

It doesn't when the competition is so readily available, practically interchangeable, and also zero cost.

majorchord 17 hours ago|||
Do you actually think the majority of everyone else is being just as pedantic (or cares) about Google Chrome vs chromium-based?

For most, for the purposes of market share (the type of "monopoly" I believe they are referring to), I think they count it as one and the same.

vel0city 17 hours ago||
Do most people call Microsoft Edge or Safari "Chrome"?

Are the security and privacy implications the same for Edge, Safari, and Chrome?

Seems to me like they're still quite different products despite having some similar codebases!

jmholla 16 hours ago||
Safari isn't based on Chromium.
vel0city 16 hours ago||
Ah, you're right, still WebKit based.
Dylan16807 17 hours ago||||
Why do you keep talking about who installs the app? That has nothing to do with whether something is a monopoly, which is primarily about market share.
vel0city 17 hours ago||
If a user is openly going out of their way to go and install a competitor's product despite a perfectly serviceable version coming by default, how can the one being sought out be seen as a monopoly? The competition came pre-installed!

How did the user manage to install Chrome on Windows if Chrome is a monopoly, the only serviceable browser around? They copy the source code from a magazine or something? Get a floppy disk in the mail?

Dylan16807 16 hours ago||
Whatever your definition of monopoly is, it's wrong. The threshold is not 100% market share. If that was the threshold no monopoly has ever existed.
vel0city 16 hours ago||
> Whatever your definition of monopoly is, it's wrong

Ok, so enlighten me which standard of monopoly they're so obviously breaking?

> The threshold is not 100% market share.

I never once said so

I'm not arguing it requires 100% marketshare. I'm just pointing out there are tons of workable competitors out there, in fact one has to use a functional and fully featured competitor's product to go and install Chrome on most platforms out there.

How can one claim Chrome is a monopoly when there are tons of competitors out there which work just fine, and for most users their computers came with the competitors' products?

Please, do enlighten me, how is Chrome a monopoly?

Dylan16807 15 hours ago||
> Ok, so enlighten me which standard of monopoly they're so obviously breaking?

Breaking?

They're being a monopoly by having a huge market share. A majority of browsers are directly branded chrome, and the chrome team has strong codebase control over most of the alternatives too. Especially on desktop. It's that simple.

> I'm not arguing it requires 100% marketshare. I'm just pointing out there are tons of workable competitors out there, in fact one has to use a functional and fully featured competitor's product to go and install Chrome on most platforms out there.

> How can one claim Chrome is a monopoly when there are tons of competitors out there which work just fine, and for most users their computers came with the competitors' products?

The existence of competition doesn't change whether something is a monopoly. It only disproves 100%, which is why I mentioned 100%.

The choices of users don't change whether something is a monopoly.

vel0city 15 hours ago||
> having a huge market share.

Marketshare alone isn't a defining part of if a product is a monopoly.

> majority of browsers are directly branded chrome

They're not Chrome, in many extremely important aspects.

> The choices of users don't change whether something is a monopoly

The fact users can make a choice is a huge part of the argument that Chrome isn't a monopoly. There are lots of competitors out there that can be freely chosen. So much so people have to go out of their way to install Chrome.

When AT&T was ruled a monopoly it was practically the only choice in many markets. When Standard Oil was ruled a monopoly it was practically the only choice in many markets. People can choose Edge. People can choose Safari. People can choose Firefox. All of these browsers work fine (I've yet to be told a single other major feature they're missing despite asking many times), and are not Chrome.

Lay's sells like 60% or so of the chips sold in the US. Are they a monopoly? Are you practically unable to buy any other chips at the store outside of Lays products? I guess it's not really just marketshare that makes the difference! So just pointing at them and saying they're a monopoly because they have a large marketshare is meaningless.

Dylan16807 14 hours ago||
> Marketshare alone isn't a defining part of if a product is a monopoly.

Yes it is. You're thinking of something else.

> The fact users can make a choice is a huge part of the argument that Chrome isn't a monopoly.

That argument is wrong.

It's size and market power. If users could change but don't, the monopoly company still has huge power.

> Lay's sells like 60% or so of the chips sold in the US. Are they a monopoly?

They're at least close, yeah.

vel0city 14 hours ago||
> It's size and market power

Finally one states something other than it's a monopoly because it has market share or because it's advertised heavily. It's a monopoly because it allegedly has market power. But does it, really?

> If users could change but don't, the monopoly company still has huge power.

Is it that it has power or just that it's currently popular?

I once again ask, what features actually force me to use Chrome over the other products on the market? If there are none, how does it actually have "market power"? What truly makes me use Chrome over the others? The fact it's highly advertised?

Market power is usually defined as "a firm's ability to profitably raise prices above the competitive level (marginal cost) without losing significant sales to competitors." Clearly we're not talking about prices here, practically all the prices are free here. So we're talking other kinds of featuresets. What is this market power, other than users like it? I've asked many times, and yet everyone has refused to answer this core, critical part of the claim.

If people can make a choice for a competitor's product that's priced the exact same and has essentially the same feature set, how does Chrome have "market power"?

I pointed out WebUSB. For a bit pretty much only Chrome supported it. Is that really market power that's pushing everyone to use Chrome? What other things are actually giving it that immense market power you claim?

Dylan16807 14 hours ago||
> I've asked many times, and yet everyone has refused to answer this core, critical part of the claim.

It's a core, critical part of a monopoly abuse claim, not a monopoly claim. I don't want to get in that argument.

They don't have some weird ultra low market power for their size. They're a monopoly.

vel0city 9 hours ago|||
You have stated a monopoly is:

> It's size and market power.

We both agree on the size. It's the most popular browser for sure. And I agree, a monopoly generally has to be quite large and it doesn't need to be 100%.

When I ask you for evidence of the market power side of the monopoly claim, you just throw up your hands and say "I don't want to get in that argument", make some claim about the self-evidence of their market power, and then just assert they're a monopoly.

I'm just asking someone to actually point out how Chrome, the web browser, has outsized market power. Not just restate they have high usage numbers, but actual instances showcasing their market power. Real studies about how sticky Chrome actually is. Anything like that. But nobody here will actually point to anything other than hand waving about how much it's marketed and what not.

wil421 18 hours ago||||
I’m constantly badgered by google apps on my iPhone to use Chrome. In fact I’m not able to just click a link and open my default browser, I have to see the big chrome logo and a smaller link to choose my default browser.
vel0city 17 hours ago||
> by google apps on my iPhone

Ever thought about just not using those apps if you want to avoid the Google ecosystem? Too bad there's just absolutely no mapping application available on iPhone but Google Maps. Too bad there's no way to send an email on an iPhone outside of Gmail.

What's that? A user has to once again go out of their way to install those apps as well? Well isn't that strange. I thought Google was a monopoly on iPhones.

dns_snek 15 hours ago||||
What's the point of this pedantry? Replace "monopoly" with "dominant market player" and their point still stands. A company doesn't need to be a literal monopoly to engage in anti-competitive behavior. The EU would call this "abuse of dominance". [1]

>> Google holds absolute authority on how websites are rendered and if websites can be found.

This is still 100% correct. Google owns the dominant browser and the dominant search engine, this means that they get to dictate how websites function and pick winners and losers through their search algorithm. If you're a publisher (i.e. anyone who hosts a website) you're forced to fall in line or go out of business.

[1] https://competition-policy.ec.europa.eu/system/files/2021-05...

vel0city 14 hours ago||
> If you're a publisher (i.e. anyone who hosts a website) you're forced to fall in line or go out of business.

What features of Chrome are website publishers forced to fall in line with or go out of business that practically other browser makers aren't also pushing?

traderj0e 18 hours ago||||
and even the iPhone Chrome doesn't use the Chromium engine, it's Safari under the hood
ranger_danger 17 hours ago|||
> Windows computers

Ship with a chromium fork called Edge

vel0city 16 hours ago||
Edge isn't Chrome though, is it? Like, it's not shipped by Google, it doesn't bug you to log in with a Google account, doesn't ship metrics back to Google, right?

Not quite the same thing now is it?

traderj0e 15 hours ago||
The usual complaint is that Chromium dominates as an engine. I don't fully understand the complaint because anyone can fork it, but maybe they're (rightfully) concerned nobody will fork it because Google controls the web standards, or they're concerned Chrome could stop using the open version of the engine.
newphone733 18 hours ago|||
They lost their search monopoly when LLMs came.
imglorp 17 hours ago||
Lost? No, they shoveled search into the furnace day after day as they prioritized sewage like paid results, link farms, and blog spam while burying the actual result far below, if returned at all. LLM showed up and gave you the direct answer you wanted in <1s; you don't even have to read the shitty troll result page.
xenophonf 19 hours ago|||
I'm amused at how thoroughly Google adopted Microsoft's playbook. Chrome supplanted Internet Explorer by embracing the open web. But then Google immediately started on extensions, and now they're trying to extinguish the open web with nonsense like Cloud Fraud Defense. All very smoothly done. I mean, people are actually _asking_ for this junk. I'm impressed.
olyjohn 18 hours ago|||
No they didn't. Firefox unseated Internet Explorer. Chrome then got big by putting its installer right on the Google homepage and harassing users to install it. And they had it bundled with other software, and would install as a user so that locked down computers could still run it. They absolutely did not win by embracing open standards.
traderj0e 18 hours ago|||
Chrome has gone off doing their own standards to some extent, but you're forgetting what it was like when Internet Explorer dominated. You basically couldn't use the web without IE because they broke so many standards and implemented them in closed source. Then there was ActiveX on top, straight up Windows binaries in web. And besides there being a dominant engine, only one browser could use that engine. Trading that for Chrome dominance was at least a step up.

I use Firefox right now. Occasionally I need to open a site in Chrome instead, but it's rare.

ndriscoll 18 hours ago||
Chrome didn't solve that though. Quoth Wikipedia:

> Firefox usage share grew to a peak of 32.21% in November 2009, with Firefox 3.5 overtaking Internet Explorer 7, although not all versions of Internet Explorer as a whole;

Firefox was the browser that embraced open standards and was unseating IE. And ActiveX was used for corporate stuff, not general web sites, so the main reason it died was that Microsoft gave up.

traderj0e 18 hours ago||
Eh, it was brief and never majority. Chrome was the first to truly usurp IE.
vel0city 18 hours ago||||
Chrome and v8 was just stupidly faster than any other browser and JS stack at the time when I first adopted it. It was a lot buggier in many other ways and many sites just didn't work quite right at the time, but the tradeoff on performance in the early days was very much worth it.
ocdtrekkie 18 hours ago||||
People forget that Sundar Pichai's entire claim to success at Google was injecting the Google Toolbar into the Adobe Reader installer which would hijack your search and browsing data on IE, and the launch of Chrome, which was then also injected into the Adobe Reader installer, occurred because Google was concerned IE might block or limit their toolbar.

People absolutely did like Google at the time, but the majority of its growth is actually shoveling hijackers into other software installs just like BonziBuddy.

lotsofpulp 18 hours ago||
I recommended everyone to use Chrome simply because Microsoft couldn't be bothered to provide built in PDF viewing and creation.

There was a good, long period where Microsoft just decided to let the market run amok with malware for critical software, instead of providing something like Preview on macOS. As a result, the safest option for most lay people was to use Chrome, where they could quickly and easily view, and most important, save pdfs of websites, receipts, etc.

Then, once MacBook Airs were solidified + iPhone, I started recommending people use macOS simply because Preview could edit PDFs and easily allow signing them.

I haven't used Windows in a very long time, so I assume it's still the same situation.

traderj0e 18 hours ago||
Yeah I remember when Windows lacked every basic utility that Mac OS had. The most common malware was PDF readers, because a very common search was "how to open pdf." Same with zip.
lotsofpulp 18 hours ago||||
I recall Chrome being a superior browser in the early days, prompting many to switch and evangelizing it.
traderj0e 18 hours ago||
It was the first to do a separate process per tab, which had security and stability benefits. But it also used like 2x the RAM from the start.
homebrewer 18 hours ago|||
Lots of supposedly technically advanced users switched to Chrome en masse and promoted it on every occasion they could, because it was so much faster, simpler, safer, etc etc. Don't excuse useful idiots from their share of the blame. People warned about dangers of Chrome's growing domination for about as long as I can remember, back to at least 2012, only to be dismissed as paranoid.
narrator 17 hours ago|||
If I may tie this into other things going on, the California wealth tax as written would force Larry and Sergey, if they didn't move out of California, to basically sell almost their entire stake in Google, and it would probably wind up owned by State Street and Vanguard who outsource their proxy votes to ESG consultants, who will probably vote for more surveillance.
doctorpangloss 17 hours ago||
what alternative to WEI do you propose? it solves a bajillion Internet-existential problems. it is definitely a crisis. the bot problem is at least as serious as facebook, gmail serving without https.

the fact that this kind of comment gets downvoted proves my point. so what if you personally don't like WEI? it doesn't mean the problems aren't real...

that aside, i don't know how people say stuff like "malicious force" and then you go and use a bajillion Google-authored, completely free as in beer and often free as in freedom technologies that nobody obligates you to use at all. It's not like Apple, where their software is so shitty (Messages, Apple Photos, etc.) that the only reason people use it is because it is locked down and forced upon you. it's interesting to me that @dang worries about the tenor of conversation changing - he longs for that 2009 world of university-level math people hanging out and writing comments about LISP or whatever - when the real deficit is not intelligence about math but, at the very least, seeing that things are nuanced, to see more sides to a problem besides the most emotionally powerful and the most mathematically neutral ones.

idle_zealot 17 hours ago|||
Bombing every AI data center on Earth would also solve the Internet-existential problems we're facing. But that solution is beyond the pale of course, instead it's incumbent on me to prove to you that panopticon surveillance of every living human being from now until the Sun consumes us is not a reasonable solution to "bots use the Internet".
traderj0e 15 hours ago||
Ok so what's your solution to the bot problem? I don't have one, unless you count the option of websites not being free-as-in-beer anymore.
idle_zealot 14 hours ago||
First, I would sooner support the criminalization of misrepresentation of web traffic as human when it is actually a bot than I would allow companies to de-facto require bio-authentication on approved hardware+software stacks to participate in online life. Let the courts sort it out from there. Second, it's not my problem if some website's business model doesn't work anymore, and I resent them trying to make it my problem. If a website is offering a vital service then it is access to that service that needs to be preserved, not whatever company happens to be offering it, especially not if the cost of keeping them solvent is giving up entirely on privacy rights.
traderj0e 15 hours ago|||
People use iMessage because it has worked for a long time, during which all the leading alternatives were terrible. Maybe they still are cause I'm still not convinced that RCS even works reliably, seeing how Android users go on WhatsApp instead.
gruez 18 hours ago||
As much as I hate whatever google's doing, this article has some issues:

>For operations that need Play Integrity attestation specifically, a compliant Android device costs approximately $30 at current market prices

This assumes the logic on google's side is something like `if(attestationResult == "success") allow()`, but it's not hard to imagine the device type being factored into some sort of fraud score. For instance, expensive devices might have a lower fraud score than cheaper devices, to deter buying a bunch of cheap devices. They might also analyze the device mix for a given site, so if thousands of Chinese phones suddenly start signing up for Anne's Muffin Shop, those will get a higher fraud score.

>Firefox for Android does not appear in Google’s stated browser support list for Fraud Defense.

The browser only needs to show a QR code, so if you're on firefox mobile they'll either open a deeplink to google play services on the phone itself, or show a qr code.

>One human solving a single challenge pays a negligible cost. A bot farm running concurrent sessions faces exponential compute costs with each additional attempt - and AI agents, which consume GPU cycles to operate, face identical penalties regardless of how sophisticated their reasoning is.

PoW for bot protection basically never caught on because javascript performance is poor, and human time is worth more than a computer's time. An attacker doesn't care if some server has to wait 10s to solve a PoW challenge, but a human would. An 8-core server costs 10 cents per hour on hetzner. Even if you assume everyone has an 8-core desktop-class CPU at their disposal (ie. no mobile devices), a 6 minute challenge would cost an attacker a penny. On the other hand how much do you think the average person values 6 minutes of their time?
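
The cost argument in the comment above, worked as an added example (not part of the thread or the linked article): a hashcash-style SHA-256 proof of work with a verifier, plus the arithmetic that turns a solve time into attacker dollars and visitor wait time. The SHA-256 scheme and the hash rates are assumptions made for illustration; only the 10 cents per hour and 6 minute figures come from the comment.

```python
import hashlib
import math


def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the start of a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def _digest(challenge: bytes, nonce: int) -> bytes:
    # Assumed construction: SHA-256 over challenge || 8-byte big-endian nonce.
    return hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()


def solve(challenge: bytes, difficulty_bits: int) -> int:
    """Client side: brute-force the smallest nonce meeting the difficulty."""
    nonce = 0
    while leading_zero_bits(_digest(challenge, nonce)) < difficulty_bits:
        nonce += 1
    return nonce


def verify(challenge: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Server side: one hash, regardless of how long the client worked."""
    if not 0 <= nonce < 2 ** 64:
        return False
    return leading_zero_bits(_digest(challenge, nonce)) >= difficulty_bits


def attacker_cost_usd(solve_seconds: float, server_usd_per_hour: float) -> float:
    """What one solved challenge costs on rented hardware."""
    return solve_seconds / 3600 * server_usd_per_hour


def difficulty_bits_for(solve_seconds: float, hashes_per_second: float) -> float:
    """Difficulty whose expected work (2**bits hashes) takes solve_seconds."""
    return math.log2(solve_seconds * hashes_per_second)


def device_wait_seconds(server_seconds: float, server_rate: float,
                        device_rate: float) -> float:
    """Wait on a visitor's device for work sized against the server's rate."""
    return server_seconds * server_rate / device_rate


if __name__ == "__main__":
    challenge = b"constructed-challenge"      # constructed sample input
    nonce = solve(challenge, 16)
    print("nonce", nonce, "valid", verify(challenge, nonce, 16))

    SERVER_USD_PER_HOUR = 0.10                # figure quoted in the comment
    SERVER_RATE = 8_000_000                   # hashes/s, constructed assumption
    PHONE_RATE = 800_000                      # hashes/s, constructed assumption
    seconds = 360                             # the 6 minute challenge
    print("attacker cost per solve: $%.4f"
          % attacker_cost_usd(seconds, SERVER_USD_PER_HOUR))
    print("difficulty needed: %.1f bits"
          % difficulty_bits_for(seconds, SERVER_RATE))
    print("same challenge on the phone: %.0f minutes"
          % (device_wait_seconds(seconds, SERVER_RATE, PHONE_RATE) / 60))
```

With the constructed rates, a challenge that costs the attacker one cent keeps a visitor on a device ten times slower waiting an hour, which is the asymmetry the comment describes.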

motbus3 18 hours ago||
I strongly suggest people move away from chrome. They lost all sense of respect.

I know it is a small move, but as it happened when chrome started, this opens opportunities for other players

hbn 16 hours ago|
I really tried to switch off Chrome when they broke ad blockers, I gave it a good few months trying out alternatives but I really don't like any of the other browsers. I do primarily use Safari on my Mac, but on Windows where I don't have that option, I don't like any of the big players, and I don't really trust the smaller players. Even the "big" smaller players are not that trustworthy when it comes to security, like Arc browser's "Boosts" feature that enabled remote code execution.

So now I'm back on Chrome.

motbus3 3 hours ago|||
It is understandable but you can also use a simpler browser for common things and use chrome for banking or things like that
hansvm 15 hours ago|||
Qutebrowser is my favorite daily driver, save for a few sites I can't boycott and which need Firefox or something.
lambdaone 18 hours ago||
This is truly disturbing, and trying to sneak it in like this without public discussion is disingenuous. Hopefully it will be shot down like last time - at the very least, there are surely antitrust issues here.
phpnode 17 hours ago||
Last time they tried this they laundered it through an employee's personal github to distance it from google itself, then framed the proposal in the most disingenuous manner possible, as if it was something that users wanted rather than another mechanism for google to exercise control
nerdsniper 12 hours ago||
I agree on the antitrust issues, but I’m not convinced that’s seen as a serious barrier these days.
dgrin91 19 hours ago||
Maybe a dumb question, but how is this supposed to work for iphone users? They won't have google play, and it seems like android/google play is required here? There is no way they would cut out such a huge chunk of the market.
nerdsniper 17 hours ago||
iPhone users will have to install the "reCAPTCHA" app. https://apps.apple.com/us/app/recaptcha/id6746882749

This is detailed at https://support.google.com/recaptcha/answer/16609652

donmcronald 7 hours ago||
What's up with the reviews? It's pure spam and the 1-star review is completely hidden.
magnio 18 hours ago|||
Apple has device attestation deployed like one year before Google even proposed it: https://httptoolkit.com/blog/apple-private-access-tokens-att...
doctorpangloss 18 hours ago||
hacker news when discovering that apple deployed WEI, for ages, with beloved IT company Cloudflare, affecting hundreds of millions of users: "aww, you're sweet"

hacker news when reading that google is doing the same thing for the rest of the userbase: "hello, human resources?"

Dylan16807 16 hours ago|||
I thought that cloudflare system worked on any hardware and the tokens are anonymous. Did that change at some point? If it didn't change, then yeah it should get a very different reaction!

(Edit: it looks like the new system is still private and still interlinked with the old system that lets you use any hardware? I think?)

Also I don't know how you could have missed the widespread criticism of apple and especially cloudflare on this site.

doctorpangloss 14 hours ago||
apple has blessed cloudflare WAF with backend access to the apple ID service tokens that they manage for things like iMessage authenticity

I think it has also blessed Amazon's WAF

Cloudflare has a turnstile product that i'm sure uses this apple IDS token

Mobile Safari generally is not shown Cloudflare captchas or similar because of Apple-Cloudflare cooperation. it's not complicated.

Apple calls it a "Personal Access Token" but that makes it sound more like a DRM scheme - which it sort of is, it is managing your right to a free-as-in-beer access scheme - than a broad web integrity environment solution

michaelcampbell 15 hours ago||||
Were you attempting to give us an example of the Goombah Fallacy? Because this is a picture perfect one.
raincole 16 hours ago|||
Really. I think HN hates Cloudflare with (quite unjustified if you ask me) searing passion.
dakolli 14 hours ago||
In 2008, the Department of Homeland Security (DHS) contacted Unspam Technologies, asking, "Do you have any idea how valuable the data you have is?" The DHS' email served as the impetus for Cloudflare, a technology company Prince co-founded with Holloway and fellow Harvard Business School graduate Michelle Zatlyn the following year.

https://en.wikipedia.org/wiki/Matthew_Prince#:~:text=In%2020...

They're literally a government surveillance program larping as a private company, many such cases.

JoshTriplett 19 hours ago|||
The claim is that an iPad/iPhone will also work. Not that that makes it acceptable; if anything, it's worse, because if it were Google Play only it'd be more obvious how unacceptable it is, whereas catering to the duopoly makes it less obvious how much it excludes people and builds a reliance on proprietary systems.
nicce 18 hours ago||
One company can soon dictate who can enter the websites. And only two commercial operating systems are viable in the world after this change. Not nice.
gruez 19 hours ago||
iPhones have attestation too: https://developer.apple.com/documentation/devicecheck/establ...

It'll just be more clunky because you have to install their app.

jeroenhd 17 hours ago|||
I believe the latest versions of iOS just work from the browser, you only need to install the app for older versions of the OS.

I don't know what technology they're using, but when I scanned the QR code it launched (downloaded?) an iOS app of sorts with one tap, similar to the way Google tried Instant Apps a few years back. Didn't even need to double tap the power button like usual.

thecatapps 14 hours ago||
App Clips -- very underutilized but also very cool. https://developer.apple.com/documentation/appclip
pat2man 18 hours ago|||
They also have Private Access Tokens: https://developer.apple.com/news/?id=huqjyh7k
tadzikpk 19 hours ago||
This article is full of false assumptions.

For example:

> Bot operators point a camera at a screen, a trivial automation with off-the-shelf hardware. For operations that need Play Integrity attestation specifically, a compliant Android device costs approximately $30 at current market prices

A bot farm cannot bypass for long with a $30 phone. Do you seriously think that if Google sees the same hardware identifier 1000s of times a day they are not going to consider that usage to be fraud?

I appreciate that Google's made a real proposal to avoid the web becoming bottomless AI slop. This article hasn't come with a better alternative - I'd love to see one!

iamnothere 19 hours ago||
> Do you seriously think that if Google sees the same hardware identifier 1000s of times a day they are not going to consider that usage to be fraud?

Phones are very cheap, especially refurbished phones. Just have the phones mimic real life sleep/wake cycles and take occasional breaks. Use 25% more devices to account for the loss in uptime.

Besides, some people (often unemployed or disabled, and possibly with sleep disorders or mania) actually don’t do anything other than scroll on their phone all day and night. So you can’t rely on this as a good signal without creating even more blowback. And you really don’t want too much blowback from troubled people who have infinite free time.

varenc 11 hours ago||
This still doesn't seem very economical for the bot farm. For a device to look legit it has to only use its hardware identifier about as often as a real human would. This massively changes the economics. If you have 1 bot farm customer that wants 20,000 solves in a day, the bot farm would need something like 20000/200=100 phones to provide this. (assuming a real user can do about 200 solves before being flagged).

And the cost for the bot farm being detected is very high because if a phone's root key loses trust it destroys the value of the ~$30 phone they purchased. And of course, I'm sure Google can use the phone's value as another signal for trustworthiness, treating cheaper phones many generations behind as less trusted.

I don't think bot farms will go away completely, but the price will spike massively, which is all you need to discourage many types of abuse. Some Googling shows that reCAPTCHA solves are about $0.003 each right now, so quite cheap. With this new reCAPTCHA, I suspect the price will jump massively.

jsnell 18 hours ago|||
It is particularly funny because this is content marketing for a computational proof of work "captcha". Those are pure snake oil, with economics that are probably at least four orders of magnitude more favorable to the abusers than this attestation would be.
Velocifyer 18 hours ago|||
I'm pretty sure that the AI copied the $30 number from my Hacker News comments. However, in the USA it is true. https://www.walmart.com/ip/Straight-Talk-Motorola-Moto-g-202... (carrier locks don't matter for this use case.) I am not sure that storing unique device identifiers is legal in the EU.
ribtoks 17 hours ago||
I remembered $30 from some comment I read, but didn't look for it later. If it was yours, thank you! (def. thank you for the Walmart link! - would you like a credit in the blogpost like a quote?)
Velocifyer 17 hours ago||
>would you like a credit in the blogpost like a quote?

Yes.

meowspace 16 hours ago|||
inb4 someone productionizes this (the dependency of cloud phones exists & captcha solvers proved demand) && makes it a cloud service && we are back to square one.
realusername 16 hours ago||
> A bot farm cannot bypass for long with a $30 phone.

That's exactly what they are doing already, and it's not 30$/device but something like <5$/device. Remember they can buy the worst of the worst of the used market.

Betting on device attestation is really betting that smartphones will become less ubiquitous and more expensive to own. Sounds like it's not going to happen to me.

janalsncm 16 hours ago|
I think I understand why Google wants to do this, and I think I understand why people are opposed to this particular solution.

It’s also worth noting that the author of this article is selling a proof of work solution to the problem.

I am fairly skeptical that proof of work is the right way to go here. A lot of users of the web are using older hardware. Adding a computational toll booth doesn't solve the problem in a world where people have differing amounts of compute to spend.

On the other hand, a botnet might have access to thousands of computers and may not actually care about waiting an extra 10 seconds. Or worse, they will come up with a custom solution on an ASIC that solves your proof of work puzzle thousands of times faster than grandma‘s laptop.
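
The asymmetry described in the comment above, worked through as an added example that is not part of the thread or of any vendor's code: a hashcash-style SHA-256 puzzle where verification costs one hash, with difficulty sized so the slowest legitimate client stays within a 10-second wait. The hash rates, the challenge string and all function names are assumptions chosen for illustration.

```python
from __future__ import annotations
import hashlib
from itertools import count

def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def verify(challenge: bytes, nonce: int, bits: int) -> bool:
    """Server side: a single hash, whatever the difficulty."""
    digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= bits

def solve(challenge: bytes, bits: int) -> tuple[int, int]:
    """Client side: brute-force search; returns (nonce, hashes_tried)."""
    for nonce in count():
        if verify(challenge, nonce, bits):
            return nonce, nonce + 1

def expected_seconds(bits: int, hashes_per_second: float) -> float:
    """Mean solve time: 2**bits expected hashes at the given rate."""
    return (2 ** bits) / hashes_per_second

def max_bits_for_budget(hashes_per_second: float, budget_s: float) -> int:
    """Highest difficulty whose mean solve time fits the wait budget."""
    bits = 0
    while expected_seconds(bits + 1, hashes_per_second) <= budget_s:
        bits += 1
    return bits

# Assumed, illustrative hash rates (constructed, not measurements).
ASSUMED_RATES = {
    "old laptop, in-browser": 2e5,
    "modern desktop, native": 2e7,
    "dedicated hardware": 2e11,
}

def report(budget_s: float = 10.0) -> dict[str, float]:
    """Cap difficulty by the slowest legitimate client, then price it for everyone."""
    bits = max_bits_for_budget(ASSUMED_RATES["old laptop, in-browser"], budget_s)
    return {name: expected_seconds(bits, rate) for name, rate in ASSUMED_RATES.items()}

if __name__ == "__main__":
    challenge = b"constructed-challenge"  # constructed sample input
    nonce, tried = solve(challenge, 12)
    print("nonce", nonce, "after", tried, "hashes; valid:", verify(challenge, nonce, 12))
    for name, secs in report().items():
        print(f"{name:26s} {secs:.6f} s per solve")
```

Because the difficulty ceiling is set by the slowest client the site is willing to keep, the per-solve cost for faster solvers shrinks in direct proportion to their hash rate.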
