I saw this coming from miles away. Computers are better at solving CAPTCHAs than people are and people can be bribed or convinced to join botnets so IP whitelisting doesn't work either. Now we have tons of fingerprinting and behaviour analysis but governments are cracking down on that. Plus, YouTube had a massive ad fraud problem with ads being played back in the background in embedded videos, so their detection clearly wasn't good enough.
There aren't many good ways to prove you're not a bot and there are even fewer that don't involve things like ID verification.
Their opt-in approach helps shift the blame to individual web stores for a while, so who knows if this will take off. But either way, in the long term, the open, human internet is either going away or getting locked behind proofs of attestation like this.
Apple built remote attestation into Safari years ago together with Cloudflare and Google is now going one step further, as Apple's approach doesn't work well against bots that can drive browsers rather than scripted automation tools.
Luckily, their current approach can be worked around because it's only targeting things like stores now and you can buy things from other stores. Once stores find out that click farms have hundreds of phones just tapping at remotely served content, uptake will probably be limited.
It'll be a few years before this is everywhere, but unless AI suddenly isn't widely available anymore, it's going to be inevitable.
> saw this coming from miles away. Computers are better at solving CAPTCHAs than people are
good point... it's interesting how Captcha was initially popularized as a reverse Turing test, but it's just variants of Proof of Work today.
And it seemed clever at the time for Google to leverage this for improvement of their OCR models (it was!), and makes you wonder what utility is derived from the proven "work" today.
CAPTCHAs were designed as a type of Turing Test, not a reverse Turing Test. It’s not surprising that the effectiveness of these weaker variants has collapsed, given that AI can now pass the real Turing Test.
LLM’s can still only pass limited Touring Tests. The longer the interaction the worse they do. Which of course means you can easily create an experiment they successfully pass, but just as easily you can create an experiment where they fail.
CAPTCHAs are nearly useless because of how little you need to pay humans to solve them.
A more interesting question is whether there is a Turing test that is easy for ALL humans to pass, while still being hard for LLMs.
In practice, most of the major CAPTCHA vendors already rely on non-privacy-preserving tests for those needing more accessible solutions than a visual puzzle.
Google's audio captcha (only available in a few languages and unusable for those who also have hearing issues) only works for a narrow band of users, not trusted enough to bypass the captcha entirely, but also not untrusted enough. If you fall outside of that band, you get a nice "your device has been classified as a fraud risk, please use the visual captcha" message.
hCaptcha goes even further and straight-up requires you to have an "accessibility cookie", which requires verifying your email address (and apparently your phone number in some cases) to obtain, as well as disabling some anti-tracking settings in your browser.
Oh, right, "reverse" was wrong here. I thought of "computer classifies user as computer or human" versus the inverse, while the word is about who classifies, not who's being classified.
But regardless, I imagine scammers will circumvent this to buy products, login to bank accounts, etc. of the exact users they’re targeting. The user will be presented with “Scan this QR code for $100” as the scammer is logging into their account with spoofed metadata.
> people can be bribed or convinced to join botnets so IP whitelisting doesn't work either
what does that bribe look like, as in, how much can one get? what all does that entail? is that a little box i connect to my network and forget about? does that mean if i unplug it unless another payment is received that will work out? i'm asking for a friend that's looking to avoid selling plasma to make ends meet.
> The following methods can be used to acquire residential IP addresses for a residential proxy network:
> Software development kit (SDK) partnerships: Proxy services convince mobile application developers to include their SDK in applications in exchange for payment for each person who downloads the application. Individuals download the application and accept the terms and conditions, allowing the SDKs to run in the background and route proxy traffic through users' devices.
> Virtual private network (VPNs) with hidden terms of service: Free VPN services may enroll users' devices in a residential proxy network, without obtaining their consent. The details are often hidden in the terms of service, which most users do not read prior to download, or the language is difficult for the user to understand.
> [malware and compromised IoT devices]
> Passive income schemes: Proxy services convince people to download applications on their device that promise to pay them for their internet bandwidth. People often do not realize that criminals use their internet connection to commit cyber attacks
One reddit post says bandwidth sharing passive income schemes paid them $1 to $9 per month.
I used to know some Americans who were on the poorer end of the spectrum, and apps that paid you for performing fitness activity and such weren't uncommon in that demographic. Not as much of a thing in Europe for some reason.
I believe the cheap Chinese pirate TV boxes that are somewhat popular in the US these days are also in botnets, which is likely how the vendors make them so cheap.
I'm afraid it's far less enticing. The usual offer is "To continue playing, pay $0.99 or hit AGREE to share your internet connection with Legit Services Inc."
And that's assuming they're nice enough to ask at all.
I personally think its easier to detect llm controlled browser sessions, the people deploying them are far more naive and inexperienced than traditional scrapers/crawlers.
insert You wouldn't bring a 40 Petabyte Zip Bomb to School, would you? meme
Part of the problem is also that Google wants to permit crawlers to do some things but jot others.
Their announcement is full of buzzwords about "agentic" things. Detecting LLMs is one thing, but imagine the power of being able to pick which LLM browsers are permitted and which aren't!
I think Google is being too early to the party with this. Cloudflare still has CAPTCHAs to throw at the wall. There are ways other than attestation to verify that someone is a real human, but they're getting more and more annoying to real users and harder and harder to implement on a small website.
Despite the massive implications, this is a simple system that just works for the 99% of people who use Chrome or Safari or at least have access to an Android phone or iPhone somewhere. It's quick, doesn't require installing apps or creating accounts, and it just works from both the website perspective and the user perspective.
Of course when you start thinking about people with disabilities things become problematic, but when have tech companies ever really cared about that sort of thing? Inclusiveness was fun and all for a while, but the clowns the American people elected banned that sort of thing for any company considering government contracts, and big tech licked that boot like it was made of honey.
The world becomes a lot easier if you just decide to ignore all edge cases and assume customers who disagree with you didn't matter anyway. And infuriating as it may be, for companies like Google, that business model works.
I mean depending on the cost, Google is guaranteed to lose the battle, like gaming anticheat: there are tools that do parsing of the image on screen and send input as a usb device, there is absolutely nothing to detect.
Doing that for a webpage seems way easier than s videogame
Whether it's AMP or manifest 3 or android source shenanigan or attempts to replace cookies with their FLOC nonsense or this...Google is rapidly turning into a malicious force when it comes to the open internet
I hate this trite and the managers that say "don't bring me problems, bring me solutions" nonsense. I'm not the person to be able to fix it so the solution is make the problem known so others responsible can fix it. If I could fix it, I wouldn't be telling you about the problem. If anything, I would tell you how I fixed an issue in some stand up or other of the many meetings scheduled keeping me from working.
His solution is don't. Why would you? In fact, if you don't block the script that's running on one computer, the script operator won't need to run it on a botnet.
I don't know RMS's solution to spam or DDoS which are the real problems.
Because controlling a large number of accounts can allow you to manipulate the algorithms on Web2.0 websites. For example, this one. If you don’t combat spammers the front page quickly gets filled up with garbage.
Uncompromisingly insist on only using things you have ultimate ownership and control over, even when that means dramatic and life-altering inconvenience, and where those things don't exist, build them yourself.
Unfortunately, "build it yourself" is relatively easy when it comes to software, and almost impossible when it comes to the hardware running that software. It doesn't matter if you have full ownership of a complete open-source stack if no hardware manufacturer will permit you to run unsigned arbitrary code. The lack of open hardware--chips that you could build in your garage using materials nobody could reasonably prevent you from acquiring--is the lynchpin upon which open source software will wither and die.
I know what his solution is not. It's not a mechanism that conveniently enables the fine-grained surveillance of people that just so happens to be google's business model.
Strange analogy considering that RMS got to where he is precisely by finding nails to hit much, much more than occasionally, and much, much more than most hammers.
I think it hits perfectly. He espouses that almost every vendor everywhere is doing something immoral and it will inevitably be used against you. Eventually, some of these predictions come true enough for some part of his audiences.
I don't think you've made a point about his abilities. I do think you've restated his proclivities, which reinforces the basis for the quip.
This is particularly uncharitable to someone that saw around many corners and was articulate enough to warn us about them in advance.
There's a reason there's a subreddit called "Stallman Was Right", and it's not that he was shotgun blasting opinions and landed a few of them. It's because he has a systemic understanding of the incentives our system sets up and is able to project decades into the future about how those incentives will play out.
If RMS said not to trust Google's self-proclaimed altruism and relationship with open source, yeah. I always assumed that was a backstab waiting to happen. But that only meant I used an iPhone and didn't care that it was more closed than Android, not that I got an Arch Linux phone or something. (And a Mac more importantly, but there's not really a Google counterpart to that.)
My god AMP was such an annoying thing ~4-5 years ago when I was working in a marketing-forward web dev shop.
"Google really likes when you pipe your words into their shitty UI because it saves some time for the user"
We were all like, cool so on one hand we're being given complex designs for sites to differentiate them, and on the other hand we're bowing to a megacorp who actually wants to skip the whole web design part entirely and pipe our content through their pre-defined UI.
So glad it died. Should have known it would die in a matter of a couple of years with that being the track record for Google in general.
Last time this happened we got a bunch of Google employees downplaying the impact of WEI and calling it a nothingburger, that people were being hysterical. I just checked, and everyone I saw defending it has since left the company. I'm sure another wave of Google managers, keen to appeal to the higher-ups, will be here to defend this new initiative any minute now.
It's not just Google. It's governments, corporations, all around the world, simultaneously. The noose is being tightened gradually, then all at once. And it's coming for all of us:
The threats above interlock by design or convergence:
Identity layer (1-5) creates the prerequisite for the others. Once identity is established at SIM/account/device level, the carve-outs that make surveillance politically viable become possible (powerful users get exemptions; ordinary users get watched).
Device layer (10-12, 16-19) creates the surveillance endpoint. Once content is scanned on the device before encryption, the cryptographic protections at the communications layer become irrelevant.
Communications layer (6-9) is the most-defended. Mass scanning has been defeated repeatedly. This is the layer where the resistance has the best track record.
Reporting layer (13-15) is nascent. Direct OS-to-government reporting hooks haven't been built yet at scale. The UK's December 2025 proposal is the leading edge.
Platform control (20-24) determines whether alternatives can exist. Browser diversity, app distribution diversity, and engine diversity are the structural protections. All three are narrowing.
A society with all five layers complete has the technical infrastructure for total surveillance with elite carve-outs. We are roughly 40% of the way there. Whether that infrastructure becomes a dystopia depends on political choices, not technical ones.
HN as a whole is surprisingly oblivious to the noose tightening, because many here are super against decentralized distributed things, if they involve any sort of token. You can complain all you want, but downvoting and burying the decentralized alternatives just for groupthink makes you somewhat complicit in the erosion of our privacy and liberties. Even if you might disagree with a project, all the work that goes into it might be a good reason to upvote it instead, considering that without this work, we're basically doomed.
Hell, even using cash feels like a minor form of dissent. And of course even if you leave your phone at home, your car will be scanned with ANPR wherever it goes. And if that fails, there's still your face to be tracked.
I said 16 years ago that when IPV6 was coming into use was the only reason for a 128 bit address space was so they could tie every packet on the internet back to you as a person. https://news.ycombinator.com/item?id=1464940
No, the main reason is because NAT is terrible and restoring the end to end principle is important if we want the internet to stay not separated into server networks and eyeball networks. If we want to decentralize the internet it's necessary that eyeball machines can talk with each other, not only with servers. This ability reduces the possibility of surveillance.
When IPv6 was designed it was normal for each IPv4 address to be traceable to someone's desk. Fortunately, as that changed with IPv4 so did it with IPv6, so we got IPv6 privacy extensions.
It doesn't help that your first sentence makes you sound like a conspiracy theorist riding his hobby horse. I read on despite that, but others may not.
Google was creating cartels like the "Open Handset Alliance" literally decades ago.
Via their control of Chrome and Search which are both monopolies, Google holds absolute authority on how websites are rendered and if websites can be found.
It cracks me up when people say Chrome is a monopoly, because a massive amount of computing devices do not even ship with Chrome. Windows computers, Macbooks, and iPhones require users go search out and install Chrome on their own out of their own volition, shipping with entirely functional and decent browsers out of the box that they have lots of patterns to push. Even many Android phones ship with browsers other than Chrome as a default still from what I understand.
How is Chrome, of all things, a monopoly? Have words just entirely lost all meaning and now monopoly just means "things which are popular that I dislike"?
Chrome is a monopoly by extending the internet in ways that force users into chrome. Due to market share and Google's prevalence, they have the sway to introduce things that cannot meaningfully be avoided without extreme siloing.
Outside of WebUSB I personally haven't meaningfully been impacted in any ways. Can you share which ways this is?
Note, this is separate from a "so many things are just Chromium", which I agree is an issue, but isn't the same as a "Google Chrome is a monopoly". Because in the end there are still many non-Chrome browsers which support WebUSB which do not end up with a lot of the downsides of Chrome specifically about Google harvesting your data and what not.
> You know full well what people mean when they say "Chrome"
Yeah, Chrome, the web browser made by Google that bugs you to sign in with your Google Account. Most people don't mean Microsoft Edge when you say "Chrome". Do you call Microsoft Edge "Chrome"?
Chrome is a product made by Google that is a web browser. If the argument is Chromium is too interwoven, that's a separate argument.
But even then, what does it mean that "Chromium is a monopoly"? Is Linux a monopoly as well? Why or why not?
Note you haven't actually given me any other ways one would be impacted like I asked. What are the other majorly missing features Chrome pushes that other browsers don't have that most sites require? What else am I missing by not using a non-Chromium-based browser?
As someone else said earlier, it is a monopoly by extending the internet in ways that force users into using their browser engine. Due to market share and Google's prevalence, they have the sway to introduce things that cannot meaningfully be avoided without extreme siloing.
> What are the other majorly missing features Chrome pushes that other browsers don't have that most sites require?
This is a different question, please don't move the goalposts.
> by extending the internet in ways that force users into using their browser engine
And yet after multiple times of me asking you've yet to give me a single real feature lost.
> This is a different question
Its literally the thing we're saying is the problem, how is it a different question entirely?!
You're saying the problem is they're adding features that force Chromium, but asking about which features you're talking about is just bringing up unrelated and different questions.
It's not so much forcing people to Chrome/chromium for specific features, but trying to increase market share through more subtle means, like paying to have their search engine featured, advertising their products everywhere possible (including inside other people's apps), slowing down their sites (like youtube) on other browsers, or tying in other services (along with way too much personal info) to try to keep people within their sphere of influence.
Is Linux also a monopoly? In a way sure, but I think a big difference is they're not "doing evil" as people claim Google is, and all the development/decisions are still made out in the open in a democratic way.
Former Google execs have even compared their setup to "running the New York Stock Exchange while trading on it."
At least Linux isn't trying to tell people what to do with their software.
> it is a monopoly by extending the internet in ways that force users into using their browser engine
2 messages later that seems to be contradicted?
> It's not so much forcing people to Chrome/chromium for specific features
I might've misread.
> but trying to increase market share through more subtle means, like paying to have their search engine featured
This isn't Chromium, the open source basis of many web browsers. Now you're talking about Google the company.
> Is Linux also a monopoly?
Monopolies in the sense worth discussing are highly popular things that are held in place by things other than competition. If anything, Google props up Chrome's competitors to reduce this.
So now Chrome is a "monopoly" because they're "advertising their products everywhere possible". I guess I can only ever drink Redbull, they're a monopoly, because they're advertising their products everywhere.
Seriously? That's our standard of what is a "monpoply"?
Words have no meaning anymore.
You can choose to use something different. The device you bought probably came with an alternative! Otherwise, the device next to it on the shelf on the store where you bought it likely would have had an alternative browser, because most devices on the store shelves outside of some hypothetical physical Google store don't come with Chrome.
I'm asking what features force me to use Chrome instead of Firefox or Edge or Safari. I've yet to hear an answer other than it's advertised heavily and that it's popular.
Why do you keep talking about who installs the app? That has nothing to do with whether something is a monopoly, which is primarily about market share.
If a user is openly going out of their way to go and install a competitor's product despite a perfectly serviceable version coming by default, how can the the one being sought out be seen as a monopoly? The competition came pre-installed!
How did the user manage to install Chrome on Windows if Chrome is a monopoly, the only serviceable browser around? They copy the source code from a magazine or something? Get a floppy disk in the mail?
> Whatever your definition of monopoly is, it's wrong
Ok, so enlighten me which standard of monopoly they're so obviously breaking?
> The threshold is not 100% market share.
I never once said so
I'm not arguing it requires 100% marketshare. I'm just pointing out there are tons of workable competitors out there, in fact one has to use a functional and fully featured competitors product to go and install Chrome on most platforms out there.
How can one claim Chrome is a monoply when there are tons of competitors out there which work just fine, and for most users their computers came with the competitors products?
Please, do enlighten me, how is Chrome a monopoly?
> Ok, so enlighten me which standard of monopoly they're so obviously breaking?
Breaking?
They're being a monopoly by having a huge market share. A majority of browers are directly branded chrome, and the chrome team has strong codebase control over most of the alternatives too. Especially on desktop. It's that simple.
> I'm not arguing it requires 100% marketshare. I'm just pointing out there are tons of workable competitors out there, in fact one has to use a functional and fully featured competitors product to go and install Chrome on most platforms out there.
> How can one claim Chrome is a monoply when there are tons of competitors out there which work just fine, and for most users their computers came with the competitors products?
The existence of competition doesn't change whether something is a monopoly. It only disproves 100%, which is why I mentioned 100%.
The choices of users don't change whether something is a monopoly.
Marketshare alone isn't a defining part of if a product is a monopoly.
> majority of browers are directly branded chrome
They're not Chrome, in many extremely important aspects.
> The choices of users don't change whether something is a monopoly
The fact users can make a choice is a huge part of the argument that Chrome isn't a monopoly. There are lots of competitors out there that can be freely chosen. So much so people have to go out of their way to install Chrome.
When AT&T was ruled a monopoly it was practically the only choice in many markets. When Standard Oil was ruled a monopoly it was practically the only choice in many markets. People can choose Edge. People can choose Safari. People can choose Firefox. All of these browsers work fine (I've yet to be told a single other major feature they're missing despite asking many times), and are not Chrome.
Lay's sells like 60% or so of the chips sold in the US. Are they a monopoly? Are you practically unable to buy any other chips at the store outside of Lays products? I guess it's not really just marketshare that makes the difference! So just pointing at them and saying they're a monopoly because they have a large marketshare is meaningless.
What's the point of this pedantry? Replace "monopoly" with "dominant market player" and their point still stands. A company doesn't need to be a literal monopoly to engage in anti-competitive behavior. The EU would call this "abuse of dominance". [1]
>> Google holds absolute authority on how websites are rendered and if websites can be found.
This is still 100% correct. Google owns the dominant browser and the dominant search engine, this means that they get to dictate how websites function and pick winners and losers through their search algorithm. If you're a publisher (i.e. anyone who hosts a website) you're forced to fall in line or go out of business.
I’m constantly badgered by google apps on my iPhone to use Chrome. In fact I’m not able to just click a link and open my default browser, I have to see the big chrome logo and a smaller link to choose my default browser.
Ever thought about just not using those apps if you want to avoid the Google ecosystem? Too bad there's just absolutely no mapping application available on iPhone but Google Maps. Too bad there's no way to send an email on an iPhone outside of Gmail.
What's that? A user has to once again go out of their way to install those apps as well? Well isn't that strange. I thought Google was a monopoly on iPhones.
Edge isn't Chrome though, is it? Like, its not shipped by Google, it doesn't bug you to log in with a Google account, doesn't ship metrics back to Google, right?
The usual complaint is that Chromium dominates as an engine. I don't fully understand the complaint because anyone can fork it, but maybe they're (rightfully) concerned nobody will fork it because Google controls the web standards, or they're concerned Chrome could stop using the open version of the engine.
You'd be better off mentioning Safari (17% of users vs. Chrome's 68% and Firefox's 2.2%) and Bing (10% vs Google's 85% and DDG's 1.7%). But nice to know there are two of us!
Lost? No, they shoveled search into the furnace day after day as they prioritized sewage like paid results, link farms, and blog spam while burying the actual result far below, if returned at all. LLM showed up and gave you the direct answer you wanted in <1s; you don't even have to read the shitty troll result page.
I'm amused at how thoroughly Google adopted Microsoft's playbook. Chrome supplanted Internet Explorer by embracing the open web. But then Google immediately started on extensions, and now they're trying to extinguish the open web with nonsense like Cloud Fraud Defense. All very smoothly done. I mean, people are actually _asking_ for this junk. I'm impressed.
No they didn't. Firefox unseated Internet Explorer. Chrome then got big by putting its installer right on the Google homepage and harassing users to install it. And they had it bundled with other software, and would install as a user so that locked down computers could still run it. They absolutely did not win by embracing open standards.
Chrome has gone off doing their own standards to some extent, but you're forgetting what it was like when Internet Explorer dominated. You basically couldn't use the web without IE because they broke so many standards and implemented them in closed source. Then there was ActiveX on top, straight up Windows binaries in web. And besides there being a dominant engine, only one browser could use that engine. Trading that for Chrome dominance was at least a step up.
I use Firefox right now. Occasionally I need to open a site in Chrome instead, but it's rare.
> Firefox usage share grew to a peak of 32.21% in November 2009, with Firefox 3.5 overtaking Internet Explorer 7, although not all versions of Internet Explorer as a whole;
Firefox was the browser that embraced open standards and was unseating IE. And ActiveX was used for corporate stuff, not general web sites, so the main reason it died was that Microsoft gave up.
Chrome and v8 was just stupidly faster than any other browser and JS stack at the time when I first adoped it. It was a lot buggier in many other ways and many sites just didn't work quite right at the time, but the tradeoff on performance in the early days was very much worth it.
People forget that Sundar Pichai's entire claim to success at Google was injecting the Google Toolbar into the Adobe Reader installer which would hijack your search and browsing data on IE, and the launch of Chrome, which was then also injected into the Adobe Reader installer, occurred because Google was concerned IE might block or limit their toolbar.
People absolutely did like Google at the time, but the majority of its growth is actually shoveling hijackers into other software installs just like BonzaiBuddy.
I recommended everyone to use Chrome simply because Microsoft couldn't be bothered to provide built in PDF viewing and creation.
There was a good, long period where Microsoft just decided to let the market run amok with malware for critical software, instead of providing something like Preview on macOS. As a result, the safest option for most lay people was to use Chrome, where they could quickly and easily view, and most important, save pdfs of websites, receipts, etc.
Then, once MacBook Airs were solidified + iPhone, I started recommending people use macOS simply because Preview could edit PDFs and easily allow signing them.
I haven't used Windows in a very long time, so I assume it's still the same situation.
Yeah I remember when Windows lacked every basic utility that Mac OS had. The most common malware was PDF readers, because a very common search was "how to open pdf." Same with zip.
Lots of supposedly technically advanced users switched to Chrome en masse and promoted it on every occasion they could, because it was so much faster, simpler, safer, etc etc. Don't excuse useful idiots from their share of the blame. People warned about dangers of Chrome's growing domination for about as long as I can remember, back to at least 2012, only to be dismissed as paranoid.
If I may tie this into other things going on, The California wealth tax as written would force Larry and Sergei, if they didn't move out of California, to basically sell almost their entire stake in Google, and it would probably wind up owned by State Street and Vanguard who outsource their proxy votes to ESG consultants, who will probably vote for more surveillance.
what alternative to WEI do you propose? it solves a bajillion Internet-existential problems. it is definitely a crisis. the bot problem is at least as serious as facebook, gmail serving without https.
the fact that this kind of comment gets downvoted proves my point. so what if you personally don't like WEI? it doesn't mean the problems aren't real...
that aside, i don't know how people say stuff like "malicious force" and then you go and use a bajillion Google-authored, completely free as in beer and often free as in freedom technologies that nobody obligates you to use at all. It's not like Apple, where their software is so shitty (Messages, Apple Photos, etc.) that the only reason people use it is because it is locked down and forced upon you. it's interesting to me that @dang worries about the tenor of conversation changing - he longs for that 2009 world of university-level math people hanging out and writing comments about LISP or whatever - when the real deficit is not intelligence about math but, at the very least, seeing that things are nuanced, to see more sides to a problem besides the most emotionally powerful and the most mathematically neutral ones.
People use iMessage because it has worked for a long time, during which all the leading alternatives were terrible. Maybe they still are cause I'm still not convinced that RCS even works reliably.
Bombing every AI data center on Earth would also solve the Internet-existential problems we're facing. But that solution is beyond the pale of course, instead it's incumbent on me to prove to you that panopticon surveillance of every living human being from now until the Sun consumes us is not a reasonable solution to "bots use the Internet".
From "Don't be evil" to building the largest, most invasive, surveillance operation the world has ever seen.
That was true before this, but this indicates nothing will ever be enough. Google will always want to track more of everyone's activity online, and will use every tool at their disposal to do it.
It's not Google, it's someone. A person came up with this idea and is pushing it through. We should stop treating corporations as some abstract entity instead of a group of sick people making these kinds of decisions.
Yeah, same. It is hard; we start to need a collective boycott.
We can all do our part, by using their products as little as possible, contribute to open alternatives (OpenStreetMap, Fediverse, Linux, Nextcloud...) and by stimulating our (non-techie!) friends and family.
I wouldn't hold your breath. The government is reliant on them for surveillance, censorship, and propaganda. It is a synergistic relationship, not adversarial.
It should have been the government providing an identity verification API, like they already do in the physical world with physical IDs. Governments dropped the ball, and so now Apple and Google get to be infrastructure.
Do you think identifies never need to be verified? Seems like a central function in operating an accountable society, hence birth certificates, passports, etc.
There should not be a requirement to verify identity, but if a website owner only wants to provide access to their website to people with verified identities, why is that not their right?
> Do you think identifies never need to be verified? Seems like a central function in operating an accountable society, hence birth certificates, passports, etc.
Verifying identity for specific services tied to your finances or body is a whole different topic.
> if a website owner only wants to provide access to their website to people with verified identities, why is that not their right?
I like the GDPR's general point of view that the right to privacy is more important than the right to trade privacy for access. An anonymous verification might be fine, but this system is not, and random websites needing your specific identity is not.
The US government is a feckless facade, the US is a corporation run economic zone. The nice thing about being corporate run is that the rulers are unelected and unaccountable!
We cannot vote with our wallets because there’s no real competition. That’s the problem with the big tech companies and other monopolistic companies in other areas.
Everything that gets money from ads. The network effects are too strong for competition against their ads platform and their ability to do targeted advertising based on data only they have. You can’t build a new ads platform and then use that to monetize your company’s other services, because the existing ad networks are so mature and established.
Phones. Your choice is Apple or Google.
As you said, YouTube. Again, they have users and creators in one place, so it’s hard for a new platform to compete.
There are also a lot of enterprise contracts that bundle many things together. Like cloud and their workplace apps (whatever it is now called).
But also, just their size is a problem. Look at their AI story. First off, many customers get forced into packages where they get Gemini included as part of the bundle (which means they’re paying for it automatically and have less of a reason to pay for something else). But also - Google was slow to build useful products here. Even though they are late and made many failed attempts like Bard, they can afford to take losses for years that no small company - or maybe even large companies that aren’t mega corps - can absorb. Those other competitors would go out of business and have to be careful and move slowly in spending. But Google’s capital lets them make mistake after mistake but still compete and eventually win. So it’s not a fair competition.
These days every time a government as much as thinks of imponging on a supranational corporation's right to do whatever the hell it pleases you'll hear no end of cries ranging from "overregulation" to "tyranny".
The technical challenge is actually the smaller one. The real one is to get people to care. Don't be tricked by the HN/techie bubble. Most people don't understand the problem, or don't see it as a problem because nothing smacked them in the face yet. Any attempts to explain it makes you sound like a lunatic to some, or just a bit of a worrier to others.
Whether it's targeted ads, or training AI on their data, or verifying their age and implicitly identity, or "fraud defense", most people happily take it in exchange for a convenient freebie which is why things keep escalating.
It's understandable, people are assaulted with all kinds of abuses from every direction. There are more immediate threats that they can grasp more easily so this stuff has to wait its turn.
> Most people don't understand the problem, or don't see it as a problem because nothing smacked them in the face yet.
Or don't approach the world with a fundamental mindset of having agency to (help) fix things they see as broken. Just because people see something as bad doesn't mean they inherently see a bright flashing line from that to "so I should do something about it rather than accept it".
IMO the biggest issue is that some non-tech people will occasionally be straight up hostile and will whine about not having "features", but then again it only takes a small amount of people taking action inflict real change. Also medium term we need to start making phones (smart OR dumb) that are FOSS as possible.
> Linux
Open/FreeBSD too, we need to have more redundancy.
But remember: once again, don't simply get angry at Google the institution. Get angry at Page and Brin personally. They have the power to prevent this, a power they were careful to preserve when they gave Google its IPO. They are fully responsible for Google's choices here. But, partly because they aren't constantly jumping up and down drawing attention to themselves on social media, they've tended to escape the same personal scrutiny given to eg. Elon Musk. That needs to end.
You think systems that have adblockers installed will keep being able to pass WEI / Google Cloud Fraud Defence checks?
This is an attestation scheme. Attestation is about controlling what software you are and aren't allowed to run. If a future version of this allows desktop browsers rather than just phones, it will almost certainly try to do similar forms of attestation, and prevent you from controlling your own software stack.
The problem is this type of controlling move, that will be used to benefit their company, is one among many things a company like Google can do that is unethical. They won’t stop. They are too powerful and can get away with it repeatedly. Even if this one thing is stopped, there will always be another dark pattern or another privacy violation or another anti-competitive thing.
We really need brand new legislation that makes it much easier to break up companies that are too big, and also to tax mega corporations at a much higher rate than all other companies. Then we can have fair competition and the power of choice. But the existing laws end up with no real consequence for these companies, and even if there’s some slap on the wrist, it takes years in court. New laws must make it very fast and low cost for society to take action.
I really tried to switch off Chrome when they broke ad blockers, I gave it a good few months trying out alternatives but I really don't like any of the other browsers. I do primarily use Safari on my Mac, but on Windows where I don't have that option, I don't like any of the big players, and I don't really trust the smaller players. Even the "big" smaller players are not that trustworthy when it comes to security, like Arc browser's "Boosts" feature that enabled remote code execution.
Do we know if this is immediately going to slot in wherever reCAPTCHA is currently used / is there a rollout plan? Or will site operators manually opt into the new system? Is there even a way to opt out?
I can think of many sites where, for users that trigger captchas often, introducing a multi-device workflow is even worse for those users than clicking traffic light images. An automatic rollout would be hostile to those operators!
This is truly disturbing, and trying to sneak it in like this without public discussion is disingenous. Hopefully it will be shot down like last time - at the very least, there are surely antitrust issues here.
Last time they tried this they laundered it though an employee's personal github to distance it from google itself, then framed the proposal in the most disingenuous manner possible, as if it was something that users wanted rather than another mechanism for google to exercise control
Maybe a dumb question, but how is this suppose to work for iphone users? They wont have google play, and it seems like android/google play is required here? There is no way they would cut out such a huge chunk of the market.
hacker news when discovering that apple deployed WEI, for ages, with beloved IT company Cloudflare, affecting hundreds of millions of users: "aww, you're sweet"
hacker news when reading that google is doing the same thing for the rest of the userbase: "hello, human resources?"
I thought that cloudflare system worked on any hardware and the tokens are anonymous. Did that change at some point? If it didn't change, then yeah it should get a very different reaction!
(Edit: it looks like the new system is still private and still interlinked with the old system that lets you use any hardware? I think?)
Also I don't know how you could have missed the widespread criticism of apple and especially cloudflare on this site.
The claim is that an iPad/iPhone will also work. Not that that makes it acceptable; if anything, it's worse, because if it were Google Play only it'd be more obvious how unacceptable it is, whereas catering to the duopoly makes it less obvious how much it excludes people and builds a reliance on proprietary systems.
One company can soon dictate who can enter the websites.
And only two commercial operating systems are viable in the world after this change.
Not nice.
I believe the latest versions of iOS just work from the browser, you only need to install the app for older versions of the OS.
I don't know what technology they're using, but when I scanned the QR code it launched (downloaded?) an iOS app of sorts with one tap, similar to the way Google tried Instant Apps a few years back. Didn't even need to double tap the power button like usual.
I think I understand why Google wants to do this, and I think I understand why people are opposed to this particular solution.
It’s also worth noting that the author of this article is selling a proof of work solution to the problem.
I am fairly skeptical that proof of work is the right way to go here. A lot of users of the web are using older hardware. Adding a computational toll booth doesn't solve the problem in a world where people have differing amounts of compute to spend.
On the other hand, a botnet might have access to thousands of computers and may not actually care about waiting an extra 10 seconds. Or worse, they will come up with a custom solution on an ASIC that solves your proof of work puzzle thousands of times faster than grandma‘s laptop.
What Google has done is incredibly clunky and only serves its own interests.
We already have methods to prove that we're human.
1. lots of laptops have fingerprint readers & TPM2 build-in
2. lots of folks own Yubikeys or FIDO2 keys - if these became the norm then the price would come down significantly.
Both of these methods only require a tap to authenticate to a website.
Both provide public-key authentication, and both provide some level of proof of work / require human interaction, without revealing the identity of the end-user.
Why not use or standardise these? because there's no benefit to Google of course.
Those don't prove that a human is present. A FIDO2 key can be automated by electronic relay. The only way to do this involves device attestation - locking devices down and utilizing hardcoded TPM/Secure Enclave esque chips. The best we can hope for would be an open standard for those chips so that people can use them with their own X.509 certificates that lets them choose their own CA.
I think this is the third HN link I've clicked on in a row that leads to an LLM-generated article. I'm not opposed to AI, but I'm tired of seeing it quietly substituted for human thought and expression.
1. The high number of (em) dashes is suspect, though it's unclear whether they manually replaced the em dashes or is actually human generated.
2. "One additional failure worth noting: one incident response professional in the HN thread, raised a concern that operates independently of the bot problem" feels out of place for a content marketing piece. HN isn't popular enough to be invoked as a source, and referencing it as "the HN thread" seems even weirder, as if the author prompted "write a piece about how google cloud defense sucks, here are some sources: ..."
3. This passage is also suspect because it follows the chained negation pattern, though it's n=1
>No hardware identifier is transmitted. No attestation is required. No certification layer determines who may participate.
edit:
I also noticed there are 2 other comments that are flagged/dead expressing their reasons.
Look at the number of : per paragraph. What human puts two : in a single sentence?
"One additional failure worth noting: one incident response professional in the HN thread, raised a concern that operates independently of the bot problem: …"
The ersatz Ted Talk meets LinkedInfluencer rhythm of sentences, the throat clearing fillers as connective tissue…
They can't tell. It has become a statistical thing. There will exist some percentage of them that assumes an item is AI generated. With enough people seeing something, you'll see the accusation.
The entire article is just one long stream of short, punchy, declarative sentences. The latest Claude models are notorious for writing like this.
There's also a few cookie-cutter patterns that should immediately jump out at you if you're at all familiar with AI writing, such as:
> No hardware identifier is transmitted. No attestation is required. No certification layer determines who may participate. User privacy is structurally preserved, not promised.
> Google Cloud Fraud Defense is not a reCAPTCHA update. The QR code is the visible mechanism, but device attestation is the real product.
Given all the negative comments here - what is anyone's alternate solution for AI-driven fraudulent activity?
CAPTCHAs are increasingly ineffective. Services are either going to go offline or implement some kind of system like this. PII like credit cards or SSNs aren't enough because those are regularly stolen.
So where do things go? Fewer services and infinite fraud?
It will be fewer accessible services for everyone who refuses to use this, that's for sure. In general though, service providers are not going to accept "fewer services and infinite fraud" and thus they will look into implementing this.
CAPTCHA is sort of a flawed concept in the first place. a machine to test if another agent is a machine. But I figure the future of this is give the test, but discard the answer, the truth is in how it is answered, behavioral analyses, see if their access patterns are human or machine like. A simple version of which is how fast they type, or speed items are clicked. A surveillance process that really creeps me out. I am undecided if it creeps me out more or less than fully automated agents spewing shit over the open web.
As a footnote i found googles recaptcha bitterly ironic, it was painted it in bright colors "this data assists in book scanning" or "this help our self driving cars recognize stop signs" but really designed to train models to do exactly what it's trying to prevent them from doing. and making life hell for the humans along the way. The modern single click version is doing behavioral analyses.
This doesn’t even solve the problem thanks to device farms. There’s not really a solution for this short of aiming a camera at someone’s retina 24/7 plus a fully locked down hardware path. And even that would surely be compromised given enough incentives.
People are just going to have to find a new way to monetize. Maybe more things will become paywalled, or sponsored long-term like old TV shows. Again, there’s no good way to solve this, and the “solutions” on offer just contribute to the surveillance state without solving the problem.
I don't know which activity you're referring to, but why are you trying to discriminate between humans and bots? Because bots don't pay? So demand payment.. Demand like payment per account creation, then set appropriate rate limits per account.
Are you genuinely asking? To pay your taxes, order items online, access your bank account, log into your favorite AI service, there are very often CAPTCHAs involved. Try going a month with CAPTCHAs blocked in uBlock Origin, and you will find yourself unable to do many basic things.
Not saying this is any better, but IRS partnered with id.me to enforce ID + face recognition before you can log in to view your records. We are truly doomed.
Even besides services you might need to access, as pointed out in another response (e.g., banks, shops), how are you going to check the veracity and understand the context of the information you seek without going to the (possibly hallucinated!) sources? But I guess a lot of people who are into using AI like that just don't care.
We see the fundamental forces of capitalism at work: To justify valuation, Google needs to grow. When they feel a ceiling, they broaden their search to anything legal that makes customers pay - even if it contradicts their longterm interests. This created countless attack angles for startups.
The good news: we already have a solution! Monopoly laws. In case of the internet, no company should be able to have this much power.
The bad news: US decided to weaponize big tech’s leverage over the world and does not enforce these laws anymore that fix vanilla capitalism.
>We see the fundamental forces of capitalism at work: To justify valuation, Google needs to grow.
You’re confusing markets with capitalism.
Market Socialism (the only reasonable kind) would have these same issues. If Google was owned by the workers instead of capitalists, it would still have incentive to grow. The worker owners would have the exact same incentives as current owners. The only difference would be who the owners are.
Capitalism is not actually “the final boss” that internet leftists make it out to be. Socialism is not the panacea that leftists make it out to be. Surveillance is not a “capitalist only” thing.
This API also works on the desktop. In fact, you can't use this system without a phone if your browser isn't Google enough.
We are going to see sooooo many scams out there. No wonder Google is locking down third party Android apps outside of their control, getting a user to install "device verification.apk" will become super trivial after people have clicked through these popups a couple times.
A device I have no choice in owning because modern employers assume you have sometime to install an authenticator app on. That's what it is for me. Also, sadly, it's an anchor for Signal. Otherwise I don't use the stupid thing.
A smart phone _could_ be legitimate and free and open, but in practice it's not. This is a constraint based on the reality of the market, not really based on what is strictly possible with the technology. I don't get too deep into this, but at a very high level, this is what I dislike about smartphones.
- Touchscreen user interface is objectively worse than a mouse and keyboard. Portability is the the only benefit to this interface, but this also works strongly to attack impulse control. It's always on you, just a moment away.
- Smartphones are significantly worse for privacy. In a LOT of ways. We can discuss this if you're interested.
- Many smartphone apps exist solely because a website would be less addicting and would also not be able to collect as much data as an app. ie, it's a choice that's worse for you and better for the company.
- They're significantly less open. Yes, grapheneOS and other alternatives exist, however it's not like a computer where I can just install whatever I want without asking the provider permission to unlock the device.
- I touched on this in two other bullets, but it's worth highlighting here: they're built intentionally to be addictive.
- The operating system and hardware are effectively interlocked. (yes, I know grapheneOS exists) but for any modern thing you might actually require a smartphone for (banking app, OTP app, etc) you must be using Apple or Google.
- Providers don't produce security updates well enough; Apple is "better" here, but my 10-15 year old computer can run modern Linux. People brag about 7 years of support on an iPhone. I'm under the impression that Android is better than it used to be, but in the old days any random vendor would give you about 1 year of update support and then you'd be hosed running old Android until you bought a new phone.
- Nobody cares if I own a desktop computer or not, but it's getting to the point that businesses will not work with me unless I have a modern smartphone.
I could probably go on, but I really hate these things.
> Touchscreen user interface is objectively worse than a mouse and keyboard
au contraire, touch screen is objectively better, and i dont buy laptops where the screen isnt a touch screen. cursors and mice and focus on laptop+mouse UXs is just horrible, and for keyboard only even worse.
the touch screen is much simpler, in that you touch or swipe on the thing, and it makes the motion in direct response to what you touched. the input is physically linked into the interaction, rather than some changing relative position.
Yeah I'm aware of all of this, it's just the framing that confused me. A lot of these boil down to "nobody should own or use a smart phone to do anything" which is a bit of a different and less specific pitch than "nobody should browse the web on a smart phone".
It is, just like a calculator is a small computer. It's not a personal computing device though, in the sense that the user can't develop and deploy their own software/tools on it.
No one should ever browse the web from an ESP32 either. Like seriously the dark patterns are bad enough from a desktop where you've actually got the screen real estate to see the whole page, have other sites open for comparison, have a keyboard to type your own notes, etc. Most browsing can simply wait, especially the adversarial-commercial type we're talking about here.
and it seems Google wants to support people like you!
That entire QR barcode thing is so that you can browse the web on your laptop/desktop, and _still_ rely on smart phone's attestation, no mobile browser needed.
I posted a comment on the announcement when it was posted here:
>As someone who is working in incident response and malware analysis I have to say that is one of the worst ideas I have ever seen.
A lot of companies have issues with ClickFix [1] and other social engineering campaigns and now Google wants to teach users that they should scan QR codes to proceed on a website.
>How should we realistically teach Susan from HR the difference between a real Google Captcha QR code and a malicious phishing QR code - you (realistically) can't. I wish we could - but those people don't work in tech, they will never know and I can't really blame them because at the end of the day they are just happy that they don't have to deal with tech after work.
>We have spent years of behavioural conditioning to prevent QR-code based phishing attacks (some people call it Quishing but I hate that term) and since the QR code is being scanned from a mobile device (99.99% of the time the private device), we have no EDR visibility on those devices and can't track what's happening if people scan it.
>This is more of an invitation for threat actors than it is something that holds them back.
We do need to abandon the reality where we use the same few companies on a daily basis and get back to what's now hidden the under-the-surface: forums, blogs, personal websites. We need to re-discover the "free" internet we used to have before Facebook and smartphone dystopia happened.
I think the idea is good if it could actually curb bot traffic that currently plagues the Internet.
However, a lot of recent bot traffic are sophisticated scrappers called "LLM's." You can tell claude to "research X from this www.example.com" and will automatically scrape it and summarize it, something that a LLM is perfect for. Gemini tends to share links instead, presumably because most of Google's revenue comes from ads served on those websites, so if it completely killed the traffic to those websites it would just make less money. Incidentally, I wonder if Claude/Gemini use an search engine-like "index" of all websites or it refuses to cache anything to always fetch "fresh" data.
If this is employed, I don't think the web is only going to be gatekept to Google devices. I think it will also be gatekept to Google's AI's.
Google would be able to display a captcha that no LLM could defeat, and then just let its own LLM pass through.
The same could be said about its other bots, such as the web crawler. Google's bot could crawl webpages that no other crawler would ever be able to simply because it has free pass to captcha-gated GETs. Although the same could be true already today.
Their product page is full of info about how this works with "agentic" cruft. They're still permitting your regular old scrapers and bots for as long as they like you. Hope you're not thinking of running an independent system instead of a large cloud platform!
> The defeat is mechanical. Bot operators point a camera at a screen, a trivial automation with off-the-shelf hardware. For operations that need Play Integrity attestation specifically, a compliant Android device costs approximately $30 ($29.88 in Wallmart to be precise) - for a professional bot farm, which purchases devices in bulk, this is the fixed cost without material disruption to operations.
That's $30 per account, not one time. Because of the following:
> Device attestation does not just gate access - it produces attribution. A device with a stable hardware identity creates a persistent identifier that crosses sessions, browsers, and private browsing modes.
If you put all your bot accounts on one device, they all get banned at once. So fraudsters have to spread their accounts across multiple devices and replace them when they inevitably get banned. That's the reason for all the spying, attestation, and lockdown bullshit behind Google Cloud Fraud Defense. It is far easier to ban fraudsters if you just let the Maoists run the Risk Department.
The author proposes an alternative solution: proof-of-work. And, yes, there are use cases for that, such as Anubis. Google might even want to consider a proof-of-work option in certain scenarios. But there is no scenario in which someone's phone deliberately burns $30 worth of compute - perhaps a quarter of the user's battery - and the user still has a good onboarding experience. Most of your actual users are not going to be able to burn compute as efficiently as fraudsters, either - so maybe you have to burn the whole battery on a phone to cost a fraudster $30. Proof-of-work is, strictly speaking, anti-egalitarian and anti-democratic. "One CPU, One Vote" is less useful than you think when you realize fraudsters have the money to just buy lots of CPUs to always win[0].
Every Risk Department eventually reinvents arbitrary and capricious punishment. When you have no legal authority to prosecute crime, you rely entirely upon your freedom of association and ban people with a hair trigger. It's the only thing that works. Personally, I'd rather live in the world where governments actually took fraud seriously and corporations didn't have to do this, but for right now, GCFD is at least less onerous than WEI in the sense that WEI was going to lock down all browsers. GCFD just means I have to keep a Google-approved phone around to scan a QR code every once in a while.
[0] I'm not mentioning the massive waste problem proof-of-work creates, because obviously attestation will also produce waste. Actually, if anything, the fraudsters will probably wind up dumping all their banned devices on the used market and ruin it.
The military industrial complex created the internet, and has funded many of the big players in Silicon Valley. Their goal was never an open and free internet.
For example:
> Bot operators point a camera at a screen, a trivial automation with off-the-shelf hardware. For operations that need Play Integrity attestation specifically, a compliant Android device costs approximately $30 at current market prices
A bot farm cannot bypass for long with a $30 phone. Do you seriously think that if Google sees the same hardware identifier 1000s of times a day they are not going to consider that usage to be fraud?
I appreciate that Google's made a real proposal to avoid the web becoming bottomless AI slop. This article hasn't come with a better alternative - I'd love to see one!
> Do you seriously think that if Google sees the same hardware identifier 1000s of times a day they are not going to consider that usage to be fraud?
Phones are very cheap, especially refurbished phones. Just have the phones mimic real life sleep/wake cycles and take occasional breaks. Use 25% more devices to account for the loss in uptime.
Besides, some people (often unemployed or disabled, and possibly with sleep disorders or mania) actually don’t do anything other than scroll on their phone all day and night. So you can’t rely on this as a good signal without creating even more blowback. And you really don’t want too much blowback from troubled people who have infinite free time.
It is particularly funny because this is content marketing for a computational proof of work "captcha". Those are pure snakeoil, with economics that are probably at least four orders of magnitude more favorable to the abusers than this attestation would be.
I'm pretty sure that the Ai copied the $30 number from my hacker news comments. However in the USA it is true. https://www.walmart.com/ip/Straight-Talk-Motorola-Moto-g-202... (carrier locks don't matter for this usecase.)
I am not sure that that storing unique device identifiers is legal in the EU.
I remembered $30 from some comment I read, but didn't look for it later. If it was yours, thank you! (def. thank you for the Wallmart link! - would you like a credit in the blogpost like a quote?
inb4 someone productionizes this (the dependency of cloud phones exists & captcha solvers proved demand) && makes it a cloud service && we are back to square one.
> A bot farm cannot bypass for long with a $30 phone.
That's exactly what they are doing already, and it's not 30$/device but something like <5$/device. Remember they can buy the worst of the worst of the used market.
Betting on device attestation is really betting that smartphones will become less ubiquitous and more expensive to own. Sounds like it's not going to happen to me.
Water use and mass displacement of labor get all the attention but there are so many other more subtle reasons like this that AI is going to be bad for society.
I disagree that this kind of scheme is inevitable. We can "evit" it through thoughtful discussion, foresight, alternative mitigations, and even regulation. Certainly, Google can choose to avoid it. On the other hand, the AI bubble will inevitably burst, since compute is not free. I look forward to post-bubble AI.
> We can "evit" it through thoughtful discussion, foresight, alternative mitigations, and even regulation
Such as? I don't see how regulation would apply here without concrete technical solutions that enforce it. So what alternative mitigations do you have in mind?
Among many other things: Regulate the use of AI to imitate or impersonate human activity. Regulate AI crawling/scraping. Ban scraping entirely, and all models based on it. Regulate maximum model size.
These wouldn't eliminate the problem, but they'd change it from "many people do this" to "this is always a malicious attack, react accordingly".
as for the rest of it: my brother in Christ, may I remind you that America is not the only country in the world, that it does not own the Internet, and that its laws do not apply anywhere else? passing heckin' wholesome laws in one country will make no difference whatsoever when people and companies from 194 other countries can access the Internet and do things you don't like, just like you can be a LGBT on the Internet despite it being very illegal in Chechnya.
None of those would work without enforcement. Scams are banned, but that doesn't stop Chinese mafia from operating prison camps that run scams scamming people all around the world.
Sure they are. They affect the actions of many companies that today think what they're doing is okay (or at least not illegal). Don't underestimate the value of substantially reducing a harm, even if it isn't eliminated entirely. And don't underestimate the value of making it easier to address the remainder by ensuring it's 100% illegitimate.
Regulate it today, and tomorrow, corporate legal departments will be very carefully training their employees to understand that it's illegal and they should never do it.
Currently, some countries have laws saying that you're not allowed to pay bribes, including foreign bribes. Consider how widespread that practice was when it was outlawed. Imagine if, instead of regulating it, those countries had said "oh, that's not enforceable and too many people are already doing it and it would affect existing business practices...". Instead, today, corporate legal departments will ensure that employees are trained to know they can never do that and they should report any attempts to solicit bribes.
As much as I hate whatever google's doing, this article has some issues:
>For operations that need Play Integrity attestation specifically, a compliant Android device costs approximately $30 at current market prices
This assumes the logic on google's side is something like `if(attestationResult == "success") allow()`, but it's not hard to imagine the device type being factored into some sort of fraud score. For instance, expensive devices might have a lower fraud score than cheaper devices, to deter buying a bunch of cheap devices. They might also analyze the device mix for a given site, so if thousands of Chinese phones suddenly start signing up for Anne's Muffin Shop, those will get a higher fraud score.
>Firefox for Android does not appear in Google’s stated browser support list for Fraud Defense.
The browser only needs to show a QR code, so if you're on firefox mobile they'll either open a deeplink to google play services on the phone itself, or show a qr code.
>One human solving a single challenge pays a negligible cost. A bot farm running concurrent sessions faces exponential compute costs with each additional attempt - and AI agents, which consume GPU cycles to operate, face identical penalties regardless of how sophisticated their reasoning is.
PoW for bot protection basically never caught on because javascript performance is poor, and human time is worth more than a computer's time. An attacker doesn't care if some server has to wait 10s to solve a PoW challenge, but a human would. An 8-core server costs 10 cents per hour on hetzner. Even if you assume everyone has a 8-core desktop-class CPU at their disposal (ie. no mobile devices), a 6 minute challenge would cost an attacker a penny. On the other hand how much do you think the average person values 6 minutes of their time?
This seems to be an advertisement for Private Captcha. I don't know a lot about the service, but it seems inherently ablest. Does proof of work, support blind users? Does it is support special needs users with cognitive impairments? The QR code and photo support a wide variety of users. What not support a variety of methods. Why does it need to be one or the other?
I saw this coming from miles away. Computers are better at solving CAPTCHAs than people are and people can be bribed or convinced to join botnets so IP whitelisting doesn't work either. Now we have tons of fingerprinting and behaviour analysis but governments are cracking down on that. Plus, YouTube had a massive ad fraud problem with ads being played back in the background in embedded videos, so their detection clearly wasn't good enough.
There aren't many good ways to prove you're not a bot and there are even fewer that don't involve things like ID verification.
Their opt-in approach helps shift the blame to individual web stores for a while, so who knows if this will take off. But either way, in the long term, the open, human internet is either going away or getting locked behind proofs of attestation like this.
Apple built remote attestation into Safari years ago together with Cloudflare and Google is now going one step further, as Apple's approach doesn't work well against bots that can drive browsers rather than scripted automation tools.
Luckily, their current approach can be worked around because it's only targeting things like stores now and you can buy things from other stores. Once stores find out that click farms have hundreds of phones just tapping at remotely served content, uptake will probably be limited.
It'll be a few years before this is everywhere, but unless AI suddenly isn't widely available anymore, it's going to be inevitable.
> saw this coming from miles away. Computers are better at solving CAPTCHAs than people are
good point... it's interesting how Captcha was initially popularized as a reverse Turing test, but it's just variants of Proof of Work today.
And it seemed clever at the time for Google to leverage this for improvement of their OCR models (it was!), and makes you wonder what utility is derived from the proven "work" today.
CAPTCHAs were designed as a type of Turing Test, not a reverse Turing Test. It’s not surprising that the effectiveness of these weaker variants has collapsed, given that AI can now pass the real Turing Test.
LLM’s can still only pass limited Touring Tests. The longer the interaction the worse they do. Which of course means you can easily create an experiment they successfully pass, but just as easily you can create an experiment where they fail.
CAPTCHAs are nearly useless because of how little you need to pay humans to solve them.
A more interesting question is whether there is a Turing test that is easy for ALL humans to pass, while still being hard for LLMs.
In practice, most of the major CAPTCHA vendors already rely on non-privacy-preserving tests for those needing more accessible solutions than a visual puzzle.
Google's audio captcha (only available in a few languages and unusable for those who also have hearing issues) only works for a narrow band of users, not trusted enough to bypass the captcha entirely, but also not untrusted enough. If you fall outside of that band, you get a nice "your device has been classified as a fraud risk, please use the visual captcha" message.
hCaptcha goes even further and straight-up requires you to have an "accessibility cookie", which requires verifying your email address (and apparently your phone number in some cases) to obtain, as well as disabling some anti-tracking settings in your browser.
I'm not sure if LLMs are solving most of these captchas. There are services that employ humans to solve them for pennies per captcha.
Oh, right, "reverse" was wrong here. I thought of "computer classifies user as computer or human" versus the inverse, while the word is about who classifies, not who's being classified.
(?)
I guess so
With the crosswalk, bike, motorcycle, stairs type of things, wasn't that just improving their training data?
Yes, for Waymo, AFAIK (I don't know for sure).
The OCR thing was earlier and used for Google Books, I think. Which is also is fitting for training data, or the motto "organize all knowledge".
At that time, this goal seemed really cool!
> people can be bribed or convinced to join botnets so IP whitelisting doesn't work either
Do you think this won’t also be bypassed, by bribing people to scan QR codes and spoofing location etc.?
The person who scanned to QR code is knowable. They have their IMEI encoded in the response.
Allegedly can be spoofed.
But regardless, I imagine scammers will circumvent this to buy products, login to bank accounts, etc. of the exact users they’re targeting. The user will be presented with “Scan this QR code for $100” as the scammer is logging into their account with spoofed metadata.
> people can be bribed or convinced to join botnets so IP whitelisting doesn't work either
what does that bribe look like, as in, how much can one get? what all does that entail? is that a little box i connect to my network and forget about? does that mean if i unplug it unless another payment is received that will work out? i'm asking for a friend that's looking to avoid selling plasma to make ends meet.
https://www.fbi.gov/investigate/cyber/alerts/2026/evading-re...
> The following methods can be used to acquire residential IP addresses for a residential proxy network:
> Software development kit (SDK) partnerships: Proxy services convince mobile application developers to include their SDK in applications in exchange for payment for each person who downloads the application. Individuals download the application and accept the terms and conditions, allowing the SDKs to run in the background and route proxy traffic through users' devices.
> Virtual private network (VPNs) with hidden terms of service: Free VPN services may enroll users' devices in a residential proxy network, without obtaining their consent. The details are often hidden in the terms of service, which most users do not read prior to download, or the language is difficult for the user to understand.
> [malware and compromised IoT devices]
> Passive income schemes: Proxy services convince people to download applications on their device that promise to pay them for their internet bandwidth. People often do not realize that criminals use their internet connection to commit cyber attacks
One reddit post says bandwidth sharing passive income schemes paid them $1 to $9 per month.
I used to know some Americans who were on the poorer end of the spectrum, and apps that paid you for performing fitness activity and such weren't uncommon in that demographic. Not as much of a thing in Europe for some reason.
I believe the cheap Chinese pirate TV boxes that are somewhat popular in the US these days are also in botnets, which is likely how the vendors make them so cheap.
I'm afraid it's far less enticing. The usual offer is "To continue playing, pay $0.99 or hit AGREE to share your internet connection with Legit Services Inc."
And that's assuming they're nice enough to ask at all.
I'm pretty sure it's one of the revenue models for those free tv/movie boxes. You can even see them at best buy. Absurd.
I personally think its easier to detect llm controlled browser sessions, the people deploying them are far more naive and inexperienced than traditional scrapers/crawlers.
insert You wouldn't bring a 40 Petabyte Zip Bomb to School, would you? meme
Part of the problem is also that Google wants to permit crawlers to do some things but jot others.
Their announcement is full of buzzwords about "agentic" things. Detecting LLMs is one thing, but imagine the power of being able to pick which LLM browsers are permitted and which aren't!
I think Google is being too early to the party with this. Cloudflare still has CAPTCHAs to throw at the wall. There are ways other than attestation to verify that someone is a real human, but they're getting more and more annoying to real users and harder and harder to implement on a small website.
Despite the massive implications, this is a simple system that just works for the 99% of people who use Chrome or Safari or at least have access to an Android phone or iPhone somewhere. It's quick, doesn't require installing apps or creating accounts, and it just works from both the website perspective and the user perspective.
Of course when you start thinking about people with disabilities things become problematic, but when have tech companies ever really cared about that sort of thing? Inclusiveness was fun and all for a while, but the clowns the American people elected banned that sort of thing for any company considering government contracts, and big tech licked that boot like it was made of honey.
The world becomes a lot easier if you just decide to ignore all edge cases and assume customers who disagree with you didn't matter anyway. And infuriating as it may be, for companies like Google, that business model works.
I mean depending on the cost, Google is guaranteed to lose the battle, like gaming anticheat: there are tools that do parsing of the image on screen and send input as a usb device, there is absolutely nothing to detect.
Doing that for a webpage seems way easier than s videogame
Whether it's AMP or manifest 3 or android source shenanigan or attempts to replace cookies with their FLOC nonsense or this...Google is rapidly turning into a malicious force when it comes to the open internet
Turns out RMS has always been right. How surprising.
Turns out that identifying a problem doesn't help without a workable solution/alternative.
I hate this trite and the managers that say "don't bring me problems, bring me solutions" nonsense. I'm not the person to be able to fix it so the solution is make the problem known so others responsible can fix it. If I could fix it, I wouldn't be telling you about the problem. If anything, I would tell you how I fixed an issue in some stand up or other of the many meetings scheduled keeping me from working.
I am only aware of two solutions:
1) proof of identity, tying accounts to real-world things that are hard or impossible to replicate
2) proof of work, tying accounts or actions to the ability to run computations
Proof of identity in theory can solve the problem but at the cost of privacy.
Proof of work can be defeated but has the possibility of preserving privacy.
The whole "don't point out a problem unless you have a solution" trope is bullshit.
nonsense on all levels.
RMS has offered broadly solutions/alternatives since the beginning, along with reporting early on trends that other people ignore.
What is his solution to combatting botnets at scale?
His solution is don't. Why would you? In fact, if you don't block the script that's running on one computer, the script operator won't need to run it on a botnet.
I don't know RMS's solution to spam or DDoS which are the real problems.
> Why would you?
Because controlling a large number of accounts can allow you to manipulate the algorithms on Web2.0 websites. For example, this one. If you don’t combat spammers the front page quickly gets filled up with garbage.
What is RMS’ solution to this problem?
Uncompromisingly insist on only using things you have ultimate ownership and control over, even when that means dramatic and life-altering inconvenience, and where those things don't exist, build them yourself.
Unfortunately, "build it yourself" is relatively easy when it comes to software, and almost impossible when it comes to the hardware running that software. It doesn't matter if you have full ownership of a complete open-source stack if no hardware manufacturer will permit you to run unsigned arbitrary code. The lack of open hardware--chips that you could build in your garage using materials nobody could reasonably prevent you from acquiring--is the lynchpin upon which open source software will wither and die.
In Eve online you used to be able to have people (outside your contacts list) pay some cash in escrow to send you a message.
I know what his solution is not. It's not a mechanism that conveniently enables the fine-grained surveillance of people that just so happens to be google's business model.
Root mean square?
richard stallman
Indeed, occasionally hammers do find nails to hit.
Strange analogy considering that RMS got to where he is precisely by finding nails to hit much, much more than occasionally, and much, much more than most hammers.
I think it hits perfectly. He espouses that almost every vendor everywhere is doing something immoral and it will inevitably be used against you. Eventually, some of these predictions come true enough for some part of his audiences.
I don't think you've made a point about his abilities. I do think you've restated his proclivities, which reinforces the basis for the quip.
This is particularly uncharitable to someone that saw around many corners and was articulate enough to warn us about them in advance.
There's a reason there's a subreddit called "Stallman Was Right", and it's not that he was shotgun blasting opinions and landed a few of them. It's because he has a systemic understanding of the incentives our system sets up and is able to project decades into the future about how those incentives will play out.
The analogy works if you think of RMS as a nailgun.
A nailgun hitting nails? This is going nowhere..
Much as a hammer tacker hits tacks internally, so a nailgun strikes the nails within itself.
well it drives nails, we've lost the plot!
If RMS said not to trust Google's self-proclaimed altruism and relationship with open source, yeah. I always assumed that was a backstab waiting to happen. But that only meant I used an iPhone and didn't care that it was more closed than Android, not that I got an Arch Linux phone or something. (And a Mac more importantly, but there's not really a Google counterpart to that.)
> AMP
My god AMP was such an annoying thing ~4-5 years ago when I was working in a marketing-forward web dev shop.
"Google really likes when you pipe your words into their shitty UI because it saves some time for the user"
We were all like, cool so on one hand we're being given complex designs for sites to differentiate them, and on the other hand we're bowing to a megacorp who actually wants to skip the whole web design part entirely and pipe our content through their pre-defined UI.
So glad it died. Should have known it would die in a matter of a couple of years with that being the track record for Google in general.
Last time this happened we got a bunch of Google employees downplaying the impact of WEI and calling it a nothingburger, that people were being hysterical. I just checked, and everyone I saw defending it has since left the company. I'm sure another wave of Google managers, keen to appeal to the higher-ups, will be here to defend this new initiative any minute now.
This makes me curious, where did they go?
Don't you see it closing all around you?
It's not just Google. It's governments, corporations, all around the world, simultaneously. The noose is being tightened gradually, then all at once. And it's coming for all of us:
https://community.qbix.com/t/increasing-state-of-surveillanc...
The threats above interlock by design or convergence: Identity layer (1-5) creates the prerequisite for the others. Once identity is established at SIM/account/device level, the carve-outs that make surveillance politically viable become possible (powerful users get exemptions; ordinary users get watched).
Device layer (10-12, 16-19) creates the surveillance endpoint. Once content is scanned on the device before encryption, the cryptographic protections at the communications layer become irrelevant.
Communications layer (6-9) is the most-defended. Mass scanning has been defeated repeatedly. This is the layer where the resistance has the best track record.
Reporting layer (13-15) is nascent. Direct OS-to-government reporting hooks haven't been built yet at scale. The UK's December 2025 proposal is the leading edge.
Platform control (20-24) determines whether alternatives can exist. Browser diversity, app distribution diversity, and engine diversity are the structural protections. All three are narrowing.
A society with all five layers complete has the technical infrastructure for total surveillance with elite carve-outs. We are roughly 40% of the way there. Whether that infrastructure becomes a dystopia depends on political choices, not technical ones.
HN as a whole is surprisingly oblivious to the noose tightening, because many here are super against decentralized distributed things, if they involve any sort of token. You can complain all you want, but downvoting and burying the decentralized alternatives just for groupthink makes you somewhat complicit in the erosion of our privacy and liberties. Even if you might disagree with a project, all the work that goes into it might be a good reason to upvote it instead, considering that without this work, we're basically doomed.
Hell, even using cash feels like a minor form of dissent. And of course even if you leave your phone at home, your car will be scanned with ANPR wherever it goes. And if that fails, there's still your face to be tracked.
I said 16 years ago that when IPV6 was coming into use was the only reason for a 128 bit address space was so they could tie every packet on the internet back to you as a person. https://news.ycombinator.com/item?id=1464940
No, the main reason is because NAT is terrible and restoring the end to end principle is important if we want the internet to stay not separated into server networks and eyeball networks. If we want to decentralize the internet it's necessary that eyeball machines can talk with each other, not only with servers. This ability reduces the possibility of surveillance.
When IPv6 was designed it was normal for each IPv4 address to be traceable to someone's desk. Fortunately, as that changed with IPv4 so did it with IPv6, so we got IPv6 privacy extensions.
It doesn't help that your first sentence makes you sound like a conspiracy theorist riding his hobby horse. I read on despite that, but others may not.
> rapidly becoming
Always has been.
Google was creating cartels like the "Open Handset Alliance" literally decades ago.
Via their control of Chrome and Search which are both monopolies, Google holds absolute authority on how websites are rendered and if websites can be found.
It cracks me up when people say Chrome is a monopoly, because a massive amount of computing devices do not even ship with Chrome. Windows computers, Macbooks, and iPhones require users go search out and install Chrome on their own out of their own volition, shipping with entirely functional and decent browsers out of the box that they have lots of patterns to push. Even many Android phones ship with browsers other than Chrome as a default still from what I understand.
How is Chrome, of all things, a monopoly? Have words just entirely lost all meaning and now monopoly just means "things which are popular that I dislike"?
Chrome is a monopoly by extending the internet in ways that force users into chrome. Due to market share and Google's prevalence, they have the sway to introduce things that cannot meaningfully be avoided without extreme siloing.
Outside of WebUSB I personally haven't meaningfully been impacted in any ways. Can you share which ways this is?
Note, this is separate from a "so many things are just Chromium", which I agree is an issue, but isn't the same as a "Google Chrome is a monopoly". Because in the end there are still many non-Chrome browsers which support WebUSB which do not end up with a lot of the downsides of Chrome specifically about Google harvesting your data and what not.
Ah, the "this doesn't fit my very specific technicality argument"
You know full well what people mean when they say "Chrome"
> You know full well what people mean when they say "Chrome"
Yeah, Chrome, the web browser made by Google that bugs you to sign in with your Google Account. Most people don't mean Microsoft Edge when you say "Chrome". Do you call Microsoft Edge "Chrome"?
Chrome is a product made by Google that is a web browser. If the argument is Chromium is too interwoven, that's a separate argument.
But even then, what does it mean that "Chromium is a monopoly"? Is Linux a monopoly as well? Why or why not?
Note you haven't actually given me any other ways one would be impacted like I asked. What are the other majorly missing features Chrome pushes that other browsers don't have that most sites require? What else am I missing by not using a non-Chromium-based browser?
> what does it mean that "Chromium is a monopoly"
As someone else said earlier, it is a monopoly by extending the internet in ways that force users into using their browser engine. Due to market share and Google's prevalence, they have the sway to introduce things that cannot meaningfully be avoided without extreme siloing.
> What are the other majorly missing features Chrome pushes that other browsers don't have that most sites require?
This is a different question, please don't move the goalposts.
> by extending the internet in ways that force users into using their browser engine
And yet after multiple times of me asking you've yet to give me a single real feature lost.
> This is a different question
Its literally the thing we're saying is the problem, how is it a different question entirely?!
You're saying the problem is they're adding features that force Chromium, but asking about which features you're talking about is just bringing up unrelated and different questions.
It's not so much forcing people to Chrome/chromium for specific features, but trying to increase market share through more subtle means, like paying to have their search engine featured, advertising their products everywhere possible (including inside other people's apps), slowing down their sites (like youtube) on other browsers, or tying in other services (along with way too much personal info) to try to keep people within their sphere of influence.
Is Linux also a monopoly? In a way sure, but I think a big difference is they're not "doing evil" as people claim Google is, and all the development/decisions are still made out in the open in a democratic way.
Former Google execs have even compared their setup to "running the New York Stock Exchange while trading on it."
At least Linux isn't trying to tell people what to do with their software.
> it is a monopoly by extending the internet in ways that force users into using their browser engine
2 messages later that seems to be contradicted?
> It's not so much forcing people to Chrome/chromium for specific features
I might've misread.
> but trying to increase market share through more subtle means, like paying to have their search engine featured
This isn't Chromium, the open source basis of many web browsers. Now you're talking about Google the company.
> Is Linux also a monopoly?
Monopolies in the sense worth discussing are highly popular things that are held in place by things other than competition. If anything, Google props up Chrome's competitors to reduce this.
So now Chrome is a "monopoly" because they're "advertising their products everywhere possible". I guess I can only ever drink Redbull, they're a monopoly, because they're advertising their products everywhere.
Seriously? That's our standard of what is a "monpoply"?
Words have no meaning anymore.
You can choose to use something different. The device you bought probably came with an alternative! Otherwise, the device next to it on the shelf on the store where you bought it likely would have had an alternative browser, because most devices on the store shelves outside of some hypothetical physical Google store don't come with Chrome.
> Seriously? That's our standard of what is a "monpoply"?
No. That part of the post was answering your question about how it impacts people. Not what makes it a monopoly.
I'm asking what features force me to use Chrome instead of Firefox or Edge or Safari. I've yet to hear an answer other than it's advertised heavily and that it's popular.
Do you actually think the majority of everyone else is being just as pedantic (or cares) about Google Chrome vs chromium-based?
For most, for the purposes of market share (the type of "monopoly" I believe they are referring to), I think they count it as one and the same.
Do most people call Microsoft Edge or Safari "Chrome"?
Are the security and privacy implications the same for Edge, Safari, and Chrome?
Seems to me like they're still quite different products despite having some similar codebases!
Safari isn't based on Chromium.
Ah, you're right, still WebKit based.
Why do you keep talking about who installs the app? That has nothing to do with whether something is a monopoly, which is primarily about market share.
If a user is openly going out of their way to go and install a competitor's product despite a perfectly serviceable version coming by default, how can the the one being sought out be seen as a monopoly? The competition came pre-installed!
How did the user manage to install Chrome on Windows if Chrome is a monopoly, the only serviceable browser around? They copy the source code from a magazine or something? Get a floppy disk in the mail?
Whatever your definition of monopoly is, it's wrong. The threshold is not 100% market share. If that was the threshold no monopoly has ever existed.
> Whatever your definition of monopoly is, it's wrong
Ok, so enlighten me which standard of monopoly they're so obviously breaking?
> The threshold is not 100% market share.
I never once said so
I'm not arguing it requires 100% marketshare. I'm just pointing out there are tons of workable competitors out there, in fact one has to use a functional and fully featured competitors product to go and install Chrome on most platforms out there.
How can one claim Chrome is a monoply when there are tons of competitors out there which work just fine, and for most users their computers came with the competitors products?
Please, do enlighten me, how is Chrome a monopoly?
> Ok, so enlighten me which standard of monopoly they're so obviously breaking?
Breaking?
They're being a monopoly by having a huge market share. A majority of browers are directly branded chrome, and the chrome team has strong codebase control over most of the alternatives too. Especially on desktop. It's that simple.
> I'm not arguing it requires 100% marketshare. I'm just pointing out there are tons of workable competitors out there, in fact one has to use a functional and fully featured competitors product to go and install Chrome on most platforms out there.
> How can one claim Chrome is a monoply when there are tons of competitors out there which work just fine, and for most users their computers came with the competitors products?
The existence of competition doesn't change whether something is a monopoly. It only disproves 100%, which is why I mentioned 100%.
The choices of users don't change whether something is a monopoly.
> having a huge market share.
Marketshare alone isn't a defining part of if a product is a monopoly.
> majority of browers are directly branded chrome
They're not Chrome, in many extremely important aspects.
> The choices of users don't change whether something is a monopoly
The fact users can make a choice is a huge part of the argument that Chrome isn't a monopoly. There are lots of competitors out there that can be freely chosen. So much so people have to go out of their way to install Chrome.
When AT&T was ruled a monopoly it was practically the only choice in many markets. When Standard Oil was ruled a monopoly it was practically the only choice in many markets. People can choose Edge. People can choose Safari. People can choose Firefox. All of these browsers work fine (I've yet to be told a single other major feature they're missing despite asking many times), and are not Chrome.
Lay's sells like 60% or so of the chips sold in the US. Are they a monopoly? Are you practically unable to buy any other chips at the store outside of Lays products? I guess it's not really just marketshare that makes the difference! So just pointing at them and saying they're a monopoly because they have a large marketshare is meaningless.
What's the point of this pedantry? Replace "monopoly" with "dominant market player" and their point still stands. A company doesn't need to be a literal monopoly to engage in anti-competitive behavior. The EU would call this "abuse of dominance". [1]
>> Google holds absolute authority on how websites are rendered and if websites can be found.
This is still 100% correct. Google owns the dominant browser and the dominant search engine, this means that they get to dictate how websites function and pick winners and losers through their search algorithm. If you're a publisher (i.e. anyone who hosts a website) you're forced to fall in line or go out of business.
[1] https://competition-policy.ec.europa.eu/system/files/2021-05...
I’m constantly badgered by google apps on my iPhone to use Chrome. In fact I’m not able to just click a link and open my default browser, I have to see the big chrome logo and a smaller link to choose my default browser.
> by google apps on my iPhone
Ever thought about just not using those apps if you want to avoid the Google ecosystem? Too bad there's just absolutely no mapping application available on iPhone but Google Maps. Too bad there's no way to send an email on an iPhone outside of Gmail.
What's that? A user has to once again go out of their way to install those apps as well? Well isn't that strange. I thought Google was a monopoly on iPhones.
and even the iPhone Chrome doesn't use the Chromium engine, it's Safari under the hood
> Windows computers
Ship with a chromium fork called Edge
Edge isn't Chrome though, is it? Like, its not shipped by Google, it doesn't bug you to log in with a Google account, doesn't ship metrics back to Google, right?
Not quite the same thing now is it?
The usual complaint is that Chromium dominates as an engine. I don't fully understand the complaint because anyone can fork it, but maybe they're (rightfully) concerned nobody will fork it because Google controls the web standards, or they're concerned Chrome could stop using the open version of the engine.
> Chrome and Search which are both monopolies
I'm on Firefox and use DuckDuckGo.
You'd be better off mentioning Safari (17% of users vs. Chrome's 68% and Firefox's 2.2%) and Bing (10% vs Google's 85% and DDG's 1.7%). But nice to know there are two of us!
They lost their search monopoly when LLMs came.
Lost? No, they shoveled search into the furnace day after day as they prioritized sewage like paid results, link farms, and blog spam while burying the actual result far below, if returned at all. LLM showed up and gave you the direct answer you wanted in <1s; you don't even have to read the shitty troll result page.
I'm amused at how thoroughly Google adopted Microsoft's playbook. Chrome supplanted Internet Explorer by embracing the open web. But then Google immediately started on extensions, and now they're trying to extinguish the open web with nonsense like Cloud Fraud Defense. All very smoothly done. I mean, people are actually _asking_ for this junk. I'm impressed.
No they didn't. Firefox unseated Internet Explorer. Chrome then got big by putting its installer right on the Google homepage and harassing users to install it. And they had it bundled with other software, and would install as a user so that locked down computers could still run it. They absolutely did not win by embracing open standards.
Chrome has gone off doing their own standards to some extent, but you're forgetting what it was like when Internet Explorer dominated. You basically couldn't use the web without IE because they broke so many standards and implemented them in closed source. Then there was ActiveX on top, straight up Windows binaries in web. And besides there being a dominant engine, only one browser could use that engine. Trading that for Chrome dominance was at least a step up.
I use Firefox right now. Occasionally I need to open a site in Chrome instead, but it's rare.
Chrome didn't solve that though. Quoth Wikipedia:
> Firefox usage share grew to a peak of 32.21% in November 2009, with Firefox 3.5 overtaking Internet Explorer 7, although not all versions of Internet Explorer as a whole;
Firefox was the browser that embraced open standards and was unseating IE. And ActiveX was used for corporate stuff, not general web sites, so the main reason it died was that Microsoft gave up.
Eh, it was brief and never majority. Chrome was the first to truly usurp IE.
Chrome and v8 was just stupidly faster than any other browser and JS stack at the time when I first adoped it. It was a lot buggier in many other ways and many sites just didn't work quite right at the time, but the tradeoff on performance in the early days was very much worth it.
People forget that Sundar Pichai's entire claim to success at Google was injecting the Google Toolbar into the Adobe Reader installer which would hijack your search and browsing data on IE, and the launch of Chrome, which was then also injected into the Adobe Reader installer, occurred because Google was concerned IE might block or limit their toolbar.
People absolutely did like Google at the time, but the majority of its growth is actually shoveling hijackers into other software installs just like BonzaiBuddy.
I recommended everyone to use Chrome simply because Microsoft couldn't be bothered to provide built in PDF viewing and creation.
There was a good, long period where Microsoft just decided to let the market run amok with malware for critical software, instead of providing something like Preview on macOS. As a result, the safest option for most lay people was to use Chrome, where they could quickly and easily view, and most important, save pdfs of websites, receipts, etc.
Then, once MacBook Airs were solidified + iPhone, I started recommending people use macOS simply because Preview could edit PDFs and easily allow signing them.
I haven't used Windows in a very long time, so I assume it's still the same situation.
Yeah I remember when Windows lacked every basic utility that Mac OS had. The most common malware was PDF readers, because a very common search was "how to open pdf." Same with zip.
I recall Chrome being a superior browser in the early days, prompting many to switch and evangelizing it.
It was the first to do a separate process per tab, which had security and stability benefits. But it also used like 2x the RAM from the start.
Lots of supposedly technically advanced users switched to Chrome en masse and promoted it on every occasion they could, because it was so much faster, simpler, safer, etc etc. Don't excuse useful idiots from their share of the blame. People warned about dangers of Chrome's growing domination for about as long as I can remember, back to at least 2012, only to be dismissed as paranoid.
If I may tie this into other things going on, The California wealth tax as written would force Larry and Sergei, if they didn't move out of California, to basically sell almost their entire stake in Google, and it would probably wind up owned by State Street and Vanguard who outsource their proxy votes to ESG consultants, who will probably vote for more surveillance.
what alternative to WEI do you propose? it solves a bajillion Internet-existential problems. it is definitely a crisis. the bot problem is at least as serious as facebook, gmail serving without https.
the fact that this kind of comment gets downvoted proves my point. so what if you personally don't like WEI? it doesn't mean the problems aren't real...
that aside, i don't know how people say stuff like "malicious force" and then you go and use a bajillion Google-authored, completely free as in beer and often free as in freedom technologies that nobody obligates you to use at all. It's not like Apple, where their software is so shitty (Messages, Apple Photos, etc.) that the only reason people use it is because it is locked down and forced upon you. it's interesting to me that @dang worries about the tenor of conversation changing - he longs for that 2009 world of university-level math people hanging out and writing comments about LISP or whatever - when the real deficit is not intelligence about math but, at the very least, seeing that things are nuanced, to see more sides to a problem besides the most emotionally powerful and the most mathematically neutral ones.
People use iMessage because it has worked for a long time, during which all the leading alternatives were terrible. Maybe they still are cause I'm still not convinced that RCS even works reliably.
Bombing every AI data center on Earth would also solve the Internet-existential problems we're facing. But that solution is beyond the pale of course, instead it's incumbent on me to prove to you that panopticon surveillance of every living human being from now until the Sun consumes us is not a reasonable solution to "bots use the Internet".
Ok so what's your solution to the bot problem? I don't have one, unless you count the option of websites not being free-as-in-beer anymore.
From "Don't be evil" to building the largest, most invasive, surveillance operation the world has ever seen.
That was true before this, but this indicates nothing will ever be enough. Google will always want to track more of everyone's activity online, and will use every tool at their disposal to do it.
> Google
It's not Google, it's someone. A person came up with this idea and is pushing it through. We should stop treating corporations as some abstract entity instead of a group of sick people making these kinds of decisions.
Exactly my thoughts. I am unfathomably angry and I want to contribute to any effort to dismantle Google as a company.
Yeah, same. It is hard; we start to need a collective boycott.
We can all do our part, by using their products as little as possible, contribute to open alternatives (OpenStreetMap, Fediverse, Linux, Nextcloud...) and by stimulating our (non-techie!) friends and family.
But it is a lot of work :(
It should not be a "vote with your wallet" situation. It should be governments shattering that organization into appropriately sized companies.
I wouldn't hold your breath. The government is reliant on them for surveillance, censorship, and propaganda. It is a synergistic relationship, not adversarial.
It should have been the government providing an identity verification API, like they already do in the physical world with physical IDs. Governments dropped the ball, and so now Apple and Google get to be infrastructure.
"Don't worry! I'm from the government and I'm here to ~~help~~ identify you to everyone else on the planet."
That's no better, and in many ways far worse, than the corpos doing it.
Do you think identifies never need to be verified? Seems like a central function in operating an accountable society, hence birth certificates, passports, etc.
There should not be a requirement to verify identity, but if a website owner only wants to provide access to their website to people with verified identities, why is that not their right?
> Do you think identifies never need to be verified? Seems like a central function in operating an accountable society, hence birth certificates, passports, etc.
Verifying identity for specific services tied to your finances or body is a whole different topic.
> if a website owner only wants to provide access to their website to people with verified identities, why is that not their right?
I like the GDPR's general point of view that the right to privacy is more important than the right to trade privacy for access. An anonymous verification might be fine, but this system is not, and random websites needing your specific identity is not.
The US government is a feckless facade, the US is a corporation run economic zone. The nice thing about being corporate run is that the rulers are unelected and unaccountable!
We cannot vote with our wallets because there’s no real competition. That’s the problem with the big tech companies and other monopolistic companies in other areas.
In what area is there no real competition? I can think of real competition in everything Google does with the possible exception of YouTube.
Everything that gets money from ads. The network effects are too strong for competition against their ads platform and their ability to do targeted advertising based on data only they have. You can’t build a new ads platform and then use that to monetize your company’s other services, because the existing ad networks are so mature and established.
Phones. Your choice is Apple or Google.
As you said, YouTube. Again, they have users and creators in one place, so it’s hard for a new platform to compete.
There are also a lot of enterprise contracts that bundle many things together. Like cloud and their workplace apps (whatever it is now called).
But also, just their size is a problem. Look at their AI story. First off, many customers get forced into packages where they get Gemini included as part of the bundle (which means they’re paying for it automatically and have less of a reason to pay for something else). But also - Google was slow to build useful products here. Even though they are late and made many failed attempts like Bard, they can afford to take losses for years that no small company - or maybe even large companies that aren’t mega corps - can absorb. Those other competitors would go out of business and have to be careful and move slowly in spending. But Google’s capital lets them make mistake after mistake but still compete and eventually win. So it’s not a fair competition.
These days every time a government as much as thinks of imponging on a supranational corporation's right to do whatever the hell it pleases you'll hear no end of cries ranging from "overregulation" to "tyranny".
For an example, see EU's GDPR, DMA etc.
It's less work than 10 years ago. So many much more mature alternatives.
The technical challenge is actually the smaller one. The real one is to get people to care. Don't be tricked by the HN/techie bubble. Most people don't understand the problem, or don't see it as a problem because nothing smacked them in the face yet. Any attempts to explain it makes you sound like a lunatic to some, or just a bit of a worrier to others.
Whether it's targeted ads, or training AI on their data, or verifying their age and implicitly identity, or "fraud defense", most people happily take it in exchange for a convenient freebie which is why things keep escalating.
It's understandable, people are assaulted with all kinds of abuses from every direction. There are more immediate threats that they can grasp more easily so this stuff has to wait its turn.
> Most people don't understand the problem, or don't see it as a problem because nothing smacked them in the face yet.
Or don't approach the world with a fundamental mindset of having agency to (help) fix things they see as broken. Just because people see something as bad doesn't mean they inherently see a bright flashing line from that to "so I should do something about it rather than accept it".
They're trying to block your ability to boycott. https://en.wikipedia.org/wiki/Anti-BDS_laws
Those are specifically targeted to boycotts of Israel, which ties it to anti-racial discrimination law.
> Yeah, same. It is hard; we start to need a collective boycott.
Feelgood slactivism. They don't care about your boycott. They finance their own alternatives because they know what makes you shut up.
IMO the biggest issue is that some non-tech people will occasionally be straight up hostile and will whine about not having "features", but then again it only takes a small amount of people taking action inflict real change. Also medium term we need to start making phones (smart OR dumb) that are FOSS as possible. > Linux Open/FreeBSD too, we need to have more redundancy.
But remember: once again, don't simply get angry at Google the institution. Get angry at Page and Brin personally. They have the power to prevent this, a power they were careful to preserve when they gave Google its IPO. They are fully responsible for Google's choices here. But, partly because they aren't constantly jumping up and down drawing attention to themselves on social media, they've tended to escape the same personal scrutiny given to eg. Elon Musk. That needs to end.
On that topic, I would highly recommend you to switch to Kagi!
Search is still their workhorse for ad revenue. Less search, less users, in addition to users now just asking chatgpt and co, will hurt them well
Wouldn’t installing an adblocker basically hurt them as much / more as I still cost them compute but don't get them that sweet ad money?
You think systems that have adblockers installed will keep being able to pass WEI / Google Cloud Fraud Defence checks?
This is an attestation scheme. Attestation is about controlling what software you are and aren't allowed to run. If a future version of this allows desktop browsers rather than just phones, it will almost certainly try to do similar forms of attestation, and prevent you from controlling your own software stack.
The problem is this type of controlling move, that will be used to benefit their company, is one among many things a company like Google can do that is unethical. They won’t stop. They are too powerful and can get away with it repeatedly. Even if this one thing is stopped, there will always be another dark pattern or another privacy violation or another anti-competitive thing.
We really need brand new legislation that makes it much easier to break up companies that are too big, and also to tax mega corporations at a much higher rate than all other companies. Then we can have fair competition and the power of choice. But the existing laws end up with no real consequence for these companies, and even if there’s some slap on the wrist, it takes years in court. New laws must make it very fast and low cost for society to take action.
I strongly suggest people move away from chrome. They lost all sense of respect.
I know it is a small move, but as it happened when chrome started, this opens opportunities for other players
I really tried to switch off Chrome when they broke ad blockers, I gave it a good few months trying out alternatives but I really don't like any of the other browsers. I do primarily use Safari on my Mac, but on Windows where I don't have that option, I don't like any of the big players, and I don't really trust the smaller players. Even the "big" smaller players are not that trustworthy when it comes to security, like Arc browser's "Boosts" feature that enabled remote code execution.
So now I'm back on Chrome.
Qutebrowser is my favorite daily driver, save for a few sites I can't boycott and which need Firefox or something.
Do we know if this is immediately going to slot in wherever reCAPTCHA is currently used / is there a rollout plan? Or will site operators manually opt into the new system? Is there even a way to opt out?
I can think of many sites where, for users that trigger captchas often, introducing a multi-device workflow is even worse for those users than clicking traffic light images. An automatic rollout would be hostile to those operators!
This is truly disturbing, and trying to sneak it in like this without public discussion is disingenous. Hopefully it will be shot down like last time - at the very least, there are surely antitrust issues here.
Last time they tried this they laundered it though an employee's personal github to distance it from google itself, then framed the proposal in the most disingenuous manner possible, as if it was something that users wanted rather than another mechanism for google to exercise control
I do wonder how people who work on this don't see themselves as the bad guy.
They have blinders on made out of money.
Maybe a dumb question, but how is this suppose to work for iphone users? They wont have google play, and it seems like android/google play is required here? There is no way they would cut out such a huge chunk of the market.
Apple has device attestation deployed like one year before Google even proposed it: https://httptoolkit.com/blog/apple-private-access-tokens-att...
hacker news when discovering that apple deployed WEI, for ages, with beloved IT company Cloudflare, affecting hundreds of millions of users: "aww, you're sweet"
hacker news when reading that google is doing the same thing for the rest of the userbase: "hello, human resources?"
Were you attempting to give us an example of the Goombah Fallacy? Because this is a picture perfect one.
I thought that cloudflare system worked on any hardware and the tokens are anonymous. Did that change at some point? If it didn't change, then yeah it should get a very different reaction!
(Edit: it looks like the new system is still private and still interlinked with the old system that lets you use any hardware? I think?)
Also I don't know how you could have missed the widespread criticism of apple and especially cloudflare on this site.
Really. I think HN hates Cloudflare with (quite unjustified if you ask me) searing passion.
The claim is that an iPad/iPhone will also work. Not that that makes it acceptable; if anything, it's worse, because if it were Google Play only it'd be more obvious how unacceptable it is, whereas catering to the duopoly makes it less obvious how much it excludes people and builds a reliance on proprietary systems.
One company can soon dictate who can enter the websites. And only two commercial operating systems are viable in the world after this change. Not nice.
iPhones have attestation too: https://developer.apple.com/documentation/devicecheck/establ...
It'll just be more clunky because you have to install their app.
I believe the latest versions of iOS just work from the browser, you only need to install the app for older versions of the OS.
I don't know what technology they're using, but when I scanned the QR code it launched (downloaded?) an iOS app of sorts with one tap, similar to the way Google tried Instant Apps a few years back. Didn't even need to double tap the power button like usual.
They also have Private Access Tokens: https://developer.apple.com/news/?id=huqjyh7k
iPhone users will have to install the "reCAPTCHA" app. https://apps.apple.com/us/app/recaptcha/id6746882749
This is detailed at https://support.google.com/recaptcha/answer/16609652
I think I understand why Google wants to do this, and I think I understand why people are opposed to this particular solution.
It’s also worth noting that the author of this article is selling a proof of work solution to the problem.
I am fairly skeptical that proof of work is the right way to go here. A lot of users of the web are using older hardware. Adding a computational toll booth doesn't solve the problem in a world where people have differing amounts of compute to spend.
On the other hand, a botnet might have access to thousands of computers and may not actually care about waiting an extra 10 seconds. Or worse, they will come up with a custom solution on an ASIC that solves your proof of work puzzle thousands of times faster than grandma‘s laptop.
What Google has done is incredibly clunky and only serves its own interests. We already have methods to prove that we're human.
1. lots of laptops have fingerprint readers & TPM2 build-in
2. lots of folks own Yubikeys or FIDO2 keys - if these became the norm then the price would come down significantly.
Both of these methods only require a tap to authenticate to a website. Both provide public-key authentication, and both provide some level of proof of work / require human interaction, without revealing the identity of the end-user.
Why not use or standardise these? because there's no benefit to Google of course.
Those don't prove that a human is present. A FIDO2 key can be automated by electronic relay. The only way to do this involves device attestation - locking devices down and utilizing hardcoded TPM/Secure Enclave esque chips. The best we can hope for would be an open standard for those chips so that people can use them with their own X.509 certificates that lets them choose their own CA.
Real hardware doesn't mean a human is present either, unfortunately. It just means that you have to spend on real devices to bypass these defences.
neither 1 nor 2 can prove you're a human. sorry
I think this is the third HN link I've clicked on in a row that leads to an LLM-generated article. I'm not opposed to AI, but I'm tired of seeing it quietly substituted for human thought and expression.
I'm seeing this stance a lot "this is obviously AI generated"
Why? What's LLM generated? How can you tell?
To me what's obvious is that our trust system is already breaking down. Commenters accusing each other of being AIs is also another example of this.
>Why? What's LLM generated? How can you tell?
Not the guy you're responding to, but:
1. The high number of (em) dashes is suspect, though it's unclear whether they manually replaced the em dashes or is actually human generated.
2. "One additional failure worth noting: one incident response professional in the HN thread, raised a concern that operates independently of the bot problem" feels out of place for a content marketing piece. HN isn't popular enough to be invoked as a source, and referencing it as "the HN thread" seems even weirder, as if the author prompted "write a piece about how google cloud defense sucks, here are some sources: ..."
3. This passage is also suspect because it follows the chained negation pattern, though it's n=1
>No hardware identifier is transmitted. No attestation is required. No certification layer determines who may participate.
edit:
I also noticed there are 2 other comments that are flagged/dead expressing their reasons.
> actually human generated
Human written, not generated.
> HN isn't popular enough to be invoked as a source
Excuse me, what do you mean there? The author happens to read HN too.
Looks like the moderators are actively deleting comments that call out AI generated articles now. Grim. This comment will probably be deleted too.
mods hastening dead internet theory
The choppy language is the biggest trigger for me. Examples:
* "With Fraud Defense, there was no process to respond to. The product launched. The requirements page went live."
* "That is not a technical limitation waiting to be engineered around. It is the mechanism."
* "The defeat is mechanical. Bot operators point a camera at a screen, a trivial automation with off-the-shelf hardware."
I could be wrong, of course. Maybe humans are starting to write like LLM's, or maybe it's just confirmation bias on my part.
Look at the number of : per paragraph. What human puts two : in a single sentence?
"One additional failure worth noting: one incident response professional in the HN thread, raised a concern that operates independently of the bot problem: …"
The ersatz Ted Talk meets LinkedInfluencer rhythm of sentences, the throat clearing fillers as connective tissue…
Or Wikipedia: https://en.wikipedia.org/wiki/Wikipedia:Signs_of_AI_writing
"this is AI" is the new "This is shopped", but without the "I can tell by the pixels" rejoinder.
I mean sometimes they're right, but honestly in this day and age does that even matter?
They can't tell. It has become a statistical thing. There will exist some percentage of them that assumes an item is AI generated. With enough people seeing something, you'll see the accusation.
The entire article is just one long stream of short, punchy, declarative sentences. The latest Claude models are notorious for writing like this.
There's also a few cookie-cutter patterns that should immediately jump out at you if you're at all familiar with AI writing, such as:
> No hardware identifier is transmitted. No attestation is required. No certification layer determines who may participate. User privacy is structurally preserved, not promised.
> Google Cloud Fraud Defense is not a reCAPTCHA update. The QR code is the visible mechanism, but device attestation is the real product.
Given all the negative comments here - what is anyone's alternate solution for AI-driven fraudulent activity?
CAPTCHAs are increasingly ineffective. Services are either going to go offline or implement some kind of system like this. PII like credit cards or SSNs aren't enough because those are regularly stolen.
So where do things go? Fewer services and infinite fraud?
> Given all the negative comments here - what is anyone's alternate solution for AI-driven fraudulent activity?
A combination of "regulate AI" and "The optimal amount of fraud is not zero". https://www.bitsaboutmoney.com/archive/optimal-amount-of-fra...
Why do you continue to extend the benefit of the doubt to your former employer when they have shown themselves to be untrustworthy again and again?
For one, I got to see how utterly insane and off-base many of the conspiracy theories around Chrome were compared to reality.
Yes, fewer services and infinite fraud is substantially better to me than the web being controlled by Google even more than it already is.
It will be fewer accessible services for everyone who refuses to use this, that's for sure. In general though, service providers are not going to accept "fewer services and infinite fraud" and thus they will look into implementing this.
I agree in practice money will always win.
CAPTCHA is sort of a flawed concept in the first place. a machine to test if another agent is a machine. But I figure the future of this is give the test, but discard the answer, the truth is in how it is answered, behavioral analyses, see if their access patterns are human or machine like. A simple version of which is how fast they type, or speed items are clicked. A surveillance process that really creeps me out. I am undecided if it creeps me out more or less than fully automated agents spewing shit over the open web.
As a footnote i found googles recaptcha bitterly ironic, it was painted it in bright colors "this data assists in book scanning" or "this help our self driving cars recognize stop signs" but really designed to train models to do exactly what it's trying to prevent them from doing. and making life hell for the humans along the way. The modern single click version is doing behavioral analyses.
This doesn’t even solve the problem thanks to device farms. There’s not really a solution for this short of aiming a camera at someone’s retina 24/7 plus a fully locked down hardware path. And even that would surely be compromised given enough incentives.
People are just going to have to find a new way to monetize. Maybe more things will become paywalled, or sponsored long-term like old TV shows. Again, there’s no good way to solve this, and the “solutions” on offer just contribute to the surveillance state without solving the problem.
I don't know which activity you're referring to, but why are you trying to discriminate between humans and bots? Because bots don't pay? So demand payment.. Demand like payment per account creation, then set appropriate rate limits per account.
Captchas were never effective. It’s an arms race to the bottom.
For merchants who don't want geeks as customers, cool
As a web-wide captcha replacement, not cool
Why should I even care anymore? I no longer need to access random websites to find information since I can just ask the AIs.
Are you genuinely asking? To pay your taxes, order items online, access your bank account, log into your favorite AI service, there are very often CAPTCHAs involved. Try going a month with CAPTCHAs blocked in uBlock Origin, and you will find yourself unable to do many basic things.
Not saying this is any better, but IRS partnered with id.me to enforce ID + face recognition before you can log in to view your records. We are truly doomed.
Even besides services you might need to access, as pointed out in another response (e.g., banks, shops), how are you going to check the veracity and understand the context of the information you seek without going to the (possibly hallucinated!) sources? But I guess a lot of people who are into using AI like that just don't care.
Where do you think the AI gets this information?
They also need to browse the web, and are more likely to be blocked by these measures than humans
> are more likely to be blocked by these measures than humans
In other words these measures work as intended...?
Very funny that if you want to start a bot farm you also go and buy a bunch of random android devices.
We see the fundamental forces of capitalism at work: To justify valuation, Google needs to grow. When they feel a ceiling, they broaden their search to anything legal that makes customers pay - even if it contradicts their longterm interests. This created countless attack angles for startups. The good news: we already have a solution! Monopoly laws. In case of the internet, no company should be able to have this much power.
The bad news: US decided to weaponize big tech’s leverage over the world and does not enforce these laws anymore that fix vanilla capitalism.
>We see the fundamental forces of capitalism at work: To justify valuation, Google needs to grow.
You’re confusing markets with capitalism.
Market Socialism (the only reasonable kind) would have these same issues. If Google was owned by the workers instead of capitalists, it would still have incentive to grow. The worker owners would have the exact same incentives as current owners. The only difference would be who the owners are.
Capitalism is not actually “the final boss” that internet leftists make it out to be. Socialism is not the panacea that leftists make it out to be. Surveillance is not a “capitalist only” thing.
No one should ever browse the web on a smart phone. Not joking.
This API also works on the desktop. In fact, you can't use this system without a phone if your browser isn't Google enough.
We are going to see sooooo many scams out there. No wonder Google is locking down third party Android apps outside of their control, getting a user to install "device verification.apk" will become super trivial after people have clicked through these popups a couple times.
That war was lost in the 2010s, around the same time as the vertical video war.
And also don't install apps? What's left then?
A device I have no choice in owning because modern employers assume you have sometime to install an authenticator app on. That's what it is for me. Also, sadly, it's an anchor for Signal. Otherwise I don't use the stupid thing.
Phone is small computer
Sure, and the north korean Linux distro also runs on a computer. I still wouldn't touch it.
Is it just a matter of not trusting the OS? I'm trying to figure out why "smart phone" is the discriminator here.
A smart phone _could_ be legitimate and free and open, but in practice it's not. This is a constraint based on the reality of the market, not really based on what is strictly possible with the technology. I don't get too deep into this, but at a very high level, this is what I dislike about smartphones.
- Touchscreen user interface is objectively worse than a mouse and keyboard. Portability is the the only benefit to this interface, but this also works strongly to attack impulse control. It's always on you, just a moment away.
- Smartphones are significantly worse for privacy. In a LOT of ways. We can discuss this if you're interested.
- Many smartphone apps exist solely because a website would be less addicting and would also not be able to collect as much data as an app. ie, it's a choice that's worse for you and better for the company.
- They're significantly less open. Yes, grapheneOS and other alternatives exist, however it's not like a computer where I can just install whatever I want without asking the provider permission to unlock the device.
- I touched on this in two other bullets, but it's worth highlighting here: they're built intentionally to be addictive.
- The operating system and hardware are effectively interlocked. (yes, I know grapheneOS exists) but for any modern thing you might actually require a smartphone for (banking app, OTP app, etc) you must be using Apple or Google.
- Providers don't produce security updates well enough; Apple is "better" here, but my 10-15 year old computer can run modern Linux. People brag about 7 years of support on an iPhone. I'm under the impression that Android is better than it used to be, but in the old days any random vendor would give you about 1 year of update support and then you'd be hosed running old Android until you bought a new phone.
- Nobody cares if I own a desktop computer or not, but it's getting to the point that businesses will not work with me unless I have a modern smartphone.
I could probably go on, but I really hate these things.
> Touchscreen user interface is objectively worse than a mouse and keyboard
au contraire, touch screen is objectively better, and i dont buy laptops where the screen isnt a touch screen. cursors and mice and focus on laptop+mouse UXs is just horrible, and for keyboard only even worse.
the touch screen is much simpler, in that you touch or swipe on the thing, and it makes the motion in direct response to what you touched. the input is physically linked into the interaction, rather than some changing relative position.
Yeah I'm aware of all of this, it's just the framing that confused me. A lot of these boil down to "nobody should own or use a smart phone to do anything" which is a bit of a different and less specific pitch than "nobody should browse the web on a smart phone".
It is, just like a calculator is a small computer. It's not a personal computing device though, in the sense that the user can't develop and deploy their own software/tools on it.
Even if that were true, that has nothing to do with browsing the web on it
No one should ever browse the web from an ESP32 either. Like seriously the dark patterns are bad enough from a desktop where you've actually got the screen real estate to see the whole page, have other sites open for comparison, have a keyboard to type your own notes, etc. Most browsing can simply wait, especially the adversarial-commercial type we're talking about here.
and it seems Google wants to support people like you!
That entire QR barcode thing is so that you can browse the web on your laptop/desktop, and _still_ rely on smart phone's attestation, no mobile browser needed.
well that just seems counterproductive and unreasonable but it's Friday so what do I care
-- sent from Chrome on Android
I posted a comment on the announcement when it was posted here:
>As someone who is working in incident response and malware analysis I have to say that is one of the worst ideas I have ever seen. A lot of companies have issues with ClickFix [1] and other social engineering campaigns and now Google wants to teach users that they should scan QR codes to proceed on a website.
>How should we realistically teach Susan from HR the difference between a real Google Captcha QR code and a malicious phishing QR code - you (realistically) can't. I wish we could - but those people don't work in tech, they will never know and I can't really blame them because at the end of the day they are just happy that they don't have to deal with tech after work.
>We have spent years of behavioural conditioning to prevent QR-code based phishing attacks (some people call it Quishing but I hate that term) and since the QR code is being scanned from a mobile device (99.99% of the time the private device), we have no EDR visibility on those devices and can't track what's happening if people scan it.
>This is more of an invitation for threat actors than it is something that holds them back.
[1] https://www.kaspersky.com/blog/what-is-clickfix/53348/
In a world where everything is shit, could I at least take away some solace in this helping to reduce Cloudflares hegemony?
We do need to abandon the reality where we use the same few companies on a daily basis and get back to what's now hidden the under-the-surface: forums, blogs, personal websites. We need to re-discover the "free" internet we used to have before Facebook and smartphone dystopia happened.
I think the idea is good if it could actually curb bot traffic that currently plagues the Internet.
However, a lot of recent bot traffic are sophisticated scrappers called "LLM's." You can tell claude to "research X from this www.example.com" and will automatically scrape it and summarize it, something that a LLM is perfect for. Gemini tends to share links instead, presumably because most of Google's revenue comes from ads served on those websites, so if it completely killed the traffic to those websites it would just make less money. Incidentally, I wonder if Claude/Gemini use an search engine-like "index" of all websites or it refuses to cache anything to always fetch "fresh" data.
If this is employed, I don't think the web is only going to be gatekept to Google devices. I think it will also be gatekept to Google's AI's.
Google would be able to display a captcha that no LLM could defeat, and then just let its own LLM pass through.
The same could be said about its other bots, such as the web crawler. Google's bot could crawl webpages that no other crawler would ever be able to simply because it has free pass to captcha-gated GETs. Although the same could be true already today.
Their product page is full of info about how this works with "agentic" cruft. They're still permitting your regular old scrapers and bots for as long as they like you. Hope you're not thinking of running an independent system instead of a large cloud platform!
I keep banning gogol Ipv4 ranges because of scanners, script kiddies (and maybe worse). Yes, I am self-hosted, and without paying the DNS mob.
> The defeat is mechanical. Bot operators point a camera at a screen, a trivial automation with off-the-shelf hardware. For operations that need Play Integrity attestation specifically, a compliant Android device costs approximately $30 ($29.88 in Wallmart to be precise) - for a professional bot farm, which purchases devices in bulk, this is the fixed cost without material disruption to operations.
That's $30 per account, not one time. Because of the following:
> Device attestation does not just gate access - it produces attribution. A device with a stable hardware identity creates a persistent identifier that crosses sessions, browsers, and private browsing modes.
If you put all your bot accounts on one device, they all get banned at once. So fraudsters have to spread their accounts across multiple devices and replace them when they inevitably get banned. That's the reason for all the spying, attestation, and lockdown bullshit behind Google Cloud Fraud Defense. It is far easier to ban fraudsters if you just let the Maoists run the Risk Department.
The author proposes an alternative solution: proof-of-work. And, yes, there are use cases for that, such as Anubis. Google might even want to consider a proof-of-work option in certain scenarios. But there is no scenario in which someone's phone deliberately burns $30 worth of compute - perhaps a quarter of the user's battery - and the user still has a good onboarding experience. Most of your actual users are not going to be able to burn compute as efficiently as fraudsters, either - so maybe you have to burn the whole battery on a phone to cost a fraudster $30. Proof-of-work is, strictly speaking, anti-egalitarian and anti-democratic. "One CPU, One Vote" is less useful than you think when you realize fraudsters have the money to just buy lots of CPUs to always win[0].
Every Risk Department eventually reinvents arbitrary and capricious punishment. When you have no legal authority to prosecute crime, you rely entirely upon your freedom of association and ban people with a hair trigger. It's the only thing that works. Personally, I'd rather live in the world where governments actually took fraud seriously and corporations didn't have to do this, but for right now, GCFD is at least less onerous than WEI in the sense that WEI was going to lock down all browsers. GCFD just means I have to keep a Google-approved phone around to scan a QR code every once in a while.
[0] I'm not mentioning the massive waste problem proof-of-work creates, because obviously attestation will also produce waste. Actually, if anything, the fraudsters will probably wind up dumping all their banned devices on the used market and ruin it.
Related:
Google Cloud fraud defense, the next evolution of reCAPTCHA
https://news.ycombinator.com/item?id=48061938
Wrong link. https://news.ycombinator.com/item?id=48039362
Considering Google's origins and early backers, this shouldn't come as much of a shock to anyone:
https://qz.com/1145669/googles-true-origin-partly-lies-in-ci...
The military industrial complex created the internet, and has funded many of the big players in Silicon Valley. Their goal was never an open and free internet.
I fucking hate this future. It's bleak. The engineers participating in this should be ashamed.
They shouldn't just be ashamed. They should be shunned at the very least.
There's a good chance they're on HN FWIW. If you are and you're reading this: Fuck you. Reconsider which side you want to be on!
So many in hn already downvoted you. That says the SV nature and opinions in tech sector.
This is security theatre. This isn't going to help against bots in any way.
But but but but ... now that huge tech has declared copyright invalid because of AI they must prevent you from copying Mickey Mouse! Urgently.
Of course courts will undo their current copyright stance as soon as someone "uncopyrights" Disney movies, which is of course coming, but for now ...
Will SOMEBODY think of the billions?
"ChatGPT, generate a blog post that packages an ad for my service that competes with Google by harvesting HN's latent anti-Google rage."
This article is full of false assumptions.
For example: > Bot operators point a camera at a screen, a trivial automation with off-the-shelf hardware. For operations that need Play Integrity attestation specifically, a compliant Android device costs approximately $30 at current market prices
A bot farm cannot bypass for long with a $30 phone. Do you seriously think that if Google sees the same hardware identifier 1000s of times a day they are not going to consider that usage to be fraud?
I appreciate that Google's made a real proposal to avoid the web becoming bottomless AI slop. This article hasn't come with a better alternative - I'd love to see one!
> Do you seriously think that if Google sees the same hardware identifier 1000s of times a day they are not going to consider that usage to be fraud?
Phones are very cheap, especially refurbished phones. Just have the phones mimic real life sleep/wake cycles and take occasional breaks. Use 25% more devices to account for the loss in uptime.
Besides, some people (often unemployed or disabled, and possibly with sleep disorders or mania) actually don’t do anything other than scroll on their phone all day and night. So you can’t rely on this as a good signal without creating even more blowback. And you really don’t want too much blowback from troubled people who have infinite free time.
It is particularly funny because this is content marketing for a computational proof of work "captcha". Those are pure snakeoil, with economics that are probably at least four orders of magnitude more favorable to the abusers than this attestation would be.
I'm pretty sure that the Ai copied the $30 number from my hacker news comments. However in the USA it is true. https://www.walmart.com/ip/Straight-Talk-Motorola-Moto-g-202... (carrier locks don't matter for this usecase.) I am not sure that that storing unique device identifiers is legal in the EU.
I remembered $30 from some comment I read, but didn't look for it later. If it was yours, thank you! (def. thank you for the Wallmart link! - would you like a credit in the blogpost like a quote?
>would you like a credit in the blogpost like a quote?
Yes.
inb4 someone productionizes this (the dependency of cloud phones exists & captcha solvers proved demand) && makes it a cloud service && we are back to square one.
> A bot farm cannot bypass for long with a $30 phone.
That's exactly what they are doing already, and it's not 30$/device but something like <5$/device. Remember they can buy the worst of the worst of the used market.
Betting on device attestation is really betting that smartphones will become less ubiquitous and more expensive to own. Sounds like it's not going to happen to me.
AI use is far more prevalent now than then sadly. This kind of scheme is inevitable since compute is not free.
Water use and mass displacement of labor get all the attention but there are so many other more subtle reasons like this that AI is going to be bad for society.
I disagree that this kind of scheme is inevitable. We can "evit" it through thoughtful discussion, foresight, alternative mitigations, and even regulation. Certainly, Google can choose to avoid it. On the other hand, the AI bubble will inevitably burst, since compute is not free. I look forward to post-bubble AI.
“Evit” is “avoid” in English, they have the same root.
> We can "evit" it through thoughtful discussion, foresight, alternative mitigations, and even regulation
Such as? I don't see how regulation would apply here without concrete technical solutions that enforce it. So what alternative mitigations do you have in mind?
Among many other things: Regulate the use of AI to imitate or impersonate human activity. Regulate AI crawling/scraping. Ban scraping entirely, and all models based on it. Regulate maximum model size.
These wouldn't eliminate the problem, but they'd change it from "many people do this" to "this is always a malicious attack, react accordingly".
>Regulate maximum model size.
is it still 2023 in your reality?
as for the rest of it: my brother in Christ, may I remind you that America is not the only country in the world, that it does not own the Internet, and that its laws do not apply anywhere else? passing heckin' wholesome laws in one country will make no difference whatsoever when people and companies from 194 other countries can access the Internet and do things you don't like, just like you can be a LGBT on the Internet despite it being very illegal in Chechnya.
None of those would work without enforcement. Scams are banned, but that doesn't stop Chinese mafia from operating prison camps that run scams scamming people all around the world.
None of these proposals are enforceable in any meaningful way.
Sure they are. They affect the actions of many companies that today think what they're doing is okay (or at least not illegal). Don't underestimate the value of substantially reducing a harm, even if it isn't eliminated entirely. And don't underestimate the value of making it easier to address the remainder by ensuring it's 100% illegitimate.
Regulate it today, and tomorrow, corporate legal departments will be very carefully training their employees to understand that it's illegal and they should never do it.
Currently, some countries have laws saying that you're not allowed to pay bribes, including foreign bribes. Consider how widespread that practice was when it was outlawed. Imagine if, instead of regulating it, those countries had said "oh, that's not enforceable and too many people are already doing it and it would affect existing business practices...". Instead, today, corporate legal departments will ensure that employees are trained to know they can never do that and they should report any attempts to solicit bribes.
For those who don't know: WEI is a boy band known for singles such as "Twilight"[0].
[0]: https://youtu.be/4BYkuPUQoWE
As much as I hate whatever google's doing, this article has some issues:
>For operations that need Play Integrity attestation specifically, a compliant Android device costs approximately $30 at current market prices
This assumes the logic on google's side is something like `if(attestationResult == "success") allow()`, but it's not hard to imagine the device type being factored into some sort of fraud score. For instance, expensive devices might have a lower fraud score than cheaper devices, to deter buying a bunch of cheap devices. They might also analyze the device mix for a given site, so if thousands of Chinese phones suddenly start signing up for Anne's Muffin Shop, those will get a higher fraud score.
>Firefox for Android does not appear in Google’s stated browser support list for Fraud Defense.
The browser only needs to show a QR code, so if you're on firefox mobile they'll either open a deeplink to google play services on the phone itself, or show a qr code.
>One human solving a single challenge pays a negligible cost. A bot farm running concurrent sessions faces exponential compute costs with each additional attempt - and AI agents, which consume GPU cycles to operate, face identical penalties regardless of how sophisticated their reasoning is.
PoW for bot protection basically never caught on because javascript performance is poor, and human time is worth more than a computer's time. An attacker doesn't care if some server has to wait 10s to solve a PoW challenge, but a human would. An 8-core server costs 10 cents per hour on hetzner. Even if you assume everyone has a 8-core desktop-class CPU at their disposal (ie. no mobile devices), a 6 minute challenge would cost an attacker a penny. On the other hand how much do you think the average person values 6 minutes of their time?
This seems to be an advertisement for Private Captcha. I don't know a lot about the service, but it seems inherently ablest. Does proof of work, support blind users? Does it is support special needs users with cognitive impairments? The QR code and photo support a wide variety of users. What not support a variety of methods. Why does it need to be one or the other?