My understanding is that this new reCAPTCHA is basically just remote attestation.
Remote attestation doesn't use blind signatures (as that would be 'farmable') so tying the device to the 'attestee' is technically possible with collusion of Google servers: EK (static burned-in private key) -> AIK (ephemeral identity key in secure enclave signed by a Google server) -> attestation (signed by AIK). As you can see if the Google server logs EK -> AIK conversions an attestation can be trivially traced to your device's EK. This is also why we don't really see and probably never will see online services which offer fake remote attestations, as it will be pretty obvious that the next step of running such a service is getting Google as a customer and having all your devices blacklisted. Private farms probably won't last long either as I'm sure Google logs everything and will correlate.
Unless something special is done with this new reCAPTCHA not only are you locking internet services behind TPM chips but you are also surrendering anonymity to Google. Unless you acquire untraceable burners for every service, the new reCAPTCHA will be technically capable to tying all your accounts across all these services together. Much like age verification. It may appear that the service would need to cooperate to link the reCAPTCHA session to your registration but the registration time alone will likely be sufficient (the anonymity set will be all but destroyed).
worth noting that google/twitter/facebook/reddit/others colluded to combine sessions, identifiers, so that any person getting identified on any one session / ip would be identified on all
so while this comment is apt, i would ask them what they think of the previous chicxulub impact of the 2012 era collusion - which to this day has not been reported on
(just realized emacs bindings work in comments, nice, no ctrl-x tho)
"Chicxulub impact" seems to be functioning as a bit of hyperbole to imply that this collusion was absolutely devastating, by analogy to the K-T extinction event 66 million years ago.
Not that I really can tell what this was devastating to. Maybe United States v. Apple (2012), where Hachette Book Group, Inc., HarperCollins publishers, Macmillan publishers, Penguin Group, Inc., and Simon & Schuster, Inc. conspired with Apple to raise ebook prices?
I can't say for sure, but is it possible they're referring to the founding of the Internet Association in 2012?[0]
I don't think it's that, because the Wikipedia article makes it seem like it was a force for good, but at the time, it wasn't certain at all that it would be that way.[1]
Beyond that, I'm not exactly sure what might be meant.
By exchanging and correlating data presumably? For example, anything I send or receive on Discord, I see reflected in my YouTube recommendations shortly after. It's downright egregious at times.
Most likely it's just run of the mill Google analytics/adsense tags in discord. Don't forget that discord is web tech and loads all kinds of JS bundles – including trackers. The best solution is to stop using discord, but the second best solution is to only use the web app version of Discord. When you use the web app, you can install adblock and anti-tracking extensions. The amount of data that Discord sends which gets blocked by these extensions is eye opening.
If you run a website, it seems trivial to forward the attestation to someone else by putting the same code up on your website, and getting their device banned from google instead of your own.
The camera isn't the part doing that verification. The google service serving that "reCAPTCHA" is what's doing that validation. Unless you're using a custom browser that is reporting a different domain to google than the one requesting the reCAPTCHA, google's service will know which domain is which.
It would be generated by some other website like Amazon. Because I own, say, Meta, I copy these Amazon-generated codes over to Meta, make people scan them on their phones to sign into Meta and then pass the solution back to Amazon so my bots can sign into Amazon.
We don't yet know how the client side works, perhaps there will be a decompilation posted soon.
It's possible this scenario is acceptable to them because it means they can still tie your access to something that's easier to ban without requiring a full account login.
What are you implying? That it will become ineffective due to that?
That's possible... and they might change their mind if so, we will see.
I feel like it's a similar issue to when scrapers pretend to be an allowed-origin webpage in order to abuse "public" API keys for web services.
They could also require the mobile device to interact with the requesting webpage in some manner, similar to mutual PIN/codes for Bluetooth/TV pairing these days. That way bulk sharing of the codes would still require active participation from the device that requested it in the first place, likely with a short time limit.
Realistically, what Google will do in such a scenario is collect data about the illicit service, enumerate the devices the farm uses and what other activities the devices participate in. What you suggested has far less control over the devices that generate the attestations and it will show.
Also, if the implementation is competently done the phone will show the website for which you scanned the QR code. A user would be able to see whether or not that matches the site where they observed the QR code and proceed accordingly. In time Google will probably integrate it into the Chrome browser where a proxied QR code cannot even be shown.
I'm sure some people still remember how to mentally decode QR codes and verify ECDSA signatures from Covid days. Public transit ticket inspectors in my city also seem to be quite proficient at it :)
Age verification as a technical concept can be done in a privacy-preserving manner! Whether or not we want age verification is another debate, but let's stop making wrong technical claims about that: it doesn't help.
The trick is to define "privacy-preserving age verification" in an extremely narrow way that ignores any other privacy concerns.
For example, imagine you put the same private key into the 'secure element' of every single iphone. You use code signing so that key is only unlocked when the phone is running unmodified iOS with all security updates. You use encryption and remote attestation for the front-facing camera and face id depth sensor. You use NFC to read government-authenticated age and appearance data from biometric passport chips (or digital ID cards) and you store it on-device.
Then, when you want to access pornhub, they send an age challenge to your device, your device makes sure your face matches the stored passport, and if so it signs the challenge with the private key.
Pornhub gets an Apple-signed attestation of age - but because every phone signs with challenges with the same private key, Pornhub can't link it to a particular phone or identity document.
So in a very narrow sense, privacy is preserved.
You can't use someone else's ID, as it checks your face every time. You can't fool it with a photo of the person because of the depth sensor. You can't MITM/replay the camera/depth data because the link is encrypted. You can't substitute software that skips the check with a rooted phone because of the code signing. Security holes can be closed by just pushing a mandatory OS update.
Sure, it doesn't work on PCs. Doesn't work on Linux, or on unlocked/rooted phones. It hands users' government ID documents over to Google and Apple. It requires people to carry foreign-made, battery powered, network connected GPS trackers (with cameras, microphones and speech recognition) with them. And there are non-negotiable terms of service everyone must agree to. But if you define "privacy-preserving" to ignore all that stuff and only consider whether Pornhub learns your identity, it's privacy-preserving.
14 year old me ran into porn on the internet all the time. It didn't turn me into a serial killer.
Meanwhile we let kids have exposure to algorithms that pervert their sense of self worth, get them addicted to dopamine and gambling, and make them feel inferior to their peers.
We have the wrong priorities as a society.
And this bullshit is going to turn us into a completely tracked, monitored, controlled bunch of cattle.
"Think of the children" is the stated reason but not the actual reason. We've seen this pattern so many times that it's perplexing that people continue to fall for it.
If the children were the actual reason there are much less invasive solutions that enable reliable parental controls such as mandating self classification of content and fining service operators for inaccuracies.
Think for yourself and consider what the possible ulterior motives might be.
> Sure, and in the meantime try to think and read about how privacy-preserving age verification actually works.
This requires you build a whole apparatus around controlling what people can see, say, and do.
The concept of "slippery slope" is often called a logical fallacy, but in reality it's more than often not a fallacy at all. It's the manner in which you boil the frog.
I think it's something like over 50% of adults do not have kids now. Why should we put the majority of people - for the majority of their lives - at risk for a mere 20% of the population to "not see boobs", when good parenting will suffice?
Let's not put a cage around our freedoms. Let's ask parents to be more responsible. In the edge cases where that isn't sufficient, is that really as bad as what could happen to all of our liberties should we go down that path?
We're burning down the whole village because someone saw a cockroach.
That key will get leaked. A key that has to go into every phone, even if done at the manufacturer and onto the TPM chip, will get out.
Also even if it doesn't get leaked directly, the security of TPM chips is not absolute. Secrets from them can theoretically be extracted given an attacker with sufficient means and motivation. Normally nothing that's on a typical TPM chip would warrant a project of that magnitude, but a widely used private key can change that equation.
Plus a TPM chip doesn't really have means to tell the phone isn't being lied to. You could swap out the actual phone camera hardware and sensors for a custom board that feeds the entire phone camera data of your choosing and it would be none-the-wiser.
Maybe? But biometric passports, chip-and-pin payment cards and SIM cards seem to do reasonably well. And Apple can always push out a mandatory software update that rotates the key, if they need to.
> You could swap out the actual phone camera hardware and sensors for a custom board that feeds the entire phone camera data of your choosing and it would be none-the-wiser.
Apple's 'TrueDepth' cameras are serialised and paired with the rest of the device. The touch ID sensors were before that too.
I don't know the precise details, but reports from people trying to repair devices independently of Apple are that the phone is very much the wiser.
The app[1] on the user's device[2] forwards that request to the chip on the user's ID card. The user authorizes themselves with their 6 digit PIN stored on the card.
The chip produces a signed reply containing the following payload fields: `issuing_country:string` and `over_18:bool`
What happens when I set up a tor hidden service that (in conjunction with some client software) stands in for a visitor's device and will proxy any requests back to my personal card? After all the payloads are anonymous so what's the risk to me?
To prevent this sort of abuse, the server would have to request the `pseudonym` field, which contains a hash across the server identity and the card's secret salt, allowing the server to detect abuse but not to track the user across multiple services.
It's probably even simpler than that: say normal users make a few requests once in a while (because they don't need thousands of tokens every day), and one user makes a ton of requests, then it is an indication that this user may be abusing the system.
It would probably be possible to use the service that the parent is suggesting and try to link it to requests to the server based on timing. But I don't even know if anyone would bother trying to identify the OP: probably it would just be enough to rate-limit the requests.
As always: it's easy to criticise, harder to actually get it right.
Parental controls are intentionally gimped. They do the bare minimum while providing more than enough wiggle room for a tech savvy teenager. To implement a robust parental control scheme you need network level filtration which isn't something the average parent will know anything about.
I disagree with that, because the teenager should be the parent's responsibility, regardless of how smart or savvy they are. Parents should be talking to their children, communicating what their and society's expectations are. If the parents are attempting to exert technical control over their children, by home router for example, there should be websites or computer shops they can go to. If the parents don't care or are not smart enough to keep up with their teenager, then no type of state mandated gimmick will either.
Teenagers, at that level of intelligence or are that determined, will find ways to circumvent whatever control mechanisms a parent or school is attempting to use. At some point, it is a matter of the teenager respecting their parents and rules. Same for if you told a teenager do not drink and drive. You can setup all kinds of technical barriers to block drunk teenagers from driving, but if they are that "smart", those committed to bad behavior or law breaking will find ways.
They would be a solution if almost all parents used them, but parents don't want to socially isolate their kids since a lot of "social" activity is now on social media. It's kind of a prisoner's dilemma.
There's not necessarily wrong. Despite the vapid and damaging nature of most popular online media, isolating a child from it might have even worse social consequences when their real-life peer groups discover that they're not on social media or that their parents have neutered their phone. Some kids would turn out fine after that. Others would be socially destroyed for life (maybe with the right therapy they could become well-adjusted, but high quality therapy is rare).
> They would be a solution if almost all parents used them
No, they are a solution for parents who want to use them, and that's all they should be. Their existence demonstrates that it's possible to handle this without regulation, other than the desire of some people to inflict their preferences onto other people's kids.
You haven't tried to use parental controls much have you? They are all terrible. They are insanely difficult to get set up properly and even when you do there are a lot of tradeoffs that come with it.
> even when you do there are a lot of tradeoffs that come with it
Absolutely, but those are nothing compared to the tradeoffs of putting attestation or identity verification (sometimes incorrectly described as "age" verification) on numerous sites and inflicting them on everyone.
And my whole point is that it's possible to do age verification in a privacy-preserving manner, and before complaining about the tradeoffs, you should get informed about what they are.
I'm well aware of those possibilities. The two biggest problems with them are that 1) they still apply to everyone, rather than only to those who opt into them and 2) governments and companies are in practice going to push for the versions that identify people and provide more information.
If you make it possible for governments to decide what content is "limited to adults", they can and will abuse that capability. "Porn" is the battle cry, to make it uncomfortable to argue against; often, other information the government wants to restrict becomes a target. The only way to prevent that is to deny the capability in the first place.
Yep, I think this would be a totally valid debate. But my frustration is that it's not there at all. We're at "people make it sound like it's technologically impossible, like the ChatControl for E2EE".
It feels like trying to debate about whether 5G is good or not, and the debate is stuck at people claiming that 5G boils your blood. There are valid reasons to oppose 5G, but if people choose to be so wrong that it sounds like bad faith, they surely won't convince me of anything.
I have yet to see a scheme that would robustly preserve privacy and freedom floated by any of the major efforts. I think the onus is on you to present a workable scheme, but even then I'm not going to support the major efforts which at present are malicious.
Having Privacy in the name doesn't mean it's actually privacy preserving. You can't just ignore attack vectors like collusion between signing entities and websites.
Did you read about how it works? Can you precisely describe an attack that defeats it, or are you just throwing names you've heard without actually knowing how Privacy Pass works? Sounds like the latter to me (yes, I read the RFC).
Your tone isn't appropriate. You don't get to assign reading. If you want to convince people of something then clearly state your case. In this instance that would mean outlining the technical argument.
That said, you've got blinders on. You're all over this comment section condescending to people about a particularly clever scheme without considering the various real world objections being raised. Not the least of which is that the vast majority of the tidalwave of legislation on the topic has zero to do with ZKPs.
> Not the least of which is that the vast majority of the tidalwave of legislation on the topic has zero to do with ZKPs.
That's not what I see. I mostly see people complaining about the fact that "if they verify my age, it fundamentally means that I have to give them my ID, and I don't want that". And whenever I mention that technically, there are ways to do age verification in a privacy-preserving manner, I get something like "you are so naive, nobody wants age verification, it's THEM (the all corrupt politicians who all have the exact same opinion) against US THE PEOPLE who need to fight for our freedom!
That is very frustrating to me, because
1. I believe that it is counter-productive to be technically wrong by saying "it is fundamentally not possible". Because if politicians genuinely listen to that, then ask a few cryptographers and get the answer "no actually it exists", then it seems only fair that those politicians will just dismiss the whole opposition by saying "oh right, they are just libertarians who don't want regulations and hide behind incorrect technical claims".
2. I believe that many, many people actually are in favour of age verification to protect their kids. And again, yelling at them saying "you understand nothing, this is not technically possible, and the politicians are all corrupt authoritarians anyway" is not constructive. Moreover, "normal" people don't give a shit about the privacy issues, so if they want age verification, they will just accept any technical solution. I would hope for technically savvy people to try to raise the privacy concerns and explain that if there MUST be age verification, AT LEAST it should be done in a privacy-preserving manner.
But yeah, let's keep yelling that it is fundamentally impossible, such that nobody even hears about the privacy-preserving solutions, until we have to either give our ID to random websites or stop using the Internet. Because what seems clear to me is that we are going towards age verification anyway, and there is zero constructive discussion about how to do that right.
Parental controls can set browsers in "child mode" where the browser sends an "I am a child" header to the server and social networks etc. need to honour it. This has existed for twelve years already: https://blog.mozilla.org/netpolicy/2014/07/22/prefersafe-mak... . It can probably be amended with a more granular set of levels, but that would be the best way forward.
The problem of "parents are negligent" is also solved by existing laws which have fines for parents who are negligent towards their children, and governments absolutely love collecting fines, so all the incentives are properly aligned.
And it's possible to do age verification in a privacy-preserving manner. I'm tired of repeating it, people should get informed before they complain.
We could totally discuss whether or not privacy-preserving age verification is a good thing. But we can't, because most people can't be arsed to read about what age verification implies, and complain about something that is fundamentally wrong (i.e. that they would have to surrender their anonymity).
How about we just ban entirely the harmful social media that we would need to attach all our IDs to our internet activity in order to protect the children? Very strange that that's not part of the discussion!
Joe can walk into an Apple store (or wherever they purchased the device) and ask them to enable parental controls on it. We have people whose job it is to service computers and phones, they have been around for more than half a century. I am pretty sure most Joes don't service their cars either, yet they keep them road legal by visiting trained mechanics.
It doesn't provide 100% privacy from everyone, but it does provide privacy from the web service: A worker at a physical store checks your ID, and if it says you are 18, they hand you a token with a unique key on it, which they have a stack of behind the counter. You put the unique key into the web service. It's not necessarily one time use, but if you don't want to risk correlation, you can use each one only once. It's just like alcohol sales, and has all the same failure modes as alcohol sales, but if it's good enough for alcohol sales it's good enough for web services.
Well it probably needs a bit more complexity to avoid being trivially broken. Codes are one time use; the service has them attested by the token provider behind the scenes, and the provider is in turn under contract with the government. Tokens are also activated at the point of purchase similar to gift cards in order to prevent bulk theft and resale. A law in the vein of HIPAA prevents collusion between the retail establishment and the token provider.
>> A law in the vein of HIPAA prevents collusion
>
> No need if you use cryptography.
True for age verification, but not true in general. If you have something that can be used illegally, it's very handy to allow firms to rent / hire it out anyway but make the hirer responsible for any illegal activity.
An example is hiring a car, and the car is used to ram-raid a shop. Today this is solved by handing over a government ID to the rental company. Commit a crime in the car and they hand that over to police, but it has the sad side effect of handing over information to the car rental they can use to track you, and worse sell to others.
Using a zero knowledge proof for a valid driver's licence fixes the privacy problem, but at the expense of the hire company not being able to transfer responsibility for illegal activity onto the hirer. I suspect if that happened no one would hire out cars any more.
You can easily design something that is Zero Knowledge to the car hire firm, but includes an opaque token they can hand over to the government on lawful demand. It contains all the details needed to pursue the law breaking hirer. Thus there is still a role for the law here - you can't always do everything with crypto.
This is a very minor quibble - I agree completely with what I think is your main point. This Google change is a privacy disaster. It's a step towards an enshittified internet with the gateways onto it controlled by a few big tech firms.
But I don't think just yelling "just use ZK" is helpful. It's much harder than that - ZK is only part of the puzzle. Passkeys are currently caught up in the same attestation trap, and there is no workable solution in the offing. Banks and other high trust applications need some assurance your FIDO private key is being handled securely. The solutions on the table are Apple not doing attestation, or Google who does at the low low price of selling your true name to Google. Both "solutions" suck, horribly.
ZK proofs of things like licences and age have to solve the attestation problem, and solve extra stuff as well. I'm not holding my breath.
> But I don't think just yelling "just use ZK" is helpful.
Agreed. I am just very frustrated, because I feel it is an important topic. And I wish I saw adult discussions about it. And instead, people who claim to be "tech-savvy" keep whining about the fact that it will fundamentally leak their ID everywhere. Like they somehow understood the point for E2EE, and repeat it here confidently. If tech-savvy people can't be bothered to understand how this works, why should politicians?
I have the same frustration with the anti-5G crowd yelling that it will boil your blood. There are many valid reasons to criticise 5G and have a constructive debate, but they choose to be wrong anyway.
> If tech-savvy people can't be bothered to understand how this works
You underestimate your own abilities. Tech savvy doesn't mean they think much about crypto.
To get a feel for this I asked Gemini "If you were to survey a group of people who would be called "Tech Savvy", what percentage of them would be aware you could construct a zero knowledge proof for a person's age that revealed nothing beyond they were older than a given threshold?". The answer was 5%..10%. That rises to a surprising low 20%..30% for Software Engineers. It's only once you get to Software Engineers who write security systems that you get above 50%.
Gemini didn't give any references so those figures could be complete rubbish, but in my experience they seem on the high side. Many very experienced engineers I interact with clearly have not thought very deeply about how crypto systems interact with human trust. Granted understanding the implications of crypto is yet another step beyond understanding the maths, but I'm amazed at how many technology curious people haven't bothered to take that step.
The good pollies on the other hand probably have a very good intuitive feel for human trust systems and how to navigate them. They rely on engineers to tell them what is possible of course, and they won't care about the details. But what they will care about is whether the engineers can deliver the system they promised, and there I have to admit our track record is appalling. How many government IT initiatives have you seen deliver what was promised on time and on budget? So when you tell them you can build a ZK system that delivers in all these privacy promises, expect a very sceptical reception.
You can prove your signature is from a key which is in a member of an acceptable set without revealing which one. These schemes can also prevent excessive reuse, e.g. by you also proving that some linked value is a hashlike function of your private key, the date, and the domain, so if you sign multiple times for the same site in the same day your uses are linked, so someone can't just toss up an oracle that gives endless authentications.
Such systems are deployed in production by privacy preserving cryptocurrencies as its the same problem: Prove you're spending a coin that exists without revealing information about which one, and prove that you're not spending it multiple times.
Less private but easier to implement is just simple blind signing. Site asks you to give them a signature of their domain name, your account name, and date. You blind the data using a random number, go to google and identify yourself (e.g. solve a CAPTCHA, check your mobile device, age verify, whatever) and ask them to sign the blinded value-- they rate limit you and give you a signature. You unblind and provide to the site. Now the site knows you passed the google rate limit but nothing else, but google never learns what site you authenticated to.
The blindsigning approach is kinda lame because it requires active communication with a third party that learns you're online and authenticating to stuff. So I think it's generally less preferred but the cryptography is hardly any more complicated than an ordinary digital signature.
Ring cryptography does this - given a public key and a set of private keys you can attest that one of the keys signed it but not which one. This lets both Google and you generate a signature and say “this is attested”, without the person verifying it knowing _who_ signed it.
You likely need one other step beyond a plain ring signature, often called a linkable ring signature. If you use only a plain ring signature I could get one authenticated key and setup a site that gives away an unlimited number of access tokens with it, and you can't identify which key is doing so in order to kick it out.
A linkable ring signature lets you correlate multiple usage but only if they share a common 'context value'. Intelligent selection of the context value results in abusive use inevitably sharing a context so you can exclude or rate limit it, but honest use tends to not share a context so the privacy is preserved.
All states/governments have basic records on their citizens and residents, including at least a name, dob, address, etc, at least for a passport, driver's license, if not an actual id card. Let's assume this is acceptable.
Then it's technically possible (and really not that difficult) for states to provide a service that issues zero-knowledge proofs of facts like "age > X".
(partly off-topic rant) One can argue this is a false premise fallacy. For most of the time states did not have this information about their citizens and the world progressed quite nicely. The only argument to know stuff about citizens that don't drive (increasing numbers) nor travel abroad (different problem altogether) is to tax them?
One of the foundational differences between humans and cattle was you cannot brand (https://en.wikipedia.org/wiki/Livestock_branding) humans. Not physically, because we do it digitally and I see a slippery slope.
The discussion was about age verification, not about the (rather more extreme) position that it's illegitimate for the state to hold information about its citizens.
> For most of the time states did not have this information about their citizens and the world progressed quite nicely.
This is quite untrue. State bureaucracies far predate the modern era.
The problem is that while you might be able to trust the crypto, the government won't trust you to do the crypto entirely by yourself. And this introduces avenues for deanonymisation. Moreover, collusion between the government and the entity making the age check can also theoretically deanonimize.
It's a complicated problem.
We continue to seek a technological solution to a parenting problem.
I feel like it becomes bad faith at some point. With a sufficiently advanced attack, you can be personally identified today. ZKP for age verification does not make this worse, does it?
It's a bit like saying "no but Signal is not really encrypted, because the government can extract some metadata by looking at the network around the server".
Look at Apple’s PAT: the website knows the service that did the attestation, but not the user. The service knows the user, but not the website. If you controlled both you can link the user, but otherwise you can’t.
As far as I know no currently proposed age verification method does this in practice.
The only way to implement truly privacy preserving age verification is through zero knowledge proofs (or blind signatures) but what that would allow is undetectable token forging.
The EU's proposed system uses ZK proof. You get a PGP signed message from "someone" who knows your identity (government or private agency) then store it on your phone to pass to websites that need your age. It does have an obvious flaw in that whoever you give the token to has no proof it's actually yours.
> It does have an obvious flaw in that whoever you give the token to has no proof it's actually yours.
Which isn't necessarily a flaw, depends on the threat model. For actual age verification that we care about (e.g. make it harder for kids to access social media), it may be good enough.
No it can't. If it's done in a truly privacy preserving way then someone can also sell a fake age verification service making the whole thing meaningless.
I don't see any requirement to support hardware attestation in the recaptcha documentation, the Play Services seem to be "enough".
I think it's most likely to be attested by Google remotely; they might be using an app (with enormous access to the phone as the Play Services have) to be able to link a ton of data together, possibly including the local activity on the phone, officially to make better humanity assessments based on it all.
For people using a Google account it probably won't make a huge difference, in terms of data collected.
If that's how it would work, spoofing would probably be theoretically possible, but it would be easy for Google to detect attestations used by multiple people.
Let's not forget that this is an update to a very approximate system, absolute security is not (yet) required.
But there's a good chance that it will be extremely hard to sidestep, despite that.
> they might be using an app (with enormous access to the phone as the Play Services have) to be able to link a ton of data together, possibly including the local activity on the phone
But anything your phone can possibly do in software can be spoofed, so how would that help?
No, Play Integrity is a set of numerous features, and the developers decide which one to use, and how to react to what the api reports.
Hardware attestation is one feature, but it's still not used a lot.
The most common feature is the check that your Google account really downloaded the app you're using (and that the app wasn't modified); which requires using a Google account, of course. This is what the "pairip" that's been plaguing the store for a year does (it's being added by a ton of apps because adding it only requires enabling a preference in the Play Console).
> having all your devices blacklisted. Private farms probably won't last long either as I'm sure Google logs everything and will correlate.
So basically Google can now ban your device from being able to access a huge portion of the internet, in addition to nuking any online presence connected to them.
You could wake up one day and find your device blacklisted from the internet, with no chance of ever reaching customer support. What a lovely future
That's great until it's some essential government, medical, educational, etc. service that you have either no alternative to or no alternative that isn't also using the same thing. I'm already being slowly and incrementally softlocked out of some (fortunately non-essential so far) sites either by cloudflare or other more subtle "anti-bot" networks as time goes on, including some like I've listed above. I can only expect this will continue until it's something I can't avoid.
For some reason, I'm softlocked from booking tickets from Deutsche Bahn. The website errors out with a cryptic "Your browser's behavior resembles that of a bot." message with no option to try again or pass a captcha or whatever. The website itself described several possible solutions but none helped (I tried using different computers, different internet connections, even a phone connected to internet using a SIM from a different country).
As for now, when I need to travel to Germany, I just book tickets through the national carrier of my home country, which for cross-border tickets often turns out to actually be cheaper than booking through DB. Thankfully I don't live in Germany proper and my need for travel there is not that high (once or twice a year at most) but I wonder what would I do if I had to move to Germany and use trains there more often.
Same problem but with French equivalent SNCF (sncf-connect.com). I just checked and can confirm nothing has changed. You cannot use up-to-date Firefox on Linux to access the main booking site for French rail tickets.
Access is temporarily restricted
We detected unusual activity from your device or network.
Reasons may include:
-Rapid taps or clicks
-JavaScript disabled or not working
-Automated (bot) activity on your network (IP X.X.X.X)
-Use of developer or inspection tools
I just opened the developer tools, then chose 'Separate Window' from the menu. The developer tools are now on my other screen, and then I clicked Reply to your message. The developer tools window that I had open is not relating to this tab, but when I opened Developer Tools for this tab, it remembered that I wanted it in a separate window and did so again. The viewport should not have changed at all..?
No, it won't, and this mechanism should not be used by anyone, but it'd at least ensure that people aren't forced to use it to interact with their government.
With the new reCAPTCHA this is going to happen because most human visitors will actually be unable to pass the CAPTCHA. It will be interesting to see whether this makes websites ditch reCAPTCHA or whether they literally just don't care about having customers, an attitude that seems to be getting more and more common every day.
I have been unable to give my money to Home Depot, REI and a growing list of online retailers because they use Akamai EdgeSuite, which just assumes I am a bot and 403s on protected API calls. This happens consistently on any IP and any browser on my Linux desktop/laptop.
There are not enough words to describe how much I hate Akamai EdgeSuite. So many random validation loops and 403s across different physical computers, different operating systems, different connections and even countries. A couple of services I need use it and it's 30% I'll make it past their stupid "protection".
It has a zero percent chance of reaching anyone who can do anything about it.
You could try handwriting and posting a letter to their CEO. I think that sometimes works. Probably not very often but there are more than zero CEOs who read those letters.
Maybe they'll figure it out when their revenue drops next quorter or the ones after that?
I was thinking in the same terms: you put up a QR capcha, you don't get my traffic and money. Just the amount of extra work needed, let alone the Google tracking turns me off. As if traffic lights, crosswalks and bridges weren't enough of a hassle.
You can also send an email if you're lazy. In both cases the CEO probably won't read it but a more than minimum wage secretary probably will pass it on to corporate customer support which IME is a lot more useful and the regular support that the company wants you to use.
REI Co-op has an Annual Members Meeting in Seattle, where it announces the results of the board of directors election.
The 2026 one happened Feb 5. Apparently the presentation is only 8m long, some saying it's pre-recorded and it's near-impossible for members to submit a question that actually gets answered:
One problem with these things is that businesses have minimal visibility on the amount of users they lose.
On the opposite, if they see reports of many visitors not completing the captcha, they're likely to think "Wow so many bots!!! This defense nowadays is indispensable..!".
Sometimes you need to pass a captcha even to contact them (if you want to tell them that you can't pass their captcha).
I wanted to give money to charity and they have whole form protected by recaptcha. So I would have to allow all my personal information and amount donated sent to google (and agree with google terms for data processing). I have contacted them but they did not understand why this is problem they just wanted to protect themself against bots. IMHO unless those things are not disallowed by antitrust laws we have lost.
I suspect this is a real problem for charities, though. If those bots are using stolen credit cards, the "donations" are going to cost the charities money after they pay extra fees to the credit card processors. Nonprofits are sometimes used to test stolen credit cards before making more profitable fraudulent transactions, so there's a real risk of it costing them money if they get rid of the captcha but don't replace it with something sufficiently high quality, even after accounting for the occasional lost donation.
Merchants often pay a chargeback fee on top of refunding the main charge. Additionally, merchants with lots of fraud or other chargeback issues are likely to be dropped by payment processors or see their general fees with payment processors get more expensive.
> most human visitors will actually be unable to pass the CAPTCHA
Most human visitors will never ever notice the change. reCAPTCHA is completely invisible for most human visitors because they are allowed to pass just by fingerprint.
It's not like an average user is going to have to scan a QR code every time they visit a site via web browser. If it were like this then it would be a non-issue because no sane website would adopt this system. But it isn't.
This is not true, maybe in the US, but in many countries you get captchas all the time with residential connection and also in public places all the time, internet cafe, airports, cafe wifis and so, they'll at least get it once, that way there is a permanent fingerprint correlation with real identity, I can bet that EVERYBODY will get it at some point so Google and other people on board with this atrocity (webmasters are also accomplice) can finish-up the master plan.
>> whether they literally just don't care about having customers
So every government website. Every website where people simply have no choice (DMV) or where failure to login results in them not claiming the money/benefits they are due (all tax websites). And every website handling post-sale complaints (Airlines, insurance).
> Stop visiting sites and using services that use reCAPTCHA. Problem solved.
Not solved at all: 99.999% of users don't give a damn and use a Google-signed Android.
My opinion is that because they don't give a damn does NOT mean regulations should not protect them. What Google is doing here is anticompetitive and they should be fined (antitrust and all that).
I don't see the correlation with Google-signed android actually, people really want to have this friction when they visit a website? Like having to get your phone from another room, use camera and all that to access a website? This is so anti-pattern and is also disrespectful toward consumers, any webmaster participating into this imo should rethink his career and morality.
There is, but at least in the US neither party cares. They want to get rid of anonymity online, one to throw anyone who googles "trans" in jail, and the other because their biggest donors are tech companies that want to denonymize everyone.
Our antitrust laws have been toothless for decades, and both parties love billionaires controlling the rest of us with an iron fist.
GrapheneOS is looking more and more worth the headache that my limited free time generally does not like. I don't need Google to know my smut fanfiction is written by my IRL.
Felt same way about GrapheneOS but a few friends set it up so i gave it a try. It is easy to install and use. As evidence, I gave my 70 year old father one and he loves it.
When my friend was telling me about GrapheneOS I was thinking back to the old days of android custom roms, all the bugs and bullshit, the time I couldn't dial out to 911 because my custom ROM crashes when I did, or other issues. So I gave it a pass.
However he's been on it now for months and every time he shows me something on it I get a little more jealous. Everything seems to be working fine, including e.g. bank apps, and he has interesting features like some kind of app zoning thing limiting permissions on a zone to zone basis.
The only problem is it's only available on massive phones without headphone jacks and SD card slots, so I'm sticking with Xperia for now.
> Ask HN: Did HN just start using Google recaptcha for logins? [0]
> dang
> No recent changes, but we do sometimes turn captchas on for logins when HN is under some kind of (possible) attack or other. That's been happening for a few hours. Hopefully it goes away soon.
At least in my country (Poland) you should be able to make a pretty bug fuss and resulting in them fixing it, if indeed one of ego services made you leak all your data to Google.
The other problem with this is that there are few CAPTCHA alternatives.
CF turnstile is one, but of course that means Cloudflare owns even more of the web.
HCaptcha is inaccessible and actively discriminatory against individuals with disabilities and refuses to change, to the point that I suspect the only way that they will do anything is to file a class-action against them and sue them into the ground.
And I... Can't think of anything else. Other than to just get rid of Captchas entirely.
You could just have a custom one that asks domain-specific questions (and ones which will trip up LLMs are not hard to come by.) I've seen a few forums ask such questions for registration, long before the rise of LLMs.
There are other captcha alternatives like Turnstile, for example Private Captcha, Altcha etc. - they are owned by mostly “small” independent companies, they are not visual captchas (proof-of-work based) and very accesssible.
Compliance is what makes all that shit possible. Sadly most people are compliant and made so by gradually increasing their dependency on "commodities" which really are anchors to a shit lake.
Suddenly I have been made aware that, having lost my paddle on Shit Creek, I will eventually be taken downstream to Shit Lake (where it appears I will inevitably drop anchor).
Oh just wait, the AI phone service on their side will be more than happy to complete your device attestation key challenge by touch tone. We have to make sure you are still you after all!
But in all seriousness, many services are making it difficult through to impossible to communicate outside of their web or app platforms. Call centres are expensive and messy, and it's now apparently acceptable as a society to treat customers/clients/whatever as adversaries so they can get away with making it hard to communicate with them.
I was unable to book a doctors meeting through the clinic's website, so I declared "screw tech" and called their call center, which still worked better. The app just searched for the "first available spot" and never found anything. If they axe the call center I'm going to have to go to their place.
> Are you comfortable with anybody being able to ring up the hospital and say "yo, it's majorchord, how are my gonnorhea results?"
No, that's why we have safety protocols in place. When you call a doctor they ask you for your birthdate or sometimes also a PIN/password on your account to protect your data.
How would that still be considered a breach of privacy?
Alright. I didn't know that. "Just call them" did not sound like it included any kind of authentication procedure.
But giving birthdate (available to anyone via a single query in a public database) and (sometimes?! - what?!) PIN over the phone wouldn't really be considered good enough here. Birthdate is, as I said, public knowledge. And a phone is too insecure a medium for transmitting a password.
I'm not super interested in an long argument about whether it's reasonable that this isn't considered secure or not. I'm just letting you know what reality looks like. And the reality is that "just call them" is not a solution, because such information will simply not be handed out over the phone.
Why is every startup using that same Serif font now, Garamond or whatever. Is it an LLM design phenomenon? Its kinda ruining that font style for me.
Also $1,500 a month for 10 "influencers" is wild. This doesn't seem that sophisticated unless they're doing something special to increase trust scores of accounts. They say they have "in house warming algorithm" which honestly doesn't inspire confidence for me.
Whats funny is its almost a certainty (if they are doing things correctly) that they have literal farms of phones (probably in SEA). The only real way to keep trust high is to have a real mobile connection and unique devices. Proxies are okay, but you really need to use the apps on real hardware.
Interesting article, thanks. I've done a bit of small scale phone farming (for my own cheap mobile proxies). In all reality the phones aren't that expensive, I went with Moto 5gs that cost $130 (retail), so in their case the phones pay for themselves in the first month.
Probably a decent amount of compute cost for video generation, but I'm sure they have access to free compute and inference for being in bed with a16z.
How is this not grounds to be sued into oblivion by Google and Meta? They clearly violate ToS for profit. This is something I expect to find on a dark web forum where 0days are traded, not in public.
> How is this not grounds to be sued into oblivion by Google and Meta?
Because they don't care. It doesn't matter that it's AI slop, it generates views. And Google and Meta can bill advertisers for those views.
Zuckerberg is paying people to put AI slop Shrimp Jesus on facebook. (Not directly to platforms like this, but with the incentive structure)
Really, they're not just cashing in on the views of AI slop being put in front of boomers. They're cashing both ways; While the low end spam industry is merely guessing and iterating on whatever generates views, the more refined spammer does not leave the performance of their latest slop post up to chance, and just uses good old viewbotting. Viewbotting that these days, is mostly done on real devices. Which show ads, to the bots or underpaid developing world workers. Google and Meta'll still charge you for those impressions though.
The losers? People who sincerely try to use these platforms, and whatever idiot businesses are still paying for ads by the impression or click, rather than conversions that immediately generate revenue.
This kind of thing has been common for ages. Obviously AI has kicked it into overdrive, but it’s not darkweb kind of stuff.
Note that they do not mention any specific companies on that landing page. That is pretty intentional.
But realistically going after bots is expensive and rarely successful, so most companies don’t do it. Even if you find the guy, the chances they can be legally reached are pretty low.
It could be contextual, as in each user gets one anonymous id per domain name per day. Multiple uses by the same user at the same domain in the same day are linked.
But much of the purpose of these systems is to violate the public's privacy and exert as much surveillance and control as possible. If not for that schemes that mitigate the privacy loss would be a top priority.
Apple has their own remote attestation infrastructure and you will not be able to impersonate an Apple device without extracting private key material from the secure enclave of a legitimate Apple device or compromising Apple certificate authority private keys.
In the UK, the Department of Education guidance is that schools should be mobile-phone free. Students use computers to access the web fairly regularly. Guess that would be problematic then, since many schools policies is that mobile phones should be turned off and stored in your bag during the day.
> Recital 49 - Network and Information Security as Overriding Legitimate Interest
> The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems,...
It's funny how people after all this time think 99 Articles, 173 Recitals and a huge tech lobby equals a water-tight, pro-citizen, impenetrable privacy law with almost no exemptions.
I've kept a spare cheap android for too long and recently went with Graphene instead. I have one Google profile and only use it for Uber, work's Google Chat and maps. One bank refused to work (even with Google services) so I moved bank. I've moved most of my mobile use to self hosted (freshrss full text, password manager, calendar, tasks) with no direct internet connection.
It's a bit irritating but I'm glad I started down this journey because it looks more and more like I'm going to be avoiding the internet
My setup is similar and nearly 100% self-hosted, including email, files, AI. If something does not work on Graphene, I will do without it. I also have a Google profile, mostly for testing purposes.
I said it already in another comment, but if you care enough to use GrapheneOS, I believe you should not only "do without it". You should also complain to those services.
If enough people complain, those services will start caring. If all they see is "one user complains every 3 years", they will just ignore it. That's how it works.
Drop your sarcasm for long enough to see that "I won't use your app if I have to use Google" is not a complaint _to_ Google.
The bank I was talking about were the worst net loser of customers in the UK last year (around -8000) They are making excuses but maybe they would care about why.
Also, it works in practice. Some banks have fixed their apps after GrapheneOS mentioned that the app was broken. In some of the issues/reports linked at https://privsec.dev/posts/android/banking-applications-compa... there are even bank app developers joining in on the discussion (e.g. NL -> Triodos).
The consumers of google captcha will not care if on occasion some failing business attempts to enable graphene or linage users, the userbase of those users is not enough for most companies to care and the ones that do probably aren’t cared for by google.
I hate that this is the way it is, I’m a graphene user too, and I see a pretty bleak future for any unsigned OS, followed by a pretty bleak and authoritarian future for humanity.
Not to Google, and not to any of the TooBigTech, obviously. For those, we need to enforce regulations (that already exist but are ignored). As a user, the only thing you can do against TooBigTech is to complain to your government (if they can listen, e.g. in the EU there is a DMA entity that you can and should contact).
But for companies that are not monopolies, you can complain to them, and you can give them a bad review on the Play Store. Most companies are not in the business of screwing you: if they screw you, it's just a collateral effect. If you want to be on their radar, you have to make noise.
If enough people complain, then the company sees a need, then they prioritise. If they believe that "it only affects 1 guy who complained 2 years ago", of course they won't do anything... and I don't even know if I would blame them for that.
How have you managed to accomplish self-hosted email? I tried similar in 2022 and found it damn near impossible without business static IP or a cloud provider.
You can't do it reliably without a static IP in a non residential subnet that lets you set reverse dns. If you have a static residential IP and they don't filter inbound SMTP you can make it work with a smarthost/relay like mailgun. Its not the insurmountable obstacle everyone makes it out to be, but its not going to be free unless you already have an IP that meets the criteria.
If you don't have a static IP you need will want to think about a MX relay service too ~ although mail is surprisingly tolerant of offline MX hosts if you can wait a little bit for your mail.
My approach is to run a VPS with multiple static IPs that I (using Wireguard) tunnel to a number of virtual machines I host at home on a microserver. Likewise, the virtual machines' primary view of the Internet starts on the opposite side of the tunnel.
I have access to a commercial (non-residential), fixed IP. You could also use an outgoing relay as a compromise, since presumably the issue you are facing is other servers rejecting email that you send from a disreputable IP. That being said, you really want a fixed IP as a matter of convenience if you are going to self-host anything.
How often are your emails being marked as spam, for others? A few years ago it read like there’s a whole science behind avoiding getting flagged. Is this easier now with agents aiding the setup?
Not the person you replied to, and it's impossible to know with certainty how often you're in someone else's spam, but very rarely.
I had an issue with yahoo a couple of years ago that's all. The "it read like there's a whole science" is sadly a trope mostly repeated by people who have never tried because it gets upvotes on Reedit.
There are some steps you have to take, but not many, and systems like Mox mailserver or stalwart guide you through it, and mail-tester will check if you got it right.
Email, other than tweaking spam filters, is one of my lowest maintenance systems. I can't remember the last time I touched Exim or Mox config
You got me really interested here, I ran my own mailserver years ago and eventually just gave it up. I am getting rid of Google Workspace and have been planning a migration to Proton for two domains. But this sounds like a fun project. Any advice? I am going to check out Mox and Stalwart.
What providers are good hosting candidates, I have a website on DO, but from my understanding their entire ranges are blacklisted heavily.
If I remember rightly DO have some restrictions like port 25 on ipv6 outbound being blocked.
I can't speak for all of them but I use mythic beasts in the UK for one mail server (they are a very knowledgeable old school host) and it has been good. I also have dedicated with OVH which is fine, and a couple small scale (eg simplelogin, a notification server) with IONOS but they only deliver to me so I can't say how reliably they deliver elsewhere.
Mox is great but I think it's still alpha. I've been using it for 2 years in production for a small traffic domain. The other I use Exim (with mythic beast's Sympl that sets it up) but it's a little more hands on at the beginning
I imagine an agent would make a lot of the first time setup from scratch easier, but the fastest reliable way to get up and running is mail-in-a-box or mailcow. Before those were available I built a flurdy style Postfix+Courier+Amavisd+MySQL setup and have been evolving it ever since. Now I'm on Postfix+Dovecot+rspamd+MySQL but I don't think that's for everyone or even the best way to start.
The science of not getting flagged is easy when you're not sending large volumes of untrusted mail; it only gets complicated if you start hosting mail for "customers" or let your system forward mail unfiltered into gmail/yahoo.
Here's my hit list of universal things to configure:
* Start with an IP with good or neutral reputation, non-residential, its nearly impossible to fix an IP that has been burned by a spammer. (Network)
* Valid reverse dns for your IP matching your mailhost forward dns (DNS)
* Valid SPF record; -all (DNS)
* Valid DKIM; with sufficiently sized key (DNS+Config)
* Valid DMARC; start with p=none to test and move to p=reject once you're configured (DNS)
* ARC if you or your users will ever possibly forward mail (Config)
* Don't get your messages flagged as spam anywhere ever, filter outbound mail even if its just you. All it takes is one piece of malware and a saved password and you'll have to get a new IP. (Config)
* Don't configure services behind your mail server with example domains that you don't control ~ I get so much mis-configured test mail from people who think its cute to use my domain as an example in their practice lab. It all gets reported as spam or bounces and then their smart host bounce rate goes up. (Config)
* Test for open relay; only relay for authenticated users. (Config)
* Use strong authentication, preferably with certificates or MFA. (Config)
* Secure everything; IMAP/SMTP/POP are old AF make sure you're requiring STARTTLS and setup MTA-STS to prevent downgrade attacks and enforce encryption in transit. Use a real certificate from Lets Encrypt don't self-sign. (DNS+http+Config)
* fail2ban your auth, you're going to get so much driveby password spraying and credential stuffing; I fail2ban block entire subnets at a time with iptables actions. I also have a bunch of "poison pill" rules for weird stuff I see in my logs eg block anyone who tries to auth with the NTLM hash for 'password'. (Config)
* Don't bother with BIMI at home, you can't get a blue check mark without deep pockets and a trademark (vmc) and most platforms only show logos that have a matching vmc. (DNS+https+config)
* DMARC reporting and TLS-RPT reporting are a pain to manage but are helpful troubleshooting deliverability be prepared to read some XML reports or setup a stack to parse them as they arrive (DNS + Config + https)
* setup the SMTP Submission port (587), so many networks block port 25 outbound and its the right way for clients to connect. (Config)
* configure BACKUPS, don't skip this step, encrypted restic backups to s3 or backblaze b2 is cheap and easy. (config)
* track your configs in git, don't commit secrets. (config)
* configure a free blacklist monitor on mxtoolbox for your domain(s) (config)
If you do those things you'll be in a pretty good spot, you could probably paste that list/this post into your agent and vibe up solid mailserver.
For me keeping the spam and phishing out is a bigger hassle than deliverability issues. rspamd does a pretty good job of keeping it manageable.
I do all of those things and with all of that setup the only place I ever run into issues with with users on AT&T's residential broadband mail servers. AT&T appears to block you if you're not known to them and they have a short memory. If you don't have regular correspondence with AT&T users they will block you after a bit. I'm a fairly low volume sender so I end up blocked every other time I try to send to AT&T by no fault of my own. I've talked most of those friends off of AT&Ts free email and on to ProtonMail at this point.
A VPS or cheap dedicated is enough to get the static IP. I have very few problems with email, I use one VPS and one dedicated server though some zealots would argue a vps isn't self hosting
Halifax UK. It just refuses to work so I left it (Graphene is more secure, so forcing less security for the sake of tracking is off the cards). All the other banks so far say they won't work without Google services but if I click OK they work
Not OP, but I've been on GrapheneOS for a few years and I have no problem with Chase, CiT or Wealthfront. I mostly use them to check balances and unlock debit cards, but they all login and function fine.
> One bank refused to work (even with Google services) so I moved bank
Banks are implementing terrible "security" checks. Users of alternative OSes should be a lot more vocal: change bank, but also complain a lot to the offending one, and make sure to leave them a bad review on the Play Store.
Actually people not using an alternative OS but caring about that should also leave bad reviews to those banks on the Play Store.
At the end of the day, the problem comes from humans in those banks who don't understand and don't give a shit. The only way to make them care about it is to complain enough that it becomes their problem.
When I had a jailbroken iPhone my bank app (HSBC) would detect it and show a warning but let you continue anyway at your own risk, which I thought was a reasonable compromise
This should be the way. Have a tiny burner phone for maps and any apps that you absolutely can't use without google(it should be a tiny set of < 10 apps hopefully) until you can fully de-google
My current de-google project is categorizing all my pictures on my local NAS to create the memories feature (where it shows historic pics on multiple theme axes). You can get really far with just a few hours of work a month to de-google and some off the shelf image embeddings.
The hero project in this category — what one cannot do trivially as an indie dev — is creating a great fresh PoI dataset. This is tough to do on a planetary scale because its a societal cooperation problem.
The problem with this is gmaps. There is no alternative to it and by the nature of it knowing your location it removes anonymity. I would buy, or even pay a monthly fee, for something that is 75% as good as gmaps but respects your privacy but there is nothing out there I have found.
I don't get how Samba is not there yet. We already have everything in the OS, the UI, the mental model, the protocols, how come it's such a terrible experience that we need to re-invent the wheel in web 2.0.. Maybe we need a Jarred Sumner to fix it.
Samba has never been about file sharing over the internet. The project has been about cleanroom-reverse-engineering specific MS technology. To start it was NT4 authentication domains, then printing services, along the way SMBv1 (commonly incorrectly called CIFS btw), then SMBv2 v3.x, and then in 2012 Samba Active Directory.
In no way has it ever been about a functional alternative to something like Nextcloud. It's been about services primarily for LAN functionality, not stuff that should be going over the internet (mostly for security reasons).
So your expectations really don't align with what Samba has ever been about.
Source: I professionally support Samba for businesses.
I have nothing but issues with it, mostly because the iOS/Android apps are notoriously bad at syncing the files timely and also because of ridiculous filename restrictions on Android.
Is not the same though. It requires downloading the entire shared folder. That doesn't work when I have 100+GB of files and I want to share it with my phone
If you dont need filesharing, you can just setup wireguard, setup a network drive on your phone's files app.l, and then when connected it'll feel like native file browsing.
> People running de-Googled phones chose those setups because they read the data practices, understood what Play Services phones home about, and decided they didn’t consent.
This is wrong. Many (most?) users of alternative Android OSes do use a variant of the Play Services (be it sandboxed Play Services like on GrapheneOS, or an open source, reverse engineered implementation like microG that phones home just the same).
Google seems to be leveraging Play Integrity here, which requires that the phone OS is signed by Google. This is clearly anticompetitive, I hope the DMA will do something about that.
There is a fundamental tension here though - suppose DMA or something requires that online providers recognise reCAPTCHAs from non-Google-attested OS builds. What OSs can they safely trust?
Only ones that are difficult for fraudsters to use to generate bogus traffic. Whether or not those builds come from Google, they are inherently gonna be pretty constrained OSs. It's not gonna let you spoof your location or simulate user input.
I do think it's a problem if only Google can provide these attestations but even if that organisation problem is solved there is still a fundamental technologic problem here now that humans can't be detected by their ability to solve puzzles any more.
None. The first rule of network security is you can't trust the client.
All attempts at remote attestation of consumer devices are someone wanting to break this rule. It's always a mistake; the OS being on the blessed list raises the difficulty level for fraud a little, but serious fraudsters have already perfected workarounds.
Arguably anyone else who can provide a similar level of trustworthy authentication that they are not a bot can work with Google to get support. Fundamentally this is a trust based problem and only OS providers are even capable of building such systems. There are very few of those out there. The key is that the systems need to be locked down to prevent automation of input and that automatically disqualifies most android alternatives that the community likes. It's clear that Apple offers this capability though. I can imagine a more locked down version of Windows also providing this in the future.
Sites that use reCAPTCHA/Turnstile/etc. have already been broken for me for years now due to neverending captcha/refresh loops.
My ISP regularly changes everyone's IP, and I apparently share an ISP with people who suck, so I get flagged just trying to do all sorts of normal things. Some examples:
- I've never bought anything from Etsy but I'm somehow banned from even viewing their site at all.
- Discord immediately bans me any time I try to create an account.
- Can't buy flights from Delta, always gives a non-descript error.
- Can't buy concert tickets, it thinks I'm a fraudulent buyer.
- Most CF sites produce a "Sorry, you have been blocked" page, or just loop.
- Trying to buy products on a shopping cart will have my order silently flagged/canceled for "VPN usage" (I don't use one).
- Some sites/programs block me for being on the DroneBL or similar lists I did nothing to get onto, and have verified many times that it's not really coming from me.
I just take my business elsewhere... eventually I'll probably just stop using technology at all.
> Sites that use reCAPTCHA/Turnstile/etc. have already been broken for me for years now due to neverending captcha/refresh loops.
I had this problem recently with the Indeed website. (Cloudflare Captcha)
Thanks to someone on Reddit, it was discovered that anyone using a Chromium based browser (Brave, Vivaldi, etc.) on Linux was being punished.
Awfully frustrating having to set up a Virtual Machine just to be able to access one website via Firefox since even my hardened Firefox was being punished.
That's useless, in fact it makes you stand out even more. There are SDKs that can differentiate based on an awful lot of signals if your user agent corresponds to your actual browser version.
That's what Russian underground hackers do to create so called "anti-detect" browsers, which can emulate different browser fingerprints. But they are commercial and closed-source.
Almost would bet one or a few of your ISP's customers have their connections being used as residential VPNs.
I know people like to think of suspicious android box setups but even a lot of "free" apps, extensions and other such services scarily seem to do that duty these days. I'm sure I'm preaching to the choir here, but its sad how many people will use some free of cost vpn and not even think why that might be.
It's not only IP but entire browser stack is being fingerprinted: Javascript, http, tls - everything. I've been living in the SEA region on Linux firefox for the last 10 years and the web has been miserable due to cloudflare and recaptcha
He just told you, he used cloudflare WARP. It's a "VPN" along the lines of NordVPN et al, but by cloudflare, so it gets special treatment by cloudflare's walled garden enforcement system.
I’m guessing it’s all the same effect as CGNAT exit IPs. You need to get big enough to be unblockable. That’s why everyone is trying to get in on the VPN game.
This new reCAPTCHA setup is probably a good indicator that big tech wants to shift to verified access only. Personally, I’m just going to quit spending money via the internet and go back to piracy + retail stores with a physical location.
Turnstile feels bad as a user. Every site that I’ve seen it long will lock up Safari hard while it’s doing whatever it’s doing. But at least I haven’t run into more than 2 refresh loops.
This is why I ended up paying extra for a static IP from my ISP. While they always provided me with a public IP outside a CGNAT, I guess whole IP blocks were being targeted by these web security providers.
I guess my ISP allocates static IPs from a separate pool, and probably my IP block neighbors are better behaved (probably SMBs and other fellow nerds), aside from platforms learning that my IP is safe.
Nope, I have tried. Just as suspicious to them if not moreso because it's a datacenter IP and not residential. I even have a list of sites I've tried to visit that were explicitly blocked from datacenter IPs, and that file has over a hundred hosts in it now.
archive.is just asked me for a QRcode scan, I'm so ashame of that crap (it's behind Cloudflare), forcing website visitors to KYC? Are you guys insane!?
the web is ruined if you push for this, this is millions of websites that will suddenly force KYC? What...the...f
By KYC, obviously it's because there is very few non-criminal ways to have a SIM without KYC and get a Google account for Playstore without a number, so every website visits will be attached to a real ID.
I don't use a stock Android, right now I literally can't access many websites, this is genuinely crazy.
Interesting, the text says "reCAPTCHA doesn't share your details with this site", but it says nothing about sharing your details with Google. Which means yes?
Naturally, "Your data is private[ly] and secure[ly stored in plain text on our servers so that it's only accessed by us and shared with the advertising partners we choose]."
Their squabble was to claim that Cloudflare wouldn’t let them collect identifying information about the original requestor. No doubt they’re thrilled by this change’s identity exposure.
I just tried using archive.is on my non-degoogled phone using IronFox instead of Chrome and could not pass the recaptcha. Actually it presented me the mobile attestation on second try, but I was able to switch to images again. But I am also unable to pass that one with the tracking protections built into the browser. Hopefully some 'serious' website starts using this so I can bomb their customer support.
For me this archive.is thing has been unusable for a long time already, because they rely on Google Captcha for a long time already and I block Google shit by default. Allowing Google is probably equivalent to showing them your id, due to fingerprinting in the name of "safety". That's why archive.is is not helpful and usually just a tab I close again right away.
Even crazier is that there is nothing preventing agents from not using this. The hardware, signing, etc. can all operate as part of an autonomous agent stack. There is no benefit here to anyone.
Haven't you heard? Accessibility is woke, and the institutions that are supposed to protect it are being dismantled. I wouldn't be counting on those lawsuits going anywhere personally.
Google has already been crippling the audio CAPTCHA access for many years. If your trust score is low enough, the visual challenge is ridiculously slow and noisy, and pressing the audio challenge button will just give you an error saying "To protect our users, we can't process your request right now", accessibility be damned. Where are the lawsuits? I want to believe there are still forces that would create hell to pay for doing something so evil, but I'm not seeing any.
I think this is just gonna make viewing internet without a phone significantly harder especially with archive.is and the likes.
Not sure, how relevant this is to the discussion but if it helps, I have made a project[0] which allows to archive archive.is pages on archive.org/wayback machine (this uses singlefile)
Perhaps something like this can be used by community at scale too. Also, I hope that archive.is does something to fix this issue of requiring QR code and hopefully it doesn't become a permanent issue.
Never understand this anymore, it's genuinely one of the easiest services to pay to bypass automatically (literally 3-liner of JS), webmasters are becoming incompetent.
Sometimes, people just do dumb choices, there is nothing to understand except plain lazyness, there is better captchas, free, non-invasive, more secure, GDPR compliant and so-on that are also not covered by captcha-solving providers, so what's the positive argument about reCaptcha?
I was involved in evaluating captcha solutions. The only recaptcha alternative that met the requirements that we were able to find has hcaptcha, but it wasn't any cheaper (for us), and would require going through the vendor approval process, whereas google was already an approved vendor. There wasn't really a compelling reason to switch.
Maybe there is a better option out there, but if so, it has the disadvantage of being hard to find.
You really think it's the reason? I've worked with many developers, and they use reCaptcha just because they are used to it and did it in the past, I doubt customers love the "reCaptcha branding", to the contrary, nicer captchas (or even invisible ones, even better) improve retention.
reCaptcha is "invisible" by default. Although if you use a non-cheomium browser and/or block tracking, you are more likely to trigger a non-invisible prompt. Annoying as that is for people like me and maybe you, that isn't the experience most users have.
i wondered the same earlier and i am pretty sure they are just mimicking cloudflare's validation page. no way that cloudflare is paying reCAPTCHA when they have theor product, turnstile, available.
Seriously? I didn't realize this was already happening. FWIW I still got the old captcha testing that site, and I often get flagged and blocked, though it's possible you're doing better.
It's a move to block competitor AI agents while securing access for your own, classic ladder kick. The market for autonomous agents providing services and doing online work will be gigantic so, unless you want your own bots locked out from ie properties guarded by Amazon, CloudFlare, Microsoft etc., you will need a bargaining chip.
As someone that uses AI agents, this makes me want to install a browser plugin for "public windows" that just archives everything I see, and then farms out clicks of content that are missing from those sites.
The result of this would be to upload it all to a bot-friendly alternative to archive.org.
Nice, I understand it is similar to ArchiveBox + its web extension.
Now to be honest, while it's optimal to archive pages from you browser view I am not sure I want a random web extension to be in everything I see from a security point of view.
I would rather have a local proxy doing it. Maybe something like the InternetArchive warcproc [0]. Haven't tried yet.
for a short time i had warcprox sitting behind my firefox and auto feeding its output to pywb, it seemed to work but i had connections failing randomly after having warcprox running for more than a few hours~days. not sure if it's an issue with pywb or warcprox but there were some urls missing that i did browse on firefox, and many dynamic pages couldn't be replayed at all.
I would love to see someone challenge this as an anti-trust violation. Google is using its market power (as the provider of reCAPTCHA) to actively prevent devices that don’t use Google Play Services from competing effectively.
I'm not sure the definition of anti-trust matches what you're saying. Are there any retail android devices for sale without Google Play Services? Also, notably iPhones will be able to still work despite not having Google Play Services.
Retail phones for sale without Google Play Services:
All Huawei phones, which uses Huawei AppGallery after sanctions
FairPhone 6 /e/OS
Practically all modern feature phones: Nokia phones, HMD phones, etc. As I understand it, predominantly used by elderly and kids. But it's also gaining traction among millennials and Gen Z for digital detox and defeating mobile addiction.
Linux phones (Jolla Phone, PinePhone, FuriPhone, etc) - these you probably won't find in your local retail store but this is another competing platform being built from effectively an entirely different lineage minus the kernel
They're using their position to force people to buy a certified Android phone or iPhone in order to use millions of websites Google doesn't even own. People without a phone, people with dumb phones and alternative operating systems (deGoogled Android being just one example) can be totally cut off.
It's worse than forcing the Play Services: strict Play Integrity requires your system to be signed by Google. So if you use the Play Services on GrapheneOS, you're still locked out.
They're only doing that because the EU currently doesn't want to antagonize US any more with their tech fines. Noticed how there hasn't been any as of recently?
> April 2025: Apple fined €500 million for failing to comply with "anti-steering" obligations. Meta fined €200 million under the Digital Market Act for requiring users to consent to sharing their data with the company or pay for an ad-free service.
> December 2025: X fined €120 million under the Digital Services Act for breaching transparency obligations.
(Sure, not this year, but that's pretty recent by most standards. And not sure if they're still being contested and unpaid)
Alternative explanation: they're following the Meta playbook of releasing surveillance features during a "dynamic political environment" that's keeping their opponents distracted.
I'm failing to see why they didn't just adopt Private Access Tokens (not that they're great either), where they could have at least:
- pretended that it wasn't all about invading peoples' privacy.
- done a good ol' fashioned "but Apple does it"
- pretended to be standards-oriented
- advertised it as something completely transparent to the end-user
Seems like that would've caused a lot less backlash while still achieving the goal of having some form of device attestation -- but I'm guessing that's not the real goal.
It doesn't fundamentally solve anything. You want to be able to identify a specific person or at least a relatively expensive device so that if you ban them they stay banned.
This is the exact method used to secure iMessage against spam: secure attestation and ‘console’ bans of devices (reversible by iirc phoning support, indicating who you purchased the used device from, and providing an ID). But Google is trying to pull a Windows 11 “TPM or die” conversion on the public Internet via Recaptcha. Welcome to the attestation wars, unwitting websites :)
How you know this is a monopoly is that if you go on their documentation website half the video is how this rolls into Google Analytics.
This is using another product to reinforce the search and ads monopoly.
You can’t scrape content to build a better google or Gemini, you can’t make an OS to compete with Google or Apple, and you can’t make a Google Analytics competitor.
I agree. There are pretty clear grounds here to think about opening an investigation here into illegal tying, or a misuse of market power. Not sure if the FTC maintains a presence on here, but if you're listening...
This isn't just about weirdos (like me) who run GrapheneOS. Huawei phones don't have Google Play services installed, or Xiaomi phones with MIUI China. That's what, a billion and a half phones that can't get to your website now?
Amazon tablets don't have Google services either, which hints that the upcoming Amazon phones also might not work with this.
If you need access to both apps from China and websites/apps from outside China, non-Apple devices have been difficult before this, primarily due to push notification infrastructure.
This makes it more difficult. But I don’t think it matters given how difficult it was prior to this.
Using apps based on Google Play Services may be impossible on those phones out of the box (not sure), but websites have no such dependency and most people don’t give a crap about push notifications from PWAs anyway so whether FCM works with the device matters little. Also doesn’t the web push API support different push services at registration time so those devices’ browsers can register their own vendor push server? (It’s been a while since I implemented web push myself, memory is fuzzy.)
This is blocking access to websites wholesale, so it’s on a whole different level.
I have a good friend who doesn't own a cell phone. He's a math professor. Every year he keeps living life without a smartphone, I continue to be more impressed. Things like this makes me feel like he might have to eventually give in. https://archive.is is now serving, via Cloudflare, this QR code backed CAPTCHAs. There seems no way to get past them without a smartphone. Sad times. I wonder at what point even basic government services will essentially require a smartphone.
I envy you. Before I degoogled my life, I tried going all in to no smart phone. It didn't last very long. I still would like to get there, but considering how difficult and slow it was just to degoogle, I anticipate that it may be a long time before I can operate without a smart phone.
The main thing that makes me think about getting a smartphone is navigation. But I never lost the skill of "looking up/writing down directions before you go" so it's not too bad.
(My phone is technically Android, but really old, not a touchscreen, you can't install apps, and most websites don't work in it, so... basically a dumb phone. But I did write a map web page that works in my very specific situation: https://lab.brainonfire.net/classicmap/ But mostly I just look up directions first and pay attention to signs, and the web page is a fallback that's nice to have.)
No cell phone period or no smart phone? I'm not sure how people manage the former. Do you have a home with a land line? What do you do when you travel?
Eww. Ok, so, I’ve used reCAPTCHA on sites I maintain at work, just on forms to prevent excessive bot spam submissions. No way do I want to subject users to this BS, though. Does anyone have recommendations for other decent captchas that could be used instead?
Bots are usually very stupid and will bail on any captcha system they don't recognize, so anything you make that's custom and requires javascript will cull 99% of them. This may change at some point with LLMs but for now my websites at least are still holding strong.
in my good ol' days I just sent a screenshot to 2captcha for grid of the entire captcha iframe which means that the solvers would have to figure out what to do instead of having to write code for each different type of captcha. to solve their new rotating puzzles I would just capture them at 50% opacity twice and change the prompt to pick the highest brightness object since 50% opacity would dim the moving elements.
Given the way Google is going I'm not sure if my next phone will be Android. I am fully aware that I am probably in the minority here. For me the trust is entirely gone.
Possibly... but the extension of this to Android and Apple is going to be the entire internet shuts you out. And everything else will be a giant Dead Internet crawling with bots.
The sites that require you to log in are precisely the same ones that are crawling with bots. The personal internet or "small web" is, and still will be, full of real content. There are also lots of bot websites that are trying to be small web, but since it's an actual social network and not a giant pool everyone pours stuff into, they don't get traction. If you do find a website that seems to be human but links to a thousand AIslop sites, you'll stop following that guy's links.
What they mean is those are the sites that will require attestation. It's pretty quaint to think that people who don't like bots would rather play wackamole with bots when they can just flip a switch and they're gone.
I have to see. As much as I don't like Murena and /e/OS, they seem to have some clout with the EU/EC. Given that they are using microG and also hit by this, they might be able to nudge the EC to act on this.
Also, personally I care less and less. As long as my banks and government apps work, I'll just not use somebody's service if they put up barriers like this.
> Also, personally I care less and less. As long as my banks and government apps work
If most people care less and less, the result would be that banks and government apps will also work less and less.
Look, companies have to prioritise. And the obvious way to prioritise is to say "users are requesting X A LOT and nobody requests Y, so we will do X". Companies never, EVER say "it would be more ethical to do Y, let's do Y".
As people, we can do two things:
* Push our governments to regulate that shit. That means, complain a lot to the government.
* Be vocal to companies and complain when they don't support your system. If enough people do that, it will be prioritised.
The hardware attestation (which is used by strict Play Integrity) checks the signature on your OS. It is totally possible to allow signatures other than Google, but Play Integrity doesn't do that.
Companies could totally decide to use hardware attestation and accept systems signed not only by Google, but also other systems (like GrapheneOS). But they don't care because not enough users complain to them.
Users of alternative Androids typically silently move to another service or stop using it entirely. Which is understandable but doesn't help the cause.
Both are terrible for privacy so it comes down to which one has a nicer screen now. :(
I'd rather have Google check an Apple phone attestation than have Google check a Google phone attestation, and vice versa, though, because you can assume each company is trying to keep as much information private to themselves instead of giving it to the other. Google is probably just getting "yes it's an Apple phone" and some kind of temporary token, instead of my IMEI, IMSI, phone number, all signed in accounts, biometrics and so on.
Also, Apple sells themselves as a privacy company, but often pick (possibly intentionally) insecure defaults. E.g. you might use end-to-end encrypted chats, but by default iCloud backups are not end-to-end encrypted, so law enforcement can just request your backups/chats from Apple. If you are vigilant and enable Advanced Data Protection for E2E iCloud backups, it probably still doesn't matter because the people that you communicate with probably do not have ADP enabled.
Besides that, they are enshittifying in the same way as Google. Ads in Maps, Ads in applications that you get with the OS (Apple Creator Studio ads in Keynote, etc.), Ads in your system settings for Apple Fitness+ (really).
At least Pixel phones and soon some Motorola models have the option of installing GrapheneOS.
Motorola + GrapheneOS next year could be an alternative. So far they've been relatively insulated from the changes that have been coming down from Google.
Motorola won't change a thing about hardware attestation. GrapheneOS is locked out from reCAPTCHA because GrapheneOS is signed by GrapheneOS and not by Google.
The way it's going, by the time the Motorola + GrapheneOS phone is out, it will be a lot more painful to use GrapheneOS than today. Not because of GrapheneOS of course, but because everybody accepts that bullshit Google is doing.
If you're waiting for Motorola + GrapheneOS, you could start complaining to banks and other apps that don't support GrapheneOS :-). If enough people did that, maybe those companies would consider it.
In the meantime, I'm currently using a low end Motorola moto g 5G 2023 which lets me turn off Play Services. Chrome and the Google Calendar don't run (really do need to find a replacement calendar), and I couldn't be happier. Motorola's interest in GrapheneOS makes me wonder if they did this on purpose.
Or if you need it now, Pixel + GrapheneOS. Pixel A-series are really affordable. E.g. the 9A is 350 Euro here, have great device security (Google Titan M2 hardware security processor, CPU that supports MTE, etc.), pretty good cameras/camera processing, etc.
I'm inclined towards keeping an ancient android for those apps that require it, and maybe something open for actual use. Or perhaps a crappy old android for android and a small non-android tablet/laptop for daily-driver stuff, which always works better as a computer anyway!
I'm also becoming open to using software that lies to google about what it is :) Google will treat us like sh*t, why shouldn't we reciprocate.
Almost completely unrelated, but I recently helped out a very confused family member with deleting not one, but two Google Cloud accounts they had no idea existed, and that they only learned about from an email referencing reCAPTCHA getting integrated into some other Google product offering.
I have absolutely no idea what happened there. My best theory so far is that they clicked on some really, really wrong buttons when solving a captcha themselves while logged in to their Google account in the same browser. Bizarre.
The projects were named after a Google Doc they'd recently worked on (or a .docx attachment they'd received?) though, so my other guess is that they somehow created a Google Docs macro or similar by accident?
Everyone, including Linus Torvalds, who rejected Stallman as too political or ideological, and advocated for "pragmatism" instead, is part of the reason we're where we are today. And it's going to get a lot worse, before it ever gets better.
Even if we accept your premise, laws don't just appear; they are an organized response to a recognized problem. But everyone has been sleeping on the problem lurking in our infrastructure, undermining any impetus to enact such laws. And the people screaming from the mountain top (like Stallman), trying to raise awareness, were routinely mocked and marginalized by those all too happy to accept convenience and expediency, over more sustainable values.
I wish Linus had adopted GPL v3. He had the power to stop this madness from big tech, but he sided with them. It just reveals that he never fully understood the reason for the existence of GPL in the first place.
> He had the power to stop this madness from big tech, but he sided with them.
He (Torvalds) had no power to do anything and sold out. Even if he did, big tech would just go and use BSD.
For over a decade both Torvalds, and Stallman sold everyone out. They don't make their money directly from "free software" or "open source" in the first place.
Stallman was right in that he knew digital surveillance was going to happen, but he was incorrect in believing that FLOSS was ever sustainable economically and especially with AI replacing the developer and that big tech and startups are weaponising that against them.
Even when Stallman is against AI, he doesn't care. He knows he doesn't make money from "free software"; but only by speaking about it. Torvalds is the same but likes AI.
What do you define as selling out? Having a different perspective from your own? There are many legitimate reasons for why someone can believe the opposing view points. Devolving into us vs them rhetoric is not conducive to a reasonable conversation.
>> They don't make their money directly from "free software" or "open source" in the first place.
>> He (Stallman) knows he doesn't make money from "free software" but only by speaking about it. Torvalds is the same...
My (unanswered) question:
> Can any other developer do exactly that in 2026?
To avoid repeating myself, the point is the majority of these typical developers do not have the level of influence that both Stallman, and Torvalds have to make a lot of money from their open source projects, especially in the age of AI; making it pointless to maintain such projects.
I did read your comment, but making money from speaking about software is not selling out to me. Is that what you meant?
I think open source works best when folks don't expect to make money off of it. I don't think Linus or Stallman expected to make money off of their free software. In some cases you might be lucky and able to get consulting contracts from firms related to your open source code but it's not reasonable to assume that will happen. It's possible it's harder to get lucky today than before but it was always unlikely.
GPL v3 specifically requires the vendor distributing the GPL v3 components to allow the user to change the software on the end user device. This means no more locked bootloader. We would have had choice to install custom Android distributions and thus less Google monopoly.
It was always possible to install Android alternatives, GPLv3 has nothing to do with it. I have nothing against GPLv3 of course, but this is just not true.
Remote attestation is the thing preventing the app from running on your Android alternative, whether it's GPLv3 or not does not matter. GPLv3 does not say "it's illegal to do remote attestation".
One thing I hope we've all discovered by now is that, if Stallman hasn't been proven right at the present moment, on any topic that touches on libre computing, is that it's only a matter of time until he is
I did something unpopular and just didn't have a captcha, I just read up on creepjs etc and rolled out my own which is just browser state analysis, basic ip check (abuse lists only) and PoW. Haven't had an issue with a single bot registration (yet).
A simple captcha with distorted characters + some hidden form fields would stop every single "opportunistic" bot.
There's hardly anything you can do to stop someone determined enough to spend money to spam your specific website. These kinds of captchas do raise the bar somewhat, but every single one of them is ultimately bypassed by paying people to solve them for you.
I rotate structures every request I made it explicitely hard to automate and I just raise the PoW during attacks. It's always about reducing volume rather than preventing it and a million registrations later it's still holding strong.
bots get pruned after an hour since 100% of the bots fall into the same trap, giving it a delay makes A/B testing really difficult and breaks most AI strategies.
Does anyone know what changed in iOS 16.5 that made Google stop requiring the app? To me it seems to correlate with Private Access Tokens, aka remote attestation by Apple. https://developer.apple.com/videos/play/wwdc2022/10077/
Possibly. And possibly the fact that breaking experience for iOS users would result in a massive backlash, while the volume of non-iOS/non-Android users is negligible in comparison. Some of them will convert to mainstream OSes, the rest will succumb.
You will also see this page if your smartphone is degoogled and you try to open the reCAPTCHA attestation URL in a web browser instead of in Google Play Services.
For Decades the huge tech companies basically faced no adversity whatsoever. Now for the first time in their existence the massive returned investments in AI they are experiencing ... we will call it pain.
I would say it will be interesting to see what they do but I think rent-seeking, oppression, human rights violations would be more apt.
They were of course trustworthy proviers while they were untouchable but now I know how things are gonna go.
I don't know why reclaimthenet hasn't embraced the obvious answer: Simply create a new smart device operating system with a fully disentangled cosmos of programs, libraries, APIs, app SDKs, hardware partners, drivers, trust networks, carrier agreements, app stores, documentation, conferences...
Same reason as "make another (better) windows" is very difficult - almost everyone wants to be able to run existing apps and drivers, so you're forever playing compatibility catchup with android (or windows).
That's the reason companies are desperate to be first/biggest - once you're it, you're it until you finally fall on your face and dwindle to a nobody.
AOSP is open source. There are plenty of AOSP-based systems (starting with GrapheneOS). No need for a new one.
The thing here is that Google is building technology to prevent alternatives from connecting at all. We fundamentally cannot solve it by building more alternatives, we have to prevent Google (and TooBigTech in general) from doing it.
> Simply create a new smart device operating system
Why does it have to be new? Plenty of open source OSes exist... starting with Android! GrapheneOS is based on AOSP, you would call it Android. If I show you a phone running GrapheneOS, you probably won't even realise that it's running an alternative OS: it will be Android to you.
The problem is not that we don't have alternative. The problem is that Google is moving towards forcing everyone to run their OS (or the OSes they accept, since it includes iOS) to connect to random stuff on the Internet. They are literally building technology that will prevent alternative OSes from running properly.
No need to create new OSes if anyway they won't work, right?
How about consumers paying a little extra for their device? The way it's going, add sponsored big tech is dieing because click fraud detection is becoming too expensive. Either we give up privacy and track every user, or we let bots have at it, stop targeting ads to users and bill advertisers on bandwidth.
if you think consumers will pay more for the vague notion of privacy i have beachfront property in kansas to sell you. most normies either don't care ("I have nothing to hide ... do you?") or gave up already ("china / the government / big tech / all of the above already have all my data, why would I care if it's a bit more? what are they even going to do with it?" (sometimes, even "i like having relavent ads!")).
at my most pessimistic i can see a world where consumers pay MORE for attestation to continue to opt-in to society, or perhaps a ai-bot-free digital world.
Your privacy is dead, and you cannot do anything against it, except not using phones and internet... at all. I mean I still fight against it, but not by protecting my privacy by using tools, or using different tools, because I realized it's not possible. There is no "as less data as possible". They know regardless.
I used VPN, browser containers for everything, myriad of fingerprinting protection, nothing related to Google/Facebook/etc. And then I went up to Youtube once for something, and they knew exactly what were my thoughts at the time. That was the moment when I realized that I suffered for nothing.
I still support for privacy movements, and I strongly believe that the only place where we can do anything at this point is politics. You can't protect your privacy anymore at this current environment, that ship sailed decades ago.
My problem is that basically every larger for privacy push is against newly proposed laws (like age verification), and there is basically no large uproar regarding the current already fucked up laws.
GrapheneOS users (and actually just citizen who care) in the EU should complain to the DMA team [1]. As with everything: the more people complain, the higher priority it gets.
I recommend every EU citizen to do this. Don't send a pre-canned message or an LLM-generated message. Write your own story and how Google (and Apple) are destroying competition and freedom for you as an EU citizen.
Even if you are a GMS Android user, they are going to make installing apps outside the Play Store much more annoying and these attestation-backed verifications are going to further deanonymize you.
A parallel, fully public and accessible internet being widespread and available for anyone with a slight tinkering kick... Could actually be really awesome.
Let the commerce-driven, corporatized hellhole that the modern web has become eat itself.
How do personal blogs deal with the HN hug of death? In this increasingly-utopian vision, I imagine that being more widespread than (paid) DDOS attempts. There won't be any money to be made (banks, Paypal, etc. won't trust the "parallel web") and with the proliferation of synthetic training data I'm not sure how useful a target a bunch of blogs and smallweb sites would be.
> I love the vision, but I do wonder how the parallel internet will deal with DDoS levels of bot traffic.
Something that makes it expensive to initiate a connection and cheap (relatively) to accept or reject would probably help. I think that’s a hard problem though.
I’m not talking about the network itself but the servers on the other end.
I guess my point is that while Google is definitely malicious, I don’t think every site using recaptcha is and if we expect them not to use that tool there should probably be an alternative.
I think SV was asking what onion services, which can't really use recaptcha, do to prevent the DDoS storm.
And I would imagine the answer is obscurity, since the dark web isn't nearly as well-mapped as the public web. That and some Anubis or other PoW would probably go far.
> Tor does it by being so painfully slow an unreliable
I do 95% of my web browsing via Tor Browser and it is very tolerable, most circuits are fast enough for 1080p video (Youtube, Twitch livestreams, etc) without any buffering.
Of course this is a single tor circuit with an exit node, so speeds are slower when going directly to .onion sites, but the only real slowness comes from the latency and not throughput.
TPM with things like Heads are borderline zero security and theater compared to actually decent implementations on Android/iOS platforms, I doubt the big companies would rely on that. TPM in general on non Mac/Chromebook PCs is mediocre even from big OEMs.
On becoming anti Google, I blocked Google's ASNs (shortcut to block all their IP addresses) on my router the other day as an experiment. It's a little eye-opening.
Obviously you immediately realise just how often you !g in DDG, use Google Flights, YouTube etc. Ok easy enough to fix
Then of course I can't use Play Store (Aurora didn't work either) so my phone would have eventually become quite obsolete
You can't compile many Go projects because the dependencies are pulled from Google
And if you had ALL of Google's ASNs that would include GCP and that's a whole other level of being cut off
> Lawfare is the use of legal systems and institutions to affect foreign or domestic affairs, as a more peaceful and rational alternative, or as a less benign adjunct, to warfare.
The parent is musing on the impossibility of Google being held accountable, as the government largely assents to this plan and will ostensibly use it for social control during times of protracted warfare (eg. right now).
I don't use Android right now and haven't used Google'd Android for almost a decade. And I won't. If this is the hill I die on, so be it.
I'm not going to use any sort of hardware attestation, especially one controlled by Google. You shouldn't either, even if you have an unrooted Google-certified Android phone.
It's all fun until you can't get paid because some fintech app doesn't work. That's why we need regulations. I don't see politicians ever going against an advertising company when they're customers.
Indeed, I generally favor being conservative with regulations because they can genuinely impede progress and can be really hard to change or remove when they're bad, but this is an issue that we need regulation for. It's just too much in the interest of big tech to lock us down and strip us of our freedom of compute. Short of regulation.
Unfortunately I see the regulatory environment more likely to go the other way of requiring attestation. I sure hope I'm wrong.
An easy first step ahead of a full ban would be insisting that hardware attestation never be used as a gate to access government services. Most other things I can vote with my feet, but viewing my tax returns or renewing my passport are things that can only happen in one place.
This is really the most important thing for me. I don’t want to be obligated by law to use some identity or attestation service tied to big tech. I might be ok with my bank handling it because they already require ultimate trust, but not if they simply defer to big tech or implement infrastructure on foreign ccTLDs (id.me, verified.me, etc.).
I’m Canadian and watching our government sell our souls to American tech companies is beyond scary.
Yes, Canadian here also and I feel the same. I'm pretty heavily Googled these days (gmail, gphotos, Pixel 10) and I work for a US tech company, so maybe I'm kidding myself that it matters much for me personally, but I'd be pretty sad if I ever found myself unable to access any level of government service because I didn't have a Google or Apple smartphone that I could point at a QR code on the screen.
One unfortunate aspect of the entire problem: Go back, let's say 10, 15 or 20 years, when forces were a bit more balanced than today. When all these issues were already quite obvious, but probably somewhat easier to solve. The same people that cry loudly today were completely ignoring all these issues. Actively. And when someone came up with them, that guy was just an idi*t, disturbing the good mood. Right? I can still remember all the conversations that I had, or that I read. Today, they'll deny that and still call me an idiot. Anyways...
PS: Sure, there always were a handful of exceptions. If you are one of them, you know what I'm talking about. I don't refer to you. But to the other 99.x%.
I saw a lot of people get told they were too dumb to understand how the app stores or Adobe subscriptions were a good value proposition. A lot of people rolled in the mud and now they’re upset their clothes are dirty.
If it didn’t affect those of us that tried to resist, I wouldn’t care, but we got dragged along unwillingly and now it may be impossible to hit the brakes before corporations control everything by usurping control of our identity systems.
The AusweisApp is Open Source and available on Windows, Linux and even FreeBSD too. You just need some NFC Scanner that works via USB and then you can use it without a mobile device.
https://www.ausweisapp.bund.de/open-source-software
"Not using" doesn't make any noise. If you just "don't use", you will just use less and less stuff.
Google doesn't give a shit, but smaller companies are the ones using reCAPTCHA and that kind of shit. Consumers need to complain to those smaller companies. And citizen need to complain to their government, if those case. In the EU there is the DMA: https://digital-markets-act.ec.europa.eu/contact-dma-team_en.
What's sad is that the few citizen who care are often complaining against regulations. And it is the lack of regulations that got us here. We need antitrust, period.
One positive thing about tools like Claude is that I can finally do things where I had originally no time for. For example I asked Claude to debloat windows. Remove everything possible. From firewalls to notepad to uac to whatever. I also asked Claude to root my pixel phone and install another OS. I also asked to install pihole on a old Mac to serve as a dns and block all ads. All this took maybe an hour of my time.
Is there a way to just ban all these sites? Like a firefox plugin or whatever that detects this crap, and just bounces over to some place more reputable, like archive.is.
This tyrannical and selfish, evil corporation, needs to be broken down. These are not accidents. Just remember how Google killed off ublock origin via a lie:
Doesn't surprise me — I've hit undocumented Android Chrome behavior too while working with the Vibration API (more advanced usage by a very large margin). The browser/OS layer on Android has a lot of silent, unannounced behavior.
To be fair, there are already apps that require a mobile phone to sign up, for example, VK, Telegram. And I think Google requires to scan a QR code to register account, so it is easier just to buy a Google account on a black market if you need it for some purpose.
I think you and I move in very different social circles...
I would have no idea how, nor desire to purchase a Google account on the black market, and I do in fact still trust that my web browser can do TLS correctly.
"easier just to buy a Google account ...." for those who would choose to do that in quantity. That is, the scammers and fraudsters for whom this is a financial decision. Which suggests that Google's latest moves shift the needle only slightly against actual abuse at a huge cost to the rest of us.
"Nobody trusts web browsers ..." applies to the publishing side. Content (that is, advertiser) sites and commerce most especially. The prove-yourself hoops that those opting out of that approach (de-Googled Android, privacy-hardened browser, alternative OS) must deal with are mind-bogglingly insane, speaking from personal experience. The Web no longer brings joy.
Incidentally, Google plays strongly in the second space, such that its incentives are aligned with pushing people into the "Google Play Services" ecosystem, and to both its own browser and ad-tech personal surveillance tools.
I meant "corporations do not trust users who register from a web browser and not from a mobile app". Without a mobile app (which allows to collect more hardware identifiers and spam you with notifications) you are not welcome.
Sure but how do I know that the person I'm buying from legitimately owns the account? Won't scam me? Or try to con me out of my existing account? I'm just saying not everyone is as relaxed about that sort of thing.
The price is about $2-3 so you are not risking much, there are reviews and ratings. Of course there are scam sites, but once you buy several accounts you quickly figure out which ones are scam and which are not.
Re: stolen accounts, you can examine account details, history and activity after purchase, check for emails from social networks and return stolen account to the owner. The posting usually also mentions registration period (new accounts are unlikely to be stolen). But it seems that registering new accounts is cheaper than stealing - old accounts are much more expensive.
I didn't use the account for any illegal activity, there are just sites that use Google Account as a "verification" that you are not a bot, and to issue bans. And I am not interested in jumping through the hoops of searching a locked smartphone with Google Services and filing a visa application to register the account. I strongly dislike proprietary software and locked smartphones.
VK has been digging its own grave for quite some time now. Hardly anyone uses it any more. It's speedrunning enshittification with that registration thing but also with the very unpopular post redesign, the removal of custom news feeds, and most recently with shutting off most of the API access for third-party apps, including popular client apps like Kate Mobile.
Luckily Google reCAPTCHA seems to be dying. Almost everything uses Cloudflare Turnstile, hCaptcha, or some form of a PoW challenge now.
I'd go as far as to say that still having Google reCAPTCHA on your website is a sign of your website being unmaintained. Half of them even have the "reCAPTCHA is changing terms, take action" text on them.
This move will cause the last users to stop using it, and reCAPTCHA will be on the "Killed by Google" list in a year or two.
I don't know what services a TPM chip does provide. Wild guess, some private keys, hidden to the computer user, are used to sign stuff and/or encrypt ?
that reinforces me using HarmonyOS - nothing against Graphene btw -. It's impressive how difficult is to actually use any platform apart from the stablished ones normally these days.
I worked at Google. I know there are tons and tons of great and well meaning people working there. This is the kind of thing that would make me crazy.
People there be like, “but I’m not evil! I’ll never do anything bad with all of this incredible power!”
But if you create a nuclear bomb, someone unsavory is going to wrest control of that power from your stupid little painted fingernails and destroy the rest of us with it.
How about, don’t make an effing privacy nuclear bomb if you don’t want to contribute to making the world more evil?
Create your own. Captchas have long existed on the internet. Start your own Captcha As A Service. If you've not seen the dark net some of their QR checks are inquisitive.
It feels ultra sad that "developers" think they need to use reCaptcha? What is this lazyness, it's not even good on top of that at what it does, recaptcha cost less than $1/1000 to solve automatically, it's also slow, crappy, bad UI.
Even competent people got completely brainwashed, crazy.
Developers implement what they are told to implement. People who make those decisions in companies just don't give a damn, they will happily use whatever is easier/cheaper. Usually something from TooBigTech, sponsored by surveillance capitalism.
We told you. You dismissed it, and thought we were just crazy conspiracy theorists. Too brainwashed by the mainstream propaganda about "threats" to see the truth. Now they're even more emboldened by how much they can herd the sheeple, and showing their actual goals even more clearly.
Spread the news, tell everyone you know, before it's too late. I wish we won't have to resort to even more drastic methods in this fight.
"Those who give up freedom for security deserve neither."
The rebellion will not spread online, in the space controlled by these bastards; but offline, outside of their control. I'm telling everyone I know, and you should too.
After all the surveillance capitalism abuses over the last 2-3 decades of Web, it's a little late to be pushing back, but... should we start shunning individuals from companies who implement this?
Whether it's from companies that create the tech, or companies that use it.
In the orgy of money, we've had a kind of industry-wide sociopathic convention of individual engineers considering it perfectly OK to further surveillance capitalism.
Can we reverse that?
If someone says we can't, because "everyone does it", are they saying that we're a field of baddies?
We cannot rely on millions of individual workers to take expensive stands on principle. And they shouldn't have to.
It's an essential duty for lawmakers and regulators to design the rules of the marketplace in such a way that wealth flows to those who do genuine good for the populace, and to designate certain tools and practices as off-limits because they are incompatible with our society's core values.
Google's actions here are a clear antitrust violation and should be blocked/punished. If our representatives don't do so, then they should be punished.
I had more the thought like being skeptical of anyone who would take a job at company Foo or stay there, when they tell you. To me that seems preferable to trying to -- what risks devolving into -- a witch hunt of fall guys (persons), and doxxing people.
I think we are already starting to have that with a couple more infamous other companies in the news the last year: if someone goes to work there, I suspect a lot of people are going to think what is wrong with you, since you must know that company does very harmful things,
Maybe it's time to start wondering that about anyone who'd work for a lot of additional companies?
(I actually had a recruiter recently who was pitching a startup, and the headline featured the "ex-" pedigrees of the founders, including an especially infamous company. I figured any company touting that pedigree as a selling point is probably a bad fit for me. I thanked the recruiter, but said that infamous company as selling point probably isn't a fit. The recruiter seemed to not only understand, but to agree with my vague sentiment about that pedigree company.)
Please stop calling Android Linux. It's a marketing lie that continues to disappoint, including here. You're holding Linux back substantially by claiming Android is part of it. Just because it has Unix doesn't mean it's Linux as MacOS is also Unix.
I’d just like to interject for a moment. What you’re referring to as “Android,” is in fact Android/Linux, or as I’ve recently taken to calling it, Android plus Linux kernel.
Linux is not an operating system unto itself, but rather a kernel—a core component that manages hardware resources. Android uses the Linux kernel, but replaces the traditional GNU userland with its own runtime, libraries, and system framework.
Many users run Linux-based systems every day without realizing it. Through a peculiar turn of events, the Linux kernel combined with Android’s userspace is often simply called “Android,” and many of its users are not aware that it is built on Linux at its core.
There really is Linux in Android, and these people are using it, but it is just a part of the system they use. Linux is the kernel: the program in the system that allocates the machine’s resources to the other programs you run. The kernel is an essential part of the system, but useless by itself; it can only function in the context of a complete operating system.
Android is normally used in combination with the Linux kernel: the whole system is basically Android/Linux, a Linux-based operating system with a distinct userspace, not a GNU/Linux system like traditional desktop distributions.
My understanding is that this new reCAPTCHA is basically just remote attestation.
Remote attestation doesn't use blind signatures (as that would be 'farmable') so tying the device to the 'attestee' is technically possible with collusion of Google servers: EK (static burned-in private key) -> AIK (ephemeral identity key in secure enclave signed by a Google server) -> attestation (signed by AIK). As you can see if the Google server logs EK -> AIK conversions an attestation can be trivially traced to your device's EK. This is also why we don't really see and probably never will see online services which offer fake remote attestations, as it will be pretty obvious that the next step of running such a service is getting Google as a customer and having all your devices blacklisted. Private farms probably won't last long either as I'm sure Google logs everything and will correlate.
Unless something special is done with this new reCAPTCHA not only are you locking internet services behind TPM chips but you are also surrendering anonymity to Google. Unless you acquire untraceable burners for every service, the new reCAPTCHA will be technically capable to tying all your accounts across all these services together. Much like age verification. It may appear that the service would need to cooperate to link the reCAPTCHA session to your registration but the registration time alone will likely be sufficient (the anonymity set will be all but destroyed).
worth noting that google/twitter/facebook/reddit/others colluded to combine sessions, identifiers, so that any person getting identified on any one session / ip would be identified on all
so while this comment is apt, i would ask them what they think of the previous chicxulub impact of the 2012 era collusion - which to this day has not been reported on
(just realized emacs bindings work in comments, nice, no ctrl-x tho)
> (just realized emacs bindings work in comments, nice, no ctrl-x tho)
Are you using macOS? If so, those keybindings work everywhere.
As far as I can tell, Hacker News doesn't impose any custom keybindings (the client-side scripting on this site[0] is very simple).
[0]: https://news.ycombinator.com/hn.js
Emacs bindings also work on Linux in GTK apps, if you enable them:
If you make Qt follow GTK settings, they also work in many Qt apps, too, but in a more limited way.I was going to ask for more info on this collusion but you say it wasn't reported. And googling "chicxulub" just gives a volcano.
Is this speculation, or has it been confirmed somewhere?
"Chicxulub impact" seems to be functioning as a bit of hyperbole to imply that this collusion was absolutely devastating, by analogy to the K-T extinction event 66 million years ago.
Not that I really can tell what this was devastating to. Maybe United States v. Apple (2012), where Hachette Book Group, Inc., HarperCollins publishers, Macmillan publishers, Penguin Group, Inc., and Simon & Schuster, Inc. conspired with Apple to raise ebook prices?
I can't say for sure, but is it possible they're referring to the founding of the Internet Association in 2012?[0]
I don't think it's that, because the Wikipedia article makes it seem like it was a force for good, but at the time, it wasn't certain at all that it would be that way.[1]
Beyond that, I'm not exactly sure what might be meant.
[0] https://en.wikipedia.org/wiki/Internet_Association
[1] https://reddit.com/r/technology/comments/xs4qw/google_facebo...
Colluded how?
By exchanging and correlating data presumably? For example, anything I send or receive on Discord, I see reflected in my YouTube recommendations shortly after. It's downright egregious at times.
Most likely it's just run of the mill Google analytics/adsense tags in discord. Don't forget that discord is web tech and loads all kinds of JS bundles – including trackers. The best solution is to stop using discord, but the second best solution is to only use the web app version of Discord. When you use the web app, you can install adblock and anti-tracking extensions. The amount of data that Discord sends which gets blocked by these extensions is eye opening.
If you run a website, it seems trivial to forward the attestation to someone else by putting the same code up on your website, and getting their device banned from google instead of your own.
The domain in the attestation would be yours, so that wouldn't work
How would the phone camera know the domain name of the website displaying the QR code it's scanning?
The camera isn't the part doing that verification. The google service serving that "reCAPTCHA" is what's doing that validation. Unless you're using a custom browser that is reporting a different domain to google than the one requesting the reCAPTCHA, google's service will know which domain is which.
How does the verification app on your phone know what's in the URL bar on your desktop?
The QR code/URL would be generated/requested by the javascript running on the website you're viewing, which knows what's in your address bar.
It would be generated by some other website like Amazon. Because I own, say, Meta, I copy these Amazon-generated codes over to Meta, make people scan them on their phones to sign into Meta and then pass the solution back to Amazon so my bots can sign into Amazon.
We don't yet know how the client side works, perhaps there will be a decompilation posted soon.
It's possible this scenario is acceptable to them because it means they can still tie your access to something that's easier to ban without requiring a full account login.
They're tying my access to random users of a completely different service, and a different random user each time.
What are you implying? That it will become ineffective due to that?
That's possible... and they might change their mind if so, we will see.
I feel like it's a similar issue to when scrapers pretend to be an allowed-origin webpage in order to abuse "public" API keys for web services.
They could also require the mobile device to interact with the requesting webpage in some manner, similar to mutual PIN/codes for Bluetooth/TV pairing these days. That way bulk sharing of the codes would still require active participation from the device that requested it in the first place, likely with a short time limit.
After you scan the code, the verification app asks you "do you want to verify for example.com?"
If you don't verify for example.com you won't be allowed to view example2.com. So do you want to or not?
Some people will notice, some will not
Realistically, what Google will do in such a scenario is collect data about the illicit service, enumerate the devices the farm uses and what other activities the devices participate in. What you suggested has far less control over the devices that generate the attestations and it will show.
Also, if the implementation is competently done the phone will show the website for which you scanned the QR code. A user would be able to see whether or not that matches the site where they observed the QR code and proceed accordingly. In time Google will probably integrate it into the Chrome browser where a proxied QR code cannot even be shown.
> My understanding is that this new reCAPTCHA is basically just remote attestation.
Yes, somehow "parse this QR code" would not have made my top 500,000 list of 'tasks that a human can do more effectively than a computer'.
I'm sure some people still remember how to mentally decode QR codes and verify ECDSA signatures from Covid days. Public transit ticket inspectors in my city also seem to be quite proficient at it :)
> Much like age verification
Age verification as a technical concept can be done in a privacy-preserving manner! Whether or not we want age verification is another debate, but let's stop making wrong technical claims about that: it doesn't help.
Really, how?
At some point someone will need to issue a key, which at some point will need to be verified against known good signatures.
These signatures will also need to be kept in case of lawsuirs/enforcement, so if somebody gets access they will know you visited that site
The trick is to define "privacy-preserving age verification" in an extremely narrow way that ignores any other privacy concerns.
For example, imagine you put the same private key into the 'secure element' of every single iphone. You use code signing so that key is only unlocked when the phone is running unmodified iOS with all security updates. You use encryption and remote attestation for the front-facing camera and face id depth sensor. You use NFC to read government-authenticated age and appearance data from biometric passport chips (or digital ID cards) and you store it on-device.
Then, when you want to access pornhub, they send an age challenge to your device, your device makes sure your face matches the stored passport, and if so it signs the challenge with the private key.
Pornhub gets an Apple-signed attestation of age - but because every phone signs with challenges with the same private key, Pornhub can't link it to a particular phone or identity document.
So in a very narrow sense, privacy is preserved.
You can't use someone else's ID, as it checks your face every time. You can't fool it with a photo of the person because of the depth sensor. You can't MITM/replay the camera/depth data because the link is encrypted. You can't substitute software that skips the check with a rooted phone because of the code signing. Security holes can be closed by just pushing a mandatory OS update.
Sure, it doesn't work on PCs. Doesn't work on Linux, or on unlocked/rooted phones. It hands users' government ID documents over to Google and Apple. It requires people to carry foreign-made, battery powered, network connected GPS trackers (with cameras, microphones and speech recognition) with them. And there are non-negotiable terms of service everyone must agree to. But if you define "privacy-preserving" to ignore all that stuff and only consider whether Pornhub learns your identity, it's privacy-preserving.
All so kids can't access PornHub?
Jesus Christ.
14 year old me ran into porn on the internet all the time. It didn't turn me into a serial killer.
Meanwhile we let kids have exposure to algorithms that pervert their sense of self worth, get them addicted to dopamine and gambling, and make them feel inferior to their peers.
We have the wrong priorities as a society.
And this bullshit is going to turn us into a completely tracked, monitored, controlled bunch of cattle.
We're building 1984 and we're happy about it.
Dude, a big reason for age verification is to prevent kids from accessing those "algorithms" you describe.
They will always be able to access porn, e.g. over torrent. It will just be a little less accessible, and maybe it won't hurt.
"Think of the children" is the stated reason but not the actual reason. We've seen this pattern so many times that it's perplexing that people continue to fall for it.
If the children were the actual reason there are much less invasive solutions that enable reliable parental controls such as mandating self classification of content and fining service operators for inaccuracies.
Think for yourself and consider what the possible ulterior motives might be.
What is perplexing is that people still don't realise that it is possible to do age verification in a privacy-preserving manner.
> Think for yourself and consider what the possible ulterior motives might be.
Sure, and in the meantime try to think and read about how privacy-preserving age verification actually works.
> Sure, and in the meantime try to think and read about how privacy-preserving age verification actually works.
This requires you build a whole apparatus around controlling what people can see, say, and do.
The concept of "slippery slope" is often called a logical fallacy, but in reality it's more than often not a fallacy at all. It's the manner in which you boil the frog.
I think it's something like over 50% of adults do not have kids now. Why should we put the majority of people - for the majority of their lives - at risk for a mere 20% of the population to "not see boobs", when good parenting will suffice?
Let's not put a cage around our freedoms. Let's ask parents to be more responsible. In the edge cases where that isn't sufficient, is that really as bad as what could happen to all of our liberties should we go down that path?
We're burning down the whole village because someone saw a cockroach.
That key will get leaked. A key that has to go into every phone, even if done at the manufacturer and onto the TPM chip, will get out.
Also even if it doesn't get leaked directly, the security of TPM chips is not absolute. Secrets from them can theoretically be extracted given an attacker with sufficient means and motivation. Normally nothing that's on a typical TPM chip would warrant a project of that magnitude, but a widely used private key can change that equation.
Plus a TPM chip doesn't really have means to tell the phone isn't being lied to. You could swap out the actual phone camera hardware and sensors for a custom board that feeds the entire phone camera data of your choosing and it would be none-the-wiser.
> That key will get leaked.
Maybe? But biometric passports, chip-and-pin payment cards and SIM cards seem to do reasonably well. And Apple can always push out a mandatory software update that rotates the key, if they need to.
> You could swap out the actual phone camera hardware and sensors for a custom board that feeds the entire phone camera data of your choosing and it would be none-the-wiser.
Apple's 'TrueDepth' cameras are serialised and paired with the rest of the device. The touch ID sensors were before that too.
I don't know the precise details, but reports from people trying to repair devices independently of Apple are that the phone is very much the wiser.
e.g. https://support.apple.com/en-gb/120567 https://www.reddit.com/r/iphonehelp/comments/1dl38kq/iphone_...
> Apple's 'TrueDepth' cameras are serialised and paired with the rest of the device. The touch ID sensors were before that too.
That prevents trying to swap the module, but doesn't prevent swapping out the sensor on the module itself.
There is no reason to talk about that system: it's nonsense. It's like inventing a bad encryption protocol and discuss about why it is bad.
Better learn about the good one, but I guess it's harder than making up nonsense.
OR:
The website sends a request for age verification.
The app[1] on the user's device[2] forwards that request to the chip on the user's ID card. The user authorizes themselves with their 6 digit PIN stored on the card.
The chip produces a signed reply containing the following payload fields: `issuing_country:string` and `over_18:bool`
[1] https://github.com/Governikus/AusweisApp
[2] iPhone, Android, Windows, MacOS, Linux or FreeBSD
What happens when I set up a tor hidden service that (in conjunction with some client software) stands in for a visitor's device and will proxy any requests back to my personal card? After all the payloads are anonymous so what's the risk to me?
To prevent this sort of abuse, the server would have to request the `pseudonym` field, which contains a hash across the server identity and the card's secret salt, allowing the server to detect abuse but not to track the user across multiple services.
It's probably even simpler than that: say normal users make a few requests once in a while (because they don't need thousands of tokens every day), and one user makes a ton of requests, then it is an indication that this user may be abusing the system.
It would probably be possible to use the service that the parent is suggesting and try to link it to requests to the server based on timing. But I don't even know if anyone would bother trying to identify the OP: probably it would just be enough to rate-limit the requests.
As always: it's easy to criticise, harder to actually get it right.
Wait what? All the time you spent writing that nonsense could have been invested in reading about how it actually works.
Parental controls on device are a better solution that work today and don't carry a risk of data breach.
Parental controls are intentionally gimped. They do the bare minimum while providing more than enough wiggle room for a tech savvy teenager. To implement a robust parental control scheme you need network level filtration which isn't something the average parent will know anything about.
I disagree with that, because the teenager should be the parent's responsibility, regardless of how smart or savvy they are. Parents should be talking to their children, communicating what their and society's expectations are. If the parents are attempting to exert technical control over their children, by home router for example, there should be websites or computer shops they can go to. If the parents don't care or are not smart enough to keep up with their teenager, then no type of state mandated gimmick will either.
Teenagers, at that level of intelligence or are that determined, will find ways to circumvent whatever control mechanisms a parent or school is attempting to use. At some point, it is a matter of the teenager respecting their parents and rules. Same for if you told a teenager do not drink and drive. You can setup all kinds of technical barriers to block drunk teenagers from driving, but if they are that "smart", those committed to bad behavior or law breaking will find ways.
But again: if all the kids are on social media, is it enough for "good parent" to tell their kid that they should not go there?
From what I remember from being a kid myself, it definitely is not.
They would be a solution if almost all parents used them, but parents don't want to socially isolate their kids since a lot of "social" activity is now on social media. It's kind of a prisoner's dilemma.
There's not necessarily wrong. Despite the vapid and damaging nature of most popular online media, isolating a child from it might have even worse social consequences when their real-life peer groups discover that they're not on social media or that their parents have neutered their phone. Some kids would turn out fine after that. Others would be socially destroyed for life (maybe with the right therapy they could become well-adjusted, but high quality therapy is rare).
> They would be a solution if almost all parents used them
No, they are a solution for parents who want to use them, and that's all they should be. Their existence demonstrates that it's possible to handle this without regulation, other than the desire of some people to inflict their preferences onto other people's kids.
You haven't tried to use parental controls much have you? They are all terrible. They are insanely difficult to get set up properly and even when you do there are a lot of tradeoffs that come with it.
> even when you do there are a lot of tradeoffs that come with it
Absolutely, but those are nothing compared to the tradeoffs of putting attestation or identity verification (sometimes incorrectly described as "age" verification) on numerous sites and inflicting them on everyone.
> but those are nothing compared to the tradeoffs
And my whole point is that it's possible to do age verification in a privacy-preserving manner, and before complaining about the tradeoffs, you should get informed about what they are.
I'm well aware of those possibilities. The two biggest problems with them are that 1) they still apply to everyone, rather than only to those who opt into them and 2) governments and companies are in practice going to push for the versions that identify people and provide more information.
If you make it possible for governments to decide what content is "limited to adults", they can and will abuse that capability. "Porn" is the battle cry, to make it uncomfortable to argue against; often, other information the government wants to restrict becomes a target. The only way to prevent that is to deny the capability in the first place.
Yep, I think this would be a totally valid debate. But my frustration is that it's not there at all. We're at "people make it sound like it's technologically impossible, like the ChatControl for E2EE".
It feels like trying to debate about whether 5G is good or not, and the debate is stuck at people claiming that 5G boils your blood. There are valid reasons to oppose 5G, but if people choose to be so wrong that it sounds like bad faith, they surely won't convince me of anything.
I have yet to see a scheme that would robustly preserve privacy and freedom floated by any of the major efforts. I think the onus is on you to present a workable scheme, but even then I'm not going to support the major efforts which at present are malicious.
I keep mentioning it. Read about Privacy Pass, there is a goddamn RFC for it.
Having Privacy in the name doesn't mean it's actually privacy preserving. You can't just ignore attack vectors like collusion between signing entities and websites.
Did you read about how it works? Can you precisely describe an attack that defeats it, or are you just throwing names you've heard without actually knowing how Privacy Pass works? Sounds like the latter to me (yes, I read the RFC).
Your tone isn't appropriate. You don't get to assign reading. If you want to convince people of something then clearly state your case. In this instance that would mean outlining the technical argument.
That said, you've got blinders on. You're all over this comment section condescending to people about a particularly clever scheme without considering the various real world objections being raised. Not the least of which is that the vast majority of the tidalwave of legislation on the topic has zero to do with ZKPs.
> Not the least of which is that the vast majority of the tidalwave of legislation on the topic has zero to do with ZKPs.
That's not what I see. I mostly see people complaining about the fact that "if they verify my age, it fundamentally means that I have to give them my ID, and I don't want that". And whenever I mention that technically, there are ways to do age verification in a privacy-preserving manner, I get something like "you are so naive, nobody wants age verification, it's THEM (the all corrupt politicians who all have the exact same opinion) against US THE PEOPLE who need to fight for our freedom!
That is very frustrating to me, because
1. I believe that it is counter-productive to be technically wrong by saying "it is fundamentally not possible". Because if politicians genuinely listen to that, then ask a few cryptographers and get the answer "no actually it exists", then it seems only fair that those politicians will just dismiss the whole opposition by saying "oh right, they are just libertarians who don't want regulations and hide behind incorrect technical claims".
2. I believe that many, many people actually are in favour of age verification to protect their kids. And again, yelling at them saying "you understand nothing, this is not technically possible, and the politicians are all corrupt authoritarians anyway" is not constructive. Moreover, "normal" people don't give a shit about the privacy issues, so if they want age verification, they will just accept any technical solution. I would hope for technically savvy people to try to raise the privacy concerns and explain that if there MUST be age verification, AT LEAST it should be done in a privacy-preserving manner.
But yeah, let's keep yelling that it is fundamentally impossible, such that nobody even hears about the privacy-preserving solutions, until we have to either give our ID to random websites or stop using the Internet. Because what seems clear to me is that we are going towards age verification anyway, and there is zero constructive discussion about how to do that right.
Parental controls can set browsers in "child mode" where the browser sends an "I am a child" header to the server and social networks etc. need to honour it. This has existed for twelve years already: https://blog.mozilla.org/netpolicy/2014/07/22/prefersafe-mak... . It can probably be amended with a more granular set of levels, but that would be the best way forward.
The problem of "parents are negligent" is also solved by existing laws which have fines for parents who are negligent towards their children, and governments absolutely love collecting fines, so all the incentives are properly aligned.
I should not have to surrender my anonymity because parents are too lazy to setup parental controls.
And it's possible to do age verification in a privacy-preserving manner. I'm tired of repeating it, people should get informed before they complain.
We could totally discuss whether or not privacy-preserving age verification is a good thing. But we can't, because most people can't be arsed to read about what age verification implies, and complain about something that is fundamentally wrong (i.e. that they would have to surrender their anonymity).
How about we just ban entirely the harmful social media that we would need to attach all our IDs to our internet activity in order to protect the children? Very strange that that's not part of the discussion!
Because privacy-preserving age verification is less extreme than banning them entirely. It should be strictly easier to get it accepted.
Except that people can't read for 5min and understand that age verification can be done in a privacy preserving manner.
Zero knowledge proofs don't carry a risk of data breach, because they are zero knowledge.
Your privacy has to be violated in order to receive the easily trackable ZKP tokens.
> Your privacy has to be violated
No.
> the easily trackable ZKP tokens
If it's easily trackable, it's not ZK.
Are they a better solution? Yes
Do they work currently? Not really
Are they too complex for the avg joe to work out. Unfortunately yes. (Something about the smartest bears and the dumbest humans)
Joe can walk into an Apple store (or wherever they purchased the device) and ask them to enable parental controls on it. We have people whose job it is to service computers and phones, they have been around for more than half a century. I am pretty sure most Joes don't service their cars either, yet they keep them road legal by visiting trained mechanics.
As long as Joe has the right to vote, which is something more important and more complex, we cannot complain that parental control is too complex.
It doesn't provide 100% privacy from everyone, but it does provide privacy from the web service: A worker at a physical store checks your ID, and if it says you are 18, they hand you a token with a unique key on it, which they have a stack of behind the counter. You put the unique key into the web service. It's not necessarily one time use, but if you don't want to risk correlation, you can use each one only once. It's just like alcohol sales, and has all the same failure modes as alcohol sales, but if it's good enough for alcohol sales it's good enough for web services.
Well it probably needs a bit more complexity to avoid being trivially broken. Codes are one time use; the service has them attested by the token provider behind the scenes, and the provider is in turn under contract with the government. Tokens are also activated at the point of purchase similar to gift cards in order to prevent bulk theft and resale. A law in the vein of HIPAA prevents collusion between the retail establishment and the token provider.
People, you have to read about zero knowledge proofs. Look at e.g. Privacy Pass.
> A law in the vein of HIPAA prevents collusion
No need if you use cryptography. This thing that, you know, works well for encrypting stuff? Spoiler: it can be used for age verification.
>> A law in the vein of HIPAA prevents collusion > > No need if you use cryptography.
True for age verification, but not true in general. If you have something that can be used illegally, it's very handy to allow firms to rent / hire it out anyway but make the hirer responsible for any illegal activity.
An example is hiring a car, and the car is used to ram-raid a shop. Today this is solved by handing over a government ID to the rental company. Commit a crime in the car and they hand that over to police, but it has the sad side effect of handing over information to the car rental they can use to track you, and worse sell to others.
Using a zero knowledge proof for a valid driver's licence fixes the privacy problem, but at the expense of the hire company not being able to transfer responsibility for illegal activity onto the hirer. I suspect if that happened no one would hire out cars any more.
You can easily design something that is Zero Knowledge to the car hire firm, but includes an opaque token they can hand over to the government on lawful demand. It contains all the details needed to pursue the law breaking hirer. Thus there is still a role for the law here - you can't always do everything with crypto.
This is a very minor quibble - I agree completely with what I think is your main point. This Google change is a privacy disaster. It's a step towards an enshittified internet with the gateways onto it controlled by a few big tech firms.
But I don't think just yelling "just use ZK" is helpful. It's much harder than that - ZK is only part of the puzzle. Passkeys are currently caught up in the same attestation trap, and there is no workable solution in the offing. Banks and other high trust applications need some assurance your FIDO private key is being handled securely. The solutions on the table are Apple not doing attestation, or Google who does at the low low price of selling your true name to Google. Both "solutions" suck, horribly.
ZK proofs of things like licences and age have to solve the attestation problem, and solve extra stuff as well. I'm not holding my breath.
> But I don't think just yelling "just use ZK" is helpful.
Agreed. I am just very frustrated, because I feel it is an important topic. And I wish I saw adult discussions about it. And instead, people who claim to be "tech-savvy" keep whining about the fact that it will fundamentally leak their ID everywhere. Like they somehow understood the point for E2EE, and repeat it here confidently. If tech-savvy people can't be bothered to understand how this works, why should politicians?
I have the same frustration with the anti-5G crowd yelling that it will boil your blood. There are many valid reasons to criticise 5G and have a constructive debate, but they choose to be wrong anyway.
> If tech-savvy people can't be bothered to understand how this works
You underestimate your own abilities. Tech savvy doesn't mean they think much about crypto.
To get a feel for this I asked Gemini "If you were to survey a group of people who would be called "Tech Savvy", what percentage of them would be aware you could construct a zero knowledge proof for a person's age that revealed nothing beyond they were older than a given threshold?". The answer was 5%..10%. That rises to a surprising low 20%..30% for Software Engineers. It's only once you get to Software Engineers who write security systems that you get above 50%.
Gemini didn't give any references so those figures could be complete rubbish, but in my experience they seem on the high side. Many very experienced engineers I interact with clearly have not thought very deeply about how crypto systems interact with human trust. Granted understanding the implications of crypto is yet another step beyond understanding the maths, but I'm amazed at how many technology curious people haven't bothered to take that step.
The good pollies on the other hand probably have a very good intuitive feel for human trust systems and how to navigate them. They rely on engineers to tell them what is possible of course, and they won't care about the details. But what they will care about is whether the engineers can deliver the system they promised, and there I have to admit our track record is appalling. How many government IT initiatives have you seen deliver what was promised on time and on budget? So when you tell them you can build a ZK system that delivers in all these privacy promises, expect a very sceptical reception.
You can prove your signature is from a key which is in a member of an acceptable set without revealing which one. These schemes can also prevent excessive reuse, e.g. by you also proving that some linked value is a hashlike function of your private key, the date, and the domain, so if you sign multiple times for the same site in the same day your uses are linked, so someone can't just toss up an oracle that gives endless authentications.
Such systems are deployed in production by privacy preserving cryptocurrencies as its the same problem: Prove you're spending a coin that exists without revealing information about which one, and prove that you're not spending it multiple times.
Less private but easier to implement is just simple blind signing. Site asks you to give them a signature of their domain name, your account name, and date. You blind the data using a random number, go to google and identify yourself (e.g. solve a CAPTCHA, check your mobile device, age verify, whatever) and ask them to sign the blinded value-- they rate limit you and give you a signature. You unblind and provide to the site. Now the site knows you passed the google rate limit but nothing else, but google never learns what site you authenticated to.
The blindsigning approach is kinda lame because it requires active communication with a third party that learns you're online and authenticating to stuff. So I think it's generally less preferred but the cryptography is hardly any more complicated than an ordinary digital signature.
Ring cryptography does this - given a public key and a set of private keys you can attest that one of the keys signed it but not which one. This lets both Google and you generate a signature and say “this is attested”, without the person verifying it knowing _who_ signed it.
You likely need one other step beyond a plain ring signature, often called a linkable ring signature. If you use only a plain ring signature I could get one authenticated key and setup a site that gives away an unlimited number of access tokens with it, and you can't identify which key is doing so in order to kick it out.
A linkable ring signature lets you correlate multiple usage but only if they share a common 'context value'. Intelligent selection of the context value results in abusive use inevitably sharing a context so you can exclude or rate limit it, but honest use tends to not share a context so the privacy is preserved.
All states/governments have basic records on their citizens and residents, including at least a name, dob, address, etc, at least for a passport, driver's license, if not an actual id card. Let's assume this is acceptable.
Then it's technically possible (and really not that difficult) for states to provide a service that issues zero-knowledge proofs of facts like "age > X".
> Let's assume this is acceptable.
(partly off-topic rant) One can argue this is a false premise fallacy. For most of the time states did not have this information about their citizens and the world progressed quite nicely. The only argument to know stuff about citizens that don't drive (increasing numbers) nor travel abroad (different problem altogether) is to tax them?
One of the foundational differences between humans and cattle was you cannot brand (https://en.wikipedia.org/wiki/Livestock_branding) humans. Not physically, because we do it digitally and I see a slippery slope.
The discussion was about age verification, not about the (rather more extreme) position that it's illegitimate for the state to hold information about its citizens.
> For most of the time states did not have this information about their citizens and the world progressed quite nicely.
This is quite untrue. State bureaucracies far predate the modern era.
https://ageverification.dev/
> Unlinkability is achieved by design through Zero-Knowledge Proof cryptography see the "Privacy by design" section below.
With cryptography. Look at e.g. Privacy Pass, there is an RFC about it.
It should be possible with zero knowledge proofs.
The problem is that while you might be able to trust the crypto, the government won't trust you to do the crypto entirely by yourself. And this introduces avenues for deanonymisation. Moreover, collusion between the government and the entity making the age check can also theoretically deanonimize.
It's a complicated problem.
We continue to seek a technological solution to a parenting problem.
> Moreover, collusion between the government and the entity making the age check can also theoretically deanonimize.
Hmmm... no? That's not how zero knowledge works.
Not via breaking the ZKP, but via other methods of fingerprinting, which governments are very well positioned to enable.
I feel like it becomes bad faith at some point. With a sufficiently advanced attack, you can be personally identified today. ZKP for age verification does not make this worse, does it?
It's a bit like saying "no but Signal is not really encrypted, because the government can extract some metadata by looking at the network around the server".
Look at Apple’s PAT: the website knows the service that did the attestation, but not the user. The service knows the user, but not the website. If you controlled both you can link the user, but otherwise you can’t.
Yes, but they can still collude. It's possible to do age verification in a way that prevents that. Look e.g. at Privacy Pass.
PAT is Privacy Pass.
Oh right, my bad. And how can they collude there?
Blind signatures would work, with a bit of effort.
Divorcing technical detail from how it is used does little good for humanity.
As far as I know no currently proposed age verification method does this in practice.
The only way to implement truly privacy preserving age verification is through zero knowledge proofs (or blind signatures) but what that would allow is undetectable token forging.
The EU's proposed system uses ZK proof. You get a PGP signed message from "someone" who knows your identity (government or private agency) then store it on your phone to pass to websites that need your age. It does have an obvious flaw in that whoever you give the token to has no proof it's actually yours.
https://ageverification.dev/av-doc-technical-specification/d...
> It does have an obvious flaw in that whoever you give the token to has no proof it's actually yours.
Which isn't necessarily a flaw, depends on the threat model. For actual age verification that we care about (e.g. make it harder for kids to access social media), it may be good enough.
This is not sufficient. Do they give you a blind signature?
Because what you described does not preserve your anonymity if the government and the service collude.
Doesn't matter if it is privacy preserving, it is still an evil thing to do
That would be the interesting debate, if people could actually spend 5min learning how it works and stop claiming nonsense.
Exactly the mindset that got us to this current reality..
No it can't. If it's done in a truly privacy preserving way then someone can also sell a fake age verification service making the whole thing meaningless.
I don't see any requirement to support hardware attestation in the recaptcha documentation, the Play Services seem to be "enough".
I think it's most likely to be attested by Google remotely; they might be using an app (with enormous access to the phone as the Play Services have) to be able to link a ton of data together, possibly including the local activity on the phone, officially to make better humanity assessments based on it all.
For people using a Google account it probably won't make a huge difference, in terms of data collected.
If that's how it would work, spoofing would probably be theoretically possible, but it would be easy for Google to detect attestations used by multiple people.
Let's not forget that this is an update to a very approximate system, absolute security is not (yet) required.
But there's a good chance that it will be extremely hard to sidestep, despite that.
> they might be using an app (with enormous access to the phone as the Play Services have) to be able to link a ton of data together, possibly including the local activity on the phone
But anything your phone can possibly do in software can be spoofed, so how would that help?
> I don't see any requirement to support hardware attestation in the recaptcha documentation, the Play Services seem to be "enough".
Doesn't Play Integrity use hardware attestation, but specifically checking the Google keys?
If you use the Play Services on GrapheneOS, you still don't pass Play Integrity because your system is signed by GrapheneOS and not by Google.
No, Play Integrity is a set of numerous features, and the developers decide which one to use, and how to react to what the api reports.
Hardware attestation is one feature, but it's still not used a lot.
The most common feature is the check that your Google account really downloaded the app you're using (and that the app wasn't modified); which requires using a Google account, of course. This is what the "pairip" that's been plaguing the store for a year does (it's being added by a ton of apps because adding it only requires enabling a preference in the Play Console).
> having all your devices blacklisted. Private farms probably won't last long either as I'm sure Google logs everything and will correlate.
So basically Google can now ban your device from being able to access a huge portion of the internet, in addition to nuking any online presence connected to them.
You could wake up one day and find your device blacklisted from the internet, with no chance of ever reaching customer support. What a lovely future
Stop visiting sites and using services that use reCAPTCHA. Problem solved.
That's great until it's some essential government, medical, educational, etc. service that you have either no alternative to or no alternative that isn't also using the same thing. I'm already being slowly and incrementally softlocked out of some (fortunately non-essential so far) sites either by cloudflare or other more subtle "anti-bot" networks as time goes on, including some like I've listed above. I can only expect this will continue until it's something I can't avoid.
For some reason, I'm softlocked from booking tickets from Deutsche Bahn. The website errors out with a cryptic "Your browser's behavior resembles that of a bot." message with no option to try again or pass a captcha or whatever. The website itself described several possible solutions but none helped (I tried using different computers, different internet connections, even a phone connected to internet using a SIM from a different country).
As for now, when I need to travel to Germany, I just book tickets through the national carrier of my home country, which for cross-border tickets often turns out to actually be cheaper than booking through DB. Thankfully I don't live in Germany proper and my need for travel there is not that high (once or twice a year at most) but I wonder what would I do if I had to move to Germany and use trains there more often.
Same problem but with French equivalent SNCF (sncf-connect.com). I just checked and can confirm nothing has changed. You cannot use up-to-date Firefox on Linux to access the main booking site for French rail tickets.
Does it work if you spoof the user agent?
> -Use of developer or inspection tools
Gotta love it.
It gets blocked in a private window, but only on the second page load. So more sophisticated than UA-blocking.
The finger-wagging about "Use of developer or inspection tools" is just outrageous. Akin to accusing users of thought crime.
The only solution to all this will be through elections and laws.
Developer tools are easily detected by looking for the viewport to resize a certain amount.
I just opened the developer tools, then chose 'Separate Window' from the menu. The developer tools are now on my other screen, and then I clicked Reply to your message. The developer tools window that I had open is not relating to this tab, but when I opened Developer Tools for this tab, it remembered that I wanted it in a separate window and did so again. The viewport should not have changed at all..?
DB has been finicky for me from abroad as well, using a VPN to Germany usually helped. Still sucks though.
> That's great until it's some essential government, medical, educational, etc. service
At which point you should contact your attorney general, and work to ensure such efforts face legal challenges at every turn.
Which won’t solve the problem at all.
No, it won't, and this mechanism should not be used by anyone, but it'd at least ensure that people aren't forced to use it to interact with their government.
With the new reCAPTCHA this is going to happen because most human visitors will actually be unable to pass the CAPTCHA. It will be interesting to see whether this makes websites ditch reCAPTCHA or whether they literally just don't care about having customers, an attitude that seems to be getting more and more common every day.
I have been unable to give my money to Home Depot, REI and a growing list of online retailers because they use Akamai EdgeSuite, which just assumes I am a bot and 403s on protected API calls. This happens consistently on any IP and any browser on my Linux desktop/laptop.
There are not enough words to describe how much I hate Akamai EdgeSuite. So many random validation loops and 403s across different physical computers, different operating systems, different connections and even countries. A couple of services I need use it and it's 30% I'll make it past their stupid "protection".
Same, i'm doing a kitchen reno and gave up on Home Depot because of this
It sure makes debugging headers a pain. curl -sLIXGET https://… never mind, that won’t work, _fires up browser yet again_
Home Depot at least has a physical presence, which you can go and directly give some much-needed feedback to.
It has a zero percent chance of reaching anyone who can do anything about it.
You could try handwriting and posting a letter to their CEO. I think that sometimes works. Probably not very often but there are more than zero CEOs who read those letters.
Maybe they'll figure it out when their revenue drops next quorter or the ones after that?
I was thinking in the same terms: you put up a QR capcha, you don't get my traffic and money. Just the amount of extra work needed, let alone the Google tracking turns me off. As if traffic lights, crosswalks and bridges weren't enough of a hassle.
You can also send an email if you're lazy. In both cases the CEO probably won't read it but a more than minimum wage secretary probably will pass it on to corporate customer support which IME is a lot more useful and the regular support that the company wants you to use.
REI is allegedly a co-op, maybe there's a committee or something it could be presented to?
REI Co-op has an Annual Members Meeting in Seattle, where it announces the results of the board of directors election. The 2026 one happened Feb 5. Apparently the presentation is only 8m long, some saying it's pre-recorded and it's near-impossible for members to submit a question that actually gets answered:
https://www.rei.com/newsroom/article/2026-rei-board-of-direc...
https://www.rei.com/newsroom/article/rei-announces-2026-boar...
https://www.reddit.com/r/REI/comments/1qw14k6/rei_hosts_thei...
Usually that just means the owners of the individual stores are the shareholders.
The point is to spread the word.
One problem with these things is that businesses have minimal visibility on the amount of users they lose.
On the opposite, if they see reports of many visitors not completing the captcha, they're likely to think "Wow so many bots!!! This defense nowadays is indispensable..!".
Sometimes you need to pass a captcha even to contact them (if you want to tell them that you can't pass their captcha).
I wanted to give money to charity and they have whole form protected by recaptcha. So I would have to allow all my personal information and amount donated sent to google (and agree with google terms for data processing). I have contacted them but they did not understand why this is problem they just wanted to protect themself against bots. IMHO unless those things are not disallowed by antitrust laws we have lost.
We wouldn't want bots throwing money at us!
I suspect this is a real problem for charities, though. If those bots are using stolen credit cards, the "donations" are going to cost the charities money after they pay extra fees to the credit card processors. Nonprofits are sometimes used to test stolen credit cards before making more profitable fraudulent transactions, so there's a real risk of it costing them money if they get rid of the captcha but don't replace it with something sufficiently high quality, even after accounting for the occasional lost donation.
Why would they pay extra fees?
Merchants often pay a chargeback fee on top of refunding the main charge. Additionally, merchants with lots of fraud or other chargeback issues are likely to be dropped by payment processors or see their general fees with payment processors get more expensive.
i say technofeudalism, not sure i know what i'm writing about though
Luckily the marketplace of money will ensure that businesses who block their customers shrink and businesses who don't block their customers grow.
> most human visitors will actually be unable to pass the CAPTCHA
Most human visitors will never ever notice the change. reCAPTCHA is completely invisible for most human visitors because they are allowed to pass just by fingerprint.
It's not like an average user is going to have to scan a QR code every time they visit a site via web browser. If it were like this then it would be a non-issue because no sane website would adopt this system. But it isn't.
This is not true, maybe in the US, but in many countries you get captchas all the time with residential connection and also in public places all the time, internet cafe, airports, cafe wifis and so, they'll at least get it once, that way there is a permanent fingerprint correlation with real identity, I can bet that EVERYBODY will get it at some point so Google and other people on board with this atrocity (webmasters are also accomplice) can finish-up the master plan.
>> whether they literally just don't care about having customers
So every government website. Every website where people simply have no choice (DMV) or where failure to login results in them not claiming the money/benefits they are due (all tax websites). And every website handling post-sale complaints (Airlines, insurance).
> most human visitors will actually be unable to pass the CAPTCHA
Most human visitors will pull out their smartphone and just do it without giving it much thought.
> Stop visiting sites and using services that use reCAPTCHA. Problem solved.
Not solved at all: 99.999% of users don't give a damn and use a Google-signed Android.
My opinion is that because they don't give a damn does NOT mean regulations should not protect them. What Google is doing here is anticompetitive and they should be fined (antitrust and all that).
I don't see the correlation with Google-signed android actually, people really want to have this friction when they visit a website? Like having to get your phone from another room, use camera and all that to access a website? This is so anti-pattern and is also disrespectful toward consumers, any webmaster participating into this imo should rethink his career and morality.
I'd love to, but I'd not be able to visit many sites anymore thanks to Cloudflare...
Yeah, live in a cave, and problem solved.
However much I hate it, right now among the sites using reCAPTCHA there are many that I strongly want to use.
Let's find a better solution please
> Let's find a better solution please
Is there an argument here that Google is creating a monopoly?
Could this be challenged on similar grounds that forced Microsoft to recommend other browsers to users on Windows?
There is, but at least in the US neither party cares. They want to get rid of anonymity online, one to throw anyone who googles "trans" in jail, and the other because their biggest donors are tech companies that want to denonymize everyone.
Our antitrust laws have been toothless for decades, and both parties love billionaires controlling the rest of us with an iron fist.
GrapheneOS is looking more and more worth the headache that my limited free time generally does not like. I don't need Google to know my smut fanfiction is written by my IRL.
Felt same way about GrapheneOS but a few friends set it up so i gave it a try. It is easy to install and use. As evidence, I gave my 70 year old father one and he loves it.
When my friend was telling me about GrapheneOS I was thinking back to the old days of android custom roms, all the bugs and bullshit, the time I couldn't dial out to 911 because my custom ROM crashes when I did, or other issues. So I gave it a pass.
However he's been on it now for months and every time he shows me something on it I get a little more jealous. Everything seems to be working fine, including e.g. bank apps, and he has interesting features like some kind of app zoning thing limiting permissions on a zone to zone basis.
The only problem is it's only available on massive phones without headphone jacks and SD card slots, so I'm sticking with Xperia for now.
Breathlessly awaiting the upcoming Motorola/Graphene crossover phone.
Can you run Graphene on non Pixel phones?
Not yet. They've partnered with Motorola, though, so we'll probably be seeing some of their phones in the future that can run GrapheneOS.
You can use Lineage [/with microG]
This. For privacy, it is much better to avoid Google Play services (which are the only supported solution for push notifications in GrapheneOS).
sieabahlpark, I probably hate this more than you, you misunderstood
[dead]
So what are you doing here?
> Ask HN: Did HN just start using Google recaptcha for logins? [0]
> dang
> No recent changes, but we do sometimes turn captchas on for logins when HN is under some kind of (possible) attack or other. That's been happening for a few hours. Hopefully it goes away soon.
[0] https://news.ycombinator.com/item?id=34312937
Stop visiting sites and using services that use reCAPTCHA. Problem solved.
No. Bigger problem created, since there are innumerable government, health care, and educational web sites that use reCAPTCHA.
I'm not going to give up reading the test results from my doctor because of some simplistic ideologue decides that it's "problem solved."
At least in my country (Poland) you should be able to make a pretty bug fuss and resulting in them fixing it, if indeed one of ego services made you leak all your data to Google.
People do care about such things.
I hope the same is true in other EU countries.
The other problem with this is that there are few CAPTCHA alternatives.
CF turnstile is one, but of course that means Cloudflare owns even more of the web.
HCaptcha is inaccessible and actively discriminatory against individuals with disabilities and refuses to change, to the point that I suspect the only way that they will do anything is to file a class-action against them and sue them into the ground.
And I... Can't think of anything else. Other than to just get rid of Captchas entirely.
You could just have a custom one that asks domain-specific questions (and ones which will trip up LLMs are not hard to come by.) I've seen a few forums ask such questions for registration, long before the rise of LLMs.
There are other captcha alternatives like Turnstile, for example Private Captcha, Altcha etc. - they are owned by mostly “small” independent companies, they are not visual captchas (proof-of-work based) and very accesssible.
The answer that no one likes: make it cost a nominal amount of money.
Enough to make it so bots are expensive to run.
I agree, and I think CAPTCHA is a disservice on public websites.
Compliance is what makes all that shit possible. Sadly most people are compliant and made so by gradually increasing their dependency on "commodities" which really are anchors to a shit lake.
Beautiful analogy, BTW.
Suddenly I have been made aware that, having lost my paddle on Shit Creek, I will eventually be taken downstream to Shit Lake (where it appears I will inevitably drop anchor).
> I'm not going to give up reading the test results from my doctor
You could just call them.
Oh just wait, the AI phone service on their side will be more than happy to complete your device attestation key challenge by touch tone. We have to make sure you are still you after all!
But in all seriousness, many services are making it difficult through to impossible to communicate outside of their web or app platforms. Call centres are expensive and messy, and it's now apparently acceptable as a society to treat customers/clients/whatever as adversaries so they can get away with making it hard to communicate with them.
I was unable to book a doctors meeting through the clinic's website, so I declared "screw tech" and called their call center, which still worked better. The app just searched for the "first available spot" and never found anything. If they axe the call center I'm going to have to go to their place.
Or ask for a print out.
Fairly sure that would be considered a breach of patient confidentiality where I live, at least.
You should check your patient portal closely, they may be violating your confidentiality in ways that are much worse: https://vanguardcommunications.net/facebook-ads-pixel/
Sorry to hear that. What did people do before computers then?
Not sure how that's relevant. There are computers now. Regulations change with the times. Green lasers weren't controlled in the 1700:s either.
Are you comfortable with anybody being able to ring up the hospital and say "yo, it's majorchord, how are my gonnorhea results?"
> Are you comfortable with anybody being able to ring up the hospital and say "yo, it's majorchord, how are my gonnorhea results?"
No, that's why we have safety protocols in place. When you call a doctor they ask you for your birthdate or sometimes also a PIN/password on your account to protect your data.
How would that still be considered a breach of privacy?
Alright. I didn't know that. "Just call them" did not sound like it included any kind of authentication procedure.
But giving birthdate (available to anyone via a single query in a public database) and (sometimes?! - what?!) PIN over the phone wouldn't really be considered good enough here. Birthdate is, as I said, public knowledge. And a phone is too insecure a medium for transmitting a password.
I'm not super interested in an long argument about whether it's reasonable that this isn't considered secure or not. I'm just letting you know what reality looks like. And the reality is that "just call them" is not a solution, because such information will simply not be handed out over the phone.
> And the reality is that "just call them" is not a solution, because such information will simply not be handed out over the phone.
It already is a solution, and has been in widespread use for many decades. I don't think it's going anywhere.
That misses the point: alternatives will only be available as long as enough people uses them.
I still make and receive calls all the time to get test results from my doctor, I think tons of people still use that option.
HN uses reCAPTCHA under certain conditions
I've not hit it but that would suck.
I doubt they would let users be KYCed to access HN frankly, I seriously hope not at least.
Removing recaptcha from my sites now actually. Its not much, but its something.
Or stop spreading this extraordinarily naive view of how the world works.
[dead]
When companies like this exist, what is the point of relying of TPM? Looks like the future is bright for VC backed bots
https://doublespeed.ai/
I'm assuming that's a troll / sarcasm / fake... But that could just be my last vestige of faith in humanity.
Edit: aaaand... That's another little sliver of my faith gone : https://www.theatlantic.com/podcasts/2026/04/how-fake-people...
Yeah, it's real. Say goodbye, faith!
Why is every startup using that same Serif font now, Garamond or whatever. Is it an LLM design phenomenon? Its kinda ruining that font style for me.
Also $1,500 a month for 10 "influencers" is wild. This doesn't seem that sophisticated unless they're doing something special to increase trust scores of accounts. They say they have "in house warming algorithm" which honestly doesn't inspire confidence for me.
Whats funny is its almost a certainty (if they are doing things correctly) that they have literal farms of phones (probably in SEA). The only real way to keep trust high is to have a real mobile connection and unique devices. Proxies are okay, but you really need to use the apps on real hardware.
I think the font is mimicking old Apple ads, eg: https://i.insider.com/5bf8592eb73c284de50e2f28
Ahh, that makes sense.
Yep. They got hacked in the past, 1k+ smartphones reported.
The cost is the attestation keys of a real phone. Once it gets burned, the phone is useless to them.
https://www.penligent.ai/hackinglabs/inside-the-ai-phone-far...
Interesting article, thanks. I've done a bit of small scale phone farming (for my own cheap mobile proxies). In all reality the phones aren't that expensive, I went with Moto 5gs that cost $130 (retail), so in their case the phones pay for themselves in the first month.
Probably a decent amount of compute cost for video generation, but I'm sure they have access to free compute and inference for being in bed with a16z.
If you are OK with carrier locks (eg if you don't need cell service) and are in the USA, you can actually get mot 5Gs for $30 at walmart. https://www.walmart.com/ip/Straight-Talk-Motorola-Moto-g-202...
Reckless Condensed?
How is this not grounds to be sued into oblivion by Google and Meta? They clearly violate ToS for profit. This is something I expect to find on a dark web forum where 0days are traded, not in public.
> How is this not grounds to be sued into oblivion by Google and Meta?
Because they don't care. It doesn't matter that it's AI slop, it generates views. And Google and Meta can bill advertisers for those views.
Zuckerberg is paying people to put AI slop Shrimp Jesus on facebook. (Not directly to platforms like this, but with the incentive structure)
Really, they're not just cashing in on the views of AI slop being put in front of boomers. They're cashing both ways; While the low end spam industry is merely guessing and iterating on whatever generates views, the more refined spammer does not leave the performance of their latest slop post up to chance, and just uses good old viewbotting. Viewbotting that these days, is mostly done on real devices. Which show ads, to the bots or underpaid developing world workers. Google and Meta'll still charge you for those impressions though.
The losers? People who sincerely try to use these platforms, and whatever idiot businesses are still paying for ads by the impression or click, rather than conversions that immediately generate revenue.
This kind of thing has been common for ages. Obviously AI has kicked it into overdrive, but it’s not darkweb kind of stuff.
Note that they do not mention any specific companies on that landing page. That is pretty intentional.
But realistically going after bots is expensive and rarely successful, so most companies don’t do it. Even if you find the guy, the chances they can be legally reached are pretty low.
Violating ToS isn't illegal in most cases. Companies just put scary looking clauses in their ToS to discourage you from doing things they don't like.
That's not true of course. There are hundreds of such cases with varying outcomes [0][1][2]
[0] https://en.wikipedia.org/wiki/Facebook,_Inc._v._Power_Ventur....
[1] https://en.wikipedia.org/wiki/MDY_Industries,_LLC_v._Blizzar....
[2] https://en.wikipedia.org/wiki/EBay_v._Bidder%27s_Edge
Note that all those guys were gotten for breaking the law, not for breaking terms of service.
These companies would have to buy one phone per fake influencer.
Wow that is so dystopian.
[dead]
> (as that would be 'farmable')
It could be contextual, as in each user gets one anonymous id per domain name per day. Multiple uses by the same user at the same domain in the same day are linked.
But much of the purpose of these systems is to violate the public's privacy and exert as much surveillance and control as possible. If not for that schemes that mitigate the privacy loss would be a top priority.
> Google didn’t demand iPhone users install Google software to pass the test.
Can de-Googled Android phones present themselves as iPhones?
Apple has their own remote attestation infrastructure and you will not be able to impersonate an Apple device without extracting private key material from the secure enclave of a legitimate Apple device or compromising Apple certificate authority private keys.
Is this actually available in Safari?
Since iOS 16, apparently
https://blog.cloudflare.com/eliminating-captchas-on-iphones-...
https://developer.apple.com/news/?id=huqjyh7k
Can they present themselves as... web browsers?
Yes, and then they'll get served a QR code that you have to scan on a phone Google approves of.
In the UK, the Department of Education guidance is that schools should be mobile-phone free. Students use computers to access the web fairly regularly. Guess that would be problematic then, since many schools policies is that mobile phones should be turned off and stored in your bag during the day.
Shouldn't that be illegal under GDPR?
There are massive exemptions for the prevention and detection of crime
And https://gdpr.eu/recital-49-network-and-information-security-... :
> Recital 49 - Network and Information Security as Overriding Legitimate Interest
> The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems,...
It's funny how people after all this time think 99 Articles, 173 Recitals and a huge tech lobby equals a water-tight, pro-citizen, impenetrable privacy law with almost no exemptions.
What crime are you preventing or detecting by verifying you're human?
[dead]
I've kept a spare cheap android for too long and recently went with Graphene instead. I have one Google profile and only use it for Uber, work's Google Chat and maps. One bank refused to work (even with Google services) so I moved bank. I've moved most of my mobile use to self hosted (freshrss full text, password manager, calendar, tasks) with no direct internet connection.
It's a bit irritating but I'm glad I started down this journey because it looks more and more like I'm going to be avoiding the internet
My setup is similar and nearly 100% self-hosted, including email, files, AI. If something does not work on Graphene, I will do without it. I also have a Google profile, mostly for testing purposes.
I said it already in another comment, but if you care enough to use GrapheneOS, I believe you should not only "do without it". You should also complain to those services.
If enough people complain, those services will start caring. If all they see is "one user complains every 3 years", they will just ignore it. That's how it works.
Ah yes, google, the company who notoriously doesn’t offer any customer support will definitely make way for such complaints.
Drop your sarcasm for long enough to see that "I won't use your app if I have to use Google" is not a complaint _to_ Google.
The bank I was talking about were the worst net loser of customers in the UK last year (around -8000) They are making excuses but maybe they would care about why.
Also, it works in practice. Some banks have fixed their apps after GrapheneOS mentioned that the app was broken. In some of the issues/reports linked at https://privsec.dev/posts/android/banking-applications-compa... there are even bank app developers joining in on the discussion (e.g. NL -> Triodos).
The consumers of google captcha will not care if on occasion some failing business attempts to enable graphene or linage users, the userbase of those users is not enough for most companies to care and the ones that do probably aren’t cared for by google.
I hate that this is the way it is, I’m a graphene user too, and I see a pretty bleak future for any unsigned OS, followed by a pretty bleak and authoritarian future for humanity.
Not to Google, and not to any of the TooBigTech, obviously. For those, we need to enforce regulations (that already exist but are ignored). As a user, the only thing you can do against TooBigTech is to complain to your government (if they can listen, e.g. in the EU there is a DMA entity that you can and should contact).
But for companies that are not monopolies, you can complain to them, and you can give them a bad review on the Play Store. Most companies are not in the business of screwing you: if they screw you, it's just a collateral effect. If you want to be on their radar, you have to make noise.
If enough people complain, then the company sees a need, then they prioritise. If they believe that "it only affects 1 guy who complained 2 years ago", of course they won't do anything... and I don't even know if I would blame them for that.
How have you managed to accomplish self-hosted email? I tried similar in 2022 and found it damn near impossible without business static IP or a cloud provider.
You can't do it reliably without a static IP in a non residential subnet that lets you set reverse dns. If you have a static residential IP and they don't filter inbound SMTP you can make it work with a smarthost/relay like mailgun. Its not the insurmountable obstacle everyone makes it out to be, but its not going to be free unless you already have an IP that meets the criteria.
If you don't have a static IP you need will want to think about a MX relay service too ~ although mail is surprisingly tolerant of offline MX hosts if you can wait a little bit for your mail.
My approach is to run a VPS with multiple static IPs that I (using Wireguard) tunnel to a number of virtual machines I host at home on a microserver. Likewise, the virtual machines' primary view of the Internet starts on the opposite side of the tunnel.
I do it self-hosted on a rented VPS, which gets around the IP address issue.
I have access to a commercial (non-residential), fixed IP. You could also use an outgoing relay as a compromise, since presumably the issue you are facing is other servers rejecting email that you send from a disreputable IP. That being said, you really want a fixed IP as a matter of convenience if you are going to self-host anything.
How often are your emails being marked as spam, for others? A few years ago it read like there’s a whole science behind avoiding getting flagged. Is this easier now with agents aiding the setup?
Not the person you replied to, and it's impossible to know with certainty how often you're in someone else's spam, but very rarely.
I had an issue with yahoo a couple of years ago that's all. The "it read like there's a whole science" is sadly a trope mostly repeated by people who have never tried because it gets upvotes on Reedit.
There are some steps you have to take, but not many, and systems like Mox mailserver or stalwart guide you through it, and mail-tester will check if you got it right.
Email, other than tweaking spam filters, is one of my lowest maintenance systems. I can't remember the last time I touched Exim or Mox config
You got me really interested here, I ran my own mailserver years ago and eventually just gave it up. I am getting rid of Google Workspace and have been planning a migration to Proton for two domains. But this sounds like a fun project. Any advice? I am going to check out Mox and Stalwart.
What providers are good hosting candidates, I have a website on DO, but from my understanding their entire ranges are blacklisted heavily.
If I remember rightly DO have some restrictions like port 25 on ipv6 outbound being blocked.
I can't speak for all of them but I use mythic beasts in the UK for one mail server (they are a very knowledgeable old school host) and it has been good. I also have dedicated with OVH which is fine, and a couple small scale (eg simplelogin, a notification server) with IONOS but they only deliver to me so I can't say how reliably they deliver elsewhere.
Mox is great but I think it's still alpha. I've been using it for 2 years in production for a small traffic domain. The other I use Exim (with mythic beast's Sympl that sets it up) but it's a little more hands on at the beginning
Excellent thanks
Not very often at all, but it did happen at least once. Note that even email sent from Google itself can be marked as spam depending on the message.
I imagine an agent would make a lot of the first time setup from scratch easier, but the fastest reliable way to get up and running is mail-in-a-box or mailcow. Before those were available I built a flurdy style Postfix+Courier+Amavisd+MySQL setup and have been evolving it ever since. Now I'm on Postfix+Dovecot+rspamd+MySQL but I don't think that's for everyone or even the best way to start.
The science of not getting flagged is easy when you're not sending large volumes of untrusted mail; it only gets complicated if you start hosting mail for "customers" or let your system forward mail unfiltered into gmail/yahoo.
Here's my hit list of universal things to configure:
* Start with an IP with good or neutral reputation, non-residential, its nearly impossible to fix an IP that has been burned by a spammer. (Network)
* Valid reverse dns for your IP matching your mailhost forward dns (DNS)
* Valid SPF record; -all (DNS)
* Valid DKIM; with sufficiently sized key (DNS+Config)
* Valid DMARC; start with p=none to test and move to p=reject once you're configured (DNS)
* ARC if you or your users will ever possibly forward mail (Config)
* Don't get your messages flagged as spam anywhere ever, filter outbound mail even if its just you. All it takes is one piece of malware and a saved password and you'll have to get a new IP. (Config)
* Don't configure services behind your mail server with example domains that you don't control ~ I get so much mis-configured test mail from people who think its cute to use my domain as an example in their practice lab. It all gets reported as spam or bounces and then their smart host bounce rate goes up. (Config)
* Test for open relay; only relay for authenticated users. (Config)
* Use strong authentication, preferably with certificates or MFA. (Config)
* Secure everything; IMAP/SMTP/POP are old AF make sure you're requiring STARTTLS and setup MTA-STS to prevent downgrade attacks and enforce encryption in transit. Use a real certificate from Lets Encrypt don't self-sign. (DNS+http+Config)
* fail2ban your auth, you're going to get so much driveby password spraying and credential stuffing; I fail2ban block entire subnets at a time with iptables actions. I also have a bunch of "poison pill" rules for weird stuff I see in my logs eg block anyone who tries to auth with the NTLM hash for 'password'. (Config)
* Don't bother with BIMI at home, you can't get a blue check mark without deep pockets and a trademark (vmc) and most platforms only show logos that have a matching vmc. (DNS+https+config)
* DMARC reporting and TLS-RPT reporting are a pain to manage but are helpful troubleshooting deliverability be prepared to read some XML reports or setup a stack to parse them as they arrive (DNS + Config + https)
* setup the SMTP Submission port (587), so many networks block port 25 outbound and its the right way for clients to connect. (Config)
* configure BACKUPS, don't skip this step, encrypted restic backups to s3 or backblaze b2 is cheap and easy. (config)
* track your configs in git, don't commit secrets. (config)
* configure a free blacklist monitor on mxtoolbox for your domain(s) (config)
If you do those things you'll be in a pretty good spot, you could probably paste that list/this post into your agent and vibe up solid mailserver.
For me keeping the spam and phishing out is a bigger hassle than deliverability issues. rspamd does a pretty good job of keeping it manageable.
I do all of those things and with all of that setup the only place I ever run into issues with with users on AT&T's residential broadband mail servers. AT&T appears to block you if you're not known to them and they have a short memory. If you don't have regular correspondence with AT&T users they will block you after a bit. I'm a fairly low volume sender so I end up blocked every other time I try to send to AT&T by no fault of my own. I've talked most of those friends off of AT&Ts free email and on to ProtonMail at this point.
For the people who's mail service blocks you and they cannot or will not change their mail provider, what is your solution?
I would just send those domains through mailgun with a transport map in postfix, it probably wouldn't even break the free tier.
If you use mailgun or similar you have to setup dkim keys for them and add them to your spf.
Great info, thanks
A VPS or cheap dedicated is enough to get the static IP. I have very few problems with email, I use one VPS and one dedicated server though some zealots would argue a vps isn't self hosting
If you don't mind me asking, what Bank? I've resolved that this phone will be my last googled phone, and my next will be GrapheneOS.
Halifax UK. It just refuses to work so I left it (Graphene is more secure, so forcing less security for the sake of tracking is off the cards). All the other banks so far say they won't work without Google services but if I click OK they work
Not OP, but I've been on GrapheneOS for a few years and I have no problem with Chase, CiT or Wealthfront. I mostly use them to check balances and unlock debit cards, but they all login and function fine.
Noted, thank you for the advice.
> One bank refused to work (even with Google services) so I moved bank
Banks are implementing terrible "security" checks. Users of alternative OSes should be a lot more vocal: change bank, but also complain a lot to the offending one, and make sure to leave them a bad review on the Play Store.
Actually people not using an alternative OS but caring about that should also leave bad reviews to those banks on the Play Store.
At the end of the day, the problem comes from humans in those banks who don't understand and don't give a shit. The only way to make them care about it is to complain enough that it becomes their problem.
When I had a jailbroken iPhone my bank app (HSBC) would detect it and show a warning but let you continue anyway at your own risk, which I thought was a reasonable compromise
> It's a bit irritating but I'm glad I started down this journey because it looks more and more like I'm going to be avoiding the internet
I feel this more and more each day.
This should be the way. Have a tiny burner phone for maps and any apps that you absolutely can't use without google(it should be a tiny set of < 10 apps hopefully) until you can fully de-google
My current de-google project is categorizing all my pictures on my local NAS to create the memories feature (where it shows historic pics on multiple theme axes). You can get really far with just a few hours of work a month to de-google and some off the shelf image embeddings.
The hero project in this category — what one cannot do trivially as an indie dev — is creating a great fresh PoI dataset. This is tough to do on a planetary scale because its a societal cooperation problem.
The problem with this is gmaps. There is no alternative to it and by the nature of it knowing your location it removes anonymity. I would buy, or even pay a monthly fee, for something that is 75% as good as gmaps but respects your privacy but there is nothing out there I have found.
Nice that there's bank to move to. We need regulations against such lock ups.
Forced 2FA for banking in the EU is making this worse when it doesn't work
What's the best alternative for Google drive? I also went this route but Samba is a bit annoying sometimes
What makes Samba annoying? I think it's perfect for its intended use (LAN).
If you need to share files externally, Nextcloud works very much like Google Drive and allows the creation of sharable links.
Nextcloud, Samba serving SMB isn't really equivalent.
I don't get how Samba is not there yet. We already have everything in the OS, the UI, the mental model, the protocols, how come it's such a terrible experience that we need to re-invent the wheel in web 2.0.. Maybe we need a Jarred Sumner to fix it.
Samba has never been about file sharing over the internet. The project has been about cleanroom-reverse-engineering specific MS technology. To start it was NT4 authentication domains, then printing services, along the way SMBv1 (commonly incorrectly called CIFS btw), then SMBv2 v3.x, and then in 2012 Samba Active Directory.
In no way has it ever been about a functional alternative to something like Nextcloud. It's been about services primarily for LAN functionality, not stuff that should be going over the internet (mostly for security reasons).
So your expectations really don't align with what Samba has ever been about.
Source: I professionally support Samba for businesses.
Nextcloud also has lots of interesting plugins. I recently found a viable Splitwise alternative I chucked on my instance.
Syncthing is very nice.
I have nothing but issues with it, mostly because the iOS/Android apps are notoriously bad at syncing the files timely and also because of ridiculous filename restrictions on Android.
Is not the same though. It requires downloading the entire shared folder. That doesn't work when I have 100+GB of files and I want to share it with my phone
https://docs.syncthing.net/users/ignoring.html
If you dont need filesharing, you can just setup wireguard, setup a network drive on your phone's files app.l, and then when connected it'll feel like native file browsing.
There is Peergos: https://peergos.org (disclaimer: I am the creator)
Proton Drive works well and is from a company that supports privacy but does require a paid subscription.
I only share with one person so we use Seafile
What do you use for calendar and tasks hosting?
I'm on a similar journey and I use Radicale.
Have you tried the Uber webapp?
> People running de-Googled phones chose those setups because they read the data practices, understood what Play Services phones home about, and decided they didn’t consent.
This is wrong. Many (most?) users of alternative Android OSes do use a variant of the Play Services (be it sandboxed Play Services like on GrapheneOS, or an open source, reverse engineered implementation like microG that phones home just the same).
Google seems to be leveraging Play Integrity here, which requires that the phone OS is signed by Google. This is clearly anticompetitive, I hope the DMA will do something about that.
There is a fundamental tension here though - suppose DMA or something requires that online providers recognise reCAPTCHAs from non-Google-attested OS builds. What OSs can they safely trust?
Only ones that are difficult for fraudsters to use to generate bogus traffic. Whether or not those builds come from Google, they are inherently gonna be pretty constrained OSs. It's not gonna let you spoof your location or simulate user input.
I do think it's a problem if only Google can provide these attestations but even if that organisation problem is solved there is still a fundamental technologic problem here now that humans can't be detected by their ability to solve puzzles any more.
> What OSs can they safely trust?
None. The first rule of network security is you can't trust the client.
All attempts at remote attestation of consumer devices are someone wanting to break this rule. It's always a mistake; the OS being on the blessed list raises the difficulty level for fraud a little, but serious fraudsters have already perfected workarounds.
Wanting to load a webpage anonymously is not something that makes one a “fraudster”.
Arguably anyone else who can provide a similar level of trustworthy authentication that they are not a bot can work with Google to get support. Fundamentally this is a trust based problem and only OS providers are even capable of building such systems. There are very few of those out there. The key is that the systems need to be locked down to prevent automation of input and that automatically disqualifies most android alternatives that the community likes. It's clear that Apple offers this capability though. I can imagine a more locked down version of Windows also providing this in the future.
Yes that is what i mean, anyone can do it technically, but they are gonna have to build a slightly crappy OS in order to do it.
But still, better multiple slightly crappy OSs instead of just one (plus Apple).
Exactly. Imagine them blocking captchas on iphone or windows
IIUC, They are blocking it on windows, unless you have an android or iOS device you can use to complete the "captcha"
Sites that use reCAPTCHA/Turnstile/etc. have already been broken for me for years now due to neverending captcha/refresh loops.
My ISP regularly changes everyone's IP, and I apparently share an ISP with people who suck, so I get flagged just trying to do all sorts of normal things. Some examples:
- I've never bought anything from Etsy but I'm somehow banned from even viewing their site at all.
- Discord immediately bans me any time I try to create an account.
- Can't buy flights from Delta, always gives a non-descript error.
- Can't buy concert tickets, it thinks I'm a fraudulent buyer.
- Most CF sites produce a "Sorry, you have been blocked" page, or just loop.
- Trying to buy products on a shopping cart will have my order silently flagged/canceled for "VPN usage" (I don't use one).
- Some sites/programs block me for being on the DroneBL or similar lists I did nothing to get onto, and have verified many times that it's not really coming from me.
I just take my business elsewhere... eventually I'll probably just stop using technology at all.
> Sites that use reCAPTCHA/Turnstile/etc. have already been broken for me for years now due to neverending captcha/refresh loops.
I had this problem recently with the Indeed website. (Cloudflare Captcha)
Thanks to someone on Reddit, it was discovered that anyone using a Chromium based browser (Brave, Vivaldi, etc.) on Linux was being punished.
Awfully frustrating having to set up a Virtual Machine just to be able to access one website via Firefox since even my hardened Firefox was being punished.
Why not just change your user agent string?
That's useless, in fact it makes you stand out even more. There are SDKs that can differentiate based on an awful lot of signals if your user agent corresponds to your actual browser version.
Because the site can compare the user agent with navigator.platform, which your browser fills with great care.
That naturally implies we must patch the browser.
"Source code? We don't need no stinkin' source code!"
That's what Russian underground hackers do to create so called "anti-detect" browsers, which can emulate different browser fingerprints. But they are commercial and closed-source.
It probably fingerprints the browser via TLS fingerprinting.
Almost would bet one or a few of your ISP's customers have their connections being used as residential VPNs.
I know people like to think of suspicious android box setups but even a lot of "free" apps, extensions and other such services scarily seem to do that duty these days. I'm sure I'm preaching to the choir here, but its sad how many people will use some free of cost vpn and not even think why that might be.
Yes, I have even seen mobile android games that include notices about a BrightData SDK or HolaVPN etc. where their idle bandwidth is resold.
Does the app function as a proxy? I always assumed that wasn’t possible.
Why wouldn't it be possible? As long as background network access is allowed (the default).
Honest question: Is there anything scary about this apart from lowering your ISP's reputation score?
Yes. What if your connection is used for illegal activity?
It's not only IP but entire browser stack is being fingerprinted: Javascript, http, tls - everything. I've been living in the SEA region on Linux firefox for the last 10 years and the web has been miserable due to cloudflare and recaptcha
Yep I often have to launch a clean/ephemeral chromium profile just to access a specific website, but even then it's sometimes not enough.
whenever I can't access a website for various stupid blocks
I fire up cloudflare warp and walk right through it
use wireguard with wgcf in environments without cloudflare client
yeah it's stupid we have to do this in 2026 but I guess cloudflare is the new AOL garden
You sir seem to have solved a problem many people here have.
Would you care to elaborate a little on how you did it?
It doesn't happen that often to me, but sometimes adblock setup I'm using results in such issues.
He just told you, he used cloudflare WARP. It's a "VPN" along the lines of NordVPN et al, but by cloudflare, so it gets special treatment by cloudflare's walled garden enforcement system.
I wonder if iCloud private relay might also work. Apple probably negotiated some special treatment
I’m guessing it’s all the same effect as CGNAT exit IPs. You need to get big enough to be unblockable. That’s why everyone is trying to get in on the VPN game.
This new reCAPTCHA setup is probably a good indicator that big tech wants to shift to verified access only. Personally, I’m just going to quit spending money via the internet and go back to piracy + retail stores with a physical location.
the fact that this works, as well as cloudflare having a literal web scraping tool available as another product honestly makes my blood boil.
Turnstile feels bad as a user. Every site that I’ve seen it long will lock up Safari hard while it’s doing whatever it’s doing. But at least I haven’t run into more than 2 refresh loops.
This is why I ended up paying extra for a static IP from my ISP. While they always provided me with a public IP outside a CGNAT, I guess whole IP blocks were being targeted by these web security providers.
I guess my ISP allocates static IPs from a separate pool, and probably my IP block neighbors are better behaved (probably SMBs and other fellow nerds), aside from platforms learning that my IP is safe.
Captcha difficulties are way down now.
Oh man I feel you. I turn my VPN off on certain sites due to the captcha loop.
I have not been able to visit AliExpress for months now. Just an endless reCAPTCHA loop.
I wonder if they are seeing a decrease in traffic and somehow find that acceptable.
Wouldn't a 1£ Linux VM as Wireguard access point suffice?
Nope, I have tried. Just as suspicious to them if not moreso because it's a datacenter IP and not residential. I even have a list of sites I've tried to visit that were explicitly blocked from datacenter IPs, and that file has over a hundred hosts in it now.
> I just take my business elsewhere...
Mars? /i
archive.is just asked me for a QRcode scan, I'm so ashame of that crap (it's behind Cloudflare), forcing website visitors to KYC? Are you guys insane!?
the web is ruined if you push for this, this is millions of websites that will suddenly force KYC? What...the...f
https://ibb.co/X9Q6Y84
By KYC, obviously it's because there is very few non-criminal ways to have a SIM without KYC and get a Google account for Playstore without a number, so every website visits will be attached to a real ID.
I don't use a stock Android, right now I literally can't access many websites, this is genuinely crazy.
Interesting, the text says "reCAPTCHA doesn't share your details with this site", but it says nothing about sharing your details with Google. Which means yes?
Naturally, "Your data is private[ly] and secure[ly stored in plain text on our servers so that it's only accessed by us and shared with the advertising partners we choose]."
The water is already boiling and the frog can't get out anymore.
I thought archive.is were the ones squabbling with Cloudflare (extreme simplification)
Their squabble was to claim that Cloudflare wouldn’t let them collect identifying information about the original requestor. No doubt they’re thrilled by this change’s identity exposure.
I just tried using archive.is on my non-degoogled phone using IronFox instead of Chrome and could not pass the recaptcha. Actually it presented me the mobile attestation on second try, but I was able to switch to images again. But I am also unable to pass that one with the tracking protections built into the browser. Hopefully some 'serious' website starts using this so I can bomb their customer support.
For me this archive.is thing has been unusable for a long time already, because they rely on Google Captcha for a long time already and I block Google shit by default. Allowing Google is probably equivalent to showing them your id, due to fingerprinting in the name of "safety". That's why archive.is is not helpful and usually just a tab I close again right away.
Even crazier is that there is nothing preventing agents from not using this. The hardware, signing, etc. can all operate as part of an autonomous agent stack. There is no benefit here to anyone.
You can still use the audio captcha, but I’m not sure how long that’ll be around.
Google will incur serious lawsuits if they remove that accessibility aspect.
They'll keep it, but require TPM in each ear.
Haven't you heard? Accessibility is woke, and the institutions that are supposed to protect it are being dismantled. I wouldn't be counting on those lawsuits going anywhere personally.
Google has already been crippling the audio CAPTCHA access for many years. If your trust score is low enough, the visual challenge is ridiculously slow and noisy, and pressing the audio challenge button will just give you an error saying "To protect our users, we can't process your request right now", accessibility be damned. Where are the lawsuits? I want to believe there are still forces that would create hell to pay for doing something so evil, but I'm not seeing any.
Sound advice.
> https://ibb.co/X9Q6Y84
Wow, This is really bad :-(
I think this is just gonna make viewing internet without a phone significantly harder especially with archive.is and the likes.
Not sure, how relevant this is to the discussion but if it helps, I have made a project[0] which allows to archive archive.is pages on archive.org/wayback machine (this uses singlefile)
Perhaps something like this can be used by community at scale too. Also, I hope that archive.is does something to fix this issue of requiring QR code and hopefully it doesn't become a permanent issue.
[0]: https://smileplease.mataroa.blog/blog/htmlpipe-and-how-we-ca...
What? Don't Cloudflare literally have their own CAPTCHA service? Why are they using reCAPTCHA?
They mimic the cloudflare captcha page but they're not hosted by cloudflare.
Never understand this anymore, it's genuinely one of the easiest services to pay to bypass automatically (literally 3-liner of JS), webmasters are becoming incompetent.
If you don't understand something, the first thing to do is try to understand it, before going to "the people who use this are incompetent".
In this case, the answer is right there in the question: You have to pay to bypass it.
Sometimes, people just do dumb choices, there is nothing to understand except plain lazyness, there is better captchas, free, non-invasive, more secure, GDPR compliant and so-on that are also not covered by captcha-solving providers, so what's the positive argument about reCaptcha?
I was involved in evaluating captcha solutions. The only recaptcha alternative that met the requirements that we were able to find has hcaptcha, but it wasn't any cheaper (for us), and would require going through the vendor approval process, whereas google was already an approved vendor. There wasn't really a compelling reason to switch.
Maybe there is a better option out there, but if so, it has the disadvantage of being hard to find.
A very strong brand?
You really think it's the reason? I've worked with many developers, and they use reCaptcha just because they are used to it and did it in the past, I doubt customers love the "reCaptcha branding", to the contrary, nicer captchas (or even invisible ones, even better) improve retention.
"Because I'm used to it" is what a strong brand is.
> or even invisible ones
reCaptcha is "invisible" by default. Although if you use a non-cheomium browser and/or block tracking, you are more likely to trigger a non-invisible prompt. Annoying as that is for people like me and maybe you, that isn't the experience most users have.
i wondered the same earlier and i am pretty sure they are just mimicking cloudflare's validation page. no way that cloudflare is paying reCAPTCHA when they have theor product, turnstile, available.
Seriously? I didn't realize this was already happening. FWIW I still got the old captcha testing that site, and I often get flagged and blocked, though it's possible you're doing better.
If you reload the page it'll give you a non QR code captcha to do. Hopefully it stays that way or attestation captchas are removed entirely.
It's a move to block competitor AI agents while securing access for your own, classic ladder kick. The market for autonomous agents providing services and doing online work will be gigantic so, unless you want your own bots locked out from ie properties guarded by Amazon, CloudFlare, Microsoft etc., you will need a bargaining chip.
As someone that uses AI agents, this makes me want to install a browser plugin for "public windows" that just archives everything I see, and then farms out clicks of content that are missing from those sites.
The result of this would be to upload it all to a bot-friendly alternative to archive.org.
That exists! Check out Hoardy Web. https://oxij.org/software/hoardy-web/
Its whole point is undetectable archiving because it just saves what your browser already sees.
Nice, I understand it is similar to ArchiveBox + its web extension.
Now to be honest, while it's optimal to archive pages from you browser view I am not sure I want a random web extension to be in everything I see from a security point of view.
I would rather have a local proxy doing it. Maybe something like the InternetArchive warcproc [0]. Haven't tried yet.
- [0] https://github.com/internetarchive/warcprox
for a short time i had warcprox sitting behind my firefox and auto feeding its output to pywb, it seemed to work but i had connections failing randomly after having warcprox running for more than a few hours~days. not sure if it's an issue with pywb or warcprox but there were some urls missing that i did browse on firefox, and many dynamic pages couldn't be replayed at all.
I am not surprised...
I am unfamiliar with web caching proxies like squid [0] but I am wondering if that might be the most straightforward way to do this.
So use squid and then have a batch job that go through /var/spool/squid every day and update your web archive according to some defined filters.
- [0] https://www.squid-cache.org/
I would love to see someone challenge this as an anti-trust violation. Google is using its market power (as the provider of reCAPTCHA) to actively prevent devices that don’t use Google Play Services from competing effectively.
I'm not sure the definition of anti-trust matches what you're saying. Are there any retail android devices for sale without Google Play Services? Also, notably iPhones will be able to still work despite not having Google Play Services.
Retail phones for sale without Google Play Services:
All Huawei phones, which uses Huawei AppGallery after sanctions
FairPhone 6 /e/OS
Practically all modern feature phones: Nokia phones, HMD phones, etc. As I understand it, predominantly used by elderly and kids. But it's also gaining traction among millennials and Gen Z for digital detox and defeating mobile addiction.
Linux phones (Jolla Phone, PinePhone, FuriPhone, etc) - these you probably won't find in your local retail store but this is another competing platform being built from effectively an entirely different lineage minus the kernel
They're using their position to force people to buy a certified Android phone or iPhone in order to use millions of websites Google doesn't even own. People without a phone, people with dumb phones and alternative operating systems (deGoogled Android being just one example) can be totally cut off.
It's worse than forcing the Play Services: strict Play Integrity requires your system to be signed by Google. So if you use the Play Services on GrapheneOS, you're still locked out.
They're only doing that because the EU currently doesn't want to antagonize US any more with their tech fines. Noticed how there hasn't been any as of recently?
https://www.cnbc.com/2026/04/10/google-meta-big-tech-6-billi... :
> April 2025: Apple fined €500 million for failing to comply with "anti-steering" obligations. Meta fined €200 million under the Digital Market Act for requiring users to consent to sharing their data with the company or pay for an ad-free service.
> December 2025: X fined €120 million under the Digital Services Act for breaching transparency obligations.
(Sure, not this year, but that's pretty recent by most standards. And not sure if they're still being contested and unpaid)
And recently, Google is working with the EU to avoid a fine: https://www.bloomberg.com/news/articles/2026-05-06/google-ma...
> because the EU currently doesn't want to antagonize US any more with their tech fines
Yeah, I say it as "because the US bully the EU to prevent them from doing it".
Alternative explanation: they're following the Meta playbook of releasing surveillance features during a "dynamic political environment" that's keeping their opponents distracted.
https://www.nytimes.com/2026/02/13/technology/meta-facial-re...
I'm failing to see why they didn't just adopt Private Access Tokens (not that they're great either), where they could have at least:
- pretended that it wasn't all about invading peoples' privacy.
- done a good ol' fashioned "but Apple does it"
- pretended to be standards-oriented
- advertised it as something completely transparent to the end-user
Seems like that would've caused a lot less backlash while still achieving the goal of having some form of device attestation -- but I'm guessing that's not the real goal.
It doesn't fundamentally solve anything. You want to be able to identify a specific person or at least a relatively expensive device so that if you ban them they stay banned.
As others in this thread have commented - there are scammer hubs where a single person controls hundreds if not thousands of phones at a time.
The people who this method is most hoping to stop are the least likely to be impacted by it in the long run.
This is the exact method used to secure iMessage against spam: secure attestation and ‘console’ bans of devices (reversible by iirc phoning support, indicating who you purchased the used device from, and providing an ID). But Google is trying to pull a Windows 11 “TPM or die” conversion on the public Internet via Recaptcha. Welcome to the attestation wars, unwitting websites :)
Private access tokens are also a repackaged WEI as far as I'm concerned.
"pretended" ... do they even care any more?
Not Invented Here Syndrome?
The article mentions that they use Private Access Tokens on iOS, so I'm not sure where you're getting the idea that they're "not adopting" them from
This is crossing the line where the governments should step in and ban/fine google heavilly for this monopol behavior
How you know this is a monopoly is that if you go on their documentation website half the video is how this rolls into Google Analytics.
This is using another product to reinforce the search and ads monopoly.
You can’t scrape content to build a better google or Gemini, you can’t make an OS to compete with Google or Apple, and you can’t make a Google Analytics competitor.
It’s plain anti competitive.
The governments are the ones who needs the most. They want to know who all the potential and current dissidents are.
Bingo. Remember all the people on HN who canvassed for consumers to vote with their dollar? Absent-minded consumption is what consumers voted for.
Now everyone pretends like it's monopoly abuse because the Leopards Eating Faces company finally rang the dinner bell.
Instead, our governments use this crap, meaning on .gov sites too, and impose it upon us.
I agree. There are pretty clear grounds here to think about opening an investigation here into illegal tying, or a misuse of market power. Not sure if the FTC maintains a presence on here, but if you're listening...
[flagged]
"Don't be evil. That's our job."
Oh man as if we still live in those times
This isn't just about weirdos (like me) who run GrapheneOS. Huawei phones don't have Google Play services installed, or Xiaomi phones with MIUI China. That's what, a billion and a half phones that can't get to your website now?
Amazon tablets don't have Google services either, which hints that the upcoming Amazon phones also might not work with this.
If you need access to both apps from China and websites/apps from outside China, non-Apple devices have been difficult before this, primarily due to push notification infrastructure.
This makes it more difficult. But I don’t think it matters given how difficult it was prior to this.
Using apps based on Google Play Services may be impossible on those phones out of the box (not sure), but websites have no such dependency and most people don’t give a crap about push notifications from PWAs anyway so whether FCM works with the device matters little. Also doesn’t the web push API support different push services at registration time so those devices’ browsers can register their own vendor push server? (It’s been a while since I implemented web push myself, memory is fuzzy.)
This is blocking access to websites wholesale, so it’s on a whole different level.
What's wrong with Apple push notifications in China?
"non-Apple", i.e. Android
The problem is that most popular apps for Android outside Chinese app stores rely on Google services (specifically, Firebase) for push notifications.
I have a good friend who doesn't own a cell phone. He's a math professor. Every year he keeps living life without a smartphone, I continue to be more impressed. Things like this makes me feel like he might have to eventually give in. https://archive.is is now serving, via Cloudflare, this QR code backed CAPTCHAs. There seems no way to get past them without a smartphone. Sad times. I wonder at what point even basic government services will essentially require a smartphone.
> https://archive.is is now serving, via Cloudflare
It looks like a cloudflare page but it's not hosted by them. eg. https://bgp.he.net/dns/archive.is#_ipinfo It's hosted by AS49505 JSC Selectel
To add onto this, cloudflare switched away from recaptcha a while ago. https://blog.cloudflare.com/moving-from-recaptcha-to-hcaptch...
I think they now use their own Cloudflare turnstile if I remember correctly, but back then they switched to hcaptcha.
I don't have one either. No plans to get one, even with this.
I envy you. Before I degoogled my life, I tried going all in to no smart phone. It didn't last very long. I still would like to get there, but considering how difficult and slow it was just to degoogle, I anticipate that it may be a long time before I can operate without a smart phone.
The main thing that makes me think about getting a smartphone is navigation. But I never lost the skill of "looking up/writing down directions before you go" so it's not too bad.
(My phone is technically Android, but really old, not a touchscreen, you can't install apps, and most websites don't work in it, so... basically a dumb phone. But I did write a map web page that works in my very specific situation: https://lab.brainonfire.net/classicmap/ But mostly I just look up directions first and pay attention to signs, and the web page is a fallback that's nice to have.)
No cell phone period or no smart phone? I'm not sure how people manage the former. Do you have a home with a land line? What do you do when you travel?
Ah, I have a cell phone, not a smartphone. (Didn't notice that the parent comment referred to both.)
Eww. Ok, so, I’ve used reCAPTCHA on sites I maintain at work, just on forms to prevent excessive bot spam submissions. No way do I want to subject users to this BS, though. Does anyone have recommendations for other decent captchas that could be used instead?
I run into https://www.hcaptcha.com/ and https://friendlycaptcha.com/ from time to time as a user without complaint. Can't speak to the latter but I've used the former a bit and it does the job.
Any chance for something 100% self-hostable? hcaptcha and friendlycaptcha last I checked require interfacing with their services.
hCaptcha is horrible. I think that a PoW captcha would be effective to make spammers just mine Monero instead.
Cloudflare Turnstile, if you're already using Cloudflare (or not!): https://www.cloudflare.com/application-services/products/tur...
Bots are usually very stupid and will bail on any captcha system they don't recognize, so anything you make that's custom and requires javascript will cull 99% of them. This may change at some point with LLMs but for now my websites at least are still holding strong.
Anubis is an alternative to captchas, it's OSS.
hcaptcha is pretty popular these days. It uses a very wide variety of traditional visual puzzles.
in my good ol' days I just sent a screenshot to 2captcha for grid of the entire captcha iframe which means that the solvers would have to figure out what to do instead of having to write code for each different type of captcha. to solve their new rotating puzzles I would just capture them at 50% opacity twice and change the prompt to pick the highest brightness object since 50% opacity would dim the moving elements.
hCaptcha is horrible. I think that a PoW captcha would be effective to make spammers just mine Monero instead.
Given the way Google is going I'm not sure if my next phone will be Android. I am fully aware that I am probably in the minority here. For me the trust is entirely gone.
There really isn't much of an option. Apple's just as bad if not worse.
At least with an Android i have the option of Graphene, and have access to a terminal, and for now can sideload apps.
With apple there's no choices, so I'll continue to take my chances with Android
Possibly... but the extension of this to Android and Apple is going to be the entire internet shuts you out. And everything else will be a giant Dead Internet crawling with bots.
The sites that require you to log in are precisely the same ones that are crawling with bots. The personal internet or "small web" is, and still will be, full of real content. There are also lots of bot websites that are trying to be small web, but since it's an actual social network and not a giant pool everyone pours stuff into, they don't get traction. If you do find a website that seems to be human but links to a thousand AIslop sites, you'll stop following that guy's links.
It's less about those sites than it is about government services, banking, healthcare, employment, etc
Your online banking will be overrun with bots? Your healthcare will be overrun with bots?
What does that even mean?
What they mean is those are the sites that will require attestation. It's pretty quaint to think that people who don't like bots would rather play wackamole with bots when they can just flip a switch and they're gone.
I have to see. As much as I don't like Murena and /e/OS, they seem to have some clout with the EU/EC. Given that they are using microG and also hit by this, they might be able to nudge the EC to act on this.
Also, personally I care less and less. As long as my banks and government apps work, I'll just not use somebody's service if they put up barriers like this.
> Also, personally I care less and less. As long as my banks and government apps work
If most people care less and less, the result would be that banks and government apps will also work less and less.
Look, companies have to prioritise. And the obvious way to prioritise is to say "users are requesting X A LOT and nobody requests Y, so we will do X". Companies never, EVER say "it would be more ethical to do Y, let's do Y".
As people, we can do two things:
* Push our governments to regulate that shit. That means, complain a lot to the government.
* Be vocal to companies and complain when they don't support your system. If enough people do that, it will be prioritised.
Can Graphene OS pass this kind of Google attestation challenge, though?
No.
The hardware attestation (which is used by strict Play Integrity) checks the signature on your OS. It is totally possible to allow signatures other than Google, but Play Integrity doesn't do that.
Companies could totally decide to use hardware attestation and accept systems signed not only by Google, but also other systems (like GrapheneOS). But they don't care because not enough users complain to them.
Users of alternative Androids typically silently move to another service or stop using it entirely. Which is understandable but doesn't help the cause.
Both are terrible for privacy so it comes down to which one has a nicer screen now. :(
I'd rather have Google check an Apple phone attestation than have Google check a Google phone attestation, and vice versa, though, because you can assume each company is trying to keep as much information private to themselves instead of giving it to the other. Google is probably just getting "yes it's an Apple phone" and some kind of temporary token, instead of my IMEI, IMSI, phone number, all signed in accounts, biometrics and so on.
> Apple's just as bad if not worse.
Could you justify that? Because to me it seems like Apple isn't doing anything even like this.
Apple never allowed custom ROMs to begin with, so their device attestation feels more seamless: https://support.apple.com/en-us/102591
https://httptoolkit.com/blog/apple-private-access-tokens-att...
Also, Apple sells themselves as a privacy company, but often pick (possibly intentionally) insecure defaults. E.g. you might use end-to-end encrypted chats, but by default iCloud backups are not end-to-end encrypted, so law enforcement can just request your backups/chats from Apple. If you are vigilant and enable Advanced Data Protection for E2E iCloud backups, it probably still doesn't matter because the people that you communicate with probably do not have ADP enabled.
Besides that, they are enshittifying in the same way as Google. Ads in Maps, Ads in applications that you get with the OS (Apple Creator Studio ads in Keynote, etc.), Ads in your system settings for Apple Fitness+ (really).
At least Pixel phones and soon some Motorola models have the option of installing GrapheneOS.
Motorola + GrapheneOS next year could be an alternative. So far they've been relatively insulated from the changes that have been coming down from Google.
Motorola won't change a thing about hardware attestation. GrapheneOS is locked out from reCAPTCHA because GrapheneOS is signed by GrapheneOS and not by Google.
The way it's going, by the time the Motorola + GrapheneOS phone is out, it will be a lot more painful to use GrapheneOS than today. Not because of GrapheneOS of course, but because everybody accepts that bullshit Google is doing.
If you're waiting for Motorola + GrapheneOS, you could start complaining to banks and other apps that don't support GrapheneOS :-). If enough people did that, maybe those companies would consider it.
I'll be waiting.
In the meantime, I'm currently using a low end Motorola moto g 5G 2023 which lets me turn off Play Services. Chrome and the Google Calendar don't run (really do need to find a replacement calendar), and I couldn't be happier. Motorola's interest in GrapheneOS makes me wonder if they did this on purpose.
For calendar, I now have my own local setup, with Tailscale
Calendar server: https://radicale.org/v3.html Sync: https://manual.davx5.com/
So, you run Radicale server, you can import Google Calendar.
Set up Davx5 on mobile to sync with the local server
Access from anywhere with Tailscale.
Or if you need it now, Pixel + GrapheneOS. Pixel A-series are really affordable. E.g. the 9A is 350 Euro here, have great device security (Google Titan M2 hardware security processor, CPU that supports MTE, etc.), pretty good cameras/camera processing, etc.
https://motorolanews.com/motorola-three-new-b2b-solutions-at...
You won't be alone. I've resolved that this will be my last Googled phone.
My dad runs the family domain/emails/etc. The hard part will be convincing him to degoogle the whole family.
I'm inclined towards keeping an ancient android for those apps that require it, and maybe something open for actual use. Or perhaps a crappy old android for android and a small non-android tablet/laptop for daily-driver stuff, which always works better as a computer anyway!
I'm also becoming open to using software that lies to google about what it is :) Google will treat us like sh*t, why shouldn't we reciprocate.
I've been getting asked more and more how to degoogle stuff by non-nerds.
Android yes, but Graphene is the answer.
Almost completely unrelated, but I recently helped out a very confused family member with deleting not one, but two Google Cloud accounts they had no idea existed, and that they only learned about from an email referencing reCAPTCHA getting integrated into some other Google product offering.
I have absolutely no idea what happened there. My best theory so far is that they clicked on some really, really wrong buttons when solving a captcha themselves while logged in to their Google account in the same browser. Bizarre.
AI Studio playground maybe? It seems all integrated.
They almost certainly didn't use that.
The projects were named after a Google Doc they'd recently worked on (or a .docx attachment they'd received?) though, so my other guess is that they somehow created a Google Docs macro or similar by accident?
probably Google Doc Apps Script, those create so many Google cloud projects
The internet increasingly feels like “prove you’re using the approved computer” instead of “prove you’re human”.
Those two add up to "prove that you allow computer vendors to teach you what 'human' means".
So Stallman was right, after all?
Everyone, including Linus Torvalds, who rejected Stallman as too political or ideological, and advocated for "pragmatism" instead, is part of the reason we're where we are today. And it's going to get a lot worse, before it ever gets better.
I disagree. The reason we are where we are today is the lack of antitrust.
Even if we accept your premise, laws don't just appear; they are an organized response to a recognized problem. But everyone has been sleeping on the problem lurking in our infrastructure, undermining any impetus to enact such laws. And the people screaming from the mountain top (like Stallman), trying to raise awareness, were routinely mocked and marginalized by those all too happy to accept convenience and expediency, over more sustainable values.
> laws don't just appear
Antitrust laws have existed for decades. They just have to be honoured.
I wish Linus had adopted GPL v3. He had the power to stop this madness from big tech, but he sided with them. It just reveals that he never fully understood the reason for the existence of GPL in the first place.
> He had the power to stop this madness from big tech, but he sided with them.
He (Torvalds) had no power to do anything and sold out. Even if he did, big tech would just go and use BSD.
For over a decade both Torvalds, and Stallman sold everyone out. They don't make their money directly from "free software" or "open source" in the first place.
Stallman was right in that he knew digital surveillance was going to happen, but he was incorrect in believing that FLOSS was ever sustainable economically and especially with AI replacing the developer and that big tech and startups are weaponising that against them.
Even when Stallman is against AI, he doesn't care. He knows he doesn't make money from "free software"; but only by speaking about it. Torvalds is the same but likes AI.
Can any other developer do exactly that in 2026?
What do you define as selling out? Having a different perspective from your own? There are many legitimate reasons for why someone can believe the opposing view points. Devolving into us vs them rhetoric is not conducive to a reasonable conversation.
> What do you define as selling out?
I think you need to read the comment again:
>> They don't make their money directly from "free software" or "open source" in the first place.
>> He (Stallman) knows he doesn't make money from "free software" but only by speaking about it. Torvalds is the same...
My (unanswered) question:
> Can any other developer do exactly that in 2026?
To avoid repeating myself, the point is the majority of these typical developers do not have the level of influence that both Stallman, and Torvalds have to make a lot of money from their open source projects, especially in the age of AI; making it pointless to maintain such projects.
I did read your comment, but making money from speaking about software is not selling out to me. Is that what you meant?
I think open source works best when folks don't expect to make money off of it. I don't think Linus or Stallman expected to make money off of their free software. In some cases you might be lucky and able to get consulting contracts from firms related to your open source code but it's not reasonable to assume that will happen. It's possible it's harder to get lucky today than before but it was always unlikely.
GPLv3 would not prevent remote attestation AT ALL.
GPL v3 specifically requires the vendor distributing the GPL v3 components to allow the user to change the software on the end user device. This means no more locked bootloader. We would have had choice to install custom Android distributions and thus less Google monopoly.
It was always possible to install Android alternatives, GPLv3 has nothing to do with it. I have nothing against GPLv3 of course, but this is just not true.
Remote attestation is the thing preventing the app from running on your Android alternative, whether it's GPLv3 or not does not matter. GPLv3 does not say "it's illegal to do remote attestation".
One thing I hope we've all discovered by now is that, if Stallman hasn't been proven right at the present moment, on any topic that touches on libre computing, is that it's only a matter of time until he is
Yes he was.
But his vision/prophecy is about 50 years old and while still valid it probably needs an update.
We are now dealing with a fully networked world where AI/bots have become dominant. I am not sure he did / could go as far in his vision.
I did something unpopular and just didn't have a captcha, I just read up on creepjs etc and rolled out my own which is just browser state analysis, basic ip check (abuse lists only) and PoW. Haven't had an issue with a single bot registration (yet).
A simple captcha with distorted characters + some hidden form fields would stop every single "opportunistic" bot.
There's hardly anything you can do to stop someone determined enough to spend money to spam your specific website. These kinds of captchas do raise the bar somewhat, but every single one of them is ultimately bypassed by paying people to solve them for you.
I rotate structures every request I made it explicitely hard to automate and I just raise the PoW during attacks. It's always about reducing volume rather than preventing it and a million registrations later it's still holding strong.
bots get pruned after an hour since 100% of the bots fall into the same trap, giving it a delay makes A/B testing really difficult and breaks most AI strategies.
Cool! I would like to hear more about this, and understand how to do the same.
https://abrahamjuliot.github.io/creepjs/ took this and made it PoW
Does anyone know what changed in iOS 16.5 that made Google stop requiring the app? To me it seems to correlate with Private Access Tokens, aka remote attestation by Apple. https://developer.apple.com/videos/play/wwdc2022/10077/
Possibly. And possibly the fact that breaking experience for iOS users would result in a massive backlash, while the volume of non-iOS/non-Android users is negligible in comparison. Some of them will convert to mainstream OSes, the rest will succumb.
I don't even have a smart phone, I assume there is some sort of fallback behavior?
The fallback is that you get redirected to a website helpfully demanding you buy a Google- or Apple-vetted smartphone: https://support.google.com/recaptcha/answer/16609652.
You will also see this page if your smartphone is degoogled and you try to open the reCAPTCHA attestation URL in a web browser instead of in Google Play Services.
If there was any remaining doubt whether Google is evil, this settles that yes it is.
For Decades the huge tech companies basically faced no adversity whatsoever. Now for the first time in their existence the massive returned investments in AI they are experiencing ... we will call it pain.
I would say it will be interesting to see what they do but I think rent-seeking, oppression, human rights violations would be more apt.
They were of course trustworthy proviers while they were untouchable but now I know how things are gonna go.
I don't know why reclaimthenet hasn't embraced the obvious answer: Simply create a new smart device operating system with a fully disentangled cosmos of programs, libraries, APIs, app SDKs, hardware partners, drivers, trust networks, carrier agreements, app stores, documentation, conferences...
Same reason as "make another (better) windows" is very difficult - almost everyone wants to be able to run existing apps and drivers, so you're forever playing compatibility catchup with android (or windows).
That's the reason companies are desperate to be first/biggest - once you're it, you're it until you finally fall on your face and dwindle to a nobody.
AOSP is open source. There are plenty of AOSP-based systems (starting with GrapheneOS). No need for a new one.
The thing here is that Google is building technology to prevent alternatives from connecting at all. We fundamentally cannot solve it by building more alternatives, we have to prevent Google (and TooBigTech in general) from doing it.
> Simply create a new smart device operating system
Why does it have to be new? Plenty of open source OSes exist... starting with Android! GrapheneOS is based on AOSP, you would call it Android. If I show you a phone running GrapheneOS, you probably won't even realise that it's running an alternative OS: it will be Android to you.
The problem is not that we don't have alternative. The problem is that Google is moving towards forcing everyone to run their OS (or the OSes they accept, since it includes iOS) to connect to random stuff on the Internet. They are literally building technology that will prevent alternative OSes from running properly.
No need to create new OSes if anyway they won't work, right?
and that is gonna be funded by who? anyone who is gonna fund that is gonna want their slice of the pie. we need regulation to keep big tech in line
How about consumers paying a little extra for their device? The way it's going, add sponsored big tech is dieing because click fraud detection is becoming too expensive. Either we give up privacy and track every user, or we let bots have at it, stop targeting ads to users and bill advertisers on bandwidth.
if you think consumers will pay more for the vague notion of privacy i have beachfront property in kansas to sell you. most normies either don't care ("I have nothing to hide ... do you?") or gave up already ("china / the government / big tech / all of the above already have all my data, why would I care if it's a bit more? what are they even going to do with it?" (sometimes, even "i like having relavent ads!")).
at my most pessimistic i can see a world where consumers pay MORE for attestation to continue to opt-in to society, or perhaps a ai-bot-free digital world.
Normies?
Your privacy is dead, and you cannot do anything against it, except not using phones and internet... at all. I mean I still fight against it, but not by protecting my privacy by using tools, or using different tools, because I realized it's not possible. There is no "as less data as possible". They know regardless.
I used VPN, browser containers for everything, myriad of fingerprinting protection, nothing related to Google/Facebook/etc. And then I went up to Youtube once for something, and they knew exactly what were my thoughts at the time. That was the moment when I realized that I suffered for nothing.
I still support for privacy movements, and I strongly believe that the only place where we can do anything at this point is politics. You can't protect your privacy anymore at this current environment, that ship sailed decades ago.
My problem is that basically every larger for privacy push is against newly proposed laws (like age verification), and there is basically no large uproar regarding the current already fucked up laws.
What's wrong with having something to hide? I do.
Ideally it would be funded by the personal wealth of the people who've profited from the current situation.
I uh.. I think that was the (sarcastic) point.
Parent is sarcastic
Mobian, PureOS, postmarketOS already exist. Sent from my Librem 5.
Ugh I hate that I can't tell whether you are being sarcastic or not.
I imagine GrapheneOS is thinking carefully about their statement on this. I look forward to reading it.
I mean, they could sue for non competitive behavior, but good luck beating Google's lawyers
GrapheneOS users (and actually just citizen who care) in the EU should complain to the DMA team [1]. As with everything: the more people complain, the higher priority it gets.
[1]: https://digital-markets-act.ec.europa.eu/contact-dma-team_en
I recommend every EU citizen to do this. Don't send a pre-canned message or an LLM-generated message. Write your own story and how Google (and Apple) are destroying competition and freedom for you as an EU citizen.
Even if you are a GMS Android user, they are going to make installing apps outside the Play Store much more annoying and these attestation-backed verifications are going to further deanonymize you.
And soon desktop OSes will follow, if you don’t have TPM you won’t be able to browse half of the internet.
A parallel, fully public and accessible internet being widespread and available for anyone with a slight tinkering kick... Could actually be really awesome.
Let the commerce-driven, corporatized hellhole that the modern web has become eat itself.
I love the vision, but I do wonder how the parallel internet will deal with DDoS levels of bot traffic.
I hear ‘web of trust’ pretty often and I like the idea but that’s not anonymous or accessible either
How do personal blogs deal with the HN hug of death? In this increasingly-utopian vision, I imagine that being more widespread than (paid) DDOS attempts. There won't be any money to be made (banks, Paypal, etc. won't trust the "parallel web") and with the proliferation of synthetic training data I'm not sure how useful a target a bunch of blogs and smallweb sites would be.
> I love the vision, but I do wonder how the parallel internet will deal with DDoS levels of bot traffic.
Something that makes it expensive to initiate a connection and cheap (relatively) to accept or reject would probably help. I think that’s a hard problem though.
Well, how does Tor or other services do it now?
They get blocked by Recaptcha, I think.
I’m not talking about the network itself but the servers on the other end.
I guess my point is that while Google is definitely malicious, I don’t think every site using recaptcha is and if we expect them not to use that tool there should probably be an alternative.
> They get blocked by Recaptcha, I think.
I think SV was asking what onion services, which can't really use recaptcha, do to prevent the DDoS storm.
And I would imagine the answer is obscurity, since the dark web isn't nearly as well-mapped as the public web. That and some Anubis or other PoW would probably go far.
Proof of work I get, but isn’t that like step2?
If I’m hosting at some IP, I still need Anubis or something to serve up the challenge, so doesn’t that become the attack point?
Tor does it by being so painfully slow an unreliable that the only way you would use it is if there is a cocaine-style reward at the end of it.
> Tor does it by being so painfully slow an unreliable
I do 95% of my web browsing via Tor Browser and it is very tolerable, most circuits are fast enough for 1080p video (Youtube, Twitch livestreams, etc) without any buffering.
Here is a speedtest I ran just moments ago, I would hardly consider this "painfully slow": https://www.speedtest.net/result/19172283165.png
Of course this is a single tor circuit with an exit node, so speeds are slower when going directly to .onion sites, but the only real slowness comes from the latency and not throughput.
Do you add uBlock Origin to Tor? I know that it is not recommended.
[dead]
Not soon, now. The new reCAPTCHA on desktop shows you a QR code for you to scan with your Google-approved phone to prove you have one.
What a coincidence that Windows 11 makes it a requirement!
TPMs can also be based on free software and our own keys. It works well with Heads and Librem Key.
TPM with things like Heads are borderline zero security and theater compared to actually decent implementations on Android/iOS platforms, I doubt the big companies would rely on that. TPM in general on non Mac/Chromebook PCs is mediocre even from big OEMs.
Do you have any evidence if this? Qubes team disagrees with you.
On becoming anti Google, I blocked Google's ASNs (shortcut to block all their IP addresses) on my router the other day as an experiment. It's a little eye-opening.
Obviously you immediately realise just how often you !g in DDG, use Google Flights, YouTube etc. Ok easy enough to fix
Then of course I can't use Play Store (Aurora didn't work either) so my phone would have eventually become quite obsolete
You can't compile many Go projects because the dependencies are pulled from Google
And if you had ALL of Google's ASNs that would include GCP and that's a whole other level of being cut off
From the screenshot in the article "Troubleshoot reCAPTCHA Mobile Verification":
> To complete the mobile verification, you must use a compatible mobile device.
At first glance, reading this made me wonder: what is exactly a compatible mobile device? But they quickly answered this question just below:
> If verifying on iOS/iPadOS...
> If verifying on Android device with Google Play Services...
OK then, got it! These are the ONLY compatible mobile devices. No de-googled devices are being welcomed here.
Time for some lawfare!
The Government reviewed the Google situation on behalf of you,
and on behalf of the Government,
and said “data, so piss off”:
https://abcnews.com/Technology/google-hit-antitrust-lawsuit-...
https://macdailynews.com/2026/02/04/u-s-files-appeal-in-goog...
If the masses can somehow point the absolute loose-cannon that is the current President at Google, things might actually change.
In August 2019, Trump tweeted that Google had “manipulated” millions of votes toward Clinton in 2016 and said the company “should be sued.”
Turns out that Presidents, once elected, largely do what Continuity of Government, and business interests, ask for.
Trump has been the least normal of them, and the increasing distrust and suspicion towards Big Tech is largely bipartisan at this point.
> suspicion towards Big Tech is largely bipartisan at this point.
Largely a bipartisan talking point…not many true Wyden’s out there.
> Trump has been the least normal of them
In some ways, yes.
In other, major ways: a spade is a spade.
warfare*
https://en.wikipedia.org/wiki/Lawfare
> Lawfare is the use of legal systems and institutions to affect foreign or domestic affairs, as a more peaceful and rational alternative, or as a less benign adjunct, to warfare.
The parent is musing on the impossibility of Google being held accountable, as the government largely assents to this plan and will ostensibly use it for social control during times of protracted warfare (eg. right now).
I think it's possible to run the Play Services in an emulator, faking the device type. Google doesn't seem to use the platform attestation for now.
Treatment is not a cure.
Agreed. I'm just pointing out the possibility (for now).
Really that seem almost too easy ?
For now. They'll likely start requiring device attestation in future, and the emulator can't pass it.
Its going to be just like the wild days of the late 90s and 2000s
Strap in, the ownage will be hard.
Related:
Google Cloud fraud defense, the next evolution of reCAPTCHA
https://news.ycombinator.com/item?id=48039362
Google Cloud Fraud Defence is just WEI repackaged
https://news.ycombinator.com/item?id=48063199
I don't use Android right now and haven't used Google'd Android for almost a decade. And I won't. If this is the hill I die on, so be it.
I'm not going to use any sort of hardware attestation, especially one controlled by Google. You shouldn't either, even if you have an unrooted Google-certified Android phone.
It's all fun until you can't get paid because some fintech app doesn't work. That's why we need regulations. I don't see politicians ever going against an advertising company when they're customers.
Indeed, I generally favor being conservative with regulations because they can genuinely impede progress and can be really hard to change or remove when they're bad, but this is an issue that we need regulation for. It's just too much in the interest of big tech to lock us down and strip us of our freedom of compute. Short of regulation.
Unfortunately I see the regulatory environment more likely to go the other way of requiring attestation. I sure hope I'm wrong.
An easy first step ahead of a full ban would be insisting that hardware attestation never be used as a gate to access government services. Most other things I can vote with my feet, but viewing my tax returns or renewing my passport are things that can only happen in one place.
This is really the most important thing for me. I don’t want to be obligated by law to use some identity or attestation service tied to big tech. I might be ok with my bank handling it because they already require ultimate trust, but not if they simply defer to big tech or implement infrastructure on foreign ccTLDs (id.me, verified.me, etc.).
I’m Canadian and watching our government sell our souls to American tech companies is beyond scary.
Yes, Canadian here also and I feel the same. I'm pretty heavily Googled these days (gmail, gphotos, Pixel 10) and I work for a US tech company, so maybe I'm kidding myself that it matters much for me personally, but I'd be pretty sad if I ever found myself unable to access any level of government service because I didn't have a Google or Apple smartphone that I could point at a QR code on the screen.
One unfortunate aspect of the entire problem: Go back, let's say 10, 15 or 20 years, when forces were a bit more balanced than today. When all these issues were already quite obvious, but probably somewhat easier to solve. The same people that cry loudly today were completely ignoring all these issues. Actively. And when someone came up with them, that guy was just an idi*t, disturbing the good mood. Right? I can still remember all the conversations that I had, or that I read. Today, they'll deny that and still call me an idiot. Anyways...
PS: Sure, there always were a handful of exceptions. If you are one of them, you know what I'm talking about. I don't refer to you. But to the other 99.x%.
So just to clarify, you also didn't solve anything but you want everyone to know you told them so and you were smarter?
> If you are one of them, you know what I'm talking about. I don't refer to you. But to the other 99.x%.
Reminds me of Facebook engagement bait
I saw a lot of people get told they were too dumb to understand how the app stores or Adobe subscriptions were a good value proposition. A lot of people rolled in the mud and now they’re upset their clothes are dirty.
If it didn’t affect those of us that tried to resist, I wouldn’t care, but we got dragged along unwillingly and now it may be impossible to hit the brakes before corporations control everything by usurping control of our identity systems.
Oh, yeah, these discussions as well... Precisely.
Good that some people are able to translate my thoughts into actual English... :D
> Reminds me of Facebook engagement bait
If you say so. I don't know. I was never an active part of that big problem (so btw I also had nothing to "solve"). You were?
> Unfortunately I see the regulatory environment more likely to go the other way of requiring attestation. I sure hope I'm wrong.
Everyone in power wants it, across the entire globe.
The sort of regulation we need for this must be as solid as a constitutional amendment, but that is going to be very, very difficult.
Already happening. The official German identification app, AusweisApp, is designed exclusively for Android and Apple mobile devices
The AusweisApp is Open Source and available on Windows, Linux and even FreeBSD too. You just need some NFC Scanner that works via USB and then you can use it without a mobile device. https://www.ausweisapp.bund.de/open-source-software
This is the way to do it if you're gonna have a digital ID. Thank you Germany for setting a better example than many!
> designed exclusively for Android and Apple mobile devices
That's very different from requiring hardware attestation, though.
It is a little different. But not very different.
No, you can also get it for Windows and Huawei devices. So three American and one Chinese companies. Great.
With Salt Typhoon, that's a whole four ways to choose how China steals your data.
And to think, people said consumer choice was dead...
If it was developed by the government, shouldn't the source or an API be available? Surely third-party apps can be made in that case?
That'd be great but governments often don't make specs and source code available. Governments don't make things open.
The amount of stuff councils and state governments gatekeep about road specs alone... Argh.
"Not using" doesn't make any noise. If you just "don't use", you will just use less and less stuff.
Google doesn't give a shit, but smaller companies are the ones using reCAPTCHA and that kind of shit. Consumers need to complain to those smaller companies. And citizen need to complain to their government, if those case. In the EU there is the DMA: https://digital-markets-act.ec.europa.eu/contact-dma-team_en.
What's sad is that the few citizen who care are often complaining against regulations. And it is the lack of regulations that got us here. We need antitrust, period.
What do you use instead? iOS?
One positive thing about tools like Claude is that I can finally do things where I had originally no time for. For example I asked Claude to debloat windows. Remove everything possible. From firewalls to notepad to uac to whatever. I also asked Claude to root my pixel phone and install another OS. I also asked to install pihole on a old Mac to serve as a dns and block all ads. All this took maybe an hour of my time.
Is there a way to just ban all these sites? Like a firefox plugin or whatever that detects this crap, and just bounces over to some place more reputable, like archive.is.
It looks like archive.is uses recaptcha so I don’t think that’s the fix you’re looking for.
then we make a new one
This tyrannical and selfish, evil corporation, needs to be broken down. These are not accidents. Just remember how Google killed off ublock origin via a lie:
https://ublockorigin.com/
See the explanation associated with Manifest V3.
Doesn't surprise me — I've hit undocumented Android Chrome behavior too while working with the Vibration API (more advanced usage by a very large margin). The browser/OS layer on Android has a lot of silent, unannounced behavior.
To be fair, there are already apps that require a mobile phone to sign up, for example, VK, Telegram. And I think Google requires to scan a QR code to register account, so it is easier just to buy a Google account on a black market if you need it for some purpose.
Nobody trusts web browsers nowadays.
I think you and I move in very different social circles...
I would have no idea how, nor desire to purchase a Google account on the black market, and I do in fact still trust that my web browser can do TLS correctly.
My reading of codedokode:
"easier just to buy a Google account ...." for those who would choose to do that in quantity. That is, the scammers and fraudsters for whom this is a financial decision. Which suggests that Google's latest moves shift the needle only slightly against actual abuse at a huge cost to the rest of us.
"Nobody trusts web browsers ..." applies to the publishing side. Content (that is, advertiser) sites and commerce most especially. The prove-yourself hoops that those opting out of that approach (de-Googled Android, privacy-hardened browser, alternative OS) must deal with are mind-bogglingly insane, speaking from personal experience. The Web no longer brings joy.
Incidentally, Google plays strongly in the second space, such that its incentives are aligned with pushing people into the "Google Play Services" ecosystem, and to both its own browser and ad-tech personal surveillance tools.
In conclusion, Google must be destroyed.
You're right, thanks - that makes more sense.
> In conclusion, Google must be destroyed
Yeah they've had their time XD
I meant "corporations do not trust users who register from a web browser and not from a mobile app". Without a mobile app (which allows to collect more hardware identifiers and spam you with notifications) you are not welcome.
Ah got it - I guess I was having a slow day that day.
I think you can just search 'buy google account' - it isn't illegal.
Sure but how do I know that the person I'm buying from legitimately owns the account? Won't scam me? Or try to con me out of my existing account? I'm just saying not everyone is as relaxed about that sort of thing.
The price is about $2-3 so you are not risking much, there are reviews and ratings. Of course there are scam sites, but once you buy several accounts you quickly figure out which ones are scam and which are not.
Re: stolen accounts, you can examine account details, history and activity after purchase, check for emails from social networks and return stolen account to the owner. The posting usually also mentions registration period (new accounts are unlikely to be stolen). But it seems that registering new accounts is cheaper than stealing - old accounts are much more expensive.
I didn't use the account for any illegal activity, there are just sites that use Google Account as a "verification" that you are not a bot, and to issue bans. And I am not interested in jumping through the hoops of searching a locked smartphone with Google Services and filing a visa application to register the account. I strongly dislike proprietary software and locked smartphones.
Markets are regulated by reviews, seller history and so-on, the same as legal markets and it's generally smooth.
VK has been digging its own grave for quite some time now. Hardly anyone uses it any more. It's speedrunning enshittification with that registration thing but also with the very unpopular post redesign, the removal of custom news feeds, and most recently with shutting off most of the API access for third-party apps, including popular client apps like Kate Mobile.
Luckily Google reCAPTCHA seems to be dying. Almost everything uses Cloudflare Turnstile, hCaptcha, or some form of a PoW challenge now.
I'd go as far as to say that still having Google reCAPTCHA on your website is a sign of your website being unmaintained. Half of them even have the "reCAPTCHA is changing terms, take action" text on them.
This move will cause the last users to stop using it, and reCAPTCHA will be on the "Killed by Google" list in a year or two.
Next phone I'm buying won't be able to run android if I can help it.
Verify that.
(edit: and it definately won't be an iphone, although that would fit the description above, those only run non-free software by design)
The gate to the pig pen is closing…
Wait, you need a TPM chip?
I don't know what services a TPM chip does provide. Wild guess, some private keys, hidden to the computer user, are used to sign stuff and/or encrypt ?
I'm sorry Google, I'm afraid I can't do that.
It’s quite easy to remote control an Android phone with an agent (eg there‘s agent-device). I don’t think this will keep automation from happening.
I wonder if any of these sites will see any meaningful drop in users, or if they even care.
I long ago stopped using any webpage that uses a captcha. If the website uses one, I bounce.
that reinforces me using HarmonyOS - nothing against Graphene btw -. It's impressive how difficult is to actually use any platform apart from the stablished ones normally these days.
What happens with Chinese Huawei phones that don’t have Google services?
People can install Google Services in them. Once you sign into google account then you self-certify the device. https://www.google.com/android/uncertified/?pli=1
[dead]
this is going to keep happening across every trust layer google rolls out
the trajectory has been clear since AMP-convenience for site owners, attestation pressure on users
Delete Chrome and use Brave. Problem solved.
Isn't reCAPTCHA a spam? This video I watched recently does a nice history and also was enjoyable to watch https://youtu.be/seX_rDEsP6E?si
I worked at Google. I know there are tons and tons of great and well meaning people working there. This is the kind of thing that would make me crazy.
People there be like, “but I’m not evil! I’ll never do anything bad with all of this incredible power!”
But if you create a nuclear bomb, someone unsavory is going to wrest control of that power from your stupid little painted fingernails and destroy the rest of us with it.
How about, don’t make an effing privacy nuclear bomb if you don’t want to contribute to making the world more evil?
Anti competitive behaviour ?
OK, so what are the alternatives, what can developers use instead?
Create your own. Captchas have long existed on the internet. Start your own Captcha As A Service. If you've not seen the dark net some of their QR checks are inquisitive.
Above is verbose from my honeypot. Some security camera network has been hacked and is being used for net thrifting in Romania.The internet is a failure. Congratulations us.
It feels ultra sad that "developers" think they need to use reCaptcha? What is this lazyness, it's not even good on top of that at what it does, recaptcha cost less than $1/1000 to solve automatically, it's also slow, crappy, bad UI.
Even competent people got completely brainwashed, crazy.
Developers implement what they are told to implement. People who make those decisions in companies just don't give a damn, they will happily use whatever is easier/cheaper. Usually something from TooBigTech, sponsored by surveillance capitalism.
We told you. You dismissed it, and thought we were just crazy conspiracy theorists. Too brainwashed by the mainstream propaganda about "threats" to see the truth. Now they're even more emboldened by how much they can herd the sheeple, and showing their actual goals even more clearly.
Spread the news, tell everyone you know, before it's too late. I wish we won't have to resort to even more drastic methods in this fight.
"Those who give up freedom for security deserve neither."
The rebellion will not spread online, in the space controlled by these bastards; but offline, outside of their control. I'm telling everyone I know, and you should too.
Here's the obligatory: Google, FUCK YOU!
Can’t like companies do what they want, or did we let the fascists take over?
Sigh...
>Incompatible browser extension or network configuration
After all the surveillance capitalism abuses over the last 2-3 decades of Web, it's a little late to be pushing back, but... should we start shunning individuals from companies who implement this?
Whether it's from companies that create the tech, or companies that use it.
In the orgy of money, we've had a kind of industry-wide sociopathic convention of individual engineers considering it perfectly OK to further surveillance capitalism.
Can we reverse that?
If someone says we can't, because "everyone does it", are they saying that we're a field of baddies?
We cannot rely on millions of individual workers to take expensive stands on principle. And they shouldn't have to. It's an essential duty for lawmakers and regulators to design the rules of the marketplace in such a way that wealth flows to those who do genuine good for the populace, and to designate certain tools and practices as off-limits because they are incompatible with our society's core values. Google's actions here are a clear antitrust violation and should be blocked/punished. If our representatives don't do so, then they should be punished.
I agree, wholeheartedly - lets get a list of the google engineers who worked on this. What do you propose we do with it?
I had more the thought like being skeptical of anyone who would take a job at company Foo or stay there, when they tell you. To me that seems preferable to trying to -- what risks devolving into -- a witch hunt of fall guys (persons), and doxxing people.
I think we are already starting to have that with a couple more infamous other companies in the news the last year: if someone goes to work there, I suspect a lot of people are going to think what is wrong with you, since you must know that company does very harmful things,
Maybe it's time to start wondering that about anyone who'd work for a lot of additional companies?
(I actually had a recruiter recently who was pitching a startup, and the headline featured the "ex-" pedigrees of the founders, including an especially infamous company. I figured any company touting that pedigree as a selling point is probably a bad fit for me. I thanked the recruiter, but said that infamous company as selling point probably isn't a fit. The recruiter seemed to not only understand, but to agree with my vague sentiment about that pedigree company.)
Spread the word. They need to be held accountable the same way elected officials are --- except in this case they're not even elected.
Google seems to be putting yet another brick in the garden wall.
[flagged]
[dead]
[dead]
[dead]
[dead]
[flagged]
[dead]
[dead]
[flagged]
[flagged]
We've banned this account. This is an utterly appalling comment.
[dead]
[flagged]
The article was at #1 on the frontpage when you posted this.
Please stop calling Android Linux. It's a marketing lie that continues to disappoint, including here. You're holding Linux back substantially by claiming Android is part of it. Just because it has Unix doesn't mean it's Linux as MacOS is also Unix.
I’d just like to interject for a moment. What you’re referring to as “Android,” is in fact Android/Linux, or as I’ve recently taken to calling it, Android plus Linux kernel.
Linux is not an operating system unto itself, but rather a kernel—a core component that manages hardware resources. Android uses the Linux kernel, but replaces the traditional GNU userland with its own runtime, libraries, and system framework.
Many users run Linux-based systems every day without realizing it. Through a peculiar turn of events, the Linux kernel combined with Android’s userspace is often simply called “Android,” and many of its users are not aware that it is built on Linux at its core.
There really is Linux in Android, and these people are using it, but it is just a part of the system they use. Linux is the kernel: the program in the system that allocates the machine’s resources to the other programs you run. The kernel is an essential part of the system, but useless by itself; it can only function in the context of a complete operating system.
Android is normally used in combination with the Linux kernel: the whole system is basically Android/Linux, a Linux-based operating system with a distinct userspace, not a GNU/Linux system like traditional desktop distributions.
The kernel is a Linux kernel. The userspace is very different from a typical Linux distribution.
A fork of it, updated periodically
And let's not pretend that we mean the kernel when we say Linux distribution
Debian also uses a fork that is updated periodically.
Android literally is a Linux distro, though. Like, sure it has a weird userspace and is user hostile, but that doesn't make it not a Linux distro.
linux is a choice, this is not a choice. fairly confident people are rejecting this notion on ideological grounds
> ... and is user hostile,
How so?
It's the punishment for all the times people laughed at calling regular Linux "GNU/Linux".
Unless it was in a previous iteration of the submission's title, I don't see Linux mentioned anywhere.