coppsilgold 7 hours ago

My understanding is that this new reCAPTCHA is basically just remote attestation.

Remote attestation doesn't use blind signatures (as that would be 'farmable'), so tying the device to the 'attestee' is technically possible with collusion of Google servers: EK (static burned-in private key) -> AIK (ephemeral identity key in secure enclave signed by a Google server) -> attestation (signed by AIK). As you can see, if the Google server logs EK -> AIK conversions, an attestation can be trivially traced to your device's EK. This is also why we don't really see and probably never will see online services which offer fake remote attestations, as it will be pretty obvious that the next step of running such a service is getting Google as a customer and having all your devices blacklisted. Private farms probably won't last long either, as I'm sure Google logs everything and will correlate.

Unless something special is done with this new reCAPTCHA, not only are you locking internet services behind TPM chips but you are also surrendering anonymity to Google. Unless you acquire untraceable burners for every service, the new reCAPTCHA will be technically capable of tying all your accounts across all these services together. Much like age verification. It may appear that the service would need to cooperate to link the reCAPTCHA session to your registration, but the registration time alone will likely be sufficient (the anonymity set will be all but destroyed).

tardedmeme 5 hours ago | parent | next [-]

If you run a website, it seems trivial to forward the attestation to someone else by putting the same code up on your website, and getting their device banned from google instead of your own.

coppsilgold 3 hours ago | parent | next [-]

Realistically, what Google will do in such a scenario is collect data about the illicit service, enumerate the devices the farm uses and what other activities the devices participate in. What you suggested has far less control over the devices that generate the attestations and it will show.

Also, if the implementation is competently done the phone will show the website for which you scanned the QR code. A user would be able to see whether or not that matches the site where they observed the QR code and proceed accordingly. In time Google will probably integrate it into the Chrome browser where a proxied QR code cannot even be shown.

ChadNauseam 3 hours ago | parent | prev [-]

The domain in the attestation would be yours, so that wouldn't work

Groxx 3 hours ago | parent | next [-]

Some people will notice, some will not

chadgpt2 3 hours ago | parent | prev [-]

How would the phone camera know the domain name of the website displaying the QR code it's scanning?

gruez an hour ago | parent | next [-]

After you scan the code, the verification app asks you "do you want to verify for example.com?"

tardedmeme a few seconds ago | parent [-]

If you don't verify for example.com you won't be allowed to view example2.com. So do you want to or not?

eddythompson80 3 hours ago | parent | prev [-]

The camera isn't the part doing that verification. The Google service serving that "reCAPTCHA" is what's doing that validation. Unless you're using a custom browser that is reporting a different domain to Google than the one requesting the reCAPTCHA, Google's service will know which domain is which.

tardedmeme 3 hours ago | parent [-]

How does the verification app on your phone know what's in the URL bar on your desktop?

ranger_danger 3 hours ago | parent [-]

The QR code/URL would be generated/requested by the javascript running on the website you're viewing, which knows what's in your address bar.

tardedmeme 2 hours ago | parent [-]

It would be generated by some other website like Amazon. Because I own, say, Meta, I copy these Amazon-generated codes over to Meta, make people scan them on their phones to sign into Meta and then pass the solution back to Amazon so my bots can sign into Amazon.

ranger_danger 2 hours ago | parent [-]

We don't yet know how the client side works, perhaps there will be a decompilation posted soon.

It's possible this scenario is acceptable to them because it means they can still tie your access to something that's easier to ban without requiring a full account login.

tardedmeme 16 minutes ago | parent [-]

They're tying my access to random users of a completely different service, and a different random user each time.
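
The chain coppsilgold describes at the top of the thread (EK -> AIK -> attestation, with the issuer logging the EK/AIK pairing) and the relay scenario argued over in this subthread, as an added Go model that is not from the original thread and is not Google's protocol: Ed25519 stands in for whatever the enclave and servers really use, and the issuer, message layout, domain names and nonce are all assumptions. It shows three things: an issuer that sees the EK at AIK enrollment can trace every later attestation, and two sessions at unrelated sites link to the same EK; binding the relying party's domain and nonce into the signed challenge stops a second site from reusing the answer; and that binding does nothing about a QR code minted by amazon.com but displayed on another page, because the relying party accepts it, the issuer's trace lands on the scanning user's device, and only the phone's "verify for amazon.com?" prompt can tip the user off.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

func Fingerprint(pub ed25519.PublicKey) string { return fmt.Sprintf("%x", sha256.Sum256(pub)) }

// Issuer plays the server that certifies AIKs; EK possession is proven in the clear, so it can log EK -> AIK.
type Issuer struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
	log  map[string]string // AIK fingerprint -> EK fingerprint (the linkability the thread warns about)
}

func NewIssuer() *Issuer {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Issuer{priv: priv, Pub: pub, log: map[string]string{}}
}

// CertifyAIK checks the EK's signature over the new AIK, logs the pairing and signs the AIK ("AIK certificate").
func (iss *Issuer) CertifyAIK(ek, aik ed25519.PublicKey, ekProof []byte) ([]byte, error) {
	if !ed25519.Verify(ek, aik, ekProof) {
		return nil, errors.New("AIK not proven to belong to EK")
	}
	iss.log[Fingerprint(aik)] = Fingerprint(ek)
	return ed25519.Sign(iss.priv, aik), nil
}

// Trace maps any attestation back to the EK that enrolled its AIK.
func (iss *Issuer) Trace(a Attestation) (ek string, ok bool) {
	ek, ok = iss.log[Fingerprint(a.AIK)]
	return
}

// Device holds a static EK and an ephemeral, issuer-certified AIK.
type Device struct {
	ekPriv, aikPriv ed25519.PrivateKey
	EK, AIK         ed25519.PublicKey
	AIKCert         []byte
}

// NewDevice burns in an EK, then enrolls a fresh AIK with the issuer.
func NewDevice(iss *Issuer) *Device {
	ekPub, ekPriv, _ := ed25519.GenerateKey(rand.Reader)
	aikPub, aikPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert, err := iss.CertifyAIK(ekPub, aikPub, ed25519.Sign(ekPriv, aikPub))
	if err != nil {
		panic(err) // cannot happen: the proof was just made with ekPriv
	}
	return &Device{ekPriv: ekPriv, aikPriv: aikPriv, EK: ekPub, AIK: aikPub, AIKCert: cert}
}

// Attestation answers a scanned QR challenge. Domain is the relying party that minted the nonce
// (the "verify for <domain>?" prompt); nothing in it records which page displayed the QR code.
type Attestation struct {
	Domain  string
	Nonce   []byte
	AIK     ed25519.PublicKey
	AIKCert []byte
	Sig     []byte
}

func attestPayload(domain string, nonce []byte) []byte {
	return append([]byte("attest:"+domain+":"), nonce...)
}

func (d *Device) Attest(domain string, nonce []byte) Attestation {
	return Attestation{Domain: domain, Nonce: nonce, AIK: d.AIK, AIKCert: d.AIKCert,
		Sig: ed25519.Sign(d.aikPriv, attestPayload(domain, nonce))}
}

// VerifyAt is the relying party's check: certified AIK, valid signature, and its own challenge.
func VerifyAt(issuerPub ed25519.PublicKey, ownDomain string, issuedNonce []byte, a Attestation) error {
	switch {
	case !ed25519.Verify(issuerPub, a.AIK, a.AIKCert):
		return errors.New("AIK certificate not from issuer")
	case !ed25519.Verify(a.AIK, attestPayload(a.Domain, a.Nonce), a.Sig):
		return errors.New("attestation signature invalid")
	case a.Domain != ownDomain || string(a.Nonce) != string(issuedNonce):
		return errors.New("challenge was not minted by " + ownDomain)
	}
	return nil
}

func main() {
	iss := NewIssuer()
	victim := NewDevice(iss)
	nonce := []byte("nonce-minted-by-amazon") // constructed: QR relayed to the victim by a page on meta.com
	a := victim.Attest("amazon.com", nonce)   // phone would prompt "verify for amazon.com?"
	ek, _ := iss.Trace(a)
	fmt.Println("amazon.com accepts the relayed attestation:", VerifyAt(iss.Pub, "amazon.com", nonce, a) == nil)
	fmt.Println("meta.com cannot replay it for itself:", VerifyAt(iss.Pub, "meta.com", nonce, a) != nil)
	fmt.Println("issuer traces it to the victim's EK:", ek == Fingerprint(victim.EK))
}
```

The domain/nonce binding in VerifyAt protects the site that minted the challenge, not the person scanning it: the relay in main passes every check at amazon.com, and the only defence left is the prompt on the phone, which is exactly where the subthread ends up.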

rdedev 4 hours ago | parent | prev | next [-]

When companies like this exist, what is the point of relying on TPM? Looks like the future is bright for VC backed bots

https://doublespeed.ai/

NikolaNovak 3 hours ago | parent | next [-]

I'm assuming that's a troll / sarcasm / fake... But that could just be my last vestige of faith in humanity.

Edit: aaaand... That's another little sliver of my faith gone : https://www.theatlantic.com/podcasts/2026/04/how-fake-people...

djeastm an hour ago | parent [-]

Yeah, it's real. Say goodbye, faith!

failuser 3 hours ago | parent | prev | next [-]

How is this not grounds to be sued into oblivion by Google and Meta? They clearly violate ToS for profit. This is something I expect to find on a dark web forum where 0days are traded, not in public.

xmcp123 2 hours ago | parent | next [-]

This kind of thing has been common for ages. Obviously AI has kicked it into overdrive, but it’s not darkweb kind of stuff.

Note that they do not mention any specific companies on that landing page. That is pretty intentional.

But realistically going after bots is expensive and rarely successful, so most companies don’t do it. Even if you find the guy, the chances they can be legally reached are pretty low.

SlinkyOnStairs 2 hours ago | parent | prev | next [-]

> How is this not grounds to be sued into oblivion by Google and Meta?

Because they don't care. It doesn't matter that it's AI slop, it generates views. And Google and Meta can bill advertisers for those views.

Zuckerberg is paying people to put AI slop Shrimp Jesus on facebook. (Not directly to platforms like this, but with the incentive structure)

Really, they're not just cashing in on the views of AI slop being put in front of boomers. They're cashing both ways; While the low end spam industry is merely guessing and iterating on whatever generates views, the more refined spammer does not leave the performance of their latest slop post up to chance, and just uses good old viewbotting. Viewbotting that these days, is mostly done on real devices. Which show ads, to the bots or underpaid developing world workers. Google and Meta'll still charge you for those impressions though.

The losers? People who sincerely try to use these platforms, and whatever idiot businesses are still paying for ads by the impression or click, rather than conversions that immediately generate revenue.

chadgpt2 3 hours ago | parent | prev [-]

Violating ToS isn't illegal in most cases. Companies just put scary looking clauses in their ToS to discourage you from doing things they don't like.

eddythompson80 3 hours ago | parent [-]

That's not true of course. There are hundreds of such cases with varying outcomes [0][1][2]

[0] https://en.wikipedia.org/wiki/Facebook,_Inc._v._Power_Ventur....

[1] https://en.wikipedia.org/wiki/MDY_Industries,_LLC_v._Blizzar....

[2] https://en.wikipedia.org/wiki/EBay_v._Bidder%27s_Edge

tardedmeme 2 hours ago | parent | prev | next [-]

These companies would have to buy one phone per fake influencer.

dakolli 4 hours ago | parent | prev | next [-]

Why is every startup using that same serif font now, Garamond or whatever? Is it an LLM design phenomenon? It's kinda ruining that font style for me.

Also $1,500 a month for 10 "influencers" is wild. This doesn't seem that sophisticated unless they're doing something special to increase trust scores of accounts. They say they have "in house warming algorithm" which honestly doesn't inspire confidence for me.

What's funny is it's almost a certainty (if they are doing things correctly) that they have literal farms of phones (probably in SEA). The only real way to keep trust high is to have a real mobile connection and unique devices. Proxies are okay, but you really need to use the apps on real hardware.

alexspring 40 minutes ago | parent | next [-]

Yep. They got hacked in the past, 1k+ smartphones reported.

The cost is the attestation keys of a real phone. Once it gets burned, the phone is useless to them.

https://www.penligent.ai/hackinglabs/inside-the-ai-phone-far...

etaioinshrdlu 3 hours ago | parent | prev [-]

I think the font is mimicking old Apple ads, eg: https://i.insider.com/5bf8592eb73c284de50e2f28

dakolli 2 hours ago | parent [-]

Ahh, that makes sense.

tcoff91 4 hours ago | parent | prev | next [-]

Wow that is so dystopian.


thaumasiotes 4 hours ago | parent | prev | next [-]

> My understanding is that this new reCAPTCHA is basically just remote attestation.

Yes, somehow "parse this QR code" would not have made my top 500,000 list of 'tasks that a human can do more effectively than a computer'.

lxgr 3 hours ago | parent [-]

I'm sure some people still remember how to mentally decode QR codes and verify ECDSA signatures from Covid days. Public transit ticket inspectors in my city also seem to be quite proficient at it :)

g-b-r 4 hours ago | parent | prev | next [-]

I don't see any requirement to support hardware attestation in the recaptcha documentation, the Play Services seem to be "enough".

I think it's most likely to be attested by Google remotely; they might be using an app (with enormous access to the phone as the Play Services have) to be able to link a ton of data together, possibly including the local activity on the phone, officially to make better humanity assessments based on it all.

For people using a Google account it probably won't make a huge difference, in terms of data collected.

If that's how it would work, spoofing would probably be theoretically possible, but it would be easy for Google to detect attestations used by multiple people.

Let's not forget that this is an update to a very approximate system, absolute security is not (yet) required.

But there's a good chance that it will be extremely hard to sidestep, despite that.

lxgr 3 hours ago | parent [-]

> they might be using an app (with enormous access to the phone as the Play Services have) to be able to link a ton of data together, possibly including the local activity on the phone

But anything your phone can possibly do in software can be spoofed, so how would that help?

getpokedagain 5 hours ago | parent | prev | next [-]

Stop visiting sites and using services that use reCAPTCHA. Problem solved.

tardedmeme 4 hours ago | parent | next [-]

With the new reCAPTCHA this is going to happen because most human visitors will actually be unable to pass the CAPTCHA. It will be interesting to see whether this makes websites ditch reCAPTCHA or whether they literally just don't care about having customers, an attitude that seems to be getting more and more common every day.

papercruncher 3 hours ago | parent | next [-]

I have been unable to give my money to Home Depot, REI and a growing list of online retailers because they use Akamai EdgeSuite, which just assumes I am a bot and 403s on protected API calls. This happens consistently on any IP and any browser on my Linux desktop/laptop.

userbinator 23 minutes ago | parent | next [-]

Home Depot at least has a physical presence, which you can go and directly give some much-needed feedback to.

tardedmeme 6 minutes ago | parent [-]

It has a zero percent chance of reaching anyone who can do anything about it.

You could try handwriting and posting a letter to their CEO. I think that sometimes works. Probably not very often but there are more than zero CEOs who read those letters.

spystath 2 hours ago | parent | prev | next [-]

There are not enough words to describe how much I hate Akamai EdgeSuite. So many random validation loops and 403s across different physical computers, different operating systems, different connections and even countries. A couple of services I need use it and there's a 30% chance I'll make it past their stupid "protection".

drew870mitchell 3 hours ago | parent | prev [-]

Same, i'm doing a kitchen reno and gave up on Home Depot because of this

raincole 40 minutes ago | parent | prev | next [-]

> most human visitors will actually be unable to pass the CAPTCHA

Most human visitors will never ever notice the change. reCAPTCHA is completely invisible for most human visitors because they are allowed to pass just by fingerprint.

It's not like an average user is going to have to scan a QR code every time they visit a site via web browser. If it were like this then it would be a non-issue because no sane website would adopt this system. But it isn't.

g-b-r 4 hours ago | parent | prev [-]

One problem with these things is that businesses have minimal visibility into the number of users they lose.

On the contrary, if they see reports of many visitors not completing the captcha, they're likely to think "Wow so many bots!!! This defense nowadays is indispensable..!".

Sometimes you need to pass a captcha even to contact them (if you want to tell them that you can't pass their captcha).

jbvlkt 4 hours ago | parent | next [-]

I wanted to give money to a charity and they have the whole form protected by reCAPTCHA. So I would have to allow all my personal information and the amount donated to be sent to Google (and agree to Google's terms for data processing). I have contacted them but they did not understand why this is a problem; they just wanted to protect themselves against bots. IMHO unless those things are disallowed by antitrust laws, we have lost.

bar000n 3 hours ago | parent | prev | next [-]

I say technofeudalism, not sure I know what I'm writing about though

chadgpt2 3 hours ago | parent | prev [-]

Luckily the marketplace of money will ensure that businesses who block their customers shrink and businesses who don't block their customers grow.

lxgr 3 hours ago | parent | prev | next [-]

I'd love to, but I'd not be able to visit many sites anymore thanks to Cloudflare...

g-b-r 4 hours ago | parent | prev | next [-]

Yeah, live in a cave, and problem solved.

However much I hate it, right now among the sites using reCAPTCHA there are many that I strongly want to use.

Let's find a better solution please

flatIronSteak 4 hours ago | parent | next [-]

> Let's find a better solution please

Is there an argument here that Google is creating a monopoly?

Could this be challenged on similar grounds that forced Microsoft to recommend other browsers to users on Windows?

KPGv2 3 hours ago | parent [-]

There is, but at least in the US neither party cares. They want to get rid of anonymity online, one to throw anyone who googles "trans" in jail, and the other because their biggest donors are tech companies that want to denonymize everyone.

Our antitrust laws have been toothless for decades, and both parties love billionaires controlling the rest of us with an iron fist.

GrapheneOS is looking more and more worth the headache that my limited free time generally does not like. I don't need Google to know my smut fanfiction is written by me IRL.

ggiigg 7 minutes ago | parent [-]

Felt the same way about GrapheneOS but a few friends set it up so I gave it a try. It is easy to install and use. As evidence, I gave my 70 year old father one and he loves it.

g-b-r 4 hours ago | parent | prev | next [-]

sieabahlpark, I probably hate this more than you, you misunderstood


reaperducer 4 hours ago | parent | prev | next [-]

Stop visiting sites and using services that use reCAPTCHA. Problem solved.

No. Bigger problem created, since there are innumerable government, health care, and educational web sites that use reCAPTCHA.

I'm not going to give up reading the test results from my doctor because some simplistic ideologue decides that it's "problem solved."

ethin 2 hours ago | parent | next [-]

The other problem with this is that there are few CAPTCHA alternatives.

CF turnstile is one, but of course that means Cloudflare owns even more of the web.

HCaptcha is inaccessible and actively discriminatory against individuals with disabilities and refuses to change, to the point that I suspect the only way that they will do anything is to file a class-action against them and sue them into the ground.

And I... Can't think of anything else. Other than to just get rid of Captchas entirely.

majorchord 3 hours ago | parent | prev | next [-]

> I'm not going to give up reading the test results from my doctor

You could just call them.

unethical_ban 4 hours ago | parent | prev [-]

I agree, and I think CAPTCHA is a disservice on public websites.

varispeed 2 hours ago | parent | prev | next [-]

Shouldn't that be illegal under GDPR?

dheera 5 hours ago | parent | prev [-]

> Google didn’t demand iPhone users install Google software to pass the test.

Can de-Googled Android phones present themselves as iPhones?

coppsilgold 5 hours ago | parent | next [-]

Apple has their own remote attestation infrastructure and you will not be able to impersonate an Apple device without extracting private key material from the secure enclave of a legitimate Apple device or compromising Apple certificate authority private keys.

lxgr 2 hours ago | parent [-]

Is this actually available in Safari?

e28eta 2 hours ago | parent [-]

Since iOS 16, apparently

https://blog.cloudflare.com/eliminating-captchas-on-iphones-...

https://developer.apple.com/news/?id=huqjyh7k

thaumasiotes 4 hours ago | parent | prev [-]

Can they present themselves as... web browsers?

tardedmeme 4 hours ago | parent [-]

Yes, and then they'll get served a QR code that you have to scan on a phone Google approves of.