My understanding is that this new reCAPTCHA is basically just remote attestation.
Remote attestation doesn't use blind signatures (as that would be 'farmable') so tying the device to the 'attestee' is technically possible with collusion of Google servers: EK (static burned-in private key) -> AIK (ephemeral identity key in secure enclave signed by a Google server) -> attestation (signed by AIK). As you can see if the Google server logs EK -> AIK conversions an attestation can be trivially traced to your device's EK. This is also why we don't really see and probably never will see online services which offer fake remote attestations, as it will be pretty obvious that the next step of running such a service is getting Google as a customer and having all your devices blacklisted. Private farms probably won't last long either as I'm sure Google logs everything and will correlate.
Unless something special is done with this new reCAPTCHA not only are you locking internet services behind TPM chips but you are also surrendering anonymity to Google. Unless you acquire untraceable burners for every service, the new reCAPTCHA will be technically capable to tying all your accounts across all these services together. Much like age verification. It may appear that the service would need to cooperate to link the reCAPTCHA session to your registration but the registration time alone will likely be sufficient (the anonymity set will be all but destroyed).
worth noting that google/twitter/facebook/reddit/others colluded to combine sessions, identifiers, so that any person getting identified on any one session / ip would be identified on all
so while this comment is apt, i would ask them what they think of the previous chicxulub impact of the 2012 era collusion - which to this day has not been reported on
(just realized emacs bindings work in comments, nice, no ctrl-x tho)
"Chicxulub impact" seems to be functioning as a bit of hyperbole to imply that this collusion was absolutely devastating, by analogy to the K-T extinction event 66 million years ago.
Not that I really can tell what this was devastating to. Maybe United States v. Apple (2012), where Hachette Book Group, Inc., HarperCollins publishers, Macmillan publishers, Penguin Group, Inc., and Simon & Schuster, Inc. conspired with Apple to raise ebook prices?
I can't say for sure, but is it possible they're referring to the founding of the Internet Association in 2012?[0]
I don't think it's that, because the Wikipedia article makes it seem like it was a force for good, but at the time, it wasn't certain at all that it would be that way.[1]
Beyond that, I'm not exactly sure what might be meant.
By exchanging and correlating data presumably? For example, anything I send or receive on Discord, I see reflected in my YouTube recommendations shortly after. It's downright egregious at times.
Most likely it's just run of the mill Google analytics/adsense tags in discord. Don't forget that discord is web tech and loads all kinds of JS bundles – including trackers. The best solution is to stop using discord, but the second best solution is to only use the web app version of Discord. When you use the web app, you can install adblock and anti-tracking extensions. The amount of data that Discord sends which gets blocked by these extensions is eye opening.
If you run a website, it seems trivial to forward the attestation to someone else by putting the same code up on your website, and getting their device banned from google instead of your own.
The camera isn't the part doing that verification. The google service serving that "reCAPTCHA" is what's doing that validation. Unless you're using a custom browser that is reporting a different domain to google than the one requesting the reCAPTCHA, google's service will know which domain is which.
It would be generated by some other website like Amazon. Because I own, say, Meta, I copy these Amazon-generated codes over to Meta, make people scan them on their phones to sign into Meta and then pass the solution back to Amazon so my bots can sign into Amazon.
We don't yet know how the client side works, perhaps there will be a decompilation posted soon.
It's possible this scenario is acceptable to them because it means they can still tie your access to something that's easier to ban without requiring a full account login.
What are you implying? That it will become ineffective due to that?
That's possible... and they might change their mind if so, we will see.
I feel like it's a similar issue to when scrapers pretend to be an allowed-origin webpage in order to abuse "public" API keys for web services.
They could also require the mobile device to interact with the requesting webpage in some manner, similar to mutual PIN/codes for Bluetooth/TV pairing these days. That way bulk sharing of the codes would still require active participation from the device that requested it in the first place, likely with a short time limit.
Realistically, what Google will do in such a scenario is collect data about the illicit service, enumerate the devices the farm uses and what other activities the devices participate in. What you suggested has far less control over the devices that generate the attestations and it will show.
Also, if the implementation is competently done the phone will show the website for which you scanned the QR code. A user would be able to see whether or not that matches the site where they observed the QR code and proceed accordingly. In time Google will probably integrate it into the Chrome browser where a proxied QR code cannot even be shown.
I'm sure some people still remember how to mentally decode QR codes and verify ECDSA signatures from Covid days. Public transit ticket inspectors in my city also seem to be quite proficient at it :)
Age verification as a technical concept can be done in a privacy-preserving manner! Whether or not we want age verification is another debate, but let's stop making wrong technical claims about that: it doesn't help.
The trick is to define "privacy-preserving age verification" in an extremely narrow way that ignores any other privacy concerns.
For example, imagine you put the same private key into the 'secure element' of every single iphone. You use code signing so that key is only unlocked when the phone is running unmodified iOS with all security updates. You use encryption and remote attestation for the front-facing camera and face id depth sensor. You use NFC to read government-authenticated age and appearance data from biometric passport chips (or digital ID cards) and you store it on-device.
Then, when you want to access pornhub, they send an age challenge to your device, your device makes sure your face matches the stored passport, and if so it signs the challenge with the private key.
Pornhub gets an Apple-signed attestation of age - but because every phone signs with challenges with the same private key, Pornhub can't link it to a particular phone or identity document.
So in a very narrow sense, privacy is preserved.
You can't use someone else's ID, as it checks your face every time. You can't fool it with a photo of the person because of the depth sensor. You can't MITM/replay the camera/depth data because the link is encrypted. You can't substitute software that skips the check with a rooted phone because of the code signing. Security holes can be closed by just pushing a mandatory OS update.
Sure, it doesn't work on PCs. Doesn't work on Linux, or on unlocked/rooted phones. It hands users' government ID documents over to Google and Apple. It requires people to carry foreign-made, battery powered, network connected GPS trackers (with cameras, microphones and speech recognition) with them. And there are non-negotiable terms of service everyone must agree to. But if you define "privacy-preserving" to ignore all that stuff and only consider whether Pornhub learns your identity, it's privacy-preserving.
14 year old me ran into porn on the internet all the time. It didn't turn me into a serial killer.
Meanwhile we let kids have exposure to algorithms that pervert their sense of self worth, get them addicted to dopamine and gambling, and make them feel inferior to their peers.
We have the wrong priorities as a society.
And this bullshit is going to turn us into a completely tracked, monitored, controlled bunch of cattle.
"Think of the children" is the stated reason but not the actual reason. We've seen this pattern so many times that it's perplexing that people continue to fall for it.
If the children were the actual reason there are much less invasive solutions that enable reliable parental controls such as mandating self classification of content and fining service operators for inaccuracies.
Think for yourself and consider what the possible ulterior motives might be.
> Sure, and in the meantime try to think and read about how privacy-preserving age verification actually works.
This requires you build a whole apparatus around controlling what people can see, say, and do.
The concept of "slippery slope" is often called a logical fallacy, but in reality it's more than often not a fallacy at all. It's the manner in which you boil the frog.
I think it's something like over 50% of adults do not have kids now. Why should we put the majority of people - for the majority of their lives - at risk for a mere 20% of the population to "not see boobs", when good parenting will suffice?
Let's not put a cage around our freedoms. Let's ask parents to be more responsible. In the edge cases where that isn't sufficient, is that really as bad as what could happen to all of our liberties should we go down that path?
We're burning down the whole village because someone saw a cockroach.
That key will get leaked. A key that has to go into every phone, even if done at the manufacturer and onto the TPM chip, will get out.
Also even if it doesn't get leaked directly, the security of TPM chips is not absolute. Secrets from them can theoretically be extracted given an attacker with sufficient means and motivation. Normally nothing that's on a typical TPM chip would warrant a project of that magnitude, but a widely used private key can change that equation.
Plus a TPM chip doesn't really have means to tell the phone isn't being lied to. You could swap out the actual phone camera hardware and sensors for a custom board that feeds the entire phone camera data of your choosing and it would be none-the-wiser.
Maybe? But biometric passports, chip-and-pin payment cards and SIM cards seem to do reasonably well. And Apple can always push out a mandatory software update that rotates the key, if they need to.
> You could swap out the actual phone camera hardware and sensors for a custom board that feeds the entire phone camera data of your choosing and it would be none-the-wiser.
Apple's 'TrueDepth' cameras are serialised and paired with the rest of the device. The touch ID sensors were before that too.
I don't know the precise details, but reports from people trying to repair devices independently of Apple are that the phone is very much the wiser.
The app[1] on the user's device[2] forwards that request to the chip on the user's ID card. The user authorizes themselves with their 6 digit PIN stored on the card.
The chip produces a signed reply containing the following payload fields: `issuing_country:string` and `over_18:bool`
What happens when I set up a tor hidden service that (in conjunction with some client software) stands in for a visitor's device and will proxy any requests back to my personal card? After all the payloads are anonymous so what's the risk to me?
To prevent this sort of abuse, the server would have to request the `pseudonym` field, which contains a hash across the server identity and the card's secret salt, allowing the server to detect abuse but not to track the user across multiple services.
It's probably even simpler than that: say normal users make a few requests once in a while (because they don't need thousands of tokens every day), and one user makes a ton of requests, then it is an indication that this user may be abusing the system.
It would probably be possible to use the service that the parent is suggesting and try to link it to requests to the server based on timing. But I don't even know if anyone would bother trying to identify the OP: probably it would just be enough to rate-limit the requests.
As always: it's easy to criticise, harder to actually get it right.
Parental controls are intentionally gimped. They do the bare minimum while providing more than enough wiggle room for a tech savvy teenager. To implement a robust parental control scheme you need network level filtration which isn't something the average parent will know anything about.
I disagree with that, because the teenager should be the parent's responsibility, regardless of how smart or savvy they are. Parents should be talking to their children, communicating what their and society's expectations are. If the parents are attempting to exert technical control over their children, by home router for example, there should be websites or computer shops they can go to. If the parents don't care or are not smart enough to keep up with their teenager, then no type of state mandated gimmick will either.
Teenagers, at that level of intelligence or are that determined, will find ways to circumvent whatever control mechanisms a parent or school is attempting to use. At some point, it is a matter of the teenager respecting their parents and rules. Same for if you told a teenager do not drink and drive. You can setup all kinds of technical barriers to block drunk teenagers from driving, but if they are that "smart", those committed to bad behavior or law breaking will find ways.
They would be a solution if almost all parents used them, but parents don't want to socially isolate their kids since a lot of "social" activity is now on social media. It's kind of a prisoner's dilemma.
There's not necessarily wrong. Despite the vapid and damaging nature of most popular online media, isolating a child from it might have even worse social consequences when their real-life peer groups discover that they're not on social media or that their parents have neutered their phone. Some kids would turn out fine after that. Others would be socially destroyed for life (maybe with the right therapy they could become well-adjusted, but high quality therapy is rare).
> They would be a solution if almost all parents used them
No, they are a solution for parents who want to use them, and that's all they should be. Their existence demonstrates that it's possible to handle this without regulation, other than the desire of some people to inflict their preferences onto other people's kids.
You haven't tried to use parental controls much have you? They are all terrible. They are insanely difficult to get set up properly and even when you do there are a lot of tradeoffs that come with it.
> even when you do there are a lot of tradeoffs that come with it
Absolutely, but those are nothing compared to the tradeoffs of putting attestation or identity verification (sometimes incorrectly described as "age" verification) on numerous sites and inflicting them on everyone.
And my whole point is that it's possible to do age verification in a privacy-preserving manner, and before complaining about the tradeoffs, you should get informed about what they are.
I'm well aware of those possibilities. The two biggest problems with them are that 1) they still apply to everyone, rather than only to those who opt into them and 2) governments and companies are in practice going to push for the versions that identify people and provide more information.
If you make it possible for governments to decide what content is "limited to adults", they can and will abuse that capability. "Porn" is the battle cry, to make it uncomfortable to argue against; often, other information the government wants to restrict becomes a target. The only way to prevent that is to deny the capability in the first place.
Yep, I think this would be a totally valid debate. But my frustration is that it's not there at all. We're at "people make it sound like it's technologically impossible, like the ChatControl for E2EE".
It feels like trying to debate about whether 5G is good or not, and the debate is stuck at people claiming that 5G boils your blood. There are valid reasons to oppose 5G, but if people choose to be so wrong that it sounds like bad faith, they surely won't convince me of anything.
I have yet to see a scheme that would robustly preserve privacy and freedom floated by any of the major efforts. I think the onus is on you to present a workable scheme, but even then I'm not going to support the major efforts which at present are malicious.
Having Privacy in the name doesn't mean it's actually privacy preserving. You can't just ignore attack vectors like collusion between signing entities and websites.
Did you read about how it works? Can you precisely describe an attack that defeats it, or are you just throwing names you've heard without actually knowing how Privacy Pass works? Sounds like the latter to me (yes, I read the RFC).
Parental controls can set browsers in "child mode" where the browser sends an "I am a child" header to the server and social networks etc. need to honour it. This has existed for twelve years already: https://blog.mozilla.org/netpolicy/2014/07/22/prefersafe-mak... . It can probably be amended with a more granular set of levels, but that would be the best way forward.
The problem of "parents are negligent" is also solved by existing laws which have fines for parents who are negligent towards their children, and governments absolutely love collecting fines, so all the incentives are properly aligned.
And it's possible to do age verification in a privacy-preserving manner. I'm tired of repeating it, people should get informed before they complain.
We could totally discuss whether or not privacy-preserving age verification is a good thing. But we can't, because most people can't be arsed to read about what age verification implies, and complain about something that is fundamentally wrong (i.e. that they would have to surrender their anonymity).
How about we just ban entirely the harmful social media that we would need to attach all our IDs to our internet activity in order to protect the children? Very strange that that's not part of the discussion!
Joe can walk into an Apple store (or wherever they purchased the device) and ask them to enable parental controls on it. We have people whose job it is to service computers and phones, they have been around for more than half a century. I am pretty sure most Joes don't service their cars either, yet they keep them road legal by visiting trained mechanics.
It doesn't provide 100% privacy from everyone, but it does provide privacy from the web service: A worker at a physical store checks your ID, and if it says you are 18, they hand you a token with a unique key on it, which they have a stack of behind the counter. You put the unique key into the web service. It's not necessarily one time use, but if you don't want to risk correlation, you can use each one only once. It's just like alcohol sales, and has all the same failure modes as alcohol sales, but if it's good enough for alcohol sales it's good enough for web services.
Well it probably needs a bit more complexity to avoid being trivially broken. Codes are one time use; the service has them attested by the token provider behind the scenes, and the provider is in turn under contract with the government. Tokens are also activated at the point of purchase similar to gift cards in order to prevent bulk theft and resale. A law in the vein of HIPAA prevents collusion between the retail establishment and the token provider.
>> A law in the vein of HIPAA prevents collusion
>
> No need if you use cryptography.
True for age verification, but not true in general. If you have something that can be used illegally, it's very handy to allow firms to rent / hire it out anyway but make the hirer responsible for any illegal activity.
An example is hiring a car, and the car is used to ram-raid a shop. Today this is solved by handing over a government ID to the rental company. Commit a crime in the car and they hand that over to police, but it has the sad side effect of handing over information to the car rental they can use to track you, and worse sell to others.
Using a zero knowledge proof for a valid driver's licence fixes the privacy problem, but at the expense of the hire company not being able to transfer responsibility for illegal activity onto the hirer. I suspect if that happened no one would hire out cars any more.
You can easily design something that is Zero Knowledge to the car hire firm, but includes an opaque token they can hand over to the government on lawful demand. It contains all the details needed to pursue the law breaking hirer. Thus there is still a role for the law here - you can't always do everything with crypto.
This is a very minor quibble - I agree completely with what I think is your main point. This Google change is a privacy disaster. It's a step towards an enshittified internet with the gateways onto it controlled by a few big tech firms.
But I don't think just yelling "just use ZK" is helpful. It's much harder than that - ZK is only part of the puzzle. Passkeys are currently caught up in the same attestation trap, and there is no workable solution in the offing. Banks and other high trust applications need some assurance your FIDO private key is being handled securely. The solutions on the table are Apple not doing attestation, or Google who does at the low low price of selling your true name to Google. Both "solutions" suck, horribly.
ZK proofs of things like licences and age have to solve the attestation problem, and solve extra stuff as well. I'm not holding my breath.
> But I don't think just yelling "just use ZK" is helpful.
Agreed. I am just very frustrated, because I feel it is an important topic. And I wish I saw adult discussions about it. And instead, people who claim to be "tech-savvy" keep whining about the fact that it will fundamentally leak their ID everywhere. Like they somehow understood the point for E2EE, and repeat it here confidently. If tech-savvy people can't be bothered to understand how this works, why should politicians?
I have the same frustration with the anti-5G crowd yelling that it will boil your blood. There are many valid reasons to criticise 5G and have a constructive debate, but they choose to be wrong anyway.
> If tech-savvy people can't be bothered to understand how this works
You underestimate your own abilities. Tech savvy doesn't mean they think much about crypto.
To get a feel for this I asked Gemini "If you were to survey a group of people who would be called "Tech Savvy", what percentage of them would be aware you could construct a zero knowledge proof for a person's age that revealed nothing beyond they were older than a given threshold?". The answer was 5%..10%. That rises to a surprising low 20%..30% for Software Engineers. It's only once you get to Software Engineers who write security systems that you get above 50%.
Gemini didn't give any references so those figures could be complete rubbish, but in my experience they seem on the high side. Many very experienced engineers I interact with clearly have not thought very deeply about how crypto systems interact with human trust. Granted understanding the implications of crypto is yet another step beyond understanding the maths, but I'm amazed at how many technology curious people haven't bothered to take that step.
The good pollies on the other hand probably have a very good intuitive feel for human trust systems and how to navigate them. They rely on engineers to tell them what is possible of course, and they won't care about the details. But what they will care about is whether the engineers can deliver the system they promised, and there I have to admit our track record is appalling. How many government IT initiatives have you seen deliver what was promised on time and on budget? So when you tell them you can build a ZK system that delivers in all these privacy promises, expect a very sceptical reception.
You can prove your signature is from a key which is in a member of an acceptable set without revealing which one. These schemes can also prevent excessive reuse, e.g. by you also proving that some linked value is a hashlike function of your private key, the date, and the domain, so if you sign multiple times for the same site in the same day your uses are linked, so someone can't just toss up an oracle that gives endless authentications.
Such systems are deployed in production by privacy preserving cryptocurrencies as its the same problem: Prove you're spending a coin that exists without revealing information about which one, and prove that you're not spending it multiple times.
Less private but easier to implement is just simple blind signing. Site asks you to give them a signature of their domain name, your account name, and date. You blind the data using a random number, go to google and identify yourself (e.g. solve a CAPTCHA, check your mobile device, age verify, whatever) and ask them to sign the blinded value-- they rate limit you and give you a signature. You unblind and provide to the site. Now the site knows you passed the google rate limit but nothing else, but google never learns what site you authenticated to.
The blindsigning approach is kinda lame because it requires active communication with a third party that learns you're online and authenticating to stuff. So I think it's generally less preferred but the cryptography is hardly any more complicated than an ordinary digital signature.
Ring cryptography does this - given a public key and a set of private keys you can attest that one of the keys signed it but not which one. This lets both Google and you generate a signature and say “this is attested”, without the person verifying it knowing _who_ signed it.
You likely need one other step beyond a plain ring signature, often called a linkable ring signature. If you use only a plain ring signature I could get one authenticated key and setup a site that gives away an unlimited number of access tokens with it, and you can't identify which key is doing so in order to kick it out.
A linkable ring signature lets you correlate multiple usage but only if they share a common 'context value'. Intelligent selection of the context value results in abusive use inevitably sharing a context so you can exclude or rate limit it, but honest use tends to not share a context so the privacy is preserved.
All states/governments have basic records on their citizens and residents, including at least a name, dob, address, etc, at least for a passport, driver's license, if not an actual id card. Let's assume this is acceptable.
Then it's technically possible (and really not that difficult) for states to provide a service that issues zero-knowledge proofs of facts like "age > X".
(partly off-topic rant) One can argue this is a false premise fallacy. For most of the time states did not have this information about their citizens and the world progressed quite nicely. The only argument to know stuff about citizens that don't drive (increasing numbers) nor travel abroad (different problem altogether) is to tax them?
One of the foundational differences between humans and cattle was you cannot brand (https://en.wikipedia.org/wiki/Livestock_branding) humans. Not physically, because we do it digitally and I see a slippery slope.
The discussion was about age verification, not about the (rather more extreme) position that it's illegitimate for the state to hold information about its citizens.
> For most of the time states did not have this information about their citizens and the world progressed quite nicely.
This is quite untrue. State bureaucracies far predate the modern era.
The problem is that while you might be able to trust the crypto, the government won't trust you to do the crypto entirely by yourself. And this introduces avenues for deanonymisation. Moreover, collusion between the government and the entity making the age check can also theoretically deanonimize.
It's a complicated problem.
We continue to seek a technological solution to a parenting problem.
I feel like it becomes bad faith at some point. With a sufficiently advanced attack, you can be personally identified today. ZKP for age verification does not make this worse, does it?
It's a bit like saying "no but Signal is not really encrypted, because the government can extract some metadata by looking at the network around the server".
Look at Apple’s PAT: the website knows the service that did the attestation, but not the user. The service knows the user, but not the website. If you controlled both you can link the user, but otherwise you can’t.
No it can't. If it's done in a truly privacy preserving way then someone can also sell a fake age verification service making the whole thing meaningless.
As far as I know no currently proposed age verification method does this in practice.
The only way to implement truly privacy preserving age verification is through zero knowledge proofs (or blind signatures) but what that would allow is undetectable token forging.
The EU's proposed system uses ZK proof. You get a PGP signed message from "someone" who knows your identity (government or private agency) then store it on your phone to pass to websites that need your age. It does have an obvious flaw in that whoever you give the token to has no proof it's actually yours.
> It does have an obvious flaw in that whoever you give the token to has no proof it's actually yours.
Which isn't necessarily a flaw, depends on the threat model. For actual age verification that we care about (e.g. make it harder for kids to access social media), it may be good enough.
I don't see any requirement to support hardware attestation in the recaptcha documentation, the Play Services seem to be "enough".
I think it's most likely to be attested by Google remotely; they might be using an app (with enormous access to the phone as the Play Services have) to be able to link a ton of data together, possibly including the local activity on the phone, officially to make better humanity assessments based on it all.
For people using a Google account it probably won't make a huge difference, in terms of data collected.
If that's how it would work, spoofing would probably be theoretically possible, but it would be easy for Google to detect attestations used by multiple people.
Let's not forget that this is an update to a very approximate system, absolute security is not (yet) required.
But there's a good chance that it will be extremely hard to sidestep, despite that.
> they might be using an app (with enormous access to the phone as the Play Services have) to be able to link a ton of data together, possibly including the local activity on the phone
But anything your phone can possibly do in software can be spoofed, so how would that help?
No, Play Integrity is a set of numerous features, and the developers decide which one to use, and how to react to what the api reports.
Hardware attestation is one feature, but it's still not used a lot.
The most common feature is the check that your Google account really downloaded the app you're using (and that the app wasn't modified); which requires using a Google account, of course. This is what the "pairip" that's been plaguing the store for a year does (it's being added by a ton of apps because adding it only requires enabling a preference in the Play Console).
> having all your devices blacklisted. Private farms probably won't last long either as I'm sure Google logs everything and will correlate.
So basically Google can now ban your device from being able to access a huge portion of the internet, in addition to nuking any online presence connected to them.
You could wake up one day and find your device blacklisted from the internet, with no chance of ever reaching customer support. What a lovely future
That's great until it's some essential government, medical, educational, etc. service that you have either no alternative to or no alternative that isn't also using the same thing. I'm already being slowly and incrementally softlocked out of some (fortunately non-essential so far) sites either by cloudflare or other more subtle "anti-bot" networks as time goes on, including some like I've listed above. I can only expect this will continue until it's something I can't avoid.
For some reason, I'm softlocked from booking tickets from Deutsche Bahn. The website errors out with a cryptic "Your browser's behavior resembles that of a bot." message with no option to try again or pass a captcha or whatever. The website itself described several possible solutions but none helped (I tried using different computers, different internet connections, even a phone connected to internet using a SIM from a different country).
As for now, when I need to travel to Germany, I just book tickets through the national carrier of my home country, which for cross-border tickets often turns out to actually be cheaper than booking through DB. Thankfully I don't live in Germany proper and my need for travel there is not that high (once or twice a year at most) but I wonder what would I do if I had to move to Germany and use trains there more often.
Same problem but with French equivalent SNCF (sncf-connect.com). I just checked and can confirm nothing has changed. You cannot use up-to-date Firefox on Linux to access the main booking site for French rail tickets.
Access is temporarily restricted
We detected unusual activity from your device or network.
Reasons may include:
-Rapid taps or clicks
-JavaScript disabled or not working
-Automated (bot) activity on your network (IP X.X.X.X)
-Use of developer or inspection tools
I just opened the developer tools, then chose 'Separate Window' from the menu. The developer tools are now on my other screen, and then I clicked Reply to your message. The developer tools window that I had open is not relating to this tab, but when I opened Developer Tools for this tab, it remembered that I wanted it in a separate window and did so again. The viewport should not have changed at all..?
No, it won't, and this mechanism should not be used by anyone, but it'd at least ensure that people aren't forced to use it to interact with their government.
With the new reCAPTCHA this is going to happen because most human visitors will actually be unable to pass the CAPTCHA. It will be interesting to see whether this makes websites ditch reCAPTCHA or whether they literally just don't care about having customers, an attitude that seems to be getting more and more common every day.
I have been unable to give my money to Home Depot, REI and a growing list of online retailers because they use Akamai EdgeSuite, which just assumes I am a bot and 403s on protected API calls. This happens consistently on any IP and any browser on my Linux desktop/laptop.
There are not enough words to describe how much I hate Akamai EdgeSuite. So many random validation loops and 403s across different physical computers, different operating systems, different connections and even countries. A couple of services I need use it and it's 30% I'll make it past their stupid "protection".
It has a zero percent chance of reaching anyone who can do anything about it.
You could try handwriting and posting a letter to their CEO. I think that sometimes works. Probably not very often but there are more than zero CEOs who read those letters.
You can also send an email if you're lazy. In both cases the CEO probably won't read it but a more than minimum wage secretary probably will pass it on to corporate customer support which IME is a lot more useful and the regular support that the company wants you to use.
Maybe they'll figure it out when their revenue drops next quorter or the ones after that?
I was thinking in the same terms: you put up a QR capcha, you don't get my traffic and money. Just the amount of extra work needed, let alone the Google tracking turns me off. As if traffic lights, crosswalks and bridges weren't enough of a hassle.
REI Co-op has an Annual Members Meeting in Seattle, where it announces the results of the board of directors election.
The 2026 one happened Feb 5. Apparently the presentation is only 8m long, some saying it's pre-recorded and it's near-impossible for members to submit a question that actually gets answered:
One problem with these things is that businesses have minimal visibility on the amount of users they lose.
On the opposite, if they see reports of many visitors not completing the captcha, they're likely to think "Wow so many bots!!! This defense nowadays is indispensable..!".
Sometimes you need to pass a captcha even to contact them (if you want to tell them that you can't pass their captcha).
I wanted to give money to charity and they have whole form protected by recaptcha. So I would have to allow all my personal information and amount donated sent to google (and agree with google terms for data processing). I have contacted them but they did not understand why this is problem they just wanted to protect themself against bots. IMHO unless those things are not disallowed by antitrust laws we have lost.
I suspect this is a real problem for charities, though. If those bots are using stolen credit cards, the "donations" are going to cost the charities money after they pay extra fees to the credit card processors. Nonprofits are sometimes used to test stolen credit cards before making more profitable fraudulent transactions, so there's a real risk of it costing them money if they get rid of the captcha but don't replace it with something sufficiently high quality, even after accounting for the occasional lost donation.
Merchants often pay a chargeback fee on top of refunding the main charge. Additionally, merchants with lots of fraud or other chargeback issues are likely to be dropped by payment processors or see their general fees with payment processors get more expensive.
> most human visitors will actually be unable to pass the CAPTCHA
Most human visitors will never ever notice the change. reCAPTCHA is completely invisible for most human visitors because they are allowed to pass just by fingerprint.
It's not like an average user is going to have to scan a QR code every time they visit a site via web browser. If it were like this then it would be a non-issue because no sane website would adopt this system. But it isn't.
This is not true, maybe in the US, but in many countries you get captchas all the time with residential connection and also in public places all the time, internet cafe, airports, cafe wifis and so, they'll at least get it once, that way there is a permanent fingerprint correlation with real identity, I can bet that EVERYBODY will get it at some point so Google and other people on board with this atrocity (webmasters are also accomplice) can finish-up the master plan.
>> whether they literally just don't care about having customers
So every government website. Every website where people simply have no choice (DMV) or where failure to login results in them not claiming the money/benefits they are due (all tax websites). And every website handling post-sale complaints (Airlines, insurance).
> Stop visiting sites and using services that use reCAPTCHA. Problem solved.
Not solved at all: 99.999% of users don't give a damn and use a Google-signed Android.
My opinion is that because they don't give a damn does NOT mean regulations should not protect them. What Google is doing here is anticompetitive and they should be fined (antitrust and all that).
I don't see the correlation with Google-signed android actually, people really want to have this friction when they visit a website? Like having to get your phone from another room, use camera and all that to access a website? This is so anti-pattern and is also disrespectful toward consumers, any webmaster participating into this imo should rethink his career and morality.
There is, but at least in the US neither party cares. They want to get rid of anonymity online, one to throw anyone who googles "trans" in jail, and the other because their biggest donors are tech companies that want to denonymize everyone.
Our antitrust laws have been toothless for decades, and both parties love billionaires controlling the rest of us with an iron fist.
GrapheneOS is looking more and more worth the headache that my limited free time generally does not like. I don't need Google to know my smut fanfiction is written by my IRL.
Felt same way about GrapheneOS but a few friends set it up so i gave it a try. It is easy to install and use. As evidence, I gave my 70 year old father one and he loves it.
When my friend was telling me about GrapheneOS I was thinking back to the old days of android custom roms, all the bugs and bullshit, the time I couldn't dial out to 911 because my custom ROM crashes when I did, or other issues. So I gave it a pass.
However he's been on it now for months and every time he shows me something on it I get a little more jealous. Everything seems to be working fine, including e.g. bank apps, and he has interesting features like some kind of app zoning thing limiting permissions on a zone to zone basis.
The only problem is it's only available on massive phones without headphone jacks and SD card slots, so I'm sticking with Xperia for now.
> Ask HN: Did HN just start using Google recaptcha for logins? [0]
> dang
> No recent changes, but we do sometimes turn captchas on for logins when HN is under some kind of (possible) attack or other. That's been happening for a few hours. Hopefully it goes away soon.
At least in my country (Poland) you should be able to make a pretty bug fuss and resulting in them fixing it, if indeed one of ego services made you leak all your data to Google.
The other problem with this is that there are few CAPTCHA alternatives.
CF turnstile is one, but of course that means Cloudflare owns even more of the web.
HCaptcha is inaccessible and actively discriminatory against individuals with disabilities and refuses to change, to the point that I suspect the only way that they will do anything is to file a class-action against them and sue them into the ground.
And I... Can't think of anything else. Other than to just get rid of Captchas entirely.
You could just have a custom one that asks domain-specific questions (and ones which will trip up LLMs are not hard to come by.) I've seen a few forums ask such questions for registration, long before the rise of LLMs.
There are other captcha alternatives like Turnstile, for example Private Captcha, Altcha etc. - they are owned by mostly “small” independent companies, they are not visual captchas (proof-of-work based) and very accesssible.
Compliance is what makes all that shit possible. Sadly most people are compliant and made so by gradually increasing their dependency on "commodities" which really are anchors to a shit lake.
Suddenly I have been made aware that, having lost my paddle on Shit Creek, I will eventually be taken downstream to Shit Lake (where it appears I will inevitably drop anchor).
Oh just wait, the AI phone service on their side will be more than happy to complete your device attestation key challenge by touch tone. We have to make sure you are still you after all!
But in all seriousness, many services are making it difficult through to impossible to communicate outside of their web or app platforms. Call centres are expensive and messy, and it's now apparently acceptable as a society to treat customers/clients/whatever as adversaries so they can get away with making it hard to communicate with them.
I was unable to book a doctors meeting through the clinic's website, so I declared "screw tech" and called their call center, which still worked better. The app just searched for the "first available spot" and never found anything. If they axe the call center I'm going to have to go to their place.
> Are you comfortable with anybody being able to ring up the hospital and say "yo, it's majorchord, how are my gonnorhea results?"
No, that's why we have safety protocols in place. When you call a doctor they ask you for your birthdate or sometimes also a PIN/password on your account to protect your data.
How would that still be considered a breach of privacy?
Alright. I didn't know that. "Just call them" did not sound like it included any kind of authentication procedure.
But giving birthdate (available to anyone via a single query in a public database) and (sometimes?! - what?!) PIN over the phone wouldn't really be considered good enough here. Birthdate is, as I said, public knowledge. And a phone is too insecure a medium for transmitting a password.
I'm not super interested in an long argument about whether it's reasonable that this isn't considered secure or not. I'm just letting you know what reality looks like. And the reality is that "just call them" is not a solution, because such information will simply not be handed out over the phone.
Why is every startup using that same Serif font now, Garamond or whatever. Is it an LLM design phenomenon? Its kinda ruining that font style for me.
Also $1,500 a month for 10 "influencers" is wild. This doesn't seem that sophisticated unless they're doing something special to increase trust scores of accounts. They say they have "in house warming algorithm" which honestly doesn't inspire confidence for me.
Whats funny is its almost a certainty (if they are doing things correctly) that they have literal farms of phones (probably in SEA). The only real way to keep trust high is to have a real mobile connection and unique devices. Proxies are okay, but you really need to use the apps on real hardware.
Interesting article, thanks. I've done a bit of small scale phone farming (for my own cheap mobile proxies). In all reality the phones aren't that expensive, I went with Moto 5gs that cost $130 (retail), so in their case the phones pay for themselves in the first month.
Probably a decent amount of compute cost for video generation, but I'm sure they have access to free compute and inference for being in bed with a16z.
How is this not grounds to be sued into oblivion by Google and Meta? They clearly violate ToS for profit. This is something I expect to find on a dark web forum where 0days are traded, not in public.
> How is this not grounds to be sued into oblivion by Google and Meta?
Because they don't care. It doesn't matter that it's AI slop, it generates views. And Google and Meta can bill advertisers for those views.
Zuckerberg is paying people to put AI slop Shrimp Jesus on facebook. (Not directly to platforms like this, but with the incentive structure)
Really, they're not just cashing in on the views of AI slop being put in front of boomers. They're cashing both ways; While the low end spam industry is merely guessing and iterating on whatever generates views, the more refined spammer does not leave the performance of their latest slop post up to chance, and just uses good old viewbotting. Viewbotting that these days, is mostly done on real devices. Which show ads, to the bots or underpaid developing world workers. Google and Meta'll still charge you for those impressions though.
The losers? People who sincerely try to use these platforms, and whatever idiot businesses are still paying for ads by the impression or click, rather than conversions that immediately generate revenue.
This kind of thing has been common for ages. Obviously AI has kicked it into overdrive, but it’s not darkweb kind of stuff.
Note that they do not mention any specific companies on that landing page. That is pretty intentional.
But realistically going after bots is expensive and rarely successful, so most companies don’t do it. Even if you find the guy, the chances they can be legally reached are pretty low.
It could be contextual, as in each user gets one anonymous id per domain name per day. Multiple uses by the same user at the same domain in the same day are linked.
But much of the purpose of these systems is to violate the public's privacy and exert as much surveillance and control as possible. If not for that schemes that mitigate the privacy loss would be a top priority.
Apple has their own remote attestation infrastructure and you will not be able to impersonate an Apple device without extracting private key material from the secure enclave of a legitimate Apple device or compromising Apple certificate authority private keys.
In the UK, the Department of Education guidance is that schools should be mobile-phone free. Students use computers to access the web fairly regularly. Guess that would be problematic then, since many schools policies is that mobile phones should be turned off and stored in your bag during the day.
> Recital 49 - Network and Information Security as Overriding Legitimate Interest
> The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems,...
It's funny how people after all this time think 99 Articles, 173 Recitals and a huge tech lobby equals a water-tight, pro-citizen, impenetrable privacy law with almost no exemptions.
I've kept a spare cheap android for too long and recently went with Graphene instead. I have one Google profile and only use it for Uber, work's Google Chat and maps. One bank refused to work (even with Google services) so I moved bank. I've moved most of my mobile use to self hosted (freshrss full text, password manager, calendar, tasks) with no direct internet connection.
It's a bit irritating but I'm glad I started down this journey because it looks more and more like I'm going to be avoiding the internet
My setup is similar and nearly 100% self-hosted, including email, files, AI. If something does not work on Graphene, I will do without it. I also have a Google profile, mostly for testing purposes.
I said it already in another comment, but if you care enough to use GrapheneOS, I believe you should not only "do without it". You should also complain to those services.
If enough people complain, those services will start caring. If all they see is "one user complains every 3 years", they will just ignore it. That's how it works.
Drop your sarcasm for long enough to see that "I won't use your app if I have to use Google" is not a complaint _to_ Google.
The bank I was talking about were the worst net loser of customers in the UK last year (around -8000) They are making excuses but maybe they would care about why.
Also, it works in practice. Some banks have fixed their apps after GrapheneOS mentioned that the app was broken. In some of the issues/reports linked at https://privsec.dev/posts/android/banking-applications-compa... there are even bank app developers joining in on the discussion (e.g. NL -> Triodos).
The consumers of google captcha will not care if on occasion some failing business attempts to enable graphene or linage users, the userbase of those users is not enough for most companies to care and the ones that do probably aren’t cared for by google.
I hate that this is the way it is, I’m a graphene user too, and I see a pretty bleak future for any unsigned OS, followed by a pretty bleak and authoritarian future for humanity.
Not to Google, and not to any of the TooBigTech, obviously. For those, we need to enforce regulations (that already exist but are ignored). As a user, the only thing you can do against TooBigTech is to complain to your government (if they can listen, e.g. in the EU there is a DMA entity that you can and should contact).
But for companies that are not monopolies, you can complain to them, and you can give them a bad review on the Play Store. Most companies are not in the business of screwing you: if they screw you, it's just a collateral effect. If you want to be on their radar, you have to make noise.
If enough people complain, then the company sees a need, then they prioritise. If they believe that "it only affects 1 guy who complained 2 years ago", of course they won't do anything... and I don't even know if I would blame them for that.
How have you managed to accomplish self-hosted email? I tried similar in 2022 and found it damn near impossible without business static IP or a cloud provider.
You can't do it reliably without a static IP in a non residential subnet that lets you set reverse dns. If you have a static residential IP and they don't filter inbound SMTP you can make it work with a smarthost/relay like mailgun. Its not the insurmountable obstacle everyone makes it out to be, but its not going to be free unless you already have an IP that meets the criteria.
If you don't have a static IP you need will want to think about a MX relay service too ~ although mail is surprisingly tolerant of offline MX hosts if you can wait a little bit for your mail.
My approach is to run a VPS with multiple static IPs that I (using Wireguard) tunnel to a number of virtual machines I host at home on a microserver. Likewise, the virtual machines' primary view of the Internet starts on the opposite side of the tunnel.
I have access to a commercial (non-residential), fixed IP. You could also use an outgoing relay as a compromise, since presumably the issue you are facing is other servers rejecting email that you send from a disreputable IP. That being said, you really want a fixed IP as a matter of convenience if you are going to self-host anything.
How often are your emails being marked as spam, for others? A few years ago it read like there’s a whole science behind avoiding getting flagged. Is this easier now with agents aiding the setup?
Not the person you replied to, and it's impossible to know with certainty how often you're in someone else's spam, but very rarely.
I had an issue with yahoo a couple of years ago that's all. The "it read like there's a whole science" is sadly a trope mostly repeated by people who have never tried because it gets upvotes on Reedit.
There are some steps you have to take, but not many, and systems like Mox mailserver or stalwart guide you through it, and mail-tester will check if you got it right.
Email, other than tweaking spam filters, is one of my lowest maintenance systems. I can't remember the last time I touched Exim or Mox config
You got me really interested here, I ran my own mailserver years ago and eventually just gave it up. I am getting rid of Google Workspace and have been planning a migration to Proton for two domains. But this sounds like a fun project. Any advice? I am going to check out Mox and Stalwart.
What providers are good hosting candidates, I have a website on DO, but from my understanding their entire ranges are blacklisted heavily.
If I remember rightly DO have some restrictions like port 25 on ipv6 outbound being blocked.
I can't speak for all of them but I use mythic beasts in the UK for one mail server (they are a very knowledgeable old school host) and it has been good. I also have dedicated with OVH which is fine, and a couple small scale (eg simplelogin, a notification server) with IONOS but they only deliver to me so I can't say how reliably they deliver elsewhere.
Mox is great but I think it's still alpha. I've been using it for 2 years in production for a small traffic domain. The other I use Exim (with mythic beast's Sympl that sets it up) but it's a little more hands on at the beginning
I imagine an agent would make a lot of the first time setup from scratch easier, but the fastest reliable way to get up and running is mail-in-a-box or mailcow. Before those were available I built a flurdy style Postfix+Courier+Amavisd+MySQL setup and have been evolving it ever since. Now I'm on Postfix+Dovecot+rspamd+MySQL but I don't think that's for everyone or even the best way to start.
The science of not getting flagged is easy when you're not sending large volumes of untrusted mail; it only gets complicated if you start hosting mail for "customers" or let your system forward mail unfiltered into gmail/yahoo.
Here's my hit list of universal things to configure:
* Start with an IP with good or neutral reputation, non-residential, its nearly impossible to fix an IP that has been burned by a spammer. (Network)
* Valid reverse dns for your IP matching your mailhost forward dns (DNS)
* Valid SPF record; -all (DNS)
* Valid DKIM; with sufficiently sized key (DNS+Config)
* Valid DMARC; start with p=none to test and move to p=reject once you're configured (DNS)
* ARC if you or your users will ever possibly forward mail (Config)
* Don't get your messages flagged as spam anywhere ever, filter outbound mail even if its just you. All it takes is one piece of malware and a saved password and you'll have to get a new IP. (Config)
* Don't configure services behind your mail server with example domains that you don't control ~ I get so much mis-configured test mail from people who think its cute to use my domain as an example in their practice lab. It all gets reported as spam or bounces and then their smart host bounce rate goes up. (Config)
* Test for open relay; only relay for authenticated users. (Config)
* Use strong authentication, preferably with certificates or MFA. (Config)
* Secure everything; IMAP/SMTP/POP are old AF make sure you're requiring STARTTLS and setup MTA-STS to prevent downgrade attacks and enforce encryption in transit. Use a real certificate from Lets Encrypt don't self-sign. (DNS+http+Config)
* fail2ban your auth, you're going to get so much driveby password spraying and credential stuffing; I fail2ban block entire subnets at a time with iptables actions. I also have a bunch of "poison pill" rules for weird stuff I see in my logs eg block anyone who tries to auth with the NTLM hash for 'password'. (Config)
* Don't bother with BIMI at home, you can't get a blue check mark without deep pockets and a trademark (vmc) and most platforms only show logos that have a matching vmc. (DNS+https+config)
* DMARC reporting and TLS-RPT reporting are a pain to manage but are helpful troubleshooting deliverability be prepared to read some XML reports or setup a stack to parse them as they arrive (DNS + Config + https)
* setup the SMTP Submission port (587), so many networks block port 25 outbound and its the right way for clients to connect. (Config)
* configure BACKUPS, don't skip this step, encrypted restic backups to s3 or backblaze b2 is cheap and easy. (config)
* track your configs in git, don't commit secrets. (config)
* configure a free blacklist monitor on mxtoolbox for your domain(s) (config)
If you do those things you'll be in a pretty good spot, you could probably paste that list/this post into your agent and vibe up solid mailserver.
For me keeping the spam and phishing out is a bigger hassle than deliverability issues. rspamd does a pretty good job of keeping it manageable.
I do all of those things and with all of that setup the only place I ever run into issues with with users on AT&T's residential broadband mail servers. AT&T appears to block you if you're not known to them and they have a short memory. If you don't have regular correspondence with AT&T users they will block you after a bit. I'm a fairly low volume sender so I end up blocked every other time I try to send to AT&T by no fault of my own. I've talked most of those friends off of AT&Ts free email and on to ProtonMail at this point.
A VPS or cheap dedicated is enough to get the static IP. I have very few problems with email, I use one VPS and one dedicated server though some zealots would argue a vps isn't self hosting
Halifax UK. It just refuses to work so I left it (Graphene is more secure, so forcing less security for the sake of tracking is off the cards). All the other banks so far say they won't work without Google services but if I click OK they work
Not OP, but I've been on GrapheneOS for a few years and I have no problem with Chase, CiT or Wealthfront. I mostly use them to check balances and unlock debit cards, but they all login and function fine.
> One bank refused to work (even with Google services) so I moved bank
Banks are implementing terrible "security" checks. Users of alternative OSes should be a lot more vocal: change bank, but also complain a lot to the offending one, and make sure to leave them a bad review on the Play Store.
Actually people not using an alternative OS but caring about that should also leave bad reviews to those banks on the Play Store.
At the end of the day, the problem comes from humans in those banks who don't understand and don't give a shit. The only way to make them care about it is to complain enough that it becomes their problem.
When I had a jailbroken iPhone my bank app (HSBC) would detect it and show a warning but let you continue anyway at your own risk, which I thought was a reasonable compromise
This should be the way. Have a tiny burner phone for maps and any apps that you absolutely can't use without google(it should be a tiny set of < 10 apps hopefully) until you can fully de-google
My current de-google project is categorizing all my pictures on my local NAS to create the memories feature (where it shows historic pics on multiple theme axes). You can get really far with just a few hours of work a month to de-google and some off the shelf image embeddings.
The hero project in this category — what one cannot do trivially as an indie dev — is creating a great fresh PoI dataset. This is tough to do on a planetary scale because its a societal cooperation problem.
The problem with this is gmaps. There is no alternative to it and by the nature of it knowing your location it removes anonymity. I would buy, or even pay a monthly fee, for something that is 75% as good as gmaps but respects your privacy but there is nothing out there I have found.
I don't get how Samba is not there yet. We already have everything in the OS, the UI, the mental model, the protocols, how come it's such a terrible experience that we need to re-invent the wheel in web 2.0.. Maybe we need a Jarred Sumner to fix it.
Samba has never been about file sharing over the internet. The project has been about cleanroom-reverse-engineering specific MS technology. To start it was NT4 authentication domains, then printing services, along the way SMBv1 (commonly incorrectly called CIFS btw), then SMBv2 v3.x, and then in 2012 Samba Active Directory.
In no way has it ever been about a functional alternative to something like Nextcloud. It's been about services primarily for LAN functionality, not stuff that should be going over the internet (mostly for security reasons).
So your expectations really don't align with what Samba has ever been about.
Source: I professionally support Samba for businesses.
I have nothing but issues with it, mostly because the iOS/Android apps are notoriously bad at syncing the files timely and also because of ridiculous filename restrictions on Android.
Is not the same though. It requires downloading the entire shared folder. That doesn't work when I have 100+GB of files and I want to share it with my phone
If you dont need filesharing, you can just setup wireguard, setup a network drive on your phone's files app.l, and then when connected it'll feel like native file browsing.
> People running de-Googled phones chose those setups because they read the data practices, understood what Play Services phones home about, and decided they didn’t consent.
This is wrong. Many (most?) users of alternative Android OSes do use a variant of the Play Services (be it sandboxed Play Services like on GrapheneOS, or an open source, reverse engineered implementation like microG that phones home just the same).
Google seems to be leveraging Play Integrity here, which requires that the phone OS is signed by Google. This is clearly anticompetitive, I hope the DMA will do something about that.
There is a fundamental tension here though - suppose DMA or something requires that online providers recognise reCAPTCHAs from non-Google-attested OS builds. What OSs can they safely trust?
Only ones that are difficult for fraudsters to use to generate bogus traffic. Whether or not those builds come from Google, they are inherently gonna be pretty constrained OSs. It's not gonna let you spoof your location or simulate user input.
I do think it's a problem if only Google can provide these attestations but even if that organisation problem is solved there is still a fundamental technologic problem here now that humans can't be detected by their ability to solve puzzles any more.
None. The first rule of network security is you can't trust the client.
All attempts at remote attestation of consumer devices are someone wanting to break this rule. It's always a mistake; the OS being on the blessed list raises the difficulty level for fraud a little, but serious fraudsters have already perfected workarounds.
Arguably anyone else who can provide a similar level of trustworthy authentication that they are not a bot can work with Google to get support. Fundamentally this is a trust based problem and only OS providers are even capable of building such systems. There are very few of those out there. The key is that the systems need to be locked down to prevent automation of input and that automatically disqualifies most android alternatives that the community likes. It's clear that Apple offers this capability though. I can imagine a more locked down version of Windows also providing this in the future.
Sites that use reCAPTCHA/Turnstile/etc. have already been broken for me for years now due to neverending captcha/refresh loops.
My ISP regularly changes everyone's IP, and I apparently share an ISP with people who suck, so I get flagged just trying to do all sorts of normal things. Some examples:
- I've never bought anything from Etsy but I'm somehow banned from even viewing their site at all.
- Discord immediately bans me any time I try to create an account.
- Can't buy flights from Delta, always gives a non-descript error.
- Can't buy concert tickets, it thinks I'm a fraudulent buyer.
- Most CF sites produce a "Sorry, you have been blocked" page, or just loop.
- Trying to buy products on a shopping cart will have my order silently flagged/canceled for "VPN usage" (I don't use one).
- Some sites/programs block me for being on the DroneBL or similar lists I did nothing to get onto, and have verified many times that it's not really coming from me.
I just take my business elsewhere... eventually I'll probably just stop using technology at all.
> Sites that use reCAPTCHA/Turnstile/etc. have already been broken for me for years now due to neverending captcha/refresh loops.
I had this problem recently with the Indeed website. (Cloudflare Captcha)
Thanks to someone on Reddit, it was discovered that anyone using a Chromium based browser (Brave, Vivaldi, etc.) on Linux was being punished.
Awfully frustrating having to set up a Virtual Machine just to be able to access one website via Firefox since even my hardened Firefox was being punished.
That's useless, in fact it makes you stand out even more. There are SDKs that can differentiate based on an awful lot of signals if your user agent corresponds to your actual browser version.
That's what Russian underground hackers do to create so called "anti-detect" browsers, which can emulate different browser fingerprints. But they are commercial and closed-source.
Almost would bet one or a few of your ISP's customers have their connections being used as residential VPNs.
I know people like to think of suspicious android box setups but even a lot of "free" apps, extensions and other such services scarily seem to do that duty these days. I'm sure I'm preaching to the choir here, but its sad how many people will use some free of cost vpn and not even think why that might be.
It's not only IP but entire browser stack is being fingerprinted: Javascript, http, tls - everything. I've been living in the SEA region on Linux firefox for the last 10 years and the web has been miserable due to cloudflare and recaptcha
He just told you, he used cloudflare WARP. It's a "VPN" along the lines of NordVPN et al, but by cloudflare, so it gets special treatment by cloudflare's walled garden enforcement system.
I’m guessing it’s all the same effect as CGNAT exit IPs. You need to get big enough to be unblockable. That’s why everyone is trying to get in on the VPN game.
This new reCAPTCHA setup is probably a good indicator that big tech wants to shift to verified access only. Personally, I’m just going to quit spending money via the internet and go back to piracy + retail stores with a physical location.
Turnstile feels bad as a user. Every site that I’ve seen it long will lock up Safari hard while it’s doing whatever it’s doing. But at least I haven’t run into more than 2 refresh loops.
This is why I ended up paying extra for a static IP from my ISP. While they always provided me with a public IP outside a CGNAT, I guess whole IP blocks were being targeted by these web security providers.
I guess my ISP allocates static IPs from a separate pool, and probably my IP block neighbors are better behaved (probably SMBs and other fellow nerds), aside from platforms learning that my IP is safe.
Nope, I have tried. Just as suspicious to them if not moreso because it's a datacenter IP and not residential. I even have a list of sites I've tried to visit that were explicitly blocked from datacenter IPs, and that file has over a hundred hosts in it now.
archive.is just asked me for a QRcode scan, I'm so ashame of that crap (it's behind Cloudflare), forcing website visitors to KYC? Are you guys insane!?
the web is ruined if you push for this, this is millions of websites that will suddenly force KYC? What...the...f
By KYC, obviously it's because there is very few non-criminal ways to have a SIM without KYC and get a Google account for Playstore without a number, so every website visits will be attached to a real ID.
I don't use a stock Android, right now I literally can't access many websites, this is genuinely crazy.
Interesting, the text says "reCAPTCHA doesn't share your details with this site", but it says nothing about sharing your details with Google. Which means yes?
Naturally, "Your data is private[ly] and secure[ly stored in plain text on our servers so that it's only accessed by us and shared with the advertising partners we choose]."
Their squabble was to claim that Cloudflare wouldn’t let them collect identifying information about the original requestor. No doubt they’re thrilled by this change’s identity exposure.
I just tried using archive.is on my non-degoogled phone using IronFox instead of Chrome and could not pass the recaptcha. Actually it presented me the mobile attestation on second try, but I was able to switch to images again. But I am also unable to pass that one with the tracking protections built into the browser. Hopefully some 'serious' website starts using this so I can bomb their customer support.
For me this archive.is thing has been unusable for a long time already, because they rely on Google Captcha for a long time already and I block Google shit by default. Allowing Google is probably equivalent to showing them your id, due to fingerprinting in the name of "safety". That's why archive.is is not helpful and usually just a tab I close again right away.
Even crazier is that there is nothing preventing agents from not using this. The hardware, signing, etc. can all operate as part of an autonomous agent stack. There is no benefit here to anyone.
Google has already been crippling the audio CAPTCHA access for many years. If your trust score is low enough, the visual challenge is ridiculously slow and noisy, and pressing the audio challenge button will just give you an error saying "To protect our users, we can't process your request right now", accessibility be damned. Where are the lawsuits? I want to believe there are still forces that would create hell to pay for doing something so evil, but I'm not seeing any.
Haven't you heard? Accessibility is woke, and the institutions that are supposed to protect it are being dismantled. I wouldn't be counting on those lawsuits going anywhere personally.
I think this is just gonna make viewing internet without a phone significantly harder especially with archive.is and the likes.
Not sure, how relevant this is to the discussion but if it helps, I have made a project[0] which allows to archive archive.is pages on archive.org/wayback machine (this uses singlefile)
Perhaps something like this can be used by community at scale too. Also, I hope that archive.is does something to fix this issue of requiring QR code and hopefully it doesn't become a permanent issue.
Never understand this anymore, it's genuinely one of the easiest services to pay to bypass automatically (literally 3-liner of JS), webmasters are becoming incompetent.
Sometimes, people just do dumb choices, there is nothing to understand except plain lazyness, there is better captchas, free, non-invasive, more secure, GDPR compliant and so-on that are also not covered by captcha-solving providers, so what's the positive argument about reCaptcha?
I was involved in evaluating captcha solutions. The only recaptcha alternative that met the requirements that we were able to find has hcaptcha, but it wasn't any cheaper (for us), and would require going through the vendor approval process, whereas google was already an approved vendor. There wasn't really a compelling reason to switch.
Maybe there is a better option out there, but if so, it has the disadvantage of being hard to find.
You really think it's the reason? I've worked with many developers, and they use reCaptcha just because they are used to it and did it in the past, I doubt customers love the "reCaptcha branding", to the contrary, nicer captchas (or even invisible ones, even better) improve retention.
reCaptcha is "invisible" by default. Although if you use a non-cheomium browser and/or block tracking, you are more likely to trigger a non-invisible prompt. Annoying as that is for people like me and maybe you, that isn't the experience most users have.
i wondered the same earlier and i am pretty sure they are just mimicking cloudflare's validation page. no way that cloudflare is paying reCAPTCHA when they have theor product, turnstile, available.
Seriously? I didn't realize this was already happening. FWIW I still got the old captcha testing that site, and I often get flagged and blocked, though it's possible you're doing better.
It's a move to block competitor AI agents while securing access for your own, classic ladder kick. The market for autonomous agents providing services and doing online work will be gigantic so, unless you want your own bots locked out from ie properties guarded by Amazon, CloudFlare, Microsoft etc., you will need a bargaining chip.
As someone that uses AI agents, this makes me want to install a browser plugin for "public windows" that just archives everything I see, and then farms out clicks of content that are missing from those sites.
The result of this would be to upload it all to a bot-friendly alternative to archive.org.
Nice, I understand it is similar to ArchiveBox + its web extension.
Now to be honest, while it's optimal to archive pages from you browser view I am not sure I want a random web extension to be in everything I see from a security point of view.
I would rather have a local proxy doing it. Maybe something like the InternetArchive warcproc [0]. Haven't tried yet.
for a short time i had warcprox sitting behind my firefox and auto feeding its output to pywb, it seemed to work but i had connections failing randomly after having warcprox running for more than a few hours~days. not sure if it's an issue with pywb or warcprox but there were some urls missing that i did browse on firefox, and many dynamic pages couldn't be replayed at all.
I would love to see someone challenge this as an anti-trust violation. Google is using its market power (as the provider of reCAPTCHA) to actively prevent devices that don’t use Google Play Services from competing effectively.
I'm not sure the definition of anti-trust matches what you're saying. Are there any retail android devices for sale without Google Play Services? Also, notably iPhones will be able to still work despite not having Google Play Services.
Retail phones for sale without Google Play Services:
All Huawei phones, which uses Huawei AppGallery after sanctions
FairPhone 6 /e/OS
Practically all modern feature phones: Nokia phones, HMD phones, etc. As I understand it, predominantly used by elderly and kids. But it's also gaining traction among millennials and Gen Z for digital detox and defeating mobile addiction.
Linux phones (Jolla Phone, PinePhone, FuriPhone, etc) - these you probably won't find in your local retail store but this is another competing platform being built from effectively an entirely different lineage minus the kernel
They're using their position to force people to buy a certified Android phone or iPhone in order to use millions of websites Google doesn't even own. People without a phone, people with dumb phones and alternative operating systems (deGoogled Android being just one example) can be totally cut off.
It's worse than forcing the Play Services: strict Play Integrity requires your system to be signed by Google. So if you use the Play Services on GrapheneOS, you're still locked out.
They're only doing that because the EU currently doesn't want to antagonize US any more with their tech fines. Noticed how there hasn't been any as of recently?
> April 2025: Apple fined €500 million for failing to comply with "anti-steering" obligations. Meta fined €200 million under the Digital Market Act for requiring users to consent to sharing their data with the company or pay for an ad-free service.
> December 2025: X fined €120 million under the Digital Services Act for breaching transparency obligations.
(Sure, not this year, but that's pretty recent by most standards. And not sure if they're still being contested and unpaid)
Alternative explanation: they're following the Meta playbook of releasing surveillance features during a "dynamic political environment" that's keeping their opponents distracted.
I'm failing to see why they didn't just adopt Private Access Tokens (not that they're great either), where they could have at least:
- pretended that it wasn't all about invading peoples' privacy.
- done a good ol' fashioned "but Apple does it"
- pretended to be standards-oriented
- advertised it as something completely transparent to the end-user
Seems like that would've caused a lot less backlash while still achieving the goal of having some form of device attestation -- but I'm guessing that's not the real goal.
It doesn't fundamentally solve anything. You want to be able to identify a specific person or at least a relatively expensive device so that if you ban them they stay banned.
This is the exact method used to secure iMessage against spam: secure attestation and ‘console’ bans of devices (reversible by iirc phoning support, indicating who you purchased the used device from, and providing an ID). But Google is trying to pull a Windows 11 “TPM or die” conversion on the public Internet via Recaptcha. Welcome to the attestation wars, unwitting websites :)
How you know this is a monopoly is that if you go on their documentation website half the video is how this rolls into Google Analytics.
This is using another product to reinforce the search and ads monopoly.
You can’t scrape content to build a better google or Gemini, you can’t make an OS to compete with Google or Apple, and you can’t make a Google Analytics competitor.
I agree. There are pretty clear grounds here to think about opening an investigation here into illegal tying, or a misuse of market power. Not sure if the FTC maintains a presence on here, but if you're listening...
This isn't just about weirdos (like me) who run GrapheneOS. Huawei phones don't have Google Play services installed, or Xiaomi phones with MIUI China. That's what, a billion and a half phones that can't get to your website now?
Amazon tablets don't have Google services either, which hints that the upcoming Amazon phones also might not work with this.
If you need access to both apps from China and websites/apps from outside China, non-Apple devices have been difficult before this, primarily due to push notification infrastructure.
This makes it more difficult. But I don’t think it matters given how difficult it was prior to this.
Using apps based on Google Play Services may be impossible on those phones out of the box (not sure), but websites have no such dependency and most people don’t give a crap about push notifications from PWAs anyway so whether FCM works with the device matters little. Also doesn’t the web push API support different push services at registration time so those devices’ browsers can register their own vendor push server? (It’s been a while since I implemented web push myself, memory is fuzzy.)
This is blocking access to websites wholesale, so it’s on a whole different level.
I have a good friend who doesn't own a cell phone. He's a math professor. Every year he keeps living life without a smartphone, I continue to be more impressed. Things like this makes me feel like he might have to eventually give in. https://archive.is is now serving, via Cloudflare, this QR code backed CAPTCHAs. There seems no way to get past them without a smartphone. Sad times. I wonder at what point even basic government services will essentially require a smartphone.
I envy you. Before I degoogled my life, I tried going all in to no smart phone. It didn't last very long. I still would like to get there, but considering how difficult and slow it was just to degoogle, I anticipate that it may be a long time before I can operate without a smart phone.
The main thing that makes me think about getting a smartphone is navigation. But I never lost the skill of "looking up/writing down directions before you go" so it's not too bad.
(My phone is technically Android, but really old, not a touchscreen, you can't install apps, and most websites don't work in it, so... basically a dumb phone. But I did write a map web page that works in my very specific situation: https://lab.brainonfire.net/classicmap/ But mostly I just look up directions first and pay attention to signs, and the web page is a fallback that's nice to have.)
No cell phone period or no smart phone? I'm not sure how people manage the former. Do you have a home with a land line? What do you do when you travel?
Eww. Ok, so, I’ve used reCAPTCHA on sites I maintain at work, just on forms to prevent excessive bot spam submissions. No way do I want to subject users to this BS, though. Does anyone have recommendations for other decent captchas that could be used instead?
Bots are usually very stupid and will bail on any captcha system they don't recognize, so anything you make that's custom and requires javascript will cull 99% of them. This may change at some point with LLMs but for now my websites at least are still holding strong.
in my good ol' days I just sent a screenshot to 2captcha for grid of the entire captcha iframe which means that the solvers would have to figure out what to do instead of having to write code for each different type of captcha. to solve their new rotating puzzles I would just capture them at 50% opacity twice and change the prompt to pick the highest brightness object since 50% opacity would dim the moving elements.
Given the way Google is going I'm not sure if my next phone will be Android. I am fully aware that I am probably in the minority here. For me the trust is entirely gone.
Possibly... but the extension of this to Android and Apple is going to be the entire internet shuts you out. And everything else will be a giant Dead Internet crawling with bots.
The sites that require you to log in are precisely the same ones that are crawling with bots. The personal internet or "small web" is, and still will be, full of real content. There are also lots of bot websites that are trying to be small web, but since it's an actual social network and not a giant pool everyone pours stuff into, they don't get traction. If you do find a website that seems to be human but links to a thousand AIslop sites, you'll stop following that guy's links.
What they mean is those are the sites that will require attestation. It's pretty quaint to think that people who don't like bots would rather play wackamole with bots when they can just flip a switch and they're gone.
I have to see. As much as I don't like Murena and /e/OS, they seem to have some clout with the EU/EC. Given that they are using microG and also hit by this, they might be able to nudge the EC to act on this.
Also, personally I care less and less. As long as my banks and government apps work, I'll just not use somebody's service if they put up barriers like this.
> Also, personally I care less and less. As long as my banks and government apps work
If most people care less and less, the result would be that banks and government apps will also work less and less.
Look, companies have to prioritise. And the obvious way to prioritise is to say "users are requesting X A LOT and nobody requests Y, so we will do X". Companies never, EVER say "it would be more ethical to do Y, let's do Y".
As people, we can do two things:
* Push our governments to regulate that shit. That means, complain a lot to the government.
* Be vocal to companies and complain when they don't support your system. If enough people do that, it will be prioritised.
The hardware attestation (which is used by strict Play Integrity) checks the signature on your OS. It is totally possible to allow signatures other than Google, but Play Integrity doesn't do that.
Companies could totally decide to use hardware attestation and accept systems signed not only by Google, but also other systems (like GrapheneOS). But they don't care because not enough users complain to them.
Users of alternative Androids typically silently move to another service or stop using it entirely. Which is understandable but doesn't help the cause.
Both are terrible for privacy so it comes down to which one has a nicer screen now. :(
I'd rather have Google check an Apple phone attestation than have Google check a Google phone attestation, and vice versa, though, because you can assume each company is trying to keep as much information private to themselves instead of giving it to the other. Google is probably just getting "yes it's an Apple phone" and some kind of temporary token, instead of my IMEI, IMSI, phone number, all signed in accounts, biometrics and so on.
Also, Apple sells themselves as a privacy company, but often pick (possibly intentionally) insecure defaults. E.g. you might use end-to-end encrypted chats, but by default iCloud backups are not end-to-end encrypted, so law enforcement can just request your backups/chats from Apple. If you are vigilant and enable Advanced Data Protection for E2E iCloud backups, it probably still doesn't matter because the people that you communicate with probably do not have ADP enabled.
Besides that, they are enshittifying in the same way as Google. Ads in Maps, Ads in applications that you get with the OS (Apple Creator Studio ads in Keynote, etc.), Ads in your system settings for Apple Fitness+ (really).
At least Pixel phones and soon some Motorola models have the option of installing GrapheneOS.
Motorola + GrapheneOS next year could be an alternative. So far they've been relatively insulated from the changes that have been coming down from Google.
Motorola won't change a thing about hardware attestation. GrapheneOS is locked out from reCAPTCHA because GrapheneOS is signed by GrapheneOS and not by Google.
The way it's going, by the time the Motorola + GrapheneOS phone is out, it will be a lot more painful to use GrapheneOS than today. Not because of GrapheneOS of course, but because everybody accepts that bullshit Google is doing.
If you're waiting for Motorola + GrapheneOS, you could start complaining to banks and other apps that don't support GrapheneOS :-). If enough people did that, maybe those companies would consider it.
In the meantime, I'm currently using a low end Motorola moto g 5G 2023 which lets me turn off Play Services. Chrome and the Google Calendar don't run (really do need to find a replacement calendar), and I couldn't be happier. Motorola's interest in GrapheneOS makes me wonder if they did this on purpose.
Or if you need it now, Pixel + GrapheneOS. Pixel A-series are really affordable. E.g. the 9A is 350 Euro here, have great device security (Google Titan M2 hardware security processor, CPU that supports MTE, etc.), pretty good cameras/camera processing, etc.
I'm inclined towards keeping an ancient android for those apps that require it, and maybe something open for actual use. Or perhaps a crappy old android for android and a small non-android tablet/laptop for daily-driver stuff, which always works better as a computer anyway!
I'm also becoming open to using software that lies to google about what it is :) Google will treat us like sh*t, why shouldn't we reciprocate.
Almost completely unrelated, but I recently helped out a very confused family member with deleting not one, but two Google Cloud accounts they had no idea existed, and that they only learned about from an email referencing reCAPTCHA getting integrated into some other Google product offering.
I have absolutely no idea what happened there. My best theory so far is that they clicked on some really, really wrong buttons when solving a captcha themselves while logged in to their Google account in the same browser. Bizarre.
The projects were named after a Google Doc they'd recently worked on (or a .docx attachment they'd received?) though, so my other guess is that they somehow created a Google Docs macro or similar by accident?
Everyone, including Linus Torvalds, who rejected Stallman as too political or ideological, and advocated for "pragmatism" instead, is part of the reason we're where we are today. And it's going to get a lot worse, before it ever gets better.
Even if we accept your premise, laws don't just appear; they are an organized response to a recognized problem. But everyone has been sleeping on the problem lurking in our infrastructure, undermining any impetus to enact such laws. And the people screaming from the mountain top (like Stallman), trying to raise awareness, were routinely mocked and marginalized by those all too happy to accept convenience and expediency, over more sustainable values.
I wish Linus had adopted GPL v3. He had the power to stop this madness from big tech, but he sided with them. It just reveals that he never fully understood the reason for the existence of GPL in the first place.
> He had the power to stop this madness from big tech, but he sided with them.
He (Torvalds) had no power to do anything and sold out. Even if he did, big tech would just go and use BSD.
For over a decade both Torvalds, and Stallman sold everyone out. They don't make their money directly from "free software" or "open source" in the first place.
Stallman was right in that he knew digital surveillance was going to happen, but he was incorrect in believing that FLOSS was ever sustainable economically and especially with AI replacing the developer and that big tech and startups are weaponising that against them.
Even when Stallman is against AI, he doesn't care. He knows he doesn't make money from "free software"; but only by speaking about it. Torvalds is the same but likes AI.
What do you define as selling out? Having a different perspective from your own? There are many legitimate reasons for why someone can believe the opposing view points. Devolving into us vs them rhetoric is not conducive to a reasonable conversation.
>> They don't make their money directly from "free software" or "open source" in the first place.
>> He (Stallman) knows he doesn't make money from "free software" but only by speaking about it. Torvalds is the same...
My (unanswered) question:
> Can any other developer do exactly that in 2026?
To avoid repeating myself, the point is the majority of these typical developers do not have the level of influence that both Stallman, and Torvalds have to make a lot of money from their open source projects, especially in the age of AI; making it pointless to maintain such projects.
I did read your comment, but making money from speaking about software is not selling out to me. Is that what you meant?
I think open source works best when folks don't expect to make money off of it. I don't think Linus or Stallman expected to make money off of their free software. In some cases you might be lucky and able to get consulting contracts from firms related to your open source code but it's not reasonable to assume that will happen. It's possible it's harder to get lucky today than before but it was always unlikely.
GPL v3 specifically requires the vendor distributing the GPL v3 components to allow the user to change the software on the end user device. This means no more locked bootloader. We would have had choice to install custom Android distributions and thus less Google monopoly.
It was always possible to install Android alternatives, GPLv3 has nothing to do with it. I have nothing against GPLv3 of course, but this is just not true.
Remote attestation is the thing preventing the app from running on your Android alternative, whether it's GPLv3 or not does not matter. GPLv3 does not say "it's illegal to do remote attestation".
One thing I hope we've all discovered by now is that, if Stallman hasn't been proven right at the present moment, on any topic that touches on libre computing, is that it's only a matter of time until he is
I did something unpopular and just didn't have a captcha, I just read up on creepjs etc and rolled out my own which is just browser state analysis, basic ip check (abuse lists only) and PoW. Haven't had an issue with a single bot registration (yet).
A simple captcha with distorted characters + some hidden form fields would stop every single "opportunistic" bot.
There's hardly anything you can do to stop someone determined enough to spend money to spam your specific website. These kinds of captchas do raise the bar somewhat, but every single one of them is ultimately bypassed by paying people to solve them for you.
I rotate structures every request I made it explicitely hard to automate and I just raise the PoW during attacks. It's always about reducing volume rather than preventing it and a million registrations later it's still holding strong.
bots get pruned after an hour since 100% of the bots fall into the same trap, giving it a delay makes A/B testing really difficult and breaks most AI strategies.
Does anyone know what changed in iOS 16.5 that made Google stop requiring the app? To me it seems to correlate with Private Access Tokens, aka remote attestation by Apple. https://developer.apple.com/videos/play/wwdc2022/10077/
Possibly. And possibly the fact that breaking experience for iOS users would result in a massive backlash, while the volume of non-iOS/non-Android users is negligible in comparison. Some of them will convert to mainstream OSes, the rest will succumb.
You will also see this page if your smartphone is degoogled and you try to open the reCAPTCHA attestation URL in a web browser instead of in Google Play Services.
For Decades the huge tech companies basically faced no adversity whatsoever. Now for the first time in their existence the massive returned investments in AI they are experiencing ... we will call it pain.
I would say it will be interesting to see what they do but I think rent-seeking, oppression, human rights violations would be more apt.
They were of course trustworthy proviers while they were untouchable but now I know how things are gonna go.
GrapheneOS users (and actually just citizen who care) in the EU should complain to the DMA team [1]. As with everything: the more people complain, the higher priority it gets.
I recommend every EU citizen to do this. Don't send a pre-canned message or an LLM-generated message. Write your own story and how Google (and Apple) are destroying competition and freedom for you as an EU citizen.
Even if you are a GMS Android user, they are going to make installing apps outside the Play Store much more annoying and these attestation-backed verifications are going to further deanonymize you.
I don't know why reclaimthenet hasn't embraced the obvious answer: Simply create a new smart device operating system with a fully disentangled cosmos of programs, libraries, APIs, app SDKs, hardware partners, drivers, trust networks, carrier agreements, app stores, documentation, conferences...
Same reason as "make another (better) windows" is very difficult - almost everyone wants to be able to run existing apps and drivers, so you're forever playing compatibility catchup with android (or windows).
That's the reason companies are desperate to be first/biggest - once you're it, you're it until you finally fall on your face and dwindle to a nobody.
AOSP is open source. There are plenty of AOSP-based systems (starting with GrapheneOS). No need for a new one.
The thing here is that Google is building technology to prevent alternatives from connecting at all. We fundamentally cannot solve it by building more alternatives, we have to prevent Google (and TooBigTech in general) from doing it.
> Simply create a new smart device operating system
Why does it have to be new? Plenty of open source OSes exist... starting with Android! GrapheneOS is based on AOSP, you would call it Android. If I show you a phone running GrapheneOS, you probably won't even realise that it's running an alternative OS: it will be Android to you.
The problem is not that we don't have alternative. The problem is that Google is moving towards forcing everyone to run their OS (or the OSes they accept, since it includes iOS) to connect to random stuff on the Internet. They are literally building technology that will prevent alternative OSes from running properly.
No need to create new OSes if anyway they won't work, right?
How about consumers paying a little extra for their device? The way it's going, add sponsored big tech is dieing because click fraud detection is becoming too expensive. Either we give up privacy and track every user, or we let bots have at it, stop targeting ads to users and bill advertisers on bandwidth.
if you think consumers will pay more for the vague notion of privacy i have beachfront property in kansas to sell you. most normies either don't care ("I have nothing to hide ... do you?") or gave up already ("china / the government / big tech / all of the above already have all my data, why would I care if it's a bit more? what are they even going to do with it?" (sometimes, even "i like having relavent ads!")).
at my most pessimistic i can see a world where consumers pay MORE for attestation to continue to opt-in to society, or perhaps a ai-bot-free digital world.
Your privacy is dead, and you cannot do anything against it, except not using phones and internet... at all. I mean I still fight against it, but not by protecting my privacy by using tools, or using different tools, because I realized it's not possible. There is no "as less data as possible". They know regardless.
I used VPN, browser containers for everything, myriad of fingerprinting protection, nothing related to Google/Facebook/etc. And then I went up to Youtube once for something, and they knew exactly what were my thoughts at the time. That was the moment when I realized that I suffered for nothing.
I still support for privacy movements, and I strongly believe that the only place where we can do anything at this point is politics. You can't protect your privacy anymore at this current environment, that ship sailed decades ago.
My problem is that basically every larger for privacy push is against newly proposed laws (like age verification), and there is basically no large uproar regarding the current already fucked up laws.
A parallel, fully public and accessible internet being widespread and available for anyone with a slight tinkering kick... Could actually be really awesome.
Let the commerce-driven, corporatized hellhole that the modern web has become eat itself.
How do personal blogs deal with the HN hug of death? In this increasingly-utopian vision, I imagine that being more widespread than (paid) DDOS attempts. There won't be any money to be made (banks, Paypal, etc. won't trust the "parallel web") and with the proliferation of synthetic training data I'm not sure how useful a target a bunch of blogs and smallweb sites would be.
> I love the vision, but I do wonder how the parallel internet will deal with DDoS levels of bot traffic.
Something that makes it expensive to initiate a connection and cheap (relatively) to accept or reject would probably help. I think that’s a hard problem though.
I’m not talking about the network itself but the servers on the other end.
I guess my point is that while Google is definitely malicious, I don’t think every site using recaptcha is and if we expect them not to use that tool there should probably be an alternative.
I think SV was asking what onion services, which can't really use recaptcha, do to prevent the DDoS storm.
And I would imagine the answer is obscurity, since the dark web isn't nearly as well-mapped as the public web. That and some Anubis or other PoW would probably go far.
> Tor does it by being so painfully slow an unreliable
I do 95% of my web browsing via Tor Browser and it is very tolerable, most circuits are fast enough for 1080p video (Youtube, Twitch livestreams, etc) without any buffering.
Of course this is a single tor circuit with an exit node, so speeds are slower when going directly to .onion sites, but the only real slowness comes from the latency and not throughput.
TPM with things like Heads are borderline zero security and theater compared to actually decent implementations on Android/iOS platforms, I doubt the big companies would rely on that. TPM in general on non Mac/Chromebook PCs is mediocre even from big OEMs.
On becoming anti Google, I blocked Google's ASNs (shortcut to block all their IP addresses) on my router the other day as an experiment. It's a little eye-opening.
Obviously you immediately realise just how often you !g in DDG, use Google Flights, YouTube etc. Ok easy enough to fix
Then of course I can't use Play Store (Aurora didn't work either) so my phone would have eventually become quite obsolete
You can't compile many Go projects because the dependencies are pulled from Google
And if you had ALL of Google's ASNs that would include GCP and that's a whole other level of being cut off
> Lawfare is the use of legal systems and institutions to affect foreign or domestic affairs, as a more peaceful and rational alternative, or as a less benign adjunct, to warfare.
The parent is musing on the impossibility of Google being held accountable, as the government largely assents to this plan and will ostensibly use it for social control during times of protracted warfare (eg. right now).
I don't use Android right now and haven't used Google'd Android for almost a decade. And I won't. If this is the hill I die on, so be it.
I'm not going to use any sort of hardware attestation, especially one controlled by Google. You shouldn't either, even if you have an unrooted Google-certified Android phone.
It's all fun until you can't get paid because some fintech app doesn't work. That's why we need regulations. I don't see politicians ever going against an advertising company when they're customers.
Indeed, I generally favor being conservative with regulations because they can genuinely impede progress and can be really hard to change or remove when they're bad, but this is an issue that we need regulation for. It's just too much in the interest of big tech to lock us down and strip us of our freedom of compute. Short of regulation.
Unfortunately I see the regulatory environment more likely to go the other way of requiring attestation. I sure hope I'm wrong.
An easy first step ahead of a full ban would be insisting that hardware attestation never be used as a gate to access government services. Most other things I can vote with my feet, but viewing my tax returns or renewing my passport are things that can only happen in one place.
This is really the most important thing for me. I don’t want to be obligated by law to use some identity or attestation service tied to big tech. I might be ok with my bank handling it because they already require ultimate trust, but not if they simply defer to big tech or implement infrastructure on foreign ccTLDs (id.me, verified.me, etc.).
I’m Canadian and watching our government sell our souls to American tech companies is beyond scary.
Yes, Canadian here also and I feel the same. I'm pretty heavily Googled these days (gmail, gphotos, Pixel 10) and I work for a US tech company, so maybe I'm kidding myself that it matters much for me personally, but I'd be pretty sad if I ever found myself unable to access any level of government service because I didn't have a Google or Apple smartphone that I could point at a QR code on the screen.
One unfortunate aspect of the entire problem: Go back, let's say 10, 15 or 20 years, when forces were a bit more balanced than today. When all these issues were already quite obvious, but probably somewhat easier to solve. The same people that cry loudly today were completely ignoring all these issues. Actively. And when someone came up with them, that guy was just an idi*t, disturbing the good mood. Right? I can still remember all the conversations that I had, or that I read. Today, they'll deny that and still call me an idiot. Anyways...
PS: Sure, there always were a handful of exceptions. If you are one of them, you know what I'm talking about. I don't refer to you. But to the other 99.x%.
I saw a lot of people get told they were too dumb to understand how the app stores or Adobe subscriptions were a good value proposition. A lot of people rolled in the mud and now they’re upset their clothes are dirty.
If it didn’t affect those of us that tried to resist, I wouldn’t care, but we got dragged along unwillingly and now it may be impossible to hit the brakes before corporations control everything by usurping control of our identity systems.
The AusweisApp is Open Source and available on Windows, Linux and even FreeBSD too. You just need some NFC Scanner that works via USB and then you can use it without a mobile device.
https://www.ausweisapp.bund.de/open-source-software
"Not using" doesn't make any noise. If you just "don't use", you will just use less and less stuff.
Google doesn't give a shit, but smaller companies are the ones using reCAPTCHA and that kind of shit. Consumers need to complain to those smaller companies. And citizen need to complain to their government, if those case. In the EU there is the DMA: https://digital-markets-act.ec.europa.eu/contact-dma-team_en.
What's sad is that the few citizen who care are often complaining against regulations. And it is the lack of regulations that got us here. We need antitrust, period.
One positive thing about tools like Claude is that I can finally do things where I had originally no time for. For example I asked Claude to debloat windows. Remove everything possible. From firewalls to notepad to uac to whatever. I also asked Claude to root my pixel phone and install another OS. I also asked to install pihole on a old Mac to serve as a dns and block all ads. All this took maybe an hour of my time.
Is there a way to just ban all these sites? Like a firefox plugin or whatever that detects this crap, and just bounces over to some place more reputable, like archive.is.
Doesn't surprise me — I've hit undocumented Android Chrome behavior too while working with the Vibration API (more advanced usage by a very large margin). The browser/OS layer on Android has a lot of silent, unannounced behavior.
This tyrannical and selfish, evil corporation, needs to be broken down. These are not accidents. Just remember how Google killed off ublock origin via a lie:
Luckily Google reCAPTCHA seems to be dying. Almost everything uses Cloudflare Turnstile, hCaptcha, or some form of a PoW challenge now.
I'd go as far as to say that still having Google reCAPTCHA on your website is a sign of your website being unmaintained. Half of them even have the "reCAPTCHA is changing terms, take action" text on them.
This move will cause the last users to stop using it, and reCAPTCHA will be on the "Killed by Google" list in a year or two.
To be fair, there are already apps that require a mobile phone to sign up, for example, VK, Telegram. And I think Google requires to scan a QR code to register account, so it is easier just to buy a Google account on a black market if you need it for some purpose.
I think you and I move in very different social circles...
I would have no idea how, nor desire to purchase a Google account on the black market, and I do in fact still trust that my web browser can do TLS correctly.
"easier just to buy a Google account ...." for those who would choose to do that in quantity. That is, the scammers and fraudsters for whom this is a financial decision. Which suggests that Google's latest moves shift the needle only slightly against actual abuse at a huge cost to the rest of us.
"Nobody trusts web browsers ..." applies to the publishing side. Content (that is, advertiser) sites and commerce most especially. The prove-yourself hoops that those opting out of that approach (de-Googled Android, privacy-hardened browser, alternative OS) must deal with are mind-bogglingly insane, speaking from personal experience. The Web no longer brings joy.
Incidentally, Google plays strongly in the second space, such that its incentives are aligned with pushing people into the "Google Play Services" ecosystem, and to both its own browser and ad-tech personal surveillance tools.
I meant "corporations do not trust users who register from a web browser and not from a mobile app". Without a mobile app (which allows to collect more hardware identifiers and spam you with notifications) you are not welcome.
Sure but how do I know that the person I'm buying from legitimately owns the account? Won't scam me? Or try to con me out of my existing account? I'm just saying not everyone is as relaxed about that sort of thing.
The price is about $2-3 so you are not risking much, there are reviews and ratings. Of course there are scam sites, but once you buy several accounts you quickly figure out which ones are scam and which are not.
Re: stolen accounts, you can examine account details, history and activity after purchase, check for emails from social networks and return stolen account to the owner. The posting usually also mentions registration period (new accounts are unlikely to be stolen). But it seems that registering new accounts is cheaper than stealing - old accounts are much more expensive.
I didn't use the account for any illegal activity, there are just sites that use Google Account as a "verification" that you are not a bot, and to issue bans. And I am not interested in jumping through the hoops of searching a locked smartphone with Google Services and filing a visa application to register the account. I strongly dislike proprietary software and locked smartphones.
VK has been digging its own grave for quite some time now. Hardly anyone uses it any more. It's speedrunning enshittification with that registration thing but also with the very unpopular post redesign, the removal of custom news feeds, and most recently with shutting off most of the API access for third-party apps, including popular client apps like Kate Mobile.
I don't know what services a TPM chip does provide. Wild guess, some private keys, hidden to the computer user, are used to sign stuff and/or encrypt ?
that reinforces me using HarmonyOS - nothing against Graphene btw -. It's impressive how difficult is to actually use any platform apart from the stablished ones normally these days.
I worked at Google. I know there are tons and tons of great and well meaning people working there. This is the kind of thing that would make me crazy.
People there be like, “but I’m not evil! I’ll never do anything bad with all of this incredible power!”
But if you create a nuclear bomb, someone unsavory is going to wrest control of that power from your stupid little painted fingernails and destroy the rest of us with it.
How about, don’t make an effing privacy nuclear bomb if you don’t want to contribute to making the world more evil?
Create your own. Captchas have long existed on the internet. Start your own Captcha As A Service. If you've not seen the dark net some of their QR checks are inquisitive.
It feels ultra sad that "developers" think they need to use reCaptcha? What is this lazyness, it's not even good on top of that at what it does, recaptcha cost less than $1/1000 to solve automatically, it's also slow, crappy, bad UI.
Even competent people got completely brainwashed, crazy.
Developers implement what they are told to implement. People who make those decisions in companies just don't give a damn, they will happily use whatever is easier/cheaper. Usually something from TooBigTech, sponsored by surveillance capitalism.
We told you. You dismissed it, and thought we were just crazy conspiracy theorists. Too brainwashed by the mainstream propaganda about "threats" to see the truth. Now they're even more emboldened by how much they can herd the sheeple, and showing their actual goals even more clearly.
Spread the news, tell everyone you know, before it's too late. I wish we won't have to resort to even more drastic methods in this fight.
"Those who give up freedom for security deserve neither."
The rebellion will not spread online, in the space controlled by these bastards; but offline, outside of their control. I'm telling everyone I know, and you should too.
After all the surveillance capitalism abuses over the last 2-3 decades of Web, it's a little late to be pushing back, but... should we start shunning individuals from companies who implement this?
Whether it's from companies that create the tech, or companies that use it.
In the orgy of money, we've had a kind of industry-wide sociopathic convention of individual engineers considering it perfectly OK to further surveillance capitalism.
Can we reverse that?
If someone says we can't, because "everyone does it", are they saying that we're a field of baddies?
We cannot rely on millions of individual workers to take expensive stands on principle. And they shouldn't have to.
It's an essential duty for lawmakers and regulators to design the rules of the marketplace in such a way that wealth flows to those who do genuine good for the populace, and to designate certain tools and practices as off-limits because they are incompatible with our society's core values.
Google's actions here are a clear antitrust violation and should be blocked/punished. If our representatives don't do so, then they should be punished.
I had more the thought like being skeptical of anyone who would take a job at company Foo or stay there, when they tell you. To me that seems preferable to trying to -- what risks devolving into -- a witch hunt of fall guys (persons), and doxxing people.
I think we are already starting to have that with a couple more infamous other companies in the news the last year: if someone goes to work there, I suspect a lot of people are going to think what is wrong with you, since you must know that company does very harmful things,
Maybe it's time to start wondering that about anyone who'd work for a lot of additional companies?
(I actually had a recruiter recently who was pitching a startup, and the headline featured the "ex-" pedigrees of the founders, including an especially infamous company. I figured any company touting that pedigree as a selling point is probably a bad fit for me. I thanked the recruiter, but said that infamous company as selling point probably isn't a fit. The recruiter seemed to not only understand, but to agree with my vague sentiment about that pedigree company.)
Please stop calling Android Linux. It's a marketing lie that continues to disappoint, including here. You're holding Linux back substantially by claiming Android is part of it. Just because it has Unix doesn't mean it's Linux as MacOS is also Unix.
I’d just like to interject for a moment. What you’re referring to as “Android,” is in fact Android/Linux, or as I’ve recently taken to calling it, Android plus Linux kernel.
Linux is not an operating system unto itself, but rather a kernel—a core component that manages hardware resources. Android uses the Linux kernel, but replaces the traditional GNU userland with its own runtime, libraries, and system framework.
Many users run Linux-based systems every day without realizing it. Through a peculiar turn of events, the Linux kernel combined with Android’s userspace is often simply called “Android,” and many of its users are not aware that it is built on Linux at its core.
There really is Linux in Android, and these people are using it, but it is just a part of the system they use. Linux is the kernel: the program in the system that allocates the machine’s resources to the other programs you run. The kernel is an essential part of the system, but useless by itself; it can only function in the context of a complete operating system.
Android is normally used in combination with the Linux kernel: the whole system is basically Android/Linux, a Linux-based operating system with a distinct userspace, not a GNU/Linux system like traditional desktop distributions.
Remote attestation doesn't use blind signatures (as that would be 'farmable') so tying the device to the 'attestee' is technically possible with collusion of Google servers: EK (static burned-in private key) -> AIK (ephemeral identity key in secure enclave signed by a Google server) -> attestation (signed by AIK). As you can see if the Google server logs EK -> AIK conversions an attestation can be trivially traced to your device's EK. This is also why we don't really see and probably never will see online services which offer fake remote attestations, as it will be pretty obvious that the next step of running such a service is getting Google as a customer and having all your devices blacklisted. Private farms probably won't last long either as I'm sure Google logs everything and will correlate.
Unless something special is done with this new reCAPTCHA not only are you locking internet services behind TPM chips but you are also surrendering anonymity to Google. Unless you acquire untraceable burners for every service, the new reCAPTCHA will be technically capable to tying all your accounts across all these services together. Much like age verification. It may appear that the service would need to cooperate to link the reCAPTCHA session to your registration but the registration time alone will likely be sufficient (the anonymity set will be all but destroyed).
so while this comment is apt, i would ask them what they think of the previous chicxulub impact of the 2012 era collusion - which to this day has not been reported on
(just realized emacs bindings work in comments, nice, no ctrl-x tho)
Are you using macOS? If so, those keybindings work everywhere.
As far as I can tell, Hacker News doesn't impose any custom keybindings (the client-side scripting on this site[0] is very simple).
[0]: https://news.ycombinator.com/hn.js
Is this speculation, or has it been confirmed somewhere?
Not that I really can tell what this was devastating to. Maybe United States v. Apple (2012), where Hachette Book Group, Inc., HarperCollins publishers, Macmillan publishers, Penguin Group, Inc., and Simon & Schuster, Inc. conspired with Apple to raise ebook prices?
I don't think it's that, because the Wikipedia article makes it seem like it was a force for good, but at the time, it wasn't certain at all that it would be that way.[1]
Beyond that, I'm not exactly sure what might be meant.
[0] https://en.wikipedia.org/wiki/Internet_Association
[1] https://reddit.com/r/technology/comments/xs4qw/google_facebo...
It's possible this scenario is acceptable to them because it means they can still tie your access to something that's easier to ban without requiring a full account login.
That's possible... and they might change their mind if so, we will see.
I feel like it's a similar issue to when scrapers pretend to be an allowed-origin webpage in order to abuse "public" API keys for web services.
They could also require the mobile device to interact with the requesting webpage in some manner, similar to mutual PIN/codes for Bluetooth/TV pairing these days. That way bulk sharing of the codes would still require active participation from the device that requested it in the first place, likely with a short time limit.
Also, if the implementation is competently done the phone will show the website for which you scanned the QR code. A user would be able to see whether or not that matches the site where they observed the QR code and proceed accordingly. In time Google will probably integrate it into the Chrome browser where a proxied QR code cannot even be shown.
Yes, somehow "parse this QR code" would not have made my top 500,000 list of 'tasks that a human can do more effectively than a computer'.
Age verification as a technical concept can be done in a privacy-preserving manner! Whether or not we want age verification is another debate, but let's stop making wrong technical claims about that: it doesn't help.
At some point someone will need to issue a key, which at some point will need to be verified against known good signatures.
These signatures will also need to be kept in case of lawsuirs/enforcement, so if somebody gets access they will know you visited that site
For example, imagine you put the same private key into the 'secure element' of every single iphone. You use code signing so that key is only unlocked when the phone is running unmodified iOS with all security updates. You use encryption and remote attestation for the front-facing camera and face id depth sensor. You use NFC to read government-authenticated age and appearance data from biometric passport chips (or digital ID cards) and you store it on-device.
Then, when you want to access pornhub, they send an age challenge to your device, your device makes sure your face matches the stored passport, and if so it signs the challenge with the private key.
Pornhub gets an Apple-signed attestation of age - but because every phone signs with challenges with the same private key, Pornhub can't link it to a particular phone or identity document.
So in a very narrow sense, privacy is preserved.
You can't use someone else's ID, as it checks your face every time. You can't fool it with a photo of the person because of the depth sensor. You can't MITM/replay the camera/depth data because the link is encrypted. You can't substitute software that skips the check with a rooted phone because of the code signing. Security holes can be closed by just pushing a mandatory OS update.
Sure, it doesn't work on PCs. Doesn't work on Linux, or on unlocked/rooted phones. It hands users' government ID documents over to Google and Apple. It requires people to carry foreign-made, battery powered, network connected GPS trackers (with cameras, microphones and speech recognition) with them. And there are non-negotiable terms of service everyone must agree to. But if you define "privacy-preserving" to ignore all that stuff and only consider whether Pornhub learns your identity, it's privacy-preserving.
Jesus Christ.
14 year old me ran into porn on the internet all the time. It didn't turn me into a serial killer.
Meanwhile we let kids have exposure to algorithms that pervert their sense of self worth, get them addicted to dopamine and gambling, and make them feel inferior to their peers.
We have the wrong priorities as a society.
And this bullshit is going to turn us into a completely tracked, monitored, controlled bunch of cattle.
We're building 1984 and we're happy about it.
They will always be able to access porn, e.g. over torrent. It will just be a little less accessible, and maybe it won't hurt.
If the children were the actual reason there are much less invasive solutions that enable reliable parental controls such as mandating self classification of content and fining service operators for inaccuracies.
Think for yourself and consider what the possible ulterior motives might be.
> Think for yourself and consider what the possible ulterior motives might be.
Sure, and in the meantime try to think and read about how privacy-preserving age verification actually works.
This requires you build a whole apparatus around controlling what people can see, say, and do.
The concept of "slippery slope" is often called a logical fallacy, but in reality it's more than often not a fallacy at all. It's the manner in which you boil the frog.
I think it's something like over 50% of adults do not have kids now. Why should we put the majority of people - for the majority of their lives - at risk for a mere 20% of the population to "not see boobs", when good parenting will suffice?
Let's not put a cage around our freedoms. Let's ask parents to be more responsible. In the edge cases where that isn't sufficient, is that really as bad as what could happen to all of our liberties should we go down that path?
We're burning down the whole village because someone saw a cockroach.
Also even if it doesn't get leaked directly, the security of TPM chips is not absolute. Secrets from them can theoretically be extracted given an attacker with sufficient means and motivation. Normally nothing that's on a typical TPM chip would warrant a project of that magnitude, but a widely used private key can change that equation.
Plus a TPM chip doesn't really have means to tell the phone isn't being lied to. You could swap out the actual phone camera hardware and sensors for a custom board that feeds the entire phone camera data of your choosing and it would be none-the-wiser.
Maybe? But biometric passports, chip-and-pin payment cards and SIM cards seem to do reasonably well. And Apple can always push out a mandatory software update that rotates the key, if they need to.
> You could swap out the actual phone camera hardware and sensors for a custom board that feeds the entire phone camera data of your choosing and it would be none-the-wiser.
Apple's 'TrueDepth' cameras are serialised and paired with the rest of the device. The touch ID sensors were before that too.
I don't know the precise details, but reports from people trying to repair devices independently of Apple are that the phone is very much the wiser.
e.g. https://support.apple.com/en-gb/120567 https://www.reddit.com/r/iphonehelp/comments/1dl38kq/iphone_...
That prevents trying to swap the module, but doesn't prevent swapping out the sensor on the module itself.
Better learn about the good one, but I guess it's harder than making up nonsense.
The website sends a request for age verification.
The app[1] on the user's device[2] forwards that request to the chip on the user's ID card. The user authorizes themselves with their 6 digit PIN stored on the card.
The chip produces a signed reply containing the following payload fields: `issuing_country:string` and `over_18:bool`
[1] https://github.com/Governikus/AusweisApp
[2] iPhone, Android, Windows, MacOS, Linux or FreeBSD
It would probably be possible to use the service that the parent is suggesting and try to link it to requests to the server based on timing. But I don't even know if anyone would bother trying to identify the OP: probably it would just be enough to rate-limit the requests.
As always: it's easy to criticise, harder to actually get it right.
Teenagers, at that level of intelligence or are that determined, will find ways to circumvent whatever control mechanisms a parent or school is attempting to use. At some point, it is a matter of the teenager respecting their parents and rules. Same for if you told a teenager do not drink and drive. You can setup all kinds of technical barriers to block drunk teenagers from driving, but if they are that "smart", those committed to bad behavior or law breaking will find ways.
From what I remember from being a kid myself, it definitely is not.
There's not necessarily wrong. Despite the vapid and damaging nature of most popular online media, isolating a child from it might have even worse social consequences when their real-life peer groups discover that they're not on social media or that their parents have neutered their phone. Some kids would turn out fine after that. Others would be socially destroyed for life (maybe with the right therapy they could become well-adjusted, but high quality therapy is rare).
No, they are a solution for parents who want to use them, and that's all they should be. Their existence demonstrates that it's possible to handle this without regulation, other than the desire of some people to inflict their preferences onto other people's kids.
Absolutely, but those are nothing compared to the tradeoffs of putting attestation or identity verification (sometimes incorrectly described as "age" verification) on numerous sites and inflicting them on everyone.
And my whole point is that it's possible to do age verification in a privacy-preserving manner, and before complaining about the tradeoffs, you should get informed about what they are.
If you make it possible for governments to decide what content is "limited to adults", they can and will abuse that capability. "Porn" is the battle cry, to make it uncomfortable to argue against; often, other information the government wants to restrict becomes a target. The only way to prevent that is to deny the capability in the first place.
It feels like trying to debate about whether 5G is good or not, and the debate is stuck at people claiming that 5G boils your blood. There are valid reasons to oppose 5G, but if people choose to be so wrong that it sounds like bad faith, they surely won't convince me of anything.
The problem of "parents are negligent" is also solved by existing laws which have fines for parents who are negligent towards their children, and governments absolutely love collecting fines, so all the incentives are properly aligned.
We could totally discuss whether or not privacy-preserving age verification is a good thing. But we can't, because most people can't be arsed to read about what age verification implies, and complain about something that is fundamentally wrong (i.e. that they would have to surrender their anonymity).
Except that people can't read for 5min and understand that age verification can be done in a privacy preserving manner.
No.
> the easily trackable ZKP tokens
If it's easily trackable, it's not ZK.
Do they work currently? Not really
Are they too complex for the avg joe to work out. Unfortunately yes. (Something about the smartest bears and the dumbest humans)
> A law in the vein of HIPAA prevents collusion
No need if you use cryptography. This thing that, you know, works well for encrypting stuff? Spoiler: it can be used for age verification.
True for age verification, but not true in general. If you have something that can be used illegally, it's very handy to allow firms to rent / hire it out anyway but make the hirer responsible for any illegal activity.
An example is hiring a car, and the car is used to ram-raid a shop. Today this is solved by handing over a government ID to the rental company. Commit a crime in the car and they hand that over to police, but it has the sad side effect of handing over information to the car rental they can use to track you, and worse sell to others.
Using a zero knowledge proof for a valid driver's licence fixes the privacy problem, but at the expense of the hire company not being able to transfer responsibility for illegal activity onto the hirer. I suspect if that happened no one would hire out cars any more.
You can easily design something that is Zero Knowledge to the car hire firm, but includes an opaque token they can hand over to the government on lawful demand. It contains all the details needed to pursue the law breaking hirer. Thus there is still a role for the law here - you can't always do everything with crypto.
This is a very minor quibble - I agree completely with what I think is your main point. This Google change is a privacy disaster. It's a step towards an enshittified internet with the gateways onto it controlled by a few big tech firms.
But I don't think just yelling "just use ZK" is helpful. It's much harder than that - ZK is only part of the puzzle. Passkeys are currently caught up in the same attestation trap, and there is no workable solution in the offing. Banks and other high trust applications need some assurance your FIDO private key is being handled securely. The solutions on the table are Apple not doing attestation, or Google who does at the low low price of selling your true name to Google. Both "solutions" suck, horribly.
ZK proofs of things like licences and age have to solve the attestation problem, and solve extra stuff as well. I'm not holding my breath.
Agreed. I am just very frustrated, because I feel it is an important topic. And I wish I saw adult discussions about it. And instead, people who claim to be "tech-savvy" keep whining about the fact that it will fundamentally leak their ID everywhere. Like they somehow understood the point for E2EE, and repeat it here confidently. If tech-savvy people can't be bothered to understand how this works, why should politicians?
I have the same frustration with the anti-5G crowd yelling that it will boil your blood. There are many valid reasons to criticise 5G and have a constructive debate, but they choose to be wrong anyway.
You underestimate your own abilities. Tech savvy doesn't mean they think much about crypto.
To get a feel for this I asked Gemini "If you were to survey a group of people who would be called "Tech Savvy", what percentage of them would be aware you could construct a zero knowledge proof for a person's age that revealed nothing beyond they were older than a given threshold?". The answer was 5%..10%. That rises to a surprising low 20%..30% for Software Engineers. It's only once you get to Software Engineers who write security systems that you get above 50%.
Gemini didn't give any references so those figures could be complete rubbish, but in my experience they seem on the high side. Many very experienced engineers I interact with clearly have not thought very deeply about how crypto systems interact with human trust. Granted understanding the implications of crypto is yet another step beyond understanding the maths, but I'm amazed at how many technology curious people haven't bothered to take that step.
The good pollies on the other hand probably have a very good intuitive feel for human trust systems and how to navigate them. They rely on engineers to tell them what is possible of course, and they won't care about the details. But what they will care about is whether the engineers can deliver the system they promised, and there I have to admit our track record is appalling. How many government IT initiatives have you seen deliver what was promised on time and on budget? So when you tell them you can build a ZK system that delivers in all these privacy promises, expect a very sceptical reception.
Such systems are deployed in production by privacy preserving cryptocurrencies as its the same problem: Prove you're spending a coin that exists without revealing information about which one, and prove that you're not spending it multiple times.
Less private but easier to implement is just simple blind signing. Site asks you to give them a signature of their domain name, your account name, and date. You blind the data using a random number, go to google and identify yourself (e.g. solve a CAPTCHA, check your mobile device, age verify, whatever) and ask them to sign the blinded value-- they rate limit you and give you a signature. You unblind and provide to the site. Now the site knows you passed the google rate limit but nothing else, but google never learns what site you authenticated to.
The blindsigning approach is kinda lame because it requires active communication with a third party that learns you're online and authenticating to stuff. So I think it's generally less preferred but the cryptography is hardly any more complicated than an ordinary digital signature.
A linkable ring signature lets you correlate multiple usage but only if they share a common 'context value'. Intelligent selection of the context value results in abusive use inevitably sharing a context so you can exclude or rate limit it, but honest use tends to not share a context so the privacy is preserved.
Then it's technically possible (and really not that difficult) for states to provide a service that issues zero-knowledge proofs of facts like "age > X".
(partly off-topic rant) One can argue this is a false premise fallacy. For most of the time states did not have this information about their citizens and the world progressed quite nicely. The only argument to know stuff about citizens that don't drive (increasing numbers) nor travel abroad (different problem altogether) is to tax them?
One of the foundational differences between humans and cattle was you cannot brand (https://en.wikipedia.org/wiki/Livestock_branding) humans. Not physically, because we do it digitally and I see a slippery slope.
> For most of the time states did not have this information about their citizens and the world progressed quite nicely.
This is quite untrue. State bureaucracies far predate the modern era.
> Unlinkability is achieved by design through Zero-Knowledge Proof cryptography see the "Privacy by design" section below.
The problem is that while you might be able to trust the crypto, the government won't trust you to do the crypto entirely by yourself. And this introduces avenues for deanonymisation. Moreover, collusion between the government and the entity making the age check can also theoretically deanonimize.
It's a complicated problem.
We continue to seek a technological solution to a parenting problem.
Hmmm... no? That's not how zero knowledge works.
It's a bit like saying "no but Signal is not really encrypted, because the government can extract some metadata by looking at the network around the server".
The only way to implement truly privacy preserving age verification is through zero knowledge proofs (or blind signatures) but what that would allow is undetectable token forging.
https://ageverification.dev/av-doc-technical-specification/d...
Which isn't necessarily a flaw, depends on the threat model. For actual age verification that we care about (e.g. make it harder for kids to access social media), it may be good enough.
Because what you described does not preserve your anonymity if the government and the service collude.
I think it's most likely to be attested by Google remotely; they might be using an app (with enormous access to the phone as the Play Services have) to be able to link a ton of data together, possibly including the local activity on the phone, officially to make better humanity assessments based on it all.
For people using a Google account it probably won't make a huge difference, in terms of data collected.
If that's how it would work, spoofing would probably be theoretically possible, but it would be easy for Google to detect attestations used by multiple people.
Let's not forget that this is an update to a very approximate system, absolute security is not (yet) required.
But there's a good chance that it will be extremely hard to sidestep, despite that.
But anything your phone can possibly do in software can be spoofed, so how would that help?
Doesn't Play Integrity use hardware attestation, but specifically checking the Google keys?
If you use the Play Services on GrapheneOS, you still don't pass Play Integrity because your system is signed by GrapheneOS and not by Google.
Hardware attestation is one feature, but it's still not used a lot.
The most common feature is the check that your Google account really downloaded the app you're using (and that the app wasn't modified); which requires using a Google account, of course. This is what the "pairip" that's been plaguing the store for a year does (it's being added by a ton of apps because adding it only requires enabling a preference in the Play Console).
So basically Google can now ban your device from being able to access a huge portion of the internet, in addition to nuking any online presence connected to them.
You could wake up one day and find your device blacklisted from the internet, with no chance of ever reaching customer support. What a lovely future
As for now, when I need to travel to Germany, I just book tickets through the national carrier of my home country, which for cross-border tickets often turns out to actually be cheaper than booking through DB. Thankfully I don't live in Germany proper and my need for travel there is not that high (once or twice a year at most) but I wonder what would I do if I had to move to Germany and use trains there more often.
> -Use of developer or inspection tools
Gotta love it.
The finger-wagging about "Use of developer or inspection tools" is just outrageous. Akin to accusing users of thought crime.
The only solution to all this will be through elections and laws.
At which point you should contact your attorney general, and work to ensure such efforts face legal challenges at every turn.
You could try handwriting and posting a letter to their CEO. I think that sometimes works. Probably not very often but there are more than zero CEOs who read those letters.
I was thinking in the same terms: you put up a QR capcha, you don't get my traffic and money. Just the amount of extra work needed, let alone the Google tracking turns me off. As if traffic lights, crosswalks and bridges weren't enough of a hassle.
https://www.rei.com/newsroom/article/2026-rei-board-of-direc...
https://www.rei.com/newsroom/article/rei-announces-2026-boar...
https://www.reddit.com/r/REI/comments/1qw14k6/rei_hosts_thei...
On the opposite, if they see reports of many visitors not completing the captcha, they're likely to think "Wow so many bots!!! This defense nowadays is indispensable..!".
Sometimes you need to pass a captcha even to contact them (if you want to tell them that you can't pass their captcha).
Most human visitors will never ever notice the change. reCAPTCHA is completely invisible for most human visitors because they are allowed to pass just by fingerprint.
It's not like an average user is going to have to scan a QR code every time they visit a site via web browser. If it were like this then it would be a non-issue because no sane website would adopt this system. But it isn't.
So every government website. Every website where people simply have no choice (DMV) or where failure to login results in them not claiming the money/benefits they are due (all tax websites). And every website handling post-sale complaints (Airlines, insurance).
Most human visitors will pull out their smartphone and just do it without giving it much thought.
Not solved at all: 99.999% of users don't give a damn and use a Google-signed Android.
My opinion is that because they don't give a damn does NOT mean regulations should not protect them. What Google is doing here is anticompetitive and they should be fined (antitrust and all that).
However much I hate it, right now among the sites using reCAPTCHA there are many that I strongly want to use.
Let's find a better solution please
Is there an argument here that Google is creating a monopoly?
Could this be challenged on similar grounds that forced Microsoft to recommend other browsers to users on Windows?
Our antitrust laws have been toothless for decades, and both parties love billionaires controlling the rest of us with an iron fist.
GrapheneOS is looking more and more worth the headache that my limited free time generally does not like. I don't need Google to know my smut fanfiction is written by my IRL.
However he's been on it now for months and every time he shows me something on it I get a little more jealous. Everything seems to be working fine, including e.g. bank apps, and he has interesting features like some kind of app zoning thing limiting permissions on a zone to zone basis.
The only problem is it's only available on massive phones without headphone jacks and SD card slots, so I'm sticking with Xperia for now.
> Ask HN: Did HN just start using Google recaptcha for logins? [0]
> dang
> No recent changes, but we do sometimes turn captchas on for logins when HN is under some kind of (possible) attack or other. That's been happening for a few hours. Hopefully it goes away soon.
[0] https://news.ycombinator.com/item?id=34312937
No. Bigger problem created, since there are innumerable government, health care, and educational web sites that use reCAPTCHA.
I'm not going to give up reading the test results from my doctor because of some simplistic ideologue decides that it's "problem solved."
People do care about such things.
I hope the same is true in other EU countries.
CF turnstile is one, but of course that means Cloudflare owns even more of the web.
HCaptcha is inaccessible and actively discriminatory against individuals with disabilities and refuses to change, to the point that I suspect the only way that they will do anything is to file a class-action against them and sue them into the ground.
And I... Can't think of anything else. Other than to just get rid of Captchas entirely.
Enough to make it so bots are expensive to run.
Suddenly I have been made aware that, having lost my paddle on Shit Creek, I will eventually be taken downstream to Shit Lake (where it appears I will inevitably drop anchor).
You could just call them.
But in all seriousness, many services are making it difficult through to impossible to communicate outside of their web or app platforms. Call centres are expensive and messy, and it's now apparently acceptable as a society to treat customers/clients/whatever as adversaries so they can get away with making it hard to communicate with them.
Are you comfortable with anybody being able to ring up the hospital and say "yo, it's majorchord, how are my gonnorhea results?"
No, that's why we have safety protocols in place. When you call a doctor they ask you for your birthdate or sometimes also a PIN/password on your account to protect your data.
How would that still be considered a breach of privacy?
But giving birthdate (available to anyone via a single query in a public database) and (sometimes?! - what?!) PIN over the phone wouldn't really be considered good enough here. Birthdate is, as I said, public knowledge. And a phone is too insecure a medium for transmitting a password.
I'm not super interested in an long argument about whether it's reasonable that this isn't considered secure or not. I'm just letting you know what reality looks like. And the reality is that "just call them" is not a solution, because such information will simply not be handed out over the phone.
It already is a solution, and has been in widespread use for many decades. I don't think it's going anywhere.
https://doublespeed.ai/
Edit: aaaand... That's another little sliver of my faith gone : https://www.theatlantic.com/podcasts/2026/04/how-fake-people...
Also $1,500 a month for 10 "influencers" is wild. This doesn't seem that sophisticated unless they're doing something special to increase trust scores of accounts. They say they have "in house warming algorithm" which honestly doesn't inspire confidence for me.
Whats funny is its almost a certainty (if they are doing things correctly) that they have literal farms of phones (probably in SEA). The only real way to keep trust high is to have a real mobile connection and unique devices. Proxies are okay, but you really need to use the apps on real hardware.
The cost is the attestation keys of a real phone. Once it gets burned, the phone is useless to them.
https://www.penligent.ai/hackinglabs/inside-the-ai-phone-far...
Probably a decent amount of compute cost for video generation, but I'm sure they have access to free compute and inference for being in bed with a16z.
Because they don't care. It doesn't matter that it's AI slop, it generates views. And Google and Meta can bill advertisers for those views.
Zuckerberg is paying people to put AI slop Shrimp Jesus on facebook. (Not directly to platforms like this, but with the incentive structure)
Really, they're not just cashing in on the views of AI slop being put in front of boomers. They're cashing both ways; While the low end spam industry is merely guessing and iterating on whatever generates views, the more refined spammer does not leave the performance of their latest slop post up to chance, and just uses good old viewbotting. Viewbotting that these days, is mostly done on real devices. Which show ads, to the bots or underpaid developing world workers. Google and Meta'll still charge you for those impressions though.
The losers? People who sincerely try to use these platforms, and whatever idiot businesses are still paying for ads by the impression or click, rather than conversions that immediately generate revenue.
Note that they do not mention any specific companies on that landing page. That is pretty intentional.
But realistically going after bots is expensive and rarely successful, so most companies don’t do it. Even if you find the guy, the chances they can be legally reached are pretty low.
[0] https://en.wikipedia.org/wiki/Facebook,_Inc._v._Power_Ventur....
[1] https://en.wikipedia.org/wiki/MDY_Industries,_LLC_v._Blizzar....
[2] https://en.wikipedia.org/wiki/EBay_v._Bidder%27s_Edge
It could be contextual, as in each user gets one anonymous id per domain name per day. Multiple uses by the same user at the same domain in the same day are linked.
But much of the purpose of these systems is to violate the public's privacy and exert as much surveillance and control as possible. If not for that schemes that mitigate the privacy loss would be a top priority.
Can de-Googled Android phones present themselves as iPhones?
https://blog.cloudflare.com/eliminating-captchas-on-iphones-...
https://developer.apple.com/news/?id=huqjyh7k
And https://gdpr.eu/recital-49-network-and-information-security-... :
> Recital 49 - Network and Information Security as Overriding Legitimate Interest
> The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems,...
It's funny how people after all this time think 99 Articles, 173 Recitals and a huge tech lobby equals a water-tight, pro-citizen, impenetrable privacy law with almost no exemptions.
It's a bit irritating but I'm glad I started down this journey because it looks more and more like I'm going to be avoiding the internet
If enough people complain, those services will start caring. If all they see is "one user complains every 3 years", they will just ignore it. That's how it works.
The bank I was talking about were the worst net loser of customers in the UK last year (around -8000) They are making excuses but maybe they would care about why.
I hate that this is the way it is, I’m a graphene user too, and I see a pretty bleak future for any unsigned OS, followed by a pretty bleak and authoritarian future for humanity.
But for companies that are not monopolies, you can complain to them, and you can give them a bad review on the Play Store. Most companies are not in the business of screwing you: if they screw you, it's just a collateral effect. If you want to be on their radar, you have to make noise.
If enough people complain, then the company sees a need, then they prioritise. If they believe that "it only affects 1 guy who complained 2 years ago", of course they won't do anything... and I don't even know if I would blame them for that.
If you don't have a static IP you need will want to think about a MX relay service too ~ although mail is surprisingly tolerant of offline MX hosts if you can wait a little bit for your mail.
I had an issue with yahoo a couple of years ago that's all. The "it read like there's a whole science" is sadly a trope mostly repeated by people who have never tried because it gets upvotes on Reedit.
There are some steps you have to take, but not many, and systems like Mox mailserver or stalwart guide you through it, and mail-tester will check if you got it right.
Email, other than tweaking spam filters, is one of my lowest maintenance systems. I can't remember the last time I touched Exim or Mox config
What providers are good hosting candidates, I have a website on DO, but from my understanding their entire ranges are blacklisted heavily.
I can't speak for all of them but I use mythic beasts in the UK for one mail server (they are a very knowledgeable old school host) and it has been good. I also have dedicated with OVH which is fine, and a couple small scale (eg simplelogin, a notification server) with IONOS but they only deliver to me so I can't say how reliably they deliver elsewhere.
Mox is great but I think it's still alpha. I've been using it for 2 years in production for a small traffic domain. The other I use Exim (with mythic beast's Sympl that sets it up) but it's a little more hands on at the beginning
The science of not getting flagged is easy when you're not sending large volumes of untrusted mail; it only gets complicated if you start hosting mail for "customers" or let your system forward mail unfiltered into gmail/yahoo.
Here's my hit list of universal things to configure:
* Start with an IP with good or neutral reputation, non-residential, its nearly impossible to fix an IP that has been burned by a spammer. (Network)
* Valid reverse dns for your IP matching your mailhost forward dns (DNS)
* Valid SPF record; -all (DNS)
* Valid DKIM; with sufficiently sized key (DNS+Config)
* Valid DMARC; start with p=none to test and move to p=reject once you're configured (DNS)
* ARC if you or your users will ever possibly forward mail (Config)
* Don't get your messages flagged as spam anywhere ever, filter outbound mail even if its just you. All it takes is one piece of malware and a saved password and you'll have to get a new IP. (Config)
* Don't configure services behind your mail server with example domains that you don't control ~ I get so much mis-configured test mail from people who think its cute to use my domain as an example in their practice lab. It all gets reported as spam or bounces and then their smart host bounce rate goes up. (Config)
* Test for open relay; only relay for authenticated users. (Config)
* Use strong authentication, preferably with certificates or MFA. (Config)
* Secure everything; IMAP/SMTP/POP are old AF make sure you're requiring STARTTLS and setup MTA-STS to prevent downgrade attacks and enforce encryption in transit. Use a real certificate from Lets Encrypt don't self-sign. (DNS+http+Config)
* fail2ban your auth, you're going to get so much driveby password spraying and credential stuffing; I fail2ban block entire subnets at a time with iptables actions. I also have a bunch of "poison pill" rules for weird stuff I see in my logs eg block anyone who tries to auth with the NTLM hash for 'password'. (Config)
* Don't bother with BIMI at home, you can't get a blue check mark without deep pockets and a trademark (vmc) and most platforms only show logos that have a matching vmc. (DNS+https+config)
* DMARC reporting and TLS-RPT reporting are a pain to manage but are helpful troubleshooting deliverability be prepared to read some XML reports or setup a stack to parse them as they arrive (DNS + Config + https)
* setup the SMTP Submission port (587), so many networks block port 25 outbound and its the right way for clients to connect. (Config)
* configure BACKUPS, don't skip this step, encrypted restic backups to s3 or backblaze b2 is cheap and easy. (config)
* track your configs in git, don't commit secrets. (config)
* configure a free blacklist monitor on mxtoolbox for your domain(s) (config)
If you do those things you'll be in a pretty good spot, you could probably paste that list/this post into your agent and vibe up solid mailserver.
For me keeping the spam and phishing out is a bigger hassle than deliverability issues. rspamd does a pretty good job of keeping it manageable.
I do all of those things and with all of that setup the only place I ever run into issues with with users on AT&T's residential broadband mail servers. AT&T appears to block you if you're not known to them and they have a short memory. If you don't have regular correspondence with AT&T users they will block you after a bit. I'm a fairly low volume sender so I end up blocked every other time I try to send to AT&T by no fault of my own. I've talked most of those friends off of AT&Ts free email and on to ProtonMail at this point.
If you use mailgun or similar you have to setup dkim keys for them and add them to your spf.
Banks are implementing terrible "security" checks. Users of alternative OSes should be a lot more vocal: change bank, but also complain a lot to the offending one, and make sure to leave them a bad review on the Play Store.
Actually people not using an alternative OS but caring about that should also leave bad reviews to those banks on the Play Store.
At the end of the day, the problem comes from humans in those banks who don't understand and don't give a shit. The only way to make them care about it is to complain enough that it becomes their problem.
I feel this more and more each day.
My current de-google project is categorizing all my pictures on my local NAS to create the memories feature (where it shows historic pics on multiple theme axes). You can get really far with just a few hours of work a month to de-google and some off the shelf image embeddings.
The hero project in this category — what one cannot do trivially as an indie dev — is creating a great fresh PoI dataset. This is tough to do on a planetary scale because its a societal cooperation problem.
I'm on a similar journey and I use Radicale.
If you need to share files externally, Nextcloud works very much like Google Drive and allows the creation of sharable links.
In no way has it ever been about a functional alternative to something like Nextcloud. It's been about services primarily for LAN functionality, not stuff that should be going over the internet (mostly for security reasons).
So your expectations really don't align with what Samba has ever been about.
Source: I professionally support Samba for businesses.
This is wrong. Many (most?) users of alternative Android OSes do use a variant of the Play Services (be it sandboxed Play Services like on GrapheneOS, or an open source, reverse engineered implementation like microG that phones home just the same).
Google seems to be leveraging Play Integrity here, which requires that the phone OS is signed by Google. This is clearly anticompetitive, I hope the DMA will do something about that.
Only ones that are difficult for fraudsters to use to generate bogus traffic. Whether or not those builds come from Google, they are inherently gonna be pretty constrained OSs. It's not gonna let you spoof your location or simulate user input.
I do think it's a problem if only Google can provide these attestations but even if that organisation problem is solved there is still a fundamental technologic problem here now that humans can't be detected by their ability to solve puzzles any more.
None. The first rule of network security is you can't trust the client.
All attempts at remote attestation of consumer devices are someone wanting to break this rule. It's always a mistake; the OS being on the blessed list raises the difficulty level for fraud a little, but serious fraudsters have already perfected workarounds.
But still, better multiple slightly crappy OSs instead of just one (plus Apple).
My ISP regularly changes everyone's IP, and I apparently share an ISP with people who suck, so I get flagged just trying to do all sorts of normal things. Some examples:
- I've never bought anything from Etsy but I'm somehow banned from even viewing their site at all.
- Discord immediately bans me any time I try to create an account.
- Can't buy flights from Delta, always gives a non-descript error.
- Can't buy concert tickets, it thinks I'm a fraudulent buyer.
- Most CF sites produce a "Sorry, you have been blocked" page, or just loop.
- Trying to buy products on a shopping cart will have my order silently flagged/canceled for "VPN usage" (I don't use one).
- Some sites/programs block me for being on the DroneBL or similar lists I did nothing to get onto, and have verified many times that it's not really coming from me.
I just take my business elsewhere... eventually I'll probably just stop using technology at all.
I had this problem recently with the Indeed website. (Cloudflare Captcha)
Thanks to someone on Reddit, it was discovered that anyone using a Chromium based browser (Brave, Vivaldi, etc.) on Linux was being punished.
Awfully frustrating having to set up a Virtual Machine just to be able to access one website via Firefox since even my hardened Firefox was being punished.
"Source code? We don't need no stinkin' source code!"
I know people like to think of suspicious android box setups but even a lot of "free" apps, extensions and other such services scarily seem to do that duty these days. I'm sure I'm preaching to the choir here, but its sad how many people will use some free of cost vpn and not even think why that might be.
I fire up cloudflare warp and walk right through it
use wireguard with wgcf in environments without cloudflare client
yeah it's stupid we have to do this in 2026 but I guess cloudflare is the new AOL garden
Would you care to elaborate a little on how you did it?
It doesn't happen that often to me, but sometimes adblock setup I'm using results in such issues.
This new reCAPTCHA setup is probably a good indicator that big tech wants to shift to verified access only. Personally, I’m just going to quit spending money via the internet and go back to piracy + retail stores with a physical location.
I guess my ISP allocates static IPs from a separate pool, and probably my IP block neighbors are better behaved (probably SMBs and other fellow nerds), aside from platforms learning that my IP is safe.
Captcha difficulties are way down now.
I wonder if they are seeing a decrease in traffic and somehow find that acceptable.
Mars? /i
the web is ruined if you push for this, this is millions of websites that will suddenly force KYC? What...the...f
https://ibb.co/X9Q6Y84
By KYC, obviously it's because there is very few non-criminal ways to have a SIM without KYC and get a Google account for Playstore without a number, so every website visits will be attached to a real ID.
I don't use a stock Android, right now I literally can't access many websites, this is genuinely crazy.
Wow, This is really bad :-(
I think this is just gonna make viewing internet without a phone significantly harder especially with archive.is and the likes.
Not sure, how relevant this is to the discussion but if it helps, I have made a project[0] which allows to archive archive.is pages on archive.org/wayback machine (this uses singlefile)
Perhaps something like this can be used by community at scale too. Also, I hope that archive.is does something to fix this issue of requiring QR code and hopefully it doesn't become a permanent issue.
[0]: https://smileplease.mataroa.blog/blog/htmlpipe-and-how-we-ca...
In this case, the answer is right there in the question: You have to pay to bypass it.
Maybe there is a better option out there, but if so, it has the disadvantage of being hard to find.
reCaptcha is "invisible" by default. Although if you use a non-cheomium browser and/or block tracking, you are more likely to trigger a non-invisible prompt. Annoying as that is for people like me and maybe you, that isn't the experience most users have.
The result of this would be to upload it all to a bot-friendly alternative to archive.org.
Its whole point is undetectable archiving because it just saves what your browser already sees.
Now to be honest, while it's optimal to archive pages from you browser view I am not sure I want a random web extension to be in everything I see from a security point of view.
I would rather have a local proxy doing it. Maybe something like the InternetArchive warcproc [0]. Haven't tried yet.
- [0] https://github.com/internetarchive/warcprox
I am unfamiliar with web caching proxies like squid [0] but I am wondering if that might be the most straightforward way to do this.
So use squid and then have a batch job that go through /var/spool/squid every day and update your web archive according to some defined filters.
- [0] https://www.squid-cache.org/
All Huawei phones, which uses Huawei AppGallery after sanctions
FairPhone 6 /e/OS
Practically all modern feature phones: Nokia phones, HMD phones, etc. As I understand it, predominantly used by elderly and kids. But it's also gaining traction among millennials and Gen Z for digital detox and defeating mobile addiction.
Linux phones (Jolla Phone, PinePhone, FuriPhone, etc) - these you probably won't find in your local retail store but this is another competing platform being built from effectively an entirely different lineage minus the kernel
> April 2025: Apple fined €500 million for failing to comply with "anti-steering" obligations. Meta fined €200 million under the Digital Market Act for requiring users to consent to sharing their data with the company or pay for an ad-free service.
> December 2025: X fined €120 million under the Digital Services Act for breaching transparency obligations.
(Sure, not this year, but that's pretty recent by most standards. And not sure if they're still being contested and unpaid)
And recently, Google is working with the EU to avoid a fine: https://www.bloomberg.com/news/articles/2026-05-06/google-ma...
Yeah, I say it as "because the US bully the EU to prevent them from doing it".
https://www.nytimes.com/2026/02/13/technology/meta-facial-re...
- pretended that it wasn't all about invading peoples' privacy.
- done a good ol' fashioned "but Apple does it"
- pretended to be standards-oriented
- advertised it as something completely transparent to the end-user
Seems like that would've caused a lot less backlash while still achieving the goal of having some form of device attestation -- but I'm guessing that's not the real goal.
The people who this method is most hoping to stop are the least likely to be impacted by it in the long run.
This is using another product to reinforce the search and ads monopoly.
You can’t scrape content to build a better google or Gemini, you can’t make an OS to compete with Google or Apple, and you can’t make a Google Analytics competitor.
It’s plain anti competitive.
Now everyone pretends like it's monopoly abuse because the Leopards Eating Faces company finally rang the dinner bell.
Amazon tablets don't have Google services either, which hints that the upcoming Amazon phones also might not work with this.
This makes it more difficult. But I don’t think it matters given how difficult it was prior to this.
This is blocking access to websites wholesale, so it’s on a whole different level.
The problem is that most popular apps for Android outside Chinese app stores rely on Google services (specifically, Firebase) for push notifications.
It looks like a cloudflare page but it's not hosted by them. eg. https://bgp.he.net/dns/archive.is#_ipinfo It's hosted by AS49505 JSC Selectel
I think they now use their own Cloudflare turnstile if I remember correctly, but back then they switched to hcaptcha.
(My phone is technically Android, but really old, not a touchscreen, you can't install apps, and most websites don't work in it, so... basically a dumb phone. But I did write a map web page that works in my very specific situation: https://lab.brainonfire.net/classicmap/ But mostly I just look up directions first and pay attention to signs, and the web page is a fallback that's nice to have.)
With apple there's no choices, so I'll continue to take my chances with Android
What does that even mean?
Also, personally I care less and less. As long as my banks and government apps work, I'll just not use somebody's service if they put up barriers like this.
If most people care less and less, the result would be that banks and government apps will also work less and less.
Look, companies have to prioritise. And the obvious way to prioritise is to say "users are requesting X A LOT and nobody requests Y, so we will do X". Companies never, EVER say "it would be more ethical to do Y, let's do Y".
As people, we can do two things:
* Push our governments to regulate that shit. That means, complain a lot to the government.
* Be vocal to companies and complain when they don't support your system. If enough people do that, it will be prioritised.
The hardware attestation (which is used by strict Play Integrity) checks the signature on your OS. It is totally possible to allow signatures other than Google, but Play Integrity doesn't do that.
Companies could totally decide to use hardware attestation and accept systems signed not only by Google, but also other systems (like GrapheneOS). But they don't care because not enough users complain to them.
Users of alternative Androids typically silently move to another service or stop using it entirely. Which is understandable but doesn't help the cause.
I'd rather have Google check an Apple phone attestation than have Google check a Google phone attestation, and vice versa, though, because you can assume each company is trying to keep as much information private to themselves instead of giving it to the other. Google is probably just getting "yes it's an Apple phone" and some kind of temporary token, instead of my IMEI, IMSI, phone number, all signed in accounts, biometrics and so on.
Could you justify that? Because to me it seems like Apple isn't doing anything even like this.
Also, Apple sells themselves as a privacy company, but often pick (possibly intentionally) insecure defaults. E.g. you might use end-to-end encrypted chats, but by default iCloud backups are not end-to-end encrypted, so law enforcement can just request your backups/chats from Apple. If you are vigilant and enable Advanced Data Protection for E2E iCloud backups, it probably still doesn't matter because the people that you communicate with probably do not have ADP enabled.
Besides that, they are enshittifying in the same way as Google. Ads in Maps, Ads in applications that you get with the OS (Apple Creator Studio ads in Keynote, etc.), Ads in your system settings for Apple Fitness+ (really).
At least Pixel phones and soon some Motorola models have the option of installing GrapheneOS.
The way it's going, by the time the Motorola + GrapheneOS phone is out, it will be a lot more painful to use GrapheneOS than today. Not because of GrapheneOS of course, but because everybody accepts that bullshit Google is doing.
If you're waiting for Motorola + GrapheneOS, you could start complaining to banks and other apps that don't support GrapheneOS :-). If enough people did that, maybe those companies would consider it.
In the meantime, I'm currently using a low end Motorola moto g 5G 2023 which lets me turn off Play Services. Chrome and the Google Calendar don't run (really do need to find a replacement calendar), and I couldn't be happier. Motorola's interest in GrapheneOS makes me wonder if they did this on purpose.
Calendar server: https://radicale.org/v3.html Sync: https://manual.davx5.com/
So, you run Radicale server, you can import Google Calendar.
Set up Davx5 on mobile to sync with the local server
Access from anywhere with Tailscale.
My dad runs the family domain/emails/etc. The hard part will be convincing him to degoogle the whole family.
I'm also becoming open to using software that lies to google about what it is :) Google will treat us like sh*t, why shouldn't we reciprocate.
I have absolutely no idea what happened there. My best theory so far is that they clicked on some really, really wrong buttons when solving a captcha themselves while logged in to their Google account in the same browser. Bizarre.
The projects were named after a Google Doc they'd recently worked on (or a .docx attachment they'd received?) though, so my other guess is that they somehow created a Google Docs macro or similar by accident?
> To complete the mobile verification, you must use a compatible mobile device.
At first glance, reading this made me wonder: what is exactly a compatible mobile device? But they quickly answered this question just below:
> If verifying on iOS/iPadOS...
> If verifying on Android device with Google Play Services...
OK then, got it! These are the ONLY compatible mobile devices. No de-googled devices are being welcomed here.
Antitrust laws have existed for decades. They just have to be honoured.
He (Torvalds) had no power to do anything and sold out. Even if he did, big tech would just go and use BSD.
For over a decade both Torvalds, and Stallman sold everyone out. They don't make their money directly from "free software" or "open source" in the first place.
Stallman was right in that he knew digital surveillance was going to happen, but he was incorrect in believing that FLOSS was ever sustainable economically and especially with AI replacing the developer and that big tech and startups are weaponising that against them.
Even when Stallman is against AI, he doesn't care. He knows he doesn't make money from "free software"; but only by speaking about it. Torvalds is the same but likes AI.
Can any other developer do exactly that in 2026?
I think you need to read the comment again:
>> They don't make their money directly from "free software" or "open source" in the first place.
>> He (Stallman) knows he doesn't make money from "free software" but only by speaking about it. Torvalds is the same...
My (unanswered) question:
> Can any other developer do exactly that in 2026?
To avoid repeating myself, the point is the majority of these typical developers do not have the level of influence that both Stallman, and Torvalds have to make a lot of money from their open source projects, especially in the age of AI; making it pointless to maintain such projects.
I think open source works best when folks don't expect to make money off of it. I don't think Linus or Stallman expected to make money off of their free software. In some cases you might be lucky and able to get consulting contracts from firms related to your open source code but it's not reasonable to assume that will happen. It's possible it's harder to get lucky today than before but it was always unlikely.
Remote attestation is the thing preventing the app from running on your Android alternative, whether it's GPLv3 or not does not matter. GPLv3 does not say "it's illegal to do remote attestation".
But his vision/prophecy is about 50 years old and while still valid it probably needs an update.
We are now dealing with a fully networked world where AI/bots have become dominant. I am not sure he did / could go as far in his vision.
There's hardly anything you can do to stop someone determined enough to spend money to spam your specific website. These kinds of captchas do raise the bar somewhat, but every single one of them is ultimately bypassed by paying people to solve them for you.
bots get pruned after an hour since 100% of the bots fall into the same trap, giving it a delay makes A/B testing really difficult and breaks most AI strategies.
You will also see this page if your smartphone is degoogled and you try to open the reCAPTCHA attestation URL in a web browser instead of in Google Play Services.
I would say it will be interesting to see what they do but I think rent-seeking, oppression, human rights violations would be more apt.
They were of course trustworthy proviers while they were untouchable but now I know how things are gonna go.
[1]: https://digital-markets-act.ec.europa.eu/contact-dma-team_en
Even if you are a GMS Android user, they are going to make installing apps outside the Play Store much more annoying and these attestation-backed verifications are going to further deanonymize you.
That's the reason companies are desperate to be first/biggest - once you're it, you're it until you finally fall on your face and dwindle to a nobody.
The thing here is that Google is building technology to prevent alternatives from connecting at all. We fundamentally cannot solve it by building more alternatives, we have to prevent Google (and TooBigTech in general) from doing it.
Why does it have to be new? Plenty of open source OSes exist... starting with Android! GrapheneOS is based on AOSP, you would call it Android. If I show you a phone running GrapheneOS, you probably won't even realise that it's running an alternative OS: it will be Android to you.
The problem is not that we don't have alternative. The problem is that Google is moving towards forcing everyone to run their OS (or the OSes they accept, since it includes iOS) to connect to random stuff on the Internet. They are literally building technology that will prevent alternative OSes from running properly.
No need to create new OSes if anyway they won't work, right?
at my most pessimistic i can see a world where consumers pay MORE for attestation to continue to opt-in to society, or perhaps a ai-bot-free digital world.
Your privacy is dead, and you cannot do anything against it, except not using phones and internet... at all. I mean I still fight against it, but not by protecting my privacy by using tools, or using different tools, because I realized it's not possible. There is no "as less data as possible". They know regardless.
I used VPN, browser containers for everything, myriad of fingerprinting protection, nothing related to Google/Facebook/etc. And then I went up to Youtube once for something, and they knew exactly what were my thoughts at the time. That was the moment when I realized that I suffered for nothing.
I still support for privacy movements, and I strongly believe that the only place where we can do anything at this point is politics. You can't protect your privacy anymore at this current environment, that ship sailed decades ago.
My problem is that basically every larger for privacy push is against newly proposed laws (like age verification), and there is basically no large uproar regarding the current already fucked up laws.
Let the commerce-driven, corporatized hellhole that the modern web has become eat itself.
I hear ‘web of trust’ pretty often and I like the idea but that’s not anonymous or accessible either
Something that makes it expensive to initiate a connection and cheap (relatively) to accept or reject would probably help. I think that’s a hard problem though.
I’m not talking about the network itself but the servers on the other end.
I guess my point is that while Google is definitely malicious, I don’t think every site using recaptcha is and if we expect them not to use that tool there should probably be an alternative.
I think SV was asking what onion services, which can't really use recaptcha, do to prevent the DDoS storm.
And I would imagine the answer is obscurity, since the dark web isn't nearly as well-mapped as the public web. That and some Anubis or other PoW would probably go far.
If I’m hosting at some IP, I still need Anubis or something to serve up the challenge, so doesn’t that become the attack point?
I do 95% of my web browsing via Tor Browser and it is very tolerable, most circuits are fast enough for 1080p video (Youtube, Twitch livestreams, etc) without any buffering.
Here is a speedtest I ran just moments ago, I would hardly consider this "painfully slow": https://www.speedtest.net/result/19172283165.png
Of course this is a single tor circuit with an exit node, so speeds are slower when going directly to .onion sites, but the only real slowness comes from the latency and not throughput.
Obviously you immediately realise just how often you !g in DDG, use Google Flights, YouTube etc. Ok easy enough to fix
Then of course I can't use Play Store (Aurora didn't work either) so my phone would have eventually become quite obsolete
You can't compile many Go projects because the dependencies are pulled from Google
And if you had ALL of Google's ASNs that would include GCP and that's a whole other level of being cut off
and on behalf of the Government,
and said “data, so piss off”:
https://abcnews.com/Technology/google-hit-antitrust-lawsuit-...
https://macdailynews.com/2026/02/04/u-s-files-appeal-in-goog...
Turns out that Presidents, once elected, largely do what Continuity of Government, and business interests, ask for.
Largely a bipartisan talking point…not many true Wyden’s out there.
In some ways, yes.
In other, major ways: a spade is a spade.
> Lawfare is the use of legal systems and institutions to affect foreign or domestic affairs, as a more peaceful and rational alternative, or as a less benign adjunct, to warfare.
Strap in, the ownage will be hard.
Google Cloud fraud defense, the next evolution of reCAPTCHA
https://news.ycombinator.com/item?id=48039362
Google Cloud Fraud Defence is just WEI repackaged
https://news.ycombinator.com/item?id=48063199
I'm not going to use any sort of hardware attestation, especially one controlled by Google. You shouldn't either, even if you have an unrooted Google-certified Android phone.
Unfortunately I see the regulatory environment more likely to go the other way of requiring attestation. I sure hope I'm wrong.
I’m Canadian and watching our government sell our souls to American tech companies is beyond scary.
PS: Sure, there always were a handful of exceptions. If you are one of them, you know what I'm talking about. I don't refer to you. But to the other 99.x%.
> If you are one of them, you know what I'm talking about. I don't refer to you. But to the other 99.x%.
Reminds me of Facebook engagement bait
If it didn’t affect those of us that tried to resist, I wouldn’t care, but we got dragged along unwillingly and now it may be impossible to hit the brakes before corporations control everything by usurping control of our identity systems.
Good that some people are able to translate my thoughts into actual English... :D
If you say so. I don't know. I was never an active part of that big problem (so btw I also had nothing to "solve"). You were?
Everyone in power wants it, across the entire globe.
That's very different from requiring hardware attestation, though.
And to think, people said consumer choice was dead...
The amount of stuff councils and state governments gatekeep about road specs alone... Argh.
Google doesn't give a shit, but smaller companies are the ones using reCAPTCHA and that kind of shit. Consumers need to complain to those smaller companies. And citizen need to complain to their government, if those case. In the EU there is the DMA: https://digital-markets-act.ec.europa.eu/contact-dma-team_en.
What's sad is that the few citizen who care are often complaining against regulations. And it is the lack of regulations that got us here. We need antitrust, period.
https://ublockorigin.com/
See the explanation associated with Manifest V3.
I'd go as far as to say that still having Google reCAPTCHA on your website is a sign of your website being unmaintained. Half of them even have the "reCAPTCHA is changing terms, take action" text on them.
This move will cause the last users to stop using it, and reCAPTCHA will be on the "Killed by Google" list in a year or two.
Nobody trusts web browsers nowadays.
I would have no idea how, nor desire to purchase a Google account on the black market, and I do in fact still trust that my web browser can do TLS correctly.
"easier just to buy a Google account ...." for those who would choose to do that in quantity. That is, the scammers and fraudsters for whom this is a financial decision. Which suggests that Google's latest moves shift the needle only slightly against actual abuse at a huge cost to the rest of us.
"Nobody trusts web browsers ..." applies to the publishing side. Content (that is, advertiser) sites and commerce most especially. The prove-yourself hoops that those opting out of that approach (de-Googled Android, privacy-hardened browser, alternative OS) must deal with are mind-bogglingly insane, speaking from personal experience. The Web no longer brings joy.
Incidentally, Google plays strongly in the second space, such that its incentives are aligned with pushing people into the "Google Play Services" ecosystem, and to both its own browser and ad-tech personal surveillance tools.
In conclusion, Google must be destroyed.
Re: stolen accounts, you can examine account details, history and activity after purchase, check for emails from social networks and return stolen account to the owner. The posting usually also mentions registration period (new accounts are unlikely to be stolen). But it seems that registering new accounts is cheaper than stealing - old accounts are much more expensive.
I didn't use the account for any illegal activity, there are just sites that use Google Account as a "verification" that you are not a bot, and to issue bans. And I am not interested in jumping through the hoops of searching a locked smartphone with Google Services and filing a visa application to register the account. I strongly dislike proprietary software and locked smartphones.
Verify that.
(edit: and it definately won't be an iphone, although that would fit the description above, those only run non-free software by design)
I don't know what services a TPM chip does provide. Wild guess, some private keys, hidden to the computer user, are used to sign stuff and/or encrypt ?
the trajectory has been clear since AMP-convenience for site owners, attestation pressure on users
People there be like, “but I’m not evil! I’ll never do anything bad with all of this incredible power!”
But if you create a nuclear bomb, someone unsavory is going to wrest control of that power from your stupid little painted fingernails and destroy the rest of us with it.
How about, don’t make an effing privacy nuclear bomb if you don’t want to contribute to making the world more evil?
The internet is a failure. Congratulations us.
Even competent people got completely brainwashed, crazy.
Spread the news, tell everyone you know, before it's too late. I wish we won't have to resort to even more drastic methods in this fight.
"Those who give up freedom for security deserve neither."
Here's the obligatory: Google, FUCK YOU!
>Incompatible browser extension or network configuration
Whether it's from companies that create the tech, or companies that use it.
In the orgy of money, we've had a kind of industry-wide sociopathic convention of individual engineers considering it perfectly OK to further surveillance capitalism.
Can we reverse that?
If someone says we can't, because "everyone does it", are they saying that we're a field of baddies?
I think we are already starting to have that with a couple more infamous other companies in the news the last year: if someone goes to work there, I suspect a lot of people are going to think what is wrong with you, since you must know that company does very harmful things,
Maybe it's time to start wondering that about anyone who'd work for a lot of additional companies?
(I actually had a recruiter recently who was pitching a startup, and the headline featured the "ex-" pedigrees of the founders, including an especially infamous company. I figured any company touting that pedigree as a selling point is probably a bad fit for me. I thanked the recruiter, but said that infamous company as selling point probably isn't a fit. The recruiter seemed to not only understand, but to agree with my vague sentiment about that pedigree company.)
Linux is not an operating system unto itself, but rather a kernel—a core component that manages hardware resources. Android uses the Linux kernel, but replaces the traditional GNU userland with its own runtime, libraries, and system framework.
Many users run Linux-based systems every day without realizing it. Through a peculiar turn of events, the Linux kernel combined with Android’s userspace is often simply called “Android,” and many of its users are not aware that it is built on Linux at its core.
There really is Linux in Android, and these people are using it, but it is just a part of the system they use. Linux is the kernel: the program in the system that allocates the machine’s resources to the other programs you run. The kernel is an essential part of the system, but useless by itself; it can only function in the context of a complete operating system.
Android is normally used in combination with the Linux kernel: the whole system is basically Android/Linux, a Linux-based operating system with a distinct userspace, not a GNU/Linux system like traditional desktop distributions.
And let's not pretend that we mean the kernel when we say Linux distribution
How so?