Google's newly announced Google Cloud Fraud Defense, framed as the next evolution of reCAPTCHA, is argued to be a repackaging of the Web Environment Integrity (WEI) proposal that was withdrawn in 2023 after widespread objections. The system uses a QR code challenge backed by the Google Play Integrity API, requiring certified hardware (Android with Google Play Services or iPhone) to prove human presence. Critics point out that it excludes privacy-focused users (GrapheneOS, LineageOS, Firefox for Android), is trivially bypassable by bot farms using cheap compliant devices, trains users to scan QR codes in ways phishing campaigns can exploit, and, most critically, creates a persistent device-level tracking mechanism that tells Google which certified hardware accessed which site and when. The piece argues that proof-of-work CAPTCHA alternatives achieve bot deterrence without hardware certification or user tracking.

7m read time. From privatecaptcha.com
Table of contents: Google already tried this in 2023; The QR code will be bypassed; QR auth codes and device attestation are not new; Device attestation bars the users who need privacy most; “Legitimate” tracking; Final thoughts
