coppsilgold
My understanding is that this new reCAPTCHA is basically just remote attestation.
Remote attestation doesn't use blind signatures (as that would be 'farmable') so tying the device to the 'attestee' is technically possible with collusion of Google servers: EK (static burned-in private key) -> AIK (ephemeral identity key in secure enclave signed by a Google server) -> attestation (signed by AIK). As you can see if the Google server logs EK -> AIK conversions an attestation can be trivially traced to your device's EK. This is also why we don't really see and probably never will see online services which offer fake remote attestations, as it will be pretty obvious that the next step of running such a service is getting Google as a customer and having all your devices blacklisted. Private farms probably won't last long either as I'm sure Google logs everything and will correlate.
Unless something special is done with this new reCAPTCHA not only are you locking internet services behind TPM chips but you are also surrendering anonymity to Google. Unless you acquire untraceable burners for every service, the new reCAPTCHA will be technically capable of tying all your accounts across all these services together. Much like age verification. It may appear that the service would need to cooperate to link the reCAPTCHA session to your registration but the registration time alone will likely be sufficient (the anonymity set will be all but destroyed).
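An added example, not part of the original comment: a simplified Python model of the linkage described above, measuring how small the anonymity set becomes when an issuer log (EK -> AIK) is joined with attestation and registration times. All identifiers, domains and timestamps are constructed, signatures are omitted, and the 30-second window is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Attestation:
    aik: str     # ephemeral identity key that signed the attestation
    domain: str  # site the attestation was produced for
    ts: int      # time the attestation was verified (seconds)


@dataclass(frozen=True)
class Registration:
    domain: str
    account: str
    ts: int      # time the account was created (seconds)


# Constructed sample data. ISSUER_LOG models the server that certifies AIKs
# and remembers which static EK asked for each one.
ISSUER_LOG = {"aik-01": "EK-A", "aik-02": "EK-B", "aik-03": "EK-A", "aik-04": "EK-C"}

ATTESTATIONS = [
    Attestation("aik-01", "forum.example", 1000),
    Attestation("aik-02", "forum.example", 1900),
    Attestation("aik-03", "shop.example", 5000),
    Attestation("aik-04", "shop.example", 5004),
]

REGISTRATIONS = [
    Registration("forum.example", "quiet_fox", 1003),
    Registration("forum.example", "late_owl", 1905),
    Registration("shop.example", "j.doe", 5002),
]


def candidates(reg, attestations, window):
    """Attestations for the same domain seen at most `window` seconds before the registration."""
    return [
        a for a in attestations
        if a.domain == reg.domain and 0 <= reg.ts - a.ts <= window
    ]


def anonymity_sets(regs, attestations, issuer_log, window=30):
    """Map (domain, account) -> set of EKs that could be behind that registration."""
    result = {}
    for reg in regs:
        eks = {issuer_log[a.aik] for a in candidates(reg, attestations, window)}
        result[(reg.domain, reg.account)] = eks
    return result


def linked_accounts(sets):
    """Group accounts whose anonymity set has shrunk to exactly one EK."""
    by_ek = defaultdict(list)
    for key, eks in sets.items():
        if len(eks) == 1:
            by_ek[next(iter(eks))].append(key)
    return {ek: sorted(accounts) for ek, accounts in by_ek.items()}


if __name__ == "__main__":
    tight = anonymity_sets(REGISTRATIONS, ATTESTATIONS, ISSUER_LOG, window=30)
    for key, eks in tight.items():
        print(key, "anonymity set size:", len(eks))
    # Two different AIKs on two different sites resolve to the same EK.
    print(linked_accounts(tight))
    # A coarser time window leaves more candidate devices per registration.
    loose = anonymity_sets(REGISTRATIONS, ATTESTATIONS, ISSUER_LOG, window=1000)
    print(loose[("forum.example", "late_owl")])
```

The ephemeral AIKs differ per site, so the join through the issuer log is what ties the two accounts to one device; without that log the timing match alone only reaches the AIK.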
deIeted
worth noting that google/twitter/facebook/reddit/others colluded to combine sessions, identifiers, so that any person getting identified on any one session / ip would be identified on all
so while this comment is apt, i would ask them what they think of the previous chicxulub impact of the 2012 era collusion - which to this day has not been reported on
(just realized emacs bindings work in comments, nice, no ctrl-x tho)
normie3000
I was going to ask for more info on this collusion but you say it wasn't reported. And googling "chicxulub" just gives a volcano.
Is this speculation, or has it been confirmed somewhere?
TJSomething
"Chicxulub impact" seems to be functioning as a bit of hyperbole to imply that this collusion was absolutely devastating, by analogy to the K-T extinction event 66 million years ago.
Not that I really can tell what this was devastating to. Maybe United States v. Apple (2012), where Hachette Book Group, Inc., HarperCollins publishers, Macmillan publishers, Penguin Group, Inc., and Simon & Schuster, Inc. conspired with Apple to raise ebook prices?
gorgonian
Colluded how?
tardedmeme
If you run a website, it seems trivial to forward the attestation to someone else by putting the same code up on your website, and getting their device banned from google instead of your own.
ChadNauseam
The domain in the attestation would be yours, so that wouldn't work
chadgpt2
How would the phone camera know the domain name of the website displaying the QR code it's scanning?
Groxx
Some people will notice, some will not
coppsilgold
Realistically, what Google will do in such a scenario is collect data about the illicit service, enumerate the devices the farm uses and what other activities the devices participate in. What you suggested has far less control over the devices that generate the attestations and it will show.
Also, if the implementation is competently done the phone will show the website for which you scanned the QR code. A user would be able to see whether or not that matches the site where they observed the QR code and proceed accordingly. In time Google will probably integrate it into the Chrome browser where a proxied QR code cannot even be shown.
rdedev
When companies like this exist, what is the point of relying on TPM? Looks like the future is bright for VC backed bots
NikolaNovak
I'm assuming that's a troll / sarcasm / fake... But that could just be my last vestige of faith in humanity.
Edit: aaaand... That's another little sliver of my faith gone : https://www.theatlantic.com/podcasts/2026/04/how-fake-people...
djeastm
Yeah, it's real. Say goodbye, faith!
failuser
How is this not grounds to be sued into oblivion by Google and Meta? They clearly violate ToS for profit. This is something I expect to find on a dark web forum where 0days are traded, not in public.
SlinkyOnStairs
> How is this not grounds to be sued into oblivion by Google and Meta?
Because they don't care. It doesn't matter that it's AI slop, it generates views. And Google and Meta can bill advertisers for those views.
Zuckerberg is paying people to put AI slop Shrimp Jesus on facebook. (Not directly to platforms like this, but with the incentive structure)
Really, they're not just cashing in on the views of AI slop being put in front of boomers. They're cashing both ways; while the low end spam industry is merely guessing and iterating on whatever generates views, the more refined spammer does not leave the performance of their latest slop post up to chance, and just uses good old viewbotting. Viewbotting that, these days, is mostly done on real devices. Which show ads, to the bots or underpaid developing world workers. Google and Meta'll still charge you for those impressions though.
The losers? People who sincerely try to use these platforms, and whatever idiot businesses are still paying for ads by the impression or click, rather than conversions that immediately generate revenue.
xmcp123
This kind of thing has been common for ages. Obviously AI has kicked it into overdrive, but it’s not darkweb kind of stuff.
Note that they do not mention any specific companies on that landing page. That is pretty intentional.
But realistically going after bots is expensive and rarely successful, so most companies don’t do it. Even if you find the guy, the chances they can be legally reached are pretty low.
chadgpt2
Violating ToS isn't illegal in most cases. Companies just put scary looking clauses in their ToS to discourage you from doing things they don't like.
dakolli
Why is every startup using that same Serif font now, Garamond or whatever. Is it an LLM design phenomenon? It's kinda ruining that font style for me.
Also $1,500 a month for 10 "influencers" is wild. This doesn't seem that sophisticated unless they're doing something special to increase trust scores of accounts. They say they have "in house warming algorithm" which honestly doesn't inspire confidence for me.
What's funny is it's almost a certainty (if they are doing things correctly) that they have literal farms of phones (probably in SEA). The only real way to keep trust high is to have a real mobile connection and unique devices. Proxies are okay, but you really need to use the apps on real hardware.
etaioinshrdlu
I think the font is mimicking old Apple ads, eg: https://i.insider.com/5bf8592eb73c284de50e2f28
alexspring
Yep. They got hacked in the past, 1k+ smartphones reported.
The cost is the attestation keys of a real phone. Once it gets burned, the phone is useless to them.
https://www.penligent.ai/hackinglabs/inside-the-ai-phone-far...
dr_kiszonka
Reckless Condensed?
tardedmeme
These companies would have to buy one phone per fake influencer.
tcoff91
Wow that is so dystopian.
huflungdung
[dead]
getpokedagain
Stop visiting sites and using services that use reCAPTCHA. Problem solved.
tardedmeme
With the new reCAPTCHA this is going to happen because most human visitors will actually be unable to pass the CAPTCHA. It will be interesting to see whether this makes websites ditch reCAPTCHA or whether they literally just don't care about having customers, an attitude that seems to be getting more and more common every day.
papercruncher
I have been unable to give my money to Home Depot, REI and a growing list of online retailers because they use Akamai EdgeSuite, which just assumes I am a bot and 403s on protected API calls. This happens consistently on any IP and any browser on my Linux desktop/laptop.
raincole
> most human visitors will actually be unable to pass the CAPTCHA
Most human visitors will never ever notice the change. reCAPTCHA is completely invisible for most human visitors because they are allowed to pass just by fingerprint.
It's not like an average user is going to have to scan a QR code every time they visit a site via web browser. If it were like this then it would be a non-issue because no sane website would adopt this system. But it isn't.
g-b-r
One problem with these things is that businesses have minimal visibility on the amount of users they lose.
On the opposite, if they see reports of many visitors not completing the captcha, they're likely to think "Wow so many bots!!! This defense nowadays is indispensable..!".
Sometimes you need to pass a captcha even to contact them (if you want to tell them that you can't pass their captcha).
sandworm101
>> whether they literally just don't care about having customers
So every government website. Every website where people simply have no choice (DMV) or where failure to login results in them not claiming the money/benefits they are due (all tax websites). And every website handling post-sale complaints (Airlines, insurance).
lxgr
I'd love to, but I'd not be able to visit many sites anymore thanks to Cloudflare...
1vuio0pswjnm7
HN uses reCAPTCHA under certain conditions
getpokedagain
I've not hit it but that would suck.
g-b-r
Yeah, live in a cave, and problem solved.
However much I hate it, right now among the sites using reCAPTCHA there are many that I strongly want to use.
Let's find a better solution please
flatIronSteak
> Let's find a better solution please
Is there an argument here that Google is creating a monopoly?
Could this be challenged on similar grounds that forced Microsoft to recommend other browsers to users on Windows?
g-b-r
sieabahlpark, I probably hate this more than you, you misunderstood
sieabahlpark
[dead]
vasco
So what are you doing here?
> Ask HN: Did HN just start using Google recaptcha for logins? [0]
> dang
> No recent changes, but we do sometimes turn captchas on for logins when HN is under some kind of (possible) attack or other. That's been happening for a few hours. Hopefully it goes away soon.
reaperducer
> Stop visiting sites and using services that use reCAPTCHA. Problem solved.
No. Bigger problem created, since there are innumerable government, health care, and educational web sites that use reCAPTCHA.
I'm not going to give up reading the test results from my doctor because some simplistic ideologue decides that it's "problem solved."
Roark66
At least in my country (Poland) you should be able to make a pretty big fuss, resulting in them fixing it, if indeed one of the e-gov services made you leak all your data to Google.
People do care about such things.
I hope the same is true in other EU countries.
ethin
The other problem with this is that there are few CAPTCHA alternatives.
CF turnstile is one, but of course that means Cloudflare owns even more of the web.
HCaptcha is inaccessible and actively discriminatory against individuals with disabilities and refuses to change, to the point that I suspect the only way that they will do anything is to file a class-action against them and sue them into the ground.
And I... Can't think of anything else. Other than to just get rid of Captchas entirely.
yehat
Compliance is what makes all that shit possible. Sadly most people are compliant and made so by gradually increasing their dependency on "commodities" which really are anchors to a shit lake.
unethical_ban
I agree, and I think CAPTCHA is a disservice on public websites.
majorchord
> I'm not going to give up reading the test results from my doctor
You could just call them.
thaumasiotes
> My understanding is that this new reCAPTCHA is basically just remote attestation.
Yes, somehow "parse this QR code" would not have made my top 500,000 list of 'tasks that a human can do more effectively than a computer'.
lxgr
I'm sure some people still remember how to mentally decode QR codes and verify ECDSA signatures from Covid days. Public transit ticket inspectors in my city also seem to be quite proficient at it :)
g-b-r
I don't see any requirement to support hardware attestation in the recaptcha documentation, the Play Services seem to be "enough".
I think it's most likely to be attested by Google remotely; they might be using an app (with enormous access to the phone as the Play Services have) to be able to link a ton of data together, possibly including the local activity on the phone, officially to make better humanity assessments based on it all.
For people using a Google account it probably won't make a huge difference, in terms of data collected.
If that's how it would work, spoofing would probably be theoretically possible, but it would be easy for Google to detect attestations used by multiple people.
Let's not forget that this is an update to a very approximate system, absolute security is not (yet) required.
But there's a good chance that it will be extremely hard to sidestep, despite that.
lxgr
> they might be using an app (with enormous access to the phone as the Play Services have) to be able to link a ton of data together, possibly including the local activity on the phone
But anything your phone can possibly do in software can be spoofed, so how would that help?
varispeed
Shouldn't that be illegal under GDPR?
gib444
There are massive exemptions for the prevention and detection of crime
And https://gdpr.eu/recital-49-network-and-information-security-... :
> Recital 49 - Network and Information Security as Overriding Legitimate Interest
> The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems,...
It's funny how people after all this time think 99 Articles, 173 Recitals and a huge tech lobby equals a water-tight, pro-citizen, impenetrable privacy law with almost no exemptions.
dheera
> Google didn’t demand iPhone users install Google software to pass the test.
Can de-Googled Android phones present themselves as iPhones?
coppsilgold
Apple has their own remote attestation infrastructure and you will not be able to impersonate an Apple device without extracting private key material from the secure enclave of a legitimate Apple device or compromising Apple certificate authority private keys.
lxgr
Is this actually available in Safari?
thaumasiotes
Can they present themselves as... web browsers?
tardedmeme
Yes, and then they'll get served a QR code that you have to scan on a phone Google approves of.
dwedge
I've kept a spare cheap android for too long and recently went with Graphene instead. I have one Google profile and only use it for Uber, work's Google Chat and maps. One bank refused to work (even with Google services) so I moved bank. I've moved most of my mobile use to self hosted (freshrss full text, password manager, calendar, tasks) with no direct internet connection.
It's a bit irritating but I'm glad I started down this journey because it looks more and more like I'm going to be avoiding the internet
drnick1
My setup is similar and nearly 100% self-hosted, including email, files, AI. If something does not work on Graphene, I will do without it. I also have a Google profile, mostly for testing purposes.
xerox13ster
How have you managed to accomplish self-hosted email? I tried similar in 2022 and found it damn near impossible without business static IP or a cloud provider.
tuzakey
You can't do it reliably without a static IP in a non residential subnet that lets you set reverse dns. If you have a static residential IP and they don't filter inbound SMTP you can make it work with a smarthost/relay like mailgun. It's not the insurmountable obstacle everyone makes it out to be, but it's not going to be free unless you already have an IP that meets the criteria.
If you don't have a static IP you will want to think about a MX relay service too ~ although mail is surprisingly tolerant of offline MX hosts if you can wait a little bit for your mail.
drnick1
I have access to a commercial (non-residential), fixed IP. You could also use an outgoing relay as a compromise, since presumably the issue you are facing is other servers rejecting email that you send from a disreputable IP. That being said, you really want a fixed IP as a matter of convenience if you are going to self-host anything.
ryukoposting
If you don't mind me asking, what Bank? I've resolved that this phone will be my last googled phone, and my next will be GrapheneOS.
dwedge
Halifax UK. It just refuses to work so I left it (Graphene is more secure, so forcing less security for the sake of tracking is off the cards). All the other banks so far say they won't work without Google services but if I click OK they work
dexterdog
Not OP, but I've been on GrapheneOS for a few years and I have no problem with Chase, CiT or Wealthfront. I mostly use them to check balances and unlock debit cards, but they all login and function fine.
gonzalohm
What's the best alternative for Google drive? I also went this route but Samba is a bit annoying sometimes
drnick1
What makes Samba annoying? I think it's perfect for its intended use (LAN).
If you need to share files externally, Nextcloud works very much like Google Drive and allows the creation of sharable links.
ianopolous
There is Peergos: https://peergos.org (disclaimer: I am the creator)
BloodyIron
Nextcloud, Samba serving SMB isn't really equivalent.
komali2
Nextcloud also has lots of interesting plugins. I recently found a viable Splitwise alternative I chucked on my instance.
bsmith
If you don't need filesharing, you can just set up wireguard, set up a network drive on your phone's files app, and then when connected it'll feel like native file browsing.
danparsonson
Syncthing is very nice.
cromka
I have nothing but issues with it, mostly because the iOS/Android apps are notoriously bad at syncing the files timely and also because of ridiculous filename restrictions on Android.
dwedge
I only share with one person so we use Seafile
zx8080
Nice that there's a bank to move to. We need regulations against such lock ups.
pixel_popping
archive.is just asked me for a QRcode scan, I'm so ashamed of that crap (it's behind Cloudflare), forcing website visitors to KYC? Are you guys insane!?
the web is ruined if you push for this, this is millions of websites that will suddenly force KYC? What...the...f
By KYC, obviously it's because there are very few non-criminal ways to have a SIM without KYC and get a Google account for Playstore without a number, so every website visit will be attached to a real ID.
I don't use a stock Android, right now I literally can't access many websites, this is genuinely crazy.
zelphirkalt
For me this archive.is thing has been unusable for a long time already, because they rely on Google Captcha for a long time already and I block Google shit by default. Allowing Google is probably equivalent to showing them your id, due to fingerprinting in the name of "safety". That's why archive.is is not helpful and usually just a tab I close again right away.
codedokode
Interesting, the text says "reCAPTCHA doesn't share your details with this site", but it says nothing about sharing your details with Google. Which means yes?
riedel
I just tried using archive.is on my non-degoogled phone using IronFox instead of Chrome and could not pass the recaptcha. Actually it presented me the mobile attestation on second try, but I was able to switch to images again. But I am also unable to pass that one with the tracking protections built into the browser. Hopefully some 'serious' website starts using this so I can bomb their customer support.
tocariimaa
The water is already boiling and the frog can't get out anymore.
syntheticnature
I thought archive.is were the ones squabbling with Cloudflare (extreme simplification)
j027
You can still use the audio captcha, but I’m not sure how long that’ll be around.
velocity3230
Sound advice.
BloodyIron
Google will incur serious lawsuits if they remove that accessibility aspect.
a2128
Google has already been crippling the audio CAPTCHA access for many years. If your trust score is low enough, the visual challenge is ridiculously slow and noisy, and pressing the audio challenge button will just give you an error saying "To protect our users, we can't process your request right now", accessibility be damned. Where are the lawsuits? I want to believe there are still forces that would create hell to pay for doing something so evil, but I'm not seeing any.
chrisjj
They'll keep it, but require TPM in each ear.
tom1337
i wondered the same earlier and i am pretty sure they are just mimicking cloudflare's validation page. no way that cloudflare is paying reCAPTCHA when they have their product, turnstile, available.
cornholio
It's a move to block competitor AI agents while securing access for your own, classic ladder kick. The market for autonomous agents providing services and doing online work will be gigantic so, unless you want your own bots locked out from ie properties guarded by Amazon, CloudFlare, Microsoft etc., you will need a bargaining chip.
hedora
As someone that uses AI agents, this makes me want to install a browser plugin for "public windows" that just archives everything I see, and then farms out clicks of content that are missing from those sites.
The result of this would be to upload it all to a bot-friendly alternative to archive.org.
CaptainFever
That exists! Check out Hoardy Web. https://oxij.org/software/hoardy-web/
Its whole point is undetectable archiving because it just saves what your browser already sees.
sunshine-o
Nice, I understand it is similar to ArchiveBox + its web extension.
Now to be honest, while it's optimal to archive pages from your browser view I am not sure I want a random web extension to be in everything I see from a security point of view.
I would rather have a local proxy doing it. Maybe something like the InternetArchive warcproc [0]. Haven't tried yet.
thecatapps
I'm failing to see why they didn't just adopt Private Access Tokens (not that they're great either), where they could have at least:
- pretended that it wasn't all about invading peoples' privacy.
- done a good ol' fashioned "but Apple does it"
- pretended to be standards-oriented
- advertised it as something completely transparent to the end-user
Seems like that would've caused a lot less backlash while still achieving the goal of having some form of device attestation -- but I'm guessing that's not the real goal.
treis
It doesn't fundamentally solve anything. You want to be able to identify a specific person or at least a relatively expensive device so that if you ban them they stay banned.
nightpool
The article mentions that they use Private Access Tokens on iOS, so I'm not sure where you're getting the idea that they're "not adopting" them from
supriyo-biswas
Private access tokens are also a repackaged WEI as far as I'm concerned.
incompatible
"pretended" ... do they even care any more?
FateOfNations
Not Invented Here Syndrome?
cantalopes
This is crossing the line where the governments should step in and ban/fine google heavily for this monopoly behavior
data-ottawa
How you know this is a monopoly is that if you go on their documentation website half the video is how this rolls into Google Analytics.
This is using another product to reinforce the search and ads monopoly.
You can’t scrape content to build a better google or Gemini, you can’t make an OS to compete with Google or Apple, and you can’t make a Google Analytics competitor.
It’s plain anti competitive.
failuser
The governments are the ones who need it the most. They want to know who all the potential and current dissidents are.
bigyabai
Bingo. Remember all the people on HN who canvassed for consumers to vote with their dollar? Absent-minded consumption is what consumers voted for.
Now everyone pretends like it's monopoly abuse because the Leopards Eating Faces company finally rang the dinner bell.
milderworkacc
I agree. There are pretty clear grounds here to think about opening an investigation here into illegal tying, or a misuse of market power. Not sure if the FTC maintains a presence on here, but if you're listening...
KPGv2
[flagged]
OutOfHere
Instead, our governments use this crap, meaning on .gov sites too, and impose it upon us.
gib444
Oh man as if we still live in those times
chrisjj
"Don't be evil. That's our job."
smallerize
This isn't just about weirdos (like me) who run GrapheneOS. Huawei phones don't have Google Play services installed, or Xiaomi phones with MIUI China. That's what, a billion and a half phones that can't get to your website now?
Amazon tablets don't have Google services either, which hints that the upcoming Amazon phones also might not work with this.
gene91
If you need access to both apps from China and websites/apps from outside China, non-Apple devices have been difficult before this, primarily due to push notification infrastructure.
This makes it more difficult. But I don’t think it matters given how difficult it was prior to this.
tinycommit
Eww. Ok, so, I’ve used reCAPTCHA on sites I maintain at work, just on forms to prevent excessive bot spam submissions. No way do I want to subject users to this BS, though. Does anyone have recommendations for other decent captchas that could be used instead?
ksymph
I run into https://www.hcaptcha.com/ and https://friendlycaptcha.com/ from time to time as a user without complaint. Can't speak to the latter but I've used the former a bit and it does the job.
BloodyIron
Any chance for something 100% self-hostable? hcaptcha and friendlycaptcha last I checked require interfacing with their services.
aprilnya
Cloudflare Turnstile, if you're already using Cloudflare (or not!): https://www.cloudflare.com/application-services/products/tur...
tardedmeme
hcaptcha is pretty popular these days. It uses a very wide variety of traditional visual puzzles.
himata4113
in my good ol' days I just sent a screenshot to 2captcha for grid of the entire captcha iframe which means that the solvers would have to figure out what to do instead of having to write code for each different type of captcha. to solve their new rotating puzzles I would just capture them at 50% opacity twice and change the prompt to pick the highest brightness object since 50% opacity would dim the moving elements.
varenc
I have a good friend who doesn't own a cell phone. He's a math professor. Every year he keeps living life without a smartphone, I continue to be more impressed. Things like this make me feel like he might have to eventually give in. https://archive.is is now serving, via Cloudflare, these QR code backed CAPTCHAs. There seems no way to get past them without a smartphone. Sad times. I wonder at what point even basic government services will essentially require a smartphone.
gruez
> https://archive.is is now serving, via Cloudflare
It looks like a cloudflare page but it's not hosted by them. eg. https://bgp.he.net/dns/archive.is#_ipinfo It's hosted by AS49505 JSC Selectel
j027
To add onto this, cloudflare switched away from recaptcha a while ago. https://blog.cloudflare.com/moving-from-recaptcha-to-hcaptch...
I think they now use their own Cloudflare turnstile if I remember correctly, but back then they switched to hcaptcha.
phyzome
I don't have one either. No plans to get one, even with this.
amluto
I would love to see someone challenge this as an anti-trust violation. Google is using its market power (as the provider of reCAPTCHA) to actively prevent devices that don’t use Google Play Services from competing effectively.
cromka
They're only doing that because the EU currently doesn't want to antagonize US any more with their tech fines. Noticed how there hasn't been any as of recently?
gib444
https://www.cnbc.com/2026/04/10/google-meta-big-tech-6-billi... :
> April 2025: Apple fined €500 million for failing to comply with "anti-steering" obligations. Meta fined €200 million under the Digital Market Act for requiring users to consent to sharing their data with the company or pay for an ad-free service.
> December 2025: X fined €120 million under the Digital Services Act for breaching transparency obligations.
(Sure, not this year, but that's pretty recent by most standards. And not sure if they're still being contested and unpaid)
And recently, Google is working with the EU to avoid a fine: https://www.bloomberg.com/news/articles/2026-05-06/google-ma...
probably_wrong
Alternative explanation: they're following the Meta playbook of releasing surveillance features during a "dynamic political environment" that's keeping their opponents distracted.
https://www.nytimes.com/2026/02/13/technology/meta-facial-re...
lxgr
Almost completely unrelated, but I recently helped out a very confused family member with deleting not one, but two Google Cloud accounts they had no idea existed, and that they only learned about from an email referencing reCAPTCHA getting integrated into some other Google product offering.
I have absolutely no idea what happened there. My best theory so far is that they clicked on some really, really wrong buttons when solving a captcha themselves while logged in to their Google account in the same browser. Bizarre.
brunocvcunha
AI Studio playground maybe? It seems all integrated.
lxgr
They almost certainly didn't use that.
The projects were named after a Google Doc they'd recently worked on (or a .docx attachment they'd received?) though, so my other guess is that they somehow created a Google Docs macro or similar by accident?
arccy
probably Google Doc Apps Script, those create so many Google cloud projects
buzzwords
Given the way Google is going I'm not sure if my next phone will be Android. I am fully aware that I am probably in the minority here. For me the trust is entirely gone.
fluidcruft
There really isn't much of an option. Apple's just as bad if not worse.
queenkjuul
At least with an Android i have the option of Graphene, and have access to a terminal, and for now can sideload apps.
With apple there's no choices, so I'll continue to take my chances with Android
fluidcruft
Possibly... but the extension of this to Android and Apple is going to be the entire internet shuts you out. And everything else will be a giant Dead Internet crawling with bots.
lxgr
Can Graphene OS pass this kind of Google attestation challenge, though?
chadgpt2
Both are terrible for privacy so it comes down to which one has a nicer screen now. :(
I'd rather have Google check an Apple phone attestation than have Google check a Google phone attestation, and vice versa, though, because you can assume each company is trying to keep as much information private to themselves instead of giving it to the other. Google is probably just getting "yes it's an Apple phone" and some kind of temporary token, instead of my IMEI, IMSI, phone number, all signed in accounts, biometrics and so on.
LeoPanthera
> Apple's just as bad if not worse.
Could you justify that? Because to me it seems like Apple isn't doing anything even like this.
microtonal
https://httptoolkit.com/blog/apple-private-access-tokens-att...
Also, Apple sells themselves as a privacy company, but often pick (possibly intentionally) insecure defaults. E.g. you might use end-to-end encrypted chats, but by default iCloud backups are not end-to-end encrypted, so law enforcement can just request your backups/chats from Apple. If you are vigilant and enable Advanced Data Protection for E2E iCloud backups, it probably still doesn't matter because the people that you communicate with probably do not have ADP enabled.
Besides that, they are enshittifying in the same way as Google. Ads in Maps, Ads in applications that you get with the OS (Apple Creator Studio ads in Keynote, etc.), Ads in your system settings for Apple Fitness+ (really).
At least Pixel phones and soon some Motorola models have the option of installing GrapheneOS.
bigyabai
Apple never allowed custom ROMs to begin with, so their device attestation feels more seamless: https://support.apple.com/en-us/102591
cyklosarin
Motorola + GrapheneOS next year could be an alternative. So far they've been relatively insulated from the changes that have been coming down from Google.
doctor_radium
I'll be waiting.
In the meantime, I'm currently using a low end Motorola moto g 5G 2023 which lets me turn off Play Services. Chrome and the Google Calendar don't run (really do need to find a replacement calendar), and I couldn't be happier. Motorola's interest in GrapheneOS makes me wonder if they did this on purpose.
microtonal
Or if you need it now, Pixel + GrapheneOS. Pixel A-series are really affordable. E.g. the 9A is 350 Euro here, have great device security (Google Titan M2 hardware security processor, CPU that supports MTE, etc.), pretty good cameras/camera processing, etc.
ryukoposting
You won't be alone. I've resolved that this will be my last Googled phone.
My dad runs the family domain/emails/etc. The hard part will be convincing him to degoogle the whole family.
drpixie
I'm inclined towards keeping an ancient android for those apps that require it, and maybe something open for actual use. Or perhaps a crappy old android for android and a small non-android tablet/laptop for daily-driver stuff, which always works better as a computer anyway!
I'm also becoming open to using software that lies to google about what it is :) Google will treat us like sh*t, why shouldn't we reciprocate.
nosioptar
I've been getting asked more and more how to degoogle stuff by non-nerds.
drnick1
Android yes, but Graphene is the answer.
Related: Google Cloud fraud defense, the next evolution of reCAPTCHA - https://news.ycombinator.com/item?id=48039362
also: Google Cloud Fraud Defence is just WEI repackaged - https://news.ycombinator.com/item?id=48063199