Google Cloud Fraud Defence is just WEI repackaged

(privatecaptcha.com)

244 points | by ribtoks 4 hours ago

95 comments

  • Havoc an hour ago

    Whether it's AMP or Manifest V3 or Android source shenanigans or attempts to replace cookies with their FLoC nonsense or this... Google is rapidly turning into a malicious force when it comes to the open internet.

    • xiaoyu2006 7 minutes ago

      Turns out RMS has always been right. How surprising.

      • Aloha 2 minutes ago

        Indeed, occasionally hammers do find nails to hit.

    • phpnode 9 minutes ago

      Last time this happened we got a bunch of Google employees downplaying the impact of WEI and calling it a nothingburger, that people were being hysterical. I just checked, and everyone I saw defending it has since left the company. I'm sure another wave of Google managers, keen to appeal to the higher-ups, will be here to defend this new initiative any minute now.

    • ocdtrekkie an hour ago

      > rapidly becoming

      Always has been.

      Google was creating cartels like the "Open Handset Alliance" literally decades ago.

      Via their control of Chrome and Search which are both monopolies, Google holds absolute authority on how websites are rendered and if websites can be found.

    • xenophonf an hour ago

      I'm amused at how thoroughly Google adopted Microsoft's playbook. Chrome supplanted Internet Explorer by embracing the open web. But then Google immediately started on extensions, and now they're trying to extinguish the open web with nonsense like Cloud Fraud Defense. All very smoothly done. I mean, people are actually _asking_ for this junk. I'm impressed.

      • olyjohn 32 minutes ago

        No they didn't. Firefox unseated Internet Explorer. Chrome then got big by putting its installer right on the Google homepage and harassing users to install it. And they had it bundled with other software, and would install as a user so that locked down computers could still run it. They absolutely did not win by embracing open standards.

        • homebrewer 10 minutes ago

          Lots of supposedly technically advanced users switched to Chrome en masse and promoted it on every occasion they could, because it was so much faster, simpler, safer, etc etc. Don't excuse useful idiots from their share of the blame. People warned about dangers of Chrome's growing domination for about as long as I can remember, back to at least 2012, only to be dismissed as paranoid.

        • ocdtrekkie 7 minutes ago

          People forget that Sundar Pichai's entire claim to success at Google was injecting the Google Toolbar into the Adobe Reader installer which would hijack your search and browsing data on IE, and the launch of Chrome, which was then also injected into the Adobe Reader installer, occurred because Google was concerned IE might block or limit their toolbar.

          People absolutely did like Google at the time, but the majority of its growth is actually shoveling hijackers into other software installs just like BonzaiBuddy.

          • lotsofpulp 5 minutes ago

            I recommended that everyone use Chrome simply because Microsoft couldn't be bothered to provide built-in PDF viewing and creation.

            There was a good, long period where Microsoft just decided to let the market run amok with malware for critical software, instead of providing something like Preview on macOS. As a result, the safest option for most lay people was to use Chrome, where they could quickly and easily view and, most importantly, save PDFs of websites, receipts, etc.

            Then, once MacBook Airs were solidified + iPhone, I started recommending people use macOS simply because Preview could edit PDFs and easily allow signing them.

            I haven't used Windows in a very long time, so I assume it's still the same situation.

        • lotsofpulp 10 minutes ago

          I recall Chrome being a superior browser in the early days, prompting many to switch and evangelizing it.

  • SwellJoe 38 minutes ago

    From "Don't be evil" to building the largest, most invasive, surveillance operation the world has ever seen.

    That was true before this, but this indicates nothing will ever be enough. Google will always want to track more of everyone's activity online, and will use every tool at their disposal to do it.

  • jchw 2 hours ago

    Exactly my thoughts. I am unfathomably angry and I want to contribute to any effort to dismantle Google as a company.

    • pietervdvn 2 hours ago

      Yeah, same. It is hard; we start to need a collective boycott.

      We can all do our part by using their products as little as possible, contributing to open alternatives (OpenStreetMap, Fediverse, Linux, Nextcloud...) and by stimulating our (non-techie!) friends and family.

      But it is a lot of work :(

      • 7734128 an hour ago

        It should not be a "vote with your wallet" situation. It should be governments shattering that organization into appropriately sized companies.

        • quantummagic an hour ago

          I wouldn't hold your breath. The government is reliant on them for surveillance, censorship, and propaganda. It is a synergistic relationship, not adversarial.

        • lotsofpulp 7 minutes ago

          It should have been the government providing an identity verification API, like they already do in the physical world with physical IDs. Governments dropped the ball, and so now Apple and Google get to be infrastructure.

        • SilverElfin 21 minutes ago

          We cannot vote with our wallets because there’s no real competition. That’s the problem with the big tech companies and other monopolistic companies in other areas.

          • robin_reala a minute ago

            In what area is there no real competition? I can think of real competition in everything Google does with the possible exception of YouTube.

        • troupo 32 minutes ago

          These days every time a government so much as thinks of impinging on a supranational corporation's right to do whatever the hell it pleases you'll hear no end of cries ranging from "overregulation" to "tyranny".

          For an example, see EU's GDPR, DMA etc.

      • deaux 2 hours ago

        It's less work than 10 years ago. So many much more mature alternatives.

        • buran77 2 hours ago

          The technical challenge is actually the smaller one. The real one is to get people to care. Don't be tricked by the HN/techie bubble. Most people don't understand the problem, or don't see it as a problem because nothing has smacked them in the face yet. Any attempt to explain it makes you sound like a lunatic to some, or just a bit of a worrier to others.

          Whether it's targeted ads, or training AI on their data, or verifying their age and implicitly identity, or "fraud defense", most people happily take it in exchange for a convenient freebie which is why things keep escalating.

          It's understandable, people are assaulted with all kinds of abuses from every direction. There are more immediate threats that they can grasp more easily so this stuff has to wait its turn.

          • JoshTriplett 39 minutes ago

            > Most people don't understand the problem, or don't see it as a problem because nothing smacked them in the face yet.

            Or don't approach the world with a fundamental mindset of having agency to (help) fix things they see as broken. Just because people see something as bad doesn't mean they inherently see a bright flashing line from that to "so I should do something about it rather than accept it".

      • pessimizer an hour ago

        > Yeah, same. It is hard; we start to need a collective boycott.

        Feelgood slacktivism. They don't care about your boycott. They finance their own alternatives because they know what makes you shut up.

    • leoc an hour ago

      But remember: once again, don't simply get angry at Google the institution. Get angry at Page and Brin personally. They have the power to prevent this, a power they were careful to preserve when they gave Google its IPO. They are fully responsible for Google's choices here. But, partly because they aren't constantly jumping up and down drawing attention to themselves on social media, they've tended to escape the same personal scrutiny given to e.g. Elon Musk. That needs to end.

    • greatgib an hour ago

      On that topic, I would highly recommend you to switch to Kagi!

      Search is still their workhorse for ad revenue. Less search and fewer users, in addition to users now just asking ChatGPT and co, will hurt them well.

      • tom1337 an hour ago

        Wouldn't installing an adblocker hurt them basically as much or more, since I still cost them compute but don't get them that sweet ad money?

        • JoshTriplett a few seconds ago

          You think systems that have adblockers installed will keep being able to pass WEI / Google Cloud Fraud Defence checks?

          This is an attestation scheme. Attestation is about controlling what software you are and aren't allowed to run. If a future version of this allows desktop browsers rather than just phones, it will almost certainly try to do similar forms of attestation, and prevent you from controlling your own software stack.

    • SilverElfin 21 minutes ago

      The problem is this type of controlling move, that will be used to benefit their company, is one among many things a company like Google can do that is unethical. They won’t stop. They are too powerful and can get away with it repeatedly. Even if this one thing is stopped, there will always be another dark pattern or another privacy violation or another anti-competitive thing.

      We really need brand new legislation that makes it much easier to break up companies that are too big, and also to tax mega corporations at a much higher rate than all other companies. Then we can have fair competition and the power of choice. But the existing laws end up with no real consequence for these companies, and even if there’s some slap on the wrist, it takes years in court. New laws must make it very fast and low cost for society to take action.

  • gruez 31 minutes ago

    As much as I hate whatever google's doing, this article has some issues:

    >For operations that need Play Integrity attestation specifically, a compliant Android device costs approximately $30 at current market prices

    This assumes the logic on google's side is something like `if(attestationResult == "success") allow()`, but it's not hard to imagine the device type being factored into some sort of fraud score. For instance, expensive devices might have a lower fraud score than cheaper devices, to deter buying a bunch of cheap devices. They might also analyze the device mix for a given site, so if thousands of Chinese phones suddenly start signing up for Anne's Muffin Shop, those will get a higher fraud score.

    >Firefox for Android does not appear in Google’s stated browser support list for Fraud Defense.

    The browser only needs to show a QR code, so if you're on firefox mobile they'll either open a deeplink to google play services on the phone itself, or show a qr code.

    >One human solving a single challenge pays a negligible cost. A bot farm running concurrent sessions faces exponential compute costs with each additional attempt - and AI agents, which consume GPU cycles to operate, face identical penalties regardless of how sophisticated their reasoning is.

    PoW for bot protection basically never caught on because JavaScript performance is poor, and human time is worth more than a computer's time. An attacker doesn't care if some server has to wait 10s to solve a PoW challenge, but a human would. An 8-core server costs 10 cents per hour on Hetzner. Even if you assume everyone has an 8-core desktop-class CPU at their disposal (i.e. no mobile devices), a 6 minute challenge would cost an attacker a penny. On the other hand, how much do you think the average person values 6 minutes of their time?

  • lambdaone 33 minutes ago

    This is truly disturbing, and trying to sneak it in like this without public discussion is disingenuous. Hopefully it will be shot down like last time - at the very least, there are surely antitrust issues here.

  • opengrass 21 minutes ago

    For merchants who don't want geeks as customers, cool

    As a web-wide captcha replacement, not cool

  • dgrin91 43 minutes ago

    Maybe a dumb question, but how is this supposed to work for iPhone users? They won't have Google Play, and it seems like Android/Google Play is required here? There is no way they would cut out such a huge chunk of the market.

  • everdrive 23 minutes ago

    No one should ever browse the web on a smart phone. Not joking.

  • HackerThemAll an hour ago

    We do need to abandon the reality where we use the same few companies on a daily basis and get back to what's now hidden under the surface: forums, blogs, personal websites. We need to re-discover the "free" internet we used to have before Facebook and the smartphone dystopia happened.

  • cynicalsecurity 22 minutes ago

    This is security theatre. This isn't going to help against bots in any way.

  • sylware 25 minutes ago

    I keep banning gogol IPv4 ranges because of scanners, script kiddies (and maybe worse). Yes, I am self-hosted, and without paying the DNS mob.

  • breakingcups 2 hours ago

    I fucking hate this future. It's bleak. The engineers participating in this should be ashamed.

    • faust201 an hour ago

      So many on HN already downvoted you. That says something about the SV nature and opinions in the tech sector.

    • vrganj an hour ago

      They shouldn't just be ashamed. They should be shunned at the very least.

      There's a good chance they're on HN FWIW. If you are and you're reading this: Fuck you. Reconsider which side you want to be on!

  • ChrisArchitect an hour ago

    Related:

    Google Cloud fraud defense, the next evolution of reCAPTCHA

    https://news.ycombinator.com/item?id=48061938

  • spwa4 an hour ago

    But but but but ... now that huge tech has declared copyright invalid because of AI they must prevent you from copying Mickey Mouse! Urgently.

    Of course courts will undo their current copyright stance as soon as someone "uncopyrights" Disney movies, which is of course coming, but for now ...

    Will SOMEBODY think of the billions?

  • walletdrainer 2 hours ago

    The only real solution is to aggressively name and shame the engineers who build this tech. They should feel uncomfortable opening their door, walking down the street.

    (A bunch of engineers who build this tech will probably be complaining about how unfair my proposal is, boo hoo)

    • spankalee an hour ago

      You don't think that some people simply disagree with the idea that this is bad? Or like maybe the CAPTCHA company who put out the post has an agenda here? So you want to go after engineers personally?

      I wonder what you've done that might warrant harassment?

      Look at how complicated CAPTCHAs are getting to try to be unsolvable with AI - it's a losing game. This and the WEI proposal are trying to solve a very, very real problem. If you continue to deny the problem, or every proposal solution without working towards an acceptable one, people will route around the blockage.

      • jasonjayr an hour ago

        The crux of the problem is that their solution involves making themselves the gatekeepers of who is and isn't allowed. And that's a power that no one unaccountable organization should wield.

        Given how important the internet is to modern society, letting any one entity decide who should and should not have access is nearing a human rights issue.

      • baobabKoodaa an hour ago

        > You don't think that some people simply disagree with the idea that this is bad?

        Where are they? Where? Can you point me to one person in this thread who "disagrees with the idea that this is bad"? Apparently even you don't go that far.

      • troyvit an hour ago

        But it's so easily beatable! This might be the result of good intentions (being incredibly generous), but as the article states, any bot can afford a $30 phone and the concomitant hardware as the cost of doing business and bypass this.

        Also as the article states (referencing an HN comment):

        > How should we realistically teach Susan from HR the difference between a real Google Captcha QR code and a malicious phishing QR code - you (realistically) can’t.

        Susan from HR is the least of it. This is a huge vector to increase fraud, not decrease it.

        How would an ethical, competent engineer argue against this?

        The CAPTCHA company who put this out might have an agenda, but also since they're in the industry they might also have knowledge to impart.

        We're reaching an inflection point with the oligarchies where the old ideas of "writing a blistering editorial" or "calling your congress-critter" need to be seriously questioned as useful and other non-violent methods of recapturing digital freedom need to be entertained.

        • mike_hearn 26 minutes ago

          You realize that $30 phone is burned the moment it's used for abuse, right? It's not $30 and then spam as much as you like. It's $30 per action per site, which makes nearly all abuse unviable.

      • zb3 31 minutes ago

        > Or like maybe the CAPTCHA company who put out the post has an agenda here?

        That captcha company is not trying to push spyware onto my device and punish me for daring to remove it. Google is.

        > Look at how complicated CAPTCHAs are getting to try to be unsolvable with AI - it's a losing game.

        So don't play. Even cloudflare had a better idea - don't block, just demand payment.

      • techpression an hour ago

        This case is trivially circumvented with device farms, much like described in the post. What real problem are they trying to solve? AI bots reading content? That’s not something Google want to prevent, it’s part of their business model, this would allow them to easily circumvent it for themselves though.

      • walletdrainer an hour ago

        > You don't think that some people simply disagree with the idea that this is bad?

        Some people think women shouldn’t be allowed to vote, not all opinions are created equal.

        • ipaddr 33 minutes ago

          You can't say not all opinions are equal and everyone should have an equal vote.

          Are some ideas worth more than others? Should some people's votes count more than others? You can't have both.

    • otterley 28 minutes ago

      These are private actors. It's not acceptable to harass people for building things that are lawful but that you don't like.

      If you don't like this functionality, participate in democracy and work with your representatives to make it unlawful. But be prepared to humbly lose if the majority disagrees with you.

      You're not, however, entitled to a "heckler's veto."

      • nicce 25 minutes ago

        Nobody is asking for harassment. Social ignorance is usually enough. Like, nobody wanting to date, be a friend, asking for parties etc. It is very normal treatment to people who have bad behavior etc.

        • otterley 21 minutes ago

          "The only real solution is to aggressively name and shame the engineers who build this tech. They should feel uncomfortable opening their door, walking down the street."

          What do you think this is a call for, if not harassment?

          • nicce 14 minutes ago

            There is a fine line between harassment and pointing out socially bad actions. Harassment usually involves name-calling, making threats etc. You can definitely shame people with diplomatic language.

    • buran77 2 hours ago

      The usual argumentation is "I need to make a living" and "if I didn't build it someone else would have done an even worse job, like this at least I could be an activist on the inside and guide the efforts to make it better".

      • MSFT_Edging 2 hours ago

        Another method is to stall and sabotage the development via endless bike shedding, language changes, rewrites, refactors. All normal things in every project. Drag those feet.

        • zihotki 38 minutes ago

          And the people will be just simply fired for underperforming. Or anything else, it's easy when you have at will employment.

      • deaux 2 hours ago

        Which are of course delusional excuses when they come from anyone working at Google.

        Then they'll come with "but I have a family and mortgage". No shit, so does literally everyone.

        • nerdsniper an hour ago

          I think I'd have to be working at Google to afford a family and/or mortgage!

        • schoen 2 hours ago

          I don't have a family or a mortgage.

    • jjulius an hour ago

      I think the better alternative to making engineers "feel uncomfortable opening their door, walking down the street" is for us to collectively ask if the solution isn't to touch more grass and rely less on the technology we've all come to blindly accept as required.

      I mean, I hate this QR code shit as much as anyone, but c'mon, we can and should be better - both in how we treat others, and how much we rely on this shit.

      • JoshTriplett 30 minutes ago

        That doesn't solve a problem, that ignores a problem.

    • criticalfault an hour ago

      one person's villain is another person's hero.

      I imagine if they were named and shamed, they would get huge contracts in companies like Oracle.

      • ipaddr 30 minutes ago

        Good luck getting a huge contract with Oracle. Facebook.. yes.

  • tadzikpk an hour ago

    This article is full of false assumptions.

    For example:

    > Bot operators point a camera at a screen, a trivial automation with off-the-shelf hardware. For operations that need Play Integrity attestation specifically, a compliant Android device costs approximately $30 at current market prices

    A bot farm cannot bypass for long with a $30 phone. Do you seriously think that if Google sees the same hardware identifier 1000s of times a day they are not going to consider that usage to be fraud?

    I appreciate that Google's made a real proposal to avoid the web becoming bottomless AI slop. This article hasn't come with a better alternative - I'd love to see one!

    • iamnothere an hour ago

      > Do you seriously think that if Google sees the same hardware identifier 1000s of times a day they are not going to consider that usage to be fraud?

      Phones are very cheap, especially refurbished phones. Just have the phones mimic real life sleep/wake cycles and take occasional breaks. Use 25% more devices to account for the loss in uptime.

      Besides, some people (often unemployed or disabled, and possibly with sleep disorders or mania) actually don’t do anything other than scroll on their phone all day and night. So you can’t rely on this as a good signal without creating even more blowback. And you really don’t want too much blowback from troubled people who have infinite free time.

    • jsnell 28 minutes ago

      It is particularly funny because this is content marketing for a computational proof of work "captcha". Those are pure snake oil, with economics that are probably at least four orders of magnitude more favorable to the abusers than this attestation would be.

    • Velocifyer 29 minutes ago

      I'm pretty sure that the AI copied the $30 number from my Hacker News comments. However, in the USA it is true. https://www.walmart.com/ip/Straight-Talk-Motorola-Moto-g-202... (carrier locks don't matter for this use case.) I am not sure that storing unique device identifiers is legal in the EU.

  • amazingamazing 2 hours ago

    AI use is far more prevalent now than then sadly. This kind of scheme is inevitable since compute is not free.

    • add-sub-mul-div 2 hours ago

      Water use and mass displacement of labor get all the attention but there are so many other more subtle reasons like this that AI is going to be bad for society.

    • Flimm 2 hours ago

      I disagree that this kind of scheme is inevitable. We can "evit" it through thoughtful discussion, foresight, alternative mitigations, and even regulation. Certainly, Google can choose to avoid it. On the other hand, the AI bubble will inevitably burst, since compute is not free. I look forward to post-bubble AI.

      • layer8 an hour ago

        “Evit” is “avoid” in English, they have the same root.

      • sofixa an hour ago

        > We can "evit" it through thoughtful discussion, foresight, alternative mitigations, and even regulation

        Such as? I don't see how regulation would apply here without concrete technical solutions that enforce it. So what alternative mitigations do you have in mind?

        • JoshTriplett 26 minutes ago

          Regulate the use of AI to imitate or impersonate human activity. Regulate AI crawling/scraping. Ban scraping entirely, and all models based on it. Regulate maximum model size.

          These wouldn't eliminate the problem, but they'd change it from "many people do this" to "this is always a malicious attack, react accordingly".

      • Analemma_ an hour ago

        What kind of regulation would that be? The only regulation which can actually stop the problem Google is trying to fix here is government-issued IDs tied to all your internet activity. I’ll take the Google fix instead, thanks.

  • VBprogrammer an hour ago

    In a world where everything is shit, could I at least take away some solace in this helping to reduce Cloudflare's hegemony?

  • spankalee an hour ago

    Given all the negative comments here - what is anyone's alternate solution for AI-driven fraudulent activity?

    CAPTCHAs are increasingly ineffective. Services are either going to go offline or implement some kind of system like this. PII like credit cards or SSNs aren't enough because those are regularly stolen.

    So where do things go? Fewer services and infinite fraud?

    • JoshTriplett 36 minutes ago

      > Given all the negative comments here - what is anyone's alternate solution for AI-driven fraudulent activity?

      A combination of "regulate AI" and "The optimal amount of fraud is not zero". https://www.bitsaboutmoney.com/archive/optimal-amount-of-fra...

    • nazgulsenpai an hour ago

      Yes, fewer services and infinite fraud is substantially better to me than the web being controlled by Google even more than it already is.

      • frankchn an hour ago

        It will be fewer accessible services for everyone who refuses to use this, that's for sure. In general though, service providers are not going to accept "fewer services and infinite fraud" and thus they will look into implementing this.

    • iamnothere an hour ago

      This doesn’t even solve the problem thanks to device farms. There’s not really a solution for this short of aiming a camera at someone’s retina 24/7 plus a fully locked down hardware path. And even that would surely be compromised given enough incentives.

      People are just going to have to find a new way to monetize. Maybe more things will become paywalled, or sponsored long-term like old TV shows. Again, there’s no good way to solve this, and the “solutions” on offer just contribute to the surveillance state without solving the problem.

    • zb3 25 minutes ago

      I don't know which activity you're referring to, but why are you trying to discriminate between humans and bots? Because bots don't pay? So demand payment.. Demand like payment per account creation, then set appropriate rate limits per account.

    • righthand an hour ago

      Captchas were never effective. It’s an arms race to the bottom.

  • munchler an hour ago

    I think this is the third HN link I've clicked on in a row that leads to an LLM-generated article. I'm not opposed to AI, but I'm tired of seeing it quietly substituted for human thought and expression.

    • alex_duf 41 minutes ago

      I'm seeing this stance a lot "this is obviously AI generated"

      Why? What's LLM generated? How can you tell?

      To me what's obvious is that our trust system is already breaking down. Commenters accusing each other of being AIs is also another example of this.

      • gruez 26 minutes ago

        >Why? What's LLM generated? How can you tell?

        Not the guy you're responding to, but:

        1. The high number of (em) dashes is suspect, though it's unclear whether they manually replaced the em dashes or it's actually human generated.

        2. "One additional failure worth noting: one incident response professional in the HN thread, raised a concern that operates independently of the bot problem" feels out of place for a content marketing piece. HN isn't popular enough to be invoked as a source, and referencing it as "the HN thread" seems even weirder, as if the author prompted "write a piece about how google cloud defense sucks, here are some sources: ..."

        3. This passage is also suspect because it follows the chained negation pattern, though it's n=1

        >No hardware identifier is transmitted. No attestation is required. No certification layer determines who may participate.

        edit:

        I also noticed there are 2 other comments that are flagged/dead expressing their reasons.

        • bakugo 18 minutes ago

          Looks like the moderators are actively deleting comments that call out AI generated articles now. Grim. This comment will probably be deleted too.