Authored by Dr R P via The Daily Sceptic,
Never mind Fancy Bear, or the NSO Group, the biggest threat to the open internet today is from the Big Tech corporations on which it has come to depend. For what else are we to conclude given that Google appears to be working on a system to lock large parts of the internet behind a new form of CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) designed not to tell apart humans from bots, but instead to make an un-person of anyone who doesn’t own an ‘approved’ Android or Apple device.
Google’s reCAPTCHA service is used by a wide variety of websites, many of them independent of Google in every other regard, to limit incoming traffic or data entered into contact forms. It is intended to prevent automated software from accessing these resources and using them to send spam messages or flood websites with denial of service attacks. You have probably encountered it when told to identify all the bicycles in a grid of images.
Under the auspices of its Cloud Fraud Defence programme, Google is introducing a new form of CAPTCHA for which the way to ‘prove’ one is a human is to be in possession of a Google-approved device. Reclaim the Net’s original reporting focused on the threat to deGoogled phones, meaning phones running Android-like operating systems which have Google’s – often unwelcome – proprietary features removed, such as GrapheneOS or LineageOS.
However, just as the dull name of ‘age verification’ serves as a cloak beneath which schemes to end all truly personal computing can be smuggled, the danger here could be much broader than the technically focused headline implies. As the sources discussing this are relatively few, it is hard to ascertain exactly what has already been rolled out and what is still in the conceptual stages. But it appears that the new style of CAPTCHA threatens not just users with deGoogled phones but anyone without an ‘approved’ device.
Google’s own documentation confirms the existence – as a “Preview” in limited use with alternative options presently existing – of CAPTCHAs which require an Apple or Android handset to pass them. But it describes this in a “Mobile Verification” context, which may imply a more limited use than reCAPTCHA in general. However, with such functionality possible, there is no reason that Google could not activate this, without alternative options, everywhere that its reCAPTCHA-branded prompts appear.
Knowing that locking out everyone except Android users would have even the most clueless politicians smelling a monopoly, Google has deigned to also allow Apple iOS users through, but their approval is nonetheless limited to devices where the full tech stack is under corporate control. Apple phones and tablets use a locked bootloader to trap users within a walled garden, where they are at Apple’s mercy whenever an unwelcome new feature is introduced. Unless the Keep Android Open campaign succeeds, certified Android devices will soon be scarcely better, a condition of certification being that manufacturers must obstruct users from side-loading to install apps from outside Google’s Play Store.
Because Apple and Android phones do not respect your freedom, Google chooses to trust them. That’s an odd-sounding sentence, so let me explain.
On a Linux desktop, or a GrapheneOS phone, you, the user, have true control of your own property and can modify its operation to suit your own ends. And whilst Microsoft Windows has definitely not been respecting your freedom recently, Windows users still have control over what extra programs they install on a Windows system, for now. But on an Apple or Android device Google can be confident that it is precisely as enshittified as Big Tech intended it to be. It can be sure that any programs running on the device were programs which it approved within its own app stores, and that the device will never prioritise the needs of the user when they conflict with the desires of the corporate master.
Hardware attestation – where your device, via a cryptographic process, provides proof to a remote server that its hardware and software are genuine and unmodified – intensifies this imbalance even further. Not only can the device keep tabs on you, but it can also use a cryptographic key kept within a normally-inaccessible part of the system to sign each message it sends to the centralised servers and assure them that you have not tampered with it. The server can choose to deny access to any device not able to provide the signed confirmation. In Big Tech’s dictionary, exerting true ownership over your own property is now dismissed as tampering, where anyone with the temerity to ‘tamper’ with the items they bought with their own hard-earned money is to be excluded from polite society.
Within modern certified Android devices, the Play Integrity API provides capabilities for hardware attestation. For Apple, the App Attest API performs the same function. The TPM 2.0 security chips which Microsoft decided to list as a hardware prerequisite for recent Windows versions provide the physical components which would be necessary if Microsoft seeks to introduce hardware attestation in future, its decision being made doubly suspicious by the fact that even the most security-focused Linux distributions do not make TPMs a requirement and that today’s Windows can run without a TPM in practice. This concept of ‘Trusted Computing’ does comparatively little in terms of letting you trust that your computer remains secure, but is very helpful to let remote centralised servers trust that your computer will obey their diabolical DRM schemes.
Some banking apps already use hardware attestation, having bought into Google’s argument that this improves security. Google’s argument is laughable. Their hardware attestation approves legacy stock Android models which have known unpatched vulnerabilities – including ones which would allow malware to spy on user activity – or have received no updates for years; but it blocks fully up-to-date GrapheneOS devices. In treating hardware attestation as a proxy for security, banks and other app providers are locking out the more secure devices. And for all these security hoops they expect users to jump through, services still leak sensitive records by the billion from large-scale data breaches at their end.
Coming back to CAPTCHAs specifically, whilst AI crawlers and automated spambots are a genuine problem, using hardware attestation to combat them is like using a pneumatic jackhammer to open a wine bottle when a corkscrew is already at hand. Although today’s machine learning can often identify all the squares with bicycles, there are still non-invasive methods to allow human users whilst excluding machine-generated traffic, often by adding a small cost in time or energy which is insignificant for a human user, but sums prohibitively when a spambot tries to perform thousands of actions simultaneously.
It is therefore hard to see any rationale for a hardware attestation CAPTCHA except to cement a duopoly of Apple and Android, and to break user anonymity. After-all, what good is a VPN or Tor if every interaction you make with a website at the other end is connected back to you via a CAPTCHA which queries unique, unchanging identifiers on your phone. Even if the site you visit never gets this information itself, Google would have the opportunity to process it.
Remember that this is not just a CAPTCHA wrapping around Google’s own services. Online shops and banking websites are among users of reCAPTCHA. Access to essential services could easily be denied to anyone without an ‘approved’ device. Here is a route to debanking which doesn’t even require your bank to turn on you: hardware attestation CAPTCHAs give Big Tech a unilateral veto power over anyone’s online interactions. Google-branded CAPTCHAs are in such widespread use that they might as well qualify as infrastructure, and compromised infrastructure – unlike ill-conceived laws – isn’t something from which people can unilaterally opt out.
Widespread use of hardware attested CAPTCHAs would relegate users of desktops and non-Google, non-Apple phones to second-class citizens, only able to browse the internet with an Apple or Android device to act as their chaperone. By making computing platforms which still respect user freedoms unable to browse without help from Big-Tech-approved smartphones, they could drive down demand for true general-purpose computers. Eventually all that would remain in production would be managed appliances, thin-client systems utterly dependent upon Big Tech subscriptions.
This is happening at the same time as general-purpose computing is under assault from multiple fronts including: the age-verification lobby, the targeting of developers, and sky-rocketing prices for RAM and storage due to AI companies buying up most of the global supply. Some might say that the adage “sufficiently advanced incompetence is indistinguishable from malice” provides a possible explanation for these simultaneous threats, but their combined effect is still to take the power of true computing out of the hands of the people.
Even more terrifying is the technical possibility that hardware attestation could be used at the ISP level to obstruct freedom-respecting devices from ever connecting in the first place, leaving an internet where Big Gov and Big Tech can mandate anything without fearing competitors.
The push for hardware attestation is not new. Microsoft tried it in the early 2000s; it was rejected as “Treacherous Computing”. Google tried to push Web Environment Integrity in 2023. It would have violated the principle that a user should have true control of his or her own computer by letting websites dictate that only users with certain system configurations, such as those optimised to maximally show adverts and make tracking as easy as possible, could access content. It was cancelled after community outcry.
This time Google is using ‘salami tactics’, the earliest hints of the new smartphone-dependent reCAPTCHA appearing online in Autumn 2025 to no fanfare. This has let it evade the attention of cyber-civil-libertarians such as David Davis or Ron Wyden. The wider free speech movement has remained unaware too, but the hopes of Sarah Rogers, US free-speech tsar, to preserve the “spirit of the internet… that made so many favourable contributions to our culture and economy… where you can go to be free” will be dashed if hardware attestation becomes widespread. And this time Google has the advantage that its ‘solution’ could ride to the rescue of Digital ID and age verification initiatives, themselves a lobbied-for ‘solution’ in search of a problem.
As a free-market libertarian, one of the few legitimate purposes I can recognise for national regulators is preventing the growth of monopolies so total that they can lock out alternatives. Alas, today’s regulators seem uninterested in stopping this: Britain’s ‘OFCOMmunists’ are busy trying to ban VPNs and supplying free bedding for Preston Byrne’s hamster, while America’s FCC has tangled itself up with an absurd attempt to ban the import of network routers – something for which the USA has no domestic production lines. The EU is even worse, aiding and abetting these plans by using hardware attestation in its own Digital Identity app. Far from preventing duopolistic abuses of the market, it is harnessing them. The EU’s desire for tech stack sovereignty seems to stop where it would limit its ability to control and coerce its citizens.
The stupidity of allowing hardware attestation to spread is best exemplified by imagining what could befall the EU when – after having become societally dependent upon a Digital Identity app, itself dependent upon a Google-Apple hardware attestation layer – it subsequently does something new to offend Donald Trump. Whilst the resulting collapse would be justly deserved by the technocrats in power, the people on the ground would suffer severely.
A wise politician today would recognise the wisdom of preventing that by creating an internet which would be immune to political interference by virtue of being out of the control of Big Gov and Big Tech right down to the physical layer. He would recognise that sacrificing his own ability to manipulate that network would be more than compensated by the certainty that no geopolitical adversaries could manipulate it against him either. Today, the open-source community does not need anyone’s permission to develop a parallel internet for a parallel society, though the backing of wise politicians would be welcomed. But the platforms on which the community must initially discuss the details and share source code and schematics are still within today’s internet. Wait too long and hardware attestation could weld the escape hatch shut.
Stop Press: Google’s documentation changed during the course of writing this article, adding a highlighted box describing the new CAPTCHA as a “Preview” with alternatives available. Google clearly knows the plans aren’t popular. If enough public attention can be brought to bear against them, they may stay at the preview stage forever.
Dr R P completed a robotics PhD during the global over-reaction to Covid. He spends his time with one eye on an oscilloscope, one hand on a soldering iron and one ear waiting for the latest bad news. He has signed the Together Pledge and will never rely upon Apple, government or Google ‘approved’ devices.
