Google Cloud Fraud Defence is just WEI repackaged

13 hours ago
  • #device attestation
  • #web privacy
  • #Google Cloud Fraud Defense
  • Google launched Google Cloud Fraud Defense in May 2026, a new system replacing reCAPTCHA with a QR code challenge to verify human presence via smartphone.
  • This system relies on device attestation through the Google Play Integrity API, which requires certified hardware such as modern Android devices with Google Play Services, or iOS devices, effectively resurrecting the controversial Web Environment Integrity (WEI) proposal from 2023.
  • Critics argue it centralizes control over web access, excluding privacy-focused users (e.g., those on GrapheneOS, LineageOS for microG, or Firefox) and creating a tracking mechanism that logs device-site interactions.
  • The QR challenge is vulnerable to bots through simple automation and raises phishing risks by training users to scan codes indiscriminately.
  • Unlike bounded systems (e.g., Estonia's Smart ID), Fraud Defense applies attestation to the open web without user consent or transparency, potentially undermining privacy and accessibility.
  • Alternative solutions like proof-of-work systems (e.g., Private Captcha) offer bot resistance without hardware dependencies or tracking, but Google's commercial rollout bypassed the public scrutiny that WEI faced.
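
To make the proof-of-work alternative in the last point concrete, here is an added example (not code from the article, from Google, or from Private Captcha) of a generic hashcash-style challenge. The function names, the 16-bit difficulty, the 120-second lifetime and the in-memory replay set are assumptions chosen for illustration; the challenge carries no device or user identifier.

```python
import hashlib, hmac, os, time

SERVER_KEY = os.urandom(32)   # per-deployment secret (constructed for this example)
DIFFICULTY_BITS = 16          # assumed work factor: ~65k hashes on average
TTL_SECONDS = 120             # assumed challenge lifetime
_seen = set()                 # salts already redeemed (replay guard)

def issue_challenge(now=None):
    """Server: signed challenge containing only salt, issue time and difficulty."""
    now = int(time.time() if now is None else now)
    body = f"{os.urandom(16).hex()}:{now}:{DIFFICULTY_BITS}"
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{tag}"

def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve(challenge):
    """Client: search for a nonce; expected cost doubles per difficulty bit."""
    bits = int(challenge.split(":")[2])
    nonce = 0
    while True:
        d = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
        if leading_zero_bits(d) >= bits:
            return nonce
        nonce += 1

def verify(challenge, nonce, now=None):
    """Server: one HMAC and one hash, regardless of difficulty."""
    now = int(time.time() if now is None else now)
    try:
        salt, issued, bits, tag = challenge.split(":")
        issued, bits = int(issued), int(bits)
    except ValueError:
        return False                                  # malformed challenge
    body = f"{salt}:{issued}:{bits}"
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False                                  # forged or altered (e.g. lowered difficulty)
    if not 0 <= now - issued <= TTL_SECONDS:
        return False                                  # expired or future-dated
    if salt in _seen:
        return False                                  # solution already redeemed
    d = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
    if leading_zero_bits(d) < bits:
        return False                                  # work not done
    _seen.add(salt)
    return True
```

The HMAC tag is what stops a client from lowering the difficulty field, and the replay set is what stops one solved challenge from being reused across requests.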