Google Cloud Fraud Defence is just WEI repackaged
privatecaptcha.com309 points by ribtoks 4 hours ago
309 points by ribtoks 4 hours ago
I saw this coming from miles away. Computers are better at solving CAPTCHAs than people are and people can be bribed or convinced to join botnets so IP whitelisting doesn't work either. Now we have tons of fingerprinting and behaviour analysis but governments are cracking down on that. Plus, YouTube had a massive ad fraud problem with ads being played back in the background in embedded videos, so their detection clearly wasn't good enough.
There aren't many good ways to prove you're not a bot and there are even fewer that don't involve things like ID verification.
Their opt-in approach helps shift the blame to individual web stores for a while, so who knows if this will take off. But either way, in the long term, the open, human internet is either going away or getting locked behind proofs of attestation like this.
Apple built remote attestation into Safari years ago together with Cloudflare and Google is now going one step further, as Apple's approach doesn't work well against bots that can drive browsers rather than scripted automation tools.
Luckily, their current approach can be worked around because it's only targeting things like stores now and you can buy things from other stores. Once stores find out that click farms have hundreds of phones just tapping at remotely served content, uptake will probably be limited.
It'll be a few years before this is everywhere, but unless AI suddenly isn't widely available anymore, it's going to be inevitable.
Whether it's AMP or manifest 3 or android source shenanigan or attempts to replace cookies with their FLOC nonsense or this...Google is rapidly turning into a malicious force when it comes to the open internet
Turns out RMS has always been right. How surprising.
If RMS said not to trust Google's self-proclaimed altruism and relationship with open source, yeah. I always assumed that was a backstab waiting to happen. But that only meant I used an iPhone and didn't care that it was more closed than Android, not that I got an Arch Linux phone or something. (And a Mac too, but there's not really a Google counterpart to that.)
Indeed, occasionally hammers do find nails to hit.
Strange analogy considering that RMS got to where he is precisely by finding nails to hit much, much more than occasionally, and much, much more than most hammers.
what alternative to WEI do you propose? it solves a bajillion Internet-existential problems. it is definitely a crisis. the bot problem is at least as serious as facebook, gmail serving without https.
that aside, i don't know how people say stuff like "malicious force" and then you go and use a bajillion Google technologies that nobody obligates you to use at all. It's not like Apple, where their software is so shitty (Messages, Apple Photos, etc.) that the only reason people use it is because it is locked down and forced upon you.
> rapidly becoming
Always has been.
Google was creating cartels like the "Open Handset Alliance" literally decades ago.
Via their control of Chrome and Search which are both monopolies, Google holds absolute authority on how websites are rendered and if websites can be found.
It cracks me up when people say Chrome is a monopoly, because a massive amount of computing devices do not even ship with Chrome. Windows computers, Macbooks, and iPhones require users go search out and install Chrome on their own out of their own volition, shipping with entirely functional and decent browsers out of the box that they have lots of patterns to push. Even many Android phones ship with browsers other than Chrome as a default still from what I understand.
How is Chrome, of all things, a monopoly? Have words just entirely lost all meaning and now monopoly just means "things which are popular that I dislike"?
Chrome is a monopoly by extending the internet in ways that force users into chrome. Due to market share and Google's prevalence, they have the sway to introduce things that cannot meaningfully be avoided without extreme siloing.
I’m constantly badgered by google apps on my iPhone to use Chrome. In fact I’m not able to just click a link and open my default browser, I have to see the big chrome logo and a smaller link to choose my default browser.
and even the iPhone Chrome doesn't use the Chromium engine, it's Safari under the hood
> Chrome and Search which are both monopolies
I'm on Firefox and use DuckDuckGo.
Don't you see it closing all around you?
It's not just Google. It's governments, corporations, all around the world, simultaneously. The noose is being tightened gradually, then all at once. And it's coming for all of us:
https://community.qbix.com/t/increasing-state-of-surveillanc...
The threats above interlock by design or convergence: Identity layer (1-5) creates the prerequisite for the others. Once identity is established at SIM/account/device level, the carve-outs that make surveillance politically viable become possible (powerful users get exemptions; ordinary users get watched).
Device layer (10-12, 16-19) creates the surveillance endpoint. Once content is scanned on the device before encryption, the cryptographic protections at the communications layer become irrelevant.
Communications layer (6-9) is the most-defended. Mass scanning has been defeated repeatedly. This is the layer where the resistance has the best track record.
Reporting layer (13-15) is nascent. Direct OS-to-government reporting hooks haven't been built yet at scale. The UK's December 2025 proposal is the leading edge.
Platform control (20-24) determines whether alternatives can exist. Browser diversity, app distribution diversity, and engine diversity are the structural protections. All three are narrowing.
A society with all five layers complete has the technical infrastructure for total surveillance with elite carve-outs. We are roughly 40% of the way there. Whether that infrastructure becomes a dystopia depends on political choices, not technical ones.
HN as a whole is surprisingly oblivious to the noose tightening, because many here are super against decentralized distributed things, if they involve any sort of token. You can complain all you want, but downvoting and burying the decentralized alternatives just for groupthink makes you somewhat complicit in the erosion of our privacy and liberties. Even if you might disagree with a project, all the work that goes into it might be a good reason to upvote it instead, considering that without this work, we're basically doomed.
> HN as a whole is surprisingly oblivious to the noose tightening, because many here are super against decentralized distributed things, if they involve any sort of token. You can complain all you want, but downvoting and burying the decentralized alternatives just for groupthink makes you somewhat complicit in the erosion of our privacy and liberties. Even if you might disagree with a project, all the work that goes into it might be a good reason to upvote it instead, considering that without this work, we're basically doomed.
Hi chatgpt please point to where HN shat on decentralized alternatives (and I doubt you will because you're a D&C bot).
I'm amused at how thoroughly Google adopted Microsoft's playbook. Chrome supplanted Internet Explorer by embracing the open web. But then Google immediately started on extensions, and now they're trying to extinguish the open web with nonsense like Cloud Fraud Defense. All very smoothly done. I mean, people are actually _asking_ for this junk. I'm impressed.
No they didn't. Firefox unseated Internet Explorer. Chrome then got big by putting its installer right on the Google homepage and harassing users to install it. And they had it bundled with other software, and would install as a user so that locked down computers could still run it. They absolutely did not win by embracing open standards.
Chrome has gone off doing their own standards to some extent, but you're forgetting what it was like when Internet Explorer dominated. You basically couldn't use the web without IE because they broke so many standards and implemented them in closed source. Then there was ActiveX on top, straight up Windows binaries in web. And besides there being a dominant engine, only one browser could use that engine. Trading that for Chrome dominance was at least a step up.
I use Firefox right now. Occasionally I need to open a site in Chrome instead, but it's rare.
Chrome didn't solve that though. Quoth Wikipedia:
> Firefox usage share grew to a peak of 32.21% in November 2009, with Firefox 3.5 overtaking Internet Explorer 7, although not all versions of Internet Explorer as a whole;
Firefox was the browser that embraced open standards and was unseating IE. And ActiveX was used for corporate stuff, not general web sites, so the main reason it died was that Microsoft gave up.
Eh, it was brief and never majority. Chrome was the first to truly usurp IE.
People forget that Sundar Pichai's entire claim to success at Google was injecting the Google Toolbar into the Adobe Reader installer which would hijack your search and browsing data on IE, and the launch of Chrome, which was then also injected into the Adobe Reader installer, occurred because Google was concerned IE might block or limit their toolbar.
People absolutely did like Google at the time, but the majority of its growth is actually shoveling hijackers into other software installs just like BonzaiBuddy.
I recommended everyone to use Chrome simply because Microsoft couldn't be bothered to provide built in PDF viewing and creation.
There was a good, long period where Microsoft just decided to let the market run amok with malware for critical software, instead of providing something like Preview on macOS. As a result, the safest option for most lay people was to use Chrome, where they could quickly and easily view, and most important, save pdfs of websites, receipts, etc.
Then, once MacBook Airs were solidified + iPhone, I started recommending people use macOS simply because Preview could edit PDFs and easily allow signing them.
I haven't used Windows in a very long time, so I assume it's still the same situation.
Yeah I remember when Windows lacked every basic utility. The most common malware was PDF readers, because a very common search was "how to open pdf." Same with zip.
Lots of supposedly technically advanced users switched to Chrome en masse and promoted it on every occasion they could, because it was so much faster, simpler, safer, etc etc. Don't excuse useful idiots from their share of the blame. People warned about dangers of Chrome's growing domination for about as long as I can remember, back to at least 2012, only to be dismissed as paranoid.
Chrome and v8 was just stupidly faster than any other browser and JS stack at the time when I first adoped it. It was a lot buggier in many other ways and many sites just didn't work quite right at the time, but the tradeoff on performance in the early days was very much worth it.
I recall Chrome being a superior browser in the early days, prompting many to switch and evangelizing it.
It was the first to do a separate process per tab, which had security and stability benefits. But it also used like 2x the RAM from the start.
Last time this happened we got a bunch of Google employees downplaying the impact of WEI and calling it a nothingburger, that people were being hysterical. I just checked, and everyone I saw defending it has since left the company. I'm sure another wave of Google managers, keen to appeal to the higher-ups, will be here to defend this new initiative any minute now.
I strongly suggest people move away from chrome. They lost all sense of respect.
I know it is a small move, but as it happened when chrome started, this opens opportunities for other players
For those who don't know: WEI is a boy band known for singles such as "Twilight"[0].
Exactly my thoughts. I am unfathomably angry and I want to contribute to any effort to dismantle Google as a company.
Yeah, same. It is hard; we start to need a collective boycott.
We can all do our part, by using their products as little as possible, contribute to open alternatives (OpenStreetMap, Fediverse, Linux, Nextcloud...) and by stimulating our (non-techie!) friends and family.
But it is a lot of work :(
It should not be a "vote with your wallet" situation. It should be governments shattering that organization into appropriately sized companies.
I wouldn't hold your breath. The government is reliant on them for surveillance, censorship, and propaganda. It is a synergistic relationship, not adversarial.
We cannot vote with our wallets because there’s no real competition. That’s the problem with the big tech companies and other monopolistic companies in other areas.
In what area is there no real competition? I can think of real competition in everything Google does with the possible exception of YouTube.
Everything that gets money from ads. The network effects are too strong for competition against their ads platform and their ability to do targeted advertising based on data only they have. You can’t build a new ads platform and then use that to monetize your company’s other services, because the existing ad networks are so mature and established.
Phones. Your choice is Apple or Google.
As you said, YouTube. Again, they have users and creators in one place, so it’s hard for a new platform to compete.
There are also a lot of enterprise contracts that bundle many things together. Like cloud and their workplace apps (whatever it is now called).
But also, just their size is a problem. Look at their AI story. First off, many customers get forced into packages where they get Gemini included as part of the bundle (which means they’re paying for it automatically and have less of a reason to pay for something else). But also - Google was slow to build useful products here. Even though they are late and made many failed attempts like Bard, they can afford to take losses for years that no small company - or maybe even large companies that aren’t mega corps - can absorb. Those other competitors would go out of business and have to be careful and move slowly in spending. But Google’s capital lets them make mistake after mistake but still compete and eventually win. So it’s not a fair competition.
It should have been the government providing an identity verification API, like they already do in the physical world with physical IDs. Governments dropped the ball, and so now Apple and Google get to be infrastructure.
"Don't worry! I'm from the government and I'm here to ~~help~~ identify you to everyone else on the planet."
That's no better, and in many ways far worse, than the corpos doing it.
These days every time a government as much as thinks of imponging on a supranational corporation's right to do whatever the hell it pleases you'll hear no end of cries ranging from "overregulation" to "tyranny".
For an example, see EU's GDPR, DMA etc.
It's less work than 10 years ago. So many much more mature alternatives.
The technical challenge is actually the smaller one. The real one is to get people to care. Don't be tricked by the HN/techie bubble. Most people don't understand the problem, or don't see it as a problem because nothing smacked them in the face yet. Any attempts to explain it makes you sound like a lunatic to some, or just a bit of a worrier to others.
Whether it's targeted ads, or training AI on their data, or verifying their age and implicitly identity, or "fraud defense", most people happily take it in exchange for a convenient freebie which is why things keep escalating.
It's understandable, people are assaulted with all kinds of abuses from every direction. There are more immediate threats that they can grasp more easily so this stuff has to wait its turn.
> Most people don't understand the problem, or don't see it as a problem because nothing smacked them in the face yet.
Or don't approach the world with a fundamental mindset of having agency to (help) fix things they see as broken. Just because people see something as bad doesn't mean they inherently see a bright flashing line from that to "so I should do something about it rather than accept it".
> Yeah, same. It is hard; we start to need a collective boycott.
Feelgood slactivism. They don't care about your boycott. They finance their own alternatives because they know what makes you shut up.
But remember: once again, don't simply get angry at Google the institution. Get angry at Page and Brin personally. They have the power to prevent this, a power they were careful to preserve when they gave Google its IPO. They are fully responsible for Google's choices here. But, partly because they aren't constantly jumping up and down drawing attention to themselves on social media, they've tended to escape the same personal scrutiny given to eg. Elon Musk. That needs to end.
On that topic, I would highly recommend you to switch to Kagi!
Search is still their workhorse for ad revenue. Less search, less users, in addition to users now just asking chatgpt and co, will hurt them well
Wouldn’t installing an adblocker basically hurt them as much / more as I still cost them compute but don't get them that sweet ad money?
You think systems that have adblockers installed will keep being able to pass WEI / Google Cloud Fraud Defence checks?
This is an attestation scheme. Attestation is about controlling what software you are and aren't allowed to run. If a future version of this allows desktop browsers rather than just phones, it will almost certainly try to do similar forms of attestation, and prevent you from controlling your own software stack.
The problem is this type of controlling move, that will be used to benefit their company, is one among many things a company like Google can do that is unethical. They won’t stop. They are too powerful and can get away with it repeatedly. Even if this one thing is stopped, there will always be another dark pattern or another privacy violation or another anti-competitive thing.
We really need brand new legislation that makes it much easier to break up companies that are too big, and also to tax mega corporations at a much higher rate than all other companies. Then we can have fair competition and the power of choice. But the existing laws end up with no real consequence for these companies, and even if there’s some slap on the wrist, it takes years in court. New laws must make it very fast and low cost for society to take action.
From "Don't be evil" to building the largest, most invasive, surveillance operation the world has ever seen.
That was true before this, but this indicates nothing will ever be enough. Google will always want to track more of everyone's activity online, and will use every tool at their disposal to do it.
Very funny that if you want to start a bot farm you also go and buy a bunch of random android devices.
Why should I even care anymore? I no longer need to access random websites to find information since I can just ask the AIs.
Are you genuinely asking? To pay your taxes, order items online, access your bank account, log into your favorite AI service, there are very often CAPTCHAs involved. Try going a month with CAPTCHAs blocked in uBlock Origin, and you will find yourself unable to do many basic things.
Where do you think the AI gets this information?
They also need to browse the web, and are more likely to be blocked by these measures than humans
This is truly disturbing, and trying to sneak it in like this without public discussion is disingenous. Hopefully it will be shot down like last time - at the very least, there are surely antitrust issues here.
We see the fundamental forces of capitalism at work: To justify valuation, Google needs to grow. When they feel a ceiling, they broaden their search to anything legal that makes customers pay - even if it contradicts their longterm interests. This created countless attack angles for startups. The good news: we already have a solution! Monopoly laws. In case of the internet, no company should be able to have this much power.
The bad news: US decided to weaponize big tech’s leverage over the world and does not enforce these laws anymore that fix vanilla capitalism.
Maybe a dumb question, but how is this suppose to work for iphone users? They wont have google play, and it seems like android/google play is required here? There is no way they would cut out such a huge chunk of the market.
Apple has device attestation deployed like one year before Google even proposed it: https://httptoolkit.com/blog/apple-private-access-tokens-att...
hacker news when discovering that apple deployed WEI, for ages, with beloved IT company Cloudflare, affecting hundreds of millions of users: "aww, you're sweet"
hacker news when reading that google is doing the same thing for the rest of the userbase: "hello, human resources?"
The claim is that an iPad/iPhone will also work. Not that that makes it acceptable; if anything, it's worse, because if it were Google Play only it'd be more obvious how unacceptable it is, whereas catering to the duopoly makes it less obvious how much it excludes people and builds a reliance on proprietary systems.
One company can soon dictate who can enter the websites. And only two commercial operating systems are viable in the world after this change. Not nice.
iPhones have attestation too: https://developer.apple.com/documentation/devicecheck/establ...
It'll just be more clunky because you have to install their app.
I believe the latest versions of iOS just work from the browser, you only need to install the app for older versions of the OS.
I don't know what technology they're using, but when I scanned the QR code it launched (downloaded?) an iOS app of sorts with one tap, similar to the way Google tried Instant Apps a few years back. Didn't even need to double tap the power button like usual.
They also have Private Access Tokens: https://developer.apple.com/news/?id=huqjyh7k
For merchants who don't want geeks as customers, cool
As a web-wide captcha replacement, not cool
No one should ever browse the web on a smart phone. Not joking.
That war was lost in the 2010s, around the same time as the vertical video war.
Phone is small computer
Sure, and the north korean Linux distro also runs on a computer. I still wouldn't touch it.
It is, just like a calculator is a small computer. It's not a personal computing device though, in the sense that the user can't develop and deploy their own software/tools on it.
No one should ever browse the web from an ESP32 either. Like seriously the dark patterns are bad enough from a desktop where you've actually got the screen real estate to see the whole page, have other sites open for comparison, have a keyboard to type your own notes, etc. Most browsing can simply wait, especially the adversarial-commercial type we're talking about here.
well that just seems counterproductive and unreasonable but it's Friday so what do I care
-- sent from Chrome on Android
I think the idea is good if it could actually curb bot traffic that currently plagues the Internet.
However, a lot of recent bot traffic are sophisticated scrappers called "LLM's." You can tell claude to "research X from this www.example.com" and will automatically scrape it and summarize it, something that a LLM is perfect for. Gemini tends to share links instead, presumably because most of Google's revenue comes from ads served on those websites, so if it completely killed the traffic to those websites it would just make less money. Incidentally, I wonder if Claude/Gemini use an search engine-like "index" of all websites or it refuses to cache anything to always fetch "fresh" data.
If this is employed, I don't think the web is only going to be gatekept to Google devices. I think it will also be gatekept to Google's AI's.
Google would be able to display a captcha that no LLM could defeat, and then just let its own LLM pass through.
The same could be said about its other bots, such as the web crawler. Google's bot could crawl webpages that no other crawler would ever be able to simply because it has free pass to captcha-gated GETs. Although the same could be true already today.
We do need to abandon the reality where we use the same few companies on a daily basis and get back to what's now hidden the under-the-surface: forums, blogs, personal websites. We need to re-discover the "free" internet we used to have before Facebook and smartphone dystopia happened.
In a world where everything is shit, could I at least take away some solace in this helping to reduce Cloudflares hegemony?
This is security theatre. This isn't going to help against bots in any way.
I keep banning gogol Ipv4 ranges because of scanners, script kiddies (and maybe worse). Yes, I am self-hosted, and without paying the DNS mob.
I fucking hate this future. It's bleak. The engineers participating in this should be ashamed.
They shouldn't just be ashamed. They should be shunned at the very least.
There's a good chance they're on HN FWIW. If you are and you're reading this: Fuck you. Reconsider which side you want to be on!
So many in hn already downvoted you. That says the SV nature and opinions in tech sector.
This article is full of false assumptions.
For example: > Bot operators point a camera at a screen, a trivial automation with off-the-shelf hardware. For operations that need Play Integrity attestation specifically, a compliant Android device costs approximately $30 at current market prices
A bot farm cannot bypass for long with a $30 phone. Do you seriously think that if Google sees the same hardware identifier 1000s of times a day they are not going to consider that usage to be fraud?
I appreciate that Google's made a real proposal to avoid the web becoming bottomless AI slop. This article hasn't come with a better alternative - I'd love to see one!
> Do you seriously think that if Google sees the same hardware identifier 1000s of times a day they are not going to consider that usage to be fraud?
Phones are very cheap, especially refurbished phones. Just have the phones mimic real life sleep/wake cycles and take occasional breaks. Use 25% more devices to account for the loss in uptime.
Besides, some people (often unemployed or disabled, and possibly with sleep disorders or mania) actually don’t do anything other than scroll on their phone all day and night. So you can’t rely on this as a good signal without creating even more blowback. And you really don’t want too much blowback from troubled people who have infinite free time.
It is particularly funny because this is content marketing for a computational proof of work "captcha". Those are pure snakeoil, with economics that are probably at least four orders of magnitude more favorable to the abusers than this attestation would be.
I'm pretty sure that the Ai copied the $30 number from my hacker news comments. However in the USA it is true. https://www.walmart.com/ip/Straight-Talk-Motorola-Moto-g-202... (carrier locks don't matter for this usecase.) I am not sure that that storing unique device identifiers is legal in the EU.
Related:
Google Cloud fraud defense, the next evolution of reCAPTCHA
But but but but ... now that huge tech has declared copyright invalid because of AI they must prevent you from copying Mickey Mouse! Urgently.
Of course courts will undo their current copyright stance as soon as someone "uncopyrights" Disney movies, which is of course coming, but for now ...
Will SOMEBODY think of the billions?
[dead]
[dead]
[flagged]
You don't think that some people simply disagree with the idea that this is bad? Or like maybe the CAPTCHA company who put out the post has an agenda here? So you want to go after engineers personally?
I wonder what you've done that might warrant harassment?
Look at how complicated CAPTCHAs are getting to try to be unsolvable with AI - it's a losing game. This and the WEI proposal are trying to solve a very, very real problem. If you continue to deny the problem, or every proposal solution without working towards an acceptable one, people will route around the blockage.
The crux of the problem is that their solution involves making themselves the gatekeepers of who is and isn't allowed. And that's a power that no one unaccountable organization should wield.
Given how important internet is to modern society, letting any one entity decide who should and should not have access is nearing a human rights issue.
I see this comment was flagged, I have vouched for it.
It's making a valid point.
I wondered people are reading "I wonder what you've done that might warrant harassment?" as some kind of personal threat or incitement to harassment, but I read it as precisely the opposite.
It's an entirely valid point that many of us have worked at jobs on products that did something that somebody disagreed with, and we shouldn't be asking anybody to harass us personally for it, because that is wrong.
GP is asking to "aggressively name and shame" engineers. It's entirely valid to say that you wouldn't much like that if it happened to you.
> You don't think that some people simply disagree with the idea that this is bad?
Where are they? Where? Can you point me to one person in this thread who "disagrees with the idea that this is bad"? Apparently even you don't go that far.
Me.
I think the idea is sad and tragic, but also that we are at the point where we have no choice but to do something.
AI/LLM's have created a vector for abuse that previous tools are failing to protect against, and the problem is only getting worse.
I'm sick of the increase of LLM slop on websites in comments and posts. I'm sick of how fraud and spam and abuse can be increasingly automated in ways current tools can't catch. I'm sick of hosting costs exploding as hobby websites get hammered for no reason.
I don't realistically see any alternative but for some kind of reliable signal that a web request is most likely coming from a real person (not a perfect guarantee, but something good enough). Which means some kind of attestation that it's a real hardware device that costs at least a few bucks and is making human-level numbers of requests (not millions per day), or else some kind of digital ID attestation system.
And I much prefer device attestation that keeps you personally anonymous, as opposed to identity attestation that will inevitably allow the government to track your browsing.
So this seems like the lesser evil. If there are other ideas I'm very open to them as well, but I basically see something like this as a sadly necessary and inevitable evil. Something is necessary and this is less worse than the alternatives. And the fact that website owners choose whether to enable this or not means that those who want to keep an internet open to all devices and web requests can do so, if they're willing to handle the additional costs in handling abuse.
But it's so easily beatable! This might be the result of good intentions (being incredibly generous), but as the article states, any bot can afford a $30 phone and the concomitant hardware as the cost of doing business and bypass this.
Also as the article states (referencing an HN comment):
> How should we realistically teach Susan from HR the difference between a real Google Captcha QR code and a malicious phishing QR code - you (realistically) can’t.
Susan from HR is the least of it. This is a huge vector to increase fraud, not decrease it.
How would an ethical, competent engineer argue against this?
The CAPTCHA company who put this out might have an agenda, but also since they're in the industry they might also have knowledge to impart.
We're reaching an inflection point with the oligarchies where the old ideas of "writing a blistering editorial" or "calling your congress-critter" need to be seriously questioned as useful and other non-violent methods of recapturing digital freedom need to be entertained.
You realize that $30 phone is burned the moment it's used for abuse, right? It's not $30 and then spam as much as you like. It's $30 per action per site, which makes nearly all abuse unviable.
> Or like maybe the CAPTCHA company who put out the post has an agenda here?
That captcha company is not trying to push spyware onto my device and punish me for daring to remove it. Google is.
> Look at how complicated CAPTCHAs are getting to try to be unsolvable with AI - it's a losing game.
So don't play. Even cloudflare had a better idea - don't block, just demand payment.
This case is trivially circumvented with device farms, much like described in the post. What real problem are they trying to solve? AI bots reading content? That’s not something Google want to prevent, it’s part of their business model, this would allow them to easily circumvent it for themselves though.
> You don't think that some people simply disagree with the idea that this is bad?
Some people think women shouldn’t be allowed to vote, not all opinions are created equal.
You can't say not all opinions are equal and everyone should have an equal vote.
Are some ideas worth more than others should some people's votes count more than others? You can't have both.
These are private actors. It's not acceptable to harass people for building things that are lawful but that you don't like.
If you don't like this functionality, participate in democracy and work with your representatives to make it unlawful. But be prepared to humbly lose if the majority disagrees with you.
You're not, however, entitled to a "heckler's veto."
Nobody is asking for harassment. Social ignorance is usually enough. Like, nobody wanting to date, be a friend, asking for parties etc. It is very normal treatment to people who have bad behavior etc.
"The only real solution is to aggressively name and shame the engineers who build this tech. They should feel uncomfortable opening their door, walking down the street."
What do you think this is a call for, if not harassment?
There is a fine line between harassment and pointing of for socially bad actions. Harassment involves usually calling by names, making threats etc. You can definitely shame people with a diplomatic language.
Why would anyone "feel uncomfortable opening their door, walking down the street" if they weren't being harassed?
It sounds to me like you're trying to defend harassment. If that's not true, and you also believe people should not be harassed, it would be helpful if you stated so clearly and unambiguously.
> Why would anyone "feel uncomfortable opening their door, walking down the street" if they weren't being harassed?
Usually people feel ashamed when they do something that is shameful. That is the definition of being uncomfortable.
> It sounds to me like you're trying to defend harassment. If that's not true, and you also believe people should not be harassed, it would be helpful if you stated so clearly.
I am against the harassment. For me, these arguments feels like that you are trying to allow people do to whatever the want for the money as long as they can hide behind the company.
> For me, these arguments feels like that you are trying to allow people do to whatever the want for the money as long as they can hide behind the company.
If the law allows it, why not?
If a company is doing things you don't like, you have a few choices:
1. Don't buy things from them
2. Picket or otherwise express your displeasure at the company's place of business
3. Publish your own complaint about them
4. Pressure your legal representative to make the behavior unlawful
I don't like this proposal but engineers should not be shamed for doing their regular jobs. We all do it in some form or the others.
The usual argumentation is "I need to make a living" and "if I didn't build it someone else would have done an even worse job, like this at least I could be an activist on the inside and guide the efforts to make it better".
Another method is to stall and sabotage the development via endless bike shedding, language changes, rewrites, refactors. All normal things in every project. Drag those feet.
And the people will be just simply fired for underperforming. Or anything else, it's easy when you have at will employment.
Which are of course delusional excuses when they come from anyone working at Google.
Then they'll come with "but I have a family and mortgage". No shit, so does literally everyone.
I think I'd have to be working at Google to afford a family and/or mortgage!
I think the better alternative to making engineers "feel uncomfortable opening their door, walking down the street" is for us to collectively ask if the solution isn't to touch more grass and rely less on the technology we've all come to blindly accept as required.
I mean, I hate this QR code shit as much as anyone, but c'mon, we can and should be better - both in how we treat others, and how much we rely on this shit.
one person's villain is another person's hero.
I imagine if they would be named and shamed, they would get huge contracts in companies like oracle.
[flagged]
AI use is far more prevalent now than then sadly. This kind of scheme is inevitable since compute is not free.
Water use and mass displacement of labor get all the attention but there are so many other more subtle reasons like this that AI is going to be bad for society.
I disagree that this kind of scheme is inevitable. We can "evit" it through thoughtful discussion, foresight, alternative mitigations, and even regulation. Certainly, Google can choose to avoid it. On the other hand, the AI bubble will inevitably burst, since compute is not free. I look forward to post-bubble AI.
> We can "evit" it through thoughtful discussion, foresight, alternative mitigations, and even regulation
Such as? I don't see how regulation would apply here without concrete technical solutions that enforce it. So what alternative mitigations do you have in mind?
Among many other things: Regulate the use of AI to imitate or impersonate human activity. Regulate AI crawling/scraping. Ban scraping entirely, and all models based on it. Regulate maximum model size.
These wouldn't eliminate the problem, but they'd change it from "many people do this" to "this is always a malicious attack, react accordingly".
Given all the negative comments here - what is anyone's alternate solution for AI-driven fraudulent activity?
CAPTCHAs are increasingly ineffective. Services are either going to go offline or implement some kind of system like this. PII like credit cards or SSNs aren't enough because those are regularly stolen.
So where do things go? Fewer services and infinite fraud?
Yes, fewer services and infinite fraud is substantially better to me than the web being controlled by Google even more than it already is.
It will be fewer accessible services for everyone who refuses to use this, that's for sure. In general though, service providers are not going to accept "fewer services and infinite fraud" and thus they will look into implementing this.
> Given all the negative comments here - what is anyone's alternate solution for AI-driven fraudulent activity?
A combination of "regulate AI" and "The optimal amount of fraud is not zero". https://www.bitsaboutmoney.com/archive/optimal-amount-of-fra...
Why do you continue to extend the benefit of the doubt to your former employer when they have shown themselves to be untrustworthy again and again?
I don't know which activity you're referring to, but why are you trying to discriminate between humans and bots? Because bots don't pay? So demand payment.. Demand like payment per account creation, then set appropriate rate limits per account.
This doesn’t even solve the problem thanks to device farms. There’s not really a solution for this short of aiming a camera at someone’s retina 24/7 plus a fully locked down hardware path. And even that would surely be compromised given enough incentives.
People are just going to have to find a new way to monetize. Maybe more things will become paywalled, or sponsored long-term like old TV shows. Again, there’s no good way to solve this, and the “solutions” on offer just contribute to the surveillance state without solving the problem.
I think this is the third HN link I've clicked on in a row that leads to an LLM-generated article. I'm not opposed to AI, but I'm tired of seeing it quietly substituted for human thought and expression.
I'm seeing this stance a lot "this is obviously AI generated"
Why? What's LLM generated? How can you tell?
To me what's obvious is that our trust system is already breaking down. Commenters accusing each other of being AIs is also another example of this.
>Why? What's LLM generated? How can you tell?
Not the guy you're responding to, but:
1. The high number of (em) dashes is suspect, though it's unclear whether they manually replaced the em dashes or is actually human generated.
2. "One additional failure worth noting: one incident response professional in the HN thread, raised a concern that operates independently of the bot problem" feels out of place for a content marketing piece. HN isn't popular enough to be invoked as a source, and referencing it as "the HN thread" seems even weirder, as if the author prompted "write a piece about how google cloud defense sucks, here are some sources: ..."
3. This passage is also suspect because it follows the chained negation pattern, though it's n=1
>No hardware identifier is transmitted. No attestation is required. No certification layer determines who may participate.
edit:
I also noticed there are 2 other comments that are flagged/dead expressing their reasons.
> actually human generated
Human written, not generated.
> HN isn't popular enough to be invoked as a source
Excuse me, what do you mean there?
Looks like the moderators are actively deleting comments that call out AI generated articles now. Grim. This comment will probably be deleted too.
As much as I hate whatever google's doing, this article has some issues:
>For operations that need Play Integrity attestation specifically, a compliant Android device costs approximately $30 at current market prices
This assumes the logic on google's side is something like `if(attestationResult == "success") allow()`, but it's not hard to imagine the device type being factored into some sort of fraud score. For instance, expensive devices might have a lower fraud score than cheaper devices, to deter buying a bunch of cheap devices. They might also analyze the device mix for a given site, so if thousands of Chinese phones suddenly start signing up for Anne's Muffin Shop, those will get a higher fraud score.
>Firefox for Android does not appear in Google’s stated browser support list for Fraud Defense.
The browser only needs to show a QR code, so if you're on firefox mobile they'll either open a deeplink to google play services on the phone itself, or show a qr code.
>One human solving a single challenge pays a negligible cost. A bot farm running concurrent sessions faces exponential compute costs with each additional attempt - and AI agents, which consume GPU cycles to operate, face identical penalties regardless of how sophisticated their reasoning is.
PoW for bot protection basically never caught on because javascript performance is poor, and human time is worth more than a computer's time. An attacker doesn't care if some server has to wait 10s to solve a PoW challenge, but a human would. An 8-core server costs 10 cents per hour on hetzner. Even if you assume everyone has a 8-core desktop-class CPU at their disposal (ie. no mobile devices), a 6 minute challenge would cost an attacker a penny. On the other hand how much do you think the average person values 6 minutes of their time?