by coppsilgold 42 days ago
My understanding is that this new reCAPTCHA is basically just remote attestation.

Remote attestation doesn't use blind signatures (as that would be 'farmable') so tying the device to the 'attestee' is technically possible with collusion of Google servers: EK (static burned-in private key) -> AIK (ephemeral identity key in secure enclave signed by a Google server) -> attestation (signed by AIK). As you can see if the Google server logs EK -> AIK conversions an attestation can be trivially traced to your device's EK. This is also why we don't really see and probably never will see online services which offer fake remote attestations, as it will be pretty obvious that the next step of running such a service is getting Google as a customer and having all your devices blacklisted. Private farms probably won't last long either as I'm sure Google logs everything and will correlate.

Unless something special is done with this new reCAPTCHA not only are you locking internet services behind TPM chips but you are also surrendering anonymity to Google. Unless you acquire untraceable burners for every service, the new reCAPTCHA will be technically capable of tying all your accounts across all these services together. Much like age verification. It may appear that the service would need to cooperate to link the reCAPTCHA session to your registration but the registration time alone will likely be sufficient (the anonymity set will be all but destroyed).


worth noting that google/twitter/facebook/reddit/others colluded to combine sessions, identifiers, so that any person getting identified on any one session / ip would be identified on all

so while this comment is apt, i would ask them what they think of the previous chicxulub impact of the 2012 era collusion - which to this day has not been reported on

(just realized emacs bindings work in comments, nice, no ctrl-x tho)

> (just realized emacs bindings work in comments, nice, no ctrl-x tho)

Are you using macOS? If so, those keybindings work everywhere.

As far as I can tell, Hacker News doesn't impose any custom keybindings (the client-side scripting on this site[0] is very simple).

[0]: https://news.ycombinator.com/hn.js

Emacs bindings also work on Linux in GTK apps, if you enable them:

  gsettings set org.gnome.desktop.interface gtk-key-theme "Emacs"
If you make Qt follow GTK settings, they also work in many Qt apps, but in a more limited way.
I was going to ask for more info on this collusion but you say it wasn't reported. And googling "chicxulub" just gives a volcano.

Is this speculation, or has it been confirmed somewhere?

"Chicxulub impact" seems to be functioning as a bit of hyperbole to imply that this collusion was absolutely devastating, by analogy to the K-T extinction event 66 million years ago.

Not that I really can tell what this was devastating to. Maybe United States v. Apple (2012), where Hachette Book Group, Inc., HarperCollins publishers, Macmillan publishers, Penguin Group, Inc., and Simon & Schuster, Inc. conspired with Apple to raise ebook prices?

I can't say for sure, but is it possible they're referring to the founding of the Internet Association in 2012?[0]

I don't think it's that, because the Wikipedia article makes it seem like it was a force for good, but at the time, it wasn't certain at all that it would be that way.[1]

Beyond that, I'm not exactly sure what might be meant.

[0] https://en.wikipedia.org/wiki/Internet_Association

[1] https://reddit.com/r/technology/comments/xs4qw/google_facebo...

Colluded how?
By exchanging and correlating data presumably? For example, anything I send or receive on Discord, I see reflected in my YouTube recommendations shortly after. It's downright egregious at times.
Most likely it's just run of the mill Google analytics/adsense tags in discord. Don't forget that discord is web tech and loads all kinds of JS bundles – including trackers. The best solution is to stop using discord, but the second best solution is to only use the web app version of Discord. When you use the web app, you can install adblock and anti-tracking extensions. The amount of data that Discord sends which gets blocked by these extensions is eye opening.
If you run a website, it seems trivial to forward the attestation to someone else by putting the same code up on your website, and getting their device banned from google instead of your own.
The domain in the attestation would be yours, so that wouldn't work
How would the phone camera know the domain name of the website displaying the QR code it's scanning?
The camera isn't the part doing that verification. The google service serving that "reCAPTCHA" is what's doing that validation. Unless you're using a custom browser that is reporting a different domain to google than the one requesting the reCAPTCHA, google's service will know which domain is which.
How does the verification app on your phone know what's in the URL bar on your desktop?
The QR code/URL would be generated/requested by the javascript running on the website you're viewing, which knows what's in your address bar.
After you scan the code, the verification app asks you "do you want to verify for example.com?"
If you don't verify for example.com you won't be allowed to view example2.com. So do you want to or not?
Some people will notice, some will not
Realistically, what Google will do in such a scenario is collect data about the illicit service, enumerate the devices the farm uses and what other activities the devices participate in. What you suggested has far less control over the devices that generate the attestations and it will show.

Also, if the implementation is competently done the phone will show the website for which you scanned the QR code. A user would be able to see whether or not that matches the site where they observed the QR code and proceed accordingly. In time Google will probably integrate it into the Chrome browser where a proxied QR code cannot even be shown.

> My understanding is that this new reCAPTCHA is basically just remote attestation.

Yes, somehow "parse this QR code" would not have made my top 500,000 list of 'tasks that a human can do more effectively than a computer'.

I'm sure some people still remember how to mentally decode QR codes and verify ECDSA signatures from Covid days. Public transit ticket inspectors in my city also seem to be quite proficient at it :)
> Much like age verification

Age verification as a technical concept can be done in a privacy-preserving manner! Whether or not we want age verification is another debate, but let's stop making wrong technical claims about that: it doesn't help.

Really, how?

At some point someone will need to issue a key, which at some point will need to be verified against known good signatures.

These signatures will also need to be kept in case of lawsuits/enforcement, so if somebody gets access they will know you visited that site

The trick is to define "privacy-preserving age verification" in an extremely narrow way that ignores any other privacy concerns.

For example, imagine you put the same private key into the 'secure element' of every single iphone. You use code signing so that key is only unlocked when the phone is running unmodified iOS with all security updates. You use encryption and remote attestation for the front-facing camera and face id depth sensor. You use NFC to read government-authenticated age and appearance data from biometric passport chips (or digital ID cards) and you store it on-device.

Then, when you want to access pornhub, they send an age challenge to your device, your device makes sure your face matches the stored passport, and if so it signs the challenge with the private key.

Pornhub gets an Apple-signed attestation of age - but because every phone signs challenges with the same private key, Pornhub can't link it to a particular phone or identity document.

So in a very narrow sense, privacy is preserved.

You can't use someone else's ID, as it checks your face every time. You can't fool it with a photo of the person because of the depth sensor. You can't MITM/replay the camera/depth data because the link is encrypted. You can't substitute software that skips the check with a rooted phone because of the code signing. Security holes can be closed by just pushing a mandatory OS update.

Sure, it doesn't work on PCs. Doesn't work on Linux, or on unlocked/rooted phones. It hands users' government ID documents over to Google and Apple. It requires people to carry foreign-made, battery powered, network connected GPS trackers (with cameras, microphones and speech recognition) with them. And there are non-negotiable terms of service everyone must agree to. But if you define "privacy-preserving" to ignore all that stuff and only consider whether Pornhub learns your identity, it's privacy-preserving.

All so kids can't access PornHub?

Jesus Christ.

14 year old me ran into porn on the internet all the time. It didn't turn me into a serial killer.

Meanwhile we let kids have exposure to algorithms that pervert their sense of self worth, get them addicted to dopamine and gambling, and make them feel inferior to their peers.

We have the wrong priorities as a society.

And this bullshit is going to turn us into a completely tracked, monitored, controlled bunch of cattle.

We're building 1984 and we're happy about it.

Dude, a big reason for age verification is to prevent kids from accessing those "algorithms" you describe.

They will always be able to access porn, e.g. over torrent. It will just be a little less accessible, and maybe it won't hurt.

"Think of the children" is the stated reason but not the actual reason. We've seen this pattern so many times that it's perplexing that people continue to fall for it.

If the children were the actual reason there are much less invasive solutions that enable reliable parental controls such as mandating self classification of content and fining service operators for inaccuracies.

Think for yourself and consider what the possible ulterior motives might be.

That key will get leaked. A key that has to go into every phone, even if done at the manufacturer and onto the TPM chip, will get out.

Also even if it doesn't get leaked directly, the security of TPM chips is not absolute. Secrets from them can theoretically be extracted given an attacker with sufficient means and motivation. Normally nothing that's on a typical TPM chip would warrant a project of that magnitude, but a widely used private key can change that equation.

Plus a TPM chip doesn't really have a way to tell that the phone isn't being lied to. You could swap out the actual phone camera hardware and sensors for a custom board that feeds the entire phone camera data of your choosing and it would be none the wiser.

> That key will get leaked.

Maybe? But biometric passports, chip-and-pin payment cards and SIM cards seem to do reasonably well. And Apple can always push out a mandatory software update that rotates the key, if they need to.

> You could swap out the actual phone camera hardware and sensors for a custom board that feeds the entire phone camera data of your choosing and it would be none-the-wiser.

Apple's 'TrueDepth' cameras are serialised and paired with the rest of the device. The touch ID sensors were before that too.

I don't know the precise details, but reports from people trying to repair devices independently of Apple are that the phone is very much the wiser.

e.g. https://support.apple.com/en-gb/120567 https://www.reddit.com/r/iphonehelp/comments/1dl38kq/iphone_...

> Apple's 'TrueDepth' cameras are serialised and paired with the rest of the device. The touch ID sensors were before that too.

That prevents trying to swap the module, but doesn't prevent swapping out the sensor on the module itself.

There is no reason to talk about that system: it's nonsense. It's like inventing a bad encryption protocol and discussing why it is bad.

Better learn about the good one, but I guess it's harder than making up nonsense.

OR:

The website sends a request for age verification.

The app[1] on the user's device[2] forwards that request to the chip on the user's ID card. The user authorizes themselves with their 6-digit PIN stored on the card.

The chip produces a signed reply containing the following payload fields: `issuing_country:string` and `over_18:bool`

[1] https://github.com/Governikus/AusweisApp

[2] iPhone, Android, Windows, MacOS, Linux or FreeBSD

What happens when I set up a tor hidden service that (in conjunction with some client software) stands in for a visitor's device and will proxy any requests back to my personal card? After all the payloads are anonymous so what's the risk to me?
To prevent this sort of abuse, the server would have to request the `pseudonym` field, which contains a hash across the server identity and the card's secret salt, allowing the server to detect abuse but not to track the user across multiple services.
Wait what? All the time you spent writing that nonsense could have been invested in reading about how it actually works.
Parental controls on device are a better solution that works today and doesn't carry a risk of data breach.
Parental controls are intentionally gimped. They do the bare minimum while providing more than enough wiggle room for a tech savvy teenager. To implement a robust parental control scheme you need network level filtration which isn't something the average parent will know anything about.
I disagree with that, because the teenager should be the parent's responsibility, regardless of how smart or savvy they are. Parents should be talking to their children, communicating what their and society's expectations are. If the parents are attempting to exert technical control over their children, by home router for example, there should be websites or computer shops they can go to. If the parents don't care or are not smart enough to keep up with their teenager, then no type of state mandated gimmick will either.

Teenagers at that level of intelligence, or who are that determined, will find ways to circumvent whatever control mechanisms a parent or school is attempting to use. At some point, it is a matter of the teenager respecting their parents and rules. Same for if you told a teenager do not drink and drive. You can set up all kinds of technical barriers to block drunk teenagers from driving, but if they are that "smart", those committed to bad behavior or law breaking will find ways.

But again: if all the kids are on social media, is it enough for "good parent" to tell their kid that they should not go there?

From what I remember from being a kid myself, it definitely is not.

They would be a solution if almost all parents used them, but parents don't want to socially isolate their kids since a lot of "social" activity is now on social media. It's kind of a prisoner's dilemma.

They're not necessarily wrong. Despite the vapid and damaging nature of most popular online media, isolating a child from it might have even worse social consequences when their real-life peer groups discover that they're not on social media or that their parents have neutered their phone. Some kids would turn out fine after that. Others would be socially destroyed for life (maybe with the right therapy they could become well-adjusted, but high quality therapy is rare).

> They would be a solution if almost all parents used them

No, they are a solution for parents who want to use them, and that's all they should be. Their existence demonstrates that it's possible to handle this without regulation, other than the desire of some people to inflict their preferences onto other people's kids.

You haven't tried to use parental controls much have you? They are all terrible. They are insanely difficult to get set up properly and even when you do there are a lot of tradeoffs that come with it.
Parental controls can set browsers in "child mode" where the browser sends an "I am a child" header to the server and social networks etc. need to honour it. This has existed for twelve years already: https://blog.mozilla.org/netpolicy/2014/07/22/prefersafe-mak... . It can probably be amended with a more granular set of levels, but that would be the best way forward.

The problem of "parents are negligent" is also solved by existing laws which have fines for parents who are negligent towards their children, and governments absolutely love collecting fines, so all the incentives are properly aligned.

I should not have to surrender my anonymity because parents are too lazy to setup parental controls.
And it's possible to do age verification in a privacy-preserving manner. I'm tired of repeating it, people should get informed before they complain.

We could totally discuss whether or not privacy-preserving age verification is a good thing. But we can't, because most people can't be arsed to read about what age verification implies, and complain about something that is fundamentally wrong (i.e. that they would have to surrender their anonymity).

How about we just ban entirely the harmful social media that we would need to attach all our IDs to our internet activity in order to protect the children? Very strange that that's not part of the discussion!
Because privacy-preserving age verification is less extreme than banning them entirely. It should be strictly easier to get it accepted.

Except that people can't read for 5min and understand that age verification can be done in a privacy preserving manner.

Zero knowledge proofs don't carry a risk of data breach, because they are zero knowledge.
Your privacy has to be violated in order to receive the easily trackable ZKP tokens.
> Your privacy has to be violated

No.

> the easily trackable ZKP tokens

If it's easily trackable, it's not ZK.

Are they a better solution? Yes

Do they work currently? Not really

Are they too complex for the avg Joe to work out? Unfortunately yes. (Something about the smartest bears and the dumbest humans)

Joe can walk into an Apple store (or wherever they purchased the device) and ask them to enable parental controls on it. We have people whose job it is to service computers and phones, they have been around for more than half a century. I am pretty sure most Joes don't service their cars either, yet they keep them road legal by visiting trained mechanics.
As long as Joe has the right to vote, which is something more important and more complex, we cannot complain that parental control is too complex.
It doesn't provide 100% privacy from everyone, but it does provide privacy from the web service: A worker at a physical store checks your ID, and if it says you are 18, they hand you a token with a unique key on it, which they have a stack of behind the counter. You put the unique key into the web service. It's not necessarily one time use, but if you don't want to risk correlation, you can use each one only once. It's just like alcohol sales, and has all the same failure modes as alcohol sales, but if it's good enough for alcohol sales it's good enough for web services.
Well it probably needs a bit more complexity to avoid being trivially broken. Codes are one time use; the service has them attested by the token provider behind the scenes, and the provider is in turn under contract with the government. Tokens are also activated at the point of purchase similar to gift cards in order to prevent bulk theft and resale. A law in the vein of HIPAA prevents collusion between the retail establishment and the token provider.
People, you have to read about zero knowledge proofs. Look at e.g. Privacy Pass.

> A law in the vein of HIPAA prevents collusion

No need if you use cryptography. This thing that, you know, works well for encrypting stuff? Spoiler: it can be used for age verification.

>> A law in the vein of HIPAA prevents collusion
>
> No need if you use cryptography.

True for age verification, but not true in general. If you have something that can be used illegally, it's very handy to allow firms to rent / hire it out anyway but make the hirer responsible for any illegal activity.

An example is hiring a car, and the car is used to ram-raid a shop. Today this is solved by handing over a government ID to the rental company. Commit a crime in the car and they hand that over to police, but it has the sad side effect of handing over information to the car rental they can use to track you, and worse sell to others.

Using a zero knowledge proof for a valid driver's licence fixes the privacy problem, but at the expense of the hire company not being able to transfer responsibility for illegal activity onto the hirer. I suspect if that happened no one would hire out cars any more.

You can easily design something that is Zero Knowledge to the car hire firm, but includes an opaque token they can hand over to the government on lawful demand. It contains all the details needed to pursue the law breaking hirer. Thus there is still a role for the law here - you can't always do everything with crypto.

This is a very minor quibble - I agree completely with what I think is your main point. This Google change is a privacy disaster. It's a step towards an enshittified internet with the gateways onto it controlled by a few big tech firms.

But I don't think just yelling "just use ZK" is helpful. It's much harder than that - ZK is only part of the puzzle. Passkeys are currently caught up in the same attestation trap, and there is no workable solution in the offing. Banks and other high trust applications need some assurance your FIDO private key is being handled securely. The solutions on the table are Apple not doing attestation, or Google who does at the low low price of selling your true name to Google. Both "solutions" suck, horribly.

ZK proofs of things like licences and age have to solve the attestation problem, and solve extra stuff as well. I'm not holding my breath.

You can prove your signature is from a key which is a member of an acceptable set without revealing which one. These schemes can also prevent excessive reuse, e.g. by you also proving that some linked value is a hashlike function of your private key, the date, and the domain, so if you sign multiple times for the same site in the same day your uses are linked, so someone can't just toss up an oracle that gives endless authentications.

Such systems are deployed in production by privacy preserving cryptocurrencies as it's the same problem: Prove you're spending a coin that exists without revealing information about which one, and prove that you're not spending it multiple times.

Less private but easier to implement is just simple blind signing. Site asks you to give them a signature of their domain name, your account name, and date. You blind the data using a random number, go to google and identify yourself (e.g. solve a CAPTCHA, check your mobile device, age verify, whatever) and ask them to sign the blinded value-- they rate limit you and give you a signature. You unblind and provide to the site. Now the site knows you passed the google rate limit but nothing else, but google never learns what site you authenticated to.

The blindsigning approach is kinda lame because it requires active communication with a third party that learns you're online and authenticating to stuff. So I think it's generally less preferred but the cryptography is hardly any more complicated than an ordinary digital signature.
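An added example, not from this thread, that models two mechanisms discussed here in one runnable file: the EK -> AIK -> attestation chain from coppsilgold's top comment (and how a certifying server that logs the EK -> AIK step can trace any later attestation back to the device), and the blind-signing flow described just above. It uses a toy textbook RSA (stdlib only, 512-bit keys, hash-then-raw-RSA with no padding) so it runs offline; the class and function names (AttestationServer, Device, blind, blind_sign, unblind), the challenge bytes and the sample token string are this example's own constructions, not anything Google or reCAPTCHA actually does.

```python
import hashlib
import math
import secrets


def _is_prime(n, rounds=32):
    """Miller-Rabin probable-prime test (candidates here are always large and odd)."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit, force odd
        if _is_prime(c):
            return c


def keygen(bits=512, e=65537):
    """Textbook RSA: returns (pub=(n, e), priv=d). Toy key size, no padding."""
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), pow(e, -1, phi)


def _h(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, pub, msg):
    return pow(_h(msg, pub[0]), priv, pub[0])

def verify(pub, msg, sig):
    return pow(sig, pub[1], pub[0]) == _h(msg, pub[0])

def key_bytes(pub):
    return f"{pub[0]}:{pub[1]}".encode()


# --- 1. EK -> AIK -> attestation, with the certifying server keeping a log ---
class AttestationServer:
    """Certifies AIKs. `ek_of` is exactly the EK -> AIK log the comment warns about."""
    def __init__(self):
        self.pub, self._priv = keygen()
        self.ek_of = {}  # AIK modulus -> EK public key

    def certify_aik(self, ek_pub, aik_pub, proof):
        # The device proves it holds the EK by signing the AIK it presents.
        if not verify(ek_pub, key_bytes(aik_pub), proof):
            raise ValueError("EK proof over AIK failed")
        self.ek_of[aik_pub[0]] = ek_pub
        return sign(self._priv, self.pub, key_bytes(aik_pub))  # the AIK certificate

    def trace(self, aik_pub):
        """From the AIK carried in any attestation, recover the device's EK."""
        return self.ek_of.get(aik_pub[0])


class Device:
    def __init__(self):
        self.ek_pub, self._ek_priv = keygen()  # static, burned in at manufacture

    def enroll(self, server):
        self.aik_pub, self._aik_priv = keygen()  # ephemeral identity key
        proof = sign(self._ek_priv, self.ek_pub, key_bytes(self.aik_pub))
        self.aik_cert = server.certify_aik(self.ek_pub, self.aik_pub, proof)

    def attest(self, challenge):
        return self.aik_pub, self.aik_cert, sign(self._aik_priv, self.aik_pub, challenge)


def check_attestation(server_pub, challenge, att):
    aik_pub, aik_cert, sig = att
    return verify(server_pub, key_bytes(aik_pub), aik_cert) and verify(aik_pub, challenge, sig)


# --- 2. Chaum blind signatures: the signer never sees the message ------------
def blind(pub, msg):
    """Client side: returns (blinded value, blinding factor r)."""
    n, e = pub
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return _h(msg, n) * pow(r, e, n) % n, r

def blind_sign(priv, pub, blinded):
    """Signer side: only ever handles `blinded`, which looks uniformly random."""
    return pow(blinded, priv, pub[0])

def unblind(pub, blinded_sig, r):
    return blinded_sig * pow(r, -1, pub[0]) % pub[0]


def run():
    server, dev = AttestationServer(), Device()
    dev.enroll(server)
    att = dev.attest(b"nonce-from-site-a")
    issuer_pub, issuer_priv = keygen()           # the rate-limiting third party
    token = b"example.com|alice|2025-01-01"      # domain | account | date
    blinded, r = blind(issuer_pub, token)
    sig = unblind(issuer_pub, blind_sign(issuer_priv, issuer_pub, blinded), r)
    return {
        "attest_ok": check_attestation(server.pub, b"nonce-from-site-a", att),
        "traced_to_ek": server.trace(att[0]) == dev.ek_pub,
        "token_ok": verify(issuer_pub, token, sig),
        "token_bound": not verify(issuer_pub, b"other.com|alice|2025-01-01", sig),
    }
```

run() shows the two properties side by side: the attestation verifies for the site, and the server's ek_of log answers trace() for any AIK it ever certified, so the "ephemeral" AIK does not hide the device from the party that certified it; the blind-signed token verifies for the exact domain/account/date string and for nothing else, while the issuer only ever handled the blinded value. The toy RSA here has none of the padding or key sizes a real deployment needs.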

Ring cryptography does this - given a public key and a set of private keys you can attest that one of the keys signed it but not which one. This lets both Google and you generate a signature and say “this is attested”, without the person verifying it knowing _who_ signed it.
You likely need one other step beyond a plain ring signature, often called a linkable ring signature. If you use only a plain ring signature I could get one authenticated key and set up a site that gives away an unlimited number of access tokens with it, and you can't identify which key is doing so in order to kick it out.

A linkable ring signature lets you correlate multiple usage but only if they share a common 'context value'. Intelligent selection of the context value results in abusive use inevitably sharing a context so you can exclude or rate limit it, but honest use tends to not share a context so the privacy is preserved.

All states/governments have basic records on their citizens and residents, including at least a name, dob, address, etc, at least for a passport, driver's license, if not an actual id card. Let's assume this is acceptable.

Then it's technically possible (and really not that difficult) for states to provide a service that issues zero-knowledge proofs of facts like "age > X".

> Let's assume this is acceptable.

(partly off-topic rant) One can argue this is a false premise fallacy. For most of the time states did not have this information about their citizens and the world progressed quite nicely. The only argument to know stuff about citizens that don't drive (increasing numbers) nor travel abroad (different problem altogether) is to tax them?

One of the foundational differences between humans and cattle was you cannot brand (https://en.wikipedia.org/wiki/Livestock_branding) humans. Not physically, because we do it digitally and I see a slippery slope.

The discussion was about age verification, not about the (rather more extreme) position that it's illegitimate for the state to hold information about its citizens.

> For most of the time states did not have this information about their citizens and the world progressed quite nicely.

This is quite untrue. State bureaucracies far predate the modern era.

https://ageverification.dev/

> Unlinkability is achieved by design through Zero-Knowledge Proof cryptography see the "Privacy by design" section below.

With cryptography. Look at e.g. Privacy Pass, there is an RFC about it.
It should be possible with zero knowledge proofs.

The problem is that while you might be able to trust the crypto, the government won't trust you to do the crypto entirely by yourself. And this introduces avenues for deanonymisation. Moreover, collusion between the government and the entity making the age check can also theoretically deanonymise.

It's a complicated problem.

We continue to seek a technological solution to a parenting problem.

> Moreover, collusion between the government and the entity making the age check can also theoretically deanonymise.

Hmmm... no? That's not how zero knowledge works.

Not via breaking the ZKP, but via other methods of fingerprinting, which governments are very well positioned to enable.
I feel like it becomes bad faith at some point. With a sufficiently advanced attack, you can be personally identified today. ZKP for age verification does not make this worse, does it?

It's a bit like saying "no but Signal is not really encrypted, because the government can extract some metadata by looking at the network around the server".

Look at Apple’s PAT: the website knows the service that did the attestation, but not the user. The service knows the user, but not the website. If you controlled both you can link the user, but otherwise you can’t.
Yes, but they can still collude. It's possible to do age verification in a way that prevents that. Look e.g. at Privacy Pass.
PAT is Privacy Pass.
Oh right, my bad. And how can they collude there?
Blind signatures would work, with a bit of effort.
Divorcing technical detail from how it is used does little good for humanity.
As far as I know no currently proposed age verification method does this in practice.

The only way to implement truly privacy preserving age verification is through zero knowledge proofs (or blind signatures) but what that would allow is undetectable token forging.

The EU's proposed system uses ZK proof. You get a PGP signed message from "someone" who knows your identity (government or private agency) then store it on your phone to pass to websites that need your age. It does have an obvious flaw in that whoever you give the token to has no proof it's actually yours.

https://ageverification.dev/av-doc-technical-specification/d...

> It does have an obvious flaw in that whoever you give the token to has no proof it's actually yours.

Which isn't necessarily a flaw, depends on the threat model. For actual age verification that we care about (e.g. make it harder for kids to access social media), it may be good enough.

This is not sufficient. Do they give you a blind signature?

Because what you described does not preserve your anonymity if the government and the service collude.

Doesn't matter if it is privacy preserving, it is still an evil thing to do
That would be the interesting debate, if people could actually spend 5min learning how it works and stop claiming nonsense.
Exactly the mindset that got us to this current reality..
No it can't. If it's done in a truly privacy preserving way then someone can also sell a fake age verification service making the whole thing meaningless.
I don't see any requirement to support hardware attestation in the recaptcha documentation, the Play Services seem to be "enough".

I think it's most likely to be attested by Google remotely; they might be using an app (with enormous access to the phone as the Play Services have) to be able to link a ton of data together, possibly including the local activity on the phone, officially to make better humanity assessments based on it all.

For people using a Google account it probably won't make a huge difference, in terms of data collected.

If that's how it would work, spoofing would probably be theoretically possible, but it would be easy for Google to detect attestations used by multiple people.

Let's not forget that this is an update to a very approximate system, absolute security is not (yet) required.

But there's a good chance that it will be extremely hard to sidestep, despite that.

> they might be using an app (with enormous access to the phone as the Play Services have) to be able to link a ton of data together, possibly including the local activity on the phone

But anything your phone can possibly do in software can be spoofed, so how would that help?

> I don't see any requirement to support hardware attestation in the recaptcha documentation, the Play Services seem to be "enough".

Doesn't Play Integrity use hardware attestation, but specifically checking the Google keys?

If you use the Play Services on GrapheneOS, you still don't pass Play Integrity because your system is signed by GrapheneOS and not by Google.

No, Play Integrity is a set of numerous features, and the developers decide which one to use, and how to react to what the api reports.

Hardware attestation is one feature, but it's still not used a lot.

The most common feature is the check that your Google account really downloaded the app you're using (and that the app wasn't modified); which requires using a Google account, of course. This is what the "pairip" that's been plaguing the store for a year does (it's being added by a ton of apps because adding it only requires enabling a preference in the Play Console).

> having all your devices blacklisted. Private farms probably won't last long either as I'm sure Google logs everything and will correlate.

So basically Google can now ban your device from being able to access a huge portion of the internet, in addition to nuking any online presence connected to them.

You could wake up one day and find your device blacklisted from the internet, with no chance of ever reaching customer support. What a lovely future

Stop visiting sites and using services that use reCAPTCHA. Problem solved.
That's great until it's some essential government, medical, educational, etc. service that you have either no alternative to or no alternative that isn't also using the same thing. I'm already being slowly and incrementally softlocked out of some (fortunately non-essential so far) sites either by cloudflare or other more subtle "anti-bot" networks as time goes on, including some like I've listed above. I can only expect this will continue until it's something I can't avoid.
For some reason, I'm softlocked from booking tickets from Deutsche Bahn. The website errors out with a cryptic "Your browser's behavior resembles that of a bot." message with no option to try again or pass a captcha or whatever. The website itself described several possible solutions but none helped (I tried using different computers, different internet connections, even a phone connected to internet using a SIM from a different country).

As for now, when I need to travel to Germany, I just book tickets through the national carrier of my home country, which for cross-border tickets often turns out to actually be cheaper than booking through DB. Thankfully I don't live in Germany proper and my need for travel there is not that high (once or twice a year at most), but I wonder what I would do if I had to move to Germany and use trains there more often.

Same problem but with French equivalent SNCF (sncf-connect.com). I just checked and can confirm nothing has changed. You cannot use up-to-date Firefox on Linux to access the main booking site for French rail tickets.

    Access is temporarily restricted

    We detected unusual activity from your device or network.

    Reasons may include:

    -Rapid taps or clicks
    -JavaScript disabled or not working
    -Automated (bot) activity on your network (IP X.X.X.X)
    -Use of developer or inspection tools
Does it work if you spoof the user agent?

> -Use of developer or inspection tools

Gotta love it.

It gets blocked in a private window, but only on the second page load. So more sophisticated than UA-blocking.

The finger-wagging about "Use of developer or inspection tools" is just outrageous. Akin to accusing users of thought crime.

The only solution to all this will be through elections and laws.

Developer tools are easily detected by looking for the viewport to resize a certain amount.
DB has been finicky for me from abroad as well, using a VPN to Germany usually helped. Still sucks though.
> That's great until it's some essential government, medical, educational, etc. service

At which point you should contact your attorney general, and work to ensure such efforts face legal challenges at every turn.

Which won’t solve the problem at all.
No, it won't, and this mechanism should not be used by anyone, but it'd at least ensure that people aren't forced to use it to interact with their government.
With the new reCAPTCHA this is going to happen because most human visitors will actually be unable to pass the CAPTCHA. It will be interesting to see whether this makes websites ditch reCAPTCHA or whether they literally just don't care about having customers, an attitude that seems to be getting more and more common every day.
I have been unable to give my money to Home Depot, REI and a growing list of online retailers because they use Akamai EdgeSuite, which just assumes I am a bot and 403s on protected API calls. This happens consistently on any IP and any browser on my Linux desktop/laptop.
There are not enough words to describe how much I hate Akamai EdgeSuite. So many random validation loops and 403s across different physical computers, different operating systems, different connections and even countries. A couple of services I need use it and there's a 30% chance I'll make it past their stupid "protection".
Same, I'm doing a kitchen reno and gave up on Home Depot because of this.
It sure makes debugging headers a pain. curl -sLIXGET https://… never mind, that won’t work, _fires up browser yet again_
Home Depot at least has a physical presence, which you can go and directly give some much-needed feedback to.
It has a zero percent chance of reaching anyone who can do anything about it.

You could try handwriting and posting a letter to their CEO. I think that sometimes works. Probably not very often but there are more than zero CEOs who read those letters.

Maybe they'll figure it out when their revenue drops next quarter or the ones after that?

I was thinking in the same terms: you put up a QR captcha, you don't get my traffic and money. Just the amount of extra work needed, let alone the Google tracking, turns me off. As if traffic lights, crosswalks and bridges weren't enough of a hassle.

You can also send an email if you're lazy. In both cases the CEO probably won't read it, but a more-than-minimum-wage secretary probably will pass it on to corporate customer support, which IME is a lot more useful than the regular support that the company wants you to use.
REI is allegedly a co-op, maybe there's a committee or something it could be presented to?
The point is to spread the word.
One problem with these things is that businesses have minimal visibility on the amount of users they lose.

On the contrary, if they see reports of many visitors not completing the captcha, they're likely to think "Wow, so many bots!!! This defense nowadays is indispensable..!".

Sometimes you need to pass a captcha even to contact them (if you want to tell them that you can't pass their captcha).

I wanted to give money to a charity and they have the whole form protected by reCAPTCHA. So I would have to allow all my personal information and the amount donated to be sent to Google (and agree to Google's terms for data processing). I have contacted them but they did not understand why this is a problem; they just wanted to protect themselves against bots. IMHO unless those things are disallowed by antitrust laws, we have lost.
We wouldn't want bots throwing money at us!
I suspect this is a real problem for charities, though. If those bots are using stolen credit cards, the "donations" are going to cost the charities money after they pay extra fees to the credit card processors. Nonprofits are sometimes used to test stolen credit cards before making more profitable fraudulent transactions, so there's a real risk of it costing them money if they get rid of the captcha but don't replace it with something sufficiently high quality, even after accounting for the occasional lost donation.
i say technofeudalism, not sure i know what i'm writing about though
Luckily the marketplace of money will ensure that businesses who block their customers shrink and businesses who don't block their customers grow.
> most human visitors will actually be unable to pass the CAPTCHA

Most human visitors will never ever notice the change. reCAPTCHA is completely invisible for most human visitors because they are allowed to pass just by fingerprint.

It's not like an average user is going to have to scan a QR code every time they visit a site via web browser. If it were like this then it would be a non-issue because no sane website would adopt this system. But it isn't.

This is not true. Maybe in the US, but in many countries you get captchas all the time on residential connections, and also all the time in public places: internet cafes, airports, cafe wifis and so on. They'll at least get it once, and that way there is a permanent fingerprint correlation with real identity. I can bet that EVERYBODY will get it at some point, so Google and the other people on board with this atrocity (webmasters are also accomplices) can finish up the master plan.
>> whether they literally just don't care about having customers

So every government website. Every website where people simply have no choice (DMV) or where failure to login results in them not claiming the money/benefits they are due (all tax websites). And every website handling post-sale complaints (Airlines, insurance).

> most human visitors will actually be unable to pass the CAPTCHA

Most human visitors will pull out their smartphone and just do it without giving it much thought.

> Stop visiting sites and using services that use reCAPTCHA. Problem solved.

Not solved at all: 99.999% of users don't give a damn and use a Google-signed Android.

My opinion is that because they don't give a damn does NOT mean regulations should not protect them. What Google is doing here is anticompetitive and they should be fined (antitrust and all that).

I don't see the correlation with Google-signed Android actually. Do people really want to have this friction when they visit a website? Like having to get your phone from another room, use the camera and all that to access a website? This is such an anti-pattern and is also disrespectful toward consumers; any webmaster participating in this IMO should rethink his career and morality.
I'd love to, but I'd not be able to visit many sites anymore thanks to Cloudflare...
Yeah, live in a cave, and problem solved.

However much I hate it, right now among the sites using reCAPTCHA there are many that I strongly want to use.

Let's find a better solution please

> Let's find a better solution please

Is there an argument here that Google is creating a monopoly?

Could this be challenged on similar grounds that forced Microsoft to recommend other browsers to users on Windows?

There is, but at least in the US neither party cares. They want to get rid of anonymity online, one to throw anyone who googles "trans" in jail, and the other because their biggest donors are tech companies that want to deanonymize everyone.

Our antitrust laws have been toothless for decades, and both parties love billionaires controlling the rest of us with an iron fist.

GrapheneOS is looking more and more worth the headache that my limited free time generally does not like. I don't need Google to know my smut fanfiction is written by me IRL.

Felt same way about GrapheneOS but a few friends set it up so i gave it a try. It is easy to install and use. As evidence, I gave my 70 year old father one and he loves it.
When my friend was telling me about GrapheneOS I was thinking back to the old days of Android custom ROMs, all the bugs and bullshit, the time I couldn't dial out to 911 because my custom ROM crashed when I did, or other issues. So I gave it a pass.

However he's been on it now for months and every time he shows me something on it I get a little more jealous. Everything seems to be working fine, including e.g. bank apps, and he has interesting features like some kind of app zoning thing limiting permissions on a zone to zone basis.

The only problem is it's only available on massive phones without headphone jacks and SD card slots, so I'm sticking with Xperia for now.

Can you run Graphene on non Pixel phones?
sieabahlpark, I probably hate this more than you, you misunderstood
So what are you doing here?

> Ask HN: Did HN just start using Google recaptcha for logins? [0]

> dang

> No recent changes, but we do sometimes turn captchas on for logins when HN is under some kind of (possible) attack or other. That's been happening for a few hours. Hopefully it goes away soon.

[0] https://news.ycombinator.com/item?id=34312937

Stop visiting sites and using services that use reCAPTCHA. Problem solved.

No. Bigger problem created, since there are innumerable government, health care, and educational web sites that use reCAPTCHA.

I'm not going to give up reading the test results from my doctor because of some simplistic ideologue decides that it's "problem solved."

The other problem with this is that there are few CAPTCHA alternatives.

CF turnstile is one, but of course that means Cloudflare owns even more of the web.

HCaptcha is inaccessible and actively discriminatory against individuals with disabilities and refuses to change, to the point that I suspect the only way that they will do anything is to file a class-action against them and sue them into the ground.

And I... Can't think of anything else. Other than to just get rid of Captchas entirely.

You could just have a custom one that asks domain-specific questions (and ones which will trip up LLMs are not hard to come by.) I've seen a few forums ask such questions for registration, long before the rise of LLMs.
There are other captcha alternatives like Turnstile, for example Private Captcha, Altcha, etc. They are owned mostly by "small" independent companies, they are not visual captchas (they are proof-of-work based) and they are very accessible.
The answer that no one likes: make it cost a nominal amount of money.

Enough to make it so bots are expensive to run.

At least in my country (Poland) you should be able to make a pretty big fuss, resulting in them fixing it, if indeed one of ego services made you leak all your data to Google.

People do care about such things.

I hope the same is true in other EU countries.

I agree, and I think CAPTCHA is a disservice on public websites.
Compliance is what makes all that shit possible. Sadly most people are compliant and made so by gradually increasing their dependency on "commodities" which really are anchors to a shit lake.
Beautiful analogy, BTW.

Suddenly I have been made aware that, having lost my paddle on Shit Creek, I will eventually be taken downstream to Shit Lake (where it appears I will inevitably drop anchor).

> I'm not going to give up reading the test results from my doctor

You could just call them.

Oh just wait, the AI phone service on their side will be more than happy to complete your device attestation key challenge by touch tone. We have to make sure you are still you after all!

But in all seriousness, many services are making it difficult through to impossible to communicate outside of their web or app platforms. Call centres are expensive and messy, and it's now apparently acceptable as a society to treat customers/clients/whatever as adversaries so they can get away with making it hard to communicate with them.

I was unable to book a doctor's appointment through the clinic's website, so I declared "screw tech" and called their call center, which still worked better. The app just searched for the "first available spot" and never found anything. If they axe the call center I'm going to have to go to their place.
Or ask for a print out.
Fairly sure that would be considered a breach of patient confidentiality where I live, at least.
You should check your patient portal closely, they may be violating your confidentiality in ways that are much worse: https://vanguardcommunications.net/facebook-ads-pixel/
Sorry to hear that. What did people do before computers then?
Not sure how that's relevant. There are computers now. Regulations change with the times. Green lasers weren't controlled in the 1700s either.

Are you comfortable with anybody being able to ring up the hospital and say "yo, it's majorchord, how are my gonorrhea results?"

That misses the point: alternatives will only be available as long as enough people use them.
I still make and receive calls all the time to get test results from my doctor, I think tons of people still use that option.
HN uses reCAPTCHA under certain conditions
I've not hit it but that would suck.
I doubt they would let users be KYCed to access HN frankly, I seriously hope not at least.
Removing recaptcha from my sites now actually. Its not much, but its something.
Or stop spreading this extraordinarily naive view of how the world works.
When companies like this exist, what is the point of relying on TPM? Looks like the future is bright for VC-backed bots.

https://doublespeed.ai/

I'm assuming that's a troll / sarcasm / fake... But that could just be my last vestige of faith in humanity.

Edit: aaaand... That's another little sliver of my faith gone : https://www.theatlantic.com/podcasts/2026/04/how-fake-people...

Yeah, it's real. Say goodbye, faith!
Why is every startup using that same Serif font now, Garamond or whatever. Is it an LLM design phenomenon? Its kinda ruining that font style for me.

Also $1,500 a month for 10 "influencers" is wild. This doesn't seem that sophisticated unless they're doing something special to increase trust scores of accounts. They say they have "in house warming algorithm" which honestly doesn't inspire confidence for me.

What's funny is it's almost a certainty (if they are doing things correctly) that they have literal farms of phones (probably in SEA). The only real way to keep trust high is to have a real mobile connection and unique devices. Proxies are okay, but you really need to use the apps on real hardware.

I think the font is mimicking old Apple ads, eg: https://i.insider.com/5bf8592eb73c284de50e2f28
Ahh, that makes sense.
Yep. They got hacked in the past, 1k+ smartphones reported.

The cost is the attestation keys of a real phone. Once it gets burned, the phone is useless to them.

https://www.penligent.ai/hackinglabs/inside-the-ai-phone-far...

Interesting article, thanks. I've done a bit of small scale phone farming (for my own cheap mobile proxies). In all reality the phones aren't that expensive, I went with Moto 5gs that cost $130 (retail), so in their case the phones pay for themselves in the first month.

Probably a decent amount of compute cost for video generation, but I'm sure they have access to free compute and inference for being in bed with a16z.

If you are OK with carrier locks (e.g. if you don't need cell service) and are in the USA, you can actually get Moto 5Gs for $30 at Walmart. https://www.walmart.com/ip/Straight-Talk-Motorola-Moto-g-202...
Reckless Condensed?
How is this not grounds to be sued into oblivion by Google and Meta? They clearly violate ToS for profit. This is something I expect to find on a dark web forum where 0days are traded, not in public.
> How is this not grounds to be sued into oblivion by Google and Meta?

Because they don't care. It doesn't matter that it's AI slop, it generates views. And Google and Meta can bill advertisers for those views.

Zuckerberg is paying people to put AI slop Shrimp Jesus on facebook. (Not directly to platforms like this, but with the incentive structure)

Really, they're not just cashing in on the views of AI slop being put in front of boomers. They're cashing both ways; While the low end spam industry is merely guessing and iterating on whatever generates views, the more refined spammer does not leave the performance of their latest slop post up to chance, and just uses good old viewbotting. Viewbotting that these days, is mostly done on real devices. Which show ads, to the bots or underpaid developing world workers. Google and Meta'll still charge you for those impressions though.

The losers? People who sincerely try to use these platforms, and whatever idiot businesses are still paying for ads by the impression or click, rather than conversions that immediately generate revenue.

This kind of thing has been common for ages. Obviously AI has kicked it into overdrive, but it’s not darkweb kind of stuff.

Note that they do not mention any specific companies on that landing page. That is pretty intentional.

But realistically going after bots is expensive and rarely successful, so most companies don’t do it. Even if you find the guy, the chances they can be legally reached are pretty low.

Violating ToS isn't illegal in most cases. Companies just put scary looking clauses in their ToS to discourage you from doing things they don't like.
Note that all those guys were gotten for breaking the law, not for breaking terms of service.
These companies would have to buy one phone per fake influencer.
Wow that is so dystopian.
> (as that would be 'farmable')

It could be contextual, as in each user gets one anonymous id per domain name per day. Multiple uses by the same user at the same domain in the same day are linked.

But much of the purpose of these systems is to violate the public's privacy and exert as much surveillance and control as possible. If not for that schemes that mitigate the privacy loss would be a top priority.
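The "one anonymous id per domain name per day" scheme from the comment above, as an added example that is not part of the original post. It assumes a hypothetical design in which the device holds a secret and derives each identifier as HMAC(secret, domain || date): the same device at the same domain on the same day always produces the same id (so the site can rate-limit it), while ids for different domains or days look unrelated to anyone without the secret. The device secret below is a constructed placeholder, and the site-side counter is an assumed minimal rate limiter. What the example does not cover is the part the comment says current attestation lacks: proving to the site that the id was derived on a genuinely attested device without also handing over something linkable such as a stable attestation key.

```python
import datetime
import hashlib
import hmac

# Constructed placeholder. In a real design this secret would be generated inside
# a secure element / TPM and never leave the device.
DEVICE_SECRET = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def canonical_context(domain: str, day: datetime.date) -> bytes:
    """Normalise the context so 'Example.COM ' and 'example.com' derive the same id."""
    host = domain.strip().lower().rstrip(".")
    return f"{host}|{day.isoformat()}".encode()


def contextual_id(device_secret: bytes, domain: str, day: datetime.date) -> str:
    """Per-(domain, day) pseudonym: HMAC-SHA256 keyed with the device secret.

    Linkable within one domain on one day, unlinkable across domains or days
    without the secret, because HMAC output is indistinguishable from random
    to anyone who does not hold the key.
    """
    return hmac.new(device_secret, canonical_context(domain, day), hashlib.sha256).hexdigest()


def rate_limited(seen: dict, cid: str, limit: int) -> bool:
    """Site side: count uses of a contextual id and report once the limit is exceeded.

    `seen` is an assumed in-memory table; the site only ever stores the pseudonym,
    never anything that identifies the device across domains.
    """
    seen[cid] = seen.get(cid, 0) + 1
    return seen[cid] > limit


def linkable(device_secret: bytes, a: tuple, b: tuple) -> bool:
    """Would two visits (domain, day) produce the same id, i.e. be correlatable by the site?"""
    return contextual_id(device_secret, *a) == contextual_id(device_secret, *b)


if __name__ == "__main__":
    today = datetime.date(2024, 1, 1)
    cid = contextual_id(DEVICE_SECRET, "example.com", today)
    print("example.com today:", cid)
    print("example.org today:", contextual_id(DEVICE_SECRET, "example.org", today))
    table: dict = {}
    for i in range(4):
        print("visit", i + 1, "limited:", rate_limited(table, cid, 3))
```

Two practical notes. Domain scoping should use the registrable domain (eTLD+1) rather than the raw hostname if the goal is one id per site, otherwise a site can issue a fresh id per subdomain and correlate them itself; that lookup is omitted here. And the daily rollover should use a timezone fixed by the protocol, not the device's local date, or a site can learn the device's timezone from when its id changes.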

> Google didn’t demand iPhone users install Google software to pass the test.

Can de-Googled Android phones present themselves as iPhones?

Apple has their own remote attestation infrastructure and you will not be able to impersonate an Apple device without extracting private key material from the secure enclave of a legitimate Apple device or compromising Apple certificate authority private keys.
Is this actually available in Safari?
Can they present themselves as... web browsers?
Yes, and then they'll get served a QR code that you have to scan on a phone Google approves of.
In the UK, the Department for Education guidance is that schools should be mobile-phone free. Students use computers to access the web fairly regularly. Guess that would be problematic then, since many schools' policies are that mobile phones should be turned off and stored in your bag during the day.
Shouldn't that be illegal under GDPR?
There are massive exemptions for the prevention and detection of crime

And https://gdpr.eu/recital-49-network-and-information-security-... :

> Recital 49 - Network and Information Security as Overriding Legitimate Interest

> The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems,...

It's funny how people after all this time think 99 Articles, 173 Recitals and a huge tech lobby equals a water-tight, pro-citizen, impenetrable privacy law with almost no exemptions.

What crime are you preventing or detecting by verifying you're human?