by bjackman 41 days ago
There is a fundamental tension here though - suppose DMA or something requires that online providers recognise reCAPTCHAs from non-Google-attested OS builds. What OSs can they safely trust?

Only ones that are difficult for fraudsters to use to generate bogus traffic. Whether or not those builds come from Google, they are inherently gonna be pretty constrained OSs. It's not gonna let you spoof your location or simulate user input.

I do think it's a problem if only Google can provide these attestations, but even if that organisation problem is solved there is still a fundamental technological problem here now that humans can't be detected by their ability to solve puzzles any more.

3 comments

> What OSs can they safely trust?

None. The first rule of network security is you can't trust the client.

All attempts at remote attestation of consumer devices are someone wanting to break this rule. It's always a mistake; the OS being on the blessed list raises the difficulty level for fraud a little, but serious fraudsters have already perfected workarounds.

Wanting to load a webpage anonymously is not something that makes one a “fraudster”.

Arguably anyone else who can provide a similar level of trustworthy authentication that they are not a bot can work with Google to get support. Fundamentally this is a trust-based problem and only OS providers are even capable of building such systems. There are very few of those out there. The key is that the systems need to be locked down to prevent automation of input and that automatically disqualifies most Android alternatives that the community likes. It's clear that Apple offers this capability though. I can imagine a more locked down version of Windows also providing this in the future.

Yes, that is what I mean, anyone can do it technically, but they are gonna have to build a slightly crappy OS in order to do it.

But still, better multiple slightly crappy OSs instead of just one (plus Apple).