Google broke reCAPTCHA for de-googled Android users

ReCAPTCHA change and remote attestation

  • The new reCAPTCHA flow effectively becomes a device attestation system: the desktop shows a QR code, and a phone with Google Play Services (or Apple’s equivalent) scans it and proves device integrity on the desktop session’s behalf.
  • Several comments describe this as tying web access to hardware-backed keys (TPM / secure enclave), which could enable cross-site correlation of identities if the same key or device identity is presented to every site.
  • Commenters disagree over whether Google uses true hardware attestation or only Play Services signals; the documentation is unclear on this point.

Impact on users and devices

  • De-googled Android (GrapheneOS, microG, custom ROMs) and uncertified devices (Huawei/Xiaomi China ROMs, Amazon tablets) are reportedly unable to pass the new flow.
  • Some users already struggle with endless CAPTCHA loops, poor IP reputation, and aggressive bot detection (Cloudflare, Akamai, some airlines, retailers, train operators).
  • People without smartphones, or with strict privacy setups (Linux desktop, hardened browsers, Tor), increasingly can’t access key sites (shopping, tickets, government, charity donations).
  • Accessibility is a concern: audio CAPTCHAs are already rate-limited for “suspicious” users; commenters doubt legal protections will be enforced.

Competition, regulation, and monopoly concerns

  • Many see this as anti‑competitive tying: Google using reCAPTCHA’s market position to enforce Google-signed Android and Play Integrity.
  • EU’s DMA/GDPR and US antitrust are repeatedly mentioned; some expect regulatory action, others think governments quietly prefer deanonymization and attestation.
  • People highlight network effects: businesses misread high CAPTCHA failure rates as “lots of bots” rather than as blocked humans, reinforcing dependence on such services.

Alternatives and workarounds

  • Suggested mitigations: Cloudflare WARP, VPNs/proxies, buying static IPs, browser fingerprint spoofing (with skepticism about effectiveness).
  • Alternative defenses: Cloudflare Turnstile, hCaptcha, proof‑of‑work systems, self‑hosted or domain‑specific questions, small independent CAPTCHAs.
  • Some advocate boycotting sites using reCAPTCHA, but others note that’s unrealistic for essential banking, healthcare, and government portals.

Broader worries about the web’s direction

  • Strong sentiment that the web is shifting from “prove you’re human” to “prove you’re using an approved, locked‑down device”.
  • Fears of “technofeudalism”: attestation becoming mandatory for payments, government IDs, and age verification, with little room for alternative OSes.
  • A minority defends stronger bot defenses as necessary, but most see the balance tipping sharply toward surveillance, lock‑in, and exclusion.