Google Cloud Fraud Defense is just WEI repackaged
Google’s May 2026 reCAPTCHA successor uses QR-code device attestation via Play Integrity API — the same mechanism standards bodies killed as Web Environment Integrity in 2023, now shipped without public review.
What Matters
- Google withdrew WEI in June 2023 after Mozilla called it a “gated internet controlled by OS and device vendors”; Fraud Defense ships the identical Play Integrity backend as a commercial product.
- The hardware requirement — modern Android with Google Play Services, or iPhone/iPad — structurally excludes GrapheneOS, LineageOS/microG, and Firefox for Android by design, not accident.
- Every resolved challenge logs which certified device accessed which site and when; stable hardware identity persists across sessions, browsers, and private-browsing modes.
- Bot defeat is mechanical: point a camera at the screen; for farms needing Play Integrity, compliant Android devices cost ~$30 at retail.
- QR-challenge UX creates a phishing vector: training users to scan codes to pass authentication makes malicious QR prompts harder to distinguish from legitimate ones.
- Private Captcha-style proof-of-work systems issue cryptographic challenges with no hardware identifier transmitted and no certification layer — a credible alternative the author names directly.
- [HN: @Havoc] Pattern fits a deliberate playbook: AMP, Manifest V3, FLoC, and now Fraud Defense each compress the open web toward Google-controlled infrastructure.
- [HN: @btown] No public rollout plan confirmed; automatic insertion wherever reCAPTCHA runs today would impose a multi-device workflow on users who already trigger captchas frequently.
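
The proof-of-work alternative named in the list above, sketched as an added example that is not code from the original post or from Private Captcha: a generic hashcash-style challenge in which the server only ever receives the challenge string and a counter. The key, difficulty and lifetime values are assumptions chosen for illustration.

```python
import hashlib, hmac, os, time

SERVER_KEY = b"constructed-demo-key"  # assumption: per-deployment secret
DIFFICULTY_BITS = 16                   # assumption: required leading zero bits
TTL_SECONDS = 120                      # assumption: challenge lifetime
_spent = set()                         # single-use tracking (demo: never pruned)

def issue_challenge(now=None):
    """Server: random nonce, expiry and difficulty, bound together by an HMAC tag."""
    expires = int(now if now is not None else time.time()) + TTL_SECONDS
    body = f"{os.urandom(16).hex()}.{expires}.{DIFFICULTY_BITS}"
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve(challenge):
    """Client: search for a counter; no device or hardware identifier is involved."""
    bits = int(challenge.split(".")[2])
    counter = 0
    while True:
        digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
        if leading_zero_bits(digest) >= bits:
            return counter
        counter += 1

def verify(challenge, counter, now=None):
    """Server: the only inputs are the challenge it issued and the counter."""
    body, _, tag = challenge.rpartition(".")
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return False  # forged or altered challenge (e.g. lowered difficulty)
    _, expires, bits = body.split(".")
    if int(now if now is not None else time.time()) > int(expires):
        return False  # expired
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    if leading_zero_bits(digest) < int(bits):
        return False  # not enough work
    if challenge in _spent:
        return False  # solution replayed
    _spent.add(challenge)
    return True
```

The cost imposed on a client is set by the difficulty parameter alone, so the privacy property holds only as long as the deployment does not attach its own identifiers to the request.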