Google Cloud Fraud Defence launches, reviving rejected device attestation model

The system mirrors the 2023 Web Environment Integrity proposal that was withdrawn after objections from Mozilla and the Electronic Frontier Foundation, raising concerns about internet gatekeeping and persistent device tracking.

Author: Owen Mercer, Markets and Finance Editor
Published: Draft
Source: Hacker News · original
New reCAPTCHA iteration requires QR scans and Google Play Services, effectively barring users of custom Android ROMs and Firefox

Google has launched Google Cloud Fraud Defence, a new iteration of its reCAPTCHA system announced in May 2026. The mechanism requires users to scan a QR code with a mobile phone to prove human presence, relying on Google Play Services and the Play Integrity API to verify that the device is unmodified and certified by Google. This approach effectively excludes users of custom Android distributions such as GrapheneOS and LineageOS, as well as Firefox for Android, which do not integrate Google Play Services by design.

Critics note that the system mirrors the previously withdrawn Web Environment Integrity (WEI) proposal from June 2023. That initiative, drafted by Google staff member Yoav Weiss, was scrapped after three weeks following strong objections from Mozilla and the Electronic Frontier Foundation regarding internet gatekeeping and digital rights management. While the original proposal went through a public standards review process, the new commercial product launched without comparable scrutiny, bypassing the mechanisms that previously halted the plan.

The verification process creates a persistent hardware identifier that tracks certified devices across sessions, browsers, and private browsing modes. This accumulation of attribution data allows Google to build a record of where specific hardware accesses the open web. The system conditions URL access on hardware certified by a private company, a model that contrasts sharply with the opt-in ecosystems of app stores or the bounded, consent-based authentication used in services like Estonia's Smart ID for banking.

Security concerns have also been raised regarding the operational viability of the QR code challenge. The scan proves only that some certified device read the code, not that the person at the browser did; bot operators can therefore automate the verification by pointing a camera at a screen, rendering the measure ineffective against sophisticated bot farms. Furthermore, the requirement trains users to scan codes in order to reach websites, a habit that phishing campaigns can readily exploit.

The practical impact of the rollout is significant for privacy-conscious users. GrapheneOS, a security-hardened Android fork recommended by the EFF, and LineageOS with microG fail to satisfy the specific attestation levels required because they exclude Google Play Services. Similarly, Firefox for Android is absent from Google's stated browser support list, as Mozilla explicitly declined to integrate Google Play Integrity by design.

This shift marks a departure from the open web's status quo, where no single company could decide which hardware was legitimate enough to use it. By tying verification to a closed-source software layer and a specific certification architecture, Google has introduced a new governance and tracking problem to the internet, one that relies on hardware identity rather than computational effort to distinguish humans from bots.
