Sat 11 Jul 2026 / 11:22 ET
Kernel
Long Reads 3 min read

Google’s reCAPTCHA test revives remote attestation fight on Android

Cory Doctorow says Google’s experimental mobile verification flow could help services reject modified or de-Googled Android devices.

Mara Chen-Doyle

By Mara Chen-Doyle / Staff Writer

Google has introduced an experimental reCAPTCHA Mobile Verification flow that critics say brings a familiar fight over remote attestation back to Android: whether services should be able to demand a cryptographic report about a user’s device before letting that user in.

According to a Google support page cited by writer Cory Doctorow, the reCAPTCHA experiment uses a mobile app, the phone’s camera and hardware-backed security such as a TPM or secure enclave to produce an attestation about an Android device. Google presents the feature under its anti-abuse reCAPTCHA system. Doctorow argues that the same plumbing could let apps and websites refuse access to people running alternative Android builds or device modifications.

Remote attestation is not magic, despite the marketing fog usually sprayed around it. A device asks a protected hardware component to sign a statement about the machine’s software and configuration. A server can then decide whether that signed statement is acceptable. If the server does not like the result, or if the device will not provide one, the server can deny service.

That is useful for companies trying to detect bots or tampered clients. It also gives services a new choke point over user-controlled software. A browser extension, a privacy tool, a custom operating system or an accessibility modification can become grounds for rejection if the service decides only approved environments count.

Doctorow connects the reCAPTCHA test to Google’s abandoned 2023 Web Environment Integrity proposal. That proposal would have added a way for websites to ask browsers for attestations about the user’s computing environment. After public criticism, Google dropped the effort. Doctorow says the new mobile verification test pursues the same basic capability through Android and reCAPTCHA rather than through web standards.

The practical concern is sharpest for people who use Android forks such as GrapheneOS, CalyxOS or PureOS, which are designed to reduce dependence on Google services and limit data collection. Doctorow says a hardware-backed attestation requirement would make it easier for services to block those users, even when the device owner has chosen the software for privacy or security reasons.

The dispute also sits inside a broader regulatory record. The European Commission said in 2018 that Google used Android-related tying practices to restrict competition. In the United States, the Justice Department has said it prevailed in an ad-tech monopolization case against Google, and other antitrust cases have targeted Google’s search and app-store conduct. Google disputes or contests parts of that wider antitrust picture, but the cases explain why technical restrictions from the company get read with suspicion.

Doctorow’s objection is not that attestation cannot identify some abusive traffic. His objection is that the same mechanism lets servers require devices to disclose facts their owners may not want to reveal, using hardware that the owner cannot meaningfully rewrite. In that model, the user’s device stops behaving like an agent for the user and starts carrying a hall pass for whoever controls the gate.

This story draws on original reporting from Pluralistic.

More Long Reads/

view all ↗