The gate to the pig pen is closing…

Sites that use reCAPTCHA/Turnstile/etc. have already been broken for me for years now due to neverending captcha/refresh loops.

My ISP regularly changes everyone's IP, and I apparently share an ISP with people who suck, so I get flagged just trying to do all sorts of normal things. Some examples:

- I've never bought anything from Etsy but I'm somehow banned from even viewing their site at all.

- Discord immediately bans me any time I try to create an account.

- Can't buy flights from Delta, always gives a non-descript error.

- Can't buy concert tickets, it thinks I'm a fraudulent buyer.

- Most CF sites produce a "Sorry, you have been blocked" page, or just loop.

- Trying to buy products on a shopping cart will have my order silently flagged/canceled for "VPN usage" (I don't use one).

- Some sites/programs block me for being on the DroneBL or similar lists I did nothing to get onto, and have verified many times that it's not really coming from me.

I just take my business elsewhere... eventually I'll probably just stop using technology at all.

My understanding is that this new reCAPTCHA is basically just remote attestation.

Remote attestation doesn't use blind signatures (as that would be 'farmable') so tying the device to the 'attestee' is technically possible with collusion of Google servers: EK (static burned-in private key) -> AIK (ephemeral identity key in secure enclave signed by a Google server) -> attestation (signed by AIK). As you can see if the Google server logs EK -> AIK conversions an attestation can be trivially traced to your device's EK. This is also why we don't really see and probably never will see online services which offer fake remote attestations, as it will be pretty obvious that the next step of running such a service is getting Google as a customer and having all your devices blacklisted. Private farms probably won't last long either as I'm sure Google logs everything and will correlate.

Unless something special is done with this new reCAPTCHA not only are you locking internet services behind TPM chips but you are also surrendering anonymity to Google. Unless you acquire untraceable burners for every service, the new reCAPTCHA will be technically capable to tying all your accounts across all these services together. Much like age verification. It may appear that the service would need to cooperate to link the reCAPTCHA session to your registration but the registration time alone will likely be sufficient (the anonymity set will be all but destroyed).

Related:

Google Cloud fraud defense, the next evolution of reCAPTCHA

https://news.ycombinator.com/item?id=48039362

Google Cloud Fraud Defence is just WEI repackaged

https://news.ycombinator.com/item?id=48063199

Please stop calling Android Linux. It's a marketing lie that continues to disappoint, including here. You're holding Linux back substantially by claiming Android is part of it. Just because it has Unix doesn't mean it's Linux as MacOS is also Unix.