Google’s new remote attestation scheme is every bit as terrible as its old remote attestation scheme



Google owes its existence to the open web, but today, its technological “innovations” have much to do with locking users into a “walled garden.” The latest of these is “reCAPTCHA Mobile Verification,” an experimental initiative that will let companies block users if they are running independent, “de-googled” versions of Android. These “indie Android” versions are favored by people who want to protect their privacy and their attention by blocking trackers and ads. Worse, this is just the latest in a line of similarly user-hostile measures. 

Long before “agentic AI,” we had the idea that software would act as your agent on the internet. That’s why the old-fashioned technical term for a browser is a “user agent.” Your browser acts on your behalf to retrieve information and then show it to you, in the format you choose. It’s your agent. 

This is a powerful and profound idea. It is because browsers are our “agents” that we expect them to accept our directives, say, by blocking pop-ups, or by turning off autoplay sound, or by blocking commercial surveillance trackers. 

Your browser does all that because your browser works for you. The reason your browser can work for you is that the web is an open, standardized technology. In theory, anyone who follows the standards published by the World Wide Web Consortium (W3C) can make a browser, and that web browser can connect to any web server. Browsers and servers are interoperable. It’s the same force that means you can put anyone’s gas in your gas-tank, or anyone’s shoelaces in your shoes, or anyone’s milk on your cereal. 

But what if manufacturers could dictate those choices to you? What if your light socket refused to use a lightbulb unless it was officially blessed by the socket’s manufacturer? What if your dishwasher refused to wash your dishes unless you bought them from one of the manufacturer’s “dish partners?” What if your toaster refused to toast “unauthorized bread?” 

It’s hard to see how a company could win its market with this strategy. After all, if the dishes are really better than the competition’s, you’d buy them voluntarily, without any need for law or technology to force the matter. The only reason to make a dishwasher that refuses a rival’s dishes is if the manufacturer’s own dishes are ugly, expensive, and/or badly made. 

But once a company owns the marketonce they’ve achieved dominance by buying out their rivals; by bribing potential competitors to stay out of their lane; and by engaging in deceptive conduct to trap key suppliers and customersthey can cement their dominance by blocking interoperability, keeping out rival dishes, milk, gas, lightbulbs, shoelaces and bread, capturing their whole market and squeezing it. 

That’s what Google has done, and that’s what Google wants to do more of Google’s commercial behavior has been so unethical, deceptive and abusive that the company just lost three federal antitrust cases. This thrice-convicted monopolist paid Applemore than $20b/year to stay out of the search market: It cheated app vendors, ripping them off with sky-high junk fees and onerous conditions that raised prices while lowering the share of your spending that went to the companies whose products you were paying for. It cheated advertisers, rigging the ad market to gouge businesses on ad prices and underinvesting to fight rampant ad-fraud, sucking hundreds of billions out of the productive economy for overpriced ads that no one saw. 

Google wasn’t always this way. The “don’t be evil” company owes its very existence to the open web ecosystem. When the company started to index the web in 1998, it was playing on an open field, where any web server could talk to any “user agent,” even one whose user was a startup like Google, that was making a copy of every page on the server. 

For years, Google thrived on the open web, and built open technologies. Androidthe mobile operating system that Google bought in 2005 was presented as an “open” alternative to existing mobile offerings, and as the mobile market collapsed into two companiesGoogle and AppleGoogle always presented Android as the open alternative to Apple’s “walled garden.” But there were always ways in which Google’s “open” Android wasn’t exactly open. The company engaged in illegal “tying” arrangements that forced hardware vendors and carriers to lock out versions of Android that were created by Google’s competitors. 

In other words, even though Google offered a mobile platform that was (mostly) technically open, it found other ways to try to choke off the market oxygen for alternative Android versions that tried to capitalize on that technical openness. 

But life finds a way. The existence of an open, modifiable, tinkerer-friendly mobile operating system meant Android hackers could create alternatives to Google’s (de facto) walled garden, which thrived in the cracks in that garden wall. Operating systems like CalyxOS, PureOS and Graphene offered a more private, more secure Android experience, one that was largely “de-Googled,” blocking Google’s relentless acquisition of your private data. 

And Google’s data-hunger is relentless. Android exfiltrates a chunk of your personal and behavioral data every five minutes. The “resting heartbeat” of Android surveillance pulses and pulses, irrespective of whether you’re using your device, and the instant you unlock your screen, that heartbeat quickens, sending even more data to the company. All that data has proven irresistible to authoritarian governments. Donald Trump’s enforcers have seized on Google data as a vital source of information about the identity of protesters and the location of migrants hunted by ICE. 

So there are plenty of reasons why users would seek out these de-Googled alternatives to Android, finding them in spite of Google’s efforts to block access to competing technologies. The worse it got, the better those alternatives looked. 

Perhaps this explains Google’s years-long effort to increase the technical barriers to using modified versions of Android, beefing these up to match the commercial restrictions that stand in the way of a de-Googled existence. 

Back in 2023, Google floated the idea of “Web Environment Integrity” (WEI), a set of modifications to web standards that would force your computer to disclose its operating environment to the web servers it connected to, even if you objected to this disclosure. 

WEI was a form of “remote attestation.” That’s when your device uses a sub-processor (sometimes called a “Technical Protection Module” or “TPM”) or a walled off part of its main processor (sometimes called a “secure enclave”) to produce a cryptographically signed description of your device and its configuration: which hardware, software, plug-ins, and settings you’re running. 

When you connect to a server, it demands that your device send this “attestation” before it handles your request. If your device won’t provide this data, or if the server doesn’t like (or recognize) your device and its details, it can refuse to deal with you. And because the attestation is prepared by a TPM or a secure enclave that you can’t modify or override, you don’t get to decide which facts about your device it’s allowed to see. 

Practically speaking, this means that remote attestation lets a server refuse to deal with you until you turn off your ad-blocker and your tracker-blocker. It means that the server can discriminate against users who block auto-play sound and video, who block pop-ups, who put the tab in the background when it’s playing a mandatory pre-roll ad. 

WEI was especially disturbing in light of Google’s plan to kill ad-blockers and privacy blockers through updates to Chrome, an effort that continues to this day. 

These blockers are an important part of the dynamic between web publishers and their users. In the real world, when you get an offer, you can make a counter-offer. That’s all an ad-blocker is: a way for users to respond to a server whose opening bid is, “How about you give me all your data and let me take over your computer in exchange for showing you this page?” with “How about ‘Nah?’

We didn’t get rid of pop-up ads by making them illegal, or by boycotting advertisers who used them. We got rid of pop-up ads when web users installed pop-up blockers, which made pop-up ads pointless. Take away our ability to block obnoxious digital content and you guarantee that we will be flooded with it. 

These kinds of modifications aren’t just used to block adsthey’re also key to accessibility. People who have photosensitive epilepsy or suffer from low-contrast vision problems use add-ons to reformat pages so they can safely and legibly access them. 

WEI’s creators said they were only trying to put the web on a level playing field with apps, which routinely disclose facts about your device to the companies whose servers you connect to, without asking you, and even if you don’t want them to. Apps are a source of bottomless enshittification, not least because (unlike the web), they enjoy special, dangerous legal protections that make it very legally risky to modify them. WEI wasn’t an effort to level the playing field between apps and the webit was a race to the bottom, an attempt to make the web as enshittification-friendly as apps. 

Public outrage to WEI killed the project, but Google’s commitment to augmenting its illegal commercial lockdown efforts with technical lockdowns never ended. Now, Google has rolled out an experimental “reCAPTCHA Mobile Verification” that uses an app, your camera, and your device’s TPM or secure enclave to produce an attestation about your Android device. 

This will make it much easier for the apps and other services you interact with to block your device if you run an Android alternative, or if you install a mod that overrides the actions of Google’s stock Android. 

This is a terrible ideait’s every bit as bad as WEI was. In an age in which Big Tech is ever-more tied to authoritarian governments, redesigning our devices to tell strangers things we don’t want them to know isn’t just shortsighted, it’s inexcusable. 

 

 



Source link

  • Related Posts

    Four nuclear reactors hit a big milestone in the US

    But achieving criticality doesn’t mean a reactor is ready to provide electricity for the grid (or at all, for that matter). Let’s untangle what this program’s success could mean for…

    Goodbye Smart Lock Apps! Apple Home Key and Android Wallet Just Got Universal video

    Wes Ott tries out the new Aliro standard with the Nuki smart lock. He goes over why this new standard from the CSA matters and how it will change smart…

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    You Missed

    Four nuclear reactors hit a big milestone in the US

    Four nuclear reactors hit a big milestone in the US

    Iran War Live Updates: U.S. and Iran Trade Fresh Strikes

    Iran War Live Updates: U.S. and Iran Trade Fresh Strikes

    American forward Cole Campbell joins promoted Elversberg in Bundesliga

    American forward Cole Campbell joins promoted Elversberg in Bundesliga

    Canadian accused of Las Vegas flamingo theft, torture pleads not guilty

    More than a dozen immigration detention facilities have gone over a year without inspection under revised ICE policies

    More than a dozen immigration detention facilities have gone over a year without inspection under revised ICE policies

    Echoes of Aincrad release date and launch times

    Echoes of Aincrad release date and launch times