In May 2026, Google announced “Google Cloud Fraud Defense - the next evolution of reCAPTCHA.” The announcement described a QR code challenge where users scan a code with their phone to prove human presence.
Google killed Web Environment Integrity in 2023 after standards bodies objected. Today, three years later, the same device attestation mechanism launched as a commercial product.
The open web survived because no single company could decide which hardware was legitimate enough to use it. Google is determined to end that status quo - now through a CAPTCHA update.
Google already tried this in 2023
In June 2023, a Google engineer named Yoav Weiss posted a proposal to the Chromium project called “Web Environment Integrity.” The mechanism was direct: browsers would ask device hardware to sign a cryptographic attestation proving the browser was unmodified and running on Google-certified hardware. Websites could verify the signature and decide whether to serve content without friction or add a challenge. Of course, the proposal framed this as protecting web integrity against bots and automated scraping.
Mozilla published a formal position within days. The proposal “works against users’ interests” and “creates a gated internet controlled by OS and device vendors.” The Electronic Frontier Foundation called it “Chrome’s Plan to DRM the Web,” noting that by design, only Chrome running on Android or other certified hardware would easily pass attestation - routing traffic toward Google’s ecosystem as a structural consequence, not a side effect.
Google withdrew WEI three weeks after publication. The Chromium GitHub thread closed. Publicly, it was dead.
In May 2026, Google announced Google Cloud Fraud Defense - described in its blog post as “the next evolution of reCAPTCHA.” The system challenges users with a QR code: scan it with your phone to confirm human presence. The requirements page specifies the hardware that qualifies: “modern Android device with Google Play Services installed, or modern iPhone/iPad.”
“Google Play Services installed” is doing significant work in that sentence. Google Play Services is Google’s closed-source software layer that runs on certified Android devices and provides the attestation APIs - the Play Integrity API specifically - that prove a device is unmodified and approved by Google. A device without Play Services cannot satisfy Play Integrity checks at the level Fraud Defense requires. That is not a technical limitation waiting to be engineered around. It is the mechanism.
The WEI review process, whatever its limitations, required Google to defend the mechanism publicly. The proposal was withdrawn because the objections held. With Fraud Defense, there was no process to respond to. The product launched. The requirements page went live. The same attestation infrastructure that generated those documented objections in 2023 became the underpinning of a commercial service available to any organization with a Google Cloud billing account.