Google’s new remote attestation scheme is every bit as terrible as its old remote attestation scheme
If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
Long before "agentic AI," we had the idea that software would act as your agent on the internet. That's why the old-fashioned technical term for a browser is a "user agent." Your browser acts on your behalf to retrieve information and then show it to you, in the format you choose. It's your agent:
This is a powerful and profound idea. It is because browsers are our "agents" that we expect them to accept our directives, say, by blocking pop-ups, or by turning off autoplay sound, or by blocking commercial surveillance trackers:
https://privacybadger.org/
Your browser does all that because your browser works for you. The reason your browser can work for you is that the web is an open, standardized technology. In theory, anyone who follows the standards published by the World Wide Web Consortium (W3C) can make a browser, and that web browser can connect to any web server. Browsers and servers are interoperable. It's the same force that means you can put anyone's gas in your gas-tank, or anyone's shoelaces in your shoes, or anyone's milk on your cereal.
But what if manufacturers could dictate those choices to you? What if your light socket refused to use a lightbulb unless it was officially blessed by the socket's manufacturer? What if your dishwasher refused to wash your dishes unless you bought them from one of the manufacturer's "dish partners"? What if your toaster refused to toast "unauthorized bread"?
It's hard to see how a company could win its market with this strategy. After all, if the dishes are really better than the competition's, you'd buy them voluntarily, without any need for law or technology to force the matter. The only reason to make a dishwasher that refuses a rival's dishes is if the manufacturer's own dishes are ugly, expensive, and/or badly made.
But once a company owns the market – once they've achieved dominance by buying out their rivals; by bribing potential competitors to stay out of their lane; and by engaging in deceptive conduct to trap key suppliers and customers – they could cement their dominance by blocking interoperability, keeping out rival dishes, milk, gas, lightbulbs, shoelaces and bread, capturing their whole market and squeezing it.
That's what Google has done, and that's what Google wants to do more of. Google's commercial behavior has been so unethical, deceptive and abusive that the company just lost three federal antitrust cases:
They cheated app vendors, ripping them off with sky-high junk fees and onerous conditions that raised prices while lowering the share of your spending that went to the companies whose products you were paying for:
They cheated advertisers, rigging the ad market to gouge businesses on ad prices and underinvesting to fight rampant ad-fraud, sucking hundreds of billions out of the productive economy for overpriced ads that no one saw:
Google wasn't always this way. The "don't be evil" company owes its very existence to the open web ecosystem. When the company started to index the web in 1998, it was playing on an open field, where any web server could talk to any "user agent," even one whose user was a startup like Google, that was making a copy of every page on the server.
For years, Google thrived on the open web, and built open technologies. Android – the mobile operating system that Google bought in 2005 – was presented as an "open" alternative to existing mobile offerings, and as the mobile market collapsed into two companies – Google and Apple – Google always presented Android as the open alternative to Apple's "walled garden."
There were always ways in which Google's "open" Android wasn't exactly open. The company engaged in illegal "tying" arrangements that forced hardware vendors and carriers to lock out versions of Android that were created by Google's competitors:
In other words, even though Google offered a mobile platform that was (mostly) technically open, they used commercial and legal strategies to choke off the market oxygen for alternative Android versions that tried to capitalize on that technical openness.
But life finds a way. The existence of an open, modifiable, tinkerer-friendly mobile operating system meant Android hackers could create alternatives to Google's (de facto) walled garden, which thrived in the cracks in that garden wall. Operating systems like CalyxOS, PureOS and Graphene offered a more private, more secure Android experience, one that was largely "de-Googled," blocking Google's relentless acquisition of your private data:
https://grapheneos.org/
And Google's data-hunger is relentless. Android exfiltrates a chunk of your personal and behavioral data every five minutes. The "resting heartbeat" of Android surveillance pulses and pulses, irrespective of whether you're using your device, and the instant you unlock your screen, that heartbeat quickens, sending even more data to the company:
All that data has proved irresistible to authoritarian governments. Donald Trump's enforcers have seized on Google data as a vital source of information about the identity of protesters and the location of migrants hunted by ICE:
So there are plenty of reasons why users would seek out these de-Googled alternatives to Android, finding them in spite of Google's illegal commercial tactics to block access to competing technologies. The worse it got, the better those alternatives looked.
Perhaps this explains Google's years-long effort to increase the technical barriers to using modified versions of Android, beefing these up to match the commercial restrictions that stand in the way of a de-Googled existence.
Back in 2023, Google floated the idea of "Web Environment Integrity" (WEI), a set of modifications to web standards that would force your computer to disclose its operating environment to the web servers it connected to, even if you objected to this disclosure:
WEI was a form of "remote attestation." That's when your device uses a sub-processor (sometimes called a "Technical Protection Module" or "TPM") or a walled off part of its main processor (sometimes called a "secure enclave") to produce a cryptographically signed description of your device and its configuration: which hardware, software, plug-ins and settings you're running.
When you connect to a server, it demands that your device send this "attestation" before it handles your request. If your device won't provide this data, or if the server doesn't like (or recognize) your device and its details, it can refuse to deal with you. And because the attestation is prepared by a TPM or a secure enclave that you can't modify or override, you don't get to decide which facts about your device it's allowed to see.
Practically speaking, this means that remote attestation lets a server refuse to deal with you until you turn off your ad-blocker and your tracker-blocker. It means that the server can discriminate against users who block auto-play sound and video, who block pop-ups, who put the tab in the background when it's playing a mandatory pre-roll ad.
WEI was especially disturbing in light of Google's efforts to kill ad-blockers and privacy blockers through updates to Chrome, an effort that continues to this day:
These blockers are an important part of the dynamic between web publishers and their users. In the real world, when you get an offer, you can make a counter-offer. That's all an ad-blocker is: a way for users to respond to a server whose opening bid is, "How about you give me all your data and let me take over your computer in exchange for showing you this page?" with "How about 'Nah?'"
We didn't get rid of pop-up ads by making them illegal, or by boycotting advertisers who used them. We got rid of pop-up ads when web users installed pop-up blockers, which made pop-up ads pointless. Take away our ability to block obnoxious digital content and you guarantee that we will be flooded with it.
These kinds of modifications aren't just used to block ads – they're also key to accessibility. People who have photosensitive epilepsy or who (like me) suffer from low-contrast vision problems use add-ons to reformat pages so that we can safely and legibly access them.
WEI's creators said they were only trying to put the web on a level playing field with apps, which routinely rat you out to the companies you connect to. Apps are a source of bottomless enshittification, not least because (unlike the web), they enjoy special, dangerous legal protections that make it very legally risky to modify them:
WEI wasn't an effort to level the playing field between apps and the web – it was a race to the bottom, an attempt to make the web as enshittogenic as the app hellscape.
Public outrage to WEI killed the project, but Google's commitment to augmenting its illegal commercial lockdown efforts with technical lockdowns never ended. Now, Google has rolled out an experimental "reCAPTCHA Mobile Verification" that uses an app, your camera, and your device's TPM or secure enclave to produce an attestation about your Android device:
This will make it much easier for the apps and other services you interact with to block your device if you run an Android alternative, or if you install a mod that overrides the actions of Google's stock Android:
This is a terrible idea – it's every bit as bad as WEI was. In an age in which Big Tech is ever-more tied to authoritarian governments, redesigning our devices to tell strangers things we don't want them to know isn't just shortsighted, it's inexcusable.
Tl;dr: Google provides the grand majority of CAPTCHA services to the web. Now they're experimenting with a CAPTCHA type that's a QR code you have to scan with an iPhone or Android phone. This would make it impossible to use any CAPTCHA-protected website unless you have an iPhone or Android phone.
Anya is live and ready to show you everything. Watch her strip, dance, and perform exclusive shows just for you. Interact in real-time and make your fantasies come true.
✓ Live Streaming✓ Interactive Chat✓ Private Shows✓ HD Quality
Anya is LIVE right now
FREE
Free to watch • No registration required • HD streaming
We're here, we're queer, we're really fucking tired so we're just gonna go straight to biting instead of feigning polite confusion if you're gonna be a bigot this time, just so you know.
#I REGULARLY FORGET HOW MUCH I LOVE ANGEL #like 80% of his ~mysterious brooding~ is actually social ineptitude interpreted as something ‘cooler’ by observers #and that is SUCH A BEAUTIFUL THING TO ME
Anya is live and ready to show you everything. Watch her strip, dance, and perform exclusive shows just for you. Interact in real-time and make your fantasies come true.
✓ Live Streaming✓ Interactive Chat✓ Private Shows✓ HD Quality
Anya is LIVE right now
FREE
Free to watch • No registration required • HD streaming
i think i tend to forget how good boredom is for creativity because we're all so addicted to numbing ourselves with screens and stimulation. but standing in the shower or going for a walk with no music or just sitting in your bedroom without being allowed to touch any screens & all of a sudden i have multiple new projects to start, a solution to a months-long plot problem & 4 new original characters
Anya is live and ready to show you everything. Watch her strip, dance, and perform exclusive shows just for you. Interact in real-time and make your fantasies come true.
✓ Live Streaming✓ Interactive Chat✓ Private Shows✓ HD Quality
Anya is LIVE right now
FREE
Free to watch • No registration required • HD streaming
A little tiny microscopic dragon, rotifers passing by.
I've spent a lot of time peering down a microscope in the last few years, enjoying taking inspiration from the real tiny organisms to make one of my own.
The rule could have heavy impacts towards trans people across society.
Last week, the Trump administration quietly released a sweeping new federal rule that would use funding threats to force institutions across the country to reject transgender people. The 400-page proposed regulation would codify the administration's anti-trans executive orders into binding federal policy, imposing a blanket prohibition on federal funds going toward "gender ideology"
The proposed rule, formally titled "Regulation for Federal Financial Assistance," rewrites the government-wide framework governing all federal grants across every agency. Among its most consequential provisions, it requires that before a federal grant recipient can receive money, the award must pass a "pre-issuance review" conducted by a political appointee—not a career expert or peer reviewer—to ensure it is "consistent with applicable law, Federal agency priorities, and the national interest." The regulation explicitly instructs these appointees to screen for "denial by the recipient of the sex binary in humans or the notion that sex is a chosen or mutable characteristic." [...] An institution that acknowledges transgender people exist—through its policies, its training, its healthcare, its bathroom access, its HR procedures, its name-change processes—could be deemed to "deny the sex binary" or to “support the notion that sex is mutable” and have its federal funding blocked.
Importantly, the gender ideology prohibition has no age limitation—hospitals could be targeted not just for providing care to minors but for providing gender-affirming care to adults, because prescribing hormone therapy to a transgender patient of any age could be deemed promoting the belief that "sex is a chosen or mutable characteristic."
This is all very bad and horrible, but I want to be clear that it’s worse and more sweeping than just eliminating trans research.
This torches everything. And I do mean everything.
A very abbreviated list of its ramifications include (but are not limited to):
ending funding for ALL DEI related initiatives
allowing the government to terminate grants at any point for any reason
preventing researchers from publishing, going to conferences, and being part of academic societies
requiring that topics must support the president’s agenda.
What this means, and if anything I’m under selling it, is the death of science and research in America. It allows the government to restrict any topic they please at a whims notice, putting officials who have no background in the topic in charge of deciding funding continuity. It controls what gets researched and if/how researchers are allowed to share their discoveries. There are no books to burn if the government never allows them to be written. This is fascism plain and simple.
Please, if you only ever write one public comment, this is the one to do.
Bringing back this guide to writing an effective public comment. This gives you the basics you need to know, what you need to include, a basic outline you can follow, etc.
Public comments are not a vote, it is a chance for you to say "here is an issue with this law I think you need to address" and provide justification for legal challenges if it goes forward:
"Comments raise the bar that agencies have to meet when making a rule; “if an agency fails to adequately respond to significant, relevant comments in a final rule, members of the public may seek to challenge the rule in court on that basis and claim it could be struck down.ˮ"
But also, if possible, don't stop at writing a comment. Don't stop at calling your representatives. You should ideally be talking to people in your community about this and organizing resistance on-the-ground; there is a good chance people are already doing that even if you aren't hearing about it.
Anya is live and ready to show you everything. Watch her strip, dance, and perform exclusive shows just for you. Interact in real-time and make your fantasies come true.
✓ Live Streaming✓ Interactive Chat✓ Private Shows✓ HD Quality
Anya is LIVE right now
FREE
Free to watch • No registration required • HD streaming
