De-Googled smartphone users face lockout from reCAPTCHA amid privacy concerns

Privacy-focused Android users who have stripped Google Play Services from their devices may find themselves blocked by Google's updated QR code verification system.

Advocates for digital privacy have voiced strong opposition to Google's recent modifications to its reCAPTCHA platform, claiming the changes have essentially "blocked access" to countless websites for Android users operating privacy-oriented operating systems.

The reCAPTCHA service, which is owned by Google, serves to confirm whether a user is human, typically by requesting they select images containing buses or fire hydrants.

In late April, Google unveiled "Cloud Fraud Defense," marketing it as "the next evolution of reCAPTCHA." This newest iteration displays a QR code for users to scan to confirm their humanity, but it requires that Google Play Services or Apple's equivalent be present on the user's device, components that are absent from "de-Googled" Android smartphones, including those running GrapheneOS or CalyxOS.

"They're directly participating in locking out competition via their own services," stated the GrapheneOS team on Sunday, pointing to the growing reliance on Apple's App Attest and Google's Play Integrity.

"Requiring people to have an Apple device or Google-certified Android device is anti-competition, not security."

Those advocating for privacy frequently rely on de-Googled mobile operating systems to avoid data collection by Google's software and to enjoy greater control over what applications can be installed on their devices.

Backlash as changes impact privacy-focused users

"Privacy-conscious internet users are being demoted from 2nd to 3rd class netizens," said Bitcoin security researcher and cypherpunk Jameson Lopp on Sunday.

"Google now treats privacy as suspicious behavior by default," cybersecurity outlet International Cyber Digest said.

Brendan Eich, the CEO and co-founder of the privacy-centered Brave browser, argued that services should not prohibit people from utilizing arbitrary hardware and operating systems to begin with.

"Google's security excuse is clearly bogus when they permit devices with no patches for ten years… It's for enforcing their monopolies via GMS licensing, that's all."

Desktop browsers initially targeted

According to Google's website, to finish mobile verification, users must possess a compatible mobile device running Google Play Services version 25.41.30 or greater or iOS version 15.0 or greater.

The GrapheneOS team clarified that this change would affect Microsoft Windows or other operating systems that lack certification from Google or Apple. The verification prompt will predominantly appear on desktop platforms, though it may be extended to other systems, the team noted.

"Their plan requires having a certified Android device or iOS device to pass this on a desktop," they added.

"Control over reCAPTCHA puts Google in a position where they can require having either iOS or a certified Android device to use an enormous amount of the web."

Google engineers spearheaded a controversial proposal in 2023

Google pursued a similar approach in 2023 through a framework dubbed "Web Environment Integrity (WEI)," which would have granted the company authority to determine which devices were "real enough" to access the web, wrote International Cyber Digest.

"Standards bodies and the public pushed back hard, and Google killed it. Three years later, the same idea is back, just hidden behind a QR code instead of a browser feature," they added.