HeadlinesBriefing.com

Google's QR‑based Fraud Defense revives abandoned attestation scheme

Hacker News

In May 2026 Google rolled out Google Cloud Fraud Defense, branding it as the next step beyond reCAPTCHA. The service forces users to scan a QR code with a phone, then validates the device through Google's Play Integrity API. Only modern Android phones with Google Play Services or recent iPhone/iPad models satisfy the requirement, tying web access to certified hardware.

The mechanism mirrors the 2023 Web Environment Integrity (WEI) proposal, which asked browsers to present a cryptographic attestation that the device ran unmodified, Google‑certified firmware. After Mozilla and the EFF condemned WEI as a gate‑keeping scheme, Google shelved it. Fraud Defense resurrects the same attestation layer without public review, effectively commercialising the controversial tech and sparking industry debate over web standards.

Bot operators can bypass the QR step by pointing a cheap camera at a screen; a compliant Android device costs roughly $30, making large‑scale farms inexpensive. Privacy‑focused browsers and custom ROMs that omit Play Services fail the integrity check, excluding activists and journalists by design. By binding web access to a proprietary hardware identity, Google creates a persistent tracking vector.