Google broke reCAPTCHA for de-googled Android users
Source: Hacker News
Overview
Google has tied its next‑generation reCAPTCHA system to Google Play Services on Android, meaning anyone running a de‑Googled phone will automatically fail verification when the system decides to challenge them.
The requirement forces Android users to run Google’s proprietary app framework version 25.41.30 or higher just to prove they’re human.
When reCAPTCHA flags what it considers suspicious activity, it abandons the old image puzzles and demands you scan a QR code. That scan requires Play Services running in the background, communicating with Google’s servers. If you’re using GrapheneOS or any other custom ROM that strips out Google’s software, the verification fails.
Google announced the broader system, Google Cloud Fraud Defense, at Cloud Next on April 23, pitching it as a trust platform designed to handle autonomous AI agents and traditional bots alike. What Google didn’t emphasize was the part where proving you’re human now requires submitting to its proprietary surveillance.
History of the Play Services Requirement
- An Internet Archive snapshot from October 2025 shows the same support page already listing a Play Services requirement at version 25.39.30.
- Google built this dependency quietly for at least seven months before a Reddit user on the degoogle subreddit flagged it.
- Reporting from PiunikaWeb and Android Authority brought wider attention.

iOS Comparison
Apple devices running iOS 16.4 or later complete the same verification without installing any additional apps. Google does not require iPhone users to install Google software to pass the test. Only Android users who refuse Play Services get locked out, highlighting an asymmetry that points to ecosystem control rather than pure security concerns.
Implications for Users and the Web
- Ecosystem Control: By tying verification to Play Services, Google establishes a precedent where accessing basic web content requires running Google’s software and transmitting data to Google’s servers.
- Impact on De‑Googled Users: People who choose de‑Googled phones do so after reviewing data‑practice disclosures and deciding they do not consent to Play Services’ telemetry. The new system penalizes that decision by treating the absence of Google’s proprietary software as suspicious by default.
- Developer Responsibility: Web developers adopting this reCAPTCHA should understand the trade‑off. Implementing it effectively tells de‑Googled Android users they are not welcome. While this audience is currently small, it is highly sensitive to data‑privacy practices and unlikely to compromise on its principles.
Recommendations for Developers
- Assess Audience Impact: Consider whether your user base includes privacy‑focused Android users and how blocking them might affect your site’s reputation.
- Provide Alternatives: Offer a fallback verification method that does not depend on Play Services (e.g., email‑based verification, hCaptcha, or a self‑hosted CAPTCHA solution).
- Transparent Communication: Clearly inform users why a particular verification method is used and what data is transmitted to Google.
- Monitor Updates: Stay informed about changes to Google’s reCAPTCHA requirements to avoid unintentionally excluding users.
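One way to build the email-based fallback from "Provide Alternatives", as an added example that is not code from Google or from the article: a stateless, expiring, HMAC-signed token sent in an emailed link and accepted in place of the CAPTCHA result. All names, the key handling and the 10-minute lifetime are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Assumption: in production this key comes from a secret store and is
# shared by all application servers; generated here so the example runs.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL = 600  # assumed token lifetime in seconds


def _sign(payload: bytes) -> bytes:
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=")


def _payload(email: str, expires: int, nonce: str) -> bytes:
    # The MAC binds the token to one address and one expiry time.
    return f"{email.strip().lower()}|{expires}|{nonce}".encode()


def issue_token(email, now=None):
    """Build the token placed in the verification link emailed to the user."""
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    nonce = secrets.token_urlsafe(12)  # never contains '.'
    sig = _sign(_payload(email, expires, nonce)).decode()
    return f"{expires}.{nonce}.{sig}"


def verify_token(token, email, now=None):
    """True only for an unexpired, untampered token issued for this email."""
    try:
        expires_s, nonce, sig = token.split(".")
        expires = int(expires_s)
    except ValueError:
        return False  # wrong number of fields or non-numeric expiry
    expected = _sign(_payload(email, expires, nonce))
    if not hmac.compare_digest(expected, sig.encode()):  # constant-time
        return False
    return (time.time() if now is None else now) <= expires


def is_verified(captcha_passed, token, email, now=None):
    """Accept the primary CAPTCHA result or, failing that, the emailed token."""
    if captcha_passed:
        return True
    return token is not None and verify_token(token, email, now)
```

The token stays valid until it expires; making it single-use requires recording spent nonces server-side, and the endpoint that sends the email needs its own rate limit.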