Reviving Abandoned WEI Proposal, Google's "Cloud Fraud Defense" Accused of Hijacking an Open Web
In May 2026, Google launched Google Cloud Fraud Defense, officially marketed as the next evolution of reCAPTCHA. The system requires users to scan a QR code with a smartphone to verify human presence. While framed as a bot mitigation tool, the underlying mechanism relies on Google Play Services and device attestation, effectively reviving the Web Environment Integrity (WEI) initiative that Google withdrew in 2023 following significant industry backlash.

In June 2023, Google proposed WEI, a standard requiring browsers to produce cryptographic attestations proving that they were running on unmodified, Google-certified hardware. The proposal faced immediate criticism from Mozilla and the Electronic Frontier Foundation. Critics argued it would create a gated internet controlled by device vendors, amount to DRM for the web, and route traffic exclusively toward Google's ecosystem. Consequently, Google dropped the proposal three weeks after its release.

Three years later, Google introduced Fraud Defense, using the same attestation infrastructure but packaged as a commercial product. The service mandates that users possess a modern Android device with Google Play Services or an Apple iOS device. The Play Integrity API, which verifies that a device is unmodified and certified by Google, serves as the core verification mechanism. Unlike the public review process of 2023, Fraud Defense was launched directly as a commercial offering, allowing any organization with a Google Cloud account to deploy it without external oversight.

Critics highlight several critical flaws in this approach. First, the QR code challenge is mechanically weak: bot operators can simply point a camera at a screen, or use cheap Android devices costing approximately $30 each, to automate the solution. Second, the system creates a phishing risk by training users to scan QR codes in order to access websites, a behavior malicious actors can easily exploit.

Furthermore, the requirement for Google Play Services excludes users who prioritize privacy and security. Privacy-focused operating systems like GrapheneOS and LineageOS, which omit Play Services by design, cannot satisfy the attestation checks. Similarly, Firefox for Android is not supported because it does not integrate Google's certification architecture. As a result, legitimate users of privacy-respecting tools are barred from accessing sites, not because they are bots, but because they decline to participate in Google's certification layer.

The most significant concern is the architectural shift toward tracking. Every successful verification sends a signal to Google, linking a specific certified hardware identity to a specific website at a specific time. This creates a persistent identifier that crosses sessions and private browsing modes, allowing Google to build a comprehensive profile of user behavior across the open web. This outcome was a primary objection to the original WEI proposal.

Technical alternatives exist that do not require hardware attestation. Systems like Private Captcha use proof-of-work challenges that impose a computational cost on bots while preserving user privacy. These methods require no device certification and transmit no hardware identifiers. Google's decision to bypass these options in favor of device attestation suggests a strategy to accumulate attribution data rather than simply to prevent fraud.

Ultimately, Google has reintroduced a rejected standard behind a commercial product, prioritizing device certification and user tracking over open web standards and privacy.
