Comment by kmeisthax

> The defeat is mechanical. Bot operators point a camera at a screen, a trivial automation with off-the-shelf hardware. For operations that need Play Integrity attestation specifically, a compliant Android device costs approximately $30 ($29.88 in Wallmart to be precise) - for a professional bot farm, which purchases devices in bulk, this is the fixed cost without material disruption to operations.

That's $30 per account, not one time. Because of the following:

> Device attestation does not just gate access - it produces attribution. A device with a stable hardware identity creates a persistent identifier that crosses sessions, browsers, and private browsing modes.

If you put all your bot accounts on one device, they all get banned at once. So fraudsters have to spread their accounts across multiple devices and replace them when they inevitably get banned. That's the reason for all the spying, attestation, and lockdown bullshit behind Google Cloud Fraud Defense. It is far easier to ban fraudsters if you just let the Maoists run the Risk Department.

The author proposes an alternative solution: proof-of-work. And, yes, there are use cases for that, such as Anubis. Google might even want to consider a proof-of-work option in certain scenarios. But there is no scenario in which someone's phone deliberately burns $30 worth of compute - perhaps a quarter of the user's battery - and the user still has a good onboarding experience. Most of your actual users are not going to be able to burn compute as efficiently as fraudsters, either - so maybe you have to burn the whole battery on a phone to cost a fraudster $30. Proof-of-work is, strictly speaking, anti-egalitarian and anti-democratic. "One CPU, One Vote" is less useful than you think when you realize fraudsters have the money to just buy lots of CPUs to always win[0].

Every Risk Department eventually reinvents arbitrary and capricious punishment. When you have no legal authority to prosecute crime, you rely entirely upon your freedom of association and ban people with a hair trigger. It's the only thing that works. Personally, I'd rather live in the world where governments actually took fraud seriously and corporations didn't have to do this, but for right now, GCFD is at least less onerous than WEI in the sense that WEI was going to lock down all browsers. GCFD just means I have to keep a Google-approved phone around to scan a QR code every once in a while.

[0] I'm not mentioning the massive waste problem proof-of-work creates, because obviously attestation will also produce waste. Actually, if anything, the fraudsters will probably wind up dumping all their banned devices on the used market and ruin it.