Google’s New Human Test Exploits a De Facto Monopoly

Google’s new reCAPTCHA can no longer be used without Google Play Services. The company is expanding its power and shutting out Android users who do not want to be tied to its ecosystem.

Google’s reCAPTCHA is at the center of a new dispute over access, security and platform dependence. Photo: Edward Berthelot/Getty Images/AI


Everyone knows reCAPTCHA, even if they do not know its name. It is the online test that proves a user is a human being rather than a machine. Who has not at some point been asked to click on bicycles, traffic lights, hydrants or cars in a three-by-three or four-by-four grid of images to verify that a human, not a robot, is acting?

For modern AI, however, image recognition has long since ceased to be a serious obstacle.

Google therefore wants to harden the web against a new generation of automated attacks. It plans to do so through Google Cloud Fraud Defense. The familiar reCAPTCHA is being turned into a broader platform against fraud, bots and AI agents. Google describes the method as an AI-resistant barrier intended to make automated fraud unattractive.

Google as the New Gatekeeper

At first glance, that sounds like a timely and sensible measure. Yet the new solution has a side effect that is anything but harmless. Anyone using an Android phone without Google Play Services may be shut out. Users of Google-free Android variants such as GrapheneOS, LineageOS or other custom ROMs, as well as owners of devices shipped without Google services, may be affected.


Put more simply: without Google Play Services, there is no reCAPTCHA verification and therefore no access to accounts on websites that use the tool.

Google is blurring the line between security checks and platform dependence. A real person may be sitting in front of the screen, have a legitimate account on a chosen website and still fail the test because his phone lacks the system component required by Google.

That is more than a technical detail. reCAPTCHA has a dominant market position and is used on millions of websites as protection against bots. If the new form now becomes a condition for accessing one’s own account, access no longer depends solely on the website operator, but also on whether Google approves the user’s mobile operating system.

Google Uses Its Power and Monopoly Position

The measure is problematic above all because of its asymmetry. Those who consciously decide against Google services often do so for reasons of privacy, digital self-determination or security architecture. The new reCAPTCHA test turns that decision against them. Anyone who does not want to use Google is punished.

Website protection with reCAPTCHA code. Photo: via Getty Images

There is also a competition issue. With Android, Play Services, reCAPTCHA and Cloud Fraud Defense, Google controls several layers of the same chain. The company provides the mobile operating system, supplies central background services, operates the verification infrastructure and sells it to website operators.

If access to websites effectively depends on a tie to Google, an already powerful system becomes even stronger.

The European Union Is Examining the Issue

The European Commission is already examining questions of Android interoperability under the Digital Markets Act. Interoperability is the ability of different IT systems, devices, applications or organizations to work together seamlessly, exchange data without loss and use that information jointly. The new reCAPTCHA hurdle fits precisely into this debate because it shows how rejecting one Google service can become a barrier to using another system altogether.


Google is right that the web needs new safeguards for verification. AI agents, botnets and automated fraud are real threats. A bot test should check whether a human being is really acting. But it should not bind users to specific services. The better solution would be platform-neutral verification that permits several trusted routes and does not tie users to Google Play Services.

As long as that is missing, Google’s new reCAPTCHA generation remains an example of how technical security can tip into digital control. The web is not only being protected against bots. It is also becoming more dependent on a company that already controls many of its access points.