Cory Doctorow exposes a dangerous pivot in how tech giants are weaponizing hardware against user autonomy, arguing that Google's latest "remote attestation" scheme is not an innovation but a sophisticated trap designed to lock users into a single corporate ecosystem. While the industry frames this as a security upgrade, Doctorow reveals it as the final nail in the coffin for an open web where software acts as your agent rather than your jailer.
The Agent vs. The Walled Garden
The piece begins by dismantling the fundamental promise of the internet: interoperability. Doctorow writes, "Your browser works for you... It's the same force that means you can put anyone's gas in your gas-tank, or anyone's shoelaces in your shoes." This analogy is striking because it grounds abstract technical standards in physical reality, making the violation of those standards feel like a tangible theft of consumer rights. The author argues that when manufacturers dictate which lightbulbs fit your socket or which bread fits your toaster, you are no longer the customer; you are a captive.
The commentary here is particularly sharp because it connects this technical shift to Google's well-documented history of anti-competitive behavior. Doctorow notes that "Google wasn't always this way," tracing its evolution from an open-web indexer to a "thrice-convicted monopolist" that has lost three federal antitrust cases. The argument gains weight by listing specific abuses: bribing Apple with over $20 billion annually, ripping off app vendors with junk fees, and rigging ad markets. This context is essential; without it, the remote attestation scheme might look like a mere technical dispute. With it, it appears as a strategic maneuver to cement dominance after legal avenues have failed.
Critics might argue that some level of device verification is necessary for security and fraud prevention, especially in banking or high-stakes transactions. However, Doctorow counters this by pointing out that the technology is being deployed broadly to discriminate against privacy tools, not just protect sensitive data. The distinction between verifying a user's identity and verifying their software configuration is the crux of the conflict.
"Take away our ability to block obnoxious digital content and you guarantee that we will be flooded with it."
The Death of the Open Android
The article then pivots to the mobile ecosystem, where the stakes are even higher due to the sheer volume of personal data at risk. Doctorow describes how Android, once marketed as the "open" alternative to Apple's walled garden, has been systematically closed off through illegal tying arrangements and technical barriers. He highlights a disturbing reality: "Android exfiltrates a chunk of your personal and behavioral data every five minutes," creating a "resting heartbeat" of surveillance that intensifies the moment a user unlocks their screen.
This relentless data collection has real-world consequences beyond privacy invasion. Doctorow points out that this data is "irresistible to authoritarian governments," citing how law enforcement agencies have seized Google data to identify protesters and track migrants. This historical parallel echoes earlier concerns about digital surveillance, reminiscent of the debates surrounding the Sanchar Saathi initiative in India or the EU's efforts to balance privacy with monopoly power. The argument suggests that by hardening Android against modification, Google is not just protecting its revenue stream; it is making it easier for state actors to access a unified, unmodifiable data pipeline.
The author argues that alternatives like CalyxOS and GrapheneOS exist precisely because users want to opt out of this surveillance. Yet, Google's new "Web Environment Integrity" (WEI) proposal and the subsequent reCAPTCHA Mobile Verification scheme are designed to crush these alternatives. Doctorow explains that remote attestation forces a device to cryptographically prove its configuration to a server before allowing access. If the device is running a modified version of Android or has privacy blockers installed, the server can simply refuse to deal with it.
The Race to the Bottom
Doctorow frames this not as an improvement in security, but as a degradation of user agency. He writes, "WEI wasn't an effort to level the playing field between apps and the web — it was a race to the bottom, an attempt to make the web as enshittogenic as the app hellscape." This is a powerful reframing. Instead of viewing these changes as necessary evolutions for the digital age, Doctorow presents them as a deliberate regression toward a model where users have zero control over their own devices.
The commentary effectively highlights the hypocrisy of companies claiming to protect users while simultaneously removing their ability to customize or secure their environments. As Doctorow puts it, "In an age in which Big Tech is ever-more tied to authoritarian governments, redesigning our devices to tell strangers things we don't want them to know isn't just shortsighted, it's inexcusable." This line cuts through the technical jargon to address the moral imperative of the situation.
A counterargument worth considering is that without these verification mechanisms, malicious actors could more easily spoof devices and launch attacks. However, Doctorow suggests that the current implementation prioritizes corporate control over genuine security needs, effectively turning every user's device into a potential informant against their own preferences.
"Practically speaking, this means that remote attestation lets a server refuse to deal with you until you turn off your ad-blocker and your tracker-blocker."
Bottom Line
Doctorow's most compelling contribution is the clear line he draws between technical standards and market power, showing how one is used to enforce the other. The argument's greatest strength lies in its historical grounding, reminding us that an open web was once a reality that can be reclaimed if we resist these new barriers. The biggest vulnerability for critics of this view is the difficulty of proving intent versus capability, but the sheer volume of Google's recent antitrust losses makes the pattern hard to ignore.
Cory Doctorow exposes a dangerous pivot in how tech giants are weaponizing hardware against user autonomy, arguing that Google's latest "remote attestation" scheme is not an innovation but a sophisticated trap designed to lock users into a single corporate ecosystem. While the industry frames this as a security upgrade, Doctorow reveals it as the final nail in the coffin for an open web where software acts as your agent rather than your jailer.
The Agent vs. The Walled Garden
The piece begins by dismantling the fundamental promise of the internet: interoperability. Doctorow writes, "Your browser works for you... It's the same force that means you can put anyone's gas in your gas-tank, or anyone's shoelaces in your shoes." This analogy is striking because it grounds abstract technical standards in physical reality, making the violation of those standards feel like a tangible theft of consumer rights. The author argues that when manufacturers dictate which lightbulbs fit your socket or which bread fits your toaster, you are no longer the customer; you are a captive.
The commentary here is particularly sharp because it connects this technical shift to Google's well-documented history of anti-competitive behavior. Doctorow notes that "Google wasn't always this way," tracing its evolution from an open-web indexer to a "thrice-convicted monopolist" that has lost three federal antitrust cases. The argument gains weight by listing specific abuses: bribing Apple with over $20 billion annually, ripping off app vendors with junk fees, and rigging ad markets. This context is essential; without it, the remote attestation scheme might look like a mere technical dispute. With it, it appears as a strategic maneuver to cement dominance after legal avenues have failed.
Critics might argue that some level of device verification is necessary for security and fraud prevention, especially in banking or high-stakes transactions. However, Doctorow counters this by pointing out that the technology is being deployed broadly to discriminate against privacy tools, not just protect sensitive data. The distinction between verifying a user's identity and verifying their software configuration is the crux of the conflict.
"Take away our ability to block obnoxious digital content and you guarantee that we will be flooded with it."
The Death of the Open Android
The article then pivots to the mobile ecosystem, where the stakes are even higher due to the sheer volume of personal data at risk. Doctorow describes how Android, once marketed as the "open" alternative to Apple's walled garden, has been systematically closed off through illegal tying arrangements and technical barriers. He highlights a disturbing reality: "Android exfiltrates a chunk of your personal and behavioral data every five minutes," creating a "resting heartbeat" of surveillance that intensifies the moment a user unlocks their screen.
This relentless data collection has real-world consequences beyond privacy invasion. Doctorow points out that this data is "irresistible to authoritarian governments," citing how law enforcement agencies have seized Google data to identify protesters and track migrants. This historical parallel echoes earlier concerns about digital surveillance, reminiscent of the debates surrounding the Sanchar Saathi initiative in India or the EU's efforts to balance privacy with monopoly power. The argument suggests that by hardening Android against modification, Google is not just protecting its revenue stream; it is making it easier for state actors to access a unified, unmodifiable data pipeline.
The author argues that alternatives like CalyxOS and GrapheneOS exist precisely because users want to opt out of this surveillance. Yet, Google's new "Web Environment Integrity" (WEI) proposal and the subsequent reCAPTCHA Mobile Verification scheme are designed to crush these alternatives. Doctorow explains that remote attestation forces a device to cryptographically prove its configuration to a server before allowing access. If the device is running a modified version of Android or has privacy blockers installed, the server can simply refuse to deal with it.
The Race to the Bottom
Doctorow frames this not as an improvement in security, but as a degradation of user agency. He writes, "WEI wasn't an effort to level the playing field between apps and the web — it was a race to the bottom, an attempt to make the web as enshittogenic as the app hellscape." This is a powerful reframing. Instead of viewing these changes as necessary evolutions for the digital age, Doctorow presents them as a deliberate regression toward a model where users have zero control over their own devices.
The commentary effectively highlights the hypocrisy of companies claiming to protect users while simultaneously removing their ability to customize or secure their environments. As Doctorow puts it, "In an age in which Big Tech is ever-more tied to authoritarian governments, redesigning our devices to tell strangers things we don't want them to know isn't just shortsighted, it's inexcusable." This line cuts through the technical jargon to address the moral imperative of the situation.
A counterargument worth considering is that without these verification mechanisms, malicious actors could more easily spoof devices and launch attacks. However, Doctorow suggests that the current implementation prioritizes corporate control over genuine security needs, effectively turning every user's device into a potential informant against their own preferences.
"Practically speaking, this means that remote attestation lets a server refuse to deal with you until you turn off your ad-blocker and your tracker-blocker."
Bottom Line
Doctorow's most compelling contribution is the clear line he draws between technical standards and market power, showing how one is used to enforce the other. The argument's greatest strength lies in its historical grounding, reminding us that an open web was once a reality that can be reclaimed if we resist these new barriers. The biggest vulnerability for critics of this view is the difficulty of proving intent versus capability, but the sheer volume of Google's recent antitrust losses makes the pattern hard to ignore.