If I use Claude to gather and summarize information for me, is that a "bot"? Because I recently hit that wall and it wasn't great. Turns out in our quest to fight "bots" we also force humans to do the manual labor of copy/pasting information.
Why would bots "overwhelm" a site is another discussion — I find it really hard to create a website that would be "overwhelmed" by traffic these days, computers are stupidly fast.
The HIBP hashes distribution is a great example.
I ended up aggressively IP blocking all of China, Singapore, and a few other East-Asian countries once I noticed that blocking server IP addresses just made the botnet switch to residential IPs. I didn't switch over to Cloudflare, but now a couple billion people can't read my website, which is arguably worse (but cheaper).
Also, a handful of people seeing an annoying checkbox is hardly a reason to re-architect an entire website. I am as opposed to Cloudflare taking over the internet as any sane person, but the usability story isn't really an argument for that kind of time investment.
The alternative to Cloudflare isn't some magical system that works for everyone but bots, it's hard-blocking IP ranges on the network level for anyone who doesn't fit the "normal" user profile.
That doesn't work for targeted bots. A major benfit of device attestation is to stop the hordes of custom bot creators who try all sorts of ways to make a buck off of your platform such as sms toll fraud, credit card testing, ad fraud, account takeovers, stolen card laundering, gift card laundering, botting for pay for platform / ecosystem benefits, paid harassment, the list just keeps going.
Some aps such as okta, banking, and others already check platform verfication. Websites can't currently until device attestation.
Personally, I hate the concept, but I also hate spending a large amount of time fighting mal-actors on my platform in a completely unbalanced fight. There are tons of them, and they have all the profit incentive. There's a few of us, we only take losses. They can lie all they want, we can't really trust any facts except kinda the credit card and the device attestation.
Like everything, it's a shitty compromise, but, as a platform runner, if I can leverage google's signal and cut 95% of my malicious botting users, guess what I'm going to do.
Attestation is extremely ineffective at preventing this because it requires attackers be unable to compromise their own devices, even when they have permanent physical access to the hardware and can choose which model to buy and get devices known to be vulnerable.
For example, CVE-2026-31431 is from only a week ago. It's a major local privilege escalation vulnerability. If you can run unprivileged code you get root. How many people have Android phones that can pass attestation but will never see the patch because the OEM has already abandoned updating them? Tens of millions, hundreds of millions?
Attackers can trivially get root on a device that passes attestation. Many devices even have vulnerabilities that allow the private keys to be extracted.
The main thing attestation actually does is beset honest users who just want to use their non-Android/iOS device without getting a million captchas, because they chose the device they wanted to use as a real human person instead of doing as the attackers do and choosing a device for the purpose of defeating the attestation.
And it's easy to confuse this with real effectiveness because whenever you roll out any security change, the attacks may subside for a short period of time as the attackers adapt to it. But that's why it makes sense to avoid things that screw innocent people or entrench monopolies -- while the temporary effectiveness wears off, the screwing becomes permanent. Meanwhile spending the same resources on any other method of shuffling things around to make them adapt will give you the same temporary effectiveness without hurting your legitimate users.
In the olden 20th century, we had a term for that...
I can imagine a world where they were fighting for displaced workers, for Altman/Elon-suggested UBI/universal "high" income plans, and where they'd compensated those in the training set, and cut deals with publishers & content creators instead of scraping anything they could get their hands on. Would they be unpopular?