Requiring remote attestation of devices not owned by the relying party should be illegal unless it is a revocable opt-in and only used to protect interests of the user, not service provider.