by jakobdabo on 7/24/23, 8:59 PM with 465 comments
by mabbo on 7/24/23, 10:14 PM
This is the point that company breakups start to make a lot of sense.
When Google can do something that every one of its users hates and none of us can do anything about it, they perhaps have too much market power.
by wiseowise on 7/24/23, 9:48 PM
Go f yourself, Google. Browser’s purpose is to serve me web pages, not to learn about me.
by thesuperbigfrog on 7/24/23, 10:41 PM
Google "will be able to request a token that attests key facts about the environment their client code is running in."
Google "will ultimately decide if they trust the verdict returned from the attester."
"Allow" Google "to evaluate the authenticity of the device and honest representation of the software stack and the traffic from the device."
I have replaced "web sites" and "web servers" in the original explainer text with "Google" for clarity of intent.
Why would Google want these capabilities in web browsers?
What does Google plan to do with them?
What follow-on actions is Google planning?
Google marketing exec: "We need to lock down web browsers so we can make more money by showing ads."
"Ad blockers need to be prevented. The new WEI APIs will ensure that ad blockers aren't running, that our ads are being seen, and that no DRM is being compromised."
"We also want to prevent ad fraud. With WEI we can ensure that ad clicks are legit and that people are watching the ads we show. If we can't control the operating system like we can on Chromebooks and Android phones, then we need to control the web browser with cryptographic certainty."
Getting browsers to adopt and implement Web Environment Integrity is Step 1.
Step 2 is where all Google web sites start requiring Web Environment Integrity to be used or they lock you out of the site.
Step 3 is where all websites serving Google ads require Web Environment Integrity to be used.
Step 4 Profit!
Web Environment Integrity is the beginning of the further DRM-ification and enshittification of the Web.
by rezonant on 7/24/23, 10:34 PM
> Anything we might decide would ultimately be influenced by the larger societal debate around privacy (regulations etc.) since perfect privacy means perfect immunity for criminals.
Ensuring that your devices don't spy on you on behalf of a government or company does not imply "perfect immunity for criminals".
Putting aside attestation for the moment, consider this: Modern enclave driven device encryption (and the self-destructive passcode limitations that often accompany it), for example, could be likened to designing a very good safe that can automatically destroy its contents if it is breached. Do we require governments to have their own keys to all such safes sold?
by rpdillon on 7/24/23, 11:02 PM
All 'adversarial compatibility' from projects like Nitter, Teddit, Invidious, and youtube-dl go out the window. Any archive site (archive.org, archive.ph, etc.) can be blocked by sites requiring attestation.
And just like the book industry was terrified of piracy and were 'rescued' by Kindle, so too will journalism outlets that can't find a business model flock to Google to save them.
This is going to be rough.
by userbinator on 7/25/23, 12:18 AM
I recommend finding everyone responsible for this and exercising your right to free speech on them. It works for politicians, and it should work on this other flavour of bastard too.
Once again, Stallman was very prescient: https://www.gnu.org/philosophy/right-to-read.html
by bayindirh on 7/25/23, 6:47 AM
First of all, I hate these "proposals" which are actually a "we implemented this in our flagship product, and kindly force it on our users, you don't have to use it, if you have a choice" stance.
Then comes all the "ensuring they aren't a robot and that the browser hasn't been modified or tampered with in any unapproved ways." part. I'm using an open source browser which is not Chromium based (i.e. Firefox). I can modify and recompile it the way I want. I can use links/elinks/lynx/dillo if I want (and I use them, too). Who do you think you are, and how come you dictate the software I use on my own computer?
It's the 90s DRM wave all over again. Constant attacks towards open software, open platforms, open protocols.
It's maddening and saddening at the same time.
by EvanAnderson on 7/24/23, 11:17 PM
[0] https://github.com/RupertBenWiser/Web-Environment-Integrity/...
by codedokode on 7/24/23, 10:28 PM
There is no value in this "attestation" for me as a user. I want to be able to do whatever I want with the browser (for example, remove ads or block access to canvas and webgl) and I want sites to be unable to know this. And probably this attestation will provide additional fingerprinting signals which is what I don't want.
by nl on 7/24/23, 11:29 PM
I'm not a super anti-Google person. I use Gmail and Google as my search engine. But Firefox is a good browser that I use as my daily driver, and Edge, Brave, Safari and the DDG browser are other options.
Switch today and start taking away Google's leverage.
by BLKNSLVR on 7/24/23, 9:34 PM
It also sounds like they're promoting yet another way to make "the internet" slower, more bloated, and have greater impediments to usage.
by LispSporks22 on 7/24/23, 9:48 PM
by liendolucas on 7/25/23, 8:28 AM
And even if they do understand you, in most cases their perception of you is as someone really paranoid about privacy, and yes they will undoubtedly ask things like: "so you don't have twitter, facebook, instagram, ...". It's really hard to convince people or at least make them truly see all these dark things going on behind the scenes.
Regular people won't even talk about this, they don't/won't care. As long as they are still able to see the content they are requesting this is something that does not affect them, it affects the people that know the shit is going on under the hood because we understand how Machiavellian a move like this is.
On the other side if this somehow manages to ever see the light of the day, it's a huge opportunity for other people to come up with alternatives that effectively fight back this initiative and/or bypass it. If there's something that we do not run out of in this industry, it is creativity, for all sorts of things, even the craziest ones, and that's something no corporation will ever be able to mitigate.
Also keep in mind that no browser is going to ever be on the podium eternally. Chrome has an expiry date, we just don't know when it will expire.
by danShumway on 7/24/23, 9:32 PM
It's honestly good for this to get a lot of attention though, I'm happy to see additional commentary on it getting shared.
by fidotron on 7/24/23, 9:45 PM
by PaulDavisThe1st on 7/25/23, 2:13 AM
by 1vuio0pswjnm7 on 7/25/23, 1:23 AM
Mr Amadeo does a good job succinctly explaining the explainer.
by asadotzler on 7/25/23, 1:09 AM
by anderspitman on 7/24/23, 9:36 PM
by JohnFen on 7/24/23, 9:31 PM
by Fartmancer on 7/24/23, 10:13 PM
by zimbatm on 7/24/23, 10:40 PM
If they believe that it's in their best interest, I'm not really sure what we can do against this...
by warning26 on 7/24/23, 10:18 PM
Want to go to an online banking site? Then we'll need to make sure your computer is unmodified and contains no unapproved software.
by karaterobot on 7/24/23, 10:41 PM
On one hand, I think this is wrong, because the world is full of tech companies who thought they could do whatever they want because they're big enough. "Nobody would dare switch away from Facebook! Err, I mean Twitter. No wait, I meant Chrome!" But that's a bet, not a fact. Sometimes it works out, and sometimes everyone leaves and goes somewhere else. You think you have a moat, and you do, it's just you don't always realize it's ankle deep.
On the other hand, Google can do what it wants with Chrome, because it's their product. I use Firefox, and it won't affect me. All the people who don't care about this are free to use Chrome. Likewise, anyone who wants to listen to a man in his forties tell them about why some browsers are better than others can ask me about my thoughts. Nobody has done that yet, but the offer is on the table.
by choeger on 7/25/23, 9:43 AM
by BiteCode_dev on 7/25/23, 8:42 AM
That's just messed up. It's like saying if your car detects you have been doing maintenance yourself, you can use this particular brand of carburetor because they will refuse to work.
And they want that... for the web?
by 4oo4 on 7/26/23, 4:32 PM
US:
- https://www.ftc.gov/enforcement/report-antitrust-violation
- antitrust@ftc.gov
EU:
- https://competition-policy.ec.europa.eu/antitrust/contact_en
- comp-greffe-antitrust@ec.europa.eu
UK:
- https://www.gov.uk/guidance/tell-the-cma-about-a-competition...
- general.enquiries@cma.gov.uk
India:
- https://www.cci.gov.in/antitrust/
- https://www.cci.gov.in/filing/atd
Canada:
- https://www.competitionbureau.gc.ca/eic/site/cb-bc.nsf/frm-e...
by arciini on 7/24/23, 10:14 PM
> Google's plan is that, during a webpage transaction, the web server could require you to pass an "environment attestation" test before you get any data. At this point your browser would contact a "third-party" attestation server, and you would need to pass some kind of test. If you passed, you would get a signed "IntegrityToken" that verifies your environment is unmodified and points to the content you wanted unlocked. You bring this back to the web server, and if the server trusts the attestation company, you get the content unlocked and finally get a response with the data you wanted.
The problem with Captchas today is that there are a lot of services you can use to bypass them. You send the token to a human, human gives you the solution-token, and you pass that to Google.
I can see why they want to make this more protected. As a user, if this lets me solve captchas less for certain sites, I'm OK with that. Of course, I don't think this API should be used for the entire web, but I definitely understand its use-case.
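The flow quoted in the comment above (server demands attestation, attester signs a token bound to the requested content, server decides whether to trust it), sketched as an added example that is not part of the thread, the article, or the WEI proposal. The token layout, `attester.example`, the key and the `unmodified` verdict string are constructed for illustration, and HMAC stands in for the attester's signature to keep the code stdlib-only.

```python
import hashlib
import hmac
import json

# Constructed attester registry: the name and key are placeholders, not real services.
# HMAC stands in for the attester's signature; a real deployment would use an
# asymmetric signature that the web server can verify but not forge.
TRUSTED_ATTESTERS = {"attester.example": b"constructed-demo-key"}
MAX_TOKEN_AGE = 60  # seconds a token stays acceptable after issuance


def content_binding(url: str, nonce: str) -> str:
    """Server-chosen value tying a token to one request for one resource."""
    return hashlib.sha256(f"{url}|{nonce}".encode()).hexdigest()


def attester_issue(attester: str, key: bytes, binding: str, verdict: str, now: float) -> dict:
    """Attester side: sign a verdict about the client environment plus the binding."""
    payload = json.dumps(
        {"attester": attester, "binding": binding, "verdict": verdict, "iat": now},
        sort_keys=True,
    )
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def server_verify(token: dict, url: str, nonce: str, now: float) -> tuple[bool, str]:
    """Web server side: the server, not the attester, makes the final decision."""
    payload = token.get("payload")
    if not isinstance(payload, str):
        return False, "malformed token"
    try:
        claims = json.loads(payload)
    except ValueError:
        return False, "malformed token"
    attester = claims.get("attester") if isinstance(claims, dict) else None
    key = TRUSTED_ATTESTERS.get(attester) if isinstance(attester, str) else None
    if key is None:
        return False, "untrusted attester"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), str(token.get("sig", "")).encode()):
        return False, "bad signature"
    # Claims are only interpreted after the signature has been checked.
    if claims["binding"] != content_binding(url, nonce):
        return False, "token bound to a different request"
    if not 0 <= now - claims["iat"] <= MAX_TOKEN_AGE:
        return False, "token expired"
    if claims["verdict"] != "unmodified":
        return False, "environment not attested"
    return True, "content unlocked"
```

The binding and freshness checks are what tie a token to a single request; a token that passes the signature check alone says nothing about who is presenting it or for which page.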
by StingyJelly on 7/25/23, 8:13 AM
by pepe234 on 7/24/23, 10:58 PM
by dang on 7/25/23, 12:16 AM
Web Environment Integrity API Proposal - https://news.ycombinator.com/item?id=36817305 - July 2023 (428 comments)
by gary_0 on 7/24/23, 9:32 PM
by person3 on 7/25/23, 7:21 AM
I also find it funny that the authors point to mobile platforms as an example of how this will work well. Last time I worked with ad tech, mobile ads were flooded with fake impressions, and I highly doubt that has changed. The funny thing about players like Google is that they want to be able to tell advertisers they're doing a lot to prevent fake impressions to get them to buy ads, but they don't really want to solve the problem because it would cost them a lot of money. So they kinda play the line and develop tech like this that sounds fancy but doesn't actually stop the problem in practice.
by evah on 7/25/23, 8:37 PM
by elforce002 on 7/24/23, 10:06 PM
by heipei on 7/25/23, 6:10 AM
by thorio on 7/28/23, 10:10 AM
Without broad support and public opinion about this, they might shockingly just be able to get this started. Apple and on-device CSAM scanning is something I have in mind about this, as a counter example.
What's a simple narrative non-tech people understand about this? Should I ask ChatGPT?
by 2OEH8eoCRo0 on 7/24/23, 11:51 PM
by fouc on 7/25/23, 9:47 AM
by Havoc on 7/25/23, 12:22 AM
by afs35mm on 7/25/23, 4:09 AM
by insanitybit on 7/25/23, 3:06 AM
Sounds pretty sweet from a corp security perspective. Context Aware Access lets you do attestation at SSO time but baking device integrity further into the system would be helpful.
Unfortunately, this gives a lot of power to webpages. I'm not sure it's worth the tradeoff. This seems like something better handled by an extension, but I'll have to read the spec.
by dreamcompiler on 7/25/23, 9:02 PM
If Google does this too then I guess the "mainstream" web will become invisible to me. No great loss since it's mostly thoroughly enshittified anyway.
I'm happy to move to the new un-googled "darkweb" where freedom, anonymity, and non-SEO content still prevail.
by superkuh on 7/24/23, 11:14 PM
Google should've just called this HTTPS+ Everywhere and there'd be no blowback.
by grajmanu on 7/25/23, 4:37 AM
by jqpabc123 on 7/24/23, 9:20 PM
But a possible way to defeat it is what I do now --- keep two devices. One that meets their requirements for cases where it is absolutely needed and another for everything else.
by NotYourLawyer on 7/25/23, 12:42 AM
by est on 7/25/23, 7:44 AM
by maxlin on 7/25/23, 4:52 AM
One can hope.
by chromoblob on 7/25/23, 12:34 AM
by wiz21c on 7/25/23, 10:39 AM
by gloosx on 7/25/23, 8:07 AM
What does this change mean? There will be more such people.
by nintendo1889 on 7/28/23, 11:07 PM
Heck, you can run Opera, Vivaldi, Firefox, and Chrome 78 on 2000 or XP with a 2023 build of KernelEx.
by zac23or on 7/24/23, 11:59 PM
The monopoly has been successfully changed ... to another monopoly!
by Gud on 7/25/23, 9:08 AM
by account-5 on 7/25/23, 5:12 AM
by danShumway on 7/24/23, 11:00 PM
If this proposal gets rejected it'll be because of feedback in the press that is impossible to ignore. My experience watching how Google has handled contentious issues in the past makes me personally feel that Google will not be receptive to concerns about whether this spec should exist. Google and the Chromium team are not willing to hear community feedback about the direction of the web or about what the web should be. They demand that feedback start from a position of assuming the best intentions of the spec, and start from a position of assuming that the spec is basically good and might just have additional concerns to address (https://blog.yoav.ws/posts/web_platform_change_you_do_not_li...).
This has been a longstanding issue with how Google approaches web standards; according to Google there's no such thing as a harmful feature and Google's approach is never wrong; it just might need refining. The refining is the only thing that Google wants to talk about.
There is a predictable arc to this narrative as well. If blowback gets out of control, Google will blame that blowback on misinformation and accuse the community of operating in bad faith or fearmongering. At best, you'll get a few people from the Chromium team saying "we hear you and we need to communicate better." Note the underlying implication behind that statement that the original proposal wasn't bad, it just wasn't communicated well. People just need to do a better job of "getting involved" in the web standards process so that the Chromium team knows to address their concerns. And it just comes down to learning to be kind and "remembering the human" -- ie ignoring the structural damage that the human is capable of causing to the largest and arguably most important Open platform on the planet.
There will never in any situation be an acknowledgement that the direction or intent was wrong; that's just overwhelmingly not how the Chromium team operates on any issue big or small.
It's good for larger sites like Ars to cover this, and it's good for people to share thoughts on social media; the only way that users have a say over this is if the press runs with it and generates a metric ton of bad publicity for Google; and even then it's a toss-up. It comes down to what the company feels like it can ignore or dismiss with a couple of Twitter posts. And this is not just where issues like adblocking are concerned, the Chromium team has been hostile to user feedback even on more minor technical issues for a pretty long while. I was writing about this issue back in 2018 (https://danshumway.com/blog/chrome-autoplay) and it was a trend before that point as well.
It stinks to go into a conversation not assuming good will from all of the parties (and it usually is wrong to do so), but the Chromium team has not earned an assumption of good will, and it's done quite a bit to squander that assumption. It's regrettably kind of a waste of time to try and engage on this stuff, it's better to just criticize on social media and hope that the press runs with it. Because that's the only thing that Google listens to.
by klipklop on 7/24/23, 10:43 PM
by otabdeveloper4 on 7/25/23, 11:03 AM
by everdrive on 7/25/23, 2:06 AM
by ninjaa on 7/25/23, 3:44 AM
by kotaKat on 7/25/23, 9:50 AM
by timwaagh on 7/25/23, 5:09 AM
by fifteen1506 on 7/25/23, 12:17 PM
by meddlin on 7/25/23, 6:37 AM
by skybrian on 7/24/23, 11:08 PM
https://tildes.net/~comp/18h8/web_environment_integrity_a_go...
by chromoblob on 7/24/23, 11:58 PM
by calibas on 7/24/23, 10:26 PM
Would you rather a capitalist dystopia, where large corporations get to approve everything you see & hear, or a socialist dystopia, where the government gets to determine what you're allowed to view?
[Answer: Neither]
by javajosh on 7/24/23, 11:42 PM
The good thing is to give browsers a way to attest to their inviolability to systems on the other end. This is generally useful! In particular, it opens up a huge potential for people to run what are effectively servers in their browsers - which was TBL's vision for the web in the first place.
The not-as-bad-as-you-think thing is that Google (and others) will use this to disable ad-blockers. Ad blockers are fundamentally dishonest, and people who use them may feel guilty for doing so. The more honest approach is to simply not consume the media. And this, it turns out, is better for society at large. Anyone who gets paid to talk ekes out a living by hacking the algorithm, making a brand, and telling people what they want to hear. It's bad and it's a bad system that makes the world worse.
by thepaulthomson on 7/26/23, 3:46 AM