zlacker

[return to "Mozilla Standards Positions Opposes Web Integrity API"]
1. charci+zf 2023-07-25 04:46:06
>>danShu+(OP)
>Additionally, the use cases listed depend on the ability to “detect non-human traffic” which as described would likely obstruct many existing uses of the Web such as assistive technologies, automatic testing, and archiving & search engine spiders.

Assistive technologies will still work as the browsers implement the platform's assistive APIs.

Automatic testing will still work because a developer isn't going to add restrictions to their own tests from their site. Unless they are testing if a captcha gets shown from an unsafe environment.

Archives, search engines, and spiders should already be respecting robots.txt. Site owners can already block those things if they don't want their site crawled.

>This means that no single party decides which form-factors, devices, operating systems, and browsers may access the Web.

The proposal allows anyone to become an attestor. There would not be a single attestor who you would have to prove your trustworthiness to.

2. kmeist+Nl 2023-07-25 05:38:50
>>charci+zf
>There would not be a single attestor who you would have to prove your trustworthiness to.

Either this protocol is useless for its intended purpose, or banks will only accept a small handful of attestors that promise not to sign for environments where the owner has control. Being able to create a new attestor means nothing because attestation is not valuable without pre-established trust.

The fraud prevention use case requires that the browser matches what Google or Mozilla shipped, not what I choose to actually run. From 10,000 feet in the sky, there's zero difference between, say, someone who installed modified software on their phone to protect their privacy and someone who was tricked into installing malware[0]. Banks don't care about your freedom, they care about making your fraud someone else's fault.

Some of the use cases explicitly call for locking the owner out of their device too. Anticheat in games is treated as at least beneficial to honest users, but it can still be user hostile[1]. Click fraud detection shouldn't even be something that a USER agent cares about - and it's not like Google cares about that anyway[2].

Practically speaking the only Linux distros that will get an attestor that anyone will actually care about will be Chrome OS and Play-certified Android. At best, Google agrees to attest for Chrome and Firefox on non-Chrome-OS Linux and it winds up being like EME did. At worst everyone has to buy a Windows license just to use most websites anymore.

>Assistive technologies will still work as the browsers implement the platform's assistive APIs.

At least until someone says "we need to keep content from being data mined for AI training[3]" and AI scrapers find out how to automate those APIs. The underlying power dynamic of attestation means that websites can just demand attestors ban screen readers, in the same way that ebook DRM already does.

[0] Casual reminder that Louis Rossmann was harassed by the GrapheneOS developer for agreeing with someone that the developer asserted had harassed them. He uninstalled GrapheneOS specifically to avoid being pwned by its developer.

[1] Let me remind you of the insane cat-and-mouse game where cheaters went into the kernel, so now anticheat is in the kernel, and now cheaters find vulns in the anticheat to hide their cheats in, which now malware can use as well.

[2] https://www.theregister.com/2023/06/29/google_trueview_skept...

[3] Reddit

3. charci+fr 2023-07-25 06:32:19
>>kmeist+Nl
>Being able to create a new attestor means nothing because attestation is not valuable without pre-established trust.

It means that each site can choose who they trust instead of there being a single entity dictating what users are secure or not.

>Click fraud detection shouldn't even be something that a USER agent cares about

But it is something that the web standard should think about in order to make the web a better place.

>Practically speaking the only Linux distros that will get an attestor that anyone will actually care about will be Chrome OS and Play-certified Android.

I disagree. There are several Linux distros that support Secure Boot, showing that Linux distros are capable of showing they are trustworthy enough to Microsoft.

4. Jochim+cc1 2023-07-25 13:07:19
>>charci+fr
> But it is something that the web standard should think about in order to make the web a better place.

In what way does it make the web a better place?

5. Avaman+AM1 2023-07-25 15:37:27
>>Jochim+cc1
> In what way does it make the web a better place?

Less (LLM-generated) spam.

6. Jochim+J02 2023-07-25 16:21:56
>>Avaman+AM1
Those sites make their money through SEO optimisation.

Tracking me harder isn't going to make those sites go away.

7. Avaman+W12 2023-07-25 16:25:51
>>Jochim+J02
We're not talking about some random search results. The existence of SEO spam sites isn't related to other sites' ability to fight spam better.

8. Jochim+3k2 2023-07-25 17:26:13
>>Avaman+W12
Ah, I misunderstood, I didn't realise you were talking about bots that spam comment sections, forum replies, etc.

I still think the approach is harmful overall.

The idea that I must be "vouched for" by a "trusted third party" by providing extensive details about my system, in order for my browser to send an HTTP request, is in direct opposition to privacy and my interests.

That it's being proposed by a company that owes its entire existence to web crawling is ironic.

It turns the web from an open platform into one where the big players have complete control over which devices and software are permitted.
