zlacker

[return to "Google is already pushing WEI into Chromium"]
1. anshum+Qc[view] [source] 2023-07-26 13:12:43
>>topshe+(OP)
As someone who is a somewhat new to web technologies, can someone really explain why this is bad? I saw the techical discussions in the PRs made to the WEI repo but it was all super technical that I was not able to understand the arguments made for and against it.
◧◩
2. javajo+sj[view] [source] 2023-07-26 13:39:41
>>anshum+Qc
It's a change to the browser that gives site-owners the ability to require a positive attestation of non-modification before running. The stated goal of this change is to make it more difficult for end-users to block ads. As the spec states, blocking ads violates the deal you make with content creators to use your attention to ads as a form of payment.

In practice, this will make it harder, but not impossible, to run ad blockers. Now instead of just finding and installing a plugin, you'll have to first find and install a forked browser that implements the attestation as something like 'return true'. This will predictably decrease the number of people blocking ads.

Personally, I don't object to this. The easy solution for most people is simply: don't consume the content. Or pay money instead of watching ads. Content creators, it must be said, also have the option of self-hosting and/or creating content as a hobby rather than a career. As someone who has grown more and more despairing of any paid-for speech, especially by ads, I welcome this change.

Far more troubling is the possibility of attestation for "important apps" like banking or government. In general this mechanism gives the org a way to prevent you from doing what you want with your data. For example, they can prevent you from scraping data and automating end-user tasks. This takes away your degrees-of-freedom, and using a modified browser will certainly become an actionable offense. In my view this is by far the more troubling aspect of this change, since it take away significant aspects of user autonomy in a context where it matters most.

Technically sophisticated users will note that it's not possible to secure a client, and foolish to try. This misses the point. These changes stochastically change behaviors "in the large", like a shopping center that offers two lanes in and one lane out, or two escalators in and one out. This represents a net transfer of power from the less powerful to the more powerful, and therefore deserves to be opposed.

EDIT: please don't downvote, but rather reply with your objection.

◧◩◪
3. mindsl+Ux[view] [source] 2023-07-26 14:34:43
>>javajo+sj
This has been litigated to hell on HN, but no, there is no implicit contract when loading a webpage that your user agent will display ads or any other content as envisioned by the publisher. A user agent has always been intended to be something that displays content according to the wishes of the user. Even this "modest proposal" phrases itself in terms of user desires (albeit completely disingenuously). Ads have become prevalent because most users go with the default and don't install content filters to block them, but this does not create some obligation for all users to display ads. Rather, the core dynamic remains that ads essentially display at the pleasure of users.

There is no option to "implements the attestation as something like 'return true'". There is a chain of verification from the hardware manufacturers building in software surveillance, through OS developers treating the device owner as an attacker, this proposal of carrying the same user-hostile dynamic through browsers, and finally to the website that by verifying the signatures can force a user to only use software that enforces all of the above.

You should very much object to this! Today, "unsupported browser" is a CYA term that doesn't really mean much besides that the website has limited testing budget (and who doesn't?). With this proposal it would become a hard blocker. Goodbye Linux/BSDs/etc. Goodbye `make install`. Goodbye virtual machines. Goodbye computers that last longer than the rapid e-waste treadmill of mobile phone land. You will of course be able to keep running user-representing operating systems, old computers, "jail" breaking them, etc. You just won't be able to access banking websites, followed by web stores, then general sites. Basically anywhere today that hassles users with CAPTCHAs will be looking to implement these restrictions eventually (which is basically everywhere).

[go to top]