1. stevew+(OP) 2022-06-15 11:19:37
I posted a comment a few days ago here (https://news.ycombinator.com/item?id=31670689#31671551) about my views about this “feature”, which I’ll repeat verbatim here. Needless to say, it’s something I don’t like.

Original comment follows:

In my view, this would just DRM-ize everything on the web. Of course, Cloudflare and Fastly don't talk about this much, and Cloudflare keeps assuring you'll still get captchas if device attestation fails or is unsupported. But realistically, once all Microsoft, Google and Apple implement it in their devices, there isn't much of a reason to keep accepting non-attested devices. You can already see where this is starting to go - if you're using Linux/BSD or another niche OS, congratulations, you can't submit forms any more. And since device verification would become extremely cheap to perform this way, you'd also see websites protected entirely by this tech, effectively locking out Linux/BSD users. The Cloudflare article also talks about how, at least in the case of Apple, they'd run something like a posture assessment to confirm that your device components are genuine. I can also see this new tech locking out users of non-OEM repairs. This is a much bigger deal than what it seems like on the surface, and I'm genuinely scared about how this one simple move dwarfs all of the "evil" things that big tech has done so far.

replies(6): >>nojito+W3 >>dolive+4e >>polote+ef >>userbi+tk >>al_bor+9K >>stjohn+0P
2. nojito+W3 2022-06-15 11:55:06
>>stevew+(OP)
This isn't DRM. A party is verifying your actions as legitimate and not a bot. There is nothing stopping the Linux/BSD community from implementing something similar.

https://www.ietf.org/archive/id/draft-private-access-tokens-...

replies(8): >>gianca+c4 >>endgam+v5 >>stevew+E6 >>dingle+V9 >>Schroe+ih >>BiteCo+jj >>015a+VI >>crypto+PK
3. gianca+c4 2022-06-15 11:56:41
>>nojito+W3
> There is nothing stopping the Linux/BSD community from implementing something similar.

I don't mean to sound negative, but wouldn't bots just be able to abuse any FLOSS implementation, since they can then fake certain interactions with CloudFlare in the background?

replies(1): >>giaour+qu
4. endgam+v5 2022-06-15 12:05:35
>>nojito+W3
Just like they were able to with Encrypted Media Extensions, right?
5. stevew+E6 2022-06-15 12:13:55
>>nojito+W3
Thanks for providing the original RFC, though reading it I find it to be much worse than I thought because of its ability to detect actions per client.

Now there’s a bunch of crypto to prevent the identification of an individual device, but websites would still be able to track your actions even if you disabled cookies, localStorage etc. (apart from the current ways such as ETag tracking or browser fingerprinting), except that you can’t really mitigate it in any way. Whichever way you put this, PATs are not something that would preserve users’ security or privacy.

I also disagree with you that this isn’t a form of DRM - you’d still need some kind of TPM or another embedded electronic device that helps with these attestations. However, once attackers try to buy thousands of such devices to attack/scrape websites, websites would naturally use the originating vendor as the basis for allowing/denying actions. Which ultimately comes down to DRM - you’d see Windows, Android and Apple devices being allowed - and Linux/BSD/rooted Android/custom ROMs being left out to dry.

replies(1): >>nojito+Vm
6. dingle+V9 2022-06-15 12:33:44
>>nojito+W3
Did you mean to say this?

> There is nothing stopping the Spam/Bot community from implementing something similar.

I am a full time linux user, but I can guarantee you that if the bigcorps are going through with this it absolutely is going to lock out linux users, because the goal is to stop bots.

Evil.

replies(1): >>comboy+3f
7. dolive+4e 2022-06-15 13:02:20
>>stevew+(OP)
Yeah, in some areas we're basically already there with Android's attestation (or something like that). Most finance-related apps simply don't work with custom ROMs anymore. Some checks can be bypassed with Magisk, others are virtually impossible.
8. comboy+3f 2022-06-15 13:08:30
>>dingle+V9
It won't stop bots. Have you seen phone farms [1]? Attackers are getting clever (and lazy maybe). They use physical devices. Old ones are cheap, can have broken screens etc. And you can't lock out users with old devices.

We shouldn't fight bots. We should use trust instead. Not global trust; it must be subjective. I trust A, B, C. B trusts D, E. E trusts F. It should be weighted. There's the small-world effect [2]: there are just a few hops between any two people in the world. It solves spam, it solves reviews, scams, news and maybe politics. Somebody please get it done already.

1. https://duckduckgo.com/?q=phone+farm+bots&t=ffab&iar=images&...

2. https://en.wikipedia.org/wiki/Small-world_experiment

replies(1): >>alexmi+sl
9. polote+ef 2022-06-15 13:10:12
>>stevew+(OP)
Even at Apple, plenty of developers run on Linux. I would be surprised, after they resisted using OSX, that they would be OK with creating a system that prevents them from using Linux.
replies(1): >>wonder+mh
10. Schroe+ih 2022-06-15 13:21:27
>>nojito+W3
You're out of your fucking mind if you actually think that.

Once it is implemented in Windows it will quickly, if not immediately, be followed by locked bootloaders on any device available in brick-and-mortar stores or from the big online sellers, and by being locked out from using attestation if you are not using an OS from Apple, MS or Google. We may see a brief window where some select Linux distros get to grovel to MS to get signed, but that will quickly go away.

11. wonder+mh 2022-06-15 13:21:41
>>polote+ef
Apple has 12k+ engineers; I doubt they won’t find a few thousand to just do it.
12. BiteCo+jj 2022-06-15 13:30:47
>>nojito+W3
If it's only technical, then bots can implement it too.

If it's not only technical (e.g. you must be a verified token provider), then it will stop Linux/BSD communities, just like today it's near impossible to open a community mail server.

13. userbi+tk 2022-06-15 13:36:18
>>stevew+(OP)
People were predicting such things would happen ever since the start of all the "trusted computing" shit back in the late 90s/early 2000s. Stallman's "Right to Read" was only the beginning. Remote attestation is the enemy of our freedom. We must fight this "technical authoritarianism" as much as we can.

...and if you are someone who actually works on this stuff for a living, perhaps you should reconsider and think about what your work is driving society towards. This isn't just the "keeping users addicted" work that often gets discussed here on HN; it's far far worse.

replies(1): >>echelo+lm
14. alexmi+sl 2022-06-15 13:41:10
>>comboy+3f
This is known as https://en.wikipedia.org/wiki/Web_of_trust
replies(1): >>comboy+pt
15. echelo+lm 2022-06-15 13:45:51
>>userbi+tk
Maybe the other way to fight this is by breaking up the monopolies vying for it. They shouldn't have this level of unilateral control in the first place.

Apple and Google charging 30% for all business instructions running on their hardware and being 99% of the market is also unfree. (No, Google's unfriendly process and scare tactics around APKs do not make that platform open and broadly accessible.)

Maybe Google, gateway to the entire web, shouldn't be allowed to make a browser and set the rules in a way that favors itself at the expense of the rest of us.

Computing shouldn't be a set of four or five companies that control the entire platform and have everyone else beholden to their rules and taxation. We need to make these giants smaller and remove their grip on computing so that competition can flourish.

Every startup founder and free software advocate should want this. Everyone protective of their privacy should worry that in the future only Big Brother signed (and tracked) browsers will work.

We're experts and have a say in how our industry functions. Call your representatives and teach them about this problem. Tell them how it's going to cause everything to stagnate and suck and prevent new businesses from arising.

replies(1): >>userbi+2P1
16. nojito+Vm 2022-06-15 13:48:13
>>stevew+E6
> but websites would still be able to track your actions even if you disabled cookies, localStorage etc. (apart from the current ways such as like Etag tracking or browser fingerprinting) except that you can’t really mitigate it in any way. Whichever way you put this, PATs are not something that would preserve users’ security or privacy.

The website doesn't receive any info other than the URL you are visiting and the fact you have an authenticated PAT.

Not entirely sure where you’re getting your information from.

17. comboy+pt 2022-06-15 14:14:55
>>alexmi+sl
I'm sorry for not inventing a different name, but what I have in mind is very different. The main difference is that it queries recursively and automatically, and it is weighted. Weights are very important. This is an old version where I had put my ideas [1]. I have no chance of touching it anytime soon; it requires focus and solving hard problems (some of which sound lame, like usability and bootstrapping). I write these comments hoping that maybe somebody decides to try it. The chances of bootstrapping it are slim (but it could start in some niches), but the payout (I mean positive change in society; there's no money to be made here) is huge enough that I think it's worth trying.

Since I wrote it I've become confident that the algorithm used for cumulative trust computation should be up to each node (instead of using zk-SNARKs, for example). If you trust somebody, you trust them to compute it as they wish. And I would drop dimensionality, at least in the beginning, probably using multiple identities in place of it.

1. http://comboy.pl/wot.html
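An added, runnable sketch of the weighted, recursively queried trust described in comments 8 and 17. It is not the commenter's code and not what comboy.pl/wot.html specifies: trust along a path is the product of edge weights, the best path wins, and the search is pruned once trust drops below a floor, which is what keeps queries to a few hops. The graph, weights, floor and acceptance threshold are all constructed for the example; the combination rule is one choice among the per-node rules the comment leaves open.

```python
import heapq

# Constructed sample graph: the "I trust A, B, C; B trusts D, E; E trusts F"
# chain from the comment, weights in (0, 1], plus one weaker route to F via C.
TRUST = {
    "me": {"A": 0.9, "B": 0.8, "C": 0.5},
    "B": {"D": 0.7, "E": 0.9},
    "E": {"F": 0.6},
    "C": {"F": 0.2},
}


def cumulative_trust(graph, root, floor=0.05):
    """Trust from `root` to every reachable node, as seen by `root`.

    Rule used here (each node may pick its own): trust along a path is the
    product of its edge weights and a node's score is its best path. Because
    every weight is <= 1 the product only shrinks, so a best-first search on
    negated scores finds the optimum and any branch below `floor` can be
    pruned without discarding a better path.
    """
    best = {root: 1.0}
    frontier = [(-1.0, root)]  # max-heap via negated scores
    while frontier:
        neg_score, node = heapq.heappop(frontier)
        score = -neg_score
        if score < best[node]:
            continue  # stale entry; a better path was already expanded
        for peer, weight in graph.get(node, {}).items():
            if not 0.0 < weight <= 1.0:
                raise ValueError(f"weight {weight} for {node}->{peer} not in (0, 1]")
            candidate = score * weight
            if candidate < floor or candidate <= best.get(peer, 0.0):
                continue
            best[peer] = candidate
            heapq.heappush(frontier, (-candidate, peer))
    return best


def is_trusted(graph, root, target, threshold=0.4):
    """The accept/reject decision `root` would apply to content from `target`."""
    return cumulative_trust(graph, root).get(target, 0.0) >= threshold


if __name__ == "__main__":
    scores = cumulative_trust(TRUST, "me")
    for node, score in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{node:>3}: {score:.3f}  {'accept' if score >= 0.4 else 'reject'}")
```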

18. giaour+qu 2022-06-15 14:18:54
>>gianca+c4
That would still introduce an asymmetric-work aspect (presuming that PATs are cheap to verify, difficult to mint, and single use only). Many bot-based attacks in the wild today rely on the fact that it is much cheaper for a client to send a request than it is for a server to handle one. A well-designed PAT system could flip that imbalance.
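As an added illustration (not code from the draft, from Cloudflare or from the commenter) of the three properties assumed above and of the "origin only learns that you hold a valid token" point in comment 16, here is a textbook-RSA blind-signature token flow in Python: the attester signs a blinded value it cannot later recognise, the origin verifies with one small-exponent modular exponentiation, and a spent set makes each token single use. The draft uses RSASSA-PSS blind signatures with a real key; the Mersenne-prime key here is a constructed toy so the file runs offline.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy issuer key (two Mersenne primes) so the file runs offline;
# a real attester uses a 2048-bit+ key and the RSASSA-PSS blind construction.
P = (1 << 31) - 1
Q = (1 << 61) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def token_digest(nonce: bytes) -> int:
    """Map a client-chosen token nonce into the RSA group."""
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big") % N

# Client: blind the nonce so the attester signs a value it cannot later recognise.
def blind(nonce: bytes):
    message = token_digest(nonce)
    while True:
        r = secrets.randbelow(N - 2) + 2  # blinding factor, must be invertible mod N
        if gcd(r, N) == 1:
            return (message * pow(r, E, N)) % N, r

def unblind(blinded_signature: int, r: int) -> int:
    # (m * r^e)^d * r^-1 = m^d * r * r^-1 = m^d (mod N): a plain signature on m
    return (blinded_signature * pow(r, -1, N)) % N

# Attester (Apple/Google/... in the thread): runs its device checks, then signs blind.
def attest(blinded_message: int, device_ok: bool = True) -> int:
    if not device_ok:
        raise PermissionError("device checks failed; no token issued")
    return pow(blinded_message, D, N)

# Origin / CDN: one cheap modexp to verify, plus a replay check for single use.
class Origin:
    def __init__(self):
        self.spent = set()

    def redeem(self, nonce: bytes, signature: int) -> bool:
        if pow(signature, E, N) != token_digest(nonce):
            return False  # not minted by the attester: forged or tampered
        if nonce in self.spent:
            return False  # replay: tokens are single use
        self.spent.add(nonce)
        return True

def round_trip(nonce: bytes):
    """Issue and redeem one token; returns what each party saw, to check linkability."""
    blinded, r = blind(nonce)
    signature = unblind(attest(blinded), r)
    origin = Origin()
    return {"attester_saw": blinded, "origin_saw": (nonce, signature),
            "first_redeem": origin.redeem(nonce, signature),
            "replay": origin.redeem(nonce, signature)}
```

The attester's record (`attester_saw`) shares nothing computable with what the origin receives unless the client's blinding factor leaks, which is the unlinkability the thread is arguing about.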
19. 015a+VI 2022-06-15 15:13:55
>>nojito+W3
I really disagree, and you don't have to look further than the video game community to see where this is headed. Most triple-A video games explicitly ban Linux devices from accessing their services, under the excuse of anti-cheat. They're extremely strict; a game could work totally fine under Proton, but still be dysfunctional because if (os == "linux"). Even Windows VMs are oftentimes banned.

"Anti-cheat" and "bots" are literally the same reasoning.

And I think the big take-away is: anti-cheat systems' decision to do this hurts more real people than it does bots. It's idiotic, and anyone with half a brain recognizes that, but statistics are on their side. If 1% of both Windows & Linux players cheat, but 90% of all computer users are on Windows, then banning the 10% who aren't easily kills some number of bots. It's not many, but it's nonzero.

What we're talking about with PATs is a multi-party established trust system. You're right; maybe the Linux community could/will become an issuer of these tokens. I'm not sure it's relevant. Any of these systems could be "compromised" to be leveraged by bots (compromised is NOT the right word, but it's probably the word the people building this would use). So, being a mediator or site operator, you have to decide which issuers to trust. Apple probably, Microsoft and Google as well; they're big and represent a lot of users. But it's SO EASY to just say "nah, we're not going to trust Canonical". After all, there are bots on Linux! Granted, there are bots everywhere, but jeez, so few real users would be impacted, we could paint with a big brush and just solve X% of the problem right now.

I don't feel this is fearmongering; I think it's a legitimate concern. The reason being: the PAT attestation from the issuer is pretty black-boxed, technically. Apple just asserts to Cloudflare: we think this device isn't a bot. On Apple's end, there will be lots of device & geolocation heuristics; they probably check "hey, you signed in with Apple? good, botscore *= 0.9", etc. Cloudflare (or any intermediary/site operator) needs to trust that the validator is doing a "good job" of checking for bots, and the statistical qualifications for "doing a good job" are only going to increase over time. Apple has tons of heuristics they can use; Microsoft probably has a bit less; Linux has very few, by design. It's very easy to imagine a situation where Linux's solution to this isn't recognized by Large Service Providers as "up to snuff", and they get cut off.

But, ok, let's actually fearmonger. There have been some rumblings in the anti-cheat community that one of the signals some anti-cheat systems use is the amount of money you spend on their in-game store. It's probably a good signal: cheaters tend to cycle through accounts as they get banned, they'd lose all their cool stuff if an account is banned, so they spend less money. Imagine a reality where Apple uses spending heuristics as a signal to determine if a device is real; your account is on the verge of suspicion, and the final data point against you is that you aren't subscribed to Apple One, because per our statistical research 98% of confirmed bots aren't subscribed to Apple One.

Look: some bank and education sites have been doing a small-time idiotic version of this, often via user-agent parsing. It doesn't really work all that well, but it should signal that the desire for something more functional exists. This solution won't actually be more functional in a form which allows legitimate non-Big-Tech users equitable access. Thus, it'll trend, slowly, toward "trusting the vendor", which also won't work all that well, but no one cares because "at least we're doing something". I think, at the end of the day, the entire domain of "bot mitigation" is misguided; they can't be stopped. You install captchas and you get warehouses of people paid pennies solving them, or you get better AI to solve them. You trust the device, attackers buy the devices. It's a treadmill that literally only serves to reduce access to computing services for minorities (differently-abled people who can't pass captchas, Linux users, etc).

We need to, as an industry, take a giant step back and reframe this from "how do we stop bots" to "how do we live with bots".

20. al_bor+9K 2022-06-15 15:18:28
>>stevew+(OP)
With macOS running on Unix, Microsoft releasing WSL, and Google running Android on Linux... not to mention all the data centers they all have that rely on Linux... I can't imagine they would just collectively "forget" about Linux and screw over the communities they all rely on. From a consumer perspective, it's not a big group, but it's a really important group.
replies(1): >>userbi+4O1
21. crypto+PK 2022-06-15 15:20:33
>>nojito+W3
Presumably there would be some sort of trust anchor that would need to be run by the alternative community and which would need to be accepted by others, which means it would have to play by their rules whatever their rules are. This still forces an authority on users of alternative platforms.
22. stjohn+0P 2022-06-15 15:35:15
>>stevew+(OP)
This "you're approved by one of the big 5" before you get to use the web is just fucking awful. Logins (or security tokens) should be kept to a minimum for things like banks, customized web apps, etc., where they have an actual -need- to know who you are and you have actively agreed to it. Forcing Cloudflare to verify every web site access via tokenization would be awful. Maybe on the upside it would result in more content available via a more distributed web.
replies(1): >>Zak+9L1
23. Zak+9L1 2022-06-15 19:30:54
>>stjohn+0P
I don't want my bank making rules about what OS and web browser I can use for online banking. I'd like them to use TOTP though.
replies(1): >>ugl+Jn2
24. userbi+4O1 2022-06-15 19:42:49
>>al_bor+9K
It's worth remembering that the Linux kernel is already infected with things like secure boot.

By Linux, the OP was simply referring to an OS that is solely under the control of the user and gives the user full freedom. Not the locked-down versions of Linux like Android and no doubt whatever else will appear as the "officially sanctioned Linux(es)."

25. userbi+2P1 2022-06-15 19:46:13
>>echelo+lm
Call your representatives and teach them about this problem.

Also, vote. Big Tech has grown enough power to be a government itself, but not one we voted for. Hopefully the ones we can vote for, can at least restrain some of that power.

26. ugl+Jn2 2022-06-15 23:04:10
>>Zak+9L1
Many banks used to, at least in the US. You had to run some version of Internet Explorer, sometimes a specific version, or you could not access the bank website. It's creeping back now as more sites are not working correctly with Firefox for me.