How can he reconciliate these views with this spec, which he is the main author of? Surely Ben sees the parallels?
He writes: "Apple’s strategy with this is obvious, and it clearly works, but it still greatly upsets me that I couldn’t just build an app with my linux laptop. If I want the app to persist for longer than a month, and to make it easy for friends to install, I had to pay $99 for a developer account. Come on Apple, I know you want people to use the app story but this is just a little cruel. I basically have to pay $99 a year now just to keep using my little app."
It's honestly comical and a little sad.
[1]: http://benwiser.com/blog/I-just-spent-%C2%A3700-to-have-my-o...
It can be reconciled with love for money and total lack of moral fiber.
Aka « I don’t give a shit about my actions destroying everyone, as long as I go get paid »
I can tell you that the machine is so big and the responsibilities diluted to such extent that no one really feels like they're making a morally dubious decision, it just sort of happens on its own, magically.
What this guy's doing is shameful, but I've seen dozens of otherwise lovely people, working for charities, spending much more time on socially-important and useful work than 90% of the crowd here... and the same people would push barely legal (if not illegal) targeting on masses of people, arguing to push cigarette ads in markets that still allow it. Advertising is cancer and the current model is not sustainable.
What I'm (poorly) trying to say is: be angry, let everyone know that you're angry, make more people angry, but remember that focusing on this guy is a distraction from a bigger systemic issue and it actually helps organisations like Alphabet.
It’s not generally easy, but I think I’m in the position to say that.
The guy has the choice of company to work with and has the choice in the company and what department to work in.
It's easy: he works for Google. Every single public-ish web developer and/or devrel from Google will spend inordinate amounts of time lambasting Apple, writing essays on how Apple cripples the web etc.
While Google has broken the web so badly that Apple would need several decades to come anywhere close.
Note: the moment they leave Google, they may slightly change their tune and criticise Google a bit. For an example, see Alex Russell of web components when he went to work at Microsoft after spending a decade making sure that web browsers are truly unimplementable: https://infrequently.org/2021/07/hobsons-browser/
― Upton Sinclair
as long as they get their $1280 bonus they don't care
even if they're destroying their future employment prospects
> Apple’s strategy with this is obvious, and it clearly works, but it still greatly upsets me that I couldn’t just build an app with my linux laptop.
Ben, you've thought about the impact your proposal would have on Linux laptop users, right? Surely you sometimes use your laptop for banking, right?
Even the ad example is about not charging advertisers for bot views, which is a huge problem right now.
The problem is that a tool can often be used for evil as easily as for good, and the more the standard was used to block ad blockers over simply filtering out User Agent spoofing bots, the more this tool ends up evil.
And even if the limited scope in the proposal was the true intent, there's nothing preventing scope creep.
Though reading over it all, I do think the assumptions of motivations in most of the comments here are misaligned. This does seem to be primarily focused on the issue of growth in bot activity and making it harder on bots to act as if human to servers.
Still, the spirit of who controls the client is very much at stake, and the comments here are ostensibly right that this is a measure that should not happen.
(And frankly, given the bubbling attitudes about enshittification coupled with the coming lowered barrier of entry for competition against software firms and content production, I think this is very much the kind of thing that may backfire horribly if forced through.)
Disclosure: I work at Google but not on this.
Now, I'm not opposed to having a locked down device when performing actions like using a bank app.
However, Google is abusing this, because they force their adware and spyware into that device, so I can't have a secure, locked down Android device without that.
But bank apps won't implement it because the market share isn't large enough. This is a great showcase of the issues with the new proposal as well.
[1] https://grapheneos.org/articles/attestation-compatibility-gu...
As if you personally know 90% of the people here? And how many of those 10% would never ever push advertising on anyone, would you guess?
It's moot anyway, you cannot compensate for a lie by giving someone a lot of cake, even all the cake in the world. It's apples and oranges.
> Advertising is cancer and the current model is not sustainable.
"Advertising" is just a shorthand for the concrete actions concrete individuals engage in. There is no "model" outside of hundreds of decisions people make every day. It's like blaming "capitalism" and pretending people just play the "game" as if that existed outside of those actions. For any person you could name, I can find you someone in the same situation who refused to do the evil thing.
It's just an open question, and as such, it does seem it's an afterthought, when it should be front and center if anyone cares for an open web.
> Attesters will be required to offer their service under the same conditions to any browser who wishes to use it and meets certain baseline requirements.
What prevents this set of baseline requirements from being e.g. “the device is backed by a TPM from these four vendors”?
> Although a holdback would prevent the attestation signal from being used for per-request enforcement decisions, there remains immense value for measurement in aggregate populations. However, a holdback also has significant drawbacks.
“So, like, here’s a vague idea on how we might prevent this. However this idea has significant problems.” Not a very convincing argument?
> If the community thinks it's important for the attestation to include the platform identity of the application
“If we assume that we can’t actually solve this…”
Basically there’s not much in the way of answers there. Generally when you put out proposals with a history of significant pushback I’d expect the likely feedback to be addressed in more depth than this.
(I guess since we’re doing disclaimers I also work at Google but not on this.)
"This internal contradiction is further demonstrated by the fact that the proposed solution to prevent misuse by websites - holdbacks - is to simply sabotage the functionality of the system itself, by making attestation probabilistic. This is not a workable solution to the problem: if the holdback rate of requests is low enough, the denial of service to legitimate users will simply be a cost of business that websites will accept; if instead it is high enough, websites will not use this system as it does not provide meaningful enough information, even for analytics purposes, due to the high uncertainty. There is no goldilocks zone where this system is useful but not open to abuse by implementer websites. You're either implementing a feature that can - and most likely will - be used by websites to exclude unattested clients, or you're implementing a useless feature."
https://github.com/RupertBenWiser/Web-Environment-Integrity/...