It's honestly good for this to get a lot of attention though, I'm happy to see additional commentary on it getting shared.
I'd be curious to know how or if Chrome actually manages the PR around their work. Chrome lead fired off a blog post So you don't like a web proposal which effectively says it's purely a technical decision, and that only constructive technical criticism is regarded at all. >>36818409 https://blog.yoav.ws/posts/web_platform_change_you_do_not_li...
But I don't feel like Google has the luxury of letting it's image burn like this. TURTLEDOVE is already a huge semi-sound but immensely scary change, MV3 is a disaster of high order and hasn't responded with anything but a stream of bandaids to challenges like Mozilla's far more capable Background Pages proposals. But I think the reputation damage here is vastly higher, as there's basically nothing being offered here to most users, or, if this spec goes through, ex-Web users. This effort is just an abominable horror show, and at some point, it feels like Google/Chrome have to stop being so blinders-on as to treat this as a merely technical discussion.
The last time these debates went down, where there was an incredibly contentious spec that got shipped, it basically took the Web creator Tim Berners-Lee using his w3c authority to stamp "ship it" on the spec. https://www.techdirt.com/2017/03/01/tim-berners-lee-endorses...
It is:
https://github.com/RupertBenWiser/Web-Environment-Integrity/...
Google "will be able to request a token that attests key facts about the environment their client code is running in."
Google "will ultimately decide if they trust the verdict returned from the attester."
"Allow" Google "to evaluate the authenticity of the device and honest representation of the software stack and the traffic from the device."
I have replaced "web sites" and "web servers" in the original explainer text with "Google" for clarity of intent.
Why would Google want these capabilities in web browsers?
What does Google plan to do with them?
What follow-on actions is Google planning?
Google marketing exec: "We need to lock down web browsers so we can make more money by showing ads."
"Ad blockers need to be prevented. The new WEI APIs will ensure that ad blockers aren't running, that our ads are being seen, and that no DRM is being compromised."
"We also want to prevent ad fraud. With WEI we can ensure that ad clicks are legit and that people are watching the ads we show. If we can't control the operating system like we can on Chromebooks and Android phones, then we need to control the web browser with cryptographic certainty."
Getting browsers to adopt and implement Web Environment Integrity is Step 1.
Step 2 is where all Google web sites start requiring Web Environment Integrity to be used or they lock you out of the site.
Step 3 is where all websites serving Google ads require Web Environment Integrity to be used.
Step 4 Profit!
Web Environment Integrity is the beginning of the further DRM-ification and enshittification of the Web.
If this proposal gets rejected it'll be because of feedback in the press that is impossible to ignore. My experience watching how Google has handled contentious issues in the past makes me personally feel that Google will not be receptive to concerns about whether this spec should exist. Google and the Chromium team are not willing to hear community feedback about the direction of the web or about what the web should be. They demand that feedback start from a position of assuming the best intentions of the spec, and start from a position of assuming that the spec is basically good and might just have additional concerns to address (https://blog.yoav.ws/posts/web_platform_change_you_do_not_li...).
This has been a longstanding issue with how Google approaches web standards; according to Google there's no such thing as a harmful feature and Google's approach is never wrong; it just might need refining. The refining is the only thing that Google wants to talk about.
There is a predictable arc to this narrative as well. If blowback gets out of control, Google will blame that blowback on misinformation and accuse the community of operating in bad faith or fearmongering. At best, you'll get a few people from the Chromium team saying "we hear you and we need to communicate better." Note the underlying implication behind that statement that the original proposal wasn't bad, it just wasn't communicated well. People just need to do a better job of "getting involved" in the web standards process so that the Chromium team knows to address their concerns. And it just comes down to learning to be kind and "remembering the human" -- ie ignoring the structural damage that the human is capable of causing to the largest and arguably most important Open platform on the planet.
There will never in any situation be an acknowledgement that the direction or intent was wrong; that's just overwhelmingly not how the Chromium team operates on any issue big or small.
It's good for larger sites like Ars to cover this, and it's good for people to share thoughts on social media; the only way that users have a say over this is if the press runs with it and generates a metric ton of bad publicity for Google; and even then it's a toss-up. It comes down to what the company feels like it can ignore or dismiss with a couple of Twitter posts. And this is not just where issues like adblocking are concerned, the Chromium team has been hostile to user feedback even on more minor technical issues for a pretty long while. I was writing about this issue back in 2018 (https://danshumway.com/blog/chrome-autoplay) and it was a trend before that point as well.
It stinks to go into a conversation not assuming good will from all of the parties (and it usually is wrong to do so), but the Chromium team has not earned an assumption of good will, and it's done quite a bit to squander that assumption. It's regrettably kind of a waste of time to try and engage on this stuff, it's better to just criticize on social media and hope that the press runs with it. Because that's the only thing that Google listens to.
[1]: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...
https://tildes.net/~comp/18h8/web_environment_integrity_a_go...
[0] https://github.com/RupertBenWiser/Web-Environment-Integrity/...
[0] gemini://hackersphere.space
So get a front row seat and get ready for what is to come in September this year to witness the beginning of the end of a company once adored by hundreds of techies finally getting broken up to pieces.
[0] https://www.cnbc.com/2020/10/20/doj-antitrust-lawsuit-agains...
[1] https://www.cnbc.com/2023/01/24/doj-files-second-antitrust-l...
Of the FAAMGs my favorite is Google, but this makes me reconsider my position.
* I won't even say relatively unknown, he has 8 followers on GitHub. Simply unknown to the dev community.
Web Environment Integrity API Proposal - >>36817305 - July 2023 (428 comments)
I recommend finding everyone responsible for this and exercising your right to free speech on them. It works for politicians, and it should work on this other flavour of bastard too.
Once again, Stallman was very prescient: https://www.gnu.org/philosophy/right-to-read.html
Also, Firefox just passed ahead of Chrome on some JS speed benchmark, so you should get ready to switch back!
Archive: https://catless.ncl.ac.uk/Risks/
So much of our current hellscape was foretold long ago.
This is false. Safari supports Manifest V2 and has no plans to deprecate it.
I'd guess that you're confused because Safari lacks support for webRequest BlockingResponse: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...
Would it be acceptable for a website owner to block users from Detroit (78% African Americans)[1] or block users from El Paso (82% Hispanic)[2] because the website owner claims that fraudulent ad clicking is more prevalent from those cities?
Would it be acceptable to only serve web pages to people without disabilities and without a need for specialist accessibility software because it's not economically viable to consider users with disabilities?
Would the poorest 10% of the population be able to access web pages and services delivered over the Internet with old hardware (all they can afford) and with limited computer literacy and limited ability to raise complaints (that are ignored anyway or responded to by an AI algorithm that doesn't care)?
A website owner is still discriminating when they hide behind technology such as AI algorithms, Web Integrity APIs, etc and pretend that their use of such technology is non-discriminatory.
[1] https://www.census.gov/quickfacts/fact/table/detroitcitymich...
[2] https://www.census.gov/quickfacts/fact/table/elpasocitytexas...
It's super telling they know by how they are acting, by locking down the GitHub repo.
It's very depressing how far both Google and Googlers have fallen. What was once a home to innovation, growth, and technical creation is now just ads, abusing their market position to give Chrome an insane advantage during the later years of the browser wars, and more of the same.
It's probably time to bring anti-trust action against Google. Also if you're not already, please move to Firefox and stop using Chrome. Mozilla stands against this and these engineers pushing it [6].
[1] https://github.com/RupertBenWiser/Web-Environment-Integrity/...
[2] https://github.com/RupertBenWiser/Web-Environment-Integrity/...
[3] https://github.com/RupertBenWiser
[4] https://github.com/yoavweiss
[5] https://github.com/RupertBenWiser/Web-Environment-Integrity/...
[6] https://github.com/mozilla/standards-positions/issues/852#is...
[1] https://github.com/RupertBenWiser/Web-Environment-Integrity/...
[2] https://github.com/RupertBenWiser/Web-Environment-Integrity/...
If you are shown a product ad whilst browsing searchengine.example and then later look up the product at reviews.example, then end up making a purchase at shop.example, your browser sends all of these events to an aggregation service that allows shop.example to understand (at least in aggregate, assuming you trust the cartel running the aggregation service) that you were exposed to their product at searchengine.example and further exposed to their product at reviews.example.
But also the spec itself is bad: "MUST" in capital letters when talking about setting up the HTTP3 endpoint and verifying the cert. https://datatracker.ietf.org/doc/rfc9114/
There are compile-time flags you can use to enable it in the QUIC HTTP/3 libs you can then manually link when compiling your personal browser. But with Google/Microsoft/Apple/Mozilla browser binaries used by the public they will not be able to connect.
https://www.spglobal.com/marketintelligence/en/news-insights...
There's even a post on front page right now about Mozilla's position on the very proposal we are discussing: >>36857032
TEE on Android, for example. Intel ME on PCs, and probably TPMs also have a firmware of their own. Secure Enclave on Apple devices.
There's an outstandingly good perspective on the issue in another thread: >>36859465
Try searching for "only chrome".
Having said that, the comment that Weiss links to when citing himself...:
> I understand many folks here are upset about this proposal. I urge you to actually read the proposal, rather than rely on rumors about what it does or doesn't propose. If it's at all helpful, I wrote a few words about ways you can constructively engage with proposals you don't like.
... almost certainly does run afoul of the W3C's provisions for acceptable and unacceptable behavior outlined in the code of ethics and professional conduct. Implying that someone who is "upset" about the proposal is responding to rumors and that it is okay to admonish them to "actually read [it]" is both uncharitable and noxious to the discussion. There's a good reason why HN, for example, has an explicit rule against accusing people of not having read the article.
1. <https://www.w3.org/TR/design-principles/#priority-of-constit...>
From a legal viewpoint, the answer is dependent on the complexity of state laws[1]. What a website owner can do with a website in one country obviously differs from what they could do in another country. Most countries have very weak anti-discrimination laws, and if they do exist, they typically only apply for very specific purposes such as employment discrimination based on age. These limited laws tend to be near impossible to enforce short of someone self-incriminating themselves. In some countries however, an example being Norway, laws against discrimination can be very strict and routinely enforced to the level of requiring all website owners to implement WCAG 2.0 at AA level[2].
From an ethical viewpoint, the Universal Declaration of Human Rights[3] states in Article 2:
"Everyone is entitled to all the rights and freedoms set forth in this Declaration, without distinction of any kind, such as race, colour, sex, language, religion, political or other opinion, national or social origin, property, birth or other status.
Furthermore, no distinction shall be made on the basis of the political, jurisdictional or international status of the country or territory to which a person belongs, whether it be independent, trust, non-self-governing or under any other limitation of sovereignty."
"Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers."
[2] https://www.uutilsynet.no/english/about-us/903
[3] https://www.ohchr.org/en/human-rights/universal-declaration/...
US:
- https://www.ftc.gov/enforcement/report-antitrust-violation
- antitrust@ftc.gov
EU:
- https://competition-policy.ec.europa.eu/antitrust/contact_en
- comp-greffe-antitrust@ec.europa.eu
UK:
- https://www.gov.uk/guidance/tell-the-cma-about-a-competition...
- general.enquiries@cma.gov.uk
India:
- https://www.cci.gov.in/antitrust/
- https://www.cci.gov.in/filing/atd
Canada:
- https://www.competitionbureau.gc.ca/eic/site/cb-bc.nsf/frm-e...
https://android-developers.googleblog.com/2019/09/trust-but-...