zlacker

The latest, tone-deaf response from a Google engineer: https://github.com/RupertBenWiser/Web-Environment-Integrity/...

>>zb3+(OP)
I like how he changed his GitHub profile photo to a picture of a yellow duck.

I'd do the same thing if I was working for the devil and I knew it.

>>zb3+(OP)
In the above he's mentioning that

Privacy features like user-agent reduction, IP reduction, preventing cross- site storage, and fingerprint randomization make it more difficult to distinguish or reidentify individual clients, which is great for privacy, but makes fighting fraud more difficult. This matters to users because making the web more private without providing new APIs to developers could lead to websites adding more:

- sign-in gates to access basic content

- invasive user fingerprinting, which is less transparent to users and more difficult to control

- excessive challenges (SMS verification, captchas)

My question is whether there is any data to back up those claims.

>>zb3+(OP)
"it's clear we need a larger discussion (so you understand why I'm right" and not "it's clear this was a bad idea"

>>zb3+(OP)
You have to be hopelessly naive to believe that the hold-back feature is going to be implemented as described, if at all, and not quietly removed when the outrage dies down.

And even if it stays as described, the percentage will be low enough that those that fail attestation can be safely barraged with captchas or simply told to go away. (You can try browsing the web with TOR to get a taste of how you will be treated)

The whole post can be summarized as "trust me bro"

>>alex77+I1
Yeah, it was only when I briefly worked for a FAANG that I realised that it doesn't really matter how many well-meaning engineers you have, because ultimately they don't make the decisions. Execs make the big decisions, and they will always take the most profitable choice.

>>bob102+61
Is that like a reverse canary?

>>zb3+(OP)
This seems like a very reasonable reply to me; what's tone deaf or otherwise objectionable about it?

>>alex77+I1
Those cited 5-10% are laughable. If countless US sites prefer to just block the entire EU over bothering with privacy regulations they'll just tell you to reload the page every 10th to 20th time you click on something. Compared to what the majority of people already silently accept with ads, cookie banners and popups it's not even worth mentioning, and that's assuming Google can be trusted for once.

>>zb3+(OP)
Imagine outing yourself this publicly as the next engineer to get your employer slapped with a couple more billion-dollar European Commission fines.

>>zb3+(OP)
> Let’s work together on finding the right path

This is precisely what the reported issues are trying to achieve, regardless of their tone. The current path is completely wrong and reckless. The first step of working together would be to abandon this approach entirely.

This is akin to suggesting that we'd solve global warming by triggering a nuclear winter. This is not something you can solve by iterating and finding a middle path. The entire premise of this proposal is dangerous and should be binned.

Just think about all the potential ways in which this approach can (and obviously would) be abused.

(Posting this here as I just noticed they disallowed commenting)

>>kafrof+j1
This was my take away as well. I see a lot of imaginary, proposed future problems and no concrete issues that this is currently trying to solve. It gives the impression that it's just being put out there to muddy the waters and give some credence to an otherwise awful barrier to entry for the web.

>>zb3+(OP)
> I’m not sure my personal repository is the best place to do that - we are looking for a better forum and will update when we have found one.

I'm curious what "better forum," if any, Google will actually engage with on this matter. I too wouldn't this sort of overwhelming reaction to happen in a personal repository. But the conversation needs to happen somewhere!

>>zb3+(OP)
On Friday:

> I’m giving everyone a heads up that I’m limiting comments to contributors over the weekend so that I can try to take a breath away from GitHub. I will reopen them after the weekend

After the weekend - leaves long comment but doesn't reopen comments as promised.

>>jefftk+P4
It's not a terrible reply, but it does miss the point.

It focuses heavily on privacy concerns and how those will be resolved - the vast majority of criticism I've seen hasn't been related to this at all, and those aren't especially hard problems to solve in the context of the existing spec.

It still largely ignores browser diversity & experience this will create for non-Chrome users. His argument is that blocking fingerprinting in future will mean anti-fraud will make the web unusable, and WEI will make it usable again. Given you accept the premise, still the conclusion is only true for browsers that can access WEI - which means the web will become unusable for browsers who can't (Linux, rooted Android, Firefox, etc etc).

For the ecosystem as a whole, it's better if everybody has a fair playing field. By definition, WEI structurally privileges certain clients. The more widespread that becomes the worse the effect on the wider ecosystem is. If WEI does not exist, and fingerprinting does not exist, providers will be forced to find ways to limit the impact of anti-fraud mechanisms. If 90%+ of browsers use attestation, that pressure decreases dramatically. Using Tor on the web today is a good example of the likely experience.

The mention of holdbacks here touches on this (though for full blocks, rather than wider impact) but ignores the existing strong pushback against holdbacks from others closely involved in the spec & discussion around this (https://github.com/RupertBenWiser/Web-Environment-Integrity/...) and ignores that the attestation they already shipped on Android for exactly the same use case does _not_ do this.

Fundamentally, the issue isn't about privacy during these checks, or whether defeating fraud without fingerprinting is valuable. Those are reasonable but obvious points. The issue is that client-focused validation for fraud is a flawed goal in itself (it's impossible - even with full & perfect attestation, you can set up a fully automated + WEI-approved machine by automating input peripherals directly) that risks enormous collateral damage, and we shouldn't encourage it in any sense. We definitely shouldn't standardize practices to make it easier.

At the end of the day, if you want to block fraud you have to do so server side (statistical analysis, rate limits, validated user accounts, requiring payments, some kind of proof of work, etc). This is a hard problem, absolutely, but it's unavoidable.

>>zb3+(OP)
I find it interesting that the author thinks "invasive user fingerprinting" would stop with WEI. If you really believe ad networks are _only_ fingerprinting users to fight fraud and will stop doing it after WEI, I have a bridge to sell you.

How else are they going to learn more about me and shove ads that they think I care about?

>>zb3+(OP)
> We want to continue the discussion and collaborate to address your core concerns

> An owner of this repository has limited the ability to comment

>>zb3+(OP)
The problem with him arguing that it's just an early proposal is they are adding it to Chrome nightly builds

>>zb3+(OP)
The hold-back feature is so extremely out of touch with reality

"There seems to be something wrong with your request, try reloading this page"

Good luck getting this ad infinitum you are on an environment that Google doesn't approve.

>>vamc19+hf
> If you really believe ad networks are _only_ fingerprinting users to fight fraud and will stop doing it after WEI, I have a bridge to sell you.

I very much doubt author himself believes that.