https://www.theregister.com/2023/07/25/google_web_environmen...
Despite the spec's half-baked state, the blowback last week was swift – in the form of a flood of largely critical comments posted to the WEI GitHub repository, and abuse directed at the authors of the proposal. The Google devs' response was to limit comment posting to those who had previously contributed to the repo and to post a Code of Conduct document as a reminder to be civil.
The usual way to deal with opposition these days.
Now it's almost impossible to access websites in an automated way -- the CTO posted you can just email him (>>34639212) and he'll sort it. Because that scales.
edit: Misspoke about the CTO, said he would approve you, I was wrong. Apologies.
Their DNS is "privacy focused", but they provide "aggregated results" of domains. How is that privacy focused?
Cloudflare came from the approach of being a developer's friend ("Look! SSL is now free!") but was given the internet on a silver platter.
Ben Wiser ( https://benwiser.com ) turned off comments altogether.
Edit: the Register article linked elsewhere looks as good as it gets for now https://www.theregister.com/2023/07/25/google_web_environmen...
[1]https://arstechnica.com/gadgets/2023/07/googles-web-integrit...
Nested CSS is supported in the latest version of all major browsers.
The link at the top of the page is pointing to the GitHub repo, where you can see literally over a million contributions from thousands of people working at hundreds of companies: https://github.com/chromium/chromium/commits/main
I've worked on both Chrome and Android (Chromium and AOSP) professionally, and never worked at Google.
On a separate note, for journalists and others who wish to communicate with the spec's author directly, his public website (which lists a personal email) is one of the other repos on the Github profile under which the specification was published. It's painfully absurd that he wrote this sentence in 2022 [0]:
> I decided to make this an app in the end. This is where my costs started racking up. I had to pay for a second hand macbook pro to build an iOS app. Apple’s strategy with this is obvious, and it clearly works, but it still greatly upsets me that I couldn’t just build an app with my linux laptop. If I want the app to persist for longer than a month, and to make it easy for friends to install, I had to pay $99 for a developer account. Come on Apple, I know you want people to use the app story but this is just a little cruel. I basically have to pay $99 a year now just to keep using my little app.
[0] https://benwiser.com/blog/I-just-spent-%C2%A3700-to-have-my-...
Add to Mozilla's perceived not-very-good management and you have a death spiral on your hands, and more power to Google and Apple to shape the Web towards their interests.
FWIW, first-class profiles support matters a lot: https://medium.com/sort-of-like-a-tech-diary/profiles-the-on...
Sounds like a great way to enforce censorship:
- websites can deny access to unverified web browsers / web clients
- WEI-enforcing web browsers / web clients can refuse to go to unverified websites (not a stated goal, but it is a logical next step to boost website adoption of WEI APIs once a critical mass of clients is reached)
Google wants to build a wall around the Web and have their own walled garden:
It was this thread, where you mentioned emailing: >>34639212
> I decided to make this an app in the end. This is where my costs started racking up. I had to pay for a second hand macbook pro to build an iOS app. Apple’s strategy with this is obvious, and it clearly works, but it still greatly upsets me that I couldn’t just build an app with my linux laptop. If I want the app to persist for longer than a month, and to make it easy for friends to install, I had to pay $99 for a developer account. Come on Apple, I know you want people to use the app story but this is just a little cruel. I basically have to pay $99 a year now just to keep using my little app.
The double-think is absolutely astounding.
[0] https://benwiser.com/blog/I-just-spent-%C2%A3700-to-have-my-...
"The proposal suggests that websites should be able to request an attestation from the browser about its “integrity”. Such attestations are to be provided by external agents, which – presumably – examine the browser and its plugins, and issue an approval only if those checks pass.
The attestation is sent back to the website, which can now decide to deny service if the agent did not give approval." [1]
1. https://interpeer.io/blog/2023/07/google-vs-the-open-web
In other words, websites can now force you to comply with their shitty behaviour in order to allow you access, otherwise you get denied access.
Put a gentle "Use Firefox" (or any other non-Chromium-based browser) message on your website. It doesn't have to be in-your-face, just something small.
I've taken my own advice and added it to my own website: https://geeklaunch.io/
(It only appears on Chromium-based browsers.)
We can slowly turn the tide, little by little.
https://www.opensecrets.org/orgs/alphabet-inc/recipients?id=...
Here is them lobbying specifically around antitrust reform legislation: https://www.opensecrets.org/federal-lobbying/bills/specific_...
> Private equity deals and transactions in the healthcare and technology sectors continue to attract heightened antitrust scrutiny...
> The US agencies have also demonstrated an increased interest in challenging vertical transactions.
> In January 2022, for example, the FTC sued to block Lockheed Martin's US$4.4 billion proposed acquisition of Aerojet, which the parties subsequently abandoned.
> Increased enforcement, combined with the agencies' reluctance to approve remedies, has created an uncertain environment where commercial parties should be increasingly prepared to litigate mergers.
> The ramping up of antitrust enforcement in 2022...
https://www.whitecase.com/insight-our-thinking/us-ma-fy-2022...
Here's another:
> Since 2020, the Federal Trade Commission (FTC) and U.S. Department of Justice (DOJ) have filed multiple lawsuits against major tech companies...
> "The agencies have started laying the foundations for a more interventionist stance over the last two years, and this year is when we'll start to see some of those efforts come to fruition -- or be stopped in their tracks by the courts," Kass said.
https://www.techtarget.com/searchcio/news/252528606/FTC-push...
I'm sure you can find more.
- Attestation does not work as an antifraud signal unless it is mandatory - fraudsters will just pretend to be a browser doing random holdout otherwise.
- The banks that want attestation do not want you using niche browsers to login to their services.
[0] https://github.com/RupertBenWiser/Web-Environment-Integrity/...
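A toy model of the flow quoted earlier in the thread (site asks for an attestation, an external attester signs a verdict, the site denies service without approval) and of the holdout point in this comment, added here as an illustration; it is not code from the proposal or any attester, and the HMAC key, message layout, approved-environment list and holdout policy are all assumptions.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed model of the attestation exchange discussed in this thread. Not the WEI
# spec: the key handling, message layout and holdout policy below are assumptions.

# Stand-in for the attester's signing key. A real attester would use an asymmetric
# key so that sites can verify without being able to forge; HMAC keeps this offline.
ATTESTER_KEY = b"constructed-attester-key"

# Environments this toy attester is willing to approve (assumption).
APPROVED_ENVIRONMENTS = {("chrome", "android"), ("chrome", "windows")}


def attester_sign(challenge: str, browser: str, os_name: str,
                  key: bytes = ATTESTER_KEY) -> dict:
    """Attester side: inspect the client and return a verdict bound to the site's challenge."""
    verdict = {
        "challenge": challenge,
        "approved": (browser, os_name) in APPROVED_ENVIRONMENTS,
    }
    payload = json.dumps(verdict, sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "mac": mac}


def site_verify(token: Optional[dict], challenge: str,
                key: bytes = ATTESTER_KEY) -> Optional[bool]:
    """Site side: True/False for a valid token's verdict, None when no usable token exists.

    A token whose MAC fails or whose challenge is not ours is treated exactly like a
    missing token, so an edited or replayed token gains nothing over sending none.
    """
    if token is None:
        return None
    payload = token["payload"].encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token.get("mac", "")):
        return None
    verdict = json.loads(payload)
    if verdict.get("challenge") != challenge:
        return None
    return bool(verdict.get("approved"))


def site_decide(token: Optional[dict], challenge: str, holdout_allowed: bool) -> str:
    """Site policy. Returns 'served-attested', 'served-unattested' or 'denied'."""
    approved = site_verify(token, challenge)
    if approved is True:
        return "served-attested"
    if approved is False:
        return "denied"
    # No usable token. If the scheme keeps a random holdout, the site has to serve
    # these requests too, and it cannot tell an honest holdout client from a client
    # that simply never asked the attester: the signal only exists if it is mandatory.
    return "served-unattested" if holdout_allowed else "denied"
```

With holdout_allowed=True a missing token, an edited token and a replayed token all land in the same served-unattested bucket; with it False they are all denied, which is the "mandatory or useless" trade-off the comment describes.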
https://www.opensecrets.org/orgs/amazon-com/recipients?id=D0...
and Microsoft:
https://www.opensecrets.org/orgs/microsoft-inc/recipients?id...
And yet we see high profile activity against them from the current FTC.
"FTC rewrites rules on Big Tech mergers with aim to ease monopoly-busting"
https://arstechnica.com/tech-policy/2023/07/ftc-rewrites-rul...
"FTC prepares “the big one,” a major lawsuit targeting Amazon’s core business"
https://arstechnica.com/tech-policy/2023/06/ftc-prepares-the...
"The Federal Trade Commission sued Amazon today, claiming the online giant violated US law by tricking consumers into signing up for the $14.99-per-month Amazon Prime subscription service and making it annoyingly difficult to cancel."
https://arstechnica.com/tech-policy/2023/06/ftc-sues-amazon-...
"FTC files to block Microsoft’s $69B Activision Blizzard acquisition"
https://arstechnica.com/gaming/2023/06/report-ftc-will-file-...
"A Federal Trade Commission lawsuit filed yesterday accused Ring, the home security camera company owned by Amazon, of invading users' privacy"
https://arstechnica.com/tech-policy/2023/06/ftc-amazon-ring-...
"Microsoft will pay $20 million to settle an FTC complaint that its Xbox platform illegally collected and retained information about children without their parents' consent"
https://arstechnica.com/gaming/2023/06/xbox-coppa-violations...
And that's all just from one news source, in the last three months.
A lot. Here's a link where you can read about some recent activity in the tech industry (change it to sort by Date, I couldn't figure out how to do that in the URL): https://arstechnica.com/search/?ie=UTF-8&q=ftc You can probably find more on Google (or perhaps Duck Duck Go? :) ).
https://www.reuters.com/legal/us-appeals-court-opens-docket-...
Or Judges fast-tracking lawsuits to allow those being prosecuted by the FTC to get things over quicker, ex: https://www.reuters.com/legal/illumina-wins-fast-track-appea...
And I think the biggest blow may actually come about because of the SEC lawsuit that will be heard this upcoming term at SCOTUS: https://www.reuters.com/legal/us-supreme-court-decide-legali..., which will likely heavily rein in the power of administrator judges and the ability for an agency to keep initial fights in-house (blocking litigants from taking fights to the normal courts).
I think it's time to establish a successor to the web that we can once again call home. This doesn't mean we need to give up on the web or stop using it—it can run in parallel to the mainstream, a niche home for hackers and techies and people who care about freedom. It needs to be simple, like Gemini [0], but also have enough interactive features to enable old-school social apps like HN or the old Reddit. It should have a spec and a governance process that discourages rapid changes—we've learned from hard experience that more features does not mean better.
I realize this sounds like a cop out, and that getting people to use such a thing in sufficient numbers would be extremely difficult. But I'm pretty convinced at this point that the web as we knew it will never come back unless there's a reset—unless we create a new niche tech that isn't big enough for corporations to want to take over.
Remember that moderators can be abusive not just in terms of removing content that shouldn't be removed, but also by forcing you to accept things that harm you. Moderation is a trust relationship because I'm delegating my own personal decision to accept or block traffic/content/etc to someone else. Cloudflare is not trustworthy.
Cloudflare also used to be a big pain in the ass for Tor/VPN users because competent DDoS protection requires some kind of traceable identity. Their solution was Privacy Pass - an extension that let you pre-solve their CAPTCHAs. However, this wasn't good enough, so their next solution... was to literally partner with Apple to implement Web Environment Integrity, years before Google even proposed it. Nobody noticed this - not even me - because it was sold as a way to make CAPTCHAs less annoying. It was literally the trojan horse Google could only dream of building.
[0] https://forums.malwarebytes.com/topic/108447-my-site-using-c...
for a personal blog it has quite a lot of PR speak
https://www.nytimes.com/2023/01/24/technology/google-ads-law...
n.b. I've found a lot of comfort by consciously rolling away from any subject that leads me to do "They"-ing, i.e. name an enormously large group, then talk about them as a unit. The more I avoid it, the more I realize how prevalent it became and drives how a lot of us feel society shifted.
They had enough weight at the time to say "The Web is XHTML2, you can make your own internet if you want" compared to what they can bargain for these days.
Maybe at the time it was a somewhat reasonable decision to abdicate their responsibility over to big internet companies, but that's what brought us to the current state where we're basically going back to original version of The Microsoft Network[1].
And Intuit: https://www.opensecrets.org/orgs/intuit-inc/recipients?id=D0..., https://www.ftc.gov/legal-library/browse/cases-proceedings/1...
And Epic: https://www.opensecrets.org/orgs/epic-systems/recipients?id=..., https://www.ftc.gov/legal-library/browse/cases-proceedings/1...
etc. etc.
https://vivaldi.com/blog/googles-new-dangerous-web-environme...
Shame on Rayan Kanso <rayankans@chromium.org>
Shame on Peter Pakkenberg <pbirk@chromium.org>
Shame on Dmitry Gozman <dgozman@chromium.org>
Shame on Richard Coles <torne@chromium.org>
Shame on Kinuko Yasuda <kinuko@chromium.org>
Shame on Rupert Ben Wiser: https://github.com/RupertBenWiser/Web-Environment-Integrity
Google needs to be broken up.
<span id='browser' class='hidden'>
This website is designed for <a target="_blank" rel="noopener noreferrer" href="https://firefox.com/">Firefox</a>, a web browser that respects your privacy.
</span>
<script>
// window.chrome only exists in Chromium-based browsers, so the notice stays hidden elsewhere
if (window.chrome) {
document.getElementById('browser').className = '';
}
</script>
Class .hidden must hide the element somehow, in this case I do: .hidden { display: none; }
I'm having trouble grasping how WEI works, providing examples of what would and could happen and what to ask/tell the EU specifically.
From my limited understanding it would mean the lockout of people with non-compliant hardware/software, greatly increase the fingerprinting of web browser users and further vendor lock in to Google as a company?
It's free and open source, works everywhere, has stuff like background replacement, and doesn't require signup at all.
85 points by KoftaBob 1 day ago | 109 comments
https://github.com/RupertBenWiser/Web-Environment-Integrity/...
The problem is that the proposal has not yet been brought to W3C.
Will OS check if such python lib is installed or script running in the background? Then those doing ad fraud will move to programmable board as BLE keyboard/mouse/hid. Even microbit can be programmed as BLE HID device [1]. Add external camera on unattested device that will stare at attested device screen and you can automate lots of things. Sure this is more complicated to pull off but will probably eventually happen anyway if this is a lucrative business.
In the end WEI wouldn't prevent ad fraud / fakes but would end up used for restricting other things.
https://github.com/RupertBenWiser/Web-Environment-Integrity/...
It's nakedly user-hostile. A blatant attempt to invert the "user agent" relationship such that the agent works for the advertiser/corporation/government to spy on the human behind the screen. The way the intro paragraph tries to disguise this as something users need or want is frankly disgusting:
> Users often depend on websites trusting the client environment they run in. This trust may assume that the client environment is honest about certain aspects of itself, keeps user data and intellectual property secure, and is transparent about whether or not a human is using it. This trust is the backbone of the open internet, critical for the safety of user data and for the sustainability of the website’s business.
Ugh. Here's a fixed, honest version:
Corporations like Google often depend on advertisers knowing as much as possible about their users. Their revenue may depend on fingerprinting the client environment, tracking their behavior and history, and attesting that a human with sufficient disposable income is behind the keyboard. This personal data mining is the backbone of Google's business model, critical for their continued dominance of the web and for the sustainability of their enormous margins.
Regardless, I have Googled this for you: please return the favor by helping others learn to use search engines in the future before leaving comments insinuating that they are lying.
The tldr (as you'll probably insist on that also) is that Firefox finds Mozilla, not the other way around, as the latter is a non-profit while the former is a FOR-profit, so Mozilla actually can't directly fund Firefox.
https://www.reddit.com/r/firefox/comments/ow9k0y/is_there_a_...
https://www.reddit.com/r/firefox/comments/a98gmi/donations_t...
US:
- https://www.ftc.gov/enforcement/report-antitrust-violation
- antitrust@ftc.gov
EU:
- https://competition-policy.ec.europa.eu/antitrust/contact_en
- comp-greffe-antitrust@ec.europa.eu
UK:
- https://www.gov.uk/guidance/tell-the-cma-about-a-competition...
- general.enquiries@cma.gov.uk
India:
It's even funnier with the auto-reply "Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA)."
Not on HN, please. I realize that you're trying to protect something you care about (and that maybe we all care about) but this leads to ugly mob behavior that we don't want and won't allow here.
You can make your substantive points without that, as most other users in this thread have been doing.
You may not owe web-destroying $MegaCorp better, but you owe this community better if you're participating in it.
[1]: https://radar.cloudflare.com/adoption-and-usage And CF stats don't depend on JavaScript.
Google has proposed a new Web Environment Integrity standard, outlined here: https://github.com/RupertBenWiser/Web-Environment-Integrity/....
This standard would allow Google applications to block users who are not using Google products like Chrome or Android, and encourages other web developers to do the same, with the goal of eliminating ad blockers and competing web browsers.
Google has already begun implementing this in their browser here: https://github.com/chromium/chromium/commit/6f47a22906b28994....
Basic facts:
1. Google is a developer of popular websites such as google.com and youtube.com (currently the two most popular websites in the world according to SimilarWeb)
2. Google is the developer of the most popular browser in the world, Chrome, with around 65% of market share. Most other popular browsers are based on Chromium, also developed primarily by Google.
3. Google is the developer of the most popular mobile operating system in the world, Android, with around 70% of market share.
Currently, Google's websites can be viewed on any web-standards-compliant browser on a device made by any manufacturer. This WEI proposal would allow Google websites to reject users that are not running a Google-approved browser on a Google-approved device. For example, Google could require that Youtube or Google Search can only be viewed using an official Android app or the Chrome browser, thereby noncompetitively locking consumers into using Google products while providing no benefit to those consumers.
Google is also primarily an ad company, with the majority of its revenue coming from ads. Google's business model is challenged by browsers that do not show ads the way Google intends. This proposal would encourage any web developer using Google's ad services to reject users that are not running a verified Google-approved version of Chrome, to ensure ads are viewed the way the advertiser wishes. This is not a hypothetical hidden agenda, it is explicitly stated in the proposal:
"Users like visiting websites that are expensive to create and maintain, but they often want or need to do it without paying directly. These websites fund themselves with ads, but the advertisers can only afford to pay for humans to see the ads, rather than robots. This creates a need for human users to prove to websites that they're human, sometimes through tasks like challenges or logins."
The proposed solution here is to allow web developers to reject any user that cannot prove they have viewed Google-served ads with their own human eyes.
It is essential to combat this proposal now, while it is still in an early stage. Once this is rolled out into Chrome and deployed around the world, it will be extremely difficult to roll back. It may be impossible to prevent this proposal if Google is allowed to continue owning the entire stack of website, browser, operating system, and hardware.
Thank you for your consideration of this important issue.
Please don't do this here. It's not what this site is for, and destroys what it is for.
Edit: I suppose I need to add—no, we're not pro-$MegaCorp or pro-$web-destroying-dystopia. We're just trying to have an internet forum that doesn't suck, and you guys need to make your substantive points without degenerating into mob behavior.
More explanation:
In addition: could you please stop posting unsubstantive comments and flamebait generally? You've unfortunately been doing it repeatedly. It's not what this site is for, and destroys what it is for.
If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.
This sounds myopic, or what do you mean? W3C is not only about HTML and CSS innovation, but is responsible for and/or involved in a diverse set of relevant standards — many of which "big companies" don't show as much interest in contributing to.
https://en.m.wikipedia.org/wiki/World_Wide_Web_Consortium#St...
https://www.einvestigator.com/government-email-addresses/ [2022]
This abuse of tech potentially goes beyond antitrust and damages global economic wellbeing, as well as impoverishing information systems on a global scale, generating isolation, ignorance, division, and radicalization.
According to these folks[0], Firefox has a 3.29% market share globally. They also claim there are 4.66 billion browser users globally.
If those numbers are correct, Firefox has a bit more than 150,000,000 users worldwide.
If my software had 150,000,000 users, I'd consider that wildly successful.
Other folks have different ideas/takes on that, I suppose. But it's food for thought nonetheless.
[0] https://backlinko.com/browser-market-share#worldwide-browser...
Edit: Fixed prose.
Citation? To be sure, there was not universal outrage over Safari's attestation implementation, but out of curiosity I looked up the only thread I was aware of, in part because I couldn't remember what my reaction was at the time. That thread was a year ago and the overwhelming sentiment of the comments section is critical: >>31751203
Here were my comments at the time:
They're less forceful than they are now with Google, partially because I know more now about how attestation works than I did over a year ago, and partially because (as some people have also pointed out) Chrome's implementation is straightforwardly more dangerous than Apple's is.
But HN "actively defending" Safari? That's not the impression I get from the overall comment section and it's definitely not what I personally was doing. There are a lot of people in these comments calling Apple's implementation DRM. So I'm a little skeptical of the "nobody on HN cared about this with Safari" narrative that has sprung up; from what I can see media coverage was fairly positive, but people on HN were rightly critical. I'm not sure the facts match the narrative: Safari was criticized for this.
It's a fair critique that there wasn't a coordinated attempt to outright stop Apple, but I would once again remind everyone that attestation in Chrome is way more dangerous than attestation in iOS. The market matters, that's not context that can be ignored. So it's not really all that weird to me that people are more willing to react more strongly to abusive behavior in Chrome.
For any experiencing barriers for writing the email, my method is below; Bing Chat generated an excellent email that only needed a bit of editing.
1. Open https://vivaldi.com/blog/googles-new-dangerous-web-environme... page in (ugh) Edge.
2. Open Bing Chat sidebar (top right corner); it auto-summarizes the article.
3. My prompt: Using that webpage summary, please write a letter reporting Alphabet for antitrust violation. Please include the following [this language is from the ftc.gov site]:
Q: What companies or organizations are engaging in conduct you believe violates the antitrust laws? A: Alphabet
Q: Why do you believe this conduct may have harmed competition in violation of the antitrust laws? A: [use the article]
Q: What is your role in the situation? A: I'm a user of the Firefox browser
[edit: line breaks for readability]
Here you can specifically create new antitrust complaints.
https://github.com/RupertBenWiser/Web-Environment-Integrity/...
And here's why it may be bad:
https://vivaldi.com/blog/googles-new-dangerous-web-environme...
And the HN discussion on the latter:
0: https://gs.statcounter.com/os-market-share/desktop/worldwide
Mozilla opposes this proposal because it contradicts our principles and vision for the Web. Any browser, server, or publisher that implements common standards is automatically part of the Web. ... Mechanisms that attempt to restrict these choices are harmful to the openness of the Web ecosystem and are not good for users.
The full response is here:
https://github.com/mozilla/standards-positions/issues/852#is...
Mozilla developers will then try to reach out to the website’s owners, add a fix or workaround in Firefox, or (as a last resort) spoof Chrome’s User-Agent string to bypass the website’s Firefox block.
For example, these provide essentially the same attestation service for native apps consuming APIs, validating that the phone is not rooted, and the OS and app are unmodified:
https://developer.android.com/google/play/integrity
https://developer.apple.com/documentation/devicecheck/
Apple and Cloudflare combined to take it to the browser last year and basically no one noticed:
https://blog.cloudflare.com/eliminating-captchas-on-iphones-...
Of course that will be hooked up to Google's new thing as soon as possible!
Microsoft has also been preparing it with the whole TPM integration in Windows 11 and mandatory inclusion of such hardware in all prebuilt PCs since ~2015. That's what the Chromium integration builds on - Google can't actually do the foundation for this themselves on Windows.
You can absolutely bet that all of these companies are on board with whatever Google is doing.
And this particular feature? They want to pretend it's a standard. You don't create a spec proposal for a feature you don't just develop internally.
He provides a nice piece of anecdata there: for one-on-one meetings, you can just send people a link and usually they just join. Even if they've sent a link to Zoom or Meet or whatever, you still can say “hey, join this instead” and it will work. I haven't tried this yet, but sounds plausible to me.
And yet, we've seen many such proposals go through this process because Chrome is paying lip service to it. Whatever Google wants it ships. And Google wants this.
As an adjacent (ads- and tracking-related) example: Google's FLoC flopped, hard. So they immediately shipped the replacement Topics API [1] despite there being no consensus. E.g. Firefox is against [2] (but Chrome presents Firefox's position as "No signal" in the feature status). And despite the fact that its status is literally "individual proposal, not accepted" [3]
Do not assume any good intent on Google's part when it comes to Google's business interests. Their intent is always malicious until proven otherwise. And there have been fewer and fewer cases when they have been proven otherwise.
[1] https://chromestatus.com/feature/5680923054964736
[2] https://github.com/mozilla/standards-positions/issues/622
The only way this attack can even be avoided in principle is to restrict distribution of the DRM TPM chip — ala Nintendo's NES CIC lockout chip that never left Nintendo's hands except in the form of finished first-party-assembled game cartridges. But even that only prevents mass production and sale of devices that defeat your DRM; any sufficiently motivated attacker can still buy a legitimate device from you that includes the DRM TPM chip, rip the DRM TPM chip out, and feed it to their evil-demon hardware to enable it to faithfully attest a lie over the network.
In short: if this was truly a practical additional layer of defense, there'd be tons of use-cases for it — game consoles, set-top boxes, kiosk computing (e.g. ATMs), etc.
But you don't see anyone using DRM TPM chips for these systems, because it's not a practical additional layer of defense: such chips would increase BOM for these systems, while only defending against attacks that weaker defenses (namely software DRM, or programmable-firmware DRM like Intel SGX) already defend against; and while not doing anything more to stop the truly motivated attackers than current layers of defense already do — as your Netflix pirate media-scraping bots, your EVE Online gold-farming bots, etc. all have the monetary incentive and capital to invest to build exactly these evil-demon systems.