zlacker

One of the proposals for WEI is to make it probabilistically fail.

Ie. on a given device, for 10% of websites, WEI pretends to be unsupported.

That means websites can't deny service where WEI is unsupported. Yet it still allows statistical analysis across bulk user accounts.

If WEI was implemented like this, I would support it as being good for the web ecosystem.

>>london+(OP)
This is the bait to make it sound reasonable. Of course this hold-back feature will be quietly disabled at some point in the future. The whole proposal is full of weaselly half truths and misrepresentation about their real plans

>>london+(OP)
That’s a silly proposal that will eventually be turned off as it causes issues. Users will complain that sometime websites are broken for no reason and the first proposed fix would be to turn the failure probability to zero. Then the zero failure setting will become the default.

>>london+(OP)
And what guarantees do you have that the probabilistic failure rate won't be turned to 0 at some point in the future?

Except for Google's pinky swear, I mean.

>>throwa+12
Also if Netflix or Twitter decide to require device authentication they can give you an error message and instruct you how to turn the holdback feature off

>>london+(OP)
Workaround: check WEI across 4 domains, P(failure) = 0.000001%

>>phpnod+x1
> this hold-back feature will be quietly disabled at some point in the future.

Will it though? Googles main reason for WEI I assume is to combat ad-fraud. Ie. to prevent someone making a bot farm to click ads to earn money from advertising or exhaust competitors ad budgets or manipulate search engine user ranking signals.

With WEI, all ad clicks without WEI could just be ignored (ie. not billed to advertisers, ignored when calculating statistics and signals). If 10% of clients have WEI 'cloaking', you just inflate the final advertising bill by 10% to account for those users - the end result is the same as billing for all real users and no bots.

WEI still achieves all of Googles goals even with cloaking.

>>london+(OP)
The attitude from Google towards this has changed significantly over the last few days (unsurprisingly).

From the "explainer": "we are evaluating whether attestation signals must sometimes be held back [...] However, a holdback also has significant drawbacks [...] a deterministic but limited-entropy attestation [i.e. no holdback] would obviate the need for invasive fingerprinting".

From the Google worker's most recent comment on the issue: 'WEI prevents ecosystem lock-in through hold-backs [...] This is designed to prevent WEI from becoming “DRM for the web”'

So, in other words, WEI could be used to prevent fingerprinting, but won't be able to if holdback is introduced -- 5-10% of clients would still get fingerprinted.

Looking at the list of "scenarios where users depend on client trust", all of them would be impacted by a holdback mechanism:

- Preventing ad fraud: not for the holdback group

- Bot and sockpuppet accounts on social media: not for the holdback group

- Preventing cheating in games: not for the holdback group -- and thus not for anyone playing against someone in the holdback group

- Preventing malicious software that imitates a banking app: not for the holdback group

In other words, if there was holdback, WEI would require places which currently fingerprint to retain and maintain the fingerprinting code and apply it to fewer users, in the best case, or would be completely useless in the worst case (for things like games).

However, it's also quite interesting to look at the implications of successfully attesting a browser which supports arbitrary extensions:

- Preventing ad fraud: install an automation extension

- Bot and sockpuppet accounts: as above

- Cheating in games: install an extension which allows cheating

- Malicious software which imitates a banking app: a malicious browser extension could do this easily.

In other words, unless you attest the browser with its extensions, none of the trust scenarios outlined in the explainer are actually helped by WEI. It's not obvious whether the Google employee who wrote this deliberately didn't think about these things, or whether the 'explainer' is just a collection of unconnected ideas, but it doesn't appear to hold together.

It is not surprising that the first target of WEI -- Chrome on Android -- does not support extensions.

>>london+(OP)
Here's how this goes:

WEI randomly fails, website sees it, has never implemented any error checking (or fails on purpose without WEI), WEI becomes effectively mandatory.

Google is a gun manufacturer telling people on the other end of it "don't worry, every one in 20 bullets doesn't fire".

>>london+T4
As the middle man Google benefits from ad-fraud and has few incentives to really stop it. Ad-blocking is a real problem for them however, and they have huge incentives to prevent that. Ignore what they say - that's what WEI is actually about.

>>london+(OP)
That's currently just an idea in the 'Open questions' section of the spec, but there is already pushback against it from others closely involved in the spec & discussion around this (https://github.com/RupertBenWiser/Web-Environment-Integrity/...) and notably the attestation feature Google already shipped on Android for native apps in the same situation does _not_ do this.

>>london+(OP)
The antifraud company that worked with Google on the WEI proposal is already calling for the removal of holdouts from the spec[0], because:

- Attestation does not work as an antifraud signal unless it is mandatory - fraudsters will just pretend to be a browser doing random holdout otherwise.

- The banks that want attestation do not want you using niche browsers to login to their services.

[0] https://github.com/RupertBenWiser/Web-Environment-Integrity/...

>>phpnod+Z6
Googles main business is ads on google search. Here they aren't a middle man.

Companies give google $X, and hopefully sell Y extra products. X/Y is the cost per sale. Google competes with other advert forms (eg. TV/radio/newspaper ads) on that X/Y number.

If there is ad fraud, that Y number gets decreased (budget is used up on fraud that doesn't translate to sales), and their revenue decreases as advertisers spend their ad budget on other mediums.

>>london+T4
>Will it though? Googles main reason for WEI I assume is to combat ad-fraud. Ie. to prevent someone making a bot farm to click ads to earn money from advertising or exhaust competitors ad budgets or manipulate search engine user ranking signals.

Right. And so I ask this question: Why should I be forced to donate my data, CPU cycles, network bandwidth and privacy to one of the largest corporations in the world so they can address an issue (ad fraud) between them and their customers?

I'd note that I am not a customer of Google or their advertisers. Because advertisers are the only real customers of Google.

Edit: Clarified my point.

>>london+(OP)
If you have 50% of people having adblock then websites loosing 10% of traffic because of WEI probabilistically fail it still seems like win for big tech if they force user to their approved unmodified OS/browser.