If websites implement this, it will effectively make building a web search engine impossible for new entrants. The current players can whitelist/attest their own clients while categorizing every other scraping client as a bot.
If not for other reasons, I can't see how Google, a search company, can be allowed to push something that can kill competition using its market dominance in other areas like browsers.
Because antitrust has been dead for a while. Chrome is a tool to drive people to Google and Google ads and nothing more.
I will say, I did appreciate Microsoft having a browser engine with IE and Edge, even if the former was notoriously a pain, it gave competition in the space. Unfortunately, that's not the case anymore and everything is either Chrome (Blink), Firefox (Gecko), or Safari (WebKit). And it's pretty clear what Chrome has done once they have amassed a dominant market share.
I'm sure there are Googlers who think they're legitimately making the web a safer place, but I think the real reason is pretty clear if you take a bird's-eye view.
https://github.com/RupertBenWiser/Web-Environment-Integrity/...
One thing about your comment above: Hulu can't start implementing attestation until Google turns the knob to 0 because they can't start randomly dropping 5% of Chrome users. So in your comment above it should be "and" not "or". If I understand correctly Hulu cannot act unilaterally with the currently planned implementation of this.
If let's say they did turn the knob for Chrome, wouldn't it take a while for websites to start implementing this? For me not knowing as much about this it feels like this is a step in an ambiguous direction which could be good or bad still. But since it's Google everyone is thinking ahead in the causal chain. Can you help me understand why this is such a big and clearly bad step against the open web? Thank you!
I have no way of knowing if they are honest or not and even if they are there's no guarantee that they won't change their mind later. I cannot take the risk and be on guard forever.
I would much prefer not to allow them into the house in the first place.
Google should not have brought this proposal but they did. So, I will not place my trust in Google doing the right thing irrespective of their claims and promises.
I hadn't really considered this. In a roundabout way, is there a process for this to be rejected on grounds of "fair use" limitations?
My mother's new Windows 11 laptop's out-of-the-box configuration had me clicking through half a dozen things attempting to manipulate me or her into spending more money. There are (I can only assume paid-placement) news and adfotainment in the start menu! Repeat pop-up reminders from Lenovo to subscribe to their protection package. Emotionally-manipulative reminders to subscribe to virus protection services. To Microsoft Office. Etc. etc.
It's been the same thing in the mobile market, where the move to "apps" means you are running their software on your device all the time, so they can optimally surveil you, and target the advertisements and behaviourally-modifying nudges. Quite a few messaging services now actively mess with delivery of notifications, spacing them out, delaying them, according to research that shows what maximizes engagement.
I saw the trend 20 years ago and switched to free software around that time -- I liked Linux anyway, but it was partly on principle. Still, the new laptop was eye-opening. The degree of intrusion, the degree to which even desktop computers have turned into user-hostile advertising terminals serving the purposes of their manufacturer, rather than a computer for the user to accomplish their work, is quite shocking.
Everything networked is becoming like that - twisting the user's hardware, turning it into nothing more than a terminal, an extension of the corporation, serving their interests at all times. Even smart TVs now have ads built-in to their menus and such.
Hulu has DRM issues in Firefox and their DRM just fails with unknown errors on about ~15% of content they host (anecdotally, of course, I have no specific data). There's no way for me to tell if a specific episode of a show will fail or not, some succeed, others don't. I at least find no pattern for this. From this perspective, they are essentially randomly breaking 100% of Firefox users some seemingly random percentage of the time.
They have "good" business reasons to require this DRM and whatever this random broken user percentage is, I'm sure it meets their bottom-line criteria as a business.
"95%" uptime for Chrome users is only "one-9", but it's still got that one 9. That's an acceptable SLA to many businesses. A business might easily decide attestation is worth that "uptime risk" because it sells more ads or makes the DRM vendors happier (and thus the content owners are happier) or any other number of "good" business reasons.
There is no other end state in capitalism. If you want tools and products that serve you instead of an owner, you must do it outside capitalism like with truly open source stuff.
> However, a holdback also has significant drawbacks. In our use cases and capabilities survey, we have identified a number of critical use cases for deterministic platform integrity attestation. These use cases currently rely on client fingerprinting. A deterministic but limited-entropy attestation would obviate the need for invasive fingerprinting here, and has the potential to usher in more privacy-positive practices in the long-term.
I think any holdback will eventually go away because of the "critical use cases for deterministic platform integrity attestation"
Can't they already do this by having scrapers send plain-old client certificates? Or even just a request header that contains an HMAC of the URL with a shared secret?
Actually, taking a step further back: why does anyone need to scrape their own properties? They can make up an arbitrary backchannel to access that data — just like the one Google uses to populate YouTube results into SERPs. No need to provide a usefully-scrapeable website at all.
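The shared-secret header mentioned in the comment above, as an added example that is not part of the original thread: a first-party crawler signs each URL with HMAC-SHA256 and the server verifies it. The header name, the secret, and the timestamp bound into the MAC (added so a captured header cannot be replayed indefinitely) are assumptions for illustration.

```python
import hashlib
import hmac
import time

# Hypothetical header name and constructed secret, for illustration only.
HEADER = "X-Crawler-Signature"
SHARED_SECRET = b"constructed-demo-secret"
MAX_SKEW = 300  # seconds a signature stays acceptable


def _mac(url, ts, secret):
    # Bind the timestamp and the exact URL into one MAC input.
    return hmac.new(secret, f"{ts}\n{url}".encode(), hashlib.sha256).hexdigest()


def sign_request(url, secret, now=None):
    """Crawler side: return the header value 't=<unix time>,mac=<hex digest>'."""
    ts = int(time.time() if now is None else now)
    return f"t={ts},mac={_mac(url, ts, secret)}"


def verify_request(url, header_value, secret, now=None):
    """Server side: True only for a fresh, correctly keyed signature over this URL."""
    now = int(time.time() if now is None else now)
    try:
        fields = dict(part.split("=", 1) for part in header_value.split(","))
        ts = int(fields["t"])
        mac = fields["mac"]
    except (KeyError, ValueError, AttributeError):
        return False  # missing or malformed header
    if abs(now - ts) > MAX_SKEW:
        return False  # stale signature: limits replay of a captured header
    # Constant-time comparison avoids leaking how many digest characters matched.
    return hmac.compare_digest(_mac(url, ts, secret).encode(), mac.encode())


if __name__ == "__main__":
    url = "https://example.com/catalog?page=2"  # constructed sample URL
    value = sign_request(url, SHARED_SECRET)
    print(HEADER + ":", value)
    print("same URL:", verify_request(url, value, SHARED_SECRET))
    print("other URL:", verify_request(url + "&x=1", value, SHARED_SECRET))
```

Unlike attestation, this scheme says nothing about the client's platform; it only proves the sender holds the secret.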
I don't see how it is against their interest, it would cement Google into power in a way that is very difficult to undo barring government intervention (which I doubt is going to happen).
> It seems like the project is explicitly stating their goal isn't to allow for websites to do this, and they are implementing it in a manner consistent with that.
If you drop a frog in a pot of boiling water, it will of course frantically try to clamber out. But if you place it gently in a pot of tepid water and turn the heat on low, it will float there quite placidly. As the water gradually heats up, the frog will sink into a tranquil stupor, exactly like one of us in a hot bath, and before long, with a smile on its face, it will unresistingly allow itself to be boiled to death.
> If I understand correctly Hulu cannot act unilaterally with the currently planned implementation of this.
Hulu will keep their attestation implementation ready to turn on at a moment's notice because it's patently obvious that the hold-back stuff will be gone when it's ready to go, and it's obvious because the currently described implementation (with the hold-back) does not really serve any real purpose.
The hold-back is only on the spec to keep people from revolting while the thing is built and tested.