> WEI prevents ecosystem lock-in through hold-backs
> We had proposed a hold-back to prevent lock-in at the platform level. Essentially, some percentage of the time, say 5% or 10%, the WEI attestation would intentionally be omitted, and would look the same as if the user opted-out of WEI or the device is not supported.
So this avoids the DRM or blocking certain browsers issue. Brilliant. I’m not entirely certain but I think this avoids the main issues which people had with the proposal.
I still think a lot of people will not read this and react with vitriol but I would like to expect more from hacker news, as a forum where people don’t simply downvote opinions they disagree with.
I haven't reviewed the proposal enough to see how they implemented that, and if it was done in a cryptographic way that prevents changing to 100%, then that could work. But the fact remains that control of our browsing computing environment is diminishing under this proposal.
I think if it were changed to be 100% then it would be problematic. Also it seems the proposal writer would also agree that some form of opt out is required to make it viable so as to not forbid unknown clients.
I think its important to stay away from considering potential “what ifs” that completely defy the intent of the spec. For an example of why this isn’t effective discourse, we could have a potential addition to the spec to explicitly block users from certain countries. That’s not great but also its easy to understand why its not worth debating that point (even though it does sound scary).
>Holdback
>To protect against both risks, we are evaluating whether attestation signals must sometimes be held back for a meaningful number of requests over a significant amount of time (in other words, on a small percentage of (client, site) pairs, platforms would simulate clients that do not support this capability). Such a holdback would encourage web developers to use these signals for aggregate analysis and opportunistic reduction of friction, as opposed to a quasi-allowlist: A holdback would effectively prevent the attestation from being used for gating feature access in real time, because otherwise the website risks users in the holdback population being rejected.
>Although a holdback would prevent the attestation signal from being used for per-request enforcement decisions, there remains immense value for measurement in aggregate populations.
>However, a holdback also has significant drawbacks. In our use cases and capabilities survey, we have identified a number of critical use cases for deterministic platform integrity attestation. These use cases currently rely on client fingerprinting. A deterministic but limited-entropy attestation would obviate the need for invasive fingerprinting here, and has the potential to usher in more privacy-positive practices in the long-term.
>We ask for feedback from the community group on the idea of a holdback, and are very interested in alternative suggestions that would allow both goals to be met.
To me this is very clearly stating there needs to be some mechanism that forces website developers to not block access based on the results at attestation so as to allow clients to opt out. I’m not seeing the “maybe we could this,” interpretation, instead I’m seeing “we need to do something to allow client opt out, here’s one such way (with issues)”
Granted, I don't fully understand how they intend to holdback, but even if they cache the results of the attestation such that 10 calls in a row fails to attest, they can't cache it infinitely. Website can employ traditional fingerprinting techniques/cookies in combination with attestation to build pretty foolproof systems to not serve the user based on attestation results.
Google is a big dog and will not care about our yapping. If it's allowed to do as it will without consequence then it will do so, and there is nothing that individuals can do to stop it other than to cease using their products.
The TLDR is that I don't see how I'm supposed to believe that this discourages sites from using invasive fingerprinting techniques if those sites are essentially required by holdbacks to still have those invasive fingerprinting techniques at the ready: and 1 in 10 requests even from a browser that implements WEI will still be subjected to those fallback techniques, so your browser/device is still basically guaranteed to be fingerprinted by any site you visit regularly.
You can't discourage the development of something and require it at the same time.
And if the experience of non-participating browsers is so much worse that it's obviously better to implement WEI, then we're right back to the same DRM and competition questions that we had before.
If holdbacks are rare enough that sites can ignore them (or statistically filter them out and determine if a browser actually implements the spec), then those sites don't need to have a fallback mechanism and we're right back to DRM. However, if holdbacks are common enough that sites can't ignore them (and if they can't statistically determine whether or not holdbacks are holdbacks or a non-implementing browser), then everyone is still going to be subjected to the fallback techniques that Google says it's trying to discourage.
Google would need to make holdbacks persistent enough that you couldn't retry them and get a different result. Even if they do, there are other problems, but... I mean, randomly failing requests is definitely not enough to guarantee that attestation would be optional. And there are no details I see in the spec that suggest to me that Google is planning to do something different.
Part of the job of web specification development is to determine what potential bad actors could do in the future. If a spec was proposed that easily allowed blocking users from certain countries, I would want that listed in the potential risks. Mitigations and technical requirements are introduced into specs all the time that only exist to stop a potential future attack.
In other words, developers of web apps who want to know certain difficult-to-fake facts about a client's browser would not be able to rely on WEI with holdback (by design) and would be obliged to implement all the same invasive techniques they perform now -- but now just to apply them to 5-10% of users. So it doesn't save developers any time. Does it help users? It doesn't seem like it, for two reasons. Firstly, while it's nice to know that there's only a 1 in 20 chance that my browser will be fingerprinted on a given site, that means that if I browse for any reasonable length of time and visit enough sites I will certainly be fingerprinted, and my information shared with whatever ad networks the site is using. Secondly, if developers are going to implement browser fingerprinting anyway, why not just apply it to everyone as an extra signal? Sites don't take heat for fingerprinting users now, why would they care?
In summary, the holdback idea seems to be at odds with the rest of the proposal, and the only reason it sounds attractive is because it nullifies the whole thing.
So, no, you couldn't continually request attestation from the one site. Instead, you could create 20 separate top-sites and load them all in tiny iframes. :)
Remember that Firefox has at least a 3% marketshare. Safari has somewhere in the neighborhood of 20%. If websites are willing to go Chrome-only in that environment, permanent holdbacks won't change anything for those websites.
Particularly not if the solution to those holdbacks is "reinstall your browser and the holdback will probably go away." Which... they'd need to be unless Chrome starts tracking users to figure out who should have what holdbacks :)
The only way that holdbacks matter is if they affect 100% of Chrome users -- ie every single one of your customers/readers will at some point not send you attestation at some point for your website. And even then... telling them to refresh the page becomes a problem.
But it it's only a subset of users, then just banning 5% of users (especially from ad-supported platforms) seems perfectly feasible for a company and would probably be a preferred solution for some of them.
----
User: "Hey, for some reason when I browse Reddit nothing loads."
Support: "Yeah, very rarely a new Chrome install will do that. If you create an account and sign in, and then you send us some verification documents like an ID so we know you're not a scammer, then you'll still be able to browse. Otherwise just reinstall Chrome."
User: "Is there anything else I can do?"
Support: "No, we have to protect our ad integrity. If reinstalling the browser doesn't help, contact Google about it."
----
> Instead, you could create 20 separate top-sites and load them all in tiny iframes. :)
This too :)