The overall goal for the spec is described in the comment:
> The WEI experiment is part of a larger goal to keep the web safe and open while discouraging cross-site tracking and lessening the reliance on fingerprinting for combating fraud and abuse. Fraud detection and mitigation techniques often rely heavily on analyzing unique client behavior over time for anomalies, which involves large collection of client data from both human users and suspected automated clients.
In other words, the intended goal of this spec is to discourage the development and use of fingerprinting techniques, login screens, and other invasive user-validation techniques on websites.
However, the goal of holdbacks is then described in the following way:
> This is designed to prevent WEI from becoming “DRM for the web”. Any sites that attempted to restrict browser access based on WEI signals alone would have also restricted access to a significant enough proportion of attestable devices to disincentivize this behavior. [...] The hold-back and the lack of browser identification in the response provides cover to browsers that spoof their user agents that might otherwise be treated differently by sites. This also includes custom forks of Chromium that web developers create.
In other words, one of the goals for the holdback system is to make it practically impossible for a website not to have fallback mechanisms for validating user trust when encountering requests that don't have attestation. And a essential part of that design is that even implementing browsers like Chrome will refuse to verify the environment integrity 10-15% of the time.
----
So why is this a problem? Because holdbacks are on-purposed designed to make it so that fallback mechanisms have to exist and that sites can't skip including them; but the whole point of this spec as stated is to discourage developers from building those same fallbacks they're required to include because the fallbacks violate privacy or are are invasive or are essentially login walls.
And 10-15% of the time even users in participating browsers will be subjected to those fallback strategies. So you're still basically guaranteed to have your device fingerprinted, and any site that uses login as a backup verification method still will require you to make an account.
The only thing that this would affect is the frequency of user-annoyances in front of websites -- essentially, if sites started using this as a substitute for captchas, this would encourage them to drastically increase the number of captchas they use since Chrome browsers would only see 10-15% of those captchas.
And that's also a problem if you're trying to guarantee that competing browsers won't be affected, because "your users see 9x as many captchas on every website" is a pretty stinking big competitive moat.
Forgive me for thinking that "you can build a browser that competes with us, but unless we specifically approve of your browser, anyone who uses it on Android will be solving captchas over and over at a massively increased rate until they eventually give up and move back to Chrome like a good little consumer" still kind of has a lot antitrust implications.
----
This proposal doesn't make sense; assuming the best of the authors I can only assume they haven't really thought through what they're trying to build. But you can not build an attestation method that simultaneously improves the web substantially for your own users over non-attestation methods, but that also magically does not hurt the web for any of your competitors who don't get those improvements.
And holdbacks only make those goals even more contradictory: because privacy, paywalls, and logins will still affect Chrome if it decides randomly that it's not going to attest to the NYT for the duration of today. The only aspect that this makes sense for is specifically user annoyances; and where annoyances are concerned an attestation method that excludes most mainstream users on unmodified devices from annoyances while leaving niche browsers out is an invitation for websites to discriminate against those browsers -- holdbacks change nothing about that situation.
You can't tell me this is about discouraging fingerprinting in the same comment that you tell me that you're going to guarantee that sites will still need to build fingerprinting solutions and will still need to use those solutions even on participating browsers.
This is my conclusion too.
Regarding alternative browsers, the "explainer" says that all browsers on a platform would be able to be attested. But this doesn't really matter, because support for arbitrary browser extensions nullifies all the trust requirements identified at the start of the document.
In other words, the moment a browser hits the Play store which both supports WEI and allows arbitrary extensions, sites relying on WEI will start ignoring it if it's sent from browsers other than Chrome.