> Exactly how the rest of the world feels about this is not necessarily relevant, though. Google owns the world's most popular web browser, the world's largest advertising network, the world's biggest search engine, the world's most popular operating system, and some of the world's most popular websites. So really, Google can do whatever it wants.
This is the point that company breakups start to make a lot of sense.
When Google can do something that every one of its users hates and none of us can do anything about it, they perhaps have too much market power.
> When Google can do something that every one of its users hates
I don't think this is remotely the case. Quite a few tech-savvy people I know (some of them software developers) use Chrome and mostly don't care about whatever Google does with it. I mention "manifest v3" and get a blank stare. I talk about advertising and ad blockers, and most people don't care, with some of them not even using ad blockers.
We really live in a bubble, here on HN. Most people think of privacy as some abstract thing that they have little control over, and are mostly fine with that. And some are even also fine with government erosion of privacy, in the name of "save the children" style arguments, and of corporate erosion of privacy, in the name of getting free stuff in exchange for their personal information.
It's a sad state of affairs. If most people really did care strongly about these sorts of issues, then I think it would be baffling why we haven't seen more change here -- after all, Firefox is a perfectly viable alternative to Chrome that very few people use. But the lack of change is no surprise: most people don't care.
I don't buy this. I'm sure most iphone users don't care when you ask them about privacy or manifest v3 as an abstract concept, but remember what happened when Apple tried to push a U2 album to them? They lost their collective shit. They may not write blog posts about privacy or donate to the EFF, but they have deeply personal relationships with "their" phone and they absolutely hate being reminded that it isn't really theirs.
If this weren't true, Apple could just start inserting ads into every iphone's Safari window tomorrow, and Youtube could serve the ad in the same stream as the video to defeat adblockers, and they'd make a bunch of extra money with no downside. The fact that they don't do this suggests that Apple and Google understand this: people only tolerate restricted platforms that do a convincing job of pretending to be unrestricted. In practice, this means that step 1 of Google foisting off user-hostile stuff on us is getting Firefox to include it too, which is presumably why they spend so much money on it.
>when Apple tried to push a U2 album to them? They lost their collective shit
and that's exactly it. putting something in your music library is a hugely more visible and tangible thing than all the nebulous privacy concerns the internet wants me to be afraid of. nobody gives a shit if google or apple or facebook or whoever else introduces some technical measure that could be used for nefarious things. they only care if that api is actually used for nefarious things. as long as the argument is "well if google implements X, then it would potentially allow them to do Y", that's a failing argument.
like it or not, people actually do trust the big tech companies. as long as they aren't actively abusing that trust in ways that people care about, things like "google wants to know if you're a real person or a bot" aren't going to cause a whole lot of outrage. most people can understand that letting fake people pretend to be real is bad, and that preventing that is probably a good thing.
> as long as the argument is "well if google implements X, then it would potentially allow them to do Y", that's a failing argument.
It's similar to privacy 'dead bodies'[1], where users want to know actual concrete examples. I keep a collection of them in a larger directory of web pages about privacy, about instances where 'nebulous' privacy aspects meet reality and users are impacted and upset by it.
[1] Term used by a law professor in Daniel J. Solove's "I've got nothing to hide" and Other Misunderstandings of Privacy
No one I knew really cared much about the U2 album except that it was a bad album and they didn't want it in their collection. From the people I know, there was no one upset about the power dynamics - everyone who complained would have been 100% happy if Apple had given them an album they liked.
And also, in a bug I'm not sure was entirely on Apple, when plugged into many car stereos iTunes would start playing the first song in your library, so users were annoyed because every time they'd plug their phone into their car to charge it would start playing a 3rd tier U2 album.
> when Apple tried to push a U2 album to them? They lost their collective shit.
Yeah, Apple was toast after they did that. Their share price in 2014 when they did that was $24, and immediately afterwards it rose to $33 over the next 12 months. And since then, it's just been one long slow decline to almost $200 a share, as their global mobile market share has gone from the 24% it enjoyed in 2014 to the measly 29% it enjoys today.
You’re forgetting a 4:1 stock split in August 2020, so it’s even worse ;-)
I think this illustrates that people only worry about this kind of thing if it gets shoved into their face.
The privacy thing is OK as long as it’s only used for the good. For example, I think nobody would object against a world where every killer would be caught within an hour to get a fair trial.
However, such a world also would be one where every traffic offense could be fined, and where powers that be could find some dirt on anybody in their email history, presence on on-street cameras, etc. Worse, it would take relatively few people to pull that off.
That’s something I think nobody wants, but it’s abstract until it affects you, so few people worry about it.
By this argument we should defund the police because they could be used for oppression. Forgetting the reality that they are also stopping thousands of crimes every single day.
Privacy absolution is never what most people signed up for.
Where did I make the argument that “we” don’t want to give up any privacy? I’m only claiming “we” don’t want to give up all privacy.
Also, “the police” are thousands of humans. That makes it harder to use the police for oppression than if “the police” were a bunch of computers and robots.
If somebody proposed the latter, I think lots of people would object.
I care, and I've basically stopped using my iphone for anything because the web is an abysmal experience full of ads even with the maximum amount of ad blocking possible on iOS. I hate the iPhone and the only reason I haven't switched back to android is that it seems to manage to, somehow, still be even worse. We are well and truly on the other side of the enshittification event horizon on mobile, and it looks like Google is doing its best to make sure the web keeps up on the desktop too.
Not trying to get you back on your iPhone but I can tell you that 1Blocker + NextDNS do wonders when it comes to blocking ads on the web using iphones. Granted, sometimes some sites do break for weird reasons but I'm happy to live with that if it means I get to avoid ads. Hell, it even manages to block ads on mobile youtube.
My personal experience with ad blocking on iOS is that it’s both far less effective overall than ublock origin, and still manages to break a lot more sites. I have 0 tolerance for ads though- so even a 99% success rate on a site is unacceptable to me and I’ll just not use that site on my phone. Maybe 2/3rds of sites fail by that criteria for me. If ublock origin on my desktop computer also fails, then I don’t use the site at all- but that’s a vanishingly rare occurrence.
Until Apple allows other browser engines, everything is still limited to the same set of blockers you can get in safari. None of them are remotely good enough compared to ublock origin. My current phone probably has around 6-12 months of life left in it, and if Apple doesn’t have a solution by then I’m dropping the iPhone and either going with a de-Googled android build or giving up on smart phones altogether.
This is exactly the take that Google, and companies interested in setting up WEI-enabled web sites, will adopt. When you're talking about business, technical details that will affect a tiny minority of nerds simply don't matter. What matters is what value can you capture from the lion's share of the market? And how much is it gonna cost you to support the tiny minority that remains?
Back in the 90s, much of the web was designed for Internet Explorer exclusively. A bit later, Flash took off. Both of these posed problems for users of niche browsers and operating systems, but from a business standpoint, nobody was complaining.
Multiple bubbles on HN. Obviously, most of us are complicit in some techbro business conventions today that, 30 years ago, would've gotten us shunned by our peers, and reported to the authorities.
(Not that current phenomena weren't foreseen. SF writers had already been all over it. Anecdotally, Internet-savvy techies were often informed by various forward-looking thinking and by world history, and tended to act like stewards rather than exploiters.)
I'm a tech-savvy person and I consider Manifest v3 an improvement (improves security + performance), and Firefox implements it as well as things like declarativeNetRequest[1].
Manifest v3 itself is an improvement and is probably non-controversial. I can't see why anyone would think deprecating manifest v2 along with removing webRequest is a good thing. The latter is what everyone is mad about when they talk about "manifest v3". I'm not sure whether you're trying to make a nitpick point about the difference between the two, or you legitimately think the latter is a good thing.
Can you expand on the security improvements of v3? This is the first I've heard this.
As for performance... That sounds dubious. Declarative blocking surely will be faster than v2, but what is being blocked by v2, I would imagine, is generally way slower than the difference between v2 and v3. At the end of the day, I don't see the performance of my browser negatively impacted by uBlock Origin, I see it saving CPU, bandwidth, memory, privacy, etc.
I'd be willing to bet that whatever isn't blocked by v3 is significantly slower than whatever supposed slowness there is with v2 (in general).
This argument is inadequate because it only examines and explains one side of a multi-part system. The users of consumer electronics as a mass at a point in time is not sufficient, even if well described, to explain important changes of the system over time.
When you talk about communications technology adopted at a societal scale, changes in norms and routine have ripple effects. Most certainly one of those is a change in asymmetric power relations by central communications companies, versus the user of their systems who get strictly limited information views of what is happening with their phone calls or emails.
When you have asymmetric power relations with market advantage and secondly literal surveillance at stake, a unilateral change in the service agreement is not a small "oh well" matter.
This single statement "people do not care" does not show all the players, and most especially does not show the players making decisions, the management of the companies making more money or new revenues with new decisions.
Yeah, because you called it manifest V3, not gimping adblockers, which is what it actually was. How many of Google's users love that they're gimping adblockers?
Same for Web Environment Integrity API. Nobody knows what those jargon terms mean. That's part of how enshittification works. If everyone knew how badly they were being fucked, this would never work.
I actually don't understand it well. What does it mean? I can't browse the web from xubuntu any more? I believe it's scary, but can't seem to actually sell myself on that.
If it's so bad, why can't we bring a monopoly lawsuit against them over chrome/chromium? This is pretty similar to what Microsoft did, isn't it?
The problem with remote attestation is that there's no bound to exactly how bad it could become. If you can get enough of the internet on browsers that support remote attestation, to the point where it's an acceptable loss to simply reject anyone who does not have a browser that does support remote attestation, you can theoretically assert full control over the end user.
What will actually happen? Nobody knows for sure. The most likely outcome is that you will not be able to do banking, watch Twitch streams, etc. on anything other than Chrome, Firefox and Edge, on Windows and macOS. Linux will probably be relegated to the legacy web that does not enforce remote attestation. Alternate browsers like Librewolf, Brave and Mullvad Browser will just disappear as if they never existed. You can not browse Tor on clearnet websites anymore, as if you really could anyways. Etc, etc.
> If it's so bad, why can't we bring a monopoly lawsuit against them over chrome/chromium? This is pretty similar to what Microsoft did, isn't it?
Microsoft of today is doing things blatantly in the open, that Microsoft of 199x would never dream of doing. The difference now is that all of the major computer manufacturers are basically going the same way, just at different rates.
The reason HN is a bubble is because people here actually get and are interested in real tech news.
If a journalist would explain these news to the masses AND the news has a way to reach the masses.
These days these kinds of news do not make it to broadcast news and most people do not watch the old broadcast news.
The news currently gets people's attention from the news feed on Android and Apple's phones.
Those feeds recommend only the kind of content you usually interact with. Not many people get tech articles. And you can even argue that there are some extra filters on what news gets on the feed in the first place.
I have to disagree with Firefox... in terms of functionality and configurability it's by far and away my preferred browser but in terms of performance it just crunches to a crawl on my Mac. Load times of pages are absolutely fine but changing tabs crunch, scroll down the webpage judderfreeze whereas Edge is just silky smooth.
Maybe it's an extension or three I'm running but I just want to use the bloody thing not sit there and figure out what extension is not working nicely (and then potentially find out it's none of them) on one platform but is fine on another.
Every so often I go back and have a look to see if it's improved but it hasn't in the last few years for me.
Did that and weirdly nothing seems to be excessive... indeed the Mac's own performance monitor doesn't suggest anything in particular is excessively using cpu or ram but here it is juddering away especially when scrolling pages.
Three year old Mac btw... everything else runs pretty well... if I get a chance I might fire up Firefox in Parallels and see if it's a Mac issue
When you write "about:performance" in your address bar, and press enter, you should get access to the internal performance monitoring page of Firefox. That should list every tab and extension by RAM use and power impact.
I use brave, arc, firefox, chrome, and safari. Safari is the best performing. 'tis a shame that other web browsers are unable to use it as their rendering engine.
If I don't want to be tracked, I won't use chrome. If I don't care then I'll use it.
Just like I'll have some conversations on WeChat but if I want to talk about Chinese politics maybe I'll do that on another platform.
I don't really see the erosion in the corporate space. The erosion of privacy is happening at the government level. With "forced backdoor" laws and/or just outright forking the internet backbone (ala PRISM). I've never really understood "Corporate erosion of privacy"... It's opposite, Privacy is literally a USP of Apple products. They had to back out changes that hinted at an erosion of that trust with the on-device processing of Photos for cloud-sync. People are more aware than ever.
"Exactly how the rest of the world feels about this is not necessarily relevant, though."
This quote is from page 2 of the article. It is common for certain HN commenters to remind us that HN is a bubble. True. However, the author of this article is not necessarily in this bubble.
But, honestly, what difference does it make whether HN is a bubble or not? Google is a bubble. The Register, another entity outside the HN bubble, calls Google "The Chocolate Factory".^1 Does it matter that Google is a bubble?
1. Of course it's also common for certain HN commenters to try to broadly dismiss all journalism, on a news aggregator site no less. Maybe there is a pattern here.
Would anyone outside the HN bubble try to discredit the observations about so-called "tech" companies made by those inside it? (Besides those with vested interests in so-called "tech" companies.) All evidence I've seen since 2009 points to the contrary.
I can still block content in any way I see fit on Gecko-based applications, not so much on Blink-based things. There are many things about Firefox-the-browser and Mozilla-the-organisation which could do with an overhaul but as it stands it is still my go-to browser. I only use Blink-based things to test and for those (annoying) sites which insist on it in which case I first try Bromite, then Ungoogled Chromium. If it still does not work it is not worth visiting. I do not have Chrome installed on any device and have never felt I was missing out.
>Firefox is a perfectly viable alternative to Chrome that very few people use.
The problem is that it isn't.
Do you know why Firefox managed to usurp IE6 in the first place? Because it won the adoption and appeal of tech enthusiasts and professionals. Mom and pop (read: the general population) switched to Firefox from IE6 because their tech nerd kids installed it for them, and the enterprise largely moved off of IE6 dependence because the general population moved off.
But the Firefox today is not the Firefox that defeated IE6. Mozilla steadily eroded and destroyed every single thing tech enthusiasts and professionals loved about Firefox, to the point it practically became just a Chrome ripoff. At that point, why bother? Chrome's right there, the real deal.
Not to mention Mozilla happily takes money from Google with no shame at all so their CEO can get her fat paychecks.
Firefox is not a viable alternative, Firefox is literally controlled opposition to pedantically argue Chrome is not a monopoly. Not even the Intel and AMD x86 duopoly is this blatant.
It's a small difference, perhaps, but it's "my" browser in a way chrome will never be. Blink sucks.
Also, not a clue what you are on about - I don't have an issue with firefox. Chrome is basically for dealing with google stuff, and for the rest of the web I don't care about them.
Sometimes Drive stops working for me, trying to download something results in a redirection loop.
Clearing the cache sometimes fixes it. I suspect the Firefox anti tracking settings but I haven't bothered to test it.
Firefox did not defeat IE6. That was Chrome. Firefox has basically been a fringe browser since Netscape imploded.
The original reason Google started the Chrome project was that the stagnation of IE6 was a barrier to implementing the web software they wanted to build. At least that's what they told us.
This is true. As someone who had a work time card I could fill out on Solaris using Firefox. Then the new time card website came out that was “ie” only and we had to log onto a virtual NT server to do our time card. Ugh. It was a nightmare. Then slowly Firefox came back. It was a short-lived majority but I still use it. I rather like it.
The "death knell" was dev tools for chrome - they hired the firefox guy who was doing better work, then you couldn't lift an arm without hitting some web dev thinking they were cool for using chrome.
Firefox got better dev tools and mozilla did random crap for a bit, meanwhile brain-dead devs insisted on continuing to use chrome. When the devs supported it, they started favoring the googlified things.
Honestly it's a terrible browser - we are back to the bad old IE days (almost).
> after all, Firefox is a perfectly viable alternative to Chrome that very few people use
I don't use Firefox because it's slower than Chrome and because their behavior regarding limiting which extensions are available in phones, requiring signed extensions, Firefox Pocket, ads in new tab page, etc, does not exactly give me confidence that Mozilla truly has my interests in mind. In fact I bet they'll implement the nightmare DRM API once it's done swiftly and without complaint lest their money flow suffer.
If Mozilla ever decides to stop screwing around, clearly position themselves as an ally of the consumer, clearly express support for adblockers and put resources into making the browser faster and better and more customizable instead of whatever makes their CEO richer then I'll switch to Firefox even if it is a bit slower or has some flaws.
In the meantime uBlock works right now in Chrome which makes it usable, so since Chrome is the fastest right now, Chrome it is.
> limiting which extensions are available in phones
As opposed to chrome, which doesn't allow any extensions on mobile
> requiring signed extensions,
So does chrome
> ads in new tab page
Chrome is made by a company whose main business is selling ads ...
> clearly express support for adblockers
Mozilla has long shown support for ad blockers; for example, uBlock origin was the first extension supported on mobile, Mozilla has no plans to drop the blocking WebRequest API, largely because it is needed for sophisticated ad blockers like uBlock origin, etc.
I don't agree with everything Mozilla has done, but I still think Firefox is better than the alternatives.
uBlock Origin doesn't work on mobile Chrome. I don't understand this perspective. At the very least you would want to use an alternative Chromium browser on Android, even if you weren't willing to install Firefox. You're upset about not being able to run every extension and so you're running none of them?
Look, I will absolutely criticize Mozilla for some of its policies. Pretty much every issue you've raised there is spot-on, in fact I'll go a step further and remind everyone that Pocket was kind of supposed to be Open Source by now, and it still isn't.
But it's cutting off your nose to spite your face to use Chrome. Google is less receptive to criticism than Mozilla is, has worse extension APIs and is more restrictive of how extensions get installed, has worse privacy features, allows for no extensions on phones, is more directly tied into an advertising network, and is actively trying to make the web worse.
Use Firefox.
I am not telling you to be complacent or to ignore Mozilla's problems, I am telling you not to lend support to the browser that is actively trying to make the web worse. We're all very happy for you that you're very principled about not just picking the better of two bad options. We're happy that you have those standards. But we're less thrilled about your policy of picking the worst of two bad options. At the very heckin least you're not even going to use a Chromium fork? You're just going to make the worst browser choice you can make for the Open web?
That's true, I was talking about desktop, I probably should have not mentioned the phone extension thing.
In Android I use Bromite (a Chromium fork) which I should probably replace since it's fairly outdated at this point.
But you're wrong about me not using Firefox out of spite, the real reason I don't use it is because it is (or apparently was according to the other replies) slower to the point it is noticeable, at least on my desktop (and even more so on my old phone). The rest is just why I don't support them despite being worse.
Will you at least consider switching to a DeGoogled Chromium fork? Yes, it would still be the same browser engine, but there are a lot of features in Chrome proper that Google uses to help contribute to its ad network and data collection.
Firefox may not be _as_ fast as Chrome, but it's a fairly negligible difference nowadays. rendering speed hasn't been a limiting factor for a while, and i feel like network latency and poor application optimization has been more the culprit there. you can only squeeze so much blood from the optimizing inefficient JS stone, and no amount of rendering engine optimization will ever fix shitty backend API response times
Firefox fails because there is no actual industry pressure to build a better browser. you simply can't sell a browser alone anymore: the free offerings have been good enough since the early 2000s.
Safari only needs to be good enough for iOS users to not abandon the platform entirely, and the ecosystem wants to push you into native apps anyway (Apple wants their IAP cut).
Chredge is, well, _there_, but basically just a minimum batteries included that maybe funnels some set of users into other Microsoft offerings, but it isn't the core product.
Chrome is, well, Chrome.
Firefox is comfortably supported by Google funding as an antitrust action shield. there's no real pressure for them to try and beat Chrome in market share because they're explicitly paid to be minority market share, and aren't really going to lose that share because they already have all of the "intentionally don't want to use Chrome" market. Mozilla faffs about making also-ran internet services (idk, whatever the heck that VPN offering was, etc.) because they fundamentally can't lose their main revenue stream so long as Google wants to avoid antitrust action, and have no real pressure to offer a competitive product.
Doing stuff their customers hate is the default MO of most tech companies. There's very little recourse.
For example, when Apple makes a user-hostile hardware change, every major Android vendor will copy it in a matter of months[0]. The only thing you can go to after that is niche Chinese phone makers that will cause you a bunch of other pain.
I'm basically completely disconnected from Google at this point. My phone requirements forced me to get a phone without Google Play Services, and I live in a country where Google is not dominant. The only thing that still pops up is YouTube occasionally. (Also it would be nice if I could get my old Google Photos archives exported from Photos, but the export in Takeout keeps erroring! Oh well...)
[0]: Back when I worked at Google, there was a mailing list thread on a big internal engineering mailing list, where somebody point-blank asked "Did we remove the headphone port on the Pixel because Apple did?". The answer from the product team was a whole bunch of wishy-washy word soup, amounting essentially to "Yes".
Did you try different export options? I recently had to do one export and it kept failing but exporting using another option worked. I don't remember which one but it was either email or drive.
This line is what makes me roll my eyes whenever I hear someone say "Safari is the new IE". Safari missing a couple of features few websites use is far less of an issue than the dominant browser company can just invent new "standards" that make the web actively worse for everyone. (Sorry, I should say "everyone except for the scummy advertisers".)
Safari is just Apple's Opera (before they went Blink and made themselves irrelevant).
They aren't great, just another proprietary browser. Every time I've used it has been sub-par. It reminded me a lot of Opera in that it was very opinionated, even if it tried to offer some feature. Apple makes money off of apps, not websites, though, so it makes sense they don't invest much into their browser.
Safari has the fastest JavaScript engine. In many respects, Safari's implementation is top notch. Apple makes money off phones and people use Safari a lot on phones. I don't understand why people think Apple doesn't invest in Safari.
Because people are up in arms about Web Integrity API, but a lot of the same people will crucify Safari (and Firefox) for not implementing a bunch of Chrome-only non-standards (like the plethora of hardware APIs)
Subpar on what? That’s the important part. For my non-techie family, it seems to do everything they need WHILST saving a lot of battery life. If that’s the criteria, it’s a great browser.
I’d never use it due to lack of uBlock Origin and good dev tools, but it’s hard to argue with the speed and battery efficiency on macOS.
There are some weird implications of this and I don't think the economics point to a viable future:
1. Unlike EME (the controversial web DRM backed by Google that was standardized somewhat recently), the Web Integrity API requires a third-party service, which involves maintenance costs, as well as development costs to constantly adjust to the arms race against all the hackers who really want to thwart these tests.
2. In a "functioning attestation industry", many attestation servers would compete on price to validate users, making the network efficient and robust. I struggle to see this becoming reality because decent attestation would require very complicated techniques for each supported browser, and there is only 1 company that does both significant browser development and also wants to run an attestation server.
3. In a monopolized attestation industry, Google would be the single point of failure for all DRM-protected media on the internet. Google's down? So is Netflix, Hulu, HBO, etc. because they can no longer validate that their users are running an approved version of Chrome. This also gives Google an incredible amount of leverage over other companies, because they can change fees and policies unilaterally and there are no alternative games in town. Companies have an incentive not to put themselves in that position.
If the entire media industry coalesces around Google Chrome as the only supported browser for media on the internet, and bestowed this incredible market power and leverage upon Google, then it could work. I find it hard to believe that this will slip past every significant regulatory body on Earth, and any significant gaps in market control would make the scheme unworkable.
But that's the catch, company breakups are extremely hard to perform especially when you're talking about such a giant company being tackled by an organization that only has ~400m in funding. Especially when they can point to the other giant companies as defense against claims of monopolist behavior. See Google using Microsoft, Apple, and Amazon as a reason for why their ad business should not be broken up in the January lawsuit.
On top of all this, a lot of users don't care, which is a problem itself, but also leads to an even harder time trying to navigate a company breakup. The convenience is too great for them, and it's too easy for the above noted companies (alongside other giants like Walmart) to shift public opinion.
You'll be very pleased to hear that it is going to happen soon with two antitrust cases against Google, one for search dominance [0] and the other for their ad business [1] with the former going to happen this year in September. So there is a start on that.
So get a front row seat and get ready for what is to come in September this year to witness the beginning of the end of a company once adored by hundreds of techies finally getting broken up to pieces.
I think one of the major problems preventing a tech breakup is that every politician has a portfolio in an index fund and they all know how top heavy in the same seven tech companies that portfolio and the SP500 is. You have the people that should be breaking tech up afraid to do so because their own personal finances would suffer. I don’t know how we get around that problem. It involves personal integrity and putting your own gains below the greater good- both things politicians aren’t known for.
Even if Google were forced to partition off employees and give up control of Chrome, they would still be allowed to be an influential force that gets a seat at the Chrome decision-making table, just the same as Meta, Apple, etc if they were to want it.
How would this have changed the existence of the Web Integrity API?
The reason why Google hasn't been and won't be is that everything they make is "ostensibly" open-source. (Minus the advertising network)
Google Chrome is "open source".
Android is "open source".
ChromeOS is "open source".
Never mind the truth being more "open source" with proprietary bits (the bits that matter).
So the opening argument often is; well, someone else can enter the market and do what they do. But that's missing the trees for the forest (and the devil's in the details).
At this point, the "open-source" parts are just legal arguments that they can throw in courts whenever they are attacked for antitrust behavior, nothing more.
They know that making it so tedious means it will only be used by a handful of hobbyists and nothing more significant.
Dunno. I've got three browsers on the laptop. I usually use Chrome but if it's annoying I'd switch to one of the others. Likewise search and I don't use their OS.
I remember Google+ when they ignored feedback on users hating aspects of it and tried to force it on us using their dominant position and it didn't go very well for them.
> Google owns the world's most popular web browser, the world's largest advertising network, the world's biggest search engine, the world's most popular operating system, and some of the world's most popular websites.
Their hold on these claims is extremely tenuous. No one would be surprised if Firefox, Bing, or iOS resurged and killed Google’s offering, for example.
Microsoft is way too busy shooting themselves in the foot with Bing and OpenAI along with telemetry and all the tracking/dark pattern crap they do on Windows or any of their offerings.
They're quite happy scrambling for the crumbs as it is.
> The goal of the project is to learn more about the person on the other side of the web
…
The intro says this data would be useful to advertisers to better count ad impressions, stop social network bots, enforce intellectual property rights, stop cheating in web games
Go f yourself, Google. Browser’s purpose is to serve me web pages, not to learn about me.
I use Firefox on desktop and mobile, I use DDG, stopped using Google Analytics but I sadly still use Gmail and Android. I degoogled the easy things (e.g. GA and Chrome) but getting totally rid of Google is hard.
Sometimes impossible in my case. Google Drive is always used in any collaborative project; so is Google Colab and Google Meet. And I still have the instinctual drive to reach for Google Translate/Maps, because it's so easy to access (physically and mentally).
Google "will be able to request a token that attests key facts about the environment their client code is running in."
Google "will ultimately decide if they trust the verdict returned from the attester."
"Allow" Google "to evaluate the authenticity of the device and honest representation of the software stack and the traffic from the device."
I have replaced "web sites" and "web servers" in the original explainer text with "Google" for clarity of intent.
Why would Google want these capabilities in web browsers?
What does Google plan to do with them?
What follow-on actions is Google planning?
Google marketing exec: "We need to lock down web browsers so we can make more money by showing ads."
"Ad blockers need to be prevented. The new WEI APIs will ensure that ad blockers aren't running, that our ads are being seen, and that no DRM is being compromised."
"We also want to prevent ad fraud. With WEI we can ensure that ad clicks are legit and that people are watching the ads we show. If we can't control the operating system like we can on Chromebooks and Android phones, then we need to control the web browser with cryptographic certainty."
Getting browsers to adopt and implement Web Environment Integrity is Step 1.
Step 2 is where all Google web sites start requiring Web Environment Integrity to be used or they lock you out of the site.
Step 3 is where all websites serving Google ads require Web Environment Integrity to be used.
Step 4 Profit!
Web Environment Integrity is the beginning of the further DRM-ification and enshittification of the Web.
“There is a tension between utility for anti-fraud use cases requiring deterministic verdicts and high coverage, and the risk of websites using this functionality to exclude specific attesters or non-attestable browsers. We look forward to discussion on this topic, and acknowledge the significant value-add even in the case where verdicts are not deterministically available (e.g. holdouts).”
See, don’t worry, they’re thinking about you, holdout.
> Users like visiting websites that are expensive to create and maintain, but they often want or need to do it without paying directly. These websites fund themselves with ads, but the advertisers can only afford to pay for humans to see the ads, rather than robots. This creates a need for human users to prove to websites that they're human, sometimes through tasks like challenges or logins.
This phrases itself as ensuring news sites can block unpaid users, but also targets the Internet Archive, other webpage archives, possibly Reader modes, and more.
One thing from the blink-dev discussion caught my eye:
> Anything we might decide would ultimately be influenced by the larger societal debate around privacy (regulations etc.) since perfect privacy means perfect immunity for criminals.
Ensuring that your devices don't spy on you on behalf of a government or company does not imply "perfect immunity for criminals".
Putting aside attestation for the moment, consider this: Modern enclave driven device encryption (and the self-destructive passcode limitations that often accompany it), for example, could be likened to designing a very good safe that can automatically destroy its contents if it is breached. Do we require governments to have their own keys to all such safes sold?
It's funny how they frame laws and regulations designed to prevent companies from abusing people's rights as a "larger societal debate". Yes, the debate is between people who want companies to respect their rights and companies who don't wanna. That's not a debate and framing it as such is just an obvious attempt to narrativize their stance for lobbyists. Also "perfect privacy" is a red herring (binary fallacy or what is it called?) because the compromise between no privacy and perfect privacy doesn't have to be "Google gets to harvest users' data against their wishes".
"Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety."
The problematic dude's disdain for humanity aside, the quote serves as a good reminder that the "but the criminals!" argument is often used and rarely justified.
I've been thinking about this for a few days but just realized that this is a complete end run around all web scraping in general.
All 'adversarial compatibility' from projects like Nitter, Teddit, Invidious, and youtube-dl go out the window. Any archive site (archive.org, archive.ph, etc.) can be blocked by sites requiring attestation.
And just like the book industry was terrified of piracy and were 'rescued' by Kindle, so too will journalism outlets that can't find a business model flock to Google to save them.
> Any archive site (archive.org, archive.ph, etc.) can be blocked by sites requiring attestation.
What will happen if such a thing actually happens is that the underground market for "trusted device" farms grows, not too different from what's currently already happening but possibly at a far larger scale. Of course, that means the financially motivated scraping services still keep going while the honest individuals wanting user-agent freedom get screwed, just like with many other forms of DRM...
This has been happening already. The market is trying really hard to price out web scraping through scraper detection technologies and it's kinda working - scraping is becoming non-existent in user-space apps. It's also extremely discriminatory. Try running a single scrape with a developing country's IP and Linux, you'll be blocked at TLS step lol
> The market is trying really hard to price out web scraping... scraping is becoming non-existent in user-space apps
Uhh... Those two matters are pretty much unrelated to each other. Scraping is becoming non-existing because the era of static web pages has ended. No need to "scrap" when you have a nice, performant JSON REST API provided for you.
SSG vs SSR really has nothing to do with whether an API exists to provide the data you would otherwise need to scrape.
When was the last time you saw a site with a JSON API providing metadata, like the json-ld for a product on an e-commerce site? Or an API just for the open graph data? How would you even discover these APIs for sites that you don't own?
It's also worth noting that very, very few JSON APIs today are actually REST. They rarely include all the context needed, and in general JSON is much less useful than XML when you're talking to other APIs that you don't own since JSON can't easily describe the shape and datatypes of the content.
Having your cake and eating it too is a natural goal of every business and honestly it was just a matter of time till web pages figured out they can have the benefits of public data and avoid the costs. Web scraping and botting is basically a solved problem too - just put a login gate for the data which allows you to legally litigate against scrapers and bots. Done. However, nobody wants to lose the benefits of public data so here we are.
Yeah, exactly this, and on top of that, it also conveniently for Google makes it impossible or wildly expensive to build an index of the web if most of it is behind this attestation stuff.
The thought of this being used is making me much more strongly consider moving to Firefox. There are still things I don't love about it, like many of the extensions I use are still Chromium only, but now I really feel like I don't have a choice.
It's great to see this getting more attention. User-agent discrimination (i.e. "go away if you're not using the latest version of Chrome") needs to become illegal. As long as I'm not overloading your service or similar, what hardware or software I use must not be restricted. The same goes for other deliberate obstacles to accessibility and interoperability --- creating a "standard" that's so complex and churned frequently enough that only Google can implement it and keep up with changes, and then spreading propaganda to encourage all sites to essentially become Chrome-only regardless of their actual utility, is something that needs to be stopped.
I recommend finding everyone responsible for this and exercising your right to free speech on them. It works for politicians, and it should work on this other flavour of bastard too.
For the same reasons a shop owner must sell to all customers without discriminating on ethnicity, religion, disability, etc?
Would it be acceptable for a website owner to block users from Detroit (78% African Americans)[1] or block users from El Paso (82% Hispanic)[2] because the website owner claims that fraudulent ad clicking is more prevalent from those cities?
Would it be acceptable to only serve web pages to people without disabilities and without a need for specialist accessibility software because it's not economically viable to consider users with disabilities?
Would the poorest 10% of the population be able to access web pages and services delivered over the Internet with old hardware (all they can afford) and with limited computer literacy and limited ability to raise complaints (that are ignored anyway or responded to by an AI algorithm that doesn't care)?
A website owner is still discriminating when they hide behind technology such as AI algorithms, Web Integrity APIs, etc and pretend that their use of such technology is non-discriminatory.
I block China and Turkey from some of my websites to reduce bots and hacking attempts, does this make me a bad person for discriminating or should I have to tolerate the script kiddies, ddosing and exploit searches?
I’m not defending google’s crap but I should be able to block anyone I want from my websites if I choose.
> I block China and Turkey from some of my websites to reduce bots and hacking attempts, does this make me a bad person for discriminating or should I have to tolerate the script kiddies, ddosing and exploit searches?
Yes, I am the bad guy for defending my sites from being defaced and my clients' private data stolen from the bad actors coming from those two countries specifically. It is totally me making the internet a shittier place. If only I had the strength and energy to unblock those countries to tolerate the unrelenting abuse and attacks so I won't be such a terrible, horrible person.
What's the point of asking a question (...does this make me a bad person for discriminating?) if you're not ready to accept some of the answers?
Yes, geoblocking totally makes the internet a shittier place. In the same way as the hackers and scriptkiddies make it the shittier place. It's a chicken and egg situation. You're blocking part of the world because it's dangerous waters. I am blocking part of the world because I disagree with the politics of that particular part. We are together making geo-blocking tolerable and acceptable. We're together making the internet more shitty than it deserves. Congratulations.
By the way, I'm not sure I wouldn't have done the same thing you did. I guess if I can't properly manage the security of a resource, the easiest way to deal with it would be to eliminate the source of the attack vector. I wouldn't deny that I'm part of the problem though. Because that's exactly what I am.
I wonder if locking my doors as well is discrimination according to you? No, geoblocking doesn't make the internet a shittier place, you're blaming the symptoms/victims not the true cause.
What is actually making the internet a shittier place is the bad actors, bots, scammers, scrapers, psychopaths and etc. Maybe those countries that get blocked should do more to stop those bad actors in the first place.
Has China or Turkey ever contributed or paid for one of my projects/services? Nope, not once. Have they caused me grief and wasted my time dealing with bullshit? Yes, absolutely!
So I don't think I am bad, unless you think preventing myself from getting punched makes me a bad guy.
Maybe you should change your frame of thought and start pointing the fingers at the actual bad guys who are actually ruining the web and stop accusing people of self defense of being "bad guys".
Basically if you don't want to be treated like an asshole (geoblocked) don't act like an asshole. I know it's a very hard concept to grasp.
Hey, quick question - why in your holy rage you’ve decided to ignore an important part of my previous comment? I don’t normally waste my time on people who act like this. If you read it and pay attention to it you’d get some answers you’ve raised.
> Has China or Turkey ever contributed or paid for one of my projects/services?
Have other countries? What about the countries that haven’t? Isn’t it completely unrelated to the “bad actors” question?
Internet is the best thing that we have now. It’s great because it’s open. You’re ruining it. As well as the other bad actors, attackers, etc. You’re just one of them, even though you’re also the victim. So no, you’ve completely missed my point. I’m not blaming the victim. I’m blaming everybody in this particular situation. You are the part of the problem just as well as the attackers.
> I know it's a very hard concept to grasp.
Calm down. Take it as a grown up. You’ve asked for opinion yourself, don’t forget it.
> holy rage
The only one raging is you, unless you consider asking purposefully loaded questions to be rage.
> Have other countries? What about the countries that haven’t?
Not every country has paid, but they also haven't launched a barrage of DDOS attacks, blatant scraping, and constant scanning for exploits and etc.
You're funny because you think defending one's site from hackers is "ruining the internet". You gave your naïve opinion and I have the right to disregard it and think that it is really stupid, don't forget.
Defending the integrity of the internet isn't OP's job. He's not making the internet a shittier place, the governments of China and Turkey are. Blame them, not some random web host.
That's the same approach as requesting a valid phone number for a service that absolutely doesn't need a phone number, just to filter out potentially problematic users.
Is it within your rights? Totally. Does it make sense from a business perspective? Yes, probably. Is it morally right? I'd say no. Will most people give a damn about it? Probably not.
Most people won't care if you discriminate against some minority they're not part of and don't interact with. Some will, but I'm not sure how much it matters to you if you're seen as a "bad person" either way?
This is a massive leap in assumptions and arguments.
For one, blocking users in a geographic region would not be legally considered racial discrimination unless you can prove intent. This is the bullshit loophole that makes it easy to get away with discrimination, but that's the way it works.
If Google really wants to play this game and create a technical gate preventing usage of sites by anyone that uses a browser that may be blocking ads, there's a legitimate business need there and all they have to say is they are no longer willing to serve users that refuse to pay by viewing ads and providing valuable data. In the case of Chrome they can extend this and say they are helping make sure anyone hosting content online can also protect their revenue as well.
Is that a shitty practice and will it cripple the internet as it was originally designed? Absolutely. But likening this to systemic racism is an insane argument and really doesn't help get at the underlying problem that we would all rather have an internet that is open, free, and not designed entirely as a corporate ad playground.
The grandparent comment asked whether a website owner would ever be unjustified in deciding who can use their website.
From a legal viewpoint, the answer is dependent on the complexity of state laws[1]. What a website owner can do with a website in one country obviously differs from what they could do in another country. Most countries have very weak anti-discrimination laws, and if they do exist, they typically only apply for very specific purposes such as employment discrimination based on age. These limited laws tend to be near impossible to enforce short of someone self-incriminating themselves. In some countries however, an example being Norway, laws against discrimination can be very strict and routinely enforced to the level of requiring all website owners to implement WCAG 2.0 at AA level[2].
From an ethical viewpoint, the Universal Declaration of Human Rights[3] states in Article 2:
"Everyone is entitled to all the rights and freedoms set forth in this Declaration, without distinction of any kind, such as race, colour, sex, language, religion, political or other opinion, national or social origin, property, birth or other status.
Furthermore, no distinction shall be made on the basis of the political, jurisdictional or international status of the country or territory to which a person belongs, whether it be independent, trust, non-self-governing or under any other limitation of sovereignty."
And numerous other articles are relevant, including Article 19:
"Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers."
Such broad declarations of rights are completely ridiculous.
As a consultant, this would mean I can't turn down a client. Ever. It doesn't matter if I have higher paying offers, moral objections to what they want built, or simply just don't want to work with them.
This type of blanket declaration of freedoms can only extend so far as another person's rights aren't infringed upon. In the consultant example, my right to decide how I spend my time and value my work should be protected. If I can't discriminate for any reason because it could be deemed "[an]other status", my life can be wrecked because anyone asking for my services is owed good faith effort and I can't legally decline.
How is this, conceptually, any different from sites that used to block IE out of spite?
I don't agree with doing that either, but whereas things like changing UA headers/page-rewriting proxies would easily get around that sort of discrimination, this is now cryptographically secure.
Governments are scared of encryption because it could be used against them. The population should've realised the same could also apply to them, because it is now actually happening.
> It's great to see this getting more attention. User-agent discrimination (i.e. "go away if you're not using the latest version of Chrome") needs to become illegal.
UA should be fully deprecated already. It rarely achieves its goals at this point. There are better alternatives.
No, it helps me find scrapers and bots too lazy to spoof their UA, oh you’re using “curl”, “go-http-client”, or whatever non browser client? You get an instant block.
> It's great to see this getting more attention. User-agent discrimination (i.e. "go away if you're not using the latest version of Chrome") needs to become illegal.
I really hate this attempt by Google and hope they don't follow through, but why should this be illegal?
Software user agent strings are just an identifier added on by a browser to give the server context, it's not a protected class. Google has every right to gate use of their software however they choose, we can just stop using it.
We don't have a fundamental right to an open internet, no one owes us this. I hope we can get back to the days when the internet was much more open and less commercialized, but that day won't come by legal regulation.
> As long as I'm not overloading your service or similar, what hardware or software I use must not be restricted.
A lot of the push is not for bad actors literally DDOSing servers, but bad users degrading the service for other users. If most users of a service agree to, for example, run an attestable environment to access a service, then that service should be able to refuse access to users who don’t buy into it.
> If most users of a service agree to, for example, run an attestable environment to access a service
With Chrome's near monopoly in browsers, most users will run an attestable environment when Chrome ships it without ever knowing and agreeing to doing so.
Even if Google manages to "collect" consent, this has so much potential to adversely impact everyone (including businesses) except Google in the long term that it should not be allowed.
If the customer is already running in an attestable environment, why would they disagree with attesting to that environment?
> this has so much potential to adversely impact everyone (including businesses) except Google in the long term
How so? It prescribes mechanisms to ensure websites don’t exclude certain browsers/OSes
> To protect against both risks, we are evaluating whether attestation signals must sometimes be held back for a meaningful number of requests over a significant amount of time (in other words, on a small percentage of (client, site) pairs, platforms would simulate clients that do not support this capability). Such a holdback would encourage web developers to use these signals for aggregate analysis and opportunistic reduction of friction, as opposed to a quasi-allowlist: A holdback would effectively prevent the attestation from being used for gating feature access in real time, because otherwise the website risks users in the holdback population being rejected.
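The holdback in the explainer text quoted above, as a constructed simulation (an added example, not part of any comment in this thread and not code from the proposal). The 5% rate, the keyed-hash bucketing and all names are assumptions; the quoted text only says "a small percentage of (client, site) pairs".

```python
"""Constructed simulation of an attestation holdback over (client, site) pairs."""
import hashlib
import hmac

# Assumptions for illustration: the quoted text gives no rate and no mechanism.
HOLDBACK_RATE = 0.05
PLATFORM_KEY = b"constructed-demo-key"  # hypothetical per-platform secret


def in_holdback(client_id, site, rate=HOLDBACK_RATE):
    """Decide, stably per (client, site) pair, whether the signal is withheld."""
    msg = f"{client_id}|{site}".encode()
    mac = hmac.new(PLATFORM_KEY, msg, hashlib.sha256).digest()
    bucket = int.from_bytes(mac[:8], "big") / 2**64  # uniform in [0, 1)
    return bucket < rate


def signal_seen_by_site(client_id, site, attestable, rate=HOLDBACK_RATE):
    """Return what the site observes: 'attested', or None for no signal.

    A held-back client and a client that cannot attest at all both yield
    None, so the site cannot tell the two apart.
    """
    if attestable and not in_holdback(client_id, site, rate):
        return "attested"
    return None


def simulate(site, n_attestable, n_other, rate=HOLDBACK_RATE):
    """Compare gating on the signal with using it only in aggregate."""
    clients = [(f"a{i}", True) for i in range(n_attestable)]
    clients += [(f"u{i}", False) for i in range(n_other)]

    attested = 0
    rejected_attestable = 0  # attestable clients a gating site would turn away
    for client_id, attestable in clients:
        if signal_seen_by_site(client_id, site, attestable, rate) == "attested":
            attested += 1
        elif attestable:
            rejected_attestable += 1

    total = len(clients)
    # Aggregate use: a site that knows the rate can still estimate the share
    # of attestable traffic without rejecting any individual request.
    estimate = (attested / (1.0 - rate)) / total if rate < 1.0 else None
    return {
        "total": total,
        "attested": attested,
        "rejected_attestable": rejected_attestable,
        "estimated_attestable_share": estimate,
    }


if __name__ == "__main__":
    result = simulate("news.example", n_attestable=20000, n_other=5000)
    print(result)
```

A site that treats a missing signal as a failed check turns away roughly the holdback share of clients that could have attested, while the aggregate estimate stays close to the true share.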
> If the customer is already running in an attestable environment, why would they disagree with attesting to that environment?
There are countless modern PCs that have secureboot enabled by default. Does that mean all their users endorse and agree with secure boot based attestation knowingly?
My point is defaults cannot and should not automatically be treated as implicit consent/knowledge.
Attestation will be enabled by default when Chrome ships WEI and the "majority" condition you mentioned will most certainly be true from day one. That doesn't necessarily mean that every single user of Chrome is onboard and happy with WEI.
That's wrong on so many levels, I don't know even where to start.
First of all I hate these "proposals" which are actually "we implemented this in our flagship product, and kindly force it on our users, you don't have to use it, if you have a choice" stances.
Then comes all the "ensuring they aren't a robot and that the browser hasn't been modified or tampered with in any unapproved ways." part. I'm using an open source browser which is not Chromium based (i.e. Firefox). I can modify and recompile the way I want it. I can use links/elinks/lynx/dillo if I want (and I use them, too). Who do you think you are, and how come you dictate the software I use on my own computer?
It's 90s DRM wave all over again. Constant attacks towards open software, open platforms, open protocols.
Except in the 90s you controlled 100% of the code running on your computer. Now there are all kinds of treacherous computing with all those "trusted" execution environments and TPMs and all the other bullshit that can't be avoided, with someone else's public keys burned into the silicon.
Nope. In the 90s we also had tons of closed code on our computers, namely the BIOS, proper firmware embedded in a plethora of peripherals (Disks, Ethernet cards, Microcode in the CPU, etc.), yet due to computing constraints, this has been only tried in forms of Pentium 3 Serial Numbers + Windows APIs + IE6.
However; courts, Free Software Movement and alternative operating systems plus Mozilla stopped this.
Now all of them are under attack. Esp. Free and Open Software Movement is being enshittified with a process which we can call as "Rewrite it in Permissive Licenses, so companies can hire you while closing down the ecosystem".
> In the 90s we also had tons of closed code on our computers
Sure, there was much closed code, but there was no signed or trusted code. You could still reverse engineer, patch and reflash every single bit of it to your liking, provided you knew what you were doing. On modern hardware, even dumping the decrypted binary for the "trusted execution environment" is a challenge, and getting the thing to run your modified version is simply impossible because it needs to be signed with a key you don't have.
You can't. On most modern systems there is software that runs with privileges above your OS kernel that you can't remove or modify because it is signed with the manufacturer's key. The key is part of a "trusted" boot chain. The root of trust is usually burned into the silicon in the fuses or the initial bootloader (boot ROM).
TEE on Android, for example. Intel ME on PCs, and probably TPMs also have a firmware of their own. Secure Enclave on Apple devices.
Even so, on most of the platforms you list you can disable the security checks and attestation mechanisms with a custom OS, which mitigates the risk of letting a site know that your computer is running any specific version of an OS with the proper anti-tamper checks. If you find a device that doesn’t, you can just not buy that device. At a certain point it’s not constructive to say “you can’t build that” when there is enough of a consumer benefit/desire and business incentive to do so.
The problem is not someone knowing something. The problem is that since 99% of people use their devices in stock configuration, "no attestation available" would be interpreted as "attestation not passed". We're already seeing that with banking apps on Android. It doesn't matter whether you've rooted your stock ROM or running something without Google services, the app will refuse to work either way.
The bank thing doesn't bother me, personally. I can circumvent such restrictions entirely by using a bank that has a physical branch near me, and doing my business in person.
From what I gather it depends a lot on the country, but in some countries, including Russia where I'm from, money transfers are done through your bank's app. You probably won't go to a branch to send someone $15 for pizzas they ordered at a party or something. Your only option would be to carry cash for such occasions.
> Your only option would be to carry cash for such occasions.
I'm in the US, but this is exactly what I do. I don't think I've ever actually used a banking app to send a small payment to someone for things like this, nor has anyone tried to use an app to send money to me. Cash is king.
(I fully understand that not everyone can or wants to handle payments this way. I'm just saying what works for me. I have no banking apps on my phone at all.)
I don't have the models memorized and I'm not at home to check, but I recently bought four towers that don't have TPM or a management engine and allow you to disable UEFI. They're not new, true, but they're certainly not 486 level.
> an Ethernet card with real Firmware in a real ROM, no platform controller, nothing. ...and a completely open BIOS w/o any binary blobs
None of which I was talking about. But I am pretty sure that with any motherboard, you can disable onboard Ethernet and install whatever adapter you want instead.
They have also violated an important Code of Conduct [1], to the point of even aggressively closing valid complaints [2]. The Googlers RupertBenWiser [3] and yoavweiss [4] are really just toeing the Google line. What's super gross is even yoavweiss tried to play pretend that the original issue they forced closed, without comments or reading, was "spam" [5]. I believe both of these users are acting in very-bad-faith, and not correctly observing any ethical codes of conduct in Engineering.
It's super telling they know by how they are acting, by locking down the GitHub repo.
It's very depressing how far both Google and Googlers have fallen. What was once a home to innovation, growth, and technical creation is now just ads, abusing their market position to give Chrome an insane advantage during the later years of the browser wars, and more of the same.
It's probably time to bring anti-trust action against Google. Also if you're not already, please move to Firefox and stop using Chrome. Mozilla stands against this and these engineers pushing it [6].
Claims of code of conduct violations on the basis that the technical proposal itself is a violation of the Positive Work Environment provisions is a stretch. It is, however, a clear violation of the Priority of Constituencies[1], including the dictum about who is in control: the Web must enhance individuals' control and power[2].
Having said that, the comment that Weiss links to when citing himself...:
> I understand many folks here are upset about this proposal. I urge you to actually read the proposal, rather than rely on rumors about what it does or doesn't propose. If it's at all helpful, I wrote a few words about ways you can constructively engage with proposals you don't like.
... almost certainly does run afoul of the W3C's provisions for acceptable and unacceptable behavior outlined in the code of ethics and professional conduct. Implying that someone who is "upset" about the proposal is responding to rumors and that it is okay to admonish them to "actually read [it]" is both uncharitable and noxious to the discussion. There's a good reason why HN, for example, has an explicit rule against accusing people of not having read the article.
I wish it didn't take bad faith efforts to enforce anti-trust laws, if we even get there with Google.
I'm not a fan of big government and regulation, but if we're going to have anti-trust laws on the books they should be enforced evenly. It's so crazy to me that Bill Gates got raked through the coals for years over IE while Google and Apple have been allowed to get away with much, much worse.
Unless the parent comment was edited to remove some details your bar on “doxxing” somebody is pretty low. Linking to somebody’s public GitHub profile isn’t revealing any private information. Both participated in the discourse on GitHub— it’s not like finding their profiles would be difficult.
Linking to public profiles and GitHub discussions isn't doxxing. Sharing the Googlers' private, personal information would be but I at least don't see anything like that in the GP post now.
As far as I am concerned the reputation of this Ben Wiser guy is so far down the toilet that there’s practically nothing he can do or say to recover it.
Both RupertBenWiser's and yoavweiss's reputations are fully gone from this. Pretty much the moment they closed an issue without a single comment [1], locked the repo from everyone else, and then a much later time claiming it was "spam" is a pretty dirty tactic [2].
Of course nothing happened to their reputations. Unfortunately there are very few people who care about this, or know who the people are in these proposals.
A reminder: the tech lead for AMP who promptly closed all discussions critical of AMP and AMP for email, and banned people who raised the questions repeatedly is now the CTO of Vercel.
Lol yep sure, almost every website out there uses Recaptcha, Cloudflare and similar services, but they all totally hate the guys who work on stuff like that.
The bubblethink here is out of control. A clear majority of website operators would love this tech to exist because the pile of hacks and user-hostile verification systems that currently keep bots and fraud at bay are time limited, and always have been.
I mean, is yoavweiss in the wrong here? The #112 issue does look like spam (pretending to care about diversity in hope of making problems for the maintainer, because diversity issues are taken very seriously at Google).
Don't get me wrong, I hate this proposal too and I hope it gets dismantled and forgotten. But I would probably do the same, as an owner of a controversial repository that somehow got to the top of HN frontpage.
> Google's plan is that, during a webpage transaction, the web server could require you to pass an "environment attestation" test before you get any data.
There is no value in this "attestation" for me as a user. I want to be able to do whatever I want with the browser (for example, remove ads or block access to canvas and webgl) and I want sites to be unable to know this. And probably this attestation will provide additional fingerprinting signals which is what I don't want.
Attestation is a great concept for stuff you're in control of. Employee laptops, your own servers, your own phone, you name it. You want to be able to control and verify your devices are still under your control, preferably without manually entering the data center every week to check. The concept isn't inherently bad.
That said, the concept is seemingly aimed at blocking ad blockers and preventing browsers like Brave from impersonating Chrome so it can block ads without the need for extensions and such.
The only user-positive use case I can think of for this is for self-hosted software. Maybe it can be used to detect MitM attacks or malware messing with the browser? In practice this will just mean "no Firefox, no Linux, no adblockers".
In theory one could imagine a scenario like a bank website refusing to be accessed unless the entire OS & browser stack pass attestation - as that would rule out things like keyloggers, malicious browser extensions, and session hijacking.
In practice it'll just be used to lock down content and force unskippable ads on users, of course.
And in practice it will eventually mean being unable to do online banking if you're on Linux. My Android phone with a custom ROM doesn't pass even a basic SafetyNet check, and this means I essentially cannot use mobile banking. For now, using a browser on my phone is a "workaround", but this proposal could change that.
> one could imagine a scenario like a bank website refusing to be accessed unless the entire OS & browser stack pass attestation - as that would rule out things like keyloggers, malicious browser extensions, and session hijacking.
The important part is that "malicious" isn't up to you to decide anymore; if you have any "unapproved" software that acts in your interests and not others', this could theoretically be used to lock you out too.
> a bank website refusing to be accessed unless the entire OS & browser stack pass attestation
Even that use case leads to bad outcomes. I already have to jump through hoops to get banking apps to run on my rooted phone. Banking websites refusing to run on anything but Chrome on Windows is a likely scenario here, and that's awful.
IT in big banks is usually horrible and their security departments would close you and your family in a cage if it was possible and helped them avoid liability. If attestation exposes let's say your password policy, be sure you'll be required to set it for monthly changes the moment they can do that.
I don't want them to have a say in how I run my devices.
But that's not a direct value. I'm aware that reducing fraud for banks will potentially (bank behavior makes me doubt this) increase interest rates/decrease fees since they'll have less stolen money. I'm also aware that the current internet is built on free-as-in-beer services due to ads typically covering costs.
I'm not interested in being hobbled for either of those problems. I remember when banks used to reject my browser because it wasn't IE in Windows. I remember when I had to look at webpages that were 50% advertising.
I hope banks like getting phone calls, then. MacOS and Windows normies are going to get caught up in this, and so are all of the laypeople who got pissed at those two and moved to OS's like Linux Mint.
Attestation can have value in a corporate network, ensuring only patched company laptops can connect to certain services, for example.
But software already exists to do this kind of thing for private networks. I really, strongly believe that this kind of functionality has no place on the open web.
This proposal is user-hostile, and could be very dangerous to the future of the web.
Are you using Chrome now? Hate to say it, you are part of the problem. Switch to anything else.
I'm not a super anti-Google person. I use Gmail and Google as my search engine. But Firefox is a good browser that I use as my daily driver, and Edge, Brave, Safari and the DDG browser are other options.
Switch today and start taking away Google's leverage.
Edge and Brave are based on Chromium. While Brave would likely block this API for a while (until too many sites require it and it would hurt their market share) they don't block most changes that Google pushes into Chrome so are still largely contributing to Google's power over the Internet.
So if you really want to disrupt Google's control over the web platform the only options are really Firefox and Safari.
Safari has far more weight here though people are loath to admit it. Apple's market share is a direct check on Google's ability to push things through so easily.
Firefox unfortunately does not have the numbers on their side nor will they seemingly risk their Google payout deal. At this point, if you're using it, you're doing it because it has specific features or extensions you want, or you believe that it's ethically the right choice and you're comfortable with the trade-offs.
(I love Firefox, I just think we need to be realistic here)
Edit: I will actually note, in thinking after posting this comment, that it wouldn't surprise me if Apple was actually down for this proposal. Sigh.
I think the most important thing is getting off Chrome. And ideally completely off Chromium. I agree that Safari is a good option to keep Google on check at least for many changes. But having Mozilla in the story as well would also be valuable. Even if both Safari and Firefox could pass 50% together that would be a huge difference.
Is that still the case? I've actually noticed much less Safari bashing over the last year or two, around the time the team seemed to really focus on shipping new specs and features again.
The main complaints I still see are related to the (likely illegal) lack of support for third party browsers, and missing web APIs for things like push notifications. Those are still valid complaints today though, for anyone who cares about them.
Google's issue is the leverage they have by having Chrome used. If it is just a derivative then that lessens their leverage because the vendors of those derivative browsers do have the option of modifying Google's choices.
I agree that it lessens their control to use a derivative but it is still some control. I agree that these are far better than Chrome, but still less of an impact than a fully independent browser.
Google seems to be escalating the speed of its efforts to restrict its user base to the completely non-technical, but Apple and Facebook already own that market.
It also sounds like they're promoting yet another way to make "the internet" slower, more bloated, and have greater impediments to usage.
Are you referring to Google Maps automobiles connecting to open WiFi networks? Because to be fair, those networks were wide open, and they were being advertised.
I don't see how advertising an open WiFi network is much different from advertising an open house. In both cases you should expect visitors.
I disagree. An open WiFi network that is not being advertised would be similar to leaving a door unlocked or the shades open. When that network is actively advertised it ceases to be an open blind, and moves into open house territory.
If you are advertising that your door is unlocked, and the precedent is to enter unlocked doors - as it is to connect to open networks, then yes. Permission in such a scenario is implied.
You make these analogies attempting to equate an advertised open WiFi network to an unlocked home, while ignoring the precedent around both of those things.
It is expected that people connect to your advertised open WiFi network. It is not expected that people wiggle your doorknob to check if it's unlocked or not. If you put a sign on the door advertising, "the door is unlocked!" then I wouldn't be surprised when someone mistakes that for "come in".
I think that depends a bit on context. If I am at home, and my neighbors are advertising an open Wi-Fi network, I’ve never taken that as an invitation to connect and use it. However, if I’m at coffee shop Foo and I see “Foo Guest” advertised, then sure…
No it doesn't. Imo, that would be both poor etiquette, and a violation of trust.
While I do remember hearing about Google Maps vehicles connecting to open WiFi networks in the news, I don't recall hearing about private credentials being published. Was that the case? I thought it was just a map of open WiFi networks that was published with basic details such as SSID?
Edit: I found the article (2010, holy cow does time fly). It looks like they did collect payload data for non-encrypted traffic. Even though the data wasn't published in any way, I must agree that they went too far. I would have no issue if they were to simply verify that they could connect and record basic info such as SSID, but collecting payload data from network requests was inappropriate.
To be clear, my stance on the matter is that it is 100% okay for anyone to connect to any open WiFi network.
I don't find it particularly troublesome that maps of open WiFi networks exist.
I do not, however, think that it's okay to behave maliciously, or inappropriately on open WiFi networks.
My earlier response to your comment about hoovering plain text passwords didn't properly acknowledge the bad behavior that took place. I concede that you are correct, it was rude and insidious behavior.
This proposal only impacts "the web", which has already been going downhill for years now due to unsustainable ad-reliant business models. The internet is fine.
For the vast majority of people, the internet is the web, as well as mobile apps. The latter are already out of the control of users. Today, we at least have browsers that we can mostly force to do what we want (like stop downloading and displaying ads), but WEI will end up restricting portions of the web to users running browsers that do what the web servers want, not what their users want.
And for most people in the world, that is "the internet".
The distinction is important in my opinion because it means that our technology stack isn't necessarily captured to the root by hostile interests. In these respects, a better world is possible without having to dig everything up and start over, for now.
I wish I could agree. The internet isn't in nearly as bad of shape as the web is, that's true. But it doesn't look nearly as healthy as it used to, as more and more services are moving to the web and abandoning the internet.
While I agree with the other people in this thread pointing out that the web practically is the internet for the average user, I think this is an opportune moment to mention that Gemini exists, free of any kind of mass surveillance or advertising. It's like the web prior to Eternal September. I even have my own Gemini capsule[0] which has a live web mirror[1] statically generated from the former's content. Granted, Gemini is vanishingly obscure and relatively inaccessible compared to the web, but it's still cool that it exists.
I am using various browser extensions which make browsing a better experience for me like Dark Reader to make all webs dark. Sometimes I write userscripts for TamperMonkey to add missing functionality or get rid of some annoyance. That all will probably be impossible thanks to this attestation BS. :S
And if they don't give in, Firefox users will stop being able to access Google properties, and then probably others like video and music streaming sites, and possibly even the larger news outlets. Banking sites might get in on the action, being led to believe that doing so will increase security.
Mozilla are proposing IPA[1] which is designed to track user interaction with ads and product marketing, and track any conversion that occurs (e.g. users end up purchasing something).
If you are shown a product ad whilst browsing searchengine.example and then later look up the product at reviews.example, then end up making a purchase at shop.example, your browser sends all of these events to an aggregation service that allows shop.example to understand (at least in aggregate, assuming you trust the cartel running the aggregation service) that you were exposed to their product at searchengine.example and further exposed to their product at reviews.example.
You can still disable EME if you don't want it. That's a lot harder to do on other browsers.
I would probably have dropped Firefox back then if it was the only browser that I couldn't watch Netflix in, and I wouldn't be the only one. I don't think Mozilla can bear the loss of userbase.
Right. That's why Mozilla can't meaningfully stand up against these forces anymore. It's not that they don't want to, it's that they don't have the market strength.
That's because Mozilla simply stopped having any interest in browsing whatsoever.
They now have an interest in limited edition color drops and with their bespoke characteristic allowing users to select color that best resonates with them.
You and I, as mere mortals, may not know what this means, but rest assured, Mozilla does.
The market share of Firefox is so low and there are already a ton of popular websites that don't work on Firefox. Mozilla will very much be forced to follow along here.
That makes zero sense. If they ever did that they would lose all their market share overnight, and they know that. Google has always been good about letting people have full control over their devices, despite building incredibly locked down UX.
It would be trivial for them to build a Chromebook, or Android phone, or browser that you can't flip into dev mode, but they've never done that, even though many of their competitors in the space regularly lock users out of their devices.
That is what would happen if they made adblocking impossible in chrome today, minus all the people who don't use AdBlock and happen to be numerous enough to be Google's entire business.
In a world with attestation, you can't browse any website unless you are using Chrome or another attested browser. The New York Times would refuse to serve content to unattested user agents. That is what would make everyone use Chrome.
The scariest part is that it's not just the browser --- remote attestation goes right down to the hardware with things like the TPM, so if even one piece of your software is not "approved", you'll be locked out.
> The New York Times would refuse to serve content to unattested user agents.
You forgot one thing – once a copy of the content is served to AT LEAST one attested user agent – what prevents him from sharing his copy with unattested users?
It is easy to see that if something will make getting the content harder – it will immediately find the path of least resistance. This is the reason any new Netflix title is available for free an hour after the premiere. And the harder Netflix will try to fight this - less time will pass before their content is stolen and re-translated for free. Exactly the same will happen to New York Times if they refuse to serve - someone would serve a copy instead of them – because there is now demand created for such copy.
I don't need debug tools in the browser - if the bytes of encoded content are getting transmitted to the socket on my machine, there is no realistic way to prevent me from taking and replicating them. I don't see how some software inside the browser can have any effect on this, because the browser has zero idea where these bytes can go after they hit the socket. A good analogy would be filming your screen manually - computer has no idea of this filming and in no way can prevent it, because it cannot act on a real world around it. The same applies for browser: I can take a document, video or sound from any page without involving the browser.
> because the browser has zero idea where these bytes can go after they hit the socket
The attestation uses a secure enclave in your processor with a secret key you can't access to verify that secure boot is on, you booted a signed OS, the OS is in locked-down mode, etc.
No secure enclave of registers or hidden secret keys can help, because a person can utilize the lower-level physical world around the processor to manipulate it (e.g. sending electrical currents from a programmer device manually). But that is a last resort, there are simple software attacks available already to fake as many "attested" devices as needed (for the same DRM system of Android). It will only bring more jeopardy to the "integrity".
See that's exactly the issue why I hate this. You can always circumvent it, worst case with an electron microscope and some acid. So all it really does is prevent the average user from gaining control over their own hardware.
And for tech-minded people it doesn't fundamentally change anything, it just means that it now takes more time to do the same than before
True, a cat-and-mouse game going on forever. Anyways, I don't believe they can succeed in walling such a monstrosity of technologies as the web, just by controlling some parts of it, even significant parts like the browser or search. It is only something governments can do by requiring a passport scan each time you open a connection (which is closing when you eject the passport from the scanner)
This is why RISC-V being developed in China and other countries and exported elsewhere is ironically a good thing at the base-level of computing. The Chinese computers will require China's bugs, whereas exported goods will NOT have it, otherwise it won't be bought.
I assume it's something like the old Protected Media Path.
For example, if you try to screenshot a Netflix video all you screenshot is a dark-pinkish square, because the video is probably added by the graphics card at the last moment.
It will be, as always, incrementalism. Tweak this little requirement here, then maybe two versions down the road lock this down, then a couple years later bring the hammer down before anyone can react. "Move fast and break things..."
I think this is one of the shittiest things I've seen so far. The thing with this is that it is invisible to 98% of regular users out there. It's already hard to explain things clearly to non-tech persons as to why certain policies are harmful at the privacy level. And even if they do understand you, in most cases their perception of you is as someone really paranoid about privacy, and yes they will undoubtedly ask things like: "so you don't have twitter, facebook, instagram, ...". It's really hard to convince people or at least make them truly see all these dark things going on behind the scenes.
Regular people won't even talk about this, they don't/won't care. As long as they're still able to see the content they are requesting this is something that does not affect them, it affects the people that know the shit is going on under the hood because we understand how Machiavellian a move like this is.
On the other side if this somehow manages to ever see the light of the day, it's a huge opportunity for other people to come up with alternatives that effectively fight back this initiative and/or bypass it. If there's something that we do not run out of in this industry it is creativity, for all sorts of things, even the craziest ones, and that's something no corporation will ever be able to mitigate.
Also keep in mind that no browser is going to ever be in the podium eternally. Chrome has an expiry date, we just don't know when it will expire.
But I don't feel like Google has the luxury of letting its image burn like this. TURTLEDOVE is already a huge semi-sound but immensely scary change, MV3 is a disaster of high order and hasn't responded with anything but a stream of bandaids to challenges like Mozilla's far more capable Background Pages proposals. But I think the reputation damage here is vastly higher, as there's basically nothing being offered here to most users, or, if this spec goes through, ex-Web users. This effort is just an abominable horror show, and at some point, it feels like Google/Chrome have to stop being so blinders-on as to treat this as a merely technical discussion.
The last time these debates went down, where there was an incredibly contentious spec that got shipped, it basically took the Web creator Tim Berners-Lee using his w3c authority to stamp "ship it" on the spec. https://www.techdirt.com/2017/03/01/tim-berners-lee-endorses...
More importantly, a company of the size, scope and sophistication of Google trying to hide its fundamental redefinition of how people access the web, behind “it’s only a technical change” is unacceptable.
As if something with multiple downstream non-technical effects, is only a technical change
As if you can minimize and dismiss everyone’s fears and concerns as hollow, invalid and irrelevant by waving the magic wand of tis only a wee technical change, to be sure, to be sure
As if everyone’s protests and arguments against can be instantly hosed down, because aye, you guessed it laddie, it’s only a technical change
It’s almost as if the folks at Google think people are so stupid that not only do people not know what they’re talking about, but they’ll actually believe the lie and fall for that deception…
It’s almost as if Google was trying to gaslight the public about this…
If they end up groveling about this, I don’t think “in retrospect, we could have communicated this better” is going to cut it. This is a company the size, scope and sophistication of Google. This is not their first rodeo. They know exactly what they’re doing, and they mean to do it…
This defies my Occam's Razor view. You seem to be assuming Google is an extremely well connected organism with vast coherency: each limb knows what the others are doing, they are working together in close fashion, & doing things for ulterior motives.
This is such a horrific & bastardly case - of creating unparalleled rank awfulness hither-to-fore unimaginable - that I am tempted to agree. And I do think there probably was some cross-pollination on this idea (which I personally would characterize as unlike the vast majority of things happening on the Chrome team).
But I still think there's a very necessary "reel it in" counter-response that has to happen here. It was me who characterized this as "only a technical change". Google is trying to shift how the web works & knows it, with this change, and that's clear, and their explainer indeed rather twists words somewhat to make it sound like it's for the user: but it is also eminently clear they seek to shift how the web works in a wide way, and they're not cloaking that behind anything or as simply technical: they're wrong & immoral & awful, but up front about what they're doing, and they're not presenting it subtly.
I linked Yoav Weiss's post with some disdain (for rebuffing), but I think a lot of these rules hold true in most circumstances, and I think even under duress many should be respected to the degree possible. But reciprocally, I've already advocated (in the HN thread) that sometimes I don't think constructive replies are appropriate or possible. When we are working to define the only open accessible shared hyper medium humanity has, there is a higher degree of engagement necessary, which also has to permit explosively deconstructive argumentation sometimes. That was my main critique: that Yoav is sheltering Chrome unjustly from the minefield of conflict he created (or more generously, let be created).
No, I’m using Google rhetorically. Sure you could be more specific and say the Google Chrome team, or whoever is actually discretionary responsible for this, and the chain of command that authorizes them with that power within the org… but I think, bothering with such specifics would make the message less effective so I didn’t.
Also, I don’t think it’s necessary. Google is responsible for whatever its parts are doing; a corporate entity. And people are right to expect that if they get something from Google then it’s caused by Google.
Also, I think it’s wrong and too early to be diluting or shielding Google behind the pedantic hairsplitting that, “oh you see it’s not actually google at fault here, um, it was probably some guy that works in a basement somewhere, you know, his views not reflected by ours and so on…” it’s not necessary to provide them that shield or confusion at this stage.
He may work at google, you may work at Google, I may work at google; we don’t know. And it’s not important. What’s important is that Google is at fault here. (I don’t btw)
Magnitude of the malfeasance is so great they deserve to be held to account for it, and a simple label of Google is sufficient.
Also, Occam’s razor? I think it’s unnecessary to invoke the preposterously exaggerated strawman of some ghastly and convoluted conspiracy here, when their actions directly align with, and can be efficiently implemented by, their business. It’s a simple thesis: Google is at fault and they meant to do it. They know it’s bad and therefore are selling it deceptively.
It’s neither convoluted nor complex in any way. In fact, if they’d tried to engage with this technically in a way that accounted for, acknowledged and respected the fears and concerns people raised in response, then I think they would’ve ended up with a solution that is more convoluted, and complex. In this we have the curse of simple evil.
I think it’s drinking the gaslit Kool-Aid to pretend “oh no, it’s an accident, it’s incompetence, they didn’t mean to.” This is directly (if harmfully and unethically) supporting their business interests. They meant to do it. That’s the simplest explanation. That’s Occam’s razor.
> You seem to be assuming Google is an extremely well connected organism with vast coherency: each limb knows what the others are doing, they are working together in close fashion, & doing things for ulterior motives.
Nah dog, you're overcomplicating it. All it requires is a person or two in a management chain to recognize the hint of long term business potential in a technical change. It doesn't have to be a sure thing, or a big thing, the bare minimum is that they just notice a business model that could be enabled, and choose to explore it. Then once the company takes on the initiative, some combination of communication and intuition spread the understanding of what they're doing across some of the business. For the wider scale, all the rank and file need to do is play dumb, or be legit unaware, about the obvious incentive they're working towards.
That's not a vast complicated conspiracy. That's every single business' outward-facing messaging strategy.
When parent poster talks about the "size, scope and sophistication of Google," the point doesn't have to be that they're meticulously coordinating. The point can simply be: there's no fucking way they're not playing dumb.
This is my problem with people using Occam's Razor to understand business decisions. They often assume the idea that someone could be employed in business development and spend months championing and refining an idea is a level of complexity that must fail to a more simplistic explanation. But we know that shit happens all the time.
The Chrome team have used "the Open Web" as a euphemism for what is to all intents and purposes Google's great ad supported walled garden. That so few people see this for what it is is amazing, and then they get all surprised when Google act to preserve it and close the capability gap with native platforms.
It's an incredible hubris to pretend to gatekeep the whole Internet. Google's been doing a pretty handsome profit, maybe not the meteoric rise they were used to before 2020, but still nothing to warrant such desperate measures to secure future profits.
When Microsoft did this with IE, they did it with proprietary and undocumented APIs. The fact that this is an open spec, discussed in an open forum, using well established and standard technologies is what ensures it can never be positioned against users in any meaningful way.
To me it looks like SGX for the web. Maybe it will introduce some neat and weird capabilities, but at the end of the day, it will be trivial to bypass at scale if it ever positions itself as being harmful to users.
Let's say example.com decides to require attestation from the {MS, Apple, Google} providers, and that they attest to only Chrome without extensions. You can't forge the attestation because cryptography. You can't fail to provide it (because they'll just refuse to send the bits). You can't use a "malicious" attestor because example.com won't trust it.
What's the trivial bypass I'm missing? How does a freely accessible standard impact the ability to bypass things in any way?
TPMs can be emulated. Also basically every hardware platform can be placed into a hardware debug mode that allows live debugging of the underlying operating system. Keys can also be extracted from hardware. If even one supported platform leaks a key (and in this doomer fantasy world all platforms must be supported right?) then the attestations can be bypassed. It only needs to be bypassed once to be bypassed everywhere, basically forever.
EME is a great example. It's been around for over a decade now. In what way has it negatively impacted users? Is piracy any harder than it was? EME has been built into Chrome since long before it was an official W3C spec, which it has been for six years now. People lost their minds when EME was getting standardized, yet here we are. This same nonsense is playing out with WEI, yet people haven't seemed to learn a thing.
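The relying-party checks the comments above argue about (a token is required, the attester must be one the site trusts, the signature must verify, and a leaked attester key can only be handled by dropping that attester), as an added example that is not part of the thread and not code from the WEI proposal. The token layout, attester names, verdict string and challenge nonce are assumptions made for illustration; the keys are generated on the spot.

```javascript
const crypto = require('crypto');

// Constructed attester with a fresh Ed25519 key pair (hypothetical names, not real platform keys).
function makeAttester(name) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return { name, publicKey, privateKey };
}

// Attester side: sign a verdict bound to the site's challenge nonce (toy token format).
function issueToken(attester, verdict, nonce) {
  const payload = Buffer.from(JSON.stringify({ attester: attester.name, verdict, nonce }));
  const signature = crypto.sign(null, payload, attester.privateKey);
  return { payload: payload.toString('base64'), signature: signature.toString('base64') };
}

// Site side: holds only public keys of the attesters it chose to trust.
class RelyingParty {
  constructor(trustedAttesters) {
    this.trusted = new Map(trustedAttesters.map((a) => [a.name, a.publicKey]));
    this.pendingNonces = new Set();
  }

  newChallenge() {
    const nonce = crypto.randomBytes(16).toString('hex');
    this.pendingNonces.add(nonce);
    return nonce;
  }

  // Dropping an attester is the site's only response to a leaked key:
  // it rejects every token from that attester, honest devices included.
  revoke(name) {
    this.trusted.delete(name);
  }

  verify(token) {
    if (!token || typeof token.payload !== 'string' || typeof token.signature !== 'string') {
      return 'rejected: no token';
    }
    const payload = Buffer.from(token.payload, 'base64');
    let claims;
    try {
      claims = JSON.parse(payload.toString('utf8'));
    } catch {
      return 'rejected: malformed token';
    }
    if (claims === null || typeof claims !== 'object') return 'rejected: malformed token';

    const key = this.trusted.get(claims.attester);
    if (!key) return 'rejected: untrusted attester';

    let signatureOk = false;
    try {
      signatureOk = crypto.verify(null, payload, key, Buffer.from(token.signature, 'base64'));
    } catch {
      signatureOk = false;
    }
    if (!signatureOk) return 'rejected: bad signature';

    // Single-use nonce: a captured token cannot be presented a second time.
    if (!this.pendingNonces.delete(claims.nonce)) return 'rejected: unknown or replayed nonce';
    if (claims.verdict !== 'approved-environment') return 'rejected: verdict';
    return 'accepted';
  }
}

function runScenarios() {
  const platformA = makeAttester('platform-a');
  const platformB = makeAttester('platform-b');
  const site = new RelyingParty([platformA, platformB]);
  const results = {};

  const genuine = issueToken(platformA, 'approved-environment', site.newChallenge());
  results.genuine = site.verify(genuine);
  results.replayed = site.verify(genuine);
  results.missing = site.verify(undefined);

  // An attester the user controls: valid signature, but the site never trusted it.
  const ownAttester = makeAttester('my-own-attester');
  results.untrusted = site.verify(issueToken(ownAttester, 'approved-environment', site.newChallenge()));

  // Same name as a trusted attester, different key: the signature check fails.
  const impostor = makeAttester('platform-a');
  results.impostor = site.verify(issueToken(impostor, 'approved-environment', site.newChallenge()));

  // Honest "modified" verdict rewritten after signing: the signature no longer matches.
  const honest = issueToken(platformB, 'modified-environment', site.newChallenge());
  const claims = JSON.parse(Buffer.from(honest.payload, 'base64').toString('utf8'));
  claims.verdict = 'approved-environment';
  results.tampered = site.verify({
    payload: Buffer.from(JSON.stringify(claims)).toString('base64'),
    signature: honest.signature,
  });

  // After platform-a's key is reported leaked, the site revokes the whole attester.
  const afterLeak = issueToken(platformA, 'approved-environment', site.newChallenge());
  site.revoke('platform-a');
  results.afterRevocation = site.verify(afterLeak);
  results.otherAttester = site.verify(issueToken(platformB, 'approved-environment', site.newChallenge()));
  return results;
}
```

The site never sees a private key, so everything it can enforce reduces to which public keys sit in its trust store.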
The people involved in this concept/idea/proposal should be shamed into retirement. They should never work in the tech sector again. They should be afraid to use their names before first knowing their audience (an agricultural audience would likely be OK).
It's really perplexing how people in such privileged positions would put their name on this. Either they're not as smart as they appear or somehow manipulated/corrupted.
I would assume they are prominently putting their names on the proposal to claim they lead this effort during performance review. After all, they are probably expecting a big payout for something like this.
Nah, they just realize that the sort of rank ideological hatred they're gonna get from the sort of people posting here isn't representative of the software industry as a whole let alone the wider world.
The iPhone is a bastion of remote attestation. You can't just rock up and download apps from the iPhone app store using a convenient API, it's restricted so only the iPhone itself can do it. Do Apple engineers hesitate to use their real names? No, because nobody cares and heck HN threads often fill up with praise over the fact that you can't even install apps outside the app store, let alone download apps from it and emulate them on a PC.
Games consoles are fully based on remote attestation. You can't connect a PC to the Xbox or PS gaming networks because they do RA to keep you out. Do the engineers who work on games consoles have to go into hiding? No, because nobody cares. HN never discusses it because it works and lots of gamers, especially the casual ones, prefer it.
Fact is that users like this tech because it solves problems that they'd otherwise have. The web lacks it and therefore has to rely on user hostile stuff like CAPTCHAs, phone codes, magic JavaScripts and social network logins which people hate, so they switch to native apps instead. And devs hate dealing with all the automated abuse they get, so that pushes them towards app-only services too.
One of them has been a SWE for only about 5-6 years, probably a smart person but naive enough to be the face of this proposal being pushed by some bigger fish in Google Corp that didn't want their name attached to it.
You don't think that targeted "harassment" (e.g. publicly calling them dangerous people working against the interests of almost all of us) is called for when they advocate for and actively attempt to design a system designed to take away power from us all as individuals?
"The explainer is authored by four Googlers, including at least one person on Chrome's "Privacy Sandbox" team, which is responding to the death of tracking cookies by building a user-tracking ad platform right into the browser."
Mr Amadeo does a good job succinctly explaining the explainer.
I've been reading HN since its birth and have been in the browser game for 25 years. HN, as a collective, shit all over Firefox and Mozilla for a decade while Google, who was never going to do anything but this, did just this. Good job.
You mean the same browser getting paid by Google to maintain it as the default search engine? The same organization that relies on those payments as majority of income?
This isn't to shit all over Mozilla, this is to highlight that browser choice is irrelevant here, this is not a "war" won by installing another program.
Seems like this is going to get a lot of pushback. It might not go through. But remember whether it goes through or not isn't the important thing. The fact that Google wants it to is what matters.
This feels like a reincarnation of Microsoft Halloween documents but all in the open... How corrupt our industry became that this doesn't cause the same uproar... Google truly morphed into what it fought in the beginning.
Correct. If the pushback is successful, rest assured that the reprieve will be temporary. At best, they'll come back around with some tweaks and changes to blunt the more egregious aspects, but it will come back.
The "privacy sandbox" stuff is a perfect example of this process.
> Correct. If the pushback is successful, rest assured that the reprieve will be temporary. At best, they'll come back around with some tweaks and changes to blunt the more egregious aspects, but it will come back.
Yes, they might even intentionally have started with a proposal so over-the-top that people who are now protesting may feel that they won when some time afterwards Google presents a slightly less creepy second iteration of this. And the ones who don't will be cast as radicals who don't want to engage in good-faith discussion while Google seemingly proposes a reasonable compromise. Besides, would anybody please think of the child... err... banks with webpages!
The Web will cease to be an open system, and will become a glorified fax machine and cable TV network. Those few who care will turn to more esoteric, incomplete, user-unfriendly but open systems. Eventually one of those systems will gain popularity with nerds, academics, and weirdos. They'll fill it with information and media they compile and create in their spare time, and it will interoperate in useful ways that for-profit corporate networks can't. Over time it will gain popularity and "normal" people will start using it too. Money will start to pour in, the network will fill up with garbage, and then corporations will come in and take it over and lock it down.
ISPs will not be letting that traffic through. So no little romantic underground. No cycle; the internet is happening just once, and we're in it. The assumption that everything is necessarily part of a little epicycle of history somehow mashes together Whig history and an inert nihilism. Don't worry, nothing matters?
We're not in a movie. When they close the open internet, there will be no reason for them to open it back up. Everybody's Playstation will still work. Facebook will still work. Twitter will still work, but it will be all blue checks.
In the future they may not even sell general purpose computers to the public that can access the internet. The network will kick them off as unsigned machines. Maybe they won't let anything on the internet that is capable of running illegal or unlicensed encryption.
The open systems will have to be physical places where we go meet each other, and don't bring our phones. Of course, they could make you carry your ID in your phone (for a few years, there'd just be a $100 charge for a physical ID until they eventually just phased them out), or make you carry cash in your phone, so how could you meet up in person if they didn't want you to?
If we're talking cyberpunk dystopias, we'd have to resort to hand-soldered audio couplers that use our locked-down phones as modems. Once the next Android/iOS update detects and blocks unauthorized binary carriers, we'll have to steganographically hide our traffic in fake voice calls. Crappy baud rate, but good enough for encrypted text. Augment with sneakernet and local hard-wired networks running under lawns and dorm room carpets.
Although in this grim future where all communication is monitored and censored, people like you and I will probably be up in the hills in the rebel camps, and open networking protocols might be low on our list of priorities.
Now I kind of want to build one just for the challenge. Analyze what frequencies can get through, and reverse engineer the phone company's codec so I can send a pirate signal, like a phreaker of old.
Fun fact: You can no longer do such a project in software on stock Android. They locked down the voice audio API.
Just talking about subcultures/communities that I've been a part of. Several of them only have a minimal presence on the public web, having moved to a network of private sites. A couple of them have assembled what amounts to a "shadow internet" that uses the internet for an encrypted communications channel but provides its own mailservers, IM servers etc. that don't interact with the internet proper.
And, locally, there have been two ISPs set up (one by me and my friends) that aren't meant for public use, but to supply service to smaller groups. The one I set up was to supply internet service to a remote neighborhood that isn't likely to get reasonable commercial internet in the near or medium future.
Those two ISPs supply internet access, but they also operate an intranet that is mostly decoupled from the public internet.
All baby steps, and nobody is 100% "off the grid", so to speak, but it's a trend that started long ago and seems to be gaining a bit of momentum.
My prediction is that the web will ultimately be just for commercial use (it's already 90% there), and there will be a whole bunch of tiny networks -- that may or may not portal to the internet -- that will fill the needs that the internet is increasingly unable to fill.
Except in the age of hyperinformation, you will see such fringe systems pump and dump on the time frame of a few months, not decades like it used to. You would pray that it would not happen and the thing that you are using right now will not gain that kind of attention.
> Google's plan is that, during a webpage transaction, the web server could require you to pass an "environment attestation" test before you get any data. At this point your browser would contact a "third-party" attestation server, and you would need to pass some kind of test. If you passed, you would get a signed "IntegrityToken" that verifies your environment is unmodified and points to the content you wanted unlocked.
Because of this. If we're at the point where you need to get permission and approval to verify that the platform you're using is acceptable, then the gates are up and the free web is no longer free at all.
> If we're at the point where you need to get permission and approval to verify that the platform you're using is acceptable
I guess it has been the case from the good old CGI era? I do remember all those private forums that required me to wait for several days until they can "verify" my identity and "approve" my registration. The control always has been at the hand of platform. The difference is that now attacks are much more sophisticated (GPT-4 powered!), while defense line is left at a pretty miserable state.
This is bad but how is it going to affect the usefulness of my personal web site, that will never use that API to check who's reading it, bot or human? Same thing for a lot of sites, probably the vast majority of them.
Personal sites likely wouldn't be affected directly. What this will affect is the ecosystem of browsers that people are willing to use. My prediction is that it will slowly strangle independent browser development, which will turn the web into something akin to the Android/iPhone duopoly. This is kind of already the case with browser engines, but because this is DRM, it would extend that same effect to the actual distributed binary (e.g. you can't visit your bank with Chromium on a Debian box, since that wasn't compiled and signed by Google).
> Same thing for a lot of sites, probably the vast majority of them.
Once Google gets this in place, it can then perform these checks through their ads SDK and demonetize traffic from visitors that don't pass the check. This will create an incentive for any site owner that wants to make money through ads to enforce that visitors must use an approved browser. Basically the DRM equivalent of 'Please disable your ad blocker'.
> Basically the DRM equivalent of 'Please disable your ad blocker'.
An interesting observation I've had in my own browsing behaviour is that the majority of sites I visit are time wasting visits. If any site presents the above message (or the equivalent - 'sign up to read' like Medium does), I find I just navigate away and do something else.
The bigger concern for me like you call out - major institutions like banks enforcing a separate company's requirements on me in order to interface with them.
I never had ads on my site and if it disappears from search results, no problem. I'll give the URL to the very few people that might be interested to browse it. I probably know all of them, plus a number of bots.
They may also flag your site as "unsafe" and will refuse to display it with scary warnings and hidden overrides that the average user will not be able to access it. This already exists btw. Also in Firefox, using Google's blacklist.
That is because without https, there is no guarantee that the site requested is being delivered as the site intends. For example, an ISP could insert data or scripts into the page.
And monkeys could fly out of my butt. Not everyone has the same threat model.
Faced with a choice between a vague future threat that might happen (an adversarial ISP or other MIM attack) and a certain future threat that will happen if we let it (incumbent gatekeepers locking down the Web), I'll take my chances with the former, and opt for less gatekeeping rather than more.
It's not a "might happen." ISPs, especially in places like hotels and other public WiFi spots, were replacing ads on sites with their own ads. I don't know if they did anything more nefarious but they were probably also snooping and logging to at least some degree.
"That is because without Web Integrity, there is no guarantee that the site requested is being delivered as the site intends. For example, a browser extension could remove ads or modify content on the page."
See where this slippery slope is heading? We DO NOT want what "the site intends". We want to be in control of the content we consume.
Then make laws to force your ISPs to be neutral carriers and prosecute any pulling shit. Most of the world doesn't have this problem yet we are still forced to waste countless of cycles and man-hours on TLS for public read-only content.
HTTPS has a lot to do with that. Let's Encrypt is free, but requires things common users don't have, such as control of a domain, as it is if Google can see your stored certificates it could exclude you from a site based on "sites you hang around with"
It honestly boggles the mind that the same company I used to respect twenty years ago has morphed into the evil monster that is modern Google. A tragic fall from grace.
Such is the fate of all companies. Companies need to be allowed to die in order to facilitate competition, but because of a failure of antitrust regulators to do their jobs, giant companies have been allowed to leverage their war chests to perpetuate themselves by gobbling up competitors and prolonging their own demise, to the detriment of us all.
Google needs to be broken up, and the other tech giants too. Bring back competition to the market or we'll continue marching towards Blade Runner corporate dystopia.
Remember they already added DRM to browsers once. There was a big outcry at the time, and they still went ahead and implemented it. Now even Firefox supports Widevine.
If they believe that it's in their best interest, I'm not really sure what we can do against this...
That's the premise that the RIAA and friends was pushing. There is of course another choice; to stream the movies without DRM. Once Flash was gone, eventually they would have caved in because there is a lot of money to be made by streaming movies.
This was a faustian bargain.
Now that DRM is in the browser, it's going to be pushed further, as with this proposal. It forced Firefox to compromise on their values of open-source in order to stay relevant. Streaming movies are still getting copied the same day.
We know from experience with the gaming and music industry that what protects the publishers is to provide a convenient platform, with reasonable prices. And of course the legal system to take down pirate websites.
And? Making people who can't help themselves from consuming DRM'd content jump through hoops is much better than integrating this shit into the browser. Eventually media companies might have caved in and accepted DRM-free distribution like the music industry already has.
> Exactly how the rest of the world feels about this is not necessarily relevant, though. Google owns the world's most popular web browser, the world's largest advertising network, the world's biggest search engine, the world's most popular operating system, and some of the world's most popular websites. So really, Google can do whatever it wants.
On one hand, I think this is wrong, because the world is full of tech companies who thought they could do whatever they want because they're big enough. "Nobody would dare switch away from Facebook! Err, I mean Twitter. No wait, I meant Chrome!" But that's a bet, not a fact. Sometimes it works out, and sometimes everyone leaves and goes somewhere else. You think you have a moat, and you do, it's just you don't always realize it's ankle deep.
On the other hand, Google can do what it wants with Chrome, because it's their product. I use Firefox, and it won't affect me. All the people who don't care about this are free to use Chrome. Likewise, anyone who wants to listen to a man in his forties tell them about why some browsers are better than others can ask me about my thoughts. Nobody has done that yet, but the offer is on the table.
They don't even have to do that. In five or ten years your browser will be bitrotted and unable to read tons of webpages, since you'll be stuck on the version before Firefox completely capitulated and called the users who complained about it "childish bullies."
We need legislation that clarifies who owns a device and what consequences this ownership has. But we won't ever get it as governments and corporations feel that they should own the device. If they ever agree on a separation of ownership, it's game over. Our devices will become our biggest enemies.
> So if you root an Android phone and get flagged by the Android Integrity API, several types of apps will just refuse to run.
That's just messed up. It's like saying if your car detects you have been doing maintenance yourself, you can use this particular brand of carburetor because they will refuse to work.
While I don't love this API's idea, I understand why they're doing it, and the API it describes really just sounds like any Captcha API today.
> Google's plan is that, during a webpage transaction, the web server could require you to pass an "environment attestation" test before you get any data. At this point your browser would contact a "third-party" attestation server, and you would need to pass some kind of test. If you passed, you would get a signed "IntegrityToken" that verifies your environment is unmodified and points to the content you wanted unlocked. You bring this back to the web server, and if the server trusts the attestation company, you get the content unlocked and finally get a response with the data you wanted.
The problem with Captchas today is that there are a lot of services you can use to bypass them. You send the token to a human, human gives you the solution-token, and you pass that to Google.
I can see why they want to make this more protected. As a user, if this lets me solve captchas less for certain sites, I'm OK with that. Of course, I don't think this API should be used for the entire web, but I definitely understand its use-case.
Captchas only let you verify that the user is human, this API lets you do more: it lets you verify that your web application is going to run unmodified and that the user is going to see what you want him to see, _everything_ that you want him to see and nothing else.
Unlike captchas with this you can remove adblockers, greasemonkey/stylus edits, extensions adding download links to your youtube videos, etc, from the picture.
One key difference to Captchas is that since this new system requires no user input, the "cost" of a website requesting attestation is a lot smaller. So it will probably be used more widely.
This highlights the evil of DMCA. DRM is not that big of a deal if you can freely exploit some vulnerability in your TPM / hardware attestation module, extract the keys, lobotomize the creep, visualize minimal functionality and share your research. With DMCA you're suddenly breaking the law at multiple steps of the way.
But they told me that Google, being one of the largest advertising companies in the world, had no interest in handicapping ad-blockers. BTW it's the same company spreading FUD over AGPL.
This won't even work to solve the problem they're trying to solve. If I'm a scraper or someone that wants to drive fake ad impressions, what stops me from faking the attestation info? There's some mention in the original article about the attester validating the attestation data is signed on the client, but that just pushes the problem down the stack a bit. Someone could still spin up VMs, and just automate the scraping in a real environment that passes attestation. The author is claiming this will ensure only humans are viewing said data, but it doesn't really ensure that, it only adds a couple steps.
I also find it funny that the authors point to mobile platforms as an example of how this will work well. Last time I worked with ad tech, mobile ads were flooded with fake impressions, and I highly doubt that has changed. The funny thing about players like Google is that they want to be able to tell advertisers they're doing a lot to prevent fake impressions to get them to buy ads, but they don't really want to solve the problem because it would cost them a lot of money. So they kinda play the line and develop tech like this that sounds fancy but doesn't actually stop the problem in practice.
I failed to learn how this exactly works, but you're looking for the term 'remote attestation'. This aims to prove that your computer is only running the approved software by having the TPM look into the computer's memory, hash the running software and its configuration and signing the hash with a unique private key burned into the TPM that is impossible to extract without physically invading the chip.
The proposed function is impossible to implement in general. More precisely, it's impossible to implement without specific hardware and operating system (you have one of a handful of choices) to the de facto standard that would develop over time if web servers came to depend on the behavior of the function. It would make the web decidedly not open.
Google will degrade their services for non-DRM browsers. They have a long history of "oops" with UA sniffs and serving slow buggy alternatives to Chrome-only JS.
You'll be filling in captchas 10 times a day, getting randomly locked out of your Google account in the name of security, and whatever new feature they add to their services, they'll find an excuse to require the DRM for it.
Don't you think people will inevitably crack the software side of things (as has been done with the lower levels of Widevine)?
The end game is probably integration with a TPM that produces the token, or at least whatever part of it verifies that the chrome binary is genuine and that there is no forbidden software running on the client machine.
> The end game is probably integration with a TPM that produces the token, or at least whatever part of it verifies that the chrome binary is genuine and that there is no forbidden software running on the client machine.
That is exactly the goal of this, and why it needs to be opposed fiercely.
That doesn't make any difference. There will be websites that will only allow people using approved browsers to access them. Instead of whatever you expect, you'll get a link to download Chrome (or whatever), and possibly install $COMPANY's attestation software.
Then, people will DDOS the attestation endpoints because why not.
What I've seen missing in these discussions is what happens with Headless browsers. Yes, these are used a lot for scraping, but there are also many legitimate use-cases. If the Web Integrity API is available to everyone then you can effectively no longer use Headless Chrome to browse to any of these pages, or am I missing something?
I'm totally behind all opposition against this, as I'm massively in line with the sentiment here. However thinking about it more and more, I get the impression that it will be essential to explain the impact of this to normal people (like my mom) and that's, what I just don't succeed in so far.
Without a broad support and public opinion about this, they might shockingly just be able to get this started. Apple and on-device CSAM scanning is something I have in mind about this, as a counterexample.
What's a simple narrative non-tech people understand about this? Should I ask ChatGPT?
There are conflicting "requirements" for the web it seems. We want freedom and anonymity but not too much because bots and because we want to use the web to buy things but not too little because dissidents, but not too much because pedos and terrorists...you get the idea.
I think the wisest course of action is to boycott all chromium-based browsers. Yes it might be painful, yes you might not have your favorite extension or add-on. Suck it up. I've been exclusively using Safari for years, even after extensions were killed.
Scraping webpages is extremely useful and this would seem to combat this. It's also extremely useful by... oh yes... Google. And I'm sure they would find a way to whitelist their scrapers to index pages, but archive.org? Oh you're SOL.
> Google's plan is that, during a webpage transaction, the web server could require you to pass an "environment attestation" test before you get any data.
Sounds pretty sweet from a corp security perspective. Context Aware Access lets you do attestation at SSO time but baking device integrity further into the system would be helpful.
Unfortunately, this gives a lot of power to webpages. I'm not sure it's worth the tradeoff. This seems like something better handled by an extension, but I'll have to read the spec.
So I'm already at the point where if I go to a website and that stupid Cloudflare "securing your connection" dialog pops up, I just click away. Fuck Cloudflare and their walled-garden horse.
If Google does this too then I guess the "mainstream" web will become invisible to me. No great loss since it's mostly thoroughly enshittified anyway.
I'm happy to move to the new un-googled "darkweb" where freedom, anonymity, and non-SEO content still prevail.
Even if this DRM doesn't get accepted and used Google's QUIC protocol they call "HTTP/3" that they whitewashed through the IETF with MS makes it so it's impossible to establish a connection to a server unless it gets 'attestation' from a third party CA TLS corporation. It's the same thing in different clothing but everyone is cool about it for some reason.
Google should've just called this HTTPS+ Everywhere and there'd be no blowback.
The spec suggested defaults don't matter when all current HTTP/3 implementations will not let compiled software users connect to a site with a self-signed cert (or none at all).
But also the spec itself is bad: "MUST" in capital letters when talking about setting up the HTTP3 endpoint and verifying the cert. https://datatracker.ietf.org/doc/rfc9114/
There are compile-time flags you can use to enable it in the QUIC HTTP/3 libs you can then manually link when compiling your personal browser. But with Google/Microsoft/Apple/Mozilla browser binaries used by the public they will not be able to connect.
The attestation need not be done by Google or web browser owner themselves. This can be done by operating systems or any third party attestation just like a simple version of certification attestation. I think even though the intention behind the idea is good, the integrity of the company that suggested this is so doomed that we are all afraid. I think such proposals will come and need to come so that gradually these proposals will mutate into something useful
Practically speaking yes, the OS (and further down the TPM/enclave) will be the root of attestation. Google here is starting with Google Play Integrity (previously known as SafetyNet), which is an OS-level attestation authority. On Windows, this attestation would probably be done via TPM/Secureboot and Windows integrity APIs.
That's what's scary about it, because it has the potential to make large parts of the web inaccessible unless you have a signed and sealed OS layer and browser to browse it with.
But a possible way to defeat it is what I do now --- keep two devices. One that meets their requirements for cases where it is absolutely needed and another for everything else.
When it comes to a game of chicken it's better to not just seem like you won't move, but to throw out the wheel entirely.
Of course it's dubious if it applies here, especially because the playing field doesn't feel quite equal, but I think the most effective thing we can do is simply refuse to use websites that require a custom built user agent to access.
Heck maybe we've already mostly lost the battle to keep the internet usable with curl, let's at least try to keep some of the other options open.
I'll tell you this – there are people who watched all Netflix titles and never visited netflix.com. People who read the NYT daily but never visited nytimes.com.
What does this change mean? There will be more such people.
If this proposal gets rejected it'll be because of feedback in the press that is impossible to ignore. My experience watching how Google has handled contentious issues in the past makes me personally feel that Google will not be receptive to concerns about whether this spec should exist. Google and the Chromium team are not willing to hear community feedback about the direction of the web or about what the web should be. They demand that feedback start from a position of assuming the best intentions of the spec, and start from a position of assuming that the spec is basically good and might just have additional concerns to address (https://blog.yoav.ws/posts/web_platform_change_you_do_not_li...).
This has been a longstanding issue with how Google approaches web standards; according to Google there's no such thing as a harmful feature and Google's approach is never wrong; it just might need refining. The refining is the only thing that Google wants to talk about.
There is a predictable arc to this narrative as well. If blowback gets out of control, Google will blame that blowback on misinformation and accuse the community of operating in bad faith or fearmongering. At best, you'll get a few people from the Chromium team saying "we hear you and we need to communicate better." Note the underlying implication behind that statement that the original proposal wasn't bad, it just wasn't communicated well. People just need to do a better job of "getting involved" in the web standards process so that the Chromium team knows to address their concerns. And it just comes down to learning to be kind and "remembering the human" -- ie ignoring the structural damage that the human is capable of causing to the largest and arguably most important Open platform on the planet.
There will never in any situation be an acknowledgement that the direction or intent was wrong; that's just overwhelmingly not how the Chromium team operates on any issue big or small.
It's good for larger sites like Ars to cover this, and it's good for people to share thoughts on social media; the only way that users have a say over this is if the press runs with it and generates a metric ton of bad publicity for Google; and even then it's a toss-up. It comes down to what the company feels like it can ignore or dismiss with a couple of Twitter posts. And this is not just where issues like adblocking are concerned, the Chromium team has been hostile to user feedback even on more minor technical issues for a pretty long while. I was writing about this issue back in 2018 (https://danshumway.com/blog/chrome-autoplay) and it was a trend before that point as well.
It stinks to go into a conversation not assuming good will from all of the parties (and it usually is wrong to do so), but the Chromium team has not earned an assumption of good will, and it's done quite a bit to squander that assumption. It's regrettably kind of a waste of time to try and engage on this stuff, it's better to just criticize on social media and hope that the press runs with it. Because that's the only thing that Google listens to.
Google must love Brexit. I guess that in the UK people feel distance from the devs in the US complaining about this. And the company is more comfortable with the legal situation in the UK than in the EU.
It looks like a good proposal. Botfarms are a PITA for a lot of sites. Cheating in games is bad. Asking someone for their ID to receive a package or content they paid for is normal in the offline world.
I don't know if anyone's all that interested in a possible explanation that doesn't make Google look like the bad guy, but if so, I wrote about it here:
> Google's plan is that, during a webpage transaction, the web server could require you to pass an "environment attestation" test before you get any data. At this point your browser would contact a "third-party" attestation server, and you would need to pass some kind of test. If you passed, you would get a signed "IntegrityToken" that verifies your environment is unmodified and points to the content you wanted unlocked.
Would you rather a capitalist dystopia, where large corporations get to approve everything you see & hear, or a socialist dystopia, where the government gets to determine what you're allowed to view?
Surprising even myself, I actually like this proposal. It does two things, one which is good, and the other which is not as bad as people are saying.
The good thing is to give browsers a way to attest to their inviolability to systems on the other end. This is generally useful! In particular, it opens up a huge potential for people to run what are effectively servers in their browsers - which was TBL's vision for the web in the first place.
The not-as-bad-as-you-think thing is that Google (and others) will use this to disable ad-blockers. Ad blockers are fundamentally dishonest, and people who use them may feel guilty for doing so. The more honest approach is to simply not consume the media. And this, it turns out, is better for society at large. Anyone who gets paid to talk ekes out a living by hacking the algorithm, making a brand, and telling people what they want to hear. It's bad and it's a bad system that makes the world worse.
Do you know how rooting Android is basically useless nowadays? Most banking and government apps, at least in my country, don't work if Google didn't give the seal of approval for your system. I take it you see it as a good thing to bring this to the browser as well, because this somehow has to do with "personal computer advocacy"? It literally cripples the users' devices.
I don't see the connection between Chrome attestation and Android attestation. A computer has only one operating system (in general) but many browsers. I see some value in attesting to a "pristine" browser environment to any application developer, as it removes a wide array of error modes (particularly useful if you have a weak or underfunded team).
Now, if the application provider chooses not to support the alternatives, I'd argue that's on the app provider (the bank and gov apps). And again, perhaps the best thing is to NOT USE THOSE KINDS OF APPS ON A PHONE. I am very concerned that people are essentially locked out of essential services if they don't have a smartphone and a working SIM card. After all "the best way to repeal an imperfect law is to enforce it perfectly."
I'm not Nostradamus; but I'm hopeful that if Google goes down this path that it will hasten the end of a wide variety of error modes in the world. Of course that may be putting a little too much faith in neoliberal capitalism, to come up with alternatives that aren't smothered in the cradle.
Browser attestation only works if the OS is attested, though. It has to be an unbroken chain of signed blobs from the TPM / boot loader to the browser - otherwise, you could just use e.g. a kernel driver to modify the behavior of a signed browser.
If WEI is implemented, we will get the combo package.
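The chain-of-trust point in the comment above, as an added example (not code from the thread or from the WEI proposal): a verifier replays a measured-boot event log with TPM-style PCR extends and rejects both an unapproved kernel driver and a log that hides it. The component names and blobs are constructed, and the quoted PCR value is assumed to have already been authenticated (checking the TPM's signature over the quote is omitted).

```python
import hashlib

PCR_INIT = bytes(32)  # a SHA-256 PCR bank starts as 32 zero bytes

def measure(blob: bytes) -> bytes:
    """Digest of a component, taken before it is allowed to run."""
    return hashlib.sha256(blob).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: new = SHA256(old || digest). Order-sensitive, not reversible."""
    return hashlib.sha256(pcr + digest).digest()

def boot(components):
    """Simulate measured boot; return (event_log, final_pcr)."""
    pcr, log = PCR_INIT, []
    for name, blob in components:
        digest = measure(blob)
        log.append((name, digest))
        pcr = extend(pcr, digest)
    return log, pcr

def verify(log, quoted_pcr, allowlist):
    """Replay the log against an allowlist and the quoted PCR; return (ok, reason)."""
    pcr = PCR_INIT
    for name, digest in log:
        if allowlist.get(name) != digest:
            return False, f"unapproved component: {name}"
        pcr = extend(pcr, digest)
    if pcr != quoted_pcr:
        return False, "event log does not match quoted PCR"
    return True, "chain intact"

# Constructed sample data: the stack the verifier is willing to trust.
GOOD = [("bootloader", b"bootloader v1"), ("kernel", b"kernel v1"),
        ("browser", b"browser v1")]
ALLOW = {name: measure(blob) for name, blob in GOOD}

def demo():
    log, pcr = boot(GOOD)
    clean = verify(log, pcr, ALLOW)
    # Same signed browser binary, but an extra driver was loaded before it.
    tampered = GOOD[:2] + [("driver", b"unapproved driver")] + GOOD[2:]
    tlog, tpcr = boot(tampered)
    reported = verify(tlog, tpcr, ALLOW)
    # Dropping the driver from the log cannot undo the extend already in the PCR.
    hidden = verify([e for e in tlog if e[0] != "driver"], tpcr, ALLOW)
    return clean, reported, hidden

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The browser's own measurement is identical in all three runs; only the measurements taken below it change the verdict.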
What happens when things like braille readers, TTS devices, and software to reformat websites to facilitate accessibility are blocked because they are modifying webpages’ content?
Devices and browsers will become locked down & attested black boxes, manufactured by a handful of attested companies. Those companies will have trouble finding employees because fewer and fewer people will be interested in low-level stuff and security as there will be no devices and software to learn this stuff on. There will be fewer and fewer debugging options and "Software developer" will just be a dumb ape copy&pasting example corporate code, writing to the megacorp's support (based in India) if something won't work.
Google's proposed 'Web Integrity API' raises some intriguing questions about the future of web security and user privacy. While the intent to secure the web environment and ensure user authenticity is commendable, the approach seems to echo DRM mechanisms, which have often been contentious. The proposal also brings to light the ongoing debate about device control - should users be penalized for wanting full control over their devices? This 'gatekeeping' approach could potentially stifle the open nature of the web and limit user freedom. As we move forward, it's crucial to strike a balance between security and user autonomy.