Google employee responds to all the negative feedback WEI, (google drm the web)

Hardware backed attestation isn't about security or privacy, if you can't pass SafetyNet on your Android device you can't install certain apps, but even with stock software and passing SafetyNet you can still install malware direct from the App Store, it's about vendor lock in, always has been.

Edit: Clarified my point.

This is the part that caught my attention:

Privacy features like user-agent reduction, IP reduction, preventing cross-site storage, and fingerprint randomization make it more difficult to distinguish or reidentify individual clients, which is great for privacy, but makes fighting fraud more difficult.

And we do those things, not because we're fraudsters, but because we're trying to protect ourselves from the likez of YOU!

YOU did this, change your model and maybe it'll be better? Oh! But! Mooooooooney! I forgot. Stupid me.

This is the fucking bully telling the nerd that if he doesn't just HAND OVER his lunch money, that he'll get beat. It's YOUR fault! Not OURS!

Edit: Formatting and added about bully

Edit 2: fixing the formatting of the formatting edit. :-D lol

WEI’s goal is to make the web more private and safe The WEI experiment is part of a larger goal to keep the web safe and open

(Emphasis mine)

They contradict themselves in the span of 2 sentences. Great look, folks.

WEI’s goal is to make the web more private and safe

Bull. Fucking. Shit. You do not get to pick and choose who you treat differently based on software level indications. You absolutely cannot justify this technology with fraud-prevention; as your fraud prevention should be baked in elsewhere in your logic chain and service delivery anyways. Developers do not need yet another magic number. Your typical fraudster is going to be an Authenticated Human anyways; and will easily bypass this attestation if this is actually implemented as intended. Because of that fact; this will drive desperate developers to implement this in consumer-hostile and privacy-hostile manners. You cannot simply say "That's not how it's intended to be used" and expect those devs to play along with it!

TL;DR: We must not give developers tools that can be abused in ways that run counter to the open internet

WEI is not designed to single out browsers or extensions

Wrong!

You absolutely ARE singling out browsers; particularly ones that may be older or "Un-attestable" for other arbitrary reasons. This will impact a large number of people in the disabled community who may use specific, webpage modifying extensions in order to make the web more usable for themselves.

WEI prevents ecosystem lock-in through hold-backs

This won't work; your devs will just write other server backend code that is forked off of yours that won't "hold back". This is a ridiculously tiny band-aid for a gaping wound that needs stitches;

WEI does not disadvantage browsers that spoof their identity

Wrong again! You cannot trust developers and companies with financial motivations and interests to not mark spoofed browsers as fraudulent; nor can you obligate them to treat them exactly the same as a properly attested browser agent.

Let’s work together on finding the right path

This proposal is not working together! This is a blatant attempt by Google and Alphabet to further bully it's dominance over standards for the financial gain of itself and it's partners. Please don't pretend otherwise.

Maintaining users' access to an open web on all platforms is a critical aspect of the proposal.

But with this the web wouldn't be open. 😒

The objective of WEI is to provide a signal that a device can be trusted

This is exactly the opposite of everything anyone would learn in CompSci 101.

NEVER TRUST THE CLIENT. CLIENTS CANNOT BE TRUSTED. CLIENTS ARE NOT SANE. THAR BE DRAGONS THERE. (Maybe that last one is pirate treasure maps, but I think it holds.)

Anyone who is buying this guy's argument that they're trying to make it so you can trust clients, should immediately be removed from any computers they are in possession of and be "invited" by men in black suits to go live on a nice agrarian farm where the only computer available is an air-gapped Tandy TRS-80 MC-10. They can rejoin humanity when they've relearned the lessons of the last 40 years and understand why this is just patently insane.

"You're blowing this out of proportion... circular speech... platitudes... and this will make everything better!"

comments disabled

"Privacy features like user-agent reduction, IP reduction, preventing cross-site storage, and fingerprint randomization make it more difficult to distinguish or reidentify individual clients, which is great for privacy, but makes fighting fraud more difficult. This matters to users because making the web more private without providing new APIs to developers could lead to websites adding more:"

Ohhh it's fighting fraud that they want to do! And here I thought it was entirely for the much more profitable goal of maintaining advertising revenue. Well, I'm SO GLAD to be wrong on that one. Slash S.

WEI prevents ecosystem lock-in through hold-backs
We had proposed a hold-back to prevent lock-in at the platform level. Essentially, some percentage of the time, say 5% or 10%, the WEI attestation would intentionally be omitted, and would look the same as if the user opted-out of WEI or the device is not supported.

This is designed to prevent WEI from becoming “DRM for the web”.

At least this acknowledges that this proposal would in fact be "DRM for the web" if the only thing from preventing it from being that is an additional measure unrelated to the core implementation.

Not to mention, what prevents a future release of the feature either turning the percentage to 0% or removing the hold-back entirely?

When did we vote to make Google ordained gate keeper of the Internet? I must've been out sick that day.

lol

Nice internet you have there. It would be a shame if something "happened" to it.

"We're the good guys, trust me!"

All roads with Google lead to tracking and advertising

we are looking for a better forum and will update when we have found one.

The only acceptable forum for this garbage is the deepest pits of hell. Fuck off forever.

Well, looking at these comments, one thing is clear: the discussion is not going to happen here. I don’t think there was even one comment of substance, which is unfortunate, since the explainer in OP reads sincere to me.

Maybe instead of jumping on the „google bad“ bandwagon, it would be helpful if people point out the specific issues that they are seeing with this.

As it stands, we might just take literally any commit to chromium and paste the same comments below it.

Edit: since posting this, the comments have considerably improved, I love some of the discussion. Thanks!

How does this person sleep at night?

My big concern with this and the new digital standard for images that they're proposing is that it looks to make the internet less anonymous than even in-person interactions. To me, that's a complete destruction of one of the most valuable features of the internet. To some extent, anonymity is a shield against tyranny; a government can't exactly come and drag you off for re-education if they can't tell who made the image mocking the dear leader. No matter who you are or how you identify politically, we should be able to throw our tomatoes anonymously if we do choose, without threat of Google telling the Chinese or American governments who threw them.

You know who the least trusted party is here? Not privacy-focused users, not even malicious users and bots. You are the least trusted party here. The greatest point of security vulnerability is giving greater control of what does and doesn't get seen to a company that's proven itself to be a bad actor.

Megacorps that feed on our data are the danger. Not just to network security, but to humanity. We don't want or need you limiting our access to information and to one another so that you can further lock down your pilfering of our personal data and your force-feeding of ads and toxic cultural forces.

The abuse of this responsibility has already caused untold damage to our individual lives, the functioning of our societies, and our actual planet itself. It's led to the mass promotion of some of the worst ideas in human history, and the diminishment of good will, social cohesion, and personal autonomy. The last thing we need is more overreach.

Leave the internet alone. Go make a game or something.

"The WEI experiment is part of a larger goal to keep the web safe and open" I'm guessing the openness they're referring to doesn't apply to everyone given that their proposal would likely negatively affect assistive technologies a lot of disabled people rely on? Haven't seen them address that

Any sites that attempted to restrict browser access based on WEI signals alone would have also restricted access to a significant enough proportion of attestable devices to disincentivize this behavior.

If it's actually a "significant enough proportion of attestable devices to disincentivize this behavior" why would anyone want to rely on this mechanism? I have a means to check if a device should be trusted, but it fails enough of the time that I shouldn't depend on it... Why would I ever depend on it? What use case allows for an expected 10% failure rate?

Google, the Internet Government.

Google has turned evil. Back to Microsoft, everyone!