←back to thread

Apple already shipped attestation on the web, and we barely noticed

(httptoolkit.com)
596 points pimterry | 1 comments | 25 Jul 23 14:10 UTC | HN request time: 0.294s | source
Show context
danShumway ◴[25 Jul 23 14:53 UTC] No.36863173[source]
The most important section of this article:

> This feature is largely bad for the web and the industry generally, like all attestation (see below).

> That said, it's not as dangerous as the Google proposal, simply because Safari isn't the dominant browser. Right now, Safari has around 20% market share in browsers (25% on mobile, and 15% on desktop), while Chrome is comfortably above 60% everywhere, with Chromium more generally (Brave, Edge, Opera, Samsung Internet, etc) about 10% above that.

> With Safari providing this, it can be used by some providers, but nobody can block or behave differently with unattested clients. Similarly, Safari can't usefully use this to tighten the screws on users - while they could refuse to attest old OS versions or browsers, it wouldn't make a significant impact on users (they might see statistically more CAPTCHAs, but little else).

> Chrome's usage is a larger concern. With 70+% of web clients using Chromium, this would become a major part of the web very quickly. With both Web Environment Integrity & Private Access Tokens, 90% of web clients would potentially be attested, and the "oh, you're not attested, let's treat you suspiciously" pressure could ramp up quickly.

----

It's bad that Safari is shipping attestation, but a big reason why Safari often gets a pass on negative features that Google doesn't get a pass on[0] is because Chrome has a 60% market share, many sites are tested only in Chrome, and Chrome's marketshare is only likely to grow in the future once we finally get Apple to finally allow alternate browsers on iOS. In contrast, Safari's marketshare is pretty much tied only to iOS and Mac, and they don't even have a monopoly on Mac.

Like it or not, it matters more when Chrome breaks the Internet.

I'm not saying we should ignore Safari (we definitely shouldn't), but if that "double standard" makes anyone upset, perhaps that's a good reason to break Google up and introduce more browser diversity. If Chrome didn't have a 60% marketshare over the entire web, it would be possible to extend more grace to the people proposing experimental features within Chrome.

The extra scrutiny and tougher standards, and even the lower leeway to make mistakes are partially consequences of being the dominant browser in the marketplace. I'm sorry, but the standards are higher when you're in a position where it's possible for you to break everything.

----

[0]: see Manifest V3, which is also based heavily on Safari's own adblocking restrictions, which are similarly harmful to adblockers but tend to get a lot less attention.

replies(1): >>36863236 #
jsnell ◴[25 Jul 23 14:57 UTC] No.36863236[source]
So Apple may provide a way to prevent their users from seeing captchas, but their competition is not allowed to. You see why this is a morally bankrupt position to hold, right?

"Tired of seeing all those captchas? Get an iPhone or a MacBook."

replies(1): >>36863270 #
danShumway ◴[25 Jul 23 14:59 UTC] No.36863270[source]
It's bad for Apple to add attestation, but it's not a threat to the Open web when they do. It is a threat to the Open web when Chrome does.

If that bothers you, support browser competition and consider breaking up Google. I'm sorry, but it is a fact that it is more dangerous for Chrome to take harmful web positions than it is for Safari to take harmful web positions. That's just the consequence of having a browser monopoly, and Google has to live with that consequence.

Morality has nothing to do with it. I don't support attestation on Safari, but it matters more when Google does it. It's not "fair" because the market isn't fair, there is a dominant player and their actions matter more. Again, if that upsets you, get upset at the unreasonable power dynamics that Chrome has over the Internet. They are the reason for the extra scrutiny.

replies(1): >>36863626 #
jsnell ◴[25 Jul 23 15:20 UTC] No.36863626[source]
When Apple is the only company allowed to ship browser features with such high and user visible impact as eliminating captchas, it will directly contribute to them increasing the market share of the devices people use to access the web.

Once the majority of users are on Apple's platforms, the open web doesn't matter. It is whatever Apple wants it to be, which is most likely "dead".

The rules have to be the same for everyone, and the discussions around the WEI on HN have made it clear they aren't. The other threads are filled with massive rants about how evil Google is and how amoral anyone working on this project must be.

But then this thread on how Apple has been doing exactly the same thing has people for the first time engaging with the technological parts, and suddenly the critiques have turned to full-on excuses. "Oh, it's just a little bit bad when Apple does it."

replies(1): >>36863884 #
danShumway ◴[25 Jul 23 15:37 UTC] No.36863884[source]
> When Apple is the only company allowed to ship browser features with such high and user visible impact as eliminating captchas, it will directly contribute to them increasing the market share of the devices people use to access the web.

At which point we'll start criticizing Safari more frequently than Chrome. But I don't think you need to worry about that, I can't even run Safari on Linux or Windows in the first place. I already don't test any of my web projects in Safari specifically because I can't, I don't own a device that I can test Safari on. So good luck getting devs to build Safari-only websites. I think it's misguided for us to worry so much about a theoretical future monopoly that we avoid correctly prioritizing efforts to combat a present monopoly.

Of course incidentally, "we" (whatever that means on HN) do criticize Safari all the time. "Safari is the new IE" didn't come out of nowhere. And another reason why this issue in particular matters much less for Safari is because those criticisms seem to have worked and I fully suspect at some point in the next 5 to 10 years it's very possible that Apple will be required by regulators to open up iOS to support multiple browser engines.

And that will be great for certain parts of the Open web, I'm hoping that if iOS opens up its browser restrictions PWAs might get a lot better. But it's also very dangerous because it means Chrome's monopoly will grow even more, and it makes it even more pressing that we deal with specifically Chrome's dominance on the web. So there are plenty of areas where iOS presents a larger threat to user autonomy than Google/Android does (app store policies, user lock-in, sideloading, etc), and I have no shame about subjecting Apple to stricter standards than Google in those areas. This isn't one of those areas.

> and suddenly the critiques have turned to full-on excuses

I'm not offering a single excuse for Safari, it's bad that Safari implemented attestation. I am offering an accurate assessment of the threats that Safari and Chrome currently pose to the Open web.

My standard rule -- consistently applied to everyone in every situation -- is "don't break the Open web", and even with both browsers implementing attestation, Google's implementation is breaking the Open web more than Safari is right now.

> The rules have to be the same for everyone, and the discussions around the WEI on HN have made it clear they aren't.

I don't get to set the rules, or else nobody would be doing attestation anywhere including on native app stores. But it is naive to look at a browser with 20% marketshare doing something harmful and to say, "well, this deserves exactly the same amount of attention as Google." It doesn't. I criticized Brave inserting its ads into webpages, but I'm not going to pretend that my reaction to Chrome doing the same thing wouldn't be a lot harsher, because Brave is not the dominant browser on the web. It's not a double standard to take context into account when prioritizing where coordinated community efforts should go.

In this case, "fairness" for outrage over browser features effectively means ignoring the largest threat in the room to the web and pretending that we're not in a market with a dominant browser. But we are.

replies(1): >>36866120 #
jsnell ◴[25 Jul 23 17:34 UTC] No.36866120[source]
> In this case, "fairness" for outrage over browser features effectively means ignoring the largest threat in the room to the web and pretending that we're not in a market with a dominant browser.

Huh, funny that being equally outraged about both isn't an option for you... It would pretty obviously have been useful for achieving the claimed goal of suppressing this feature.

If there had been this kind of backlash (rather than universally positive press) when Apple did it more than a year ago, maybe it would have sent a message.

But since Apple gets a free pass from people who think like you, the outrage didn't happen, and this is now de facto a reasonable feature for a browser to implement.

replies(1): >>36867713 #
1. danShumway ◴[25 Jul 23 19:05 UTC] No.36867713[source]
> Huh, funny that being equally outraged about both isn't an option for you...

Yes, funny that my response is directly proportional to the actual threat posed by both actions, rather than pretending that they're an equivalent risk.

> If there had been this kind of backlash (rather than universally positive press) when Apple did it more than a year ago, maybe it would have sent a message.

There is a limited amount of bandwidth the general public can devote to being outraged. Apple does a lot of stuff that's worth being outraged about. Our job as activists is to draw attention to the biggest threats where public outrage will do the most good. That means prioritizing issues based on the markets in which those issues appear and based on which actors in those markets are most likely to do harm. Of course that doesn't mean only paying attention to Google -- like I said above if this was a conversation about mobile platforms and user choice more generally, I would be speaking much more critically about Apple's lock-in and app-store restrictions than I would be when talking about Google's similar violations. But it does mean paying attention to situations where whataboutism serves to dilute public attention rather than reinforce it or expand awareness.

A reminder that at no point during this entire conversation have I given Apple a free pass; at no point during this entire conversation have I even said a single positive word about Apple. Literally every single comment on Apple I've made during this conversation has been negative.

But no, I'm not equally outraged about both, because they're simply not equivalent threats to the web, and you seem determined to ignore the practical realities of the current browser market in defense of some kind of "fairness", as if amoral structurally anti-consumer companies were somehow humans on trial who deserve equal rights. They're not. You don't have to be fair to them, Google and Apple are not people, they are large corporate systems.

> and this is now de facto a reasonable feature for a browser to implement.

The fact that there is near-universal outrage over Google's position from basically every non-Google source covering it proves that this hasn't turned out the way you're worried. I've seen no one (other than people who would already be defending Google anyway) point at Apple's implementation as if it's a justification for Google's behavior. The statements from press have also been strong and straightforward and haven't tried to excuse the policy with Apple's attestation efforts.

It turns out that focusing outrage intelligently on areas where it will do the most good is actually better practical strategy for consumer rights advocacy than being equally outraged at everything in every situation and pretending that the market is something that it's not.

It is weird to me that condemning Apple isn't enough for you. For some reason it's not enough for you that I say that Apple's actions are bad, I need to be exactly as vehement about drawing attention to Apple as I would be for any other company and I need to expend the exact same resources and need to be pushing for the exact same press coverage. For some reason I need to pretend that Google isn't a unique threat to the web. But... it is.

It is weird to me that you seem to think that user advocacy is about fairness rather than about about achieving a concrete goal and protecting user rights. If you are an activist you are not under an obligation to fight "fair" for user rights, you don't have an obligation to be fair or equitable to companies. You have an obligation to be honest and moral and upfront with users (and I believe that I am, I'm not lying and saying that Apple's implementation isn't bad, I've condemned it in every single comment I've posted in this conversation). But where companies themselves are concerned your only obligation is to make sure that user rights win.

I really don't understand how your comments help with that fight. If anything, focusing attention on Google is a valuable tool for generally educating normal people (and tech-communities) about the dangers of attestation. I think it is unlikely you could have mustered nearly as much public criticism of Apple's actions before news of Google's spec proposal broke.

Holding one company's feet to the fire with more force than you hold another company's is perfectly acceptable, and in fact in many situations is strategically advisable (and I think the current reaction to Google demonstrates that very well). Pretending that every single company is the exact same threat is way more dishonest than saying upfront "both of these examples are bad, but this particular example is dangerous." And Chrome's attestation is more dangerous than Safari's. If you think my behavior is weird, I would counter by saying it's also very strange to me that you seem determined not to acknowledge that fact.