Unpacking Google’s Web Environment Integrity specification

    > Can we just refuse to implement it?
    > Unfortunately, it’s not that simple this time. Any browser choosing not to implement this would not be trusted and any website choosing to use this API could therefore reject users from those browsers. Google also has ways to drive adoptions by websites themselves.

But as a software creator, it's up to you to determine what is best for your customers. If your only hope of not going along with this is having the EU come in and slapping Google's wrist, I'm concerned that you aren't willing to take a hard stance on your own.

This is indeed concerning. I'd like to see Brave's response to this, and we already know how Firefox has responded.

Other than Encrypted Media Extensions (and these are much more constrained than WEI!), I don't know of any other web standard that does that.

I already block all ads so I'm obviously not totally sympathetic to developers who make decisions based on what will maximize ad revenue, but it still is not fair to put the burden on developers here and say "it's your choice, just say no".

I think this makes a category error. Most browser features/APIs are indeed treated as progressive enhancements by web developers, at least until an overwhelming number of the users have access to that feature. And even then, even if the developer makes assumptions that the feature/API is present, often the result is a degraded experience rather than an all-out broken experience.

The same is not true of web attestation. If a website requires it and a browser refuses to implement it, in at least some cases (probably a concerningly high number of cases though) the result will be that the user is entirely locked out of using that website.

It's also worth noting that _even if_ Vivaldi implements WEI, there's a solid chance that the attestation authority (Google, Microsoft, Apple) or possibly the website itself[1] will not accept it as a valid environment at all! After all, what makes Vivaldi not a "malicious or automated environment" in their eyes? What if Vivaldi allows full ad blocking extensions? User automation/scripting? Or any example of too much freedom to the user. Will the attestation authority decide that it is not worthy of being an acceptable environment?

[1] if this ends up spiralling out of control by allowing the full attestation chain to be inspected by the website

Absolutely zero large web properties do anything based on what's best for users. If this gains traction, Google will simply deny adsense payments for impressions from an "untrusted" page, and thus all the large players that show ads for revenue will immediately implement WEI without giving a single flying shit about the users, as they always have and always will.

I do remember the controversy at the time of everybody shifting to HTTPS only, though, and how it might exclude small/hobbyist sites. Fortunately, we've found ways to mitigate that friction in the end. I'm much less optimistic here.

Insects in a swarm can choose where to go but they can't choose where the swarm goes.

I don't think I've made a category error, that again is true of all browser features. If your browser does not support JavaScript or WebSockets or WebGL, many sites would lock you out of them entirely as well. It's a choice of the website creator what to assume and what to require, and how to degrade the experience or offer alternatives when a feature is missing.

The way I imagine it, WEI will start with skipping CAPTCHA. Then it will be about serving ads (users without WEI would generate no or very limited ad revenue.) Then it's up to the owner of a site whether or not they want to allow non-WEI traffic at all. Some will choose to block users without WEI, and hopefully the number of browsers that have chosen not to implement it, and the number of users on those browsers is high enough that that option will not be appealing.

I hope that Vivaldi remains one of the browsers that doesn't implement it, whether or not the EU rules against it.

1) FLoC: https://www.theverge.com/2022/1/25/22900567/google-floc-aban...

2) Dart: Google wanted this to replace javascript, but Mozilla and MS both said no way, as they had no part in it. So that project ended up dying.

Google tries lots of things. Mozilla, MS, and Apple are still strong enough (especially outside the US) to push back on things that they think are a bad idea.

Basic reality and the easiness of attacks made it impossible to stick with HTTP for much longer. And hell if I watch Scammer Payback on Youtube, I'm beginning to think it might be a good idea to disable developer tools on browsers and to only unlock them if you can prove physical, un-remoteable access to a machine, similar to Apple's SIP.

There are a number of issues with your imagined scenario. I'll address two of them. Firstly, as nvy points out[0]:

    If this gains traction, Google will simply deny adsense payments for 
   impressions from an "untrusted" page, and thus all the large players that 
   show ads for revenue will immediately implement WEI without giving a single 
   flying shit about the users, as they always have and always will. 

The second issue is who is providing this "attestation" and what their criteria might be for "trustworthy" browsers. This will break down to a handful (Google, Microsoft, Apple and maybe Cloudflare and/or one or two others) of trusted "attestors" who will decide which browser/plugins/OS combinations are "trustworthy."

Since these folks all have a stake in walled gardens^W hellscapes, who's to say that Apple won't "attest" that any browser other than Safari on iOS or MacOS isn't trustworthy? Or Google may decide that any browser with uBlockOrigin, uMatrix or NoScript isn't trustworthy -- thus permanently deprecating ad/tracking blockers.

Since the spec doesn't specify the criteria for a "trusted" client, nor does it allow for the web site to determine for itself what constitutes the same, it's almost certain that such "trusted attestors" will penalize those who don't dance to their tune.

There are a host of other issues with WEI, especially privacy and property rights related, but those two (IMHO) are most relevant to your imaginings.

[0] https://news.ycombinator.com/item?id=36882333

I completely agree about the spec's vagueness about what makes a client trusted, and that attesters can choose arbitrary criteria, and will likely favor things that make the walls on their gardens higher.

I hope you're not misunderstanding my position, I think WEI is bad for users and I'm hoping that alternative browser vendors like Vivaldi take a stand to not implement it.

I don't know much about the online ad market. I assume advertisers will pay more for attested impressions than for unattested ones. But unattested impressions will still be worth something.

Strongest possible disagreement here.

On the other hand, you can bet that that's absolutely something scammers will be able to convince people to do while they're on the phone with them...

Some of it, yes, but there are a nontrivial number of small/hobbyist sites that never overcame that friction.

I definitely agree that AdSense blocking clients that don't implement WEI seems likely. At that point, it will be up to websites that rely on AdSense revenue to decide what to do with customers they aren't monetizing. That's already a question they have from users with ad blockers, although that is a little bit more challenging to detect.

My hope is that the majority of sites accept that they can't rely on ad revenue, and instead resort to directly monetizing users as a way to make ends meet. IMO that's a better relationship than indirectly selling their data and attention.

It's very simple. Google has concerns of click/impression fraud. Unattested traffic would be more likely to be fraudulent. Not paying for unattested impressions/clicks is therefore an easy way to cut costs and combat fraud.

> On the other hand, you can bet that that's absolutely something scammers will be able to convince people to do while they're on the phone with them...

Indeed but it will slow them down significantly and reduce the amount of marks by a significant amount as well.

Chrome will happily block a Google ad if it uses too much resources, I experience this a lot with a few sites that do ad replacements in the background.

Isn’t this a no brainer? Ad funded websites have zero incentive to serve pages to ad blocker users. Not only they don’t make any money from them, they cost them money.

Makes me recall Flash.

Once was a time when very large parts of the web were dark to me because I would not install Flash

Not an exact comparison, but we've been (near) here beforehand

How?

You see, this is the problem I have with all these debates where advertising is declared the villain. "Directly monetising" usually means subscriptions and logins, which means you lose all anonymity, not just gradually like under an ad targeting regime, but definitively and completely. Now payment processors and banks also get a share of the surveillance cake.

The greatest irony is that you may not even get rid of advertising. Advertising only becomes more valuable and more effective. All the newspaper subscriptions I have run ads.

The second issue is that advertising is paid for by consumers in proportion to their spending power, because a certain share of every £$€ spent is used to buy ads. Therefore, rich people fund more of our free at the point of use online services than poor people do.

If rich people move to subscriptions, this subsidy ends. Poor people will either be cut off from high quality services and relegated to their own low quality information and services (as is already the case with newspapers) or they will have to suffer through even more advertising.

Except Google of course, the only allowed scrapper.

  - cost mostly marginal money
  - continue to use your platform, potentially watch ads later
  - their usage can be sold to anyone: where are they at a given time and what are they doing
  - don't go to rival platforms
  - tell their friends about the website
  - etc

This tech is not to prevent serving content to people who adblock, this technology is to make sure that people don't have the ability to make that choice and force certain setups that prevent adblocking

The source can still be available for reference, but your build needs to be blessed somehow to be considered trustworthy.

> Now payment processors and banks also get a share of the surveillance cake.

I agree this is a problem. I work on Bitcoin and the Lightning Network, so that's my preferred solution to the problem, but there are other approaches to addressing the poor state of privacy and payments too. I don't think that that being a problem means that the relationship we have with advertising isn't as bad though.

> If rich people move to subscriptions, this subsidy ends.

There are plenty of examples where this is not the case. The freemium model exists in places where injected advertisements are not the norm, such as free to play games. Fortnite whales subsidize millions of low income players to get a high quality game for free. Whether or not you think the relationship between Epic and its players is another question, but it's a model that can continue to exist without advertisement. Especially when free users are necessary to provide content for paying users, like posts on Twitter or Reddit, or players in a game.

That being said; creators needs money to keep making what they are making. Too bad ads is such an all encompassing method. The web is literally worse with it, but would not have been as big without it.

Granted, the difference between the tiers may be small engouh in some cases for this to be an acceptable compromise, but the principle is still the same.

Apple already built and shipped this same feature last year, so they're not opposed. MS? Probably gonna love this. Mozilla hasn't said anything on it (yet at least). I'm not expecting any of those players to save us.

A better plan might be for websites to find some a better way to sustain themselves, possibly by running ads that are more relevant and less obnoxious so that users wouldn't block them.

This is fundamentally different from a world where Google gets to decide if I am a risk to them.

Is that the one rendering [1] text and UI widgets into an HTML canvas element from JavaScript/Dart (completely coincidentally breaking ad blocking in the process)? What a beautiful piece of software.

> Apple already built and shipped this same feature last year,

Are you referring to Private Access Tokens (PAT)? These seem quite a bit more limited in what they do. WEI seems to specifically set out to roll back some of the blinding/anonymization aspects of PAT under the banner of debuggability/providing "feedback" to attesters.

[1] https://docs.flutter.dev/platform-integration/web/renderers

Are Chrome users really Google's customers, though? Arguably, they're part of the product.

Youtube used to be the same, although that's changing a bit with the current aggressive push for Youtube Premium.

tampering meaning running your code instead of theirs

Now if Google cares about real impressions it's still terrible no good very bad evil.

If you use a browser which supports attestation you will be denied service by companies who disapprove of what you run on your computer.

If you don't use a browser which supports attestation you will be denied service by companies who disapprove of what you run on your computer.

So everyone loses. If this goes live everyone in the world loses.

It is an utterly heinous proposal. It is perhaps the worst thing Google has ever produced. I use Firefox and will never use any browser that implements attestation, even if I have to stop using most of the WWW one day.

But unfortunately individual action is not going to be enough here, because no matter what you do, you lose.

We then got AngularJs, but with Dart (AngularDart). This was again trying to improve the coding experience of making web apps.

When typescript came and the Angular team picked that up, TS seems to be the primary path forward (though angulardart is still getting updated).

At this point dart wasn't seeing a lot of attention. The Flutter team was able to pick up Dart as the primary owner and has been driving it since then.

It's good for google to care, it's not good for them to do this.

It would also drive the point home to the very same legislators that the author is deferring to.

If browsers now start pre-emptively folding, Google just straight up won. It's great that the Vivaldi team is against this change, but a blog post and hoping for regulation just won't cut it. You have actual leverage here, use it.

Those sites that showed you the “disable ad blocker” pop up that prompted you to leaving won’t miss you.

The point Google seem to be making quite clearly, is that the browser does not serve my needs, but the needs of Googles paying customers.

Because this is an incredible way of exerting their total control over the web across all browsers. If they don't like a feature, they get to downgrade the user's attestation or fail it. If it costs them some unattested traffic in order to create a permanently unassailable market position, it's worth the money.

It'll block all other search engines by preventing web scraping except those blessed by Google. For this reason alone many websites will adopt it. This will impact competition, research and freedom.

After this, all user choice is gone, and it'll only be governments who can break the racket.

If the CCP don't already do this, I expect they'll quickly implement something similar.

I take umbridge at this implication. When a monopoly like Google takes anti-competitive actions it's not fair or just to expect individuals to stand up to it. Governments exist to counter anti-competitive behavior like this and governments have been doing a terrible job chopping down companies with too much vertical integration lately.

But hey, it's great that some people want to make the devices they own and holds extremely valuable days of their own person, something controlled by external entities.

Don't worry, those of us who know our tech and value our privacy, will continue not listening to the "just take it" crowd.

You want to support the ad-funded website you keep coming to, yes or no? Yeah ideally every website would have a paid option for the HN crowd with cushy jobs, but that's not always feasible.

In that case, ads, being psychological manipulation to get users to do things they would not otherwise do, are already highly unethical. The ethical think to do is to discourage their use, which includes blocking them for yourself thus making them less profitable overall.

Many ad-supported sites rely on unpaid users for content.

Apple already implements equivalent functionality.

MS has been pushing "trusted computing" left and right.

Mozilla alone is irrevelant.

Yep. I'm not saying Dart is a good thing - I've never used it and don't currently have plans too. All I'm saying is that it is NOT dead as GP asserted.

> Are you referring to Private Access Tokens (PAT)? These seem quite a bit more limited in what they do. WEI seems to specifically set out to roll back some of the blinding/anonymization aspects of PAT under the banner of debuggability/providing "feedback" to attesters.

Yes. PATs don't provide as much information about the attestation to the website, but they do provide the critical part which is "is this person using a blessed client." That's plenty for a website to block people on.

It's like staying on a dancing elephant. And it requires MONEY. Lots of.

I suspect this is the desired result of Google to protect chromium despite it's opensource.

I don't think Google has actually done anything. The bar for experimenting with new code in Chromium is pretty low. This Chicken Little reaction to a non-starter is just a result of developing in the open.

But you can "care" about something in good and bad ways, and the criticism is not "Google bad".