Unpacking Google’s Web Environment Integrity specification

There is zero point debating this in technical detail because the proposal itself is evil. Don't get distracted by tone policing and how they scream you must be civil and whatnot.

Our best hope is kicking up a huge fuss so legislators and media will notice, so Google will be under pressure. It won't make them cancel the feature but don't forget to remember that they aren't above anti-trust law. There is a significant chance that some competition authority will step in if the issue doesn't die down. Our job is to make sure it won't be forgotten really quickly.

I can see it being useful to have a feature which could validate if another user on a website is a human. e.g: on reddit or twitter, the user you're talking to has a little checkmark (not the blue checkmark) next to their name if they've been WEI validated. Rather than refusing to let a user use the platform, just letting other users know that the person you're talking to isn't a bot

WEI doesn't check whether they are a bot though.... they can trivially use a "trusted" browser setup and just automate it with Selenium or whatever. Or in a worst-case scenario, a $5 robot arm, with a perfectly attested browser.

The whole "this will block bots" part of the spec is complete bollocks and a red herring to distract from the real purpose - to block adblockers and competition from new browsers. And DRM, of course.

I guess it depends how far the certification goes.

If even extensions can be detected, why wouldn't selenium be detected? Granted, I don't know how it works exactly.

In addition to the 5$ robot arm you need to add 200$ for the device it is operating. Drastically raising the cost to run a bot farm is key. You can't fully eliminate inauthentic behavior, but you can make a lot of it unprofitable.