Unpacking Google’s Web Environment Integrity specification

    > Can we just refuse to implement it?
    > Unfortunately, it’s not that simple this time. Any browser choosing not to implement this would not be trusted and any website choosing to use this API could therefore reject users from those browsers. Google also has ways to drive adoptions by websites themselves.

This is true of any contentious browser feature. Choosing not to implement it means your users will sometimes be presented with a worse UX if a website's developers decide to require that feature.

But as a software creator, it's up to you to determine what is best for your customers. If your only hope of not going along with this is having the EU come in and slapping Google's wrist, I'm concerned that you aren't willing to take a hard stance on your own.

>But as a software creator, it's up to you to determine what is best for your customers.

Absolutely zero large web properties do anything based on what's best for users. If this gains traction, Google will simply deny adsense payments for impressions from an "untrusted" page, and thus all the large players that show ads for revenue will immediately implement WEI without giving a single flying shit about the users, as they always have and always will.

I think this is a little reductive. WEI is likely what some people at Google felt was best for AdSense's customers, i.e. advertisers. It just so happens that Google has a whole other set of customers who this is not best for, e.g. Chrome users, YouTube users. The problem is that it's all coming from one company, and AdSense is where the money is at, so I don't trust Google to make the best decisions for their secondary customers.

I definitely agree that AdSense blocking clients that don't implement WEI seems likely. At that point, it will be up to websites that rely on AdSense revenue to decide what to do with customers they aren't monetizing. That's already a question they have from users with ad blockers, although that is a little bit more challenging to detect.

My hope is that the majority of sites accept that they can't rely on ad revenue, and instead resort to directly monetizing users as a way to make ends meet. IMO that's a better relationship than indirectly selling their data and attention.

> At that point, it will be up to websites that rely on AdSense revenue to decide what to do with customers they aren't monetizing.

Isn’t this a no brainer? Ad funded websites have zero incentive to serve pages to ad blocker users. Not only they don’t make any money from them, they cost them money.

I run an ad blocker on all of my devices (mix of uBlock or Brave browser) and I'm pretty surprised how infrequently sites ask me to disable it to access content. Not sure if your experience is different.

Probably because ublock deletes those “disable Adblock“ screens.

Any proper gate for a user to access content should be managed by a server, not on the client side. It would have to be the same for WEI. If they can detect that I'm using an adblocker, there's no reason they couldn't prevent me from accessing content by not even serving the content in the first place.

the point of remote attestation is the environment the client is running in can be measured by the server and any tampering detected

tampering meaning running your code instead of theirs