Well, every big corp in the World Wide Web is closing their open access to their sites and APIs, so it was only a matter of time before Google decided the World Wide Web is *their* API and closed it to be used the *approved way*. Link to Reddit, beware.


Google's New Web Environment Integrity (read DRM)


🦉 ResetReboot

2023-07-22 · 10 months ago · 🤔 1


9 Comments ↓


☕️ Morgan · 2023-07-22 at 09:22:

That does not seem like a healthy response from the Reddit group :( they have piled onto the github project with a lot of spam comments and issues.


I suggest reading this thread for more information about what is proposed and why, and for some frank discussion about the privacy concerns.


— chromium.org blink-dev thread


If you have concrete concerns or questions yourself it looks like a good place to raise them.


Note the discussion in that thread around a holdback mechanism: the topic is how to force websites to allow browsers without attestation; this is required because "continue to allow browsers to browse the Web without attestation" is an explicit goal of the proposal. Good ... that seems important.


It's a waste of everyone's time and energy when people start yelling about something that the engineers concerned are already specifically working to address and asking for input on.


Hopefully, we can do a bit better here and cut past the attention grabbing headlines to the actual issues--when there are any.


I found this aspect interesting: "Another user-facing consideration is that these same inferences are made today using highly identifiable information from the browser, and inadvertently allow for widespread tracking of users. Given the deprecation of third party cookies and other privacy efforts, we recognize an urgency to create a well-lit path for anti-fraud use cases that does not rely on widespread collection of re-identifiable signals. My north star is for these existing approaches to be dropped for a more reliable, and more private alternative."


So as I understand it the topic is pretty much: how to tighten up browser privacy (which is already happening) while keeping the functionality website owners want (which is what this proposal is supposed to help with).


Thanks.


🔥 Sm0key · 2023-07-22 at 12:02:

@morgan from what I see from that link you shared, it seems that they want to implement a token identification system which would lessen the requirement of fingerprinting/tracking browsers to verify human activity. "to protect user privacy" seems like a noble goal on the surface.

However I remain sceptical for one good reason. It's Google. Those same engineers are bankrolled by a company that has absolutely no interest in protecting user privacy. Google doesn't make its money that way. No, they make their money tracking every little thing you do that they can, and selling that data to the highest bidder. That is where their money is at. That is what the USA federal government wants them to do.


Every seemingly good-intentioned thing done by Google has actually been another step paved on the path to Orwellian surveillance state hell. Everything they and their engineers do is a thinly veiled ploy to either further their data monopoly or tighten their control of users, oftentimes both at once. I guess we shall see where this ultimately goes, my money is on them using this token system to establish enough precedent to kill off all non-google-approved (read as ad-blocking) browsing.


🍄 Ruby_Witch · 2023-07-22 at 13:59:

This proposal is for DRM for the web. The attestation tokens will be provided by the user's OS or some program with low-level access running on the OS. If you read their explainer, this is said explicitly.


These kinds of DRM schemes have historically come with a multitude of drawbacks, the easiest to see for this being OS compatibility. Jailbroken Android versions, your favorite Linux distribution, or even older versions of Windows may never develop compatibility with this "feature" if it is implemented.


DRM is never good for users. The "benefits" described for users are against theoretical harms, while the benefits listed for businesses are actual reductions of privacy for users. This should not be implemented.


☕️ Morgan · 2023-07-22 at 14:09:

Thanks @Sm0key :)


Scepticism is important!


Google can certainly make bad decisions and it's useful if people can argue or otherwise take action against that.


For that to happen, I find it's important for the discussion to be accurate.


As a point of fact, Google does not track and sell everything about you that they can. This is public information because Google's ad products are public; and advertisers have to know what they are paying for, or there is no point in having it. So you can just sign up as an advertiser (it's free) and take a look.


I know a fair bit about online advertising and have written in detail about it on my gemlog (circadian.gemlog.org).


The difference between what people seem to worry about and what actually happens is pretty big. I sometimes wonder if this might be the result of a sneaky propaganda campaign to intentionally cloud the issues; possibly as a result, there does not seem to be any clear distinction made in commentary (e.g. in mainstream media) between tech companies behaving well and tech companies behaving badly. This seems like a win for the badly-behaved companies, which is why I would strongly prefer more accuracy. This stuff matters.


Re: ad blockers, in my post "How Online Ads Work" I explained why "opt-in" ad blockers increase ad value, so they're not something ad companies urgently want to get rid of. This is true except for a special case where ads are not actually ads, they are just there to intentionally annoy you so you want to pay to get rid of them.


Re: "kill off all non-google-approved browsing", that's the same point as the "holdback mechanism" discussion, i.e. exactly what they are discussing to figure out how to <not> do. So, it looks like they are aware of that problem, at least ;) given that it's a top level goal in the proposal I hope they come up with a solution everyone can feel relaxed about.


Thanks.


☕️ Morgan · 2023-07-22 at 14:16:

Thanks @Ruby_Witch.


That again goes to the same point, and what they call the "holdback". They propose to force a portion of browsers that _could_ provide attestation to provide nothing.


That way, they would force website owners to treat clients without attestation as first class citizens, or lose a sizeable number of guaranteed-real users.


I've no idea if that's workable in practice but it seems like a creative solution to the problem.


Re: benefits and harms, I'm not sure I follow you there. If I understood correctly, websites are already using browser fingerprinting to build the equivalent feature. The proposal is to replace this with something less privacy invasive, because it's intentionally minimal to do what's "needed".


It's not an area I know a lot about, but that's what I got on first reading.


Thanks.


🦉 ResetReboot [OP] · 2023-07-22 at 15:07:

That's the thing with everything Google has done back in the Don't Be Evil era. They were good things, but they gave the company an edge on everything Internet related and they've been turning it into the things we see nowadays about tracking and surveillance capitalism.


Then we get these technologies they have been pushing through claiming better privacy and security... sorry, but I think we have more than enough to just suspect the worst in anything Google proposes for now, just as we have never been able to trust anything Microsoft has been doing at the OS level.


☕️ Morgan · 2023-07-22 at 18:53:

@ResetReboot suspecting the worst is the best way to give engineering input, anyway :) so it's fair enough. It's an interesting idea/feature/misfeature--thanks for posting :)


I dunno, maybe I am too naïve--I kinda feel like the battle has moved on here, as with my post "What dystopia?" and idiomdrottning's response. I mean ... it's open source, discussed in public, open working groups ... there are other browsers that are compatible, also open and well supported ... it feels like the tech part is great.


Now I think it's more a problem of, okay, the tech is great, but are we using it right.


No harm in being vigilant about the tech getting worse, of course--imagine where we'd be if nobody had built a good-enough iPhone rival in time--but it doesn't worry me overly just right now.


🦉 ResetReboot [OP] · 2023-07-22 at 20:28:

@Morgan Yeah, I mean, constructive input regarding the dangers of certain technologies can help. But in the end, we are seeing a lot of power to decide to put certain technologies into the hands of a corporation (and only one at that) to say "This is what the Internet should be like".


Just like the other day, one Geminaut was lamenting how hard it is to set up your own email server if you expect it to work with a certain provider. And has it ever deterred spam, all that tech? No, my spam folder keeps getting filled daily and what keeps it usable are the filters. But it has deterred anyone with the know-how to put up their email server if they wish to. I see the same potential here.


☕️ Morgan · 2023-07-23 at 06:10:

Hmm, I haven't had problems with spam for years; but maybe my setup is unusual: my own domains forwarding to free email.


I like this setup because I control the domain and can switch actual email providers if I like. Also, I forward everything @ the domain, so I can give out a different email address to every signup/contact. This means I can tell who leaked the email address I gave them.


The only time I remember it not working well is one company had a problem on their side causing their forwarded emails to be marked as spam ... they could only send successfully direct to the free address.


I use nearlyfreespeech.net for domain management and email forwarding, they also do minimal spam filtering but I never had problems there.


I guess the downside is cost. Email is tied so much into account access and online identity that it seems worth it to have long term control.

-- Page fetched on Sun May 19 15:41:37 2024