Hey everyone, thank you for your patience, and thank you to everyone who engaged constructively. It is clear based on the feedback we’ve received that a bigger discussion needs to take place, and I’m not sure my personal repository is the best place to do that - we are looking for a better forum and will update when we have found one. We want to continue the discussion and collaborate to address your core concerns in an improved explainer.

I want to be transparent about the perceived silence from my end. In the W3C process it is common for individuals to put forth early proposals for new web standards, and host them in a team member’s personal repository while pursuing adoption within a standards body. My first impulse was to jump in with more information as soon as possible - but our team wanted to take in all the feedback, and be thorough in our response.

That being said, I did want to take a moment to clarify the problems our team is trying to solve that exist on the web today and point out key details of this early stage proposal that may have been missed.

WEI’s goal is to make the web more private and safe The WEI experiment is part of a larger goal to keep the web safe and open while discouraging cross-site tracking and lessening the reliance on fingerprinting for combating fraud and abuse. Fraud detection and mitigation techniques often rely heavily on analyzing unique client behavior over time for anomalies, which involves large collection of client data from both human users and suspected automated clients.

Privacy features like user-agent reduction, IP reduction, preventing cross-site storage, and fingerprint randomization make it more difficult to distinguish or reidentify individual clients, which is great for privacy, but makes fighting fraud more difficult. This matters to users because making the web more private without providing new APIs to developers could lead to websites adding more:

sign-in gates to access basic content invasive user fingerprinting, which is less transparent to users and more difficult to control excessive challenges (SMS verification, captchas) All of these options are detrimental to a user’s web browsing experience, either by increasing browsing friction or significantly reducing privacy.

We believe this is a tough problem to solve, but a very important one that we will continue to work on. We will continue to design, discuss, and debate in public.

WEI is not designed to single out browsers or extensions Our intention for web environment integrity is to provide browsers with an alternative to the above checks and make it easier for users to block invasive fingerprinting without breaking safety mechanisms. The objective of WEI is to provide a signal that a device can be trusted, not to share data or signals about the browser on the device.

Maintaining users’ access to an open web on all platforms is a critical aspect of the proposal. It is an explicit goal that user agents can browse the web without this proposal, which means we want the user to remain free to modify their browser, install extensions, use Dev tools, and importantly, continue to use accessibility features.

WEI prevents ecosystem lock-in through hold-backs We had proposed a hold-back to prevent lock-in at the platform level. Essentially, some percentage of the time, say 5% or 10%, the WEI attestation would intentionally be omitted, and would look the same as if the user opted-out of WEI or the device is not supported.

This is designed to prevent WEI from becoming “DRM for the web”. Any sites that attempted to restrict browser access based on WEI signals alone would have also restricted access to a significant enough proportion of attestable devices to disincentivize this behavior.

Additionally, and this could be clarified in the explainer more, WEI is an opportunity for developers to use hardware-backed attestation as alternatives to captchas and other privacy-invasive integrity checks.

WEI does not disadvantage browsers that spoof their identity The hold-back and the lack of browser identification in the response provides cover to browsers that spoof their user agents that might otherwise be treated differently by sites. This also includes custom forks of Chromium that web developers create.

Let’s work together on finding the right path We acknowledge facilitating an ecosystem that is open, private, and safe at the same time is a difficult problem, especially when working on the scale and complexity of the web. We welcome collaboration on a solution for scaled anti-abuse that respects user privacy, while maintaining the open nature of the web.

1 point
*

This is the part that caught my attention:

Privacy features like user-agent reduction, IP reduction, preventing cross-site storage, and fingerprint randomization make it more difficult to distinguish or reidentify individual clients, which is great for privacy, but makes fighting fraud more difficult.

And we do those things, not because we’re fraudsters, but because we’re trying to protect ourselves from the likez of YOU!

YOU did this, change your model and maybe it’ll be better? Oh! But! Mooooooooney! I forgot. Stupid me.

This is the fucking bully telling the nerd that if he doesn’t just HAND OVER his lunch money, that he’ll get beat. It’s YOUR fault! Not OURS!

Edit: Formatting and added about bully

Edit 2: fixing the formatting of the formatting edit. :-D lol

permalink
report
reply
0 points
*

Well, looking at these comments, one thing is clear: the discussion is not going to happen here. I don’t think there was even one comment of substance, which is unfortunate, since the explainer in OP reads sincere to me.

Maybe instead of jumping on the „google bad“ bandwagon, it would be helpful if people point out the specific issues that they are seeing with this.

As it stands, we might just take literally any commit to chromium and paste the same comments below it.

Edit: since posting this, the comments have considerably improved, I love some of the discussion. Thanks!

permalink
report
reply
0 points

fwiw I think mozilla’s response was the most thought out response available to date. https://github.com/mozilla/standards-positions/issues/852#issuecomment-1648820747

permalink
report
parent
reply
0 points

Makes sense to me!

permalink
report
parent
reply
0 points
*

Here’s a specific issue: this will obliterate all browsers other than Chrome and Safari. There will be no meaningful competition, because websites will block competing browsers as untrusted. No more Firefox, no more Brave, no more Vivaldi, no more self-built Chromium. Use the official build or be shown the door.

This is “embrace, extend, extinguish” for the web, and it’s terrifying because of how many things require the use of the web. Some banks don’t even have physical branches any more; you’ll have to use Chrome or lose your account.

permalink
report
parent
reply
0 points

As pointed out in another comment, the proposal explicitly states that web sites have to function without this feature; and chrome itself will keep it disabled for a random 5% of users.

permalink
report
parent
reply
0 points

The explainer may be sincere; however, it is clear that privacy and an open web are not in Google’s interests. They contradict that sentiment in the explainer entirely. There’s 0 reason for any one to give them the benefit of the doubt.

permalink
report
parent
reply
0 points

From what I can tell, out of all the big tech firms, Google goes to the greatest lengths preserving your privacy. You can even go to your profile settings right now and delete all your data. This was possible even before GDPR, so I am not sure how you get this picture.

permalink
report
parent
reply
0 points
*

For a conversation to happen, there must be trust. I don’t think anyone trusts them, so there is no attempt at serious communication.

They should be treated with contempt.

permalink
report
parent
reply
0 points

As a counterpoint, IMHO Google has the best track record regarding privacy of all the big tech firms. Googles data was never sold, leaked, or abused by employees as far as I can tell.

This is in stark contrast to companies like meta and twitter.

Maybe Google isn’t as good communicating that fact, but what is your reason for the distrust in this particular case?

permalink
report
parent
reply
0 points
*

Meta and Twitter are social media companies. They have access to peoples tweets. It’s similar to having access to these messages you and me are typing, except many people use their own names there.

It’s not too bad privacy wise, just social messages.

Google on the other hand has the private searches of billions of people. Everything you put into a search engine because you are worried, afraid, sick, or curious about something.

Google records all this private activity and saves it under your personal profile, and then uses cookies to track every web site you are visiting on the web (using not only Google search but Google analytics cookies that exists on almost every website).

They also combine this data with whatever you are doing on your android phone, or what places you go to using Google maps, or what video meetings you are having with Google meets, what emails you have in Google Mail, what video you watch on YouTube, what calendar events you are having with Google calendar… And so on.

Then they feed all this data into algorithms designed to figure out what you are likely to do next. They sell this data to advertisers so they can target you with ads. They also send this data to American agencies like nsa to be stored and analyzed.

There is a giant difference here between Google and the other companies you mentioned. Google is literally watching moments from people’s entire lives, while the others only see your social media messages.

This is why Google is completely absurdly in it’s own class of anti-privacy. No other company has this amount of data about people’s every moment awake.

Now they use their dominant position to try and take over the entire web, so it’s not possible to escape them anymore using a different browser, blocking cookies and tracking, or using another search engine.

If everyone is forced to use their browser, we have lost everything good about the web.

They should be treated like the cancer to a free web they really are.

permalink
report
parent
reply
0 points

We already have sufficient attestation for the web. It’s called SSL/TLS. It guarantees that what the browser sees is what the server put out.

WEI is about blocking the browser from modifying the website in any way on the client side. Can it be used for good? Sure. Will the company whose income is 90% ads, spies on billions of people, and owns 90% of the browser market share use it for good? Hmm…

permalink
report
parent
reply
0 points

The explainer explicitly mentions that the proposal allows browser to ignore WEI and the web is intended to work without. It even points out that there will be a continuous group of chrome users of ~5% that have the feature disabled.

If website owners rely on this feature, they are hurting chrome users just as much as other browsers.

permalink
report
parent
reply
0 points

Seeing as you’re having such trouble with people’s reactions to this, maybe you should be the one in this thread to point out the specific reasons why individuals should be in favour of this.

permalink
report
parent
reply
0 points
*

I wouldn’t necessarily agree with that. If you are outraged by something, I think it’s unrealistic to expect other people to explain to you why there is nothing to be outraged about. Otherwise you might as well just walk through life outraged by anything.

Rather, it is your responsibility to take a deep breath and ask yourself, what is it really you are concerned about? And if you deem that serious enough, convince others.

permalink
report
parent
reply
0 points
*

Your advice is applicable to your own original comment, so it seems you do agree with what I said, at least to some degree.

Anyway, in the interests of constructive discussion, let me ask you specifically. Do you think this WEI proposal is good for and why? Does the proposal mention at all what the downsides of this feature might be, or how it could be abused? Is it proposed in such a way that the dominant implementors can’t deviate later from the terms suggested in the proposal?

permalink
report
parent
reply
0 points

It’s just that with your current participation in the thread, you’re indistinguishable from a bad actor planted by Google to try to distract from the topic and make those who don’t understand what’s actually being said here think everyone else is being unreasonable. The people here are explaining what they don’t like about this, which you’re actively obfuscating.

Curious.

permalink
report
parent
reply

Technology

!technology@beehaw.org

Create post

A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.

Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.

Subcommunities on Beehaw:


This community’s icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

Community stats

  • 2.8K

    Monthly active users

  • 1.7K

    Posts

  • 9.7K

    Comments