305
Google employee responds to all the negative feedback WEI, (google drm the web) (github.com)
submitted 11 months ago by trashhalo@beehaw.org to c/technology@beehaw.org
104 comments fedilink hide all child comments

Hey everyone, thank you for your patience, and thank you to everyone who engaged constructively. It is clear based on the feedback we’ve received that a bigger discussion needs to take place, and I’m not sure my personal repository is the best place to do that - we are looking for a better forum and will update when we have found one. We want to continue the discussion and collaborate to address your core concerns in an improved explainer.

I want to be transparent about the perceived silence from my end. In the W3C process it is common for individuals to put forth early proposals for new web standards, and host them in a team member's personal repository while pursuing adoption within a standards body. My first impulse was to jump in with more information as soon as possible - but our team wanted to take in all the feedback, and be thorough in our response.

That being said, I did want to take a moment to clarify the problems our team is trying to solve that exist on the web today and point out key details of this early stage proposal that may have been missed.

WEI’s goal is to make the web more private and safe The WEI experiment is part of a larger goal to keep the web safe and open while discouraging cross-site tracking and lessening the reliance on fingerprinting for combating fraud and abuse. Fraud detection and mitigation techniques often rely heavily on analyzing unique client behavior over time for anomalies, which involves large collection of client data from both human users and suspected automated clients.

Privacy features like user-agent reduction, IP reduction, preventing cross-site storage, and fingerprint randomization make it more difficult to distinguish or reidentify individual clients, which is great for privacy, but makes fighting fraud more difficult. This matters to users because making the web more private without providing new APIs to developers could lead to websites adding more:

sign-in gates to access basic content invasive user fingerprinting, which is less transparent to users and more difficult to control excessive challenges (SMS verification, captchas) All of these options are detrimental to a user’s web browsing experience, either by increasing browsing friction or significantly reducing privacy.

We believe this is a tough problem to solve, but a very important one that we will continue to work on. We will continue to design, discuss, and debate in public.

WEI is not designed to single out browsers or extensions Our intention for web environment integrity is to provide browsers with an alternative to the above checks and make it easier for users to block invasive fingerprinting without breaking safety mechanisms. The objective of WEI is to provide a signal that a device can be trusted, not to share data or signals about the browser on the device.

Maintaining users' access to an open web on all platforms is a critical aspect of the proposal. It is an explicit goal that user agents can browse the web without this proposal, which means we want the user to remain free to modify their browser, install extensions, use Dev tools, and importantly, continue to use accessibility features.

WEI prevents ecosystem lock-in through hold-backs We had proposed a hold-back to prevent lock-in at the platform level. Essentially, some percentage of the time, say 5% or 10%, the WEI attestation would intentionally be omitted, and would look the same as if the user opted-out of WEI or the device is not supported.

This is designed to prevent WEI from becoming “DRM for the web”. Any sites that attempted to restrict browser access based on WEI signals alone would have also restricted access to a significant enough proportion of attestable devices to disincentivize this behavior.

Additionally, and this could be clarified in the explainer more, WEI is an opportunity for developers to use hardware-backed attestation as alternatives to captchas and other privacy-invasive integrity checks.

WEI does not disadvantage browsers that spoof their identity The hold-back and the lack of browser identification in the response provides cover to browsers that spoof their user agents that might otherwise be treated differently by sites. This also includes custom forks of Chromium that web developers create.

Let’s work together on finding the right path We acknowledge facilitating an ecosystem that is open, private, and safe at the same time is a difficult problem, especially when working on the scale and complexity of the web. We welcome collaboration on a solution for scaled anti-abuse that respects user privacy, while maintaining the open nature of the web.

top 50 comments
sorted by: hot top controversial new old
[-] superfes@beehaw.org 176 points 11 months ago* (last edited 11 months ago)

Hardware backed attestation isn't about security or privacy, if you can't pass SafetyNet on your Android device you can't install certain apps, but even with stock software and passing SafetyNet you can still install malware direct from the App Store, it's about vendor lock in, always has been.

Edit: Clarified my point.

load more comments (2 replies)
[-] ozoned@beehaw.org 145 points 11 months ago* (last edited 11 months ago)

This is the part that caught my attention:

Privacy features like user-agent reduction, IP reduction, preventing cross-site storage, and fingerprint randomization make it more difficult to distinguish or reidentify individual clients, which is great for privacy, but makes fighting fraud more difficult.

And we do those things, not because we're fraudsters, but because we're trying to protect ourselves from the likez of YOU!

YOU did this, change your model and maybe it'll be better? Oh! But! Mooooooooney! I forgot. Stupid me.

This is the fucking bully telling the nerd that if he doesn't just HAND OVER his lunch money, that he'll get beat. It's YOUR fault! Not OURS!

Edit: Formatting and added about bully

Edit 2: fixing the formatting of the formatting edit. :-D lol

[-] PenguinTD@lemmy.ca 35 points 11 months ago

Look at the steps we have to go through? Firefox container tabs just for google products, have to switch to DDG as default after every update, have to keep the browser extensions updated, have to use vpn, tried to not use google open auth when register on 3rd party sites, have to clean the cookies regularly, have to click through those cookie settings visiting a site. Oh, and have to go around the amp link when trying to share a searched image/page result.

load more comments (2 replies)
[-] Melody@lemmy.one 95 points 11 months ago

WEI’s goal is to make the web more private and safe

Bull. Fucking. Shit. You do not get to pick and choose who you treat differently based on software level indications. You absolutely cannot justify this technology with fraud-prevention; as your fraud prevention should be baked in elsewhere in your logic chain and service delivery anyways. Developers do not need yet another magic number. Your typical fraudster is going to be an Authenticated Human anyways; and will easily bypass this attestation if this is actually implemented as intended. Because of that fact; this will drive desperate developers to implement this in consumer-hostile and privacy-hostile manners. You cannot simply say "That's not how it's intended to be used" and expect those devs to play along with it!

TL;DR: We must not give developers tools that can be abused in ways that run counter to the open internet

WEI is not designed to single out browsers or extensions

Wrong!

You absolutely ARE singling out browsers; particularly ones that may be older or "Un-attestable" for other arbitrary reasons. This will impact a large number of people in the disabled community who may use specific, webpage modifying extensions in order to make the web more usable for themselves.

WEI prevents ecosystem lock-in through hold-backs

This won't work; your devs will just write other server backend code that is forked off of yours that won't "hold back". This is a ridiculously tiny band-aid for a gaping wound that needs stitches;

WEI does not disadvantage browsers that spoof their identity

Wrong again! You cannot trust developers and companies with financial motivations and interests to not mark spoofed browsers as fraudulent; nor can you obligate them to treat them exactly the same as a properly attested browser agent.

Let’s work together on finding the right path

This proposal is not working together! This is a blatant attempt by Google and Alphabet to further bully it's dominance over standards for the financial gain of itself and it's partners. Please don't pretend otherwise.

load more comments (3 replies)
[-] KoboldCoterie@pawb.social 91 points 11 months ago

WEI’s goal is to make the web more private and safe The WEI experiment is part of a larger goal to keep the web safe and open

(Emphasis mine)

They contradict themselves in the span of 2 sentences. Great look, folks.

[-] exscape@kbin.social 15 points 11 months ago

How is that a contradiction?

The Open Internet (OI) is a fundamental network (net) neutrality concept in which information across the World Wide Web (WWW) is equally free and available without variables that depend on the financial motives of Internet Service Providers (ISP).

Open is not the opposite of private. You can have an open internet where your information is not shared with third parties, i.e. private.

load more comments (1 replies)
[-] DarthYoshiBoy@kbin.social 74 points 11 months ago

The objective of WEI is to provide a signal that a device can be trusted

This is exactly the opposite of everything anyone would learn in CompSci 101.

NEVER TRUST THE CLIENT. CLIENTS CANNOT BE TRUSTED. CLIENTS ARE NOT SANE. THAR BE DRAGONS THERE. (Maybe that last one is pirate treasure maps, but I think it holds.)

Anyone who is buying this guy's argument that they're trying to make it so you can trust clients, should immediately be removed from any computers they are in possession of and be "invited" by men in black suits to go live on a nice agrarian farm where the only computer available is an air-gapped Tandy TRS-80 MC-10. They can rejoin humanity when they've relearned the lessons of the last 40 years and understand why this is just patently insane.

[-] shrugal@lemm.ee 23 points 11 months ago

I think your and their definition of "trusted" is a bit different. They mean trusted as in "very likely a real human". That's not enough to allow any privileged access, but it should help when trying to block bots heuristically while preserving a good experience for real users. "Trusted" devices could skip capture checks for example.

Of course this doesn't make this proposal any better, it's still extremely dangerous and misguided imo!

[-] El_Rocha@lm.put.tf 12 points 11 months ago

In this case, I believe that the clients will be signed by the big companies (Apple, Google Microsoft, etc) and these signatures are what will be trusted.

For instance, if you download Chrome, it will be signed by Google. But if you try to alter it in anyway, the signature will not be valid and the website won't trust you anymore.

[-] Bowen@beehaw.org 12 points 11 months ago

Anyone who's played an online game in the past 30+ years knows that nothing is secure on a client machine. You have to rotate offsets and encryption keys constantly, and even then you buy yourself a few days at the most. You'd think google would have actual good engineers, what are they paying all that money for?

[-] sabreW4K3@lemmy.tf 74 points 11 months ago

Maintaining users' access to an open web on all platforms is a critical aspect of the proposal.

But with this the web wouldn't be open. 😒

[-] interolivary@beehaw.org 64 points 11 months ago

It's a bullshit answer to placate people. "We don't want this to turn into DRM for the web" when it's literally doing exactly that, regardless of what they claim they're doing

[-] that_one_guy@beehaw.org 16 points 11 months ago

There's a massive difference between one's intentions and the consequences of one's actions. They are only talking about their intentions, while the rest of the community is bringing up the inevitable consequences.

[-] interolivary@beehaw.org 15 points 11 months ago

And I honestly doubt their intentions are as good as this person makes them sound. They may actually believe what they're saying, too, but anyone with two brain cells to rub together should be able to see that this isn't quite as harmless of a proposal as they try to say

load more comments (1 replies)
[-] Goronmon@kbin.social 67 points 11 months ago

WEI prevents ecosystem lock-in through hold-backs
We had proposed a hold-back to prevent lock-in at the platform level. Essentially, some percentage of the time, say 5% or 10%, the WEI attestation would intentionally be omitted, and would look the same as if the user opted-out of WEI or the device is not supported.

This is designed to prevent WEI from becoming “DRM for the web”.

At least this acknowledges that this proposal would in fact be "DRM for the web" if the only thing from preventing it from being that is an additional measure unrelated to the core implementation.

Not to mention, what prevents a future release of the feature either turning the percentage to 0% or removing the hold-back entirely?

[-] Rentlar@beehaw.org 35 points 11 months ago

Yes or a "retry until attestation received" strategy by websites.

[-] gwheel@lemm.ee 20 points 11 months ago

And if attestations are rate limited then a grace period until they can get enough attempts in to be confident.

If sites are expected to accept opted-out clients because they might just be randomly non-attested, why wouldn't the hackers and fraudsters just opt out of attestation?

load more comments (2 replies)
[-] Zyansheep@lemmy.ml 17 points 11 months ago

Not to mention, what prevents a future release of the feature either turning the percentage to 0% or removing the hold-back entirely?

Imo thats like the main issue here. Google tweaks chromium changing a single number and everything goes to shit. This proposal is a trojan horse!

[-] Bishma@discuss.tchncs.de 65 points 11 months ago

"You're blowing this out of proportion... circular speech... platitudes... and this will make everything better!"

comments disabled

load more comments (1 replies)
[-] Butterbee@beehaw.org 63 points 11 months ago

"Privacy features like user-agent reduction, IP reduction, preventing cross-site storage, and fingerprint randomization make it more difficult to distinguish or reidentify individual clients, which is great for privacy, but makes fighting fraud more difficult. This matters to users because making the web more private without providing new APIs to developers could lead to websites adding more:"

Ohhh it's fighting fraud that they want to do! And here I thought it was entirely for the much more profitable goal of maintaining advertising revenue. Well, I'm SO GLAD to be wrong on that one. Slash S.

[-] style99@kbin.social 51 points 11 months ago

lol

Nice internet you have there. It would be a shame if something "happened" to it.

[-] LiveLM@lemmy.zip 41 points 11 months ago* (last edited 11 months ago)

we are looking for a better forum and will update when we have found one.

The only acceptable forum for this garbage is the deepest pits of hell. Fuck off forever.

[-] HaiZhung@feddit.de 40 points 11 months ago* (last edited 11 months ago)

Well, looking at these comments, one thing is clear: the discussion is not going to happen here. I don’t think there was even one comment of substance, which is unfortunate, since the explainer in OP reads sincere to me.

Maybe instead of jumping on the „google bad“ bandwagon, it would be helpful if people point out the specific issues that they are seeing with this.

As it stands, we might just take literally any commit to chromium and paste the same comments below it.

Edit: since posting this, the comments have considerably improved, I love some of the discussion. Thanks!

[-] lemmyvore@feddit.nl 56 points 11 months ago

We already have sufficient attestation for the web. It's called SSL/TLS. It guarantees that what the browser sees is what the server put out.

WEI is about blocking the browser from modifying the website in any way on the client side. Can it be used for good? Sure. Will the company whose income is 90% ads, spies on billions of people, and owns 90% of the browser market share use it for good? Hmm...

load more comments (6 replies)
[-] trashhalo@beehaw.org 42 points 11 months ago

fwiw I think mozilla's response was the most thought out response available to date. https://github.com/mozilla/standards-positions/issues/852#issuecomment-1648820747

load more comments (2 replies)
[-] eth0p@iusearchlinux.fyi 36 points 11 months ago* (last edited 11 months ago)

Adding another issue to the pile:

Even if it isn't the intent of the spec, it's dangerous to allow for websites to differentiate between unverified browsers, browsers attested to by party A, and browser attested to by party B. Providing a mechanism for cryptographic verification opens the door for specific browsers to be enforced for websites.

For a corporate example:

Suppose we have ExampleTechFirm, a huge investor in a private AI company, ShutAI. ExampleTechFirm happens to also make a web browser, Sledge. ExampleTechFirm could exert influence on ShutAI so that ShutAI adds rate limiting to all browsers that aren't verified with ShutAI as the attester. Now, anyone who isn't using Sledge is being given a degraded experience. Because attesting uses cryptographic signatures, you can't bypass this user-hostile quality of service mechanism; you have to install Sledge.

For a political example:

Consider that I'm General Aladeen, the leader of the country Wadiya. I want to spy on my citizens and know what all of them are doing on their computers. I don't want to start a revolt by making it illegal to own a computer without my spyware EyeOfAladeen, nor do I have the resources to do that.

Instead, I enact a law that makes it illegal for companies to operate in Wadiya unless their web services refuse access to Wadiyan citizens that aren't using a browser attested to by the "free, non-profit" Wadiyan Web Agency. Next, I have my scientists create and release a renamed versions of Chromium and Firefox with EyeOfAladeen bundled in them. Those are the only two browsers that are attested by the Wadiyan Web Agency.

Now, all my citizens are being encouraged to unknowingly install spyware. Goal achieved!

load more comments (2 replies)
[-] eth0p@iusearchlinux.fyi 31 points 11 months ago

And here's a concern about the decentralized-but-still-centralized nature of attesters:

From my understanding, attesting is conceptually similar to how the SSL/TLS infrastructure currently works:

  • Each ultimately-trusted attester has their own key pair (e.g. root certificate) for signing.

  • Some non-profit group or corporation collects all the public keys of these attesters and bundles them together.

  • The requesting party (web browser for TLS, web server for WEI) checks the signature sent by the other party against public keys in the requesting party's bundle. If it matches one of them, the other party is trusted. If it doesn't, they are not not trusted.

This works for TLS because we have a ton of root certificates, intermediate certificates, and signing authorities. If CA Foo is prejudice against you or your domain name, you can always go to another of the hundreds of CAs.

For WEI, there isn't such an infrastructure in place. It's likely that we'll have these attesters to start with:

  • Microsoft
  • Apple
  • Google

But hey, maybe we'll have some intermediate attesters as well:

  • Canonical
  • RedHat
  • Mozilla
  • Brave

Even with that list, though, it doesn't bode well for FOSS software. Who's going to attest to various browser forks, or for browsers running on different operating systems that aren't backed by corporations?

Furthermore, if this is meant to verify the integrity of browser environments, what is that going to mean for devices that don't support Secure Boot? Will they be considered unverified because the OS can't ensure it wasn't tampered with by the bootloader?

load more comments (1 replies)
[-] argv_minus_one@beehaw.org 29 points 11 months ago* (last edited 11 months ago)

Here's a specific issue: this will obliterate all browsers other than Chrome and Safari. There will be no meaningful competition, because websites will block competing browsers as untrusted. No more Firefox, no more Brave, no more Vivaldi, no more self-built Chromium. Use the official build or be shown the door.

This is “embrace, extend, extinguish” for the web, and it's terrifying because of how many things require the use of the web. Some banks don't even have physical branches any more; you'll have to use Chrome or lose your account.

load more comments (6 replies)
[-] Pleonasm@programming.dev 23 points 11 months ago

Seeing as you're having such trouble with people's reactions to this, maybe you should be the one in this thread to point out the specific reasons why individuals should be in favour of this.

load more comments (5 replies)
[-] modulartable@beehaw.org 20 points 11 months ago

The explainer may be sincere; however, it is clear that privacy and an open web are not in Google's interests. They contradict that sentiment in the explainer entirely. There's 0 reason for any one to give them the benefit of the doubt.

load more comments (1 replies)
[-] mrmanager@lemmy.today 17 points 11 months ago* (last edited 11 months ago)

For a conversation to happen, there must be trust. I don't think anyone trusts them, so there is no attempt at serious communication.

They should be treated with contempt.

load more comments (4 replies)
load more comments (1 replies)
[-] ElectricAirship@lemmy.dbzer0.com 39 points 11 months ago

"We're the good guys, trust me!"

[-] millie@beehaw.org 37 points 11 months ago* (last edited 11 months ago)

You know who the least trusted party is here? Not privacy-focused users, not even malicious users and bots. You are the least trusted party here. The greatest point of security vulnerability is giving greater control of what does and doesn't get seen to a company that's proven itself to be a bad actor.

Megacorps that feed on our data are the danger. Not just to network security, but to humanity. We don't want or need you limiting our access to information and to one another so that you can further lock down your pilfering of our personal data and your force-feeding of ads and toxic cultural forces.

The abuse of this responsibility has already caused untold damage to our individual lives, the functioning of our societies, and our actual planet itself. It's led to the mass promotion of some of the worst ideas in human history, and the diminishment of good will, social cohesion, and personal autonomy. The last thing we need is more overreach.

Leave the internet alone. Go make a game or something.

[-] ashtrix@lemmy.ca 36 points 11 months ago

All roads with Google lead to tracking and advertising

[-] sunbeam60@lemmy.one 41 points 11 months ago

Hey, thank you so much for the feedback on having the wolf guard the sheep. It’s clear from the discussion that there some concern around using ravenous carnivores to guard prey-animals and we want to continue this important discussion in a meaningless way so it looks like we give a shit before we make the wolf guard the sheep after “a significant time to discuss and address concerns”. We will obviously listen to take onboard feedback such as “what colour fur should the wolf have” and “should it be a male wolf or a female wolf?”. Don’t worry you’ll be able to significantly change this proposal as long as the net result is that a wolf ends up guarding the sheep. Thank you so much for all the involvement from all you sheep. Kind regards, The Wolf.

[-] argv_minus_one@beehaw.org 35 points 11 months ago

How does this person sleep at night?

[-] RickRussell_CA@beehaw.org 34 points 11 months ago

On a pile of advertising money

load more comments (4 replies)
[-] conditional_soup@lemm.ee 34 points 11 months ago* (last edited 11 months ago)

My big concern with this and the new digital standard for images that they're proposing is that it looks to make the internet less anonymous than even in-person interactions. To me, that's a complete destruction of one of the most valuable features of the internet. To some extent, anonymity is a shield against tyranny; a government can't exactly come and drag you off for re-education if they can't tell who made the image mocking the dear leader. No matter who you are or how you identify politically, we should be able to throw our tomatoes anonymously if we do choose, without threat of Google telling the Chinese or American governments who threw them.

load more comments (3 replies)
[-] CyberCatBytes@kbin.social 32 points 11 months ago* (last edited 11 months ago)

"The WEI experiment is part of a larger goal to keep the web safe and open" I'm guessing the openness they're referring to doesn't apply to everyone given that their proposal would likely negatively affect assistive technologies a lot of disabled people rely on? Haven't seen them address that

load more comments (3 replies)
[-] DarthYoshiBoy@kbin.social 25 points 11 months ago

Any sites that attempted to restrict browser access based on WEI signals alone would have also restricted access to a significant enough proportion of attestable devices to disincentivize this behavior.

If it's actually a "significant enough proportion of attestable devices to disincentivize this behavior" why would anyone want to rely on this mechanism? I have a means to check if a device should be trusted, but it fails enough of the time that I shouldn't depend on it... Why would I ever depend on it? What use case allows for an expected 10% failure rate?

[-] shrugal@lemm.ee 11 points 11 months ago

I guess something like: Skip capture if it succeeds, show capture if it fails. It would allow people to skip capture checks most of the time.

To be clear, this doesn't make it ok!

load more comments (3 replies)
[-] nobodyspecial@kbin.social 13 points 11 months ago

Google has turned evil. Back to Microsoft, everyone!

load more comments (1 replies)
[-] mrmanager@lemmy.today 12 points 11 months ago

Google, the Internet Government.

load more comments
view more: next ›
this post was submitted on 26 Jul 2023
305 points (100.0% liked)

Technology

37213 readers
169 users here now

Rumors, happenings, and innovations in the technology sphere. If it's technological news or discussion of technology, it probably belongs here.

Subcommunities on Beehaw:

This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago
MODERATORS
alyaza@beehaw.org
TheRtRevKaiser@beehaw.org
gyrfalcon@beehaw.org
rs5th@beehaw.org
coldredlight@beehaw.org
Los@beehaw.org
SemioticStandard@beehaw.org
TheRtRevKaiser@kbin.social
remington@beehaw.org