Google tries to defend its Web Environment Integrity
Google tries to defend its Web Environment Integrity
Google has defended its Web Environment Integrity on the grounds that it aims to make web browsing more private and safe through tokens.
I'm happy to see this being noticed more and more. Google wants to destroy the open web, so it's a lot at stake.
Google basically says "Trust us". What a joke.
WEI can potentially be used to impose restrictions on unlawful activities on the internet, such as downloading YouTube videos and other content, ad blocking, web scraping, etc.
Not one of those things is illegal.
Some are against a site’s TOS and some are outright fine.
Yeah that's bullsh*t by the author of the article.
Well ai scrapping is against copyright.
Scraping itself is not illegal. It's not until an AI generates a copyrighted IP that it becomes an issue.
It's like if I were trying to start an art business. You come to me and ask me to draw a princess. I've never seen a princess before, so I go online and look up images of princesses to get an idea what to draw. I go back to the studio and draw you a picture of Snow White.
Me looking up princess images is fine. It's only when I sell a Disney® IP without their permission that it becomes illegal. And, even then, it's a civil matter, not criminal.
If you are not using Firefox now is a good time to start.
Just switched yesterday, was way easier than I thought it would be. I'm converted on all my devices, all my stuff has been synced from Chrome in a few clicks. Just do it people.
If you haven't already, check out Firefox Sync.
You can sync your stuff across Firefox instances (PC, mobile, different PC profiles etc.) You can choose to sync logins, open tabs, bookmarks, add-ons etc.
Each place you use Firefox can choose to sync different stuff, so for example you can sync logins everywhere but only sync open tabs on the PC.
In case you replace the phone or your PC HDD crashes etc. all you have to do is login back to Firefox Sync and you get all that stuff back.
I love Firefox so much. Specially the built in sync. I can browse something on my phone and open it on my computer later and continue where I left off.
I recently switched and all's good so far. Correct me if I'm wrong, wei would also be able to block certain browsers, including Firefox, right? I wish just switching browsers would be enough to avoid Wei though :/
If google gets their way websites will be able to block OS's and browsers. But if enough people switch to Firefox they won't be able to push this change as easily. Google Chrome has about an 80% marketshare in the browser market and most of the alternatives are forks of Chromium which google controls. If this doesn't change Google will be able to do anything they want.
I have too use Edge at work. Is Edge also implementing this shit?
Im so sorry u should use it...
Firefox in the meanwhile but long term we need to move away from the unfathomably bloated web
protocolstandard/browsers.
There's an ongoing protest against this on GitHub, symbolically modifying the code that would implement this in Chromium. See this lemmy post by the person who had this idea, and this GitHub commit. Feel free to "Review changes" --> "Approve". Around 300 people have joined so far.
I think there's some non-symbolic effort going on in ungoogled-chromium.
Here?: https://ungoogled-software.github.io/about/
Looks like a good project, I didn't know about its existence.
I don't think filling Google repositories with complaints and well-intentioned, but garbage issues/pull requests. At best they'll just delete them occasionally and at worst work less in the open, changing permissions on repositories, doing discussions more in internal tools.
What you can do is support alternative browsers, get other people to use them too and notify news as well as your local politicians about such problems. Maybe join organizations on protecting privacy or computer clubs (in Germany, support e.g. Netzpolitik.org and CCC).
Maybe acknowledge what the in-principle good things about WEI would be and support alternative means of achieving them. This proposal uses good things like less reliance on captchas and tracking, a simple to use API to enable a huge potential for abuse and power grab. Alternatives might be a privacy pass, as mentioned by WebKit https://github.com/WebKit/standards-positions/issues/234
(also @[email protected])
Maybe it is pointless, maybe it is a bad idea. Maybe not. It's difficult to predict what this kind of small-scale actions will have on the big picture and future development. No matter what you choose or not choose to do, it's always a gamble. My way of thinking is that it's good if people say, through this kind of gestures, "I'm vigilant, I won't allow just anything to be done to me. There's a line that shouldn't be crossed".
Of course you're right about supporting and choosing alternative browsers, and similar initiatives. There are many initiatives on that front as well. I've never used Chrome, to be honest; always Firefox. But now I've even uninstalled the Chromium that came pre-installed on my (Ubuntu) machines. Besides that I ditched gmail years ago, and I've also decided to flatly refuse to use Google tools (Google docs and whatnot) with collaborators, as a matter of principle. If that means I'm cut out of projects, so be it.
Regarding WEI, I see your point, but I see dangers in "acknowledging" too much. If you read the "explainer" by the Google engineers, or in general their replies to comments and criticisms, you see that they constantly use deceiving, manipulative, and evasive language. As an example, the "explainer" says a lot "the user needs this", "the user desires that", but when you unfold the real meaning of the sentences it's clear it isn't something done for the user.
This creates a need for human users to prove to websites that they're human
Note the "need for human users", but the sentence actually means "websites need that users prove...". This is just an example. The whole explainer is written in such a deceiving manner.
The replies to criticisms are all evasive. They don't reply the actual questions or issues, they start off a tangent and spout a lot of blah blah with "benefit", "user", and other soothing words – but the actual question or issue never gets addressed. (Well, if this isn't done on purpose, then it means they are mentally impaired, with sub-normal comprehension skills).
I fuc*ing hate this kind of deceiving, politician talk – which is a red flag that they're up to no good – and I know from personal experience that as soon as you "acknowledge" something, they'll drag your into their circular, empty blabber while they do what they please.
More generally, I think we should do something against the current ad-based society and economy. So NO to WEI for me.
They claim it's to prevent bots, but we all know it'll soon become standard in every WAF out there (Cloudflare, Akamai, etc) to just blanket block browsers failing attestation.
All you need to know what will happen is to root an Android phone. You'd expect Netflix and bank apps and other highly sensitive apps to stop working. Okay, I can accept that, it kind of make sense. But the more you use the phone the more you realize a ton of apps also refuse to work. Zoom complains and marks your session as insecure, the Speedtest app refuses to test your speed, even the fucking weather app won't give you weather anymore. Jira/Confluence/Outlook/Teams also complain about it. It's ridiculous.
Even if it'd trust Google to not misuse the feature and genuinely use it to reduce ad fraud, the problem is the rest of the developers and companies. Those, they absolutely cannot be trusted to not abuse the feature to block everyone. Security "consultants" will start mandating its use to pass security audits, government websites will absolute use it, and before you know it, half the web refuses to work unless you use Chrome, Edge or Safari.
Yup I noticed this also. I used a rooted phone without Google apps on it and so many apps simply refused to work. They use Googles api in the background which means Google finds out about literally everything we do on our phones. They already own the entire operating system but we can't even run apps without them being in the middle.
This is all similar to using Microsoft Windows or Mac OS so I guess people are so used to this behavior that it's somehow ok.
But I'm a long term Linux user and I'm used to the OS not calling home and not reporting what apps I use. And this is how it should be. I'm so over big tech it's not even funny anymore.
I used a rooted phone without Google apps on it and so many apps simply refused to work. They use Googles api in the background
This has nothing to do with being rooted but with Google encouraging people to build apps using its proprietary libraries to make Google Android more valuable than Android Open Source Project. There may be a connection to the EU's attempts to stop Google from forcibly bundling several of its other apps with the Play Store.
For most use cases, good alternatives are available and it's just a matter of developers being lazy, but I'm not sure there's another good option for chat apps to get timely notifications without high battery consumption. MicroG provides an open source alternative to Google's libraries and works for most apps, including chat notifications.
It's even worse without Google apps, but I was talking about SatetyNet/PlayIntegrity specifically.
The mere act of unlocking the bootloader, without even modifying anything, will cause all the problems I outlined, and it's the same API that Google is proposing to use by browsers to check for device integrity.
Stuff depending on Google libraries, eh, that annoying but people can and will reimplement those, be it microG or Wine/Proton. Not being able to see the weather I literally could get just looking out the window because my bootloader is unlocked? That's insane.
This is all similar to using Microsoft Windows or Mac OS so I guess people are so used to this behavior that it’s somehow ok.
Not so much used to it, but just kinda sigh and accept it because I like my apps to work. I'm a long time Linux user as well, and I still have to keep a Windows box around for random shit that just refuses to work on Linux for various bogus reasons.
I have a rooted LineageOS running Android and besides Kostum widgest everything is working fine. Yea I had to fiddle around with the banking app, but other than some popups and ingame stores not working everything is fine.
The fraud-fighting project has fired up quite a controversy
fraud-fighting? Even Google's initial pitch was explicitly describing it as a way to sell more ads.
I wish they'd have grown a pair and outright said "we're forbidding ad blockers in Chrome, come at us". I bet there'd be less controversy. This WEI thing just makes them look like sniveling weasels.
From their point of view, blocking ads probably equals fraud.
From this github comment:
If you oppose this, don't just comment and complain, contact your antitrust authority today:
- UK:
Dear madam/sir
I dont trust googel. take me seriously.
yours, Willer
Dense US citizen here. Eli5 how I should explain "just trust us not to abuse collection of all your data or else get locked out of the world wide web" applies to antitrust laws for the FTC?
I'm genuinely wanting to submit an email complaint/report. I understand that WEI protects nothing, but risks your data with all the sites you visit, all in an effort just to block possibly unprofitable users -- but I'm not sure how to tie in and word the Breaks Antitrust Laws part.
Thank for your time to post these links.
Nothing dense in this, I don't quite know what to write either. In my opinion what you wrote in your comment is just perfect, you're a citizen simply expressing an honest concern, without lying – not all people are tech-savvy. It also makes it clear that it's a letter from a real person.
But that's only my point of view, and maybe I haven't thought enough steps ahead. Let's see what other people suggest and why.
Another dense citizen here. I ould say that you put it quite eloquently in your comment.
But direct the question towards them.
"Would googles new changes on their ad and user policy be affected by FTC data protection laws and GDPR or would they be in compliance"
Or something among those lines.
It's time to use web integrity against them, by blocking access to your site if they "pass" integrity checks, and telling them to use a freedom respecting browser instead.
This is actually already implemented, see here.
Redoing several sites I have ,this will be included
I would support this
Lmao this would be hilarious
Fuck Google 2023
It offers web publishers a way to integrate their websites or apps with a code that checks with a trusted party (such as Google)
Imma stop you right there...
I came to say the same.
"checks with a trusted party (such as Google)"
Google is not a trusted party.
I'm glad the reaction all around seems to be "That's sus as fuck"
Me too, there is hope!
Google: Do
noALL evil.Just like Trickle Down, “Don’t be evil” has aged well and deserves to be repackaged. /s
The motto not the evil
So, how the hell is this supposed to prevent bots? Unless Google are planning to completely lock the browser down to prevent user scripting and all extensions then surely you can still automate the browser?
*waiting patiently for EU to catch on to this.
Google may not like the outcome…
I stopped trusting google when they decided to remove the "Do not be evil" clause
guess money and having a (near to) monopoly changes any company
explain like i'm a developer why wei is bad? ad blocking can already be detected
Only browsers blessed by a single company can view the entire web. Not exactly a feature of the free and open web.
What people are rightfully scared of is that:
- Big websites will only accept attestations from big companies like Google, Apple, and Microsoft
- Google, Apple, and Microsoft will refuse to attest your browser if you have an adblocker installed, or if you are using a browser or operating system they don't approve, or if you made modifications to your browser or your operating system etc.
While adblocking can be detected, you can block anti-adblock scripts, it's sort of a weapons race. Depending on how deep an attestation goes, it might be extremely difficult to fight. Attestations might also be used to block more than just adblockers, for example using Firefox, or rooting/jailbreaking your phone, or installing an alternative OS might make your phone ineligible for attestations and thus locked out of a lot of the internet.
This is much much more than just ad blocking. The mechanism is so generic that it can be used to lock out users for whatever reason. If the "attester" doesn't provide the requested proof then you're just shit outa luck. We should not hand such a power to anyone, let alone big for-profit companies.
Their proposal is that, when you visit a website using WEI, it doesn't let you see it right away. Instead, it first asks a third party if you're "legit", as opposed to maybe a bot or something.
The problem is, it would be really tricky to tell if you're "legit", because people get very, very tricky and clever with their bots (not to mention things like content farms, which aren't even bots, they're real humans, just doing the same job as a bot would). So, in order to try to do their jobs at all, these kind of third parties would have to try to find out a whole bunch of stuff about you.
Now, websites already try to do that, but for now the arms race is actually on our side; the end user has more or less full control over what code a website can run on their browser (which is how extensions like u-block and privacy badger work).
But if the end user could just block data collection, the third-party is back to square one. How can they possibly verify ("attest") that you aren't sus, if you're preventing all attempts at collecting data about yourself, or your device / operating system / browser / etc?
The answer is, they can't. So, to do a proper attestation, they have to have a whole bunch of information about you. And if they can't, they logically have no way of knowing if you're a bot. And if that's the case, when the third-party reports that back to the website you're trying to visit, they'll assume you're a bot, and block you. Obviously.
That's pretty much my understanding of the situation. In order to actually implement this proposal, it would require unprecedented invasive measures for data collection; and for people who try to block it, they might just end up being classified as "bots" and basically frozen out of major parts of the internet. Especially because, when you consider how people can essentially just use whatever hardware and software they want, it would be in these big companies' interests to restrict consumer choice to only the hardware and software they deem acceptable. Basically, it's a conflict of interest, especially because the one trying to push this on everyone is Google themselves.
Now, Google obviously denies all that. They assure us it won't be used for invasive data collection, that people will be able to opt out without losing access to websites, that there won't be any discrimination against anyone's personal choice of browser/OS/device/etc.
But it's bullshit. They're lying. It's that shrimple.
The proposal explicitly goes against "more fingerprinting", which is maybe the one area where they are honest. So I do think that it's not about more data collection, at least not directly. The token is generated locally on the user's machine and it's supposedly the only thing that need to be shared. So the website's vendor do get potentially some infos (in effect: that you pass the test used to verify your client), but I don't think that it's the major point.
What you're describing is the status quo today. Websites try to run invasive scripts to get as much info about you as they can, and if you try to derail that, they deem that you aren't human, and they throw you a captcha.
Right now though, you can absolutely configure your browser to lie at every step about who you are.
I think that the proposal has much less to do with direct data collection (there's better way to do that) than it has to do with control over the content-delivery chain.
If google gets its way, it would effectively switch control over how you access the web from you to them. This enables all the stuff that people have been talking about in the comment: the end of edge case browser and operating systems, the prevention of add blocking (and with it indeed, the extension of data collection), the consolidation of chrome's dominant position, etc.
As other have pointed out, it goes way beyond ad-blocking. It's a complete reversal of the trust model, and is basically DRM for your OS:
Right now, websites assume rightfully that clients can't be trusted. Any security measure happens on the server side, with the rationale that the user has control over the client and you as a dev control the server. If your security is worth two cents, you secure server side. This change propose to extend vendor power, by defining a set of rule about what they deem acceptable as a client app, and enforcing it through a token system. It gives way too much power to the vendor, who gets to dictate what you can do on your machine.
We actually have a live experience of how that could go down with safetynet on android. Instead of doubling down on the biggest security issue there (OEM that refuses to support their software for more than 1 or 2 year after release which, quite frankly, should be universally considered as unacceptable), google decided that OEMs should be allowed way more trust than the user. Therefore modifying your own OS in any way, even if it's ripe with security flaws to begin with and you're just trying to fix that, breaks safetynet. If you break safetynet, "critical apps" like banking apps stop working altogether.
The worst part is that there are ways to circonvent safetynet breakage, because in the end, if DRM taught us anything, it is that if you control the client and know your way around, with enough work you can do pretty much anything you want with it. So bad actors are certainly not kept at bay, you just unjustly annoy people with legitmate usecases or even just experimenting with their hardware because in the end, you consider that your user are at best dumb security flaws, at worst huge cash machine, often both at the same time.We actually have a live experience of how that could go down
Another example: latest iteration of Google Captcha. Released with promises to end manually inputting text captchas, the main thing it turned out to check for is whatever you are logged into your google account. If so, you get through automatically, or, at worst have to press a checkbox. If you are not logged in, enjoy selecting fire hydrants and crosswalks.
Basically the website will just not render if the browser does not have a proper credential, or if the ad's are blocked. He'll they could also block Linux OS clients from accessing these same websites.
They don't care about a "safe web environment". That is not making them any more money. Knowing much more about their users and being able to perfectly match everything a user does anywhere with Googles advertising business, though, will.
This is actually in correct. They do care about it because they are going to enforce a standard. Which means they will be able to force ads to be displayed. Ads is Google's main revenue source.
While you are at it, convince Apple to allow Firefox on iOS, and decline to use WEI in Safari. Otherwise there's no way to avoid WEI on iPhone, and only one mainstream rendering engine free of this insidious malware. Many companies will shy away from it if it breaks mobile apps on the Apple platform.
I think with the possibility of sidloading apps, Apple in Eu will have Firefox
Here's hoping that happens, but it still won't fix two things: Firefox is kinda weird and clumsy on mobile, and it'll still need attestation if that's implemented on key websites as a hard-barrier to usage. I'm now on Android (I alternate between the two, so next cycle will be Apple), and even as a highly technical type I don't sideload on there anyway, so I think few will sideload on iOS either.
Vote with your wallet. Corporations only understand money. If users leave because they are not getting what they want, they'll get what they want.
On mobile web in iOS browsers, they'll just do the old "install our app to continue" move.
Probably, which gives more ways to collect data and still uses WebKit underneath.
Well passed time to do some monopoly busting.
Monopoly busting. Ecosystem lock-in. Right to repair. Software patent reform. Privacy and AI regulation.
What do lawmakers even do these days anyway?
What do lawmakers even do these days anyway?
Accept bribes. Insider trading. Forment outrage.
Screw the proletariat, mostly
Would WEI stop Adblock by DNS? Like pihole or similar ?
Basically it's a way for a "third party" that's chosen by the web server to verify the environment where the front end code is running meets its standards. Those standards would be up to the third party. So I'd imagine if an assessor said "hey, we can verify ads load properly" or even "we verify this extension isn't running" then many sites would possibly choose those assessors. It also is blatantly deceitful because of all the issues it suggests it can fix, it doesn't actually fix any of them. And many of them aren't even that big of a problem.
From my very basic understanding of it yes. It in effect checks what's loaded against what was served and if there's a discrepancy it does its thing.
Note. If I have misunderstood please someone correct me.
Yes and no. They can freely enforce a specific DNS server and reject any browser with a custom one as "tampered with". Just like they can freely enforce any part of your system being like they want it to be "or else".
All of that can be easily checked via JavaScript, but now if you world use extensions to disable those checks you would not pass the attestation.
So yeah, essentially you no longer have control over your computer, and need to bend over and accept everything the site owner wishes to do.
bend over and accept everything the site owner wishes to do.
Including a malicious site owner's wishes.
No, but that only works if the ads are being served by known ad hosts, so you should expect that adtech will get hip to that and proxy their traffic through the same hosts as the content.
That being said, it’s pretty easy to check if a user has network blackholing going on in clientside JavaScript, you just do a test request to a popular ad network and see if it resolves, no special browser support needed.
No that should still work. The server will send a page to your browser, and when the browser renders it, it will request the ad. And your pihole will block the request.
Unless WEI somehow changes how page rendering works but I don't think so.
Not really. The environment could easily include resolution of an ad server. If a site uses two ad servers and neither resolves, the attestor could decide to fail the environment. The problem is the attestation is left open for the attestor to create. It could check web browser, extensions, operating system, etc. I fail to see how this is at all privacy protecting to begin with.
There's no way there's a legitimate argument why this is good for us/the internet
it says something about "spoofing identity" which raises a good question. If this does happen, how difficult would it be to just lie about your client environment with a spoofer of some sort?
That's exactly what it is trying to prevent. Basically you, as an user is not to be trusted, so the website and your own computer work together to prevent you from doing anything the site deems inappropriate, like spoofing things, blocking ads etc.
It would be difficult. Your operating system, the browser, and the website's code would have to be compliant to pass the WEI check
Let's say you use a non-compliant OS (linux), or a non-chromium browser, or use userscripts, in all three cases you are locked out of the website.
*its
Fixed - thank you.
We do not decide what is right and what is wrong.
But you don't accept our drm do you're wrong.
I ain’t trusting nobody
The word "intend" comes up quite a bit around this topic.
Just like Trickle Down, “Don’t be evil” has aged well and deserves to be repackaged. /s
I'm a bit less worried after reading this comment, which explains things like how they DON'T want it to be "DRM for the web" and the proposed measures to prevent it. https://github.com/RupertBenWiser/Web-Environment-Integrity/issues/28#issuecomment-1651129388
This is classic Google/corporate strategy - make it "digestable" to the most vocal public and address the concerns on the surface, then slowly erode, lock in and enshittify. Look at what's happened to Gtalk/Hangouts for instance - everyone using other XMPP clients eventually switched to Gtalk since it was an open protocol and they could also continue using their existing clients, but after some time Google locked them in, then completely killed XMPP, then completely killed Hangouts.
It may subjectively look like Google is trying to address concerns around Web Integrity and sure, initial iterations may all be harmless and won't break anything, but I'm 100% willing to bet that as people put their pitchforks down and Web Integrity all but fades away from public memory, they'll start to lock you in with more and more DRM-like features, more and more websites will start to adopt it, until one day, you suddenly look back and realize you've been had, and how shitty the web has become - but by that point, it's too late to change anything.
We need to nip this in the bud, before it even takes off. It goes grossly against the open web envisioned by Sir Tim Berners-Lee, regardless of its "good" intentions.
Google had said a lot of things during the years. Lying is second nature. As soon as there is a possibility to increase revenue, get on the good side of advertisers, or decrease competition, they will.
You have to understand that they are working under capitalism, where the only thing that matters is to grow your profits every year, or your stocks tank.
They are there for profits, and don't care at all about the internets health or wellbeing. Maybe some employees do but it doesn't matter. They don't decide what to work on.
Google wants the internet sites to be like cable TV. You subscribe to them, you can't block ads, and you have to run their allowed operating systems and devices. They make all the rules. You can do nothing.
WEI code is already being merged while Google is trying the "finding a suitable forum" tactics. If it's truely for open web's benefit, why the rush?
I think we need to start being very realistic here.
Google has ad buying customers who want their ads served, and it's those customers that would probably opt into the SDK and API in the first place. Scope matters.
Next there's a plethora of freeloaders on the Internet who consume mountains of content but who scoff at paying for or contributing to the Internet.
Lastly I'm not seeing anything here that says it will block a site like Lemmy for example.the one thing I do find problematic is this potentially limiting competing browsers
I guess you missed the part about being able to "validate" plugins, entire operating systems, dns resolving etc.
I don't care about Googles financial problems. I don't use their services. They can close down YouTube if they don't have enough paying customers. Same with Google search. Bye Google. And the internet is suddenly a much better place.
I'm going to guess half of the proposal is to waste time and distract from the minimum requirement they're hoping to actually pass. We saw this a lot in general politics in the US: you make a bold overshooting statement while passing legislature on the side.