This is a credible proposal for DRM for websites in general. It would enable unbeatable adblock-blocking. It would prevent user customization for not just convenience but also accessibility.

I do not say this lightly: Enabling the forfeiture of control over the browsing experience is a fundamentally evil idea that must be rejected now, as it has been in the past, and we must remain vigilant against its reemergence in the future.

https://github.com/RupertBenWiser/Web-Environment-Integrity/blob/main/explainer.md

@gsderp Jeeez. And I was worried about DNS over HTTPS or TLS, this is a whole other level of horrific.

@noxypaws DOH/DOT is dual-use, attestation is not. DOH/DOT is an unequivocal good when it enforces the free choice/consent of a device user-owner to control what resolver is used, and to enforce privacy in that use, (against/over the interests of a network-path interloper,) which is essential for further privacy improvements like ECH to be meaningful. In contrast, the fundamental purpose of attestation is to subvert a device owner-user’s ability to enforce their consent and exercise meaningful control over what their device does, which is indefensibly evil.

@gsderp Yah, agreed on all points. DOH/DOT is a double edged sword but seems mostly good - I just think a lot about how my LG TV, for example, could start evading DNS based ad blocking.

But yeah this attestation crap sounds just deeply awful.

@noxypaws The problem with the TV falls squarely under the umbrella of eroded owner-user rights. (Well, at the edge where they just flat out don’t exist any more.) DOH/DOT being available for use by your browser doesn’t enable a shit TV to do anything it couldn’t already have done. At most, DOH/DOT being an off-the-shelf standard means a substantial reduction in the work they would need to do to implement their own secured host resolution.

@noxypaws @gsderp The funny thing is the champions of that crap usually cannot tell what the use case/benefit for the user are.

E.g. Why the f$ck do all kinds of “security conscious” apps on my phone require attestation, thus locking me out because I run a custom rom. But they have no problem running on an Android 4.0 mobile that had no security updates for years. There are literally apps that can root these things on the fly, given the gazillion of severe security bugs out there.

@noxypaws @gsderp Theory, which probably is the real reason, when I take the total non-representative sample of people I know in real-life and have seen their phones: 90% of phone users don't care about updates, would literally buy phones that are out of support.

Attestation is not about security, it's about control.

BTW, Google has turned off the possibility for github users to comment on the repository.

Guess why, their personal armour was not that pitchfork safe.

@yacc143 @noxypaws My assumption is that they were tasked to “do something” about click fraud.

Ad/click fraud (not related to ad blocking) is a genuine problem. However, between the futures of an open web where ad money dries up because of ad fraud and many services become unviable, and a world where remote attestation reaches critical mass and gets leveraged for the hellscape of other evil possibilities it enables, I’ll take the former any day. I have zero sympathy for anyone who supports the latter.

@gsderp @noxypaws
But click fraud is only a symptom of the “individually tracked user level ad industry”.

Pre-Internet the industry lived with rough statistics. And they lived and it worked.

You can only commit view/click fraud because the industry insists on counting them exactly.

If the ads were like in the real-world part of the website that shows them, the advertiser would only have rough numbers (e.g. view estimations from services like alexa ranking). 🤷

@gsderp @noxypaws Google is in a way pretending to solve a problem that THEY have created.

Ruining it for the rest of humanity, but you have to understand, it's Google.

@yacc143 @noxypaws @gsderp same for me with computers

I would rather Word and other programs not update--just let me buy them and then leave me alone

@Ferles @yacc143 @gsderp Violently agreed.

I'm fucking fed up with rent seeking software. Fuck a subscription.

@Ferles @yacc143 @noxypaws @gsderp Exactly. Plus it's extremely enraging when you get to a remote place, with no internet, and can no longer use your software, or the files you have already saved locally, simply because 365 derped and forgot that you were a subscribed user. Yes, this is with "use offline" turned on and having been connected within 30 days. Sometimes it works, sometimes not. But, that's the ONLY choice you have when you work remotely with an iPad.

@gsderp @noxypaws Only if device owner is the same person as holding the device physically. Which in many cases is true, but it's not if my device is (temporarily) in somebody else's control. I see that attestation has a big potential to do evil, but attestation as done in e.g., GrapheneOS or on your own Linux laptop is quite a security benefit *if* (temporary) physical access by a non-owner is a realistic scenario.

You can say that physical access means automatically having lost of course, but that's just unrealistic.

The key is being able to control the attestation device and enroll your own keys. Or, as @mjg59 described it:

> _An aside: when I say "trustworthy", it is very easy to interpret this in a cynical manner and assume that "trust" means "trusted by someone I do not necessarily trust to act in my best interest". I want to be absolutely clear that when I say "trustworthy" I mean "trusted by the owner of the computer", and that as far as I'm concerned selling devices that do not allow the owner to define what's trusted is an extremely bad thing in the general case._

@gsderp I am glad to see strong dissent in the repo issues, if nothing else

@noxypaws @gsderp first thing I did was check the discussions. It's bad enough that most people don't have admin access to their phone's OS. No need to spread such BS further.

And by the way, my apps don't detect my phone is rooted unless I want them to. So, it's trivial to get around what they propose, especially for anyone motivated enough to run bots.

@gsderp how exactly do we prevent this? Who do we contact?

@BeamsAndBows @gsderp we can all complain to google, but since they recognized years ago that they'd need to control the web and effectively do so now via chrome (same for mobile and android): if they want to do it they will

@halcy @BeamsAndBows @gsderp how does one even attempt to complain to google? they've really been maintaining the "impenetrable wall" style of user interaction for years, but if they're accepting complaints, i have some thoughts about the hard turn to fascism in everything from youtube to google news to the android store

@BeamsAndBows @gsderp Apple, for one. We need Apple unequivocally opposed to this and refusing to do it on their devices.

@dalias @BeamsAndBows @gsderp Apple already shipped an equivalent with https://developer.apple.com/videos/play/wwdc2022/10077/

Marketed as a way to get rid of CAPTCHAs but basically the same thing with some details being different

@dalias @BeamsAndBows @gsderp To emphasize, this actually shipped in current versions of Apple's OSes and is in active use by Cloudflare and Fastly at least

@rain @BeamsAndBows @gsderp Still, Apple.

They don't have to be consistent or morally upright in this. It's perfectly fine to have them demonize and refuse to implement Google's thing even while they have something functionally similar of their own.

@rain @BeamsAndBows @gsderp Apple's thing is relatively harmless because every site knows only users of luxury devices have it and they can't rely on it being present. Having it be a web standard and sites being able to assume cheap devices have it (and locking out anyone who doesn't submit to using one) is what would be disastrous.
Private Access Tokens

This document defines a protocol for issuing and redeeming privacy-preserving access tokens. These tokens can adhere to an issuance policy, allowing a service to limit access according to the policy without tracking client identity.

@dalias @BeamsAndBows @gsderp I don't see how that serves the cause of freedom, we're just going to have two different standards that eg banks can check for either of them to lock out free OSes

@rain @BeamsAndBows @gsderp Ah, you're saying it doesn't matter if Apple doesn't implement because of that. Yes. But having them vocally oppose it and keep it out of standards agenda would still be useful.

@rain @dalias @BeamsAndBows @gsderp If it is basically the same thing, how come ad blocking in Safari not only still is possible, but even kinda encouraged through built-in support of content blockers?

@neo @rain @BeamsAndBows @gsderp Um, because Apple isn't an ads company.

Attestation "proves" the client is an actual Apple device running the software Apple wants it to be running, which includes ad blocking support because that's not contrary to their interests. The problem comes when that's Google.

@dalias @rain @BeamsAndBows @gsderp Which means we can be quite sure that Apple will refuse to implement whatever Google is proposing, while Google can not afford to lock out millions of iOS devices where they simply can't install their own browser engine, which, for once, could be a good thing. 🤔
@neo @rain @BeamsAndBows @gsderp Unfortunately Apple already has a comparable thing, but it just promises the client is a genuine Apple device, not that it follows Google's rules. Still, with both duopoly platforms having one of these, they'll lock out all non-locked-down alternatives. 🤬
@rain @dalias @gsderp bloody hell, is there any hope for escape from corporate abuses?

@BeamsAndBows @dalias @gsderp Not in the short term. these megacorps are built on top of FOSS and now want to kill it, for consumer software.

FOSS is just not compatible with DRM. Just can't square the two

@BeamsAndBows @rain @dalias This is no panacea, and it is highly general/nonspecific, but I wonder if there might be an avenue for small local wins through civic involvement and adding privacy-ensuring conditions to government contract requirements. Consider little things like putting into local law that a bank is ineligible to be awarded a contract to handle the city govt’s accounts if its mobile app or website discriminates against vpn users, people who use a voip phone number, or people who use a phone that doesn’t pass safetynet checks. Stuff like that.

@gsderp What I read from this:

> Authority over "good" browsers. Compiled it yourself with a fix? You're screwed.
> Kick out "modified" devices, granting Google, Apple and Microsoft a de-facto monopoly on computers and smartphones
> Adblockers shall die
> They want more (reliable) ad revenue
> Prevent fingerprint anonymization
> Bind every user to a specific traceable public key. Yet another surveillance factor

Sure they use fancy excuses but in the end it's always the same bullshit with them.

"For example, this API will show that a user is operating a web client on a secure Android device."

This whole approach can not work in an open source infrastructure (custom ROM, Linux desktop, ...). Instead, the approach requires the device to act against the interest of its owners. Any open source device can always be reprogrammed to stop doing that.

@Natanox @gsderp

@dj3ei @Natanox @gsderp the stupid games/stupid prizes part is the web scraping and astroturfing people have their whole livelihood on the line reverse engineering and defeating it whereas individual users are in the middle with less capability.

there's no doubt in my mind that if google rolls something like this out, the "trust" model will wind up relaxed for interactions that score high in attestation, meaning that someone who defeats attestation will have an easier time carrying out sim-swap and phishing attacks on the web. meanwhile the astroturfers, once compromised attestation keys and "verified" installs on server VMs exist will wind up with the same or greater capability as they have today.

The worst, and a potential outcome, is that attackers have a better understanding of the nuances of how this game is played than either the "users" (really website operators and ad networks in their paper) and us and wind up selling our access to the web back to us -- ironically selling us the tricks they use to bypass attestation roadblocks so we can "prove we're human".

@prozacchiwawa @dj3ei @Natanox @gsderp Those folks they claim it's supposed to stop already have it solved, the same way they do for farming mobile game currency: paying someone to sit in front of 100+ phones and babysit them. This can easily be automated further if needed. The *only* people it impedes significantly at all are normal good faith users who don't want a cop in their pocket.
@gsderp Switch to Gemini. It's not even possible for anyone to pull something like this. 😉
@gsderp Tim Berners-Lee is spinning in his grave and he's not even dead yet.
@gsderp I’m interested in how @Vivaldi and @brave will be handling this. Will they be further forking their Chromium base to avoid this horror show?
@wiredfire We're aware of the matter, and we're looking into this.
@Vivaldi I suspected you would 😁 Thanks!
@gsderp
Somebody stick a fork in the internet
@gsderp that was instantly my first thought when I saw it, too. and naturally it's an all-goog effort (at least looking at the authors) -_-
@gsderp
I love how this is submitted as a seemingly personal project, just some engineers thinking about some stuff on the side :D
@monad_cat @gsderp why would you work on this and why would you put your name at the top? Are these people real?
@acute_distress @monad_cat @gsderp: Bay Area brainworms tunnel in deep.

@gsderp Here I was hoping we could find an HTML-like extensible language for apps so they can be hooked into and tweaked.

Instead, we are now headed towards an internet that makes the open web more like these shitty apps!

And, because 'compassion fatigue' has set in among the wider population, it automatically makes any protest against this a mammoth task...

If this proposal manages to ram its way through, we are gonna set humanity back by several decades... 😔

@gsderp The explainer specifically outlines that an important goal is to ensure it *cannot* be used in the way you are describing.

@digifox As a framework it doesn’t and can’t do anything to mitigate against sites deciding to trust only attesters that require immoral (anti-user freedom) criteria as part of their “baseline”.

The “holdback” mitigation is incapable of delivering the stated goals of making sure this isn’t usable for discrimination. The framework is prima facie immoral if the holdback percentage isn’t high enough to make this useless for every case except measuring ad fraud. However, if holdback isn’t stable, even if the holdback percentage is high, sites can still discriminate against users that never pass it. If the set of held-back destinations is stable the set of held-back destinations becomes a useful and durable fingerprint. Furthermore there’s the relatively intractable problem of destinations colluding to share trust signals and enabling discrimination based on that.

There is no open web if an attestation framework gains critical mass, so such a framework must not be allowed to exist.

@gsderp to be clear: I agree with you. But by specifying this as a design goal it is effectively drawing a line in the sand that any solution that doesn't meet it is not acceptable and the proposal will be scrapped or drastically overhauled.
@digifox They haven’t even bothered to reject the issue complaining that there should be zero holdbacks because any holdbacks at all would make it useless for (evil) use cases.
@gsderp it's absolutely wild that this document opens by attempting to come up with user-friendly-sounding justifications for this brazen act of user-hostility and literally the first one is "users don't like our ad-heavy websites"? like, yeah, too right we don't, but "remove the option to do anything about it" is not a pro-user solution

@gsderp couldn't put it much better than @mhoye in https://github.com/RupertBenWiser/Web-Environment-Integrity/issues/28#issuecomment-1642559280:

> Is this the work you wanted to do? Was this the dream, is this the kind of engineer you wanted to be? Because you have agency too, you can still make choices about who you want to be and how you want the world to be different because you were in it, and maybe they can be better choices than this.

@gsderp *nods in agreement*

We also need people besides #TechLiterates like @aral and others to be aware of it, and literally get those needing #accessibility to know this ableist trash and publicly outcall the use of it...