- cross-posted to:
- programming@programming.dev
- cross-posted to:
- programming@programming.dev
I’m happy to see this being noticed more and more. Google wants to destroy the open web, so it’s a lot at stake.
Google basically says “Trust us”. What a joke.
WEI can potentially be used to impose restrictions on unlawful activities on the internet, such as downloading YouTube videos and other content, ad blocking, web scraping, etc.
Not one of those things is illegal.
Some are against a site’s TOS and some are outright fine.
This is the most disturbing “boring dystopia” thing yet.
deleted by creator
This is why projects like tor are important
Yes exactly. This is what worries me the most since I also run only Linux, and I can’t imagine even being interested in computers anymore if Linux is not allowed on the web. That would be horrific.
It’s 100% critically dangerous and must be stopped.
I’m a bit less worried after reading this comment, which explains things like how they DON’T want it to be “DRM for the web” and the proposed measures to prevent it. https://github.com/RupertBenWiser/Web-Environment-Integrity/issues/28#issuecomment-1651129388
They claim it’s to prevent bots, but we all know it’ll soon become standard in every WAF out there (Cloudflare, Akamai, etc) to just blanket block browsers failing attestation.
All you need to know what will happen is to root an Android phone. You’d expect Netflix and bank apps and other highly sensitive apps to stop working. Okay, I can accept that, it kind of make sense. But the more you use the phone the more you realize a ton of apps also refuse to work. Zoom complains and marks your session as insecure, the Speedtest app refuses to test your speed, even the fucking weather app won’t give you weather anymore. Jira/Confluence/Outlook/Teams also complain about it. It’s ridiculous.
Even if it’d trust Google to not misuse the feature and genuinely use it to reduce ad fraud, the problem is the rest of the developers and companies. Those, they absolutely cannot be trusted to not abuse the feature to block everyone. Security “consultants” will start mandating its use to pass security audits, government websites will absolute use it, and before you know it, half the web refuses to work unless you use Chrome, Edge or Safari.
Yup I noticed this also. I used a rooted phone without Google apps on it and so many apps simply refused to work. They use Googles api in the background which means Google finds out about literally everything we do on our phones. They already own the entire operating system but we can’t even run apps without them being in the middle.
This is all similar to using Microsoft Windows or Mac OS so I guess people are so used to this behavior that it’s somehow ok.
But I’m a long term Linux user and I’m used to the OS not calling home and not reporting what apps I use. And this is how it should be. I’m so over big tech it’s not even funny anymore.
I used a rooted phone without Google apps on it and so many apps simply refused to work. They use Googles api in the background
This has nothing to do with being rooted but with Google encouraging people to build apps using its proprietary libraries to make Google Android more valuable than Android Open Source Project. There may be a connection to the EU’s attempts to stop Google from forcibly bundling several of its other apps with the Play Store.
For most use cases, good alternatives are available and it’s just a matter of developers being lazy, but I’m not sure there’s another good option for chat apps to get timely notifications without high battery consumption. MicroG provides an open source alternative to Google’s libraries and works for most apps, including chat notifications.
I have a rooted LineageOS running Android and besides Kostum widgest everything is working fine. Yea I had to fiddle around with the banking app, but other than some popups and ingame stores not working everything is fine.
I heard spoofing safety net is possible with magisk so banking apps should work with it
Unfortunately some apps don’t check only for SafetyNet
What other ways are there? At least my banking app worked with spoofed safetynet
Checking whether the bootloader is locked or not, checking for abnormal system properties like whether the ROM is using release keys or test keys, and other methods that idk of, you can test momo which is an app that checks the environment and tells you if there is anything abnormal about it, some use it to check if they were successful at hiding root and anything abnormal
If you are not using Firefox now is a good time to start.
I have too use Edge at work. Is Edge also implementing this shit?
Im so sorry u should use it…
Just switched yesterday, was way easier than I thought it would be. I’m converted on all my devices, all my stuff has been synced from Chrome in a few clicks. Just do it people.
Firefox in the meanwhile but long term we need to move away from the unfathomably bloated web
protocolstandard/browsers.
explain like i’m a developer why wei is bad? ad blocking can already be detected
What people are rightfully scared of is that:
- Big websites will only accept attestations from big companies like Google, Apple, and Microsoft
- Google, Apple, and Microsoft will refuse to attest your browser if you have an adblocker installed, or if you are using a browser or operating system they don’t approve, or if you made modifications to your browser or your operating system etc.
While adblocking can be detected, you can block anti-adblock scripts, it’s sort of a weapons race. Depending on how deep an attestation goes, it might be extremely difficult to fight. Attestations might also be used to block more than just adblockers, for example using Firefox, or rooting/jailbreaking your phone, or installing an alternative OS might make your phone ineligible for attestations and thus locked out of a lot of the internet.
Their proposal is that, when you visit a website using WEI, it doesn’t let you see it right away. Instead, it first asks a third party if you’re “legit”, as opposed to maybe a bot or something.
The problem is, it would be really tricky to tell if you’re “legit”, because people get very, very tricky and clever with their bots (not to mention things like content farms, which aren’t even bots, they’re real humans, just doing the same job as a bot would). So, in order to try to do their jobs at all, these kind of third parties would have to try to find out a whole bunch of stuff about you.
Now, websites already try to do that, but for now the arms race is actually on our side; the end user has more or less full control over what code a website can run on their browser (which is how extensions like u-block and privacy badger work).
But if the end user could just block data collection, the third-party is back to square one. How can they possibly verify (“attest”) that you aren’t sus, if you’re preventing all attempts at collecting data about yourself, or your device / operating system / browser / etc?
The answer is, they can’t. So, to do a proper attestation, they have to have a whole bunch of information about you. And if they can’t, they logically have no way of knowing if you’re a bot. And if that’s the case, when the third-party reports that back to the website you’re trying to visit, they’ll assume you’re a bot, and block you. Obviously.
That’s pretty much my understanding of the situation. In order to actually implement this proposal, it would require unprecedented invasive measures for data collection; and for people who try to block it, they might just end up being classified as “bots” and basically frozen out of major parts of the internet. Especially because, when you consider how people can essentially just use whatever hardware and software they want, it would be in these big companies’ interests to restrict consumer choice to only the hardware and software they deem acceptable. Basically, it’s a conflict of interest, especially because the one trying to push this on everyone is Google themselves.
Now, Google obviously denies all that. They assure us it won’t be used for invasive data collection, that people will be able to opt out without losing access to websites, that there won’t be any discrimination against anyone’s personal choice of browser/OS/device/etc.
But it’s bullshit. They’re lying. It’s that shrimple.
The proposal explicitly goes against “more fingerprinting”, which is maybe the one area where they are honest. So I do think that it’s not about more data collection, at least not directly. The token is generated locally on the user’s machine and it’s supposedly the only thing that need to be shared. So the website’s vendor do get potentially some infos (in effect: that you pass the test used to verify your client), but I don’t think that it’s the major point.
What you’re describing is the status quo today. Websites try to run invasive scripts to get as much info about you as they can, and if you try to derail that, they deem that you aren’t human, and they throw you a captcha.
Right now though, you can absolutely configure your browser to lie at every step about who you are.
I think that the proposal has much less to do with direct data collection (there’s better way to do that) than it has to do with control over the content-delivery chain.
If google gets its way, it would effectively switch control over how you access the web from you to them. This enables all the stuff that people have been talking about in the comment: the end of edge case browser and operating systems, the prevention of add blocking (and with it indeed, the extension of data collection), the consolidation of chrome’s dominant position, etc.
There’s an ongoing protest against this on GitHub, symbolically modifying the code that would implement this in Chromium. See this lemmy post by the person who had this idea, and this GitHub commit. Feel free to “Review changes” –> “Approve”. Around 300 people have joined so far.
I don’t think filling Google repositories with complaints and well-intentioned, but garbage issues/pull requests. At best they’ll just delete them occasionally and at worst work less in the open, changing permissions on repositories, doing discussions more in internal tools.
What you can do is support alternative browsers, get other people to use them too and notify news as well as your local politicians about such problems. Maybe join organizations on protecting privacy or computer clubs (in Germany, support e.g. Netzpolitik.org and CCC).
Maybe acknowledge what the in-principle good things about WEI would be and support alternative means of achieving them. This proposal uses good things like less reliance on captchas and tracking, a simple to use API to enable a huge potential for abuse and power grab. Alternatives might be a privacy pass, as mentioned by WebKit https://github.com/WebKit/standards-positions/issues/234
It won’t block browsers that spoof their identity? Yeah, sure.
Trust me, I’m Google.
Hey kid, I’m a computer. Stop all the downloading.
Help computer.
Who wants a body massage?
You’re not cooking…
Pork chop sammiches!
From this github comment:
If you oppose this, don’t just comment and complain, contact your antitrust authority today:
- UK:
Dear madam/sir
I dont trust googel. take me seriously.
yours, Willer
*waiting patiently for EU to catch on to this.
Google may not like the outcome…
They don’t care about a “safe web environment”. That is not making them any more money. Knowing much more about their users and being able to perfectly match everything a user does anywhere with Googles advertising business, though, will.
It’s time to use web integrity against them, by blocking access to your site if they “pass” integrity checks, and telling them to use a freedom respecting browser instead.
This is actually already implemented, see here.
Absolutely. And build web sites where all browsers and operating systems are welcome.
Not that I find idea bad but doesn’t this statement contradict the one you’re commenting?
Yes you are right actually. :P
Can’t get that past a programmer can I… :)
deleted by creator
Google does not have a trusted position.
From the point of web infrastructure and standards, they certainly do.
They used to have a motto like “Do no evil”, which was kinda sus to begin with (they were a search engine in a time when many didn’t even consider the evil possibilities of the internet). But if you start out with a motto like that, it’s even more sus if you suddenly drop it, which they did.
Just like Trickle Down, “Don’t be evil” has aged well and deserves to be repackaged. /s
While you are at it, convince Apple to allow Firefox on iOS, and decline to use WEI in Safari. Otherwise there’s no way to avoid WEI on iPhone, and only one mainstream rendering engine free of this insidious malware. Many companies will shy away from it if it breaks mobile apps on the Apple platform.
I think with the possibility of sidloading apps, Apple in Eu will have Firefox
Here’s hoping that happens, but it still won’t fix two things: Firefox is kinda weird and clumsy on mobile, and it’ll still need attestation if that’s implemented on key websites as a hard-barrier to usage. I’m now on Android (I alternate between the two, so next cycle will be Apple), and even as a highly technical type I don’t sideload on there anyway, so I think few will sideload on iOS either.
On mobile web in iOS browsers, they’ll just do the old “install our app to continue” move.
Probably, which gives more ways to collect data and still uses WebKit underneath.