In the present day, are alternative browsers popular enough that we can avoid the worst-case scenario? Do enough people compile these alternative browsers from source code (meaning each binary is slightly different) to make a difference?
> Users like visiting websites that are expensive to create and maintain, but they often want or need to do it without paying directly. These websites fund themselves with ads, but the advertisers can only afford to pay for humans to see the ads, rather than robots. This creates a need for human users to prove to websites that they're human, sometimes through tasks like challenges or logins.
So if this goes forward, websites will be able to call the web environment integrity API to check you are a proper ad-watching human before serving content.
Jamie Kellner's words still ring true today. When corporations make content available supported by advertisements, they are assuming a moral obligation on your part to see those advertisements. Violating that obligation is felony contempt of business model.
Not a lawyer, but in my understanding, the core property of a contract is that both sides are aware of it, in particular of their obligations in the contract. There must also be a defined moment the contract is concluded.
This is specifically not the case with ads: Ad-supported services are frequently advertised as "for free", not in the sense that ads are the "payment". Even if they were, they would be unlike any other business transaction as the service provider is free to change the "price" (i.e. amount of ads shown) at any time.
That's not even considering all the situations where you're subjected to ads without receiving any kind of service - or where something that you paid money for suddenly starts to show you ads too.
Felony contempt of business model indeed, as well as theft of assumed future profits!
I live in Norway, and even "serious" advertisers shows me alcohol and gambling advertisiments. This is strictly forbidden by norwegian law, yet I have seen multiple advertisements of this kind from Google, Facebook and Discovery. Discovery in particular has just recently agreed to follow the law for television broadcasts, to be fair.
GDPR is also violated a lot, especially by advertising corporations. I have never consented to the vast amount of tracking that I'm subjected to when browsing the internet, even though I have that right.
It's not like they are obligated to provide services to my country either. If european laws are too strict, they can always leave instead of violating our rights.
I don't like you cause you contradicted me the last time, therefore I'm going to mod you into oblivion :]
"Ad blockers need to be prevented. The new WEIE APIs will ensure that ad blockers aren't running and that no DRM is being compromised."
"We also want to prevent ad fraud. With WEIE we can ensure that ad clicks are legit and that people are watching the ads we show. If we can't control the operating system like we can on Chromebooks and Android phones, then we need to control the web browser with cryptographic certainty."
What about all the people who have an outdated browser and don't know how to update it?
edit: One of the goals addresses this[0]:
Continue to allow web browsers to browse the Web without attestation
> How does this affect browser modifications and extensions?
> Web Environment Integrity attests the legitimacy of the underlying hardware and software stack, it does not restrict the indicated application’s functionality: E.g. if the browser allows extensions, the user may use extensions; if a browser is modified, the modified browser can still request Web Environment Integrity attestation.
Then what's the point? I can make modified bot browser that commits ad fraud as long as I don't use a rooted Android phone?
I don't believe they're being honest with how this will be used. We need to legally regulate remote attestation.
> As new browsers are introduced, they would need to demonstrate to attesters (a relatively small group) that they pass the bar, but they wouldn't need to convince all the websites in the world.
It speaks for itself. Horrid.
Getting browsers to adopt and implement Web Environment Integrity is Step 1.
Step 2 is where all Google web sites start requiring Web Environment Integrity to be used or they lock you out of the site.
Step 3 is where all websites serving Google ads require Web Environment Integrity to be used.
Step 4 Profit!
This is the beginning of the further DRM-ification and enshittification of the Web.
Another use case is multiparty computation. Three people wish to compare some values without a risk that anyone will see the combined data. TC can do this with tractable compute overhead, unlike purely cryptographic techniques.
Observe what this means for P2P applications. A major difficulty in building them is that peers can't trust each other, so you have to rely on complex and unintuitive algorithms (e.g. block chains) or duplication of work (e.g. SETI@Home) or benign dictators (e.g. Tor) to try and stop cheating. With TC peers can attest to each other and form a network with known behavior, meaning devs can add features rather than spend all their time designing around complicated attacks.
These uses require you have a computer that you do trust which can audit the remote server before uploading data to it. But you can compile and/or run that program on your laptop or smartphone, the verification process is easy.
But exactly because TC is general it doesn't distinguish based on who owns the machine. It doesn't see your PC as morally superior to a remote server, they're all just computers. So yes, in theory a remote server could demand you run something locally and then do a HW remote attestation for it. In practice though this never happens anymore outside of games consoles (as far as I'm aware), because most consumer devices don't have the right hardware for it, and even if they did you can't do much hardware interaction inside attested code.
Yeah, this just incentivizes spammers to copy the parts of Chromium that do the attestation (or whatever browser has source available), and use that to pretend they're Chromium. There will always be workarounds. This seems to kill innovation and allow spammers to flourish.
I suppose I can understand an argument that they want to prevent scraping, but this is absolutely not going to stop that.
I'd go a step further. We need to ban it. It should be illegal to sell devices to consumers that already contain private keys, unless all of said keys are provided to the consumer at the time of purchase.
So computers, phones, and game consoles cannot have remote attestation but home security systems, ATMs, e-Readers, medical devices, water/electricity usage meters can do remote attestation.
