Where was that pointed out? To me it seems that they are not all that different on any level[0]. Not in terms of expressed goals, nor in terms of technical capabilities for capacity to exclude minority browsers or operating systems if misused. The only real difference was PATs being launched with a very specific PR spin of "fewer captchas".
It isn't just "make ad-blocking (near) impossible" as the current title of the submission suggests. It is:
Make browsing the internet possible only on Chrome, Safari or Edge (with no modifications or extensions). No competition allowed in browsers.
Make browsing the internet possible only on macOS, Windows, Android or iOS (no custom Android distributions, definitely no LineageOS or GrapheneOS or whatever). No competition allowed in Operating Systems, especially no open source operating systems.
Make crawling the internet possible only to Google. No private crawling and no competing search engines.
Make browsing the internet possible only on CPUs allowed by Apple, Microsoft, Google. So no RISC-V just yet, and even when RISC-V will be supported by them: No competition allowed in CPU.
Make browsing the internet possible only on SoCs allowed by Apple, Microsoft, Google. No competition allowed in SoC. [0]
Make browsing the internet possible only on form factors approved by Apple, Microsoft, Google. So no calculator with a web browser [1]. No competition allowed in form factor.
Make browsing the internet possible only on UX approved by Apple, Microsoft, Google. So backtracking 10 years ago, when Android made documents-oriented web browser (= each tab appears just like a standalone app in recent apps), that would have been abuse of that position. No competition allowed in UX. [2]
PS: I come from Android OS world, all those examples already apply to Google/Android.
[0] Well this one will depend on whether their Web Environment Integrity implementation will enforce full secure boot approved by them. Considering how it went for Android, I'd say it will, but can't say for sure.
[1] Yes you can find calculators running Android (but can't run Google/Android so no Chrome). Amongst a lot of other weird Android devices. You can find walking robots, toothbrushes, urinals running Android.
[2] You'll probably find a better example. Arguably it's the same as "competition allowed in browsers", but that was an OS-wide change, but saying it's "OS" IMO largely reduces it.
You don't need this to stop innovations in CPUs, any new CPU will be for non-computers or for servers - for the same reason that Linux is not yet king of the desktops, which is that people need their computers to run old software.
So? They can force you to pick between running old software or running new software. This is hardly new if you look at the broader "compatibility" scene. Old hardware and software are being dropped all the time. (Remember when MacOS dropped 32-bit support and wiped out a huge chunk of older games?)
If you want to stay in the old chain, you're free to do so, just like how you can still pick up a word processor made a couple decades ago and make documents on it. It only affects you if you want to use the Internet as that keeps evolving. (If you load up some '00s or '10s era browsers you'll see that many of them do not work at all for the popular Internet sites, which have all adopted things like newer TLS implementations and HTTP/3 or whatever the latest one is...
iirc remote attestation is reliant on hardware attestation, which means these websites will only run on authorized DRM-enforcing hardware and architectures. Only Intel, AMD, Qualcomm and the like. No open-source firmwares, architectures or hardware.
It's important to remember they are only commercial efforts. If you can value something other than money it doesn't matter what the corporate web is doing compared to human ingenuity and the internet. Let them waste their time and money writing their specs.
Unfortunately, the corporate Web has managed to monopolise how we communicate and learn about things (Facebook, reddit, twitter, YouTube, news sites, etc).
This is a mistaken view. The closest thing I have to social media is HN. I did get a twitter account in the beginning and I was waiting for the right moment to tweet but it seems to have passed.
The above is true only to the extent that you believe it. I don't believe it at all so I'm not part of the "you" I'm an "other".
The "News" is a whole other problem closer to truth. So not technical entirely. Individuals started newspapers and individual will deliver the news.
A big issue corporations currently face is that everything has become so cheap that their scale of effort is a hindrance.
If a corporation is not acting ruthlessly efficient the economy of scale breaks down quickly. The crux of this will cause the success of many smaller scale efforts that don't hold the overhead of a corporation.
The original promise of the public internet was the idea that broadcasting was dead and narrowcasting was the wave of the future. This was true up until ads became legal/common on the internet.
Take away the commercial interest and you are left with passionate publishers and audiences.
That is why I call for federated publishing tools. Believe it or not I plan on launching such a channel and it will be self-hosted in the 90's meaning of the term. The only way the channel will grow an audience is if it is passed by word of mouth.
The amount of effort that goes in to playing advertising metric games of YouTube is ridiculous to me. Anyone that says well people have to get paid I say maybe.
Real creators create and don't need the like, subscribe, patreon, mantra.
Most of the gunsmithing sites on YouTube are moving towards this idea.
I don't believe in the discovery myth so many talk about as essential. It is only essential if you need inorganic growth.
I would say it's an emerging trend and that the more they tighten their grip the more creators will slip through their fingers.
Not an answer but your question has me curious now. I'm not old but I've got a particular worldview that could use an update. Why video? Aside from entertainment or live collaboration, I've never found video compelling for productivity.
Reliable machinery always has a shop manual, diagrams and prints. Programming languages have tomes of documentation, computing infrastructure has man pages and volumes of commentary, scholarship and trouble shooting have been committed to characters.
Aside from the point and grunt visuals, solid presentations (viewed after the fact when the value of real time interaction is gone) work fine as text.
If you're dyslexic, I get it but TTS systems are extremely solid these days.
Do Channels on Nebula count? Since Nebula is paid only, ads free and creator owned (as far as I understand), it might be the one prime example of a video platform not incentivized to restrict access to only consumers using proprietary, big tech OSes.
I visited Practical Engineering and Tom Scott's websites and, as far as I've seen, they embed YouTube videos in their websites.
I couldn't find astronaught's website. It's not even linked to in his YouTube channel.
He has article versions of his videos which you can find linked in the description of his YouTube videos. The videos on his website are just linked to YouTube however.
I don't mind in these cases. Because I already have to present my ID card or my driver's license, when I'm doing most of this. I'd buy a cheap laptop, label it as a banking and ecommerce laptop/tablet, and use it to browse the corporate web. More friction, yes, but I'd welcome it as it would make me reluctant to interact with them. Any other sites that try would just end on my blacklist.
I have been in the tank for Apple since the 80's. So no doubt I'm distorted but content.
Financial transactions could become so streamlined that a "commerce fob" is likely to emerge. That would be a credit card with a screen and buttons.
Think about how streamlined all these tasks have become. Putting those in a single ROM that has a screen and is tied into some legitimate network will emerge.
It is only out of convenience that these services are currently tied to a "phone".
What attestation the website accepts entirely depends on the configuration. There's nothing in the spec that will prevent attestations for Linux computers. Linux already works perfectly fine with secure boot and such, I don't see why a signed bootloader starting a signed attestation engine wouldn't be trusted by third party websites.
It'll kill open platforms like the rare open source RISC-V implementations, but for almost any platform in use today this can be implemented.
The real question is "but will it", and in practice websites will probably only whitelist Chrome, Edge, and (reluctantly) Safari.
Yes, a kind of Linux like Ubuntu or Fedora that already boots with secure boot enabled with full support of TPMs and similar technologies. The kind of Linux 99% of Linux users are running today.
More secure variants like Android, leveraging SELinux and such, help with sandboxing but I don't think that SELinux is a strict requirement.
I mean if root can do anything then such system is not "trusted" from corporations' point of view. Therefore, it won't be able to pass the attestation or play DRM content.
Huh? Fedora defaults to secure boot's being off and it is complicated to get it turned on.
Even after you manage to turn it on, it only verifies the kernel and cannot do anything about malware hiding in /usr. There is no Linux distro AFAIK that has verification of the entire system like ChromeOS, MacOS, iOS, Android and Windows have.
> Fedora includes support for the UEFI Secure Boot feature, which means that Fedora can be installed and run on systems where UEFI Secure Boot is enabled. On UEFI-based systems with the Secure Boot technology enabled, all drivers that are loaded must be signed with a valid certificate, otherwise the system will not accept them. All drivers provided by Red Hat are signed by the UEFI CA certificate.
Running your own secure boot CA is not enabled out of the box (for obvious reasons), but that does not pose a problem on most systems. Secure boot only needs special care if you need to load unsigned kernel modules (DKMS, Nvidia) or if you run on a super duper special Microsoft device that doesn't have the third party CA certificate by default.
Nothing you wrote contradicts anything I wrote. Specifically, although Fedora supports secure boot, if you follow the standard install process, you will get a system with secure boot turned off. I know because I've installed Fedora on a system capable of secure boot.
And, again, it is complicated to get it turned on. How complicated? Take a look:
> The kind of Linux 99% of Linux users are running today.
I severely doubt that even 5% of Linux installs have secure boot turned on because of how complicated it is to get it working. Specifically I imagine that the complicated instructions on the page I just linked will need to be modified depending on the specific secure-boot firmware.
Most motherboards ship with secure boot enabled out of the box. Fedora will install and boot in that configuration without any changes to your system or motherboard settings. You actually have to go out of your way to disable it. The manual (https://docs.fedoraproject.org/en-US/fedora/f36/install-guid...) does not mention any such setting changes.
The page you link goes into custom secure boot keys, which are usually unnecessary. They're arguably more secure, but it's an entirely optional step unless you decide to load unsigned kernel modules.
If secure boot is enabled on the motherboard, Fedora can be installed and used without going into the motherboard firmware and turning it off, but that is different from secure boot's providing to the Fedora install the kind of security assurances that secure boot provides to the other mainstream operating systems (Windows, MacOS, iOS, Android and ChromeOS).
It's true initrd is not verified; the system boots but the security secure boot is supposed to provide is not available by default. I don't think many Fedora users care, but that can be an issue.
To use secure boot without calls to mokutil and friends, Unified Kernel Images are introduced in Fedora 38. These images contain everything (kernel, initrd, and so on) in one, published package. If https://bugzilla.redhat.com/show_bug.cgi?id=2159490 is to be believed, UKIs are live already in Fedora 38.
I can only find pregenerated UKIs for virtual machines in the Fedora repositories and I can't tell if they're properly signed or not, but support is being extended and this problem is being solved.
As for providing security: Linux really needs an easy, user-friendly GUI application for setting up proper secure boot. Of course at least one step is out of the control of Linux developers (configuring the firmware to load new keys) but right now "I want to load my system keys (and also the keys for my Linux dual boot)" is awful on any Linux distro. Every guide presents scripts to call scripts to call automated tools but none of them seem to make the process any easier or friendlier.
Unified Kernel Images sounds like a useful improvement. I imagine that when combined with whole-disk encryption it provides useful protection against evil-maid attacks, but I haven't been able to find any signs that there is any Linux install in existence anywhere--except for Android and ChromeOS--where the boot process can detect an alteration to a file in /usr/ (e.g., the system's C library) and refuse to boot or at least warn the user. Unlike an evil maid, malware that has succeeded in its goal of running in a privileged process can alter any file in the unencrypted root filesystem.
In my search I focused on the "immutable" distros like Silverblue because it seems to me that the immutability would make the implementation easier.
In contrast, all the other mainstream OSes can detect an alteration in something like the C library during boot.
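The check discussed in the comments above, detecting an altered file such as the C library, is what Android and ChromeOS get from dm-verity: a hash tree over the read-only system partition whose root hash is covered by the verified boot chain. The following is an added sketch of that idea, not code from the thread or from any distribution; it simplifies to a binary, unsalted SHA-256 tree, and the sample image, function names and the in-memory "trusted root" are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 4096        # data block size (dm-verity's default)
ZERO = bytes(32)    # stand-in sibling when a level has an odd node count


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def blocks_of(image: bytes) -> list:
    """Split a partition image into fixed-size blocks, zero-padding the last."""
    out = [image[i:i + BLOCK] for i in range(0, len(image), BLOCK)]
    if out:
        out[-1] = out[-1].ljust(BLOCK, b"\0")
    return out


def build_tree(blocks: list) -> list:
    """Return levels: levels[0] holds per-block hashes, levels[-1] is [root]."""
    if not blocks:
        raise ValueError("empty image")
    level = [h(b) for b in blocks]
    levels = [level]
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            right = level[i + 1] if i + 1 < len(level) else ZERO
            nxt.append(h(level[i] + right))
        level = nxt
        levels.append(level)
    return levels


def verify_block(index: int, block: bytes, stored_levels: list,
                 trusted_root: bytes) -> bool:
    """Recompute the path from one block up to the root.

    Sibling hashes come from the tree stored on disk, which is as untrusted
    as the data itself. Only trusted_root is assumed authentic (in a real
    system it is signed and checked earlier in the boot chain).
    """
    node = h(block)
    for level in stored_levels[:-1]:
        sib = index ^ 1
        sibling = level[sib] if sib < len(level) else ZERO
        node = h(node + sibling) if index % 2 == 0 else h(sibling + node)
        index //= 2
    return hmac.compare_digest(node, trusted_root)


def audit(image: bytes, stored_levels: list, trusted_root: bytes) -> list:
    """Return the indices of blocks that fail verification."""
    return [i for i, b in enumerate(blocks_of(image))
            if not verify_block(i, b, stored_levels, trusted_root)]


def make_sample_image() -> bytes:
    """Constructed five-block image standing in for a /usr partition."""
    parts = [b"/usr/bin/sh", b"/usr/bin/ls", b"/usr/lib/libssl",
             b"/usr/lib/libc", b"/usr/share/doc"]
    return b"".join(p.ljust(BLOCK, b"\0") for p in parts)


def tamper(image: bytes, index: int, payload: bytes) -> bytes:
    """Overwrite one block, as a privileged process with disk access could."""
    start = index * BLOCK
    return image[:start] + payload.ljust(BLOCK, b"\0") + image[start + BLOCK:]


if __name__ == "__main__":
    image = make_sample_image()
    tree = build_tree(blocks_of(image))
    root = tree[-1][0]                      # pinned at build/signing time

    print("clean image:", audit(image, tree, root))

    modified = tamper(image, 3, b"/usr/lib/libc (modified)")
    print("block 3 changed, tree untouched:", audit(modified, tree, root))

    # Rewriting the on-disk tree to match does not help: the root changes,
    # and the pinned root no longer matches any path.
    forged_tree = build_tree(blocks_of(modified))
    print("block 3 changed, tree rebuilt:", audit(modified, forged_tree, root))
```

Secure Boot as described in the thread stops at the signed kernel; this per-block check is the extra layer that extends the chain to the contents of the root filesystem.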
Gentoo users and people running Nvidia drivers and the like will be out, that's true. That's very different from "only certain architectures allowed", though.
Even still, there are ways to implement this using an open source, signed, reproducibly built daemon that gets loaded early in the boot process. Altering the daemon would be out of the question but it would solve the more immediate problem of "Netflix doesn't work" that most people would actually care about.
This is exactly why people criticized secure boot. To not allow such system to establish themselves is the best defense. True for secure boot as well. Security is not the argument anymore, it is market domination.
> “We (Microsoft) are in a very unique position to be able to go spend Sony out of business,” said Booty in a December 2019 email, referencing spending $2 billion or $3 billion in 2020 to avoid competitors getting ahead in content at a later date.
There won't be an anti-trust suit. The implicit deal will be we will prevent "misinformation" (favor news sources you support and censor anything you request with our algorithm) and you will allow us to monopolize the internet.
Maybe if I donate to American Petroleum Institute I can help tilt their agenda in a more green direction.
Maybe if I donate to NRA-ILA I can tilt their agenda towards gun control.
you’re not going to tilt a think tank against its master, and the point of Mozilla is controlled opposition so google can point out they’re not quite a monopoly.
There are many, many, many web browsers that are not corporate-controlled. Some of my favourites lately are the Argonaut Constellation [0] – mostly because of the interesting technical decisions going in the development (particularly the CSS and the Haskell), but also because Rhapsode is already better than eSpeakNG + AT-SPI2 + Firefox.
There's also the venerable lynx, and elinks (which I reluctantly admit is better than lynx, even if I don't use it much), and Dillo+ [1] (a fork / continuation of Dillo that supports Gopher and Gemini). And could I forget NetSurf, with its graph-y history navigation? And of course, Ladybird, [2] probably the best-funded of the lot.
These are just the ones I've heard of. There are surely dozens more you'd be interested in, and thousands of little hobby projects. Why not try making your own web browser?
If that would be the case, then countries with bad relationship with the USA will end up having the real free internet because these tech services and products would be undesirable or inaccessible to them. They might risk political persecution for their online activities but so do people in the "West". The 3rd world will be forced to use homegrown solutions and there's a possibility that they might end up much more innovative when not everything is about advertisements.
Definitely seems like we will have a commercial internet run to satisfy corporations and an adjunct internet that is federated and open for free thinkers. I think focusing on federated publishing tools is the best route around these ideas.
Remember the corporations will need to be more disruptive than a nuclear war to break the internet. We can always route around them ourselves.
As someone who has built a business on browsing certain websites using Chrome in headless mode this proposal worries me, and it has the potential to destroy large commercial segments of other similar companies.
> Make browsing the internet possible only on Chrome, Safari or Edge (with no modifications or extensions). No competition allowed in browsers
Forgive my stupidity, but isn't this only going to be the case for websites that will opt into the use of this api? Currently, websites can already do user agent sniffing, or hide their content behind a login wall; but we are not complaining that this is the end of the web. Or are we?
Do you know what puzzles me most? How can software engineers work on something like this? Don't those paid engineers or involved ones have the balls or dignity to walk away? I'm just wondering how they would feel about this (if they feel anything at all). I mean, if I'd be in such a position and asked to push something like this I'd have walked away on the spot, no matter what you offer me. No one at Google is standing up against this? I really hope that if this ever sees the light of the day, somehow in the end this backfires badly on them.
Yup, we've lost, what, two or three generations of developers to an industry that'd do better work by digging holes and filling them in? It's my guess that this is also why so much programming nowadays looks like it's being done by the bottom 10% of talent.
They do it because of the money, though. I turned down a FAANG job partly because I'd have to relocate across the US and partly because I didn't think I could sleep at night working for them. Total compensation package for first year was $250-350K depending on performance, and there was a signing bonus. This was 2015 or so.
I often half regret that decision, because it hurts to know I could've ticked that income box rather than fighting month after month to keep work coming in (self employed/contractor).
For a while I worked at a company that did arguably worse things than Google does. Regardless of dignity and courage it's hard to just "walk away" from a paycheck when you have mouths to feed, a mortgage to pay, a family who gets sick and needs medical care, pets, hobbies, whatever. There's also the fact that for most of us work is a huge percentage of our time and our social lives can be deeply intertwined with our work lives--it can be a tough decision to walk away from all your colleagues and friends who you enjoy working with even if you don't particularly enjoy the work itself (sometimes shared hardships and commiseration can make those bonds even tougher to break).
Expecting engineers to die on this hill for us seems incredibly unfair. To balk at someone not upturning their life and (under the US healthcare system at least) endangering the health and well-being of themselves and their families in the name of dignity or morality when the net result of doing so would be exactly zero because Google can replace them in a heartbeat is, in my opinion, a gross and unnecessary misdirection of blame.
Just look around in this thread you can find people defending Google. It is not hard to think an engineer would actually want to work on this themselves.
Let's hope that indeed is the case... But as a first reaction I'd expect some friction or resistance to this from within Google. What would be their rationale for exposing their plans on Github and not going silently as (I've recently learned) Apple did?
There wouldn't be anything close to an open internet with the engineers of today. I despise my generation for this. Generalization yes, but the draw of big money to big tech did something. How about being smart for once and thinking two steps ahead the next time...
But surely those folks can walk away and put in their CV that they quit because they were in charge of implementing one of the worst ideas the history of internet has seen so far. Wouldn't you hire someone that puts that in their resume?
> Wouldn't you hire someone that puts that in their resume?
To most employers, that would read as "prone to insubordination", and be an immediate red flag. Because each and every one of them will inevitably ask you to do something at some point that will be fucked up.
People don't work for the dignity, they work for the paycheck. As long as people are willing to pay others more for doing this than saving the internet, it will continue the trend. Lashings will continue until morale improves.
> People don't work for the dignity, they work for the paycheck.
I'm sorry but I don't believe that. I do understand that line of thought if you are in a very complicated personal/financial situation but you're stating that the only driver is money, which is clearly wrong...
I do need an income too. I do pay rent, every single month. I do pay a loan, every single month. Bills? You guessed it: every single month. What's your point, really?
People are going to take their pay and do their job because to do otherwise could mean they can't maintain their lifestyle or keep their family provided to the same standard they're currently living at.
Altruism is not a default position, and is unusual in the real world.
I'm not saying that's how it should be, or that people shouldn't work to make it otherwise. But you say why don't all those people walk away from that? How far would you go? What if you had children depending on you? It's very easy to condemn other people as "greedy" but you show a lack of understanding, of empathy, perhaps, for how people in general function in the world if you assume they should just do what you say because "obviously, my moral stance trumps their concerns."
Edit: I upvoted your other comment, by the way, where you lay out the very scenario I speak of. Many people are "screwed" because their lifestyle has expanded to their current circumstance. Few people realize that progress in some dimension rarely rules out regress back along the same path. Liberty requires maintenance, because there will always be societal forces aimed at eroding it.
those will walk away, others will come and to them money would be absolute motivator. If there's a thing humans can invent/implement, without any regulation, it'll be implemented (and often even with regulation it may be implemented)
If only there was some form of labor organizing that could allow workers to keep their job while collectively opposing building horrific things like this.
I can't recall where I read it but the biggest danger with having a fat paycheck is that your lifestyle changes drastically. More money? Well, now you can do/afford more expensive things, you can take more luxuries, have a bigger place, a fancier car, and so on.
And the problem comes when you have to cut back all that, you need a job that can support that lifestyle. I believe the best thing you can do if you have a fat paycheck is to exactly take the opposite approach: keep living simply, save as much as you can, yes give yourself a treat from time to time, but essentially keep an average lifestyle.
The day you need to go elsewhere and you find out that you are against the wall because you need that much money and you can't find a similar income is when you're basically screwed.
That is... a gross simplification. There is a cost of living. If you include people giving you stuff for free in the "how much one makes" category, then you need shelter, food, healthcare, etc. There are plenty of people who struggle to make enough to pay for these necessities. We call this "poverty", and it absolutely is a matter of "how much one makes".
Even in poverty having to spend more than one makes is a problem. Therefore my statement may be simple but true.
The best kind of truth in my book. I have lots of ideas about poverty but I was actually responding to the trap of high-earners. Careful spending is more critical in impoverished situations.
Google is a big organisation, even if some people don't want to work on it, there are plenty of others who will. It's not as if every software engineer in the world shares your views and your principles.
Those with conscience get filtered out of these kinds of projects.
I mean, we are in a climate crisis and massive worldwide inequality and some really competent people both made this happen and prevented the general public from being able to avoid this - because that happens to profit the few.
Most of the worldwide economy is predicated on this (capitalism). It's a logical outcome.
No, of course they haven't! Thanks for adding this insightful and revolutionary perspective to the debate. Everything which is less serious than war crimes is obviously morally ok.
It's possible to provide for one's children without turning the world into a ruinous corporate dystopia. What a world to subject your children to.
No, "I have kids" is not an excuse. You do see how that makes this even worse, yes? To pretend to give a shit about future generations while gleefully destroying the liberties of those future generations?
But my point is that you do have plenty of options in the industry! For sure if you're in charge of something like this you can have a pretty decent job elsewhere. You sound as if those people have nowhere else to continue their careers... Am I wrong?
Lots of people get by fine with less-than-FAANG pay.
(FAANG salaries are not an "order of magnitude" higher than salaries at other U.S.-based companies for similar jobs.)
FAANG salaries are just at the level at which those companies discovered people are willing to sell their souls, or that is high enough to attract naive people who won't question why it pays more.
Speaking as someone "getting by" on lesser money, yeah, that's certainly true.
Maybe I'm just really bad at marketing/promoting myself or I gasp have to take work "below my pay grade" because it's still work and I've got bills, but I'm not netting six figures doing highly technical work (embedded development, electromechanical development, board layout and design, etc.). In the last five years I've had one in which I grossed six figures. I'd figure I just suck and am an outlier but I keep hearing the same stories from friends who are also not at big shops.
There are plenty of 6 figure jobs outside of FAANG, and the lowest pay I'd even fathom taking for a software development role isn't far below that (maybe 85-90k for a straight-out-of-school junior dev). If you're making less than that, with enough experience to be talking about "the last five years", then you probably should start looking for roles at other companies.
Yeah, probably, but I'm stuck with the current situation for now.
Wages for developer work are not consistent, though. I was making around $45K out of college in upstate NY in 2011 or so. I left that job around $55K in 2015 when we moved from the area. Those were entirely normal salaries in the NY capital district for developers with a four-year degree and proven skills in a given language.
I'm now in central VA and am friends with the owner of a local media/web development shop. Their average pay is around $20/hour. Remote work levels the field a bit now, but that's what folks who want to work locally at a desk are offered. They have people actually working there, so I guess folks think that's a reasonable pay "for the area."
It is not an order of magnitude. I work at a software non-profit and am paid reasonably compared to my FAANG friends. Sure, they make more, but not an order of magnitude more, not even double, and I can sleep at night knowing I'm trying to make the world better for humans rather than trying to enrich a few mega-corporations.
It's certainly double or more in many cases for rank-and-file developer jobs, in my personal experience, meaning "jobs I've worked or gotten offers on." Again, maybe I just suck, but then so do a lot of folks I know.
I mean "order of magnitude" in the sense that a 6-figure salary is an order of magnitude more than a 5-figure salary.
I've got a mortgage and two kids, I don't have a FAANG job and live very comfortably thanks. Stop spreading BS, you don't need to work for one of them to have a high paying tech job.
As the one employed member of my household (spouse is retired) I paid off a Silicon Valley mortgage in under 15 years working for a non-profit software outfit with no stock options or any of that, just a decent salary for a solid company for a good stretch of time. That you think it can only be done with a small handful of specific employers is silly.
A good and measured article marred only by a silly, clickbait title.
Unless there is a plan to allow attesters that are independent bodies then this is absolutely a threat to the open internet, or what's left of it.
The biggest dead canary for me is the lack of calling this out explicitly by Google or Apple. We're left to assume that Google is hand-wavingly saying "don't worry we can take care of that" when the private companies already monopolizing parts of the Internet are the absolute last people we want handling attestation.
even assuming unbiased and objective attesters, the issue lies with the "baseline criteria" of attestation and who defines them.
There are two risks here (examples follow):
1. hostile requirements - "the agent won't feature adblockers", or "scraping without explicit website permission must be forbidden"
2. prohibitive requirements - "the agent implements protocols X, Y and Z and adheres to standards A, B and C" - all of these may be reasonable things, but en masse they may be too much work to carry by anyone but a reasonably big vendor
Additionally these criteria must be verifiable, so user can't basically modify the agent, because then the attestation is practically void.
Rest assured it is sarcastic. It is terrifying because you start sensing what power shift that is. And it is not theoretical in the slightest, my wife starts complaining about dynamic pricing in web shops where she used to find deals at season's end.
Or what is wrong with meeting politicians who always have a very good brief in their hands telling them what words have maximum impact on the small group before them? It seems to work looking at the increasing number of spineless chameleons.
I think for me it's terrifying because it sounds like the same line of reasoning as, "Why should I care about encryption? I don't have anything to hide," and people say (and mean) that a LOT.
So many people genuinely don't understand what would be wrong with this scenario, and that's why I'm afraid.
Obviously this is awful, but I wanted to share some organizations could use that as a bad pattern:
"Oh, this area of $hot_social_media_site is for people earning ($user_salary * 1.4). But you can get access for just $10/month paid monthly or $9/month paid a year in advance! You don't want to be left out and lose the chance to network with higher earners, do you?!?"
> A simple example would be just rejecting ad-blocking extensions from their Chrome store. They've never done anything close to that (including all the manifest v3 hullabaloo where they explicitly worked with ad-blocking teams to help them migrate) so who in their right mind would think that they would try to sneak it in via some fancy new web standard that wouldn't even be able to effectively block ad-blocking if it wanted to.
Like, perhaps like if they didn't allow any extensions on their mobile browsers?
(Note: You can't use extensions on Chrome on mobile devices)
"Brave is on the play store" is a very similar argument to "You do not have to use IE, you can install Netscape". And subject to the same logical holes.
Why? If it were a browser extension, you would still have to install that manually too. Are you mad that Google doesn't ship ad-blocking functionality by default in their standard build?
Google - a company that makes most of its money on ads - removed the ability to install ad blocking extensions on the default mobile browser for over 2 billion devices.
If that does not seem shady to you, then I will be unable to make you understand the point.
This rule applies to discourse, not perspectives. I also wouldn't call many of these concerns "fantasies," because anyone with a basic understanding of public-key cryptography can tell you exactly how this technology, even its most basic form, could be used to:
- Create an absolute monopoly on browsers.
- Give the holder of the browser monopoly the power to control who can/can't crawl the web.
- Give the holder of the browser monopoly the power to control what OS you use to access the web.
and so much more that it's head-spinning.
Is OP's title clickbaity? Yes. Are the concerns brought up by commenters totally legitimate? Yes.
Your premise is broken. How is this even possible in an open source ecosystem? Chrome was built to be forked, and there are several healthy forks that are thriving. There is zero chance of there being a browser monopoly any time soon. Basically every proprietary browser is now dead.
Whether or not the browser is open-source has no impact on this issue. The monopoly would not exist because Google/Apple/whoever are the only people allowed to make browsers. Google would simply have the power to make all of its services (search, docs, etc) totally unusable on any browser that isn't a version of Chrome compiled and distributed by them, thus making all other browsers useless to the vast majority of the population. Because analytics data is money, other companies would have financial incentive to follow suit.
By the way, Chrome contains proprietary code. Chrome and Chromium are not identical.
Your hand wavy description of manifest v3 which conveniently skips the core issues makes me skeptical of your position and intent. Sounds like users and developers are the problem here -- I never see anyone else talk about Chrome with such a positive tone. Manifest v3, privacy sandbox and now the "integrity" nonsense should say enough about Chrome and Google.
Must be nice. The major Canadian banks only offered 2FA with SMS until recently and still don't support TOTP or hardware tokens, opting instead for some kind of proprietary flow through their phone app.
Okay, top three banks in the US.. Chase requires MFA, but still allows SMS, which can be broken easily with SIM swapping. BoA and Wells Fargo MFA can be completely disabled, which is how many people likely have their accounts set up.
Until just a few years ago, mine would pop up an MFA prompt, but if you hit the "mobile website" button, it would just bypass it completely. I reported it to them for at least five years before it got fixed, and it's more likely that they just fixed it on accident.
I hate to say it, but if you used Chrome to read this, then you're part of the problem.
Awful stuff like this wouldn't stand a chance if Google didn't have such a near-monopoly position.
For the sake of the open internet, please switch to a different browser. IMO, Firefox is best*, but even something chromium based is probably fine. Just not Google Chrome.
* On desktop - Firefox is a bit weaker on Android, with an extremely limited set of extensions (but still better than Chrome with no extensions) and just a Safari wrapper on iOS, with no extensions. (But sync works everywhere!)
(I posted something similar in a different thread recently but I think it bears repeating.)
I agree, I use Firefox everywhere. But we must not forget the following:
In 2011 Mozilla income was 85% derived from Google, through the primary search engine deal. Around a billion was paid over three years as part of this deal at some point. Apparently there was bidding by Microsoft for making Bing the default, which pushed up the pricing.
So every time Mozilla speaks out against Google, it is a bit awkward, since they are biting the hand that feeds them. I suppose they could take a deal from Microsoft, Yahoo or even DDG (or Baidu!), but without interest from Google I presume the funding would be lower. Quite an interesting situation.
Thank God both Firefox and Chrome are open source. That is at least some small degree of insurance against potential freedom-limiting shenanigans by tech giants.
Yeah, I mentioned this in another comment: it's really a shame that Mozilla spends the majority of that money (often poorly IMO), instead of putting it into an endowment fund or something similar that would leave them in a much better position for the long run.
It actually takes a lot of people to build and maintain a modern competitive browser. Not paying those people and instead investing the revenue would end the project in short order. Mozilla is already outgunned on staff by the other major browser makers and you want us to cut staff to save more? That's not realistic, IMO.
I don't disagree with you, but Mozilla takes in hundreds of millions of dollars a year and I don't think they spend all of that on Firefox - possibly not even the majority of it!
I think that if they cut back on some of the other projects in the short-term, they could ensure the foundation was funded for the long-term - to support Firefox and anything else they deem valuable.
Perfect is the enemy of good. If you postpone or skip using Firefox because of this reason/excuse, you are even more a part of the problem than you probably realize ;)
Mozilla's opposition to such initiatives matters only because of their users. And there are no other significant fighters in this ring on _our_ side, unfortunately.
> That is at least some small degree of insurance against potential freedom-limiting shenanigans by tech giants.
Chromium being open source is a red herring. The web is a protocol between clients and servers, and having the ability to fork the client doesn't matter if all the servers ignore your fork and continue speaking the protocol dictated by the dominant client. You need to fork the entire protocol, which is to say, you need to fork the entire web.
Mozilla should really double down on Mozilla VPN. Judging by all the NordVPN ads on every major youtuber's video, the profit margins must be astronomical (or their business model must be suspicious). It should provide a good income stream for Mozilla. The entire space is shady and filled with dubious actors. It is just begging to be disrupted by a trustworthy organization.
I can't think of a single candidate other than Mozilla that has the technical expertise, experience, trust, reputation, resources (not to mention non-profit structure) built over 20 years defending the open web. I don't understand why Mozilla is dragging their feet on this. They should have owned the entire VPN market by now. VPNs aren't cryogenic rockets.
VPNs are barely gonna make a dent in their income. What do you think the market is for VPNs? 99% of people don't know what VPN means.
Of the remaining 1%, most don't need a VPN for anything personal. It's literally just a handful of geeks who need VPN (mainly for secure piracy, or accessing different regional Netflix catalogs), and maybe a few dozen journalists living in dictatorships.
Mozilla needs to gut spending. Get rid of all the diversity /hr/evangelism people bloating their employee headcount and funneling people's donations to divisive causes like that org that doesn't hire white men (forgot the name but it made me cancel my monthly donation to Mozilla). They shouldn't need more than 25% non-technical staff, and the purpose of those 25% should be exclusively to support the technical staff. Instead they became another bloated Big NGO that's basically welfare for liberal arts majors in California.
Is the Mozilla organization generally responsive to social media? I have had a hard time trying to figure out where the organization responds to publicly, generally.
I would love to have a Mozilla hosted email and calendar service from them, for example. I don't understand why they aren't branching out into more common web citizen needed services.
Yes. I don't know why though. I don't understand why they can't host and run their own OpenVPN instance. Or why MozillaVPN is only available in 30 countries (mine not included), 4 years after announcement. Or why I haven't seen a single ad for Mozilla VPN anywhere on the web other than in Mozilla's homepage. Or what they are doing with their 800 million dollars in annual revenue.
Almost all in Chromium is open-source, there are some missing pieces though.
For example, the per-device configuration (GPU acceleration enabled or not, etc) is not there, the statistics collection infrastructure, the WebAPK minting code is not there, etc.
Chrome feels faster though. I just switched back to it after using Firefox for the last year. Chrome on my work computer felt snappier than Firefox on my comparable spec personal machine.
My concern is that soon the comparison will be "Chrome without ad block" vs "Firefox with ad block". There's no way Chrome outperforms Firefox in that scenario. Even if Chrome is faster for your unique workflow today, prepare to switch back.
I switched to Chrome pretty much the day it first came out and it was revolutionary. Switched back to Firefox a few years ago due to Chrome becoming too dominant and Google throwing their weight around in standards committees too much. When I desperately need Chromium for something I use Edge (which I actually rather like).
The problem with Mozilla Corporation/Foundation is that they blew all their time/money/resources/lead on things that didn't matter, not helping pave the way forward, and then fired a lot of their staff to boot!
Mozilla was once a bright shining beacon of hope for the open web, but they wasted their good will on too many of us, and it pains me to think what could have been.
Good will is nice but those people also need to eat and Mozilla really needed to find a revenue stream other than Google paying them off so they don’t have to spend 100x the amount on antitrust litigations.
This is a perfect case in which I’d like to see my taxes funding their work.
You can actually use more extensions on Android. It's just more involved than it should be. The trick is to create an "extension collection" from your Mozilla account. Then you can use any extension, and a lot of them just work.
I know but it never worked for me. I followed the procedure twice, two different years, two different installs. I'm always doing something wrong. On Mozilla's side, why are they even doing that to us on Nightly?
It works for me on the Beta. No need to go to nightly. Mozilla was even gracious enough to allow us to go to about:config!
I don't know what you're doing wrong (all I can say is that the name of the collection is case sensitive) but I haven't had any trouble adding the custom collection settings to my Firefox installs.
Yeah, I know - I ended up switching to Iceraven on my phone, though. I've heard good things about Mull too. But I didn't want to muddy the original post with all that.
Web standards are a part of the problem that few people think about. Existing rendering engines grew along with the standards. However, the standards (especially CSS) have become so absurdly complex that implementing a new engine would be nearly impossible. Even Microsoft caved, and Edge is now essentially Chrome.
Some will point out that Chrome is based on open-source software. In reality, however, Google has a huge amount of power here. If Google is serious about this initiative, they will try to force it into the projects, and make it an essential part of the web experience. As others have pointed out, Google is also a primary supporter of Firefox, so they have influence there as well.
THIS...except "a part of the problem" is miserably understated.
Extreme technological complexity is just about the best possible moat a huge business can have. Though in this case "walls around the prison in which the users are incarcerated" might be a better analogy.
And all the prisoners, who just can't resist the endless shiny new goodies added to the web standards, are forever building their own prison walls higher...
Yeah, I'm actually using Iceraven right now, I just didn't want to muddy up the point of that comment any further than I already had. Firefox is an easy recommendation on desktop but mobile needs a bit more nuance.
The point is that using anything that's not Google Chrome is better for the internet.
Nope, I've never seen that. Iceraven is just Firefox for Android with more extensions enabled, about:config support, and a couple of other minor annoyances fixed.
Wait, the post says iceweasel but the link is iceraven, are they the same thing? This was on the default browser one of the times I tried LineageOS, this was back in 2019 or so. I could be misremembering the specific fork.
I found this about iceweasel, which inclines me to believe that you remembered it correctly, and the grandparent was just mistaken about the name:
> In August 2005,[11] the GNUzilla project adopted the GNU IceWeasel name for a rebranded distribution of Firefox that made no references to nonfree plugins.
> [...]
> The GNU LibreJS extension detects and blocks non-free non-trivial JavaScript.
I would love to use Firefox, if it wasn't so persistently such an utterly slow piece of shit if you open more than a few tabs or use it much. Across every laptop I've ever owned and across every version of FF I've ever used, this has been the case despite all promises. So unless I'm haunted by some magical digital browser curse, Chrome at least performs rapidly, even for a tab hoarder like me. I barely use anything by Google knowingly, but with Chrome Firefox can fuck off in comparison if it can't simply perform at the basics of agile functionality.
This has never been the case for me at all. I write this comment in Chrome because I have it for testing and specific purposes, but I believe CPU and memory utilization advantages of Chromium always have been a myth for the most part. And I am someone that holds a lot of tabs open without rebooting my work machine for days or months.
Browsers are still memory hogs, but at some point you have to decide if you want speed or low memory usage. Fast reaction time or nicely rendered pictures. On a decent machine, not even a fast one, there is no difference. That said, I despise notebooks and usually use towers.
I'll look into that on my laptop and see if it may just possibly have been a major cause of problems all this time. I'm skeptical, but thanks for the tip.
If you're using Apple products, your first preference should be Safari. I use that all the time, it's faster, leaner and syncs tabs/history/bookmarks greatly between different Apple devices.
I use Apple devices for work, but a combination of Windows, Linux, and Android for personal use, and I like that Firefox can sync between all of them.
I will concede that if you're all-in on Apple, then Safari is certainly more convenient. It's also more power efficient on macOS, so if I know I'm going to be on battery all day, I may switch to Safari for the day.
1. Native integration across devices: Safari integrates seamlessly with Apple's ecosystem due to proprietary features like iCloud, Handoff, and universal clipboard, allowing for a consistent user experience across all Apple devices, with seamless transition among them to stay in your flow across devices.
2. iCloud Private Relay: This is a recent security tool from Apple and participating CDNs that encrypts all Safari traffic and protects the user's privacy by preventing anyone, including both Apple and network providers, from seeing which sites are visited.
3. Password Management Integration: Safari offers seamless integration with Apple’s Keychain for password and two-factor authentication (2FA) management across devices and across apps and browsers. Safari leverages Apple's OS level full password manager that's been quietly iterated each major release, now including support for TOTP and compromised-site checks.
4. Increased security/privacy: Safari uses AI/ML backed Intelligent Tracking Prevention to identify and block trackers, ensuring enhanced user privacy. While similar features can be added to Firefox via extensions, Safari has these capabilities by default.
5. Improved Power Efficiency and Performance: Multiple battery life tests confirm that Safari is significantly more power-efficient than Firefox and Chrome. Apple pulls this off through co-optimization of hardware and software, power-efficient technologies, hardware acceleration, conservative use of resources, efficient resource handling, and the blocking of resource-heavy ads and trackers. In real world use, you may see twice the battery life during web heavy usage.
6. Extended Support for WebKit: Use the browser your users use, so you understand and support their experience.
Other factors like persistent tab groups, 120hz scroll performance, and first class "retina" typography simply add to the smooth experience Safari provides on macOS and iOS.
Here are some lesser known tips for tuning up Safari to your liking and using features folks may be less familiar with:
Apple has a pretty terrible record on security given the Pegasus spyware and 0 clicks. Although most are related to iMessage and hardware exploits.
I still have a hard time believing the Privacy stuff since PRISM and Apple's openness to give data to China and Russia. But if you believe them, don't mind the government's access, and don't want to use other software, I can see where you are coming from.
If I remember right, DuckDuckGo's browser just uses the system webview. So that might be Chromium on Windows now that Edge is Chromium-based, but it'd be WebKit on macOS, and I'm not sure what it'd use on Linux.
What does HN think about Mozilla adding some premium tier of the browser itself for a small subscription fee? I already subscribe to MDN out of sheer principle, and would be OK substituting some bullshit like Hulu if it would help even more... I am willing to pay the true cost of the "open" web, whatever it is. Just tell me how much and where to sign.
Money is going to be a required tool to fight back against google, whether we like it or not. Capitalizing on the lesser evil to fight the bigger evil is not a terrible idea in my estimation.
People need to be more aware about this.
I also use Firefox on the desktop. On Android I use Mull, which is based upon Firefox and it's actually pretty good!
Microsoft is exactly the kind of company that would throw its full backing behind this Google proposal, seeing how they have spent the last 20 years working towards the same goal. See Windows 11, Trusted Platform Module, Pluton, Palladium, SecureBoot.
I think the person you are responding to would say that Edge is just another Chromium skin. It doesn't exactly relieve Google's monopoly on browser technology.
Not only is Edge based on Chromium, as a major operating system vendor with strong influence on the hardware market, Microsoft is well positioned to be one of the widely-accepted attesters. So they have little motivation to oppose this proposal.
With few exceptions the browser market is a lot like the Volkswagen Group. They design key components and depending on market segment they slap an Audi, VW or Skoda label on it, do a few tweaks to the look and feel and add a few features that they know that a particular segment wants. Under "chrome" it's a Volkswagen.
My guess is, GP is referring to the significant amount of funding that Mozilla gets from Google. Not sure if it's still the case, but I believe at least for a time, it was actually their main source of funding and basically what kept the whole organisation alive.
So by "don't bite the hand that feeds you" logic, they couldn't be interested in being too adverse with Google, because in the end, this could threaten their whole existence.
Not sure if this is still the case though, or if they managed to diversify.
Mozilla is two parts, the Mozilla Foundation and a subsidiary which is Mozilla Corporation. Neither of those are "funded" by Google.
I'm guessing you're referring to the search partnership between the two? That doesn't mean that Google owns Mozilla, unless you're really unclear about what "partnership" or "deal" means. Mozilla have multiple deals with search engines, not just Google.
> The only reason Firefox exists is because Google wants something they can point to in court and say "look! we're not a monopoly!"
A competitor that survives at the charity of a monopoly is evidence of a monopoly, not evidence of the opposite. A court might see a non-profit that is directly dependent on Google for ongoing operating cash very differently than how it saw Gates' one-time personal investment in Apple.
At a much lower price, because search deals are paid based on number of searches done (so indirectly, the number of active users), and because Google has 90%-ish market share, it means a 90% drop in revenue.
Also, Bing has on average twice higher RPMs, so, a 50% drop in income after rev-share.
So, you remove 90% of the revenue, and you divide by 2 what is remaining.
Technically it might even be healthy for Mozilla to lose 90% of the budget as they are spending that on bs projects that have nothing to do with Firefox. Maybe it would force them to spend the money on the Firefox team, and all the money hungry top management would go somewhere else where they can waste money.
A little nitpick: Mozilla has no shareholders. Mozilla Foundation is a non-profit, while Mozilla Corporation is 100% owned by the Foundation. Your point still stands though.
If Google turned off this money faucet, Mozilla would be severely impacted. Unfortunately as Firefox's market penetration gets lower, the value of that deal gets lower, should Google stop paying it and someone like Bing takes over.
They have no motivation to "turn off the money faucet" since the payment is effectively lead generation -- bringing eyeballs to their ads that pay them more.
It's true that Mozilla gets the vast majority of their income from Google and has, IMO, absolutely squandered most of it.
If Mozilla had put most of its income into an endowment fund instead of hiring tons of staff for a myriad of now-mostly-canceled projects, they'd be in a much better position today. (Hindsight is 20-20 and all that.)
But I think it's an overstatement to say that Google owns Firefox. I donate monthly, and I think a smaller form of Mozilla could survive completely without Google.
If you have a customer who pays more than 50% of your income that’s not a customer that’s a controlling interest. Track record shows the relationship looks the way Google wants it to look and behaves the way Google wants it to behave.
I don't know where you got that idea from (accepting money to make the Google search engine the default?), but Firefox is made by the Mozilla Corporation which is a wholly owned subsidiary of the Mozilla Foundation.
I'm honestly (as in putting in multiple hours) trying to switch to Firefox every 4 to 5 months. I tried at least 4 times. I do the dance of migrating bookmarks, passwords, layout preferences, add-ons, workflows, setting up sync, installing on all Android and desktop devices ... and then I run into issues, try to fix some of them, research, then give up and go back to Chrome and don't think about it anymore until another article like this pops up on HN.
This time I won't be shamed into doing it again. I don't have the time or motivation.
edit: forgot to mention explicitly, it's not Firefox, it's me. I'm not strong enough.
I find that condescending but I'm sure you didn't mean it that way and had good intentions asking that.
The problems I experienced that can be fixed in Firefox itself probably already got fixed.
My (personal) problem with Firefox is that functionally it's not Chrome and doesn't look/feel like it. The claimed non-functional improvements (privacy, freedom, ...) DON'T make up for the difference for me personally.
If Firefox looked and felt more or less exactly like Chrome for the functional parts then I would not have any problem switching for good. It's not at the moment, so this is what stops me from adoption.
I don't propose to change anything (you did). I was merely stating why I'm not on Firefox yet as a data point.
Absolutely not intended to sound condescending, sorry if that came across that way.
I see your point and it is absolutely within your right to stay on Chrome if you don't want to change. I've found it pretty much identical in terms of functionality and UX for the past decade though. Do you have any particular functional improvements in mind that you're missing in Firefox?
As an example: https://ibb.co/Wynn5Tg
Subjectively(!) Firefox is cluttered and takes much more space than Chrome for itself. Unfocused tabs are hard for me to make out on Firefox.
I think that personally I'm a lost cause. Either give me Firefox in a Chrome's pelt or I stay with Chrome. And maybe that's good this way: Firefox should just focus on new users and make the best browser for "them".
I have zero issues using FF everywhere. I used to have to use Chromium every couple months because some dumb website was pulling in a library that was using some non-industry-standard thing chromium did - and everything broke due to their utter lack of testing - but even that has died down. There is a newer trend where I have to disable uBlock every once in a while to complete a task, which is just as bad, but I rarely have to actually use another browser.
> I hate to say it, but if you used Chrome to read this, then you're part of the problem.
Victim blaming BS.
Let's see who else is the problem. How about all those engineers who decided not to contribute to Firefox? Or all those website developers who didn't test their site in Firefox? Or hell, why not all those Mozilla engineers who didn't fix Firefox hard enough?
Let's put the blame where it actually is. Google is to blame. Not the users of their free products they advertise all over the place and have an unlimited marketing budget for.
Victim blaming is absolutely the correct approach here. Of course you shouldn't blame your grandma for using Chrome, but people on HN are a completely different audience. HN readers should be well aware of the damage Google is causing to the open internet, using Chrome is tantamount to supporting this effort.
I don’t know if they won the game of capitalism but their market power and profit incentive are facts.
If you don’t want to stop using Chrome, then your alternative is to buy a controlling share of Alphabet and appoint a Board that forgoes advertising revenue in exchange for being nice to adblock users.
Yes, the worst are the techies who should know better but insist on using chrome because "it feels slightly faster, therefore I have no choice but to use it." Such people pretending to be victims is complete nonsense.
Firstly, the examples you gave are dissimilar; GP is pointing out a positive action (choosing a specific browser) while you're emphasizing negative ones (not doing specific things to contribute to Firefox). Secondly, they did not say that the user is to blame for the situation, merely that they are part of the problem, which is trivially true; Google would not be able to do what they are without a large number of people choosing their browser. Thirdly, the way to effect change through fora like this one is to identify what an audience, personally, can do and encouraging them to do that thing. People can choose what browser they use. They cannot meaningfully change Google's behavior.
I've never seen a single Chrome ad. I'm sure we're in different parts of the world and in different ad segments, but it seems to me Chrome marketing is not that widespread, is it?
As a retired FE engineer, the top reason I used Chrome and tested with it was the powerful yet light devtools.
You have to be hopelessly naive to believe that the hold-back feature is going to be implemented as described, if at all, and not quietly removed when the outrage dies down.
And even if it stays as described, the percentage will be low enough that those that fail attestation can be safely barraged with captchas or simply told to go away. (You can try browsing the web with TOR to get a taste of how you will be treated)
The whole post can be summarized as "trust me bro"
Yeah, it was only when I briefly worked for a FAANG that I realised that it doesn't really matter how many well-meaning engineers you have, because ultimately they don't make the decisions. Execs make the big decisions, and they will always take the most profitable choice.
Those cited 5-10% are laughable. If countless US sites prefer to just block the entire EU over bothering with privacy regulations they'll just tell you to reload the page every 10th to 20th time you click on something. Compared to what the majority of people already silently accept with ads, cookie banners and popups it's not even worth mentioning, and that's assuming Google can be trusted for once.
Privacy features like user-agent reduction, IP reduction, preventing cross-site storage, and fingerprint randomization make it more difficult to distinguish or reidentify individual clients, which is great for privacy, but makes fighting fraud more difficult. This matters to users because making the web more private without providing new APIs to developers could lead to websites adding more:
- sign-in gates to access basic content
- invasive user fingerprinting, which is less transparent to users and more difficult to control
This was my takeaway as well. I see a lot of imaginary, proposed future problems and no concrete issues that this is currently trying to solve. It gives the impression that it's just being put out there to muddy the waters and give some credence to an otherwise awful barrier to entry for the web.
This is precisely what the reported issues are trying to achieve, regardless of their tone. The current path is completely wrong and reckless. The first step of working together would be to abandon this approach entirely.
This is akin to suggesting that we'd solve global warming by triggering a nuclear winter. This is not something you can solve by iterating and finding a middle path. The entire premise of this proposal is dangerous and should be binned.
Just think about all the potential ways in which this approach can (and obviously would) be abused.
(Posting this here as I just noticed they disallowed commenting)
I find it interesting that the author thinks "invasive user fingerprinting" would stop with WEI. If you really believe ad networks are _only_ fingerprinting users to fight fraud and will stop doing it after WEI, I have a bridge to sell you.
How else are they going to learn more about me and shove ads that they think I care about?
> I’m not sure my personal repository is the best place to do that - we are looking for a better forum and will update when we have found one.
I'm curious what "better forum," if any, Google will actually engage with on this matter. I too wouldn't want this sort of overwhelming reaction to happen in a personal repository. But the conversation needs to happen somewhere!
> I’m giving everyone a heads up that I’m limiting comments to contributors over the weekend so that I can try to take a breath away from GitHub. I will reopen them after the weekend
After the weekend - leaves long comment but doesn't reopen comments as promised.
It's not a terrible reply, but it does miss the point.
It focuses heavily on privacy concerns and how those will be resolved - the vast majority of criticism I've seen hasn't been related to this at all, and those aren't especially hard problems to solve in the context of the existing spec.
It still largely ignores browser diversity & experience this will create for non-Chrome users. His argument is that blocking fingerprinting in future will mean anti-fraud will make the web unusable, and WEI will make it usable again. Given you accept the premise, still the conclusion is only true for browsers that can access WEI - which means the web will become unusable for browsers who can't (Linux, rooted Android, Firefox, etc etc).
For the ecosystem as a whole, it's better if everybody has a fair playing field. By definition, WEI structurally privileges certain clients. The more widespread that becomes the worse the effect on the wider ecosystem is. If WEI does not exist, and fingerprinting does not exist, providers will be forced to find ways to limit the impact of anti-fraud mechanisms. If 90%+ of browsers use attestation, that pressure decreases dramatically. Using Tor on the web today is a good example of the likely experience.
The mention of holdbacks here touches on this (though for full blocks, rather than wider impact) but ignores the existing strong pushback against holdbacks from others closely involved in the spec & discussion around this (https://github.com/RupertBenWiser/Web-Environment-Integrity/...) and ignores that the attestation they already shipped on Android for exactly the same use case does _not_ do this.
Fundamentally, the issue isn't about privacy during these checks, or whether defeating fraud without fingerprinting is valuable. Those are reasonable but obvious points. The issue is that client-focused validation for fraud is a flawed goal in itself (it's impossible - even with full & perfect attestation, you can set up a fully automated + WEI-approved machine by automating input peripherals directly) that risks enormous collateral damage, and we shouldn't encourage it in any sense. We definitely shouldn't standardize practices to make it easier.
At the end of the day, if you want to block fraud you have to do so server side (statistical analysis, rate limits, validated user accounts, requiring payments, some kind of proof of work, etc). This is a hard problem, absolutely, but it's unavoidable.
Unfortunately, we will all happily accept this. Because using Chrome is "convenient". People will accept anything for convenience — WhatsApp is a good example, where millions of people worldwide happily share and sync their entire phone book with Facebook/Meta.
If you care, stop using Chrome. If you criticize this evil move, but continue using Chrome, you are part of the problem.
I switched over to a fully open source environment, at least for mobile/desktop OS, browser, almost all software as well as cloud file storage etc. But with a notable exception where I still use Google Search.
Perhaps with the rise of LLMs, one day I will run my own LLM to complete the move to being no longer reliant on monopolists.
Depending on the use-case, I find DDG is far better in many cases in returning sane search results. Might be an option to try. Not entirely open-source but better than the GOOG.
Same here, been using DDG for several years now and have not had any issues. I have tried switching to Google a few times when I'm not finding what I need, but get turned off by their recommendations as well as just bad search results. I remember it took me a few weeks to get used to DDG when I first switched. In a way it felt like going back to how search used to work, more keyword based, less trying to guess my life story to try to figure out what I really want.
WhatsApp and Chrome is apples and oranges - not using WhatsApp comes at a social cost (especially in countries like Germany and India where almost everyone uses it) because you can no longer communicate with other WhatsApp users or participate in group chats.
Not using Chrome comes with zero cost - you can use the same websites everyone else is using, just use Firefox.
> Not using Chrome comes with zero cost - you can use the same websites everyone else is using, just use Firefox.
Not quite. Increasingly, as Chrome became popular, you get websites that "work better in Chrome". Or do not work at all in other browsers. And you hear recommendations to "just use Chrome", so that things work. It's just more convenient all around.
Meta use your social connections to create advertising profiles of your friends whether they're on FB or not.
Your social graph is more accessible to other 'actors' than it would be if it weren't on Meta.
You may not care about this kind of thing, but I do. Unfortunately I'm not entirely free of it either, so any finger wagging on my part is at least partially hypocritical.
Well, for one, you tell Meta about me, without my consent.
Let's say I have a kid at a school. I don't use WhatsApp, but several parents have me in their phonebooks. They use WhatsApp and also use Facebook on their phones. Facebook gathers their location information, and given what Facebook knows about them, it isn't difficult to infer that I also must have a kid attending a school at a particular address at particular times during the day.
Data mining quickly gets scary.
You can also look at it another way: if this information wasn't valuable, do you think Facebook/Meta would have paid a billion for WhatsApp back in the day? Do you think they maintain the "end-to-end encrypted" communications app out of the goodness of their hearts? This is extremely valuable information: millions of people share their identifying information (their phone number) and their social network (their phonebook). It's worth a lot!
> Websites funded by ads require proof that their users are human and not bots...Social websites need to differentiate between real user engagement and fake engagement...Users playing online games want assurance that other players are adhering to the game's rules.
The whole ad based web industry is really desperate to authenticate humans from bots, isn’t it?
It’s not authenticating humans, though— just sanctioned software and hardware.
There’s no reason you couldn’t hook a bot up, via video feed and inputs, to an “attestable” device and have it use the Internet that way. This just raises the bar on bot sophistication.
In another thread somebody talked about pointing a camera at a phone and using a robot “finger” to interact with it. If anything WEI would make that easier because you’re not getting CAPTCHAs anymore! You’re a “human”, after all.
This is also how sophisticated game cheating systems work[1]. No amount of rootkit-like anti-cheat will help when you're cheating with a capture card and emulated mouse and keyboard.
Nah, they want us to think they do. But bot clicks are clicks and can be charged. I read somewhere that 80-90% of Facebook ad clicks were bots. That seems in line with the traffic I see on some commercial website I work on. Most traffic is from bots, crawlers, scanners and 'security researchers'.
Sometimes I pick up on actual fraud, like 'affiliate marketing' traffic 'boosters' that just result in someone clicking through a banner, making an order and not paying. 200 times in a day. Nobody cares, as long as the stats look good.
Google can't be trusted with ads. I've seen 3 ads today pretending to be Macy's and Bed Bath & Beyond, that were actually from Hong Kong, as well as the fake Mr Beast ads are back on YouTube. I won't even get into the borderline porn Queen's Blade ads.
I just don't know how this is possibly conceived as ok, or how they can possibly justify trying to block ad-blockers - I consider ad-blockers as a more important security barrier than a virus scanner - that's been the case for me going on a decade.
I did my part, my website shows "Not available on Chrome, Use a more modern and open browser instead... and some explainer text"
If most of us devs do this, this change would have no chance.
What would be even nicer is if someone can build a JS file that the rest of us could include to show a hard blocking pop up just to show how the future web might look like, supported with a nice explanation and link to good videos, that would be nice too.
This isn't Chrome/WEI defense btw. All attestation in web browsers ("user agents" my ass) is bad. Base your complaints on objective problems, not hate of one brand.
I remember AMP. If they push this through I'll be taking our business off Google. That would mean a lot of workflow changes but there is absolutely no way this gets a pass. Quitting Twitter was annoying and quitting Google will be a lot harder but I do believe that if you don't stand up against stuff like this that you're effectively part of the problem.
Maybe each household should host its army of noise-making AI which spews out page visits and random searches in order to let the people hide in the noise.
Projects like these existed, I think it was an extension, but we'd probably need to do better than that.
Google is checking through Opinion Rewards whether users can watch a certain advertisement video. On Android I'm using the Adguard DNS and their ad video wouldn't load twice. This occurred last week and fits this article to a tee.
I'm sure I'll get a new advertisement video soon which will load despite my Adguard DNS. That's how Google can confirm whether their ad-blocking-blocking works.
Opinion Rewards is great not just for being able to get apps for 'free', but also to be one of the first to see what Google is researching.
I assume you don't have to click them anymore nowadays?
Should be fairly simple to find a correlation between ads shown to users and products sold, no?? I guess tracking solves this case.
Also as others said, there are quite a few people who still click them or click the first ad-links in google searches
They don't require interaction. Think about billboards, TV/video ads, sponsorship ads, etc. It's enough for you to just see an ad, to not forget a brand or product exists.
At some point, you might think about a product subconsciously due to any reason, and since you saw the ads, you'll think of a specific company's product and likely rank them higher among "unknown" brands by default. That will bubble up at some point and you'll have a desire for it which you either accept or reject. Most will accept, causing more to accept to be in the group. It's human nature.
Which implies the click fraud problem. I thought that Google was strongly disinterested in robust counter measures because so much as engagement is straight fraud. If you shine a light on it the market shrinks a lot.
Sure they have known for a long time. What is changing is advertisers' awareness of the fake clicks. Creates an opportunity for ad platforms that can prove the humanity of their viewers.
Basically the only ads I click are in search results. If I'm looking for something and the correct answer is the same as the ad right above it, I click the ad. Currently I primarily use Ecosia as my search engine and I'd like them to make money, so if the ad is the correct answer anyway, I use that link.
Other than that... No, I'm never clicking on ads.
In the article they write:
> Social websites need to differentiate between real user engagement and fake engagement.
No, they really don't. Why would they? They have a platform, you can buy ad space on that platform, it's not the job of the website to provide you with engagement numbers. You run an ad campaign for a given period, you track if sales increase during that time, if they don't your campaign was no good. I'm also okay with tracking sales directly from each campaign, have a tracking code for that campaign, but not the user/customer, that's fine. The obsession with tracking every single little detail back to a person is becoming increasingly obnoxious.
I've willingly clicked on a couple ads sometime this year when I was desperately trying to find something that neither DuckDuckGo, Amazon, nor Google could find (namely, a very last minute plane ticket for an even remotely reasonable price). My thought being "since the regular results are SEOd to death, maybe the people willing to pay for me to look at their offer are of higher quality". Plot twist: they weren't. But at least that made me realize that my adblocker was disabled so I could at least fix that.
If I do see something in an ad that interests me I make a point of accessing the advertiser’s site without interacting with the ad. Presumably this is still being tracked but I try, at least.
I want the overt metric of a site visit caused by the ad, and the per-click fee to the advertisement host, to be as obfuscated as possible (or ideally, non-existent).
Sometimes they are relevant and I click. Maybe few times in the last year. Quite a handy way to discover something you had no idea existed. A specialized driving school in my area, for example. Not searchable through Google Maps or Google; it's specific, but not specific enough.
Many different things, big and small, that show that their principles are to make the maximum amount of money possible at every given moment, rather than thinking about long term consequences or any moral values.
One extremely small example from the last 60 minutes of my life is that many Google workspace products don't work very well in non-Chrome browsers. I have to switch from Firefox to Chrome whenever I call someone in Google Meet, because the system load is higher and some features are not supported (e.g. visual effects like background blurring). I'm skeptical that these features can't be done in Firefox, but when you try to use them you get a warning to use a supported browser.
This is such a good idea for the next stage of the surveillancification of the Internet that it could possibly get Google, if they go ahead with attempting to implement this, in the very-good-books with the increasingly paranoid, control-freakish western governments.
It will voluntarily segregate the happy conformists into their safe, normalised, walled-garden whilst the, likely technically proficient types that can wrangle hardware and software and therefore the single most dangerous group of individuals on the planet, non-conformists are easily identified by their continued participation in the wild-west-web of yore, eschewing, or at least not exclusively joining, the new utopia.
Maybe we'll get back the web we keep saying we miss, with Eternal September nicely walled-off, but maybe it'll be a case of be careful what you wish for, because now it'll put us on watch lists, not because law enforcement understand the technology any better, but because they've got their own tools to build what they think is a better mousetrap. And law enforcement love their own tools.
> Attesters will be required to offer their service under the same conditions to any browser who wishes to use it and meets certain baseline requirements.
I'm slightly suspicious this won't work in any way, but I'm not exactly sure why... Maybe because "will be required" is a huge non-technical issue that has to be resolved separately in non-technical means.
This kind of behaviour makes me not trust security researchers (something they should desperately try to protect given that trust in the field is essential).
A hobbyist I found that sells vintage computer replicas uses Wix to host his site. My older machines with an older Safari (OS has peaked, Safari version capped out on those devices) are apparently disallowed on Wix sites. "Your browser is too old..."
No doubt Wix is doing this for my own protection.
I can definitely see the majority of the web going in a similar direction.
Sounds great in theory but I'd suspect that you'd cave pretty soon after your bank adopts this (or whatever essential site/service you aren't considering is captured here).
Both should be blamed. A proposal like this would make me not want to hire Ben Wiser, Borbala Benko, Philipp Pfeiffenberger, or Sergey Kataev, ever.
There are projects one of integrity should simply refuse to work on, if they make the world a worse place. With Google on a resume, it's not exactly hard to find jobs. People who agree to work on projects like these are defective human beings.
I might actually start a blacklist over this. We are looking at aggressively hiring and I don't think I want anyone who has ever served time at Google on my staff anymore.
If you're serious, that feels overly broad. I know a lot of very good Googlers. Organizations are a bit of an abstraction in how we organize people.
A blacklist seems like a fine idea here, but it's important it be specific enough to pick out just the bad actors.
The way I manage my life, I want to make sure the work I do makes the world a better place. For the past many years, virtually everything I've done has been aligned with advancing humanity (education, medical, etc.), and has been open-source. I'm fortunate enough to be somewhat well-known for a former project, so I've always been able to find jobs like that. My values state that:
- If that meant working at a good subdivision in an evil organization, I'd do that.
- If it meant doing evil work for a good organization, I wouldn't.
- Heck, if it meant helping reform an evil, powerful organization to be good, that seems like worthwhile work too.
I haven't been in a position to need to manage those conflicts, mind you, but that's how I'd play them according to my ethical compass, if they came up.
I'll also mention: It's also important to be aware of people's situations and more complex trade-offs. Consider a person who does scammy sales pitch telemarketing calling during dinner to sell you on snake oil medicines. Now, consider that they make minimum wage, it's the only job in their town, and they have a five-year-old they need to feed. I'm in no position to judge.
I am in a position to judge Ben, Borbala, Philipp, and Sergey.
Makes sense. This is the (labor) market selecting on services it wants to support. Employers like Google have no sort of leverage or responsibility here what-so-ever.
I never said they didn’t, but people seem to be arguing the engineers have no responsibility here. And people wonder why the internet and technology sucks — no one wants to own it, even the people who are literally writing the code.
“What choice do I have?” - a Google engineer who drives a brand new Tesla, living in a $10k per month apartment.
No, ultimately the managers and executives can do nothing without the engineers. At the end of the day some engineer has to build the thing, and no one is holding a gun to their head to do so. They are willingly trading their time for money to do work that makes the world a worse place for us and a better place for Google.
There's a difference between a struggling worker earning a low salary, with low prospects of finding a better position being asked to do unethical things on behalf of their employer, and a Google engineer earning multiple hundreds of thousands of dollars per year.
I have refused to implement unethical code when I earned US$8.8k/year and supported my mother (living in Brazil, beginning of my career), I believe a Google engineer has much more leeway and money sloshing around to decide it's not right to do something unethical, and be vocal about it. There's much more of a choice than I had at that time and if I managed to choose to not be an asshole doing unethical bullshit, and didn't starve my family in the process, they are pretty damn able to do it as well. Might need another job but c'mon, you have Google in your CV, jobs will come, stop being a greedy pig.
Anecdote again: my mom was sick at home when I earned US$8,8k/year and refused to implement code to defraud customers.
I'm very sure if you are earning US$300k/year and depending on every job you get to be comparable or better you have set yourself to be fucked for life... Again, with Google on your CV you can get another job for a visa, or to pay student loans, if you depend on earning US$300k/year to just live your life you have much bigger problems.
You are trying to make it look like someone with one of the highest paid white collar jobs in the world is struggling to live and depends on earning that amount. Let's be real, it's a very, very very very small subset of people earning on that bracket that actually might have enough issues in their lives that require earning that amount (huge amounts of medical and student debt, supporting a family with disabilities [spouse, kids, etc.], etc.).
They might exist in this case, yes they might, but making that possible exception into a "think of the poor golden handcuffed employee who is being forced by some freak life situation to do this hugely unethical thing in name of their employer" excuse is not reality, in reality it's just much more likely these are people that want to keep their cushy job ingratiating their employer by making the web worse for everyone else. Greedy. Pigs.
Yeah, but you know what? Many of us do have choices and many actively do make those choices. Let's not pretend that we are struggling low paid workers whose families would starve if we changed the job or asked for reassignment.
Also, many unethical choices are made or advocated for by engineers themselves.
Yes, there's some that just want to work on different problems and want to just fix the puzzles.
But blanket blaming all of them and saying they all have a choice is not real. Any of them on visas? How would you feel about risking not just your job but also the ability to live somewhere?
You can't blanket blame all engineers and say they all have a choice.
How much is the cost of living? Lifestyle creep? Do they have anyone at home sick and they're the only ones working while also living in a high cost of living area?
"I'm used to spending too much money so in order to not get a minimal pay cut I'm gonna work on unethical projects." is the kind of insane thinking only people at HN seem to say without flinching.
Like at that point do not work at Google, write ransomware for a company in Russia, they will pay even more money. Make bio weapons for a dictator in a civil war afflicted country of the third world. If lifestyle creep and your new Tesla to drive your kids to the private school is the only thing keeping you in check, you might as well trade stocks against life expectancy based on obesity reports and climate change effects on coastal areas.
>"I'm used to spending too much money so in order to not get a minimal pay cut I'm gonna work on unethical projects."
That also accounts for expenses.
Do any of them send money home? Help parents or grandparents? Did any of them have to bring their parents or grandparents to live with them due to health issues? Lifestyle creep takes into account taking on more debt. That debt is not just in luxury like how most people think.
Standing up for your principles is never easy when it counts the most. Usually it's going to cost something. Sometimes that's a fat salary and a cushy job.
And is everyone, or should everyone, be willing to risk that fat salary, cushy job, benefits for their principles if it means risking the quality of life for their family?
Do any of them support a sick kid, spouse, parent? Any of them send money home?
All I'm saying is that some of them might not be in a situation in which they could, on a whim, risk getting fired. And we shouldn't blame them because the fix for that is not in their hands.
> And is everyone, or should everyone, be willing to risk that fat salary, cushy job, benefits for their principles if it means risking the quality of life for their family?
Google engineers are not special. Everyone has a situation, and family, and bills. Everyone has a parent who will die one day. Everyone hits hard times. Everyone faces tests of character at inopportune times. Very few of those people are making $300k a year tho, and nonetheless making the right ethical choices every day. Why can't Google engineers?
That's why I said standing up for your principles is difficult. If it were easy, everyone would do it.
I'm not joking when I say it's very hard to tell whether you're sarcastically making fun of the facetious arguments they could hypothetically put forth or if you're serious.
I don't work at Google. I know of people that have the circumstances I've mentioned.
Some that help their parents, some that have kids, some that have sick spouses, some that brought their parents to live with them and support them due to health issues, some that have work visas.
I am simply saying that even though the right thing to do would be refusing, you also have to consider everyone's life circumstances when they make decisions.
The fact that they make $100k, $200k, $300k like another comment said means that they don't just need a job, they need a job making roughly the same amount of money and having the same benefits to be able to risk getting fired.
My original comment I wrote it so that we wouldn't just place everyone in the same group and generalize. It's not necessarily always as easy as refusing and risking your job. You're risking whoever else you support for example.
This will also speed up separation of Internet into national networks. American websites won't trust attestation from Russian browsers, and vice versa, Russian sites won't trust American browsers.
People get mad at Google for implementing something Apple already implemented up to a point, that the economic driving force behind the free internet is asking for.
It's a shit idea but honestly Google isn't even the bad guy here. Everyone is mad at the theoretical anti-adblock usage of theoretical websites. Be mad at those websites instead!
Almost every free service out there runs on ads. If you pay your subscriptions, you probably won't even notice these shitty websites. There is exactly one group of people who will be hit the worst, and that's people who want everything for free with no ads and no requirement to provide anything of value in return. Guess what? No business can operate like that!
Google is in some very deep shit if the alleged ad fraud stories are true. They need to be able to verify that people are human or they will collapse under lawsuits.
We wouldn't need this crap if we, as a society, hadn't decided that we want everything for cheap or for free. Remote attestation can actually be valuable (i.e. for company owned devices entering a corporate intranet) but the fact everyone fears getting locked out of everything is a symptom of a much bigger problem with the internet today, one we're probably not willing to face.
I'm all for killing the big tech giants and bringing back competition, but Google quickly going bankrupt will be disastrous. Youtube and about fifteen years of human existence will disappear from the internet, billions of phones will stop receiving updates, gmail.com will disappear and businesses all over the world will be ruined as a result.
Even if this falls through, Google will still need to validate real browsers somehow. Expect CAPTCHAs for every news article instead. Maybe solve some puzzles before you can comment. This is their user friendly, unobtrusive attempt to get this tech through; if it fails, I expect their next attempt to be much worse. The web may very well end up being like browsing through Tor.
> It's a shit idea but honestly Google isn't even the bad guy here. Everyone is mad at the theoretical anti-adblock usage of theoretical websites. Be mad at those websites instead!
Absolutely not, Google is the driving force giving them that power, knowing it's very ripe for that sort of abuse.
Google is experimenting with detecting adblockers on YouTube. Don't for a moment think that the fact that this can be used to stop adblocking is lost on google. Honestly I wouldn't be surprised if that was secretly one of the main drivers behind it all.
I use ad blockers on Youtube myself but I have no illusions that this will keep working forever. Youtube knows damn well who's using adblock, they've subtracted adblocked views from their creators' ad payout for years.
They don't need the extra adblock detection, they need to validate that a human is watching the ads that do come up. You, as a user with an adblocker, are not YouTube's customer (unless you're paying for Premium, in which case you don't need standard adblock); their advertisers are.
I don't think adblock is such an immediate concern just yet. If they want to cut down on adblock usage, they can just restrict adblock users to a limited amount of videos per day, or limit them to 480p, or pull all kinds of other stunts. Premium exclusive higher bitrate streams seem to be slowly rolling out, but I suspect that's just the first step.
What Google desperately needs is proving to their real customers that they're not scamming them out of advertiser money. An ad not playing isn't costing them much, but an ad playing in a scraper's virtual browser window is a liability.
Safari doesn't have the market share that they could effect a change, especially since it is only seriously available on Apple devices, but Chrome is still in such a position.
Next comes the state that demands clients are verified in a way that they can ensure the age and identity of the user. This doesn't lead to anything good.
Google was essential in securing the web. Their acceleration of HTTPS adoption was constructive. This is for their ad business, against privacy and against the open web for very questionable benefits.
Their AI agents will be stronger than yours. They'll watch you 24/7 and make sure you're not doing that – verify there are no non-approved gadgets in front of your eyes; verify that there are no visible analog-gap-defeating tools anywhere in your physical proximity. Nothing will escape the machine's notice: no detail too small or subtle for a bored yottaflop God with nothing in the world to do but watch you.
You'll be free to opt out, though most of the internet will be unusable without Environment Integrity.
Analog gap. An AR headset that classifies ads in its field of view and filters them in real-time. Adversary model being, the evil Googleborg fully control your web browser and the locked OS it's running on – but you still control the gap between the display screen and your eyeballs.
The grandparent likely means Augmented Reality; they may be imagining a strange world where you wear glasses that filter ads out of your vision, and yet those ads are on a computer screen you view rather than right there in the headset being projected onto your eyes.
Google engineers or Google managers/business units? I don't think regular engineers have the voice to drive these kind of things. Sure, engineers are the ones implementing it, but at the end of the day it needs the approval of management.
That's a cheap argument to try to remove responsibility. Everyone who is part of this is responsible because they have a choice. It's like saying nuclear scientists are not responsible for making bombs that kill so many people, only the govt, who makes those decisions, is responsible.
Let's say WEI is all good - we trust Google and all of the people involved and it gets passed and implemented. Later on, by gradually changing it, it becomes all of what we feared it will become. How do we get back at that point? Can we even get back to a state before it? How would we fight against it? Do we just stop surfing the web as way of protest? Obviously that won't work.
There's an immense power disbalance about this and any privacy limiting or freedom limiting features. Once they go through, there's no coming back from it.
In practical terms, what’s the best thing an individual can do to make this less likely to happen?
I’ve been doing webdev for 20+ years, haven’t used chrome for the past few years besides using its inspector in Chrome canary. I’m content, I don’t feel like I miss it. I will try to convert my family to FF as I did in the past. But this makes me feel hopeless, unless there’s a strong legislative pushback (probably from the EU) or we break up the behemoth… It’s the first time I can’t see a way out of this.
Normies used to use IE. Then their techier friends asked them if they have used FF or Chrome and they moved on. Don’t underestimate the impact of local experts on the choices of people who don’t care/have time to explore.
Because both were a lot faster than IE. Nowadays almost everyone uses Chrome, Safari or Edge. Because Firefox is rather slow given the current competitors, not because the others care more about privacy (Also because that's just what their devices come with)
The "normie" internet is some kind of hell, but they seem to be content.
"We" need to do more / better to educate them!
I tried to implement pi-hole for some extended family members. They asked me to turn it off within a week because they couldn't watch advertising videos to earn a new 'life' on candy crush (or something closely resembling that).
I can't relate to "normies" anymore, it's too late for me...
Techies care enough about ad blockers that they will install Firefox on normies' computers, just so when their normie friend wants to show them a youtube video, they don't spend 15 seconds watching some absurd commercial.
Ad blocking is at least as big a deal as speed in terms of browsing comfort.
I keep seeing this comment on Hacker News and it makes me wonder. Do you only speak to engineers in your life? I'm on the side of people who think this is a violent threat against the openness of the web, but let's be real. Most of the people you'll run into on the street will have no better sense of this than they did the paradigm shift to HTTPS. In fact it will likely be even more transparent than that, which is part of what makes it so insidious. If you're waiting for a public to mobilise against a self-evident threat, this will fly into being without protest. Most people will need to be made to understand its danger, because they absolutely will not flee by themselves.
Well, considering most people using a browser don't even know of the existence of ad-blockers, I'd wager that no, most people will continue to use whatever is already installed to continue browsing Facebook as usual.
I think survey results showing 40% using ad-blockers is sufficient to question your assertion that most people don't know about ad-blockers. Folks may not all be using them, but I think a majority certainly are aware. And outside the U.S., even a majority use them in some countries.
Ordinary folks on the Internet have friends and family that are technically inclined and often seek advice from them. But most of the time, ordinary folks figure things out just fine on their own.
There's an elephant in the room. That is the question "Is internet content so good that people will consume it even if they're forced to see adverts?" Google thinks it is. I don't. The impact of this tech will only shrink audiences when their ad blockers stop working. It won't persuade people to carry on watching or reading with adverts switched back on.
As year after year passes and nothing happens on the anti-trust front it is clear that the do-no-evil embrace of the boa constrictor will end in a fatal bone crushing event that no alternative vision of technology could survive.
The open minded tech community can move mountains but this is now bigger than a mountain.
At this point about the only slingshot manoeuvre that could help us escape this fate is a reasonably resourced sovereign entity fully underwriting an open source stack (desktop, mobile, browser, cloud, fediverse) and nudging / seeding a mass user base by making it mandatory for engaging with public functions, paying taxes, transacting in sovereign money etc.
Effectively by declaring a tech "liberation" war.
I don't give this scenario high odds of happening but hopefully not every sovereign is captured. History is not made by the dazed and confused indulging in debilitating apathy.
Why the fuck we let an ad company have any say whatsoever in web standards is beyond me. Of course they want to turn the web into a billboard. If they could they'd beam ads directly into your dreams. The answer to this, and anything else proposed by google until they can prove good faith, is "no".
For example, elsewhere on this page someone is saying that Google is trying to do [x], where x is something that would kill one of the main apps on Samsung's phones. Of course Samsung would submit an antitrust complaint and win. Assuming Samsung wouldn't is stupid. I really wish people would put forward their arguments without such stupidity.
It reminds me of the Microsoft criticism of 10-20 years ago, when there was so much stupid criticism of Microsoft that it devalued the substantive, intelligent criticism. Lots of people assumed that the substantive criticism was just more ranting, and ignored it.
The point of attestation is to verify the integrity of your execution environment. With a "compromised" execution environment, access to websites could be blocked. Presumably, the attestation process would send a fingerprint of your browser configuration to the attester, who would then be able to see whether you're using "compromised plugins," and deny you access by not attesting your browser.
There might be ways to filter away the ads after they've been served, such as memory manipulation, but the problem can't be solved with a plugin anymore, as browser attestation could let websites deny you access altogether if you use a plugin they don't like.
Why would anybody expect them to do anything different? They are an ad company. Their revenue comes from selling your attention and profile.
People seem to have some severe cognitive dissonance when it comes to commercial web sites. They are crucified for selling ads and tracking then when they have the temerity to try and charge for their work people will start posting archive.is links to route around their paywalls.
If you don't like advertising then don't visit advertising funded sites or use their "free" tools. If you don't like paywalls then hit the back button and spend your attention elsewhere.
some cognitive dissonance from that explainer github
> "Users often depend on websites trusting the client environment they run in."
Nope, websites depend on the advertisers trusting them.
WEI is solving a website vendor problem, not a user problem.
> "The web page executing in a user's web browser"
From a user perspective web pages "render" in the browser, not "execute".
Vendors that want "execution" on a client machine should distribute a rich client app, where many OS platforms already support environment attestation.
WEI is web page vendors wanting to have their cake and eat it.
>Google ensures that the tokens will not include unique identifiers
Let me get this straight, so they want to establish "personhood" without attesting a unique ID to also preserve privacy.
Then how will they prevent a single secure element attesting an entire FSB worth of fake internet users? I feel like these two goals are mutually exclusive.
This is of course the least of my concerns. The whole thing should've been uprooted ages ago.
I hate ads as much as anyone but providing a free service that runs ads and shares part of that income with content creators is hardly particularly evil.
You make it sound like an old fashioned newspaper.
But in reality it's more like the newspaper publisher would then follow you around all day wherever you go and interrupt you every time you try to have a moment's thought or talk to your children, so they could perhaps interest you in this product they're advertising.
Not only would they passively follow you around but instead direct you to places where you find the most outrageous people you can think of. When you're all worked up they could put you in touch with the highest bidding political operative that promises to ease all your pains.
I mean sure, maybe the publisher is not evil but I don't know what to call them.
Lately I started getting shocksites kind of ads (think goatse.cx) of horrific cases of fungus in the legs or whatever. I pressed x on several occasions, naively thinking that anyone cares. Then I decided I don't want to see an ad in my life again. I got ublock origin on firefox and moved to Vivaldi browser in my android (which is a really good browser, coming with an adblocker out of the box). The hardest thing is in the non digital world though, walking in the streets it is hard to look away from the shiny big ass screens everywhere. But with AR vision in the next 5 years it would become obsolete as well.
And if you happen to be a tech giant that can drive the industry literally to every direction you want for decades, and what you choose to innovate is ad tech and NOTHING else, you're not evil, just stupid. Well maybe both. Or either. But definitely stupid.
Well I don't tell myself anything like this because honestly I don't think anything about it is "cool".
It's much cooler to not understand it, which makes you the cool guy :)
People were quite ok with the ads when they were not as obnoxious as today. Apart from techies, few people would put the effort to block them.
But these days, you want to watch a 2' video on YouTube you are subjected to 20-30" of unskippable ads. Discounting the privacy (and even security) concerns, this alone pushed a lot more people to start ad-blocking where they can.
People pay for Netflix because they want to watch the specific content, for which the platform has already invested money. It feels natural and fair to pay them. For the same reason, if they had a perhaps limited in content, but not obnoxiously annoying ad-supported option, people would be more likely to respect it.
On the other hand, YouTube wants you to pay to get rid of the annoyance they intentionally planted in their platform, while they have invested 0 of their money on content. Also, most creators don't seem to be paid enough from YouTube, and appear to make their living off of 3rd party sponsors, sales, referrals, etc. With this model, it is not surprising that people aren't very keen on having a YouTube subscription.
I would accept ads more easily if they were not a privacy disaster.
I’m watching a video about cars, sure show me the ad about this crappy car brand I will never buy. I’m reading an article about Prometheus, sure show me an ad about your greatest SaaS metrics platform that cost more per monitored machine than my machine.
>I would accept ads more easily if they were not a privacy disaster.
Would you really? I mean I keep hearing this but it doesn't ring true to me. People don't like ads in content because it interrupts what they are trying to consume and tries to leverage them away. This seems like a far greater motive to install an ad-blocker than some hand wavy tracking that probably doesn't even work that well.
> People don't like ads in content because it interrupts what they are trying to consume and tries to leverage them away.
Here you answered it yourself why people adblock. If ads were served on either side of the holy grail layout like the good ol days it wouldn't have been such a pain in the ass.
I remember jumping on the ad-blocking wagon when google started serving their shitty ads in between scroll content, serving diseased people's photo ( ketto.org ) and getting frighteningly accurate/curated ads of what I searched for previously. Literally fuck google for having a digital private investigator on my ass 24/7 just to sell me shit. I am gonna use ad-blocker till the end of time.
Sergey Brin and Larry Page's original search engine paper fell short of calling it evil. But they did use phrases like "incentive to provide poor quality search results", "particularly insidious" and "inherently biased towards the advertisers and away from the needs of the consumers".
It really depends on whether you see ads as "bringing to the user's attention that there is a product out there that might improve their lives" or if you see them as "attempts to manipulate people into spending money on things they don't need or want".
I'm definitely in the latter group, but I can see how some market purists might believe in the first version.
emotional brainwashing (entertainment, fear etc) of people to buy stuff that they don't need. taking advantage of people's weakness. it's not like "this is our product, this is what it does, and this is the price of it" instead "your neighbour has this cool stuff but you don't, which means you are a lesser person if you don't buy it also", "if you don't buy this stuff, you won't get a girlfriend and die alone", "if you don't buy this stuff, you will miss out on an amazing opportunity of becoming rich and be stuck as poor"
Ads per se are a fine alternative to pay for a website, the problem is when they are the most attractive option. Because them being the most attractive option usually means they are the only option, meaning they are also the only option for people that would be willing to pay to see no ads (me).
I see it like smoking. It should be legal, but there need to be laws in place preventing smokers from harming and annoying anyone that chooses not to smoke. Ads should be legal, but there need to be laws in place allowing people to completely avoid them by paying a fair price. Until this is the case and everyone can choose, making them unavoidable is morally wrong.
That is not what the article is about though. The article is about a new proposal which people are concerned would give Google even more leverage over how the web functions.
Technically we do not need "proof" that our users are human, not even when using AdSense to monetize our websites.
The only reason Google think we do is because they implemented AdSense incorrectly. E.g. Using an impractical and underpriced PPC model. If they used a fixed pricing model this would not be a problem, and fake clicks would not even be an issue.
No, of course not. An advertiser should do actual diligence, experiment, and find what works.
I am reminded of a story of a retailer who accidentally stopped advertising online and saw no adverse change in sales. While I can't find the exact one I have in mind, it seems this isn't rare.
It depends what kind of advertising you're doing. For performance advertising, where you want someone to take an action right away (click an ad, complete a sale) not totally works. Performance advertisers are generally willing to deal with counterparties they don't trust at all because it's easy for them to see if they are getting their money's worth.
On the other hand, most of the money in advertising today is in brand advertising. No one clicks through an ad for Ford or Coke and buys immediately. You can run experiments on these at a very coarse level, but that level is approximately "the English speaking internet". Which means brand advertisers are willing to pay far more if they know real people are seeing their ads.
(I used to work in ads, but quit a year ago and have no plans to go back)
I wonder how future historians are going to look back at this. The vast majority of people letting themselves be forced into wasting a portion of their lives on ads make me pessimistic for the survival of this race. Might seem like hyperbole, but I'm not talking about ads anymore, I'm talking about submissiveness.
I have a counter proposal. Us humans should fully embrace this and then work to become even more useless than a bot. We're going to maximize watching and clicking ads without ever buying a damn thing again.
We never convert, making online advertising pointless.
I use Brave Browser and Brave Mobile. They started out to tackle these kinds of issues but they've adopted chromium since. Should I ditch them for Firefox?
Firstly, Google's notion of a trust-privacy trade-off seems to be an oversimplified solution to a complex problem, which in effect could mean a bargain with the devil. Yes, the digital world needs more trust, but to gain that at the expense of privacy, strikes me as a hasty solution which smacks of Orwellian overtones. Would you trust a lock that promises to protect your home but allows the locksmith uncontrolled access?
The possibility that this is a thinly veiled attempt at introducing Digital Rights Management into web pages is a concern that should not be dismissed lightly. This may well be a sly effort to muzzle ad-blocking capabilities, thus reducing the web to a cacophonous bazaar of incessant advertisements, a capitalist wet dream at the expense of user experience. I echo the critics who view this as a potential threat to the open web. Furthermore, the question of who controls the "attesters" is a serious concern that evokes dystopian scenarios of a digital oligarchy. In a world increasingly reliant on digital verification, the potential to manipulate trust scores essentially hands over the reins of the digital world to a select few. This, far from enhancing trust, could potentially further erode it.
The ambiguity surrounding browser modifications and extensions further fuels suspicions. In its guise of ensuring legitimacy, the proposal seems to conveniently overlook the diversity and customization that has been a hallmark of the digital world, creating an environment of dubious one-size-fits-all integrity.
Moreover, the vague explanation of the enforcement and establishment of baseline requirements does little to allay fears of vendor exclusion. What are these requirements and who indeed gets to decide them?
This is a dumb article that's trying and failing to tie Attestation to ad blocking.
> However, how this plays out with browsers that allow extensions or are modified remains a grey area. As the proposal vaguely mentions, "Web Environment Integrity attests the legitimacy of the underlying hardware and software stack, it does not restrict the indicated application’s functionality."
And if ad-blockers are considered illegitimate software?
This would be entirely in line with financial incentives of the proposed attesters and even logically defensible (oh well, we haven’t vetted uBlock, so you can’t browse with that installed).
Web Environment Integrity API Proposal – https://news.ycombinator.com/item?id=36817305 (618 points/4 days ago/442 comments)
Google Chrome Proposal – Web Environment Integrity – https://news.ycombinator.com/item?id=36778999 – (117 points/7 days ago/94 comments)
Web Environment Integrity Explainer – https://news.ycombinator.com/item?id=36785516 (87 points/6 days ago/44 comments)