
The attitude from Google towards this has changed significantly over the last few days (unsurprisingly).

From the "explainer": "we are evaluating whether attestation signals must sometimes be held back [...] However, a holdback also has significant drawbacks [...] a deterministic but limited-entropy attestation [i.e. no holdback] would obviate the need for invasive fingerprinting".

From the Google worker's most recent comment on the issue: 'WEI prevents ecosystem lock-in through hold-backs [...] This is designed to prevent WEI from becoming “DRM for the web”'

So, in other words, WEI could be used to prevent fingerprinting, but won't be able to if holdback is introduced -- 5-10% of clients would still get fingerprinted.

Looking at the list of "scenarios where users depend on client trust", all of them would be impacted by a holdback mechanism:

- Preventing ad fraud: not for the holdback group

- Bot and sockpuppet accounts on social media: not for the holdback group

- Preventing cheating in games: not for the holdback group -- and thus not for anyone playing against someone in the holdback group

- Preventing malicious software that imitates a banking app: not for the holdback group

In other words, if there was holdback, WEI would require places which currently fingerprint to retain and maintain the fingerprinting code and apply it to fewer users, in the best case, or would be completely useless in the worst case (for things like games).

However, it's also quite interesting to look at the implications of successfully attesting a browser which supports arbitrary extensions:

- Preventing ad fraud: install an automation extension

- Bot and sockpuppet accounts: as above

- Cheating in games: install an extension which allows cheating

- Malicious software which imitates a banking app: a malicious browser extension could do this easily.

In other words, unless you attest the browser with its extensions, none of the trust scenarios outlined in the explainer are actually helped by WEI. It's not obvious whether the Google employee who wrote this deliberately didn't think about these things, or whether the 'explainer' is just a collection of unconnected ideas, but it doesn't appear to hold together.

It is not surprising that the first target of WEI -- Chrome on Android -- does not support extensions.



