Google’s nightmare “Web Integrity API” wants a DRM gatekeeper for the web

&gt; Exactly how the rest of the world feels about this is not necessarily relevant, though. Google owns the world&#x27;s most popular web browser, the world&#x27;s largest advertising network, the world&#x27;s biggest search engine, the world&#x27;s most popular operating system, and some of the world&#x27;s most popular websites. So really, Google can do whatever it wants.<p>This is the point that company breakups start to make a lot of sense.<p>When Google can do something that every one of it&#x27;s users hates and none of us can do anything about it, they <i>perhaps</i> have too much market power.

&gt; The goal of the project is to learn more about the person on the other side of the web … The intro says this data would be useful to advertisers to better count ad impressions, stop social network bots, enforce intellectual property rights, stop cheating in web games<p>Go f yourself, Google. Browser’s purpose is to serve me web pages, not to learn about me.

The use cases for the WEI proposal are pretty clear from the explainer (<a href="https:&#x2F;&#x2F;github.com&#x2F;RupertBenWiser&#x2F;Web-Environment-Integrity&#x2F;">https:&#x2F;&#x2F;github.com&#x2F;RupertBenWiser&#x2F;Web-Environment-Integrity&#x2F;</a>...):<p>Google &quot;will be able to request a token that attests key facts about the environment their client code is running in.&quot;<p>Google &quot;will ultimately decide if they trust the verdict returned from the attester.&quot;<p>&quot;Allow&quot; Google &quot;to evaluate the authenticity of the device and honest representation of the software stack and the traffic from the device.&quot;<p>I have replaced &quot;web sites&quot; and &quot;web servers&quot; in the original explainer text with &quot;Google&quot; for clarity of intent.<p>Why would Google want these capabilities in web browsers?<p>What does Google plan to do with them?<p>What follow-on actions is Google planning?<p>Google marketing exec: &quot;We need to lock down web browsers so we can make more money by showing ads.&quot;<p>&quot;Ad blockers need to be prevented. The new WEI APIs will ensure that ad blockers aren&#x27;t running, that our ads are being seen, and that no DRM is being compromised.&quot;<p>&quot;We also want to prevent ad fraud. With WEI we can ensure that ad clicks are legit and that people are watching the ads we show. If we can&#x27;t control the operating system like we can on Chromebooks and Android phones, then we need to control the web browser with cryptographic certainty.&quot;<p>Getting browsers to adopt and implement Web Environment Integrity is Step 1.<p>Step 2 is where all Google web sites start requiring Web Environment Integrity to be used or they lock you out of the site.<p>Step 3 is where all websites serving Google ads require Web Environment Integrity to be used.<p>Step 4 Profit!<p>Web Environment Integrity is the beginning of the further DRM-ification and enshittification of the Web.

One thing from the blink-dev discussion caught my eye:<p>&gt; Anything we might decide would ultimately be influenced by the larger societal debate around privacy (regulations etc.) since perfect privacy means perfect immunity for criminals.<p>Ensuring that your devices don&#x27;t spy on you on behalf of a government or company does not imply &quot;perfect immunity for criminals&quot;.<p>Putting aside attestation for the moment, consider this: Modern enclave driven device encryption (and the self-destructive passcode limitations that often accompany it), for example, could be likened to designing a very good safe that can automatically destroy its contents if it is breached. Do we require governments to have their own keys to all such safes sold?

I&#x27;ve been thinking about this for a few days but just realized that this is a complete end run around all web scraping in general.<p>All &#x27;adversarial compatibility&#x27; from projects like Nitter, Teddit, Invidious, and youtube-dl go out the window. Any archive site (archive.org, archive.ph, etc.) can be blocked by sites requiring attestation.<p>And just like the book industry was terrified of piracy and were &#x27;rescued&#x27; by Kindle, so too will journalism outlets that can&#x27;t find a business model flock to Google to save them.<p>This is going to be rough.

It&#x27;s great to see this getting more attention. User-agent discrimination (i.e. &quot;go away if you&#x27;re not using the latest version of Chrome&quot;) needs to become illegal. As long as I&#x27;m not overloading your service or similar, what hardware or software I use must not be restricted. The same goes for other deliberate obstacles to accessibility and interoperability --- creating a &quot;standard&quot; that&#x27;s so complex and churned frequently enough that only Google can implement it and keep up with changes, and then spreading propaganda to encourage all sites to essentially become Chrome-only regardless of their actual utility, is something that needs to be stopped.<p>I recommend finding everyone responsible for this and exercising your right to free speech on them. It works for politicians, and it should work on this other flavour of bastard too.<p>Once again, Stallman was very prescient: <a href="https:&#x2F;&#x2F;www.gnu.org&#x2F;philosophy&#x2F;right-to-read.html" rel="nofollow noreferrer">https:&#x2F;&#x2F;www.gnu.org&#x2F;philosophy&#x2F;right-to-read.html</a>

That&#x27;s wrong on so many levels, I don&#x27;t know even where to start.<p>First of all I hate this &quot;proposals&quot; which is actually, &quot;we implemented this in our flagship product, and kindly force it on our users, you don&#x27;t have to use it, if you have a choice&quot;, stance.<p>Then comes all the &quot;ensuring they aren&#x27;t a robot and that the browser hasn&#x27;t been modified or tampered with in any unapproved ways.&quot; part. I&#x27;m using an open source browser which is not Chromium based (i.e. Firefox). I can modify and recompile the way I want it. I can use links&#x2F;elinks&#x2F;lynx&#x2F;dillo if I want (and I use them, too). Who do you think you are, and how come dictate my software I use on my own computer?<p>It&#x27;s 90s DRM wave all over again. Constant attacks towards open software, open platforms, open protocols.<p>It&#x27;s maddening and saddening at the same time.

The proposal author (who locked the issue[0] on Github) also commented on HN and has, so far, remained silent here too: <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=36825097">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=36825097</a><p>[0] <a href="https:&#x2F;&#x2F;github.com&#x2F;RupertBenWiser&#x2F;Web-Environment-Integrity&#x2F;issues&#x2F;28#issuecomment-1646083436">https:&#x2F;&#x2F;github.com&#x2F;RupertBenWiser&#x2F;Web-Environment-Integrity&#x2F;...</a>

&gt; Google&#x27;s plan is that, during a webpage transaction, the web server could require you to pass an &quot;environment attestation&quot; test before you get any data.<p>There is no value in this &quot;attestation&quot; for me as a user. I want to be able to do whatever I want with the browser (for example, remove ads or block access to canvas and webgl) and I want sites to be unable to know this. And probably this attestation will provide additional fingerprinting signals which is what I don&#x27;t want.

Are you using Chrome now? Hate to say it, you are part of the problem. Switch to <i>anything</i> else.<p>I&#x27;m not a super anti-Google person. I use Gmail and Google as my search engine. But Firefox is a good browser that I use as my daily driver, and Edge, Brave, Safari and the DDG browser are other options.<p>Switch <i>today</i> and start taking away Google&#x27;s leverage.

Google seems to be escalating the speed of its efforts to restrict its user base to the completely non-technical, but Apple and Facebook already own that market.<p>It also sounds like they&#x27;re promoting yet another way to make &quot;the internet&quot; slower, more bloated, and have greater impediments to usage.

They&#x27;re going to prevent me from running an adblocker in this &quot;web integrity&quot; environment, aren&#x27;t they.

I think this is one of the shittiest things I&#x27;ve seen so far. The thing with this is that is invisible to 98% of regular users out there. It&#x27;s already hard to explain things clearly to non-tech persons as <i>why</i> certain policies are harmful at the privacy level.<p>And even if they do understand you, in most cases their perception of you is as someone really paranoid about privacy, and yes they will undoubtly ask things like: &quot;so you don&#x27;t have twitter, facebook, instagram, ...&quot;. It&#x27;s really hard to convince people or at least make them truly see all these dark things going on behind the scenes.<p>Regular people won&#x27;t even talk about this, they don&#x27;t&#x2F;won&#x27;t care. As long as they still able to see the content they are requesting this is something that do not affect them, it affects the people that know the shit is going on under the hood because we understand how machiavelic a move like this is.<p>On the other side if this somehow manages to ever see the light of the day, it&#x27;s a huge opportunity for other people to come up with alternatives that effectively fight back this initiative and&#x2F;or bypass it. If there&#x27;s something that we do not run out of in this industry is creativity, for all sort of things, even the craziest ones, and that&#x27;s something no corporation will ever be able to mitigate.<p>Also keep in mind that no browser is going to ever be in the podium eternally. Chrome has a expiry date, we just don&#x27;t know when it will expire.

See also previous discussion on <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=36817305">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=36817305</a> (the same link mentioned in the article)<p>It&#x27;s honestly good for this to get a lot of attention though, I&#x27;m happy to see additional commentary on it getting shared.

The Chrome team have used &quot;the Open Web&quot; as a euphemism for what is to all intents and purposes Google&#x27;s great ad supported walled garden. That so few people see this for what it is is amazing, and then they get all surprised when Google act to preserve it and close the capability gap with native platforms.

The people involved in this concept&#x2F;idea&#x2F;proposal should be shamed into retirement. They should never work in the tech sector again. They should be afraid to use their names before first knowing their audience (an agricultural audience would likely be OK).

&quot;The explainer is authored by four Googlers, including at least one person on Chrome&#x27;s &quot;Privacy Sandbox&quot; team, which is responding to the death of tracking cookies by building a user-tracking ad platform right into the browser.&quot;<p>Mr Amadeo does a good job succinctly explaining the explainer.

I&#x27;ve been reading HN since its birth and have been in the browser game for 25 years. HN, as a collective, shit all over Firefox and Mozilla for a decade while Google, who was never going to to anything but this, did just this. Good job.

Seems like this is going to get a lot of pushback. It might not go through. But remember whether it goes through or not isn&#x27;t the important thing. The fact that Google wants it to is what matters.

This sounds like the final death blow to the web as a useful platform for anyone who isn&#x27;t a corporation.

It honestly boggles the mind that the same company I used to respect twenty years ago has morphed into the evil monster that is modern Google. A tragic fall from grace.

Remember they already added DRM to browsers once. There was a big outcry at the time, and they still went ahead and implemented it. Now even Firefox supports Widevine.<p>If they believe that it&#x27;s in their best interest, I&#x27;m not really sure what we can do against this...

I already hate SafetyNet™ on Android, which punishes people for rooting their phones. This basically appears to be trying to bring that to the web.<p>Want to go to an online banking site? Then we&#x27;ll need to make sure your computer is <i>unmodified</i> and contains no <i>unapproved software</i>.

&gt; Exactly how the rest of the world feels about this is not necessarily relevant, though. Google owns the world&#x27;s most popular web browser, the world&#x27;s largest advertising network, the world&#x27;s biggest search engine, the world&#x27;s most popular operating system, and some of the world&#x27;s most popular websites. So really, Google can do whatever it wants.<p>On one hand, I think this is wrong, because the world is full of tech companies who thought they could do whatever they want because they&#x27;re big enough. &quot;Nobody would dare switch away from Facebook! Err, I mean Twitter. No wait, I meant Chrome!&quot; But that&#x27;s a bet, not a fact. Sometimes it works out, and sometimes everyone leaves and goes somewhere else. You think you have a moat, and you do, it&#x27;s just you don&#x27;t always realize it&#x27;s ankle deep.<p>On the other hand, Google <i>can</i> do what it wants with Chrome, because it&#x27;s their product. I use Firefox, and it won&#x27;t affect me. All the people who don&#x27;t care about this are free to use Chrome. Likewise, anyone who wants to listen to a man in his forties tell them about why some browsers are better than others can ask me about my thoughts. Nobody has done that yet, but the offer is on the table.

We need legislation that clarifies who owns a device and what consequences this ownership has. But we won&#x27;t ever get it as governments and corporations feel that <i>they</i> should own the device. If they ever agree on a separation of ownership, it&#x27;s game over. Our devices will become our biggest enemies.

&gt; So if you root an Android phone and get flagged by the Android Integrity API, several types of apps will just refuse to run.<p>That&#x27;s just messed up. If like saying if your car detect you have been doing maintenance yourself, you can use this particular brand of carburetor because they will refuse to work.<p>And they want that... for the web?

Friendly reminder to don&#x27;t just comment and complain, contact your antitrust authority today:<p>US:<p>- <a href="https:&#x2F;&#x2F;www.ftc.gov&#x2F;enforcement&#x2F;report-antitrust-violation" rel="nofollow noreferrer">https:&#x2F;&#x2F;www.ftc.gov&#x2F;enforcement&#x2F;report-antitrust-violation</a><p>- antitrust@ftc.gov<p>EU:<p>- <a href="https:&#x2F;&#x2F;competition-policy.ec.europa.eu&#x2F;antitrust&#x2F;contact_en" rel="nofollow noreferrer">https:&#x2F;&#x2F;competition-policy.ec.europa.eu&#x2F;antitrust&#x2F;contact_en</a><p>- comp-greffe-antitrust@ec.europa.eu<p>UK:<p>- <a href="https:&#x2F;&#x2F;www.gov.uk&#x2F;guidance&#x2F;tell-the-cma-about-a-competition-or-market-problem" rel="nofollow noreferrer">https:&#x2F;&#x2F;www.gov.uk&#x2F;guidance&#x2F;tell-the-cma-about-a-competition...</a><p>- general.enquiries@cma.gov.uk<p>India:<p>- <a href="https:&#x2F;&#x2F;www.cci.gov.in&#x2F;antitrust&#x2F;" rel="nofollow noreferrer">https:&#x2F;&#x2F;www.cci.gov.in&#x2F;antitrust&#x2F;</a><p>- <a href="https:&#x2F;&#x2F;www.cci.gov.in&#x2F;filing&#x2F;atd" rel="nofollow noreferrer">https:&#x2F;&#x2F;www.cci.gov.in&#x2F;filing&#x2F;atd</a><p>Canada:<p>- <a href="https:&#x2F;&#x2F;www.competitionbureau.gc.ca&#x2F;eic&#x2F;site&#x2F;cb-bc.nsf&#x2F;frm-eng&#x2F;GH%C3%89T-7TDNA5" rel="nofollow noreferrer">https:&#x2F;&#x2F;www.competitionbureau.gc.ca&#x2F;eic&#x2F;site&#x2F;cb-bc.nsf&#x2F;frm-e...</a>

While I don&#x27;t love this API&#x27;s idea, I understand why they&#x27;re doing it, and the API it describes really just sounds like any Captcha API today.<p>&gt; Google&#x27;s plan is that, during a webpage transaction, the web server could require you to pass an &quot;environment attestation&quot; test before you get any data. At this point your browser would contact a &quot;third-party&quot; attestation server, and you would need to pass some kind of test. If you passed, you would get a signed &quot;IntegrityToken&quot; that verifies your environment is unmodified and points to the content you wanted unlocked. You bring this back to the web server, and if the server trusts the attestation company, you get the content unlocked and finally get a response with the data you wanted.<p>The problem with Captchas today is that there are a lot of services you can use to bypass them. You send the token to a human, human gives you the solution-token, and you pass that to Google.<p>I can see why they want to make this more protected. As a user, if this lets me solve captchas less for certain sites, I&#x27;m OK with that. Of course, I don&#x27;t think this API should be used for the entire web, but I definitely understand its use-case.

This highlights the evil of DMCA. DRM is not that big of a deal if you can freely exploit some vulnerability in you tpm &#x2F; hardware attestation module, extract the keys, lobotomize the creep, visualize minimal functionality and share your research. With DMCA you&#x27;re suddenly breaking the law at multiple steps of the way.

But they told me that Google being the one of the largest advertising companies in the world, had no interest in handicapping ad-blockers. BTW its the same company spreading FUD over AGPL.

Recent and related:<p><i>Web Environment Integrity API Proposal</i> - <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=36817305">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=36817305</a> - July 2023 (428 comments)

Be Evil™

This won&#x27;t even work to solve the problem they&#x27;re trying to solve. If I&#x27;m a scraper or someone that wants to drive fake ad impressions, what stops me from faking the attestation info? There&#x27;s some mention in the original article about the attester validating the attestation data is signed on the client, but that just pushes the problem down the stack a bit. Someone could still spin up VMs, and just automate the scraping in a real environment that passes attestation. The author is claiming this will ensure only humans are viewing said data, but it doesn&#x27;t really ensure that, it only adds a couple steps.<p>I also find it funny that the authors point to mobile platforms as an example of how this will work well. Last time I worked with ad tech, mobile ads were flooded with fake impressions, and I highly doubt that has changed. The funny thing about players like Google is that they want to be able to tell advertisers they&#x27;re doing a lot to prevent fake impressions to get them to buy ads, but they don&#x27;t really want to solve the problem because it would cost them a lot of money. So they kinda play the line and develop tech like this that sounds fancy but doesn&#x27;t actually stop the problem in practice.

The proposed function is impossible to implement in general. More precisely, it&#x27;s impossible to implement without specific hardware and operating system (you have one of a handful of choices) to the de facto standard that would develop over time if web servers came to depend on the behavior of the function. It would make the web decidedly not open.

Well, I think this move by google will divide the chromium project in 2 versions: one with and one without this &quot;feature&quot;.

What I&#x27;ve seen missing in these discussions is what happens with Headless browsers. Yes, these are used a lot for scraping, but there are also many legitimate use-cases. If the Web Integrity API is available to everyone then you can effectively no longer use Headless Chrome to browse to any of these pages, or am I missing something?

I&#x27;m totally behind all opposition against this, as I&#x27;m massively in line with the sentiment here. However thinking about it more and more, I get the impression that it will be essential to explain the impact of this to normal people (like my mom) and that&#x27;s, what I just don&#x27;t succeed in so far.<p>Without a broad support and public opinion about this, they might shockingly just be able to get this started. Apple and on-device CSAM scanning is something I have in mind about this, as s counter example.<p>What&#x27;s a simple narrative non-tech people understand about this? Should I ask ChatGPT?

There are conflicting &quot;requirements&quot; for the web it seems. We want freedom and anonymity but not too much because bots and because we want to use the web to buy things but not too little because dissidents, but not too much because pedos and terrorists...you get the idea.

I think the wisest course of action is to boycott all chromium-based browsers. Yes it might be painful, yes you might not have your favorite extension or add-on. Suck it up. I&#x27;ve been exclusively using Safari for years, even after extensions were killed.

More dystopian nonsense by the totally not evil company

Scraping webpages is extremely useful and this would seem to combat this. It&#x27;s also extremely useful by... oh yes... Google. And I&#x27;m sure they would find a way to whitelist their scrapers to index pages, but archive.org? Oh you&#x27;re SOL.

&gt; Google&#x27;s plan is that, during a webpage transaction, the web server could require you to pass an &quot;environment attestation&quot; test before you get any data.<p>Sounds pretty sweet from a corp security perspective. Context Aware Access lets you do attestation at SSO time but baking device integrity further into the system would be helpful.<p>Unfortunately, this gives a lot of power to webpages. I&#x27;m not sure it&#x27;s worth the tradeoff. This seems like something better handled by an extension, but I&#x27;ll have to read the spec.

So I&#x27;m already at the point where if I go to a website and that stupid Cloudflare &quot;securing your connection&quot; dialog pops up, I just click away. Fuck Cloudflare and their walled-garden horse.<p>If Google does this too then I guess the &quot;mainstream&quot; web will become invisible to me. No great loss since it&#x27;s mostly thoroughly enshittified anyway.<p>I&#x27;m happy to move to the new un-googled &quot;darkweb&quot; where freedom, anonymity, and non-SEO content still prevail.

Even if this DRM doesn&#x27;t get accepted and used Google&#x27;s QUIC protocol they call &quot;HTTP&#x2F;3&quot; that they whitewashed through the IETF with MS makes it so it&#x27;s impossible to establish a connection to a server unless it gets &#x27;attestation&#x27; from a third party CA TLS corporation. It&#x27;s the same thing in different clothing but everyone is cool about it for some reason.<p>Google should&#x27;ve just called this HTTPS+ Everywhere and there&#x27;d be no blowback.

The attestation need not be done by Google or web browser owner themselves. This can be done by operating systems or any third party attestation just like a simple version of certification attestation. I think even though the intention behind the idea is good, the integrity of the company that suggested this is so doomed that we are all afraid. I think such proposals will come and need to come so that gradually these proposals will mutate into something useful

Sounds crazy.<p>But a possible way to defeat it is what I do now --- keep two devices. One that meets their requirements for cases where it is absolutely needed and another for everything else.

Install Firefox. Disregard google.

Chrome should be split from Google for anti-trust reasons

I hope this somehow backfires so badly that EU wakes up and somehow forces them to remove widevine to restore some semblance of an open web.<p>One can hope.

If one thinks of computers as (cybernetic) extensions of brains then remote attestation is direct thought control.

Does this relate to the TPM chips ?<p><a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Trusted_Platform_Module" rel="nofollow noreferrer">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Trusted_Platform_Module</a>

I&#x27;ll tell you this – there are people who watched all Netflix titles and never visited netflix.com. People who read the NYT daily but never visited nytimes.com.<p>What does this change mean? There will be more such people.

Elinks, Lynx, w3m still works.<p>Heck, you can run Opera, Vivaldi, Firefox, and Chrome 78 on 2000 or XP with a 2023 build of KernelEx.

When Google created Chrome, some people were very happy! &quot;It&#x27;s the end of Microsoft&#x27;s monopoly.&quot;<p>The monopoly has been successfully changed ... to another monopoly!

What is the best way to block google? I mean, everything to do with them. On your router and on your phone.

Next step Google starts scanning your face and eyeballs but doesn&#x27;t bother paying for it.

I&#x27;ll add to this, notably, issues are still closed after the weekend: <a href="https:&#x2F;&#x2F;github.com&#x2F;RupertBenWiser&#x2F;Web-Environment-Integrity&#x2F;issues&#x2F;28#issuecomment-1646083436">https:&#x2F;&#x2F;github.com&#x2F;RupertBenWiser&#x2F;Web-Environment-Integrity&#x2F;...</a><p>If this proposal gets rejected it&#x27;ll be because of feedback in the press that is impossible to ignore. My experience watching how Google has handled contentious issues in the past makes me personally feel that Google will not be receptive to concerns about whether this spec should exist. Google and the Chromium team are not willing to hear community feedback about the direction of the web or about what the web should be. They demand that feedback start from a position of assuming the best intentions of the spec, and start from a position of assuming that the spec is basically good and might just have additional concerns to address (<a href="https:&#x2F;&#x2F;blog.yoav.ws&#x2F;posts&#x2F;web_platform_change_you_do_not_like&#x2F;" rel="nofollow noreferrer">https:&#x2F;&#x2F;blog.yoav.ws&#x2F;posts&#x2F;web_platform_change_you_do_not_li...</a>).<p>This has been a longstanding issue with how Google approaches web standards; according to Google there&#x27;s no such thing as a harmful feature and Google&#x27;s approach is never wrong; it just might need refining. The refining is the only thing that Google wants to talk about.<p>There is a predictable arc to this narrative as well. If blowback gets out of control, Google will blame that blowback on misinformation and accuse the community of operating in bad faith or fearmongering. At best, you&#x27;ll get a few people from the Chromium team saying &quot;we hear you and we need to communicate better.&quot; Note the underlying implication behind that statement that the original proposal wasn&#x27;t <i>bad</i>, it just wasn&#x27;t <i>communicated</i> well. People just need to do a better job of &quot;getting involved&quot; in the web standards process so that the Chromium team knows to address their concerns. And it just comes down to learning to be kind and &quot;remembering the human&quot; -- ie ignoring the structural damage that the human is capable of causing to the largest and arguably most important Open platform on the planet.<p>There will never in any situation be an acknowledgement that the direction or intent was wrong; that&#x27;s just overwhelmingly not how the Chromium team operates on any issue big or small.<p>It&#x27;s good for larger sites like Ars to cover this, and it&#x27;s good for people to share thoughts on social media; the only way that users have a say over this is if the press runs with it and generates a metric ton of bad publicity for Google; and even then it&#x27;s a toss-up. It comes down to what the company feels like it can ignore or dismiss with a couple of Twitter posts. And this is not just where issues like adblocking are concerned, the Chromium team has been hostile to user feedback even on more minor technical issues for a pretty long while. I was writing about this issue back in 2018 (<a href="https:&#x2F;&#x2F;danshumway.com&#x2F;blog&#x2F;chrome-autoplay" rel="nofollow noreferrer">https:&#x2F;&#x2F;danshumway.com&#x2F;blog&#x2F;chrome-autoplay</a>) and it was a trend before that point as well.<p>It stinks to go into a conversation not assuming good will from all of the parties (and it usually is wrong to do so), but the Chromium team has not earned an assumption of good will, and it&#x27;s done quite a bit to squander that assumption. It&#x27;s regrettably kind of a waste of time to try and engage on this stuff, it&#x27;s better to just criticize on social media and hope that the press runs with it. Because that&#x27;s the only thing that Google listens to.

Hopefully Apple&#x2F;Safari refuses to implement this. Apple loves DRM though...

Good. I never liked the &quot;Web&quot; in 2023 anyways, so good riddance.

Looks like I’m going to be reading a lot more books in the future.

They keep trying this shady type of thing every few months

Good old Google forcing itself upon users like always.

It looks like a good proposal. Botfarms are a pita for a lot of sites. Cheating in games is bad. Asking someone for their id to receive a package or content they paid for is normal in the offline world.

I watch all my DRM on Edge just to be annoying.

Anybody want a new Internet yet?

I don&#x27;t know if anyone&#x27;s all that interested in a possible explanation that doesn&#x27;t make Google look like the bad guy, but if so, I wrote about it here:<p><a href="https:&#x2F;&#x2F;tildes.net&#x2F;~comp&#x2F;18h8&#x2F;web_environment_integrity_a_google_proposal_for_general_web_drm#comment-9rh9" rel="nofollow noreferrer">https:&#x2F;&#x2F;tildes.net&#x2F;~comp&#x2F;18h8&#x2F;web_environment_integrity_a_go...</a>

Please explain how attestation by TPM works exactly, and why the device owner cannot break it.

&gt; Google&#x27;s plan is that, during a webpage transaction, the web server could require you to pass an &quot;environment attestation&quot; test before you get any data. At this point your browser would contact a &quot;third-party&quot; attestation server, and you would need to pass some kind of test. If you passed, you would get a signed &quot;IntegrityToken&quot; that verifies your environment is unmodified and points to the content you wanted unlocked.<p>Would you rather a capitalist dystopia, where large corporations get to approve everything you see &amp; hear, or a socialist dystopia, where the government gets to determine what you&#x27;re allowed to view?<p>[Answer: Neither]

Surprising even myself, I actually like this proposal. It does two things, one which is good, and the other which is not as bad as people are saying.<p>The good thing is to give browsers a way to attest to their inviolability to systems on the other end. This is generally useful! In particular, it opens up a huge potential for people to run what are effectively servers in their browsers - which was TBL&#x27;s vision for the web in the first place.<p>The not-as-bad-as-you-think thing is that Google (and others) will use this to disable ad-blockers. Ad blockers are fundamentally dishonest, and people who use them may feel guilty for doing so. The more honest approach is to simply not consume the media. And this, it turns out, is better for society at large. Anyone who gets paid to talk ekes out a living by hacking the algorithm, making a brand, and telling people what they want to hear. It&#x27;s bad and it&#x27;s a bad system that makes the world worse.

Google&#x27;s proposed &#x27;Web Integrity API&#x27; raises some intriguing questions about the future of web security and user privacy. While the intent to secure the web environment and ensure user authenticity is commendable, the approach seems to echo DRM mechanisms, which have often been contentious. The proposal also brings to light the ongoing debate about device control - should users be penalized for wanting full control over their devices? This &#x27;gatekeeping&#x27; approach could potentially stifle the open nature of the web and limit user freedom. As we move forward, it&#x27;s crucial to strike a balance between security and user autonomy.