The Right to Lie and Google’s “Web Environment Integrity”

202 points by boramalper, almost 2 years ago

25 comments

liveoneggs, almost 2 years ago
I think the fundamental disconnect here is that Google's view of "user" is a "Chrome/Android User Who Shops from SERP Pages" -- google makes money vs the more nebulous "user" of "the (open) web" which is probably only understood by a few people who were alive in the pre-web world (people 35 and older who were also online).

Google does not care about the latter and only wishes to make more money from the former. Google has a clear and blatant monopoly position over ad-based web monetization so *most* of the web will follow Google's will. We all need paychecks. The group of old farts who saw the world change are growing older and irrelevant.

I am extremely pessimistic about the future of "the (open) web" as the vehicle of our modern low-friction economy as these corporate gatekeepers (Google and Microsoft) are making such big wins recently.

Good luck out there. The World Wide Web (old school) and Old Fashioned HTTP+HTML are under grave threat from carpetbaggers.
superkuh, almost 2 years ago
His comment system is currently broken and will just 404 and return you to a URL at https://rants.org/%5Ehttp:/your.ip.addy.here/. So I guess I might as well post here instead,

> My web browser (currently Mozilla Firefox running on Debian GNU/Linux, thank you very much) will never cooperate with this bizarre and misguided proposal.

Mozilla used to be about user freedoms. Lately Mozilla has been a front-runner on turning off and disabling non-TLS just HTTP support. They will likely be one of the first browsers to remove support for it and eventually HTTP/1.1 as a whole. ref: https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/

Given that HTTP/3 as implemented by Mozilla *cannot* connect to self-signed TLS cert websites this means the future of Firefox is as a browser that can only visit websites that third party TLS CA corporations periodically approve (even if those corporations are currently benign, like LetsEncrypt). Does this remind you of anything? That's not to say other browsers are better in this respect. Mozilla's Firefox and its forks are the least worst... it's just everything is getting much worse all together.
thesuperbigfrog, almost 2 years ago
"If your computer can’t lie to other computers, then it’s not yours."

This fundamentally comes down to "do you really control your computer, or does someone else?":

https://youtu.be/Ag1AKIl_2GM?t=57
gochi, almost 2 years ago
Is there a link to an article that actually goes into WEI on a technical level that isn't the proposal itself?

So many things posted to HN about it have been the grand overview, which is a perspective worth diving into but also has drowned out every other perspective to the point where it's very difficult to figure out what's really happening with the proposal here.
seo-speedwagon, almost 2 years ago
I figured I’d take a minute to try and find the proposal itself, so I could see what the proponents considered the virtues of this to be.

https://github.com/mozilla/standards-positions/issues/852 https://github.com/RupertBenWiser/Web-Environment-Integrity/blob/main/explainer.md

I stopped reading after the explainer’s intro section. The first example is making it easier for websites to sell ads (lmao) and the other 3 are extremely questionable whether the proposed remedy even helps. And it’s presented as a benevolent alternative to browser fingerprinting, as if we must choose between these two awful choices. It’s an absolute joke of a proposal.
ranting-moth, almost 2 years ago
May I suggest something like "Enterprise Environment Integrity". How does the public know that the enterprise (i.e. Google) it's dealing with is healthy?

The public should have an entity that will receive detailed attestation data to assess that. Failing the attestation will revoke business permit along with an announcement.
Macha, almost 2 years ago
> In the normal world, you show up at the store with a five dollar bill, pick up a newspaper, and the store sells you the newspaper (and maybe some change) in exchange for the bill. In Google’s proposed world, five dollar bills aren’t fungible anymore: the store can ask you about the provenance of that bill, and if they don’t like the answer, they don’t sell you the newspaper. No, they’re not worried about the bill being fake or counterfeit or anything like that. It’s a real five dollar bill, they agree, but you can’t prove that you got it from the right bank. Please feel free to come back with the right sort of five dollar bill.

Side note: This at least would occasionally happen if you tried to spend Scotland or NI £5 notes in England.
hkt, almost 2 years ago
I can't convey how disgusted I am at the thought of WEI becoming a reality.

It will lead to three webs: the remainder of the open web, the new closed web, and the pirate web.

Personally I'll do my bit to preserve openness, even if that means working socially and technically to support the new world of piracy. It will always be a losing battle without institutions fighting for openness, though.

This is a moment when Sun's old line - "the network is the computer" - starts to look hideous and dystopian. Prophetic, but maybe not how we thought.
theteapot, almost 2 years ago
In other words, Google earnestly believes your browser belongs to them and you're just using *their* tool. They're not really wrong either. What'd we think would happen when Google (an ad company) dominated browser market share ...
userbinator, almost 2 years ago
The underlying hostile technology is "remote attestation" and it's what we should all be fighting against.

People justify the latter by speaking about companies wanting control over employees' environments, but IMHO that shouldn't be allowed either. This is also why "zero trust" is problematic; they want to replace humanity with centralised control.
EGreg, almost 2 years ago
*My web browser (currently Mozilla Firefox running on Debian GNU/Linux, thank you very much) will never cooperate with this bizarre and misguided proposal. And along with the rest of the free software community, I will continue working to ensure we all live in a world where your web browser doesn’t have to either.*

That depends on Mozilla. As long as our software comes from corporations, we will just be reduced to begging.
throwbadubadu, almost 2 years ago
We have come a long way since "don't be evil", would be funny if not so sad..
jacknews, almost 2 years ago
I'm not sure the title is helpful, or the analogy.

It's more like, if you want to borrow a book from the library, you have to bring an FBI agent home with you too, so they can certify that you don't have a photocopier or scanner (or even a pen and paper), that only you can read the book, and not another family member, that if you want to read aloud, your windows can't open and let anyone else listen in, that you read it from cover to cover including the back-page ads for other books in the series, that you can't leave home with the book, to re-lend it out, and so on.

NO. Not on *my* machines.
Pxtl, almost 2 years ago
On the one hand, I firmly do believe that we need a proper way to verify identity globally over the internet. The Turing Test is over and AI is going to destroy every user-submittable form online.

On the other hand, it's infuriating that advertising is the first front in this war. I specifically don't want advertisers to have my identity. I'm fine with like my Mastodon server or a site like HN to know I'm me because I'm actively interested in interacting with them. I don't want to interact with advertisers, or for them to have my identity, but they're going to wall off half the internet for people who opt out.
tedunangst, almost 2 years ago
Funny that this was cross posted to fediverse, a network that is heavily reliant on digital signatures to prevent lying.
wdiamond, almost 2 years ago
People built internet just to destroy it. It's not a tech problem. It's economics. The forever decreasing profits because more people just know and re-sell for less. Tor will become more and more expensive till people realize that needs the same hardware trick with another brand like internet2,3,4,5,... To seek the solution by hacking won't stop this forever battle. It just ends when the imaginary of fair price for information meets the offer (the forever decrease of population to let universe in peace)
user6723, almost 2 years ago
The WEI camp wants a world where you can have your open source OS with encryption that actually works but almost any commercial website won't talk to you.

WEI will get integrated with your CBDC.
recursive4, almost 2 years ago
Upvote if you actually read the proposal in question.
oh_sigh, almost 2 years ago
The premise of this article is fundamentally wrong.

> On that Web, if you send a valid request with the right data, you get a valid response.

Explain DoS protection then.
1vuio0pswjnm7, almost 2 years ago
"By analogy: right now, you can tell your browser to change its User-Agent string to anything you want."

You can also choose not to send this header. By default I do not send it. The RFCs do not require it^1 and very rarely do I find sites that do. When I do find such sites,^2 I just add them to the proxy config so that a UA is added on the way out. Almost invariably these sites will accept a made-up UA, so long as it is well-formed, which is interesting.^3 It suggests no one knows what new UA strings will appear.

The origin of changing the User-Agent header dates back to one of the earliest browsers, written in part by a well-known Silicon Valley VC.^4 It was always possible for the user to control HTTP headers such as UA and the designers knew it. Later in the "browser wars" Microsoft changed its UA header to match Mozilla's.^5

1. https://towardsdatascience.com/the-user-agent-that-crazy-string-underpinning-a-bunch-of-analytics-86507ef632f0?gi=e30981d0139f

2. For example, www.federalregister.com and sec.gov.

3. Many users want to "blend in" and use common strings so perhaps use of made-up strings remains largely untested.

4. https://raw.githubusercontent.com/alandipert/ncsa-mosaic/master/mosaic-spoof-agents

5. https://webaim.org/blog/user-agent-string-history/comment-page-1/

https://humanwhocodes.com/blog/2010/01/12/history-of-the-user-agent-string/

As for WEI, I'm inclined to think that the terms "abuse" and "fraud" in the spec may actually refer to ad fraud, including potential fraud by Google itself in marketing its ad services because it hides the true extent of ad fraud from its customers.

People who like to access the web with uncommon TCP/HTTP clients may not be a significant problem. There are no details given in the spec about this alleged "fraud"; perhaps that's intentional. Although by being vague in the spec, real humans that prefer not to use popular browsers may jump to conclusions.^6

It could be that we're on the cusp of exposing the true extent of ad fraud with respect to Google, and the ultimate unworkability of Google's core "business" (selling ad services). Perhaps Google believes its advertiser customers could begin to lose trust; maybe direct more ad spend to Apple.

6. Some pre-spec discussion: https://groups.google.com/a/chromium.org/g/blink-dev/c/Ux5h_kGO22g/m/XCAIgPtxAQAJ
aabedraba, almost 2 years ago
For crying out loud, Google
puffyengineer, almost 2 years ago
What is so wrong with Web Environment Integrity? It's a great policy, and the notes CLEARLY outline how the main benefit is going to be for the users and website developers. If you're not doing anything wrong, then you shouldn't have an issue.
TX81Z, almost 2 years ago
At no point does he explain what the hell the rant is about.
Georgelemental, almost 2 years ago
There is no right to lie. There is a right to remain silent. That is what "Web Environment Integrity" threatens.
skybrian, almost 2 years ago
> If your computer can’t lie to other computers, then it’s not yours.

And why is that not okay?

I think this sort of attitude is left over from when computers were expensive. Nowadays, I have multiple computers, some of which are fun toys I mess with, while others are appliances that I just use for their intended purpose. And that's fine, because when I screw up, maybe I don't want to have broken the computer that I use for video chats and to do my banking? Maybe I don't want my main phone to stop working?

It's okay to be a hacker and buy a router that you just use as a router and a Chromebook that you just use for web browsing. You can also buy a Raspberry Pi and mess with embedded programming on cheap devices. The appliance computers should be as low-maintenance as possible so you have more time for hacking.

The nice thing about really cheap devices like a Raspberry Pi Pico is that if you actually build something useful for real work, you can deploy it, stop messing with it, and buy *another* computer for experiments.