Given that 5.07 billion people use the web https://www.demandsage.com/internet-user-statistics/ it would be surprising if the politicians and regulators of the countries that HN users reside in are not at least some of them among those users.
As there are many regulations and court cases in the EU and the US (and I presume in other places as well) aimed at some of the richest companies in the world that have to do with browsers behavior it seems that they would have to know what a browser is.
Using the web isn't the same as knowing what the difference between a web browser and a computer OS is. Most people don't buy personal computers anymore, politicians are likely only using office PCs and their phone.
I use a train to get to work every day, but I don't really know anything about how the technology works (beyond a superficial level, the same degree of trivial superficiality whereby I know that Khartoum is the capital city of Sudan)
Even if I didn't know the word 'train' I think most reasonable users of English would still agree that I know what a train is.
People who use a browser to go on the web, even if they don't know the name for the category of application they are using is "browser" and all the technical functioning of the browser and how the internet works, can be said in normal English usage to know what a browser is - it is one of a class of applications that they use to go on the web.
They click on an icon, a window opens up they go on the internet. The "browser"
You'd think they would have to know what a browser is. Certainly some people within the courts and legislative bodies do. But, I challenge the "have to," because I want to give credence to my anecdotal theory that a ton of people have no idea, especially older people, and most politicians are super old. Why do they "have to?" Couldn't a lot of boneheaded decisions we've seen over the years be because they don't understand? They could maliciously be applying law per their lobbyist needs, which is probably a thing that happens, but they also could just be ignorant.
Remember "series of tubes?" What about David Cameron's push in 2014 to "protect kids from porn" that was really just a PRC style great firewall? Pretend it wasn't a malicious attempt at massive state surveillance - how does it stop kids from getting porn from Twitter, Youtube? Anybody with a glancing familiarity with the internet would know why stopping porn is essentially impossible without blocking literally EVERYTHING and creating a country intranet, combined with a massive, pervasive state surveillance operation with police that have broad powers. Impossible in a liberal democracy (the effective porn blocking, not the attempts to have pervasive state surveillance - the issues come when it's time to start arresting).
Some quotes from when Zuckerberg was in front of congress:
"If I’m emailing within WhatsApp … does that inform your advertisers?" Senator Brian Schatz
"What was Facemash?" Senator Billy Long
"How do you sustain a business model in which users don’t pay for your service?" Orrin Hatch (the "senator... we run ads" quote)
Why are so many politicians opposed to encryption? Because they're fascists that want better state surveillance? Maybe, but I think more likely is they hear that it makes it harder for the FBI to track down two murderers in San Bernadino and they think "Encryption? Affecting law enforcement? Do we need it? Just make it illegal."
Tangent: This makes me wonder about a broader topic I've been questioning: I think we assign too much competence and reasoning to eachother and to our leaders. Random examples: Musk put a big flashing X on the roof of the twitter offices, it's obviously against code, it's obviously horrible, but there are people arguing "Genius marketing move! No press is bad press!" Really? Or, when Bezos climbed into a rocket. "He wouldn't get into it if he wasn't sure it was mostly safe. You don't get to be a billionaire without knowing what you're doing." A couple years later and a submarine that the most layperson of laypeople would point out is a deathtrap proves that idea wrong.
This on top of the fact that sometimes it seems like entire financial markets depend on people making "rational" decisions. A housing crash because "the banks would never maintain these portfolios as AA if they weren't rock-solid!" A dot-com crash because "www is the future, it'll make money somehow!" It keeps happening. We keep giving ourselves way too much credit. I think climate change is going to be the greatest example of this, should we survive it. "We'll let it go far, but not past a certain point. Someone will stop this before it's actually irreversible. Or if necessary, at some point, the people will rise up and destroy oil pipelines." No, I don't think so, I think we'll keep thinking we're too smart to let something like that happen.
I don't think knowing what something is requires a deep understanding of the technical workings of that thing, in normal usage of English do you know something relates to do you have some familiarity with the existence of the thing.
IF someone said Bryan doesn't even know what a car is you would wonder "how could he not know what a car?" is as opposed to thinking yes well lots of people have a limited, superficial, or extremely incorrect understanding of the workings of the modern automobile.
I think your example is perfect, because you use a train to get to work.
My example is a bunch of old people that don't use trains and have never used trains, legislating things about trains. "What, you can't take it directly to your destination? That sounds pointless, why don't we just rip up the tracks to add more lanes for cars?"
They don't understand technology and they aren't even users of the technology they're legislating about.
If you think it unlikely that there's people that don't use browsers, come to my next family reunion or city council meeting.
>If you think it unlikely that there's people that don't use browsers, come to my next family reunion or city council meeting.
given the statistic cited earlier of over 5 billion people using the internet and there are 7.8 billion people in the world, 1.4 billion of them in China, which has slightly over 1 billion on the internet, 1.4 billion in India, which has evidently 759 million on the internet, etc. etc. I think it is most likely that we find the largest concentrations of people without internet in non-Western countries and in less developed regions.
>My example is a bunch of old people
There are nearly 270 thousand people age 75 and over in the world, that age being also over the age of retirement in many places. I doubt you are actually discussing people that are 75 and over.
How old are these "old" people that don't use browsers?
Consider that IE6 was released in 2001, 22 years ago. Someone 33 years old at that time would be 55 now. Probably a good age for a legislator.
I never said it was unlikely that people don't use browsers, but given the statistics outlined above it seems statistically unlikely that there would be a significant concentration of them in any group legislating the internet, although you seem invested in the idea that this is so.
Do I think it is possible that if I went to your family reunion would I meet someone who did not use browsers - sure - also if I went to your city council meeting. Assuming 12 people on the council a naive calculation of 5 billion internet users on the planet would lead me to saying maybe 5 don't, but given the other factors outlined here I would think it statistically strange if it were more than 2.
What percentage of people at your family reunion, and city council meeting, do you think do not use browsers and if it is anomalous in relation to the statistics outlined here - how do you account for this anomaly?
on edit: also I live in Denmark, every politician here knows how trains work and has probably spent a significant amount of their life commuting on trains.
on second edit: regarding your previous example of encryption; the difference between encryption and a browser is the difference between lithium-ion batteries and Electric cars. The first is a functionality of an application, the second is an application.
Pretty much everyone has an understanding of the application and what they do to make it work, hardly anyone has understanding of how the underlying technology works. It may be useful to have people who know how the underlying technology works to legislate on it, but not knowing how HTTPS works or how the browser interprets the file formats it receives back from a request is not the same as not knowing what a browser is and I originally responded to the suggestion that people did not know what a browser is.
Regarding old age - I can see that in the U.S the median age of U.S. senators is 65 and the median age of representatives in the House is 58, so in the case of those age 65 I would be willing to suppose there is a larger percentage of them who do not know what a browser is - so maybe 40% of those over 65 do not know, and with vanishingly smaller numbers as you get closer to 50.
There's 14 senators 50 and younger, I bet all of them know what a browser is.
I believe so. Big Tech has gained a lot of enemies in governments around the world, and it doesn’t require a lot of technical knowledge to understand that WEI is a way for Google to gain more control. Whether WEI is good or not, politicians on both sides in the US would be more than willing to oppose Google.
I don't have any desire to carry water for this horrible concept but "Google is too important" is awfully abstract to run a campaign on.
We're at the level where "does it break end-to-end encryption without anyone else being technically capable of reading it" is a serious debate.
Why does this technical proposal actually threaten them or their constituents in a concrete way? More importantly, does it threaten a politician's ability to fundraise or broadcast the message they like?
I think the idea is horrific on many ethical and technical grounds, but how can Google directly use it to ruin a [political] career? That feels like more what they will empathize with.
If I must vote with my participation then I choose to vote by using Brave as my browser. They’ll making choices I agree with more than any other browser currently.
Pissing in pants for warmth IMO. It is still Chromium. Feels like not voting in protest when a candidate you don't like looks to be winning big. The only difference it will make is how you feel, no real world implications.
Though, of course, as with DRM, if it becomes standard for let's say, all payment sites to require it enabled, your choice becomes "stop using the internet" or switch browsers
Which works until (1) your job depends on it, or (2) your bank/credit union depends on it.
I have to use Chromium for Slack Huddles for example, since evidently Slack Huddles "don't support" Firefox on Linux (it's WebRTC, wtf?). I don't really get an opt out of using Chromium for those couple occasions a week, because work. Now imagine that, but with GoogleDRM.
1 makes sense, no? assuming your job has certain security policies in place to ensure compliance with laws and regulations, requiring some level of attestation + MDM to ensure this compliance.
Well, I was thinking more of the "your work requires you to use some SaaS shit that transitively requires this attestation, whether it's legally required or not" angle. Like if, I don't know, let's say your time tracking software or something started depending on WEI.
That also applies to Javascript, or being forced to use some form of an up-to-date browser. What is different with WEI?
I didn't see many people debating the actual text of the WEI explainer[0] on the HN posts about WEI, and that's probably because they were links to articles about WEI. The HN post for the explainer with the most upvotes only has 89[1], likely because most of HN treats the upvote as "I agree/like this" instead of "boost this topic for discussion".
whenever something is devised [e.g.upvotes,javascript,thumbtacks] there are those who use it for the intended purpose, and those who find as many usefull purposes for it as possible.
All the previous restrictions have had some form of workaround, but without the keys, you're not going to get past remote attestation.
Governments are scared that people will use encryption against them.
Now we should be scared that companies are using encryption against us.
I'm not in favour of banning encryption either, but the situation is more subtle. Encryption is a weapon, and not surprisingly that's why it was classified as such and strongly controlled only a few decades ago, so I don't expect there to be an easy way to solve this ...just like the debate around 2nd Amendment.
There is a legislatively easy way to solve this. Make "people who have full control over all aspects of their devices" a protected class. Make it illegal to refuse service to those people.
Getting there is a whole different level of difficult, of course.
The explainer means jack shit. It is corporate marketing mumbling, intended for techy audiences.
It does not matter what the explainer says. We know what this system CAN be used for and pinky promises by a monopoly entity not to use WEI for nefarious purposes are an indication that WEI will be used for nefarious purposes.
Discussing the explainer can only lead to slippery slope examinations of how bad WEI actually is and how much integrity of WEI hangs on good will of Google. WEI is very bad, extremely bad when coupled with secureboot and similar hardware restrictions, Google has a solid track history to throw anyone and anything under the bus if it means profits. What reasonable discussion would you expect?
I wonder if payment sites and similar services want to exclude a large swathe of customers on older devices or risk excluding those that cannot be verified due to other technical limitations (e.g. device configurations WEI isn't optimised for).
A large number of banks already have jailbreak / root detection and will refuse to function if it detects such (usually there are bypass tools available).
We have a system like it on phones already. Circumventing it to use a bank app while having a rooted phone is a pain in the ass and oftentimes impossible. Almost all users would not know how to even do this if it was required to use your browser. That's close to being the same as no workaround.
Yes! There are so many use cases where a false alternate option is given as part of reasoning why the given solution is ok, often the only option is accept this or stop using it.
This is why users don’t complain about e.g. privacy tracking. It’s not that they like being tracked, it’s that you consent or don’t use the product.
Moral posturing sure is fun, but we'll see what happens once Chrome becomes the only browser that you can use to log in to your bank. Mozilla made lots of noise about EME, but eventually fell in line – and that was at a time when Firefox had a market share it can only dream about today.
The so-called "independent" browser makers will scream and shout with indignation, then try some legal and political action (which will fail), then try to find a compromise (which they won't get), then finally implement whatever Chrome implements, while explaining to their users that this was really always about choice and adding this feature gives the user that choice. And then they will move on to their next battle, which they will lose just like they lost all the other battles they fought over the past 10 years or so.
It would be annoying to buy a separate device just to access my bank. Not annoying enough to change banks of course, but it could be the straw that broke the camel’s back if I was already inclined to switch.
> It would be annoying to buy a separate device just to access my bank. Not annoying enough to change banks of course
Why "of course"? That would very much be annoying enough for me to switch. I switched banks because they decided to randomly start requiring SafetyNet to pass.
I dunno. I just like my credit union I guess. All my auto payments are set up with them, I’ve overdraw a bunch of times and they haven’t charged me (I fix it soon afterwards, it is just a matter of account juggling), they do everything pretty quickly and have friendly customer service.
Actually come to think of it, it is not a very serious problem for me, I already have an iPhone which will presumably support whatever DRM scheme. So, I guess I already have the second locked down device anyway. Linux on the laptop/desktop for real internet, iPhone for the nanny-corp net I guess.
If banks require WEI, then maybe it's time to boycott the banks too. Brave should start redirecting people who go to bank websites to a crypto exchange instead. oh wait..
Weird. I'd find changing browsers a bigger pain than changing banks. I have like six accounts already, if one refuses to work with Brave, I'll just move the funds and cancel it...
Google isn't a "steward" of anything. They are an entity concerned with expanding their own power. And there is absolutely nothing that you, or I, or any other browser maker, can do about it.
But at the very least, we can be honest. If Mozilla published a blog post today that said something like "While we are ideologically opposed to WebEnvironmentIntegrity, we will almost certainly be forced to implement it in Firefox eventually", my respect for them would rise tremendously.
Firefox has lost. There is no shame in admitting it. But there is shame in pretending it isn't so.
When you're a core member of the W3C, and you use that position to push browser features that help your browser and remove features that hurt your ad/surveillance-based business model, you are a steward, and a bad faith one at that.
Your own phrasing indicates that there is a battle to be lost or won, and Google has indeed won. Which is pretty clearly a bad thing for the Internet as a whole, and quite good for a single company and their shareholders.
What do you get out of making these kinds of posts on HN?
Like, do you think it's productive to set some bait out so you can argue about something abstract or subjective like whether or people respect people who fight unwinnable battles?
I write what I consider to be the truth, because I believe the truth to be important, including when it is demotivating, and even when it is destructive.
What do you suggest people do, exactly, if they want to change the situation? Is it your position that such a thing is impossible, and we should all give up and move on? How do you think any major change was achieved, not only in the tech world but basically anywhere?
If you think you're going to lose and give up, you'll certainly lose.
If you keep fighting, you might get a chance to win.
which they will lose just like they lost all the other battles they fought over the past 10 years or so.
The public managed to convince Intel to disable the serial number feature of their processors 23 years ago. It's possible --- there just needs to be enough opposition.
Stop with the defeatism and start by exercising your right to free speech upon everyone who supports WEI and the authoritarian dystopia.
> The public managed to convince Intel to disable the serial number feature of their processors 23 years ago.
At a time when technology companies were just companies – not the system that effectively runs much of the world.
Mozilla also pushed Microsoft out of a core market once. That would never happen today, regardless of how good Firefox becomes.
Today's technology industry is nothing like it was in the 90s. "The public" has as much chance of stopping WEI as it has of getting the United States Military to disarm.
> Today's technology industry is nothing like it was in the 90s
Mozilla did not dethrone IE in the 90s. And I disagree with your statement that end users (“the public”) can’t stop a browser feature. MV3 was scaled back because of this.
As I said in another comment before, you could have said the same thing about Apple's restrictions on iOS app distribution, and yet that's about to change due to legislation from the EU.
What leads you to think that a similar thing won't happen here, if the problem is serious enough?
In my opinion this is different. As I see it, in your example, this would be suing an app maker for the closed down app store.
In OPs example Google is providing a feature, that you can use or not freely, then the bank dicided to use it. The problem is of course Google providing it but it is the bank that close down their site for non-chrome users, not Google.
Legislatively speaking at least, it has a simple solution. Make it illegal for entities above a certain size to refuse service to users based on the status/control of the devices used to access them.
OK, we'll have twenty browsers, all different skins on Chromium and all controlled by Google, and see if the EU legislators can understand the concept, and, if they can, whether the banks will allow them to continue to understand said concept.
If the reason "only chrome" works is that the others refuse to ship signed binaries, I think google is going to be in court with a reasonable case. They make the signing barrier low. It's as low as store entry. The refusal to sign code isn't an "only google can do it" thing its "only signed browsers can do it, but there can be many signed browsers"
of course the case is more complex: the reasons they won't sign will be material.
Yes, but each and every website needs to explicitly allow each and every browser key. Which increases barriers to entry for new browser vendors and makes Open Source / Free Software browsers nigh impossible.
The EU isn’t stupid and is kinda fond of Open Source / Free Software (because it serves as a way to make the EU economy and society less dependent on foreign tech giants).
> Yes, but each and every website needs to explicitly allow each and every browser key
You mean like how browsers need to explicitly allow each and every root CA key? If that's the basis on which a legal case is built then it'd fail even in the ECJ, because all that's required is set up an equivalent of the root store programmes and it's solved.
The way this would actually work is something like: websites just "apt-get install browser-keys", add a bit of JS to their HTML and now their nginx or apache or AWS LB just adds an extra header to proxied HTTP requests saying "X-User-Agent-Accuracy: HIGH" and "X-Extensions-Signing-Keys: <...>". Then every so often you do an apt-get update and the latest round of browser/extension signing keys get added.
So there's no reason why obscure browsers can't take part in this scheme, just like how obscure CAs can take part in the web PKI.
Nor does it make open source browsers impossible. Just like how there are open source CA software stacks, so too can you compile your own browser, publish the code, sign binaries of it and get those signing keys into whatever equivalent of the root store programme would appear. Availability of source code is irrelevant. Establishing trust in your operation is the hard part but you have to do that anyway if you want to get users, just like how you can set up your own CA using a simple GUI on macOS but getting people to actually trust it is a different kettle of fish.
Not that there's much chance of any of this actually happening outside of mobile anyway. It's all quite theoretical on desktop. Windows is too far behind on remote attestation tech and the general OS security stance for it to happen anytime soon, especially with so many users not upgrading to Windows 11.
But if people want to argue against remote attestation, you'll have to learn how it actually works. Otherwise you're just going to make bad arguments and your opponents will beat you.
> The way this would actually work is something like: websites just "apt-get install browser-keys" (…) Then every so often you do an apt-get update and the latest round of browser/extension signing keys get added.
Do you remember when MSIE was the dominant browser and websites started to sniff User-Agent headers to dissuade or sometimes even block visitors using other browsers? Because I do. This will be even worse.
Sure. And impose a fine of 3-5 billion Euros. Which Google will fight in the courts for a few years, then eventually pay. Without actually changing their practices. For which they will again be fined a few years later.
I wouldn't be surprised if the people who are ultimately behind WEI are already anticipating those fines, and have concluded that they will be well worth the gain in control that this feature gives to Google.
I don’t expect the EU to allow Google to treat fines as just a part of doing business.
If a fine doesn’t lead in a change of behaviour, more rigorous measures will probably be implemented. EU lawmakers are itching for a reason to split up big tech giants; Google may very well give them one. And representing a sizable part of the global economy, the EU is something you ignore at your peril.
And Google will pay some small percentage of their billions of profit after many years of legal proceedings.
Google is being sued in various EU countries and by commission more or less continuously. It hasn't hindered them from becoming a 99% monopoly for Android phone apps.
(Yes, the case is slightly different because there is still Apple. But as a consumer I can not say today I use Google and tomorrow I prefer to install an app from Apple, so once you made a decision you lost any market competition for years ahead.)
I mean, you have to actually be anticompetitive for them to sue. Its not an antipopularity contest. I doubt implementing an open standard (no matter how much i dont like it) meets the mark for anticompetitive behaviour.
It’s anticompetitive for the very reason places like HN have been up in arms about it (and rightly so IMO): it serves to limit which browser software a user may use to access a site. The fact that it’s an open standard is immaterial.
If it serves to limit the browser software to chrome, than sure. But if its an open ecosystem than i think anticompetitiveness is a hard argument to make.
Making a popular product with choices that we don't like is not anti-competitive.
> just like they lost all the other battles they fought over the past 10 years or so.
History repeats itself. I'm old enough to remember the IE lawsuit in 2001.
Now I'm reading articles about how Microsoft is abusing its desktop position to push Edge, and Chrome is abusing its stance as the dominant browser to push this nonsense.
Give it 10 more years, it will die down. Then 10 years after that we'll be discussing the same thing again.
Google begged me at least 3 times today to use chrome, with things like "For a faster google experience, try Chrome" or "Google drive is better on Chrome". I'm a firefox user till the day it dies, or I die, which ever one comes first.
Memories are short. Everyone who got on the early web knew the problems that would come with one browser dominating the market. We had that with IE and it took a lot of work and trouble to dismantle that. It was quite obvious from day 1 that Chrome was going to do, or atleast try to do, the same thing. Yet, people fell in line. That's the problem and I'm not sure resistance or anything else is going to solve that.
As a side note, as of today Firefox has something like 2.79% of the browser market, coming in fifth, behind Opera, Edge, Safari and (of course) Chrome. Firefox only comes slightly ahead of Samsung Internet which I have only just heard of today. It's really sad to see how far Firefox has fallen.
One reason may be that they alienate users by copying the look, bad habits and feel of Chrome. They also engage in dark pattern UI behavior that pisses me off each time I get it in my face.
Dear Firefox: If I wanted Chrome, I would use Chrome. Please be an alternative to Chrome.
3 of those are preinstalled on devices by their corporate owners (Safari is literally imposed on all iOS users). Opera today is really a VPN/proxy/bandwidth optimiser for bandwidth-poor Asian markets, and iirc is government-mandated in some cases.
Firefox can do better for sure, but its competitors basically cheat.
For me, the bank website is where I pay the bills, review my cash flow, and manage investments / savings. Even if others could be replaced, I can't imagine going to a physical branch just to pay for my internet connection.
It helps that I live in Japan, so a non-online payment isn't too difficult to setup. I use one time use cashcards for the majority of online transactions.
If my bank prevents me from logging in with a reasonable browser (as opposed to a privacy nightmare designed to facilitate advertisers) - I will do my bank business in person, the bank.
That's what happens when you stand for nothing, you'll fall for anything. Half the population doesn't have a backbone these days, all they care about is being inconvenienced.
Out of curiosity, is there anything stopping websites from detecting if a browser has WEI and then simply not serving the website?
It would be amusing to see browsers get pressured to not implement certain features for them to access the web, rather than the other way around. And it would be ironic for it to be a DRM feature.
Is there any reason at all that websites can't do this?
> Out of curiosity, is there anything stopping websites from detecting if a browser has WEI and then simply not serving the website?
Of course, just check for the existence of the attestation API described by the spec.
> Is there any reason at all that websites can't do this?
Because it would be an extremely dumb move regarding reach. Banning WEI-enabled user agents means you're banning over 80% of your traffic. This might be okay for a small blog or if the website owner is big into activism, but if you have a commercial interest you absolutely can't do this. Plus, blocking WEI-enabled user agents only hurts the user in the end; Google won't walk back on such an aggressively-pushed feature simply because some site refuses to serve Chrome users.
> Because it would be an extremely dumb move regarding reach.
Unless you are a de facto monopoly. Google can mandate WEI because they are a monopoly, other monopolies can do the opposite.
Sadly, it is hard to imagine a monopolic website that both is used day to day and does not meaningfully benefit from WEI. Banks, utilities, etc. are used too rarely to matter.
I expect, if given the chance, large banks will adopt WEI just like they adopted integrity APIs on iOS and Android. And they'll put up a prompt telling you to use "a secure browser".
You are most likely right on the expected outcome, I would bet money on that outcome too. However, I do not think banks get any tangible benefit from WEI, since banks have strong form of mandatory 2FA on every destructive step anyway.
Websites can do whatever they want if there's logic added to do it. I remember a few annoying personal homepages that would refuse to load using a particular browser. If you want to ban all Firefox users on Linux, you could add a middleware to your tech stack that checks for User-Agent. This is how many mobile redirection sites work.
So then, by extension, if a particular company wants to mandate WEI, then that's their prerogative but I won't be a customer of theirs for long.
For US government websites, there could be a legal argument that it unjustly limits access to government services. Would be interesting to see how that plays out in court.
I think it's the smart plan on this one, because a lot of more or less essential services like Bing, Google, banks and streaming services are likely to adopt it. And together those can easily force something through, especially since it doesn't per se bother legitimate users.
So I'm guessing you're using no sites hosted on Cloudflare or Fastly? They already use exactly this kind of remote attestation technology for traffic from Safari.
124 comments
[ 3.5 ms ] story [ 140 ms ] threadAs there are many regulations and court cases in the EU and the US (and I presume in other places as well) aimed at some of the richest companies in the world that have to do with browsers behavior it seems that they would have to know what a browser is.
Even if I didn't know the word 'train' I think most reasonable users of English would still agree that I know what a train is.
People who use a browser to go on the web, even if they don't know the name for the category of application they are using is "browser" and all the technical functioning of the browser and how the internet works, can be said in normal English usage to know what a browser is - it is one of a class of applications that they use to go on the web.
They click on an icon, a window opens up they go on the internet. The "browser"
You'd think they would have to know what a browser is. Certainly some people within the courts and legislative bodies do. But, I challenge the "have to," because I want to give credence to my anecdotal theory that a ton of people have no idea, especially older people, and most politicians are super old. Why do they "have to?" Couldn't a lot of boneheaded decisions we've seen over the years be because they don't understand? They could maliciously be applying law per their lobbyist needs, which is probably a thing that happens, but they also could just be ignorant.
Remember "series of tubes?" What about David Cameron's push in 2014 to "protect kids from porn" that was really just a PRC style great firewall? Pretend it wasn't a malicious attempt at massive state surveillance - how does it stop kids from getting porn from Twitter, Youtube? Anybody with a glancing familiarity with the internet would know why stopping porn is essentially impossible without blocking literally EVERYTHING and creating a country intranet, combined with a massive, pervasive state surveillance operation with police that have broad powers. Impossible in a liberal democracy (the effective porn blocking, not the attempts to have pervasive state surveillance - the issues come when it's time to start arresting).
Some quotes from when Zuckerberg was in front of congress:
"If I’m emailing within WhatsApp … does that inform your advertisers?" Senator Brian Schatz
"What was Facemash?" Senator Billy Long
"How do you sustain a business model in which users don’t pay for your service?" Orrin Hatch (the "senator... we run ads" quote)
Why are so many politicians opposed to encryption? Because they're fascists that want better state surveillance? Maybe, but I think more likely is they hear that it makes it harder for the FBI to track down two murderers in San Bernadino and they think "Encryption? Affecting law enforcement? Do we need it? Just make it illegal."
Tangent: This makes me wonder about a broader topic I've been questioning: I think we assign too much competence and reasoning to eachother and to our leaders. Random examples: Musk put a big flashing X on the roof of the twitter offices, it's obviously against code, it's obviously horrible, but there are people arguing "Genius marketing move! No press is bad press!" Really? Or, when Bezos climbed into a rocket. "He wouldn't get into it if he wasn't sure it was mostly safe. You don't get to be a billionaire without knowing what you're doing." A couple years later and a submarine that the most layperson of laypeople would point out is a deathtrap proves that idea wrong.
This on top of the fact that sometimes it seems like entire financial markets depend on people making "rational" decisions. A housing crash because "the banks would never maintain these portfolios as AA if they weren't rock-solid!" A dot-com crash because "www is the future, it'll make money somehow!" It keeps happening. We keep giving ourselves way too much credit. I think climate change is going to be the greatest example of this, should we survive it. "We'll let it go far, but not past a certain point. Someone will stop this before it's actually irreversible. Or if necessary, at some point, the people will rise up and destroy oil pipelines." No, I don't think so, I think we'll keep thinking we're too smart to let something like that happen.
I don't think knowing what something is requires a deep understanding of the technical workings of that thing, in normal usage of English do you know something relates to do you have some familiarity with the existence of the thing.
IF someone said Bryan doesn't even know what a car is you would wonder "how could he not know what a car?" is as opposed to thinking yes well lots of people have a limited, superficial, or extremely incorrect understanding of the workings of the modern automobile.
My example is a bunch of old people that don't use trains and have never used trains, legislating things about trains. "What, you can't take it directly to your destination? That sounds pointless, why don't we just rip up the tracks to add more lanes for cars?"
They don't understand technology and they aren't even users of the technology they're legislating about.
If you think it unlikely that there's people that don't use browsers, come to my next family reunion or city council meeting.
given the statistic cited earlier of over 5 billion people using the internet and there are 7.8 billion people in the world, 1.4 billion of them in China, which has slightly over 1 billion on the internet, 1.4 billion in India, which has evidently 759 million on the internet, etc. etc. I think it is most likely that we find the largest concentrations of people without internet in non-Western countries and in less developed regions.
>My example is a bunch of old people
There are nearly 270 thousand people age 75 and over in the world, that age being also over the age of retirement in many places. I doubt you are actually discussing people that are 75 and over.
How old are these "old" people that don't use browsers?
Consider that IE6 was released in 2001, 22 years ago. Someone 33 years old at that time would be 55 now. Probably a good age for a legislator.
I never said it was unlikely that people don't use browsers, but given the statistics outlined above it seems statistically unlikely that there would be a significant concentration of them in any group legislating the internet, although you seem invested in the idea that this is so.
Do I think it is possible that if I went to your family reunion would I meet someone who did not use browsers - sure - also if I went to your city council meeting. Assuming 12 people on the council a naive calculation of 5 billion internet users on the planet would lead me to saying maybe 5 don't, but given the other factors outlined here I would think it statistically strange if it were more than 2.
What percentage of people at your family reunion, and city council meeting, do you think do not use browsers and if it is anomalous in relation to the statistics outlined here - how do you account for this anomaly?
on edit: also I live in Denmark, every politician here knows how trains work and has probably spent a significant amount of their life commuting on trains.
on second edit: regarding your previous example of encryption; the difference between encryption and a browser is the difference between lithium-ion batteries and Electric cars. The first is a functionality of an application, the second is an application.
Pretty much everyone has an understanding of the application and what they do to make it work, hardly anyone has understanding of how the underlying technology works. It may be useful to have people who know how the underlying technology works to legislate on it, but not knowing how HTTPS works or how the browser interprets the file formats it receives back from a request is not the same as not knowing what a browser is and I originally responded to the suggestion that people did not know what a browser is.
Regarding old age - I can see that in the U.S the median age of U.S. senators is 65 and the median age of representatives in the House is 58, so in the case of those age 65 I would be willing to suppose there is a larger percentage of them who do not know what a browser is - so maybe 40% of those over 65 do not know, and with vanishingly smaller numbers as you get closer to 50.
There's 14 senators 50 and younger, I bet all of them know what a browser is.
We're at the level where "does it break end-to-end encryption without anyone else being technically capable of reading it" is a serious debate.
Why does this technical proposal actually threaten them or their constituents in a concrete way? More importantly, does it threaten a politician's ability to fundraise or broadcast the message they like?
I think the idea is horrific on many ethical and technical grounds, but how can Google directly use it to ruin a [political] career? That feels like more what they will empathize with.
You're living in a fantasy land where the US government actually regulates industry in any sort of pro-consumer non-regulatory-capture way.
If this happens it'll be the EU that does it.
Just like Chrome was webkit as long as it needed to.
I have zero doubt that when things get rough, they'll either hard fork it or work with a different engine.
I have to use Chromium for Slack Huddles for example, since evidently Slack Huddles "don't support" Firefox on Linux (it's WebRTC, wtf?). I don't really get an opt out of using Chromium for those couple occasions a week, because work. Now imagine that, but with GoogleDRM.
Make them print everything out, for the rest of time.
I didn't see many people debating the actual text of the WEI explainer[0] on the HN posts about WEI, and that's probably because they were links to articles about WEI. The HN post for the explainer with the most upvotes only has 89[1], likely because most of HN treats the upvote as "I agree/like this" instead of "boost this topic for discussion".
0: https://github.com/RupertBenWiser/Web-Environment-Integrity/...
1: https://news.ycombinator.com/item?id=36785516
All the previous restrictions have had some form of workaround, but without the keys, you're not going to get past remote attestation.
Governments are scared that people will use encryption against them.
Now we should be scared that companies are using encryption against us.
I'm not in favour of banning encryption either, but the situation is more subtle. Encryption is a weapon, and not surprisingly that's why it was classified as such and strongly controlled only a few decades ago, so I don't expect there to be an easy way to solve this ...just like the debate around 2nd Amendment.
Getting there is a whole different level of difficult, of course.
What's stopping other browsers from piggybacking off of Chrome's keys?
It does not matter what the explainer says. We know what this system CAN be used for and pinky promises by a monopoly entity not to use WEI for nefarious purposes are an indication that WEI will be used for nefarious purposes.
Discussing the explainer can only lead to slippery slope examinations of how bad WEI actually is and how much integrity of WEI hangs on good will of Google. WEI is very bad, extremely bad when coupled with secureboot and similar hardware restrictions, Google has a solid track history to throw anyone and anything under the bus if it means profits. What reasonable discussion would you expect?
This is why users don’t complain about e.g. privacy tracking. It’s not that they like being tracked, it’s that you consent or don’t use the product.
The so-called "independent" browser makers will scream and shout with indignation, then try some legal and political action (which will fail), then try to find a compromise (which they won't get), then finally implement whatever Chrome implements, while explaining to their users that this was really always about choice and adding this feature gives the user that choice. And then they will move on to their next battle, which they will lose just like they lost all the other battles they fought over the past 10 years or so.
Why "of course"? That would very much be annoying enough for me to switch. I switched banks because they decided to randomly start requiring SafetyNet to pass.
Actually come to think of it, it is not a very serious problem for me, I already have an iPhone which will presumably support whatever DRM scheme. So, I guess I already have the second locked down device anyway. Linux on the laptop/desktop for real internet, iPhone for the nanny-corp net I guess.
Do you feel that Google is being a good steward of the internet with their dominant position?
But at the very least, we can be honest. If Mozilla published a blog post today that said something like "While we are ideologically opposed to WebEnvironmentIntegrity, we will almost certainly be forced to implement it in Firefox eventually", my respect for them would rise tremendously.
Firefox has lost. There is no shame in admitting it. But there is shame in pretending it isn't so.
Your own phrasing indicates that there is a battle to be lost or won, and Google has indeed won. Which is pretty clearly a bad thing for the Internet as a whole, and quite good for a single company and their shareholders.
Nobody respects, or even remembers, those who fought "to the bitter end" but lost anyway.
Like, do you think it's productive to set some bait out so you can argue about something abstract or subjective like whether or people respect people who fight unwinnable battles?
What does it get you in the end?
Have you ever considered learning more effective communication techniques?
Thousands of other glorious defeats are immortalized throughout history in poetry and song.
I say give people the right to try.
If you keep fighting, you might get a chance to win.
which they will lose just like they lost all the other battles they fought over the past 10 years or so.
The public managed to convince Intel to disable the serial number feature of their processors 23 years ago. It's possible --- there just needs to be enough opposition.
Stop with the defeatism and start by exercising your right to free speech upon everyone who supports WEI and the authoritarian dystopia.
At a time when technology companies were just companies – not the system that effectively runs much of the world.
Mozilla also pushed Microsoft out of a core market once. That would never happen today, regardless of how good Firefox becomes.
Today's technology industry is nothing like it was in the 90s. "The public" has as much chance of stopping WEI as it has of getting the United States Military to disarm.
Didn't chrome effectively do that in the present? Edge is barely an independent browser
Mozilla did not dethrone IE in the 90s. And I disagree with your statement that end users (“the public”) can’t stop a browser feature. MV3 was scaled back because of this.
What leads you to think that a similar thing won't happen here, if the problem is serious enough?
In OPs example Google is providing a feature, that you can use or not freely, then the bank dicided to use it. The problem is of course Google providing it but it is the bank that close down their site for non-chrome users, not Google.
I guess the EU will sue Google for anti-competitive behaviour.
of course the case is more complex: the reasons they won't sign will be material.
The EU isn’t stupid and is kinda fond of Open Source / Free Software (because it serves as a way to make the EU economy and society less dependent on foreign tech giants).
Don’t worry, Brussels will save ya. :)
You mean like how browsers need to explicitly allow each and every root CA key? If that's the basis on which a legal case is built then it'd fail even in the ECJ, because all that's required is set up an equivalent of the root store programmes and it's solved.
The way this would actually work is something like: websites just "apt-get install browser-keys", add a bit of JS to their HTML and now their nginx or apache or AWS LB just adds an extra header to proxied HTTP requests saying "X-User-Agent-Accuracy: HIGH" and "X-Extensions-Signing-Keys: <...>". Then every so often you do an apt-get update and the latest round of browser/extension signing keys get added.
So there's no reason why obscure browsers can't take part in this scheme, just like how obscure CAs can take part in the web PKI.
Nor does it make open source browsers impossible. Just like how there are open source CA software stacks, so too can you compile your own browser, publish the code, sign binaries of it and get those signing keys into whatever equivalent of the root store programme would appear. Availability of source code is irrelevant. Establishing trust in your operation is the hard part but you have to do that anyway if you want to get users, just like how you can set up your own CA using a simple GUI on macOS but getting people to actually trust it is a different kettle of fish.
Not that there's much chance of any of this actually happening outside of mobile anyway. It's all quite theoretical on desktop. Windows is too far behind on remote attestation tech and the general OS security stance for it to happen anytime soon, especially with so many users not upgrading to Windows 11.
But if people want to argue against remote attestation, you'll have to learn how it actually works. Otherwise you're just going to make bad arguments and your opponents will beat you.
Do you remember when MSIE was the dominant browser and websites started to sniff User-Agent headers to dissuade or sometimes even block visitors using other browsers? Because I do. This will be even worse.
I wouldn't be surprised if the people who are ultimately behind WEI are already anticipating those fines, and have concluded that they will be well worth the gain in control that this feature gives to Google.
If a fine doesn’t lead in a change of behaviour, more rigorous measures will probably be implemented. EU lawmakers are itching for a reason to split up big tech giants; Google may very well give them one. And representing a sizable part of the global economy, the EU is something you ignore at your peril.
Why would you not expect that? That's exactly how EU fines have worked for the past 10 years.
Google is being sued in various EU countries and by commission more or less continuously. It hasn't hindered them from becoming a 99% monopoly for Android phone apps.
(Yes, the case is slightly different because there is still Apple. But as a consumer I can not say today I use Google and tomorrow I prefer to install an app from Apple, so once you made a decision you lost any market competition for years ahead.)
Making a popular product with choices that we don't like is not anti-competitive.
History repeats itself. I'm old enough to remember the IE lawsuit in 2001.
Now I'm reading articles about how Microsoft is abusing its desktop position to push Edge, and Chrome is abusing its stance as the dominant browser to push this nonsense.
Give it 10 more years, it will die down. Then 10 years after that we'll be discussing the same thing again.
The stats: https://gs.statcounter.com/browser-market-share
Dear Firefox: If I wanted Chrome, I would use Chrome. Please be an alternative to Chrome.
Firefox can do better for sure, but its competitors basically cheat.
I don't trust the bank's website, so I always just go to the local branch. (Not that I need to do that much at all outside of withdrawing cash.)
For me, the bank website is where I pay the bills, review my cash flow, and manage investments / savings. Even if others could be replaced, I can't imagine going to a physical branch just to pay for my internet connection.
If my bank prevents me from logging in with a reasonable browser (as opposed to a privacy nightmare designed to facilitate advertisers) - I will do my bank business in person, the bank.
ActiveX was a thing and some institutions required Internet Explorer in order to log in/provide documents. It was THE most popular browser back then.
I’m curious about Apple’s stance on this. If Safari decides to not have WEI it might get very interesting.
It would be amusing to see browsers get pressured to not implement certain features for them to access the web, rather than the other way around. And it would be ironic for it to be a DRM feature.
Is there any reason at all that websites can't do this?
Of course, just check for the existence of the attestation API described by the spec.
> Is there any reason at all that websites can't do this?
Because it would be an extremely dumb move regarding reach. Banning WEI-enabled user agents means you're banning over 80% of your traffic. This might be okay for a small blog or if the website owner is big into activism, but if you have a commercial interest you absolutely can't do this. Plus, blocking WEI-enabled user agents only hurts the user in the end; Google won't walk back on such an aggressively-pushed feature simply because some site refuses to serve Chrome users.
Unless you are a de facto monopoly. Google can mandate WEI because they are a monopoly, other monopolies can do the opposite.
Sadly, it is hard to imagine a monopolic website that both is used day to day and does not meaningfully benefit from WEI. Banks, utilities, etc. are used too rarely to matter.
So then, by extension, if a particular company wants to mandate WEI, then that's their prerogative but I won't be a customer of theirs for long.
Being near "full Stallman" I use one of the few FSF approved Linux Distros (Trisquel), there is no way this will ever be implemented in that system.