426 comments

[ 2.6 ms ] story [ 298 ms ] thread
Google used to be cool and now it’s not. Wonder which companies of today will end up completing the cycle tomorrow?
> You either die a hero or you live long enough to see yourself become the villain
Google was made possible by a platform shift: From desktop apps to websites.

First they positioned themselves very early in the web user experience: After the user turned on their Dell computer, booted Windows and started Internet Explorer, the next step was to use Google.

Then they moved one step closer to the user by building their own browser: Chrome

Then they moved even closer to the user by building their own OS: Android

Then they moved even closer to the user by building their own computer: The Pixel Phone

The question is what the next platform shift could be. And if the big players will miss it so that a new player can emerge. And if there will be a new player which is as smart and driven as the Google founders.

Ad Chromebooks too.
Frankly, I think it’s less “moving closer to the user” and more just securing control over the path users use to get to their service.

Chrome was made to prevent whoever controls the browser from blocking users’ access to Google.

Android was created because they were afraid Apple would block them on mobile.

All tech companies do this kind of positioning.

Apple made Apple Maps to make sure Google Maps isn’t the only choice on iOS fearing Google could withdraw Google Maps and hurt the utility of iOS devices - at least in the short term.

It’s why Apple made Safari and enforces it as the only browser on iOS.

Apple learnt relatively early the dangers of being dependent on another company, https://www.folklore.org/StoryView.py?story=MacBasic.txt

The next platform shift are obviously DRM locked closed app platforms like TikTok, ChatGPT, Meta ecosystem and Apple apps. No APIs, no freedom.

Everyone is very actively working on making the browser dead and serving you content exclusively via corporate controled apps on locked platforms.

You can kill off Chrome, but the result isn't going to be a renessaince of Firefox, but a move into your content being only available on locked iPhone.

> Everyone is very actively working on making the browser dead and serving you content exclusively via corporate controled apps on locked platforms.

Aka cable box.

Google was made possible by US antitrust turning a blind eye towards Google's acquisition of DoubleClick and YouTube. Considering Alphabet is dominating both search and ads and also offers services via searches, the EU commission already hinted at a breakup as a viable measure to lead the web out of its misery.

[1]: https://ec.europa.eu/commission/presscorner/detail/en/ip_23_...

Google's market cap was already at over $100B with billions in revenue and hundreds of millions in profits when it bought DoubleClick and YouTube.

So while those were big aquisitions (Around $3B and $2B) they only accelerated the process of Google turning into the web's central player. It was already set in motion before the aquisitions.

The large market cap is exactly why they shouldn't have been allowed to acquire either. (Same goes for Facebook with Instagram, Whatapp).
Remember when they use to say “Don’t be evil”?
crazy that they just unashamedly removed it.
I doubt their motivation was "now we want to be evil". Probably more like "evil isn't actually well defined and people keep pointing to this and having dumb arguments about it".
Thankfully, there is an apt definition for evil nowadays: Google.
That doesn't sound like a typical corporate thought process. There is plenty of cognitive dissonance around logos and mottos and whatnot by corporations, and unless it affects the bottom line, they won't do anything about it.
Hint: If there are "dumb discussions" about whether what you are doing is evil, it probably is.
Do you really think the world is neatly divided into good and evil?
While it can easily be criticised in encouraging black and white patterns, people that have an intellectual problem with the definitions are mostly smartasses and very often actually do "evil" shit, as defined as self-serving to the disadvantages of all others.
Are there any cool companies left? I think consumers and employees have become more cynical.

    - OpenAI is already 'evil'.
    - Apple has staying power but I still wouldn't consider it cool anymore.
    - Likewise Tesla.
What did OpenAI do? I know they refused to share their proprietary model even though they're called "Open", is this what you're referring to?
As I understand it, Google wants to add some signal to http requests which tell the server that the user is using a system made from some specific software. For example an unaltered stock Android phone.

What would be the one-sentence technical explanation of how Google wants to achieve this?

Every request first goes through "trusted attesters" (read: Google and pretty much Google alone) along with some information about your device (hardware information, browser data, executable hash, etc) for them to sign it and decide whether or not you're legit. See the Play Integrity API on Android for similar implementations.
So there's some hardware level support for this? Could you man-in-the-middle the connection and alter the message to say whatever needs to be said to convince the other computer that my computer is working the way it expects?
Not without a machine key signed by a trusted (by google) manufacturer - which is held in the secure enclave, so you can’t just read it from your machine.
If they intend to copy the Play Integrity API, it indeed has different levels of attestation, going from software "should be alright" to hardware "actively signed in a secure enclave that the user will never have access to".

>Could you man-in-the-middle the connection and alter the message to say whatever needs to be said to convince the other computer that my computer is working the way it expects?

If you're willing to break modern cryptography for that to happen, sure. Also, requests include a hash and a timestamp to prevent replay attacks and delayed attacks too. So you better crack that cryptography _fast_

Most chips have a TPM which holds a key. You can’t access the key without expensive and specialised equipment. The key is signed by the manufacturer’s key (google, in this case).

The TPM has an API that returns a signature of the running OS code. If you tamper with the OS, you get a signature mismatch.

> What would be the one-sentence technical explanation of how Google wants to achieve this?

Denuvo for browsers. Rootkit disguised as a browser from your favorite Ads service provider.

(comment deleted)
Google have long been a trojan horse for corporate and governmental interests. This was clear with the approach they took with rss - make a fantastic product to draw in lots of users, then kill it as rss disintermediated the web, with little scope for google to direct you to where they want you to go.

I suppose they told us what they are when they scrapped their "don't be evil" motto.

The article applies this terrific Doctrow quote about Secure Computing to WEI:

  > Should your computer be able to be compelled to tell the truth, even when you would prefer that it lie on your behalf? Should there be a facility in your computer that you can’t control that other people can remotely trigger?
It is an apt application of the quote, and a fundamental question that is likely based on culture and each persons or organizations past experience with abusive overlords. I personally opposed it.
Doctorow demonstrably knows more about this, and has thought about this, than me, but to me the answer seems somewhat straightforward:

> Should your computer be able to be compelled to tell the truth

In the context of the soldered chip that "can't be removed" that can report the "truth" of the kernel etc, the answer to me is a simple, "it's impossible to know if the computer is telling the truth or not." Go to defcon once and you'll know this as true as well. No matter what, there's always a way in. There's always a hack. The harder you make it to hack, the more motivated those crazy people at defcon will be to break it.

> Should there be a facility in your computer that you can’t control that other people can remotely trigger?

"Other people" will never be "just the people you want." It will always include criminals, stalkers, and authoritarian governments. So the answer is a simple, "no."

> No matter what, there's always a way in. There's always a hack. The harder you make it to hack, the more motivated those crazy people at defcon will be to break it.

Absolutely, but I don't want to have to use 0days like a criminal or to open up a TPM chip in an $1M electron microscope just to have my PC render webpages the way I want it to (without ads that is).

I think the importance of the quote is not in the answer, it's about how to frame the problem.
A bit similar dilemma with self-driving cars that they don't necessarily serve their owners but rather "what is right" (aka the truth); in case of unavoidable collision, should they save the interests of the current owners, or the interests of the manufacturer, or the interests of everybody on average, etc.
Trying to avoid collisions even if theyseem unavoidable seems like it would lead to more robust software then solving trolley problems and driving over lower value people on purpose.
I lived in china and put effort into de-googling my phone. Now I’m back in the open world and seems need do all over again.

Must be a biz opp to run a proxy that strips everything google from pages and web communications. I would pay a few $/month to not be farmed without consent.

No need to proxy, you can just use https://brave.com/. Add a pihole to strip it from other devices and non-browser web traffic.
Using a browser powered by Google’s technology stack is hardly deGoogling.
I don't really know much about how Brave is made, but you make it sound like they're using proprietary Google libraries, whereas I was under the impression that it was built from open-source software. If I'm right, the fact that this software originally came from Google is immaterial. If it's open source, Brave have full control over what it does and Google has zero.
Brave uses Chromium: an open source project controlled by Google. They can submit patches back to Google, but if Google don’t want to take them they don’t have to integrate them. So that leaves Brave with three options: they can take Google’s Chromium as is and focus on the browser interface potentially flipping a few config switches, they can maintain their own set of patches and update over time, or they can fork and go it alone. So far they’re hovering between options one and two. The closer they get to three the less influence Google has but the more it costs Brave. At the moment they’re not being particularly courageous with reducing their Google alignment.
Still better then running straight Google Chrome.

Yes there is Firefox

But Brave still faster + own search engine

That would be the same Brave that was replacing ads on sites with their own ones?
Nope, that never happened. You must be thinking of a different Brave browser.
Options are Linux, and half broken "phone"

or Apple, the hardware is their profit center, as well as getting you to buy their software product, but your info isn't sold to 3rd parties (yet?)

or Google (circumvent some of it with firefox+adblock origin)

or just don't participate at all and get a flip burner.

> ~~adblock~~ origin

FTFY:

uBlock Origin

Why 'half broken "phone"'? I used GrapheneOS for a while now, it works pretty well imho, the only problem I encountered till now is with maps. Finding a good and no-play-services maps app is a major issue. I use OsmAnd and it's quite mediocre compared to Play Services based options. With that (important) exception, I love the de-googled experience. The funny part is that to be de-googled the best choice is buying... a Google Pixel phone.
The problem with degoogling your phone in the west is that you may hit something that requires a non-rooted, pristine manufacturer provided rom to work.

In my case, my bank won't allow me to do online payments unless I validate the payments through a smartphone app as the 2fa. They do not do texting/sms based 2fa anymore.

The app will refuse to launch on a rooted phone or a custom rom. To me, this means a degoogled phone is absolutely unusable. I can't do without being able to use my credit card online.

This is in fact the sort of thing that will happen soon to the web if browser attestation becomes a thing. I can already see it coming, my bank rejecting logins from browsers that are not untempered, Google-provided.

Authoritarianism is always creeping in. Its a force or evil that just never stops.
Stipulate that Google itself has noble intent at the moment.

There is zero control over the future.

That is, we don't have to ascribe malice to Google while running away from this potentially evil mechanism.

In 2012, I interviewed at Google Ireland for an SRE position. I ended up not taking the job due to family issues, but I somewhat regretted having missed the opportunity to tackle Google-sized problems and make FAANG-sized money for a few years after.

This feeling has ceased entirely in the meantime, due to what Google has become, and how its understanding of its role in the world seems to have shifted. Or maybe its true corporate nature has only become more apparent? I am not sure - but I was a firm believer that Google was a force of good in the corporate landscape of the 00s, and I am fully convinced it is not any more. It actually makes me sad, and I am afraid of the damage it will end up doing to the places (the 'net) and communities (most of the FOSS world) I love.

They used to be innovative and forward looking and send to be having fun at contributing new tech. Under Pichai they seem to only want to lock in their position, kill all competitors, convert the WWW to GWWW
It's also been a massive boost to FOSS as well. I don't think Google is a single entity with a true nature. It's just people deciding things. Sometimes we get VP8 open sourced, a world-level value adding move. Sometimes we get them running an experiment whose intentions should've been better articulated.
Some gifts along the way like AMP aka "Better internet"
Certainly, there are many incredibly talented and passionate programmers there. These people want to make interesting things and many of them want to share them with the world. The company has gotten to where it is by being an exciting place to work for these people and supporting their endeavours.

But let's not fool ourselves, Google at the end of the day is still an ad company. So while we can appreciate what they've contributed using this approach, we can never ignore the fact that ultimately business priorities will always trump everything else, which means they can use their creations against us on the turn of a dime.

Money is a hell of a drug.

Early Google seemed to be genuine and upstanding fellas. The dotcom crash made everyone scramble to pay the bills and monetize which is where the seeds were sown for what we have today.

I think Google did used to be a force for good. I even got happy when they bought the notorious DoubleClick, because I was confident that they would be able to change the scumbag online ad industry for the better.

That didn't happen, though. What happened instead is that Google became a scumbag online ad company.

It's time to start lobbying hard for an antitrust breakup of Google. This DRM plan, as abuse of a monopoly position, provides more political coverage for a forced breakup.

It's pretty clear how to break up Alphabet, because it grew mostly by acquisition.

- Google - search, ads on search pages and nothing more.

- DoubleClick - third party ads on other sites.

- Analytics - services to web sites.

- Cloud - the money-losing data center service. Probably gets sold to AWS or Hurricane Electric.

- Android - phones and similar devices

- Chrome - browsers

- YouTube - streaming content. Probably gets sold to Netflix or AT&T or Comcast.

- Waymo - self-driving cars. Probably gets sold to a car company.

- Alphabet - all the other stuff.

Now, some of these have conflicting interests. That's a good thing. With Chrome separated from Google and Doubleclick, and forced to fight for market share, it's not in Chrome's interest to prevent blocking ads from DoubleClick or Google. Google wants people to see ads on search pages, while Doubleclick wants people to leave the search site and see ads elsewhere. Now there's competition.

Antitrust action against Google is already underway. The State of Texas and several state attorneys general have a case pending.[1] There are other cases.[2] All these cases benefit from Google's move to entrench their monopoly by technical means.

So make lots of noise politically about that. It's quite likely to make Google dump this proposal, on the advice of their antitrust lawyers.

[1] https://www.bloomberg.com/news/articles/2023-06-05/google-an...

[2] https://www.lanierlawfirm.com/google-antitrust-lawsuits-expl...

I fully agree with a breakup but arguably other than Search, DoubleClick, and Youtube, none of the others are solvent without ad money.

On thing I feel we are still missing is for FSF, Wiki, Archive.org, etc. to effectively gather enough cash to start lobbying in politics and in industry much in the same way Meta and Alphabet do. Politicians/legislators are ridiculously cheap to lobby in the grand scheme of things.

> none of the others are solvent without ad money.

This is a consequence of Google's structuring. If the pricing is unrealistic after a split, it's also currently an example of price dumping preventing competitors from emerging.

That’s not “price dumping”. https://en.wikipedia.org/wiki/Dumping_(pricing_policy)

If you don’t charge a normal price for something anywhere, then it’s just a loss leader (costco hot dogs).

Just because the marketing dept calls it a "loss leader" doesn't mean it's not predatory pricing.

Whether a company crosses the line is defined by the impact it has on the market: if a company with enough market power uses that power to damage competitors, then this is deemed predatory. And, when it comes to Google, their history of leveraging their dominant lines of business to force an advantage in new markets, including via pricing, makes a good case for this.

If some spin-offs of a Google antitrust can't swim, let them drown.

> if a company with enough market power uses that power to damage competitors, then this is deemed predatory

I think the trick there is that you legally have to show intent. One could argue that anything a market leader does to grow or even just retain it's market share hurts the smaller competitors.

Chrome is probably the best example. I don't really know how people would expect that to be a company or even a division under Alphabet. It's rather unfortunate, because I don't think Google can be trusted to build a browser anymore.

Android is also a weird case. All funding is coming from Google, but the revenue isn't coming from licensing of the OS. Separating out Android and require manufacturers to pay a license wouldn't kill it at this point, but it could fragment the Android market. Like with Chrome, Google isn't the best steward, because their interests are primarily data mining and advertising, but building the best mobile operating system.

DoubleClick, analytics, Youtube and search are the divisions I'd go for if I where a regulator, but there where would Chrome and Android go?

> require manufacturers to pay a license wouldn't kill it at this point

They'd only have to pay for Google services like the Play Store. However half of them would now belong to a different company and I don't know if the Play Store would be self sustainable on it's own?

Samsung already has their own store, smaller ones will probably still stock to the Play Store for the time but increased fragmentation would be unavoidable.. That might not be a bad thing on its own, however I don't see how/why anyone would continue funding the development of the open-source bits of Android to a degree Google is capable now.

They forked the browser to grab data for the advertising engine.

If all they wanted was high quality browser imagine what Apple and Google could have done if google hadn't forked webkit.

That's wishful thinking. Politicians will never break up Google since they benefit from it.
Fundamentally, Big Tech is an outsized part of what sets America's economy apart. Breaking up any of them would potentially be a footgun.
Yep - weakening Big Tech in the US will strengthen China's Big Tech, which no one wants.
So we have to accept control through Google or Apple or otherwise we will be controlled by Alibaba or Huawei? I don't want my devices to be controlled by neither company.
One wants profits; another wants to influence you. Take your pick.
I agree that big tech is huge part of the American economy.

In the 1900s, Teddy Roosevelt busted up the biggest monopolies and did it boldy. He was a strong believer in capitalism and market forces, and he believed that government had a responsibility to keep market forces working well.

I know we are not in the early 1900s anymore, but I think it is interesting to ponder how the only politicians who dare to say something similar today are the furthest left we can imagine (Bernie Sanders and AOC and the like).

> I know we are not in the early 1900s anymore...

We still have the antitrust laws of Teddy Roosevelt's era, the Clayton Act and the 1890 Sherman Act.

Sherman Act, Section 2:

"Every person who shall monopolize, or attempt to monopolize, or combine or conspire with any other person or persons, to monopolize any part of the trade or commerce among the several States, or with foreign nations, shall be deemed guilty of a felony."

The US Justice Department hasn't often applied that standard rigorously, but it can if it wants to.

Google is not quite Standard Oil though and generally modern tech function in an environment is different from the cartels/trusts/monopolies of the day that it's hardly comparable.

Also thankfully general regulatory situation (and arguable level corruption) isn't as quite yet as bad as it was back in the 1900s.

It's like banks, it depends on your logic. We have systemically important banks, banks that will always be bailed out. You have two ways of dealing with that scenario, either prepare to save these companies when they fail or make them non-systemic so we can afford to let them fail.

What I fail to understand is why it's better for society to support these "to big to fail" companies. Why not break them up. Why not plan break them up if they become to "important" for a lack of a better term? How can you not see it as a political failing that taxpayers have to be ready to save a company, just because you failed to bring it under control?

It's mind boggling.

There’s reasoning if you can actually see what’s happening. Does it outway the costs? It’s a political question, but there’s some benefits.

For example, JPMorganChase is “the” big bank lately. It was able to handle the acute financial crisis this year by providing liquidity and a buyer as needed to keep the system from ever losing a deposit. That was likely bad for them as a business, short term, but it happened because the regulators can call up a single organization and get what they want.

Big tech has similar (unrealized) opportunities to keep strategically important things going. One possible example is the ease of releasing the Covid contact tracing system. If there were 20 fragmented parties they may never have aligned.

> There’s reasoning if you can actually see what’s happening.

You can't see what's happening though, because JP Morgan "mistakenly" deleted 47 million emails. [0] Their fine for that came to about 12 minutes worth of revenue.

They "failed" to keep records, firm-wide, right to the top. [1] Again, their punishment was at the "cost of doing business" level.

We're talking about the bank that financed and enabled Epstein here [2].

There are other ways to provide liquidity without relying on these ghoulish overlords who manipulate global markets [3] and finance blackmail operations.

0 - https://www.reuters.com/legal/jpmorgan-chase-is-fined-by-sec...

1 - https://www.sec.gov/news/press-release/2021-262

2 - https://trendingpoliticsnews.com/breaking-attorney-general-t...

3 - https://www.cftc.gov/PressRoom/PressReleases/8260-20

Politicians would never break up Standard Oil or Bell Telephone either.
Why? It's pretty straightforward to show how Standard Oil or Bell Telephone were harmful to consumer interests. With Google.. well they are giving away half+ of their products for free which they wouldn't able to if broken up. Antitrust laws from the 1900s were just not designed with that in mind, they were trying to solve quite different issues.
"Chrome - browsers"

And the money is coming from where? Chrome exists mostly, so the ad buisness gets more data and they can influence the direction of the web.

Seperate that and there will be no more chrome as there is no other source of income. (Except maybe a little bit from ChromeOS).

Otherwise I get it, it is mostly politics to threaten google to reach this.:

"It's quite likely to make Google dump this proposal, on the advice of their antitrust lawyers."

But a breakup of google(alphabet) is something very unrealistic and actually not something I want to see, unless we also break up Microsoft at the same time. Otherwise we end up with Microsoft dominating the web again. No thank you, I still remember those times.

Well maybe from search engines, who'd pay to be the default search option? So far, it mostly worked for Mozilla.
"So far, it mostly worked for Mozilla."

Yeah, with tracking and ads from the browser enabled by default and by now allmost non existent marketshare. The money from ad companies does not come with no strings attached.

(But I still use Firefox btw.)

Money for developing chrome is not an issue. Google search could pay chrome to be the primary search engine just like they pay mozilla. Microsoft could fund chromium based on their use in Edge. Etc…
> Google search could pay chrome to be the primary search engine

This doesn't sound like a good idea if your goal is to prevent these two companies (or divisions of the company) for co-conspiring.

"Microsoft could fund chromium based on their use in Edge. Etc…"

Microsoft surely will continue to develope edge. That is my main issue with this thing, because they surely would like to be the one with the dominating browser again and if google has to drop chromium, Microsoft will just overtake it.

Antitrust and breakup is not a simple thing to do right.

Then lets break up Microsoft too.
There's plenty of questionable business practices that Microsoft could probably be slapped on the wrist for of anyone cares, but I'm not actually sure there's a good antitrust claim that could lead to a breakup there.
There's always bundling a web browser with their OS and giving it an unfair advantage over all other browsers, aka the exact thing they were sued for last time.
ChromeOS bundles its own browser and goes even further in preventing people from installing their own than Windows. Imagine if on the first boot of ChromeOS it asks if you want to use Chrome, Edge, Safari, or Firefox.
There's a small difference in that Windows clims to be a general purpose operating system and Chrome OS is exactly what it says on the tin, but also a Chromebook running Firefox would be pretty great.
That lawsuit SAS honestly complete bullshit. Going after Microsoft for having plentiful stolen their browser would have been one thing, but saying an OS couldn't ship software applications out of the box is crazy. What do you find when booting up an OS for the first time? Am empty desktop and no way to install anything?

What apple has done with browsers at least seems more egregious. Windows didn't stop you from installing a different browser, ios does. There was even a long running joke that the only good use for IE was to install a real browser.

It wouldn't be hard to find a reason to sure Microsoft though. Take a look someone at where the legal text states their software builds were made and ask what tax benefits one might get from running production builds on servers in the Caribbean.

The problem I see with this idea is that MS doesn't really have much leverage to push Edge on people any more. People aren't just using Windows PCs for their web browsing these days; lots of people are using mobile devices, and many don't even have PCs any more. Google and Apple control the mobile device market (roughly half and half, though it depends on which country you're in too).

If a bunch of websites suddenly required Edge on Windows to view, they'd lose a majority of their visitors.

"The problem I see with this idea is that MS doesn't really have much leverage to push Edge on people any more"

But they do it any way they can. I never intented to open edge even once, but through various sketchy things, I had it open way too many times.

(when you click on the "learn more about this awesome landscape" - you land in edge, open a pdf, edge, saved a mhtml in chrome and open it, edge again. Search for chrome on edge? It almost tries to block you from downloading it.)

What do you expect if you're using an MS platform?

Meanwhile, all of us not using MS platforms (Linux, Android, MacOS, iOS) don't see any of this.

MS only has power over you because you choose to give them that power. They have no power at all over anyone not using an MS OS.

I sometimes have to use Microsoft Teams at work. Microsoft Teams requires Microsoft Edge to run. I was forced to install Microsoft Edge on my Ubuntu machine. Microsoft is pushing its Microsoft Edge product even on GNU/Linux.

There are indeed the end times. I just saw cats lie down with dogs.

> Microsoft Teams requires Microsoft Edge to run.

Where exactly did you get this idea?

It runs fine on both Chrome and Firefox on desktop, including voice, camera, screen sharing. They also have desktop apps, including a .deb for Linux (since it's ultimately just an Electron app).

Well, perhaps "runs fine" is not exactly the right word for what Teams does, but it's as awful on every platform at least.

>I sometimes have to use Microsoft Teams at work. Microsoft Teams requires Microsoft Edge to run.

Plainly wrong. I use MS Teams at work too. My machine is running Debian. No, I sure as hell don't have Edge installed on Debian; I use it in Chrome.

At that point nothing would stop AdCorp from cutting a deal with the new ChromeCorp that says "you get incentive payments for each page load that presents a remote attestation that no ad blockers are present". It wouldn't be seen as anti-competitive then because there are multiple ad serving companies and multiple browser companies, and anyway, legislators would expect and find it reasonable that browsers only get paid referral fees for page loads that do actually display ads. In fact if it goes to court you might not get what you expect - judges (who likely don't use ad blockers much themselves due to age) might perceive browsers who take ad incentive payments but allow ad blocking to be engaged in fraud.
> At that point nothing would stop AdCorp from cutting a deal with the new ChromeCorp that says...

I suspect judges that just ordered an antitrust would not be kind to people to people who essentially ignore the order by recreating an informal structure.

Why? Company breakups are about increasing competition. It's not about killing the Baby Bells by cutting them off overnight from what they need to survive. ChromeCorp would be both free to cut similar deals with other ad networks, and incentivized to do so, that would be sufficient for governments concerned about monopolies and anti-trust.

It's important to keep things mentally separate here. There is nothing anti-competitive about remote attestation, no more than there is about TLS. It's just far too general a tool for that. Even much more restricted versions as used by the smartphones, games consoles, Windows managed network security etc have never been claimed to be anti-competitive. That would be a very novel legal theory that's unlikely to work on its own (you can use the tech in ways that are anti-competitive, but it needs someone to actually do so).

So if Google were to be broken up, it'd have to be for wider competition and market health concerns, it wouldn't be to do with any specific API getting added to Chrome. And then if they were split up, they'd need to formalize arrangements in contracts that are today informal, like how Chrome is funded exactly. At that point, do you think the newly born AdCorp will just accept paying lots of money for ad impressions to Chrome when the users aren't going to see them? Google tolerates it today for a mixture of reasons e.g. a lot of their own staff use ad blockers, they want to be able to recruit very widely for many different projects, etc. A company specialized only in advertising would have fewer such concerns and could easily demand more aggressive measures, indeed, their new shareholders might insist upon it. Whereas today Google isn't really susceptible to stockholder pressure and is willing to let a lot slide.

1. Judges don't order an "antitrust" case, a prosecutor must do that start a case. A judge can then rule on it OR a jury (the DOJ in fact requested an anti-trust jury trial this year)

2. Your theory was basically proven broke by the fact that ATT which was broken up in anti-trust, became ATT, again.

> A judge can then rule on it

And the result of a ruling is a court order to do something. Sure, "ordering an antitrust" is a bit less precise than "ordering a series of actions that result from a successful antitrust prosecution", but I was hoping it to be clear enough.

My point was that judge do issue orders, and they really don't like people finessing around the wording.

I guess you have no idea how much money it costs to develop something like Chrome, especially at Google's salary.
Google currently plays Apple billions ($15B supposedly) to be the default search engine on Safari, and another half a billion a year for Firefox. For Chrome, with their gigantic market share, they'd pay billions (just like they pay Apple).

Browsers are complicated, but let's not pretend that that kind of money wouldn't be enough.

I’m not sure what you mean. Google would continue to pay chrome to advertise?
They’re saying: Google (the search company) would pay ChromeCorp (company behind Chrome/Chromium) big money to be the default search engine in the browser. Google already pays both Mozilla and Apple in this way.

Theoretically this money should be enough to finance the continued investment in Chrome.

It might be nice to have less web browser development, fewer engineers who need to add a new feature to get a bullet point for their review.

Rendering a website should not be a huge project. Websites are a medium for transmitting ideas; communication. A communication scheme that requires a massive engineering effort to interpret it is bad. A web browser should be something that a small community team can throw together in a couple months.

It shouldn’t be necessary to pay so much to develop Chrome in the first place. Web standards have gotten so unimaginably complex that only two of the richest companies in history can produce a web browser (and then somehow, inexplicably, Mozilla manages to almost keep up; wildly impressive on their part).

That figuring out the funding required to draw a website is seen as a big issue is a symptom of the problem.

Mozilla makes money with Firefox. Brave does with brave. It is not impossible that Chrome could. ChromeOS, default search engine, integrated VPN offering, ... The browser has a monopoly market share, income would be huge fast.
Mozilla feeds from Googles hands to ensure an awesome pay for their execs
Call me old skool, but how about charging for it?
When every other browser is free, that sounds like a death sentence
Maybe, but I know that I'd happily pay for a browser that was better than the ones that currently exist, as long as it wasn't a subscription/SaaS thing. So I know there's some sort of market. How large it is, I have no idea. Has anyone actually done this market research?
> But a breakup of google(alphabet) is something very unrealistic and actually not something I want to see, unless we also break up Microsoft at the same time. Otherwise we end up with Microsoft dominating the web again. No thank you, I still remember those times.

This isn't the 90s anymore. Smartphones exist, where Microsoft is irrelevant.

> And the money is coming from where? Chrome exists mostly, so the ad buisness gets more data and they can influence the direction of the web.

This is their business problem, not ours.

Since Chrome, the browser, is in some way a new OS paradigm we can think that the open source community would take it seriously to build a new one and/or improve/fork Firefox in the same way we have Linux, OpenBSD, FreeBSD, NetBSD, etc, etc. I think the main issue is UX/UI where the open source community doesn't excel, yet.

Sure, but then you have to militate also for half of the fortune 500, most of them having bigger impacts.
Cloud would be a huge profit maker as YouTube, search, ads would all then pay cloud for hosting. And they’d have no where else to go.
Further, selling GCP to AWS is not how we "break down monopolies".
as long you can rent rack full of servers and use it easily there is not that kind monopoly.
The logistics at scale can't just be waved away like that; current providers would have at least a 10 year moat at scale to a new competitor even if they did nothing. And you can bet if a new company came along that was a serious threat the current players wouldn't sit idly by.
The FTC would never allow that anyway.
This may seem like a good idea but so much of Google's power comes from the Search + Search Ads monopoly. That is where they are anticompetitive to the max, that is where a change needs to happen. Splitting everything else off doesn't solve the core problem.

Within Search + Search Ads you have a platform where Google are/have:

- the sole vendor of a digital asset - ads

- the sole marketplace for that asset

- a closed algorithmic trading system with no public auditing

- no public ledger or auditing showing who bid what

- currently one of the main customers for those ads (advertising their own products)

Along with that you as an advertiser have to install tracking on your site allowing Google to see every transaction, all revenue, every customer, of your business. The level of spying on the advertisers is insane, when seen in combination with the closed source algorithm and market for the ads the potential for manipulation is enormous.

The whole ads platform is built for extracting every last cent of margin from advertisers businesses. It's anticompetitive, monopolistic, and to some extent even a protection racket.

The most important "breakup" needs to be the ads business from everything else, including search. That's going to hurt, and I don't have the answers to how to make it work, but changes are needed.

I suspect a "breakup" isn't on the cards, maybe some strong regulation of online ad marketplaces, ring fencing them from the rest of the business and auditing of the platform?

> The most important "breakup" needs to be the ads business from everything else, including search. That's going to hurt, and I don't have the answers to how to make it work, but changes are needed.

You can be happy then.

https://www.justice.gov/opa/pr/justice-department-sues-googl...

The press release doesn't mention it, but the actual court document asks the court to:

"Order the divestiture of, at minimum, the Google Ad Manager suite, including both Google’s publisher ad server, DFP, and Google’s ad exchange, AdX, along with any additional structural relief as needed to cure any anticompetitive harm"

Note, too, that this is the DoJ. They, unlike the FTC, actually know what they are doing.
Let's not forget maps, where they arbitrarily decide to show you a shop/hotel/restaurant 5km away when there is one 200m away.
I am kind of surprised none of the navigation apps divert your course slightly to pass in front of a large store or something yet. It could even announce the place. "On your right is such and such store where using the code Maps will give you a 10 percent discount."
You could actually package this up in a way that people would find palatable.

What if maps only took you to places where you have a loyalty card - or the places that currently have discounts on things in your shopping list.

Give it the right marketing spin and people would love it.

I can imagine Margrethe Vestager will start flexing her regulation muscles the minute Google even thinks about it.
Google Maps (and even more so Waze which they own) already had partnerships with various brands - for example, type McDonalds into Google Maps (at least in the UK) and it has the M logo next to "see locations" as soon as you've typed Mc - so it's not such a huge stretch as you think it would be.
This isn't a "partnership", it's an option for anyone who has purchased a Local Campaign product on Google Ads.
Despite not being privy to the details, I am familiar enough with this sort of marketing to be extremely confident that Google and McDonalds (and other big brands) did indeed negotiate specific terms including promotion of McDonalds locations beyond what is available to typical Google customers, rather than a McDonalds marketing manager just logging in and setting up some local campaigns.
I'm sure you're right, but that doesn't change the fact that "logos on Google Maps" =! "partnership"
I'm grateful they started doing this sort of thing. It was what got me to finally stop using Google Maps.
"And weren't you searching for something like this on your laptop yesterday?"
Waze does this, or at least it did a few years ago when I used it. I remember being stopped at a light, and it told me there was a Taco Bell or Jack in the Box, or something within X feet, a coupon for some kind of discount if I go there, and a button to navigate me to it.
One reason I prefer Apple Maps. shrug Let’s see if it stays ad-free.
The ideal breakup would be between search engine and index.

The index should be treated as a utility like water or electric that search engines purchase access to for a regulated fee.

You can then have a thousand competing search engines started in garages with their own ranking algorithms and ads but realistically there are only ever going to be a few indexes. Thats the part that requires enormous data centers and dedicated power stations to run.

I doubt this is feasible, there's a lot that goes into the index which determines which kinds of queries you can even run.
Why? As a supplier of an API to search engine "customers" their entire job would just be to service that demand and provide new query options.

The intra-engine competition, meanwhile, would drive up results quality. Search engines would rise and fall on their own merits rather than on the basis that theyve got access to the biggest index.

But part of the competition is the index quality. For example, it's a lot easier to provide a keyword index than a phrase index. There's code search which is almost orthogonal to what ordinary search wants separators wise etc
I dont doubt that. The point of regulating it as a utility isnt that theres nothing to compete over but that the barrier to entry is so high that you can't simply rely on the market to provide competition.
Even if you split the search and ads divisions into two companies, what prevents them from entering into a partnership and keep doing whatever they do now?
That's what I fail to understand in these breakup threads. They would be free to business with whoever they want. It feels like if a breakup happens it's mostly paperwork and accounting changes in practice.
No, they would certainly not be free to do business with whomever they want. There's a reason the Baby Bells didn't all just enter into a partnership with each other the day after the breakup... they were not permitted to do so.

If/when business was unavoidable between two offspring companies, at minimum, I would expect them to have to inform the FTC, justify how it was unavoidable, and make the details of the transaction public. If someone complained that it wasn't unavoidable, quite possibly there would be additional penalties leveled on each of the participants.

It's not like some Monty Python character waves a wand and declares "you're not n different companies", only to wander off and never exercise oversight. Mind you, I don't think there's enough political capital in the world to manage to break Google up, but if it did happen then the judgement will have the teeth to make sure they're actually broken.

> They would be free to business with whoever they want.

The separate pieces would not be able to engage in business together that constituted a combination in restraint of trade, because that’s illegal whether or not they are breakuo siblings. Breakups turn what used to be sole company actions into combinations, which, in and of itself, adds legal complications.

(Also, as soon as the ownership diverges at all, which will happen almost immediately, between the siblings, a lot of things that are problematic for market effects would also be breaches of fiduciary duty on one side or the other.)

And all of this leaves out the explicit targeted constraints that would inevitably be part and parcel of any breakup order.

In the past, such forced breakups included restrictions on how the new entities could do for a period of time. As an example, AT&T was not allowed to use any of the Bell trademarks despite still owning them. In theory, the government could bar them from any contact whatsoever once the breakup is complete.

That said, AT&T/Bell was broken up in 1984. The "Baby Bells" had all merged back together into 3 different companies (AT&T, Verizon, Lumen) by 2000. So there would need to be better protections in any potential breakup of Google or any other company today

Enshittifying search to serve ads' end goals/margins will go against the search company's shareholder interest, and they can be sued for that.
Good chance the shareholders would be the same people for both.
The court order would embargo that for a period of time.
I feel like if you broke up the browser from search then the elimination of third party cookies will magically fall off the table because you break the browser's integration with the engine and the ad platform which made that elimination profitable for Alphabet (and a knife in the lungs for "open web" advertisers).

I hate web advertising but it's the model we've got so bear with me.

Once third party cookies are back on the table it helps level the playing field. Programmatic advertising becomes profitable again and all those small players can get back to competing. Only this time they're just competing with each other and doubleclick.

Maybe momentum carries forward and third party cookies are eliminated anyway (such faith in humanity). If that's the case then once again the playing field levels a bit more and everybody is working with the same blinders on.

Search will still be awful because of google.com's market share and its enablement of click bait and echo chambers, but search will always be awful and five years from now everybody will have their own LLM instead of search anyway (and five years after that LLMs will suck because there's no new data to train against but that's another rant).

Analytics will change a lot. Google not legally being able to integrate the data it scrapes from GA into its own products means that there's a lot less of a reason to stick just with their ecosystem. They'll still lag behind as far as privacy goes, so third party analytics providers will actually be able to get their toes in the door.

Anyway like you I agree that a breakup probably isn't going to happen. Most of the people who would legislate a break-up don't even understand the internet or what alphabet is, or what google does.

Nit: Google Cloud has been profitable this year: https://techcrunch.com/2023/04/25/google-cloud-turns-profit-...

It's actually perfectly fine to lose money; you have to invest before you can start making a profit, and services like Google Cloud can be money printers once they're established.

But all the cloud providers are competing hard, pumping money into 3rd parties / partners that will then sell it and set it up at companies. I was at one company (a famous flower exchange in the Netherlands) that was in the process of moving all their workloads - hundreds of services, from people's office suites to high volume exchanges - to AWS, and I'm confident that the one guy, the new manager of the IT department, has Connections with Amazon to help sell AWS to companies like this. Because once they're in, it'll cost millions and years to move out again; I don't think many companies will do a sideways step often and move from e.g. AWS to GCP.

Also I don't think selling GCP to AWS really helps competition.
(comment deleted)
> But all the cloud providers are competing hard

They are not competing hard enough. (Or maybe they competing too well? I don’t know)

I used to work for AWS then Azure, and now just do consulting for both. The amount of companies I come across with the chief complaint of “We pay too much for AWS/Azure” is staggering.

In a healthy market with healthy competition, you’d think that would never be a statement to be made. No one says “I pay too much for Chevron, I’ll only buy gas from Total”

AWS, Azure, (and wth) GCP are in the tech support business, not infrastructure resell business. You’d think a cloud only need to sell VMs but there is literally no money in that. That’s the part that “competes hard” also the losing part. As a cloud provider, you want to be out of that shitty business. You want to be SaaS. SaaS is the magic work in Cloud. Selling Software is magic. It made Microsoft in the 80s/90s. It made Oracle in the 90s/2000s. It made Google in the 2000s. Selling software is an incredibly lucrative business. It is where you want to be.

100% of companies I consult for don’t spend money on VMs in the cloud. They always spend it on “log analytics” or “data warehouse” or “serverless”

Why hire a Postgres admin when you can pay AWS/Azure 200k a month for postgresql “managed” offering where you can email them whenever things are not working and have _them_ hire the Postgres experts who would look at your usage/queries/tables and suggest an index here, or a stored proc there.

> It's actually perfectly fine to lose money; you have to invest before you can start making a profit, and services like Google Cloud can be money printers once they're established.

It's not fine if you use a monopoly in one area to buy your way into another. That's one of the core tenets in antitrust (back when it was being enforced, at least).

Google Cloud is quite far from a monopoly...
No, it’s using their de facto advertising monopoly to get into a new market (cloud hosting).
So, like Amazon used their de facto book sales monopoly to get into cloud hosting? How Microsoft used their huge desktop & office software market share to get into cloud hosting? How IBM used their huge typewriter market share to get into computers? It's normal for large companies to use their revenue to expand into new market segments.
Those are excellent examples! This kind of thing was prosecuted firmly until antitrust was “reformed” under Reagan (the law didn’t change but the FTC reinterpreted it, largely led by Bork), the new approach (consumer price doctrine) followed by every successive president until Biden. And those years of doctrine, and judges influenced by them have made it tough going. But I think the tide is slowly turning.

The consumer price doctrine (all that matters is what consumers pay, whether by a large monopolist or deep competition doesn’t matter; pick the best for each situation) is seductive: after all the whole point of government, at the end of the day, is what’s better for the people, right?

But lazy analysis meant just imagining the immediate price change for consumers; long term factors like supplier resilience, innovation, supply chain fragility et almare ignored. Also ignored is the reality from empirical data: permitting or even endorsing monopolies ends up with higher prices not lower.

Browsers aren't a business for Google (or any of the other big browser suppliers), they are an adjunct to other businesses, in Google’s case a way to shape the web—initially through client performance—to support the kind of online app environment that Google’s actual profit making ventures rely on.
I totally agree. IMHO regulators should have been looking at safety net attestation already because it effectively destroys the claim of Google that OEM have a choice and it is not Google's monopoly. The problem is that Google is really good at just keeping below the radar (only the few people will notice that are not using Apple, Google or Microsoft products, which probably does not include any politicians, the broad public or other influential individuals)

With this thing it is the same. The problem is: nobody will care. And I think everyone who should care will look away again, because it is just too complicated to explain.

The core problem is that a minority raises this concern and this minority is not loud enough. We really need to nag out banks etc if they do not allow to use de-google Android. There should be public visible lists of the few 'good' guys left. Not even tech magazines seem to pick up this topic.

I think the only thing to do for now is really actually using free browsers and free operating systems and on the other hand raise the issues (literally on GitHub?) as loud as possible. The world is just lacking enough web activism. The only loud thing about freedom of the web is web3 and crypto, but obviously to me this is just backed by some people who like keep the buzz up to make some more money with speculation.

>IMHO regulators should have been looking at safety net attestation already because it effectively destroys the claim of Google that OEM have a choice and it is not Google's monopoly.

Apps that require play services are just as much exclusive as apps that require attestation. Phones that don't use play services can create their own attestation API and partener with apps to support it.

Cloud - the money-losing data center service. Probably gets sold to AWS

Your solution to breaking up a large monopoly is to boost another (quasi-)monopoly? I'd suggest that both Amazon and Microsoft should be prevented from taking over those assets.

Yes, we will need to evaluate and approve each acquisition but I am not sure if it is even possible to break up Google.

I don't have a solution to the problem but I know this — we can't do the stupidity of breaking alphabet into a bunch of small baby alphabets like what we did with at&t.I think that was complete incompetence, if not corruption.

We can't have a bunch of regional companies. However, we can't do what OP said either, even with your safeguards. Amazon and Microsoft don't care if they get Google cloud for themselves to buy. Either they get to buy it or it dies, they still get its customers.

I think someone else said elsewhere if Microsoft abuses MsEdge, break up Microsoft as well but that's the kicker. That will take time. Microsoft can and will abuse it's position during this time. I don't think it is possible to do a "safe landing" here. An alphabet Google will either be a nothing burger like the AT&T break-up or will be very painful to ordinary people, at least for some time.

> we can't do the stupidity of breaking alphabet into a bunch of small baby alphabets like what we did with at&t.I think that was complete incompetence, if not corruption.

After the breakup, it became trivial for me to buy my own phone and hook what I wanted up to my phone connection (including dial-up modems later).

What do you think would have granted+preserved those options, that wasn't an exercise in incompetence and corruption?

But if it's indeed "money-losing" wouldn't it be just worth as much as their equipment is?

Also if we are talking about MS/Amazon/Google's cloud businesses we shouldn't ignore that these companies themselves are generally their own biggest clients which is something they could leverage to a significant degree to outcompete their rivals (initially at least)

> Cloud [...] sold to [...] Hurricane Electric

I'm a customer of both GCP and HE and this would be a really, really weird merger. Not saying I don't want to see it. :)

+1

Google's ad business (and the need to track ad conversions) affects every business sector it's involved in. From Maps (where you loc. is tracked for 'in-store' conversions' to your Google ID which tracks which ads you click, to Chrome pushing for mechanisms to track conversions after cookie-blocking has become standardized.

You kind of understand their needs (since ads fund search and everything), but I also don't trust them not to 'over-optimize' (esp. given the unchecked powers, both political and technocratic, they have).

> - Cloud - the money-losing data center service. Probably gets sold to AWS or Hurricane Electric.

I don't think any of this would happen, but I'd rather see it go to Cloudflare so there's still 3 "big player" choices. They seem to be trying to head down the cloud provider path anyway.

This will immediately kill some of the parts (Chrome, Analytics, Alphabet) and increase the antitrust issues in others (Cloud, YouTube)
> So make lots of noise politically about that.

How? I've seen similar ideas but the best they do is resonate really nicely in this echo chamber.

Send letters and call your Senators and House representatives. Donate to them the maximum you’re legally allowed to and when you get the staffer call asking for more money, give them an (respectful) earful.

All it takes most of the time is a dozen people pushing the issue for a rep to make up their mind on a bill. On contentious issues, a few hundred persistent constituents will convince even Senators in large states.

Seriously it’s not that hard when it’s not a culture war issue. The vast majority of the time our politicians get bought out for a pittance like $10k in contributions. It doesn’t take much to bend them the other way when coming from voters.

Speaking from experience.

So what kind of money are we talking about here? Order of magnitude?
$3,300 is the federal maximum per election per candidate but even a $1-2,000 donation will get a House rep’s attention (better donate the max for a senator though).
None of what you suggest has any impact, and your model of how many people it takes to influence a Senator is frankly delusional. A max donation to a campaign will get you a signed thank-you card if you're lucky.

Policy on stuff like tech is set by staffers, most of whom work from material helpfully pre-drafted for them by lobbyists. There are some legislators (like Wyden of Oregon) who have very good in-house people on tech policy, while others have no expertise and have to rely on outside parties. But the idea that anyone can be bought for a donation is heartbreakingly naive (and fortunately false). Large donations at best get your calls answered by the junior staffer whose job it is to protect the Senator/Congressman from ever having to talk to people like you directly.

Major legislation on tech is rare, and it's generally much easier to kill something you don't like than to get a provision put into it. The latter course requires being deeply plugged in to the people drafting policy (again, mid-level staff on the Hill, who have zero awareness or interest in which private individuals are making campaign contributions) and enough clout and political ability to shepherd your desired policy through the full sausage-making apparatus of Congress.

Look at the current dueling bills on crypto for an example of how the process actually works. None of it is driven by strongly-worded letters from constituents.

I never said you could buy a Senator's vote for the max donation, just that you can get their ear. You should try harder if all you get is a thank you card because a decent sized donation is the easiest way to quickly establish a relationship with their office.

YMMV but I've helped several nonprofits in SoCal navigate Congress and I'm constantly surprised by how little coordinated effort it takes to effect legislation, especially the budget (and I have no previous experience in politics, I was just an interested volunteer). We've only just begun collecting sponsors for the first bill drafted by one of the nonprofits so I can't speak to the whole process for a greenfield bill just yet but already we've had help from the Office of the Legislative Counsel to fix up the bill through our House rep so the ball is rolling.

So far we've spent far more on travel expenses than any of the orgs have spent on lobbyists or the members have spent on donations.

> Large donations at best get your calls answered by the junior staffer whose job it is to protect the Senator/Congressman from ever having to talk to people like you directly.

They're there to protect the politician from raving abortion/guns/bullshit-of-the-day lunatics. Offer to send them a short fact sheet in the format that they expect and the doors start to open quickly.

Like I said though, I'm in SoCal and YMMV. I have no idea what it's like with the GOP or in states where both Senators are like Feinstein (her office is a black hole). I do agree with the rest of your point about tech bills, my experience is with environmental and social services nonprofits who don't deal with very controversial issues.

You will not be getting in a senator's ear for the maximum campaign donation. Senate races are nosebleed expensive, and the federal maximum doesn't scale with the kind of race. It has not been my experience that large donations to congressional candidates get you any real airtime either (which is a good thing), and House races cost 1/20th what Senate races cost.

Now, if you max out any Democratic race anywhere in the country, Raja Krishnamoorthi will ring you up from Illinois CD8, and you can talk his ear off. But it's a grift. He's not going to do anything for you. With my John Williamson voice activated: he - just - likes - talking - to - donors.

As regards affecting legislation, I'd be interested in hearing some specifics about your experience here. What legislation did you see get altered, and what were the tactics that accomplished it?

> On contentious issues, a few hundred persistent constituents will convince even Senators in large states.

If there aren't already that on each side of an issue, its not actually that contentious. In reality, it takes large numbers of people coordinating action or a small number of people who each are financially involved orders of magnitude beyond the maximum legal direct donation (either as fundraisers marshalling donations for others, or as well-known contributors to party committees and SuperPACs as well as candidate committees, or whatever) to sway most members of either House of Congress from where they would otherwise be. (Being an existing org that is known to either bring a lot of voters or act as a proxy for a lot of big donors, or better both, also helps.)

Your solution to Alphabet abusing their position in the market is to consolidate some parts of its business in to its present competition.

I don’t see how that increases competition.

Wholeheartedly agree. And we shouldn't stop at Google : a large part of western capitalism in 2023 looks pretty much like a dystopian landscape out of a cyberpunk novel. It's a democratic nightmare in the making.
> a large part of western capitalism in 2023 looks pretty much like a dystopian landscape out of a cyberpunk novel. It's a democratic nightmare in the making.

My take is that this process is inevitable while the following is in play: DoJ rubberstamps monopoly creating mergers, merger desiring companies fund campaigns & otherwise gift politicians, voters keep reelecting those politicians while not overly objecting to their corruption, news orgs fail to cover mergers in a historical context while generally preferring fluff and stenography.

Those wishing to expose flaws in my analysis can use the space below.

>it's not in Chrome's interest to prevent blocking ads from DoubleClick or Google

But it would still be in their interest in preventing ad fraud on the web.

Why? Users don't care about ad fraud and neither should the user agent.
Because sites, advertising networks, and advertisers do care about it and they are part of the web too.
I don't see why people think that antitrust is a magical silver bullet that will solve everything. Breaking up Google will be great for Google's paying customers, mostly advertisers. That doesn't mean it would it would help the users. If anything, each broken up piece of Google would have less scrutiny that the whole.
It's ultimately all about ads, though. Ads on the search page, ads in Android aps, ads on web pages, ads in or around YouTube videos, and several big data sets that help them figure out which ads you are most likely to respond to.

Although the Chrome team would prefer not to block ads, I'm pretty sure there's some pressure on them to reduce the number of users using ad blockers.

This is such a naive and for lack of a better word stupid take

> YouTube - streaming content. Probably gets sold to Netflix or AT&T or Comcast.

Make Netflix more powerful? In what world is that good for competition

>> YouTube - streaming content. Probably gets sold to Netflix or AT&T or Comcast.

>This is such a naive and for lack of a better word stupid take

What is the not naive, not stupid, clearly-more-beneficial-than-what-we-have action that should be taken with youtube?

Doing nothing? I mean Youtube is at least competing/trying to compete with Netflix, Spotify and others to some degree at least.
I don't understand the downvotes. You asked a legitimate question. How do we fix this anticompetitive monopolistic behavior?
I worry the enshitification of a monopoly like Google, who now has it's hands deep in the workings of things like the web and email, means their supposed mission of "organizing the world's information" has devolved into "putting as many paid middlemen in front of the world's information as possible," or walling parts of that information off completely.

This goes without saying, but we shouldn't let one company be solely responsible for managing the "world's" information. "Organizing" sounds benign, but they've clearly extended past that.

I don't know that you're totally on point about how to break Alphabet up, but you're right that it should be. If information wants to be free, we should also re-examine how to ensure it stays that way in a world where Google isn't it's supposed shepherd.

How exactly does taking one of the 3 major cloud providers and selling it to the largest of them help with monopoly/antitrust?

Besides IIRC Google cloud is actually profitable these days. No need to find a buyer.

The problem with Chrome is it would have no funding unless we suddenly end up with subscription browsers.

It also means the fall of Firefox because they are still dependent on the Google moneytit.

The future I see in this direction is Chrome ends up getting a free easy takeover/hijack by Microsoft since they are have no problem throwing money at Edge.

How would Chrome make money? Right now they get a blank check from Google because dominance on the web is their business model. But if they're not supposed to sell out users interests to the ad-company, how are they supposed to earn any revenue? Sell Chrome licenses?
Just like how Firefox earns money, sell default search engine rights to highest bidder (google, bing) etc , Chrome itself can become billions of dollar business.
So in other words, sell user interests to the highest bidder.

Firefox is not comparable because it's not a stock company. They don't have the obligation to maximize profit for shareholders.

> - Google - search, ads on search pages and nothing more.

> - DoubleClick - third party ads on other sites.

No, hard disagree. One of the things that gives google its position of power is that its both an ad exchange and a publisher (as participant in said exchange).

The correct way of breaking is NOT search+ads vs third party ads. It's search vs ads.

Make google a publisher that DOESN'T own an ad exchange and make it compete for search ad revenue on equal footing with everyone else. Lets see how well it does (I'm guessing not well).

Same goes for facebook.

It is highly unlikely that Android, Chrome, and Analytics can be viable businesses on their own. I can perhaps see a viable path for analytics if a lot of things go their way but those three are almost entirely successful because they are subsidized by the other businesses. Youtube, and the other ads business can probably survive okay on their own but Chrome and Android I suspect can't.
All can be fully viable, very profitable, very large independent businesses.

Android Based on information obtained by Oracle in a lawsuit, Android had, as of 2010-ish, generated $31bn for google

https://www.androidauthority.com/android-generated-google-31...

Chrome: Browsers make money by

- sharing revenue from ( product and service ) ad searches

- prioritization in search engine results in the browser ( eg being set up as the default search engine)

https://www.investopedia.com/articles/investing/041315/how-m...

It is estimated, for instance, that as of 2021, Google was paying Apple $15bn for default browser placement

https://www.theregister.com/2023/02/17/google_apple_chrome_i...

Google Analytics:

This is much harder to research - since looking for 'revenue' with 'Google Analytics' simply shows how to use the tool to track revenue for 'your' site if you are a Google Analytics user and my Google-fu fails at a quick remedy for that.

Best quick result would be a proxy i.e. competitor revenue. MixPanel is a standalone Google Analytics competitor and it makes $96MM from that business

https://www.crunchbase.com/organization/mixpanel

I know it's just a hypothetical but YouTube being sold to Netflix or god forbid a century-old telecom company sounds awful to me, unless they let it continue to run as basically a completely separate entity - possible under something like Netflix or another tech-forward streaming company, nigh impossible under something like Comcast.

I would hope YouTube could just operate as its own company. Certainly there's enough traffic, and it makes Google billions so presumably there's enough for it to survive on its own.

(comment deleted)
Government should force google to give competitors access to its search index so that they have a real opportunity to build a competing service on top of it, AI or search. The same way monopoly telcos were forced to open infrastructure to competing service provides.

Google products are getting increasingly crappy. Would be great to see what others could build with their information monopoly.

Google and it's employees are, combined, one of the largest DNC donors. This will never, ever happen.
No one pays for web browsers, I doubt Chrome would be a viable separate company.
Rather than sharding the company, and getting stuck in endless discussions of where exactly to draw lines and what business units are unsustainable, why not nationalize it?

The "projecty" things like Chrome and Android and Waymo are arguably money sinks that will produce things of significant public value over time-- what if we funded them like other research probjects, with the understanding that the commercial applications will either generate public revenue or directly enhance domestic competitiveness. Imagine if in 5 years, the American carmakers had highly discounted access to Waymo's self-driving technology, but Mercedes and BMW still have to roll their own or license it at an intentionally hostile price?

The revenue-generating stuff could be "commoditized" -- turn it into white-label products they'll resell to all comers. You no longer go to Google, you go to a Google Reseller who provides their own ad or subscription monetization model to pay for the underlying infrastructure cost. Since they all have the same core index, they start from strong competitive parity, and then they can focus on their differentating features-- extended custom indexes, more tools, etc.

Your computing device is your agent, more than any doctor, priest, or lawyer-- you share greater intimacies with it, and you have far less ability to go about an ordinary life without access to one. Your computers mediate an increasing share of your interactions with other people, with the world at large. You need one to communicate, to obtain essential services. You take it into your home, into your bedroom. It should be required to act in your best interests and it certainly should not against your best interests.

This shouldn't be an unusual demand or even a demand at all-- it should be table stakes.

Even back when the concept of Free Software had just become an identifiable thing people advocated it in terms of respecting the user. But for a long time the disrespect was largely banal-- rent seeking, over priced, indifference to features or bugs that matter to you, rules that benefit the author but didn't care about the user's needs. The fact that software could actively and intentionally work against its users wasn't a surprise-- the freedom to inspect, modify, and share the results answers those risks too, at least in theory. But back then it wasn't a common problem. Somehow software and systems that actively betray their users became common, even normalized. And in large part it seems most people never noticed.

This is attributing intentions to Google when it's unclear what they're going to do. Probably even unclear to them. Not all anti-fraud measures are DRM. If "holdout sets" get implemented then it can't be used as DRM, because it will randomly fail.

What we know now is that they wanted to run an experiment to gather some data. Since it's in Chromium, they needed to explain it, and they explained it poorly.

It's not unclear. They "lost" 22 Billion due to ad blockers.
That's nothing. I actually lost a trillion dollars just now. Apple is worth about $1T, and because Apple and its shareholders didn't simply gift me their entire company, I've now lost $1T. And that's just a drop in the bucket for money I've lost in the last few minutes!
Holdout sounds like it is explicitly added to ward off any criticisms insinuating DRM.

If a server is not denying access for clients with no valid attestation then what exactly are the servers gaining from implementing WEI?

CAPTCHAs also reasonably prove that the user is a human and legitimate but not all captcha challenges are solveable by humans in one go.

Businesses have denied access for those failures and they just repeat the challenge until the captcha is solved successfully. If the failures are less per client they can easily be treated as tradeoff against security.

What's stopping websites from doing the same with WEI? They can always deny access and repeatedly request attestation until a positive reply comes.

This is acceptable for those "attested" clients where the failures are random and within an upper bound. But a client without attestation can always be denied or they can be shown different limited content altogether.

In both the cases the unapproved clients are at a disadvantage.

I 100% agree with this. But even if holdouts could magically prevent the abuse of this API there is still a massive issue. Once this standard gets wider adoption and it's time to boil the frog further literally all it takes to disable holdouts is editing a single value in the attester code. They will justify it by saying holdouts are no longer needed because 98% of clients are already compliant.
Bullshit. Stop assuming the trillion dollar corporation is incompetent and blameless. They know exactly what they are doing. Remote attestation allows them to determine that a web page has been "tampered with". Tampering includes deleting ads and corporate spyware as well as user scripts, extensions and automation. It is obvious how Google and all other corporations stand to gain from such technology.
Google might have pretended to stood for something, but they have been an evil corporation since they have been a corporation. That's what corporations do by design.

One relevant example is that they've been doing the "only for ie5+" with their services for 10+ years now. They killed most of their browser competition not by having a good product, but by having or buying up good services that they used to force chrome onto users - voluntarily (billions worth of advertisements) or not (lies about compatibility, performance or outright blocking other UAs).

That’s not how I remembered it. Chrome really was a good browser and I would argue is still a good browser (for now).

IE got displaced by Firefox’s predecessors because MS got caught napping - they disbanded the IE team thinking they have won. Firefox simply got outcompeted by Chrome as Google went crazy making it faster and faster. Firefox fell behind often enough that Chrome managed to take almost all of its market share.

I’m not happily with Chrome’s dominance, and Google’s abuse of its market position, but it was a good product for most of its life span.

> Firefox simply got outcompeted by Chrome as Google went crazy making it faster and faster.

I disagree - if that was the case then people would be switching back to Firefox now. Firefox got outcompeted by chrome by Google adding a "works better in chrome" button to their home pages.

Some people do. I switched back and forth. But most people are “low frequency” switchers. Chrome is ahead often enough that most people stick with them.
Also by paying a bunch of black-hat marketers to use malware to trick people into installing Chrome unintentionally.
>if that was the case then people would be switching back to Firefox now

It's like sayinig people would be switching off of Facebook or Twitter. It's really hard to disengage the general audience.

With that said, I did in fact switch to Firefox in 2023. I still unfortunately need google translate on mobile, but once Firefox can get those add on features out of beta it will be a pretty seemless transition.

This is partly rewriting history. Yes, Chrome literally outperformed Firefox, but there are other parts to this story. First, Google pulled engineers it had paid to work on Firefox, including the project lead, to kick-start Chrome instead. That's fair game (and Mozilla's fault for not seeing it coming), but it obviously set back Firefox as Mozilla had to scramble to fill those gaps without much of a forewarning. Secondly and perhaps most importantly, Google dumped countless millions of marketing money and often engaged in dark patterns to promote Chrome, e.g. bundling it with random shareware and freeware that would automatically make Chrome the default browser. That was even before they paid laptop vendors to preinstall Chrome, something that Mozilla could never afford, and Google could only afford because of its monopoly in search / advertising.
That’s the “nerd history”, which I mostly agree with. Normal users however don’t care much about performance and whatnot. Their PC came with Chrome, so they use it. If you give them some other browser, they probably won’t be able to tell the difference.

Chrome didn’t “win” because it was good. It won because of Google’s hyper-aggressive marketing on all channels. They basically did was Microsoft was fined for by the EU back in the day.

Their PC came with Internet Explorer. It was Java (that almost everyone had to download at some point) that came with Chrome.
I'm thinking about more recent times. Internet Explorer has been dead for almost a decade now. Chrome did not kill it.

Chrome was however preinstalled on many PCs/laptops as part of the crapware package.

Also, yes, it came bundled with basically everything.

I adopted Chrome almost as soon as it was released. Chrome was better than the other browsers available at that time. Firefox was a mess, and Internet Explorer... well, best left unsaid.
I started using chrome vs Firefox because each tab had it's own process, novel at the time, such that a crappy website crashing would bring down the tab and not the browser.
>Normal users however don’t care much about performance and whatnot. Their PC came with Chrome, so they use it

You talk like it's impossible for nerds to have influence on their surroundings. Way before Chrome got preinstalled on a computer or went on a dark pattern campaign, I heavily recommended it to my acquaintances, friends, family. I even remember a perfectly "normal user" type uncle using Chrome before I recommended it to him because he had learned of its existence from another person's word of mouth. I constantly see people try to diminish the power of word of mouth spreading good products here on HN, which is complete nonsense. Contrary to the popular belief on HN that "normies" are idiots who only ever settle for "defaults", they routinely try new things if their peers recommend it, it's how non-preinstalled apps like Whatsapp grow. It's not just the networking effect, you need to be better than the default. Sending things like pictures through texting apps sucked, group messaging sucked, Whatsapp provided something /much better/ so people used it. By the way, it's out of topic, but mentioning messaging apps reminds me of how Google in fact could not, despite its monopoly and advertisement power, get anyone to use theirs. If you think dark patterns and preinstalling apps is enough to gain success, then why has google failed, time and time again? Apps like Google Duo were preinstalled on all android phones I've seen and literally no one I know in real life ever made use of them. Maybe google's apps weren't bad, but they were not /better/ enough to encourage people to give a shit. To convert people, you can't just be "as good" as the competition, you need some serious oomph.

When Chrome came out, it was a landslide. IE was dead, and Firefox was dramatically inferior in both performance and security. The multiprocess architecture of Chrome combined with other security related decisions, and the V8 JIT for javascript made it a vastly superior browser and people knew about it. Firefox took a VERY long time to get to a place where it didn't feel bad to use once websites started taking advantage of Chrome's superior performance and got more bloated in the process. Some of the changes it made to get there were heavily contentious with the nerds who ended up being the main population of users for FF, like removing XUL, further pushing FF into a very specific niche : the privacy conscious and people who use it solely to reject google's monopoly. The "normal people" who would have used Firefox instead of IE back in the day because of peer recommendations would not use Firefox instead of Chrome today unless they're very obsessed with those things, because FF is no longer clearly better than the alternative, to the contrary, it's still weaker, though not as much as it used to be.

And while the crowd on HN tends to focus heavily on things like privacy, if there's anything the average person doesn't care about in my experience, it's that. They will never trade convenience for more privacy.

I think it was clear when they started with Google docs that they were using their browser to get market domination. They offered a free product that people liked, but almost forced them to switch to Chrome. They got entire nations to switch their education tooling to chrome and google docs. Now they keep adding features that enable bad developers to create websites that don't work properly in Firefox and Safari. There's been no change. Chrome has always been part of Google's strategy.
Google’s web products have always worked with Firefox to my knowledge. Maybe they run a bit faster on Chrome but I don’t recall them ever being broken on Firefox. Perhaps I’m wrong. Can you cite incidents of Google’s stuff not working right on Firefox (or Safari even). Also which features enable developers to create sites that don’t work in Firefox and Safari? (I really don’t know. I’m not a web developer.)
I'm a lifelong FF user, and I had problems with google docs in the beginning. I vaguely remember it was using JS features that FF hadn't implemented yet.

Currently, Chrome has a number of CSS features that Firefox and/or Safari don't support. You can find them at [1]. Some make life a bit easier, and devs use them because they like easy or even because they think everyone should force their browser maker to adapt all those features ASAP.

In an old thread, I explained that my code ignores these features because we want to be compatible with as many users as possible. I got some miffed replies saying we should make our users upgrade. Really.

Then there are also APIs in Chrome that have not been standardized, and some of which should not be in a browser (IMO), like USB access (see [2]). Some of that is an attempt by Google to replace "native" applications by web pages, which would give them even more leverage.

[1] https://caniuse.com/?compare=chrome+115,firefox+116&compareC... [2] https://caniuse.com/?compare=chrome+115,firefox+116&compareC...

Google Meet reported errors for Firefox users which no other service had problems with.

Google Cloud’s login page frequently broke for Firefox users.

YouTube was famously slower for a long period of time where they used a proprietary API which only Chrome supported instead of the standard API which Firefox and Safari implemented.

I suspect that all of those weren’t malice as much as neglect but for such a large company it’s definitely not a lack of resources if they choose not to test on browsers they don’t make.

The real damage, however, was not things actually breaking but the constant push to use Chrome. If you used Firefox you would be prompted to do that frequently visiting Google search, mail, YouTube, etc. with various allegations of better performance which didn’t hold up in testing.

cloud console is unusably slow in Firefox
This is also how I remember it. "getfirefox.com" is burned into memory from ages ago, the first real competitor to IE. Everyone wanted to switch to it.

Then chrome came along and people reluctantly switched at first, then enthusiastically. Firefox had the reputation of eating RAM like candy.

>Firefox had the reputation of eating RAM like candy.

It wasn't unwarranted. They were dealing with a great deal of memory leak issues in the early Chrome vs FF era. The most important thing is that even when Chrome ended up taking more ram than FF for an equal amount of tab and equal websites loaded, closing tabs on Chrome was far more likely to let you free ram usage than on Firefox, and nobody likes to have to close the entire browser session to reclaim ram.

In the XUL days, Firefox was quite janky. XUL enabled powerful addons that made it a great power user browser, and people still occasionally can be seen missing it on places like HN, but it was also a curse upon the browser and they took too long to decide to get rid of it and rearchitect their browser into something more modern.

Yes true, it was very much a warranted reputation, no doubt about that. I still use Firefox and am put off about its UX much in the same way as when chrome was released.
The other thing which was a problem were popular extensions which leaked memory. A lot of people went on this cycle where they’d install extensions until their browser was slow / unstable, switch to a different browser, say it was much faster, and then lard it up with extensions before repeating the process.
Being the better browser helped gain initial momentum in the 2000s with desktop users, but they took the lead once they made Chrome the default browser in Android. The majority of software users don't change their default settings
> Firefox simply got outcompeted by Chrome

Yes, a lot of issues are of Firefox's own making. Google sabotaging them helped, too: https://archive.is/tgIH9

I kinda feel like them removing ‘Don’t be evil’ from their motto was the canary in the coal mine.
Good/bad is too simple to explain these things. Corporations try to make money or build leverage. Of course some of them don’t execute or compete very well. In the early days it was doing good and building the leverage, now it is time for them to use that leverage to continue to milk the cash cow for as long as possible.
I wonder if Google has considered how this technology can be used against themselves? If WEI is deployed, we ought to use it to lock out Googlebot!
Weeeeeeell, Googlebot can just lie about itself, no?
You can already lock out Googlebot because it respects robots.txt and its IP ranges are documented.

It's very hard to "turn the tables" on companies when it comes to remote attestation because companies rarely directly lie to consumers about the true nature of their operations. When they do they tend to end up like Sam Bankman-Fried or Elizabeth Holmes. That's why all the big cloud vendors support remote attestation of servers to clients:

https://cloud.google.com/confidential-computing

So not only do they want you to demand remote attestations from their servers but they even document how to do it and provide significant infrastructure support to do so.

Not many people are using it though, and when they do it's usually to generate trust in non-tech firms running software on top of those clouds. Which is certainly a decent use case, but it's more like defense in depth than something existential for most companies. Whereas the inverse can be existential (multiplayer shooters without anti-cheat will rapidly become unplayable because so many players will lie to get ahead).

My conjecture is that Google just pretended to stand for freedom, when they were a smaller company and they needed goodwill to be able to build an empire. Now they don't need that goodwill anymore.
The freedom Google stood for was also a trend of the time — tech start-ups were trying to break out in the burgeoning internet against established giants — and naturally the companies ideologies reflected that rebellion against the norm.

They a few billion dollars later and you realise that morality and stakeholder profits can never be aligned...

(comment deleted)
We all let it come this far, because of how we treat the services Google provides: As nice free and helpful tools. Talking about "Chrome this and that" all the time we forget what that really means, namely:

Using the strategic tools of the largest Advertising Agency in the world, that allows them to ever grow their dominance. Chrome, GMail and all that jazz all fit into a global-scale ad-tech framework to push shady ads and slurp in your PII for shady business. Google uses monopolies and oligopolies to force itself into your life. In other words..

Google is SHADY BUSINESS. And that should be the framing to spread about. Always repeating that Google is an advertising giant. Not some trustworthy biz. Zero integrity. So how can Chrome relate to integrity then?

Is your Bank using Google's integrity foo? Give them a support call. Act like a noob and keep them busy for as long as possible with "It isn't working". Until they explain about Integrity + Chrome. Then comes the angry phase: "WHAT? Are you in bed with a SHADY advertising agency?? I thought you were a trustworthy bank."

> Give them a support call. Act like a noob and keep them busy for as long as possible with "It isn't working".

I'm all for grassroots change, but I really don't think that doing this to Tier 1 support staff is going to effect any real change. With all love to my helpdesk folks, what matters is ticket closure metrics and call duration -- an emotional outburst isn't going to change a thing.

seems like an emotional outburst is not the worst way to have a long call with no actionable outcomes.

my sympathies for the call staff thou

"I also have an account with xyz and there I don't have this problem" might be an effective addition.
> We all let it come this far, because of how we treat the services Google provides: As nice free and helpful tools.

This is exactly what we need to change. "Free" services are never really free. You pay for them in the end, anyway, and doubly so. First with your data, then with your money.

The free internet may be nice for some people, but we all pay the advertising tax in the products we buy. It would be much better if we banned this entire freemium pricing model and started paying for things like in the old days. It would solve a lot of problems.

Google is just copying Apple, this is the entire funny part. Apple is over 50% of US market share of phones

https://httptoolkit.com/blog/apple-private-access-tokens-att...

You should be more afraid of banks soon requiring Apple devices only

I don’t follow this logic. For one… the other 50% is Google. But Google has equal or better market share of many other key product/service areas… and significantly higher share in the web advertising ecosystem central to the discussion.
How did you get from Advertising Agency to Shady Business? Agencies on Madison Avenue are not generally thought of as shady.
They aren't exploiting global monopolies and oligopolies either, forcing technologies down people's throat that will cement and further expand their already overly dominant position. For the most part they aren't pushing ostensibly benign tools that lure and capture people in their web (i.e. Google Web literally).
Google always stood for selling adds, there are no surprises in them wanting to cash in on their monopolies.
The elephant in the room is the increase of interest rates. The free lunch of cheap money is over. Now corps have to make money by squeezing every rock for the last bit of water.

My advice to everyone is to watch out, and be carefull. Look over the license changes over the incoming days to see how you might potentially be squeezed.

one “side effect” of this would be enabling Google to effectively block ad-blocking. And, of course, plenty of people will insist that that’s not a side-effect, that’s the end goal.
How would this block ad-blocking?
Google could stop certifying configurations with an ad-blocker. Of course they are the ones that want to be established as infrastructure to certify your client being "genuine" or not.
Websites could choose to deny access to clients that attest to having adblocking addons installed.
Point me to anything which would give websites access to that information via WEI. There is nothing. I have seen nothing except FUD. Aside from that, this only attests for the device. Ad-blockers can be external. This does nothing for external ad-blockers.

Explicit non-goals for WEI:

"Enforce or interfere with browser functionality, including plugins and extensions."

https://github.com/RupertBenWiser/Web-Environment-Integrity/...

Oh. Hmm.

That link needs to be passed around a little bit more. Whoops.

I guess I'm not seeing any technical barriers there to an attester providing a service that only attests to browsers that don't have adblockers installed.
This will be hard as:

The attester verdict is an abstract concept that refers to the response from attester. It reports how much an attester trusts the web environment the user agent is executing in.

The web environment is defined as TODO [sic]

So essentially google has carte blanche for information from your browser.

And they are prototyping that into browser - so forgive me but I'm concerned even more.

I suppose we have to start webrings again and ditch Google. Today they would be more feasible, since you can announce entry points on Twitter etc.
Anyone that ever belived into the "Do no evil" motto was only fooling themselves, companies only care about their profitability.
I bet $10 you once believed that motto yourself. of course you have long since changed and that is good
Great, because I am a grey dog, born in the 1970's, first generation after the Portuguese dictorship, still experienced the leftovers of it, and don't belive in giving human attributes to capitalist corporations.

Where can I collect my $10?

So at the end of the day Google are a full monopoly that can do what they want... Nothing new under the sun.
It seems Everyone is taking for granted the claim that this is about DRM. The claim is that websites (not Google) will use this signal to allow or deny access but this is already possible with various means. Google or any other Browser vendor do not have a say on how websites use or misuse features.

> There is a tension between utility for anti-fraud use cases requiring deterministic verdicts and high coverage, and the risk of websites using this functionality to exclude specific attesters or non-attestable browsers.

This risk is already present and actually happening. What makes this not widespread is not that it is not possible (it is) but that it is unpopular. Websites that you are forced to use (many banks for example) do it every day and they get away it with it because you have no choice.

Many articles are just reapeating the "DRM" claim without explaining how is this different, what does Google have to do with how websites choose to treat their users or what solution they would propose. It seems to me just protest for the sake of it because it's trendy to question every Google Initiative. And yes every Google Initiative must be questioned but I don't see any questioning here beside just parroting in article after article what someone identified as a potential misuse without any critical thought going into it. Might as well autogenerate the contents with AI already because the utility of all articles i have seen on this topic is the same, just rearrange words without adding anything to it.

> what does Google have to do with how websites choose to treat their users or what solution they would propose

Google owns YouTube. Is it so hard to imagine that some product manager at YouTube counted the losses due to adblockers and asked a team in Chrome to prevent them?

Youtube can and in some measure is already doing it without this new API. If google wanted to be sneaky they can provide whatever data they want to Youtube alone without making it a public standard. you see how all of these fears are contorted reasoning because you want to try to find something wrong with the proposal because all fo your fears do not require this proposals and would be easier and with much less backlash without a public standard API.
Yeah right. "Don't worry, the leash you'll be wearing is a public standard.".

You're either paid or delusional.

How can they get hardware attestation right now? They can't, that's why WEI is proposed.
Chrome has access to all kind of hardware information. they could have implemented that hidden in Chrome without all of this dust raising for a public Standard that gets scrutinized by everyone. Note that all discussion about chain of trust is there only because of all actors involved in a public standard, in case they wanted to just do this themselves they would just trust whatever the hidden chrome api would answer and that's that. much simpler, total control, no noise.

For all that we know all kinds of closed source software are already doing something like this (especially ones who do a lot of natural network traffic so you cant even distinguish from the capturing raw data what is legit and what not.)

For example, Netflix allows you to download a movie from their native apps but not from the browser, this is only because in the native Apps they have access to all kinds of hardware information and they can attest themselves about the "environment"

Having access to hardware information doesn't imply being able to transfer them to websites in a trusted way that the user can't modify.

Chrome runs in the userspace, whereas I can write a kernel module which chrome can't interfere with (I did that for widevine in 2017!) that will emulate/lie to chrome about the hardware I have, and there's no way that the website owner could know whether I lie or not (this might require some effort on my part, but it's doable).

Hardware based attestation was created precisely because the software based one can be bypassed.

In what universe do you live that Google or anyone else should device this complicated scheme to just capture 2-3 people. Linux has only 3% share of the users. of those maybe 0.1% could write a kernel module (or even install one) and of those maybe 1% would be maniac enough to dedicate time and effort to it just to "stick it to the Pawaaa"

Google could accomplish all of their supposedly nefarirous goals by just ignoring the linux users. Do you really think they are going through all this trouble to make sure that they deliver adds to those 2-3 people? I can already see the next earnings call, "adds impression targets increased by 2".

Notice again the Netflix example. They just don't have a linux App and you cant legally view Netflix movies offline in Linux. it's cheaper to ignore linux users. like it or not, that is a fact.

outside of Linux, if chrome were to provide an API, for hardware information it can be completely trusted and even in linux case I would say that it still can be trusted with 99.99% confidence.

> Google could accomplish all of their supposedly nefarirous goals by just ignoring the linux users.

No, because in order to ignore linux users you'd need to know that the device in question is actually running linux. But then again, I can run a windows VM inside (sure, this might require effort to patch the windows inside), with no need to write a kernel module because this time I can introduce custom logic in the VM which the virtualized chrome-on-windows process will not be able to interfere with and with enough effort, they have no way to tell whether this setup is "legit".

Of course this will be legit in 99.99% cases, except that the 0.01% case is precisely what causes the damage (bots, fraud, piracy and so on).

> except that the 0.01% case is precisely what causes the damage (bots, fraud, piracy and so on).

Thankyou, that's precisly my point. All this trouble is worth only for fighting fraud and bots and not for making sure that that 0.1% can't use a adblocker like anyone is crying about.

But:

1) I meant damage to them, bots are beneficial for users (scrapping services) just like piracy (but this is a political point)

2) Even if the reason for these changes it to fight that "fraud", it does NOT mean it won't be used to further restrict the user freedom.

On Android, banking apps require hardware attestation and this can be seen as reasonable from the security perspective.

But Google abuses it to insert their Adware and Spyware into the system, just like other vendors. Now if you root your device to remove that crap, then poof - you're no longer considered secure. With WEI this is about the same thing.

> Google or any other Browser vendor do not have a say on how websites use or misuse features.

Seriously? Would you give the kiddies sharp knives and loaded guns, and then be shocked when someone is injured?

If we let this become available, we will all have to live with the consequences. We can see clearly what those consequences will be. Let's not be stupid.

This overboard generalizations is what make me sure that everyone is just gut-reacting. Have you read the actual proposal (not an article about it)?

In your knife-analogy, Google is producing sharp knifes for the cooks, not the children. the DRM crowd here is saying but what if the Cook uses the knife the attack the restaurant clients? Do you know of anyone seriously discussing that we should stop all production of knifes because someone might give one to a child? SO yes I agree, let's not be stupid.

> the DRM crowd here is saying but what if the Cook uses the knife the attack the restaurant clients?

Your analogy once again falls apart because in this hypothetical scenario, the cooks have a decade-long history of attacking the guests every single time they get a hold of a new knife.

In which case, yes, these cooks shouldn't have access to knives anymore. Of course that's not very practical, so perhaps they shouldn't be allowed to work as cooks anymore - i.e. separate Chrome from the ad business at the regulatory level and use Firefox or other alternatives on a personal level.

Google is also the biggest ad vendor on the planet.

They have every incentive to require websites running their ads to only allow ("google play" + other big players) verified software on their sites.

They can a) prevent ad blockers and b) assure their customers that ads will be viewed by real humans.

Not doing so once this is in place would be intentionally saying no to profit

Why in the world would google care about anything else?

> It seems Everyone is taking for granted the claim that this is about DRM. The claim is that websites (not Google) will use this signal to allow or deny access but this is already possible with various means.

How about you offer a reasonable opposing viewpoint? It's hard to see this, at best, as anything other than an extremely naive viewpoint. Every feature that can be used to lock down content and/or spy on users, will be used to do just that. That's true for every single feature that exists today. Claiming otherwise borders on bad faith.

> Google or any other Browser vendor do not have a say on how websites use or misuse features.

That's settled then. Full filesystem, location, camera, and microphone access should therefore come on by default without a permission dialog. Why not bring back Java and Flash while we're at it! It's not the browser vendor's fault that websites are misusing it.

> Many articles are just reapeating the "DRM" claim without explaining how is this different

This is different because any meaningful "attestation about the environment the browser is running in" can only be achieved via a full chain of trust, starting with secure boot, which will allow Google (and websites you visit) to verify that your system is using a Google-approved bootloader to load a Google-approved operating system which only loads Google-approved drivers and Google-approved software (or worse, website-approved software).

> How about you offer a reasonable opposing viewpoint

Read the proposal: https://github.com/RupertBenWiser/Web-Environment-Integrity/...

>That's settled then. Full filesystem, location, camera, and microphone access should therefore come on by default without a permission dialog. Why not bring back Java and Flash while we're at it! It's not the browser vendor's fault that websites are misusing it.

Now who is arguing in bad faith? if you have read the proposal, it's clear that they are being careful and are upfront about the some potential misuses and the proposed handing of them.

> to verify that your system is using a Google-approved bootloader to load a Google-approved operating system which only loads Google-approved drivers and Google-approved software (or worse, website-approved software).

again there is no such thing proposed. The "attester" is not specifically Google. anyone can become an "attester". The chain of trust is a chain that trusts tokens not specific "things". if you for example would trust let's say Opera as the attester, Opera would need to trust windows or Linux or Android as the OS attester.

The analogy here is the certificate Authorities. You may very well have a "let's encrypt" attester that democratizes the good parts (certification) without the bad parts (too much information) .

> if you for example would trust let's say Opera as the attester, Opera would need to trust windows or Linux or Android as the OS attester.

But it's not the user ("you") deciding which attesters to trust - it's website operators. And they will choose to trust only attesters that meaningfully (cryptographically) verify the user's client environment, including the secure boot chain, OS, and browser. Otherwise the attestation can be spoofed, in why case why would they bother using the EnvironmentIntegrity API at all?

> But it's not the user ("you") deciding which attesters to trust - it's website operators.

You know what? They are already doing it. This just gives them another option.

> And they will choose to trust only attesters that meaningfully (cryptographically) verify the user's client environment, including the secure boot chain, OS, and browser. Otherwise the attestation can be spoofed, in why case why would they bother using the EnvironmentIntegrity API at all?

You might as well complain that any website requires any sort of authentication or authorization.

How is WEI any different from all the other current methods which have not killed the "open web" in the way the hysteria over WEI is claiming?

Those methods didn't kill the open web because they could be bypassed, and that's precisely why WEI was proposed.
Really?? Mind telling me how to access Netflix, Disney+, or any other streaming service without authentication/authorization? I'll take the information on banks too.
Where did I say you could access these without authentication? Nowhere.

But I can still access them with my device being controlled by me, I can create bots/extensions to export and archive content. I can because there's no reliable method to identify whether my device acts in my interest, so they have no choice - they have to restort to methods that can be cracked. WEI is an attempt to introduce that reliable method.

Sure, there's EME with Widevine L1, but this is currently limited to providing media content, not apps themselves. That's why WEI is considered the DRM for the web.

> Read the proposal

I have, and that is not a viewpoint unless you wrote the proposal.

> if you have read the proposal, it's clear that they are being careful and are upfront about the some potential misuses and the proposed handing of them.

The goal of the proposal is strictly incompatible with our freedoms. After all, restricting which devices, environments and software we're allowed to use to visit the website is the entire point of this proposal, is it not?

> again there is no such thing proposed. The "attester" is not specifically Google. anyone can become an "attester". The chain of trust is a chain that trusts tokens not specific "things". if you for example would trust let's say Opera as the attester, Opera would need to trust windows or Linux or Android as the OS attester.

So what? Even if this were true in any practical sense, as a user I have no control over which attesters the website trusts - and they will require attestation from parties that attest that I'm running the latest version of Windows or MacOS with Spyware version 5.49.182 installed, and another party that attests that their ads are visible in my framebuffer.

That won't happen immediately, of course, it would be much too obvious. But introduction of WEI establishes a clear path forward towards that reality. Once WEI is in place, the chain of trust will continuously creep up the stack until everything from the TPM chip up to your framebuffer and display is locked down. They'll slowly boil the frog, like they always do.

> The analogy here is the certificate Authorities. You may very well have a "let's encrypt" attester that democratizes the good parts (certification) without the bad parts (too much information) .

That's a terrible analogy. For one, the only thing TLS server certificates attest to is that I *the user* am connected to the *server* that I intended to connect to.

A better analogy would be mandatory TLS client certificates which would attest that I'm John Doe, underage, registered to reside in a country where the legal drinking age is 18, warning the websites that my juvenile criminal record is spotty. That's what WEI is comparable to, and you'd see a similar level of pushback if that's what was being introduced.

> anyone can become an "attester".

Good luck getting your bank to trust any ol' attester and not just FAANGs.

> it's clear that they are being careful and are upfront about the some potential misuses and the proposed handing of them.

On the contrary, my main issue is that they identify one of the primary issues and fail to address it.

The biggest issue is that web designers will design around WEI such that the web is unusable without it. For example, while the current use case might be “captcha without WEI, no captcha with WEI”, a future use case might be “captcha with WEI, 401 without WEI”

Essentially this means an end to the open web: websites block you if you aren’t attested. If you want to browse from NewOS, tough cookies that’s not recognized by attesters

This is addressed in the proposal in “Open Questions > How will we prevent this signal from being used to exclude vendors”.

The only proposed solution is in section “Holdback”:

“[…] we are evaluating whether attestation signals must sometimes be held back for a meaningful number of requests […] Such a holdback would encourage web developers to use signals for aggregate analysis and opportunistic reduction of friction, as opposed to a quasi-allowlist […]”

This is a massive potential issue. The author acknowledges WEI could become an allowlist for the web. The author implicitly acknowledges this is most likely if most clients are using WEI (hence, the proposed solution of artificially decreasing WEI usage via holdback)

And even then, the proposed solution of holdback is not a solid one. There’s no technical reason that WEI will continue to have holdback in the future, at best maybe a google pinky promise. Further, there’s solid game theoretic reasons we can predict that holdback may vanish: if popular sites start using WEI as an allowlist, then any browser with holdback will have a degraded browsing experience on a percentage of visits. You can win market share by abandoning holdback!

As a tragedy of the commons, we can reasonably assume in the long term WEI is supported on all visits by all major browsers and a nontrivial number of websites use it as an allowlist.

In conclusion: the author admits WEI breaks the open web with sufficient market share, but the only proposed solution seems guaranteed to fail in a competitive browser marketplace based on game theory.

> The biggest issue is that web designers will design around WEI such that the web is unusable without it. For example, while the current use case might be “captcha without WEI, no captcha with WEI”, a future use case might be “captcha with WEI, 401 without WEI”

You know they can do that right now, right? They aren't doing it. Will more do it because it is simpler now? Sure. Will it put "an end to the open web"? Nope. If they wanted to end it, they could have already achieved that. WEI is just simply another better option for the websites which sorely need it. Sure, some other sites will abuse it, but I think you already avoid them since you still think the "open web" is still a thing.

"We will abuse this but you should stop complaining because we sorely need this to pad the profit margins for our investors."
I’m not sure what you mean by “they aren’t doing it”. WEI doesn’t exist yet, obviously nobody is blocking clients who aren’t attested.

More to the point, even the author of this proposal has recognized this is an issue, identified it as so in the proposal, then failed to put forward a workable solution. That’s my problem.

> I’m not sure what you mean by “they aren’t doing it”.

Making the web impossible to use if you don't fit into their specific requirements. WEI is just another signal. It won't be the only signal for the vast majority of the web. Google cannot do anything to break the web without the help of Apple. Frankly, Apple has a better chance of breaking anything open than Google does. Apple has the vertical control. Google has what? Chrome? I just don't understand how people seem to think Google has all this power, but continue to ignore Apple.

> WEI doesn’t exist yet, obviously nobody is blocking clients who aren’t attested.

Yet a lot people seemingly know its going to do this, that, and some other bad thing even though there is no proof and stated goals which are the opposite.

> More to the point, even the author of this proposal has recognized this is an issue, identified it as so in the proposal, then failed to put forward a workable solution. That’s my problem.

They cannot prevent websites from requiring X to access their sites. There is no workable solution to force someone to accept traffic against their wishes. If they only accept requests with some custom header, that's their prerogative. Many features of browsers have been (ab)used for "nefarious" purposes. Should we get rid of those? This whole thing feels like since Trump is not president in the US any more, certain people need a boogeyman and are using Google in his place. Anything Google does is automatically bad.

Part 2:

> Yet a lot people seemingly know its going to do this, that, and some other bad thing

Original https://news.ycombinator.com/item?id=36935843

New

Because any other option is not sensible:

1. Authors don't understand what tech they use. (not possible as they acknowledge issues)

2. Authors don't understand that something unrealistic is unrealistic.

Idea that you can give companies or corporations tools to check "did user modify his environment" and they would not use it to exclude users is stupid or disingenuous because advocates for this did exactly comment in such way: We want this proposal to do precisely that.

Again Google tries to defend it by saying "we will return invalid 'false' for some of the users/times of Chrome users" [to make sure that website will not do that] which for me is not only bad because it then creates "when google revokes this policy we are in even worse situation" but then leaves the issue how google decides "who" to give back this 'false':

I will reject times immediately not only because this can be easily circumvented by website [check n-times] to detriment of user but it would also contradict official documentation of WEI (same token for same input from user).

And this leads us to another point - if Google wants to return false negatives it would need to either keep information that is supposed to return 'false' - EU will not be very happy with that (also it does contradict this "chrome users"); or more likely it will be implemented in chrome.

Now when we established that implementation in chrome is most probable - we can also establish that:

A) Implement this on profile basis - companies will ask you to reset profile if you are this false negative.

B) Implement on connection basis - companies will ask you to refresh.

C) Implement on device age / os version / type - Google can even make the manufacturers happy with this one.

… as you can see at most this will be nuisance and if by some weird way:

Z) Implement on Super-complicated basis - this will be still possible because…

3. Google plays disingenuous word game with us here by saying - We won't destroy open web

Other Chromium browsers may ignore that Google X% false negative (Google may loose few % of users before it scrapes this policy). And there is 0 need for Google to actually do something when companies will misuse this API.

In simple words the part that should worry you is not that "Google will destroy web by using this API on Chrome and it services", what must worry you is that other companies will do that for Google and Google will wash their hands from this by saying "We wanted good but didn't work". You can see that tone from the Google - We don't want that so we created these "holdouts".

They are proposing thing that any sensible person see as clear cut attack (or stupid idea that can only work this way) on Privacy and Your Right to use Your Device (and for some people Your OS and/or Your Browser) as You want to use. They are at fault here.

Part 1:

> They cannot prevent websites from requiring X to access their sites.

They can by lowering amount of signals site gets - so to make it impossible to guess what client is running.

> There is no workable solution to force someone to accept traffic against their wishes.

Not give someone way to disallow traffic based on OS or Browser.

> If they only accept requests with some custom header, that's their prerogative.

And it is users prerogative to not give you any custom header which they do not want - or if you force them to do so give you not real one.

>Many features of browsers have been (ab)used for "nefarious" purposes. Should we get rid of those?

Yes we should. Or at least we should do risk assesment on those to check if they should be part of standards and Browsers. We should do more risk assessment of any new feature and standard.

>Anything Google does is automatically bad.

If they start championing privacy and less pro-corpo bs - I will applaud them for that.

> This whole thing feels like since Trump is not president in the US any more, certain people need a boogeyman and are using Google in his place.

Don't bring your (USA) bs politics to this - if anything it is your fault to not make proper regulations on your market.

> even though there is no proof

If you understand even tiny bit of tech - you will see the definite proof - the proposal.

> "and stated goals which are the opposite."

PR is irrelevant.

How can they verify it now with hardware-based security? They can't, that's why WEI is proposed, to bridge device attestation API.

While trivial fingerprinting methods can be bypassed, TEE-based methods are pretty much impossible to bypass ($500K reward for that)

"anyone can become an "attester"" - and no site has to respect that. Read between the lines - using TLS as example: I can attest that my site is my by being self-certified but no browser will accept that - as my certificate is not "attested" by browser or OS.

The WEI attester is exactly same - if site decides that it trust only Google, Apple and Microsoft - you do not have any way to access the site if you don't have attestation from that group, period.

"Opera would need to trust Linux" - Again I need to stress out to anyone who doesn't understand anything about Linux - Linux is not single uniform OS - it is bunch of distributions (OSes) that agree on some common API (not always) to produce more or less something that seems to be single OS for application (often not really) - binary compatibility is not a thing to this degree that linux has many (again no uniformity) separate solutions to make closed source binaries to work.

In reality trying to attest "that binary is not modified" on Linux is simply fallacious or outright misguided on basic idea - leaving aside distros that do not ship binaries (Gentoo) many ship often modified versions of software. And Users may modify software as they see fit - so there is literary no way that you can attest Linux.

By Anyone I didn't mean end-users. The TLS analogy stands. No browser has made the decision to trust only one authority. A motivated and funded organisation can become an Authority (like Let's Encrypt did) and the same can happen in the WEI case too. Ofcourse noone can trust self-certification. At the "trust-me-bro" game bots are more convincing than real users.
> By Anyone I didn't mean end-users.

then it isn't anyone.

>and the same can happen in the WEI case too

It is impossible to happen in this case.

If client has to be certified, then as product OS must be certified out-of-the-box for non-technical user. This will make sure 97% of market is covered by Apple, Microsoft and Google - these are "Authorities" web will have - even if the remaining few percent would be unified - it still will lead to most often then not "not being included" as trustworthy from server side.

>The TLS analogy stands.

no it does not. TLS cares about connection not OS stack. Also power dynamic flows in opposite direction.

>Ofcourse noone can trust self-certification.

If you want you can - because You (user) can import any certificate. The problem for me is that:

[Free/Open] Source/Linux in their entirety can be attested only if self-certification is possible. AND Self-certification means that WEI doesn't work. AND Any proposal that excludes any OS (or Linux distribution) from web is unacceptable.

Do you see logical outcome which this reasoning leads me to?

>No browser has made the decision to trust only one authority.

But it is not the browser here who has the final power "to trust", it is the server. And companies will only care about Windows, Mac(Safari), Android and Chrome.

>A motivated and funded organisation can become an Authority (like Let's Encrypt did)

Let's Encrypt could do that because TLS works in reverse direction and it is website that must be certified not the user.

> At the "trust-me-bro" game bots are more convincing than real users.

Yes exactly which is again everyone's point - for 10001 times and again "You cannot trust the client" - it is impossible to create privacy/[freedom of use for browsers and OS]-focused 'secure' and perfect attestation about client.

One has to give - 'security'/perfection or privacy/[freedom of use for browsers and OS].

We calculated what this proposal brings and rejected it on basis that bad is bigger than potential 'good' it can bring.

And again to put it clear - you need bots: search crawlers, web archive bots, URL scanners.

So put it clear - it is clearly from my perspective a wrong proposal.

P.S. This another thing worth considering if you think WEI will create real security: https://news.ycombinator.com/item?id=36985317

You know this is about DRM because that is explicitly the stated goal of this move.

Apologies for just repeating a previous post I made about this but:

The first goal of the proposal is to

> Allow web servers to evaluate the authenticity of the device and honest representation of the software stack and the traffic from the device.

That is, to give web servers the ability to Digitally restrict (or Manage) a user's Rights to access content on a device and software stack of their choice.

The fact that this is DRM is unquestionable. What you seem to be taking at face value is Google's claim that this DRM will only be used to discriminate against bots and other abusive traffic, whereas everyone else is just pointing out that this technology can very easily be used for evil and that Google has every incentive and ability to do so.

> what solution they would propose

A man on the street stops you, points a gun to your head and instructs you to give him all of your money. How do you propose to solve the man's problem of lack of your money in his hands? Also, you cannot ask him to put down the gun before solving that problem.

DRM is not about access or not (that can and is being done with simple authenticated content). DRM is about what you can do with SPECIFIC contents. The MANAGE part in DRM. Netflix requiring you to login to view a movie is not DRM. Netflix offering a way to content owners to specify for example this movie can be seen but not download or this movie can be seen only once or this movie can not be fastforwarded, that is DRM. DRM means Publishers decide how their content gets consumed (on a case by case and publisher by publisher case).

Nothing in this proposal gives publishers those means (beyond what is currently available). Verifying the authenticity of a device in this case is a generic "trusted/not trusted" not "OK for movie 123/KO for skipping on movie 456"

> DRM is not about access or not (that can and is being done with simple authenticated content). DRM is about what you can do with SPECIFIC contents. The MANAGE part in DRM.

Sure, if you redefine DRM to mean whatever you want it to mean, this is not DRM. I'm not even sure what authentication has to do with it if you prevent access to your website before I even got a chance to see it.

> Netflix requiring you to login to view a movie is not DRM.

Not sure where you came up with this strawman, I said nothing about requiring you to log in.

I said "access content on a device and software stack of their choice.", so for example, limiting streaming quality to 720p on Linux, or blocking a user using FireFox, or blocking a user on Linux, or blocking a user with a custom kernel, or blocking a user without a TPM.

> Nothing in this proposal gives publishers those means

It gives them the means to discriminate based on hardware and software, for example by only trusting a single attestor of their choosing which only gives a trusted signal for whatever passes their hardware or software criteria.

As an example, Google may decide that as a requirement to having their ads on your website, you must only trust a single attestor - "Google Play" (as named in the proposal), because otherwise you may be trusting an attestor that facilitates ad fraud, and we can't have that. Google naturally only treats devices running Chrome as trusted, how can they trust anything else that they don't own?

Naturally, the same applies to their own websites, can't have you using FireFox to send people CP via gmail, right?

Do you want your website to be protected from bots via Google's reCaptcha? I'm sure they know how to decide which access attempt belongs to a valid user or not. And they'll be happy to cooperate with Cloudfront to make sure everyone online is equally safe.

Obviously, it is also on Google to protect users from websites that host botted content, so if you want to appear on search results and don't want the browser to give a scary warning when accessing your website, be sure to only trust the trustworthy attestor.

And let's not get started on what happens if you want to take payment from users while "mitigating fraud"...

> (beyond what is currently available)

Right, the justification to do more evil is that we already do some evil, I'm convinced.

> Verifying the authenticity of a device in this case is a generic "trusted/not trusted" not "OK for movie 123/KO for skipping on movie 456"

In just this specific example you prove yourself wrong. You can use the generic "trusted/not trusted" signal to decide "movie 123 is OK for not trusted, but movie 456 we will restrict to trusted only".

DRM is in fact very much about access and is the reason that, for example, if you want to watch HD video from any major streaming service on Linux you need to run a Windows browser in Wine.

This workaround only works currently because these systems rely on software-based DRM, perhaps because there isn't yet a convenient built-into-the-browser hardware-backed root-of-trust-based attestation system for the web.

(comment deleted)
Okay, but as far as I can tell, "trusted" can be defined however the attestor chooses, and one way could be "the user is really using Chrome, on Windows, and isn't running any extensions or other applications that we don't like."

Same way HDCP can tell an application whether the video is being played on a screen rather than a capture card. No trusted screen? No video for you. That's DRM.

The difference is that currently you can lie. You can identify the fingerprinting techniques being used, and work around them. yt-dlp already does something like this, for example. In Android, there was a lot of support for making your rooted / custom ROM system look like stock Android so you could still do banking. Now, depending on the level of Safetynet the app is using, you literally can't. I'm not arguing in favour of fingerprinting, just pointing out that prior to TPM-backed attestation you had control over your own device.

With Android Safetynet attestation, you can't work around the problem because the attestation is backed by a root of trust which your custom ROM can't provide. Being able to supply your own thing doesn't matter, because everyone will just support the one that Google supplies. LineageOS is a good example of this; they have their own Safetynet implementation which has very little buy-in.

WEI is effectively an extension of Safetynet to the Web.

In summary, this is fundamentally different because it takes away your control of your own device.

I mean, you can still lie, it's just made more difficult. Unless i'm missing something, running your OS under a hypervisor with a virtual TPM (or a forked browser with TPM access stubs and custom kernel drivers) still allows you to do whatever you want. It's certainly more difficult, and unreasonably so, but it's still quite possible. While i'm not familiar with Safteynet, i'm sure it's also possible to bypass it that way.

The issue with this seems to be a sort of a restricting freedom for the greater good idea. If you restrict the ability of web developers to check security values and stuff, then they can't do some good things like improve security, but they also can't do any really bad things like block ad-blockers. But if you allow this access then you get the opposite.

My understanding is that the vendor installs keys in the TPM which can't be retrieved. So no, a virtual TPM wouldn't work, because you don't have the vendor's keys. Or rather, you would be in the same situation as before, because you can install your own keys and then have the challenge of getting third parties to trust you.
They'd have to install them before you even get the parts then, right? Otherwise they'll just install them on your virtual tpm. I know apple does that because they own their own chip fabs and have limited (relatively) production runs, but i don't think google is going to manually etch a unique (and it has to be unique otherwise it'll leak) private key into the silicon of every single tpm for mobile and desktop ever. Or are they planning to only allow you to access websites on Google made hardware, and cut out 90% of the world's population?
Correct, this is what they do. Google requires hardware manufacturers who want to use Play etc to get their stuff signed with their root certificate, which the TPM then verifies. See https://developer.android.com/training/articles/security-key...

In particular:

"""

If the root certificate doesn't contain the public key on this page, there are two likely reasons:

[It is from an old version of Android, or]

The other likely reason is that the device isn't a Google Play device. In that case, the device maker is free to create their own root and to make whatever claims they like about what the attestation means. Refer to the device maker's documentation. Note that as of this writing Google isn't aware of any device makers who have done this.

"""

In other words, to get into the Google attestation party you have to get your device Google Play certified. Obviously device manufacturers are strongly incentivised to do this.

Edit: If this were to be applied to desktops as well, the obvious approach would be to partner with Microsoft and make use of their trust root, because Microsoft's keys are installed in ~every TPM.

Ahhh, ok that makes sense, they're in effect replicating Apple's method then. That does mean this can't really work on desktops atm, due to the low amount of pre-signed TPMs there, so this API is only actually unbreakable for Google and Apple hardware owned mobile devices. Which is already pretty bad, and allows them to boil the frog on desktops! Thank you for the explanation!

Edit: I wasn't aware Microsoft was already pre-signing basically all desktop TPMs, that's crazy. Makes sense thinking about it now, especially with Windows 11 requiring it.

Yeah! I agree Apple is the "pioneer" here..
>In summary, this is fundamentally different because it takes away your control of your own device.

No, it allows a business to deny to you if you can't attest to the security of your device. You are still free to do whatever you want on your own device.

If a business had an office that required you to unlock a door, but it also had a pickable lock that wouldn't be great security. It allows people to lie about having a badge by letting them pick the lock to get in. If a business increased security by making the lock no longer printable that seems like a good thing to me.

>LineageOS is a good example of this; they have their own Safetynet implementation which has very little buy-in.

Have they actually approached apps and offered compensation for them to implemented it? Or are they hoping apps just randomly decide to adopt it?

I'm sorry, but the idea that it's about allowing me to attest to the security of my device is not correct. I can make all the attestations I like about the security of my device, but if they're not backed by a confirmation from Google then it's quite likely that nobody will care.

The issue is that making modifications to anything in the chain of trust requires approval from a trusted third party.

>the idea that it's about allowing me to attest to the security of my device is not correct

I was oversimplifying. A service doesn't have to trust every attestation and a service does not need to do anything with the attestation if it doesn't want to.

>The issue is that making modifications to anything in the chain of trust requires approval from a trusted third party.

That is by design because it means untrusted people can't make changes while remaining trusted.

Yes, you are correct that preventing users from making modifications to anything in the chain of trust without being approved by an already-trusted third party, likely the company who certified the device, is by design.
The problem is that the owner of the device is considered "untrusted" here. While that sometimes makes sense (for law enforcement purposes), using this for business purposes is anticompetitive. It shouldn't be possible for companies to do whatever they want.
>using this for business purposes is anticompetitive

Businesses not trusting every random person is not anticompetitive. Doing that is how businesses make bad deals, get hacked, or make bad decisions.

Of course it is anticompetitive, if a given service (which is defacto mandatory) strikes a deal with select few hardware vendors to artificially make it impossible to access the service using different hardware (for purely business reasons), then it obviously is anticompetitive.
>strikes a deal with select few hardware vendors

That isn't what is happening. Anyone can become a manufacturer for Windows PCs or Android certified phones.

Right because Microsoft and Google don't mandate what can and cannot be installed by manufacturer… oh wait.
The whole point of Android certification is that you are following Google's rules. If you make something that is not certified you can not get play services.
>The whole point of Android certification is that you are following Google's rules.

Whole point of WEI is that you are following Google's rules.

You essentially acknowledged that YOU CANNOT become manufacturer - you become subcontractor for corporation that dictates what you can and cannot do.

Which from point of trust is precisely that - anticompetitive behaviour.

>Whole point of WEI is that you are following Google's rules.

That would be the point of the Google Play attestor. With WEI sites can use anyone as an attestor. It is up for attestors to compete in providing a valuable signal to sites.

It's not anticompetitive because you can come up with your own standard of a secure device and get sites to trust your attestor.

Even if that'd be the case I'd still consider this API nothing more than a framework for enabling anticompetitive behaviour.

But let's go back to the "anyone as attestor" argument. I don't see it in the API at all - I see only content binding..

When navigator.getEnvironmentIntegrity is called the browser can get an attestation from any single atestor willing to attest to it.
I'm unable to understand this. Since the API doesn't provide a way to force a specific atestor to be invoked, doesn't it mean it will be the browser that decides which atestor can run on a given platform?

Of course then substitute browser for Chrome and we'll get the obvious outcome - Google will decide.

There are seriously so many conflicting informations that this should be hanged from implementation before it its fully formulated (aside fact that it is bad idea and should be scrapped).

Firstly on Android Chrome implementation (testing) only Google Play is now implemented as attester and it does not seem that probable for it to change. (so presumably at least Chrome+Root wont work).

Second and Most Important - the mechanism does not allow for "willing to attest it" - it actually contains this phrase "The web server then checks that the token came from an attester it trusts" so it is disingenuous to say that "any single atestor" is OK - it must be attestor that server decided beforehand (so if server decide we only trust Google and Microsoft - and you have Mac, then tough luck. [more realistically Linux will be at issue]) - so we are getting system that can exclude certain OS and Browsers permanently without recourse - by server side.

@zb3 >doesn't it mean it will be the browser that decides which atestor can run on a given platform? That seems to be case in Chrome implementation* - and there is nothing about this in standard so unless other browsers would create another standard - this way seems likely.

This would be disastrous for any decentralized OS like Linux or BSD - it would be completely impossible for it to realistically work as it requires single "platform" by design - and I should remark "there is no single uniform thing in Linux".

* - note that server decides which attestors it trusts. Which means in essentia that sever decides which platforms it trusts.

Again this must be scrapped.

>It is up for attestors to compete in providing a valuable signal to sites.

right because users will chose attestor - oh wait they will not.

This system is designed (at least in Chrome) with PLATFORMS in mind not independent attestors - so you clearly didn't get the memo.

>valuable signal

rather highly intrusive signal.

>It's not anticompetitive because you can come up with your own standard of a secure device and get sites to trust your attestor.

Again it is anticompetitive when you produce a standard that benefits you (or biggest players) on market and makes nearly impossible for another competitor to emerge - it is even more anticompetitive when you create standard that "is impossible to implement" for architectural and 'branding' (ideological) reason by another competitor.

Such situation can be understood as public attempt: to form cartel at best, monopoly at worst. Both are anticompetitive by nature - and would result in dissolution of company if it is registered in any country with working and not totally corrupt government.

>secure device

about "security": https://news.ycombinator.com/item?id=36985317

That's not the competition I really meant, replace hardware vendors with OS vendors / Google.

"Android certified" means it follows Google's rules, so there's no way to compete by creating alternative security model (for example where the user has more power).

So the anticompetitive part is the attestation part, which artificially makes it impossible to run an app that'd otherwise work on the system that doesn't follow Google's rules.

>so there's no way to compete by creating alternative security model (for example where the user has more power).

There is a way, by creating a new attestor service that provides less guarantees than what Google Play's attestor provides.

Compete in anticompetitiveness? Attestation is the problem itself, it makes it harder to compete, by definition excluding any newly created environment.

But this isn't really my problem as I'm not a business. As an user, I'd be happy to have a secure OS with hardware attestation and app security but without Google Adware and Spyware.

>Compete in anticompetitiveness?

Trust isn't anticompetitive.

In this context it clearly is - if the server assumes the request sent by the client is always untrusted, then any capable device / app can use the service and it's possible to manufacture that device / app without permission from some company that has a dominant market position..

I acknowledge though, that this is incompatible with many practical scenarios, and CPC advertisements are one of those.

It's hard for me to argue here theoretically without taking context into account, as it turns out what I'm arguing for depends on it heavily..

It could be possible for Google to make changes where while theoretically possible to compete, it's not practical, and when it gets practical, Google could make another change and so on..

(comment deleted)
> ...as companies become less innovative, rather than creating new useful things, they focus on extracting more value however they can, while simultaneously trying to stymie and hold off innovative upstarts.

What makes them "extra" dangerous (or evil), in this this regard, is they have such broad reach and control over the Internet and tools people use in their daily lives that many have no idea to the extent of censorship, manipulation, spying, or damage that is being done. Any perceived rival, threat to their business, or to any of their products can be silenced, censored, or inhibited in ways few will ever know or realize was possible.

And to the extent they can keep getting away with it, is likely the extent they will keep pushing their control and corruption.