130 comments

[ 2.8 ms ] story [ 186 ms ] thread
The browsers keep circumventing them, so the W3C seems more ceremonial than a real standards body. In an ideal world something like the W3C would own Chromium, but alas...
That's symbolic but important. I wish the W3C had the same resolve with EME.
It'd be nice if there were a consortium of organizations that maintained a fork of Chromium, such as W3C, Brave, Edge, Opera, Vivaldi
A suite of tests might be better: point them at a candidate browser and they'll tell you which naughty and which nice features that browser supports.

Then point the other half of the test suite at a candidate site and get a similar list of naughies and nices.

Conscientious technologists of the world can then refuse to support browsers or sites that test naughty.

This is my attempt to avoid preaching to the choir. Market share wise, only a tiny slice would opt into the non-evil browser. But it's that slice who also makes things work for the rest of the world, so:

> it's out of my scope of support unless it passes these tests

Might impact a wider audience.

> A suite of tests might be better: point them at a candidate browser and they'll tell you which naughty and which nice features that browser supports.

Perhaps we could have a suite of Web Platform Tests? And we could host them at https://wpt.fyi ?

Yeah, something like that.

If Google adds WEI to chromium, will wpt.fyi flag it as broken?

I was being a bit silly; wpt.fyi doesn't do the naughty/nice thing.

If the WEI proposal keeps progressing towards a standard I'd expect that team to submit a test to WPT, yes.

As long as google gets to use its monopoly to push chrome-by-default on its platforms while breaking open safari, none of that matters. The council of neckbeards representing 2% of browser share is as relevant as polling slashdot opinions, in terms of actual effected change on the world.

When those neckbeards represent 50-60% of total web traffic their opinion might matter. Marketshare is power and in realpolitik power is all that matters. The tech world is littered with the remains of the companies that made principled stands, google and Microsoft are where they are for a reason and it’s not because of their overriding morals.

Right now google has >80% of traffic and now that they have pried safari open that number is gonna climb. Their opinion is literally the only one that matters - what are you gonna do, not use google products?

if google wants to fight they’ll win, have fun getting into your gmail account if they require attestation. What are you gonna do, not use email? Change your whole internet identity to not run on google? Gmail is effectively email, and small mailservers are fundamentally broken on the modern web. Even for things like outlook.com they could require that other mailservers provide the attestation used to send it and lock people out of gmail entirely, even just needing to gmail.

It’s game over, the apple sideloading case swept away the last resistance to chrome monoculture, and google already runs a supermajority of the other web services that matter. This is google flexing their muscles now that they know they’re utterly unopposed. But unfortunately the EU is way more concerned with outlawing the lightning port and mandating 2000s-vintage removable battery phone designs than actually fighting a monopoly using its monopoly power to leverage abusive behavior in related market segments to the detriment of consumers.

This is a classic useful-idiot situation where all the android fanboys waved their flags at their “team win” over “braindead” apple fans getting the app-review process neutered by sideloading. Because it’s not enough to have a popular brand which supports that too, you need to outlaw any alternative business models to your preferred brand. And despite warnings that exactly this chrome monoculture would be the outcome, people pushed for it anyway. Wait and see, they said, we’ll cross that bridge when we come to it and if google starts to be a problem the EU will step in. It took literally a matter of weeks before google just went ahead and crossed that bridge. Extremely frustrating.

And yea, safari has some attestation features too. Not necessarily the same ones as google, and they don’t prevent Wipr or Adblock Plus extensions from working. But now you’ve gone and made sure there’s no alternative browsers that don’t, either. You pushed this on yourself. sideloading has locked in an unshakeable chrome monopoly marketshare, it’s going to be a massive uphill battle to sell people on Firefox when it doesn’t even work on almost any relevant web services because it doesn’t (by design) allow attestation.

Almost as if... most of Apple's iOS stances aren't just random/exploitative, but actually have some basis in security posture or app-review. And almost as if... Apple is still fundamentally trying to sell you a phone first and foremost, then icloud/apple music revenue, and then adtech is way down on the list, while google makes all its money from (a) ecosystem effect and the monopolistic behaviors it allows, and (b) direct revenue from adtech. People keep trying to push the "apple is the same thing!" and just like you can see from their attestation not caring about adblocking, it's really not.

I loathe that the brand wars have gotten to this place, "both sides are the same" but also they are different enough that you need to literally outlaw the business model of your competition and reduce choice in the market. Can't let some "brainless" apple fan m...

the W3C's role has been explicitly and intentionally ceremonial since they tried to invent xhtml, and learned exactly how much power they really have.

their mission is only to write formal standards to describe and document the things that browsers have already implemented, not to drive browser development.

At this point I don't think it matters -- if Google wants to do it, they'll do it. :/
Well, outcry does help. It did manage to nip FLoC in the bud.
Not really, it just got rebranded as the Topics API and is still, as far as I know, being pushed into Chrome.
Eternal vigilance is the price of liberty.
I just got a topics intro popup on my work computer the other day. One of many many other reasons I'm happy I use Firefox at home.
I don't really agree. Topics are materially different from FLoC. Especially in the way of moving it from a shady background activity into something the user can interact with.

Also, nobody really gives a shit about it. WEI could break adblockers and that would be a huge issue.

And Google wanted WebM to happen and for people to pay full-retail price for rented games.

Google isn't (yet) big enough to force it through: given iOS marketshare in the US it means web-app devs won't (can't?) do anything unless both Apple and Google adopt it (yes, there are plenty of Chrome-only websites, and Safari has been slow to adopt new web-standards, especially when they begin to tread on the toes of Apple's App Store (PWAs, WebUSB, etc).

----

That said, I am sympathetic to the reasons why orgs like banks want things like remote-device attestation (and am less sympathetic to the likes of the MPAA, etc) - it is unfortunate that better ideas are hard to come by.

WebM happened? Safari takes WebM now and Apple SOCs decode VP9 that's commonly used in them in hardware.
> Safari has been slow to adopt new web-standards, especially when they begin to tread on the toes of Apple's App Store (PWAs, WebUSB, etc).

Many of those are not "new web standards". Those are Chrome-only non-standards, and Firefox agrees with Safari on most of them.

As for PWAs, there's no such thing as a single PWA standard, and Safari has supported the vast majority of the PWA standards for years (but if you point that out, the goalposts of what constitutes a PWA shift faster than superheated plasma).

I'd just be happy with Safari having a functional IndexedDB - an old web standard.

https://gist.github.com/pesterhazy/4de96193af89a6dd5ce682ce2...

How critical that is, compared to WEI - and more broad problem adopting it entails, namely a single company basically dictating the whole web what it can and cannot do?
Reading through that page it looks like a combination of Safari (a) prioritising privacy and performance and (b) not implementing draft specs. With a whole bunch of bugs that have already been fixed.
IndexedDB's API design is one of the worst I've ever seen (next to the original JS document.cookies "API")

Fortunately, Safari does support OPFS ( https://stackoverflow.com/a/71581910/159145 ) so provided you don't need all of IndexedDB's features and just need an async blob store for large blobs/files/etc (potentially gigabytes and beyond) then OPFS should work for you.

Why include WebM in that list? WebM is good.
It is just an example that because Google makes it available and wants it to be used doesn't mean it will be used in any appreciable manner.
They couldn't really push VP9/Opus without making it available in a non-Google proprietary format. WebM seemed more like a vehicle for that.

The amount of popular videos served on YouTube in VP9 and Opus may not exactly be WebM, but the codec support byproduct it pushed probably saved Google/YouTube a huge pile of cash.

Apple have already been shipping an equivalent attestation mechanism in Safari for a year.
Safari's support for WebAuthn does not include support for "direct attestation", if that's what you're referring to.

EDIT: Or do you mean "Private Access Tokens"? I just found out about this now and wow... looks like I've got some reading to do, but so-far it seems far more limited in scope than Google's version, and doesn't seem like it can be used to fingerprint visitors between sessions either. ( https://httptoolkit.com/blog/apple-private-access-tokens-att... )

I indeed mean PATs. They are not more limited than WEI in any meaningful way. Both could in principle attest anything. Both claim they are meant to attest only certain kinds of properties. They would be just as useful (or useless) for fingerprinting.
Apple doesn't have a monopoly on the web ad market, and thus this is kind of irrelevant - they aren't forcing this down everyone's throat.

Though I cannot help but wonder why exactly they did that. Some kind of a corporate requirement?

So, first of all, the entire point of the GP was that Apple would be slow to implement this. Clearly that is not true.

But also JFC, it is amazing how the moment it is pointed out that Apple is already doing a thing that's being railing at, and the reaction shifts from outrage to basically "I wonder what amazing and important reason they have for doing this" and "nobody but Apple can possibly be allowed to benefit from this because monopoly".

Apple's stated reason is exactly the same as Google's. To make a privacy-preserving anti-abuse signal for browsers. Apple need it because they are piping their best customers' traffic into what is basically an open sewer of IP reputation (Apple Private Relay), and need a way to avoid said customers giving up in disgust due to the high rate of captchas. Google need it because they want to remove all fingerprinting vectors, and need privacy-preserving replacements for legit use cases.

> basically "I wonder what amazing and important reason they have for doing this"

That's not what I said.

I don't care who does this, I will despise it either way, I just hope that Apple at least has a proper justification to do this.

> Google need it because they want to remove all fingerprinting vectors, and need privacy-preserving replacements for legit use cases

"Legit" defined by whom? Google? I am sorry but at this point Google has burned almost all trust, at least with me.

Putting your head in the sand and making assumptions doesn't lead to good outcomes. If you can't find the time to understand what is being discussed, perhaps it is better to simply not offer an opinion on the matter. Opinions based on assumptions are dangerous.
And we still have people crying Safari being new IE all the time. The remaining minor incompatibilities that we have now are nothing compared to what we had in IE6 days, and yes, this is the price we pay for not giving complete control of the web to a single ad company.
Banks shouldn’t care to authenticate the browser, they should care to authenticate the user. WebauthN is the solution there and is w3c
> Safari has been slow to adopt new web-standards, especially when they begin to tread on the toes of Apple's App Store

Cautious.

Many of those web-standards e.g. WebUSB have significant security vectors and have been used in the past to fingerprint devices for advertiser tracking. Also many have impacts on battery life and performance.

Whereas Chrome seems to be getting slower and bloated over time, Safari has remained fast and light-weight.

Not to mention that many of the things that the WebKit team has been reluctant to implement the Gecko team has been similarly reluctant about.
> I am sympathetic to the reasons why orgs like banks want things like remote-device attestation

I'm not. I mean, I am in theory; being able to warn a user their device might have some sort of malware upon trying to log into a banking website is useful, but we've already seen how banks handle these things in practice with mobile devices having attestation capabilities.

The result is some banking apps refuse to run on my phone with a very up-to-date and definitely not compromised LineageOS, but will happily run on devices several years out of date. Google SafetyNet can tell that the bootloader is locked and the system partition hasn't been modified, but can't tell that some malware has gained root access by privilege escalation.

I don't want them doing that to their websites as well. This technology should not be let loose on the world.

> Google isn't (yet) big enough to force it through

When they want, Google literally strongarms various vendors into implementing their codecs: https://www.protocol.com/youtube-tv-roku-issues

--- start quote ---

At the core of this allegation appears to be Google's decision to push hardware makers to adopt the AV1 codec, an open video codec that promises better-looking 4K videos at lower bitrates. As Protocol first reported in October, Google is requiring makers of Android TV devices to support AV1 starting this month. Additionally, Google also seems to push makers of smart TVs and streaming devices not based on Android TV to use AV1 for YouTube.

...

Google has long forced device makers to use the free VP9 codec for 4K YouTube streams.

--- end quote ---

This is true in the sense that Google is running an experiment (an "origin trial") and they didn't need anyone's permission to do that. (None of the other browser vendors need to get permission to run an experiment either.)

That's different from making it a web standard. They will want cooperation from other browser vendors (not random people on the Internet) for that.

I doubt they'll make a serious effort at convincing anyone of anything until they decide what they want to do, which will be based on the results of the experiment.

Take a stance at least
> Take a stance at least

A stance to irrelevance, sadly.

This was always the deal with the devil that W3C had; play ball with the vendors or get left in the dust.

(comment deleted)
w3c is completely irrelevant. https://whatwg.org/ is the functional keeper of the standard.
My understanding is that WHATWG doesn't govern standards at all - it basically documents what browsers are doing at the moment. So when Google rolls WEI in a Chrome update, it will become a WHATWG "standard" automatically. Is that correct?
no, to become a standard at least one other browser vendor would have to at least signal an intent to implement it.
No.

To actually become a standard it needs at least two inependent implementations.

But it's interesting that you wrote what you wrote. Because that's exactly what Chrome is doing: it's announcing an intent to implement, and then enables whatever they intend by default. Oh, they do pretend to ask other vendors about their position, but ship anyway. And then use web.dev to pretend it's a standard.

The W3C is relevant in multiple critical areas of the Web. Just to name a few topics where W3C is the primary venue for all standardisation efforts:

- Accessibility

- Authentication

- CSS

- Self-Sovereign Identity

- Virtual Reality

- Linked Data

- XML

I wrote a comment about the W3C's relationship with WHATWG a few days ago: https://news.ycombinator.com/item?id=37052428

If you do nothing else, please pass your eyes over the list of W3C Recommendations and other publications on standards track: https://www.w3.org/TR/

Exactly. They were the original resource as far back as the mid-90's. They originated SGML, HTML <3.0 .. 4.01, CSS, XML (XPath, XSLT), and so forth.

And yes, even VRML :)

https://www.w3.org/MarkUp/html-spec/ HTML 2 (the wild west)

https://www.w3.org/MarkUp/Wilbur/ HTML 3.2

https://www.w3.org/TR/WD-html40-970708/appendix/changes.html Diffs of HTML 3.2 -> 4

https://www.w3.org/People/Raggett/book4/ch02.html History of HTML until 3.2

https://www.w3.org/TR/html401/ HTML 4

https://www.w3.org/TR/html5-diff/ Diffs of HTML 4 -> 5

https://www.w3.org/TR/2021/NOTE-html53-20210128/ HTML 5.3 (last version on W3C)

https://html.spec.whatwg.org/multipage/ HTML5.3+ (moved to whatwg)

https://www.w3.org/MarkUp/VRML/ Virtual Reality Markup Language

(comment deleted)
I'd believe this- if it were not for the fact that Google is ignoring the W3C across the board. This includes privacy sandbox (fledge) and topics (floc) as well. Google can come up with good reasons why something that has negative impacts on the entirety of the ecosystem (except them), because it always ends with Google in a stronger position
What's there to believe? Standards follow implementations. The W3C aren't the browser police; they just standardize the interoperable things browsers do.

It's not W3C's (or WhatWG's) role to "oppose" random things browser vendors decide to do.

Maybe it should be their role. Arguably, things like browser standards are as important to society as electrical or network standards.
I wrote postal letters to the FTC, the president, my senators and congressman telling them to investigate WEI as another monopoly move on the part of Google and highlighted that the FBI says you should use an ad blocker.

You should too.

It can't be their role. Standard organizations enjoy no de jure authority at all. The most they could possibly do is certify all the other "complying" browsers as "W3C-approved", and nobody cares who doesn't already care about the particulars here.
Maybe, but it's a moot point, because there's no way to get from here to there. If the browser vendors want to add a standard, they will; and if they don't, they won't. On one or two prior occasions the W3C has proposed something that the browser makers didn't like, they unanimously told the W3C to go pound sand, and that was the end of it.
But then you’d also need a world police who enforces that.
Who enforces electrical and network standards? Those don't require world police.
> Who enforces electrical and network standards? Those don't require world police.

Most blocs have their own standards. Commonwealth countries follow one standard, EU countries another, North American engineering standards are not the same as Japanese ones.

> Maybe it should be their role.

Who would grant them such a authority and how would it be enforced?

Can't wait for the FBI to bash in my door for running curl because it fails to meet established legal criteria for browser operation.
(comment deleted)
The W3C had their chance in the early 2000s and they hyperfixated on XML nonsense while browser and web evolution stagnated. I'm not saying that the status quo is perfect, but if we want W3C to try again then we should make sure we don't run into the same issues 20 years ago.
And here I thought web evolution stagnated in the early 2000s due to IE6. It's vital we don't get locked into a single dominant browser that ignores open standards whenever it's convenient to them.
The web's stagnation was not monocausal. IE6 was bad, but W3C wasn't doing anything to help beyond fixating on XML work that never went anywhere.

I agree we shouldn't let a single web browser dominate. I'm just saying that the W3C doesn't have any power to do so nor have they shown themselves capable of pulling it off.

> It's not W3C's (or WhatWG's) role to "oppose" random things browser vendors decide to do.

Then why are they making standards in the first place?

They're already deeply involved in the operation of browsers; they are practically morally obliged to object to things which could harm the Web.

For the same reason people write dictionaries.
Im not sure whether that example supports your point. The Oxford dictionary is essentially an authority on spelling, and their editors and councils definitely have weight in debates on the proper spelling of things.
(comment deleted)
(comment deleted)
Wait. No. The OED is descriptive of English (UK only?) but is not prescriptive. They don't tell people what to spell or what they need to mean. They describe the spelling and meaning as it is being done. This is why there are new words that get added every year. It's not as if OED sit around and think of new words.

I'm not arguing if the OP is right or not but I don't think the OED example is correct.

It’s just a bad example. The Oxford Dictionary is just a publication of Oxford University Press. A popular one perhaps, but fundamentally no different than a Webster’s, or even say a Random House. Even giving it authority as a speller is suspect, since as an American, I can say with confidence that Oxford doesn’t know how to spell.

A better example would be a language academy, however English has never had a language academy, unlike French or Spanish, resulting in it being a stubbornly descriptivist, rather than prescriptivist phenomenon.

> Even giving it authority as a speller is suspect, since as an American, I can say with confidence that Oxford doesn’t know how to spell.

The OED, in my experience, covers the varieties of English spelling quite well, and if you want no distractions as an American but can deal with less extravagantly complete coveraged, you can always use the OAD.

Oxford seems to know how to spell quite well.

OAD is no longer in print and has been superseded by the New Oxford American Dictionary (NOAD).
> Even giving it authority as a speller is suspect, since as an American, I can say with confidence that Oxford doesn’t know how to spell.

I had to give a chuckle at that, but seriously, the way in which words are spelt (ahem) in the OED is genuinely interesting! They use both -ize and -ise, for instance, choosing one or the other based on each individual word's etymology.

I recently saw an author on social media remarking that their editor complained that they were mixing American and British spellings, and they should just pick one. The author was confused by the statement, because they didn’t there was anything unusual going on. Then the penny dropped. They’re Canadian.
> I can say with confidence that Oxford doesn’t know how to spell

The OED includes American spellings for all of its entries.

That’s not really true. The OED is a historical/scientific work. Its goal is to describe the English language, not to influence it. Things are not described as proper or improper in the OED, though they may of course be described as colloquially, nonstandard, regional, etc., which are not value judgments. A lot of words, especially the ones that have been around for a while, have absolutely tons of variant spellings listed, most of which a normal literate modern person has never heard of.

Source: I have an OED subscription and look at it regularly.

(comment deleted)
> Then why are they making standards in the first place?

For one thing, membership in W3C is loaded with representatives from those browser vendors. Which is a good thing, since W3C would be absolutely useless if browser vendors weren't there.

For another, standards aren't the place for rants about who sucks shit and who doesn't. It would be a fun read, but a bad standard. A standard is for saying what you must do, not for saying who sucks shit.

The W3C's draft vision statement [0] clearly states:

> Aim to reduce centralization in Web architecture, minimizing single points of failure and single points of control.

IMO it is entirely in scope for, and part of the responsibility of, the W3C to introduce a specification that explicitly forbids user agents from implementing Web Environment Integrity or any similar system as currently drafted.

One might say that the members' conflicts of interest make it likely that they will abdicate this responsibility, but that doesn't make it any less their role!

[0] https://www.w3.org/TR/w3c-vision/#principles

They don't have power to enforce specificiations, so what's the point of a negative specification?
It's a signal if nothing else.

Maybe Google cares, maybe not, but there's no sense in having a spineless standards body that just turns around and says that the spec is whatever Google implements in Chrome.

The W3C has no ability to "forbid" anything. You're going to find professional organizations resistant to undertakings that beclown themselves. W3C's statute and importance is improved when they publish things that the industry implements. That is the only mechanism they have to find impact. They are not the Internet police. I know this is fuzzy-seeming because of all the "MUST NOT"'s in standards language, but it's not really fuzzy at all.
It's not really that Google is ignoring the standards process. It's that the process involves a feature-flagged shipped implementation before it can be a part of the standard.

The only way for FLoC to become a standard is for them to do exactly what they're doing now - opt in/feature-flagged evaluation.

Of course, Google could continue to ignore the standards process and just make this generally available in their browser even if it doesn't become a standard.

> Of course, Google could continue to ignore the standards process and just make this generally available in their browser even if it doesn't become a standard.

That's exactly what they've been doing with dozens of "standards".

This matters about as much as the US defying the UN. Chrome needs to be spun out.
Heh, yeah or the UN defying anybody who is a member of their own security council.
Considers who was on the other side of the military conflict in which the first, only, and still active UN military command was involved as a direct party and...

Not sure I understand your point.

China at the time referred to the Republic of China, i.e. Taiwan. And the USSR's delegation to the UN was boycotting the UNSC entirely (and immediately began using their power to prevent any further UNSC resolutions regarding Korea being passed as soon as they stopped boycotting).
Has there ever been an anti-trust suit on the grounds that an actor is using their market dominance to subvert a standards process/body? Is there any legal precedent or standing for such a thing in the US or elsewhere?
I don't think web standards work that way. Often times we'll see things get deployed and implemented before they become standards anyway. And it's not as if W3C has any authority. But even if W3C had any authority, Google and Apple would just pay off every seat.
I like the idea of spinning Chrome out, but how would that work in practice?

Seems like making a browser isn’t profitable at all, and so the hypothetical Chrome Browser Corporation would probably quickly turn to evil tracking schemes as well.

The hypothetical Chrome Browser Corporation will likely become like Firefox, trying not upset whoever gives them a search deal.
In what ways does Mozilla try not to upset Google?

They do implement ad blocking/anti fingerprinting. Mozilla obviously has to continue setting Google as the default search engine.

If Blink and Chrome were to be spun out, it should probably be into something like a non-profit organization funded by sponsors, with a model similar to that of Blender. The only difference is that given Blink/Chrome's dominance, it'd be necessary to bar Alphabet and other companies with overwhelming power in web tech from becoming sponsors to help prevent conflict of interest.

This could have the effect of normalizing corporate investment in FOSS web engines and browsers, which could benefit Mozilla as well.

> This matters about as much as the US defying the UN.

Are those accidentally reversed?

No. The US regularly defies and ignores the UN with no consequences. One example is that the US doesn't recognize the International Criminal Court.
Right. So the US defying the UN matters in terms of real-world effect, but the UN defying the US doesn't.

In the analogy here, wouldn't the W3C be the UN defiantly making toothless proclamations that Chrome (the US) can simply ignore? That would be my understanding of it, since "mattering about as much" implies not mattering at all.

The ICC is independent of the UN. Also its treaty based so you have to consent to its juridsiction at least once (or have the UN security council give it juridsiction) so of course there are no consequences for countries that haven't signed up. Anyways this is a really bad example (you are probably trying to reference invade hauge act, but even still that doesn't fit.

US does ignore UN in other ways, but the ICC isnt an example of that.

So? Since W3C approved DRM, any self respecting user should struggle to take them seriously.
Surely it's the other way: an organization that approved DRM pumping the brakes implies that the thing in question is remarkably bad
Ok so Google ignores W3C on WEI.

But could someone else create a W3C proposal that could counteract WEI? It wouldn't have to implementation-specific but rather one or more principles drawing a line in the sand that shouldn't be crossed like what WEI is built to achieve?

Not with a "White Hat" on, I think.

If a user who is not you uses a browser using WEI (implicitly approving of this attestation tech) and connects to a website that uses WEI, that's entirely up to third-parties and there's nothing legal that you can do.

The most you can do is protest this with:

1. Using a browser without WEI or with WEI disabled.

2. Modifying your own site to talk the WEI protocol but for any browser that can talk that protocol, you ban the user from using your site (or redirect them to a site explaining how WEI is DRM of the entire internet, etc)

Moving beyond White Hat to Grey Hat and Black Hat, you get things like:

1. Modifying your own hosting company to apply this WEI-blacklisting mechanism to your clients' websites.

2. Convincing (or "convincing") owners of core backend libraries in popular programming languages to introspect connections and blacklist WEI-compatible browsers.

3. Take advantage of XSS vulnerabilities to interfere with WEI operations on other tabs within the same browser on the user's machine if they happen to be using your website.

4. Take advantage of vulnerabilities in the WEI protocol to corrupt the underlying attestation system so it fails to function in all future WEI requests for that physical machine.

5. Hack/Crack attestation system security and publicly release the keys, making any hardware using that version suspicious/blacklisted by users of WEI.

6. Probably some other things I haven't thought of, but as you can see they quickly go from dubiously legal to straight-up illegal. It would be best to nip WEI in the bud before such measures are deemed necessary.

WEI would be super valuable if it was targeted at corporate network infrastructure.

In those situations, enterprises have the jurisdiction and need to know who is connecting to their network.

Putting a technology like this into a browser seems to only benefit sites that monetize their content...

If you like what the W3C is doing for the privacy, accessibility and openness of the Web, you can become a W3C participant. Upon finding a W3C Working Group[1] to which you think you could contribute, you can send an email to the address of that WG's 'Staff Contact' explaining how you think you could help. If the Chairs and the Staff Contact agree, they will ask you to join as an 'Invited Expert' (IE). This does not confer voting rights but grants you access to the meetings, relevant Git repositories etc. You'll need to sign a licensing agreement allowing the W3C to freely publish your contributions.

I say this because, at first glance, it seems like the only stakeholders with any influence are W3C Members. The reality is that W3C is very open to contributions from individuals, but just has had a constitutional framework that makes things slightly more complicated for individuals, a situation which they are deliberately improving.

As for myself, I'm an IE for the W3C in the Linked Data area, so whilst of course I do not speak for the W3C, I would be more than happy to answer questions here on HN about how the W3C works.

[1]: https://www.w3.org/groups/wg/

Back in 2014 I met with Tim Berners-Lee himself, and his SoLiD team, and proposed to join forces. Here is the pic: https://lh5.googleusercontent.com/Rp4Su5Z2h28vCASKfrbhYKrULG...

His team lead (Dmitry Zagidulin) liked what we were doing a lot. But ultimately Tim chose to go in a different direction, spun off "Inrupt" and left MIT. We continued building our open source platform to try to realize the vision he keeps writing about: https://theconversation.com/tim-berners-lees-plan-to-save-th...

I was writing very similar things, but of course I didn't invent the Web: https://cointelegraph.com/news/how-a-web-that-lost-its-way-c...

Ultimately, my point is that we tried our best. I even hired Dmitry when he left Tim's project for a while, but very quickly Dmitry got demotivated to work with us because we were putting out working code for customers, instead of conforming to standards. Back then I argued to him that we don't have a ton of funding and executions matters more, after which the winners can help spearhead the standards. After all, Twitter pioneered oAuth, and Meebo+Google pioneered xAuth (if anyone remembers that). Dmitri and I did.

So we went our separate ways, and I realized that standards are an expensive detour that can work if you have extra funds to hire people. We plan to support Matrix, Mastodon and other interoperability. But for the time being, our platform is "just" free and open source.

Whether it's the UBI "movement", or the decentralized web, or other initiatives, everyone seems to go their separate way and it fizzles out (e.g. https://decentralizedweb.net and https://indieweb.org/). I wish people were willing to join forces on projects more, and get each other funded. That's how we can build real open source alternatives to the corporate internet we are all forced to depend on.

W3C and IETF standards are aspirational wishes that vendors routinely violate or ignore with intent or by buggy code. It's the responsibility of all ethical engineers to:

0. seek out appropriate, minimum friction standards before reinventing the wheel

1. refuse to implement solutions that harm users

Thanks for your interesting response. Although I don't really want to admit it, you are right in some cases that "standards are an expensive detour", because I've been involved with one of those myself! On the other hand, when the object of standardisation is very clearly defined, eminently possible and widely usable, a consensus-backed standard can be made very rapidly indeed.

Data canonicalisation is one such example: although the idea has been around for quite a while, a couple of years ago lots of people spontaneously decided it was something they needed (myself included!), and here we are with RDF canonicalisation[1] nearing Candidate Recommendation not even halfway through its WG's charter, along with several mutually independent approaches also in a good state of development. The result of this is that in about one more year from now, software developers will find cryptographic verification of data considerably more consistent, which can be translated into a pretty significant boon for Web users.

The ideal timing of a standard is surely after the limits of the idea have been found by theorising or prototyping, and before anyone with that idea has a large enough commercial interest in it to benefit from a monopoly on it. Trying to build a monopoly first and then 'donating' it by spearheading a standard is a viable technique, but it feels risky to me unless you can be sure that you're really the only party who understands the idea, and so won't be overtaken by someone with equally monopolistic but less altruistic motives.

I think that a good place to start is limiting the scope of a proposed standard very consciously, unless as you say you have the funds to hire everyone you need to implement it entirely at least once. Although I'm not familiar enough with your project to comment on any details, I suspect that most social network or forum applications could implement one way ActivityPub or Matrix support easily, and also proper two-way federation unless the original software makes too many assumptions about identity.

[1]: https://www.w3.org/TR/rdf-canon/

What project are you referring to?
I can’t tell you, I promised @dang I would mention it very rarely :)
That's good to hear because I really wanted to join one of the more recent groups that were formed about a year or two ago, but I didn't make the open invitations in time. Figured the door was closed but I've thought about reaching out to offer.
I would like to suport the W3C Line Mode Browser. It still compiles on the present-day computers I have; I use it from time to time for the nostalgia, to remind myslef how fast computers and the internet have become.
Does the W3C have any influence anymore?

I thought it lost some of it's influence, but can't recall why.

The W3C took a hit to it's influence in the early 2000s after their introduction of RDF (Resource Description Framework), the technology behind Linked Data and XHTML. Whilst technically superior and philosophically more elegant than the raw HTML they sought to enhance (note that HTML5 hadn't been invented at this point), it was not immediately very popular - the concept of Linked Data was somewhat harder to understand than the concept of markup, and getting it wrong would mean your website might fail to display. This lead to the creation of WHATWG, which holds sway over HTML5 and some miscellaneous JavaScript browser APIs, but still a very limited set of Web features compared to the W3C, which standardises lots of areas including CSS.

I would say that it was a pretty minor loss of influence overall, and their Linked Data is now used in almost all websites in at least a basic metadata capacity, which is how those 'social links' work (where you paste a URL in a chatroom or social network and find the title, logo and header picture appear automatically) for instance. More extensive use of Linked Data is often not directly visible to website visitors, but will soon form the foundation of a number of digital identity card systems, even for entire countries, and will do so in a way which has the potential to be significantly more privacy-friendly than a traditional 'citizen number' approach.

I'm currently a participant in the Linked Data area of W3C's work, but I wasn't around during the events I describe above. Resilient Web Design[1], a short but excellent ebook by Jeremy Keith is a good read for understanding why RDF didn't catch on initially, and anything by Manu Sporny will be worth reading/watching for getting a positive description of how useful RDF and Linked Data can be (his introduction video to the topic, for instance[2]).

[1]: https://resilientwebdesign.com/introduction/

[2]: https://www.youtube.com/watch?v=4x_xzT5eF5Q