Skip Navigation

Google is working on essentially putting DRM on the web

The much maligned "Trusted Computing" idea requires that the party you are supposed to trust deserves to be trusted, and Google is DEFINITELY NOT worthy of being trusted, this is a naked power grab to destroy the open web for Google's ad profits no matter the consequences, this would put heavy surveillance in Google's hands, this would eliminate ad-blocking, this would break any and all accessibility features, this would obliterate any competing platform, this is very much opposed to what the web is.

272 comments
  • Ad blockers are my best disability accommodation. The things they do with ads to capture attention f with my brain. I'm really going to struggle if this happens. And I'm dependent on the internet for so many things, from groceries to prescriptions to people.

  • I'm a non-techie and don't understand half of this, but from what I do understand, this is a goddamn nightmare. The world is seriously going to shit.

    • My ELI5 version:

      Basically, the 'Web Environment Integrity' proposal is a new technique that verifies whether a visitor of a website is actually a human or a bot.

      Currently, there are captchas where you need to select all the crosswalks, cars, bicycles, etc. which checks whether you're a bot, but this can sometimes be bypassed by the bots themselves.

      This new 'Web Environment Integrity' thing goes as follows:

      1. You visit a website
      2. Website wants to know whether you're a human or a bot.
      3. Your browser (or the 'client') will send request an 'environment attestation' from an 'attester'. This means that your browser (such as Firefox or Chrome) will request approval from some third-party (like Google or something) and the third-party (which is referred to as 'attester') will send your browser a message, which basically says 'This user is a bot' or 'This user is a human being'.
      4. Your browser receives this message and will then send it to the website, together with the 'attester public key'. The 'attester public key' can be used by the website to verify whether the attester (a.k.a. the third-party checking whether you're a human or not) is trustworthy and will then check whether the attester says that you're a human or not.

      I hope this clears things up and if I misinterpreted the GitHub explainer, please correct me.

      The reason people (rightfully) worry about this, is because it gives attesters A LOT of power. If Google decides they don't like you, they won't tell the website that you're a human. Or maybe, if Google doesn't like the website you're trying to visit, they won't even cooperate with attesting. Lots of things can go wrong here.

    • So, a lot of the replies are highlighting how this is "nightmare fuel".
      I'll try to provide insight into the "not nightmare" parts.

      The proposal is for how to share this information between parties, and they call out that they're specifically envisioning it being between the operating system and the website. This makes it browser agnostic in principle.

      Most security exploits happen either because the users computer is compromised, or a sensitive resource, like a bank, can't tell if they're actually talking to the user.
      This provides a mechanism where the website can tell that the computer it's talking to is actually the one running the website, and not just some intermediate, and it can also tell if the end computer is compromised without having access to the computer directly.

      The people who are claiming that this provides a mechanism for user tracking or leaks your browsing history to arrestors are perhaps overreacting a bit.

      I work in the software security sector, specifically with device management systems that are intended to ensure that websites are only accessed by machines managed by the company, and that they meet the configuration guidelines of the company for a computer accessing their secure resources.

      This is basically a generalization of already existing functionality built into Mac, windows, Android and iPhones.

      Could this be used for no good? Sure. Probably will be.
      But that doesn't mean that there aren't legitimate uses for something like this and the authors are openly evil.
      This is a draft of a proposal, under discussion before preliminary conversations happen with the browser community.

  • This is a total affront to the ethos of the web and everyone involved in drafting this awful proposal should be publicly shamed. Stick sandwich boards on each of them saying "I tried to build the Torment Nexus", chain them together and march them through the streets while ringing a bell and chanting "shame".

  • This is nothing less than a brazen attempt at total control of the primary large-scale communication mechanism of humanity.

  • Like everyone else, I was an avid google user and used google for all its services. Then I started to learn about privacy and switched to chrome to firefox with duckduckgo. Until yesterday I was also often using an adblocker for advertising, I then realized that this does harm to companies and sites that I am interested in. Advertising is fine, I enjoy it if it's on the site, but I want to be given a choice to behave. That's it. Tradotto con DeepL https://www.deepl.com/app/?utm_source=android&utm_medium=app&utm_campaign=share-translation

    • Years ago i would have agreed with you, but on this era of heavy capitalist surveillance you don't want to give them the chance, they'll get every bit of data they can get about you. That and ads are strong dissemination vectors for malware. If i want to support something i'd rather do it directly, ads have proven to be noxious.

  • I just had to change my domain name because Google wouldn't stop blocking my personal server webpage for being a "phishing" website, there was no way it could be interpreted in that way at all and it didn't matter, my personal server apps were basically blocked on 80% of browsers.

  • Alright, I'm kinda slow today, so tell me if I got it right: We, the users, will be "kindly asked" to get one thingamabob signature/identifier of "integrity", so websites "know" whether we're good or bad guys?

    • Your hardware and OS already gets asked to verify whether it's safe to run an app on it (see: banking apps).

      Same thing, but now with web browsers.

  • Ugh. DRM. I freaking hate DRM. I "buy" a book from Amazon and it's all DRMed. I like the Kindle app so I keep buying there. But when I can I buy physical books at a LBS

272 comments