Skip Navigation

Google employee responds to all the negative feedback WEI, (google drm the web)

Hey everyone, thank you for your patience, and thank you to everyone who engaged constructively. It is clear based on the feedback we’ve received that a bigger discussion needs to take place, and I’m not sure my personal repository is the best place to do that - we are looking for a better forum and will update when we have found one. We want to continue the discussion and collaborate to address your core concerns in an improved explainer.

I want to be transparent about the perceived silence from my end. In the W3C process it is common for individuals to put forth early proposals for new web standards, and host them in a team member's personal repository while pursuing adoption within a standards body. My first impulse was to jump in with more information as soon as possible - but our team wanted to take in all the feedback, and be thorough in our response.

That being said, I did want to take a moment to clarify the problems our team is trying to solve that exist on the web today and point out key details of this early stage proposal that may have been missed.

WEI’s goal is to make the web more private and safe The WEI experiment is part of a larger goal to keep the web safe and open while discouraging cross-site tracking and lessening the reliance on fingerprinting for combating fraud and abuse. Fraud detection and mitigation techniques often rely heavily on analyzing unique client behavior over time for anomalies, which involves large collection of client data from both human users and suspected automated clients.

Privacy features like user-agent reduction, IP reduction, preventing cross-site storage, and fingerprint randomization make it more difficult to distinguish or reidentify individual clients, which is great for privacy, but makes fighting fraud more difficult. This matters to users because making the web more private without providing new APIs to developers could lead to websites adding more:

sign-in gates to access basic content invasive user fingerprinting, which is less transparent to users and more difficult to control excessive challenges (SMS verification, captchas) All of these options are detrimental to a user’s web browsing experience, either by increasing browsing friction or significantly reducing privacy.

We believe this is a tough problem to solve, but a very important one that we will continue to work on. We will continue to design, discuss, and debate in public.

WEI is not designed to single out browsers or extensions Our intention for web environment integrity is to provide browsers with an alternative to the above checks and make it easier for users to block invasive fingerprinting without breaking safety mechanisms. The objective of WEI is to provide a signal that a device can be trusted, not to share data or signals about the browser on the device.

Maintaining users' access to an open web on all platforms is a critical aspect of the proposal. It is an explicit goal that user agents can browse the web without this proposal, which means we want the user to remain free to modify their browser, install extensions, use Dev tools, and importantly, continue to use accessibility features.

WEI prevents ecosystem lock-in through hold-backs We had proposed a hold-back to prevent lock-in at the platform level. Essentially, some percentage of the time, say 5% or 10%, the WEI attestation would intentionally be omitted, and would look the same as if the user opted-out of WEI or the device is not supported.

This is designed to prevent WEI from becoming “DRM for the web”. Any sites that attempted to restrict browser access based on WEI signals alone would have also restricted access to a significant enough proportion of attestable devices to disincentivize this behavior.

Additionally, and this could be clarified in the explainer more, WEI is an opportunity for developers to use hardware-backed attestation as alternatives to captchas and other privacy-invasive integrity checks.

WEI does not disadvantage browsers that spoof their identity The hold-back and the lack of browser identification in the response provides cover to browsers that spoof their user agents that might otherwise be treated differently by sites. This also includes custom forks of Chromium that web developers create.

Let’s work together on finding the right path We acknowledge facilitating an ecosystem that is open, private, and safe at the same time is a difficult problem, especially when working on the scale and complexity of the web. We welcome collaboration on a solution for scaled anti-abuse that respects user privacy, while maintaining the open nature of the web.

135 comments
  • WEI’s goal is to make the web more private and safe The WEI experiment is part of a larger goal to keep the web safe and open

    (Emphasis mine)

    They contradict themselves in the span of 2 sentences. Great look, folks.

    • How is that a contradiction?

      The Open Internet (OI) is a fundamental network (net) neutrality concept in which information across the World Wide Web (WWW) is equally free and available without variables that depend on the financial motives of Internet Service Providers (ISP).

      Open is not the opposite of private. You can have an open internet where your information is not shared with third parties, i.e. private.

      • The web is currently a communal well. We all drink from it because people before us paid the foundations.

        Google aims to be the owner of that well. Like the land and oil barons before them, they wish to monetize every last second of web access.

        That same corporation, to spew such vile, ignorant nonsense is...well, I guess it shouldn't be much of a surprise, should it?

  • WEI’s goal is to make the web more private and safe

    Bull. Fucking. Shit. You do not get to pick and choose who you treat differently based on software level indications. You absolutely cannot justify this technology with fraud-prevention; as your fraud prevention should be baked in elsewhere in your logic chain and service delivery anyways. Developers do not need yet another magic number. Your typical fraudster is going to be an Authenticated Human anyways; and will easily bypass this attestation if this is actually implemented as intended. Because of that fact; this will drive desperate developers to implement this in consumer-hostile and privacy-hostile manners. You cannot simply say "That's not how it's intended to be used" and expect those devs to play along with it!

    TL;DR: We must not give developers tools that can be abused in ways that run counter to the open internet

    WEI is not designed to single out browsers or extensions

    Wrong!

    You absolutely ARE singling out browsers; particularly ones that may be older or "Un-attestable" for other arbitrary reasons. This will impact a large number of people in the disabled community who may use specific, webpage modifying extensions in order to make the web more usable for themselves.

    WEI prevents ecosystem lock-in through hold-backs

    This won't work; your devs will just write other server backend code that is forked off of yours that won't "hold back". This is a ridiculously tiny band-aid for a gaping wound that needs stitches;

    WEI does not disadvantage browsers that spoof their identity

    Wrong again! You cannot trust developers and companies with financial motivations and interests to not mark spoofed browsers as fraudulent; nor can you obligate them to treat them exactly the same as a properly attested browser agent.

    Let’s work together on finding the right path

    This proposal is not working together! This is a blatant attempt by Google and Alphabet to further bully it's dominance over standards for the financial gain of itself and it's partners. Please don't pretend otherwise.

  • "Privacy features like user-agent reduction, IP reduction, preventing cross-site storage, and fingerprint randomization make it more difficult to distinguish or reidentify individual clients, which is great for privacy, but makes fighting fraud more difficult. This matters to users because making the web more private without providing new APIs to developers could lead to websites adding more:"

    Ohhh it's fighting fraud that they want to do! And here I thought it was entirely for the much more profitable goal of maintaining advertising revenue. Well, I'm SO GLAD to be wrong on that one. Slash S.

  • lol

    Nice internet you have there. It would be a shame if something "happened" to it.

  • Any sites that attempted to restrict browser access based on WEI signals alone would have also restricted access to a significant enough proportion of attestable devices to disincentivize this behavior.

    If it's actually a "significant enough proportion of attestable devices to disincentivize this behavior" why would anyone want to rely on this mechanism? I have a means to check if a device should be trusted, but it fails enough of the time that I shouldn't depend on it... Why would I ever depend on it? What use case allows for an expected 10% failure rate?

    • I guess something like: Skip capture if it succeeds, show capture if it fails. It would allow people to skip capture checks most of the time.

      To be clear, this doesn't make it ok!

      • I guess I'm just the sort of guy who'd rather have to do a CAPTCHA every time than have some invisible (to me) test determining whether I measure up to their standards or not and have no means of understanding why I failed when/if I do. I hate CAPTCHAS, but I hate impermeable black boxes 1000000x more, and I hate this WEI nonsense far more than that.

135 comments