The End of Freedom or Personal Choice in Computing

More specifically, Google is trying to create a DRM-like API for Chromium to avoid DDOS, and scraping. Someone suggested this could also be used to prevent ad blocking.
Edit: Which is certainly possible if it reports what extensions you have installed.

https://chromestatus.com/feature/5796524191121408?context=myfeatures

The response on Github was overwhelmingly negative, but as soon as the discussion turned hostile, they added a code of conduct to the project to excuse themselves for banning anyone who disagreed.

This proposal relies on varying levels of remote attestation for varying levels of accepting your activity session. If you want to know why that’s a problem,

https://gabrielsieben.tech/2022/07/29/remote-assertion-is-coming-back-how-much-freedom-will-it-take/

If hardware attestation is used, which IS used by most common “attestors” but not by this API directly FOR NOW, what you essentially have, is a situation, where specific device may be banned from accessing a particular interactive computer service, permanently, for any level of offense, including factual information considered to be wrong. Virtual machines, and any browser other than Google Chrome, Microsoft Edge, Safari, Brave, and MAYBE Mozilla Firefox, may be unable to access certain websites, or indeed, any website, given that cloudlfare is used by 73% of websites with a known reverse proxy. Cloudflare is certainly going to be implementing this to save money on DDOS protection.
Similarly, any operating system other than Windows, ChromeOS, MacOS, iOS, or Android, is almost certainly going to be given a lower trust rating, and possibly forbidden by default.

There’s no control or oversight into what the large tech oligopoly decides is an acceptable baseline level of information needed to establish “trust”, or what their proprietary attestor applications require to maintain “integrity”. and trust requirements can be changed at any time by the operators of any interactive computer service or contractual requirements.
Presently, this proposal doesn’t call for device IDs. Realistically, that’s going to be implemented later once a number of websites and service hosts start using this. However in the mean time, Microsoft and Google, being in the business of information control, might flag your device as untrustworthy in their Attestor e.g. Play Protect for something you said, or at a government’s request.

Basically, this goes through, and you will eventually not be able to use Purism’s products to interact with society, and may be regarded with suspicion by the general public who was literally told you were untrustworthy.

I don’t see a path to stopping this, short of building your own internet, or perhaps an attestor application that respects your freedom and somehow getting enough people to use it that it can’t be omitted from allowed attestors lists, provided that’s even possible. No one cares about anything if some mainstream news outlet isn’t reporting on it, and I don’t see anything except random people who noticed this proposal. And if I object, there’s a good change someone can just hit back with a “you just want to do bad things and not face consequences,” when the reality is maybe you just want to talk about other ways to do the greatest good for the greatest number of people not mentioned on TV, something that’s becoming increasingly difficult.

So I guess I’m posting this here because I desperately want someone to tell me I’m wrong.

I’ve been somewhat incensed of late when I go to a website, and it tells me my browser is unsupported or out of date and simply refuses to show me anything, not broKen HTML, nothing. Why do I need a specific browser or browser version to see “publically accessable” content?

Web Environment Integrity has an explainer below.

Their idea is to reduce the amount of entropy collected from devices by relying on a low entropy cryptographically-signed token instead of browser fingerprinting and/or cookies that track you across multiple websites. The web server still has to ultimately choose whether or not to trust the token and thus the attester.

These are the goals mentioned in the explainer:

Their fourth goal is the most important point for our discussion. This attestation API is not designed to lock out clients who do not use it, and web servers can choose to distrust the attester and serve the client anyways. This shares some parallels with PureBoot without a Librem Key, as you can ignore tampering warnings and force a boot.

Here are some issues I see from the client’s point of view:

• Trust is deferred to the attester instead of the client, which is a third-party and thus a MITM.
• There is still ongoing discussion about how much entropy/information to collect. Low entropy is vague and open to interpretation.

Right, I read through that, but I still find it disingenuous. The thing is, on a long enough timeline, it can always get worse; once this kind of behavior becomes acceptable, if service providers, or government entities, find that the baseline level of attestation, or “granularity” of the information attested isn’t enough, or someone you’re working demands that you ask for more information from your users.
What seems disingenuous in particular, the part about ensuring human traffic is human, particularly in the context of social media interaction. The issue with that is, there’s a considerable degree of ability to bypass a generative neural network application’s inability to look like a human: you just have humans upload the things it spits out, answer any captchas, and they can do all of this from a fully trusted, unhampered, walled garden environment. For example, sending the text the bot wants the human handler to post via instant messaging or email. Phone farms or click farms, or too many devices all in the same location are detectable, but this kind of work can be distributed with each human worker tasked with handling as many websites as the worker has phones (however, this requires smarter and more expensive workers). VPNs may also be an option for phone farms provided it doesn’t become practice to block devices that don’t attest that they’re not connected to a VPN.
To be sure, attestation can add to the expense of fraudulent activity, making it cost so much that only governments can afford it (not that they need to, since they can coerce service providers into allowing their fraudulent activity anyway), thus reducing it’s prevalence, but it won’t eliminate it.
Ultimately, I think the only hard prevention against all forms of automated activity is to require the browser to attest something representing the user’s personal identity, with a very small group of trusted certificate authorities handing out personal identity certificates, who will be in deep trouble if they hand out certificates to people who don’t exist.
The problem with THAT is that government entities and corporations who are powerful enough will probably be given an exception to the “no certificates for people who don’t exist” rule, because intelligence agencies will insist they need it to do their jobs.

I also don’t buy that this will make much of a dent in phishing without denying a specific device access to services. Not that it won’t have any effect, but the best phishing attacks research their targets well enough to tell them what they need to hear to get them to click something.
Scraping is something I think it will make a big difference in, because you can’t really achieve your goals with scraping (archiving everything you haven’t read to read in some form later) manually, and even hiring out human scrollers may not be possible if the service refuses to work for anyone who has browser automation tools or screen recording software installed. They won’t require this at first, but again, the issue is that this can all be added later.

Furthermore, the fact that they’re proposing the involvement of programs outside the browser means they are concerned with whatever you might have installed on your computer, or if you’ve made any changes to system files that might allow automated activity to go undetected. They’re not controlling what changes to the OS or installed software constitute a compromised device, that’s up to the OS vendor.
And where that gets complicated is with Linux, where vendors/maintainers generally do not care what you’ve got installed or what you deleted or modified. This could lead to the whole of desktop linux being forbidden from certain websites (most likely banks, and streaming services first) due to the lack of control the maintainers have over what you do, but it could also lead to more information being required from Linux users to determine if the computer is in an acceptable state, since there’s no “well the big corp who we agree with that made this says it’s all right”.

All of these arguments hinges on whether or not this will be adopted. Looking at the issues on Github, it is clear that there is still plenty of resistance and disapproval against implementing it.

It is still being prototyped on Chromium, which suggests that each browser vendor can think about whether or not to implement this too. This is not a web standard or draft of any sort that browsers are required to utilize. If it only gains traction with Chromium and Chrome, then simply avoid using them.

Not really a solution. Chrome has 62% market share. Many websites only support chromium based browsers because of this.

There’s that, there’s Open Assistant (properly trained could do it?), and there could be Neal Stephenson’s personal feed agents (see Fall, or Dodge in Hell). Homo Sapiens adapts. Might that be the true meaning of the universe, rather than 42?

Don’t Panic!

Your last statement definitely lacks credibility. State these “many websites” that only support Chromium-based browsers.

Switching browsers is not difficult. There are no accessibility issues preventing someone from doing so.

Well, that’s a great news for me! It means:

1. I’ll stay away from those websites
2. Linux network will develop a lot of new and parallel websites
3. Purism will sell more products

Before your eventual comment, I kindly remind you that humans born without internet as part of anatomical body so we can easily avoid/boycott some kind of websites that, for us, are devil/spyware/Bad in general
Thank you to let me know it!

I sometimes hang out on a site where most of the users use Firefox and Brave to the exclusion of all else, and it was about a 50/50 split last time anyone did a poll there. If anything, it’s the browser itself not working, glitching out, or annoying people with UI changes, which I never hear Brave users complain about. Then again, the Brave users don’t do much customization on their browsers, because they can’t.
And anecdotally, I’ve heard people say to my face “who even still uses firefox”, so this indicates that among the average person, there’s this mentality that firefox is on an irreversible downward trend and if you want to keep up with the times you shouldn’t use it. I’ve also heard people talking about websites that won’t work properly in firefox but work properly in something else, and run into a few of them myself (none of which I visit regularly enough to remember the names of though, except Zoom).
However, what websites don’t work now is kind of a moot point if Chrome, Safari, and Edge implement this change, Firefox doesn’t, and Netflix, mainstream social media sites, or a few bank websites refuse to serve browsers without remote attestation.
The issue with this situation is, it’s not enough to switch yourself in protest. There’s too many people using Chromimum forks. You have to get other people to switch, NORMAL people, not computer enthusiasts, and that’s very difficult to do, especially if they’re stuck in “but I’m used to chrome it just works, but websites don’t work on firefox, but it’s been losing marketshare so something must be wrong with it, but they keep screwing over customization, but signing in with my google account is so convenient (what’s a password manager)” mentality.
Besides that, I work with a lot of people who do not know how to use computers. If you want one of these people to use a new program, you’ll have to show them where everything is and the exact steps in the rituals they need to perform to get the monitor to show them information they want. Learning how to handle any alternative software scares them too much for them to even consider switching.

If you are going to dismiss my argument of Web Environment Integrity failing to gain adoption due to heavy resistance, and continue to spout out wild speculations of a “doomsday worst case scenario” as if it is preordained, then I am going to leave this “discussion”. I do not have any tolerance for arguments solely based on “ifs” and without citations.

More reporting:

P.S. The comments on that article are really great!

We still have a Choice and a Fallback on the Internet before, thanks to Open Source!. However if the sexy pages hosted by the DRM monopoly club, most folks will be sad. And right now they try to play the Development-Card, like optimizing the distributed Service/Information (like Google with Video-Plattform, or Facebook with Threads, or Musk with X), to optimize the Apps for that Services. Apple try this to with its own App-Shop and Golden Cage.

The Solution is to use Fediverse or Plain HTML with a 20 years old wget or rss script, works like a charm ;D

I am more alarmed by folks spreading on Android, IOS or Microsoft these days… cause they got privacy-drained in milliseconds by that devices and A.I. for Pictures, Sound adjustment, Accessibility and typing suggestions. Surveillancecapitalism at its best.

Right now i do not use Firefox or Chromium for my daily information Stream. It may be through apps for Mastodon, when i sometimes use Firefox. But mostly i just consume offline, and predownloaded Web pages.

We life in interesting times, a Chinese byword. And i love to have Hardwareswitches.

I simply don’t believe that the resistance is heavy enough for Google to care, or it certainly won’t be if people keep ignoring the threat, and brushing it off with “that’ll never happen, you’re just being paranoid”. Google has had a history of implementing things in chrome (and everything else they do) that cause problems for other people with insufficient communication to web developers about the changes.

It’s been a couple days, so I’m glad to see there’s more people noticing, and Mozilla has recently voiced opposition, but Safari actually implemented remote attestation already through apple’s Private Access Token scheme that Cloudflare is indeed already using to make security checks go a lot easier on themselves. No one cared then because apple was already considered a lost cause when it came to not being a walled garden and they represented a minority of computer users, but if google does it too, that’s pretty much everyone, and I don’t really have faith that Mozilla will be willing to risk YouTube not working.
Besides that, there’s quite a bit of Department of Defense pressure to create a zero-trust internet. If everyone has to trust no one, they certainly will have to demand that computers prove they’re ‘safe’, but unfortunately, zero-trust has just proven to be placing all trust in a small handful of entities that are too big to fail. Like the ones signing the certificate in your TPM that’s needed to sign the attestation token.

Normally I would dedicate half a hour or more to write up a counter argument, but it seems like Web Environment Integrity’s notoriety became mainstream, so I am not feeling any concern about it being widely implemented whatsoever. If it was warmly received by the public, that would change my perspective quickly.

Well you needn’t even bother, because they have just pushed the commit through to the chromium source code anyway. And he’s moving all the discussion to an unknown forum where presumably only people who support the change will be invited.

So now, we have about two years, before browsers stop supporting windows 10. And thus, at that time, most users will be on windows 11, or iOS, or Android, or ChromeOS. Among these, Windows is the only one that’s not a state-separated operating system, with the system files in a read-only partition, right now, but they’re planning on it, as realistically, this is the only way to ensure that you can NEVER tamper with the attestor.

But that won’t be enough. You’ll probably need either full disk encryption turned on to ensure that you can’t access these system files by booting another OS, or to have a locked bootloader to ensure you can’t access these system files by booting another OS.

I’ve already listed several reasons why you’ll need a “trustworthy” token to access most websites (foremost, Cloudflare, which IS most websites), but Google can also pressure any website that uses its ad network to require WEI or PAT.

So that means, we have two years, so somehow convince everyone, everywhere, on the entire planet, who doesn’t understand how computers work to use desktop Linux without sounding mentally ill. That’s the only way we’ll have leverage to make websites tolerate operating systems that aren’t riddled with spyware written by people who HATE you.

Sure, they’ll start to notice messages to the effect of “this website doesn’t allow screenshots” and start to wonder how to get around that, but downloading another browser that allows screenshots regardless won’t work because it’s binary hash or signature won’t be acceptable to the attestor program. Remember, browsers aren’t going to be given the list of requirements for trustworthiness. Operating systems are.

Or we could try to outbid GOOGLE in bribes for politicians and get them to recognize that Google is too big, in violation of anti-trust law, and must be broken up into separate companies, or push for some kind of “right to access” legislation.

Either of these things is obviously impossible. So this is going to happen, and most normal people will have no reason to notice or care. Desktop Linux is going to have to drastically change to meet the requirements handed down to various attestors by large websites and Cloudflare and the governments of the world. For starters, forget about sudo allowing you to do anything as root ever again.

The alternative is to just keep running away from the problem (fundamentally, that people with power despise the general public or various parts of it) and use dedicated browser boxes and hope capture cards will keep being able to spoof monitor signatures that attestor programs will accept, while you try to convince people to move back to mailing lists for social networking, and pray email providers don’t all start requiring remote attestation from the short, arbitrary list of tolerated attestors to even send a message.

Sorry, but i own a turing machine. I can calculate everything what i want, on an offline Device, and send the Result later to some Server or Web page.

This update or drop of freedom is the try to enable “trusted computing” or “collecting realtime telemetry data”, on a different level. On Web Browsers and Pages, someone try to exclude free speech and only insert applications and DRM/Trusted Platform Devices with enabled or, disabled controll over privacy.

I do not think that we can ever beat mainstram. But we can educate the knowledge about why it is important to have one… and where.

Looks like things are heating up, so I will dedicate time to break down your argument.

Indeed, from an accessibility standpoint, this is highly concerning. Currently though, not all websites using Cloudflare use Private Access Tokens, as that is only available for customers using their Managed Challenge platform who choose it explicitly over “legacy CAPTCHA”. Assuming this blog article is still up to date, it is also only implemented from iOS 16, iPad 16, and MacOS 13.

As for Google potentially placing pressure on websites using their ad network to also use WEI or PAT, we will see about that. If it comes down to the majority of the web being ad-infested and attested by Google though, I would simply avoid them as I have already been proactively doing now myself.

That assumes Windows, MacOS, Android, and iOS will implement WEI in two years, and that other browsers other than Chromium support it. We shall see how this actually develops over time.

Good luck with that. I am far more interested in a technical solution or developing healthy habits that I am empowered to implement myself rather than trusting politicians, the government, or anti-trust regulators to listen to my interests.

We do not know if this is going to happen. Right now, WEI is only on Chromium, so we shall wait and see if other browsers and operating systems implement it. Mention my username if it ever gets past this point.

Its easy. Try not to use commercial Web Pages which try to force you, not to support RSS, Screen-Readers or text Based Browsers without javascript like “links” or wget. You could try to train your curl skills too, and never touch a Firefox or chromium Browser again to get information.

And from my Point of view we are just back in the Ages where you will pay for Information***. Like in Books from Library, Ebooks, Newspapers (Ebooks/pdf). And use or share them with the community. Libraries in Europe have a huge archive where you have access to different Media. I think in the USA too. Like archive.org and its waybackmachine.

For Social experience we have already a dedicated self hosting alternative network. And for email you can host your own Server to message encrypted with Friends and Family (if they do not use Alphabet, Amazon, Apple, Meta or Microsoft).

So i think in computing we nerds have the power in our hands and just the mainstream ones got more and more lost. But this is - i hate to say- the way the mainstream goes.

Personally i think it will go faster and further. With the power of A.I. and the access of Sensore Data, every Provider have a live Coverage of your Moving at home, because with A.I. and your vacuum robot house plan, the A.I. could see how many Humans are between the walls and Moving through the driver logs of your Wlan-Driver. And every Persons heart beat. And this is the way computing and Information flows today, customers do not know or understand the difficulty of a leak on information. Like to wear a new Bluetooth earphone, which collect electroencephalography data. And say: We support to control forward or think volume low and thing volume high by brain activity.

***Ok right now i think we are in the Age where we have to pay, for someone else will not to have more information about us.

So drop the thought about having browsers. Computing will shift soon or late to a new way of been ubiquitous in a different way. Right now its in Apps. Soon it will just be a voice or a thought.
Reading right now “The Battle for your Brain” by Nita Farahany.