Google's proposed Web Environment Integrity API has ignited a heated discussion in the developer community, with concerns over privacy and potential misuse. According to an ongoing discussion between Google engineers and developers, the stakes and consequences of this development are being seriously considered.
A forum participant 'Morgaine (de la faye)' previously expressed concerns about the proposed API, arguing that it may grant too much power to site owners, potentially infringing upon the rights of Chrome users. Morgaine mentioned the risks for users of rooted Android devices who might find themselves unfairly locked out of certain websites or functionalities. They referred to RFC 8890, stating, "The Internet Is For End Users," implying that the proposed API might contravene this principle:
"I'm not sure how RFC 8890 compliant this proposal is. This seems to create a large power for site owners to dictate & control user behavior. But RFC 8890 says that The Internet Is For End Users. This seems to work against that."
Further adding:
"As a user with a rooted phone, it would be highly upsetting & disturb my ability to use the web if you were to create this feature & allow me, a legitimate user, to be locked out of pieces of the web. Trying to narrow down the computing world to only run on attested hardware is the definition of the War Against General Purpose Computing, and it much discussed in intelligent circles as the worst possible dystopian hell that can be brought against users. I hope this feature is abandoned, and if not, I hope it is quickly & readily subverted. This is an indignity to introduce against users."
Ben Wiser, the original author of the proposal and a software engineer at Google, responded directly to these concerns. He acknowledged the potential for misuse, affirming that one of the explicit goals of the proposal was to allow web browsers to browse the Web without attestation:
"I want to be forthright in saying that I have the same concerns. For this reason, it is an explicit goal in the explainer to "Continue to allow web browsers to browse the Web without attestation."
Wiser suggested the implementation of a holdback mechanism, which would restrict only a portion of traffic to be attestable. This could help to ensure that web developers could not enforce attestation verdicts, potentially barring legitimate users from accessing content:
"This is of course easier said than done. One idea is to introduce a holdback mechanism that only allows a portion of traffic to be attestable so that web developers are not able to enforce any particular request on the attestation verdicts. In the rooting example, this would ensure that a web author could not prevent you from browsing without also locking out a sizable number of potentially attestable (but held back) users."
He noted that there are many valid reasons why users would want to limit fraud, such as combatting spam, disinformation, and unfair competition for services like ticket purchases:
Comments
Post a Comment