Google proposes turning browsers into DRM software for the web | Ending AD Blocking for all browsers

[AlTech]

Summary

 

Unsatisfied to allow 3rd party browser makers besides Google to override Manifest V3's neutering of ADs, Google has initiated a new proposal to end AD Blocking forever.

 

Their proposal is called "Web Environment Integrity" and essentially means websites will be able to query web browsers to ask if they have had their Environment Integrity Verified, meaning that a Browser needs to verify that the User is using a device that is approved by the Attester in order to access the website.

 

Attesters will be OS or Browser based and will give Websites a verification value based on factors about the device and the web browser being used

 

For Android, running a rooted device will provide a value indicating it is not verified.

 

Browsers that don't implement this may simply not function with websites relying on a Verification value.

 

There has been no guidance on who will be Attesters

 

It is expected that attestation services provided by Google may consider any amount of AD blocking worthy of triggering a low verification value essentially meaning the environment won't be trusted by the website.

 

Put simply if a website requires this they can force you to disable AD blocking in order to view the website and if you don't then you won't be able to use the website.

 

This could also extent to using phones after they stop getting security updates, using unpopular or unofficial browsers, using devices with custom OSes or firmware.

 

The browser becomes the DRM engine.

 

Quotes

Quote

A significant concern stemming from the tech community is the potential for monopolistic control. By controlling the "attesters" that verify client environments, Google, or any other big tech company, could potentially manipulate the trust scores, thereby deciding which websites are deemed trustworthy. This opens up a can of worms regarding the democratic nature of the web.

 

My thoughts

Alright, well its been a fun ride while it lasted. Time to be sent to the Google reeducation camp and be metaphorically beaten with a cattle prod until you accept that Google will own you and you will own nothing and you will be under Google's control and Google will be happy.

 

Forget about slippery slope, this is jumping off the side of a cliff and only if you support Google will you get a parachute that opens. Otherwise your chute won't.

 

If you continue to use Chrome despite all of these monstrous and truly heinous and cruel things google has plans for: then you deserve the future of the internet Google has in store for you.

 

 

Sources

 https://stackdiary.com/web-environment-integrity/

 

 

[Donut417]

21 minutes ago, AlTech said:

Time to be sent to the Google reeducation camp and be metaphorically beaten with a cattle prod until you accept that Google will own you and you will own nothing and you will be under Google's control and Google will be happy.

No. Time to dust off the Sherman Anti Trust Laws and pull out the fucking hammer they used on the Ma Bell and break Alphabet up. Along with all the cable and phone providers. 

[da na]

Like with any DRM, it will inevitably just become an arms race of addons and extensions trying to circumvent website DRM, and Google trying to block addons, wasting a ton of time and money that could be spent somewhere useful.

At this rate I won't be too bothered if solar flares knock out internet access for several years.

[OhioYJ]

51 minutes ago, AlTech said:

For Android, running a rooted device will provide a value indicating it is not verified.

Same as always, still a game of cat and mouse.

 

Anyone remember Widevine? Google's DRM to protect media. Every device in my house has an unlocked bootloader and rooted, and still has the L1 Widevine certification. Why should I assume this "DRM" works any longer than Widevine did?

[TetraSky]

So, it's only Chrome and potentially Chromium browsers that will be affected by this, correct?

Surely no other browsers, like firefox, will follow suit.

[Kisai]

58 minutes ago, AlTech said:

 

 

My thoughts

Alright, well its been a fun ride while it lasted. Time to be sent to the Google reeducation camp and be metaphorically beaten with a cattle prod until you accept that Google will own you and you will own nothing and you will be under Google's control and Google will be happy.

 

Gee, if only there was a competing web browser that wasn't developed by an ad company.

 

https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API/Attestation_and_Assertion

 

Oh wait, there isn't.

 

See, here's the problem.

https://github.com/RupertBenWiser/Web-Environment-Integrity/blob/main/explainer.md

 

This is entirely being pushed to "protect" content.

Kiss your web scrapers and search spiders goodbye. Google Images, Toast.

 

The thing is, protecting content is a solved thing. Don't-put-it-on-the-web.

 

As we saw earlier this year, Google gave the game away with youtube ad blocking. We know the reason for Manifest v3. It's obvious. It's to make ad blocking impossible by design. Break the web by making it proprietary.

 

The web has slowly been abandoned in favor of "apps" on mobile devices, because the mobile apps have this ability already. By making it so you get the inferior experience on the web browser. 

[OhioYJ]

17 minutes ago, Kisai said:

The web has slowly been abandoned in favor of "apps" on mobile devices, because the mobile apps have this ability already. By making it so you get the inferior experience on the web browser. 

I despise mobile apps, avoid them at all costs. However this is a very good reason for the ad-blocking method not to be built into the web-browser anyways.

 

- If I must install an app, it only gets data (WiFi and cellular) access if it really needs it. Generally background data access is revoked across the board.

- Ads, etc are blocked out globally by a hosts file, on my device.

 

The second part of that statement I think the is the key part of that. I'd go even a step further and say even mobile websites offer an inferior experience. For some reason though some people think they need an app for everything, and every business they interact with.

[Bitter]

Welp just like paywalled websites...I just won't use them. ¯\_(ツ)_/¯

[CarlBar]

Here's the thing, google doesn't just need to implement this into browsers, they need to get websites to actually use the feature, and everyone has to not fall afoul of any regulations. The odds of all that falling goggle's way are pretty low.

 

I can see a lot of businesses and websites not wanting to give google that kind of control and i can see a lot of regulatory agencies, especially in the EU not liking the walled gardens approach it brings.

 

And if it somehow makes it through all of that, (and somehow bypassing doesn't pop up very fast), it's likely the sheer inconvenience it's going to start causing will create regulatory movement on how ads are served to curb the worst excesses.

 

This at best is a very short term advantage for google if nearly everything breaks their way. Otherwise it's either going nowhere or going to actively hurt goggle.

[OhioYJ]

So serious question... Rather than all these complicated solutions for ads, I believe there is a simpler solution. Normally ads are coming from some third party and then you just block that domain. Why not cut out the middle man? If I serve the advertisement directly from my web domain, it's less likely to be blocked.

[Mark Kaine]

4 hours ago, AlTech said:

Aka, if a website requires this they can force you to disable AD blocking in order to view the website and if you don't then you won't be able to use the website.

thats how it is right NOW tho... 

 

4 hours ago, AlTech said:

There has been no guidance on who will be Attestators.

i question the legality of this proposal as "ads" are generally malicious and shouldn't be forced on users in such a way.

[05032-Mendicant-Bias]

Time to use Pi Hole style devices that aggressively excise AD traffic from my network cable!

Have fun trying to get ads to the Party™ Approved Browser© through my LAN cable.

[AlTech]

4 hours ago, TetraSky said:

So, it's only Chrome and potentially Chromium browsers that will be affected by this, correct?

Surely no other browsers, like firefox, will follow suit.

Brave is expected to follow suit.

 

Mozilla has not said whether they will but it is largely irrelevant if they do so or not. Websites requiring this will have issues on Firefox if it isn't present on Firefox.

 

4 hours ago, OhioYJ said:

Same as always, still a game of cat and mouse.

 

Anyone remember Widevine? Google's DRM to protect media. Every device in my house has an unlocked bootloader and rooted, and still has the L1 Widevine certification. Why should I assume this "DRM" works any longer than Widevine did?

Not necessarily. Websites right now don't know if you run a rooted device.

[AlTech]

5 hours ago, Donut417 said:

No. Time to dust off the Sherman Anti Trust Laws and pull out the fucking hammer they used on the Ma Bell and break Alphabet up. Along with all the cable and phone providers. 

I feel like regulators regardless of country aren't breaking up tons of big companies these days though.

 

How do we know the UK or EU will force Google to break up if they do this?

[grg994]

I just want to say there were a lot of people here including LTT, who said about the recent Youtube controversies that paying to Google for Youtube Premium might be a reasonable way.

 

I hope you all see now what your money you pay to Google is being used to! (...developing drm techs like this)

[Doobeedoo]

Ahahaha was wondering when this will come from Google and here we are. 

[OhioYJ]

5 hours ago, AlTech said:

Not necessarily. Websites right now don't know if you run a rooted device.

Neither do most apps? I don't expect a browser to be any better at detecting it, then all the rest of the media, banking, gaming apps, etc.

[jagdtigger]

10 hours ago, TetraSky said:

So, it's only Chrome and potentially Chromium browsers that will be affected by this, correct?

Yes, its only 90% of internet users........

 

Google has a monopoly via chromium, whatever they want they  can shove it down our throats because normies simply wont care. If websites implement this (and they will because it supposedly can prevent client side "tampering") non-chromium browsers wont have a choice in the matter. Its IE hell all over again....

[Donut417]

6 hours ago, AlTech said:

How do we know the UK or EU will force Google to break up if they do this?

Google is an American company which gives our government a little more authority over them. If America thinks in necessary to break them up, then the EU and UK are already passed that point. Because the EU and UK are more regulatory than the US is. 

[AlTech]

1 hour ago, OhioYJ said:

Neither do most apps?

A lot of apps try to detect if a user is running a rooted device or a device with an unlocked bootloader.

 

I say try because there are ways to defeat that but it is a cat and mouse game and Google is trying to win the game.

1 hour ago, OhioYJ said:

I don't expect a browser to be any better at detecting it, then all the rest of the media, banking, gaming apps, etc.

Why not? Almost all of them use the same code to detect if its rooted or not. Google Play Services has a way to detect it. It can currently be spoofed but who knows for how long that will remain the case.

 

This is also what Google would use for browser attestation on Android. Checking for root via Play Services.

[Bitter]

People who are saying 'just pay for ad free' whenever things like this crop up clearly don't remember that paying for something to be ad free has historically, repeatedly, and predictably resulted in you later paying for ads. Cable TV, Satellite Radio, going to the Movies, going to Concerts, Streaming services, etc all used to be free of ads and now all have ads AND you pay to see them. In fact Cable TV's original selling point was that you paid a monthly fee in lieu of seeing ads, I dropped Cable TV because just like broadcast TV I was being fed what felt like more ads than programming and then the programming too was chock full of product placement and ads as well. It's getting to be pretty stupid, saw ads being put up on the Jumbo-Tron at a concert recently DURING the opener and between sets. We didn't pay to come see live bands featuring the new Green M&M.

[freeagent]

You don't have to use google, or their products..

[Sauron]

I hate this but fortunately there's reason to believe it won't end up being used much. There are already systems to detect ad blockers but most websites don't use them; why? Because they're more interested in having a higher traffic than in showing you an ad at all costs. They know that if an ad block user is prevented access to the site they are much more likely to go elsewhere than turn off the ad blocker. Google knows this too, after all youtube and their other websites don't block ad blockers either.

 

With that said, much like the existing browser DRM standard it's a travesty and should not be allowed.

[Sauron]

20 minutes ago, Bitter said:

People who are saying 'just pay for ad free' whenever things like this crop up clearly don't remember that paying for something to be ad free has historically, repeatedly, and predictably resulted in you later paying for ads. Cable TV, Satellite Radio, going to the Movies, going to Concerts, Streaming services, etc all used to be free of ads and now all have ads AND you pay to see them. In fact Cable TV's original selling point was that you paid a monthly fee in lieu of seeing ads, I dropped Cable TV because just like broadcast TV I was being fed what felt like more ads than programming and then the programming too was chock full of product placement and ads as well. It's getting to be pretty stupid, saw ads being put up on the Jumbo-Tron at a concert recently DURING the opener and between sets. We didn't pay to come see live bands featuring the new Green M&M.

It's called enshittification

Quote

Here is how platforms die: First, they are good to their users; then they abuse their users to make things better for their business customers; finally, they abuse those business customers to claw back all the value for themselves. Then, they die.

and it's the reason you should never give companies any amount of sympathy when they whine about needing to raise prices or show ads to remain afloat. They used anticompetitive practices to force you into using them so this is entirely their fault.

[Kisai]

14 hours ago, OhioYJ said:

So serious question... Rather than all these complicated solutions for ads, I believe there is a simpler solution. Normally ads are coming from some third party and then you just block that domain. Why not cut out the middle man? If I serve the advertisement directly from my web domain, it's less likely to be blocked.

That is how *most* websites would prefer it to work, but advertisers do not want it to work this way because they don't get tracking data.

 

Like there is at least 20+ years of data on how people like/hate ads and countermeasures taken against them.

 

Remember popups? Remember why web browsers started implementing popup blockers? Because sites would spawn countless popups chained together. And this still happens, now only they are pop-unders and "clone and close" (where it spawns your current page in a new tab, spawns an ad in the old tab and then closes it so your history is unable to figure out what to block.)

 

At any rate, I hate what ads have become. When ads were just single 468x60 banners on 1024x768 screens they were non-intrusive, and an individual could earn $100 a week just from leaving banners on their computer running when they do other stuff. (That's how "free computer" things worked late 90's/early 2000's)

 

Now, you're lucky if you even get 1$. 

 

Like if it were possible to regulate ads, it would be "one ad, self-served, self-curated, per page, no exceptions."

You have to be kidding yourself that someone is willing to open more than one site linked from an ad. Dilution of the value of ads by providing so much low quality inventory.

 

As I've told my clients. If you are offered less than 0.50CPM, refuse and fill it with your own stuff, cause it ain't ever worth the effort, because that's the threshold where advertisers dump the lowest quality ads on your site.