Holdbacks are an insufficient solution; there is a fundamental conflict in the specification's goals surrounding lock-in.
The overall goal for the spec is described in the comment:
> The WEI experiment is part of a larger goal to keep the web safe and open while discouraging cross-site tracking and lessening the reliance on fingerprinting for combating fraud and abuse. Fraud detection and mitigation techniques often rely heavily on analyzing unique client behavior over time for anomalies, which involves large collection of client data from both human users and suspected automated clients.
In other words, the intended goal of this spec is to discourage the development and use of fingerprinting techniques, login screens, and other invasive user-validation techniques on websites.
However, the goal of holdbacks is then described in the following way:
> This is designed to prevent WEI from becoming “DRM for the web”. Any sites that attempted to restrict browser access based on WEI signals alone would have also restricted access to a significant enough proportion of attestable devices to disincentivize this behavior. [...] The hold-back and the lack of browser identification in the response provides cover to browsers that spoof their user agents that might otherwise be treated differently by sites. This also includes custom forks of Chromium that web developers create.
In other words, one of the goals for the holdback system is to make it practically impossible for a website not to have fallback mechanisms for validating user trust when encountering requests that don't have attestation. And a essential part of that design is that even implementing browsers like Chrome will refuse to verify the environment integrity 10-15% of the time.
----
So why is this a problem? Because holdbacks are on-purposed designed to make it so that fallback mechanisms have to exist and that sites can't skip including them; but the whole point of this spec as stated is to discourage developers from building those same fallbacks they're required to include because the fallbacks violate privacy or are are invasive or are essentially login walls.
And 10-15% of the time even users in participating browsers will be subjected to those fallback strategies. So you're still basically guaranteed to have your device fingerprinted, and any site that uses login as a backup verification method still will require you to make an account.
The only thing that this would affect is the frequency of user-annoyances in front of websites -- essentially, if sites started using this as a substitute for captchas, this would encourage them to drastically increase the number of captchas they use since Chrome browsers would only see 10-15% of those captchas.
And that's also a problem if you're trying to guarantee that competing browsers won't be affected, because "your users see 9x as many captchas on every website" is a pretty stinking big competitive moat.
Forgive me for thinking that "you can build a browser that competes with us, but unless we specifically approve of your browser, anyone who uses it on Android will be solving captchas over and over at a massively increased rate until they eventually give up and move back to Chrome like a good little consumer" still kind of has a lot antitrust implications.
----
This proposal doesn't make sense; assuming the best of the authors I can only assume they haven't really thought through what they're trying to build. But you can not build an attestation method that simultaneously improves the web substantially for your own users over non-attestation methods, but that also magically does not hurt the web for any of your competitors who don't get those improvements.
And holdbacks only make those goals even more contradictory: because privacy, paywalls, and logins will still affect Chrome if it decides randomly that it's not going to attest to the NYT for the duration of today. The only aspect that this makes sense for is specifically user annoyances; and where annoyances are concerned an attestation method that excludes most mainstream users on unmodified devices from annoyances while leaving niche browsers out is an invitation for websites to discriminate against those browsers -- holdbacks change nothing about that situation.
You can't tell me this is about discouraging fingerprinting in the same comment that you tell me that you're going to guarantee that sites will still need to build fingerprinting solutions and will still need to use those solutions even on participating browsers.
Amazingly clever that they have hold backs! Make sure to read this before going along with the anti WEI train
> WEI prevents ecosystem lock-in through hold-backs
> We had proposed a hold-back to prevent lock-in at the platform level. Essentially, some percentage of the time, say 5% or 10%, the WEI attestation would intentionally be omitted, and would look the same as if the user opted-out of WEI or the device is not supported.
So this avoids the DRM or blocking certain browsers issue. Brilliant. I’m not entirely certain but I think this avoids the main issues which people had with the proposal.
I still think a lot of people will not read this and react with vitriol but I would like to expect more from hacker news, as a forum where people don’t simply downvote opinions they disagree with.
> We had proposed a hold-back to prevent lock-in at the platform level. Essentially, some percentage of the time, say 5% or 10%, the WEI attestation would intentionally be omitted, and would look the same as if the user opted-out of WEI or the device is not supported.
So, does that mean that sites would need to fallback to existing practices for these users (or for custom forks)? So, these users get the worse ux and that's considered "supporting custom browsers"? Now sites can spend less time and resources on detection, but wait...what about the 5-10%? So IT departments will be less likely to spend precious dev time and funding on improving detection due the overall risk reduction. I'm not sure that's a net win.
> WEI’s goal is to make the web more private and safe
Yeah, hopefully you can sleep better telling yourself that.
> An owner of this repository has limited the ability to comment to users that have contributed to this repository in the past.
Fucking joke.
I think the actual comment is this one? https://github.com/RupertBenWiser/Web-Environment-Integrity/...
On my phone this is collapsed and hard to find by default.
Can't trust 'em.
Direct link to comment: https://github.com/RupertBenWiser/Web-Environment-Integrity/...