Google has announced it’s going to drop the Web Environment Integrity proposal – the controversial proposal that set the internet on fire a few months ago. Instead, the company intends to offer a much more limited version of the proposal that targets only media streams running in Android WebViews embedded in applications.
We’ve heard your feedback, and the Web Environment Integrity proposal is no longer being considered by the Chrome team. In contrast, the Android WebView Media Integrity API is narrowly scoped, and only targets WebViews embedded in apps. It simply extends existing functionality on Android devices that have Google Mobile Services (GMS) and there are no plans to offer it beyond embedded media, such as streaming video and audio, or beyond Android WebViews.
I might be ye of little faith, but this feels a lot like a case of proposing something overtly horrible first, to pave the way for something that now seems benign in comparison. On top of that, that scope might be limited now, but does anyone have any faith left that Google won’t just… widen the scope later, once we’re all not looking?
This would have stopped spammers and scammers up until the point where someone just configures their evil computer to provide input to their trusted computer sitting right beside it by way of standardized USB interface protocols. Trusted computer has no way to audit or police what is running on evil computer. So, about 3 minutes.
kbd,
It just expanded DRM to encompass everything in the browser. I don’t think it was ever going to stop spammers and scammers though. DRM.
Aside: The spam problem (telephone/email/etc) would be solvable. The fact that today’s spammers can keep sending spam to your email address/phone number or even sell your data to other spammers is obviously the weak link here. We could be using PKI to put an end to this, which is something I advocate for but it would require everyone to agree to compromises that so far haven’t been able to gain momentum.
No more anonymous emails/calls using throwaway identities (IMHO this is for the best, I’d rather block cold calls as it’s mostly spam/marketing). People would have to become accustomed to exchanging public keys rather than simple phone numbers/emails. Whereas schools/mechanics/etc would take down your number to reach you today, that would have to be upgraded to a cryptographically secure PKI transaction. This would be an excellent use for NFC/QR codes, even trivial one-time keys could work if pencil and paper is all that’s available. Browsers and email programs would need to support signing using one’s private keys. People can share numbers, but the recipient would have a cryptographic chain of evidence for it. If a sender becomes abusive (i.e. spam, whatever), it’s a trivial matter to revoke their key and never get their spam again even if they try to sell your details to someone else. If a bank or store sells your information without your permission (unfortunately banks are a huge source for spam lists), you’d have a record of that and we could shame them over it.
While the technical challenges are solvable (without DRM) and I’d be keen to do it, I know this is all very wishful thinking. Getting everyone on board hardly seems realistic.
“Stopping spammers and scammers” is the sales pitch that is being made in many articles about this though. That’s why I felt it necessary to completely dismantle that idea.
I guess because if they explain to people what it’s actually about: making it harder to save videos and other content from the web for permanent record (something that has been part of the web since day one), or listen to music on YouTube with your screen switched off without a subscription, people would be even less enthusiastic about web integrity than they already are now.
kbd,
Fair enough.
The most insane thing in all this is that this DRM framework wasn’t proposed by Hollywood nor the RIAA but a fucking advertising company so that they could force people to stop using adblockers.
Power corrupts.
I’m right there with you, Thom. Apple has also pulled a stunt like this in the past, announcing a sweeping privacy invasion couched in the guise of “think of the children”, and when the inevitable pushback came from all corners of the online world, they backpedaled and shelved the idea, but they left the door open to bring it back one day.
Bottom line: Corporations DO NOT CARE about your privacy, security, and accessibility, but they will pretend to as long as it makes them more money to do so. When the pendulum swings the other way and they can make more money by denying you any of the above, they won’t hesitate. Never trust a corporation with your own well being.
I don’t know – it’s hard to disagree with their assessment about the current state of the web – it’s broken and can be a dangerous place full of bad actors. I just don’t know if they have the right solution.
I’m ok with them trying this out in Android, and if they can get it to work, revisiting the broader web. You may not trust corporations, but there are other things I trust even less. Look at all the warnings that Manifest 3 was the end of ad blockers, yet mine is still working. There was a boy who cried wolf a few too many times …
darkoverlordofdata,
DRM is a disingenuous solution. Owners need solutions that work for us and not against us. DRM works against us. This isn’t so much a side effect as it is the raison d’être for manufacturers and Hollywood.
Corporations holding our device keys are by far and away the most dangerous threats to owner control today. It’s not government, it’s not hackers, but corporations deploying DRM. I think there’s a bit of confusion about DRM naysayers being against device security, but device security and DRM are not the same thing. This distinction is hugely important and most of us are only against the latter.
A house analogy might help:
You live in an unprotected house, and a corporation comes in and says “we can add locks to your house to offer you more protection”. You say “that’s great, that’s what I want!” But then the corporation designs and installs the locks in such a way that they hold the keys and you do not. When you want to get into your house, you must ask them for permission. It is the corporation, and not you, who decides for whom to unlock the door. Furthermore their corporate locks are permanent, officially you have no way to remove them. You hope the corporation won’t abandon your door locks down the line because they are the ones holding the keys to your property.
Most likely this arrangement seems ridiculous to most owners because we have locks to protect our property and we don’t have to give up control to a corporation like this; as owners, we expect a say! This is the distinction between giving owners protection versus taking away their keys. But consumers often don’t make the connection that it’s the same arrangement when it comes to tech companies selling us hardware.
It keeps getting deferred.
https://arstechnica.com/gadgets/2022/12/chrome-delays-plan-to-limit-ad-blockers-new-timeline-coming-in-march/
Technically it is the end of dynamic pattern based ad blocking. Google knows it’s less effective, the EFF knows it’s less effective, we all know it’s less effective. They’ll try to put lipstick on that pig but ultimately the real goal is nerfing adblockers.