
"I have encouraged the team working on this to ignore feedback in any forum in which something like Chromium's code of conduct is not being maintained as anything else would be creating an unsafe working environment." - Rick Byers

https://groups.google.com/a/chromium.org/g/blink-dev/c/Ux5h_...



> Attacks and doxing make me personally MORE likely to support stronger safety features in chromium, as such acts increase my suspicion that there is significant intimidation from criminals who are afraid this feature will disrupt their illegal and/or unethical businesses, and I don't give in to criminals or bullies

That makes it _really_ hard to believe they're debating in good faith.

Anyway the entire thread makes it sound like they're temporarily backing down but still intending to implement something similar in the future:.


In my town, a couple (both doctors) unilaterally gated a forest service road that led to a popular outdoor area used by the citizens for years.

Apparently rights of way are tough to determine on this road that's well over a century old, but the Forest is working on it.

In the meantime, the doctors' businesses were figuratively destroyed and their property vandalized. [I don't approve of illegal actions.]

And I think they're genuinely confused by the reaction of the general public. They are so far out of touch, they just can't understand.

Google pushing things like this and being surprised by the violent backlash has the same feel.


> violent backlash

There's no backlash. Is there anyone stating to stop buying Google Ads? Moving to Firefox (since there's no other alternative non-Google-chromium-based browser out there)? Except the HN audience, of course.

There's no danger from "users" for Google. Because their users are huge enterprises paying billions for ads. Not us.

DRM is what banks love. Recently, several major banks' mobile apps in Singapore stopped working as they started scanning all apps installed on a device, and some they don't like (MS Authenticator, for instance; F-Droid, and any opensource apk from there, also any developers installed app). This is a nightmare as mobile bank apps are a first class citizen now. Web just does not open without push dialog. Not sms otp anymore, but the app push dialog. The only way to handle it is to buy the cheapest Android and install all bank apps there.


> There's no backlash. Is there anyone stating to stop buying Google Ads? Moving to Firefox [...] ?

I've actually noticed an increased number of "this is it, I move to FF" posts, here and on Reddit. Since FF fixed their main performance problems, switching is not particularly burdensome anymore; and now the assumption that Google is "evil" has reached the same level of popularity that Microsoft used to have at the peak of their powers.

I think we're in a similar position as early-00s opensource: commercially fledgling, but establishing a solid mindstream in geek circles that will shape the future in unpredictable ways that are not favourable to Google.


Wait what? Do you have any further details about the f-droid and Ms auth? Damnit I'm going to have to do a PSA at work if this is true.


> DRM is what banks love.

> Recently, several major banks' mobile apps in Singapore stopped working as they started scanning all apps installed on a device, and some they don't like

This seriously triggers me. I can't even enable developer mode on my phone without these apps flipping out.

Banks in my country (Brazil) have a long standing tradition of doing this. Even on PCs they have these asinine "security plugins" for browsers. You literally cannot log into their systems without the goddamn thing installed. Not a single person managed to explain to me what they do, so years ago I was bored at work and tried my hand at reverse engineering the plugin to figure out why it made the computer so unusably slow.

I caught it intercepting every single network connection.

Didn't bother to check anything else. Just assumed it was phoning home with private information and started treating it like the malware it is from then on. Actually switched banks to one which didn't require this crap. These freaking banks think their "fraud prevention" justifies anything.

There's a package for this "banking security tool" in the Arch User Repository.

https://aur.archlinux.org/packages/warsaw

https://aur.archlinux.org/packages/warsaw-bin

Who the hell knows what this thing does nowadays? Maybe it doesn't monitor people anymore, it's been years and we even have a GDPR equivalent now. But I will never install it.


South Korea is the same. I knew Brazil were our only brothers in arms when it came to this hellscape but I was under the impression that unlike here, in Brazil over the last 5 years or so this had become a thing of the past and you don't have to deal with this crap anymore, making Korea unique in the world.

I take it this is not the case, and they're still making you install malware?


Yes, it is completely a thing of the past for most if not all banks


If you're using a phone, maybe. If you're using a desktop computer, you still have to install that malware.


What's the country mentioned above with the mandatory bank security plugins?


Brazil.

Check this out. They even have a Linux support page, complete with screenshots depicting it running as root.

https://seg.bb.com.br/duvidas.html?question=10

https://seg.bb.com.br/img/faq/linux/verificar_modulo2.png

I looked up the package I posted above and found a gist with the unpacked contents:

https://gist.github.com/fititnt/8d94b0574c6a4ec7e8c4088c6474...

Literally asks for your root password, downloads some proprietary software off the internet and runs them without even computing checksums or anything.

Corporation that made this thing is owned by Diebold, the corporation that made our voting machines. Bone chilling.


> Corporation that made this thing is owned by Diebold, the corporation that made our voting machines. Bone chilling.

Right, let me just put on my tin foil hat.


It's hilarious how some people's stance on voting machines did a 180 after the 2020 elections (or at least, all the pro voting machine people started coming out of the woodwork). Politics really is the mind-killer


I remember when Diebold were Dick Cheney's personal election-riggers in 2004, although it seemed like a bad long-term plan since the plan was always for Bush to cancel elections in 2008, but I guess quarterly earnings are king.


It won't help.


> There's no backlash.

Why did they roll it back, then?


I moved to Firefox. This nonsense was the final straw on that.


The Verheydens?


They're saying anything that disagrees with them is bullying and criminal. But, labelling anything that disagrees with them as bullying, is a bullying tactic to try to silence dissent.

Why do they want to silence opposition? Because their position does not stand up to scrutiny.


Pushing anything in tech uses this playbook. Look at systemd and Wayland. They take the bullying approach and act like their intentions can't be questioned.

We need a stronger response to their arrogance. Something that will affect network performance and intercept revenue. We can start by blocking them at the DNS level. Host with Google? Too bad your choice in tech sucks.


> Pushing anything in tech uses this playbook.

No, they don't. Google just criminally accused the opposition to their new "internet law" of doing so in order to continue committing crimes.


Point out a single Big Deal in tech that wasn't misrepresented or accusing the opposing side of some character flaw.

The behavior from Google fits the same bill. The way they're doing it is just the difference between FOSS 'communities' and multi billion dollar corporations.

They likely have psychs on staff to manipulate the narrative around their totalitarian software and services.


>They're saying anything that disagrees with them is bullying and criminal.

That is not what was said. People making direct and indirect threats against the author are not acting in good faith and want to just silence the author without anyone fairly evaluating the proposal.

>Why do they want to silence opposition?

Threats are not productive for deciding if a proposal should be adopted. They are just noise. Wanting to get rid of noise and focus on signal is not "silencing opposition."


> People making direct and indirect threats against the author

Indeed that would be the case if that were so, yet it looks like what actually occurred here is the author is abusing the labelling of bullying and criminal in order to falsely tar all disagreement as that.

This labelling abuse is itself a bullying act designed to intimidate and shame into silence any disagreement by misrepresenting it as a threat. Which is itself a threat: agree with me or I will accuse you of evil and silence you.

That's what it seemed like at the time. Let's note that the quoted comments are from a months-old thread.

Do you have any evidence to support your claim about there being direct and indirect threats?


>Do you have any evidence to support your claim about there being direct and indirect threats?

Read the GitHub issue and you will see people irrationally freaking out about this, indirectly and directly threatening to sue the author, etc. The people disagreeing and bringing up problems were much more civilized until it went viral and then it turned into a cesspool of unproductive discussion.


In the linked Groups post, the author reports "physical threats and other forms of abuse". I find that very easy to believe and your post reads very uncharitable, unless you have concrete reasons to think that the author is lying.


> I find that very easy to believe

Yes, and that's the problem the GP is pointing out. We're a social species that's predisposed to defend a victim, that's why playing the victim is a very successful bullying tactic.


There's a big difference between using robust language and threatening someone. What we're seeing here is an obvious attempt by a small minded individual to play the victim.


There isn't playing the victim here. He was pointing out the large amount of noise around this. 99% of the people making this noise have not even read the proposal and do not actually understand what it means. It is hard to engage in a productive conversation if people are arguing against something that your proposal doesn't even do.


> It is hard to engage in a productive conversation if people are arguing against something that your proposal doesn't even do.

First thing they should stop taking for granted the right to make proposals. Which obviously leads to the fact that they should accept when their BS is rejected.


Threats can never be a justification for them to act against all of internet users, this is BS. One threat which can be manipulated by themselves (false flag) and now they have an excuse? Bullshit. If they have any problem with that, call the police, that's no excuse.


Justifying shady corporate practices by pretending to stand the moral high-ground is nothing new. Just recall Apple's child pornography nonsense.

"We are introducing web DRM to protect users from those evil people out there..."

The hell you are.


>who are afraid this feature will disrupt their illegal and/or unethical businesses

While benefiting unethical businesses like Google? That's called a cartel.


> It's somewhat ironic to me that some folks arguing passionately for the openness of the web (something I and many of the proposal contributors are also passionate about)

I cannot imagine the level of cognitive dissonance required to simultaneously believe you are passionate about the open web, and push something like WEI.

Either they're flat out lying about their "passion", or they've internalized some very contradictory ideas. Not sure which is worse.

Of course then there's:

> Attacks and doxing make me personally MORE likely to support stronger safety features in chromium, as such acts increase my suspicion that there is significant intimidation from criminals who are afraid this feature will disrupt their illegal and/or unethical businesses, and I don't give in to criminals or bullies.

Which makes me think they're just lying. Or, at best, they don't understand basic logic. Personal attacks and doxing are unacceptable, but just because people who do bad things hold a certain opinion, it doesn't mean everyone who holds that opinion does bad things. Or even that more than a small, vocal minority do.

But ultimately Google is an advertising & surveillance capitalism company. If you're going to work there, and on one of most of their public-facing products, it's pretty likely you're going to eventually do shady things in service of the company's main revenue streams. Your continued employment depends on it.


> I cannot imagine the level of cognitive dissonance required to simultaneously believe you are passionate about the open web, and push something like WEI.

> Either they're flat out lying about their "passion", or they've internalized some very contradictory ideas. Not sure which is worse.

After observing Google for many years, I've figured out that when Googlers say "the open web", what they mean is "running in a browser, not a native app". So anything that makes apps running in a web browser more competitive with native apps is "good for the open web", even if it reduces openness. I think for a lot of people this is not even bad faith; it's just how language is used inside Google, and people pick it up and it shapes their thinking.


It is the same thing govs do to suppress and label everyone as rioter and therefore evil


>I cannot imagine the level of cognitive dissonance required to simultaneously believe you are passionate about the open web, and push something like WEI.

Imagine a world where EME was not accepted as a standard.

1. Browsers do nothing to support DRM and sites like Netflix recommend people to just use a native app to experience the full Netflix experience. This weakens the open web by having sites leave the web and opt to move users to the mobile web instead.

2. Browsers adopt a closed standard for DRM. This weakens the open web because now a core use case of the web now uses a closed standard instead of an open one.


> 1. Browsers do nothing to support DRM and sites like Netflix recommend people to just use a native app to experience the full Netflix experience. This weakens the open web by having sites leave the web and opt to move users to the mobile web instead.

It would be easier if it was just Netflix using this crap like you imply. Nowadays, a good 10% of the websites have a popup "this page has DRM content, do you want to enable it?", I'm assuming it's used for advertising fingerprinting and malware even more than videos.

So yeah, requiring a netflix app is an improvement on the current situation.

> 2. Browsers adopt a closed standard for DRM. This weakens the open web because now a core use case of the web now uses a closed standard instead of an open one.

DRMs aren't the open web, they are the closed web, regardless if there's a specification or not, that doesn't change a thing.

And having an open specification for it lowers the cost of deploying them (as we've seen now, it's in a lot of places) which is bad.


The open specification doesn't really even mean much, because the specification covers how the DRM module interfaces with the browser, not compatibility between DRM modules. In practice, there is exactly one DRM implementation used on the web, and it is proprietary (Widevine). You could implement another standard-compliant DRM scheme, but no one would use it; the value of the standard is basically nil.


It still helps interfacing with Widevine, if the website had to tell each user to install a custom plugin, that would increase the work to do


>So yeah, requiring a netflix app is an improvement on the current situation.

If you are bothered by popups I'm sure you can disable them. I've never seen a popup asking me to enable DRM when I browse the web.

>DRMs aren't the open web

EME has a standardized JavaScript API for people to use. This is a public standard developed openly.

>And having an open specification for it lowers the cost of deploying them (as we've seen now, it's in a lot of places) which is bad.

Allowing copyright holders to have their hard work be protected is a good thing and allows for them to be willing to share them more if they can trust they won't be stolen from. Artists want control over how their art is used. Saying tough luck and that they should just deal with it being stolen is not productive and is ignoring their needs.


3. Firefox somehow manages to remain the dominant browser, refuses to adopt the standard and sites have to suck it up and deal with it.

If only that had actually happened.


That is the same thing as option 2. It would end up being an addon to Firefox like in the old days.


> It is difficult to get a man to understand something, when his salary depends upon his not understanding it


> unsafe working environment

what does that even mean? we are talking about internet arguments here right? how does "safety" even enter the conversation? this guy sounds off his rocker.

> find ways to reduce the harms of invalid traffic across the whole web

crazy talk.


Makes sense to me. If during the course of your work you have to read a bunch of internet comments with so much vitriol it is a personal and psychological safety issue. Personally I would not have chosen any job that would subject me to this kind of psychological abuse, and I would imagine someone choosing to work at Google would have thought the same.

Curiously your HN profile says "removed due to doxing, because people are awful" so I'd like to think you at least would have the empathy to imagine someone experiencing something similar to what you experienced. Internet arguments can hurt people; period.


Agreed. And, I can imagine anyone working on anything like WEI will not find a safe work environment so as long as their work environment involves being on the internet in any shape or form. So I guess if you work on the Chrome team and this is assigned to you, I genuinely do feel empathy, although I also think that you should probably quit if you value psychological safety.

This is a complicated issue. I view work as a mutual exchange: I work on software in exchange for money. It is a bonus when I think the software or mission is genuinely cool. That said, I'm not one to be highly moralizing about it. I'd quit if someone asked me to do something illegal, and I will (and have) generally refuse to do work that is just simply morally bankrupt (And I have been tested on this. Early in my career, I refused to remove annual subscription renewal reminders for a subscription service. I didn't suggest that I would quit if it were done, but I voiced my disapproval and made it clear I wouldn't do it. We didn't wind up doing this, thankfully.) But, I will generally work on things that I don't agree with. I'm vocal about it, but work is work.

But y'know, people have livelihoods to maintain. It's easy to say this if you live alone, have plenty in the bank, a great safety net, and a great network. (Not that all of that applies to me, but for sake of argument.) Certainly the job market is also tighter and the future of software engineering as a career is uncertain in some regards. So outright refusing to do work could be a scary prospect. Even being vocal about it and rocking the boat may be scary.

But that said, this being the case does not make the answer any less certain. While harassment and toxicity that crosses certain lines is not something I think people should justify, I certainly understand the why: working on something like WEI triggers an immune response from the proponents of the open web. And while I'm sure many people would prefer to do things "right", I think that there is an overwhelming feeling that the open web is hostage to the big corporate interests, and that the open web proponents are strongly outnumbered and outgunned in the modern world. And Google never played fair anyway, so they probably don't feel especially enticed to either.

So I think it's natural. What's going to happen is that this will probably continue to escalate, and I can't really say I strongly blame anyone. Google is probably happy to push this responsibility onto employees knowing it could be very mentally taxing, employees with increasingly poor career prospects will not want to rock the boat, and disgruntled "internet activists" who feel pushed to their limits are unlikely to care tremendously about the emotional damage they cause (it's not like the Internet is really known for its kindness to begin with.)

I'm thinking it's gonna be a good time to pivot away from computer careers these next few years...


Why? I don't know the name of anyone who worked on Private Access Tokens at Apple or Cloudflare. Likewise the developers who worked on the Secure Enclave, or the slow march Windows has taken to enforce TPMs.

This was mostly a media/social media storm in a teacup. With bad press because it's Google.

Chromium is huge because it's open source, so the bar is higher than macOS, Safari & Windows.

But it didn't make this proposal much different/worse than any of the others that already exist and are enforced.

At least we got some hilarious statements like "it's not needed because bots identify themselves by their user agent!"


Private Access Tokens are bad too, but they were much more limited in scope based on their design. One of the design elements of WEI in its own words is that some use cases would only work if it could be required for all users. Meanwhile PAT is attestation but the scope is explicitly intended to be for fulfilling the role CAPTCHA does today... optionally. Nothing about extensions like adblock that I am aware of. The point was to put users on proxies at the same level as users on residential IPs.

But is PAT good? Well no. It's bad for similar but ultimately different reasons. But until Chrome adopts it, it's just not scary.

The health of the open web depends on not having different user agents being treated as second-class citizens. Not only that, but locking the internet behind CAPTCHAs and remote attestation to fight bots is bad because it will always be playing favorites to bots like Google's. Today, and in the past, we've already seen what it looks like when the Internet does this. But it's just not going to be an acceptable solution to bots. If the Internet of the future is a hellscape of big corps controlling literally everything that remains with cryptographically enforced adblock, Yes I'd happily see it burn down instead. I don't really care if other people would prefer that to nothing, because to me it's a worthless future and a waste.

Attestation is not a real option that's really on the table.


The bad press is simply because Google has a bad PR team that does not do an adequate job to control its brand reputation. As simple as that. When other companies attempt this, at least the PR department does some damage control be it press releases or press conferences or whatnot. Google didn't.


I'm glad you used the phrase immune response. I would've opted for something like visceral reaction but yours is a better term. It's certainly the case on this forum. People on this forum can get way too attached to specific technologies or principles that they forget personal attack is never okay.


I'm sorry for the raw words but this is soy as fuck. This is the usual excuse of "well, we got harassment (which we totally deserved) so we are finally justified to do <bad thing>"... These companies present it like harassment and threats just come out of nowhere because people are unreasonable or "hateful", and they refuse to acknowledge they deliberately create the conditions for such extreme measures.

If they don't want harassment or threats, they should maybe stop messing with people's stuff...


Nonsense and an excuse to ignore any criticism they don't like



