It seems everyone is taking for granted the claim that this is about DRM. The claim is that websites (not Google) will use this signal to allow or deny access but this is already possible with various means. Google or any other browser vendor does not have a say on how websites use or misuse features.
> There is a tension between utility for anti-fraud use cases requiring deterministic verdicts and high coverage, and the risk of websites using this functionality to exclude specific attesters or non-attestable browsers.
This risk is already present and actually happening. What makes this not widespread is not that it is not possible (it is) but that it is unpopular. Websites that you are forced to use (many banks for example) do it every day and they get away with it because you have no choice.
Many articles are just repeating the "DRM" claim without explaining how this is different, what Google has to do with how websites choose to treat their users, or what solution they would propose. It seems to me just protest for the sake of it because it's trendy to question every Google initiative. And yes, every Google initiative must be questioned, but I don't see any questioning here besides just parroting in article after article what someone identified as a potential misuse without any critical thought going into it. Might as well autogenerate the contents with AI already because the utility of all articles I have seen on this topic is the same, just rearrange words without adding anything to it.
> It seems everyone is taking for granted the claim that this is about DRM. The claim is that websites (not Google) will use this signal to allow or deny access but this is already possible with various means.
How about you offer a reasonable opposing viewpoint? It's hard to see this, at best, as anything other than an extremely naive viewpoint. Every feature that can be used to lock down content and/or spy on users, will be used to do just that. That's true for every single feature that exists today. Claiming otherwise borders on bad faith.
> Google or any other browser vendor does not have a say on how websites use or misuse features.
That's settled then. Full filesystem, location, camera, and microphone access should therefore come on by default without a permission dialog. Why not bring back Java and Flash while we're at it! It's not the browser vendor's fault that websites are misusing it.
> Many articles are just repeating the "DRM" claim without explaining how this is different
This is different because any meaningful "attestation about the environment the browser is running in" can only be achieved via a full chain of trust, starting with secure boot, which will allow Google (and websites you visit) to verify that your system is using a Google-approved bootloader to load a Google-approved operating system which only loads Google-approved drivers and Google-approved software (or worse, website-approved software).
Read the proposal: https://github.com/RupertBenWiser/Web-Environment-Integrity/...
> That's settled then. Full filesystem, location, camera, and microphone access should therefore come on by default without a permission dialog. Why not bring back Java and Flash while we're at it! It's not the browser vendor's fault that websites are misusing it.
Now who is arguing in bad faith? If you have read the proposal, it's clear that they are being careful and are upfront about some potential misuses and the proposed handling of them.
> to verify that your system is using a Google-approved bootloader to load a Google-approved operating system which only loads Google-approved drivers and Google-approved software (or worse, website-approved software).
Again, there is no such thing proposed. The "attester" is not specifically Google. Anyone can become an "attester". The chain of trust is a chain that trusts tokens, not specific "things". If you, for example, would trust let's say Opera as the attester, Opera would need to trust Windows or Linux or Android as the OS attester.
The analogy here is the certificate authorities. You may very well have a "Let's Encrypt" attester that democratizes the good parts (certification) without the bad parts (too much information).