By the way, a very similar API has apparently been implemented in Safari since 2022. Seems like better marketing does wonders, as I haven't seen any discussion of this.

https://blog.cloudflare.com/eliminating-captchas-on-iphones-...

Some interesting bits:

> [...] We don’t actually need or want the underlying data that’s being collected for this process, we just want to verify if a visitor is faking their device or user agent. [...]

> [...] In the example above, a visitor opens the Safari browser on their iPhone and tries to visit example.com.

> * Since Example uses Cloudflare to host their Origin, Cloudflare will ask the browser for a token.

> * Safari supports PATs, so it will make an API call to Apple’s Attester, asking them to attest.

> * The Apple attester will check various device components, confirm they are valid, and then make an API call to the Cloudflare Issuer (since Cloudflare acting as an Origin chooses to use the Cloudflare Issuer).

> * The Cloudflare Issuer generates a token, sends it to the browser, which in turn sends it to the origin.

> * Cloudflare then receives the token, and uses it to determine that we don’t need to show this user a CAPTCHA. [...]

Sounds an awful lot like WEI to me, but at least it's called "Privacy Access Tokens" so it surely must be good...?

EDIT: turns out there was an HN thread about this a few days ago, I just missed it: https://news.ycombinator.com/item?id=36862494

> Sounds an awful lot like WEI to me, but at least it's called "Privacy Access Tokens" so it surely must be good...?

Google's PR strategy is to say "no need to worry, it's just like this Apple thing". But as Google themselves note in their explainer¹, they're quite different, and Google considers PAT insufficient for the kind of enforcement they intend to do.

For example, PAT is ultimately just "not a bot" attestation and so doesn't involve the exchange of device and browser environment data. In contrast, WEI needs that data to enable the kind of "DRM for the web" use cases we're reading about.

https://github.com/RupertBenWiser/Web-Environment-Integrity/...