DRM to enforce viewing advertising as part of building their business model based on monetizing attention spans is nefarious and a terrible precedent. They've set the precedent now and good luck to them at preserving their business model if web sites end up doing the same thing.
Conversation
Also, enumerating badness simply isn't a viable approach to privacy and security. The same goes for doing it to try externally replacing the monetization model for the web. Needing to use DRM to try to make their broken model work demonstrates exactly why it's not a viable one.
1
How is using SafetyNet going to make any difference when it's such a weak software-based attestation model, anyway? They could use the hardware-based attestation but a model based on the root of trust rather than pairing is inherently not very strong. Way better than that though.
1
What are they going to do on platforms without support for arbitrary application-defined DRM via attestation? They could use hardware key attestation on Android (SafetyNet attestation is what they used and is easily bypassed) and some half measure on iOS, but what about desktops?
1
Thanks for sketching out some of your concerns in a bit more detail. Need to ponder.
So is weak attestation bad, or all attestation b/c it ultimately leads to lack of user agency?
Is the bigger criticism simply that ad-funded model is totally unworkable as a model?
1
If the last, then good bye Internet. It own't be user funded, not at $320B/year globally growing to $1T/year. If you have a better way, lay it on us. In the meanwhile, we level the antifraud playing field vs. G and FB native stacks (low adfraud incidence) vs. programmatic (high).
1
The painful reality seems there is no 'best' way.
Appreciate fear that normalising strong attestation for ad-views may lead to mandatory rather than optional ad-view by industry even if not Brave.
Also appreciate that without attestation fraud wins, content loses.
2
No Best Way = Worse is Better.
I object to double standards. Apps (including big ones) use safetynet and are not pilloried for "DRM" or accused of "enforced viewing".
Use the same yardstick on us.
1
I do call that DRM consistently. I'm using the same standards. I was very put off when I saw that Brave was doing this. Regardless, I suggested a stronger way of doing it without a hard dependency on a Google service to try to be helpful and was basically told to fuck off.
2
github.com/brave/browser- is one of the places that this started and github.com/brave/browser- is another. Notice how in both cases I was trying to help and was told to fuck off in response. I even put in work to resolve an issue for other browsers, but you aren't welcome to use it.
1
2
1
I talked about it on Twitter a while ago, which was followed with you folks spreading misinformation about Chromium and Android without Play Services. I took a deeper look into what Brave has been doing in particular with using SafetyNet attestation as a form of advertising DRM.
Who in that issue (github.com/brave/browser-) "spread misinformation"? Your comment points towards pairing, which is ok and we are doing it. But you are making a strong claim. Link to the issue comment, please.
1
I'm talking about the follow-up on Twitter. Anyway, now I just need to point to our own conversations for a whole mountain of bullshit and corporate spin. I was put off by far less than what happened here. None of the past nonsense compares to this. Really, *this* makes my case.
1
Show replies
You can whine all you want in my mentions about a couple tweets that I posted retracting my endorsement of Brave while saying I still considered it a better choice than Firefox. You did the opposite of changing my mind about not supporting it. I will actively fight you scumbags.
2
2
2
I'm not whining, I'm calling you either an ignoramus or a liar.
2
Show replies