Blink WEI “will not ship in current form” (toot.cafe)
40 points by tbeseda on Aug 6, 2023 | 14 comments


Whether it was a shadowy executive cabal or a couple of overzealous minions who proposed WEI is kind of immaterial. Google has too much power to decide the fate of the Web, and no incentive not to exploit that power, and something must be done to stop it before it's too late.


How is that the story here? Alex literally just said he - a Microsoft employee - had the power to block this. And would have.

There were tons of other w3c entities which could have blocked this specification. TAG & Security groups would both have had says.


What makes you think they'd listen to the W3C if they said "don't do it"?

They'd likely just spin up an "independent" body to manage the specification and publish it outside of the auspices of the W3C. That's what they did with AMP, after all, which sits under the OpenJS Foundation now.


Google kept promising that the search-rank benefits you'd get through AMP would be available via standardized means. And they worked hard to follow through on what, continues to seem to me, to be an excellent wonderful set of technologies that allows impressive & powerful "Local-First"/offline-capable systems for the web, which I really wish had wider adoption (WebBundle & signed http exchanges).

Google themselves actively worked to make AMP non-critical, to make it an implementation detail / toolkit rather than a top-down mandate. And the general idea is solid. To me, there were two major themes: fast rendering components that won't force redraw & wouldn't even block, and the ability to embed/transclude content so Google themselves could feel safe letting you isolated-ly display your content on their search results. The modern incarnations of this idea are very privacy preserving (originally it was less so).

It is a warped point of view, in my opinion, to accuse OpenJS of being a Google puppet with "scare quotes" ""independent" body" nonsense meant to frighten & terrify. OpenJS is home to Node.js, webpack, jQuery, Dojo, and many others. OpenJS has not been a problem or a shill. This was a sensible place for open activity. It's a Linux Foundation project, which - while it has problems (it doesn't do jack to get independent developers a dime, and fuck that noise) - is a fairly respectable organization for collaboration & concern.

To me there's just so much conspiracy-mindedness & reactionary-ism around WEI. This is one topic that deserves the bombasticness, that we should react hard to! But there are processes and checks. Google is far & away the most up-front most-clear, is by far the earliest company to talk about & discuss plans & ideas, and the only company anywhere that has any process for trying stuff/getting data without any commitment to it (Origin Trials).

It's so concerning to me how much it feels like people want to lose their minds over stuff. These chain reactions of negativity are such a power in the world today, but whether or not they have truth & perspective & whether they contribute or distort the dialectic is of such high concern. I struggle to think of what pieces of @m2ys4u's post here contributes & informs & is well coached, but I see so much of it that is aimed to exacerbate, instigate, reactionary-ize. I've tried hard to acknowledge some truths about early AMP, and that was a shitty time, but 2015 was a long time ago and most of Google's promises at the time to follow-through on enhancing rather than controlling the web seem to have been quite seriously followed through on.


"in current form" means our work on opposing Google here is not over.

We need to salt the ground this was grown in and make sure it never comes back.


Scorched earth. Forcibly dissolve Alphabet.


Honestly: good.

The fact that it was even proposed means there are elements out there pushing for this stuff. Who knows whether it was a shadowy executive team or just some out of touch developers and PMs.

I wish there was more to say, but the backlash was swift, fierce, and to the point.

Good work.


Chrome has one of the most transparent, pre-declared software delivery models on the planet.

This does sort of seem like the system is working as intended here. Give people enormous power, but do so in a transparent clear way with lots of review. Rather than a top down organization, this bottom up engineering allows in a lot more potential.

And some of the potential is bad. Do we the technical masses trust in the process, in the various discussions & checks built in to the w3c system? How much is our hunger for attention & excitement & drama fueling a mania, a craziness? 0? Maybe a tiny bit? Or is there real harm to the media cycle blow up beyond proportions to every potentially salacious idea that shows up on radar?

Like Alex, this was a huge deal. A huge issue. But it seemed unlikely to get far as a standard, and had barely begun review cycles, just getting some standards positions, not even getting TAG or security review requests started.

I really like Chrome's model, how proactive & transparent they are, so early. In contrast, most web vendors just ship stuff. Safari just shipped Private Access Tokens, which are Web Environment Integrity, in different name. https://news.ycombinator.com/item?id=36866355 https://www.snellman.net/blog/archive/2023-07-25-web-integri...


As if four Google engineers advanced a proposal to make sure ads on the page get served because of their own, non Google, interests.

"They just love ads!"


>is very much worth worrying about as a direction of travel, but not without context

What's the context where WEI could be seen as a positive?


Well, enterprise VPN clients have built in similar attestation[0]. So probably there are cases when it could be useful in browsers. The question is not if there are use cases, it is "can we stop all websites from requiring it?" and the answer is no.

[0] The Linux support for that goes from "bad" (check `uname` for kernel version) to none. At least with one client I had to use a copy of the "system report" file from a Windows machine and it worked. Makes me wonder how much of it is just security theater.


Verification that online communication is a human and not a bot. In short order it will not be possible to know if the person on the other side even exists unless there is a highly reliable "humanness" indicator. We are almost there for live text and audio communication, and video is advancing swiftly.

The FBI has already put out alerts about scammers and other evildoers calling people using the voice of their family members.


How exactly does it stop bots? At best it stops everything but full-blown browsers from communicating with web servers (that includes `curl` and web security scanners). Even if it kills stuff like Selenium, bots can just use mouse/keyboard input. Unless we go all the way, and require DRM in every piece of hardware, so for example "Rubber Ducky" no longer can claim to be a keyboard. That would be more restricting than current MacOS.


The OS could have software that detects if bot-like input is occurring.

Even if not, they could just rate limit how fast you can make requests to a speed that's plenty for any legitimate user but terrible for bots. If someone wants to astroturf as a million people on social media, they will need a million physical motherboards and a million genuine licenses of Windows, and a million rubber duckies programmed not to act too fast or too continuously. No more Xeon blades with a fat WAN pipe running a credentialed script.

I actually don't know if input devices still don't have TPMs or not. I know display devices do - try watching Disney+ on a CRT, or even an old HDTV. You'll get a nice error message saying your display is too old and unsupported.



