 Okay, so we immediately need to start talking about the web integrity API that Google is proposing, because even though this is just a proposal, it's already being implemented in Chrome, which is like the most used browser of them. And it's a pretty big deal, so let's talk about it. So you know how many applications in Android, such as Netflix, will simply refuse to work at all unless they are being run on a certified device with Google Play installed on it. Fun fact, this is why I cannot watch Netflix on my own tablet. And it's pretty frustrating, you know. Of course, it makes sense for them by, as they say, checking the integrity of your device. They can make sure that you cannot record your favorite Netflix show and show it around as an example. Having the certainty that your device isn't compromised in any way is required to have good DRM, which is what all of this is about. So Google has proposed to add web integrity API that allows websites like Netflix to check the integrity of the device, regardless of the operating system. It feels like they took the approach that they went with Android and replicated it on the entire web. This raises so many questions, though, like why, how? So on the website part, it's a pretty easy. So the idea is that there's now a function called navigator dot get environment integrity. And simply by calling that, you get an attestation. But what exactly is meant by environment integrity? So the general idea is that your client environment, your browser, the operating system is honest about certain aspect of itself, keeps user data and intellectual property secure and is transparent about whether or not a human is using it. So the emphasis is on keeps intellectual property secure. I think it's pretty clear what this means, DRM. So of course, it's also quite interesting to have is transparent about whether or not a human is using it. The reasoning behind the necessity of knowing whether you're a human is the following. So websites often rely on advertisement work, fair enough. And advertisement is only remunerative, is that how you pronounce it, only if viewed by humans, not robots, so fair enough. But then we discovered that this web integrity, which is supposed to distinguish between humans and robots, is also meant to be used to avoid fake engagement in social networks. This way, websites can only show users content that is popular with real people, if websites are able to know the difference between a trusted and untrusted environment, which is well risky. Maybe it would pave the way for websites like Twitter, X, I meant X, obviously, to completely ignore you if you're not in a trusted environment. If that wasn't enough, another use case, again, all taking from the project documentation itself, is undigit. Online video games want to know whether you're human to make sure you're not cheating. So without a trusted environment, you might not be able to watch streaming films and shows or use a social network or play video games online. So the obvious question is, how are you going to achieve these web integrity status given just how important it might be if websites that this is actually designed for actually start to use it? Well, I had to dive into the technical stuff, and I really hope that I got it right. So ignoring the cryptographic aspect of this, so public case, private case, blah, blah, blah, you do need a third party, which is not going to be the browser, to attest the integrity of the system. The good news is that operating system, the platform, is expected to do that. And I would be surprised if we couldn't make sure that even on desktop Linux, there's always a component that attests the integrity of your system. The bad news, however, is that the website knows who the attestor is and the website can decide to trust or not certain attestors. So let's make an example. The one attestor that the whole introduction keeps mentioning is obviously Google Play for Android devices. If I open Netflix on the browser, Google Play is going to attest for my browser integrity and Netflix is going to be like, oh, Google Play, I can trust those guys, whereas if I do the same thing on Linux, I would expect that attestor to be something that's related to Linux, though this is very much unclear. And Netflix could just be like, hey, you know what, no, I do not trust those guys. And given just how many streaming platforms have killed Linux support for little to no reason, I wouldn't be surprised at all if they went with that approach. So who can be an attestor? Well, anyone? It just says browsers should publish their privacy requirements for attestors and allow websites to evaluate each attestor. Users should also be given the option to opt out from attestors that do not meet their personally personal quality expectations. Pretty confused about that, but this is extremely risky. The thing is that the Google employees that proposed all of this know exactly about the risk, and they say some websites may deny service to browsers that they disfavor for any reason, like, you know, being run on Linux. In fact, they say some website might exclude some operating systems. So yes, yes, yes. So let's see what the authors propose as a solution stand. So the first one is hold back. The idea is sometimes randomly, even if your browser is within 100 percent attested, super cool environment, this API will pretend that you are not in a trusted environment. These will happen just a small fraction of times and only for a small fraction of clients. But it should be enough to stop all of these worries. Of course, no website would be able to deny access to a user simply because the environment integrity API fails, because they know that these API sometimes just pretends to fail and they would be denying access to real customers. But what's the whole point of the whole thing then? Well, the idea would be that to use this API in an aggregate analysis. So as an example, let's get back to social networks. Let's say we have a tweet, a post of. Just suffer with thousands of likes. So let's say that you only count the web integrity API certified ones. Well, then you're going to lose some actual likes from actual people because of this hold back thing. But it's just a small percentage. It shouldn't be relevant. This way, you can still get something useful out of the API, but only if you use it in an aggregated manner. Obviously, this hold back thing doesn't actually solve anything. Firstly, websites can still decide not to trust Linux, as an example. Maybe they won't deny the access to the website. But getting back to Twitter, the Twitter example, they might decide that they don't trust Linux even on the aggregated data, which means that all tweets liked by Linux people will be considered less than tweets like by Windows people because we are just less trustworthy. Finally, I'm not dumb. It's pretty obvious that all of these websites, online video games, streaming services and such want the actual API without the hold back. They are going to ask for it, and they're pretty big websites. So they're gonna win. In fact, not even the proposal says we are going to implement hold back. They just say, you know, it's an option, but we aren't so sure about that. What do you all think? So they are not going to implement hold back. And if they do, they are eventually going to turn it off. It can be done anytime. And boom, we're back at use Linux. Forget the internet. So what does the internet think of this web integrity API? Well, without any surprise, everybody hates it. The really important point is that there is no reason whatsoever why users would want this. This has no positive side for them. It makes everything worse. Why would we want this? Like seriously, so you know who wants it? Big streaming companies, advertising companies like Google, who owns Chrome, the most used browser other. Mozilla said that this API contradicts their principle and vision for the web. The World Wide Web Consortium, not some random games. The World Wide Web Consortium said that the API is not compatible with the vision of an open web. The Vivaldi browser says that this API is dangerous. The Free Software Foundation says this is an all out attack on the free internet, which it is. The brave browser says that they will not ship this API. Everybody hates this, except Google. And of course, Google is pretty powerful. They already started implementing this and there's already code for it. They will say, sorry, they say initially this will only be supported in Android because obviously they already have the Google Play Attester there. Then this feature will require active integration per platform, meaning that every operating system will need some sort of component that will act as an attester. If this gets implemented, it will be a disaster for us Free Software fans. And keep in mind that I've talked about Linux being untrusted a lot, but generally speaking, everything that's ever so slightly unstandard won't be trusted. If you create a new web browser, boom, you won't be able to access half of the internet. This is bad. Even worse, yes, it just keeps on going. Given that the attester checks for the browser integrity, if you're using a platform with an annoying enough attester, like Google Play, they might actually check whether or not you have an ad block enabled. And if so, they might not give you the certificate of trusted environment. The introduction of the proposal clearly states that these kind of things are not goals and should not happen, but technically speaking, as soon as you introduce the concept of a trusted environment to protect advertisement, it feels like a logical next step and it could actually be implemented. So one thing before I disappear into the void. So I just wanted to say these videos take a lot of time to research, write, record, edit, and so on. And they are not sponsored by anybody. So I do also offer a lot of extra stuff that I don't have to offer, like subtitles that are handwritten and a full transcript of the whole video. If you prefer reading over watching videos, all of this takes time. And money. So if you're able to donate something to the channel, this is going to make sure that I keep on doing all of this. So you would join a pretty big community of people whose names you should be seeing around me. And you would get some extra benefits because of that. Specifically, I do make an almost daily podcast about Linux news, that is patterns only. I also contribute to KD Plasma and your donation would help me spend more time working on it. So thank you, everybody. Thank you so much to everybody who's helping me out. I wouldn't be here without all of you. That was everything. So nick out.