It's worth understanding the problem it purports to solve in order to properly dismiss it. WEI positions itself in a way that sounds ambiguously like it might ever serve the user's purposes, and a clear framing of the problem statement would make it more obvious that it does not serve the user at all.
For instance, one of the framings of WEI is that it gives advertisers a way to verify the client so they don't "have" to do fingerprinting. Except WEI does nothing to take away fingerprinting, so advertisers will then have fingerprinting and WEI. (Even if it did simultaneously take away fingerprinting it would still not be OK, but the current framing is not even offering the user benefit it claims to offer.)
Before taking away fingerprinting there would need to be a sunset period to have everyone migrate over to the new API. Ripping it out before new APIs are available or doing it at the same time is irresponsible.
You can't "take away" fingerprinting, because it isn't a single API or even a single set of APIs. Fingerprinting is a set of techniques; you can nullify some of them, but there is nothing stopping companies from inventing new ones.
Despite what Google say, fingerprinting will never go away - any new feature in that space will just be in addition to existing and future fingerprinting techniques.
I'm not sure how that addresses the point you're responding to: regardless of the excuse, WEI with fingerprinting is bad, and WEI without fingerprinting is also bad, and fingerprinting without WEI is also bad
doing bad things (for example, any of the 3 above options) is more irresponsible than implementing bad things poorly
Let me ask you instead: "how you intend to prevent matrimonial fraud?"
…
You can not. Because that is not how world works - crime did happen, happens, and will happen. You can stop attempts or fight it by education or by arresting criminals but never eliminate or prevent it.
"You need signals of some kind to know whether a visitor is likely to be malicious or not."
Innkeeper in 13 century: "I need signals of some kind to know whether a visitor is likely to be malicious or not before he enters." - See how ridiculous it is?
You are being being wrong here - you don't have 'visitor' but 'client' and as far as I'm concerned you do not spy on every client to "know" if he "is likely to be malicious or not". You may be suspicious of client activities but that is what you can realistically do.
Also define "fraud and abuse" because this can mean many things which may have many solutions.
>Innkeeper in 13 century: "I need signals of some kind to know whether a visitor is likely to be malicious or not before he enters." - See how ridiculous it is?
That innkeeper would have used the signal of how the visitor looks. If a visitor was being malicious and got kicked out, that person could not just come right back in as the inkeeper would be able to tell that he was the same person as before.
Also your metaphor is not great because WEI can only happen after the first page load since it requires the site to use javascript to use the api.
>That innkeeper would have used the signal of how the visitor looks
Not like that ever backfired.
>inkeeper would be able to tell
assuming that he have photographic memory and visitor did not change his looks by any way (shaving, getting scar etc.).
if you have to refer to 'looks' you have IP - it has exactly same power as signal as looks.
>Also your metaphor is not great because WEI can only happen after the first page load since it requires the site to use javascript to use the api.
for user that is irrelevant point. As people do not care about how you run server - only if they can use the page.
To put simple - I run My browser of choice on my OS of choice with my stack as I wish (otherwise I wouldn't run Linux). The idea that server owner should get any say about this is simply intrusive.
There are various stakeholder interests which need to be balanced. As much as people like to invent nefarious motives, in reality there likely important players on the internet who have valid use cases for fingerprinting which cannot be broken carelessly. Efforts like WEI try to address their needs via alternative means. I agree that it's bot a guarantee, but it certainly seems like a possibility.
"There are various stakeholder interests which need to be balanced,"
said the giving-alcohol-and-cigarettes-to-children lobby,
"As much as people like to invent nefarious motives, in reality there are important players manufacturing alcohol and cigarettes who have valid use cases for children consuming them which cannot be broken carelessly."
Is there really much browsers can do to actually effectively restrict fingerprinting without going all out like Tor Browser? WEI may disincentivize websites to not use fingerprinting, but if they really wanted to, they could use it for de-anonymization purposes.
For instance, one of the framings of WEI is that it gives advertisers a way to verify the client so they don't "have" to do fingerprinting. Except WEI does nothing to take away fingerprinting, so advertisers will then have fingerprinting and WEI. (Even if it did simultaneously take away fingerprinting it would still not be OK, but the current framing is not even offering the user benefit it claims to offer.)