mark nottingham

What would a Chromium-only Web look like?

Wednesday, 22 June 2022

Web Standards

Most of the complexity and nuance of the Web is stuffed into browser engines. Even though they’re a huge burden to develop and maintain, the world is lucky enough to have three major ones, and they’re all Open Source.

Many argue that browser engine diversity is the backbone of the open Web – assuring not only interoperability and user choice but also a bulwark protecting the Web from centralization.

So my ears perked up when I recently heard from a well-placed contact that “many in the Chromium community are arguing for a Chromium-only Web.” While the Chrome team (and friends) have long railed against what they perceive as other browsers’ plodding implementation of cutting-edge extensions to the Web, it’s a pretty big leap to advocate for a Web with only one browser engine.

On the face of it, there is some sense to it – after all, most W3C and WHATWG specifications have been written algorithmically (rather than declaratively) for a while now. Why not just converge on a single actual codebase? That way, interop on things like HTML parsing is perfect, but people can still choose the browser with the features (e.g., privacy protections) that they want.

It’s also not that far-fetched. Microsoft has already ditched their engine for Chromium; we’re all worried about Mozilla’s health and long-term (or even medium-term) viability, and Apple is only one competition judgement away from having to open up iOS to other engines.

After all, the code is what determines what browsers are capable of and therefore it defines the shape of the Web. Chromium already has a high market share of browser engines; why not just formalise it?

Putting aside the many arguments one might raise about diversity, risk management, innovation, and so on, I want to focus on one aspect of this potential change – governance.

Right now, to make something part of ‘the Web’, you need to convince a browser engine to implement it. However, they can’t (quite) go cowboy/cowgirl and do it on their own right now – they’ve all agreed to work together on the definition of what ‘the Web’ is in a Standards Developing Organization (SDO), most often the W3C.

I’m not going to paint the Web standards process as some Elysium of technology-for-good. It’s messy, slow, painful, and the outcomes aren’t always the best ones. It can be dominated by insiders, and sometimes their incentives are less than pure. The W3C in particular has longstanding governance issues that it is only now coming to terms with – for example, how to grow past a TimBL-as-BDFL model, and how to transcend being a membership organisation to being a true steward of a global public good. It also struggles between the requirements of browser implementers and those of other parties – with various motivations on both sides.

However, there’s a tremendous amount of merit there too. There are defined processes for making decisions, and documented principles to guide them. Decisions are transparent, and they can be appealed. Leadership positions are democratically sourced from and accountable to the community, and the only structural barrier to participation is financial, with accommodations for participation from those who have something to offer but can’t afford it. As a result, the organisation is truly multi-stakeholder, with representation from not only big tech, but small developers, web authors, academia, government departments, civil society, and advocates for things like security, privacy, and accessibility. There’s also a process for evolving the process.

All of these contribute to the legitimacy of the organization – i.e., it being broadly regarded as authoritative to administer its area of competence (in this case, the evolution of the Web).

While in theory that might matter to some users of the Web, where I really think it comes into play is with governments, who took a notoriously hands-off approach to the Internet for many years, but are now becoming extremely interested in regulating the Internet (or parts thereof).

It’s not that they’re eager to do so, despite appearances. Most people who are familiar with the regulatory process are painfully aware of the myriad ways it can go wrong; my Regulatory Policy and Practice class is basically a litany of grand regulatory failures.

That means that if there’s an alternative to heavy-handed regulation, it will get serious consideration – especially when what’s being regulated is a global public good, where coordination between multiple jurisdictions is necessary.

In this view, if SDOs offer a legitimate alternative to governance that is compatible with a government’s goals, why wouldn’t it be adopted? So far, this has worked. For example, even though the CMA is seriously concerned about the effects of Chrome’s changes to cookies on the advertising market, it has consciously taken a primarily observational role, watching to see what Google does in the standards process.

So what happens when Chromium is the only browser engine? I can see two possibilities, with roughly the same outcome.

In one future Chromium-only world, governance of the Web shifts completely away from Open Standards, and the Web becomes more like Linux – something based upon some historical standards but whose present and future are firmly governed by Open Source practices.

A slightly different future would be one where Chromium still draws on the Web standards process for broad review and community participation, but because of the increase in their power (something that people already complain about regarding browsers in the W3C), the implementers are effectively in charge, and the SDOs are just along for the ride (even more so than today).

Either way, governance of the Web’s evolution is either in the hands of an Open Source project, or completely dominated by one. And that project is notably light on many of the aspects listed above as underpinning legitimacy.

While it’s transparent in the sense that anyone can browse the source code (if they understand it), it’s not transparent in terms of decision-making. While it’s open in the sense that anyone can become a committer, even if they don’t work for Google, there’s a barrier to entry in that you have to write code, be nominated and confirmed by three existing committers, and not have anyone else object. Accountability and appeal mechanisms are opaque; as far as I can tell, what happens is up to whatever politics are going on between the committers.

Of course the Chrome team and other Chromium folks will continue to consult broadly to make sure they understand the impact of their decisions; they’re notorious for being data-driven and meticulous. Their intent isn’t in question (at least by me); it’s more fundamentally a question of how do we organize society so that important decisions are made well? And, what will be considered legitimate governance of the Web?

Returning to the Linux analogy, you might say “so what? The Linux Foundation is perfectly capable of governing Linux, with Linus at the helm. What’s the difference?”

I’ll leave the detailed comparison of governance at the Linux Foundation and Chromium to someone else, along with any comparisons between Linus and Tim. The more important point is that we already face a legitimacy deficit in governments’ eyes with SDOs; reducing governance to a loosely-defined, GOOG-dominated Open Source project is going in the wrong direction.

I strongly suspect that in a Chromium-only world, governments already suspicious of big tech’s influence over SDOs will have absolutely no inclination to consider Open Source governance as legitimate for something as important as the Web. While currently they’re somewhat willing to defer to SDOs in most cases, Open Source governance won’t get the same benefit of the doubt, and browsers will likely be regulated as many other products are, with exacting government-led standards for their design. I’ve written before about the pitfalls on that path. In short, expect fragmentation and ossification.

And just in case you think that cookies are the only place intervention might take place, consider encryption. And accessibility. And browser fingerprinting. And DRM. How will the Web look when they’re all regulated by multiple governments, or by groups of them (in the same way that trade is increasingly regulated by regional trade agreements)?

To be clear, I think Open Source governance is great for its intended purpose – oversight of the design and implementation of a software project that others can use at their option. The issue here is that it’s no substitute for well-designed, multi-stakeholder governance of what has become critical infrastructure and a global public good.

I’d be curious to know what the more senior folks in Chromium, Chrome, and Google think about this. It could be that this talk of a Chromium-only world is just junior engineers venting frustration at the difficulties and slowness of the Open Standards process. But maybe not. Arguably, wrenching HTML, the DOM, and other core Web infrastructure away from the W3C into the WHATWG – a very Open Source-flavoured club of browser engine vendors – was a first half-step towards this, and that didn’t result in any visible negative consequences.

Update: Jake Archibald responded on Twitter:

No, a Chromium-only web is not a goal of Chromium, and not a view we’ve seen tolerated in the community.

and then:

As a developer in the IE days, and someone who has to ship things that work on iOS, I’m very much aware of the dangers of a browser monoculture.

That’s good to hear, and I really appreciate Jake’s candor there. In my estimation, he’s a trustworthy person and also someone who tries to act in the best interests of the Web (as is my original source, who I won’t name).

And then, Sam Sneddon, another engineer with an excellent reputation in the community, chimed in with:

FWIW: I’ve also heard several people echo positive sentiments about a Chromium-only web, mostly from when I was more around the Chromium community. I don’t think it’s representative of a majority, but I think it’s a notable enough minority?

Later, Jeffrey Yasskin (also a Chromium person, and also an ethical, thoughtful person in my estimation) started a thread with:

A Chromium-only web is definitely not a goal, but I, at least, see it as fairly likely to happen anyway. I see 4ish possibilities […]

So take that as you will. Personally, my takeaway is that even in a multi-engine world, we need broader input and accountability than just a bunch of browser vendors agreeing on what the Web should be. SDOs should strive to fill that gap, so they are seen as legitimate not just for creating technical specifications, but also doing what’s right for society.

It’s not that they have democratic authority, all the answers, or even the ability to always get it right. What they do have going for them is a rare concentration of expertise, a global scope, and the fact that the alternatives are much worse.