The mazy web she whirls:
starting Open Web Advocacy
There is an organisation called OWA. There is a muse called the Lady of Shalott. They’re both believers in opening the web. And both of them need your help. If you’ve ever wondered (while you’re looking angrily at caniuse) why you are half-sick of drop-shadow(), or why the web is cracked from side to side… your loyal knight and true is here.
Transcript
In the summer of 1843... [laughter] Sorry. [laughter] Alfred Lord Tennyson published his second book of poems.
In it he told the story of a mysterious woman, the Lady of Shalott.
In 1989, mid-1990, Tim Berners-Lee wrote a set of proposals for CERN, which became the World Wide Web.
And in August 2021, two Australian brothers, Alex and James Moore, contacted me and Bruce Lawson about how we might talk to tech regulators about browsers.
This is their story. [laughter]
I don't know why all this stuff happens in August. I can't even get clients on the bloody phone in August half the time.
Anyway, hi. I'm Stuart Langridge.
I've learned already today that I need to leave you more confused than when you arrived, and that I should destroy global capitalism. No promises, but I'll see what I can do.
What I'm here to talk to you about today is open web advocacy, both the organization and the process, and about the Lady of Shalott.
On either side the river lie, long fields of barley and of rye, that clothe the world and meet the sky, and through the field the road runs by, to many-towered Camelot, and up and down the people go, gazing where the lilies blow, round an island there below, the island of Shalott.
Willows whiten, aspens quiver, little breezes dusk and shiver, through the wave that runs forever, by the island in the river, flowing down to Camelot.
Four grey walls and four grey towers overlook a space of flowers, and the silent isle embowers the Lady of Shalott.
So here, class, this is our first glimpse of the Lady of Shalott.
She's the envy of all who look upon her, who all dream of being seen by her, and she's set apart from others, up in her tower looking down on the people as they look up aspirationally at her.
So remember her, we'll come back to her.
So I got this message August 2021 from Bruce Lawson. Wave at the people, Brucey-kins.
He said we needed a high-level important business meeting.
He said we'd been contacted by two brothers, Alex and James Moore, two Aussies, about talking to the CMA about web browsers.
Now the CMA is the UK's competition regulator, and they were doing a mobile ecosystems market study.
So the CMA, to quote their website, is a non-ministerial department who ensure that all industries in the UK are competitive. They used to be called the Monopolies Commission, for people who remember that.
And they say, "We help people, businesses and the UK economy by promoting competitive markets and tackling unfair behaviour." They ensure that supermarkets compete fairly, nobody creates cartels, that tech isn't being used to monopolise users and force out new entrants into a market. And this was them looking into competition in the supply of mobile browsers and browser engines, among other things.
They were looking at whether Apple and Google's effective duopoly over the supply of operating systems (so iOS and Android), app stores (the App Store and the Play Store), and web browsers (Safari and Chrome) could result in consumers losing out.
And what we wanted to do was make sure that web browsers were front and centre in that discussion.
So we're going to try a little exercise. This is State of the Browser. So I imagine you all know this one.
How many of you know that web browsers on iOS are just skins around Safari? Give me a hand up.
Almost all of you. Fabulous.
You've got Chrome, you've got Firefox, you've got Vivaldi.
Is there Vivaldi on iOS? Apparently.
So you've got Chrome, you've got Firefox, you've got Vivaldi, but they're all Safari's rendering engine.
[Policeman] "Who is that?" [Fred] "This? This is the end of the mystery!" [Policeman] "Well, well! It's" [Steve Jobs voice] "the full Safari inside." [laughter]
So, slightly more difficult one. Android doesn't block other browsers. So Firefox on Android is actually Firefox. It's using Gecko, Firefox's rendering engine. Now, Android supports adding web apps, PWAs, as proper apps. Hooray! They show up in the app drawer, all of that kind of thing.
And the way this is done is with a process called Web APK minting. So what happens here is the browser sends the web app off to a server. The server creates a signed APK and sends it back down to the phone, and then the phone installs it.
Google has one of these for Android, one of these servers, the Web APK minting server. Samsung has one, but only for Samsung phones. That's it.
How many of you know that only Chrome has access to Web APK minting?
Considerably fewer of you.
Other browsers on Android don't have this. So Chrome has the ability to install a website as a proper app. Everyone else, not so much.
So this is the kind of thing we wanted the CMA to care about.
The aim here is to allow browsers to facilitate web apps being true substitutes and competitors to native apps.
And I'll be honest with you, I was not confident about talking to a government regulator. I kind of assumed, right, we're talking to a government regulator about the web and technology. I kind of assumed we'd walk in the door and get this.
I'd be like, "Hi, I'm Stuart Langridge, here with Open Web Advocacy."
[Exaggerated posh voice] "Ah yes, young fellow, my lad. I'm Colonel Sir Bufton Tufton. Welcome to the CMA. We're here to work out whether there is sufficient competition in ways to surf the information superhighway. I have a mo-dem myself, you know."
Um, okay. Maybe we could start by looking at hardware access from web apps on mobile phones?
[Exaggerated posh voice] "Mobile phones. Actually, maybe you could help an old duffer with that! I wanted to set the wallpaper on my Nokia Communicator to be a picture of my favourite horse! But it's inexplicably the Daily Telegraph! Can you fix it?"
And it turns out, it was not like that at all! Which is very, very pleasing. The group we saw, they were smart, they were plugged in, they knew what they were talking about. More importantly, they knew what they didn't know. They asked us sensible questions, they let us speak to them.
It turns out, surprise, our government can actually do this stuff! If they create an agency which is independent, anyway.
So, talk to the CMA. Happy.
And here we come back to our Lady of Shalott, sitting up in her tall tower. What was she doing, Lord Tennyson?
There she weaves by night and day, a magic web with colours gay.
And as the mazy web she whirls, she sees the surly village churls, and the red cloaks of market girls pass onward from Shalott.
She loves the web!
Or at least she did back then when she started.
[loud static]
[Steve Jobs] "We have been trying to come up with a solution to expand the capabilities of iPhone by letting developers write great apps for it and yet keep the iPhone reliable and secure. And we've come up with a very sweet solution. Let me tell you about it.
So, we've got an innovative new way to create applications for mobile devices. Really innovative. And it's all based on the fact that iPhone has the full Safari inside. The full Safari engine is inside of iPhone. And it gives us tremendous capability, more than there's ever been in a mobile device to this date.
And so, you can write amazing Web 2.0 and Ajax apps that look exactly like and behave exactly like apps on the iPhone. And these apps can integrate perfectly with iPhone services. They can make a call, they can send an email, they can look up location on Google Maps.
After you write them, you have instant distribution. You don't have to worry about distribution. Just put them on your internet server. And they're really easy to update. Just change the code on your own server. Rather than having to go through this really complex update process.
And they're secure. With the same kind of security you use for transactions with Amazon or a bank.
And they run securely on the iPhone. So they don't compromise its reliability or security.
And guess what? There's no SDK that you need!
You've got everything you need, if you know how to write apps, using the most modern Web standards, to write amazing apps for the iPhone today."
Those were the days, eh?
But then, a shiny pretty knight arrives. Jewels on his saddle. Silver on his bugle. All covered in shiny tempting gold. And the beautiful lady up in her tower got distracted by all the gold. And she stopped paying as much attention to the Web that she once delighted in.
Let's talk about the patch gap.
Everybody has bugs, right? It's a fact of life, in software at least. You can't stop it. And if you do know how to write software without bugs, I will happily buy you a beer this evening and find out your secret!
So what's useful to look at is not how many bugs there are necessarily, but how long they take to fix.
So this is data from Google's Project Zero. It shows the amount of time between when a bug fix went into the public repository for Blink or for Gecko or for WebKit, and then when that bug fix became available to actual people running the actual browser that's based on that browser engine.
So what we're plotting here is the gap between those two things happening. So you want this number to be low; towards the left-hand side of the graph. On the left-hand side of the graph, that's good, because it means a bug fix goes into Blink, and then it shows up in Chrome quite soon after that point.
So there's less chance of it being exploited, right? As soon as a bug is published in Blink or whatever, people can see the commit that went in, they can work out what it fixed, and therefore there's a sort of a region of exploitability after it goes into the open source thing, but before people's browsers have got it.
So this graph's a bit complex, so let's simplify it a bit. This is the graph just for Chrome, right? All mostly pushed over to the left, which is good.
Here's the graph for Safari. Mostly over to the right. The change here is pretty obvious, as you can see. Safari's patch gap's pretty big, because this is what happens when you de-prioritise your browser because you lose attention on it, you fall behind.
But you don't have to de-prioritise your browser.
And these are old statistics, right? This patch gap graph from Project Zero ends in 2021, which is ages ago, right? Internet years are like dog years. Go past very fast. In 2021, we were all still into air fryers and stuff, can you imagine?
[laughter]
It says in my script here, OMG, I can't even, but I didn't write that. I don't know what it means.
Anyway, what's happened since 2021?
This is a list of CVEs, security issues, in browsers over time. Again, it's a bit complicated, but it does have data right up to the present day.
What this is showing is the number of security issues in each browser in each year. So being high up the graph is bad. That means you had more bugs. Being low is good.
And if you look at this, you see that yellow bar is Firefox. Pretty constant over time. Pretty much somewhere in the middle, like that. That's what our browser manufacturer might be expected to do. So we'll call that our baseline. Right? Above, bad. Below, good.
If you're doing worse than Firefox, you're having more security issues, maybe there's something there to have a look at.
So let's take a trip to Planet Chrome. Chrome, I mean, here at the beginning, just about managing to keep pace with a team with one one-thousandth of their budget. Good luck, Chrome team. Sponsor, sorry.
[laughter]
You're great!
But it's all got a bit wrong recently. Safari, though. Safari was really high some years ago, but recently, much, much lower. They're doing much, much better.
There are a lot of issues with these figures. This is only one number, and making any kind of decision based on only one number and someone's presentation of that one number is dodgy. Huge bin lorry full of salt before you make decisions based on this.
But I think it's fairly obvious that something's changed, especially with Safari's attention to detail.
What prompted that change? That could be a lot of stuff, but I think it's reasonable to suggest one contributing cause. As mentioned, in 2021, the CMA started their mobile ecosystems market study.
Right here. [laughter]
And they weren't the only ones. A whole bunch of tech regulators all around the world finally got on board, started asking questions about browsers around that kind of time, and browser diversity and which limits on browsers are reasonable, and whether it's okay for an operating system manufacturer to limit which browsers run on their operating system.
And change... [chuckles] started to happen at the same time as that. At the same time as regulators in the UK, in the EU, and around the world, started asking questions.
That's why we talked to them, after all.
It's a similar story in other places.
If you look at the Interop figures... now Interop can be a bit contentious, because exactly what gets onto the Interop list of things that get assessed is a bit quiet and difficult to get a handle on.
But the numbers don't lie. In 2021, Safari were behind, and in 2023, they aren't.
Good. This is all good.
They're behind again in 2024, but 2024 is not over yet, and Apple stuff tends to happen towards the end of the year, so it wouldn't be fair to show those figures, so I'm not going to.
But there certainly seems to have been a change in the amount of attention being paid at about the same time as a bunch of investigations started happening.
Now, there ought to be some short, pithy way to sum that up, but I can't think of one. When I want short, pithy summaries of tech stuff, I know who I turn to: Alex Russell!
He's got some good tunes, our boy Alex.
This is the power of just the threat of competition.
Our little gang of folks had started to grow. More people joined, helped out, became part of it.
We'd come together enough to give ourselves a name, Open Web Advocacy, OWA.
And we talked to regulators all over the world about this stuff: in the UK and the European Union, Australia, the US, and Japan.
And we called upon the web developer community for help.
And the regulators listened, and the web community answered. And all this started to have an effect.
And let's be clear here, this is not just about Apple banning other browsers. The regulators are investigating big tech companies as a whole for all the things they're doing wrong.
And Google are a long, long way away from being an innocent party in this, right? Tracking people in incognito mode, hidden extensions that work on Google sites only, Google properties pushing Chrome.
Regulators do not like this stuff. And rightly so.
Microsoft wedging "Hey, why not run Edge?" into every corner of Windows has not gone unnoticed.
I could do like a whole separate talk, maybe next year, on in-app browsers and the shenanigans that go on there from Meta and TikTok.
Apple fans tend to push a line there, that they're the last lonely line of defence against Chrome taking over.
It's not true. It hasn't even happened on macOS, right? There's free browser choice there. A third of people still use Safari, the default browser.
But there is a grain of truth in it.
But given all this, the regulators started regulating.
"No," says the European Union, "it is not reasonable of you to require that there's only one web browser."
The web is about diversity. That's how we stop one company taking over, by stopping all companies from using their existing money and their existing market share to push out competition.
No, Google, you can't steer people towards your own services.
No, Meta, you can't charge people if they refuse to give you data.
And no, Apple, you can't exclude all browsers from your phones except your own.
And the clues were all there in the poem.
This is William Holman Hunt's picture of our Lady while she's being distracted by the shiny gold of the knight. Wonderful for details, Hunt. This is Hercules, capturing the golden apples of the Hesperides, his 11th labour. Hercules the hero, representative of humanity.
Here he is trying to free the apples.
[LAUGHTER]
But the reason this was a labour rather than just... scrumping is that there was a guardian serpent in the way.
Life reflects art. Again, I didn't make this stuff up. I'm right there in the painting.
Because the guardian serpent tries to bite back.
In February this year, Apple decided there would no longer be home screen web apps on iOS.
From now on, everything that used to be a web app was a bookmark. It would open it in the Safari tab, not like an app. No privileged access.
I mean, at first, honestly, we assumed this was a bug. Because there's no way they'd actually do this, right? This was a long step away from the web.
She left the web, she left the loom, she made three paces through the room, she saw the water lily bloom, she saw the helmet and the plume.
This did not go down well. Most of you here might actually remember this happening earlier this year. People were furious. Pushback in every possible realm. Articles in every tech media outlet. Anger on all sides. You rouse the voice of the web, and you'll hear it loud and clear.
Out flew the web and floated wide, the mirror cracked from side to side, "The curse has come upon me," cried the Lady of Shalott.
And at OWA, we wanted to be sure that all this web developer feedback, how betrayed people felt by this, we wanted to make sure it wasn't ignored. That it couldn't be dismissed as a few loud voices, as people have tried before.
So we put together an open letter. And we invited people to sign it. And people did sign it. 4,000 people signed it. MEPs, 400 different companies, people from 100 different countries, literally all across the world. Nobody wanted this, and everyone stood up to say so.
I would have thought, if you wanted 4,000 web devs to all do one thing at one time, it would be get the syntax of clip-path wrong. But no.
I imagine a good chunk of people in this room probably signed that letter. Did you sign it? Hands up.
Sweet. I would like to say, on behalf of OWA, you're fantastic. Thank you very much. We're very pleased. Cheers. You made your voice heard, and it was heard.
Because Apple, one of the world's richest companies, they heard our voices, and they backed off. They completely reversed the decision. The ban on PWAs... wasn't.
[Quoting voice] "Developers and users who may have been impacted by the removal of home screen web apps in the beta release of iOS in the EU, could expect the return of the existing functionality for home screen web apps with the availability of iOS 17.4 in early March."
And it's working. The Verge says the iPhone is now more fun in the EU. Federico Viticci at MacStories says, "I personally feel like the DMA fork of iOS is the version of iOS I've wanted for the past few years. It's still iOS, a more flexible and fun version of iOS, predicated on the assumption that users deserve options to control more aspects of how their expensive pocket computers should work."
Jason Snell at Macworld says, "yet when I consider everything being experimented with in the EU, I start to wonder if the envy is actually going to flow in the other direction."
Lots of people speak to the regulators. Some speak for their own company, some for their government, some for their product, but who speaks for the web?
We do.
Now, I don't mean OWA, although we do, but we, us, here in this room and in rooms like it.
The web is ours.
The web is woven curiously, Tennyson tells us, in the poem. Someone needs to stand up for curiosities. To help the corporations and the money men and the governments understand why the web is great: because it's ours.
And that's where you can help. OWA doesn't need money. It never hurts, but... We don't need money, and we don't want medals, but what we do need is support. We always need more documents reading, more papers writing, more awareness, more staying on top of everything that's going on, more spotting of malicious compliance. And that's something you're all well qualified for.
But this is not a recruiting pitch, right? OWA is not the only way here. You can do your own open web advocacy.
Everyone in this room understands why the open web unlocks doors, why it can work for everyone, everywhere, why this thing we made together is the biggest and best collection of information and exhibitions and joy that the world has ever known.
But not everyone is as enlightened as you, or indeed as attractive as you. I've always admired that about you.
So we need to help people understand.
This is Johannes Ernst.
He says, "The open web is amazing. So we keep saying in our little subculture, and outside of our little subculture, we're generally met with incomprehension. In my opinion, that's because we're not saying why the open web is amazing. I think it all boils down to, on the open web, I can be much more creative with minimum expense than elsewhere, and so easily share my creations with the world."
So write about the web. Build things on the web, in the web, of the web, to help people understand. Build cool stuff and talk about that you did it, and why you did it, and how you did it.
And that includes tech regulators, right? When they ask for input, and you give it to them, they really do listen.
So, the Lady of Shalott stepped away from the web. She turned her attention to the shiny gold of the knight, and the curse came upon her.
A long-drawn carol, mournful, holy, she chanted loudly, chanted lowly, till her eyes were darkened wholly, and her smooth face sharpened slowly, turned to towered Camelot.
For ere she reached upon the tide, the first house by the waterside, singing in her song, she died, the Lady of Shalott.
But the point is, the curse doesn't have to be real.
The Lady of Shalott stepped away from the web to her own doom, but she didn't have to.
If she'd had the foresight, like the poem says, "like some bold seer in a trance, seeing all his own mischance", if she'd had the foresight to know what would happen, then maybe she wouldn't have done it.
If only someone had told her ahead of time, shown her, she could have put all her skill into weaving the web, not hiding from it. She could have embraced the web, not tried to put it down.
Well, here we are, ahead of time.
Don't step away from the open web. Embrace it. Come down from the tower, meet the people, instead of looking down on them.
If you will excuse the sheer hubris of this (if you listen very carefully, you can hear Queen Victoria's own poet laureate turning in his grave), this is how I wish the poem had ended. Because it's not too late.
This need to own her soul devours, decided she to use her powers, grow the web, to fill the towers, join the folk at Camelot.
We birthed establishment defiance, so stop malicious rule compliance, we win when they have self-reliance, the people of Shalott.
Stop looking for more cash to trouser, and listen if her pride allows her, to what she'd learn at State of the Browser!
[APPLAUSE]
She'd love you folks a lot. Thank you very much.
[APPLAUSE]
Oh, wait!
Wait, one more thing.
You want more Tennyson? Well, that's Shalott.
[LAUGHTER]
[APPLAUSE]
Thank you.
[APPLAUSE]
About Stuart Langridge
Stuart is a consultant CTO, software architect, and developer to startups and small firms on strategy, custom development, and how to best work with the dev team, and a founder member of Open Web Advocacy. Code and writings are to be found at kryogenix.org and @sil@mastodon.social; Stuart himself is mostly to be found playing D&D or trying to find the best sandwich in town.