cross-posted from: https://slrpnk.net/post/30992984
We are drowning in enshitified websites. Cloudflare automatically enshitifies ⅓ of the worlds websites. On top of that, there are countless shitty anti-human features that plague the web. Some of them just annoy, and some actually make the website unreachable or unusable to various demographics of people (such as Tor users).
Most infuriating is when a GOVERNMENT website intended to serve the public uses access restrictions (like Cloudflare) or does something else to exclude demographics of people who are entitled access. The Tor community can no longer access most websites of the EU.
What we need
We need an app that will:
- attempt to visit a webpage from multiple different networks (VPN, Tor, residential clearnet, and a variety of different geographic regions).
- try a variety of different user agent strings (cURL, wget, firefox, lynx).
- compare the content between non-erroneous payloads. A significant difference should raise flags. If there is much less content, it could perhaps be regarded as an access denial without error. (e.g. a page simply says: “we don’t serve .. (your kind of people)”). Some common phrases could be searched for.
- detect exclusive walled gardens like Cloudflare and Sucuri
- accessibility¹/enshitification check: whether the contact page imposes a GUI or Google CAPTCHA (¹in terms of people with impairments)
- open data check: whether the contact page discloses a street address or phone number.
- check whether the page functions with uMatrix (maybe this is not possible).
- check whether a privacy policy exists.
- check whether there is a popup blocker blocker (that blocks those who block popups/ads).
In the end, the app produces a checklist and concludes with a final result:
- ✔👍🎉 ❝The website under test is publicly accessible❞
- 🤷🫤 ❝The website under test is publicly accessible but dark patterns or similarly unsuitable/inappropriate anti-user mechanisms were detected. The website should be avoided.❞
- ❌ ❝The website under test is access-restricted or not entirely publicly accessible❞
The report could perhaps be timestamped, digitally signed by the entity running the app, and centrally recorded. Then concerned people among the public could use the report as an independent/authoritative source for claiming that a “public” resource is not actually public.
I did not say /how/ this tool would be used and relied on people to use their imagination. A website audit tool that declares “this page is not publicly accessible” is indeed useless if you don’t use it in clever ways for further action.
Imagine a scenario like this: the gov requires some kind of action from you (like declaring your tax) and they force you to use their shitty website. Then you miss a tax deadline, or whatever web action they demand of you. Maybe the website was unusable for you; maybe not. Regardless of your real reason for failing to comply, this audit tool can produce a certificate saying the website is down, dysfunctional, exclusive/access restricted, etc. It gives you evidence for a defense from which to push back with. You could then also incorporate human rights with your case:
You can use a cert from the audit service/tool to say “not everyone gets public service.. some demographics are excluded according to this independant audit report”
What happens now: You complain to an ombudsman that the website is broken. Some asshole in that office responds with “works for me; problem is you; erase your cookies or something”. Because they believe if it works for one person, it must work for everyone. This audit gives independant 3rd-party push back. They have to work harder to brush you off.
Circumvention techniques are overrated. People tend not to realise that if you surreptitiously circumvent their garbage and they don’t know it, it actually sends them a false thumbs up signal that their garbage is accepted and working.
This is the effect. That’s an example of a gov agency patting themselves on the back.