That's frankly ridiculous. Moving countries is expensive, and there are a limited number of countries in the EU and the world. If you can't afford to move or don't trust any of them, you are out of luck.
Installing an open-source OS and browser is free and the options are practically unlimited as anyone is free to create a new alternative.
> Installing an open-source OS and browser is free and the options are practically unlimited
There's what, two and a half real options? Even open-source applications wilfully cut off any non-mainstream OS (see the whole systemd saga). "Anyone is free to create a new browser", sure, but in practice it's now so expensive that even Microsoft had to give up. I've absolutely got more practical choices of country.
I have no idea what you are talking about. There are literally infinite alternatives because you can freely modify any open-source alternative in infinite ways.
No one is going to kick down your door and shoot you if you try to make a new browser or OS from scratch, like they would if you tried to make a new government, but there is really no reason to make a browser from scratch.
Microsoft didn't need to trust Google to fork Chromium, they didn't give up any power to Google and have exactly the same ability to influence web standards as if they had reinvented the browser. If they disagree with a choice the Chromium developers made, they can change it and keep the rest. The same applies to anyone who wants to do the same.
When it comes to certificate authorities, you don't even need to modify the browser or OS because they already allow you to add and remove authorities. The main reason people don't tend to do that is because they have no reason to. If you tried to start a new one, the natural thing to ask would be why I should trust you over the established certificate authorities. If your answer is that I don't have a choice because you have the backing of an army and police force that you will use against me if I don't, it doesn't exactly fill me with confidence.
The current certificate authorities don't need to threaten anyone with violence to secure their position, and they operate with significantly more transparency than any government I know of. Compared to governments, they are also much safer to trust because they rely on consent rather than force. A compromised or malicious certificate authority won't shoot you for trying to replace it, it has no enforcement mechanism beyond inertia.
> When it comes to certificate authorities, you don't even need to modify the browser or OS because they already allow you to add and remove authorities. The main reason people don't tend to do that is because they have no reason to.
They're already starting to make it more difficult. Look at what's happening with DoH where it's harder and harder to choose how your DNS queries get done and you get steered to CloudFlare (who are pretty low on my list of entities I want to trust) instead. Now that browsers have mostly succeeded in forcing HTTPS everywhere, expect them to start turning the screws.
> The current certificate authorities don't need to threaten anyone with violence to secure their position, and they operate with significantly more transparency than any government I know of.
Really? Can I make a FoI request to find out why a CA refused to issue a certificate to a particular entity? Is there a right of appeal if they refuse to issue a certificate on discriminatory grounds?
> They're already starting to make it more difficult. Look at what's happening with DoH where it's harder and harder to choose how your DNS queries get done and you get steered to CloudFlare (who are pretty low on my list of entities I want to trust) instead. Now that browsers have mostly succeeded in forcing HTTPS everywhere, expect them to start turning the screws.
DoH doesn't interfere with your ability to choose your own DNS provider. It only means that your DNS queries are between you and your DNS provider, free from the interference of your ISP and other third parties. It provides greater user freedom because your ISP cannot as easily force you to use their DNS provider. Nothing stops ISPs from offering DoH and some (e.g. Comcast) do offer it. Users may however benefit from using a DNS that's not affiliated with their ISP because ISPs are more vulnerable to censorship demands from governments. Usually, when a government demands that an ISP censor a website, the ISP will simply block DNS queries regarding that domain, allowing users of other DNS providers to escape the censorship. This may of course not be a long-term solution, as governments may be more likely to demand different censorship methods if fewer use the ISP DNS.
As far as I'm aware, no one has suggested that DoH should be mandatory. It is a sensible default that improves the privacy and security of most users, but a user who decides that they do not want to use DoH can simply opt out in the settings. Likewise, HTTPS is not mandatory either, and browsers will not prevent users from accessing unsecure sites. They will however warn users to make sure they are aware of the risks. As far as I'm aware, browser vendors do not benefit from users using HTTPS everywhere. They encourage its use because it is generally beneficial to users.
> Really? Can I make a FoI request to find out why a CA refused to issue a certificate to a particular entity? Is there a right of appeal if they refuse to issue a certificate on discriminatory grounds?
A FoI request is just asking the government to give you information. They will never intentionally give you anything they do not want you to have. FoI laws tend to contain enough exceptions to cover any situation, but even if you should legally receive the information, there is nothing you can realistically do to make them provide it to you. Similarly, you can ask any organization for any information, and they can refuse. The same is true with appeals. You can ask an organization to reconsider its decision and for someone else in the organization to look at it, but the decision remains within the organization. The difference is what you can do once the decision has been finally made. Will the decision maker try to force me to adhere to their decision through violent means, or am I free to ignore them and try to convince others to do the same?
The main difference regarding transparency is that more information is made public by default in the current system (what good is the ability to request information if you don't even know that the thing you wanted to request information about happened?) and that decisions are made by several separate entities that need to justify their decisions to each other in order to maintain consensus.
> As far as I'm aware, browser vendors do not benefit from users using HTTPS everywhere. They encourage its use because it is generally beneficial to users.
Google (which is to say DoubleClick), which funds the majority of browsers, has a huge financial interest in HTTPS. They make their money on ad tracking, and it suits them to put a moat around that; privacy initiatives help them by making it harder for any new competitors to get hold of the same information they built their business on.
> DoH doesn't interfere with your ability to choose your own DNS provider.
It may not make it impossible but it makes it harder. You need a provider that supports DoH, and your browser will ignore your OS-wide DNS setting. Previously your default DNS provider would be an ISP that you'd picked; now the default is whoever's most profitable for your browser maker (you might say you pick your browser, but there's less real choice there than there is for ISPs, at least where I live).
> As far as I'm aware, no one has suggested that DoH should be mandatory. It is a sensible default that improves the privacy and security of most users, but a user who decides that they do not want to use DoH can simply opt out in the settings. Likewise, HTTPS is not mandatory either, and browsers will not prevent users from accessing unsecure sites. They will however warn users to make sure they are aware of the risks.
They won't do it all at once, but they're making it harder and harder to access non-HTTPS sites. It's gone from a clear warning to a block page where accessing the HTTP version requires multiple clicks on tiny text; the next step will be to make it require a config tweak to even get that tiny text at all, and then they'll say that their telemetry conveniently shows few people are using that config tweak (because who could imagine that the kind of people who don't trust their browser maker would disable telemetry) so they're removing it. We've seen this whole playbook before. It'll be the same for DoH.
> A FoI request is just asking the government to give you information. They will never intentionally give you anything they do not want you to have. FoI laws tend to contain enough exceptions to cover any situation, but even if you should legally receive the information, there is nothing you can realistically do to make them provide it to you.
Governments are accountable to their citizens, not just in theory but in cultural practice, which is what really matters. If you get a bogus response to an FoI request then you can complain to your representatives, and if your representatives don't respond then you can vote them out. But more importantly, the clerk handling your request knows that their duty is to you, not their shareholders, and will generally act accordingly. And if they don't, there's a whole culture of whistleblowers, investigative journalists, activist judges and so on.
None of that exists for a private company CA where they're working for their shareholders and no-one expects them to do otherwise. Frankly even if it did leak out that a CA had refused to issue a certificate to someone who they just didn't like, it wouldn't even be a scandal unless you were lucky enough to catch the right moment where there was a social movement supporting that particular kind of person.