A Google proposal for a new web integrity tool has been met with scepticism and criticism, with concerns it may signal the end of the open internet.
A team of Google developers published a working draft specification for Web Environment Integrity (WEI) on GitHub last week, a way for websites to determine whether the browser and platform it is being run on is “trusted” by a third party, known as an “attester”.
The developers said the proposal is best aimed at detecting deceptive web environments, such as bot engagement on social media, cheating in online games, or fake engagements with online advertisements.
“Users often depend on websites trusting the client environment they run in,” the Google developers said.
“This trust may assume that the client environment is honest about certain aspects of itself, keeps user data and intellectual property secure, and is transparent about whether or not a human is using it.
“This trust is the backbone of the open internet, critical for the safety of user data and for the sustainability of the website’s business.”
Currently, this trust is often established through the use of “highly re-identifiable information”, the developers said, meaning their proposed method would offer a more privacy-enhancing way of doing so.
The new proposal would see browser clients establishing trust with a server via a third party attester which would give a token validating the integrity of the user’s environment. It would provide a way for an internet browser to prove it is working as expected and isn’t being manipulated or gamed.
It would involve at least three participants: the web page executing in a user’s web browser, the third party attesting the device a web browser is executing on, and the web developer’s server.
While not confirmed by the developers, Google would likely be acting as all three of these actors, with the website probably coming from a Google search, the browser being Chrome and the server belonging to Google.
End of the open web
But the draft has been met with widespread criticisms, with concerns centring around Google’s prominent role in the trust process, the impact it may have on new browsers and how it would affect the open internet as we know it today.
Cydia developer Jay Freeman told the Register that the Google proposal represented the “inevitable end-game of the web”.
“If websites are going to require ‘this is proven to be one of a small, trusted set of browsers, unmodified from their original behaviour – that we believe will, in fact, show our ads to a real user’, then the bar only goes up for building a new web browser,” Freeman said.
“I feel like there is something even bigger at stake: this takes away even more control over your computer.
“If Google does push this agenda, I thereby believe this would be one of the biggest attacks on not just the open web but on the basic freedom to run a general purpose computer we have so far seen: you can’t trust the browser on an ‘untrusted’ OS.”
Mozilla senior principal engineer for web platform Brian Grinstead commented on the GitHub draft, saying that it “contradicts our principles and vision for the web”.
“Detecting fraud and invalid traffic is a challenging problem that we’re interested in helping address,” Grinstead said in the comment.
“However, this proposal does not explain how it will make practical progress on the listed use cases, and there are clear downsides to adopting it.”
Other comments on GitHub went further, with one claiming that it is “absolutely unethical and against the open web”, while another asked: “have you ever stopped to consider that you’re the bad guys?”
Google published an intent to prototype notice for WEI in May, meaning it is planning to build the feature into Chrome for testing.
Google also recently announced a controversial new tool to replace tracking cookies. The Federated Learning of Cohorts was announced in 2021 as an alternative to intrusive third-party cookies, and would have tracked user’s browsing activity locally, analysed the data and created a cohort ID to give to advertisers.
This idea was canned early last year, with Google now moving onto a new proposal known as Topics. This would see the web browser learning about a user’s interests as they move across the internet, and keep data on this for three weeks. This data would be restricted to 300 topics, with the sites visited categorised into one of these.
