Google abandons Web Integrity API proposal after backlash
Illustration: Alex Ivanovs // Stack Diary

*surprised Pikachu face*

After facing months of criticism over privacy and anti-competitiveness concerns, Google’s Chrome team has announced it is no longer pursuing its Web Environment Integrity (WEI) API proposal.

The proposal was first announced on GitHub in July 2023 by a team of Google engineers, and we then covered the story from an ad-blocking angle. Funny how that works out, too: now that YouTube is shoving ads down everyone’s throat without mercy, maybe the proposal isn’t even necessary anymore.

Web Environment Integrity would have allowed websites to issue a cryptographic challenge to a user’s browser to verify the “integrity” of the browsing environment before granting access.

Proponents argued this would improve security by ensuring sites only loaded in trusted environments. However, critics raised alarms about the privacy and anti-competitive implications.

“The proposal suggests websites should be able to request an attestation from the browser about its ‘integrity’,” wrote Jens Finkhaeuser, an internet freedom advocate, in a July 21st blog post analyzing the proposal. This data could potentially include which plugins and extensions were installed.

Finkhaeuser and others argued the real purpose was “to exclude bots and ad blockers, not improve security,” and warned it could “turn the browser into an extension of an appliance website.”

Privacy and competition concerns

There were widespread fears that Google and websites could use the WEI API for invasive tracking and surveillance of users’ browsing habits and environments.

Critics also argued the proposal would unfairly benefit Google by excluding competing browsers or disadvantaging users who opted out of tracking.

Facing this widespread criticism, Google is no longer considering the WEI proposal.

“We’ve heard your feedback, and the Web Environment Integrity proposal is no longer being considered by the Chrome team,” wrote the Android team in the post.

However, Google is still pursuing similar “integrity” verification for Android apps’ embedded web content through a separate API called the Android WebView Media Integrity API.

“In contrast, the Android WebView Media Integrity API is narrowly scoped, and only targets WebViews embedded in apps,” Google wrote, arguing it is intended to combat fraud and abuse.

Close call

While it’s good Google responded to criticism, their dominance over web standards means they can unilaterally make changes that end up fragmenting the open web. Even if well-intentioned, moves like WEI by a company as influential as Google can have dangerous implications.

The privacy and anti-competitive alarm bells it set off were deafening. This was a close call.

This reversal keeps the open web safe a little longer, but more reforms are needed to decentralize control over standards. Until then, it’s hard for me to fully trust Google’s motives given their dominance. We have to stay mobilized to stop them from quietly reintroducing concepts like WEI when we let our guard down.