Web Environment Integrity

Google engineers want to make ad-blocking (near) impossible

Google’s Web Environment Integrity proposal is making people roll their eyes.

UPDATE (11/2/2023): Google has ditched this proposal; read about it in our article here.

In recent news, Google has put forth a proposal known as the “Web Environment Integrity Explainer”, authored by four of its engineers.

On the surface, it appears to be a comprehensive effort to enhance trust and security in the digital landscape. However, as with many sweeping technological proposals, it’s not without controversy.

The tech community, especially on GitHub, has raised several eyebrows and voiced significant criticism.

Mozilla has just come out to say that they oppose this proposal: “Detecting fraud and invalid traffic is a challenging problem that we’re interested in helping address. However this proposal does not explain how it will make practical progress on the listed use cases, and there are clear downsides to adopting it.”

Updated: 26.07.2023

It looks like Google is already pushing this into Chromium; you can see the commit on GitHub here. And you can also read this article from Interpeer, which explains the motives behind this proposal.

One of the Google employees who authored the paper (Rupert Ben Wiser) has made a comment on GitHub saying that they are feeling the backlash: read it here.

In light of this proposal, I’ve gone ahead and updated my article on web browsers not based on Chromium; it has eleven browsers in total included there.

The Core Proposal: A Trust-Privacy Trade-off?

Google’s proposal pivots on a key premise: enhancing trust in the client environment. It introduces a new API that allows websites to request a token, providing evidence about the client code’s environment. Google’s engineers elaborate, “Websites funded by ads require proof that their users are human and not bots…Social websites need to differentiate between real user engagement and fake engagement…Users playing online games want assurance that other players are adhering to the game’s rules.”

However, critics argue that the quest for trust may come at the expense of privacy. While Google ensures that the tokens will not include unique identifiers, critics fear that this system, if misused, could lead to unwarranted surveillance and control.

Veiled DRM and the Threat to Open Web

The proposed API, while framed as a tool for fostering trust, could potentially be used to control user behavior on the web. Some critics fear it could be a covert introduction of Digital Rights Management (DRM) into web pages, making ad-blocking near impossible.

This not only impacts user experience but also raises concerns about net neutrality and the open nature of the web. As one critic aptly questioned, “Could this be a veiled attempt at introducing DRMs for web pages, making ad-blocking near-impossible in the browser?”

Monopolization Fears: Who Controls the Attesters?

A significant concern stemming from the tech community is the potential for monopolistic control. By controlling the “attesters” that verify client environments, Google, or any other big tech company, could potentially manipulate the trust scores, thereby deciding which websites are deemed trustworthy. This opens up a can of worms regarding the democratic nature of the web.

As one GitHub user commented, “This raises a red flag for the open nature of the web, potentially paving the way for a digital hierarchy dominated by a few tech giants.”

What About Browser Modifications and Extensions?

Google’s proposal remains ambiguous about its impact on browser modifications and extensions. It attests to the legitimacy of the underlying hardware and software stack without restricting the application’s functionality.

However, how this plays out with browsers that allow extensions or are modified remains a grey area. As the proposal vaguely mentions, “Web Environment Integrity attests the legitimacy of the underlying hardware and software stack, it does not restrict the indicated application’s functionality.”

Unanswered Questions and The Path Forward

The proposal leaves several questions unanswered and open for discussion. For instance, it doesn’t clearly address how it will prevent the signal from being used to exclude vendors. Google’s engineers write, “Attesters will be required to offer their service under the same conditions to any browser who wishes to use it and meets certain baseline requirements.”

However, it’s unclear how these baseline requirements will be set and who will enforce them.

In conclusion, while Google’s proposal is a technically sophisticated attempt to enhance trust on the web, its potential implications for user privacy and the open nature of the web cannot be ignored. The tech community’s concerns highlight the need for a balanced approach that doesn’t compromise on either trust or privacy.

It’s crucial that the tech community continues to engage in these debates to ensure that the future of the web is shaped by openness, privacy, and freedom rather than control and surveillance.