Google's Web Integrity API branded 'attack on the open web'
Search giant steps up plans to control the internet
A working draft specification for a new browser API from Google has raised outcry from the technical community about ethics, trust and adding DRM to the internet.
The Web Environment Integrity API (WEI) is not a heavily promoted project - the documentation is only hosted on an employee's personal Github account, rather than an official repo - but there are signs that Google is actively working to build the feature into Chrome now.
Seeing as Chrome's foundation, Chromium, underlies many popular browsers, including Microsoft Edge and Brave, the API could affect web browsing for millions.
So, what is it, and should you be concerned?
The WEI's documentation makes the project out to be about trust. At its heart, it's a way for browser clients to establish trust with a server via a third party server.
That third party attestation server would ask your browser to pass some kind of test when accessing a new webpage, proving that the user is a human rather than a bot. You would then get a signed "IntegrityToken" verifying that the browser is unmodified, and directing you to the content you're after.
Make no mistake - although the documentation is careful with its "third party" wording, Google would almost certainly be every player in that process. The website would probably come from Google search, the browser would be Chrome (or Chromium-based), and the attestation server would definitely belong to Google.
That's not necessarily bad, and the project's goals - killing social media bots, serving ads to real humans, enforcing IP rights, securing financial transactions and stopping cheating in web games - are well meant.
But...
Killing off the open web
Web technology in general has been moving away from its early openness for years. Apps have been a big contributor, taking total control the browsing experience (and look at Reddit and Twitter X's recent efforts to kill off third-party apps). Others are systems like Apple's App Attest and Google's own Play Integrity API on Android.
These are protections that go a step further than apps. They ensure a device itself is unmodified and hasn't been rooted - otherwise, some apps will simply not run.
The WEI is effectively the same thing for the web. If the browser is modified in a way Google disagrees with, websites will refuse to load.
Don't be evil
The API's authors, four Google employees, "strongly feel" that the WEI should not be used to uniquely identify people. They are also against interfering with "browser functionality, including plugins and extensions" - for which, read "ad blockers" (you can look to Google's Manifest v3 plan for that, instead).
But all the strong feelings in the world won't dissuade a mega corp like Google, if it decides that's the route it wants to go. Look to other unpopular projects like Privacy Sandbox, which the company is still pressing ahead with despite public backlash.
That backlash hasn't even come from the general public yet. Technical experts are nearly united in their disdain for the WEI.
Jay Freeman, developer of Cydia for jailbroken iOS devices, told The Register, "I believe this would be one of the biggest attacks on not just the open web but on the basic freedom to run a general purpose computer we have so far seen: you can't trust the browser on an 'untrusted' OS."
Comments on the Github repo are similarly united in their criticism.
Brian Grinstead, senior principal engineer for web platform at Mozilla, said the WEI would "likely obstruct many existing uses of the Web such as assistive technologies, automatic testing, and archiving & search engine spiders."
He added, "Detecting fraud and invalid traffic is a challenging problem that we're interested in helping address. However this proposal does not explain how it will make practical progress on the listed use cases, and there are clear downsides to adopting it."
Other comments were less nuanced, starting at "absolutely unethical" and descending from there.
For now, the WEI is only a proposal, but Google published an intent to prototype notice in May. That means it's actively building the feature into Chrome for testing now.