The web isn’t what it used to be. Those of us who were connected back in the early 2000s notice that a lot of the freedoms we had back in the day are now gone. Many alternative platforms, such as search engines, have either died out (you can’t try to index the web anymore without basically asking Cloudflare first, otherwise you risk getting your IP “banned” from a bunch of websites and tagged as a malicious bot) or been bought by Google or Microsoft. More recently, to add insult to injury, engineers from your friendly mega corporation Google started working on a way to DRM the ENTIRE internet. Let’s take a look at how awful this is.
What is that?
The Web Environment Integrity API enables websites to request a token that verifies crucial information about the client code’s operating environment. For instance, it can demonstrate that a user is using a secure Android device for web browsing. To ensure the tokens’ security, they are cryptographically signed, preventing tampering. While the final decision to trust the attester’s verdict lies with the websites, the API is expected to rely mainly on attesters from the operating system for practical reasons. The explainer draws inspiration from existing native attestation signals like App Attest and the Play Integrity API. You can read more about it on their GitHub.
This, in theory, would allow websites to know if a visitor is a real human or a robot, and whether or not the machine is safe to access things like bank services (without some sort of virus installed). In reality, it is a lot more problematic.
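The signed-token check described above, as an added example that is not code from the original post or from the WEI explainer: a website accepts a verdict only if the signature verifies under an attester key the site itself has chosen to trust. The token layout, the attester names, the verdict strings and the `contentBinding` field are assumptions made for the illustration.

```javascript
// Added illustration: the token layout and all names are hypothetical, not the WEI format.
const crypto = require('node:crypto');

// Attester side (e.g. the OS): sign a verdict bound to a value the website chose.
function issueToken(attester, privateKey, verdict, contentBinding) {
  const payload = Buffer.from(JSON.stringify({ attester, verdict, contentBinding }));
  const signature = crypto.sign(null, payload, privateKey); // Ed25519 takes no digest name
  return { payload: payload.toString('base64'), signature: signature.toString('base64') };
}

// Website side: verify the signature first, then decide whether to trust the verdict.
function verifyToken(token, trustedAttesters, expectedBinding) {
  const payload = Buffer.from(token.payload, 'base64');
  let claims;
  try {
    claims = JSON.parse(payload.toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed payload' };
  }
  if (claims === null || typeof claims !== 'object') return { ok: false, reason: 'malformed payload' };
  const publicKey = trustedAttesters.get(claims.attester); // Map of attester name -> public key
  if (!publicKey) return { ok: false, reason: 'untrusted attester' };
  const signature = Buffer.from(token.signature, 'base64');
  if (!crypto.verify(null, payload, publicKey, signature)) return { ok: false, reason: 'bad signature' };
  // Without this check a token captured on one request could be replayed on another.
  if (claims.contentBinding !== expectedBinding) return { ok: false, reason: 'binding mismatch' };
  return { ok: true, verdict: claims.verdict };
}

// Constructed scenario: keys, attester names and verdict strings are made up for the demo.
function demo() {
  const os = crypto.generateKeyPairSync('ed25519');
  const unknown = crypto.generateKeyPairSync('ed25519');
  const trusted = new Map([['example-os', os.publicKey]]);
  const binding = crypto.randomBytes(16).toString('hex'); // per-request challenge
  const good = issueToken('example-os', os.privateKey, 'device-ok', binding);
  const failing = issueToken('example-os', os.privateKey, 'device-failed', binding);
  // Keep the signature of the failing token but swap in the payload of the passing one.
  const tampered = { payload: good.payload, signature: failing.signature };
  const stranger = issueToken('example-other', unknown.privateKey, 'device-ok', binding);
  return {
    valid: verifyToken(good, trusted, binding),
    tampered: verifyToken(tampered, trusted, binding),
    untrusted: verifyToken(stranger, trusted, binding),
    replayed: verifyToken(good, trusted, 'binding-from-another-request'),
  };
}
console.log(demo());
```

The `trusted` map is where the website's "final decision" lives: a verdict from an attester outside it is rejected even though its signature is valid.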
The issue
As much as the API creators promise that this is “for your own safety” and “Offer long-term sustainable anti-abuse solution”, the reality is that this is being developed by an ad company (Google). Said ad company has been working hard on killing adblockers, with Chrome’s Manifest V3, YouTube blocking users with adblockers, etc., so you can imagine what this really is all about.
On their GitHub page, they state the following:
According to their own examples, this API not only wants to kill adblockers of all kinds (not just extensions, but any 3rd party software that may block ads from being loaded, or lie to the website saying that it did load when in actuality it didn’t), but would also allow any website to know what software is running on the user’s computer. Essentially, this is a browser-installed DRM for the entire web.
Now you may think “Oh, I can just install another browser and the issue is fixed. I don’t need Google Chrome”. However, with the exception of Safari and Firefox, every single major browser is based on Chromium, which was created by, you guessed it, Google. And even if you go to a different browser that doesn’t implement this API, many websites (banks, news, etc.) will simply block you until you open them with a browser that comes with said API, because they can afford to. Firefox represents a mere 3% of the market, and Safari 18%, and the latter, being owned by Apple, is extremely likely to also implement the Web Environment Integrity API.
Here’s a very informative short video about the topic:
What is a DRM?
Digital Rights Management (DRM) is a technology that controls access to and use of digital content like music, movies, games, and e-books. It aims to prevent unauthorized copying and sharing of copyrighted material by encrypting the content and tying it to specific devices or accounts. However, DRM has raised some problems.
DRM can cause two main problems: performance issues and privacy concerns. Performance can suffer because of encryption, making content slower to load and draining device batteries faster. Privacy is also a worry, as DRM may collect user data and track behavior, raising concerns about how that information is used. These issues raise debates about the balance between content protection and user privacy in DRM technology.
Conclusion
In conclusion, the proposed Web Environment Integrity API may seem like a measure to ensure safety and prevent abuse online, but it raises significant concerns. While it may offer some benefits, such as distinguishing between human users and robots, it essentially acts as a browser-installed DRM for the entire internet. This move could potentially limit user privacy, as websites gain access to information about users’ software and devices. Moreover, the dominance of Google’s Chromium-based browsers raises questions about the real freedom users have in avoiding this API. Overall, this is yet another nail in the coffin of the free web.