Google’s Web Environment Integrity API is SafetyNet for websites

Google’s Web Environment Integrity API is basically SafetyNet for websites, and it doesn’t look good.

Google has proposed a new web standard called the Web Environment Integrity API, and it’s essentially DRM for the internet. The proposal, detailed by four Google staffers (one of whom, Philipp Pfeiffenberger, was also part of the original proposal for Google’s Privacy Sandbox), outlines how the WEI API will be able to keep the internet “secure.”



In the introduction of the proposal, the team behind it states the following.

“Users often depend on websites trusting the client environment they run in. This trust may assume that the client environment is honest about certain aspects of itself, keeps user data and intellectual property secure, and is transparent about whether or not a human is using it. This trust is the backbone of the open internet, critical for the safety of user data and for the sustainability of the website’s business.”

In practice, this sounds a lot like the SafetyNet API (now replaced by Play Integrity) on Android smartphones, which the team states is an inspiration. “This explainer takes inspiration from existing native attestation signals such as App Attest and the Play Integrity API,” they write. Android’s Integrity API verifies that your device isn’t rooted, no matter what you may use that root access for. Whether you use it to interfere with apps or to simply modify your device doesn’t matter, as the API will state that your device does not pass those checks. As a result, rooted users cannot use a lot of services on their smartphones, even if they rooted purely for customization reasons.


In other words, the primary aim of the WEI API would be to ascertain that the browser has not been tampered with and that the person using the browser is a real person.

The proposal outlines the flow of how connecting to a website would work, and it requires a third-party attestation server that would likely be owned by Google in this instance. Your browser requests a web page as normal and is then required to pass a test. On passing, it is given a verified “IntegrityToken” proving that the browser is unmodified and meets the requirements. So long as the page trusts this result, you will be granted access to the page.

In the proposal, the authors state that they “strongly feel” that a device ID should never be included, as it would allow for device fingerprinting. However, the proposal contradicts itself on this point, for example with a suggestion that they would include an “indicator enabling rate limiting against a physical device.” How this would be implemented without device fingerprinting is unknown.

This proposal has flown under the radar somewhat, and it was shared on HackerNews recently after being spotted on a Google employee’s personal GitHub account. In fact, even though Google hasn’t drawn attention to it at all, there is already prototype code being put together for a future Chrome release. Both Mozilla and Vivaldi have criticized the proposal, with Mozilla saying that it “opposes this proposal because it contradicts our principles and vision for the Web,” while Vivaldi referred to the proposal as “dangerous.”


The proposal threatens the free and open internet in a number of ways, but one of the biggest revolves around the fact that should there be a central server that attests to whether a browser can be trusted or not, it means that anything non-standard will not be trusted. In other words, new browsers would not be trusted, and legacy software would no longer be able to access much of the internet after a certain length of time. Given that it verifies the integrity of the browser, it could also technically block certain extensions (such as Adblock) if Google were to go down that route.
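The flow described above (an attestation server issues a signed token, and the website decides whether to trust it) and what it means for non-standard browsers can be sketched in Node.js. This is an added example, not code from the proposal or from Google: the token layout, the attester names, the verdict strings and the per-request challenge are all hypothetical.

```javascript
// Added illustration: token layout and all names are hypothetical, not WEI's real format.
const crypto = require('node:crypto');

// Attester side: signs a verdict about the browser, bound to the site's challenge.
function makeAttester(name) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return {
    name,
    publicKey,
    issueToken(verdict, challenge) {
      const payload = Buffer.from(JSON.stringify({ attester: name, verdict, challenge }));
      const sig = crypto.sign(null, payload, privateKey);
      return payload.toString('base64url') + '.' + sig.toString('base64url');
    },
  };
}

// Website side: grant access only if an attester on the site's allowlist signed the
// token, the token answers this request's challenge, and the verdict is "unmodified".
function checkToken(token, challenge, trustedKeys) {
  if (typeof token !== 'string') return 'rejected: no token';
  const [p, s] = token.split('.');
  if (!p || !s) return 'rejected: malformed token';
  const payload = Buffer.from(p, 'base64url');
  let claims;
  try { claims = JSON.parse(payload.toString()); } catch { return 'rejected: malformed token'; }
  if (!claims || typeof claims !== 'object') return 'rejected: malformed token';
  const key = trustedKeys.get(claims.attester);
  if (!key) return 'rejected: unknown attester';
  if (!crypto.verify(null, payload, key, Buffer.from(s, 'base64url'))) return 'rejected: bad signature';
  if (claims.challenge !== challenge) return 'rejected: stale or replayed token';
  return claims.verdict === 'unmodified' ? 'granted' : 'rejected: environment not trusted';
}

// Constructed scenario: the site's allowlist contains a single attester.
function demo() {
  const big = makeAttester('big-attester');
  const indie = makeAttester('indie-browser-attester');
  const trusted = new Map([[big.name, big.publicKey]]);
  const challenge = crypto.randomBytes(16).toString('hex');
  return {
    stock: checkToken(big.issueToken('unmodified', challenge), challenge, trusted),
    modified: checkToken(big.issueToken('modified', challenge), challenge, trusted),
    newBrowser: checkToken(indie.issueToken('unmodified', challenge), challenge, trusted),
    replay: checkToken(big.issueToken('unmodified', 'older-challenge'), challenge, trusted),
    none: checkToken(undefined, challenge, trusted),
  };
}
```

The `newBrowser` case is the one the paragraph above is concerned with: the token is validly signed and reports an unmodified environment, yet it is refused because its attester is not on the site's allowlist.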

We’ll be sure to keep an eye on Google’s Web Environment Integrity API proposal, as while it’s already proven controversial, it appears that the company is full steam ahead with prototyping it at the very least.
