Web Environment Integrity

Greetings and welcome to my blog.

Today, we will discuss Google's newest attempt at virtue signalling people to better their cash flow and gain more control of the web: "Web Environment Integrity".

This is yet another step towards an inevitable and dystopian future that all of us are heading into.

The Whole Situation

Most of you know Google as the company behind the search engine and Android. However, there's a lot more to Google that you might be unaware of.

Google does business in more domains than just Android and Search. And at their core is their advertising business. Google's advertising business holds enough power to make or break its revenue. They monopolized digital ad tech and have been sued by the US Justice Department for it.

In the advertising arena, a huge impact is caused by adblockers, which improve user experience by preventing ads from being shown on the Internet. While they're a pleasing addition to users' experience, Google doesn't like them. They hold a contrary perspective – and understandably so, because adblockers directly hurt their business.

Previously, Google has made desperate attempts to crack down on ad blockers. Implementing adblocker blockers on YouTube, and severing adblock extension capabilities in proposing Manifest v3, are two such recent and major examples. [1] [2] [3]

The third one happens to be WEI.

The Origins of WEI

On April 25th, 2023, a GitHub repository was created by user Ben Wiser, an engineer at Google. It gave birth to the ideation of "Web Environment Integrity" – a new API proposal by Google.

But first, let's zoom out a little, go back in time, and see how the Internet works.

Say there's a person who wants to access files on a different computer, somewhere else in the world.

It goes like this:

  1. The client (person) will send a "request" to the server.

  2. The server will "acknowledge" that request, and a "response" will be sent back.

This transaction requires only two parties.

WEI (Web Environment Integrity) will add several more parties which will negatively impact performance, privacy and freedom.

Let's understand their introduction to WEI proposal:

"Users often depend on websites trusting the client environment they run in. This trust may assume that the client environment is honest about certain aspects of itself, keeps user data and intellectual property secure, and is transparent about whether or not a human is using it. This trust is the backbone of the open internet, critical for the safety of user data and for the sustainability of the website’s business." (Source)

  1. "Users often depend on websites trusting the client environment they run in [...]"

    Users do not care about websites trusting their client devices unless it negatively affects the website's functionality.

  2. "[...] keeps user data and intellectual property secure [...]"

    WEI has almost nothing to do with the security of the user data. On the contrary, and as stated, it is designed to protect intellectual property... this is almost starting to sound like DRM (it probably is!).

  3. "[...] trust is the backbone of the open internet, critical for [...] sustainability of the website’s business."

    The same thing as the previous point. WEI is designed with business interests in mind, and it has nothing to do with users or their freedom. Contrary to what it says, WEI will be the beginning of the end of what we call the open Internet.

How WEI Works

Parties involved

... in the execution of WEI API:

  • Web page currently executing.

  • A third party that can "attest" to the device that a web browser is executing on.

  • The web developer's server that can remotely verify and act on the attestation information.

The Process

  1. A web page requests an environment attestation from the attester with a "content binding" (content binding ensures that attestation can't be modified by "attackers"). The attestation constitutes information about the platform, platform version, web browser, and more details that possess the ability to affect the security of the client device.

  2. The attester signs a token containing the attestation and content binding with a private key. The attester then returns the token and signature to the web page. The attester’s public key is available to everyone to request.

  3. The web page returns this information to the web server. The web server first verifies the origin of the payload (ensuring the reliability of the attester) and inspects the token’s payload (attestation + content binding). Then, it verifies the payload by verifying the signature with the attester’s public key.

  4. Optionally, the web server may call the attester’s server endpoint to get additional data on request.

Goals

The authors shared the following goals of WEI:

  • Allow websites to evaluate the authenticity of the device.

  • Offer an extremely robust and sustainable anti-abuse solution.

  • Prevent enabling methods to track users across sites using attestation.

  • Continue to allow web browsers to browse without attestation.

Nope ;—;

I'm not a fan of anything that limits technical freedom, and WEI is certainly one of those things.

WEI provides websites and attestation issuing organizations the capability to restrict requests from "undesired clients".

The "undesired clients" can be any device, ranging from a rooted/jailbroken mobile phone to a 15-year-old laptop running a Linux distro... to a smart fridge hacked (hacked as in modified) to run a web browser, and everything in between. They can readily prevent requests that originate from an unconventional platform, especially if the values upheld by that platform differ from those of the attestation party's organization.

Who's really in power? The user certainly isn't. WEI takes away the freedom of users. It essentially DRMs the web. I'll miss the old web, where users had the freedom to access it from whatever device they wanted to. With the implementation of this "safety measure", users will be required to use the "good" devices that are conditioned to wall gardening. Like a locked iPhone or Android. Or an up-to-date Mac or Windows device. This constitutes a lot more dystopian examples.

The Problem Isn't

Google fails to address one fundamental problem: the problem isn't adblocking, it's what causes adblockers to be.

The present condition of advertisements focuses less on the products they advertise and more on generating annoyance.

No, I do not want to see advertisements for gardening supplies or music shows while I'm in the middle of watching an educational video on YouTube. But again, the problem at its core isn't only about contextual advertising, but advertising design on a deeper level.

People avoid seeing advertisements because they're not a pleasant experience. WEI and Manifest Version 3 are essentially hot patches that somehow band-aid the broken road that we're walking on, instead of fixing the base.

If advertisements were pleasant to view, a lot less people would avoid them.

Perhaps consider figuring out an alternative approach to generate income, rather than clinging to the belief that advertisements are still relevant.

I don't know what will become of the web.


Go back to 2006. Mozilla 1.0.1 has just been released. Internet Explorer 6 is a popular browser, but still a pile of garbage.

Government websites, job application websites, and a ton of other websites only work with IE6. People use plugins to spoof their browser identity so that those restrictions are removed.

Cut to present – WEI enables browsers and big tech to implement such dystopian restrictions in a more hi-tech manner.


Big Brother is watching.

13
Subscribe to my newsletter

Read articles from Pratyaksh Mehrotra directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

Pratyaksh Mehrotra
Pratyaksh Mehrotra

compsci senior, product designer 🏢 currently — product @ OnePlus ; OPPO ui/ux designer @ Catoff 🟢 available for — • product design ——— links ——— journey: https://pratyakshm.com book a call (for free): https://cal.com/pratyakshm