Browser developers push back on Google’s “web DRM” WEI API


Google’s plans to introduce the Web Environment Integrity (WEI) API on Chrome has been met with fierce backlash from internet software developers, drawing criticism for limiting user freedom and undermining the core principles of the open web.

Employees from Vivaldi, Brave, and Firefox have taken a strong, opposing stance against Google’s proposed standard, and some have gone as far as to call it DRM (digital rights management) for websites.

What is the WEI proposal?

Web Environment Integrity (WEI) is a new API proposal that introduces a website trust mechanism that allows websites to evaluate the authenticity of devices and network traffic on clients (browsers) and block fake or insecure interactions.

For example, this mechanism can be used to detect whether a human or bot is visiting a website or whether a particular browser on a specific type of device is trustworthy.

Websites will use the API to request a token from a certified “attester,” which will be cryptographically signed to prevent tampering, helping the former validate that the client’s information is legitimate.

WEI logic diagram
WEI logic diagram (GitHub)

The purported goal of the WEI proposal is to help websites ascertain the authenticity of the device and software stack from which they’re receiving traffic and protect users from fraud by deterring malicious online activities.

Example use cases include detecting fake engagement on social media, phishing campaigns, non-human traffic, bulk account hijacking attempts, game cheating, compromised devices, and password brute-forcing.

Google says this is not a privacy risk as it does not enable cross-site user tracking and won’t interfere with browser or plugins/extensions functionality.

Criticism from browser vendors

Although the above sounds positive and helpful, Vivaldi browser’s developer J. Picalausa called WEI “dangerous” in a write-up published earlier this week.

“If an entity has the power of deciding which browsers are trusted and which are not, there is no guarantee that they will trust any given browser,” writes Picalausa.

“Any new browser would by default not be trusted until they have somehow demonstrated that they are trustworthy, to the discretion of the attesters.”

Also, Picalausa underlines the vagueness of Google’s proposal, which he says leaves a significant margin for potential abuse like collecting behavioral data from clients.

Vivaldi’s post further explains that choosing not to implement WEI will be complicated, as Google can very easily abuse its dominant position in the advertising market to enforce its adoption by the majority of sites, rendering dissenting browser projects useless.

The Brave browser team, however, does not fear this scenario as its co-founder and CEO, Brendan Eich, confirmed that they do not plan to ship WEI.

In response to a thread on Twitter, Eich stated that WEI support will not be shipped in Brave, just as they do with many other privacy-intrusive mechanisms Google inserts into Chrome’s code which Brave uses as its basis.

Tweet

As for Mozilla, the internet organization has yet to express an official opinion. However, Firefox engineer Brian Grinstead commented earlier this week that Mozilla opposes the proposal as it contradicts its principles and vision for the web.

“Mechanisms that attempt to restrict these choices are harmful to the openness of the Web ecosystem and are not good for users,” reads Grinstead’s statement.

“Additionally, the use cases listed depend on the ability to “detect non-human traffic” which as described would likely obstruct many existing uses of the web such as assistive technologies, automatic testing, and archiving & search engine spiders.”

Currently, Google’s WEI API proposal is still in an early development phase and may change form or be significantly changed if all stakeholders agree to its implementation.

Also, it will be interesting to see the response of anti-monopolist legislative mechanisms and competition authorities to this proposal if Google attempts to impose it aggressively despite the voices of concern and multiple objections against it. 

BleepingComputer has contacted Apple and Microsoft about whether they will support this new standard but has not received a response at this time.





Source link