Dom's Bytes

Oops!... Google Did It Again

Computer scientists always consider the worst-case scenario because it allows us to hedge against the risk—or, well, certainty—that something will go wrong.

The Web Environment Integrity proposal championed by a small group of Google employees is an example of what happens when you don’t consider the worst-case scenario. The proposal aims to create a new Web API which would allow websites to attest the trustworthiness of a client before sending back content—kinda like DRM for the web.

The browser asks the attester—most likely the OS, backed by dedicated hardware such as a TPM on PCs or the T2 chip on Apple devices—to check the “integrity” of the client’s device and generate a low-entropy token signed with the attester’s private key. The token is then sent to the website, which validates it using the attester’s public key. If the token checks out, the website delivers its content.

Web Environment Integrity proposal

The idea is not new. Back in 2022, Apple implemented Private Access Tokens. Cloudflare uses PATs to eliminate the need for CAPTCHAs when the client runs on Apple devices. The mechanism behind PATs is almost identical to WEI’s; the main difference is that in PATs the Attester (Apple) and the Issuer (Cloudflare, Fastly) are two different entities.

Apple PATs with Cloudflare

Why are people complaining about WEI and not PATs then?

Well, Google is simultaneously the owner of the most popular web browser (Chrome) and the most popular mobile operating system (Android) on top of which Chrome runs. WEI is guaranteed to be a recipe for anti-competitive practices.

The WEI attesters—“a relatively small group”—would most likely be picked by Google. That will make it hard, time-consuming, and most probably costly for new OSes, device vendors, and web browsers to get their foot in the door, as they will have to go through Google.

Let’s consider the best-case scenario for a moment: Google doesn’t abuse their power. Instead, they go out of their way to ensure everyone has equal access to this functionality. As people stop being bombarded with CAPTCHAs, social media websites cut down on fake engagement, and advertisers stop fingerprinting to ensure ad delivery to real humans, we start asking ourselves why WEI took so long!

Now back to reality: no one really cares about the best-case scenario. It’s not realistic. Once you have power it’s very tempting to abuse it, and it’s very hard to take it away from you.

The worst-case scenario is actually way more interesting. As more and more websites start adopting WEI, the mainstream web becomes a walled garden with Google owning the keys to the entrance. The most popular services, such as Netflix, Spotify, and Meta’s platforms, stop letting unattested traffic in, as it objectively makes sense from a security and business perspective.

Meanwhile, Google is able to dictate which combination of hardware and software is deemed trustworthy, making it hard for new companies to innovate while making it easy for existing companies to double down on planned obsolescence as “oops!… TPM 2.0 is no longer a valid attester”.

Leaving scenarios aside, Google got their monopoly in web browsing and we let them. We had, and still have, bigger problems in our lives than worrying about a company being the one in control of the piece of software we browse the web on.

They are now in a position to go ahead and implement this proposal even if the W3C disagrees. What is left to us is to ask: is this CAPTCHA-free, bot-less, walled-garden world worth it?