By Steven Hawley
Outrage has emerged over the Web Environment Integrity API proposed by Google engineers. It is being ‘sold’ as a way to boost security for end users and help Web sites differentiate live end users from bots, as part of Google’s effort to eliminate cookies without compromising its advertising business model, but it is being seen as something entirely different.
It sounds like a great promise for the user: no more cookies, and sessions or apps that have been compromised are disabled. Great for advertisers: tokens can be forwarded between “colluding sites” to enable cross-site tracking. And great for Google: a token-exchange process that increases confidence that a human is behind the end-point and that it has code integrity, and that improves the accuracy of ad measurement.
But it goes much further. Given Google’s market presence (as Chrome has >60% browser share), it’s a way to solidify Google’s presence on end user devices – and to continue Google’s quiet intrusion on end user privacy (although it’s not positioned that way).
Comments have been scathing
One commenter posted that “(T)here is now effectively one dominating web browser run by an ad company who nigh unto controls the spec for the web itself and who is finally putting its foot down to decide that we are all going to be forced to either use fully-locked down devices or to prove that we are using some locked-down component of our otherwise unlocked device to see anyone’s content, and they get to frame it as fighting for the user in the spec draft as users have a ‘need’ to prove their authenticity to websites to get their free stuff.”
AppleInsider made note of another thread of less-than-positive impressions which were disguised in hexadecimal. Translators are available.
What does this have to do with piracy?
Google proposes a secure environment that is envisioned to function in a manner similar to DRM and conditional access, to use technology to “guarantee” that communication between the consumer and the service provider – in this case, Google – is secure and trustworthy.
But there’s also the potential for a dark side: “If you’re playing by the rules. And the rules were set by Google, so it’s in your best interest to break them by actively harming Google,” said another commenter. “This might be one of the few times where targeted malware could be beneficial if it destroys Google’s services and makes them too much of a risk to use.”
Could Google’s (ostensible) positioning of its Web Integrity API as a security solution backfire as end users suffer collateral damage from attacks on Google’s software?
The proposal also leaves a lot of questions unanswered: for example, how would Google treat media providers or merchants that want consistency across end-user device platforms and decide not to support the API? What about the other nearly-60% of browser users who don’t use Chrome? Do advertisers need to support two worlds: one Google and the other, everyone else?
Shades of the 1990s?
We’ve heard this story of vertical integration before. Throughout much of the 1990s, Microsoft battled the computer industry and the US government over whether or not Microsoft had used its virtual monopoly power as a computer operating systems supplier to present its Internet Explorer browser as a feature of Windows rather than as a separate product. Before that, critics felt the same way about Microsoft Word, Excel, Outlook and PowerPoint as the ‘default’ business applications for Windows.
When Microsoft ultimately lost the Internet Explorer bundling case in 2002, it was required “not to retaliate” against PC OEMs for developing, pre-installing or licensing non-Microsoft browsers and applications on the systems they sold to end users.
Web Environment Integrity Explainer. April 2023. By Ben Wiser, Borbala Benko, Philipp Pfeiffenberger, Sergey Kataev (all at Google).
Second Modified Final Judgment. United States of America v. Microsoft Corporation, Civil action no. 98-1232. April 22, 2009. US District Court for the District of Columbia.
Complaint. United States of America v. Microsoft Corporation, Civil action no. 98-1232. May 18, 1998. US District Court for the District of Columbia.
Why it matters
Google appears to be positioning the Web Integrity API as an integral part of its Chrome browser, but not of competing browsers, in a way that seems to parallel Microsoft’s ultimately failed bundling strategy. Whether Google is found to be exercising an unfair advantage remains to be seen and is probably not determinable until license terms and interface details are made available.
Ars Technica reported in May that “Google published an ‘intent to prototype’ notice, meaning it’s building the feature into Chrome right now for testing. There’s a page for feature-development tracking on chromestatus.com.”
In its early days, Google’s tag line was “Don’t be evil,” which Google abandoned in 2018. Clearly, early commenters are taking Google to task about that. The tag line has since returned, sort of. Google parent company Alphabet’s Code of Conduct, as of July 25, 2023, concluded with “And remember… don’t be evil, and if you see something that you think isn’t right – speak up!”