Google bins integrity API that looked more than a bit like horrible DRM for websites
Chocolate Factory to focus on more limited attestation for Android WebViews
Amid rising community concern, Google says it will no longer develop controversial technology that was said to fight fraud online though to critics looked more like DRM for websites.
Instead, the Chocolate Factory plans to work on a more limited version of the tech for Android WebViews, a version of its Chrome browser that can be embedded within Android apps.
Google intended its Web Environment Integrity API, announced on a developer mailing list in May, to serve as a way to limit online fraud and abuse without enabling privacy problems like cross-site tracking or browser fingerprinting.
WEI is an attestation scheme, meaning it provides a way for web servers to check the authenticity of browser clients using a cryptographic token. One of its stated goals is to "allow web servers to evaluate the authenticity of the device and honest representation of the software stack and the traffic from the device."
That is to say, the API would allow websites to figure out if they were being visited by a legit user in a normal browser as opposed to a page-scraping bot masquerading as a real person or some malicious software bent on fraudulently viewing and clicking on ads and doing other bad stuff.
To do this, the system would need to check, via attestation, whether the visitor's software and hardware stack met certain criteria and thus was authentic. That's great until it's abused to turn away visitors who have a setup a website owner isn't happy with – such as running a content blocker or video downloader.
Google's browser security plan slammed as dangerous, terrible, DRM for websitesPREVIOUSLY
Technical types saw this immediately, and became concerned that Google wanted to create a form of digital rights/restriction management (DRM) for the web. One benefit could be that ad fraud might be easier to prevent; but the risk is that the API could be used to limit web freedom, by giving websites or third-parties a say in the browser and software stack used by visitors.
Apple incidentally has already shipped its own attestation scheme called Private Access Tokens, which while it presents some of the same concerns is arguably less worrisome than Google's proposal because Safari's overall share of the web browser market across all devices is far lower than Chrome's.
Google also offers two more limited attestation services, the Play Integrity API and Firebase App Check. And its YouTube subsidiary's scanning of client browsers for ad blocking extensions also represents a form of attestation or integrity check, albeit where what's evaluated is installed software rather than a cryptographic token.
Google's plan was to prototype the Web Environment Integrity API in Chromium, the open source foundation of Chrome as well as Edge, Brave, Vivaldi, and various other browsers – though not Firefox or Safari.
- Google's next big idea for browser security looks like another freedom grab to some
- Google Chrome pushes ahead with targeted ads based on your browser history
- EFF urges Chrome users to get out of the Privacy Sandbox
- Google Chrome Privacy Sandbox open to all: Now websites can tap into your habits directly for ads
But following the publication of a working draft specification in July, a flood of critical feedback from the technical community, both on the project's issues forum and on social media channels put Google on the defensive. The Googlers involved then limited who could post comments to the project repo and public development of the project ceased.
Three months on, after sporadic inquiries about the project's status, Google has moderated its ambitions.
The Chrome team has thus submitted a commit to revert the project code that had made it to the corporation's browser.
Instead, the Android team aims to focus on the Android WebView Media Integrity API, which provides a similar form of attestation but only for WebViews embedded in Android apps.
"It simply extends existing functionality on Android devices that have Google Mobile Services (GMS) and there are no plans to offer it beyond embedded media, such as streaming video and audio, or beyond Android WebViews," the Android team said.
The Googlers note that the ability to have Android apps embed web pages that embed media files has advantages when developing mobile apps but also affords an avenue for fraud. Unscrupulous devs can meddle with embedded content and how users interact with it. The Android WebView Media Integrity API aims to ensure that those embedding media in WebViews can have some assurance that their assets – such as streaming media – are being displayed in the app where they were embedded and not some unknown party's untrusted app.
Media providers interested in testing this process can sign up to join an early access program planned for next year. ®