ALERT: Google Wants to DRM your OS for ‘Web Environment Integrity’

Thinly veiled attempt to track you and make more ad money.

Google’s proposed new web protocol has the effect of adding digital rights management (DRM) to your operating system. They call it Web Environment Integrity (WEI): A super-secure, all-encompassing are-you-a-robot service for websites—to certify your OS hasn’t been messed about with. It has legit uses in the AdTech industry, but it could also be used in more sinister ways.

Naturally, the “freedom to tinker” brigade are up in arms. In today’s SB Blogwatch, we see both sides.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: If planes had horns.

We Will Kill WEI

What’s the craic? Ron Amadeo reports—“Google’s nightmare Web Integrity API”:

Pinky-promise
Google’s newest proposed web standard is—DRM? … The goal of the project is to learn more about the person on the other side of the web browser, ensuring they aren’t a robot and that the browser hasn’t been modified or tampered with in any unapproved ways. … This data would be useful to advertisers to better count ad impressions, stop social network bots, enforce intellectual property rights, stop cheating in web games, and help financial transactions be more secure.

During a webpage transaction, the web server could require you to pass an “environment attestation” test before you get any data. At this point your browser would contact a “third-party” attestation server, and you would need to pass some kind of test. If you passed, you would get a signed “IntegrityToken” that verifies your environment is unmodified. [Then] if the server trusts the attestation company, you get the content unlocked.

Google … pinky-promises the company doesn’t want to use this for anything evil. [But] Google owns the world’s most popular web browser, the world’s largest advertising network, the world’s biggest search engine, the world’s most popular operating system, and some of the world’s most popular websites. So really, Google can do whatever it wants.
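
The round trip described above, modelled as an added example (not code from the WEI proposal, from Google or from the quoted article): an attester signs a token and the web server checks it before unlocking content. The field names, the challenge binding, the 60-second expiry and the result strings are assumptions made for illustration; only the term “IntegrityToken” comes from the page.

```javascript
// Added illustration: simplified model of the attestation round trip.
// Names, fields and checks are assumptions, not the WEI proposal's API.
const nodeCrypto = require('crypto');

// Attester: holds a signing key and vouches for a client environment.
function makeAttester(name) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  return {
    name, publicKey,
    // Issues a signed token bound to the web server's challenge.
    issueToken(challenge, environmentOk, now = Date.now()) {
      const payload = JSON.stringify({
        attester: name, challenge, environmentOk, expires: now + 60_000,
      });
      const signature = nodeCrypto.sign(null, Buffer.from(payload), privateKey);
      return { payload, signature: signature.toString('base64') };
    },
  };
}

// Web server (relying party): decides whether to unlock content.
function verifyToken(token, challenge, trustedAttesters, now = Date.now()) {
  let claims;
  try { claims = JSON.parse(token.payload); } catch { return 'malformed'; }
  const key = trustedAttesters.get(claims?.attester);
  if (!key) return 'untrusted-attester';
  const ok = nodeCrypto.verify(null, Buffer.from(token.payload), key,
    Buffer.from(token.signature, 'base64'));
  if (!ok) return 'bad-signature';
  if (claims.challenge !== challenge) return 'wrong-challenge'; // token reused
  if (claims.expires < now) return 'expired';
  return claims.environmentOk === true ? 'unlock' : 'environment-rejected';
}

// Constructed demo: one attester the server trusts, one it does not.
function demo() {
  const trusted = makeAttester('attester-a');
  const unknown = makeAttester('attester-b');
  const trust = new Map([[trusted.name, trusted.publicKey]]);
  const challenge = nodeCrypto.randomBytes(16).toString('hex');
  const good = trusted.issueToken(challenge, true);
  const rejected = trusted.issueToken(challenge, false);
  const flipped = { ...rejected, payload: rejected.payload.replace('false', 'true') };
  return {
    good: verifyToken(good, challenge, trust),
    flipped: verifyToken(flipped, challenge, trust),
    untrusted: verifyToken(unknown.issueToken(challenge, true), challenge, trust),
    replayed: verifyToken(good, 'some-other-challenge', trust),
    expired: verifyToken(good, challenge, trust, Date.now() + 120_000),
  };
}
console.log(demo());
```

The server’s decision rests entirely on which attester keys it places in its trust map, which is the point of control the commentary on this page argues about.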

Can it ever? Thomas Claburn says WEI “looks like another freedom grab”:

People do not trust
Some in the internet community fear this is the end of the web as we know it. [It] starts to slide the web toward a time in which only authorized, officially released browsers will be accepted by websites. [And] it’s not clear what would be disallowed.

WEI provides a way for a browser to prove it is working as a website operator expects, and hasn’t been manipulated. If you have a website that offers in-browser gaming, and you want to make sure no player is cheating, you could use WEI to determine that connected clients are pure, legit, and not running any cheat code. Same goes for … publishers that only want to serve content and ads to browsers that definitely aren’t just bots.

Building a trust mechanism for web clients becomes more difficult if people do not trust the entity creating the technology. [I] asked Google to comment and the web Goliath declined.

Cars don’t kill people—bad drivers do. kromem thinks it concentrates too much power:

May backfire horribly
A tool can often be used for evil as easily as for good, and the more [it’s] used to block ad blockers over simply filtering out … bots, the more this tool ends up evil. And … there’s nothing preventing scope creep.

[But] this does seem to be primarily focused on the issue of growth in bot activity and making it harder on bots to act as if human to servers. Still, the spirit of who controls the client is very much at stake.

This is a measure that should not happen. And … this is very much the kind of thing that may backfire horribly if forced through.

Or, to put it another way, I’ve Got Three Cats herds ’em: [You’re fired—Ed.]

Like any technology it also has potential for significant abuse. Creating a secure way for people to access important services like banking is great.

It’s also a great way to create a system to utterly dis-empower and control people. Since the latter has a much greater positive correlation with corporate profit motive, which one do you think is more likely to be preferred by corporations?

How to send a message to Google? Fatesrider fires up Firefox:

My personal expectation of Google is, “If we can monetize your data in any way, we will.” While I feel for the Chrome users who value their privacy, I do have to ask them why they use Chrome.

I hesitate to use the word “masochist”, … but I’ve always looked at privacy as something one has to be proactive about, which takes more effort. Sometimes, a lot more effort.

The majority of people who use Chrome have no ****s to give about privacy. And that—more than anything—is why Chrome still exists and [why it] seems hell bent on making sure it has fingers in every Chrome user’s privacy pie.

TIL people still use Firefox. lglethal has another plan:

Best way to kill this: The firm attesting that the “Environment” is safe and untampered with is legally and financially responsible for any failure in the system. Add in a clear penalty on top (say $50k) per failure.

WWrmsD? userbinator quotes Richard M. Stallman:

“Those who give up freedom for security deserve neither.” … This is not the “security” we want, because it is inherently hostile to freedom.

Add “integrity” to the list of adjectives used for obfuscating the rise of authoritarian dystopia. It all started with “trusted computing”, where “trusted” means “not under the owner’s control”. Then they tried to spin it as a “security” thing with TPMs, and created the impression that those speaking out against them were … insane conspiracy theorists. Now it is actually happening.

Who can bring a note of hope? PPH utters a resounding, “Meh”:

I can sandbox your integrity API along with a browser in a VM. You may think you are running on a “clean” OS, but you can never tell.

Meanwhile, Thad Boyd brings good news (everyone):

The good news is it’s a Google project, so it’ll be dead in 18 months.

Also, pivotman319-owo cuts to the chase quick:

Cowards. … Breaking apart the Internet won’t help anyone.

And Finally:

Meanwhile, at London Heathrow airport


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Hiki (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
