Google's browser security plan slammed as dangerous, terrible, DRM for websites

Google's Web Environment Integrity (WEI) proposal, according to one of the developers working on the controversial fraud fighting project, aims to make the web "more private and safe."

Ben Wiser, a software engineer at the Chocolate Factory, responded on Wednesday to serious concerns about the proposal by insisting that WEI aims to address online fraud and abuse without the privacy harms enabled by browser fingerprinting and cross-site tracking.

"The WEI experiment is part of a larger goal to keep the web safe and open while discouraging cross-site tracking and lessening the reliance on fingerprinting for combating fraud and abuse," he explained in a GitHub Issues post.

The WEI experiment is part of a larger goal to keep the web safe and open

"Fraud detection and mitigation techniques often rely heavily on analyzing unique client behavior over time for anomalies, which involves large collection of client data from both human users and suspected automated clients."

WEI is an attestation scheme. It provides a way for a web publisher to add code to a website or app that checks with a trusted third party, like Google, to see whether a visitor's software and hardware stack meets certain criteria to be deemed authentic.

Technically speaking, attestation is just a matter of transmitting a token with a value – derived from as-yet-undisclosed hardware and software characteristics – that indicates whether or not the client is trustworthy. It's then up to the website publisher to decide how to respond to that signal.

In theory, if effectively implemented, WEI could allow a web game publisher to check whether game players are cheating through the use of unsanctioned hardware or software. Or it might be used by a content publisher to check whether ads are being displayed to real visitors or fraudulent bots.

The worry is that WEI could potentially be used to disallow ad blocking, to block certain browsers, to limit web scraping (still largely legal, though often disallowed under websites' terms-of-service), to exclude software for downloading YouTube videos or other content, and impose other limitations on otherwise lawful web activities.

What WEI's attestation check actually looks for has not been revealed. Nor is it evident from the WEI code that has been added to the Chromium open source project. But Wisner insists, "WEI is not designed to single out browsers or extensions" and is not designed to block browsers that spoof their identity.

However, the intended use of a technology isn't necessarily a limitation on it being employed in tricky new ways.

Sounding the alarm

Those in the technical community who have expressed alarm about the proposal argue that the web should not be brought under a permission-based regime, where a third party renders judgment on the worthiness of users – without consultation, based on opaque criteria.

The use cases listed seem very reasonable, the solution proposed is absolutely terrible

"The idea of it is as simple as it is dangerous. It would provide websites with an API telling them whether the browser and the platform it is running on that is currently in use is trusted by an authoritative third party (called an attester)," wrote Julien Picalausa, a software developer at browser maker Vivaldi, in a post on Tuesday.

"The details are nebulous, but the goal seems to be to prevent 'fake' interactions with websites of all kinds. While this seems like a noble motivation, and the use cases listed seem very reasonable, the solution proposed is absolutely terrible and has already been equated with DRM for websites, with all that it implies."

Dangerous though the idea may be, attestation has already been implemented on native platforms (Android and iOS) – some would say autocratic regimes compared to the relatively open web.

• Google's next big idea for browser security looks like another freedom grab to some
• Google asks websites to kindly not break its shiny new targeted-advertising API
• Xiaomi emits phone browser updates after almighty row over web activity harvested even in incognito mode
• How dodgy browser plugins, web scripts can silently rewrite that URL you were about to hit – and throw you into an internet wormhole

But attestation has even made it to the web. Tim Perry, creator of dev tool HTTP Toolkit, noted in a blog post on Tuesday that Apple offers Private Access Tokens for its Safari browser. Network security firm Cloudflare uses Private Access Tokens as a way to avoid showing people CAPTCHA puzzles to prove that they're not robots.

Perry argues that Apple's scheme is less of a concern because Safari's market share (~20 percent of mobile and desktop browsers) is far less than Chrome/Chromium (~70 percent of web clients). Nonetheless, he opposes attestation for being fundamentally anti-competitive.

"Fraud and bots on the web are a real problem, and discussion on ways to defend against that is totally reasonable, and often very valuable!" Perry declared.

Removing all user control over their own devices is not a reasonable tradeoff

"It's a hard problem. That said, this has to be carefully balanced against the health of the web itself. Blocking competition, hamstringing open source and the open web, and removing all user control over their own devices is not a reasonable tradeoff."

Google considers Apple Private Access Tokens to be too private. The WEI proposal says, "due to the fully masked tokens, this technology assumes that the attester can produce sustainable, high-quality attestation without any feedback from websites about gaps such as false positives or false negatives."

Apple's Private Access Tokens do not involve the exchange of device data between the device maker (Apple, as an attester) and Cloudflare. Google argues that masking token data in this manner denies feedback from websites involved in the attestation process that may be able to use withheld device data to minimize incorrect trust verdicts.

In fact, Wiser suggests privacy improvements are what prompted WEI. "Privacy features like user-agent reduction, IP reduction, preventing cross-site storage, and fingerprint randomization make it more difficult to distinguish or reidentify individual clients, which is great for privacy, but makes fighting fraud more difficult," he claimed.

The result of this, he argues, is that websites – determined to fight fraud – have responded by increasing their usage of sign-in gates, invasive fingerprinting techniques, and intrusive challenges like CAPTCHAs and SMS verification. Wiser argues these defenses make the web experience worse.

"We believe this is a tough problem to solve, but a very important one that we will continue to work on. We will continue to design, discuss, and debate in public," he said.

A fundamental flaw

Jon von Tetzchner, CEO of Vivaldi, told The Register in an interview that while Google has yet to specify exactly what WEI will be measuring to render trust verdicts, the details don't really matter – the entire approach is flawed.

"A big part of the reason why there is a problem is the surveillance economy," he explained, "and the solution to the surveillance economy seems to be more surveillance."

Von Tetzchner said that Google wants to know who is seeing its ads when it should, in his opinion, focus on where its ads get shown – often on web spam pages to be viewed by bots involved in ad fraud.

The solution is to get away from the surveillance economy

He recalled when he was involved with the Opera browser and had to deal with Google Docs not working on the browser. "When we started with Vivaldi, my thinking was okay, we are using Chromium, this is not going to be a problem," he said.

But compatibility issues remained, he said, and Vivaldi had to hide its identity (spoof its default User-Agent string) to enable users to access popular Google services. And he's concerned WEI represents more of the same.

Von Tetzchner argues that attestation is not the proper response to online fraud.

"I just don't think this is a solution," he said. "The solution is to get away from the surveillance economy. We've been trying to ban the surveillance economy and ban the collection of data and making profiles on end users and utilizing it for advertisements. I really don't really see any reason why that should be legal in society.

"The surveillance economy is highly toxic," he added. "It has created significant issues for society. And I think that the obvious thing should be to stop using the technology. It doesn't make any sense to use it and there are other ways to do advertising that work just as well. But there is a lot of money for certain companies and they don't want to give up what they have." ®