A proposed Google specification for ensuring trust on the Web has come under fire for potentially giving websites control over which browsers have the right to access them — and potentially blocking an unwanted browser from accessing a site owned by Google or Microsoft.
At issue is what Google calls Web Environment Integrity, described in this explainer uploaded to GitHub by several Google engineers. The proposal has drawn fire by both Vivaldi as well as Brian Grinstead, a senior principal engineer at Firefox developer Mozilla, who said that his company opposes the proposal as well.
Here’s what Web Environment Integrity would do, according to Google’s proposal. WEI assumes that users want to interact with real people on websites, and verify that any software downloaded from a site is legitimate. Those sites, by contrast, want to ensure that the visitors visiting the sites are “real,” not bots, but without applying a multitude of analytical signals that can identify the user.
What Google proposes doing is allowing sites to ask for a WEI token that describes “key facts about the environment their client code is running in,” such as whether or not the user is surfing from a secure Android device. It’s up to the website to decide whether they trust the token, and therefore the user.
The issue is what would happen if a website rejected a user’s token, thereby blocking them. A site like PCWorld might accept all browsers; what smaller browser makers like Vivaldi and Mozilla fear is that a large Web service like Gmail, Google Search, or other sites owned by Google might block users arriving there via a small, alternative browser.
Vivaldi explained its concerns in a blog post. “Simply, if an entity has the power of deciding which browsers are trusted and which are not, there is no guarantee that they will trust any given browser,” Julian Picalausa, a software developer at the company, wrote. “Any new browser would by default not be trusted until they have somehow demonstrated that they are trustworthy, to the discretion of the attesters. Also, anyone stuck running on legacy software where this spec is not supported would eventually be excluded from the web.”
“While this seems like a noble motivation, and the use cases listed seem very reasonable, the solution proposed is absolutely terrible and has already been equated with DRM for websites, with all that it implies,” Picalusa added.
This issue has cropped up before, in a different context. Mozilla, for example, has published research noting how operating systems steer users to their own browsers. Microsoft threw up roadblocks to moving away from Edge in Windows 11 before changing its browser-choice approach. Vivaldi has previously complained about Microsoft throwing up ads when you try to download an alternative to Edge.
Both browser companies, therefore, are sensitive to a company like Google potentially sidelining them. As it is, companies like Vivaldi, Mozilla and Opera provide browsers to just a few percent of users on the Web.
WEI’s controversy doesn’t appear to be ending anytime soon. One of the Google developers, Ben Wiser, noted that the backlash has shown that a “bigger discussion needs to take place.” Proponents of an Open Web hope that it will.