Google is killing off its proposal for “Web Environment Integrity API” as a new web standard, though Android phones may still have to deal with it. According to Google’s proposal document, the primary goal of the project was to “allow web servers to evaluate the authenticity of the device and honest representation of the software stack”—basically Google wanted a DRM gatekeeper for the web. The project got widespread coverage in July and was widely panned.
The ominously vague plan was to allow web browsers to detect if your computer was “modified” in a way that the webpage didn’t like. Presumably, this could be anything from a rooted/jailbroken phone to having an undesirable plug-in (read: ad blockers) installed. When you tried to access some protected content, a browser supporting the Web Integrity API would first contact a third-party “environment attestation” server, and your computer would have to pass some kind of test. After having your local environment uh… scanned? passing environments receive a signed “IntegrityToken” that points to the content you wanted unlocked. You would bring this back to the web server and would finally get the content unlocked.
Google’s proposal did not go over well. The explainer was full of conflicting information about just how invasive it wanted to be and what its goals were. Google pinky-promised it wasn’t meant to “enforce or interfere with browser functionality, including plugins and extensions”—this is a vague reference to ad blockers—but also the proposal’s very first example had to do with more accurately measuring ad impressions. Even more alarming was that this wasn’t a discussion—Google never publicized the feature for any kind of feedback, and the company was already actively prototyping the feature in Chrome before the Internet really found out