Your choice of browser matters
What browser do you use most of the time? Did you say Chrome? There’s a good chance you did. Statcounter says 63.55% of people use Chrome and it’s probably right.
But why do you use Chrome? Most of the people I asked didn’t really have much of a reason. The answers boiled down to “idk I didn’t really think about it” or “it was already there” or “who tf starts a conversation like that?”
I use LibreWolf. I’ve been using it for a few years. I used Waterfox, vanilla Firefox and Vivaldi before that. I even used Opera way back when it still used the Presto engine.
If you asked me why I use LibreWolf/Firefox, it’s because I like it, not because I dislike Chromium (although I do dislike Chromium).
With the decisions Google has been making and how they affect the entire Web, I decided to write this post. My goal is to convince the less tech-savvy people I know to switch and to inform them on why this matters.
So what are these decisions Google has been making?
Chromium is a browser engine. It’s what Chrome and many other browsers are based on, and it’s mainly developed by Google. It’s under an open source licence which means anyone can go and grab the code, make changes and redistribute it. Sounds great right? Well, we’ll get to that later.
Over the years, they’ve made some controversial decisions, like dropping JPEG-XL support despite a lot of interest (although they have recently reconsidered).
Manifest v3
This is not the point of this post so I’m not going to go into too much detail. If you’re interested, you can learn more here.
A manifest file is used by browser extensions to tell your browser what it needs to run, what permissions it uses etc. Manifest v3 was an update that included a change that severely crippled ad and content blocking extensions. These extensions are important to protect the users’ privacy and make the web more usable.
Mozilla, of course, said that they would continue to support the original content blocking features so really, Firefox and its forks are the only browsers where uBlock Origin can be used to its fullest. You can read more about this if you’re interested but let’s get to the main topic, the thing that prompted me to write all of this.
What is WEI?
Web Environment Integrity, or WEI, is basically DRM for the web. The way it’s meant to work is that it verifies that the browser is running in a “trusted” environment. Why do they say they want to do this?
Let’s look at the first paragraph.
Users often depend on websites trusting the client environment they run in. This trust may assume that the client environment is honest about certain aspects of itself, —
This is not the users’ problem, but the server’s. There’s no need to mess with the users’ environment.
There’s a common saying: “never trust client-side.” This just means that when you’re building an app, you can’t trust that the information you’re getting from the client is valid. Most of the time, this isn’t a big deal and a little server-side validation is sufficient. No need to have the user in a secure facility. If you do need the user in a secure facility then you have bigger concerns and this isn’t going to help you as much as you think it will, while also being overkill.
—keeps user data [secure] —
No it’s not going to help keep user data secure. If you’re talking about the connection between the browser and the server, the green padlock indicates that user data is secure. If you’re talking about the server itself, verifying the client isn’t going to do anything, at all, ever. The server is still going to collect all the information you gave them. Keep that in mind, we’ll get back to that later.
—and intellectual property secure, —
This is irrelevant to user data being secure. This just means DRM, aka, worsening the user experience because of the perceived threat of piracy, and some backwards logic that it will somehow increase profits.
—and is transparent about whether or not a human is using it.
Sure, CAPTCHAs are terrible, especially for accessibility, but this is a terrible alternative.
This trust is the backbone of the open internet, critical for the safety of user data —
No, it’s not. Not even a little.
—and for the sustainability of the website’s business.
This is the actual reason. Well, not exactly but close. The actual reason was always just to control how you consume content on the internet so that it can be more heavily monetized. It never had anything to do with sustainability.
Here are some example scenarios listed.
- Users like visiting websites that are expensive to create and maintain, but they often want or need to do it without paying directly. These websites fund themselves with ads, but the advertisers can only afford to pay for humans to see the ads, rather than robots. This creates a need for human users to prove to websites that they’re human, sometimes through tasks like challenges or logins.
See my previous points about how this isn’t the users’ problem. When it comes to monetization on the web, it’s true that the current state is not great without ads. But there are plenty of ad-free services that are able to operate just fine with other, more fair and less intrusive models.
- Users want to know they are interacting with real people on social websites but bad actors often want to promote posts with fake engagement (for example, to promote products, or make a news story seem more important). Websites can only show users what content is popular with real people if websites are able to know the difference between a trusted and untrusted environment.
Sure, bad bots are everywhere. But the issue isn’t so bad that it warrants such an extreme response.
- Users playing a game on a website want to know whether other players are using software that enforces the game’s rules.
Anti-cheat is the exact same thing: you’re letting the game servers snoop on your device. What makes it worse is that none of the big ones are open source, meaning you have no way of knowing what they’re doing on your device. And if you’re thinking that not knowing how they work is better, take a look at why Security by Obscurity is not secure at all.
- Users sometimes get tricked into installing malicious software that imitates software like their banking apps, to steal from those users. The bank’s internet interface could protect those users if it could establish that the requests it’s getting actually come from the bank’s or other trustworthy software.
This is absurd. WEI isn’t going to be even a little helpful in combating phishing attacks, because the bank here isn’t even going to be involved at the time of the attack. The compromised client isn’t going to be connecting to the bank’s server but to the attacker’s, making this whole thing pointless.
So what’s this all for? DRM for the web. It’s that simple. They want really strong DRM for the web in the same way Android was locked down with SafetyNet.
So does this mean that I can be tracked online?
The DRM system itself doesn’t send any identifiable data. Does that mean this is only a concern for the content you consume online?
No. Firstly, the software you will be forced to use to be considered “verified” will be packed with spyware, so that’s some indirect loss of privacy.
Secondly, any individual piece of information cannot be used to track you, but a combination of data points is a lot more valuable.
Browser Fingerprinting
Using a lot of metadata, a profile can be built about a user. Things like your installed fonts, timezone, operating system version, browser version, screen size, whether you’re blocking any of this information from being sent and a lot more.
Individually, none of this information can be used to identify you online. But together, it can be used to ID you pretty accurately.
You can visit this site to see if you can be uniquely identified online.
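The combination effect described above can be measured. The following is an added example, not part of the original post: it counts how many visitors in a constructed sample population share one visitor's attributes, first one attribute at a time and then in combination. The population, the attribute values and all function names are made up for illustration.

```python
import math

ATTRS = ("timezone", "os", "browser", "screen", "fonts")

# Constructed sample population (not real measurements):
# (number of visitors, their attribute values in ATTRS order).
GROUPS = [
    (400, ("America/New_York", "Windows 10", "Chrome 115", "1920x1080", "default")),
    (200, ("Europe/Berlin", "Windows 11", "Chrome 115", "1920x1080", "default")),
    (150, ("Asia/Kolkata", "Windows 10", "Chrome 115", "1366x768", "default")),
    (100, ("Asia/Kolkata", "Android 13", "Chrome 115", "412x915", "default")),
    (60, ("Europe/Berlin", "Linux", "Firefox 115", "2560x1440", "default")),
    (50, ("America/New_York", "macOS 13", "Safari 16", "1440x900", "default")),
    (30, ("Asia/Kolkata", "Linux", "Chrome 115", "1920x1080", "default")),
    (9, ("America/New_York", "Linux", "Firefox 115", "1920x1080", "default+Fira Code")),
    (1, ("Asia/Kolkata", "Linux", "Firefox 115", "1920x1080", "default+Fira Code")),
]

# The visitor we try to single out (the last group above).
TARGET = ("Asia/Kolkata", "Linux", "Firefox 115", "1920x1080", "default+Fira Code")


def crowd_size(groups, target, attrs):
    """Visitors who match the target on every attribute named in attrs."""
    idx = [ATTRS.index(a) for a in attrs]
    return sum(n for n, rec in groups if all(rec[i] == target[i] for i in idx))


def surprisal_bits(groups, target, attrs):
    """Identifying information in bits: -log2(share of visitors that match)."""
    total = sum(n for n, _ in groups)
    return -math.log2(crowd_size(groups, target, attrs) / total)


def report(groups=GROUPS, target=TARGET):
    """Rows of (attrs, crowd size, bits): each attribute alone, then cumulative."""
    combos = [(a,) for a in ATTRS]
    combos += [ATTRS[:k] for k in range(2, len(ATTRS) + 1)]
    return [
        (c, crowd_size(groups, target, c), surprisal_bits(groups, target, c))
        for c in combos
    ]


if __name__ == "__main__":
    for attrs, size, bits in report():
        print(f"{'+'.join(attrs):40} crowd={size:4d}  bits={bits:5.2f}")
```

In this sample every single attribute leaves the visitor in a crowd of at least 10 people, but timezone, OS and browser together already narrow the crowd to one.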
Your browsing habits are a lot more valuable than you think, and you should be concerned about it being used maliciously. Don’t listen to anyone who says that privacy is dead or something similar. It’s not and it’s actually a lot easier to achieve than you may think. You can start by switching to a browser that actually respects your privacy and provides strong protection against fingerprinting. After that, maybe consider switching your operating system as well.
Websites can deny access to platforms they don’t like or can’t control
There are poorly designed sites out there that block access to any browser other than Chrome or Internet Explorer (yes really) because apparently it doesn’t work. But if I just continue using Firefox and spoof my user agent to say “Oh yeah this is Chrome 100% trust me,” the website runs just fine. Normally I would just say “this site isn’t worth it,” but I think it’s safe to say you’ve figured out what kind of sites I’m talking about and why I can’t just not use them.
When designing websites, you should not care about what browser is being used because all of them are expected to follow the same web standards.
But user agent spoofing is easy, DRM is less so. It can be used to limit or deny access to users that the website deems are not using authorized software.
The way WEI is designed, your OS tells the browser who your attester is, which is then passed on to the site. The proposal uses “Google Play” as an example, meaning this is likely to be tested on Android first, since it already has a similar API.
However, it’s up to the website to decide whether they trust any particular attester. This of course means that if your attester isn’t one of the big names, too bad for you.
But wait! WEI to the rescue! They have the perfect plan to stop this from happening. It’s called Holdback.
Providing a signal that is unique to the attester could be hazardous if websites decide to only support attesters where certain signals are available. If websites know exactly what browser is running, some may deny service to web browsers that they disfavor for any reason. Both of these go against the principles we aspire to for the open web.
[…]
To protect against both risks, we are evaluating whether attestation signals must sometimes be held back for a meaningful number of requests over a significant amount of time (in other words, on a small percentage of (client, site) pairs, platforms would simulate clients that do not support this capability). Such a holdback would encourage web developers to use these signals for aggregate analysis and opportunistic reduction of friction, as opposed to a quasi-allowlist: A holdback would effectively prevent the attestation from being used for gating feature access in real time, because otherwise the website risks users in the holdback population being rejected.
Umm… so you’re saying, the genius idea to prevent sites from restricting access for dumb reasons, is to make attestation fail randomly? What?
Apparently, the system is supposed to randomly return a false negative some percentage of the time. This, supposedly, might force websites to take aggregate data instead of taking the risk of flat out denying access to a legitimate user.
Not that they actually intend to implement this. This is just a “suggestion” for a potential solution. They don’t actually mind excluding certain vendors and in fact, it’s just going to be good for them.
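To make the holdback idea concrete, here is a small simulation. It is an added example, not code from the original post or from the WEI proposal, and it rests on assumptions: a 5% holdback rate (the proposal only says "a small percentage"), a per-(client, site) decision derived from a hash, and made-up client IDs, site name and function names.

```python
import hashlib

HOLDBACK_RATE = 0.05  # assumed; the proposal does not give a number


def held_back(client_id, site, rate=HOLDBACK_RATE):
    """Stable decision per (client, site) pair: hash the pair, compare to rate."""
    digest = hashlib.sha256(f"{client_id}|{site}".encode()).digest()
    return int.from_bytes(digest[:8], "big") < int(rate * 2**64)


def presents_attestation(client_id, site, supports_wei, rate=HOLDBACK_RATE):
    """What the site sees. A held-back client looks exactly like an unsupported one."""
    return supports_wei and not held_back(client_id, site, rate)


def simulate(site="shop.example", n_supported=9000, n_unsupported=1000,
             rate=HOLDBACK_RATE):
    """Compare a site that gates on attestation with one that only counts it."""
    # Constructed clients: c* run an attesting browser, u* do not.
    clients = [(f"c{i}", True) for i in range(n_supported)]
    clients += [(f"u{i}", False) for i in range(n_unsupported)]
    seen = [(sup, presents_attestation(cid, site, sup, rate))
            for cid, sup in clients]
    attested = sum(1 for _, ok in seen if ok)
    return {
        "attested": attested,
        # A site using attestation as an allowlist turns all of these away.
        "strict_gate_rejects": len(seen) - attested,
        # ...including clients that would have attested without the holdback.
        "supported_clients_rejected": sum(1 for sup, ok in seen if sup and not ok),
        # Aggregate analysis still works: scale the count by the known rate.
        "estimated_supported": round(attested / (1 - rate)),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key:28} {value}")
```

A site that hard-gates on attestation rejects roughly 5% of clients that do support it, while a site that only looks at totals can still estimate how many of its visitors run an attesting browser.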
So who gets to have attestation?
Say I decide to make my own browser, with all the coolest features you couldn’t even dream of. The greatest browser in the world 😎 Or you know, more likely an overambitious learning project that I’ll abandon after a little while. Doesn’t matter. I now have a browser ready to be used by everyone.
How do I get attestation?
If a significant chunk of the web is inaccessible without attestation, then my browser is useless until it’s approved by whatever body ends up in charge.
What if I decide to integrate adblock and privacy features into the browser (because obviously I would do that)? And there’s no way any browser that blocks ads and trackers is going to get the greenlight. Who in their right mind would trust a big tech company?
This will completely destroy any semblance of competition when it comes to browsers.
This proposal is already being integrated into Chromium. The correct process when proposing a new web standard is to follow the procedures outlined by the W3C and go through all the necessary verification and checking to decide whether it should be approved, amended or rejected.
Google is abusing their market share to circumvent any objections and push this through as soon as possible. This absolutely 100% cannot be allowed.
What do others have to say about this?
Mozilla
Mozilla, naturally, responded clearly and in no uncertain terms that they would oppose this proposal.
Mozilla opposes this proposal because it contradicts our principles and vision for the Web.
Any browser, server, or publisher that implements common standards is automatically part of the Web:
Standards themselves aim to avoid assumptions about the underlying hardware or software that might restrict where they can be deployed. This means that no single party decides which form-factors, devices, operating systems, and browsers may access the Web. It gives people more choices, and thus more avenues to overcome personal obstacles to access. Choices in assistive technology, localization, form-factor, and price, combined with thoughtful design of the standards themselves, all permit a wildly diverse group of people to reach the same Web.
Mechanisms that attempt to restrict these choices are harmful to the openness of the Web ecosystem and are not good for users.
Additionally, the use cases listed depend on the ability to “detect non-human traffic” which as described would likely obstruct many existing uses of the Web such as assistive technologies, automatic testing, and archiving & search engine spiders. These depend on tools being able to receive content intended for humans, and then transform, test, index, and summarize that content for humans. The safeguards in the proposal (e.g., “holdback”, or randomly failing to produce an attestation) are unlikely to be effective, and are inadequate to address these concerns.
Detecting fraud and invalid traffic is a challenging problem that we’re interested in helping address. However this proposal does not explain how it will make practical progress on the listed use cases, and there are clear downsides to adopting it.
Brave
I’m not a fan of Brave browser. I don’t like the crypto features and they’ve been caught messing with links in the past. They also don’t block all ads, instead allowing what they deem “acceptable.” Ads don’t pay a lot if they aren’t targeted, so the only safe ad system is one that doesn’t exist. Ads were one of the worst things to happen to the internet. There are also some other problems with Brave that are off-topic for this post, but you can take a look if you’re interested.
But what’s their stance on WEI? They won’t be shipping it in their builds of Chromium.
I would personally recommend not using any fork of Chromium at all, including Brave. The privacy protections on Chromium based browsers are just not as good as Firefox and it’s better to avoid anything to do with cryptocurrencies.
We are a fork, have been all along, the “reskinned” claim is complete nonsense. We won’t be shipping WEI support, just as we disable or otherwise nullify lots of other junk that Google puts into Chromium. [1] [2]
Vivaldi
Vivaldi is a pretty good browser even though I don’t use it anymore. They made an excellent post detailing how dangerous this proposal is. You should give it a read.
Can we just refuse to implement it?
Unfortunately, it’s not that simple this time. Any browser choosing not to implement this would not be trusted and any website choosing to use this API could therefore reject users from those browsers. Google also has ways to drive adoptions by websites themselves.
First, they can easily make all their properties depend on using these features, and not being able to use Google websites is a death sentence for most browsers already.
Furthermore, they could try to mandate that sites that use Google Ads use this API as well, which makes sense since the first goal is to prevent fake ad clicks. That would quickly ensure that any browser not supporting the API would be doomed.
The Electronic Frontier Foundation
The EFF has also made a great post about the consequences of letting WEI go through: Your Computer Should Say What You Tell It To Say.
Your computer belongs to you. You are the boss of it. It should do what you tell it to.
Microsoft and Apple
There has been no news on Edge or WebKit but it’s safe to assume that both will likely implement WEI if it happens.
The importance of the open web
The internet is for everyone. You should be able to interact with it however you please. The worst case scenario is if a small handful of very powerful entities have complete control over how you interact with the internet, but that is exactly where all of this is heading. Remember, these companies do not have your best interests in mind. They don’t even care about you. All they care about is making a quick buck, repeatedly, forever, completely disregarding the consequences. They cannot be allowed to have such power, ever.
What is FOSS really about
The core philosophy of free software is that you should be free to use software however you like, modify it, and redistribute it. The point is to collectively improve upon each other’s work and pay it forward so that more people may benefit.
There are many popular open source projects that are maintained by companies. This isn’t inherently bad but often has a bad effect. Most require you to sign a Contributor License Agreement (CLA) which means you sign away your copyright over your contribution. This allows the maintainers to suddenly relicense the project at any time, leaving contributors worse off.
Sure, Chromium is open source and you can modify the code and redistribute it. But if you want to send your changes to the main project so that more people may benefit from it, it is ultimately Google’s decision. This is the problem with projects that are not community-run. It happens all the time. Google is implementing WEI in Chromium despite so much backlash because they can.
So if I stop using Chrome, everything will be fixed, right?
If only it were that simple. Unfortunately that just won’t be enough. The only way to stop this from happening and make sure nobody dares to try something like this again is with an Antitrust lawsuit. This needs to be killed before it goes any further.
Here are a couple of links for information on filing an antitrust lawsuit in India
This is not the first time Google has been hit with a lawsuit. Back in 2019, there was a case where Google was accused of abusing its position to restrict Android phone manufacturers who wanted to pre-install Google apps. They lost. You can read more about the details here and here.
Tell everyone about this and help make sure the open internet stays open. They cannot be allowed to get away with this.
I might write another, more technical post if I decide to read through all the links, docs and mailing lists I have on this topic more thoroughly. I’m not sure yet because it’s a lot.
Until next time ✌️