Google has announced the discontinuation of its contentious Web Environment Integrity (WEI) API, a protocol designed to combat online fraudulent activities. The technology drew sharp criticism as numerous stakeholders interpreted its functionality as a form of Digital Rights Management (DRM) for websites, hence the decision to cease its development.
The idea behind Google's WEI API was to serve as a guard against online fraud and misuse without facilitating privacy infringements such as cross-site tracking or browser fingerprinting. An attestation scheme at its core, WEI API enabled servers to validate the authenticity of browser clients via a cryptographic token.
This token then becomes an identity badge of sorts for the browser client, ensuring that it not a malicious program conducting fraudulent activities. The problem arose when critics argued that this same mechanism could be exploited to prevent visitors using certain software, such as ad-blockers or video downloaders, from accessing websites.
Android WebViews: A Limited and Safeguarded Approach
In a change of plans, Google now aims to focus on Android WebViews, a Chrome browser version that can be embedded into Android applications. This scaled-back version of the original technology functions predominantly on Android devices and caters only to embedded media, such as audio and video streaming. The decision safeguards users' web freedoms and addresses prior concerns about potential abuses of the WEI API.
Apple offers a similar attestation service called Private Access Tokens. However, because Safari holds a smaller market share in web browsing than Chrome across all devices, the existence of Apple's attestation scheme has not created as much controversy. Besides, Google already has two other attestation services in active use, namely the Play Integrity API and the Firebase App Check. Even YouTube, a subsidiary of Google, scans client browsers for ad-block extensions, which is itself a form of integrity checking.
Looking Ahead: The Future of Google's Integrity Verification Services
Google's intention was to use Chromium, which underpins Chrome, Edge, Brave, Vivaldi, among other browsers except Firefox and Safari, to prototype the Web Environment Integrity API.
Despite the discontinuation of the WEI API, Google's efforts to combat fraud haven't entirely been abandoned. The newly proposed Android WebView Media Integrity API is intended to ensure that embedded media can be trusted to be displayed within the app where it was embedded, rather than an unknown app.