Google has suggested a far-reaching addition to the web which it calls "Web Integrity Standard". This solves a problem that is important not only to Google but to the entire economy of the web. Some users claim it is the death of ad-blocking and the introduction of DRM for web pages. But could it secure the long-term future of the web?

The web has long had a problem - who pays for it? There are plenty of idealists who think that the web wants to be free. They fail to answer the question of what this means in terms of who actually pays for the work done and for the hosting bill. The only reasonable answer provided is that the entire web should be for love of doing something - a huge hobby. Of course, this ignores the fact that the web isn't just an amateur enterprise - there are shops selling things, news outlets and education to name just the obvious professional uses of the web. Even those who are willing to admit that they probably should pay for what is delivered, find it hard to do so. When a website puts up a paywall or asks for donations that result is outrage at the first and apathy towards the second. I understand this because subscribing to one source of information is reasonable, but bankruptcy is the result of subscribing to every interesting source that probably is only interesting once in a while anyway.

Put simply, paywalls limit the freedom to find things out and donations just don't hack it.

The obvious solution, almost from the start of the web, is to allow advertising. The reader is allowed free access to material that costs time and money to construct and all they have to do is put up with some advertising. It should leave everyone happy, but it doesn't. The reaction against web page advertising is often aggressive and absolute. The solution that most adopt is the ad-blocker - a browser add-on that strips out advertising from the web page as it is loaded. This makes the few very happy and the many are condemned to view even more adverts to make up for the loss of income. It can be argued that ad blockers are the drivers of escalation in advertising - they free their users from the need to look at adverts, but they do nothing for the rest of us. We should all use ad-blockers I hear you say - yes but the death of much of the web would follow soon after.

Google, a company once much loved, is now public enemy number one as it survives on advertising. It, of course, also makes the number one browser - Chrome. This is a situation where the poacher is in charge of the game reserve and to be honest I am surprised that Google hasn't found a way to block ad-blockers before now. The latest proposal for a web standard is very much seen by almost everyone as an ad-blocker-killer, but it is very much more as well. It promises to provide a way to trust a client in much the same way as HTTPS allows  you to trust a server. It is designed to confirm that the browser being used conforms to a specification set by the server. For ad serving presumably the condition would be a standard unmodified browser with no ad-blockers installed. For a financial transaction the condition would be that it was a browser and not some bot. For a multiplayer game it would have to have no game cheats installed.

How is it proposed to work?

There are a minimum of three participants involved in web environment integrity attestation:

• The web page executing in a user's web browser
• A third party that can “attest” to the device a web browser is executing on, referred to as the attester server
• The web developer's server which can remotely verify attestation responses and act on this information.

Missing from the proposal is details on how the attester server will actually validate the client. What exactly is it going to measure to arrive at its verdict? All we have at the moment is a fairly precise specification for the transaction.

So is this evil?

The proposal includes a list of things referred to as "non-Goals of the technology" and one of them is:

• Enforce or interfere with browser functionality, including plugins and extensions.

If this is true ad-blockers are not the declared target. However, the statement of the first goal is:

• Allow web servers to evaluate the authenticity of the device and honest representation of the software stack and the traffic from the device.

This means that servers could refuse to serve content to a client which either failed attestation or had a software stack that was regarded as undesirable - like an ad-blocker.

Currently the proposal is under attack by a vociferous group of users via GitHub issues. Many of the comments are simply expressions that Google should be ashamed of proposing such evil nonsense. Real analysis or alternative proposals seem few.  Apple has already implemented an attestation solution by way of Private Access Tokens - the server can ask the client for a secure token which proves that they are not a bot without revealing their identity.

Google is currently prototyping the technology in Chromium and no doubt it will make its way to Chrome in due course. Without more information on how the attestation servers work it is difficult to know exactly what can be implemented and hence how evil a proposal it really is. The proposal makes it all sound to be for the good - but it would, wouldn't it.

More Information

https://github.com/RupertBenWiser/Web-Environment-Integrity

Related Articles

Manifest 2 Stay Of Execution Further Extended

Manifest 3 - Firefox's Big Chance?

Google Delays Manifest V3 Again

Google Stays Execution Of Adblockers

Google To Limit Ad-blockers In Manifest V3

Google Changes API Making Chrome Adblocking Harder

 Google Adds New Chrome Extension Badges

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Comments

Make a Comment or View Existing Comments Using Disqus

or email your comment to: comments@i-programmer.info