Google's Web Environment Integrity could be a disaster for the web

Jul 28, 2023

Google has proposed a new web standard called Web Environment Integrity. You may have read about it on other sites, here's why the proposal could be a disaster for the web.

What is Google's Web Environment Integrity proposal?

Google has published an explainer that gets down to the nitty-gritty of its proposal. It outlines the importance of websites and trusting the client environment they run in, i.e. your web browser and operating system and their methods to protect user data, intellectual property, etc.

The goal for Web Environment Integrity seems to be to prevent fake interactions on websites, aka bots. Google wants to help websites verify that the visitor to their domain is not a robot, but an actual user.

The Mountain View company points out that users are concerned about the authenticity of interactions on social websites, i.e. fake interactions (likes, comments) that are used to promote news, posts, products, etc. The document mentions that it is an expensive ordeal for websites to run, and that advertisements help ease their burden, and that ads are meant for humans, i.e. users and not fake clicks by bots. It also quotes other examples, such as players of online games, who may want to know whether other players on the platform are using legitimate software that enforces the game's rules. This is essentially talking about anti-cheating tools to prevent cheaters from ruining the experience.

Google also played the security card, claiming that users may get tricked into installing malware that mimics genuine apps like banking apps, which in turn could steal the user's data, identity or runs a phishing attack. It wants to prevent bulk hijacking attempts, bulk account creation, password guessing attempts (password stuffing), and detect compromised devices where the user's data could be at risk.

Google says that these issues could be prevented by verifying if the request (attempt to access the website) came from the official app or other trustworthy software. It claims that websites need to differentiate between a trusted and untrusted environment (read environment = browsers).

In a nut-shell, Web Environment Integrity seems to be designed as an anti-fraud tool. While that may sound nice on paper, Google's examples are a sales pitch delivered by a salesman, to push their product as something positive, when in fact it benefits only themselves and their advertisers.

The explainer takes inspiration from existing native attestation signals such as Apple's App Attest and the Google Play Integrity API. As Ars Technica points out, Play Integrity (formerly known as SafetyNet) is an API in Android which apps can use to check if the phone has been rooted or not. The API will flag the device if it discovers that the device is rooted, and apps that use the API may refuse to run. This is pretty common in banking apps, games and some streaming service apps. These apps assume that the user could game the system with root access to phish banking data, cheat at games, etc. There was a time when we could use Magisk to hide the root status to pass SafetyNet, but it seems like ages ago. Google nearly killed custom roms when it started flagging unlocked bootloaders as a security risk.

Now imagine if the same thing happens on the web. It could affect the entire internet quite badly, but we'll get to this in a bit.

How Web Environment Integrity API could be implemented?

Websites will use a Web Environment Integrity API, this will allow them to verify the authenticity of visitors. When a user tries to access a web page, the site will request a token that attests the client environment. A third-party server that acts as the attester, i.e. attest to the device a web browser/operating system is running on, will test your device and sign a token (if your device passes the test). This token contains the attestation with a private key.

The attester's public key will be available to everyone. If your browser/device is attested, it becomes a trusted environment, but if it fails the check, it is seen as untrusted. The attester's server returns the token to the originating web page, and the web server checks if the token came from an attester that it trusts and verifies the token, and check its signature with the public key. If everything goes well, you will be able to access the website.

How Web Environment Integrity API could be implemented

In layman's terms, when you visit a website in your browser, the site will ask a third-party service to verify the integrity of your computer or mobile phone which was used to access the website, before allowing you to view the page.

Theoretically, instead of a 404 error, could we actually see an error like "You cannot access the website because your browser/device has been modified" ? I almost can't believe what I am writing about here, has it really come down to this? And I thought AMP, FLoC were bad ideas.

Why you should be worried about Web Environment Integrity API

Web Environment Integrity API is a form of DRM (Digital Rights Management). It takes away the freedom of user choice, and could negatively impact the privacy of users.

DRMs in browser are not new, Google's Widevine is commonly used by streaming services such as Netflix, Amazon Prime, etc. to protect their data (from being downloaded). You may have noticed that trying to capture a screenshot on your phone may result in a blank screen if the video is protected, that's because the DRM prevents you from recording the media. You could argue that there is some sort of logic there, because those are paid services, and that they want to prevent users from accessing the media for free.

With Web Environment Integrity API however, regular websites could kick you off, simply because you are not using the web browser that they approve on the operating system, because they think it is unsafe. You can't just change the user agent. So, is Web Environment Integrity API not a DRM for websites? It is, this is an insane level of gatekeeping.

And if an attester checks your computer and browser, stores the data in a token and this is sent to the website that requested the token, does that not qualify as fingerprinting? Google's explainer claims that the "attestation payloads will only include information about device and application integrity, as attesters will not have access to the profile information in applications." Nice try, but I'm not entirely convinced by the words of a company that makes it revenue by selling ads.

The document states that Web Environment Integrity will only depend on the underlying hardware and software stack. It will not restrict a browser's functionality, including extensions. Is that supposed to be good news, to soften the blow, perhaps?

Here's the bigger problem. Who decides which browser is trusted? A third-party attester will, but who selects the attester? How does a company qualify to be one? There are no guidelines or rules for that in place, probably because the proposal listed on Chromestatus is still cooking, it's not ready yet.

Take a look at the example given in the explainer. It clearly describes Google Play as an attester. Google has a significant foothold in the smartphone market with Android, and its default browser, Chrome. It also leads the desktop browser market share. Does this automatically grant it the powers of the attester? Well, that does seem to be the case, and it could decide which browsers should be trusted or not be trusted.

Did you know that Apple already has an attestation system in place? It is called Private Access Tokens, and shipped with Safari, iOS 16, macOS 13 Ventura. This article by Tim Perry provides an in-depth analysis of why attestation of browsers is bad.

The proposal seems to be largely in favor of advertisers, rather than users. Google has actively fought against ad blockers, and Manifest V3 could just be the tip of the iceberg which the company wants to control the web with. Remember that conversation between Captain America and Nick Fury in the Winter Soldier where they talk about freedom, this entire scenario reminds me of it.

Mozilla opposes Web Environment Integrity API

A Mozilla representative has commented that the organization opposes the Web Environment Integrity API, it believes any attempt to restrict common web standard choices are harmful to the open web ecosystem. It also notes that detecting non-human traffic could adversely affect assistive technologies, automatic testing, and archiving & search engine spiders. While it agreed that detecting fraud and invalid traffic is a problem, Mozilla says that Web Environment Integrity API is not the solution for the issues.

Vivaldi slams Google's Web Environment Integrity API proposal

Vivaldi has published a much stronger response to criticize the Web Environment Integrity proposal. It poses some questions, such as would Microsoft be the gatekeeper on the Windows Store? Will Apple be the attester on Mac? It also speculates about how this could affect Linux user, whether Canonical, the parent company of Ubuntu, would become the attester for all Linux distros?

There is some concern about browser makers not choosing to implement the API, this would likely fail the attestation process, leaving them with no choice.

The article mentions that the European Union law will likely not allow a few companies to dictate which browsers should be allowed and which shouldn't. That process would be slow, meanwhile Google could rush into things and start implementing the API before the Parliament decides to act. In an interview with The Register, Jon von Tetzchner, the CEO of Vivaldi, slammed Google's idea by saying "A big part of the reason why there is a problem is the surveillance economy, and the solution to the surveillance economy seems to be more surveillance."

Hopefully other browser vendors like Brave, DuckDuckGo, Opera will join the fight against Web Environment Integrity API. Apple already has its own attestation method, and I doubt Microsoft will oppose this if it could somehow use it to shamelessly promote Edge.

As it stands, Web Environment Integrity is an obscene attempt at tightening the noose on users' choice and privacy.

What's your take on it?

Google's Web Environment Integrity could be a disaster for the web
Article Name
Google's Web Environment Integrity could be a disaster for the web
We explain why Google's Web Environment Integrity API is a recipe for disaster.
Ghacks Technology News

Tutorials & Tips

Previous Post: «
Next Post: «


  1. ilev said on August 4, 2012 at 7:53 pm

    Doesn’t Windows 8 know that www. or http:// are passe ?

    1. Martin Brinkmann said on August 4, 2012 at 7:57 pm

      Well it is a bit difficulty to distinguish between domains and files for instance.

    2. Leonidas Burton said on September 4, 2023 at 4:51 am

      I know a service made by google that is similar to Google bookmarks.

  2. VioletMoon said on August 16, 2023 at 5:26 pm

    @Ashwin–Thankful you delighted my comment; who knows how many “gamers” would have disagreed!

  3. Karl said on August 17, 2023 at 10:36 pm


    The comments section under this very article (3 comments) is identical to the comments section found under the following article:

    Not sure what the issue is, but have seen this issue under some other articles recently but did not report it back then.

  4. Anonymous said on August 25, 2023 at 11:44 am

    Omg a badge!!!
    Some tangible reward lmao.

    It sucks that redditors are going to love the fuck out of it too.

  5. Scroogled said on August 25, 2023 at 10:57 pm

    With the cloud, there is no such thing as unlimited storage or privacy. Stop relying on these tech scums. Purchase your own hardware and develop your own solutions.

    1. lollmaoeven said on August 27, 2023 at 6:24 am

      This is a certified reddit cringe moment. Hilarious how the article’s author tries to dress it up like it’s anything more than a png for doing the reddit corporation’s moderation work for free (or for bribes from companies and political groups)

  6. El Duderino said on August 25, 2023 at 11:14 pm

    Almost al unlmited services have a real limit.

    And this comment is written on the dropbox article from August 25, 2023.

  7. John G. said on August 26, 2023 at 1:29 am

    First comment > @ilev said on August 4, 2012 at 7:53 pm

    For the God’s sake, fix the comments soon please! :[

  8. Kalmly said on August 26, 2023 at 4:42 pm

    Yes. Please. Fix the comments.

  9. Kim Schmidt said on September 3, 2023 at 3:42 pm

    With Google Chrome, it’s only been 1,500 for some time now.

    Anyone who wants to force me in such a way into buying something that I can get elsewhere for free will certainly never see a single dime from my side. I don’t even know how stupid their marketing department is to impose these limits on users instead of offering a valuable product to the paying faction. But they don’t. Even if you pay, you get something that is also available for free elsewhere.

    The algorithm has also become less and less savvy in terms of e.g. English/German translations. It used to be that the bot could sort of sense what you were trying to say and put it into different colloquialisms, which was even fun because it was like, “I know what you’re trying to say here, how about…” Now it’s in parts too stupid to translate the simplest sentences correctly, and the suggestions it makes are at times as moronic as those made by Google Translations.

    If this is a deep-learning AI that learns from users’ translations and the phrases they choose most often – which, by the way, is a valuable, moneys worthwhile contribution of every free user to this project: They invest their time and texts, thereby providing the necessary data for the AI to do the thing as nicely as they brag about it in the first place – alas, the more unprofessional users discovered the translator, the worse the language of this deep-learning bot has become, the greater the aggregate of linguistically illiterate users has become, and the worse the language of this deep-learning bot has become, as it now learns the drivel of every Tom, Dick and Harry out there, which is why I now get their Mickey Mouse language as suggestions: the inane language of people who can barely spell the alphabet, it seems.

    And as a thank you for our time and effort in helping them and their AI learn, they’ve lowered the limit from what was once 5,000 to now 1,500…? A big “fuck off” from here for that! Not a brass farthing from me for this attitude and behaviour, not in a hundred years.

  10. Anonymous said on September 28, 2023 at 8:19 am

    When will you put an end to the mess in the comments?

  11. RIP said on September 28, 2023 at 9:36 am

    Ghacks comments have been broken for too long. What article did you see this comment on? Reply below. If we get to 20 different articles we should all stop using the site in protest.

    I posted this on [] so please reply if you see it on a different article.

    1. RIP said on September 28, 2023 at 11:01 am

      Comment redirected me to [] which seems to be the ‘real’ article it is attached to

  12. RIP said on September 28, 2023 at 10:48 am

    Comment redirected me to [] which seems to be the ‘real’ article it is attached to

  13. Mystique said on September 28, 2023 at 12:13 pm

    Article Title: Reddit enforces user activity tracking on site to push advertising revenue
    Article URL:

    No surprises here. This is just the beginning really. I cannot see a valid reason as to why anyone would continue to use the platform anymore when there are enough alternatives fill that void.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.