Google trashes its "DRM for the Web" API
In May 2023, privacy groups and developers were up in arms over Google's plan to integrate the Web Environment Integrity API into its Chrome web browser for the desktop and mobile devices.
Google announced the intent on a developer mailing list. The company claimed that this new API would help combat online fraud and abuse, and that it would do so in a privacy-friendly manner.
The main idea behind the API was to give websites controls to determine whether a visit is legitimate or not. In theory, this would allow (most) human users to access the contents of the website and disallow access to bots and users with malicious intent.
The sites would perform checks to determine whether the visit met certain criteria. If it did, access would be granted.
The main point of criticism leveled against the API was that it gave website owners control over visits. A site could, for instance, decide that users with content blockers would not meet the criteria for a visit. Other examples included blocking users with video downloaders, other browser extensions or even users who used specific browsers.
This API had the potential to create a DRM for the web. As is the case with these technologies, they provide benefits but also open the door for abuse.
The Register discovered that Google's changed the status of the project recently. Yesterday, Google published a notice on its Android Developers Blog in which it provided information on the future of the API.
There, the company reveals that Web Environment Integrity won't be integrated fully in Google Chrome. Google writes: "We’ve heard your feedback, and the Web Environment Integrity proposal is no longer being considered by the Chrome team". Code already integrated into Chromium and Google Chrome is being removed from the browser again.
Google plans to still use it as the Android WebView Media Integrity API, but with a narrower focus. According to Google, the feature will only be made available for WebViews embedded in apps on Android.
Google claims that it is extending existing functionality on "Android devices that have Google Mobile Services" and that the company has no plans "to offer it beyond embedded media, such as streaming video and audio, or beyond Android WebViews".
Closing Words
The Web Environment Integrity API is no more, which is a good thing for the open web and user freedom. Google will remove code from Chrome and Chromium, which it already added.
The Web has won this battle, but it is probably only a matter of time before a new proposal is going to be made that is once again attacking the very core of today's Internet.
“stupid google” ~ google.
You mean all those Captchas you run into when using Chrome don’t work? OMG! The heresy!
Article Title: Google trashes its “DRM for the Web” API
Article URL: https://ghacks.net/2023/11/03/google-trashes-its-drm-for-the-web-api/
Only to revisit it later under a new name designed to fool you the end user into thinking its for your benefit and safety.
Never trust Google, they are just biding their time on how to frame this or choose the right moment.
This is no different to what they have always done, the only difference this time is that they were not as clever or as subtle and had to shelve it for now, that and they are juggling too many balls right now to pull it off without too much fuss.
Thank you for following up on that topic and bringing it back to attention.
Most people underestimate how badly this would have screwed the net, so this is no small bullet that was dodged.
I commented on the original article on it myself, bringing up some of the points.
A more down to earth one is that lawyers could get this swept up in DCMA.
Meaning at least in the usa, and everywhere they can lean on, things like adblockers, scriptblockers, colour scheme changers (darkmode style addons), downloaders, basically anything that changes and blocks the appearance and behavior of a website would be a DCMA violation, on any site that would run that.
“over there” it would be a ‘felony’ by the toolmakers if they distribute them. For the rest of us, it would mostly mean being denied access.
Only personal creation and undistributed use is excepted, the proverbial crack in the wall to allow whitehats and redteams that companies rely on for reporting vulnerabilities and security testing. And this only because they want to avoid it going completely underground and be at the mercy of blackhats.
As you have no doubt noticed, googles focus has meanwhile shifted to something closer to home – fighting adblockers and downloaders on youtube. The other fight is probably not over, more like a timeout, while things cool off and they consider whether it is worth pushing again.
Probably not with the current president, but those things change. It would have been a fantastic powergrab and goldmine of extra data for them, while having such market dominance with chrome/chromium to cement it.
Speaking of darkmode, I find the lack of it here hard on the eyes. A lot of LED white right in the face all the time.
“Speaking of darkmode, I find the lack of it here hard on the eyes. A lot of LED white right in the face all the time.”
The 90s & 00s would have killed you, lol.