Google’s Web Environment Integrity project raises a lot of concerns
Earlier last month, four engineers from Google LLC posted a new open-source project on GitHub and called it “Web Environment Integrity.” The WEI project ignited all sorts of criticism about privacy implications and concerns that Google wasn’t specifically addressing its real purpose.
Remember the problems with web cookies? WEI takes this to a new level.
At its heart, WEI has the lofty goal of combating browser fingerprinting abuses. Fingerprinting, also called HTML canvas fingerprinting, uses a variety of tracking techniques to identify a user’s browser by cataloging the particular app, IP address, computer processor, operating system and other characteristics. The combination can be used to determine, for example, whether I have returned to a particular website, and to deliver customized online ads and personalized content, which is sometimes creepy.
These fingerprints have been around for many years and began their life as part of the HTML v5 specifications. They are a very rich and detailed look at the inner workings of a user’s computer, and the data is collected automatically and without the user’s explicit approval with any web server. Readers can get an idea of what is collected with tools such as BrowserLeaks.com or AmIUnique.org. For example, here is what one of my computers gives up:
You can see that I am running on a Mac with OS X 10.13 running on Intel hardware and using a Chrome browser.
What makes the fingerprinting process somewhat insidious is that, unlike web cookies, no residue is left on a user’s computer – everything can be stored in the cloud. The fingerprint data can be collected even if users run private or incognito browsing sessions. Worse yet, each user’s fingerprint can be shared across websites without the user’s knowledge.
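To make the "no residue" point concrete, here is an added example (not from the original article) that derives an identifier from reported attributes alone and shows that a private window yields the same value, while reporting only coarse attributes makes different users indistinguishable. The attribute names, sample values and the FNV-1a hash are assumptions chosen for illustration.

```javascript
// Added illustration: all attribute names and values below are constructed.
// FNV-1a (32-bit) is a stand-in for whatever hash a tracker would use.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Derive an identifier purely from reported attributes. Nothing is read
// from or written to the client, so there is no cookie to clear.
function fingerprint(attrs, keys = Object.keys(attrs)) {
  const canonical = [...keys].sort().map((k) => `${k}=${attrs[k]}`).join("|");
  return fnv1a(canonical);
}

// Count how many visitors a site can tell apart using only `keys`.
function distinctIds(visits, keys) {
  return new Set(visits.map((v) => fingerprint(v, keys))).size;
}

// Constructed sample modelled on the machine described in the article.
const visit = {
  os: "Mac OS X 10.13",
  cpu: "Intel",
  browser: "Chrome",
  timezone: "America/Chicago",
  screen: "2560x1440x24",
  canvasHash: "a91f03c2",
};
// Same browser in a private window: empty cookie jar, same attributes.
const privateWindowVisit = { ...visit };
// A different person whose machine shares OS, CPU and browser.
const otherUser = {
  ...visit,
  timezone: "Europe/Oslo",
  screen: "1440x900x24",
  canvasHash: "07be55d1",
};

const visits = [visit, privateWindowVisit, otherUser];
const allKeys = Object.keys(visit);
const coarseKeys = ["os", "cpu", "browser"];

console.log("full detail:", distinctIds(visits, allKeys), "distinct ids");
console.log("coarse only:", distinctIds(visits, coarseKeys), "distinct ids");
```

Because the identifier depends only on what the browser reports, any two sites running the same derivation arrive at the same value independently, which is why reducing the detail a browser exposes is the effective countermeasure rather than clearing local state.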
Technically, the WEI proposal is a way for browsers to attest themselves with a trusted third party, so that web servers can determine if a browser’s configuration meets certain criteria. This could show, for example, if online gamers were using modifications to their software to enable cheating, or if online ads were being displayed to actual humans or being scanned by bots.
The actual attestation process is still largely unspecified, let alone any decisions about whom these third parties will be or how they are chosen and certified. Given Google’s overarching internet presence, it’s a likely candidate for that third party. These limitations were recognized in the WEI proposal, but no solutions were offered.
Ben Wiser, the lead author of WEI, posted comments on a GitHub forum that it will “discourage cross-site tracking and lessen the reliance on fingerprinting for combating fraud and abuse.” He claimed that it will “make it easier for users to block invasive fingerprinting without breaking safety mechanisms.” Several posters took him to task, claiming that WEI is against the open web design principles and has numerous drawbacks.
In theory, WEI “sounds like it could be ideal for blocking certain types of threats, such as banking trojans and phishing sites,” Catalin Cimpanu wrote in his Risky Business newsletter last week. “But it could also be a poison pill, because it will allow Google and money-grubbing website operators to effectively kill ad-blockers.”
Others have called WEI a de facto web digital rights management. Michael Kawalec, a software engineer for Riot Games, posted on social media that with WEI, “all devices could become commodities, where ad blocking and any user modifications that go against what Google prefers would be banned.”
Another complaint came from Julien Picalausa, a software developer at Vivaldi Technologies AS. The company makes a privacy-enhancing browser, similar to the features found in DuckDuckGo and Brave browsers. He wrote on the company blog that WEI is dangerous. “While this seems like a noble motivation, and the use cases listed seem very reasonable, the solution proposed is absolutely terrible and has already been equated with DRM for websites, with all that it implies.”
Speaking of Brave, they also weighed in with comments in this post, saying, “WEI is simply the latest in Google’s ongoing efforts to prevent browser users from being in control of how they read, interact with, and use the Web. WEI is the latest step in a terrible direction Google is pushing for the Web.”
Wiser disputed these claims, saying WEI wasn’t DRM because it doesn’t lock down any content and isn’t designed to single out individuals or specific browsers or even certain browser extensions, but to balance privacy with fraud prevention.
Vivaldi Chief Executive Jon von Tetzchner told The Register that WEI provides more surveillance, and that attestation isn’t the right mechanism. He wants Google and other browser makers to move away from these tools entirely.
Kawalec also took issue with the way WEI was introduced, through a private GitHub account rather than from any official Google online source. Wiser countered this complaint, saying it was a common way to introduce a new software project before moving through the standards process.
Web cookies have cast a long shadow. Last week, Apple Inc. announced its own effort to combat device fingerprinting by changing its App Store developer terms to better control its abuse. That is certainly another solution to the fingerprinting problem, and Apple said it will begin enforcing this next spring if developers aren’t transparent about using a collection of fingerprinting APIs. Of course, this is just for mobile apps and doesn’t address the wider problem of using browsers to access web content.
But whether WEI is DOA or will survive in some fashion remains to be seen. Prior Google efforts to replace cookies, such as its “Federated Learning of Cohorts,” went nowhere.
Images: Pixabay, David Strom