The Web Environment Integrity (WEI) API, developed by Google, claims to enhance website security by verifying browser integrity and blocking malicious activities. However, this feature seemingly favours Google and its browsers while putting competitors at a significant disadvantage. The lack of transparency surrounding the API's verification process raises red flags about user privacy.
The website asks the client environment (the browser) for a token that establishes its authenticity; the browser obtains the token from the attestor and sends it to the website. The token supposedly helps the website verify that its users are genuine, as claimed, and are not tampering with content or functionality.
Building trust between websites and users frequently involves the collection and interpretation of the same integrity token. The token can also function as a nearly one-of-a-kind fingerprint that can be used to track individuals between sites without their knowledge or consent. This enables websites to detect ad-blockers and gather sensitive information about users' browsing behaviour, compromising user privacy and open web principles.
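The token flow and the fingerprinting risk described above can be modelled in a few lines. This is an added example, not code from the WEI proposal or from Google: the token layout, the field names and the three sample users are constructed, and an HMAC stands in for the attestor's public-key signature so that it runs on the standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: HMAC stands in for the attestor's public-key signature so the
# sketch needs only the standard library. All field names are hypothetical.
ATTESTOR_KEY = secrets.token_bytes(32)

# Constructed sample environments, not real data.
USERS = {
    "alice": {"browser": "BrowserX/115", "os": "OS-A 13", "device": "model-1"},
    "bob":   {"browser": "BrowserX/115", "os": "OS-A 13", "device": "model-2"},
    "carol": {"browser": "BrowserX/115", "os": "OS-A 13", "device": "model-2"},
}

def _mac(body):
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(ATTESTOR_KEY, data, hashlib.sha256).hexdigest()

def attest(environment, challenge):
    """Attestor: vouch for the environment, bound to the site's challenge."""
    body = {"challenge": challenge, "verdict": "ok", **environment}
    return {"body": body, "sig": _mac(body)}

def site_verify(token, challenge):
    """Website: accept only an untampered token that answers its own challenge."""
    fresh = token["body"].get("challenge") == challenge
    return fresh and hmac.compare_digest(_mac(token["body"]), token["sig"])

def visit(environment):
    """One page load: site issues a challenge, browser returns the attestor's token."""
    challenge = secrets.token_hex(8)
    token = attest(environment, challenge)
    if not site_verify(token, challenge):
        raise ValueError("attestation rejected")
    return token

def cross_site_key(token):
    """Everything in the token that does not depend on which site asked."""
    return tuple(sorted((k, v) for k, v in token["body"].items() if k != "challenge"))

def unique_users(tokens_by_user):
    """Users whose stable token fields match nobody else's (anonymity set of one)."""
    groups = {}
    for user, token in tokens_by_user.items():
        groups.setdefault(cross_site_key(token), []).append(user)
    return sorted(g[0] for g in groups.values() if len(g) == 1)
```

The per-visit challenge makes every token and signature different, yet the remaining fields are identical on every site, so two sites that compare `cross_site_key` values can match the same visitor; in the sample data one of the three users is singled out completely.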
WEI's implementation appears to favour a closed ecosystem, placing significant reliance on attestors and their trustworthiness. The lack of public disclosure regarding the criteria for obtaining attestation raises concerns about transparency and open standards.
By concentrating trust in a select few authoritative third parties for attestation, the API grants them immense control over web security rules and guidelines. This concentration of power could lead to security and privacy risks if these attesting parties were compromised or acted inappropriately. Essentially, it functions as DRM for the entire web, making ad-blocking nearly impossible.
Users might assume that websites employing the Web Environment Integrity API are entirely secure, which could create a false sense of security. In reality, the API is just one layer of security, and other vulnerabilities might still exist on the website.
When website owners or developers implement the API to detect ad-blockers, it inevitably restricts access or functionality for users. Users have no say in this matter, compromising their privacy and browsing experience.
In conclusion, the Web Environment Integrity (WEI) API introduced by Google raises significant concerns about user privacy and the openness of the web. While it claims to enhance website security, its implementation seems to favour Google and its browsers, potentially impacting competitors and limiting user choice.
The lack of transparency surrounding the API's verification process adds to the apprehensions. As users and stakeholders, it is essential to advocate for a web that prioritises privacy, transparency, and user-centricity.