Reporting Google's WEI to the CMA
The Web Environment Integrity proposal, authored by folks at Google, has caused quite a stir over the last week, and for good reason. It’s another familiar case of:
“Here’s a thing needed for security. Sure it ~could~ be used to lock the web down to specific browsers, extensions, operating systems and devices, but I’m sure it won’t be even though there’s a lot of business interest in doing just that. We (non-legally-binding) pinky promise! We’ve even added a bit to the proposal to make it look like we’ve considered the open web!”.
I don’t deny it could maybe offer some security value, but it comes as a massively high risk to the open web. The value just doesn’t balance with the cost, unless of course it works directly in your business interests and you already have majority browser market share.
Thinking what I can do, and being in the UK, I thought of the Competition & Markets Authority (CMA). From what I’ve seen in my minor involvement with the Open Web Advocacy, and the related interactions with the CMA in regard to Apple’s browser control, the CMA are quite active and clued-up in the world of the web and technology.
WEI poses a significant risk to open markets in the browser and web landscape, therefore I though it’d worth submitting my own concerns to the CMA which you can find below. Hopefully this can at least put it on their radar to track, or show support/pressure where others have also reported this.
If you’re in the UK, you can contact them online here.
Note: the details submission box was character limited. The below is the main description I provided. The form also asks for your own details and the details of the related business for which an issue exists.
I believe Google is intending to abuse their position in the browser market, as the browser vendor with the largest overall market share, via their intent to implement Web Environment Integrity (WEI). I believe their intent to implement WEI, while under the name of security and privacy, is primarily motivated & accelerated by their business interests, while risking the significant introduction of additional monopolisation and barriers to entry for the web.
While the exact mechanisms within the proposals for WEI have been high-level & vague so far, the wider intent alone introduces a significant change to the open nature of the web, and the control balance between users and the websites they visit. From their explainer (https://github.com/RupertBenWiser/Web-Environment-Integrity/blob/main/explainer.md):
websites will be able to request a token that attests key facts about the environment their client code is running in […] Websites will ultimately decide if they trust the verdict returned from the attester
Whether the attester ends up being the browser, client operating system, or a third-party service, such an API introduces unbalanced control in favour of the largest existing players within those areas. If this mechanism becomes implemented within a browser with as much marketshare as Chrome, then I fear that many services on the web will decide to use this as a low-effort route in the name of added security, but at the cost of locking out “untrusted” environments. Such environments could be new browsers attempting to enter the market, existing browsers with little marketshare, browsers configured with certain plugins/extension, browsers on alternative operating systems, new devices entering the market or new mobile operating systems trying to enter the market. Those who decide where trust lays will have significant interest in favouring their business interests in those decisions, and unbalanced control of the web.
While the explainer attempts to open the question of vendor exclusion, ultimately implementation & control will be held by those with the largest browser market-share, and once WEI is implemented in general it would only be a minor further step to remove/change the potential protections discussed so far, since protection against vendor exclusion is not a core part of the fundamental functionality proposed.
It may seem early to raise this as a concern, since it’s in the proposal stage, but the language and responses from Google representatives (Bottom of https://github.com/RupertBenWiser/Web-Environment-Integrity/issues/28) show significant desire to proceed with these proposals in some form despite web community backlash, and this is further backed up by activity already taken place to implement WEI in the chromium project for testing (https://github.com/chromium/chromium/commit/6f47a22906b2899412e79a2727355efa9cc8f5bd). Therefore I believe it’s important for fast CMA involvement since it appears Google has interest to get this quickly established.
While this submission is primarily regarding Google/WEI, it should be noted that this is something that should be considered at a wider scale. Apple has similar mechanisms within Safari (https://developer.apple.com/news/?id=huqjyh7k) already although their lesser cross-platform browser market share means they alone do not pose as much risk to open competition and the open web, at least compared to Google with Chrome’s market share.