Word from the European Commission on Web Environment Integrity#

Well, this is certainly not the kind of article I expected to post here. But I was pretty infuriated when I stumbled upon the new Web Environment Integrity standard proposal, and I think there's a pretty good chance you will too if you delve into it.

The TL;DR is that Google is proposing a new web standard called Web Environment Integrity, whose purpose is to assert the “integrity” of browsers accessing web services in order to deny service to users who don't play by the rules — such as bots on social media platforms or modified clients in online games. The process goes like this: criteria for “integrity” are checked by new system- or network-level pieces of software called attesters, and servers provide service when an attester that they trust delivers an attestation.

That's it. That's the whole process. Make up a third party, give it unchecked power to decide who can browse the web, and pretend that it'll be reigned in by a free-for-all market of trust. This garbage is so dystopian that only the “Don't be evil” company could have thought this up. This has been summarized as “DRM for the web”, which I think captures beautifully the ratio of corporate to user interest being displayed.

Naturally, anyone who could read got pretty mad, and I think the proposal repository's issues are worth a read. These were locked to contributor-only almost immediately, but I think most of the importants points were made anyway. At some point, Thomas Whaples suggested that this might straight up violate antitrust laws and linked to instructions on contacting the US D.O.J.'s Antitrust Citizen Complain Center as well as the European Commission's DG Competition.

This is a neat idea, but also the type of suggestion with a pretty low upvote-to-action conversion ratio. While reading it I felt that it might be my turn to do something, so I drafted and sent an e-mail to the European Commision's market information service, which is basically a way to draw the Commission's attention to market practices without filing a formal complaint (which I'm not sure would be possible since this is just a proposal).

You can find my original e-mail and the response below. I did my best to clearly outline the risks and abuses of the proposal, which is harder than it looks. I included a few questions that amount to “should we file a formal complaint and when?”, although I didn't expect the Commission to do legal research to answer a random citizen's email. Sure enough, I got a minimal (but definitely hand-written) reply, so now here's to hoping this madness gets stopped.

Sébastien MICHELLAND
July 25th, 2023

Dear European Commission,

I am writing to inquire about the legal aspects of a recent proposal for a web standard called "Web Environment Integrity" by security engineers working at Google [1]. To be clear (if somewhat blunt), this proposal has raised a lot of concerns in the technical community for appearing to be an attempt by Google to further its monopoly on web browsing at the detriment of users' access to the web. It does so by promoting gatekeeping access to websites and web services behind a complex certification system where Google is the major player.

My request specifically concerns potential abuses of this technology that would violate EU competition laws (most obviously Article 102.(b) of the TFEU [see here - ed.]) as well as the Open Internet regulation 2015/2120 [see here - ed.]. Essentially, I would like to know if our fears of unfair competition and discrimination are warranted in view of EU regulations, and if so what actions should be taken.

Technical aspects of the proposed web standard and suspected abuses

At its core, the proposal [2] establishes a mechanism by which websites ask software components called attesters to attest to the integrity of web browsers browsing the websites. Websites then decide, based on the attester's response and reputation, whether to provide access to their service. The purported intent is to prevent unintended use of websites (e.g., bots on social platforms or hacked video game clients giving players unfair advantages) without relying on data collection that can be abused for fingerprinting.

Critically, the proposal does not include any technical description of what “browser integrity” is supposed to entail. Attesters are by design the sole arbiters of integrity, and the system relies entirely on a decentralized and very loosely-specified chain of trust, including but not limited to which websites trust which attesters and which attesters trust which configurations of which browsers.

The technical community has identified multiple possible abuses of this technology that would restrict users' ability to access web services and their freedom to do it using software of their choosing. These include:

1. Developing attesters that refuse to certify browsers with unofficial extensions, especially ad blocking extensions. Such practice is obviously incentivized by significant ad revenue lost to ad blockers (the prevalence of which is consistently found to be between 25 and 40% [3,4,5]).

2. Developing attesters that refuse to certify third-party browsers or prevent the adoption of new browsers by delaying or otherwise hindering their approval. This would be an effective way for an operating system developer to stifle any competition in the browser space for that particular operating system.

3. Preventing the adoption of new attesters, either by creating barriers of entry at the operating system level (e.g., making it difficult to install attesters on a mobile app store), or by pressuring websites into not accepting their certificates.

4. Discriminating users based on whether they use an attester, which attester, and (depending on whether the attestation includes such details) their browser and operating system. (Such filters are already possible by checking User-Agent strings, but trivial to bypass because user agents are extremely easy to fake.)

The proposal includes vague statements about preventing such abuses in its "Open questions" sections but falls short of formulating a technical solution that addresses any of them.

The truth of the matter is that Google is in a uniquely dominant position to abuse all aspects of this technology:

• It is a major player in the web advertisement industry, giving it significant power to force adoption of the technology, either by promising higher ad revenue from blocking ad blockers, or by rewarding client websites that lock access to their services behind certification by Google-approved attesters.

• It of course owns the Chrome browser, by far the undisputed most popular browser on the web [6]. The company would benefit from any breaking change in web services' availability because Chrome would always be supported first. Less popular browsers would have to scramble for attestations or lose access to all attestation-requiring websites, and users along with it.

• It further owns the Android operating system, which has the largest market share of any operating system the web, according to StatCounter [7]. This gives Google control of a de facto standard attester for the platform.

• It finally has complete control over the world's most popular search engine. This would allow the company to boost attestation-requiring websites in the rankings to further force adoption of the technology. The attestation mechanism would also allow for search engine discrimination; like Chrome, Google's search bot would be the first to be certified by attesters, while other search engine bots struggle to argue that their automated browsing should be recognized as authentic.

In short, this proposal sets out to solve a very narrow issue (reduce the risk of fingerprinting by servers trying to filter out inauthentic clients) and in doing so creates major threats to both open Internet technologies and the availability of content and services in an open Internet. Not surprisingly, it does so in a way that aligns with the company's financial bottom line.

I would like to echo the seemingly-unanimous sentiment of privacy-wary Internet users that such egregious threats cannot have been overlooked by Google or its more-than-capable engineers. This must be by design, and hiding it all behind an open standard pretending it's all to reduce user tracking is nothing short of insulting.

Questions about the legal implications of such practices

As a technical person, I am quite curious about the legal aspects of this whole affair. Below are some questions that I have, which I hope make legal sense.

Q: Would abuses 1-4 (assuming they are technically possible) indeed constitute violations of EU regulation, either by Google, by entities managing websites, or by entities managing attester software?

(I imagine several points of contention here: Article 102 is an obvious one, and it all seems to fall squarely under the Open Internet regulation but its details are beyond my knowledge.)

Q: If not, what would be needed to constitute a breach of the regulations?
Q: If so, when would it be appropriate to lodge a formal complaint (and with what material)?

Of course, a lot of the benefits for Google come from owning the products that will be supported first, meaning that prejudice to competitors starts as soon as popular websites require attestations to deliver their services.

Q: Would it be a violation of the regulation for a website to restrict its service to users of attester software? If so, could the technology be regulated “early” (i.e., before evidence of misuse has to be gathered)?

Q: Does the above result change if it can be technically shown that the proposed standard fails to address its original issue?

Thank you for your time reading through this. The efforts of the Commission towards building an open Internet are much appreciated and I hope that this new issue (if the community's suspicions are justified) can be resolved too.

Respectfully,
Sébastien MICHELLAND

Dear Mr Michelland,

I would like to thank you for the information you have submitted concerning Google’s proposed Web Environment Integrity API. We have taken careful note of the proposal and of the criticisms raised against it by various stakeholders, including citizens. We are taking this matter very seriously and will take your submission, and the arguments raised therein, into account when considering the proposed API’s possible effects on competition.

For the avoidance of doubt, please note that we regard your information as market information and not as a formal complaint, the latter of which would have to comply with all legal requirements set out in Article 5 of Commission Regulation 773/2004.

Kind regards,

Brice ALLIBERT
Head of Unit