Google’s newest proposed web standard is DRM. Over the weekend, word spread about the company’s proposal for a “Web Environment Integrity API.” The explainer was written by four Google employees, including at least one member of Chrome’s “Privacy Sandbox” team, which is responding to the demise of tracking cookies by integrating a user-tracking ad platform directly into the browser.
The introduction to the Web Integrity API begins, “Users frequently rely on websites trusting the client environment in which they run. This trust may be based on the client environment being truthful about some features of itself, safeguarding user data and intellectual property, and being clear about whether or not a person is using it.”
The project’s purpose is to learn more about the person on the other side of the web browser, guaranteeing they aren’t a robot and that the browser hasn’t been tampered with in any way that isn’t authorized. According to the introduction, this data will assist advertisers in better counting ad impressions, blocking social network bots, defending intellectual property rights, preventing cheating in web games, and making financial transactions safer.
The explainer’s most telling sentence is that it “takes inspiration from existing native attestation signals such as [Apple’s] App Attest and the [Android] Play Integrity API.” Play Integrity (formerly known as “SafetyNet”) is an Android API that allows apps to determine whether your device has been rooted.
Root access gives you complete control over the device you purchased, something many app developers dislike. So, if you root an Android phone and the Android Integrity API flags you, some types of apps will simply refuse to operate. Banking apps, Google Wallet, online games, Snapchat, and various media apps, such as Netflix, will generally be blocked. You may desire root access to cheat at games or steal financial information, but you may also want root to customize your device, remove junkware, or have a reliable backup system. Play Integrity doesn’t care and will still lock you out of those apps. Google wishes the same for the web.
According to Google’s proposal, during a webpage transaction, the web server may ask you to pass an “environment attestation” test before you can access any data. At this point, your browser would contact a “third-party” attestation server, and you would be required to pass a test. If you passed, you’d obtain a signed “IntegrityToken” that vouches that your environment hasn’t been tampered with and is tied to the content you wanted unlocked. You take this back to the web server, and if the server trusts the attestation company, the content is unlocked, and you finally obtain the data you requested.
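The exchange described above, as an added sketch that is not code from Google’s explainer or from this article: an attestation server issues a token bound to one piece of content, and the web server decides whether to unlock it. The token layout, the names `attester_issue`, `server_check` and `attester.example`, and the use of an HMAC with a shared key in place of the attester’s signature are all assumptions made so the example runs on the standard library alone.

```python
import base64, hashlib, hmac, json

# Assumptions (not from the page): token layout, all names, and HMAC with a key
# shared by attester and site standing in for the attester's signature.
ATTESTER_KEYS = {"attester.example": b"constructed-demo-key"}  # attesters the site trusts

def _mac(key, payload):
    return hmac.new(key, payload, hashlib.sha256).digest()

def attester_issue(attester, key, environment_ok, content_id):
    """Attestation server: record the verdict and bind it to the requested content."""
    payload = json.dumps({"attester": attester, "ok": environment_ok,
                          "content": content_id}, sort_keys=True).encode()
    b64 = base64.urlsafe_b64encode
    return (b64(payload) + b"." + b64(_mac(key, payload))).decode()

def server_check(token, requested_content):
    """Web server: unlock only for an intact token from a trusted attester."""
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
        claims = json.loads(payload)
        if not isinstance(claims, dict):
            raise ValueError("claims must be an object")
    except ValueError:
        return "rejected: malformed token"
    name = claims.get("attester")
    key = ATTESTER_KEYS.get(name) if isinstance(name, str) else None
    if key is None:
        return "rejected: attester not trusted"
    if not hmac.compare_digest(sig, _mac(key, payload)):  # constant-time compare
        return "rejected: bad signature"
    if claims.get("content") != requested_content:  # no reuse for other content
        return "rejected: token bound to other content"
    if claims.get("ok") is not True:
        return "rejected: environment failed attestation"
    return "unlocked"

if __name__ == "__main__":
    key = ATTESTER_KEYS["attester.example"]
    token = attester_issue("attester.example", key, True, "/article/42")
    print(server_check(token, "/article/42"))
    print(server_check(token, "/video/7"))
```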