Google DRMs the Web

We immediately need to talk about the Web Integrity API that Google is proposing, because even though "this is just a proposal", it's already being implemented in Chrome, which is, like, the most used browser out there. Aaand it's a pretty big deal. Let's talk about it.

So, you know how many applications in Android - such as Netflix - will simply refuse to work at all unless they are being run on a certified device with Google Play installed on it? Fun fact, this is why I cannot watch Netflix on my tablet, and it's frustrating.

Of course, it makes sense, for them: by, as they say, checking the "integrity" of your device they can make sure that you cannot record your favorite Netflix show and share it around, as an example. Having the certainty that your device isn't "compromised" in any way is required to have good DRM, which is what all of this is about.

Google has proposed to add a Web Integrity API that allows websites, like Netflix, to check the integrity of the device regardless of the operating system. It feels like they took the approach they went with on Android, and replicated it on the entire web. This raises so many questions, though: why? how?

On the website side, it's pretty easy. The idea is that there's now a function called navigator.getEnvironmentIntegrity(), and simply by calling that you get an attestation. But what exactly is meant by "environment integrity"?

The general idea is that the client environment - your browser and operating system - is honest about certain aspects of itself, keeps user data and intellectual property secure, and is transparent about whether or not a human is using it.

Emphasis on: "keeps intellectual property secure". I think it's pretty clear what that means: DRM. Of course, it's also quite interesting to have "is transparent about whether or not a human is using it". The reasoning behind the necessity of knowing you're a human is the following: websites often rely on advertisement to work - fair enough - and advertisement is remunerative only if viewed by humans, not robots - fair enough.

But then we discover that this Web Integrity - which is supposed to distinguish between humans and robots - is also meant to be used to avoid "fake engagement" in social networks; this way, "websites can only show users content that is popular with real people, if websites are able to know the difference between trusted and untrusted environment". Which is, well, really risky: basically, it would pave the way for websites like Twitter -- X, I meant X, obviously -- to completely ignore you if you're not in a trusted environment.

If that wasn't enough, another use case - again, all taken from the project documentation itself - is anti-cheat. Online videogames want to know whether you are human to make sure you're not cheating. So, without a trusted environment, you might not be able to: watch streaming films and shows, or use a social network, or play videogames online.

So, the obvious question is: how are you going to achieve this web integrity status, given just how important it might be if websites that this is designed for actually start to use it? Well, I had to dive into the technical stuff, and I really hope I got it right.

Ignoring the, uh, cryptographic aspect of this - public keys, private keys, blah blah blah - you do need a third party, which is not going to be the browser, to attest the integrity of the system. The good news is that the operating system (platform) is expected to do that, and I would be surprised if we couldn't make sure that, even on desktop linux, there's always a component that attests for your system integrity.

The bad news, however, is that the website knows who the attester is, and the website can decide to trust or not certain attesters. Let's make an example. The one attester that the whole introduction keeps mentioning is, obviously, Google Play (for Android devices). If I open Netflix, Google Play is going to attest for my browser integrity, and Netflix is going to be like: Oh, Google Play, I trust those guys.

Whereas, if I do the same thing on Linux, I would expect the attester to be something that's related to Linux - though this is very much unclear - and Netflix could just be like... hey, you know what? No, I do not trust these guys. And given just how many streaming platforms have killed Linux support for little to no reason, I wouldn't be surprised at all if they went with an approach like that.

So... who can be an attester? Well, anyone. It just says: browsers should publish their privacy requirements for attesters, and allow websites to evaluate each attester; users should also be given the option to opt out from attesters that do not meet their personal quality expectations? I'm pretty confused about this.

This is extremely risky. The thing is, the Google employees that proposed all of this know exactly about these risks, and they say: some websites may deny service to browsers that they disfavor for any reason. Like being run on Linux. In fact, they say: some websites might exclude some operating systems. Yes. Yes. Let's see what the authors propose as solutions, then.

The first one is holdback. The idea is: sometimes, randomly, even if your browser is within a 100% attested super cool environment, this API will pretend that you are not in a trusted environment. This will happen to just a small percentage of clients, and only sometimes; but it should be enough to stop all of these worries. Of course, no website would be able to deny access to a user simply because the environment integrity API fails, because they know that this API sometimes just pretends to fail, and they would be denying access to real customers.

But, what's the point of the whole thing then? Well, the idea would be to use this API in an aggregate analysis; as an example: let's get back to social networks. Let's say we have a tweet - agh, err, post - with thousands of likes. Let's say you only count the Web Integrity API certified ones. Well, then you are going to lose some actual likes from actual people because of this holdback thing, but it's just a small percentage, it shouldn't be relevant. This way, you can still get something useful out of the API, but only if you use it in an aggregated manner.

Obviously, this holdback thing... doesn't actually solve anything. Firstly, websites can still decide not to trust Linux, as an example. Maybe they won't deny the access to the website, but getting back to the twitter ... twitter example, they might decide that they don't trust Linux even on the aggregated data, which means that all tweets liked by Linux people will be considered less than tweets liked by Windows people... because we are just less trustworthy.

Finally, I'm not dumb. It's pretty obvious that all of these websites - online video games, streaming services, and such - want the actual API. Without the holdback. They are going to ask for it. And they're big websites. They're gonna win. In fact, not even the proposal says: we are going to implement holdback. They just say: you know, it's an option, but we aren't so sure about that, what do y'all think?

They are not going to implement holdback, and if they do, they are eventually going to turn it off. It can be done anytime, and boom, we're back at: you use Linux? forget the internet.

So, what does the internet think of this Web Integrity API? Well, without any surprise, everybody hates it. The really important point is that there is no reason whatsoever why users would want this. This has no positive side for them. It makes everything worse. Why would we want this? You know who wants this? Big streaming and advertising companies... like Google, who owns Chrome, the most used browser out there.

Mozilla said that this API contradicts their principles and vision for the web. The World Wide Web Consortium said the API is not compatible with the vision of an open web. The Vivaldi browser says the API is dangerous. The Free Software Foundation says this is an all-out attack on the free internet, which it is. The Brave browser says they will not ship this API. Everybody hates this. Except Google.

And, of course, Google is pretty powerful. They already started implementing this, there's already code for it. They say: initially, this will only be supported on Android (because, obviously, they already have the Google Play attester there). Then, this feature will require active integration per platform, meaning that every operating system will need some component that will act as an attester.

If this gets implemented, it will be a disaster for us free software fans. Keep in mind that I've talked about Linux being untrusted a lot, but generally speaking, everything that's ever so slightly unstandard won't be trusted. If you create a new browser, boom, you won't be able to access half of the internet. This is bad.

Even worse - yes, it keeps on going - given that the attester, you know, checks for the browser integrity; if you're using a platform with an, err, annoying enough attester, like Google Play, they might actually check whether you have an adblocker enabled and - if so - they might not give you the certificate of trusted environment. The introduction of the proposal clearly states that these kinds of things are not goals and should not happen, but technically speaking, as soon as you introduce the concept of a trusted environment to protect advertisement, it feels like a logical next step, and it could actually be implemented, so...

Ok, so, one thing before I disappear into the void. I just wanted to say: these videos take a lot of time to research, write, record, edit, and so on - and they are not sponsored by anybody. I do also offer a lot of extra stuff that I don't have to offer, like subtitles that are handwritten, and a full transcript of the whole video if you prefer reading over watching videos. All of this takes time and money.

So, if you're able to donate something to the channel, this is going to make sure that I keep on doing all of this. You would join a pretty big community of people - whose names you should be seeing around me - and you would get some extra benefits because of that; specifically, I do make an almost-daily podcast about Linux news that is Patreon-only.

I also contribute to KDE Plasma, and your donation would help me spend more time working on it; so, thank you so much to everybody who's helping me out, I wouldn't be here without all of you.

Nicco out.