Google proposes a new tracking superpower in Chrome

Google logo

For the most part, Google has at least put up a little bit of an effort to reduce the amount of tracking it does, like the Privacy Sandbox for Chrome. Technically, Google is still working towards phasing out third-party cookies. Until then, though, the company is also working on alternatives — for more tracking.

Apple has its suite of features built into its software platforms to limit device and user tracking. That includes the likes of Privacy Report in Safari, which automatically limits web tracking.

Google is currently proposing what it calls the "Web Environment Integrity API," which is a new web standard that's pretty similar to something like Digital Rights Management, or DRM. It's meant to identify the user at the computer, all to reduce the usage of bots accessing sites like social media or to stop people from cheating in online games.

The new API proposal is published on GitHub, by one of the four Google employees who authored it, but it is already prototyped within Chrome. No wide launch has been announced or even hinted at yet.

First picked up by HackerNews over the weekend, Ars Technica notes that Google's proposal is one that's entirely encompassed by Google services, like Chrome and Google search. And, unsurprisingly, it's a similar standard that's already present in not just Android, but also iOS.

Android has something it calls "Play Integrity API," and it's designed to identify Android devices that have been rooted. A lot of web developers are not a fan of having their apps accessed on rooted devices, no matter the reason why that device was rooted.

As a result of the API, many apps won't function if they are downloaded on a rooted device, including Netflix, and even Google's own Wallet app. And this new web standard for Chrome would work similarly.

Apple's equivalent to the Play Integrity API is called App Attest, which checks for valid app clients.

Google's Web Environment Integrity API would require that the user pass an "environment attestation" test before that user could access any data on a website. Accessing an attestation server, the user would get the question, prove they aren't a robot, and then be given a token to access the site they are trying to reach.

This is where Google's umbrella comes in, with Chrome serving as the gateway to this particular API, one of the world's most popular web browsers. Then it's a safe bet that Google is in some way related to the website getting delivered to the user, and Google may even be associated with the attestation server.

In an available explainer, Google does say it's not trying to single out individual Chrome users, or digitally fingerprint them. However, it adds that there should be "some indicator enabling rate limiting against a physical device."

Commenters have been leaving issue reports on the proposal since its discovery. "Issue #134" calls out the idea as being "absolutely unethical and against the open web," for instance. There are even a few comments posted purely in hexadecimal, which get colorful.

For now, Chrome remains a viable option as an alternative to Apple's Safari. However, if privacy from ad tracking is a priority, Chrome may be a less useful tool in the future if its foundation is built on fingerprinting users.