Google's 'Fraud Defence' Looks an Awful Lot Like the WEI Zombie
Remember Web Environment Integrity? Google’s 2023 proposal that would have let servers cryptographically verify that your browser was “legitimate” — a pitch so badly received that Mozilla, Brave, and Vivaldi torched it in public, and Google quietly backed off in early 2024. Well, it’s 2026, and that ghost just walked into the room wearing a Google Cloud badge that reads Fraud Defence.
A Quick Refresher on Why WEI Got Killed
WEI’s premise was simple and, on paper, reasonable: prove that the client connecting to your site hadn’t been tampered with. In practice, it meant a Google-blessed attestation layer would decide which browsers counted as “real.”
The implications hit hard the moment developers thought it through. Firefox with an ad blocker? Possibly out. A custom Android build? Out. Anything Google didn’t certify? Out. Critics called it DRM for the open web — and they weren’t being dramatic. The proposal was retired before it shipped, and most of us assumed that was the end of it.
The Cloud-Product Workaround
Fast forward to Google Cloud’s Fraud Defence launch. The marketing language is all about bots, ad fraud, and credential stuffing — the kind of problems every site operator actually wants solved. But peel back a layer and you find something familiar: a system that signals client environment integrity to the site operator, sourced from Google’s view of the device.
Mechanically, it’s doing what WEI tried to do. The crucial difference is the delivery vehicle. WEI was a proposed web standard, which meant it had to survive open review at the W3C and the wider browser community. Fraud Defence is a paid product on Google Cloud. No standards body. No public comment period. Just a “buy” button.
If you can’t get the standards group to ratify your idea, sell it as a SKU. That’s the play.
Why Now
The timing isn’t an accident. AI agent traffic exploded over the past eighteen months, and site operators are drowning. Distinguishing a human from an automated client has become genuinely hard. Scraping, ad fraud, and credential stuffing are real, expensive problems — Cloudflare’s own data shows agent traffic is now a meaningful share of inbound requests on most large sites.
Google read the room. The pitch writes itself: WEI was overreach as a standard, but this is just a security product. To a site operator staring at a fraud bill, “let Google vouch for which visitors are real” sounds less like an ideological battle and more like a Tuesday procurement decision.
The Gatekeeper Problem Hasn’t Moved
The objection from 2023 hasn’t aged a day. One company deciding which clients count as legitimate is a gatekeeper position, regardless of whether it’s delivered as RFC text or a cloud API. Privacy-hardened browsers, niche forks, anonymous sessions, and anything outside Google’s certified list drift toward second-class status on the web.
EFF and a handful of standards-aligned voices have already started raising alarms — the argument being that this is de facto standardization by market adoption rather than by open process. A rejected idea that returns as a product, gains enough customers, and eventually becomes the path of least resistance is, functionally, a standard. Just one nobody got to vote on.
The Closing Thought
The 2023 fight was clean. It was a proposal, and proposals can be rejected. This round is messier. Fraud Defence is a commercial product, and adoption is a private decision made one site at a time. There’s no central body to lobby, no working group to flood with comments. That’s what makes it harder to push back on, not easier.
If your browser of choice ever throws up a “this site couldn’t verify your environment” wall, it probably won’t feel like a policy decision. It’ll feel like a bug. That’s the whole trick.