My ELI5 version:

Basically, the ‘Web Environment Integrity’ proposal is a new technique that verifies whether a visitor of a website is actually a human or a bot.

Currently, there are captchas where you need to select all the crosswalks, cars, bicycles, etc. which checks whether you’re a bot, but this can sometimes be bypassed by the bots themselves.

This new ‘Web Environment Integrity’ thing goes as follows:

1. You visit a website
2. Website wants to know whether you’re a human or a bot.
3. Your browser (or the ‘client’) will send request an ‘environment attestation’ from an ‘attester’. This means that your browser (such as Firefox or Chrome) will request approval from some third-party (like Google or something) and the third-party (which is referred to as ‘attester’) will send your browser a message, which basically says ‘This user is a bot’ or ‘This user is a human being’.
4. Your browser receives this message and will then send it to the website, together with the ‘attester public key’. The ‘attester public key’ can be used by the website to verify whether the attester (a.k.a. the third-party checking whether you’re a human or not) is trustworthy and will then check whether the attester says that you’re a human or not.

I hope this clears things up and if I misinterpreted the GitHub explainer, please correct me.

The reason people (rightfully) worry about this, is because it gives attesters A LOT of power. If Google decides they don’t like you, they won’t tell the website that you’re a human. Or maybe, if Google doesn’t like the website you’re trying to visit, they won’t even cooperate with attesting. Lots of things can go wrong here.