
Investigate Privacy Pass for Wikimedia Sites
Open, Low, Public


Privacy Pass interacts with supporting websites to introduce an anonymous user-authentication mechanism. In particular, Privacy Pass is suitable for cases where a user is required to complete some proof-of-work (e.g. solving an internet challenge) to authenticate to a service. In short, the extension receives blindly signed ‘passes’ for each authentication and these passes can be used to bypass future challenge solutions using an anonymous redemption procedure. For example, Privacy Pass is supported by Cloudflare to enable users to redeem passes instead of having to solve CAPTCHAs to visit Cloudflare-protected websites.
The blind signing procedure ensures that passes that are redeemed in the future are not feasibly linkable to those that are signed. We use a privacy-preserving cryptographic protocol based on ‘Verifiable, Oblivious Pseudorandom Functions’ (VOPRFs) built from elliptic curves to enforce unlinkability. The protocol is exceptionally fast and guarantees privacy for the user. As such, Privacy Pass is safe to use for those with strict anonymity restrictions.

Would this be beneficial for us?

I note, it could be more useful in conjunction with T250227: Investigate and evaluate hCaptcha to replace Wikimedia's Fancy Captcha

Event Timeline

If a third party would be presenting our challenges, it could help make them unable to link the requestors of captchas (for which they would have IP addresses, run JS, etc.) and the actual Wikipedia (since the token will be redeemed at a later date).

I would find it more useful for e.g. voting, where you would issue limited tokens (one per account), and have a different party tally them, both of them unable (even if colluding) to link the authenticated user to the vote they issued. seems to be another project doing basically the same thing.

This might be something to stall and look at later when things are more "standardised"

JFishback_WMF moved this task from Incoming to Backlog on the Privacy Engineering board.

A couple of updates:

  1. Via @Maryana, at the recent WWDC, Apple presented a new Privacy Pass-like technology they are calling Private Access Tokens (not to be confused with Personal Access Tokens). And there's a related blog post about Fastly's implementation.
  2. There appears to be yet another new captcha system, referenced on the Fix Wikimedia Captchas task: T241921#8092659. This seems promising though new and not likely battle-tested. I'm also not seeing where it supports Privacy Pass or similar functionality, as hCaptcha does.