Summary
Privacy Pass is an emerging standard for preserving user privacy that we are developing in conjunction with Cloudflare and others.
How it works: a browser extension provides users with the ability to create and sign cryptographically blind tokens for websites that support the Privacy Pass protocol. The extension generates passes containing cryptographically blinded tokens that are signed by hCaptcha when a challenge is solved on any site using the hCaptcha service, except challenges shown on other Privacy Pass-supporting services that also embed hCaptcha, e.g. Cloudflare.*
These tokens are unblinded and stored by the extension for future use. When the user visits a site using hCaptcha and needs to pass the challenge (whether invisible or via the "I am human" button) they are redeemed automatically. The blinding procedure means that signed and redeemed tokens are cryptographically unlinkable from hCaptcha's perspective, and thus user privacy is preserved.
As the IETF standardization process continues, we expect major browsers will adopt some form of Privacy Pass natively. This will eventually render the extension unnecessary. For the moment, however, please follow the instructions below.
* In other words: you can get hCaptcha Privacy Pass tokens on hCaptcha.com, and use them on other sites directly using hCaptcha.com. You can not get or redeem hCaptcha Privacy Pass tokens to bypass the hCaptcha service as used by Cloudflare, since Cloudflare issues and redeems its own Privacy Pass tokens.
Getting started
First, install the extension for Firefox or Chrome. Make sure you've enabled the extension in incognito mode. Then, visit any website using hCaptcha and solve a captcha. As of version 2.0.3, you can redeem these tokens on websites using hCaptcha.
Once you've got the extension installed, click here (or on any hCaptcha-using website) to earn passes:
Please note: this feature is currently in beta, and may not work for all websites and users all of the time. In the event that it is not enabled or does not work for a particular user, the behavior will simply fall back to the standard hCaptcha experience with no loss of functionality.
A new icon will appear next to your URL bar. Now visit a website using hCaptcha. It will look like this:
which means the wallet is empty, and you are on a site that includes an hCaptcha challenge. Once you complete the challenge, you will earn tokens that can be redeemed on any other website with hCaptcha.
A count of the current total in your wallet will be shown on the icon after completing the challenge.
You can confirm the extension is working by seeing the counter go down by 1 each time you click
the challenge after your initial solve.
And that's it! Your online browsing is now more private.
Developers and cryptographers:
If you would like to track the standardization effort, efforts are currently underway at IETF CFRG to standardize the Oblivious Pseudorandom Functions underlying the cryptographic security of Privacy Pass. The protocol itself is going through the draft process as well. And the browser extension is of course open source for your contributions and review.
FAQ
Q: Is my IP and browsing history completely private from hCaptcha when using Privacy Pass?
A: Privacy Pass users of hCaptcha will never expose their IP to hCaptcha unless their browser's token wallet is empty or the site sends it. hCaptcha has no way to link the user to the token redemption, and does not ever interact directly with the user during redemption unless their token wallet is empty.
Q: How does Privacy Pass affect hCaptcha earnings?
A: You will earn a reward for the initial solve if the user completes it on your site. Redemptions follow the same response pattern as if the user had auto-passed on your site due to high client confidence: no earning occurs, and the siteverify call from your server receives a `credit: False` in the pass results.
Q: If I have Privacy Pass passes issued by another provider, can I redeem them on hCaptcha?
A: No, passes are not interoperable: they must be issued and redeemed by the same authority, in this case hCaptcha. Note that if you have passes from both Cloudflare and hCaptcha in your extension, the number available will change to the correct amount depending on the requirement of the page you are visiting. In other words, if you have 100 Cloudflare passes in your wallet and 10 hCaptcha passes, you should see 10 on the extension icon on pages with hCaptcha embedded.
Q: What other applications of Privacy Pass are you working on?
A: We are very interested in Privacy Pass for the Accessibility ("a11y") use case. Previously popular options like audio captchas discriminate against many a11y users. We believe combining our current a11y approach with Privacy Pass issuance will allow a11y users to browse safely, secure in the knowledge that their traffic is more private, while restricting the abuse by bot operators that inevitably occurs when a11y options are available.
Q: Do other online security services support Privacy Pass?
A: hCaptcha is the first service of its kind that supports Privacy Pass, and is currently the only one to do so. However, we expect other services to recognize the advantages of increasing user privacy online, and expect that in the future more will undertake implementations as the IETF standards that we are helping to develop are formally adopted.
User Guide: Debugging Issues with Privacy Pass Issuance and Validation
Privacy Pass is a new invention by the standards of the Web, and it is possible for other applications and browser extensions that are not aware of it to interfere with its functionality.
If you have issues getting or redeeming tokens:
1. Try one of the other supported browsers: if you're on Chrome, try using Firefox without importing your settings from Chrome, and install the plugin there. If that works, you may have a browser configuration issue.
2. Try disabling other extensions. If that solves it, turn them on one by one until you find the problem, and let the developer of that extension know about it, as well as giving us a heads up at [email protected]
3. If none of the above suggestions works, send us a support email and we'll be happy to help figure out what's going on.