hCaptcha + Privacy Pass (Beta)
A new option for preserving your privacy while browsing online.
Privacy Pass is an emerging standard for preserving user privacy that we are developing in conjunction with Cloudflare and others.
How it works: a browser extension provides users with the ability to create and sign cryptographically blind tokens for websites that support the Privacy Pass protocol. The extension generates passes containing cryptographically blinded tokens that are signed by hCaptcha when a challenge is solved on any site using the hCaptcha service.
These tokens are unblinded and stored by the extension for future use. When the user visits a site using hCaptcha and needs to pass the challenge (whether invisible or via the "I am human" button), the stored tokens are redeemed automatically. The blinding procedure means that signed and redeemed tokens are cryptographically unlinkable from hCaptcha's perspective, and thus user privacy is preserved.
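The blind, sign, unblind and redeem steps described above, as an added example that is not hCaptcha's or the extension's own code. The curve (secp256k1), the try-and-increment hashing, the HMAC redemption tag and all function names are assumptions of this example, and it leaves out the proof the real protocol uses to show that the issuer signs every user's tokens with the same key.

```python
import hashlib, hmac, secrets
# Curve y^2 = x^3 + 7 over F_P with prime order N (secp256k1): this example's choice.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def add(A, B):  # affine point addition; None is the point at infinity
    if A is None or B is None:
        return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if A == B:
        m = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        m = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (m * m - x1 - x2) % P
    return x3, (m * (x1 - x3) - y1) % P

def mul(k, A):  # double-and-add scalar multiplication (not constant time)
    R = None
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def hash_to_curve(seed):  # try-and-increment: first hash that is a valid x-coordinate
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(seed + bytes([ctr])).digest(), "big") % P
        y = pow(x**3 + 7, (P + 1) // 4, P)
        if y * y % P == (x**3 + 7) % P:
            return x, y

def blind(seed):  # client: hide T = H(seed) behind a fresh random scalar r
    r = secrets.randbelow(N - 1) + 1
    return r, mul(r, hash_to_curve(seed))
def sign(k, blinded):  # issuer: sees only r*T, returns k*r*T
    return mul(k, blinded)
def unblind(r, signed):  # client: r^-1 * (k*r*T) = k*T, the stored token
    return mul(pow(r, -1, N), signed)
def tag(token, request):  # MAC keyed by the token binds it to one request
    return hmac.new(repr(token).encode(), request, hashlib.sha256).digest()

def redeem(k, spent, seed, mac, request):  # issuer: recompute k*H(seed), reject reuse
    expected = tag(mul(k, hash_to_curve(seed)), request)
    ok = seed not in spent and hmac.compare_digest(mac, expected)
    if ok:
        spent.add(seed)
    return ok
```

The issuer sees only the blinded point at issuance and only the seed and MAC at redemption. Because r is uniformly random and never leaves the client, the issuer cannot match one to the other.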
First, install the extension for Chrome or Firefox. Make sure you've enabled the extension in incognito mode. Then, visit any website using hCaptcha and solve a captcha. As of version 2.0.3, you can redeem these tokens on websites using hCaptcha.
Once you've got the extension installed, click here (or on any hCaptcha-using website) to earn passes:
Please note: this feature is currently in beta, and may not work for all websites and users all of the time. In the event that it is not enabled or does not work for a particular user, the behavior will simply fall back to the standard hCaptcha experience with no loss of functionality. We expect to take it out of beta during November 2019.
A new icon will appear next to your URL bar. Now visit a website using hCaptcha. It will look like this: [extension icon image], which means the wallet is empty, and you are on a site that includes an hCaptcha challenge. Once you complete the challenge, you will earn tokens that can be redeemed on any other website with hCaptcha.
A count of the current total in your wallet will be shown on the icon after completing the challenge.
You can confirm the extension is working by seeing the counter go down by 1 each time you click the challenge after your initial solve.
And that's it! Your online browsing is now more private.
Developers and cryptographers:
If you would like to track the standardization effort: work is currently underway at IETF CFRG to standardize the Oblivious Pseudorandom Functions underlying the cryptographic security of Privacy Pass. The protocol itself is going through the draft process as well. The browser extension is of course open source for your contributions and review.
Q: Is my IP and browsing history completely private from hCaptcha when using Privacy Pass?
A: Privacy Pass users of hCaptcha will never expose their IP to hCaptcha unless their token wallet is empty or the site sends it. hCaptcha has no way to link the user to the token redemption, and does not ever interact directly with the user during redemption unless their token wallet is empty.
Q: How does Privacy Pass affect hCaptcha earnings?
A: You will earn a reward for the initial solve if the user completes it on your site. Redemptions follow the same response pattern as if the user had auto-passed on your site due to high client confidence: no earning occurs, and the siteverify call from your server receives a `credit: False` in the pass results.
Q: If I have Privacy Pass passes issued by another provider, can I redeem them on hCaptcha?
A: No, passes are not interoperable: they must be issued and redeemed by the same authority, in this case hCaptcha. Note that if you have passes from both Cloudflare and hCaptcha in your extension, the number available will change to the correct amount depending on the requirement of the page you are visiting. In other words, if you have 100 Cloudflare passes in your wallet and 10 hCaptcha passes, you should see 10 on the extension icon on pages with hCaptcha embedded.