hCaptcha + Privacy Pass (Beta)
A new option for preserving your privacy while browsing online.
Privacy Pass is an emerging standard for preserving user privacy that we are developing in conjunction with Cloudflare and others.
How it works: a browser extension provides users with the ability to create and sign cryptographically blind tokens for websites that support the Privacy Pass protocol. The extension generates passes containing cryptographically blinded tokens that are signed by hCaptcha when a challenge is solved on any site using the hCaptcha service.
These tokens are unblinded and stored by the extension for future use. When the user visits a site using hCaptcha and needs to pass the challenge (whether invisible or via the "I am human" button) they are redeemed automatically. The blinding procedure means that signed and redeemed tokens are cryptographically unlinkable from hCaptcha's perspective, and thus user privacy is preserved.
First, install the extension for Chrome or Firefox. Make sure you've enabled the extension in incognito mode. Then, visit any website using hCaptcha and solve a captcha. As of version 2.0.3, you can redeem these tokens on websites using hCaptcha.
Please note: this feature is currently in beta, and may not work for all websites and users all of the time. In the event that it is not enabled or does not work for a particular user, the behavior will simply fall back to the standard hCaptcha experience with no loss of functionality. We expect to take it out of beta during November 2019.
A new icon will appear next to your URL bar. Now visit a website using hCaptcha. The icon will show that the wallet is empty and that you are on a site that includes an hCaptcha challenge. Once you complete the challenge, you will earn tokens that can be redeemed on any other website with hCaptcha.
A count of the current total in your wallet will be shown on the icon after completing the challenge.
You can confirm the extension is working by seeing the counter go down by 1 each time you click the challenge after your initial solve.
And that's it! Your online browsing is now more private.
Developers and cryptographers:
If you would like to track the standardization effort: work is currently underway at the IETF CFRG to standardize the Oblivious Pseudorandom Functions underlying the cryptographic security of Privacy Pass. The protocol itself is going through the draft process as well. The browser extension is, of course, open source for your contributions and review.
Q: Is my IP and browsing history completely private from hCaptcha when using Privacy Pass?
A: Privacy Pass users of hCaptcha will never expose their IP to hCaptcha unless their token wallet is empty or the site sends it. hCaptcha has no way to link the user to the token redemption, and does not ever interact directly with the user during redemption unless their token wallet is empty.
Q: How does Privacy Pass affect hCaptcha earnings?
A: You will earn a reward for the initial solve if the user completes it on your site. Redemptions follow the same response pattern as if the user had auto-passed on your site due to high client confidence: no earning occurs, and the siteverify call from your server receives a `credit: False` in the pass results.