Auto-verify on chromium browsers, is it a concern?

This feature was apparently made to reduce the number of captchas you see while browsing the internet, but I can’t find a lot of information on its privacy implications. It says that “sites can share a small amount of information” to verify you are not a bot.

Does anyone know what kind of data can sites share? Is this a privacy concern? It is enabled by default on Vanadium.

Not much info indeed

https://xcancel.com/Leopeva64/status/1652369009398956036


https://chromium-review.googlesource.com/c/chromium/src/+/4156731

Looks like it’s based on Private State Tokens which are Google’s implementation of Privacy Pass. It’s basically just a privacy-preserving way to bypass CAPTCHAs. Apple has a similar thing with their Private Access Tokens. The info they’re talking about is likely just the Private State Tokens themselves which are essentially just letting you bypass the CAPTCHAs after you complete one successfully. They’re stored in their own separate area away from other browser data.


Private State Tokens are not inherently privacy-preserving. It is debatable whether auto-verify, the name for chromium’s implementation of PST, is.

By default, an issuer can rotate their keys as frequently as they want and even serve a unique key to each unique user agent from their key commitment endpoint[1]. In addition to this, the client will accept up to 6 unique keys from every issuer at any point in time[2]. Given this, it is clear that any issuer would be able to correlate redemptions of tokens with a specific user if they abuse the API enough; they could rotate keys multiple times an hour and partition issued tokens for every single unique user agent into 6 groups. This would allow the issuer to passively surveil the usage of any site that trusts said issuer and tie it to individual users who have visited the issuer’s site.

So, what does Google do to mitigate this with auto-verify? They make themselves a trusted party to handle it all for you of course[3]. Google’s proprietary server will only allow keys to be rotated every 60 days and acts as a proxy to fetch and serve the keys to chromium browsers.

Now, even disregarding the conflict of interest with the fact that they control 2 of the 9 certified issuers[4], do you trust Google to prevent you from being tracked on the web when it’s something they control at runtime? Not to even mention that Google needs to maintain the list of certified issuers in the first place, which, if grown too large, allows token redeemers to find out what sites (that are issuers) you’ve been visiting.

Mozilla still thought it was a bad idea in 2024 after outlining why they thought so in 2020.

[1] Issuer Key Fetching/Registration

[2] Limiting Encoded Information

[3] Private State Tokens Issuer Registration

[4] PST Issuers
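
Added example (not part of any post in this thread and not Chromium code): a small model of the key-partitioning argument above, showing how the 6-key limit and the rotation interval together determine how small a user's anonymity set can become. The population of 1,000,000, the 20-minute rotation, the one-day window, the even worst-case split and the premise that redemptions from different key epochs can be linked to one visitor are all assumptions of the model.

```python
import math

def key_for(user_id, epoch, keys):
    """Worst-case split (assumed): epoch e reveals base-`keys` digit e of a user index."""
    return (user_id // keys ** epoch) % keys

def anonymity_sets(population, keys, epochs, target=0):
    """Size of the set of users indistinguishable from `target` after each key epoch."""
    candidates = range(population)
    sizes = []
    for epoch in range(epochs):
        seen = key_for(target, epoch, keys)
        candidates = [u for u in candidates if key_for(u, epoch, keys) == seen]
        sizes.append(len(candidates))
    return sizes

def epochs_to_single_out(population, keys):
    """Smallest number of key epochs after which the set can shrink to one user."""
    epochs = 0
    while keys ** epochs < population:
        epochs += 1
    return epochs

def epochs_in_window(window_minutes, rotation_minutes):
    """Key epochs that fit in an observation window (at least one)."""
    return max(1, math.ceil(window_minutes / rotation_minutes))

def smallest_set(population, keys, window_minutes, rotation_minutes):
    """Smallest anonymity set reachable within the window under a rotation policy."""
    usable = min(epochs_in_window(window_minutes, rotation_minutes),
                 epochs_to_single_out(population, keys))
    return anonymity_sets(population, keys, usable)[-1]

if __name__ == "__main__":
    POPULATION, KEYS, DAY = 1_000_000, 6, 24 * 60   # constructed sample values
    print("bits per epoch:", round(math.log2(KEYS), 2))
    print("set sizes per epoch:", anonymity_sets(POPULATION, KEYS, 8))
    print("unrestricted, 20 min rotation:", smallest_set(POPULATION, KEYS, DAY, 20))
    print("60-day rotation:", smallest_set(POPULATION, KEYS, DAY, 60 * DAY))
```

Under these assumptions the unrestricted policy reaches a set of one within a day, while a 60-day rotation leaves roughly a sixth of the population indistinguishable over the same window.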