{"id":86257,"date":"2026-06-23T08:56:54","date_gmt":"2026-06-23T15:56:54","guid":{"rendered":"https:\/\/blog.mozilla.org\/?p=86257"},"modified":"2026-06-23T10:47:36","modified_gmt":"2026-06-23T17:47:36","slug":"keeping-the-web-open-and-private-in-the-bot-era","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/en\/privacy-security\/keeping-the-web-open-and-private-in-the-bot-era\/","title":{"rendered":"Keeping the Web Open and Private in the Bot Era"},"content":{"rendered":"\n<p>If you\u2019ve been running into endless CAPTCHAs or website login requests lately, you\u2019re not imagining things.<\/p>\n\n\n\n<p>Websites, facing a rising tide of abusive traffic from bots, are adopting increasingly aggressive countermeasures, damaging users\u2019 experience of the web, their privacy and open access to the web.<\/p>\n\n\n\n<p>In this post, we\u2019ll talk about a new <a href=\"https:\/\/www.cloudflare.com\/press\/press-releases\/2026\/cloudflare-collaborates-with-leading-browsers-to-develop-a-privacy-first-protocol-for-the-global-internet\/\" target=\"_blank\" rel=\"noreferrer noopener\">initiative<\/a> we\u2019re launching with Cloudflare, other web browsers, and web stakeholders to address this challenge while <a href=\"https:\/\/blog.mozilla.org\/en\/privacy-security\/web-anonymity\/\" target=\"_blank\" rel=\"noreferrer noopener\">keeping the web anonymous by default<\/a>.<\/p>\n\n\n\n<p><strong>Privacy and access in tension<\/strong><\/p>\n\n\n\n<p>The fight for privacy on the web has made real progress. Browsers that put privacy first are eliminating third-party cookies, restricting fingerprinting, and hiding IP addresses, pushing back against the trackers.<\/p>\n\n\n\n<p>But every step forward has come with a cost.<\/p>\n\n\n\n<p>Users are seeing more CAPTCHAs, more demands to log in, and more outright block pages than ever before. 
Building privacy into the browser means dismantling passive signals, like IP addresses and browser fingerprints, that are used to profile users but are also relied on by anti-abuse systems.<\/p>\n\n\n\n<p>At the same time, sites are facing large increases in bot traffic. The response from websites is understandable; volumetric abuse like credential stuffing and spam can do real damage. But the result is a lose-lose: users face mounting friction and reduced privacy, while sites drive away the legitimate visitors they wanted to serve.<\/p>\n\n\n\n<p>If nothing changes, users will increasingly be forced to choose between their privacy and their access to the web.<\/p>\n\n\n\n<p>Proposals have been made to tackle this dilemma by asking users to prove to sites that their devices and software are \u2018trusted\u2019. These proposals, such as <a href=\"https:\/\/arstechnica.com\/gadgets\/2023\/07\/googles-web-integrity-api-sounds-like-drm-for-the-web\/\">Web Environment Integrity (WEI)<\/a>, transfer control of devices away from users and to a small handful of operating system and hardware vendors. This deprives users of choice and control and gives those gatekeepers control over which devices and software can access the web, the opposite of the open web, which Mozilla is working to protect.<\/p>\n\n\n\n<p><strong>Finding a better way forward<\/strong><\/p>\n\n\n\n<p>We think there\u2019s a better way forward. It starts from a simple observation: bots cause harm because they operate at scale. To stop that kind of abuse, a site doesn\u2019t need to know who you are, or that your device is restricted to running approved software. It only needs to know whether you\u2019re staying within a reasonable rate limit.<\/p>\n\n\n\n<p>To make a rate limit work, it must be hard for attackers to create new identities and reset their allowance. 
That\u2019s one reason why sites demand an email address, a federated login or a device fingerprint: obtaining a new one is just costly enough to make the rate limit stick. The challenge is whether we can make rate limits work without giving sites access to hard-to-change identifiers that also enable tracking.<\/p>\n\n\n\n<p>Some sites naturally have a relationship with their users, like a subscription or a long-standing account. What if one of those existing relationships could quietly vouch for you elsewhere, so a site you\u2019ve never visited could trust that you\u2019re a real person within its limits, without learning who you are or even where the vouch came from?<\/p>\n\n\n\n<p>For example, consider a VPN service. Many websites block VPN traffic entirely due to the high rates of abusive traffic blended with legitimate traffic. What if a VPN service could vouch for each of its subscribers? This would let sites manage a per-subscriber rate limit, meaning users get fewer roadblocks and sites get more of the legitimate traffic they want. Of course, this requires that the vouching system doesn\u2019t enable sites to track VPN users, which would otherwise defeat the very purpose of using the VPN.<\/p>\n\n\n\n<p>Enabling this kind of privacy-preserving vouching is already possible in a limited sense. Apple\u2019s Private Access Tokens, built on a cryptographic protocol called Privacy Pass, let Apple devices receive single-use tokens they can later present to websites without those visits being linked together.<\/p>\n\n\n\n<p>However, Private Access Tokens have some <a href=\"https:\/\/blog.mozilla.org\/en\/privacy-security\/captcha-successor-privacy-pass-has-no-easy-answers-for-online-abuse\/\">critical shortcomings<\/a>. First, like WEI, they rely on device attestation, the very hardware gatekeeping we are determined to avoid. 
Second, there\u2019s no easy way to open up the system to let more parties vouch for users without compromising on user privacy, which means concentrating control in the hands of a few. To keep the web open, we need a system where any site can vouch for users, and where other sites can decide who they trust to vouch for users responsibly.<\/p>\n\n\n\n<p>This is a much harder problem, but we think the cryptographic foundations exist to deliver it. <a href=\"https:\/\/eprint.iacr.org\/2024\/1552\">Anonymous credentials<\/a> let one party issue you a credential that you can later present to a site a limited number of times, whilst preventing sites and issuers from tracking its use. It\u2019s even possible to hide which party issued it, proving only that it came from a set of trusted issuers.<\/p>\n\n\n\n<p><strong>A fix is both essential and possible<\/strong><\/p>\n\n\n\n<p>Building this into a system for the open web, where any site could vouch and any site could set its own limits, is challenging, but we believe it\u2019s both possible and essential in order to defuse the tension between privacy and access, while avoiding centralising control in a small number of gatekeepers.<\/p>\n\n\n\n<p>Working with other web stakeholders, including Cloudflare and other browsers, we\u2019ve started designing such a system. For a deeper dive, read our <a href=\"https:\/\/hacks.mozilla.org\/2026\/06\/pact-anonymous-credentials-for-the-web\/\">post on Hacks<\/a>, which goes into more detail about the problem space and the approach we\u2019re working on.<\/p>\n\n\n\n<p>Our goal is simple: fewer CAPTCHAs, fewer unnecessary blocks and fewer demands to identify yourself, without compromising on privacy. 
This is the kind of web that Mozilla built Firefox to offer: easy to use, private and open to all.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you\u2019ve been running into endless CAPTCHAS or website login requests lately, you\u2019re not imagining things.&nbsp; Websites, facing a rising tide of abusive traffic from bots, are adopting increasingly aggressive countermeasures, damaging user\u2019s experience of the web, their privacy and open access to the web.&nbsp;&nbsp;&nbsp; In this post, we\u2019ll talk about a new initiative we\u2019re [&hellip;]<\/p>\n","protected":false},"author":1829,"featured_media":85464,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30,30710,289374],"tags":[4708],"coauthors":[464206],"acf":[],"yoast_head_json":{"title":"Keeping the Web Open and Private in the Bot Era","description":"If you\u2019ve been running into endless CAPTCHAS or website login requests lately, you\u2019re not imagining things.\u00a0","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/en\/privacy-security\/keeping-the-web-open-and-private-in-the-bot-era\/","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/en\/privacy-security\/keeping-the-web-open-and-private-in-the-bot-era\/","url":"https:\/\/blog.mozilla.org\/en\/privacy-security\/keeping-the-web-open-and-private-in-the-bot-era\/","name":"Keeping the Web Open and Private in the Bot Era","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.mozilla.org\/en\/privacy-security\/keeping-the-web-open-and-private-in-the-bot-era\/#primaryimage"},"image":{"@id":"https:\/\/blog.mozilla.org\/en\/privacy-security\/keeping-the-web-open-and-private-in-the-bot-era\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2026\/04\/Browsing_1920x1080.jpeg","datePublished":"2026-06-23T15:56:54+00:00","dateModified":"2026-06-23T17:47:36+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/en\/#\/schema\/person\/edf11bdfdb1d24f1a537f9e945f05c0d"},"description":"If you\u2019ve been running into endless CAPTCHAS or website login requests lately, you\u2019re not imagining 
things.\u00a0","breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/en\/privacy-security\/keeping-the-web-open-and-private-in-the-bot-era\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/en\/privacy-security\/keeping-the-web-open-and-private-in-the-bot-era\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/en\/privacy-security\/keeping-the-web-open-and-private-in-the-bot-era\/#primaryimage","url":"https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2026\/04\/Browsing_1920x1080.jpeg","contentUrl":"https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2026\/04\/Browsing_1920x1080.jpeg","width":1920,"height":1080,"caption":"Black-and-white close-up of a hand using a device beside oversized cursor icons."},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/en\/privacy-security\/keeping-the-web-open-and-private-in-the-bot-era\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/en\/"},{"@type":"ListItem","position":2,"name":"Keeping the Web Open and Private in the Bot Era"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/en\/#website","url":"https:\/\/blog.mozilla.org\/en\/","name":"The Mozilla Blog","description":"News and Updates about Mozilla","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/en\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/en\/#\/schema\/person\/edf11bdfdb1d24f1a537f9e945f05c0d","name":"Rebecca 
Smith","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/en\/#\/schema\/person\/image\/8d54bca6e5af79b1181b5e9f1af3af60","url":"https:\/\/secure.gravatar.com\/avatar\/6d9f29bb1ee6c52e55575057e21d2342?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/6d9f29bb1ee6c52e55575057e21d2342?s=96&d=mm&r=g","caption":"Rebecca Smith"},"url":"https:\/\/blog.mozilla.org\/en\/author\/rsmithmozilla-com\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/posts\/86257"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/users\/1829"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/comments?post=86257"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/posts\/86257\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/media\/85464"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/media?parent=86257"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/categories?post=86257"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/tags?post=86257"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/coauthors?post=86257"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}