Anonymous credentials for the web (no, not those kind)

Simplified diagram of PACT endorsement experience

This is a long post from Mozilla that probably won't get the attention it deserves outside of a niche, geeky audience. I'm very pleased that people are figuring out answers to these issues.

Let's start with the problem:

Browse a news site in a private window. Shop at a major retailer with a VPN. Visit a video streaming platform with anti-fingerprinting defenses tuned up. You’ll see the same responses: registration walls, block pages, and endless CAPTCHAs. The message is clear: if we think you might be a bot, you’re not welcome.

Websites have valid reasons for wanting to block bots. Bots enable volumetric abuse, abuse that wouldn’t otherwise be feasible if it had to be carried out by humans. For example: SEO comment spam, credential stuffing and DDoSing. Consequently, many sites employ dedicated anti-abuse tooling which aims to keep the bots out whilst minimizing friction for human visitors.

Unfortunately, that tooling is increasingly failing at both tasks. Browser privacy protections are dismantling the passive signals that anti-abuse systems depended on to identify and distinguish visitors. Meanwhile advances in generative AI have rendered CAPTCHAs ineffective: bots now solve them faster and more reliably than humans.

Many sites are switching to more invasive mechanisms and now ask visitors to disclose identifying information, e.g. an email address, a federated login or disabling their VPN. This means greater friction for users, since providing these details on a first visit takes time. It also compromises their privacy, since these details enable the same kinds of cross-site tracking that browser privacy protections were intended to mitigate.

AI agents using browsers make this problem even worse. So what can we do? Mozilla and other major web players such as Cloudflare have iterated a solution from 2018 called Privacy Pass that helped Tor browser users avoid constant CAPTCHAs:

Solution to help Tor users bypass future CAPTCHAs through tokens

The above is in production, whereas what's described in the Mozilla post is still a design proposal rather than something you can use today. Essentially PACT (Private Access Control Tokens) is a way of carrying a kind of anonymous "trust stamp" that proves you are a legitimate user – without revealing who you are. Instead of solving puzzles on every site, your browser would present these tokens to show that some trusted party has already checked you in a privacy‑preserving way.

The important point is that the token isn't saying "this is Doug" but rather "this traffic meets the site's rules". This should reduce friction for ordinary users while helping those maintaining websites avoid abuse.

Diagram showing how the PACT system works with various actors

In order to prevent centralised tracking, PACT separates out roles into several "actors":

  • Anchors: organisations that have a good sense of "personhood" (e.g. subscription services, email or phone providers, or VPN services). They issue cryptographic "endorsements" saying, basically, "this user controls some scarce, valuable resource, so they are probably not a throwaway bot account."
  • Moderators: websites (or anti‑abuse providers they use) that turn those endorsements into usable tokens and enforce rate limits or rules. Often, the website you are visiting would be its own Moderator.
  • Browsers and agents: your web browser or an AI agent acting for you. These hold and present tokens when asked, without revealing your identity.

Importantly, the Anchor shouldn't be able to see where you later use the token, and the websites shouldn't be able to link different uses of the same token back to you as an individual.

Hopefully, if it all works as intended, PACT would mean fewer CAPTCHAs, and (government legislation notwithstanding) fewer blanket blocks on VPNs. I think it would mean a more friendly web for privacy‑conscious users and people using legitimate automation.

As ever, there are open questions about governance, power concentration, and how to avoid creating a new "trust oligopoly" on the web. Thankfully, Mozilla and collaborators plan to take the work into standard‑setting bodies like the IETF and W3C, where details and safeguards will need to be hammered out before anything ships in browsers.


Source: Original article · Are.na block · Tech channel

