Ready for Developer Testing: Probabilistic Reveal Tokens
Theodore Olsauskas-Warren
Contact emails
sau...@google.com, las...@google.com, nic...@google.com, erict...@chromium.org, ryan...@google.com, ayk...@google.com
Explainer
https://github.com/GoogleChrome/ip-protection/blob/main/prt_explainer.md
Specification
None
Summary
To ensure that businesses can continue to estimate the amount of fraud on their systems, train models to defend against fraud, and analyze emerging fraudulent behavior while still mitigating the ability to track users at scale using IP addresses, we propose to introduce a delayed IP sampling mechanism called Probabilistic Reveal Tokens (PRTs) alongside IP Protection for use in protected traffic.
PRTs will be included on proxied requests in a new HTTP header added by the browser for domains that indicate they want to receive them via a signup process. Each PRT will contain a ciphertext, generated by an Issuer and re-randomized for unlinkability by the browser prior to the request, that the recipient can decrypt after a delay. Google will be the issuer for Chrome's implementation. A minority of the decrypted PRTs contain the client's pre-proxy IP address (i.e. non-masked, and as observed by the token issuer), while the remaining PRTs provide no information about the client's original IP address. This results in only a small percent of PRTs containing and revealing the user's IP.
Blink component
Privacy>Fingerprinting>IPProtection
TAG review
None
TAG review status
Pending
Risks
Interoperability and Compatibility
None
Gecko: No signal
WebKit: No signal
Web developers: No signals
Other signals:
WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None
Goals for experimentation
With this dev trial, developers can configure their local Chrome instance to fetch PRTs from the Google issuer and attach them to all network requests to specific domains. Use of the IP proxy is not required.
Going forward, key publication will proceed as normal. Developers can thus store both issued and sent tokens, for later decryption when keys are published.
In a future state, developers will need to sign up their origins to receive PRTs on proxied requests. No sign-up is necessary to perform the local testing outlined here.
This is intended to allow interested developers to test PRTs and begin considering how they might integrate PRTs into their workflows.
Ongoing technical constraints
None
Debuggability
None
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
No
Supported where IP Protection is supported.
Is this feature fully tested by web-platform-tests?
No
DevTrial instructions
https://github.com/explainers-by-googlers/prtoken-reference/blob/main/prt_dev_testing.md
Flag name on about://flags
None
Finch feature name
EnableProbabilisticRevealTokens - Note that there are many subtleties to enabling this feature, please see developer guide.
Requires code in //chrome?
False
Launch bug
https://launch.corp.google.com/launch/4367692