December 27, 2024

Proton builds its very own privacy-first CAPTCHA system

The cybersecurity firm behind the popular encrypted email and VPN service has just unveiled its very own secure CAPTCHA service.

Proton CAPTCHA solves issues within existing systems that website providers use to discern between genuine login attempts and malicious bots. The new technology claims to never compromise privacy, security, and accessibility, while describing itself as “the world’s first” CAPTCHA with built-in censorship-resistant technologies.

This isn’t the first time the company behind ProtonVPN and ProtonMail has gone the extra mile to protect its customers. Just a month ago, for example, it launched Proton Sentinel to offer increased protection to users at higher risk of cyberattacks.

Fixing CAPTCHA issues

Short for “Completely Automated Public Turing test to tell Computers and Humans Apart,” CAPTCHA systems come in many forms, and websites use them to protect users from bot and spam attacks. However, Proton wasn’t satisfied with existing solutions, as it felt they were not aligned with the company’s values.

“Captchas are an incredibly important tool to protect users against increasingly sophisticated attacks. However, most Captchas are not privacy first and can divulge users’ sensitive information to internet giants,” Eamonn Maguire, Head of Account Security at Proton, told us.

He explained that, in order to function, many CAPTCHAs retain a permanent record of the unique identifiers of users’ phones or computers. This allows them to track users’ activities across the web, collecting more data that might be used to train the company’s or a third party’s AI system. ChatGPT and similar apps are also making common CAPTCHAs obsolete, seeing as the software can easily crack the puzzles.

For this reason, and to promote better usability, tech giants like Apple and Cloudflare are switching from the classic CAPTCHA puzzle to alternative mechanisms, such as device performance and telemetry data. Yet, for Proton, this was still just a patchwork solution.

“That’s why we developed Proton Captcha, a new system that can adeptly balance security with usability, accessibility, and privacy that can evolve in tandem with the shifting tactics of malicious actors,” said Maguire.

Proton CAPTCHA takes a multi-layered defense approach, combining a computational proof of work with visual challenges to determine if the login attempt comes from a genuine human. At the time of writing, the latter includes a beam alignment challenge and an intuitive 2D puzzle. The system also offers accessible alternatives for users with visual impairments.

Proton’s proof of work also differs from other CAPTCHAs offering something similar, as the system adapts the difficulty of the task if it records suspicious behavior. In practical terms, even if a bot can bypass the initial proof of work, after struggling with the visual challenges it will be met with increasingly complex computations.
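To make the adaptive proof-of-work idea concrete, here is an added sketch in Python; it is not Proton's code or protocol, only a generic hashcash-style scheme. The function names, the SHA-256 puzzle, and the difficulty values are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)         # constructed per-process secret
BASE_BITS, STEP_BITS, MAX_BITS = 12, 2, 20   # assumed policy, not Proton's values

def difficulty_for(failed_visual: int) -> int:
    """Raise the required leading zero bits with each failed visual challenge."""
    return min(BASE_BITS + STEP_BITS * failed_visual, MAX_BITS)

def _tag(session: str, nonce: str, bits: int) -> str:
    msg = f"{session}|{nonce}|{bits}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_challenge(session: str, failed_visual: int) -> dict:
    """Server side: the MAC binds the difficulty so a client cannot lower it."""
    bits = difficulty_for(failed_visual)
    nonce = secrets.token_hex(16)
    return {"session": session, "nonce": nonce, "bits": bits,
            "tag": _tag(session, nonce, bits)}

def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def _work(nonce: str, counter: int) -> bytes:
    return hashlib.sha256(f"{nonce}:{counter}".encode()).digest()

def solve(ch: dict) -> int:
    """Client side: brute-force a counter; cost doubles with every extra bit."""
    counter = 0
    while leading_zero_bits(_work(ch["nonce"], counter)) < ch["bits"]:
        counter += 1
    return counter

def verify(ch: dict, counter: int) -> bool:
    """Server side: one hash to check, after authenticating the parameters.
    A deployment would also expire nonces and reject reuse (omitted here)."""
    expected = _tag(ch["session"], ch["nonce"], ch["bits"])
    if not hmac.compare_digest(expected, ch["tag"]):
        return False
    return leading_zero_bits(_work(ch["nonce"], counter)) >= ch["bits"]

if __name__ == "__main__":
    for fails in (0, 1, 2):                  # constructed sample sessions
        ch = issue_challenge("demo-session", fails)
        print(fails, ch["bits"], verify(ch, solve(ch)))
```

The asymmetry is the point: verification stays at a single hash while the solver's expected work doubles per added bit, so repeated failures become expensive for automation without the server storing any device identifier.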

Proton’s privacy-first ecosystem

Proton’s security suite keeps growing as new cyber threats arise. It now includes its VPN (ProtonVPN), ProtonMail, Proton Drive, Proton Calendar, and Proton Pass.

Proton CAPTCHA promises to take a privacy-first approach that’s fully GDPR compliant.

It also claims to be the first system ever to support anti-censorship technologies, which can be activated directly from Proton’s website and apps to give users access in places like Russia and Iran, where its services are often blocked.

On this point, Maguire told us: “By developing our own solution, we have built a CAPTCHA that navigates such issues when alternative routing is turned on whilst still working normally for those who don’t need anti-censorship tools.”

This is the most recent tool within Proton’s continuous commitment to users’ online safety and internet freedom. The company assures more innovation will arise in this space as new CAPTCHA threats evolve. Third parties caring for users’ privacy might also be able to use Proton’s system via an API in the future—there are no plans in this direction just yet, though.

“However, we are assessing third party interest in the system,” Maguire told TechRadar. “If we receive a large amount of interest and opening it up makes economic sense, then we would be open to making it available to third parties.”