Proton builds its very own privacy-first CAPTCHA system
The cybersecurity company behind the popular encrypted email and VPN service just unveiled its own secure CAPTCHA service.
Proton CAPTCHA solves problems within existing systems that website providers use to distinguish between genuine login attempts and malicious bots. The new technology claims to never compromise privacy, security and accessibility, while describing itself as ‘the world’s first’ CAPTCHA with built-in censorship-resistant technologies.
This isn’t the first time the company behind ProtonVPN and ProtonMail has gone a step further to protect its customers. For example, just a month ago it launched Proton Sentinel to provide better protection to users at higher risk of cyber attacks.
Fix CAPTCHA issues
CAPTCHA is an abbreviation of ‘Completely Automated Public Turing test to tell Computers and Humans Apart’. There are many CAPTCHA systems available that websites use to protect users from bot and spam attacks. However, Proton was not satisfied with the existing solutions as it felt they were not in line with the company’s values.
“Captchas are an incredibly important tool to protect users from increasingly sophisticated attacks. However, most Captchas do not have privacy at heart and can expose users’ sensitive information to internet giants,” said Eamonn Maguire, Head of Account Security at Proton.
He explained that, in order to function, many CAPTCHAs permanently track the unique identifiers of users’ phones or computers. This allows them to monitor users’ activities across the web and collect more data that can be used to train the company’s own or a third party’s AI system. ChatGPT and similar apps also eliminate the need for regular CAPTCHAs as the software can easily crack the puzzles.
For this reason, and to promote better usability, tech giants like Apple and Cloudflare are switching from the classic CAPTCHA puzzle to alternative mechanisms, such as device performance and telemetry data. Yet for Proton this was still just a patchwork.
“That’s why we developed Proton Captcha, a new system that can skillfully balance security with usability, accessibility and privacy and evolve in tandem with the changing tactics of malicious actors,” said Maguire.
Proton CAPTCHA takes a multi-layered defense approach, which combines a computational proof of work with visual challenges to determine if the login attempt came from a real human. At the time of writing, the latter includes a beam alignment challenge and an intuitive 2D puzzle. The system also provides accessible alternatives for users with visual impairment.
Proton proof of work also differs from other CAPTCHAs that offer something similar, because the system adjusts the difficulty of the task when it registers suspicious behavior. In practical terms, even if a bot can bypass the initial proof of work, after grappling with the visual challenges it will have to deal with increasingly complex calculations.
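A hashcash-style illustration of the adaptive proof of work described above, added here as an example; it is not Proton's code or protocol. The suspicion score, bit counts, token format and all function names are assumptions.

```python
import hashlib, hmac, os, time

SERVER_KEY = os.urandom(32)             # assumption: per-deployment secret
BASE_BITS, MAX_BITS, TTL = 12, 20, 120  # assumed tuning values
_spent = set()                          # nonces already redeemed (replay guard)

def difficulty_for(suspicion):
    """Hypothetical suspicion score (0 = clean) -> required leading zero bits."""
    return min(BASE_BITS + 2 * max(suspicion, 0), MAX_BITS)

def _tag(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_challenge(suspicion, now=None):
    """Server: stateless challenge; the HMAC binds nonce, difficulty and expiry."""
    now = time.time() if now is None else now
    body = f"{os.urandom(16).hex()}:{difficulty_for(suspicion)}:{int(now) + TTL}"
    return {"body": body, "tag": _tag(body)}

def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def _work(body, counter):
    return leading_zero_bits(hashlib.sha256(f"{body}:{counter}".encode()).digest())

def solve(body):
    """Client: brute-force a counter; expected cost doubles per extra bit."""
    bits, counter = int(body.split(":")[1]), 0
    while _work(body, counter) < bits:
        counter += 1
    return counter

def verify(challenge, counter, now=None):
    """Server: one hash to check, however expensive the solve was."""
    body, tag = challenge["body"], challenge["tag"]
    if not hmac.compare_digest(_tag(body), tag):
        return False                    # body altered, e.g. difficulty lowered
    nonce, bits, expires = body.split(":")
    now = time.time() if now is None else now
    if now > int(expires) or nonce in _spent:
        return False                    # stale or replayed solution
    if _work(body, counter) < int(bits):
        return False
    _spent.add(nonce)
    return True
```

Because the difficulty is inside the authenticated token, a client cannot downgrade it, and each failed visual challenge can feed a higher suspicion score into the next `issue_challenge` call.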
Proton’s privacy-first ecosystem
Proton’s security suite continues to grow as new cyber threats emerge. It now includes its VPN (ProtonVPN), ProtonMail, Proton Drive, Proton Calendar and Proton Pass.
Proton CAPTCHA promises to take a privacy-focused approach that is fully GDPR compliant.
It also claims to be the first system ever to support anti-censorship technologies, which can be activated directly from Proton’s website and apps to give users access in places like Russia and Iran, where services are often blocked.
On this point, Maguire told us: “By developing our own solution, we built a CAPTCHA that resolves such issues when alternate routing is enabled, while still working normally for those who don’t need anti-censorship tools.”
This is the latest tool in Proton’s ongoing commitment to users’ online safety and internet freedom. The company assures that more innovation will emerge in this area as new CAPTCHA threats evolve. Third parties that care for user privacy may also be able to use Proton’s system via an API in the future. However, there are no plans in this direction yet.
“However, we are assessing third-party interest in the system,” Maguire told TechRadar. “If we get a lot of interest and opening it up makes economic sense, then we’re open to making it available to third parties.”