Proton, the Swiss company that develops privacy-focused online services such as email, has developed its very own CAPTCHA service to help discern between genuine login attempts and bots — and it touts the new system as the world’s first CAPTCHA that is “censorship resistant.”
The company said it has already been testing its CAPTCHA system for several months, and has now transitioned to its home-grown solution entirely.
“As we investigated available CAPTCHA options, we weren’t satisfied, so we decided to develop our own,” Eamonn Maguire, a former Facebook engineer who now heads up Proton’s machine learning team, wrote in a blog post. “Our primary goal was to provide a system that doesn’t compromise on privacy, usability and accessibility, or security.”
CAPTCHAs, a contrived acronym that stands for the decidedly less-punchy “completely automated public Turing test to tell computers and humans apart,” have long been used on the web to prevent bots from creating multiple accounts with a specific service, or illicitly trying to access someone else’s account through credential stuffing. This is usually presented to the user in the form of a visual or cognitive challenge, one that is relatively easy for a human to complete but difficult for a machine.
CAPTCHAs, while generally effective, come with trade-offs in terms of usability, accessibility, cultural biases, and annoyances that businesses would prefer not to impose on their users. This is why companies such as Apple and Cloudflare have sought ways to tell the difference between humans and bots automatically using alternative mechanisms, such as through device and telemetry data.
And then there is the elephant in the room that is data privacy, with some CAPTCHA services — notably Google’s reCAPTCHA — collecting hardware and software data. And for a company such as Proton, which has built an entire business off the back of privacy-focused tools such as email, a VPN, password manager, cloud storage, and calendar, it doesn’t make a whole heap of sense to compromise its reputation by relying on such third-party services.
However, that is exactly what Proton has done in the past, much to the chagrin of (potential) users who might be looking to steer clear of all things Google. And while there are other alternative CAPTCHA services out there, given Proton’s core raison d’être, it clearly does make sense to develop its own — as resource-intensive as that may be.
Proton CAPTCHA, as its new service is called, includes several notable features designed to bypass some of the limitations of existing CAPTCHA services. For instance, it adopts a multi-pronged approach to displaying CAPTCHAs, mixing computational challenges with visual challenges and displaying the appropriate one depending on the end-user’s device, while also altering the difficulty level if it detects foul play.
“If our CAPTCHA observes a high number of failures on the visual challenges, it’s designed to increase the difficulty level of the proof of work (computational) challenge accordingly,” Maguire wrote. “In this manner, a botnet that can bypass the initial proof of work but struggles with the visual challenges will be met with increasingly complex computations. This escalating difficulty makes the process more costly for the botnet but normal people will be able to pass quickly.”
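The escalation Maguire describes can be sketched with a hashcash-style proof of work, shown here as an added example that is not Proton's code. The article does not say which scheme Proton uses; the SHA-256 leading-zero-bits puzzle, the constants and every function name below are assumptions.

```python
import hashlib
import os
from itertools import count

# Assumed policy values, not Proton's.
BASE_BITS = 8    # baseline difficulty: required leading zero bits
STEP_BITS = 2    # extra bits per failed visual challenge
MAX_BITS = 20    # cap so a legitimate user is never locked out


def difficulty_for(visual_failures):
    """Raise the proof-of-work cost as visual-challenge failures accumulate."""
    return min(BASE_BITS + STEP_BITS * max(visual_failures, 0), MAX_BITS)


def leading_zero_bits(digest):
    """Count the zero bits at the front of a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def issue_challenge():
    """Server side: a fresh random challenge, so solutions cannot be reused."""
    return os.urandom(16)


def verify(challenge, counter, bits):
    """Server side: one hash checks work that took the client ~2**bits hashes."""
    digest = hashlib.sha256(challenge + counter.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= bits


def solve(challenge, bits):
    """Client side: brute-force a counter; returns (counter, hashes_tried)."""
    for attempts, counter in enumerate(count(), start=1):
        if verify(challenge, counter, bits):
            return counter, attempts


if __name__ == "__main__":
    # Constructed scenario: one client failing more and more visual challenges.
    for failures in (0, 2, 4):
        bits = difficulty_for(failures)
        challenge = issue_challenge()
        counter, attempts = solve(challenge, bits)
        print(f"failures={failures} bits={bits} hashes_tried={attempts} "
              f"valid={verify(challenge, counter, bits)}")
```

Each extra bit doubles the expected client work while server-side verification stays at a single hash, which is why the cost falls on the party that keeps failing the visual challenge.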
Proton has also sought to gamify things a little, introducing interactive puzzles replete with animations.
On top of that, it’s also designed to work in countries where censorship might be in place, including Iran and Russia. For this, Proton said that it uses “alternative routing,” a system it developed three years ago for users in “restricted countries” to access its email and VPN services by finding alternative paths to its servers.
“Building our own solution meant that we could resolve current CAPTCHA availability issues for members of the Proton community in countries with restricted internet issues,” Maguire wrote. “Because of our unique needs, Proton CAPTCHA is the world’s first CAPTCHA with censorship resistant technologies built-in.”