
Technical implementation looks like a good use case for this, morals/etc aside -

https://developers.google.com/privacy-sandbox/protections/pr...

Private State Tokens enable trust in a user's authenticity to be conveyed from one context to another, to help sites combat fraud and distinguish bots from real humans—without passive tracking.

An issuer website can issue tokens to the web browser of a user who shows that they're trustworthy, for example through continued account usage, by completing a transaction, or by getting an acceptable reCAPTCHA score. A redeemer website can confirm that a user is not fake by checking if they have tokens from an issuer the redeemer trusts, and then redeeming tokens as necessary. Private State Tokens are encrypted, so it isn't possible to identify an individual or connect trusted and untrusted instances to discover user identity.



Yep - one of those "it's possible but do we want this" situations. Something feels a bit slimy about government-approved browser tokens. Like,

"We're sorry, your revocation appeal is taking longer than expected due to ongoing unrest in your area - please refrain from using internet enabled services like ordering food, texting friends, uploading livestream videos of police, giving legal advice, finding directions to your employer - a nonprofit legal representation service, or contacting high-volume providers like the ACLU. Have a nice day!"

But it could just be "Please execute three pledges of allegiance to unlock pornhub"


you've posted this in a few threads, but i don't think i understand what the scenario it is used in would be?

every user of social media in florida now has to visit a third party (who?) that sets a cookie (private state token?) on their browser that verifies their age?


Correct - ISP requires you to visit Florida.gov (or realistically a company the government trusted to set up verification) to set your token if you’re an adult. Then each social media site checks whether a visitor is from Florida, and then if they have a valid token. If valid, load like normal. If not valid, don’t load the site.


And now the state of Florida has a receipt of every website you ever visit. That will surely never be an issue when the Governor's private law enforcement arm looks through it or the inevitable data leak happens.


The intention of the API is for that to not be possible.

> The privacy of this API relies on that fact: the issuer is unable to correlate its issuances on one site with redemptions on another site. If the issuer gives out N tokens each to M users, and later receives up to N*M requests for redemption on various sites, the issuer can't correlate those redemption requests to any user identity (unless M = 1). It learns only aggregate information about which sites users visit.

https://github.com/WICG/trust-token-api?tab=readme-ov-file#p...


Someone has to hand the browser the token. And that token has to be validated by someone's backend. You now have an issuer with knowledge of who a token belongs to and a visited with a record of where they were. They go over this on that very page:

> (unless M = 1)...

> If the server uses different values for their private keys for different clients, they can de-anonymize clients at redemption time and break the unlinkability property...

> If the issuer is able to use network-level fingerprinting or other side-channels to associate a browser at redemption time with the same browser at token issuance time, privacy is lost.

This is why Mozilla rejects the proposal. We just have to trust issuers to be good and then trust that neither issuers nor websites will "accidentally" log these tokens where a data leak creates a paper trail to real-world identities.
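
An added example, not part of the thread or of the Private State Token specification: a toy RSA blind signature, standing in for the API's real token cryptography, that contrasts the two cases in the README passages quoted above (one issuer key for everyone versus a different key per client). User names, key sizes and helper names are constructed for illustration.

```python
import hashlib
import secrets
from math import gcd

E = 65537  # RSA public exponent

def make_key(p, q):
    # Toy key built from two known Mersenne primes; far too small for real use.
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def h(nonce, n):
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big") % n

def get_token(key):
    """One issuance: client blinds a nonce, issuer signs, client unblinds."""
    n = key["n"]
    nonce = secrets.token_bytes(16)
    r = secrets.randbelow(n - 2) + 2
    while gcd(r, n) != 1:
        r = secrets.randbelow(n - 2) + 2
    blinded = h(nonce, n) * pow(r, E, n) % n   # the only value the issuer sees
    blind_sig = pow(blinded, key["d"], n)      # issuer signs without seeing nonce
    return nonce, blind_sig * pow(r, -1, n) % n  # unblinded (nonce, signature)

def verifies(key, token):
    nonce, sig = token
    return pow(sig, E, key["n"]) == h(nonce, key["n"])

def anonymity_set(key_used_for, token):
    """Users the issuer cannot rule out when `token` is redeemed."""
    return {u for u, k in key_used_for.items() if verifies(k, token)}

# Constructed scenario: three users, keys from the M31/M61/M89 Mersenne primes.
P31, P61, P89 = 2**31 - 1, 2**61 - 1, 2**89 - 1
SHARED = make_key(P61, P31)
HONEST = {u: SHARED for u in ("alice", "bob", "carol")}
PER_CLIENT = {"alice": make_key(P61, P31), "bob": make_key(P89, P31),
              "carol": make_key(P89, P61)}

def bob_anonymity(issuer_keys):
    token = get_token(issuer_keys["bob"])   # bob is issued a token, then redeems it
    return anonymity_set(issuer_keys, token)

if __name__ == "__main__":
    print(bob_anonymity(HONEST))      # alice, bob and carol
    print(bob_anonymity(PER_CLIENT))  # bob only
```

With one shared key the redeemed token is consistent with every user the issuer served; with per-client keys only one key verifies it. In this toy model, a token signed under a per-client key also fails `verifies` against the single key the client expected.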


It would be pretty simple to determine if tokens are unique per person - I agree that for many listed use cases in their documentation it's not amazing, but with specific government oversight and watchdogs for the specific Florida use case I think technically it makes sense. Morally, still not a fan.


would this mean if the issuer experiences an outage you'd be unable to access sites?


Yes. Also if you run out of issued tokens.


I’m not sure tbh



