LGTM1
I think this strikes the right balance between protecting users from
known trackers and the ability to detect fraud and abuse. I'm not sure
that 10% reveal after 24 hours is the magic recipe, but appreciate that
these are configurable such that the team will be able to adapt to
feedback / new information.
aside: I don't think we need to block on TAG review here, but encourage
the team to follow up with the relevant IETF groups to get a broader
review on the design.
On 8/1/25 12:48 p.m., 'Theodore Olsauskas-Warren' via blink-dev wrote:
Thanks for the feedback, Reilly. While the original IP Protection
feature’s TAG review covers some ground on PRTs, you’re right that
it’s possible the TAG may want to weigh in differently on PRTs
specifically as opposed to IP Protection generally. We’ve filed a TAG
request here <https://github.com/w3ctag/design-reviews/issues/1125>.
At the same time, we also recognize that the protocol introduced here
is likely best reviewed in an IETF forum, and would just flag for
reviewers that we do hope to pursue discussions at IETF 124 this fall.
Theo.
On Tuesday, July 29, 2025 at 11:13:10 AM UTC-7 Reilly Grant wrote:
Can you request a separate TAG review for this feature? The TAG's
response to the IP protection review request seemed to be about
standardizing the complete system. However this individual piece
could be adopted by other browsers even if their particular
implementations of a complete IP protection system are
implementation-specific.
Reilly Grant | Software Engineer | rei...@chromium.org | Google
Chrome <https://www.google.com/chrome>
On Mon, Jul 28, 2025 at 1:52 PM 'Theodore Olsauskas-Warren' via
blink-dev <blin...@chromium.org> wrote:
Contact emails
sau...@google.com, las...@google.com, nic...@google.com,
erict...@chromium.org, ryan...@google.com, ayk...@google.com
Explainer
https://github.com/GoogleChrome/ip-protection/blob/main/prt_explainer.md
Specification
https://datatracker.ietf.org/doc/html/draft-pfeiffenberger-prtokens-00
Summary
To enable businesses to estimate the amount of fraud on their
systems, train models to defend against fraud, and analyze
emerging fraudulent behavior while still mitigating the
ability to track users at scale using IP addresses, we propose
the introduction of a delayed IP sampling mechanism called
Probabilistic Reveal Tokens (PRTs) alongside IP Protection for
use in proxied traffic. Chrome plans to launch IP Protection
<https://github.com/GoogleChrome/ip-protection> in incognito
mode later this year.
PRTs will be included on proxied requests in a new HTTP header
added by the browser for domains that indicate they want to
receive them via a signup process. Each PRT contains a
ciphertext, generated by an Issuer and re-randomized by the
browser for unlinkability prior to the request, that the
recipient can decrypt after a delay. Google will be the issuer
for Chrome's implementation. A minority of the decrypted PRTs
contain the client's pre-proxy IP address (i.e. non-masked,
and as observed by the token issuer), while the remaining PRTs
provide no information about the client's original IP address.
This results in only a small percent of PRTs containing and
revealing the user's IP.
Our explainer introduces key tunable parameters
<https://github.com/GoogleChrome/ip-protection/blob/main/prt_explainer.md#tunable-parameters>
for this proposal:
* Reveal rate: the percentage of the time that the tokens
  are revealed
* Epoch and delay period length: the periods after which
  tokens are made available
We will initially set the reveal rate to 10% and the epoch and
delay period lengths to 24 hours each.
Developers that want to receive PRTs will need to request them
at console.privacysandbox.google.com
<https://console.privacysandbox.google.com>. Sign ups will
open when PRTs are available in pre-Stable channels.
Blink component
Privacy>Fingerprinting>IPProtection
<https://issues.chromium.org/issues?q=customfield1222907:%22Privacy%3EFingerprinting%3EIPProtection%22>
TAG review
The IP Protection TAG review, to which this feature is
closely tied, was closed by the TAG as “Resolution: Decline”
(https://github.com/w3ctag/design-reviews/issues/1083)
TAG review status
Resolution Decline
Risks
Interoperability and Compatibility
None
Gecko: No signal
(https://github.com/mozilla/standards-positions/issues/1273)
WebKit: No signal
(https://github.com/WebKit/standards-positions/issues/529)
Web developers: Positive signal from invalid traffic detection
providers, though open questions
<https://github.com/GoogleChrome/ip-protection/issues/81> remain
about the impact on fraud detection with initial parameter
settings. As IP Protection launches, we’ll continue to solicit
feedback.
Other signals:
WebView application risks
Does this intent deprecate or change behavior of existing
APIs, such that it has potentially high risk for Android
WebView-based applications?
None
Debuggability
Attached PRTs are visible in the Chrome DevTools Network panel.
Will this feature be supported on all six Blink
platforms (Windows, Mac, Linux, ChromeOS, Android, and
Android WebView)?
No, supported everywhere IP Protection is supported (no WebView).
Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
No, as there is no browser API for actuating PRTs (only a
header attached as part of IP Protection), we don’t plan to
add any.
DevTrial instructions
https://github.com/explainers-by-googlers/prtoken-reference/blob/main/prt_dev_testing.md
Flag name on about://flags
None
Finch feature name
EnableProbabilisticRevealTokens - Note that there are many
subtleties to enabling this feature, please see DevTrial
instructions for enabling locally.
Rollout plan
Will ship enabled for all users
Requires code in //chrome?
False
Launch bug
https://launch.corp.google.com/launch/4367692
Estimated milestones
Shipping on desktop
140
DevTrial on desktop
138
Shipping on Android
140
DevTrial on Android
138
Anticipated spec changes
None
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/4914046966693888?gate=6289919137546240
--
Theodore Olsauskas-Warren
Software Engineering Manager
sau...@google.com
--
You received this message because you are subscribed to the
Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from
it, send an email to blink-dev+...@chromium.org.
To view this discussion visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CA%2B0Xr79QUTJt7bi443Ax5eMD2z%3DCsqV0o4__0tNvqKbMmLb5fg%40mail.gmail.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CA%2B0Xr79QUTJt7bi443Ax5eMD2z%3DCsqV0o4__0tNvqKbMmLb5fg%40mail.gmail.com?utm_medium=email&utm_source=footer>.
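The issue, re-randomize, delayed-decrypt flow described in the Summary, as an added example that is not part of the thread or of Chrome's code. It assumes textbook ElGamal over a toy group as a stand-in for the re-randomizable scheme (the thread does not name one; the linked draft defines the real scheme), and all function names and the sample IP are constructed.

```python
import ipaddress
import secrets

# Toy parameters (constructed, NOT secure): 2**127 - 1 is prime, 3 is the base.
P = 2**127 - 1
G = 3
NO_SIGNAL = 1  # plaintext meaning "this token reveals nothing"

def keygen():
    x = secrets.randbelow(P - 2) + 1          # issuer's secret key for one epoch
    return x, pow(G, x, P)                    # (secret, public)

def encrypt(m, h):
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), (m * pow(h, r, P)) % P

def issue_token(client_ip, h, reveal_rate):
    """Issuer: embed the pre-proxy IP with probability reveal_rate."""
    reveal = secrets.randbelow(10_000) < reveal_rate * 10_000
    m = int(ipaddress.IPv4Address(client_ip)) + 2 if reveal else NO_SIGNAL
    return encrypt(m, h)

def rerandomize(ct, h):
    """Browser: fresh randomness, same plaintext, no secret key needed."""
    c1, c2 = ct
    s = secrets.randbelow(P - 2) + 1
    return (c1 * pow(G, s, P)) % P, (c2 * pow(h, s, P)) % P

def decrypt(ct, x):
    """Recipient, once the epoch key x is available after the delay."""
    c1, c2 = ct
    m = (c2 * pow(c1, -x, P)) % P
    return None if m == NO_SIGNAL else str(ipaddress.IPv4Address(m - 2))

def demo(n=1000, reveal_rate=0.10, ip="203.0.113.7"):
    x, h = keygen()
    issued = [issue_token(ip, h, reveal_rate) for _ in range(n)]
    sent = [rerandomize(ct, h) for ct in issued]      # what the site receives
    linkable = sum(a == b for a, b in zip(issued, sent))
    revealed = sum(decrypt(ct, x) == ip for ct in sent)
    return linkable, revealed   # (tokens byte-identical to issued, tokens with IP)

if __name__ == "__main__":
    print(demo())
```

With the default 10% rate, roughly a tenth of the tokens decrypt to the IP and none of the forwarded ciphertexts match what the issuer handed out.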