Fighting fraud and spam is critical to maintaining a healthy and safe online ecosystem for users, publishers and advertisers. Access to IP addresses play a critical role in accomplishing this, to prevent fraudulent commercial transactions and spam at scale.
Internet proxies provide users with increased anonymity online, but can also help attackers conceal activities such as denial-of-service (DOS) attacks. IP Protection will implement features to decrease the risk of proxies being used by potential attackers.
Probabilistic Reveal Tokens
Probabilistic Reveal Tokens (PRT) allow delayed access to a random sample of IP addresses. This provides an additional mechanism to ensure businesses can monitor levels of fraud on their systems and respond to emerging fraudulent behavior. PRTs will be included on proxied requests in an HTTP header added by Chrome for domains that enable them.
A PRT can, after a delay, be decrypted using a key issued by Google and will contain the non-proxy IP in a small percent of tokens issued. The delay ensures a user's original IP address cannot be used for tracking activities in real-time.
The Probabilistic Reveal Tokens explainer provides more detail.
Rate-limiting access to the proxies
IP Protection uses client authentication to limit the ability of bad actors to leverage the proxies to amplify attacks on services in the Masked Domain List. Therefore, IP Protection is only available to users that have signed into Chrome with their Google Account prior to opening a new Incognito window.
Chrome employs an RSA blind signature scheme for client authentication. This design is intended to prevent the proxies from linking the traffic they're handling to a user's account.
Limiting issuance of authentication tokens
There is a maximum quota of tokens issued per user per day and tokens are relatively short-lived. Additionally, proxies limit how much network traffic can be generated per token.
IP Protection aims to provide most users with a sufficient number of tokens to proxy all their traffic to domains in the MDL. In practice, this means that users with average traffic patterns will likely get enough tokens to have their IP be masked every time, but users with unusually high activity or users who show other indicators of fraud risk may experience limited access.
In the event a user has no tokens, the requests to domains in the MDL will be routed directly, without proxying. Token quotas may change over time in response to reported or observed patterns of fraudulent activity.
Reporting of fraudulent behavior
In addition to preventative measures, we provide a way for websites to report DoS or other fraudulent behavior by contacting us using ip-protection-abuse-report@google.com. Chrome will evolve tactics as necessary to limit fraud and spam through the IP proxies, as new threats emerge.
Engage and share feedback
If you have any feedback, we'd love to hear it.
- GitHub: Read the explainer or raise questions and participate in discussion.
- Developer support: Ask questions and join discussions on the Privacy Sandbox Developer Support repository.