Doubling Down on Privacy

Co-founder and former CTO of Coil

Coil's extension is with you wherever you go on the web. The extension looks for sites where Web Monetization is enabled, and tells Coil to send micropayments. The whole process happens without requiring any user interaction.

Extensions like Coil's are powerful, and with great power comes great responsibility. At Coil, we take this responsibility very seriously. We want to make sure that use of our extension doesn't expose any sensitive data, not even to us.

In our most recent effort on the privacy front, we've deployed a new feature called "sender-side privacy" which uses the cryptographic protocol from Privacy Pass to further protect your browsing history. The feature is included in version 0.0.49 of the Coil extension.

But before we get into that I want to give you a crash course on Coil's existing privacy features, before this update.

Header image by Mikel Ibarluzea on Unsplash

Wallet-side privacy

When we started building Web Monetization, we were hit with a problem: How do we pay all the sites that a user is visiting without Coil learning the user's browsing history?

It might seem impossible; how do you pay someone without knowing who they are?

To solve this problem, we use a scheme called "wallet-side privacy." Wallet-side privacy is implemented by Interledger-capable wallets to shield browsing history from Coil.

Wallet-side privacy works by only exposing essential routing information to Coil. Sensitive information like the identity of the receiver is encrypted so it's known only to the wallet. This prevents Coil from learning which sites you visited based on who you're sending micropayments to.

It's easier to understand with an example. Let's say that I'm visiting catpictures.example (a made-up web monetized site), which uses the wallet provider ExampleWallet.

Without wallet-side privacy, I might send micropayments to an Interledger address that looks like g.examplewallet.catpictures. That isn't very good--Coil can guess just from that address that I'm visiting catpictures.example.

With wallet-side privacy enabled, my Coil extension asks ExampleWallet to provide a new Interledger address each time I visit catpictures.example. ExampleWallet will return an encrypted address, which looks like g.examplewallet.8d6f329bbd0d14e5.

Coil can see that the address is for ExampleWallet, but Coil can't see who it's for on ExampleWallet. There could be hundreds or thousands of sites using ExampleWallet, and so it's not very useful for learning my browsing history.

ExampleWallet, on the other hand, can decrypt that address and make sure the money goes to catpictures.example.

ExampleWallet doesn't know my identity, they only see that there are micropayments coming in from Coil. So ExampleWallet can't determine my browsing history either.

Where does wallet-side privacy fall short?

The problem with wallet-side privacy is in its name: It's up to the wallet to protect users' browsing history.

When we only have a few wallets, it's fine. Coil has spoken to every wallet provider and ensured they're implementing wallet-side privacy correctly. But what about when we have more wallets?

If one of the wallet providers made a mistake and didn't encrypt their Interledger addresses, it would leak browsing history to Coil. Or if there were many smaller wallet providers with fewer users, Coil could guess at what site you're browsing.

In any of these failure cases the user's identity will not leak to the wallet. But these are still risks we don't want to take when it comes to sensitive data like browsing history.

Sender-side privacy

To address these risks, we don't just hide the site's URL from our servers. We also hide the user's identity. We'll call this "sender-side privacy."

Sender-side privacy vs. wallet-side privacy

The difference may not be obvious, so let's go over an example. Below is the information Coil learns under sender-side privacy and wallet-side privacy when our example user "Alice" visits "catpictures.example"

• If no privacy scheme is used, Coil learns Alice is visiting catpictures.example

• If wallet-side privacy is used alone, Coil learns Alice is visiting a site which uses ExampleWallet as its wallet.

• If sender-side privacy is used alone, Coil learns an unknown user is visiting catpictures.example.

• With the two used together, Coil learns that an unknown user is visiting some site which uses ExampleWallet as its wallet.

Now that sender-side privacy and wallet-side privacy are both available, they're combined to provide multiple layers of privacy. Even in the case of a failure in wallet-side privacy (as described in the previous section) sender-side privacy prevents your browsing history from leaking.

How does sender-side privacy work?

"Hiding the user's identity from Coil" sounds like another impossible problem: Coil must know who you are in order to let you use the service. If we don't know who you are, how do we know if you're a paying member? How can you use Web Monetization at all?

It turns out we don't need to know who you are; we only need to know whether you're a member authorized to use Web Monetization.

Fortunately for us, some very smart people have come up with schemes that let you learn whether a user is authorized without revealing the user's identity. In implementing sender-side privacy, we looked to Privacy Pass for reference.

Privacy Pass protocol

Privacy Pass is a cryptographic scheme and browser extension which comes out of Cloudflare. They use this scheme to let people quickly bypass Cloudflare's captchas without Cloudflare learning their browsing history.

Privacy Pass has two stages: issue and redeem.

In the "issue" stage, you solve a captcha for Cloudflare. This proves to them that you're a real human. Cloudflare issues you several digital signatures that say, "I'm a real human."

In the "redeem" stage, you visit a site which is protected by a Cloudflare captcha. Instead of making you solve the captcha, the Privacy Pass extension redeems one of these "I'm a real human" signatures. Cloudflare verifies the signature and lets you bypass the captcha.

You might notice the problem here. Doesn't Cloudflare remember the signatures they issued to you? If you redeem those signatures on 30 different sites won't Cloudflare know which sites you visited?

This problem is called "linkability." Because the signatures given to you by Cloudflare are the same between the issue and redeem steps, they can be used like tracking IDs to learn your browsing habits.

Privacy Pass addresses linkability by using blind signatures. With a blind signature scheme, you use a "blinding factor" to turn the signature that you've been issued into an unrecognizable (but still valid) signature before redeeming it.

This "blinding" makes the signature unusable as a tracking ID, solving the linkability problem. With linkability solved, the Privacy Pass protocol is both secure and private.

Sender-side privacy in Coil

The cryptographic scheme used for Coil's sender-side privacy is the same as the one used by Privacy Pass.

When the extension is started, Coil issues it several signatures that say, "I'm a Coil subscriber."

When the extension loads a site, it redeems the blinded "I'm a Coil subscriber" signatures. Coil verifies the signatures and starts sending Web Monetization micropayments to the site.

Coil doesn't learn which user triggered the Web Monetization micropayments, because you're using blind signatures. These blind signatures are used for a minute or less, so Coil can't build up a short-term profile of you. It's like you're constantly changing disguises.

What's next?

Sender-side privacy combines with wallet-side privacy to create a strong privacy model, but we're still working on additional ways that Coil users can increase their privacy.

Even with sender-side privacy, we want to fight side-channels like timing attacks or browser fingerprinting that could threaten to link a user's browsing habits back to them.

In order to neutralize these threats, Coil collects as little information as possible and strips IP address information and fingerprintable headers like user-agent at the CDN level via a Cloudflare worker. We're working on schemes to improve this protection further.

The Coil extension is already compatible with privacy-focused browsers like Puma, Firefox, and Brave. Next, we're working on making it compatible with the Tor browser for users who want to take extra steps to protect their privacy while they browse. You can read more about that project here.

Further reading

In this article I've tried to explain our privacy model to people who aren't cryptographers, but some readers will want to dive deeper into the technical details.

The best resource for learning more about the Privacy Pass scheme (also used by Coil) is through this document written by the Privacy Pass team. If you want to understand the math behind blind signatures, the Wikipedia article does a pretty good job at explaining it. (The Wikipedia article mainly discusses RSA blind signatures which are conceptually similar but subtly different from the elliptic-curve blind signatures used by Privacy Pass or Coil).

The Coil extension is open source. If you want to see Coil's code for the sender-side privacy scheme based on Privacy Pass, it's kept here. The cryptography is taken from Cloudflare's own implementation.