Cloudflare teams up with Chrome, Edge, and Firefox to tackle bot traffic without CAPTCHAs

midian182

In brief: Cloudflare is working with the makers of Chrome, Edge, and Firefox on a new way for websites to tell whether incoming traffic is legitimate – without resorting to the usual mix of CAPTCHAs, logins, and extra tracking. The system is called Private Access Control Tokens, or PACT, and it arrives at a time when bots have surpassed human traffic online.

Cloudflare says it's developing the protocol with Mozilla, Google, Microsoft, and Shopify, with the group planning to submit it for standardization.

The basic idea is that sites with strong knowledge of "personhood" can issue anonymous tokens. A user's browser can then present those tokens elsewhere as proof that a human is involved, or that an automated agent is acting on behalf of one, without revealing the person's identity or browsing history.

As The Register notes, PACT can be thought of as a reusable, privacy-preserving CAPTCHA result, except the question is not simply whether the visitor is human. It is whether the traffic should be welcomed.

In theory, that means a website gets a useful signal without learning who the user is, which other sites they have visited, or who has already vouched for them.
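The issue-and-redeem pattern described above, as an added example that is not code from Cloudflare, the browser vendors, or the PACT proposal: the page gives no cryptographic details, so this assumes the classic RSA blind-signature construction used by Privacy Pass-style token schemes. An issuer signs a value it cannot read, the browser unblinds the result into a token, and any site holding the issuer's public key can verify it offline; the issuer's own log never contains the token it later sees redeemed. The `Issuer`, `client_issue_token` and `verify_token` names and the 512-bit toy keys (far too small for real use) are this example's own choices.

```python
"""RSA blind-signature token flow (Chaum), as an illustration of the
anonymous issue/redeem pattern: the issuer signs a blinded value, the
client unblinds it, a relying site verifies with the public key only.

Assumptions (not from the page): PACT's real construction is unknown
here; this is the generic Privacy-Pass-style pattern with toy 512-bit
keys so it runs quickly offline. Do not use these key sizes for anything real.
"""
import hashlib
import math
import secrets

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test with trial division first."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd prime with the top bit set, so p*q has the intended size."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


class Issuer:
    """The party with 'strong knowledge of personhood'. It holds the private
    key and only ever sees blinded values, which it logs in `seen`."""

    def __init__(self, bits: int = 512, e: int = 65537):
        while True:
            p, q = random_prime(bits // 2), random_prime(bits // 2)
            phi = (p - 1) * (q - 1)
            if p != q and phi % e != 0:
                break
        self.n, self.e = p * q, e
        self._d = pow(e, -1, phi)
        self.seen = []  # everything the issuer could record per issuance

    def public_key(self):
        return self.n, self.e

    def sign_blinded(self, blinded: int) -> int:
        self.seen.append(blinded)
        return pow(blinded, self._d, self.n)


def hash_to_int(msg: bytes, n: int) -> int:
    # SHA-256 as an integer; with a 512-bit n the reduction is a no-op.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def client_issue_token(issuer: Issuer):
    """Browser side: random token, blind it, get it signed, unblind."""
    n, e = issuer.public_key()
    token = secrets.token_bytes(32)
    h = hash_to_int(token, n)
    while True:  # blinding factor must be invertible mod n
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            break
    blinded = (h * pow(r, e, n)) % n
    blinded_sig = issuer.sign_blinded(blinded)
    sig = (blinded_sig * pow(r, -1, n)) % n  # h^d mod n
    return token, sig


def verify_token(pubkey, token: bytes, sig: int) -> bool:
    """Relying site: public key only, no round trip to the issuer."""
    n, e = pubkey
    return pow(sig, e, n) == hash_to_int(token, n)


def issuer_can_link(issuer: Issuer, token: bytes, sig: int) -> bool:
    """Does the issuer's log contain the redeemed token hash or signature?"""
    n, _ = issuer.public_key()
    h = hash_to_int(token, n)
    return any(b in (h, sig) for b in issuer.seen)


if __name__ == "__main__":
    issuer = Issuer()
    tok, sig = client_issue_token(issuer)
    print("valid:", verify_token(issuer.public_key(), tok, sig))
    print("issuer can link:", issuer_can_link(issuer, tok, sig))
    print("forged token:", verify_token(issuer.public_key(), b"forged", sig))
```

The relying site learns only that a valid issuer signed something, which is the signal the article describes; what it does not get is the issuer's view, and the issuer's log holds only blinded values that it cannot match to the redeemed token without the client's random factor `r`. A real deployment also needs the parts this toy omits: a full-domain hash, a redemption cache so one token is not replayed, and key rotation.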

Earlier this month, Cloudflare CEO Matthew Prince said bots now make up around 56% of all internet traffic, with the figure reaching as high as 62% during one week. He previously expected bots to overtake humans near the end of 2027, only for the crossover to arrive sooner.

The rise of AI agents is a big part of the problem. Traditional bot defenses were built for search crawlers, spam networks, credential stuffing, and other obvious automated abuse. But newer agents can browse pages, compare products, fill out forms, and carry out tasks on behalf of real users, making them harder to classify with older tools.

"As AI-powered traffic becomes widespread, existing tools to support its use are too generic and coarse," said Dane Knecht, CTO of Cloudflare. "Now this collaboration lets us eliminate the friction caused by security protocols for every visitor – whether they are human or agent – without sacrificing privacy."

PACT is meant to offer something more nuanced than blocking anything that looks automated. The GitHub proposal describes use cases such as frictionless challenges, private access control, and local browser AI agents operating under a user's supervision. It also stresses that the system should not exclude particular devices or browsers, nor reveal information about the user.

There are still plenty of unanswered questions about the technical details. It's not yet clear what "strong knowledge of personhood" will mean in practice, especially when the term can extend to software authorized to act for a person. The criteria could make some browsers or requests less likely to receive a token, even if the goal is not to lock out particular hardware, platforms, or user agents.

This still won't defeat browsers controlled by remote control extensions like Selenium. Specifically, there's a tool called Undetected ChromeDriver that modifies the browser binary so a Selenium-controlled browser doesn't add signals that it's being controlled by a bot like a vanilla browser might. These tokens may add some overhead to show "personhood" with a limited set of emails, phone numbers, and more, but I think bot makers already consider that to establish a good digital trail.
 
So much of this garbage was invented to solve problems introduced by previous garbage in a highly profitable way. A controlled problem is more advantageous than a final solution when you're the one selling.
 
I wouldn't trust this at all. Cloudflare has been successfully bullied into dropping and censoring sites before.
 
Hmmm, sounds good in practice, especially compared to Google's atrocious new practice of needing a phone to verify someone is not a bot via Google Play Services or an iPhone (so if you want to be outside of either of those walled gardens, and/or not be identified by Google, you're screwed), but I'd still want to dive through it with a fine-tooth comb to see if it actually works as detailed and won't just be another useless option like Do Not Track, and won't just be used to plunder more info for advertising or AI training (again, Google does this aplenty with their CAPTCHAs; Cloudflare's current CAPTCHA system seems to be less intrusive at least).
 