Cloudflare and browsers create privacy-respecting anti-bot protocol

Private Access Control Tokens will replace CAPTCHAs and forced logins with anonymous tokens issued by browsers, improving security and user experience without tracking.

June 23, 2026 · 4 min read

TL;DR: Cloudflare and major browsers propose a protocol that issues anonymous tokens to prove you are human, eliminating CAPTCHAs and preserving privacy.

What happened?

Cloudflare has announced a joint initiative with major browsers — Google Chrome, Mozilla Firefox, and Microsoft Edge — to develop a new internet protocol called Private Access Control Tokens (PACT). This protocol allows verifying whether web traffic is legitimate (human) without tracking users. Instead of displaying CAPTCHAs or requiring logins, browsers will issue anonymous tokens that prove the visitor is human, preserving their privacy.

The proposal, published in the IETF repository as a draft, is based on the Privacy Pass standard (RFC 9577) and uses public-key cryptography. Tokens are generated locally by the browser after evaluating behavioral signals, browsing history, or previous interactions, and are signed by a trusted issuer (e.g., Cloudflare) without the issuer knowing the user's identity. The receiving website can validate the token without needing to track the visitor.

According to Cloudflare's announcement, the initiative aims to address the growing problem of automated traffic: more than 40% of all current web traffic is generated by bots, according to the company's own data. Traditional CAPTCHAs, which started as a simple solution, have become increasingly complex and frustrating, with resolution times that can exceed 30 seconds in some cases. Additionally, login-based verification systems force users to register on sites they may only visit once, reducing conversion and increasing friction.

Why is it important?

CAPTCHAs and login-based verification systems are a constant source of friction for users and an accessibility challenge. Moreover, many of these systems rely on tracking techniques such as fingerprinting or third-party cookies, compromising privacy. PACT eliminates that need: the browser locally determines that the user is human (based on behavior, browsing history, or previous interactions) and issues a signed cryptographic token that the website can validate without knowing the user's identity.

The importance of PACT lies in its potential to resolve the dilemma between security and privacy. Until now, anti-abuse solutions relied on collecting user data, such as browser fingerprints or browsing history, raising regulatory concerns under GDPR and other privacy laws. PACT proposes a different approach: verification happens on the user's device, and the resulting token is anonymous and non-transferable. This could pave the way for a web where human verification does not require sacrificing privacy, as a Cloudflare spokesperson noted in a statement reported by The Next Web.

Additionally, PACT addresses an accessibility issue: visual or auditory CAPTCHAs are difficult for people with visual or hearing impairments. By eliminating the need to interact with these challenges, PACT makes the web more inclusive.

What consequences will it have?

  • For users: smoother browsing, no CAPTCHAs or unnecessary login screens, and greater privacy by not sharing data with third parties. PACT tokens are stored locally and can be used across multiple sites without those sites being able to correlate user activity.
  • For websites: reduced bot traffic without relying on intrusive solutions, improving conversion rates and user experience. Sites can implement PACT as a complement or replacement for CAPTCHAs, reducing operational costs associated with manual verification or third-party services.
  • For the industry: an open standard that could be adopted by other browsers and security providers, changing how automated abuse is combated. Companies like Apple (Safari) and Brave have also shown interest in similar technologies, suggesting that PACT could become a de facto standard if it gains sufficient adoption.

However, challenges exist. PACT's effectiveness against sophisticated bots using artificial intelligence to mimic human behavior remains to be proven. Additionally, reliance on a token issuer (like Cloudflare) raises questions about centralization: if a single actor controls issuance, it could become a single point of failure or control. Cloudflare has stated that the protocol is open and any entity could act as an issuer, but in practice, the necessary infrastructure could limit competition.

What should readers know?

PACT is still in the proposal phase and requires implementation in browsers and Cloudflare's infrastructure. Pilot tests are expected in the coming months, possibly integrated into Cloudflare Turnstile, its CAPTCHA alternative. The protocol is based on Privacy Pass, an IETF standard, and uses public-key cryptography to ensure tokens cannot be linked to a specific user. Although promising, its effectiveness against sophisticated bots (such as those using artificial intelligence) remains to be proven.

It is important to note that PACT is not the only initiative in this space. Apple has already implemented Private Access Tokens in iOS 16 and macOS Ventura, though limited to its ecosystem. Google, on the other hand, has proposed Web Environment Integrity, a more controversial approach criticized for potentially giving too much control to browsers. PACT differs by being open and collaborative, with multiple stakeholders involved from the start.

For readers, the recommendation is to stay informed about the progress of the specification in the IETF and the pilot tests. If PACT is widely adopted, it could mean the end of CAPTCHAs as we know them, but it will also require users to trust that browsers and issuers do not abuse the system. Transparency in code and independent auditing will be key to building that trust.

“This is an important step toward a web where human verification does not require sacrificing privacy,” a Cloudflare spokesperson said in an interview with The Next Web.