Cloudflare joins Chrome, Firefox, and Edge in the first anti-bot privacy protocol
The TL;DR
Cloudflare, Mozilla, Google, Microsoft, and Shopify created PACT, the first privacy protocol to verify the legitimacy of web traffic.
Cloudflare announced a joint initiative with Mozilla Firefox, Google Chrome, and Microsoft Edge to develop a new Internet protocol that ensures web traffic is legitimate without tracking users. The protocol, called Private Access Control Tokens, is designed to replace CAPTCHA and forced logins with anonymous tokens that prove the visitor is a human or an authorized bot. Shopify has developed the technology and the team plans to submit it for formalization.
The announcement comes as bot traffic has officially surpassed human activity online. Cloudflare Radar data shows automated systems now handle about 58 percent of HTTP requests for web content worldwide, versus 42 percent for humans. Cloudflare CEO Matthew Prince shared the milestone on June 3, noting that AI programs browsing on behalf of assistants such as ChatGPT and Gemini had accelerated the crossover about 18 months ahead of his earlier predictions.
PACT works by allowing websites with strong visitor identity information to issue anonymous tokens. The user’s browser stores the token and can present it to other websites as proof that the real person is behind the session, reducing the need for repeated identity checks. The protocol is designed so that the token can be used to track users or reconstruct their browsing history.
TNW City Coworking Space – Where your best work happens
A workplace designed for growth, collaboration, and endless networking opportunities at the heart of technology.
“The way we interact with the Internet is undergoing significant change,Cloudflare CTO Dane Knecht said in the announcement.As AI-powered traffic increases, the tools available to support its use are more general and crude.” He said that the cooperation will eliminate the tension created by security regulations for every guest, whether it is a person or an agent, without sacrificing privacy.
The measure is not intended to block all automated traffic. Cloudflare has also embraced agent AI, cutting 1,100 jobs earlier this year after announcing that AI agents are now doing work that was previously done by humans. For most AI agents there is still a human somewhere in the loop who has a legitimate reason to access a website.
PACT is intended to separate those authorized agents from malicious scrapers and abusive bots, not to shut down automation altogether.
Browser makers have put effort into the open web. Bobby Holley, CTO of Firefox at Mozilla, said “an avalanche of automated traffic” has been pushing sites toward stronger security such as paywalls, identity checks, and aggressive tracking. Erik Anderson, director of web platform engineering at Microsoft Edge, called effective privacy tools essential to combat abuse without unnecessary user conflict.
Shopify’s engagement reflects the marketing stakes. Ilya Grigorik, a prominent engineer at the company, said that every additional challenge or false claim in ecommerce can make shopping an abandoned cart. Private browser fingerprinting and extension scanning have emerged as automated tools for platforms trying to identify users, a practice that privacy advocates and regulators have pushed back against.
PACT will provide a standardized alternative that does not require harvesting device features or tracking browsing behavior.
The protocol builds on previous work in the same space. Apple already uses a related system called Privacy Pass, which works with a secure device enclave to prove a user’s identity, and Cloudflare uses Privacy Pass as a signal in its bot management products. The IETF published the Privacy Pass Architecture as RFC 9576, and PACT extends that foundation with broader browser support and a focus on the agency’s traffic AI that has reshaped the web’s architecture over the past year.
No shipping timeline has been announced. Our partners are committed to developing the protocol and submitting it for standardization, but turning the specification into something that works across billions of browser sessions will take time. Users are already moving away from platforms that place AI features without permission, and the question of how to manage automated traffic without alienating human visitors is becoming more urgent by the quarter.
Whether PACT arrives quickly enough to matter depends on how quickly the standards process moves and how willing websites are to accept a system that, by design, gives them less data about their visitors than most.
