Cloudflare collaborates with Chrome, Firefox, and Edge to create a privacy-focused anti-bot protocol.

      **TL;DR:** Cloudflare, Mozilla, Google, Microsoft, and Shopify are collaborating on PACT, a privacy-focused protocol aimed at verifying the legitimacy of web traffic.

      Cloudflare has revealed a partnership with Mozilla Firefox, Google Chrome, and Microsoft Edge to create a new internet protocol that ensures web traffic legitimacy while maintaining user privacy. This protocol, named Private Access Control Tokens, aims to replace CAPTCHAs and mandatory logins with anonymous tokens that validate whether a user is a human or an approved bot. Shopify has co-developed this technology, and the team intends to pursue formal standardisation.

      This announcement coincides with the fact that bot traffic has surpassed human activity online. According to Cloudflare Radar, automated systems now represent around 58 percent of global HTTP requests, compared to 42 percent from humans. Cloudflare CEO Matthew Prince highlighted this tipping point on June 3, noting that AI programs operating on behalf of services like ChatGPT and Gemini hastened the change by approximately 18 months ahead of previous expectations.

      PACT functions by enabling websites with a strong understanding of a visitor’s identity to generate anonymous tokens. These tokens are stored in the user's browser, which can then present them to different websites as verification that a real person is engaged in the session, minimizing the need for repeated identity verification. The protocol is built to ensure that the tokens cannot be employed to track users or reconstruct their browsing histories.

      “The way we interact with the Internet is undergoing a fundamental transformation,” stated Cloudflare CTO Dane Knecht in the announcement. “As AI-driven traffic becomes commonplace, existing tools to manage its usage are too generalized and imprecise.” He noted that this collaboration would reduce the obstacles presented by security measures for all users, regardless of whether they are human or AI agents, while still protecting privacy.

      The initiative does not intend to block all automated traffic. Cloudflare has adopted agentic AI, having reduced its workforce by 1,100 positions this year, as AI agents now perform tasks once handled by humans. Many AI agents still have a human in the loop who has a legitimate reason to access a website.

      PACT aims to differentiate between authorized agents and harmful scrapers or abuse bots, rather than entirely eliminating automation.

      The browser developers emphasized the importance of this initiative for the open web. Bobby Holley, Mozilla's CTO for Firefox, mentioned that a rise in automated traffic was pushing websites toward blunt defenses like paywalls, identity verification, and invasive tracking. Erik Anderson, Microsoft Edge's director of engineering for the web platform, stressed that effective privacy-preserving solutions are crucial for countering abuse while minimizing inconvenience for users.

      Shopify's involvement highlights the business implications. Ilya Grigorik, a distinguished engineer at the company, pointed out that even minor obstacles or false positives in e-commerce can lead to abandoned purchases. Covert browser fingerprinting and extension scanning have become common strategies for platforms attempting to identify users, practices which privacy advocates and regulators have challenged.

      PACT could provide a standardized alternative that avoids the collection of device details or tracking browsing patterns.

      The protocol is based on prior developments in this area. Apple has already implemented a similar system called Privacy Pass, which utilizes a device's secure enclave to verify a user’s identity, and Cloudflare incorporates Privacy Pass into its bot management solutions. The IETF has published the Privacy Pass Architecture as RFC 9576, and PACT aims to broaden support across browsers with a focus on the agentic AI traffic that has altered the web landscape over the past year.

      No timeline for deployment has been specified. The partners are dedicated to advancing the protocol and seeking standardisation, but translating a specification into a functional system that operates across billions of browser sessions will require considerable time. Users are increasingly moving away from platforms that impose AI features without their consent, and the challenge of managing automated traffic while not alienating human visitors is becoming increasingly pressing.

      The effectiveness of PACT will depend on how quickly the standards process progresses and how willing websites are to implement a system that, by its nature, provides them with less data about their users.