Cloudflare collaborates with Chrome, Firefox, and Edge to develop a privacy-centered anti-bot protocol.

      Cloudflare, Mozilla, Google, Microsoft, and Shopify are collaborating on PACT, a protocol prioritizing privacy to authenticate the legitimacy of web traffic. Cloudflare has introduced a joint effort with Mozilla Firefox, Google Chrome, and Microsoft Edge to create a new internet protocol that ensures web traffic is legitimate without tracking users. Named Private Access Control Tokens, this protocol aims to replace CAPTCHAs and mandatory logins with anonymous tokens that confirm whether a visitor is a human or a permitted bot. Shopify has participated in developing this technology, and the group intends to propose it for formal standardization.

      This announcement comes as bot traffic has surpassed human activity online. Data from Cloudflare Radar indicates that automated systems now constitute about 58 percent of HTTP requests to web content globally, compared to 42 percent from human users. Cloudflare CEO Matthew Prince noted this milestone on June 3 and remarked that AI programs, browsing on behalf of assistants like ChatGPT and Gemini, have sped up this trend by approximately 18 months earlier than he had predicted.

      PACT enables websites that have a strong understanding of a visitor’s identity to issue anonymous tokens. A user's browser keeps the token and can present it to other sites, demonstrating that a genuine person is behind the session, thus decreasing the need for repeated identity verification. The protocol is crafted so that the token cannot track users or reconstruct their browsing history.

      “The way we interact with the Internet is undergoing a fundamental transformation,” said Cloudflare CTO Dane Knecht in the announcement. He noted that as AI-driven traffic becomes more prevalent, existing tools are too broad and simplistic. He expressed that this collaboration aims to remove the friction caused by security protocols for every visitor—human or AI—while still maintaining privacy.

      The initiative does not seek to block all automated traffic. Cloudflare has also integrated agentic AI, having reduced its workforce by 1,100 jobs this year after indicating that AI agents are fulfilling tasks previously handled by humans. Many AI agents still have a human interceding who has a valid reason to access a website.

      PACT is designed to differentiate between authorized agents and harmful scrapers or abusive bots rather than eliminating automation altogether.

      The browser developers emphasized the importance of this project for the open web. Bobby Holley, Mozilla’s CTO for Firefox, stated that an "avalanche of automated traffic" is pushing websites towards blunt defenses like paywalls, identity checks, and intrusive tracking. Erik Anderson, director of engineering at Microsoft Edge, described effective privacy-preserving tools as essential to addressing abuse without unnecessary complications for users.

      Shopify’s involvement highlights the economic implications. Ilya Grigorik, a distinguished engineer at the company, mentioned that any additional challenge or false positive in e-commerce could lead to a completed purchase becoming an abandoned cart. Covert browser fingerprinting and extension scanning are becoming the standard methods for platforms trying to identify users, practices that privacy advocates and regulators have opposed.

      PACT aims to provide a standardized option that does not involve collecting device characteristics or tracking browsing activity.

      The protocol builds on prior developments in this field. Apple has implemented a related system named Privacy Pass, which works with a device’s secure enclave to validate a user’s identity, and Cloudflare utilizes Privacy Pass as a signal in its bot management offerings. The IETF has published the Privacy Pass Architecture as RFC 9576, and PACT builds on that structure to enhance browser support and focus on the agentic AI traffic that has changed the web's dynamics over the last year.

      No timeline for deployment has been set. The partners are committed to refining the protocol and submitting it for standardization, but transforming a specification into something functional across billions of browser sessions will require time. Users are increasingly leaving platforms that deploy AI features without their consent, prompting the urgent need to manage automated traffic without alienating human users.

      Whether PACT can be implemented in time to be effective hinges on the speed of the standards process and the willingness of websites to adopt a system that, by design, provides them with less data about their visitors rather than more.