Cloudflare teams with Chrome, Firefox, and Edge on privacy-first protocol as bots overtake humans

Cloudflare teams up with Chrome, Firefox, and Edge on a privacy-first anti-bot protocol

Cloudflare, Mozilla, Google, Microsoft, and Shopify are building PACT, a privacy-first protocol to verify web traffic legitimacy. Cloudflare has announced a joint initiative with Mozilla Firefox, Google Chrome, and Microsoft Edge to develop a new internet protocol that verifies whether web traffic is legitimate without tracking users. The protocol, called Private Access Control Tokens, is designed to replace CAPTCHAs and forced logins with anonymous tokens that prove a visitor is human or an authorised bot. Shopify co-developed the technology and the group plans to submit it for formal standardisation. The announcement comes as bot traffic has officially overtaken human activity online. Cloudflare Radar data shows automated systems now account for roughly 58 percent of HTTP requests to web content worldwide, against 42 percent from people. Cloudflare CEO Matthew Prince shared the milestone on June 3, noting that agentic AI programs browsing on behalf of assistants like ChatGPT and Gemini had accelerated the crossover by about 18 months ahead of his earlier predictions. PACT works by allowing websites with strong knowledge of a visitor's identity to issue anonymous tokens. A user's browser stores the token and can present it to other websites as proof that a real person is behind the session, reducing the need for repeated identity checks. The protocol is designed so that the token cannot be used to track users or reconstruct their browsing history. "The way we interact with the Internet is facing a fundamental shift," Cloudflare CTO Dane Knecht said in the announcement. "As AI-powered traffic becomes widespread, existing tools to support its use are too generic and coarse." He said the collaboration would eliminate the friction caused by security protocols for every visitor, whether human or agent, without sacrificing privacy. The initiative does not aim to block all automated traffic. Cloudflare has itself embraced agentic AI, cutting 1,100 jobs earlier this year after declaring that AI agents now perform work previously done by humans. For many AI agents there is still a human somewhere in the loop with a legitimate reason to access a website. PACT is meant to distinguish those authorised agents from malicious scrapers and abuse bots, not to shut down automation entirely. The browser makers framed the effort as essential to the open web. Bobby Holley, CTO for Firefox at Mozilla, said an "avalanche of automated traffic" was pushing sites toward blunt defences like paywalls, identity checks, and invasive tracking. Erik Anderson, director of engineering for the web platform at Microsoft Edge, called effective privacy-preserving tools critical to combating abuse without unnecessary user friction. Shopify's involvement reflects the commercial stakes. Ilya Grigorik, a distinguished engineer at the company, said every extra challenge or false positive in ecommerce can turn a purchase into an abandoned cart. Covert browser fingerprinting and extension scanning have emerged as the default tools for platforms trying to identify users, a practice that privacy advocates and regulators have pushed back against. PACT would offer a standardised alternative that does not require harvesting device characteristics or tracking browsing behaviour. The protocol builds on earlier work in the same space. Apple already uses a related system called Privacy Pass, which works with a device's secure enclave to attest to a user's identity, and Cloudflare uses Privacy Pass as a signal in its bot management products. The IETF published the Privacy Pass Architecture as RFC 9576, and PACT extends that foundation with broader browser support and a focus on the agentic AI traffic that has reshaped the composition of the web in the past year. No deployment timeline has been announced. The partners have committed to developing the protocol and submitting it for standardisation, but turning a specification into something that works across billions of browser sessions will take time. Users are already migrating away from platforms that impose AI features without consent, and the question of how to manage automated traffic without alienating human visitors is becoming more urgent by the quarter. Whether PACT arrives fast enough to matter depends on how quickly the standards process moves and how willing websites are to adopt a system that, by design, gives them less data about their visitors rather than more.

Web browsers and Cloudflare team up to authenticate human traffic to combat the growing malicious bot hordes and keep the internet authentic

Cloudflare is developing a protocol to verify legitimate traffic * Cloudflare and web browsers to develop new internet protocol * PACT protocol will help to verify legitimate web access from human and bots * Users will be given an anonymized "personhood" token to show they have a real reason to access a website Now that bot traffic on the internet has officially surpassed human HTTP requests, both web browsers and web infrastructure providers agree something needs to be done, especially as AI agents enter the fray. Today, Cloudflare has announced a joint initiative with Mozilla Firefox, Google Chrome, and Microsoft Edge to launch a new internet protocol designed to verify if web access is legitimate or malicious - without intruding on user privacy. Private Access Control Tokens (PACT) will act as anonymous tokens that verify legitimate access by both humans and authorized agents without the need for user logins or CAPTCHAs that cause friction and harm the browsing experience. Cloudflare establishes PACT with web browsers To start, PACT won't deny access to automated traffic completely. According to Cloudflare, the protocol is designed to recognize legitimate access from certain bots. As consumers and businesses turn to new automations provided by AI agents, there is still a legitimate case for allowing certain bots to access websites. For many AI agents, there is still a human at some point in the loop with a real reason for accessing a website. PACT offers an anonymous "personhood" token that is attached to the user's browser. This token uses "trusted information from contexts that have authentic relationships with people" to verify legitimate access "while keeping that information private." StatCounter places the combined market share of Chrome, Firefox, and Edge at around 77%, meaning that the PACT protocol will likely roll out to the majority of internet users. "PACT will further empower businesses to identify genuine visitors, ensuring they can focus their resources on the traffic that matters to them," CloudFlare said in the announcement. "Using PACT on Cloudflare's network raises the bar for trustworthiness and integrity online without the traditional costs." "In commerce, every extra challenge, delay, or false positive can turn a purchase into an abandoned cart. Merchants need effective protections against automated abuse, but buyers shouldn't have to pay for them with unnecessary friction or invasive tracking," said Ilya Grigorik, Distinguished Engineer at Shopify. "Shopify is proud to help develop PACT as an open, privacy-preserving standard that can help the millions of businesses on our platform distinguish legitimate shoppers and authorized agents from abusive traffic while preserving buyer privacy." Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

Cloudflare Collaborates With Leading Browsers to Develop a Privacy-First Protocol For the Global Internet

New Private Access Control Tokens (PACT) technology, developed alongside Mozilla, Google, Microsoft, and Shopify, pioneers a privacy architecture to secure interactions across the global Internet Cloudflare, Inc. today announced a new initiative with major Web browsers - Mozilla Firefox, Google Chrome, and Microsoft Edge - committing to developing and submitting for standardization a privacy-preserving protocol to help humans and bots prove that their traffic is not malicious. As the Internet shifts from human-driven clicks to agent activity, website operators must now figure out how to stop aggressive automated traffic, without resorting to invasive tracking. This initiative will lay the foundation for a more frictionless, secure, and private experience for every Internet user and website owner alike. "The way we interact with the Internet is facing a fundamental shift. Normal everyday tasks like ordering food previously required a user to personally navigate menus and payment gateways. Now, autonomous agents are starting to orchestrate these workflows on behalf of people," said Dane Knecht, CTO of Cloudflare. "As AI-powered traffic becomes widespread, existing tools to support its use are too generic and coarse. Now this collaboration lets us eliminate the friction caused by security protocols for every visitor - whether they are human or agent - without sacrificing privacy." For decades, website operators have relied on a patchwork of imperfect defense mechanisms to manage automated abuse, but these imperfect techniques are increasingly failing to keep pace with modern threats. Now, with the explosion of Generative AI, the battlefield has shifted yet again. Malicious automation is more widespread, sophisticated, and economically damaging to site owners. As we move toward an era of agentic AI, the line between human behavior and bot activity is blurring, leaving the digital world with an unprecedented privacy problem. When websites attempt to verify that a request originates from a legitimate human or authorized bot, the traditional solutions - forced logins and invasive tracking - compromise user trust. "In commerce, every extra challenge, delay, or false positive can turn a purchase into an abandoned cart. Merchants need effective protections against automated abuse, but buyers shouldn't have to pay for them with unnecessary friction or invasive tracking. Shopify is proud to help develop PACT as an open, privacy-preserving standard that can help the millions of businesses on our platform distinguish legitimate shoppers and authorized agents from abusive traffic while preserving buyer privacy." - Ilya Grigorik, Distinguished Engineer at Shopify. Private Access Control Tokens (PACT) are designed to allow sites with strong knowledge of "personhood" to issue anonymous tokens. A user's browser can then provide these tokens to other sites to prove that a human is in the loop, reducing the need for annoying and clunky captchas or invasive tracking. PACT is designed so that sites cannot leverage it to track or identify users or their browsing history. "The health of the web depends on effective, interoperable, privacy-preserving tools that enable sites to combat abuse without unnecessary user friction. Microsoft is excited to collaborate on developing new standards and helping ensure their deployment across the open web." - Erik Anderson, Director of Engineering, Web Platform at Microsoft Edge. "Mozilla is committed to defending openness and user privacy on the web. An avalanche of automated traffic is pushing sites to adopt blunt defenses - paywalls, identity checks, CAPTCHAs, and invasive tracking - simply to tell whether a request comes from a human. We can build a better solution that maintains strong privacy and provides a much less annoying experience for real humans using the web. This project requires collaboration across the ecosystem, and we're thrilled to work with Cloudflare and other like-minded partners to bring it to life." - Bobby Holley, CTO for Firefox at Mozilla. PACT will further empower businesses to identify genuine visitors, ensuring they can focus their resources on the traffic that matters to them. PACT leverages trusted information from contexts that have authentic relationships with people while keeping that information private. This provides businesses with high-integrity assurances about their audiences with minimal friction. Using PACT on Cloudflare's network raises the bar for trustworthiness and integrity online without the traditional costs.