Cloudflare, Google, Microsoft, and Mozilla Team Up on Privacy-Preserving Web Traffic Authentication Protocol
Cloudflare, Google Chrome, Microsoft Edge, and Mozilla Firefox are collaborating on Private Access Control Tokens (PACTs), a privacy-preserving protocol that lets websites issue anonymous tokens to distinguish legitimate traffic from abusive requests.

Cloudflare on Monday announced a joint effort with Google Chrome, Microsoft Edge, and Mozilla Firefox to develop Private Access Control Tokens (PACTs), a new protocol designed to help websites differentiate welcome traffic from unwelcome network requests without compromising user privacy. The initiative aims to replace blunt security measures like CAPTCHAs, paywalls, and invasive tracking with a shareable, anonymous token system that asserts whether a browsing session is run by a human or an authorized bot.
PACTs function as a privacy-preserving CAPTCHA result: a website with strong knowledge of 'personhood' can issue a digital token that a browser or designated bot can present at other sites, reducing the need for repeated identity checks. The protocol is still in early development, with technical details being harmonized between related proposals. Cloudflare CTO Dane Knecht argued that as AI-powered traffic becomes widespread, existing tools are too generic and coarse, and PACTs can eliminate friction without sacrificing privacy.
However, the privacy claim has drawn skepticism. While PACT tokens will not contain personal details, they do nothing to address other tracking vectors like browser fingerprinting. Critics also note that the definition of 'personhood' remains vague—it may extend to authorized software agents, potentially creating new access barriers. The protocol fundamentally divides internet traffic into welcome and unwelcome categories, a practice already common via firewalls but at odds with the notionally open web.
The collaboration responds to the growing challenge of AI-powered automated traffic that blurs the line between human and bot visitors. Mozilla CTO Bobby Holley stated that an avalanche of automated traffic is pushing sites to adopt blunt defenses, and PACTs offer a way to verify request legitimacy without paywalls or invasive tracking. Cloudflare's announcement emphasizes that the technology is designed to empower businesses to identify genuine visitors and focus resources on traffic that matters.
If implemented poorly, PACTs could introduce novel risks, such as excluding certain hardware, platforms, or user-agents, though past technical discussions by Google and Mozilla developers suggest that such exclusion is not a goal. The protocol is still being shaped, and its ultimate impact on web openness and privacy will depend on how the 'personhood' criteria are defined and enforced.
This initiative marks a significant step toward a more nuanced approach to web traffic authentication, balancing the needs of site operators against user privacy. As AI agents become more common, the ability to distinguish legitimate automated traffic from abuse will only grow in importance. The collaboration among major browser vendors and Cloudflare signals industry recognition that current defenses are unsustainable.