
Cloudflare Unveils Protocol to Distinguish Legitimate Web Traffic


"As AI-powered traffic becomes widespread, existing tools to support its use are too generic and coarse," said Dane Knecht, CTO of Cloudflare.

Private Access Control Tokens (PACTs): a shareable, privacy‑preserving test

Cloudflare and the three leading commercial browser makers — Google Chrome, Microsoft Edge, and Mozilla Firefox — announced a joint effort to build Private Access Control Tokens, or PACTs. The companies describe PACTs as a way for websites with "strong knowledge of 'personhood'" to issue anonymous tokens that browser users and designated bots can present to other sites. The comparison offered in the announcement is explicit: think of PACTs "as a shareable, privacy-preserving CAPTCHA test result," but aimed at whether a session is desirable traffic rather than merely distinguishing humans from bots.

Cloudflare, Chrome, Edge, and Firefox: a cross-vendor commitment

Cloudflare said it has joined the three major commercial browsers in committing to develop the PACT protocol. The firms are working to harmonize technical details between related proposals, but those details are not yet finalized. Cloudflare framed the work as an effort to eliminate "friction caused by security protocols for every visitor – whether they are human or agent – without sacrificing privacy," a formulation that both explains the product goal and invites scrutiny.

"Personhood" and authorized software: a fuzzy boundary

The announcement explicitly expands the idea of "personhood" beyond a simple human/bot divide. In the source material, "personhood" appears to include "software that has been authorized to act on behalf of a legitimate person for an authorized purpose." That expansion raises an immediate ambiguity: the record admits it is "not immediately clear what constitutes 'strong knowledge of "personhood"'" and acknowledges the risk that the test criteria could favor some browsers, behaviors, or network signals over others. At the same time, past technical discussion by developers from Google and Mozilla is cited to suggest that excluding particular hardware, platforms, or user‑agents is not the stated objective.

Privacy trade-offs and fingerprinting limits

Cloudflare and browser vendors stress that PACTs are "privacy-preserving" and that the tokens themselves "will not contain personal details." The source cautions, however, that saying this is "a bit of an overstatement." PACTs, as described, do nothing to repair "all the other ways browsers can facilitate digital fingerprinting and tracking," and the implementation could introduce novel risks if done poorly. Mozilla's CTO for Firefox, Bobby Holley, framed the initiative as a defense of openness and user privacy: "Mozilla is committed to defending openness and user privacy on the web," he said, adding that automated traffic is pushing sites toward "blunt defenses – paywalls, identity checks, CAPTCHAs, and invasive tracking – simply to tell whether a request comes from a human."

What this means for website operators, browsers, and end users

  • Website operators: The announcement positions PACTs as an anti‑fraud tool. Cloudflare says the technology will "empower businesses to identify genuine visitors, ensuring they can focus their resources on the traffic that matters to them." For operators overwhelmed by unwanted crawlers or abusive requests, PACTs promise a way to reduce friction and triage traffic.
  • Browsers (Chrome, Edge, Firefox): The three vendors have committed to developing PACTs and to harmonizing related proposals. That cooperation could accelerate deployment, but the vendors and their developers will need to resolve the open question of how "strong knowledge of 'personhood'" is established without inadvertently excluding legitimate platforms.
  • End users and authorized agents: Although tokens "will not contain personal details," users should expect that presenting a PACT may become part of how sites decide access. The source warns PACTs could "become an access barrier that demands negotiation with site publishers to have one's site visits or software deemed worthy of 'personhood.'"

Cloudflare and the browsers have sketched a practical response to a modern problem — distinguishing traffic worth serving from traffic best blocked — while promising privacy protections that, by their own account, are limited. The next concrete step is technical: the parties must finalize how PACTs are issued, what tests count as sufficient "personhood," and how implementations will avoid exacerbating fingerprinting or creating new access gatekeepers. Those unresolved choices will determine whether PACTs become a useful anti‑fraud mechanism, a new form of access control, or some mix of both.
