CybersecurityHacking

Cloudflare Unveils Token Protocol to Help Websites Distinguish Humans from Bots

Analyst 207||Source: TheRegister
Person working on laptop in modern room with cityscape background.

"As AI-powered traffic becomes widespread, existing tools to support its use are too generic and coarse," said Dane Knecht in a statement.

Who signed up: Cloudflare with Chrome, Edge and Firefox

Cloudflare on Monday announced a collaboration with the three leading commercial browser makers — Google Chrome, Microsoft Edge, and Mozilla Firefox — to develop a privacy-preserving protocol called Private Access Control Tokens, or PACTs. The companies have committed to work together to let websites generate and accept these tokens as a way to separate "desirable" web traffic from requests they deem abusive or improper.

What PACTs are and how they're intended to work

PACTs are described as anonymous digital tokens that a website with "strong knowledge of 'personhood'" can issue. Browser users and "designated bots" would be able to present those tokens at other sites so that fewer identity checks are required. The announcement frames PACTs as a shareable, privacy-preserving CAPTCHA result: the test assesses the desirability of traffic — whether a session represents a visitor or a bot with legitimate intent — rather than simply whether the visitor is human or software.

Technical specifics are still being "hammered out and harmonized between related proposals," according to the report. The collaboration aims to let sites that can confidently determine personhood issue tokens so subsequent sites do not need to repeat identity checks, reducing friction while preserving anonymity in the token itself.

Privacy caveats and fingerprinting risks

Cloudflare and its browser partners present PACTs as privacy-preserving, but the announcement and accompanying analysis temper that claim. PACT tokens themselves "will not contain personal details," yet they will not address "all the other ways browsers can facilitate digital fingerprinting and tracking." The report cautions that if PACTs are implemented poorly they "may introduce novel risks," and that the technology divides traffic into welcome and unwelcome classes — a function already performed by firewalls and other measures but not easily reconciled with a notionally open web.

Questions remain about what qualifies as "strong knowledge of 'personhood'." The source material notes that "personhood" appears to extend to software authorized to act on behalf of a legitimate person for an authorized purpose. It is not clear from the current discussion what signals, behaviors, browsers, or hardware might be favored or disadvantaged by PACT criteria — though past technical discussion by developers at Google and Mozilla suggests deliberately excluding certain hardware, platforms, or user‑agents is not the goal.

An anti-fraud tool that could also be an access barrier

Cloudflare frames PACTs as an anti-fraud measure. The company says the technology is designed to "empower businesses to identify genuine visitors, ensuring they can focus their resources on the traffic that matters to them." Many site operators, the announcement notes, have complained about the burden of handling unwanted traffic from disrespectful crawlers and abusive automation; PACTs may directly address that operational pain point.

At the same time, the report warns PACTs "may also become an access barrier" — effectively requiring negotiation with site publishers to have a visit or a software agent deemed worthy of "personhood." Bobby Holley, CTO for Firefox at Mozilla, is quoted saying, "Mozilla is committed to defending openness and user privacy on the web," and framing PACTs as a response to an "avalanche of automated traffic" that has driven adoption of blunt measures such as paywalls, CAPTCHAs and invasive tracking.

What PACTs mean for technologists, enterprises, and end users

  • Technologists and security teams: Expect a new protocol to integrate into site authentication and bot-mitigation stacks; engineers will need to follow the harmonization of technical details and evaluate whether PACT issuance and verification introduce fingerprinting or operational risk.
  • Affected enterprises and procurement leaders: PACTs are being pitched as an anti-fraud capability that could reduce the operational cost of handling unwanted automated traffic; organizations should weigh benefits against potential vendor lock-in and access-control consequences implied by token-based personhood.
  • End users and the general public: Tokens "will not contain personal details," yet users should be aware PACTs do not solve browser fingerprinting or tracking and may alter how sites decide who gains seamless access.

Cloudflare and the browser makers have signaled an intent to reduce friction for both humans and authorized agents: "Now this collaboration lets us eliminate the friction caused by security protocols for every visitor – whether they are human or agent – without sacrificing privacy," Dane Knecht said. The claim rests on implementation choices that are still being written; the coming months of technical work will determine whether PACTs curtail abusive automation without introducing new forms of exclusion or surveillance.

Read the original story

Browser SecurityCloudflareEmerging ThreatsBot MitigationPrivate Access TokensPactsAI-powered TrafficWeb Traffic ManagementToken ProtocolMFA Alternative
Related Intelligence

Continue Reading

Person working on laptop with blurred screen in a bright, minimalist space.

Cloudflare Unveils Protocol to Distinguish Legitimate Web Traffic

Cloudflare is shaking up the way we verify online traffic with a new protocol that helps websites distinguish between legitimate users and AI-powered bots. Meet PACTs, a game-changing solution that lets sites share anonymous tokens, essentially a private, shareable CAPTCHA test result.

Analyst 207
Video decoding workstation with code on laptop screen and video editing software.

FFmpeg Patch Disrupts PixelSmash Flaw in Video Decoder

Security researchers at JFrog have uncovered a high-severity flaw, CVE-2026-8461, in FFmpeg's MagicYUV decoder that can be exploited by malicious video files, posing a risk to any application using the library. This vulnerability, scoring 8.8, can be triggered by specially crafted AVI, MKV, or MOV files.

Analyst 207
A coach sits at a table with an open laptop displaying heart rate and sleep data.

Wearables Expose Athletes to Data Abuse Risks

Imagine a coach scrutinizing an athlete's sleep and heart-rate logs to gauge their off-field behavior - a chilling invasion of privacy that's not as far-fetched as it sounds. As wearables become ubiquitous, athletes face growing risks of data abuse, from compromised privacy to unfair advantages in high-stakes competitions.

Analyst 207
Laptop on a neutral surface with a blurred background and a soft gradient on the screen.

Microsoft Unveils Windows 11 26H2 Upgrade Path

Get ready for the next big update to Windows 11, as Microsoft kicks off testing for version 26H2 with Windows Insiders in the Dev Channel. This upcoming annual update promises a seamless experience for organizations and IT pros, with a surprisingly small 174 KB enablement package for devices already running Windows 11 24H2 and 25H2.

Analyst 207