New Private Access Control Tokens (PACT) technology, developed alongside Mozilla, Google, Microsoft, and Shopify, pioneers a privacy architecture to secure interactions across the global Internet.
Cloudflare has announced a new initiative with major web browsers, including Mozilla Firefox, Google Chrome, and Microsoft Edge, to develop a privacy-first internet protocol that helps humans and bots prove their traffic is legitimate. As internet traffic increasingly shifts from human users to AI agents and bots, website operators face growing challenges in blocking malicious automated traffic without relying on invasive tracking. The initiative aims to improve security and privacy for both internet users and website owners
“The way we interact with the Internet is facing a fundamental shift. Normal everyday tasks like ordering food previously required a user to personally navigate menus and payment gateways. Now, autonomous agents are starting to orchestrate these workflows on behalf of people,” said Dane Knecht, CTO of Cloudflare. “As AI-powered traffic becomes widespread, existing tools to support its use are too generic and coarse. Now this collaboration lets us eliminate the friction caused by security protocols for every visitor, whether they are human or agent, without sacrificing privacy.”
Why Privacy-First Internet Protocol?
Cloudflare emphasizes that, for decades website operators have relied on a patchwork of imperfect defense mechanisms to manage automated abuse, which are failing to keep pace with modern threats. Now, with the explosion of GenAI, the battlefield has shifted yet again. Malicious automation is more widespread, sophisticated, and economically damaging to site owners.
As we move toward an era of agentic AI, the line between human behavior and bot activity is blurring, leaving the digital world with an unprecedented privacy problem. When websites attempt to verify that a request originates from a legitimate human or authorized bot, the traditional solutions – forced logins and invasive tracking – compromise user trust.
“In commerce, every extra challenge, delay, or false positive can turn a purchase into an abandoned cart. Merchants need effective protections against automated abuse, but buyers shouldn’t have to pay for them with unnecessary friction or invasive tracking. Shopify is proud to help develop PACT as an open, privacy-preserving standard that can help the millions of businesses on our platform distinguish legitimate shoppers and authorized agents from abusive traffic while preserving buyer privacy,” said Ilya Grigorik, Distinguished Engineer at Shopify.
Private Access Control Tokens (PACT) are designed to allow sites with strong knowledge of “personhood” to issue anonymous tokens. A user’s browser can then provide these tokens to other sites to prove that a human is in the loop, reducing the need for annoying and clunky captchas or invasive tracking. PACT allows all of this to happen without any tracking or ability for sites to identify the user or the user’s browsing history, says Cloudflare.
“The health of the web depends on effective, interoperable, privacy-preserving tools that enable sites to combat abuse without unnecessary user friction. Microsoft is excited to collaborate on developing new standards and helping ensure their deployment across the open web,” said Erik Anderson, Director of Engineering, Web Platform at Microsoft Edge.
“Mozilla is committed to defending openness and user privacy on the web. An avalanche of automated traffic is pushing sites to adopt blunt defenses like paywalls, identity checks, CAPTCHAs, and invasive tracking, simply to tell whether a request comes from a human. We can build a better solution that maintains strong privacy and provides a much less annoying experience for real humans using the web. This project requires collaboration across the ecosystem, and we’re thrilled to work with Cloudflare and other like-minded partners to bring it to life,” said Bobby Holley, CTO for Firefox at Mozilla.
PACT will further empower businesses to identify genuine visitors, ensuring they can focus their resources on the traffic that matters to them. PACT leverages trusted information from contexts that have authentic relationships with people while keeping that information private. This provides businesses with high-integrity assurances about their audiences with minimal friction, concludes Cloudflare.
