TL;DR
Cloudflare, Mozilla, Google, Microsoft, and Shopify are building PACT, a privacy-first protocol for verifying the legitimacy of web traffic.
Cloudflare announced a joint initiative with Mozilla Firefox, Google Chrome and Microsoft Edge to develop a new internet protocol that verifies the legitimacy of web traffic without tracking users. The protocol, called Private Access Control Tokens, is designed to replace CAPTCHAs and forced logins with anonymous tokens that prove a visitor is human or an authorized bot. Shopify co-developed the technology, and the group plans to submit it for official standardization.
The announcement comes as bot traffic officially outpaces human activity on the internet. Cloudflare Radar data shows that automated systems currently make about 58 percent of HTTP requests to web content worldwide, compared to 42 percent by humans. Cloudflare CEO Matthew Prince shared the milestone on June 3, noting that agent AI programs running on behalf of assistants like ChatGPT and Gemini accelerated the crossover about 18 months earlier than his previous predictions.
PACT works by allowing websites with strong information about a visitor’s identity to issue anonymous tokens. The user’s browser stores the token and can present it to other websites as proof that the real person is behind the session, reducing the need for repeated identity checks. The protocol is designed in such a way that the token cannot be used to track users or reconstruct their browsing history.
“The way we interact with the Internet is undergoing fundamental change,“Cloudflare CTO Dane Knecht said in the announcement.”As AI-powered traffic becomes widespread, the tools available to support its use are too generic and crude.” He said the collaboration will remove the friction created by security protocols for every visitor, whether human or agent, without compromising privacy.
The initiative is not intended to block all automated traffic. Cloudflare itself has adopted agent AIIt cut 1,100 jobs earlier this year after declaring that AI agents are now doing jobs previously done by humans. For many AI agents, there is still a human in the loop who has a legitimate reason to visit a website.
PACT is not designed to shut down automation entirely, but rather to separate those authorized agents from malicious scrapers and abusive bots.
Browser makers saw the effort as essential to an open web. Bobby Holley, CTO of Firefox at Mozilla, said:an avalanche of automated transport” sites were pushing toward blunt defenses like paywalls, identity checks and invasive tracking. Eric Anderson, director of web platform engineering at Microsoft Edge, called effective privacy-preserving tools essential to combating abuse without unnecessary user friction.
Shopify’s participation reflects commercial shares. Ilya Grigorik, the company’s distinguished engineer, said that in e-commerce, every additional problem or false positive can turn a purchase into an abandoned cart. Hidden browser fingerprint and extension scan have emerged as standard tools for platforms trying to identify users, privacy advocates and regulators have opposed it.
PACT will offer a standardized alternative that does not require collecting device characteristics or tracking browsing behavior.
The protocol is based on previous work in the same location. Apple already uses a related system called Privacy Pass that works with a device’s secure enclave to authenticate a user, and Cloudflare uses Privacy Pass as a signal in its bot management products. The IETF published the Privacy Pass Architecture as RFC 9576, and PACT expands on this foundation with broader browser support and a focus on agent AI traffic, which has reshaped the web’s composition over the past year.
No deployment schedule has been announced. The partners have committed to developing the protocol and submitting it for standardization, but turning the specification into something that works across billions of browser sessions will take time. Users are already moving away from platforms that implement AI features without consentand the question of how to manage automated traffic without alienating human visitors becomes more pressing every quarter.
Whether PACT comes soon enough depends on how quickly the standards process moves and how willing websites are to accept a system that gives them less, not more, information about their visitors by design.
