TL;DR
Cloudflare, Mozilla, Google, Microsoft, and Shopify are creating PACT, a privacy-first protocol to verify the legitimacy of web traffic.
Cloudflare has announced a joint initiative with Mozilla Firefox, Google Chrome and Microsoft Edge Develop a new Internet protocol that verifies if web traffic is legitimate without tracking users. The protocol, called private access control tokens, is designed to replace CAPTCHAs and forced logins with anonymous tokens that prove a visitor is a human or an authorized bot. Shopify co-developed the technology and the group plans to submit it for formal standardization.
The announcement comes as bot traffic has officially surpassed human activity online. Data from Cloudflare Radar shows that automated systems now account for about 58 percent of HTTP requests to web content worldwide, compared to 42 percent for people. Cloudflare CEO Matthew Prince shared the milestone on June 3, noting that agent AI programs that navigate on behalf of assistants like ChatGPT and Gemini had accelerated the crossover about 18 months ahead of their previous predictions.
PACT works by allowing websites with strong knowledge of a visitor’s identity to issue anonymous tokens. A user’s browser stores the token and can present it to other websites as proof that a real person is behind the session, reducing the need for repeated identity checks. The protocol is designed so that the token cannot be used to track users or reconstruct their browsing history.
“The way we interact with the Internet is facing a fundamental change,“Cloudflare CTO Dane Knecht said in the announcement.”As AI-powered traffic becomes more widespread, existing tools to support its use are too generic and clunky.He said the collaboration would eliminate friction caused by security protocols for each visitor, whether human or agent, without sacrificing privacy.
The initiative is not intended to block all automated traffic. Cloudflare has embraced agent AIcutting 1,100 jobs earlier this year after declaring that AI agents now perform jobs previously performed by humans. For many AI agents there is still a human being somewhere with a legitimate reason for accessing a website.
PACT aims to distinguish authorized agents from malicious scrapers and abuse bots, not shut down automation entirely.
Browser creators framed the effort as essential to the open web. Bobby Holley, CTO of Firefox at Mozilla, said: “automated traffic rush” was pushing sites toward forceful defenses like paywalls, identity checks, and invasive tracking. Erik Anderson, director of engineering for the Microsoft Edge web platform, called effective privacy-preserving tools critical to combating abuse without unnecessary user friction.
Shopify’s involvement reflects business interests. Ilya Grigorik, a distinguished engineer at the company, said that every additional challenge or false positive in e-commerce can turn a purchase into an abandoned cart. Covert Browser Fingerprinting and Extension Scanning They have become the default tools for platforms trying to identify users, a practice that privacy advocates and regulators have rejected.
PACT would offer a standardized alternative that does not require collecting device characteristics or tracking browsing behavior.
The protocol is based on previous work in the same space. Apple already uses a related system called Privacy Pass, which works with a device’s secure enclave to attest to a user’s identity, and Cloudflare uses Privacy Pass as a token in its bot management products. The IETF published the Privacy Pass Architecture as RFC 9576, and PACT expands on that foundation with broader support for browsers and a focus on agent AI traffic that has reshaped the makeup of the web in the last year.
No implementation schedule has been announced. The partners have committed to developing the protocol and submitting it for standardization, but turning a specification into something that works across billions of browser sessions will take time. Users are already abandoning platforms that impose AI features without consentand the question of how to manage automated traffic without alienating human visitors becomes more urgent every quarter.
Whether PACT arrives fast enough to matter depends on how quickly the standards process moves forward and how willing websites are to adopt a system that, by design, gives them less data about their visitors rather than more.
