News Article · Jun 23, 2026 at 9:43 AM
Cloudflare, Chrome, Firefox, and Edge Join Forces on Privacy-First Anti-Bot Protocol
Security #browser security #Cloudflare #privacy #Private Access Control Tokens #bot mitigation


Cloudflare, Mozilla, Google, Microsoft, and Shopify are developing Private Access Control Tokens (PACT) to replace CAPTCHAs with anonymous token-based verification.


Cloudflare has announced a joint initiative with Mozilla Firefox, Google Chrome, and Microsoft Edge to develop a new internet protocol that verifies whether web traffic is legitimate without tracking users. The protocol, called Private Access Control Tokens (PACT), is designed to replace CAPTCHAs and forced logins with anonymous tokens that prove a visitor is human or an authorized bot. Shopify co-developed the technology, and the group plans to submit it for formal standardization.

Bot traffic has officially overtaken human activity online. Cloudflare Radar data shows automated systems now account for roughly 58 percent of HTTP requests to web content worldwide, against 42 percent from people. Cloudflare CEO Matthew Prince shared the milestone on June 3, noting that agentic AI programs browsing on behalf of assistants like ChatGPT and Gemini had brought the crossover about 18 months ahead of his earlier predictions.

How PACT Works

PACT allows websites with strong knowledge of a visitor’s identity to issue anonymous tokens. A user’s browser stores the token and can present it to other websites as proof that a real person is behind the session, reducing the need for repeated identity checks. The protocol is designed so that the token cannot be used to track users or reconstruct their browsing history.

  • Tokens are cryptographically blinded and privacy-preserving, meaning the issuer cannot link a token to the specific site where it was redeemed.
  • The protocol builds on Apple’s Privacy Pass architecture (RFC 9576), extending it with broader browser support and a focus on agentic AI traffic.
  • PACT aims to distinguish authorized agents, such as a human using an AI assistant, from malicious scrapers and abuse bots, rather than to block all automation.
  • Covert browser fingerprinting and extension scanning are common but privacy-invasive alternatives that PACT would replace.
  • The partners are Cloudflare, Mozilla, Google, Microsoft, and Shopify, representing major browser vendors and a leading ecommerce platform.
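
To make the "cryptographically blinded" property concrete, here is an added example that is not from the article or the PACT partners: a textbook RSA blind signature, used as a stand-in because the article does not specify PACT's cryptography. The toy key, the function names and the nonce-based token format are assumptions made for illustration.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy issuer key from two Mersenne primes; far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent

def h(nonce: bytes) -> int:
    """Hash a token nonce into Z_N (stand-in for a real padding scheme)."""
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big") % N

def client_blind(nonce: bytes):
    """Client hides h(nonce) behind a random factor r before contacting the issuer."""
    r = secrets.randbelow(N - 2) + 2
    while gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    return h(nonce) * pow(r, E, N) % N, r

def issuer_sign(blinded: int) -> int:
    """Issuer signs what it is given; it never sees nonce or h(nonce)."""
    return pow(blinded, D, N)

def client_finalize(blind_sig: int, r: int) -> int:
    """Dividing out r leaves an ordinary signature on h(nonce)."""
    return blind_sig * pow(r, -1, N) % N

def origin_verify(nonce: bytes, sig: int, spent: set) -> bool:
    """Redeeming site checks the signature and rejects replayed nonces."""
    if nonce in spent or pow(sig, E, N) != h(nonce):
        return False
    spent.add(nonce)
    return True

def issuer_can_explain(blinded: int, candidate: bytes) -> bool:
    """Any candidate token has some r that yields this blinded value: no linkage."""
    r = pow(blinded * pow(h(candidate), -1, N) % N, D, N)
    return h(candidate) * pow(r, E, N) % N == blinded

def demo():
    nonce, decoy = secrets.token_bytes(32), secrets.token_bytes(32)
    blinded, r = client_blind(nonce)
    sig = client_finalize(issuer_sign(blinded), r)
    spent = set()
    return (origin_verify(nonce, sig, spent),       # valid token accepted
            origin_verify(nonce, sig, spent),       # replay rejected
            origin_verify(decoy, sig, set()),       # signature bound to its nonce
            issuer_can_explain(blinded, nonce),     # consistent with real token
            issuer_can_explain(blinded, decoy))     # and equally with a decoy
```

The last two results are the privacy property: the value the issuer saw at issuance is equally consistent with the token that was redeemed and with an unrelated one, so issuance records cannot be matched to redemptions.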

Industry Reaction and Deployment Timeline

Browser makers framed the effort as essential to preserving the open web. Bobby Holley, CTO for Firefox at Mozilla, said an “avalanche of automated traffic” was pushing sites toward blunt defenses like paywalls, identity checks, and invasive tracking. Erik Anderson, director of engineering for the web platform at Microsoft Edge, called effective privacy-preserving tools critical to combating abuse without unnecessary user friction. Shopify’s involvement reflects the commercial stakes: Ilya Grigorik, a distinguished engineer at the company, said every extra challenge or false positive in ecommerce can turn a purchase into an abandoned cart.

No deployment timeline has been announced. The partners have committed to developing the protocol and submitting it for standardization, but turning a specification into something that works across billions of browser sessions will take time. Cloudflare has itself embraced agentic AI, cutting 1,100 jobs earlier this year after declaring that AI agents now perform work previously done by humans. The question of how to manage automated traffic without alienating human visitors is becoming more urgent by the quarter. Whether PACT arrives fast enough depends on how quickly the standards process moves and how willing websites are to adopt a system that, by design, gives them less data about their visitors rather than more.

Fact check

  • Bot traffic accounts for roughly 58% of HTTP requests to web content worldwide.

    reported · source

  • The protocol builds on Apple's Privacy Pass architecture, which is standardized as RFC 9576.

    verified · source

  • Cloudflare CEO Matthew Prince noted that agentic AI programs accelerated the crossover of bot traffic overtaking human traffic by about 18 months.

    reported · source

  • The partners plan to submit the protocol for formal standardization.

    reported · source
