Cloudflare pushes PACTs with Chrome, Edge, and Firefox to sort bots from humans
A new privacy-preserving protocol aims to reduce bot friction without making every site run CAPTCHA arms races.

Cloudflare joined Google Chrome, Microsoft Edge, and Mozilla Firefox to develop Private Access Control Tokens (PACTs), a protocol for websites to issue privacy-preserving tokens tied to legitimate browsing sessions. For decision-makers, the bet is straightforward: fewer abusive requests and less per-visitor friction, with new questions about how “personhood” gets defined.
Cloudflare teamed up with the makers of Chrome, Edge, and Firefox to standardize a new privacy-preserving way for websites to tell “welcome” traffic from “unwelcome” network requests. The collaboration centers on Private Access Control Tokens (PACTs), which are meant to let a website generate a digital token asserting that a given browsing session is run by a human or by a bot with legitimate intent, rather than by software making abusive or improper requests.
In plain terms, PACTs are positioned as a shareable, privacy-preserving “CAPTCHA result,” except the test is about whether the traffic is desirable, not about whether the visitor is literally a person. The goal is to reduce the need for repeated, intrusive identity checks at each site. And Cloudflare frames this as a win for everyone who has been stuck between two bad options: letting bot traffic run wild, or punishing normal users with friction that stacks up every visit.
Why this matters now: the internet is increasingly awash in automated traffic, and the old defenses are getting dragged in two directions at once. As Dane Knecht, CTO of Cloudflare, put it in a statement, “As AI-powered traffic becomes widespread, existing tools to support its use are too generic and coarse.” Knecht argues that PACTs let collaboration partners eliminate “the friction caused by security protocols for every visitor - whether they are human or agent - without sacrificing privacy.” The key operational promise is less about perfect certainty and more about lowering the cost of deciding who should be let through.
PACTs are also being sold as a practical compromise for a reality that websites already live in: traffic is constantly divided into acceptable and unacceptable classes through firewalls and other technical controls. What is different is the “shareability” angle. PACTs are designed so websites with “strong knowledge of 'personhood'” can issue anonymous tokens that browser users and designated bots can present to other websites. That means fewer identity checks per site, potentially fewer hard blocks, and less reliance on blunt friction tools that can degrade user experience.
But the phrase “strong knowledge of 'personhood'” is the part executives should zoom in on, because it hints at policy and implementation decisions that will land somewhere between “technical” and “political.” In the source, the protocol details are still being “hammered out and harmonized between related proposals,” and it is not immediately clear what qualifies as strong knowledge in this context. Notably, the source points out that “personhood” appears to extend beyond just humans. It can cover software authorized to act on behalf of a legitimate person for an authorized purpose.
That nuance could cut two ways for boards and security leaders. On one side, it suggests the system is not necessarily trying to punish particular browsers, behaviors, or user-agents. The source notes that past technical discussion by developers from Google and Mozilla suggests excluding certain hardware, platforms, or user-agents is not a goal. On the other side, it raises the risk that particular criteria could indirectly deny token dispensation to some legitimate setups if “personhood” is operationalized too narrowly or too conservatively. If a token is the gateway to smoother access, then the definition of what earns a token becomes a strategic dependency for businesses.
There is also a broader privacy and governance layer. The source is blunt that Cloudflare’s “without sacrificing privacy” claim may be overstated. PACT tokens likely will not contain personal details, but the collaboration does not magically repair other ways browsers can facilitate digital fingerprinting and tracking. Even if tokens avoid directly embedding personal information, decision-makers should assume that privacy is still a multi-factor problem. PACTs reduce one class of friction and verification, but they do not eliminate the rest of the web’s tracking surface.
Finally, the collaboration is explicitly anti-fraud in intent. The announcement language, as described in the source, says the technology is designed to empower businesses to identify genuine visitors, ensuring they can focus resources on traffic that matters. Many website operators complain about the burden of handling unwanted network traffic from disrespectful crawlers. PACTs could offer a cleaner way to separate benign automation from abusive scraping or other improper activity, which would be valuable in industries where moderation costs are constant and expensive.
Still, the strategic stakes are higher than the average “bot mitigation” press release. PACTs may become an access barrier that requires negotiation with site publishers over who is deemed worthy of “personhood.” Mozilla’s CTO for Firefox, Bobby Holley, said in a statement: “Mozilla is committed to defending openness and user privacy on the web,” and warned that “An avalanche of automated traffic is pushing sites to adopt blunt defenses - paywalls, identity checks, CAPTCHAs, and invasive tracking - simply to tell whether a request comes from a human.” PACTs are a response to that avalanche. The question for executives is whether the response reduces friction broadly, or whether it shifts friction upstream into token eligibility, browser behavior, and whatever counts as legitimate automation.