CAPTCHAs To Be Replaced With Privacy-First Web Verification

Cloudflare has joined forces with Mozilla, Google, Microsoft and Shopify to develop a new internet protocol designed to help websites distinguish genuine visitors from malicious bots without relying on CAPTCHAs, forced logins or invasive tracking, in what could become one of the biggest changes to how people prove their identity online in decades.

What Is PACT?

The initiative centres on a new technology called Private Access Control Tokens (PACT), which aims to solve a problem that is becoming increasingly urgent as artificial intelligence changes the nature of internet traffic.

According to Cloudflare, automated systems now generate more web traffic than humans. Cloudflare Radar data shows bots account for around 58 per cent of HTTP requests worldwide, driven in part by the rapid growth of AI assistants and autonomous software agents browsing the web on users’ behalf.

That creates a challenge for website operators. They need to distinguish legitimate visitors from malicious bots without creating frustrating barriers for genuine users or collecting excessive amounts of personal data.

How The System Works

Rather than asking users to complete CAPTCHAs, log in repeatedly or allowing websites to build detailed browser fingerprints, PACT introduces a different approach.

Trusted services that already have a genuine relationship with a user can issue an anonymous cryptographic token to that person’s browser. When the user later visits another participating website, the browser can present the token as evidence that a real person, or an authorised AI agent acting for one, is behind the request.

Importantly, the token is designed to prove legitimacy without revealing who the person is or allowing websites to reconstruct their browsing history.

Cloudflare says PACT allows websites to “verify that a visitor is a human or authorized agent while preserving privacy”, removing much of the friction associated with existing verification methods.

Why Existing Methods Are Becoming Less Effective

For years, websites have relied on CAPTCHAs, browser fingerprinting, account log-ins and behavioural analysis to defend themselves against automated abuse.

Those techniques are becoming increasingly problematic. CAPTCHAs interrupt the browsing experience, browser fingerprinting has attracted growing regulatory scrutiny because of its privacy implications, while AI systems are becoming increasingly capable of solving many traditional bot detection tests.

Cloudflare CTO Dane Knecht believes the internet is reaching a turning point. As he explained: “The way we interact with the Internet is facing a fundamental shift… As AI-powered traffic becomes widespread, existing tools to support its use are too generic and coarse.”

Rather than treating all automated traffic as malicious, PACT is intended to distinguish authorised AI agents from abusive bots.

Why The Browser Makers Are Involved

One of the most significant aspects of the announcement is the unusually broad industry collaboration behind it.

Mozilla, Google and Microsoft collectively develop the browsers used by most internet users, while Shopify brings the perspective of millions of online retailers, where every unnecessary security check can reduce sales.

Shopify Distinguished Engineer Ilya Grigorik said: “Every extra challenge, delay, or false positive can turn a purchase into an abandoned cart.” He added that PACT could help businesses distinguish legitimate shoppers and authorised AI agents “while preserving buyer privacy.”

Mozilla also sees wider benefits. Firefox CTO Bobby Holley warned that an “avalanche of automated traffic” is pushing websites towards increasingly intrusive measures simply to determine whether visitors are genuine.

What Happens Next?

It should be noted here that PACT is still at quite an early stage. The partners intend to submit the protocol for formal internet standardisation before browsers and websites begin adopting it more widely.

The technology also builds on earlier Privacy Pass standards already used in some online services, extending those ideas to support a much broader range of browsers and AI-driven web traffic.

If widely adopted, PACT could eventually become a common feature of everyday web browsing, allowing websites to authenticate visitors with far less friction while giving users greater control over their privacy.

What Does This Mean For Your Business?

For organisations, the announcement reflects a much bigger change than simply replacing CAPTCHAs. The internet is rapidly moving from a world dominated by human visitors to one where AI agents increasingly browse, search, purchase and interact with online services on behalf of people.

Businesses will therefore need new ways to identify legitimate traffic without damaging the customer experience or creating additional privacy risks. PACT represents one possible answer by allowing trust to be established without relying on invasive tracking or repeated identity checks.

Although widespread deployment is still quite some way off, the involvement of Cloudflare, Google, Microsoft, Mozilla and Shopify suggests this is more than simply another technical proposal. If the standard gains broad industry support, it could reshape how websites balance cyber security, privacy and usability as AI becomes a routine part of everyday internet activity.