Cloudflare, Google, Mozilla, Microsoft and Shopify have announced a collaborative effort to develop and standardize the Private Access Control Tokens (PACT) protocol. This protocol aims to differentiate between legitimate users and bots, while preserving user privacy and mitigating unwanted traffic and AI bot activity. PACT will allow websites to filter bot traffic using anonymous tokens without the need for captchas, mandatory authentication, or tracking through cookies.
The concept behind PACT is that services which have verified a user as a real individual, for example through successful authentication or anti-bot checks, issue that user anonymous tokens. Users can then present these tokens to other websites as proof that their requests are not automated. This streamlines verification across multiple sites without inconveniencing users with repeated checks. Additionally, the protocol ensures that tokens cannot be used to identify users or track their browsing history.
The motivation behind this initiative stems from the escalating volume of automated traffic generated by AI agents, crawlers, and scrapers masquerading as genuine users. These actors disregard robots.txt directives, placing undue strain on servers. Cloudflare had previously advocated for the use of the Web Bot Auth mechanism, which authenticates bots based on cryptographic signatures attached to HTTP requests, enabling access decisions rooted in verifiable data rather than IP addresses or User-Agent field data.
One potential concern surrounding the implementation of the PACT protocol is the possibility of it transitioning from a voluntary user confirmation mechanism to a mandatory access filter. This shift could create barriers that require programs, browsers, and users to prove their eligibility for site access, potentially hindering user experience.
The Electronic Frontier Foundation (EFF) had previously highlighted a similar issue in their critique of the Web Environment Integrity API and remote attestation. While acknowledging the legitimacy of anti-bot challenges, the EFF expressed