The most consequential feature of the new Private Access Control Tokens protocol is the one nobody has written yet: the rule that decides who actually counts as a person.
Cloudflare, the cloud-infrastructure and edge-security company that sits in front of a large share of the web, announced on Monday that it is collaborating with Google Chrome, Microsoft Edge, and Mozilla Firefox on PACTs, a privacy-preserving way for a website to ask the visitor's browser whether the session is welcome, unwelcome, or somewhere in between. The token itself carries no personal data. What it attests to — the actual definition of a "person" eligible to receive one — is explicitly still being negotiated.
That negotiation is happening in two slow-moving standards venues at once. On the antifraudcg proposals GitHub repo (issue #22), engineers are hashing out how a site with strong knowledge of personhood should issue tokens that browsers and known-good bots can present elsewhere. The IETF Privacy Pass working group's expiration-extension draft is doing the same thing in a different corner of the room. Neither document yet defines the predicate that gates eligibility. The work is in flight; the ship date for the predicate is not.
Cloudflare, by contrast, is moving now. Its bot-management and edge-security products sit in front of a meaningful slice of the web, which gives the company an unusual amount of leverage over what "welcome" and "unwelcome" look like in production. The Register reports that the company's own framing calls PACTs an anti-fraud initiative that "empowers businesses to focus on traffic that matters to them." Dane Knecht, Cloudflare's CTO, argues the protocol removes friction for both human and agent traffic at a moment when AI-driven requests are surging. Bobby Holley, Mozilla's CTO of Firefox, frames it as a defense against blunt anti-bot measures like paywalls, CAPTCHAs, and invasive tracking.
Both framings are accurate, and both leave the same question open: who, exactly, gets to issue a token attesting that a visitor is a person, and on what evidence? The current draft does not require a hardware key, a phone number, a government ID, or a behavioral score. It only requires a site that is willing to make the call. If Cloudflare becomes the de facto issuer at scale, its operational definition of personhood, written into product, documentation, and the public API before the standards bodies converge, will be the one developers actually implement against. The IETF can ratify a stricter predicate later, but ratifying against an installed base is a different exercise than ratifying against a blank page.
That asymmetry is the real story. The partnership announcement reads like a coalition; the deployment order is closer to a takeover. The three-browser coalition matters because Chrome, Edge, and Firefox together cover the bulk of consumer browsing, and the protocol's value depends on the browser client implementing it. Once they ship, every other browser maker either joins the same definition or accepts that sites will treat their users differently.
The mechanism itself is a deliberate inversion of today's server-side heuristics. Right now, websites fingerprint TLS handshakes (a way of identifying the visitor's software stack by the shape of its encrypted connection), score IP reputation, and watch behavior in JavaScript to guess whether a request came from a person, a known-good bot like a search indexer or uptime monitor, or something more hostile: a scraper, a credential-stuffing script, or an AI-training crawler. Those heuristics are easy to spoof and brittle to legitimate-but-unusual traffic. A token issued by a site the browser trusts and presented at the next site is harder to fake and easier to audit, which is the privacy-preserving pitch. It is also a stronger signal, and stronger signals are more leveragable: the same attestation that lets a news site admit a Googlebot crawler can let a retailer block a competing AI trainer, a privacy-preserving browser, or a research script that did not sign up in advance.
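To make the issue-here, present-there mechanism concrete, here is an added illustration, not code from Cloudflare, the browser vendors, or the PACT and Privacy Pass drafts: a Privacy-Pass-style token flow built on an RSA blind signature. RSA blind signatures are one of the constructions the Privacy Pass family standardises; that PACTs keeps exactly that construction is an assumption of this example, as are the `Issuer`, `Client`, and `Origin` classes, the `eligible()` hook, and the simplified full-domain hash (which does not follow the exact RFC 9474 encoding). The example shows why the design is privacy-preserving (the issuer only ever signs a blinded value, so nothing it logs matches what the origin later sees), why a token is harder to fake than a heuristic (verification needs only the issuer's public key, and a guessed signature or replayed token is rejected), and where the undefined personhood predicate from the discussion above sits in the protocol: `eligible()` is the one function here the drafts have not written.

```python
"""Added example: Privacy-Pass-style issue/redeem flow with an RSA blind signature.
Not Cloudflare's or the drafts' code; key sizes and the hash are demo-grade."""
import hashlib
import math
import secrets


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full length
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 1024):
    """Demo-size RSA key; a production issuer would use a vetted library and >= 2048 bits."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))


def fdh(msg: bytes, n: int) -> int:
    """Simplified full-domain hash: SHA-256 in counter mode, reduced mod n."""
    nbytes = (n.bit_length() + 7) // 8
    out, ctr = b"", 0
    while len(out) < nbytes + 8:
        out += hashlib.sha256(ctr.to_bytes(4, "big") + msg).digest()
        ctr += 1
    return int.from_bytes(out, "big") % n


class Issuer:
    """The site that vouches for a visitor. It signs blinded values only."""

    def __init__(self, bits: int = 1024):
        self.pub, self._priv = rsa_keygen(bits)
        self.seen = []  # everything the issuer could log about issuance

    def eligible(self, evidence: dict) -> bool:
        # PLACEHOLDER: the personhood predicate the drafts leave undefined.
        return bool(evidence.get("vouched"))

    def issue(self, blinded: int, evidence: dict) -> int:
        if not self.eligible(evidence):
            raise PermissionError("eligibility predicate not satisfied")
        n, d = self._priv
        self.seen.append(blinded)
        return pow(blinded, d, n)


class Client:
    """The browser: blinds a fresh token, gets it signed, unblinds the signature."""

    def __init__(self, issuer_pub):
        self.n, self.e = issuer_pub

    def request_token(self, issuer: Issuer, evidence: dict):
        n, e = self.n, self.e
        token_id = secrets.token_bytes(32)
        m = fdh(token_id, n)
        while True:
            r = secrets.randbelow(n - 2) + 2  # blinding factor, invertible mod n
            if math.gcd(r, n) == 1:
                break
        blinded_sig = issuer.issue((m * pow(r, e, n)) % n, evidence)
        return token_id, (blinded_sig * pow(r, -1, n)) % n


class Origin:
    """Any later site: verifies with the issuer's public key, refuses replays."""

    def __init__(self, issuer_pub):
        self.n, self.e = issuer_pub
        self.spent = set()

    def redeem(self, token_id: bytes, sig: int) -> bool:
        if token_id in self.spent or pow(sig, self.e, self.n) != fdh(token_id, self.n):
            return False
        self.spent.add(token_id)
        return True


def run_demo(bits: int = 1024) -> dict:
    issuer, = (Issuer(bits),)
    client, origin = Client(issuer.pub), Origin(issuer.pub)
    token_id, sig = client.request_token(issuer, {"vouched": True})
    n, _ = issuer.pub
    return {
        "first": origin.redeem(token_id, sig),                          # accepted
        "replay": origin.redeem(token_id, sig),                         # rejected
        "forged": origin.redeem(secrets.token_bytes(32), secrets.randbelow(n)),
        "linkable": any(b in (sig, fdh(token_id, n)) for b in issuer.seen),
    }


if __name__ == "__main__":
    print(run_demo())
```

The `linkable` check is the privacy property in one line: the only values the issuer ever logged are blinded, so neither the redeemed signature nor the hashed token identifier appears in its records. The same structure also shows the leverage point the article describes: whatever `eligible()` returns at the issuer is what every origin downstream ends up enforcing, without any of them seeing the evidence.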
The Register, citing the published drafts, flags that the token contains no personal details but the design does not address other browser fingerprinting or tracking surfaces, and that a poor implementation could introduce novel risks. The published proposals are explicit that excluding certain hardware, platforms, or user agents is not a stated goal, but they are silent on what positive criteria a person must meet.
What to watch is whether the IETF Privacy Pass working group and the antifraudcg community converge on a binding, machine-verifiable personhood predicate before any major issuer ships PACTs at general availability. If they do, the standards process gets the last word. If Cloudflare's deployment lands first at the scale the company operates at, the GitHub issue and the IETF draft will be retrofitted to the production definition, not the other way around. The "TBD" in the spec is not a placeholder. It is the part of the deal that has not yet been won.