The picture is now clear: automated systems account for more than half of global web traffic. Against this shift, traditional defenses are proving less and less effective and more and more frustrating for Internet users. In response, a coalition of web giants (Cloudflare, Mozilla, Google, Microsoft and Shopify) announced the development of a new open standard: Private Access Control Tokens, or PACT. The goal is to create a humanity verification system that no longer relies on visual puzzles, but on a shared, non-traceable trust mechanism.
How does this new system work in practice?
The principle of PACT is based on the issuance of an anonymous token by a site that already has good reason to believe that you are human, such as your email service or a social network you are logged in to. This “personhood” token (proof of humanity) is then stored by your browser. When you visit another site, it may request the token as proof, saving you from having to fill out a CAPTCHA.
The underlying technology, which extends the work of the Privacy Pass protocol, relies on blind cryptography. This guarantees total anonymity: the site that issues the token does not know on which other site you will use it, and the site that receives it cannot know where it comes from or who you are. This “hidden transfer” mechanism prevents anyone from connecting the dots to piece together your browsing history.
Why has such a change become essential?
If this initiative is seeing the light of day now, it is because the Internet has reached a tipping point. The traffic generated by bots has officially exceeded the volume of human requests, representing nearly 58% of global activity. This wave is largely fueled by the rise of artificial intelligence and assistants that navigate on behalf of their users.
Faced with this flood, websites have often reacted with brutal measures such as forced identity verifications or the multiplication of verification tests, degrading the user experience. For platforms like Shopify, every friction like this can result in an abandoned cart. PACT therefore aims to distinguish legitimate autonomous agents from bots, without penalizing human visitors.
What are the risks and outstanding questions?
Despite its promises, the PACT project raises legitimate questions. The main fear is the creation of a two-speed web, where traffic without a valid token would be treated as suspicious by default. This could penalize users of alternative browsers or atypical configurations, who could find themselves relegated to the rank of second-class digital citizens.
The power to certify the humanity of a visitor would also risk being concentrated in the hands of the same giants who are carrying out the project. For the moment, PACT is only a statement of intent, without a precise deployment schedule. The protocol still has to go through a long process of standardisation. The real battle will not be so much about the disappearance of CAPTCHAs as about the identity of those who will hold the keys to the gate.
