TL;DR
- Cloudflare announced PACT — privacy-preserving tokens to distinguish humans from bots, backed by Google, Mozilla, Microsoft, and Shopify
- The cryptography is sound; the governance model doesn’t exist yet — and who gets to issue tokens is the whole ballgame
- This is Web Environment Integrity (WEI) re-skinned for the third time in three years — attesting personhood instead of client integrity, but the power structure is identical
- The “ratchet effect”: tokens start as optional convenience, end up as de facto required access pass — no single decision makes it happen, just incremental optimization across sites
- Breaks internet measurement, security research, archival crawling, RSS readers, Tor users, and alternative browsers — all legitimate traffic with no issuer relationship
- Token farming creates a new abuse layer upstream; the fix (hardware attestation) slides back into exactly what WEI was killed for
- The right time to shape governance is now, before deployment — the IETF Privacy Pass working group is where the technical levers are
Cloudflare announced on June 22, 2026, that it’s partnering with Google, Mozilla, Microsoft, and Shopify to develop something called PACT – Private Access Control Tokens. They got all the usual suspects to regurgitate the press release:
- Major browsers join Cloudflare to create anonymous tokens for verifying traffic
- Cloudflare teams up with big browsers to help websites tell welcome from unwelcome visitors
- Cloudflare teams up with Chrome, Firefox, and Edge on a privacy-first anti-bot protocol
- Cloudflare forms pact with browser giants to protect your privacy with tokens - SDxCentral
- Cloudflare and Major Browsers Develop Private Access Control Tokens to Separate Legitimate Traffic From Bots - gHacks Tech News
- cloudflare.com/press/press-releases/2026/cloudflare-collaborates-with-leading-browsers-to-develop-a-privacy-first-protocol-for-the-global-internet/
(the full list is much longer…)
The pitch: a privacy-preserving way to help websites distinguish real human traffic from bots, built on blind-signature cryptography so tokens can’t be linked back to your identity or browsing history. The mechanism is rooted in reality and the privacy math mostly holds. The claimed justification – that automated traffic now represents roughly 58% of all web requests by Cloudflare’s own Radar data – deserves a beat of scrutiny before we accept it as a foundation. Davi Ottenheimer at flyingpenguin.com makes the case that Cloudflare’s CEO cherry-picked the HTML-only traffic segment from his own dashboard rather than the all-traffic figure, which still shows the web running about two-thirds human; the “All” selector on that same page contradicts his claim directly. The largest bot category in the actual data is search crawlers, by a factor of two, and the AI traffic that does exist is mostly training scrapers like GPTBot and ClaudeBot – not the agentic traffic Prince pointed to as the cause, which turns out to be the smallest bucket Cloudflare classifies. (Frankly, it reads like a sales pitch for Cloudflare’s pay-to-crawl product; none of which makes PACT’s governance ambitions more reassuring.)
What’s troubling is the lack of an open governance model, the “ratchet effect” that (so far) nobody’s discussing, and the fact that this is, for the third time in as many years, essentially Web Environment Integrity with better PR.
What PACT actually is, and what it isn’t yet
PACT adds a new issuance story on top of Privacy Pass: the claim that entities with “strong knowledge of personhood” should be the ones minting these tokens for general web use, not just for their own properties. That’s the entire announcement, really. There’s no deployment timeline, no IETF draft under a PACT name (I both Kagi’d and stooped so low as to google as well; there isn’t one as of writing), and no evidence of a named specification for the issuance governance. What was published June 22 is a statement of intent and a press release, which means we’re being asked to evaluate an architecture before the most consequential design decision has been made.
That decision is: who gets to be an issuer?
Who gets to be an issuer
This is the Web Environment Integrity fight from 2023, re-skinned. WEI died, loudly and publicly, when people understood that “attest your client is trustworthy” hands the platform vendor an effective veto over which software and configurations get to use the web. The Chromium team shelved it after the GitHub explainer and issue tracker turned into a comprehensive public accounting of why this class of proposal is dangerous. PACT routes around that specific objection by attesting personhood rather than client integrity – which is a real difference cryptographically – but the governance hazard is identical. A small set of parties decides legitimacy, and the parties being gated have no standing.
Mozilla’s presence in the consortium is presumably meant to hold the line on issuer plurality and unlinkability guarantees, but y’all know my opinion of Mozilla, so the attempt at initiative credibility whitewashing falls flat with me. The commercial incentives of the other partners all point toward issuer concentration, not away from it. Google’s revenue model depends on authenticated, attributable human sessions. Microsoft’s cloud and identity businesses are an issuer infrastructure business already. Cloudflare is, if we’re being direct about it, an intermediary that already terminates a large share of web TLS and has recently pivoted hard into hosting and managing AI agents – a company for which “who counts as a real visitor” is not an abstract governance question but a product decision.
Cloudflare’s own press copy is the yuge tell: it describes PACT as raising trust “on Cloudflare’s network.” Not “on the web.” On their network. A standard that works best for sites hosted behind the entity proposing it isn’t quite the global public infrastructure the announcement implies.
The “ratchet” nobody votes on
Today, tokens in headers (et al.) are friction-reducers: present one, skip the CAPTCHA, get a slightly better experience. Adoption is voluntary, the benefits are legit, and nothing looks coercive. As adoption spreads, the absence of a token starts to carry information. Defenders rationally adjust: token-bearing traffic gets through cleanly; untokened traffic gets challenged a bit more; risk thresholds shift. No one votes on any of this (kind of like when Let’s Encrypt destroyed any semblance of using certs as trust signals). Each site is just calibrating its own posture to the signals available, and the signal improves as the token corpus grows.
Follow that trajectory to its end and the token stops being optional, even though no one decided to require it. Each site just leans a little harder on traffic that shows up without one, treats it as a bit more suspect, and once enough sites do that, no token means you mostly don’t get through. No policy said so. No standard said so. It’s a pile of small, defensible calls with no single one you can point at and undo. While adoption is low the token feels like a convenience. Once most traffic carries one, it’s a wall, and you never catch the moment it flipped.
That’s the mechanism that should concern anyone who cares about the open web. It doesn’t take a villain or a power grab to get there. It just takes the everyday economics of infrastructure that traffics in trust, all the players acting in their own reasonable interest, and the open web ends up walled anyway.
The specific things that get broken, and for whom
Internet measurement and scanning sits at the top of that list. Mega-scale scanning of the kind that produces a real picture of what’s running on the internet originates from infrastructure that has no personhood and never will. It doesn’t log in anywhere and doesn’t have a Google (et al.) account. In a PACT-saturated environment, exactly the traffic you need to observe to understand the internet’s attack surface is, by construction, token-less and therefore treated as suspect. Endpoints that adopt PACT become systematically less observable to the tools whose entire job is observing them. (I’ve run into this wall doing internet-wide measurement work – the moment your scanner/client looks like non-browser traffic, the friction starts accumulating, and PACT would formalize that friction into the protocol layer itself.)
Security researchers, academic measurement projects, archival crawlers like the Internet Archive, accessibility tooling, monitoring systems, RSS readers, Tor users, people running old hardware or alternative browsers that can’t participate in whatever issuance flow eventually gets standardized – all of them end up in the same bucket: legitimate use cases with no issuer relationship and therefore no token. The announcement mentions that “smaller bot operators, independent developers, and users on less common browsers or platforms might find it harder,” which is doing a lot of work with the word “might.”
Why the abuse economics don’t actually close
Start with what the token is, mechanically: a bearer credential asserting “a human is in the loop,” reusable across sites. Transferable credentials get farmed. The moment a token has value and can be presented somewhere other than where it was minted, you’ve created a market for it – token farms, residential-proxy-style brokers selling “personhood,” compromised-but-attested clients minting on behalf of whoever pays. The arms race doesn’t end; it moves upstream from “is this request abusive” to “is this issuance legitimate,” a harder question asked by fewer parties with less visibility. The abuse economics don’t close. They relocate to a layer that’s more concentrated and more opaque than the one you started with.
The working group’s answer to this is rate-limited issuance – cap how many tokens a given client can mint in a window. But rate limiting has to count against something stable, and a stable client identifier is precisely the on-ramp to hardware binding.
And the defender comes out worse on signal. Defenders lose the behavioral and fingerprint signal they currently use to reason about traffic, because “good” traffic shows up as an opaque token rather than an observable session. The behavioral forensics that actual security research depends on get replaced with a binary that you can’t look through.
The fix that’s already lurking in the substrate is hardware binding. Apple’s Private Access Tokens (the existing PAT deployment in Safari, documented in Apple’s Privacy Pass support notes) already lean on the secure enclave for attestation – the privacy proxy round-trips through Apple’s servers precisely to prevent the issuer from seeing the client IP, and the hardware attestation is what gives the token its value. The natural defense against token farming is to require that issuance touch attested hardware. Tug just a little on this new thread and you’ve quietly slid from blind-signed software tokens back into remote hardware attestation, which is the thing WEI was killed for, just arrived by a slightly longer road.
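To make the mechanics concrete, here is an added example (not Cloudflare’s, Apple’s or the IETF’s code) of a toy blind-RSA issuer in the Privacy Pass style with per-client rate-limited issuance: the origin verifies with the public key alone, so anyone holding the token can present it; the issuer’s log never contains anything that matches a redeemed token; and the rate limit only works because it counts against a stable client id. The primes, key and client ids are constructed for illustration and are not a real deployment’s parameters.

```python
# Added example (not Cloudflare's, Apple's or the IETF's code): a toy blind-RSA
# issuer in the Privacy Pass style with per-client rate-limited issuance.
# The key is deliberately tiny and insecure; only the data flow matters here.
import hashlib, secrets
from math import gcd
P, Q = 104723, 104729                  # constructed toy primes, not a real key
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, issuer-only

def h(msg: bytes) -> int:
    """Hash a token nonce to an integer mod N (toy hash-to-group)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

class Issuer:
    """Signs blinded values; counts issuances against a stable client id."""
    def __init__(self, limit: int):
        self.limit, self.count, self.log = limit, {}, []
    def issue(self, client_id: str, blinded: int) -> int:
        used = self.count.get(client_id, 0)
        if used >= self.limit:             # the limit needs a stable id
            raise PermissionError(f"rate limit reached for {client_id}")
        self.count[client_id] = used + 1
        self.log.append((client_id, blinded))  # all the issuer ever sees
        return pow(blinded, D, N)

def client_mint(issuer: Issuer, client_id: str):
    """Blind a fresh nonce, get it signed, unblind: returns (nonce, sig)."""
    nonce = secrets.token_bytes(16)
    r = secrets.randbelow(N - 2) + 2
    while gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    blinded = (h(nonce) * pow(r, E, N)) % N
    sig = (issuer.issue(client_id, blinded) * pow(r, -1, N)) % N
    return nonce, sig

def redeem(nonce: bytes, sig: int) -> bool:
    """Origin-side check: public key only, so any bearer can present it."""
    return pow(sig, E, N) == h(nonce)

def issuer_can_link(issuer: Issuer, nonce: bytes, sig: int) -> bool:
    """Do the values seen at redemption appear in the issuer's log? Never."""
    return any(b in (h(nonce), sig) for _, b in issuer.log)

def mint_batch(issuer: Issuer, client_id: str, attempts: int) -> list:
    """Farm tokens under one client id until the issuer's limit bites."""
    tokens = []
    for _ in range(attempts):
        try:
            tokens.append(client_mint(issuer, client_id))
        except PermissionError:
            break
    return tokens
```

Note that `mint_batch` stops only because the issuer can tie requests to a `client_id`; swap in a throwaway id per request and the cap does nothing, which is the on-ramp to hardware binding the text describes.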
What a version of this worth defending would need to look like
A defensible PACT has a short list of non-negotiable properties. Issuance has to be plural – many independent issuers, with a real accreditation process and an appeals path for anyone refused a token, not a standing oligarchy of whoever already holds authenticated relationships at scale. Unlinkability has to be a hard guarantee rather than a best-effort claim that erodes the first time someone bolts on hardware attestation to fight farming. There has to be an explicit covenant that token-less traffic is never penalized, only optionally fast-pathed – the exact distinction the ratchet erases if you let it. And there has to be a carve-out for non-browser traffic with a legitimate purpose and no plausible issuer relationship: measurement, research, archival, accessibility.
Every one of those properties cuts against the commercial incentive of the entities shipping it, which is the whole problem. The failure path needs no bad actor – only each site locally optimizing. The “disaster” arrives as the sum of individually reasonable decisions, and by the time token-less internet access is second-class, there’s no single choice left to reverse.
The sequencing is the real tell
The right moment to shape this is now, before deployment, while the issuer accreditation model is still a blank page. The IETF Privacy Pass working group is at github.com/ietf-wg-privacypass and the rate-limited issuance draft (draft-ietf-privacypass-rate-limit-tokens) is the closest thing to a PACT issuance spec that currently exists – that’s where the technical levers are, and that’s where informed pushback lands with actual effect.
If the governance gets designed right, PACT could be a real improvement on CAPTCHAs without becoming an access regime for the web. If it gets designed the way infrastructure proposals usually do – with the mechanism specified and the power questions deferred until the mechanism is already deployed – the open web picks up another structural dependency on a handful of large platforms, and the transition will be too gradual to point at.