Why Tech Giants Are Building a CAPTCHA Replacement

Category: Technology | Published: 2026-06-09

If you have ever squinted at a blurry grid of traffic lights, bicycle wheels, or fire hydrants and wondered whether clicking the ambiguous square counts, you have experienced the peculiar frustration that billions of people share every day. CAPTCHAs have been a fixture of the web for so long that most people treat them as an unavoidable inconvenience, like a speed bump you just accept. That may be about to change.

A coalition of some of the biggest names in technology, including Cloudflare, Google, Microsoft, Mozilla, and Shopify, has announced a joint effort to build a CAPTCHA replacement designed around privacy rather than friction. The new system is called PACT, which stands for Private Access Control Tokens, and it represents one of the more significant attempts to rethink how websites verify that a real human being, or an authorised piece of software acting on their behalf, is the one making a request.

Why CAPTCHAs Are No Longer Fit for Purpose

The original logic behind CAPTCHAs was sound when it was conceived. Present a visual puzzle that a human can solve easily but a machine cannot, and you have a way to tell them apart. For a while, that worked.

The problem is that the fundamental premise has flipped. Modern AI systems can now solve most traditional image-based CAPTCHA challenges faster and more accurately than the average person. The tasks that were designed to be difficult for machines have become routine for them, which means CAPTCHAs are increasingly effective at frustrating genuine visitors and increasingly ineffective at stopping automated abuse.

There is also a scale problem. According to data from Cloudflare Radar, automated systems now generate more web traffic than humans, with bots accounting for around 58 per cent of all HTTP requests worldwide. A significant portion of that growth is driven not by malicious actors but by AI assistants and software agents browsing, searching, and interacting with online services on behalf of real users. The old binary of human versus bot has become much more complicated.

In 2025, the picture became clearer still when Google moved all reCAPTCHA users onto Google Cloud Platform, introducing a pricing model that capped the free tier at 10,000 assessments per month. That shift also brought renewed attention to a separate issue that had been building for some time: reCAPTCHA is not straightforwardly compliant with GDPR out of the box, raising questions for organisations that rely on it heavily and operate within UK or European data protection frameworks.

What the CAPTCHA Replacement Actually Does

PACT takes a different approach to the problem of verification. Rather than asking users to prove they are human by completing a task, it introduces a system of cryptographic tokens that do the verification on their behalf, silently and without requiring any action from the user at all.

The idea works like this. A service that already has an established relationship with a user, such as a browser, an operating system, or a platform the person has signed into, can issue an anonymous cryptographic token to that user's browser. When the user later visits a website that participates in the PACT system, the browser presents the token as evidence that a legitimate person, or an authorised AI agent acting for them, is behind the request.

Critically, the token is designed to prove legitimacy without revealing who the person is. The website gets confirmation that a genuine, trusted entity is making the request, but it does not learn anything about the visitor's identity or browsing history. That is the privacy-first element of the design: the verification works without the surveillance.

The Three Problems It Is Trying to Solve

PACT is designed to address three distinct issues that have been pulling in different directions for years.

The first is friction. Every CAPTCHA is a speed bump that some users abandon. Shopify Distinguished Engineer Ilya Grigorik put it plainly: every extra challenge, delay, or false positive can turn a purchase into an abandoned cart. For businesses that sell online, unnecessary verification steps have a direct and measurable cost in lost conversions.

The second is privacy. Browser fingerprinting, one of the techniques websites currently use to distinguish legitimate visitors from bots, involves collecting detailed information about a user's device, browser settings, and behaviour patterns. That has attracted growing regulatory scrutiny because of its privacy implications, and Firefox CTO Bobby Holley has warned that the growing volume of automated traffic is pushing websites towards increasingly intrusive methods simply to determine whether visitors are genuine at all.

The third is the AI agent question, which is genuinely new territory. Existing bot detection systems were built in an era when automated traffic was essentially synonymous with malicious traffic. That is no longer true. A growing proportion of automated web activity is entirely legitimate, consisting of AI assistants fetching information, software agents completing tasks, and automated tools acting on behalf of real users with their knowledge and consent. PACT is designed to distinguish these authorised agents from abusive bots, a distinction that CAPTCHAs have no way to make.

Why the Browser Makers Are Involved

One of the most notable aspects of the PACT announcement is who has signed up to it. Cloudflare brings the infrastructure perspective, having processed and analysed a significant proportion of global web traffic. But the involvement of Mozilla, Google, and Microsoft is what gives the initiative real weight.

Those three organisations collectively develop the browsers that most internet users rely on. For PACT to work, browsers need to be the entities issuing and presenting cryptographic tokens, which means browser makers need to be on board from the start. Having all three major browser developers involved from the announcement stage suggests this is being approached as a genuine standard rather than a proprietary solution that one company controls.

Cloudflare CTO Dane Knecht described the current moment as a fundamental shift in how people interact with the internet, noting that existing tools for managing web traffic are too generic and coarse to handle a world where AI-powered activity is becoming routine.

Where PACT Sits Now

It is worth being clear that PACT is still at an early stage. The partners plan to submit the protocol for formal internet standardisation before widespread browser and website adoption begins. That process takes time, and broad deployment is not imminent.

The technology does build on existing foundations. Privacy Pass, an earlier set of standards already used in some online services, established some of the cryptographic principles that PACT extends. That gives the new system a base to work from rather than starting entirely from scratch.

What This Means for Businesses

For most businesses, the day-to-day impact of PACT is probably a year or more away. Standardisation, browser implementation, and website adoption all take time to work through the ecosystem. But the direction of travel is worth understanding now.

The shift away from CAPTCHAs and towards privacy-preserving verification reflects a broader change in how online security is being approached. The goal is increasingly to verify legitimacy without creating friction and without collecting data that is not strictly necessary. That alignment of security with privacy is likely to become a consistent theme as AI-driven web activity continues to grow.

For organisations currently using reCAPTCHA, it is worth reviewing the data protection implications in light of the changes Google made in 2025, particularly for businesses with customers in the UK or EU. And for anyone building or maintaining customer-facing web services, the question of how your site handles an increasing volume of authorised AI agent traffic, alongside human visitors, is worth starting to think about now rather than later.

Our Cyber Security page covers the broader landscape of digital protection and how we help businesses stay ahead of changes in the threat and compliance environment.