'Increasingly the distinction between bots and humans is moot' says one of the biggest web-infrastructure companies

(Image credit: Cheng Xin via Getty Images)

We've been at the gates of the AI era for some time, but it's during the last few months that we've seen some real movement towards an AI-centric web, primarily thanks to OpenClaw. The question is how other sectors of the web than the OpenClaw-ers 'AI bros' will respond. On that front, Cloudflare has thrown its hat into the ring of predicting an agent-neutral web.

That's according to one of its recent blog posts where the behemoth cloud service provider outlines not just why this is the case but also what can and should be done about it. The key solution, according to Cloudflare, is to prove "behavior without proving identity", which should be done in a more active way than the usual server fingerprinting.

"There is no meaningful difference between the AI assistant booking concert tickets and the human who would have done so manually. Both are distributed. Both need anonymity. In each case, an origin would want to create less friction for users who wish to use the service as intended, rather than abuse it."

However, what is a problem is what the client—whether human or AI—is using the website data for. That's in part because server capacity is only worth allocating to connections that, on the whole, will offset the cost for that server, for instance due to advertising:

"Website owners cannot tell if their fetched content is serving one private report (possibly distorted, possibly unattributed) or being ingested to train a model for a million users, which disrupts the predictable (and monetizable) traffic that keeps their sites online."

A protocol interaction diagram from a Privacy Pass architecture document, Section 3.1 of RFC 9576. — A protocol interaction diagram from a Privacy Pass architecture document. This is how Privacy Pass gives you a verification token while retaining privacy. (Image credit: Cloudflare, Privacy Pass, ISSN 2070-1721, Section 3.1 of RFC 9576)

If there isn't a way around this, Cloudflare predicts a shift towards a web that's more restrictive and expensive for end-users:

"We can expect sites to pivot: requiring an account to see any content, or tying access to a stable identifier. This means no more ad-supported login-free articles, no more 'three free articles a month.' Other content businesses may move away from the Web completely, offering their data and services directly to AI vendors for a fee, or within walled gardens operated by large platforms."

The solution, according to Cloudflare, is to move towards some kind of active validation on the client side that still retains privacy: "Instead of collecting passive signals, the server can ask the client for an active privacy-preserving signal."

For instance, the company supports Privacy Pass, a protocol and extension that essentially allows you to prove you passed a check without having the website or server know anything about you other than that you're verified. This is unlike cookies, the usual way for a website to verify proofs (such as CAPTCHAs), which track you between sessions. And the way it's designed mean even whatever issues the Privacy Pass verification token to you does so blindly, without linking it to you.

As always, though, things aren't black and white: "Once the infrastructure exists to verify anonymous proofs, what gets proven can expand."

A World Orb iris eye scanner being held by someone — A World Orb iris eye scanner that can be used for liveness verification. (Image credit: World)

In other words, there's a risk such technology could develop in a direction that enforces strict requirements on users to receive verification, such as requiring a Google account, for instance.

To combat this, Cloudflare thinks we should consider a litmus test for whether a technology is acceptable or not: "do the methods allow anyone, from anywhere in the world, to build their own device, their own browser, use any operating system, and get access to the Web. If that property cannot hold, if device attestation from specific manufacturers becomes the only viable signal, we should stop."

To my eyes, at least, I'm seeing a lot of parallels between this and the problems surrounding broader age verification and liveness verification checks. It seems the best solution will lie in the development of technologies and protocols that are open and decentralised, blind or zero-knowledge, limited, and privacy-preserving. It's just a question of whether the world will wait for those technologies to be developed and implemented, or march forwards into more problematic solutions.

Secretlab Titan Evo gaming chair in Royal colouring, on a white background

Best PC gaming kit 2026

1. Best gaming chair: Secretlab Titan Evo

2. Best gaming desk: Secretlab Magnus Pro XL

3. Best gaming headset: Razer BlackShark V3

4. Best gaming keyboard: Asus ROG Strix Scope II 96 Wireless

5. Best gaming mouse: Razer Viper V4 Pro

6. Best PC controller: GameSir G7 Pro

7. Best steering wheel: Logitech G Pro Racing Wheel

8. Best microphone: Shure MV6 USB Gaming Microphone

9. Best webcam: Elgato Facecam MK.2

👉Check out our list of guides👈

TOPICS

Jacob got his hands on a gaming PC for the first time when he was about 12 years old. He swiftly realised the local PC repair store had ripped him off with his build and vowed never to let another soul build his rig again. With this vow, Jacob the hardware junkie was born. Since then, Jacob's led a double-life as part-hardware geek, part-philosophy nerd, first working as a Hardware Writer for PCGamesN in 2020, then working towards a PhD in Philosophy for a few years while freelancing on the side for sites such as TechRadar, Pocket-lint, and yours truly, PC Gamer. Eventually, he gave up the ruthless mercenary life to join the world's #1 PC Gaming site full-time. It's definitely not an ego thing, he assures us.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.