Traditional bot-vs-human detection is becoming obsolete as AI assistants, privacy proxies, and automated agents blur the line between human and bot traffic. What website owners actually need is accountability for intent and behavior, not a test of whether the client is human. The post argues for moving toward privacy-preserving anonymous credentials (building on Privacy Pass, RFC 9576 and RFC 9578) that let clients prove behavioral attributes, such as staying within a rate limit, without revealing their identity. New primitives such as Anonymous Rate-Limit Credentials (ARC) and Anonymous Credit Tokens (ACT) are explored as ways to enable unlinkable, multi-use proofs. The piece warns against letting this infrastructure become a gate that requires device attestation from specific vendors, and advocates an open issuer ecosystem governed at the IETF and W3C to keep the Web accessible to all clients.
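To make the "prove something without revealing identity" property concrete, the following is an added example (not code from the Cloudflare post) of a Privacy Pass style token flow reduced to textbook blind RSA: the client blinds a fresh nonce, the issuer signs it without seeing it, the client unblinds, and the origin verifies with the public key and rejects replays. RFC 9578's publicly verifiable tokens use RSA-PSS blind signatures (RFC 9474) with 2048-bit keys; the full-domain-hash stand-in, the 512-bit demo key, and the Client/Issuer/Origin names are simplifications assumed here. ARC and ACT build on different algebraic constructions and are not shown.

```python
import hashlib
import secrets
from math import gcd

def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin; adequate for a demo key, not a production keygen."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def gen_key(bits: int = 512):
    """Returns ((e, n), (d, n)). 512-bit modulus is demo-only (assumption), not secure."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)

def hash_to_int(msg: bytes, n: int) -> int:
    """Full-domain-hash stand-in (assumption): SHA-512 reduced mod n."""
    return int.from_bytes(hashlib.sha512(msg).digest(), "big") % n

class Client:
    """Blinds a fresh nonce so the issuer never sees the final token."""
    def request(self, pub):
        e, n = pub
        nonce = secrets.token_bytes(32)        # public part of the token
        m = hash_to_int(nonce, n)
        while True:
            r = secrets.randbelow(n - 2) + 2   # blinding factor, invertible mod n
            if gcd(r, n) == 1:
                break
        return nonce, r, (m * pow(r, e, n)) % n

    def finalize(self, pub, nonce, r, blind_sig):
        e, n = pub
        return nonce, (blind_sig * pow(r, -1, n)) % n   # unblind: r^-1 cancels r

class Issuer:
    """Signs blinded values; its log is all it could ever try to link on."""
    def __init__(self, priv):
        self.d, self.n = priv
        self.log = []

    def sign(self, blinded: int) -> int:
        self.log.append(blinded)
        return pow(blinded, self.d, self.n)

class Origin:
    """Verifies tokens with only the public key and rejects replays."""
    def __init__(self, pub):
        self.e, self.n = pub
        self.spent = set()

    def redeem(self, token) -> str:
        nonce, sig = token
        if pow(sig, self.e, self.n) != hash_to_int(nonce, self.n):
            return "invalid"
        if nonce in self.spent:
            return "double-spend"
        self.spent.add(nonce)
        return "ok"

def run_flow():
    """Issue one token, redeem it twice, try a forgery, check the issuer's view."""
    pub, priv = gen_key()
    client, issuer, origin = Client(), Issuer(priv), Origin(pub)
    nonce, r, blinded = client.request(pub)
    token = client.finalize(pub, nonce, r, issuer.sign(blinded))
    forged = (secrets.token_bytes(32), secrets.randbelow(pub[1]))   # constructed junk token
    return {
        "first": origin.redeem(token),
        "second": origin.redeem(token),   # replay of the same token
        "forged": origin.redeem(forged),
        # Issuer logged only the blinded value, never the nonce's hash or the signature.
        "issuer_can_link": hash_to_int(nonce, pub[1]) in issuer.log or token[1] in issuer.log,
    }

if __name__ == "__main__":
    print(run_flow())
```

The split between Issuer and Origin is the point of the architecture: the origin learns that a valid token was spent and can stop a replay, while the issuer's only record is a blinded value that matches nothing the origin ever sees.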

19 min read. From blog.cloudflare.com
Table of contents
  The Web we had
  The client-server model
  Bot management today
  A digression: the rate limit trilemma
  The important distinctions are what, not who
  Anonymous credentials for the Web
  The trajectory if we do nothing
  Anonymous authentication brings some risk, too
  A new balance
