
Mozilla's PACT Proposal: Anonymous Web Credentials Without Vendor Lock-in

Hacker News

Privacy-focused browsing has created an unintended side effect: websites increasingly treat legitimate users like bots. When you visit news sites in private windows or shop with VPNs, you'll encounter registration walls, block pages, and endless CAPTCHAs. Anti-abuse systems depend on signals that privacy protections are dismantling, while generative AI has rendered traditional CAPTCHAs obsolete. This forces websites toward invasive verification methods that compromise user privacy.

Existing solutions from Google and Apple rely on device attestation, embedding identifiers and privileged code into hardware. Google's abandoned Web Environment Integrity and Apple's Private Access Tokens both require users to prove they're running approved software on trusted hardware. These approaches centralize control with device manufacturers, potentially locking users into ecosystems where access depends on expensive, approved hardware.

Mozilla's Distilled team proposes PACT (Private, Attestation, Credentials) as an alternative. Instead of hardware-based attestation, PACT leverages naturally scarce resources like email addresses, phone numbers, and paid subscriptions. These signals could be vouched for across websites while maintaining user anonymity, allowing sites to rate-limit visitors without invasive identification.

VPN providers exemplify the potential: rather than blocking all VPN traffic indiscriminately, a VPN subscription could serve as a scarcity signal. Websites could rate-limit individual users instead of blocking entire IP ranges. This preserves both privacy and legitimate access, though implementing such a system without enabling cross-site tracking remains technically challenging.
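As an added illustration of the property the last two paragraphs describe, and not Mozilla's actual PACT design (which this summary does not detail), here is a toy blind-signature flow: an issuer vouches once per scarce resource (a verified email is assumed here), the browser unblinds the signature, and websites verify and rate-limit per credential without ever seeing the email. The issuer, website, rate limits and the small RSA key are all assumptions for the demonstration.

```python
"""Toy blind-signature credential: one issuance per scarce resource, and sites
verify and rate-limit the credential without learning which resource backs it."""
import hashlib
import math
import secrets

# Toy RSA key from two well-known small primes; a real deployment would use a
# 2048-bit key and a standardised blind-signature scheme.
P, Q, E = 104729, 1299709, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # issuer's private exponent

def h(token: bytes) -> int:
    """Map a random token to an RSA message representative."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N

class Issuer:
    """Signs blinded tokens; spends each scarce resource (verified email) once."""
    def __init__(self):
        self.spent, self.seen = set(), []
    def issue(self, verified_email: str, blinded: int) -> int:
        if verified_email in self.spent:
            raise ValueError("resource already used for a credential")
        self.spent.add(verified_email)
        self.seen.append(blinded)          # only the blinded value is ever logged
        return pow(blinded, D, N)

def obtain_credential(issuer: Issuer, verified_email: str):
    """Browser side: blind a fresh token, get it signed, unblind the signature."""
    token = secrets.token_bytes(16)
    r = secrets.randbelow(N - 2) + 2
    while math.gcd(r, N) != 1:             # blinding factor must be invertible
        r = secrets.randbelow(N - 2) + 2
    blinded = (h(token) * pow(r, E, N)) % N
    sig = (issuer.issue(verified_email, blinded) * pow(r, -1, N)) % N
    return token, sig

class Website:
    """Verifies with the public key only and rate-limits per credential."""
    def __init__(self, limit: int):
        self.limit, self.counts = limit, {}
    def request(self, token: bytes, sig: int) -> bool:
        if pow(sig, E, N) != h(token):
            return False                    # forged or tampered credential
        self.counts[token] = self.counts.get(token, 0) + 1
        return self.counts[token] <= self.limit
```

The same credential is accepted by any site holding the public key, each site counts requests per credential rather than per IP range, and the issuer's log contains only blinded values, so it cannot match a redeemed token back to the email that earned it.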