If you use the internet, you’ve answered a few CAPTCHAs. (Okay, maybe more than a few.) These unavoidable tests of humanity are a hallmark of the online experience, but they’re inconvenient and intrusive. Cloudflare, a cloud server network, claims to have created a more discreet substitute. On Wednesday the company announced Turnstile, a “privacy-preserving” alternative to CAPTCHA. Unlike many Cloudflare products, this one will be free to use for any site owner—even those who aren’t Cloudflare customers.
Turnstile differs from CAPTCHA in that it doesn’t require any input from the site visitor whatsoever. Rather than asking a site visitor to click on blurry palm trees or copy down a few characters, Turnstile automatically picks from a handful of browser challenges based on recent telemetry and client behavior. It then runs the selected challenge behind the scenes. The result is a quick and easy check against malicious activity that doesn’t exclude blind site visitors and others with accessibility concerns.
But according to Cloudflare, near-universal annoyance with CAPTCHA wasn’t its only motivation to create an alternative. CAPTCHA works by assigning site visitors individual scores, which are based on various signs of legitimacy. One of these signs is the presence (or lack) of a Google cookie, which signifies that the visitor likely has a Google account and is therefore not a bot. Another is the use of a VPN: visitors with a VPN look suspicious, while those without a VPN appear more legitimate. Not only is this unfair to people who use VPNs, but it presents clear privacy risks. By looking for the aforementioned traits, Google’s CAPTCHA can view and store a visitor’s IP address, device ID, browser plug-ins, and more.
Turnstile’s browser challenges largely rely on what are referred to as Private Access Tokens (PATs), a new type of cryptographic token built into the Privacy Pass protocol. PATs help to verify that HTTP requests are coming from legitimate devices and site visitors while isolating device and visitor data. Though Turnstile briefly checks a few aspects of visitors’ session data, like headers and browser characteristics, PATs preserve the integrity of that data by requesting validation from the device manufacturer (like Apple or Google). Cloudflare says Turnstile could eliminate a vast majority of CAPTCHA uses, thus making the web a more confidential, and less frustrating, space to be. Those who are interested in trying out Turnstile on their sites can now sign up to do so.