Cloudflare Precursor Watches Your Mouse and Keyboard To Decide If You Are Human (nerds.xyz) 52
BrianFagioli writes: Cloudflare has launched Precursor, a new behavioral bot detection system that monitors mouse movement, typing cadence, scrolling, clipboard activity, page visibility, and other signals across an entire browsing session. The system is designed to catch advanced bots that can run JavaScript, use real browsers, and pass traditional CAPTCHA challenges. Cloudflare says Precursor does not record actual keystrokes and instead studies timing and rhythm. The company also says the data is not tied to user identities or persistent profiles. Even so, software that watches how people move and type throughout a visit raises privacy concerns, especially as Cloudflare claims bots now generate roughly 57 percent of all Internet requests.
People do the same. (Score:4, Interesting)
Everyone my age knows what the stereotypical 'robotic' voice is. They changed it because they wanted to hide the fact you were talking to a machine.
We all know that a mouse moving in a perfectly straight line means a machine is controlling it, while humans do something more like a squiggly line. Basically a normal human drawing a line looks like someone with Parkinsons did it as compared to what a machine drawing a line looks like.
Similarly, humans typing have pauses that tend to end after set thoughts. New sentence = a pause. If I am seeing a long unbroken, steady text output or text that all appears in full sentences quickly, I know it is a machine.
Re: People do the same. (Score:5, Interesting)
Re: (Score:3)
I guess Antigravity (the IDE) has no problems with Googles Antigravity to remote control my browser and solve most CaptChas for me.
Yesterday I had a funny CaptCha failure, had to repeat it like 5 times. The items it wanted me to click simply were not as often in the pictures as "the algorithm" thought there should be.
Took ten minutes to finally get through ...
Re: (Score:3)
Indeed it would sound very easy, except that human movements aren't random, and with proper statistical models it's quickly possible to determine someone who didn't know the difference between natural restricted and biased variance and randomness.
You're the target audience here: the people who think that this "sounds incredibly easy" will be the first to have their bots blocked. Yeah it'll be worked around, but the bar is raised in the meantime.
Re: (Score:2)
Indeed it would sound very easy, except that human movements aren't random, and with proper statistical models it's quickly possible to determine someone who didn't know the difference between natural restricted and biased variance and randomness.
You're the target audience here: the people who think that this "sounds incredibly easy" will be the first to have their bots blocked. Yeah it'll be worked around, but the bar is raised in the meantime.
You're not wrong. But the same data that describes what is and isn't human input can be used to create activity that matches that data. If Cloudflare has gathered the information, someone else can as well.
This mirrors the spam arms-race that started a couple decades ago.
Re: (Score:2)
yes, but humans aren't random... so linear speed is a bot, totally random is a bot. Add that info from multiple inputs like cloudflare is doing and probably can guess within a error margin if it is a bot or a human... hey, even if it fails to detect 50% of the bots, it is already 50% less traffic arriving to a site.
Sadly there is no way to detect 100% of the bots/humans, but every hint helps.
Of course, people using bots could be much nicer and use correct user-agents to identify thyself and allow sites to
Re: (Score:1)
Sounds incredibly easy for bots to add some randomness to its movements and typing speed.
Sure, but are bots still economically feasible if they run as slow as humans?
Re: (Score:2)
Unless your mouse has angle snapping or is a wireless mouse and there is movement lag because of interference.
Re: (Score:2)
Re: (Score:1)
Well, you're using a machine to control your mouse, so what do you expect?
If you're gonna say that, a mouse is a machine as well. All input devices are. Maybe we all actually are machines? Oh good, fourth existential crisis of the day incoming.
Re: (Score:1)
This shit is why I quit adtech in 2014. Everything that they tout was industry practice 12 years ago.
Re: (Score:2)
cloudflare is not doing anything new actually, other that using this data to detect bots... you already have sites that mouse, keyboard and clicks, mostly to learn how you interact with the site and what features work/get used and do not work
If they could map your eyes, they would be happy to follow your eyes to guess to what you are looking at... to see if that ad is working or not
So don't blame cloudflare, while they are huge and that is already a problem, they are mostly good guys... the problem is all t
Chrome only, I assume (Score:3)
Safari and Firefox would likely block this, given it's a third party JavaScript tool.
Re: (Score:2)
Re: (Score:3, Insightful)
Re: (Score:2)
Re: (Score:3)
you know that these features already exist in javascript and are commonly used to monitor user behavior, either for ads or for study how you interact with sites?!
https://developer.mozilla.org/... [mozilla.org]
the only difference here is that this is being used to check for bots and cloudflare announced it... most other companies use this and do not announce it
From the article it's just browser fingerprinting (Score:2)
I'm actually a little surprised they didn't already have a fingerprinting product.
Re: (Score:2)
I suspect GP's point is that every malware blocker in every browser is likely to treat this kind of script as hostile, except for Chrome because Google are currently nerfing the ability for blockers to intercept hostile scripts in one of the most blatantly user-hostile changes they've ever made.
If Apple play along with Safari then every other browser and its malware blocking plugins are about to be toast in a huge retrograde step for Internet privacy. But not even Cloudflare is going to get away with blocki
Re: (Score:2)
Did anyone mention recently that simultaneously controlling both the most popular web browser and several of the most popular ad-supported web properties might be a little anticompetitive, and that it's about time that Google was broken up? It's probably time for that drum to start beating a bit louder again.
I remember when Microsoft got hit with an anti-trust suit because they bundled the browser with the OS. Here in 2026 Google owns the browser, the OS and the search engine. If you're on a chromebook or a Pixel they also control the hardware. Why is this allowed?
Re: (Score:2)
Safari and Firefox would likely block this, given it's a third party JavaScript tool.
I am not sure it would be considered a "third party JavaScript tool". Once you gave the key to your domain to cloudflare, the domain resolves to a cloudflare IP and cloudflare act as a reverse proxy contacting to your site thus enabling them to inject any javascript without being viewed as third party.
Re:whitelist sites that don't use Cloudflare (Score:4, Interesting)
I shouldn't have to unblock nefarious Javascript on a random website to provide I am human.
If you're worried about bots, don't punish humans.
This company is fucking EVIL.
People use Cloudflare because otherwise crawlers, mostly AI, make their websites unusable. Punish the people running the bots, not the people trying to protect themselves.
Re: (Score:2)
Well, this whole cloudfare crap also makes their websites unusable.
Re: (Score:2)
why? what is your problem with it?
yes, the captchas are annoying, but cloudflare already did their best to avoid showing them and make then as easy as click a box (instead of select 3 or 4 times images or try to read some distorted letters/numbers)
Yes, they are big and control many site traffic, that is a danger, but mostly to the sites, not the user... but they are also big because they work well and are much cheaper than most alternatives (that usually even perform worse)
Yes , a site without it would be b
Re: (Score:2)
Re: (Score:3)
This overlooks the spam traffic coming from cloudflare. Also cloudflare was an actual intelligence project (quoted here):
https://www.devever.net/~hl/cl... [devever.net]
"Back in 2003, Lee Holloway and I started Project Honey Pot as an open-source project to track online fraud and abuse. The Project allowed anyone with a website to install a piece of code and track hackers and spammers. We ran it as a hobby and didn't think much about it until, in 2008, the Department of Homeland Security called and said, 'Do you have any
Re: (Score:2)
Sorry, but wrong. Currently AI is often blatantly wrong in ways that people would never be, but most of the time it does a narrowly specified job decently. It's just that when it doesn't, you may REALLY notice it.
Re: (Score:3)
That's what CloudFlare is for. To make sure you haven't turned JavaScript off, are not blocking ads and have an acceptable level of tracking allowed.
Web site operators with ads aren't nearly as interested in blocking bots. They get paid for ad views. Prove that it wasn't a human that clicked that MongoDb banner. Or pay up.
It's the advertisers that should be screaming about the scraping. They're the ones that have to write the checks to the site owners.
Re: (Score:2)
Re: (Score:2)
hey, the site i manage have no ads, people pay money ... we actually pay money to cloudflare.
we want to protect from attacks and all the bots and AI browsers are using a huge amount of resources, that we have to pay, so it is cheaper for us to pay cloudflare than scale the infra and pay for it.
and if you disable javascript, most site will actually not work (i know, i tried, i used noscript for many years), better option is use umatrix where you choose what to load or not or using a curated list like adblock
Re: (Score:2)
and if you disable javascript, most site will actually not work
And in the final analysis, that might be a good thing. Did you (your company) write that JavaScript? Probably not. You downloaded some crap from npm and included it in your pages.
IIRC, it was some npm installation scripts that allowed a "dependencies" section to include a URL for code to be included. From anywhere in the Internet. Bypassing the repository. And allowing the owner to place new code at that location any time they saw fit. Some of the exploits did things like encrypt your disk and ransom your
The thing ... (Score:2)
The thing about computers is they can use machine learning until they generate randomness algorithms that work.
Ad agencies have been doing this (Score:2)
I understand the advertisement industry had been engaging in this, to help identify your typing cadence, mouse move, etc. This is something I read a long time ago, so the technique is not new; and I can only imagine what else they can infer from this data.
Ugh. This shit already exists. (Score:2)
And it always flags me as a bot because I type too damned fast. Or click to fast.
Re: (Score:2)
It also seems calculated to discriminate against handicapped folks that need mechanized assistance...but I may be wrong.
Re: (Score:2)
You're almost certainly not wrong. And if they can find a way to block women by accident they'll probably do that too.
Oh, fuck off (Score:2)
Cloudflare has launched Precursor, a new behavioral bot detection system that monitors mouse movement, typing cadence, scrolling, clipboard activity, page visibility, and other signals across an entire browsing session.
Nothing nefarious here, no potential for abuse, move along, move along.
Touchscreen (Score:2)
So what about people that don't use the mouse but use touchscreens?
Re: (Score:2)
it is the same, you press a random place in the area, not a exactly the center pixel.
when you type, you also have a distinct timing, not a constant speed
508 and JAWS (Score:3)
How does it interact with 508 and accessibility type devices/software like JAWS and other screen readers?
Sorry... (Score:2)
You have been deemed a non-person because you are not random enough for us. Your death certificate should arrive in the mail within two weeks.
Just use client SSL already (Score:2)
Bad guy here (Score:2)
Spoofable (Score:2)
I bet I can write a client that matches exactly the intended behaviour.
If it's in software, it can be emulated.
If it is not, it can be emulated anyway.
The problem is the server-side, not the client.