Forgot your password?
typodupeerror
The Internet Privacy

Cloudflare Precursor Watches Your Mouse and Keyboard To Decide If You Are Human (nerds.xyz) 52

BrianFagioli writes: Cloudflare has launched Precursor, a new behavioral bot detection system that monitors mouse movement, typing cadence, scrolling, clipboard activity, page visibility, and other signals across an entire browsing session. The system is designed to catch advanced bots that can run JavaScript, use real browsers, and pass traditional CAPTCHA challenges. Cloudflare says Precursor does not record actual keystrokes and instead studies timing and rhythm. The company also says the data is not tied to user identities or persistent profiles. Even so, software that watches how people move and type throughout a visit raises privacy concerns, especially as Cloudflare claims bots now generate roughly 57 percent of all Internet requests.

Cloudflare Precursor Watches Your Mouse and Keyboard To Decide If You Are Human

Comments Filter:
  • People do the same. (Score:4, Interesting)

    by gurps_npc ( 621217 ) on Monday July 13, 2026 @02:13PM (#66236564) Homepage

    Everyone my age knows what the stereotypical 'robotic' voice is. They changed it because they wanted to hide the fact you were talking to a machine.

    We all know that a mouse moving in a perfectly straight line means a machine is controlling it, while humans do something more like a squiggly line. Basically a normal human drawing a line looks like someone with Parkinsons did it as compared to what a machine drawing a line looks like.

    Similarly, humans typing have pauses that tend to end after set thoughts. New sentence = a pause. If I am seeing a long unbroken, steady text output or text that all appears in full sentences quickly, I know it is a machine.

    • by clive27 ( 889511 ) on Monday July 13, 2026 @02:17PM (#66236572)
      Sounds incredibly easy for bots to add some randomness to its movements and typing speed.
      • I guess Antigravity (the IDE) has no problems with Googles Antigravity to remote control my browser and solve most CaptChas for me.

        Yesterday I had a funny CaptCha failure, had to repeat it like 5 times. The items it wanted me to click simply were not as often in the pictures as "the algorithm" thought there should be.

        Took ten minutes to finally get through ...

      • Indeed it would sound very easy, except that human movements aren't random, and with proper statistical models it's quickly possible to determine someone who didn't know the difference between natural restricted and biased variance and randomness.

        You're the target audience here: the people who think that this "sounds incredibly easy" will be the first to have their bots blocked. Yeah it'll be worked around, but the bar is raised in the meantime.

        • Indeed it would sound very easy, except that human movements aren't random, and with proper statistical models it's quickly possible to determine someone who didn't know the difference between natural restricted and biased variance and randomness.

          You're the target audience here: the people who think that this "sounds incredibly easy" will be the first to have their bots blocked. Yeah it'll be worked around, but the bar is raised in the meantime.

          You're not wrong. But the same data that describes what is and isn't human input can be used to create activity that matches that data. If Cloudflare has gathered the information, someone else can as well.

          This mirrors the spam arms-race that started a couple decades ago.

      • by higuita ( 129722 )

        yes, but humans aren't random... so linear speed is a bot, totally random is a bot. Add that info from multiple inputs like cloudflare is doing and probably can guess within a error margin if it is a bot or a human... hey, even if it fails to detect 50% of the bots, it is already 50% less traffic arriving to a site.
        Sadly there is no way to detect 100% of the bots/humans, but every hint helps.
        Of course, people using bots could be much nicer and use correct user-agents to identify thyself and allow sites to

      • Sounds incredibly easy for bots to add some randomness to its movements and typing speed.

        Sure, but are bots still economically feasible if they run as slow as humans?

    • by Misagon ( 1135 )

      We all know that a mouse moving in a perfectly straight line means a machine is controlling it [...]

      Unless your mouse has angle snapping or is a wireless mouse and there is movement lag because of interference.

  • by 93 Escort Wagon ( 326346 ) on Monday July 13, 2026 @02:23PM (#66236588)

    Safari and Firefox would likely block this, given it's a third party JavaScript tool.

    • Block Cloudflare, maybe? But if I re call correctly I am starting to see sites that won't render until you unblock Cloudflare
      • Re: (Score:3, Insightful)

        Pretty much all of the "useful" internet is going though cloudflare these days. The whole platform just a massive CIA/NSA/FBI MITM attack.
    • by higuita ( 129722 )

      you know that these features already exist in javascript and are commonly used to monitor user behavior, either for ads or for study how you interact with sites?!

      https://developer.mozilla.org/... [mozilla.org]

      the only difference here is that this is being used to check for bots and cloudflare announced it... most other companies use this and do not announce it

    • It would run on any modern browser that runs javascript because it's just a JavaScript script that monitors everything you're doing. It's also nothing new browser fingerprinting has been around for ages and is used by basically any website of any size to try and catch bots.

      I'm actually a little surprised they didn't already have a fingerprinting product.
      • I suspect GP's point is that every malware blocker in every browser is likely to treat this kind of script as hostile, except for Chrome because Google are currently nerfing the ability for blockers to intercept hostile scripts in one of the most blatantly user-hostile changes they've ever made.

        If Apple play along with Safari then every other browser and its malware blocking plugins are about to be toast in a huge retrograde step for Internet privacy. But not even Cloudflare is going to get away with blocki

        • Did anyone mention recently that simultaneously controlling both the most popular web browser and several of the most popular ad-supported web properties might be a little anticompetitive, and that it's about time that Google was broken up? It's probably time for that drum to start beating a bit louder again.

          I remember when Microsoft got hit with an anti-trust suit because they bundled the browser with the OS. Here in 2026 Google owns the browser, the OS and the search engine. If you're on a chromebook or a Pixel they also control the hardware. Why is this allowed?

    • by ls671 ( 1122017 )

      Safari and Firefox would likely block this, given it's a third party JavaScript tool.

      I am not sure it would be considered a "third party JavaScript tool". Once you gave the key to your domain to cloudflare, the domain resolves to a cloudflare IP and cloudflare act as a reverse proxy contacting to your site thus enabling them to inject any javascript without being viewed as third party.

  • The thing about computers is they can use machine learning until they generate randomness algorithms that work.

  • I understand the advertisement industry had been engaging in this, to help identify your typing cadence, mouse move, etc. This is something I read a long time ago, so the technique is not new; and I can only imagine what else they can infer from this data.

  • And it always flags me as a bot because I type too damned fast. Or click to fast.

    • by HiThere ( 15173 )

      It also seems calculated to discriminate against handicapped folks that need mechanized assistance...but I may be wrong.

      • by ebunga ( 95613 )

        You're almost certainly not wrong. And if they can find a way to block women by accident they'll probably do that too.

  • Cloudflare has launched Precursor, a new behavioral bot detection system that monitors mouse movement, typing cadence, scrolling, clipboard activity, page visibility, and other signals across an entire browsing session.

    Nothing nefarious here, no potential for abuse, move along, move along.

  • So what about people that don't use the mouse but use touchscreens?

    • by higuita ( 129722 )

      it is the same, you press a random place in the area, not a exactly the center pixel.
      when you type, you also have a distinct timing, not a constant speed
       

  • by kyoko21 ( 198413 ) on Monday July 13, 2026 @03:46PM (#66236800)

    How does it interact with 508 and accessibility type devices/software like JAWS and other screen readers?

  • You have been deemed a non-person because you are not random enough for us. Your death certificate should arrive in the mail within two weeks.

  • At this point, webmasters should accept very short lived client TLS keys signed by neutral third parties who take care of the proof of humanity on their behalf. Since security requirements for most websites are low, even places like libraries could issue them if needs be, and webmasters could choose how many or how few authorities they trust. The standard could be used creatively such that Valid To field is used purely as an limiter for initiating trust for the first time, providing convenience to users whi
  • I will then use similar tools in my nefarious scripts to pretend that they are human.
  • I bet I can write a client that matches exactly the intended behaviour.

    If it's in software, it can be emulated.
    If it is not, it can be emulated anyway.

    The problem is the server-side, not the client.

He's like a function -- he returns a value, in the form of his opinion. It's up to you to cast it into a void or not. -- Phil Lapsley

Working...