CONCEPT Cited by 1 source
# Identity vs behavior proof
Identity proof and behavior proof are two distinct answers to the question "should I trust this request?". Cloudflare's 2026-04-21 post argues that most web-protection decisions care about behavior, not identity, and that the dominant deployment pattern (fingerprinting + IP heuristics) conflates the two to the detriment of both privacy and mitigation.
## The two proofs
| Question | Identity proof | Behavior proof |
|---|---|---|
| Who is this? | Answers | Does not answer |
| Did this client pass check X? | Partially (via reputation lookup) | Answers |
| Is this client over rate limit? | Only if identity is persistent and authoritative | Answers (via the rate-limit credential itself) |
| Can multiple presentations be correlated? | Yes (identifier is stable) | No, if unlinkable |
| Privacy cost | High (persistent identifier) | Low (scoped, unlinkable) |
Identity proof says "I am user X, registered with IdP Y." Behavior proof says "I passed check Z, administered by attester W." The origin usually doesn't need the first; it needs the second.
## Why the distinction matters
Most access-control questions at the Web edge reduce to behavior questions:
- Is this attack traffic? — behavior.
- Is this crawler's load proportional to the attribution it returns? — behavior.
- Are ads being gamed? — behavior.
- Do I expect this user to connect from this new country? — behavior (with a side of identity).
Asking "who are you" as a proxy for behavior is wasteful: it creates persistent identifiers that become fingerprinting vectors and cross-site correlation keys, while the actual decision (allow / deny / rate limit) doesn't require identity at all.
The post's framing:
"What we discuss with the term 'bots' is really two stories. ... The [second] is the emergence of new clients that do not embed the same behaviors as web browsers historically did, which matters for systems such as private rate limit."
The second story — which motivates Privacy Pass and its successors — is entirely about behavior, not identity.
## What "behavior proof" looks like
- Rate-limit not exceeded — presented via an ARC token.
- Good history with service — presented via an ACT token ("I have good history with this service" without "I am this user").
- Passed a CAPTCHA in the last hour — presented via a classic Privacy Pass token.
- Not on an abuse blocklist — expressible as a negative attribute credential.
All of these are anonymous credentials — the client proves the attribute without revealing identity. Unlinkability (concepts/unlinkability) is what makes them safe to deploy at Web scale.
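As an added illustration (not Cloudflare's code, and not the real ARC, ACT or Privacy Pass constructions), a toy RSA blind-signature token in Python: the issuer certifies that a check was passed without ever seeing the value the origin later receives, so the token carries the attribute but no identity. It assumes deliberately tiny hardcoded primes so the arithmetic runs without a key generator; the names `client_blind`, `issuer_sign`, `origin_verify` and the attribute string `captcha-passed` are invented for the example.

```python
import hashlib
import secrets
from math import gcd

# Toy issuer key: two Mersenne primes, far too small for real use but enough
# to run the arithmetic instantly without a key generator.
P, Q = (1 << 61) - 1, (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # gcd(E, phi) == 1 for these primes

def token_hash(attribute: str, nonce: bytes) -> int:
    """Map (attribute, nonce) to an integer mod N. The token names a check
    that was passed ("captcha-passed"), never a user."""
    digest = hashlib.sha256(attribute.encode() + nonce).digest()
    return int.from_bytes(digest, "big") % N

def client_blind(attribute: str):
    """Client side of issuance: fresh nonce, random blinding factor r."""
    nonce = secrets.token_bytes(16)
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    blinded = (token_hash(attribute, nonce) * pow(r, E, N)) % N
    return nonce, r, blinded

def issuer_sign(blinded: int) -> int:
    """Issuer signs after its check succeeds; it sees only the blinded value."""
    return pow(blinded, D, N)

def client_unblind(blind_sig: int, r: int) -> int:
    return (blind_sig * pow(r, -1, N)) % N

def origin_verify(attribute: str, nonce: bytes, sig: int) -> bool:
    """Origin checks the behavior claim with the issuer's public key only."""
    return pow(sig, E, N) == token_hash(attribute, nonce)

def run_protocol(attribute: str = "captcha-passed") -> dict:
    nonce, r, blinded = client_blind(attribute)
    blind_sig = issuer_sign(blinded)
    sig = client_unblind(blind_sig, r)
    return {
        "verified": origin_verify(attribute, nonce, sig),
        # The same signature does not certify a stronger attribute.
        "forged_verifies": origin_verify("device-attested", nonce, sig),
        # What the issuer logged differs from what the origin sees, so the
        # two presentations cannot be joined into an identity.
        "issuer_view_linkable": blinded in (sig, token_hash(attribute, nonce)),
    }
```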
## Why identity-first schemes undermine the open Web
If every origin demands identity proof before serving content, the Web bifurcates:
- Content moves behind required-login walls (killing the ad-supported free-tier model).
- Access becomes tied to stable identifiers (Apple ID, Google account, phone number).
- Non-mainstream platforms lose access — the post's open-Web guardrail explicitly flags this risk.
Behavior proofs, by contrast, preserve the diversity of the client side: a client without device attestation can still present behavior proofs if an appropriate issuer is willing to mint them based on challenge-solving or on reputation from other sources.
## The trap: behavior proofs that drift into identity proofs
The post warns that "infrastructure for proving any attribute is infrastructure for requiring any attribute." The same cryptographic machinery that proves "I solved a CAPTCHA" can prove "I have device attestation from manufacturer X" — and a requirement for the latter turns a behavior-proof system into an identity-proof system by the back door.
The defense is governance-level: patterns/open-issuer-ecosystem + the open-Web guardrail ("anyone should be able to build their own device / browser / OS and access the Web"). No single gatekeeper, no single required attribute.
## Seen in
- sources/2026-04-21-cloudflare-moving-past-bots-vs-humans — canonical articulation; the entire post is an argument for treating behavior proof (via anonymous credentials) as the primary primitive and identity proof as a special case only for the small identifiable-infrastructure population.
## Related
- concepts/anonymous-credential — the primitive class that instantiates behavior proof.
- concepts/unlinkability — the property that makes behavior proofs non-identifying.
- concepts/bot-vs-human-frame — why the species question was never the right one.
- concepts/fingerprinting-vector — what happens when "identity inference" replaces behavior proof.
- patterns/anonymous-attribute-proof — the displacement pattern.