Cloudflare Turnstile is another alternative to Google reCAPTCHA that aims to give the end user a more privacy-friendly experience. As we stated years ago in our article, Google reCAPTCHA holds a 98% share of the Captcha market while being less than compliant with the GDPR and other privacy laws.
Alternatives such as Friendly Captcha or hCaptcha also focus on handling data transparently and minimizing the impact on the end user’s privacy.
The ‘problem’ with automated captcha challenges, unlike text-based or math-based challenges, is that behavioral data about the end user, your website visitor, is collected to differentiate between a bot and a human, which raises privacy concerns.
Cloudflare Turnstile and Privacy Access Tokens
Cloudflare’s main aim is to use a local, device-oriented challenge that removes the need to challenge the end user directly and to collect and process data on a Cloudflare server.
This is done with so-called privacy access tokens, a combined effort with Apple. Instead of collecting user agents, browser statistics and the like to recognize the device and build a challenge from the response, the browser or app asks Apple to validate the iPhone or other device on which the action takes place.
This approach tends to be adopted quickly once the more prominent manufacturers conform to a new standard. Currently, however, Turnstile privacy access tokens should work with upcoming versions of iOS and macOS, but otherwise fall back to the default approach: an API call to Cloudflare.
Cloudflare labels the latter ‘privacy preserving’, yet it suffers from a privacy issue similar to that of the Google Fonts API.
Blocking Cloudflare Turnstile
To block Cloudflare Turnstile, our example uses the following conditions:
- Client-side rendering https://developers.cloudflare.com/turnstile/get-started/client-side-rendering/
- Implicitly render turnstile (Default)
For privacy, we recommend client-side rendering in most cases, because a server-side or cookieless approach greatly diminishes the end user’s control over their privacy.
Block the API call in our Script Center.
You must block the API call to ‘https://challenges.cloudflare.com/turnstile/v0/api.js’. You can simply add ‘turnstile’ to the Script Center as the URL to be blocked before consent.
You can choose either marketing or statistics as the category; our current research does not suggest that this data is used for marketing, so statistics should suffice. An explicit example of these statistics can be found in the Cloudflare dashboard.
This integration will remove the widget altogether. When integrating with a form, you will need a placeholder so people know there is a challenge that is blocked before consent. Use this HTML to add a placeholder to your form.
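As an added illustration (not the article’s own HTML or the Script Center’s code), the snippet below shows one way to keep the Turnstile loader inert until statistics consent is given and to show a placeholder in the form until then; the markup in the comment, the `consent-updated` event and the `{ statistics: true }` consent object are assumptions, not a vendor API.

```javascript
// Added example, not code from the original article or its Script Center. It is a
// stand-alone consent gate for the Turnstile loader: the script is shipped as
// type="text/plain" with the real URL in data-src so the browser never fetches
// it before consent. The form markup it expects is an assumption:
//   <div class="cf-turnstile" data-sitekey="YOUR_SITE_KEY" hidden></div>
//   <p class="cf-turnstile-placeholder">A Cloudflare Turnstile challenge protects
//      this form; it loads only after you accept statistics cookies.</p>
//   <script type="text/plain"
//           data-src="https://challenges.cloudflare.com/turnstile/v0/api.js"></script>
const TURNSTILE_API = 'https://challenges.cloudflare.com/turnstile/v0/api.js';
// The article's Script Center rule: a URL containing "turnstile" is a statistics
// script. Returns the consent category it needs, or null when the URL is not gated.
function requiredCategory(url) {
  return /turnstile/i.test(url) ? 'statistics' : null;
}

function mayLoad(url, consent) {
  const category = requiredCategory(url);
  return category === null || consent?.[category] === true;
}

// Activate the blocked loader once the visitor has consented and swap the
// placeholder for the widget container (implicit rendering picks up .cf-turnstile
// as soon as api.js runs). A <script> parsed as text/plain never executes if only
// its type is changed, so a fresh element is inserted in its place.
// Returns the number of loaders activated (0 when consent is still missing).
function activateBlockedScripts(doc, consent) {
  let activated = 0;
  const blocked = doc.querySelectorAll('script[type="text/plain"][data-src*="turnstile"]');
  for (const inert of blocked) {
    const url = inert.dataset.src;
    if (!mayLoad(url, consent)) continue;            // still blocked: leave inert
    const live = doc.createElement('script');
    live.src = url;
    live.async = true;
    inert.replaceWith(live);
    activated += 1;
  }
  if (activated > 0) {
    for (const el of doc.querySelectorAll('.cf-turnstile')) el.hidden = false;
    for (const el of doc.querySelectorAll('.cf-turnstile-placeholder')) el.hidden = true;
  }
  return activated;
}

// Browser wiring (skipped under Node). The "consent-updated" event carrying a
// { statistics: true } detail is a hypothetical hook for your consent manager.
if (typeof document !== 'undefined') {
  window.addEventListener('consent-updated', (e) => activateBlockedScripts(document, e.detail));
}
```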