Blocking Cloudflare Turnstile

Cloudflare Turnstile is another alternative to Google reCaptcha that aims to create a more privacy-friendly experience for the end user. As stated years ago in our article, Google reCaptcha has monopolized the Captcha market share by 98% while being less than conformant with GDPR and other privacy laws.

The alternatives, for example, Friendly Captcha or hCaptcha, also focus on handling data transparently and minimizing the impact on the end-users privacy.

The ‘problem’ with automated captcha challenges, contrary to text-based or math-based challenges, is that the behavioral data of the end-user, your website visitor, is collected to differentiate between a Bot and a Human, causing privacy concerns.

Cloudflare Turnstile and Privacy Access Tokens

Cloudflare’s main aim is to use a local, device-oriented challenge that removes the need to challenge the end-user and collect and process data on a Cloudflare server. 

This is done with so-called privacy access tokens, a combined effort with Apple. The browser or app will ask Apple to validate the iPhone or other device where the actions occur instead of collecting user agents, and browser statistics, e.g., to recognize the device and create a challenge based on the response.

This approach gives way to a generally quick adoption when the more prominent manufacturers conform to a new standard. Currently, however, Turnstile privacy access tokens should work with upcoming versions on iOS and MacOS but will default to a more default approach with an API call to Cloudflare.

The latter is labeled by Cloudflare as ‘privacy preserving’ and suffers a similar privacy issue as the Google Fonts API.

Blocking Cloudflare Turnstile

To block Cloudflare Turnstile, our example uses the following conditions;

We recommend client-side rendering for most cases for privacy because server-side or a cookieless approach will diminish privacy control greatly for the end-user.

Block the API call in our Script Center.

You must block the API call from ‘https://challenges.cloudflare.com/turnstile/v0/api.js’ – You can easily add ‘turnstile’ to the script center as the URL is to be blocked before consent.

You can choose either marketing or statistics as category; our current research does not suggest that this data is used for Marketing, so statistics should suffice. An explicit example of Statistics can be found in the Cloudflare dashboard.

A Placeholder

This integration will remove the widget altogether. When integrating with a form, you will need a placeholder, so people know there’s a challenge that is blocked before consent. Use this HTML to add a placeholder to your form.

See the Pen
Untitled
by Aert (@Aert)
on CodePen.

Join 1M+ users and install The Privacy Suite for WordPress locally, automated or fully customized, and access our awesome support if you need any help!

Complianz has received its Google CMP Certification to conform to requirements for publishers using Google advertising products.