Every Keystroke, Every Pixel: Inside ChatGPT's Hidden Cloudflare Surveillance Machine

A security researcher decrypted 377 Cloudflare Turnstile programs embedded inside ChatGPT. What he found goes far beyond bot detection - it is a three-layer fingerprinting engine that reads your GPU, monitors your keystrokes, and inspects the React application state running in your browser. The encryption protecting it? XOR with a key sitting in the same data stream.

By PRISM Bureau • March 30, 2026 • 12 min read
Sources: Buchodi Research, Cloudflare Documentation, Hacker News, OpenAI Terms of Service, EFF, W3C Specifications
Every message you type into ChatGPT triggers a silent program that fingerprints your browser, your hardware, and the application itself. Photo: Unsplash

You open ChatGPT. You type a message. Before that message leaves your keyboard, a program you never consented to has already read your GPU model, measured your screen dimensions down to the sub-pixel level, catalogued your installed fonts, checked your device memory, interrogated your browser's WebGL extensions, recorded the city your ISP routes through, and confirmed that the React application powering ChatGPT has fully loaded and hydrated in your browser tab.

This is not a conspiracy theory. It is not speculation. A security researcher who goes by the handle Buchodi decrypted 377 of these programs from live network traffic, documented every one of the 55 properties they collect, mapped the 28 opcodes of their custom virtual machine, and published the methodology for anyone to verify. The success rate: 377 out of 377 decrypted. One hundred percent.

The system is Cloudflare Turnstile, the "privacy-preserving" alternative to CAPTCHAs that Cloudflare markets as invisible and user-friendly. But what Buchodi's research reveals is that "invisible" does not mean "harmless." It means you cannot see what it is doing. And what it is doing is far more invasive than asking you to click on traffic lights.

The Three Layers of Silent Fingerprinting

Turnstile's fingerprinting operates across three distinct layers, from hardware to network to application state. Photo: Unsplash

The Turnstile program that runs inside ChatGPT is not a simple bot check. Buchodi's decryption revealed a three-layer architecture that builds a comprehensive portrait of the user's environment. Every one of the 377 decrypted programs collected exactly the same 55 properties. No variation. No randomization of what gets checked. The same 55 things, every single time.

Layer One: Your Hardware

The first layer is a deep hardware fingerprint. Turnstile reads eight WebGL properties including your GPU's unmasked vendor and renderer strings - data that can uniquely identify your graphics card down to the driver version. It checks eight screen properties: color depth, pixel depth, width, height, available width, available height, and the available left and top offsets. It pulls five hardware identifiers: the number of CPU cores (hardwareConcurrency), total device memory, maximum touch points, platform string, and browser vendor.

Then it gets creative. The program creates a hidden HTML element, sets a specific font, measures the rendered text dimensions using getBoundingClientRect, and removes the element. This font measurement technique has been used in browser fingerprinting for over a decade, but most users have never heard of it. The combination of which fonts render at which pixel dimensions creates a signature that can distinguish your machine from millions of others.

It also probes eight DOM properties related to element creation and manipulation, and five storage-related properties including writing a fingerprint value to localStorage under a specific hex key (6f376b6560133c2c) for persistence across page loads. That means Turnstile does not just fingerprint you once. It stores that fingerprint in your browser so it can recognize you next time.

Layer Two: Your Network

The second layer uses Cloudflare's privileged position as the network intermediary. Five properties are injected server-side by Cloudflare's edge servers: your city (cfIpCity), your latitude and longitude (cfIpLatitude, cfIpLongitude), your connecting IP address (cfConnectingIp), and your region (userRegion).

These are not properties the browser reports. They are properties that only exist because your traffic passes through Cloudflare's infrastructure. A bot making direct requests to the origin server, or running behind a non-Cloudflare proxy, produces missing or inconsistent values. This is Cloudflare using its position as a network gatekeeper to enhance fingerprinting in ways that would be impossible for a normal JavaScript program.

Layer Three: Your Application State

The third layer is the one that made security researchers sit up. Turnstile reads three React internal properties: __reactRouterContext, loaderData, and clientBootstrap.

These are not standard browser APIs. __reactRouterContext is an internal data structure that React Router v6+ attaches to the DOM. loaderData contains route loader results. clientBootstrap is specific to ChatGPT's server-side rendering hydration process. These properties only exist if the ChatGPT React application has fully rendered and hydrated in the browser.

This means Turnstile is not just checking whether you are a real browser. It is checking whether you are a real browser that has fully booted a specific React application. A headless browser that loads the HTML but does not execute the JavaScript bundle will not have these properties. A bot framework that stubs out browser APIs but does not actually run React will not have them.

"This is bot detection at the application layer, not the browser layer." - Buchodi's research report

The implications are significant. Cloudflare has effectively created a system where bot detection is fused with application-level surveillance. The boundary between "is this a real user" and "what is this user doing inside the application" has been erased.

The Encryption Theater

The Turnstile bytecode arrives encrypted with XOR, but the decryption key sits in the same HTTP response. Photo: Unsplash

Cloudflare encrypts the Turnstile bytecode. The server sends a field called turnstile.dx in the prepare response: 28,000 characters of base64 that change on every request. This sounds secure. It is not.

The outer layer is XOR'd with the p token from the prepare request. Both the encrypted payload and its decryption key travel in the same HTTP exchange. Decrypting it requires nothing beyond reading the request and response:

import base64, json

raw = base64.b64decode(dx)      # turnstile.dx from the prepare response
key = p_token.encode()          # p token from the prepare request
outer = json.loads(bytes(
  raw[i] ^ key[i % len(key)]
  for i in range(len(raw))
))
# Result: 89 VM instructions

Inside those 89 instructions sits a 19-kilobyte encrypted blob containing the actual fingerprinting program. This inner blob uses a different XOR key. At first glance, this second layer of encryption looks more serious. But Buchodi found the key embedded as a float literal in the bytecode instructions themselves:

[41.02, 0.3, 22.58, 12.96, 97.35]
# The last argument, 97.35, is the XOR key

Buchodi verified this across 50 requests. Every time, the float from the instruction decrypted the inner blob to valid JSON. Fifty out of fifty. The "encryption" is XOR with a key that travels alongside the ciphertext. It prevents casual inspection. It does not prevent analysis.

The full decryption chain requires nothing beyond the HTTP request and response. No reverse engineering of compiled binaries. No breaking of cryptographic primitives. No access to Cloudflare's servers. Just reading the data that your own browser receives.
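The two-layer chain described above, as an added worked example in Python (it is not Buchodi's code or Cloudflare's): it builds a constructed dx-shaped payload, strips the outer XOR with the p token, then recovers the inner program by trying each float literal in the instructions as the key and keeping the one that yields valid JSON, the same check Buchodi's 50-request verification relied on. The page does not say how the float 97.35 is turned into key bytes, so the float's decimal text is assumed here as a stand-in; the token, payload and property names are constructed.

```python
import base64
import json

# Constructed sample data. Real turnstile.dx payloads are ~28,000 base64
# characters and the inner blob ~19 KB, per the article; these are tiny.
P_TOKEN = "constructed-p-token"
INNER_KEY_FLOAT = 97.35  # the float literal the article reports as the inner key


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` against a repeating `key`. XOR is its own inverse, so the
    same call both produces and removes the obfuscation layer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def key_bytes_from_float(value: float) -> bytes:
    # Assumption: the article does not state how the float becomes key bytes;
    # the decimal text of the float is used here purely as a stand-in.
    return repr(value).encode()


def decrypt_outer(dx_b64: str, p_token: str) -> list:
    """Outer layer: base64-decode turnstile.dx and XOR it with the p token
    that travelled in the same HTTP exchange."""
    return json.loads(xor_bytes(base64.b64decode(dx_b64), p_token.encode()))


def recover_inner(inner_b64: str, instructions: list) -> tuple:
    """Inner layer: every float literal in the VM instructions is a key
    candidate. Return (key, program) for the first one whose XOR output is
    a JSON object, or (None, None) if none parses."""
    blob = base64.b64decode(inner_b64)
    candidates = {f for ins in instructions for f in ins if isinstance(f, float)}
    for f in sorted(candidates):
        try:
            program = json.loads(xor_bytes(blob, key_bytes_from_float(f)))
        except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
            continue
        if isinstance(program, dict):
            return f, program
    return None, None


def build_sample_dx() -> str:
    """Construct a payload in the shape the article describes: an outer
    instruction list that carries both the XOR'd inner program and, as a
    float literal in one instruction, the key that unlocks it."""
    inner_program = {
        "collect": ["webgl.unmaskedRenderer", "screen.colorDepth",
                    "navigator.hardwareConcurrency"],  # constructed names
        "count": 55,
    }
    inner_blob = xor_bytes(json.dumps(inner_program).encode(),
                           key_bytes_from_float(INNER_KEY_FLOAT))
    outer = [
        [41.02, 0.3, 22.58, 12.96, INNER_KEY_FLOAT],       # carries the key
        {"blob": base64.b64encode(inner_blob).decode()},   # carries the ciphertext
        [96.05, 3.99, 3.99],
    ]
    outer_bytes = xor_bytes(json.dumps(outer).encode(), P_TOKEN.encode())
    return base64.b64encode(outer_bytes).decode()


def full_chain(dx_b64: str, p_token: str) -> dict:
    """Run both layers using only what the request and response contain."""
    outer = decrypt_outer(dx_b64, p_token)
    instructions = [ins for ins in outer if isinstance(ins, list)]
    inner_b64 = next(ins["blob"] for ins in outer if isinstance(ins, dict))
    key, program = recover_inner(inner_b64, instructions)
    return {"outer_instructions": len(instructions),
            "inner_key": key, "program": program}


if __name__ == "__main__":
    print(json.dumps(full_chain(build_sample_dx(), P_TOKEN), indent=2))
```

Because no key material lives outside the exchange, the same loop works against any capture of one's own traffic; swapping the XOR for a proper AEAD with a key the client never sees is what separating obfuscation from encryption would require.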

This raises an uncomfortable question: who is this encryption protecting the data from? Not from sophisticated attackers, who can trivially decrypt it. Not from nation-state actors, who have far more powerful tools. The encryption protects the fingerprinting from you - the user whose browser is being fingerprinted. It is obfuscation dressed as security, designed to prevent exactly the kind of casual inspection that would let ordinary people understand what is running in their browsers.

The Behavioral Biometric Layer

Beyond fingerprinting, a separate signal orchestrator monitors keystroke timing, mouse velocity, scroll patterns, and paste events. Photo: Unsplash

Turnstile's fingerprinting is only one of three challenge systems running simultaneously inside ChatGPT. The second is what Buchodi calls the Signal Orchestrator, and it is arguably more invasive than the fingerprint itself.

The Signal Orchestrator is a 271-instruction program that installs event listeners for six interaction types: keydown, pointermove, click, scroll, paste, and wheel. It monitors 36 window properties (prefixed __oai_so_*) that track:

This is a behavioral biometric system running continuously underneath the fingerprint. It does not just identify your hardware. It identifies how you use your hardware. The distinction matters: hardware fingerprints can be spoofed by changing your browser configuration or using a VM. Behavioral biometrics track the human behind the machine.

The third challenge is a proof-of-work system. It collects a 25-field fingerprint and requires a SHA-256 hashcash computation. The difficulty is uniformly random between 400,000 and 500,000, with 72% of solves completing in under 5 milliseconds. The PoW includes seven binary detection flags with names like "ai," "createPRNG," "cache," "solana," "dump," "InstallTrigger," and "data." All seven were zero across 100% of Buchodi's 100-sample test. The proof-of-work adds compute cost but is not the real defense - it is a supplementary signal.

Why "Bot Detection" Is Not the Full Story

The line between bot detection and user surveillance blurs when fingerprinting reaches into application state. Photo: Unsplash

Cloudflare's official marketing positions Turnstile as a privacy-respecting bot detection service. Their documentation claims it "doesn't look for human behaviors like mouse movements" and "never gathers browsing data, tracks users, or fingerprints visitors." Buchodi's findings directly contradict these claims.

The Signal Orchestrator explicitly monitors mouse movements (pointermove), keystroke patterns (keydown), and scroll behavior. The fingerprint explicitly includes hardware identifiers, screen dimensions, font measurements, and storage writes that persist across sessions. If writing a unique identifier to localStorage and reading GPU vendor strings does not constitute fingerprinting, the word has lost its meaning.

But the deeper issue is not whether Cloudflare's marketing is accurate. It is what happens when infrastructure companies become the default gatekeepers of the internet. Cloudflare sits in the path of an estimated 19% to 30% of all web traffic. Its services are embedded in millions of websites. When Cloudflare deploys a fingerprinting system, it does not affect one website. It potentially affects a significant fraction of the internet.

The Electronic Frontier Foundation has raised concerns about centralized infrastructure providers having outsized surveillance capabilities for years. In a 2023 report, the EFF noted that Cloudflare's position as a reverse proxy gives it the technical ability to inspect, modify, or log traffic for a substantial portion of the web. What Buchodi's research shows is that this capability is not theoretical. It is actively deployed, running in production, and collecting 55 data points from every user of the world's most popular AI chatbot.

OpenAI's ChatGPT has over 400 million weekly active users as of early 2026. Every one of those users triggers the Turnstile program with every message. That is potentially billions of fingerprints per week, each containing GPU models, screen dimensions, network locations, keystroke timing patterns, and application state data.

The Custom Virtual Machine

Turnstile runs on a custom 28-opcode virtual machine with randomized register addresses that change per request. Photo: Unsplash

The fingerprinting programs do not run as normal JavaScript. They execute inside a custom virtual machine embedded in Cloudflare's Turnstile SDK (sdk.js, 1,411 lines after deobfuscation). This VM uses 28 opcodes including ADD, XOR, CALL, BTOA, RESOLVE, BIND_METHOD, and JSON_STRINGIFY.

Each request generates a new program with randomized float register addresses. The instruction [96.05, 3.99, 3.99] in one request might mean JSON.stringify, while the same operation uses completely different addresses in the next request. This polymorphism makes static analysis difficult - you cannot write a simple signature to detect what the program does because the program looks different every time.

Buchodi mapped the opcodes from the SDK source and found that the programs ranged from 417 to 580 instructions, with a mean of 480. Despite the varying instruction counts, all 377 decrypted programs collected the same 55 properties. The randomization is cosmetic - the functionality is identical.

The exit sequence of every program follows the same four-instruction pattern:

[96.05, 3.99, 3.99],  // JSON.stringify(fingerprint)
[22.58, 46.15, 57.34], // store
[33.34, 3.99, 74.43],  // XOR(json, key)
[1.51, 56.88, 3.99]    // RESOLVE - becomes the token

The fingerprint is serialized to JSON, encrypted with another XOR key, and resolved back to the parent context. The result becomes the OpenAI-Sentinel-Turnstile-Token header sent with every conversation request. Every message you send to ChatGPT carries your hardware fingerprint, behavioral biometric profile, and application state verification, encrypted with XOR and transmitted to OpenAI's servers via Cloudflare.

The custom VM approach is itself noteworthy. Building a bytecode interpreter for fingerprinting scripts is expensive to develop and maintain. Cloudflare chose this architecture deliberately because it makes the fingerprinting resistant to browser extensions, content security policies, and ad blockers that operate at the JavaScript level. The VM executes within the browser's JavaScript engine but its instructions are opaque to tools designed to monitor JavaScript execution.

Who Holds the Keys

The token flows from your browser to OpenAI via Cloudflare, but the privacy boundary is a policy decision, not a cryptographic one. Photo: Unsplash

The XOR key for the inner program is a server-generated float embedded in the bytecode. Whoever generated the turnstile.dx payload knows the key. In this case, that is Cloudflare. But the token is sent to OpenAI as a header with every API request. Can OpenAI read it?

Buchodi's analysis is precise on this point: "The privacy boundary between the user and the system operator is a policy decision, not a cryptographic one." The obfuscation serves real operational purposes - it hides the fingerprint checklist from static analysis, prevents the website operator from trivially reading raw fingerprint values, makes each token unique to prevent replay, and allows Cloudflare to change what the program checks without anyone noticing.

But "prevents the website operator from trivially reading" is doing a lot of heavy lifting. Buchodi decrypted all 377 programs using only the HTTP request and response data. OpenAI, as the customer deploying Turnstile, has access to the same data plus their contractual relationship with Cloudflare. The question of whether OpenAI can or does read the fingerprint data inside the tokens is not answered by the encryption. It is answered by whatever agreement OpenAI and Cloudflare have signed, and neither company has disclosed the terms.

This matters because OpenAI's privacy policy already permits broad data collection. The company collects "information about your device, such as device type, operating system, unique device identifiers, device settings, and network information." The Turnstile fingerprint contains a superset of this information. If OpenAI can access it - and the "encryption" does not prevent them from doing so - then the Turnstile data substantially expands OpenAI's surveillance capabilities beyond what their own application collects.

There is also the question of Cloudflare's obligations. As of early 2026, Cloudflare processes data from approximately 57 million HTTP requests per second. Their privacy policy permits processing personal data for security purposes, fraud detection, and service improvement. The Turnstile tokens from ChatGPT - containing behavioral biometrics, hardware fingerprints, and geolocation data - flow through Cloudflare's infrastructure before reaching OpenAI. Whether Cloudflare retains, aggregates, or analyzes this data is governed by their terms of service, not by any technical limitation.

The Consent Problem

More than 400 million weekly ChatGPT users trigger this fingerprinting system. Almost none know it exists. Photo: Unsplash

When you visit ChatGPT, you are not presented with a consent dialog for Cloudflare Turnstile. There is no banner explaining that a program will measure your GPU, read your screen dimensions, time your keystrokes, track your mouse velocity, write identifiers to your localStorage, check your geolocation via Cloudflare's edge network, and verify that you are running the ChatGPT React application.

OpenAI's terms of service reference the use of third-party services for security and fraud detection. Cloudflare's documentation describes Turnstile as a "smart CAPTCHA alternative." Neither adequately describes what Buchodi found actually running in users' browsers.

Under the European Union's General Data Protection Regulation (GDPR), processing personal data requires a lawful basis. The most commonly cited basis for security measures is "legitimate interest." But the GDPR requires that legitimate interest be balanced against the data subject's rights and expectations. A user who expects a simple bot check might not expect a system that fingerprints their GPU, tracks their keystroke timing, and persists identifiers in localStorage.

The ePrivacy Directive adds another layer. Writing data to a user's browser storage (as Turnstile does with its localStorage fingerprint) generally requires consent unless it is "strictly necessary" for providing the service requested by the user. Bot detection might qualify as strictly necessary. Behavioral biometric profiling is a harder sell.

In practice, enforcement of these provisions against major tech companies and infrastructure providers has been slow and inconsistent. The Irish Data Protection Commission, which has jurisdiction over many US tech companies' European operations, has faced criticism for its pace of enforcement. A formal complaint about Cloudflare's Turnstile practices would likely take years to resolve, by which time the technology will have evolved beyond whatever the complaint described.

The US has no comprehensive federal privacy law equivalent to the GDPR, though state-level legislation like the California Consumer Privacy Act (CCPA) provides some protections. Under the CCPA, consumers have the right to know what personal information is collected about them and to opt out of its sale. Whether Turnstile fingerprints constitute "personal information" under the CCPA - and whether OpenAI's use of Cloudflare constitutes a "sale" - are questions that have not been tested in court.

The Broader Pattern: Infrastructure as Surveillance

When infrastructure companies become surveillance platforms, the entire internet's trust model shifts. Photo: Unsplash

Cloudflare's Turnstile is not an isolated case. It represents a broader pattern where infrastructure companies leverage their privileged network position to extract data that would be impossible for application-level tools to collect.

Consider the architecture. A normal website can fingerprint your browser using JavaScript. It can check your screen size, probe your fonts, read your WebGL renderer. But it cannot inject server-side geolocation data into the fingerprint, because it does not sit between you and the server. It cannot verify that you are specifically running their React application at the framework level, because standard bot detection operates at the browser level.

Cloudflare can do all of these things because it is not a normal website. It is a reverse proxy. Your traffic passes through Cloudflare before it reaches OpenAI. That position - what network engineers call a "man in the middle," though Cloudflare would prefer a friendlier term - gives Cloudflare capabilities that no client-side script could match.

This is infrastructure leverage. The same dynamic plays out across the modern web. Content delivery networks see what content is requested. DNS providers see what domains are resolved. Certificate authorities see what connections are established. Cloud hosting providers see what data is processed. Each of these infrastructure layers has a trust relationship with end users that is qualitatively different from the trust relationship with an application.

When you visit ChatGPT, you make an explicit choice to interact with OpenAI. You may or may not read their privacy policy, but you are at least aware that you are using their service. Your interaction with Cloudflare is invisible. You did not choose Cloudflare. You may not know Cloudflare exists. Yet Cloudflare collects 55 data points from your browser, including behavioral biometrics that can identify you as an individual.

The Cognitive Dark Forest essay by Ryelang, trending alongside Buchodi's research on Hacker News, articulates a related anxiety. The author argues that as AI platforms become the default interface for creative and technical work, every prompt becomes "a signal that reveals intent." The platform does not need to spy on you specifically. It just needs to see where the questions cluster. A demand curve made of human interests. Combined with Cloudflare's device-level fingerprinting, this means the AI platform ecosystem can correlate not just what you ask, but which specific device asked it, from which location, with which behavioral profile.

What Can Users Actually Do

The honest answer is: not much, without giving up ChatGPT entirely.

Turnstile runs before you can interact with the application. It is not a cookie you can reject. It is not a tracker you can block without breaking the site. The fingerprint is collected as part of the authentication flow. Block it, and your messages will not send.

That said, there are partial mitigations:

The fundamental problem is structural. You cannot meaningfully consent to or opt out of fingerprinting by an invisible infrastructure provider. The choice is binary: use the service with full fingerprinting, or do not use the service. There is no middle ground, and no regulation currently requires one.

The Hacker News Reaction

Buchodi's research hit the front page of Hacker News on March 29, 2026, accumulating over 200 points and more than 150 comments within hours. The reaction was a mix of grudging admiration for the engineering, alarm at the surveillance implications, and cynicism about the possibility of change.

Several commenters with Cloudflare experience noted that the Turnstile system has evolved significantly since its 2022 launch. Early versions performed simpler checks. The three-layer architecture with application state verification appears to be relatively recent, likely deployed in response to increasingly sophisticated bot frameworks that could pass browser-level fingerprinting.

Others pointed out the irony of Cloudflare's marketing. The company has positioned Turnstile as a privacy improvement over traditional CAPTCHAs, which require users to complete annoying image recognition tasks. Turnstile replaces visible friction with invisible surveillance. The user experience is better. The data collection is worse. As one commenter put it: "CAPTCHAs respected you enough to at least tell you they were there."

The legal discussion was particularly heated. European commenters raised GDPR concerns, noting that localStorage writes for fingerprinting persistence likely require consent under the ePrivacy Directive. US commenters were more resigned, pointing to the absence of federal privacy legislation. Several lawyers in the thread noted that while the collection might violate EU law in theory, enforcement against Cloudflare - a US company processing data through globally distributed edge servers - would face jurisdictional challenges.

A minority of commenters defended the system, arguing that ChatGPT faces real and significant bot abuse, including credential stuffing, automated scraping of model outputs, prompt injection attacks at scale, and usage by sanctioned entities. From this perspective, aggressive fingerprinting is a proportionate response to genuine security threats. The counterargument, made by others in the thread, is that proportionality requires transparency. A system that fingerprints users without their knowledge cannot claim to be proportionate because proportionality requires informed consent as a baseline.

What Comes Next

The boundary between bot detection and human surveillance is dissolving. The question is who draws the new line. Photo: Unsplash

Buchodi's research is a snapshot. The 377 programs he decrypted represent what Turnstile did at a specific point in time. Cloudflare can change what the programs check without updating the SDK, without notifying website operators, and without any user-visible change. The custom VM architecture was designed for exactly this kind of silent evolution.

The trajectory is clear. Bot detection and user surveillance are converging. As AI-powered bots become more sophisticated - capable of running real browsers, executing JavaScript, and even mimicking human behavioral patterns - fingerprinting systems will need to dig deeper. Application state verification is just the beginning. Future systems might check the contents of other open tabs, the state of browser extensions, the history of recent network requests, or the output of device sensors like accelerometers and gyroscopes.

The W3C's Privacy Interest Group (PING) has been working on specifications to limit fingerprinting surface area in browsers. Firefox and Safari have implemented various anti-fingerprinting measures. Chrome has been slower, which is unsurprising given Google's advertising business model. But these efforts target passive fingerprinting through browser APIs. Active fingerprinting through infrastructure providers like Cloudflare operates at a different layer entirely and is not addressed by browser-level protections.

The regulatory landscape is also evolving, slowly. The EU's proposed ePrivacy Regulation, intended to replace the ePrivacy Directive, has been stuck in negotiations since 2017. The US continues to lack comprehensive federal privacy legislation, though the American Privacy Rights Act introduced in 2024 may eventually provide a framework. In the meantime, the gap between what is technically possible and what is legally constrained continues to widen.

What Buchodi's research ultimately demonstrates is that the trust model of the modern web is broken. We trust browsers to execute code honestly. We trust infrastructure providers to route traffic neutrally. We trust application developers to collect only what they disclose. Every one of these trust assumptions is violated by the ChatGPT-Cloudflare-Turnstile system. The code is obfuscated. The infrastructure provider collects data independently. The application developer may or may not have access to fingerprints they did not directly collect.

The solution, if there is one, is not technical. It is institutional. Users need the legal right to know what runs in their browsers. They need the practical ability to refuse fingerprinting without losing access to services. They need infrastructure providers to be held to the same transparency standards as application developers. Until those rights exist, every keystroke you type into ChatGPT will continue to feed a surveillance machine you never knew was watching.
