Researchers can now identify web agents by how they type, scroll, and move a cursor. Paste-based form fills, direct jumps to click targets, repeated delete-and-retype loops. One study detected all seven agents tested; Cloudflare caught one. A June preprint went further, fingerprinting agents at the network layer too. Within weeks, developers were publishing techniques to mimic human mouse trajectories.
Sharper fingerprints produce sharper evasion, and the cycle keeps tightening without ever touching the useful question: is this automation allowed to act here? Early proposals for permission manifests hint at an alternative, but nothing is deployed. Recognition keeps improving. The ability to say "yes, this agent is authorized to be here on behalf of this user" remains at zero. Every gain in detection just funds the next round of camouflage.
Browser fingerprints: Limited power. Agents share browser configurations, making them hard to distinguish from each other at the browser level alone.
Behavioral fingerprints: Highly distinctive. Typing patterns, scrolling behavior, and mouse movement reliably separate agents from humans and from one another.
Model identification: A passive JavaScript tracker identified the underlying LLM powering an agent with 96% accuracy across 14 frontier models.
What detection can answer: "Is this a bot?" Answerable with high confidence today.
What detection can't answer: "Is this bot authorized to act here?" Requires a delegation protocol that doesn't exist yet.
Permission manifests: A proposed agent-permissions.json standard, analogous to robots.txt, would let sites declare what agent interactions are permitted. Still a research proposal.

