# Most of your audience isn't human

Authentic Media is an edge bot-intelligence system on Fastly Compute. From the signals every
connection already exposes — its TLS/JA4 fingerprint, network, User-Agent and client hints — it scores
each visitor human, bot, or spoofed, works out why they came, and verifies who a bot really claims to
be. No invasive in-browser fingerprinting, operator-side only, nothing sold. This is the markdown-first
version of https://app.jacobrosenbacher.com/bots, served to answer engines and AI crawlers.

## The web is mostly bots
By Imperva's annual Bad Bot Report, automated traffic crossed 50% of all internet traffic in 2024 —
bots outnumbered humans for the first time; on a small site the ratio is usually worse. "Private
browsing" is a misnomer: HTTPS hides the content of a request, never the connection — your IP, rough
location, and a detailed TLS fingerprint of your software are exposed before a byte of content.

## It scores every visitor
Every request is scored human, bot, or spoofed from edge-visible signals alone — no invasive
fingerprinting. Each is weak by itself; together they're hard to fake all at once, because faking one
usually breaks another.

- **IP → network (geo + ASN)** — Your address resolves to a rough location and an ASN — the network that owns it. Before you send one byte of actual content, we can tell a home or mobile ISP apart from a datacenter, a VPN, or a Tor exit. Eyeball networks read human; hosting networks are where bots live.
- **JA4 — the TLS handshake fingerprint** — The very first encrypted “hello” spells out your client’s exact crypto preferences: TLS version, cipher and extension counts, and the protocols it offers (ALPN). Real browsers offer HTTP/2 (“h2”) first. A client that claims to be Chrome but only offered HTTP/1.1 is a script in a costume — the single highest-signal tell we have.
- **JA4_b — a confirmed-browser hash** — The sorted cipher list hashes to a value that’s stable per TLS stack. A match positively confirms a genuine browser. We only ever confirm with it — a missing match is NEVER treated as guilt, because our catalogue is incomplete and we will not false-flag a real visitor.
- **HTTP/2 frames + header order** — How a client builds its HTTP/2 frames, and the order it lists its headers, are a fingerprint of their own. Automation libraries (Python, Go, headless Chrome) order things differently than real Chrome or Safari — even when they’ve copied the User-Agent perfectly.
- **User-Agent vs. client hints** — Every modern Chromium sends Sec-CH-UA “client hint” headers next to its User-Agent. A request claiming a current Chrome that sends none — or carries a build number from years ago — is almost always a hand-typed string. The UA is a claim; the hints are the receipts.
- **Behavior over time** — navigator.webdriver outs an automated browser outright. Repeat page-views with zero input events, on a datacenter network, read as a crawler. Real clicks, scrolls, and a watched video read as a person. We add these up to corroborate — we never convict a visitor for simply being quiet.

Example — a real caught visit, scored **spoofed, 80/100** (JA4 t13d1812h1): a client posing as an
ordinary phone that negotiated HTTP/1.1 (real mobile Chrome offers HTTP/2), ran a 2017 Chrome 60 build,
sent no client hints, and routed through a Belgrade hosting network (AS215930) while flying an Iranian
flag. The connection confessed; no person had to be unmasked.

## It works out why they're here
The same signals separate a citation bot (an AI or search crawler indexing you) from a content
scraper, a vulnerability scanner probing for /wp-login or /.env, and an ordinary human — so the
response to each can differ.

## Naming who runs a bot (operator attribution)
A User-Agent is just a claim. When a visitor calls itself Googlebot, GPTBot or ClaudeBot, we check its
IP against the crawler-IP ranges that operator publishes itself — Google, OpenAI, Anthropic, Bing,
Apple and Perplexity all post the addresses their crawlers use — plus forward-confirmed reverse DNS as
a backstop. A genuine crawler from its own network is VERIFIED (and welcome); a client forging that
identity from a network the operator has never used is flagged an IMPERSONATOR. Same check, opposite
outcomes — without identifying a person.

## Recognizing the same bot across an operator's sites
When the same crawler visits more than one site the SAME operator runs, we can tell it's the same one
— without a cookie, because a cookie can't travel between different domains. The join key is the shape
of the connection: the TLS fingerprint + the network (ASN) + a one-way hash of the IP (never a raw IP).
It's deliberately narrow: only across a single operator's OWN first-party properties, never the wider
web or other people's sites — runs entirely operator-side, and is never sold or shared.

## Optional: choosing what to turn away
Detection is only half the story; the operator decides what to do with it, and the default is to do
NOTHING — everyone is served and the site just keeps count. Off by default, opt-in and per category, it
can act:
- **Verified search & answer engines** — verified Google, Bing, Apple and the answer engines (ChatGPT,
  Claude, Perplexity) are NEVER blocked; that floor is enforced in code. Being cited accurately is the
  whole point.
- **Scanners & forged crawlers** — vulnerability scanners probing for /wp-login, /.env and clients
  forging a crawler identity can be answered with a plain 403 Forbidden.
- **Unverified scrapers** — an unverified harvester can get 402 Payment Required plus a link to
  licensing terms instead of the content.

This is opt-in and conservative by default. We don't block "everything" and don't claim to — the good
bots are the ones we most want to keep.

## AEO: serve robots what robots want
Not every bot is bad — answer engines (ChatGPT, Claude, Perplexity, Google AI) are the
fastest-growing crawlers. The best practice isn't to block them but to serve them clean, markdown-first
content they parse accurately. This document is that, generated from the same source as the human page.
Humans get the full interactive site; machines get the gist.

— Authentic Media · honest, sourced, no-algorithm video · no data to big tech or government
