Google FLoC is a flop? Not so fast

Richi Jennings Your humble blogwatcher, dba RJA

Third-party cookies will soon go away, because people are fed up with being tracked. That’s bad news for advertisers, unless there’s something to replace them.

So here comes Google, on horseback, wielding its magical sword of FLoC: Federated Learning of Cohorts. It’s la GOOG’s proposed solution to targeted advertising without tracking.

But privacy wonks hate it. And so do most other browser makers. In this week’s Security Blogwatch, we munch on a tasty lettuce leaf.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Majestic macro.

Would you care for a cookie?

What’s the craic? Lawrence Abrams reports—Microsoft disables Google's FLoC tracking in Microsoft Edge:

This month, Google began testing a … controversial FLoC browser-based tracking feature. … Called Federated Learning of Cohorts [it] places users in anonymous buckets, or cohorts, based on their interest and browsing behavior.

Unlike third-party cookies used by advertisers to track your behavior and interests across different sites, FLoC is built into the web browser, which assigns you to behavior cohorts and shares that information with websites and advertisers. [In] Chromium-based browsers, Google has enabled support for FLoC by default.

[But] with Microsoft Edge … the component is not available in the browser. … Privacy advocates … have already stated that they believe FLoC is a bad idea.

It’s not just Microsoft. Dieter Bohn pens this “hilarious” pun—Nobody is flying to join Google’s FLoC:

Google is going it alone with its proposed advertising technology to replace third-party cookies. [Mozilla and] every major browser that uses the open source Chromium project have declined to use it, and it’s unclear what that will mean for the future of advertising on the web.

I am relieved that nobody else is implementing FLoC right away, because the way FLoC is constructed puts a very big responsibility on a browser maker. If implemented badly, FLoC could leak out sensitive information. It’s a complicated technology that does appear to keep you semi-anonymous, but there are enough details to hide dozens of Devils.

John Wilander is a WebKit engineer at Apple who works on Safari’s privacy-enhancing Intelligent Tracking Prevention features. He was asked on Twitter whether or not Safari would implement FLoC and here’s his reply: “We have not said we will implement, and we have our tracking prevention policy. That’s it for the time being. Serious standards proposals deserve thinking.”

All of this is happening because every major browser already has or will soon block third-party cookies, the default way of identifying you and tracking you across the web. And every major browser has committed to ensuring that you can’t be personally identifiable to third-party advertisers.

And Thomas Claburn had a similar idea—FLoC flies into headwinds:

Uncertainty about potential problems and growing legal support for privacy is shaking up the digital ad industry. … In place of third-party data, a number of ad industry firms expect first-party platforms – e.g., Amazon selling ads on its own website … using the customer data it has collected – will prosper and perhaps challenge the Google/Facebook duopoly.

Google hopes FLoC and related web plumbing proposals … (Privacy Sandbox), will serve as substitutes for the sort of interest-based advertising … made possible by third-party cookies. … It makes its calculations locally, in the browser, thereby preventing people's web histories from being shared with third parties—in theory. [But] the unfinished nature of FLoC makes it difficult to be certain how it will really function. It's essentially a placeholder for an improved version of itself.

The recent W3C Privacy Interest Group (PING)'s assessment … argues the technology's use case is "a privacy harm in itself." … Steven Englehardt, privacy engineer at Mozilla, [says it] "makes false claims about the privacy properties provided by the anonymization techniques." … EFF technologist Bennett Cyphers [warns] that FLoC's SimHash algorithm may leak data. … But more damning is the disinterest coming from other browser makers.

It’s already happening. The EFF’s anonymous gnomes warn—Google is testing FLoC on Chrome users worldwide:

Third-party cookies are the technology that powers much of the surveillance-advertising business today. But cookies are on their way out, and Google is trying to design a way for advertisers to keep targeting users based on their web browsing once cookies are gone.

Each [cohort] receives a label, called a FLoC ID, which is supposed to capture meaningful information about your habits and interests. FLoC then displays this label to everyone you interact with on the web. This makes it easier to identify you with browser fingerprinting, and it gives trackers a head start on profiling you.

The Chrome origin trial for FLoC has been deployed to millions of random Chrome users without warning, much less consent. … It will give trackers access to even more information about subjects.

If you are a website owner, your site will automatically be included in FLoC calculations if it accesses the FLoC API or if Chrome detects that it serves ads. You can opt out of this calculation by sending the following HTTP response header:
Permissions-Policy: interest-cohort=()

But who wants to fight with an 800-pound gorilla? Not Fabermetrics, for one:

It's initiatives like this that show the real danger of chrome. Google, by controlling Chromium and major sites like YouTube, can toss around their weight.

All the companies who felt it was expedient to fork their work will find it gets harder and harder to keep it out of their projects. We saw it with Manifest V3 and we are seeing [it] here.

Chrome is fruit of the poison tree.

In full agreement, vikbytes bites:

Google doesn't have to listen to anyone, this is what having a browser market share of 70%+ grants you. Question is, will their move chip away at that market share? If people actually care, it should.

It’s hard to find balance. But Scott Helme kinda-sorta offers the case for the Defense—What the FLoC?!

Many people dislike privacy invasive tracking online. … I'm not opposed to the idea of adverts, I've found out about a lot of cool stuff from adverts and they support a lot of things I like, but I'm sure we all hate the heavy, bloated, distracting adverts that worst of all, are tracking you everywhere you go. FLoC aims to remove the need for invasive tracking to serve relevant ads to users by categorising users based on their browsing history.

The client would then provide a FLoC ID to the server upon request and the site would know what your interests are. I might have a FLoC ID of 721954 generated which means I'm interested in cars and infosec, along with thousands of other people who may end up with the same FLoC ID as they have the same interests. The site can't tell us apart, or who we are, based on our FLoC ID, but it can now serve us more relevant ads [without] 3rd party cookies.

interest-cohort=() … prevents the browser from including your site in the 'cohort calculation' for the current client. [And] it means that nothing can call document.interestCohort() to get the FLoC ID of the current client. … This doesn't work or do anything outside of the context of the current site being visited and doesn't 'disable' FLoC on the client.
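An added example, not taken from the EFF or Scott Helme posts quoted above: a Python check that a response's headers really carry the interest-cohort=() opt-out both of them describe. The parser is a simplified reading of the Permissions-Policy syntax, the function names are hypothetical, and the sample responses in the comments and test are constructed.

```python
FEATURE = "interest-cohort"

def split_members(value):
    """Split a Permissions-Policy value on top-level commas (not inside () or quotes)."""
    members, buf, depth, quoted = [], [], 0, False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch == "(":
            depth += 1
        elif not quoted and ch == ")":
            depth = max(depth - 1, 0)
        if ch == "," and depth == 0 and not quoted:
            members.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    members.append("".join(buf).strip())
    return [m for m in members if m]

def allowlist_for(policy_values, feature=FEATURE):
    """Return the allowlist declared for `feature`, or None if it never appears.
    Repeated header lines are combined; a later declaration overrides an earlier one."""
    found = None
    for member in split_members(", ".join(policy_values)):
        name, sep, allowlist = member.partition("=")
        if sep and name.strip() == feature:
            found = allowlist.strip()
    return found

def audit(headers):
    """Classify a response given as (name, value) pairs:
    'opted-out' -> interest-cohort=() is in effect
    'allowed'   -> the feature is declared with a non-empty allowlist
    'missing'   -> no declaration, so the site is not opted out."""
    values = [v for k, v in headers if k.lower() == "permissions-policy"]
    allowlist = allowlist_for(values)
    if allowlist is None:
        return "missing"
    if allowlist.startswith("(") and ")" in allowlist:
        inner = allowlist[1:allowlist.find(")")]
        if not inner.strip():
            return "opted-out"
    return "allowed"

if __name__ == "__main__":
    # Constructed sample response, not captured traffic.
    sample = [("Content-Type", "text/html"),
              ("Permissions-Policy", 'geolocation=(self "https://maps.example"), interest-cohort=()')]
    print(audit(sample))
```

A result of "missing" or "allowed" means the page can still be included in the cohort calculation under the conditions the EFF describes.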

Sounds almost reasonable. But graylshaped seems to speak for many:


No, thank you.

Wait. Pause. Surely personalized advertising has some good points? big_D throws peanuts at what looks like a scam:

How have papers managed to survive centuries without this technology? Or radio and TV for the best part of a century? They could never provide personalized advertising, the advertisers had to rely on looking at what was being shown and position their adverts in the appropriate slots, based on content and number of expected viewers/readers.

"Personalized" advertising has consisted of trying to sell me high-priced, one-off items that I have just purchased. "Just bought a new dishwasher? Here are 20 other dishwashers for the kitchens in your house!" Or, "just bought a new high-end smartphone? Here are a dozen other high-end smartphones you don't want to buy any more."

[It] is conning the advertisers out of money. For example, Amazon knows I have just bought a dishwasher or a smartphone, yet it keeps charging advertisers for supplying me with adverts for products it knows I already have and wouldn't be interested in buying.

Meanwhile, DontBeAMoran foresees our dystopian future:

Chrome: FLoC detected you are Canadian. Would you like to buy maple syrup?

Me: Why the hell would I want … yeah, okay sure.

The moral of the story?

If your brand/culture has a pro-privacy stance, consider opting your sites out of the trial.

And finally

Another perspective

Hat tip: Carla Sinclair

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or Ask your doctor before reading. Your mileage may vary. E&OE. 30.

This week’s zomgsauce: Candace McDaniel (via StockSnap)
