Privacy » FLoC

Sebastian Greger This is a living document
Last update:

FLoC in a nutshell

Key problems:

  • exposes cohort ID to every website
  • allows for fingerprinting as the cohort ID adds to entropy (and is unrelated to other variables commonly used for fingerprinting)
  • enables profiling by trackers based on collecting cohort IDs or by reverse-engineering the cohorts from other information they have about users (connecting their own data about a user with their cohort IDs, hence deriving information about others with that ID)
  • crosses privacy contexts (contextual integrity), as the browser history combines different use scenarios (such as online shopping vs. looking for health information)
  • opaque to users and regulators; even more so than the current cookie system
  • power imbalance: advertisers opt in, users have to opt out
  • “privacy washing”: Google promiting FLoC as the privacy-preserving alternative to cookies (that many have by now understood are problematic) while still maintaining the old problems of behavioural surveillance

Intial trial phase:

  • rolled out to millions (0.5% of users in selected countries, not in the EU) of Chrome users without notification
  • only

No longer based on unique pseudonymous IDs as with cookies (i.e. one person or browser gets assigned a semi-permanent ID for re-identification and is hence individually identifiable), the FLoC ID indeed eliminates some of the problems with current tracking practice. At the same time, having the FLoC ID (a hash calculated weekly from websites visited over the past 7 days, hence not an individual pseudonym but kind of a “membership badge” for a certain cohort of “thousands” of users) exposed to every website visited provides opportunities for tracking and fingerprinting.

Most importantly, as the EFF points out, exchanging one form of behavioural targeting for another does not mitigate its underlying large-scale harms: discrimination, predatory behaviour like targeted scams etc. They also highlight that the short lifespan of the cohort identfier may appear like a privacy benefit, but actually improves the ability to identify current behaviour patterns (the way I read it: instead of targeting a person who once looked up baby clothes, cohorts can be targeted for looking up baby clothes in the past week).

For individual users

The EFF and other sources suggest two ways to opt out on individual basis:

  • not using Chrome (a smart choice anyways)
  • disabling third-party cookies in Chrome (may break use of some websites)

The proof-of-concept spec by the Chromium team also indicates several conditions to be met in order for FLoC cohorts to be logged in the trial:

  • incognito mode is not active
  • logged into a Google account and opted to sync history data with Chrome
  • not blocking third-party cookies
  • “Google Activity Controls” have “Web & App Activity” and “Include Chrome history and activity from sites, apps, and devices that use Google services” enabled
  • Google Ad Settings have “Ad Personalization” and “Also use your activity & information from Google services to personalize ads on websites and apps that partner with Google to show ads.” enabled

The EFF provides a service for Chrome users to check whether their browser is currently included in the “origin trial”; the website also has a very thorough summary of the technical context and the privacy implications.

For website owners

During the trial period, a website is only included in FLoC calculations if

  • its IP address is publicly accessible (no intranets, test environments etc.)
  • it accesses the FLoC API, or
  • Chrome detects that the website serves ads (description of the detection mechanism)

“Opting out” from the server side

Google announces that opting out is possible by adding the header Permissions-Policy: interest-cohort=() to a server response.

A site should be able to declare that it does not want to be included in the user’s list of sites for cohort calculation. A new interest-cohort permissions policy enables this. The policy will be allow by default.

Important here: this opt-out is defined as an ability for “a site” to declare it does not want to be included. Once this header is sent out in bulk by the majority of websites, this will both invalidate its semantic (it’s no longer an experssion of intent by the site owner, but a default of the CMS) and ultimately the business model Google operates on (hence encouraging to ignore this header).

Why CMSs should not send the FLoC opt-out header by default
Google is rolling out an early-stage experiment with a new behavioural targeting technology: Federated Learning of Chorts (FLoC) […]

I'm Sebastian, Sociologist and Interaction Designer aiming to bring toge­ther social science and design for inclusive, privacy-focused, and sustainable "human-first" digital strategies. This is my "digital garden" with carefully curated resources. For a more stream-like outlet, see my journal.

My occasionally sent email newsletter has all of the above, and there is of course also an RSS feed or my Mastodon/Fediverse profile.