What the FLoC? Browser makers queue up to decry Google's latest ad-targeting initiative as invasive tracking

'Federated Learning of Cohorts' groups users together and is already being tested in Chrome

Updated Google's FLoC (Federated Learning of Cohorts) mechanism for ad personalisation, currently being trialled in the Chrome browser, has been rejected as privacy-invasive tracking by other browser makers including Vivaldi and Brave.

FLoC is part of what Google calls the Privacy Sandbox initiative, a proposal to "support business models that fund the open web in the absence of tracking mechanisms like third-party cookies," according to now-retired Chrome engineering director Justin Schuh and product manager Marshall Vale in January.

Third-party cookies are widely used (or abused) for tracking users across the web, and are increasingly likely to be blocked. Google is determined to preserve its ability to target and personalise advertising and claims the Privacy Sandbox APIs "enable use cases such as ad selection and conversion measurement, without revealing individual private and personal information."

floc diagram via web.dev/floc/

Diagram of how FLoC works via web.dev/floc/ (click to enlarge) Licensed under CC 4.0

The idea of FLoC is that each web browser has a cohort ID which groups it with other browsers that have a similar browsing history. Google runs a FLoC service that defines the cohorts and sends data to the browser. The cohort ID is then calculated by the browser. The browser does not send its history to the FLoC service.

Websites can query the browser for its cohort ID and select advertising accordingly. Advertising networks – such as Google's own – are expected to record data such as "a browser from cohort 1354 showed interest in hiking boots." It is profiling, but of groups rather than individuals.

FloC is controversial. Last month the Electronic Frontier Foundation (EFF) declared it "a terrible idea" and said that "the technology will avoid the privacy risks of third-party cookies, but it will create new ones in the process." The EFF also noted that having behavioural ads at all is an issue and that FLoC may exacerbate problems such as "discrimination and predatory targeting." One might imagine cohorts that identify users as looking for help with debt, for example.

Browser maker concerns

Browser maker Vivaldi said yesterday: "FLoC off! Vivaldi does not support FLoC." Co-founder and CEO Jon von Tetzchner added: "Our privacy policy is simple and clear; we do not want to track you."

He added that FLoC would expose personal data in new ways. "You might visit a website that relates to a highly personal subject that may or may not use FLoC ads, and now every other site that you visit gets told your FLoC ID, which shows that you have visited that specific kind of site," he said.

These risks could go beyond embarrassment to have "serious implications for society" if used by authoritarian governments. "A dictatorship may be able to work out that dissenters often seem to have one of the same five FLoC IDs. Now anyone who visits a nationally controlled website with that ID could be at risk," he added. "We will not support the FLoC API and plan to disable it, no matter how it is implemented."

Two days ago, Brave CEO Brendan Eich and senior privacy researcher Peter Snyder also voiced their objection to FLoC. "Brave has removed FLoC in the Nightly version of both Brave for desktop and Android. The privacy-affecting aspects of FLoC have never been enabled in Brave releases; the additional implementation details of FLoC will be removed from all Brave releases with this week’s stable release," they said.

According to Eich and Snyder, "FLoC tells sites about your browsing history in a new way that browsers categorically do not today."

They dispute the claim that cohorts protect privacy because each cohort has thousands of users – a method called k-anonymity. "Any useful concept of privacy should include some concept of 'don't tell others things you know about me, without my permission'," they said.

FLoC tells sites about your browsing history in a new way that browsers categorically do not today

As for Mozilla, their spokesperson told us: "We are currently evaluating many of the privacy preserving advertising proposals, including those put forward by Google, but have no current plans to implement any of them at this time."

We don’t buy into the assumption that the industry needs billions of data points about people, that are collected and shared without their understanding, to serve relevant advertising. Advertising and privacy can co-exist. And the advertising industry can operate differently than it has in past years."

Yesterday Google mathematician Michael Kleber, on the Chrome team, claimed that "FLoC is not useful for tracking. There are thousands of people with the same FLoC, so someone trying to use it to track you would end up seeing a huge amount of not-you mixed in with a very small amount of you."

Apple WebKit Security Engineer John Wilander disputed Kleber's claim, saying that "the user's cohort will not be partitioned per first party site so multiple sites can observe the cohort ID in sync as it changes week after week. A hash of the cohorts seen so far will likely get more and more unique as the weeks go by... to take this to the crowd metaphor: Before the pandemic and some time back, I attended a Mew concert, a Ghost concert, Disney on Ice, and a Def Leppard concert. At each of those events I was part of a large crowd. But I bet you I was the only one to attend all four."

Although Google's Schuh said the web giant was encouraging feedback on the privacy sandbox proposals, including FLoC, which are listed on GitHub here, the company appears to be full steam ahead on implementation.


W3C Technical Architecture Group slaps down Google's proposal to treat multiple domains as same origin


In Chrome 89, the current version, FLoC was implemented as an "origin trial," meaning that websites and advertisers can apply to start using it on an experimental basis. "We hope that during the Origin Trial, the ad tech community will collectively figure out which tasks are well served by the FLoC approach," said Kleber.

The EFF noted that while websites and advertisers could opt in, users were not asked permission. "A small portion of Chrome users – still likely millions of people – will be (or have been) assigned to test the new technology," it said. Security site Malwarebytes said: "Chrome users had no choice in whether they were included in the FLoC trial, they received no individualized notification, and, currently, they have no option to specifically opt-out."

Last week the W3C Technical Architecture Group (TAG) stated that First Party Sets, another part of the privacy sandbox proposals, are "harmful to the web in its current form" and also warned against browser vendors working on or implementing additional features that depend on them.

The suspicion is that Google may rely on its Chrome market share – around 65 per cent, according to Statcounter, followed by Safari at 19 per cent, and all others with tiny percentages – as being sufficient that it will not wait to achieve consensus but simply go ahead on its own.

Google User Trust Product Manager Chetna Bindra describes here how the privacy sandbox will enable Google to continue with targeted advertising, ad tech bidding and conversion measurement because "advertising is essential to keeping the web open for everyone."

Does advertising have to include tracking, though? Privacy search engine DuckDuckGo said that tracking is not necessary in order to advertise successfully. "When you search on DuckDuckGo, we can show you an ad based on the keywords you type in. That's it. And it works." It added that "FLoC IDs will also be accessible by third-party trackers lurking on websites" and is offering a Chrome extension to block FLoC.

Niche privacy-focused vendors like Brave and DuckDuckGo base their appeal on being more private than Google so there is self-interest in their complaints. That said, it is obvious that Google has not achieved cross-industry consensus with its Privacy Sandbox proposals. Less obvious is the extent to which it intends to respond.

We have asked Microsoft about its plans for FLoC in Edge and will update with any information received. We have also asked Google for comment on how it is responding to feedback. ®

Updated to add

A Google spokesperson has been in touch to clarify how Chrome users can, for now, avoid the FLoC trial:

The Privacy Sandbox proposals are developed as part of a collaborative, open-source effort and we welcome feedback as we continue working with the W3C and broader web community to find solutions that improve privacy while maintaining a healthy ecosystem.

We believe that FLoC improves user privacy while still supporting the relevant advertising that’s fundamental to maintain a free and open web. FLoC is based on large anonymous groups, not tracking individuals across the web as third-party cookies do today.

If a user has chosen to block third-party cookies with the current version of Chrome, they won’t be included in the FLoC origin trial, and this month, we’ll introduce a control in Chrome Settings that users can use to opt out of inclusion in FLoC and other Privacy Sandbox proposals while they’re in trials.

Similar topics

Broader topics

Other stories you might like

  • Suspected phishing email crime boss cuffed in Nigeria
    Interpol, cops swoop with intel from cybersecurity bods

    Interpol and cops in Africa have arrested a Nigerian man suspected of running a multi-continent cybercrime ring that specialized in phishing emails targeting businesses.

    His alleged operation was responsible for so-called business email compromise (BEC), a mix of fraud and social engineering in which staff at targeted companies are hoodwinked into, for example, wiring funds to scammers or sending out sensitive information. This can be done by sending messages that impersonate executives or suppliers, with instructions on where to send payments or data, sometimes by breaking into an employee's work email account to do so.

    The 37-year-old's detention is part of a year-long, counter-BEC initiative code-named Operation Delilah that involved international law enforcement, and started with intelligence from cybersecurity companies Group-IB, Palo Alto Networks Unit 42, and Trend Micro.

    Continue reading
  • Broadcom buying VMware could create an edge infrastructure and IoT empire
    Hypervisor giant too big to be kept ticking over like CA or Symantec. Instead it can wrangle net-connected kit

    Comment Broadcom’s mooted acquisition of VMware looks odd at face value, but if considered as a means to make edge computing and the Internet of Things (IoT) more mature and manageable, and give organizations the tools to drive them, the deal makes rather more sense.

    Edge and IoT are the two coming things in computing and will grow for years, meaning the proposed deal could be very good for VMware’s current customers.

    An Ethernet switch that Broadcom launched this week shows why this is a plausible scenario.

    Continue reading
  • Ex-spymaster and fellow Brexiteers' emails leaked by suspected Russian op
    A 'Very English Coop (sic) d'Etat'

    Emails between leading pro-Brexit figures in the UK have seemingly been stolen and leaked online by what could be a Kremlin cyberespionage team.

    The messages feature conversations between former spymaster Richard Dearlove, who led Britain's foreign intelligence service MI6 from 1999 to 2004; Baroness Gisela Stuart, a member of the House of Lords; and Robert Tombs, an expert of French history at the University of Cambridge, as well as other Brexit supporters. The emails were uploaded to a .co.uk website titled "Very English Coop d'Etat," Reuters first reported this week.

    Dearlove confirmed his ProtonMail account was compromised. "I am well aware of a Russian operation against a Proton account which contained emails to and from me," he said. The Register has asked Baroness Stuart and Tombs as well as ProtonMail for comment. Tombs declined to comment.

    Continue reading
  • As Microsoft's $70b takeover of Activision nears, workers step up their organizing
    This week: Subsidiary's QA staff officially unionize, $18m settlement disputed, and more

    Current and former Activision Blizzard staff are stepping up their organizing and pressure campaigns on execs as the video-game giant tries to close its $68.7bn acquisition by Microsoft.

    Firstly, QA workers at Raven Software – a studio based in Wisconsin that develops the popular first-person shooter series Call of Duty – successfully voted to officially unionize against parent biz Activision. Secondly, a former employee appealed Activision's proposed $18 million settlement with America's Equal Employment Opportunity Commission regarding claims of "sex-based discrimination" and "harassment" of female staff at the corporation. 

    Finally, a group of current and ex-Activision employees have formed a Worker Committee Against Sex and Gender Discrimination to try and improve the company's internal sexual harassment policies. All three events occurred this week, and show how Activision is still grappling with internal revolt as it pushes ahead for Microsoft's takeover. 

    Continue reading
  • Nvidia shares tumble as China lockdown, Russia blamed for dent in outlook
    Sure, stonking server and gaming sales, but hiring and expenses to slow down, too

    Nvidia exceeded market expectations and on Wednesday reported record first-quarter fiscal 2023 revenue of $8.29 billion, an increase of 46 percent from a year ago and eight percent from the previous quarter.

    Nonetheless the GPU goliath's stock slipped by more than nine percent in after-hours trading amid remarks by CFO Colette Kress regarding the business's financial outlook, and plans to slow hiring and limit expenses. Nvidia stock subsequently recovered a little, and was trading down about seven percent at time of publication.

    Kress said non-GAAP operating expenses in the three months to May 1 increased 35 percent from a year ago to $1.6 billion, and were "driven by employee growth, compensation-related costs and engineering development costs."

    Continue reading
  • Millions of people's info stolen from MGM Resorts dumped on Telegram for free
    Meanwhile, Twitter coughs up $150m after using account security contact details for advertising

    Miscreants have dumped on Telegram more than 142 million customer records stolen from MGM Resorts, exposing names, postal and email addresses, phone numbers, and dates of birth for any would-be identity thief.

    The vpnMentor research team stumbled upon the files, which totaled 8.7 GB of data, on the messaging platform earlier this week, and noted that they "assume at least 30 million people had some of their data leaked." MGM Resorts, a hotel and casino chain, did not respond to The Register's request for comment.

    The researchers reckon this information is linked to the theft of millions of guest records, which included the details of Twitter's Jack Dorsey and pop star Justin Bieber, from MGM Resorts in 2019 that was subsequently distributed via underground forums.

    Continue reading
  • DuckDuckGo tries to explain why its browsers won't block some Microsoft web trackers
    Meanwhile, Tails 5.0 users told to stop what they're doing over Firefox flaw

    DuckDuckGo promises privacy to users of its Android, iOS browsers, and macOS browsers – yet it allows certain data to flow from third-party websites to Microsoft-owned services.

    Security researcher Zach Edwards recently conducted an audit of DuckDuckGo's mobile browsers and found that, contrary to expectations, they do not block Meta's Workplace domain, for example, from sending information to Microsoft's Bing and LinkedIn domains.

    Specifically, DuckDuckGo's software didn't stop Microsoft's trackers on the Workplace page from blabbing information about the user to Bing and LinkedIn for tailored advertising purposes. Other trackers, such as Google's, are blocked.

    Continue reading
  • Despite 'key' partnership with AWS, Meta taps up Microsoft Azure for AI work
    Someone got Zuck'd

    Meta’s AI business unit set up shop in Microsoft Azure this week and announced a strategic partnership it says will advance PyTorch development on the public cloud.

    The deal [PDF] will see Mark Zuckerberg’s umbrella company deploy machine-learning workloads on thousands of Nvidia GPUs running in Azure. While a win for Microsoft, the partnership calls in to question just how strong Meta’s commitment to Amazon Web Services (AWS) really is.

    Back in those long-gone days of December, Meta named AWS as its “key long-term strategic cloud provider." As part of that, Meta promised that if it bought any companies that used AWS, it would continue to support their use of Amazon's cloud, rather than force them off into its own private datacenters. The pact also included a vow to expand Meta’s consumption of Amazon’s cloud-based compute, storage, database, and security services.

    Continue reading

Biting the hand that feeds IT © 1998–2022