This article is more than 1 year old
Google's FLoC flies into headwinds as internet ad industry braces for instability
Reinventing web advertising tech at a time of heightened privacy concern proves difficult
Analysis With Google testing its FLoC ad technology in preparation for the planned elimination of third-party cookies next year, uncertainty about potential problems and growing legal support for privacy is shaking up the digital ad industry.
The move away from third-party cookies will have significant financial impact on the ad industry, and the internet ecosystem that depends on advertising – assuming you accept studies that credit third-party cookies with meaningful [PDF] rather than minimal [PDF] revenue.
"Our analysis suggests that the publishing industry will have to replace up to $10 billion in ad revenue with a combination of first-party data gathered through a combination of paywalls and required registrations, and updated contextual targeting and probabilistic audience modeling (analytics that incorporate an array of unknown elements)," said consultancy McKinsey in a recent report.
What the FLoC? Browser makers queue up to decry Google's latest ad-targeting initiative as invasive trackingREAD MORE
In place of third-party data, a number of ad industry firms expect first-party platforms – e.g. Amazon selling ads on its own website to marketers using the customer data it has collected – will prosper and perhaps challenge the Google/Facebook duopoly.
"In contrast to third-party data, which is built from third-party cookies, first-party data is gathered by businesses which have interacted directly with consumers," said Gowthaman Ragothaman, CEO of Aqilliz, a blockchain marketing analytics firm, in an email to The Register.
"Of course, digital marketers understand that it is the most powerful source of information for targeting and personalization purposes, as it provides more accurate and valuable insights into consumers’ behavior and buying patterns."
Ragothaman believes there will be more focus on first-party data, though he expects a difficult transition. "Every publisher whether in emerging markets or developed markets understands the need to build its own first-party data platform," he said. "But it is not easy. It cannot be done overnight either."
Chocolate Factory plans
Google hopes FLoC and related web plumbing proposals, referred to collectively as Google's Privacy Sandbox, will serve as substitutes for the sort of interest-based advertising and remarketing made possible by third-party cookies.
FLoC stands for Federated Learning of Cohorts. It's being built into Google Chrome browser to replace the interest-based targeting made possible by third-party cookies, which other browser makers now mostly block by default for privacy reasons and Google has agreed to drop in Chrome next year.
FLoC is a browser API that groups people into cohorts or flocks of people with similar interests, based on the web domains they visit. It makes its calculations locally, in the browser, thereby preventing people's web histories from being shared with third parties, in theory. It's supposed to provide more privacy than third-party cookies though recent repudiations by other browser makers and privacy groups show that issue hasn't been settled.
Google's 'privacy-first' ad tech FLoC squawks when Chrome goes Incognito, says expert. Web giant disagreesREAD MORE
Google has a number of ad tech allies that have already expressed support for FLoc, like Criteo, NextRoll, Magnite, and RTB House. But other ad tech firms like LiveRamp, Mediamath, Pacvue, and The Trade Desk are working on alternative ad targeting schemes, in part because there's an opportunity to innovate and in part because FLoC may fail.
FLoC's requirement that Chrome users be signed-in to their Google Accounts, Ragothaman observes, presents problems under Europe's GDPR data privacy rules where explicit user consent is required.
"At the moment, selected Google Chrome users are automatically added to the cohorts, without the option to opt out for their trials, which has not gone down well in the industry," he said. "If Google fails to implement measures that sufficiently address lawmakers' privacy concerns, there’s a possibility that FLoC will not become a reality in the EU."
"This would certainly have a significant impact on the advertising supply chain in the bloc once third-party cookies are phased out, given that Google commands as much as 90 per cent of the search engine market share in Europe. As such, Google has delayed their next solution, FLEDGE, by almost a year."
Zach Edwards, co-founder of web analytics biz Victory Medium, told The Register that he expects FLoC will be deployed but hopes it will be abandoned for more promising Privacy Sandbox proposals like FLEDGE.
"FloC is an automated audience creation process that is obviously not compliant with GDPR due to FLoC's opt-out framework, and FloC is brushing right up against non-compliance with value transfer user data restrictions in CCPA and other frameworks restricting automated profiling," he said. "FLoC was dreamed up by math bros at Google who wanted to try and break consent on the internet just one more time."
That sentiment has been expressed by organizations like The Electronic Frontier Foundation, which recently called FLoC "a terrible idea." But more damning is the disinterest coming from other browser makers.
Browser makers not keen
Earlier this week, Apple WebKit security and privacy engineer John Wilander expressed concern that Google's FLoC algorithm, being tested in Google's Chrome browser, can be used to construct identifiers for tracking people as they visit different websites.
Doubts about FLoC have become more evident in the past few days. Rival browser makers Brave and Vivaldi have indicated they believe FLoC poses a privacy threat and say they won't support it. Mozilla has been more cautious, merely signaling current indifference. And Wilander's worries suggest Apple isn't likely to adopt the technology in Safari, which is hardly surprising given Apple's public stance on privacy. (Apple didn't respond to a request for comment.)
That leaves Microsoft Edge as the only plausible ally among the major browser makers. Edge users have recently asked for clarification about FLoC but Microsoft has not made any formal commitment. The Register understands that's because FLoC isn't currently a web standard. If Google manages to finesse FLoC to an acceptable state then support could be forthcoming.
What concerns Wilander is that over time, Cohort IDs, the numbers assigned to the multiple interest groups that become associated with a web user, may prove useful to create a unique identifier for that individual, perhaps in combination with other device-derived data points used for browser fingerprinting.
"Before the pandemic and some time back, I attended a Mew concert, a Ghost concert, Disney on Ice, and a Def Leppard concert," he said, to illustrate his concern about the potential misuse of interest group identifiers. "At each of those events I was part of a large crowd. But I bet you I was the only one to attend all four."
The Register asked Google whether it cared to address Wilander's observations. A company spokesperson declined to comment directly but noted that FLoC is a collaborative project that is still underway and pointed out that Google mathematician Michael Kleber on Thursday posted a response to Wilander.
"This is indeed the "Longitudinal privacy" question," Kleber said. "We've been considering a few different mitigations. As you know, this is an iterative and open process, and we expect to implement one or more of these solutions in future versions of FLoC."
Work to be done
Aside from concerns about its technical soundness, the unfinished nature of FLoC makes it difficult to be certain how it will really function. It's essentially a placeholder for an improved version of itself.
Clearly, a lot of work still needs to be done. Take for example the recent W3C Privacy Interest Group (PING)'s assessment of FLoC, which argues the technology's use case is "a privacy harm in itself." Or the issue raised by Steven Englehardt, privacy engineer at Mozilla, that Google's FLoC proposal "makes false claims about the privacy properties provided by the anonymization techniques." Or Terrence Eden's question about why users would want FLoC. Or EFF technologist Bennett Cypher's observation that FLoC's SimHash algorithm may leak data.
FLoC's state of flux is compounded by Google's handling of the FLoC rollout. Edwards observes that Google's decision to opt every website into the FLoC has put visitors to government websites at risk of deanonymization by linking them to cohort groups derived from their site visits.
The way to opt-out requires setting the Permissions-Policy header
interest-cohort=(), which isn't feasible for people with websites on some hosting platforms and, Edwards worries, may not have been clearly communicated to government IT admins.
Adalytics, an ad tech firm, confirmed as much when it found that websites for the European Data Protection Supervisor, the Irish Data Protection Authority, and the US National Security Agency, among others, all triggered updates for Chrome users' FLoC IDs. So in theory, an adversary operating a website could read this ID and perhaps draw conclusions about whether a visitor had previously visited specific government websites.
EFF urges Google to ground its FLoC: 'Pro-privacy' third-party cookie replacement not actually great for privacyREAD MORE
Edwards said he'd be happy if FLoC flops but said he expects it will be deployed despite its rocky start. "For Google, FloC is 'just the right amount of privacy, with a ton of revenue benefits' – but for end users, this automated audience creation process baked into the browser has been a cluster-FLoC since day one," he said.
Edwards expressed more enthusiasm for FLEDGE, another Privacy Sandbox proposal due for future testing that better aligns with privacy laws.
Even so, change isn't easy. Witness the W3C Technical Architecture Group's panning of First-Party Sets, another Privacy Sandbox proposal.
Gowthaman said there's still a long way to go before the industry can make a transition from third-party data to first-party.
"It requires a complete overhaul to the existing technological infrastructures that are at play," he said. "We need to capture the consent and convey the same across the digital supply chain, which requires large scale re-architecture. The industry understands the jobs to be done and the time is running out."
In the meantime, he expects cohort-based targeting is inevitable, at least until the ad tech industry settles on a solution that scales. "There are quite a few players in the ad tech ecosystem experimenting with the cookie replacement solution," he said. "Today there are as many as 80 Identity solutions in the marketplace, all trying to offer an alternative to cookies."
Whatever happens, he argues, it's imperative that the new technology infrastructure allows for legally compliant data-sharing across the digital supply chain.
Likewise, Marc Goldberg, chief revenue officer of Method Media Intelligence, a marketing analytics business, says that whatever technologies rise to replace third-party cookies, they must avoid repeating past mistakes.
"It is important that all of these options don't resurface the problem of privacy in another form," he said. "While the rates might go down (read premium for advanced targeting) and some things will break (or not work as well) in the end, the shift of spend to other mediums won't happen. Eyeballs are still online and buyers will find them. The tactics and strategies will change, which is not a bad thing." ®