Google's FLoC flies into headwinds as internet ad industry braces for instability

Reinventing web advertising tech at a time of heightened privacy concern proves difficult

Analysis With Google testing its FLoC ad technology in preparation for the planned elimination of third-party cookies next year, uncertainty about potential problems and growing legal support for privacy is shaking up the digital ad industry.

The move away from third-party cookies will have significant financial impact on the ad industry, and the internet ecosystem that depends on advertising – assuming you accept studies that credit third-party cookies with meaningful [PDF] rather than minimal [PDF] revenue.

"Our analysis suggests that the publishing industry will have to replace up to $10 billion in ad revenue with a combination of first-party data gathered through a combination of paywalls and required registrations, and updated contextual targeting and probabilistic audience modeling (analytics that incorporate an array of unknown elements)," said consultancy McKinsey in a recent report.

disgusted man wincing

What the FLoC? Browser makers queue up to decry Google's latest ad-targeting initiative as invasive tracking


In place of third-party data, a number of ad industry firms expect first-party platforms – e.g. Amazon selling ads on its own website to marketers using the customer data it has collected – will prosper and perhaps challenge the Google/Facebook duopoly.

"In contrast to third-party data, which is built from third-party cookies, first-party data is gathered by businesses which have interacted directly with consumers," said Gowthaman Ragothaman, CEO of Aqilliz, a blockchain marketing analytics firm, in an email to The Register.

"Of course, digital marketers understand that it is the most powerful source of information for targeting and personalization purposes, as it provides more accurate and valuable insights into consumers’ behavior and buying patterns."

Ragothaman believes there will be more focus on first-party data, though he expects a difficult transition. "Every publisher whether in emerging markets or developed markets understands the need to build its own first-party data platform," he said. "But it is not easy. It cannot be done overnight either."

Chocolate Factory plans

Google hopes FLoC and related web plumbing proposals, referred to collectively as Google's Privacy Sandbox, will serve as substitutes for the sort of interest-based advertising and remarketing made possible by third-party cookies.

FLoC stands for Federated Learning of Cohorts. It's being built into Google Chrome browser to replace the interest-based targeting made possible by third-party cookies, which other browser makers now mostly block by default for privacy reasons and Google has agreed to drop in Chrome next year.

FLoC is a browser API that groups people into cohorts or flocks of people with similar interests, based on the web domains they visit. It makes its calculations locally, in the browser, thereby preventing people's web histories from being shared with third parties, in theory. It's supposed to provide more privacy than third-party cookies though recent repudiations by other browser makers and privacy groups show that issue hasn't been settled.


Google's 'privacy-first' ad tech FLoC squawks when Chrome goes Incognito, says expert. Web giant disagrees


Google has a number of ad tech allies that have already expressed support for FLoc, like Criteo, NextRoll, Magnite, and RTB House. But other ad tech firms like LiveRamp, Mediamath, Pacvue, and The Trade Desk are working on alternative ad targeting schemes, in part because there's an opportunity to innovate and in part because FLoC may fail.

FLoC's requirement that Chrome users be signed-in to their Google Accounts, Ragothaman observes, presents problems under Europe's GDPR data privacy rules where explicit user consent is required.

"At the moment, selected Google Chrome users are automatically added to the cohorts, without the option to opt out for their trials, which has not gone down well in the industry," he said. "If Google fails to implement measures that sufficiently address lawmakers' privacy concerns, there’s a possibility that FLoC will not become a reality in the EU."

"This would certainly have a significant impact on the advertising supply chain in the bloc once third-party cookies are phased out, given that Google commands as much as 90 per cent of the search engine market share in Europe. As such, Google has delayed their next solution, FLEDGE, by almost a year."

Zach Edwards, co-founder of web analytics biz Victory Medium, told The Register that he expects FLoC will be deployed but hopes it will be abandoned for more promising Privacy Sandbox proposals like FLEDGE.

"FloC is an automated audience creation process that is obviously not compliant with GDPR due to FLoC's opt-out framework, and FloC is brushing right up against non-compliance with value transfer user data restrictions in CCPA and other frameworks restricting automated profiling," he said. "FLoC was dreamed up by math bros at Google who wanted to try and break consent on the internet just one more time."

That sentiment has been expressed by organizations like The Electronic Frontier Foundation, which recently called FLoC "a terrible idea." But more damning is the disinterest coming from other browser makers.

Browser makers not keen

Earlier this week, Apple WebKit security and privacy engineer John Wilander expressed concern that Google's FLoC algorithm, being tested in Google's Chrome browser, can be used to construct identifiers for tracking people as they visit different websites.

Doubts about FLoC have become more evident in the past few days. Rival browser makers Brave and Vivaldi have indicated they believe FLoC poses a privacy threat and say they won't support it. Mozilla has been more cautious, merely signaling current indifference. And Wilander's worries suggest Apple isn't likely to adopt the technology in Safari, which is hardly surprising given Apple's public stance on privacy. (Apple didn't respond to a request for comment.)

That leaves Microsoft Edge as the only plausible ally among the major browser makers. Edge users have recently asked for clarification about FLoC but Microsoft has not made any formal commitment. The Register understands that's because FLoC isn't currently a web standard. If Google manages to finesse FLoC to an acceptable state then support could be forthcoming.

What concerns Wilander is that over time, Cohort IDs, the numbers assigned to the multiple interest groups that become associated with a web user, may prove useful to create a unique identifier for that individual, perhaps in combination with other device-derived data points used for browser fingerprinting.

"Before the pandemic and some time back, I attended a Mew concert, a Ghost concert, Disney on Ice, and a Def Leppard concert," he said, to illustrate his concern about the potential misuse of interest group identifiers. "At each of those events I was part of a large crowd. But I bet you I was the only one to attend all four."

The Register asked Google whether it cared to address Wilander's observations. A company spokesperson declined to comment directly but noted that FLoC is a collaborative project that is still underway and pointed out that Google mathematician Michael Kleber on Thursday posted a response to Wilander.

"This is indeed the "Longitudinal privacy" question," Kleber said. "We've been considering a few different mitigations. As you know, this is an iterative and open process, and we expect to implement one or more of these solutions in future versions of FLoC."

Work to be done

Aside from concerns about its technical soundness, the unfinished nature of FLoC makes it difficult to be certain how it will really function. It's essentially a placeholder for an improved version of itself.

Clearly, a lot of work still needs to be done. Take for example the recent W3C Privacy Interest Group (PING)'s assessment of FLoC, which argues the technology's use case is "a privacy harm in itself." Or the issue raised by Steven Englehardt, privacy engineer at Mozilla, that Google's FLoC proposal "makes false claims about the privacy properties provided by the anonymization techniques." Or Terrence Eden's question about why users would want FLoC. Or EFF technologist Bennett Cypher's observation that FLoC's SimHash algorithm may leak data.

FLoC's state of flux is compounded by Google's handling of the FLoC rollout. Edwards observes that Google's decision to opt every website into the FLoC has put visitors to government websites at risk of deanonymization by linking them to cohort groups derived from their site visits.

The way to opt-out requires setting the Permissions-Policy header interest-cohort=(), which isn't feasible for people with websites on some hosting platforms and, Edwards worries, may not have been clearly communicated to government IT admins.

Adalytics, an ad tech firm, confirmed as much when it found that websites for the European Data Protection Supervisor, the Irish Data Protection Authority, and the US National Security Agency, among others, all triggered updates for Chrome users' FLoC IDs. So in theory, an adversary operating a website could read this ID and perhaps draw conclusions about whether a visitor had previously visited specific government websites.


EFF urges Google to ground its FLoC: 'Pro-privacy' third-party cookie replacement not actually great for privacy


Edwards said he'd be happy if FLoC flops but said he expects it will be deployed despite its rocky start. "For Google, FloC is 'just the right amount of privacy, with a ton of revenue benefits' – but for end users, this automated audience creation process baked into the browser has been a cluster-FLoC since day one," he said.

Edwards expressed more enthusiasm for FLEDGE, another Privacy Sandbox proposal due for future testing that better aligns with privacy laws.

Even so, change isn't easy. Witness the W3C Technical Architecture Group's panning of First-Party Sets, another Privacy Sandbox proposal.

Gowthaman said there's still a long way to go before the industry can make a transition from third-party data to first-party.

"It requires a complete overhaul to the existing technological infrastructures that are at play," he said. "We need to capture the consent and convey the same across the digital supply chain, which requires large scale re-architecture. The industry understands the jobs to be done and the time is running out."

In the meantime, he expects cohort-based targeting is inevitable, at least until the ad tech industry settles on a solution that scales. "There are quite a few players in the ad tech ecosystem experimenting with the cookie replacement solution," he said. "Today there are as many as 80 Identity solutions in the marketplace, all trying to offer an alternative to cookies."

Whatever happens, he argues, it's imperative that the new technology infrastructure allows for legally compliant data-sharing across the digital supply chain.

Likewise, Marc Goldberg, chief revenue officer of Method Media Intelligence, a marketing analytics business, says that whatever technologies rise to replace third-party cookies, they must avoid repeating past mistakes.

"It is important that all of these options don't resurface the problem of privacy in another form," he said. "While the rates might go down (read premium for advanced targeting) and some things will break (or not work as well) in the end, the shift of spend to other mediums won't happen. Eyeballs are still online and buyers will find them. The tactics and strategies will change, which is not a bad thing." ®

Broader topics

Other stories you might like

  • Experts: AI should be recognized as inventors in patent law
    Plus: Police release deepfake of murdered teen in cold case, and more

    In-brief Governments around the world should pass intellectual property laws that grant rights to AI systems, two academics at the University of New South Wales in Australia argued.

    Alexandra George, and Toby Walsh, professors of law and AI, respectively, believe failing to recognize machines as inventors could have long-lasting impacts on economies and societies. 

    "If courts and governments decide that AI-made inventions cannot be patented, the implications could be huge," they wrote in a comment article published in Nature. "Funders and businesses would be less incentivized to pursue useful research using AI inventors when a return on their investment could be limited. Society could miss out on the development of worthwhile and life-saving inventions."

    Continue reading
  • Declassified and released: More secret files on US govt's emergency doomsday powers
    Nuke incoming? Quick break out the plans for rationing, censorship, property seizures, and more

    More papers describing the orders and messages the US President can issue in the event of apocalyptic crises, such as a devastating nuclear attack, have been declassified and released for all to see.

    These government files are part of a larger collection of records that discuss the nature, reach, and use of secret Presidential Emergency Action Documents: these are executive orders, announcements, and statements to Congress that are all ready to sign and send out as soon as a doomsday scenario occurs. PEADs are supposed to give America's commander-in-chief immediate extraordinary powers to overcome extraordinary events.

    PEADs have never been declassified or revealed before. They remain hush-hush, and their exact details are not publicly known.

    Continue reading
  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading

Biting the hand that feeds IT © 1998–2022