WordPress core contributor proposes treating Google FLoC as a security vulnerability

Let's opt every WordPress site out of FLoC. Nice idea, but security update? Really?

A proposal by a WordPress core contributor to treat Google's FLoC ad tech as a security vulnerability, and therefore backport an automatic opt-out to previous WordPress versions, shows the depth of community opposition to the technology.

FLoC (Federated Learning of Cohorts) is Google’s scheme to replace third-party cookies with an ad personalisation system based on groups of users. It has run into wide opposition from privacy advocates and browser makers, but Google has nonetheless pressed ahead with trials in the current version of Chrome.

Now a WordPress Core contributor has proposed treating “FLoC as a security concern.”

The proposal is significant because WordPress is the most popular content management system on the web, with around a 40 per cent market share according to builtwith. It relies on the fact that websites can opt out of FLoC via a new interest-cohort permission policy. This involves sending an HTTP response header:

Permissions-Policy: interest-cohort=()

If WordPress were to treat FLoC as a vulnerability and apply this header to all WordPress sites that automatically apply security patches, a substantial proportion of the web would be opted out.

Sites that specifically want to use FLoC, most likely because the site owners believe it will improve income from advertising, would be able to enable it. In effect, for WordPress sites the scheme would become opt-in rather than opt-out.

The author of the proposal, Carike, added that there is also a feature request to make the next version of WordPress, 5.8, opt-out of FLoC by default – but remarked that “5.8 is only scheduled for July 2021. FLoC will likely be rolling out this month.”

The WordPress proposal won immediate support and offers for help from other developers. “WordPress should be taking an Apple like stance on privacy with this,” said one.

Security... or privacy?

There are of course also naysayers, such as this one arguing that “those websites who want to block FLoC are likely to have the technical know-how to add in the header and disable it ... Where do we draw the line at what WordPress should be blocking in core for privacy? ... Calling it a “security concern” is just absolutely false and sets a dangerous precedent for what is security, and what is privacy.”


Google's FLoC flies into headwinds as internet ad industry braces for instability


This concern was echoed by another who said “while I agree with the overall sentiment here, I think it is a mistake to treat this as a security update and risks abusing user trust in automatic updates.”

Despite opposition from the development community, there are likely to be plenty of site owners who would rather have FLoC enabled than risk reduced advertising revenue. Much of what is called SEO (Search Engine Optimisation) is focused on how to optimise a site for Google and it is likely that supporting FLoC will simply be added to the list of steps web sites should take in order to perform at their best from a commercial perspective.

This unusual proposal does demonstrate the depth of opposition to FLoC. It also suggests that Google needs to secure W3C support in order to win support for the scheme beyond Chrome. That currently looks difficult, with WC3 bodies like the Technical Architecture Group (TAG) calling First Party Sets, another part of Google’s privacy sandbox, “harmful to the web in its current form”. Google has requested a TAG review of FLoC, but given the speed of its rollout, it is not clear how much weight the company attaches to the W3C’s views.

Last week, Google told us: "The Privacy Sandbox proposals are developed as part of a collaborative, open-source effort and we welcome feedback as we continue working with the W3C and broader web community to find solutions that improve privacy while maintaining a healthy ecosystem." ®

Similar topics

Broader topics

Other stories you might like

  • US won’t prosecute ‘good faith’ security researchers under CFAA
    Well, that clears things up? Maybe not.

    The US Justice Department has directed prosecutors not to charge "good-faith security researchers" with violating the Computer Fraud and Abuse Act (CFAA) if their reasons for hacking are ethical — things like bug hunting, responsible vulnerability disclosure, or above-board penetration testing.

    Good-faith, according to the policy [PDF], means using a computer "solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability."

    Additionally, this activity must be "carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services."

    Continue reading
  • Intel plans immersion lab to chill its power-hungry chips
    AI chips are sucking down 600W+ and the solution could be to drown them.

    Intel this week unveiled a $700 million sustainability initiative to try innovative liquid and immersion cooling technologies to the datacenter.

    The project will see Intel construct a 200,000-square-foot "mega lab" approximately 20 miles west of Portland at its Hillsboro campus, where the chipmaker will qualify, test, and demo its expansive — and power hungry — datacenter portfolio using a variety of cooling tech.

    Alongside the lab, the x86 giant unveiled an open reference design for immersion cooling systems for its chips that is being developed by Intel Taiwan. The chip giant is hoping to bring other Taiwanese manufacturers into the fold and it'll then be rolled out globally.

    Continue reading
  • US recovers a record $15m from the 3ve ad-fraud crew
    Swiss banks cough up around half of the proceeds of crime

    The US government has recovered over $15 million in proceeds from the 3ve digital advertising fraud operation that cost businesses more than $29 million for ads that were never viewed.

    "This forfeiture is the largest international cybercrime recovery in the history of the Eastern District of New York," US Attorney Breon Peace said in a statement

    The action, Peace added, "sends a powerful message to those involved in cyber fraud that there are no boundaries to prosecuting these bad actors and locating their ill-gotten assets wherever they are in the world."

    Continue reading

Biting the hand that feeds IT © 1998–2022