What is FLoC? Everything you need to know about Google’s new advertising technology to replace third-party cookies
Will “federated cohort learning” preserve user privacy? The jury is still out
Over the years, web developers have come up with dozens of cute error pages to remind visitors to enable cookies in their browsers.
Most are riffs on the eponymous baked snack (“will work for cookies”) or Sesame Street’s Cookie Monster.
But the Cookie Monster may soon have fewer job opportunities – at least that’s if Google is successful. The internet giant plans to replace at least part of the cookie ecosystem with its own technology. And these changes could have a huge impact on security and privacy on the web.
The cookie crumbles
In 2020, Google ad that it would phase out support in Chrome for “third party” cookies, which are used by advertisers, and others, to track users as they navigate the Internet.
According to Gareth Haken, an analyst at the Information Security Forum (ISF), third-party cookies are favored by large social media companies and are often placed on sites via social media buttons. But, he says, the tide has been turning against third-party cookies for some time.
Keep up to date with the latest news and data privacy breaches
Safari and Firefox blocked the technology a while ago, so Google is catching up.
“This will hasten the death of third-party cookies, especially with Chrome banning them … but it will only affect those looking to track Internet users, such as advertisers,” Haken said. The daily sip.
What will not change is the way websites use their own cookies. Cookie technology is here to stay, Google – and others – now that first-party cookies are essential for the Internet to function properly. “First party cookies are really helpful. For example, they mean you don’t have to log in every time you navigate to a new page on a website, ”says Haken. “It’s the third-party cookies that are more contentious.”
Google joins FLoC
Unlike Apple and Firefox developer Mozilla – and unsurprisingly given its reliance on ad revenue – Google isn’t removing tracking altogether. Instead, it aims to replace third-party cookies with its own technology: FLoC.
The system is part of the larger Google program Privacy sandbox initiative.
FLoC – or “Federated cohort learning” – allows advertisers to follow Internet users without revealing their identity. Instead, users will be placed into cohorts, based on their interests.
Internet privacy watchers say it’s not yet clear how this will work, although it is understood that browser history will play a role. All information will however be processed on the client side.
Google FLoC allows advertisers to track Internet users without the need for cookies
According to an article provided by Google to The daily sip, “Federated learning simply means using machine learning and analytics without collecting or storing raw data away from users’ devices.
“The main benefit of federated learning is that it enables product enhancements and privacy without requiring the upload of sensitive data to data centers. Instead, machine learning models run on users’ devices, and only calculation results are securely uploaded to servers.
“It also helps guard against potential risks associated with centralized data collection, such as theft and misuse of data from many users at a time.” (Google declined to comment further.)
Advertisers will be able to target ads to these interest groups. And, because the system combines cohorts, Google should be able to offer more granular targeting.
But it’s the intersection between the cohorts that is causing concern among privacy advocates.
FLoC and privacy red flags
Removing the need to store web user information on servers should increase privacy. And Google strongly supports that FLoC offers stronger privacy controls than third-party cookies, or alternatives such as browser fingerprint.
Google describes FloC as a “privacy-preserving API,” in part because advertisers only have access to the Cohort ID, not the identity of individual users.
But as cohorts shrink – or in advertiser discourse, become more focused – the risk of inadvertent identification increases.
“If I’m a performance motorcycle trader, anyone visiting my site will be placed in a cohort based in part on their interest in performance motorcycles,” says ISF’s Haken.
“If we say 1,000 people visit my site in a month and 500 of those people visit a soccer website as well, in theory they would be part of the football-loving motorcycle enthusiast cohort. If 300 of this cohort also visited craft beer sites, a new cohort would be formed and so on.
DON’T FORGET TO READ Raising the bar: the Tiki app aims to give data ownership back to the individual
The risk to privacy would become even greater if cohorts were created based on small geographies or other ties, such as an employer. If a single craft beer-drinking biker worked for a particular employer, it might be possible to identify that person.
Certain interests will be kept out of the cohorts – adult sites and medical information will not be tracked, for example. But, says Haken, these interests are grouped together as “sensitive” by FLoC; the system might not be able to distinguish between a history of viewing adult material and looking for, for example, symptoms of Covid-19.
Potentially, a website owner with access to their customers’ personally identifiable information could use that data to associate cohorts with individuals, Haken warns.
At this time, it’s unclear exactly how the FLoC cohorts will work in practice, but Google staff have admitted the system will not be tested in the EU, fearing it violates parts of the GDPR and the ePrivacy directive.
Instead, FLoC is tested in Australia, Brazil, Canada, India, Indonesia, Japan, Mexico, New Zealand, the Philippines, and the United States.
Privacy groups called for caution on FLoC deployment
At the barricades: why is FloC meeting resistance?
Support for FloC outside of Google appears to be limited.
The privacy group, the Electronic Frontier Foundation (EFF), for example, described technology as “a terrible idea”.
Maintainers of WordPress, the most widely used content management system (CMS), suggest that FLoC should be treated as a safety issue, while developers working with Drupal, another popular CMS platform, have similar concerns.
“So far, no major browser outside of Google Chrome is considering including an implementation of FLoC,” said Joshua Long, chief security analyst at Intego. The daily sip.
Mozilla, the developer of Firefox, has explicitly stated that it has’ no current plans to implement [FLoC] at the moment’.”
Developers of other Chromium-based browsers, including Brave and Vivaldi, are even stronger in their opposition, even though they share much of the same codebase as Google Chrome.
ADVISED Google Android’s implementation of privacy-preserving contact tracing is ‘flawed’
Since last year, the most used Chromium-based browser has been Microsoft’s Edge.
If Microsoft chooses not to support FLoC – and the company is working on its own alternative proposition, Budgie – the system might find it difficult to gain ground.
There is also skepticism about Google’s motives.
“What I’ve been saying from the start, whether it’s FLoC or [other] alternatives to cookies, it’s up to you to make the money here, ”said Cory Munchbach, privacy advocate and former industry analyst, and now COO of the platform of BlueConic customer data The daily sip.
“That’s why you can insert a layer of skepticism about this proposal. FLoC benefits Google and consolidates its influence under the guise of confidentiality. “
Most privacy and security experts, however, agree that FLoC is better than the status quo.
Whether many internet users worry about FLoC will largely depend on their perception of targeted advertising and data sharing.
Without the revenue from targeted advertising, some web businesses would undoubtedly have a hard time, although publishers will, of course, still be able to use first-party cookies.
“We’re heading to the point where we need to have a conversation about why we say the internet is free,” says Munchbach. “It has never been free!”.
Many Internet users will undoubtedly continue to voluntarily trade their privacy for free access to content.
Otherwise, blocking FLoC is relatively straightforward. “The easiest way to avoid FLoC is to literally use any browser other than Google Chrome,” says Long from Intego. And even Chrome users can block the technology by blocking third-party cookies in browser settings.
Web developers can also turn off FLoC. Consumer web applications are unlikely to be directly affected, as they use first-party cookies rather than third-party cookies.
An uncertain future for web tracking
The main impact of replacing third-party cookies by FLoC will be on advertisers. To continue tracking, they may need to join FLoC or accept that advertising can no longer be so finely targeted.
Intego’s Long suspects a cynical motive behind FLoC.
“The general idea seems to be that since a lot of people block third-party cookies anyway, Google needed an excuse to develop new tracking technology that they believe is better than cookies,” says -he.
“Google is well known as a company that derives the majority of its revenue from advertising and tracking. The fact that everyone in the industry seems to be saying ‘no’ to FLoC is quite telling.”
In the late 1800s, US retailer John Wanamaker reportedly said, “Half the money I spend on advertising is wasted; the problem is, I don’t know which half ”.
If privacy advocates are successful, this could eventually hold true for online advertisers.
YOU MAY ALSO LIKE Google and Mozilla will integrate HTML disinfection in their browsers