Third-party cookies are going extinct, but that doesn’t mean tracking is going away. Google is introducing a new tracking method called Federated Learning of Cohorts, or FLoC, as part of the “privacy sandbox” initiative it announced in 2019. Google claims its replacement for cookies will better protect user data, but many people remain unconvinced.
What Is FLoC?
With tracking cookies on the decline—partially due to many browsers blocking third-party cookies by default—Google wants to come up with another way to track user data for targeted ads. That’s where FLoC comes in.
FLoC lets advertisers use behavioral targeting without cookies. It runs in Google’s Chrome browser and tracks a user’s online behavior.
Then, it assigns that browser history an identifier and adds it to a group of other browsers with similar behaviors called a “cohort.” Supposedly, advertisers would be able to see the behaviors that people in a cohort share without being able to identify individuals within that cohort, because each person’s browser is given an anonymized ID.
User’s cohort IDs would be recalculated on a weekly basis, providing a new summary of their online behavior every week. Google claims that since there would be thousands of people in each cohort, no single person could be picked out of the group and paired with their unique browsing data.
The Case for FLoC-ing You
Google says that FLoC will allow personalized ads without the collection of data that can be tied to specific people using its products. By assigning each browser an anonymized ID and then adding that ID into a large group where only the overall patterns are accessible to advertisers, the idea is that your privacy will remain intact while advertisers still get your eyeballs.
If their proof of concept test is anything to go by, FLoC will use an algorithm called SimHash to create user IDs and assign people to cohorts. SimHash was originally created for use by Google web crawlers to find nearly identical web pages.
Since this happens on your computer, your data wouldn’t get stored on a server, which is one of the privacy concerns associated with third-party cookies. Massive amounts of user data that could be paired to individual people were harvested and then stored under unclear security protocols for an indeterminate length of time.
Google also claims that cohorts with “highly sensitive content” won’t be used. If someone frequently visits a medical website or a site that routinely publishes religious or political content, that information won’t be used to add them to a cohort and will remain private.
According to a statement published by Marshall Vale, the product manager of Google’s privacy sandbox:
“Before a cohort becomes eligible, Chrome analyzes it to see if the cohort is visiting pages with sensitive topics, such as medical websites or websites with political or religious content, at a high rate. If so, Chrome ensures that the cohort isn’t used, without learning which sensitive topics users were interested in.”
Many People Aren’t Buying It
While it may seem benign on the surface, many are speaking out against FLoC. In a post entitled “Google’s FLoC Is a Terrible Idea,” the Electronic Frontier Foundation (EFF) says that Google is using a false dichotomy when it comes to privacy.
“Instead of re-inventing the tracking wheel, we should imagine a better world without the myriad problems of targeted ads,” writes the article’s author Bennett Cyphers. He argues that our options shouldn’t be reduced to “You either have old tracking or new tracking”—there just shouldn’t be tracking, period.
And others appear to agree. Mozilla, the company behind the Firefox web browser, has said that it won’t adopt FLoC, although it is looking into other advertising options that preserve privacy. Browsers that have branched from Chrome, like Brave and Vivaldi, aren’t going to implement it. Apple has also said that it won’t use it in its Safari browser. As of April 2021, Microsoft has disabled the feature in Microsoft Edge, its Chromium-derived browser.
New Privacy Concerns
Cyphers writes that although FLoC can keep users semi-anonymous, it creates new privacy concerns by trying to address old ones while still keeping targeted ads. One of those concerns is fingerprinting.
Browser fingerprinting is the ability to take separate pieces of information from someone’s browser and construct them into a reliable identifier for a specific person. The more unique your browsing behavior, the easier you are to fingerprint because that behavior sets you apart from the group.
Since FLoC takes your browsing behavior and uses it to create an identifier before assigning you to a group, Cyphers argues that whoever wants to track you already has a lot of the work done for them. Someone trying to track a pre-FLoC Chrome user would have to pick them from a pool of millions—a cohort is only a few thousand.
In order to work for advertisers, FLoC has to share your cohort data. Sometimes, it will share that data with companies that can already identify you from, say, your login information.
If you’ve logged in to a site with Google to use a service, for example, information like your name and login credentials will already be saved. That information can be used to tie your cohort ID, which is supposed to be anonymous, to your user profile.
Cyphers argues that this sort of cross-contextual information may actually help illicit trackers be more effective. He also says that it just doesn’t make sense for every site you visit to know everything about you on first contact:
“You should have a right to present different aspects of your identity in different contexts. If you visit a site for medical information…there’s no reason it needs to know what your politics are.”
Google is already running a trial of FLoC on about 0.5% of users in regions that include Australia, Brazil, Canada, India, Indonesia, Japan, Mexico, New Zealand, the Philippines, and the United States. You can check to see whether you’re one of those users at the EFF’s site “Am I FLoCed?“