What is FLoC, Google’s cookie alternative?

Anton P. | May 11, 2021

FLoC is a new type of web tracking that Google expects to take over after the demise of third-party cookies. The latter have been a cornerstone of the advertising industry for years. Now, we finally have a glimpse of what the future of online advertising and ad targeting might look like. Unfortunately, the current proposal does not necessarily satisfy the longing for a more privacy-preserving technology. FLoC, the experimental successor to cookies, might settle a portion of the privacy concerns. However, as critical opinions come to light, we notice that FLoC might be just as problematic as cookies.

How will FLoC work?

FLoC (Federated Learning of Cohorts) is a technology that can reinvent the advertising industry. It is a part of Google’s initiative called Privacy Sandbox, prioritizing the safety and privacy of consumers.

In essence, Google’s FLoC strives to resolve individual targeting. As we have it now, third-party cookies associate online behavior with a specific user. The identifiers cookies use are anonymous, not necessarily linked to your name or other personal information. However, our browsing generates tons of data, and most of it ends up being somewhat personal.

As reported, FLoC does not create an individual ID relating to a user’s activities and preferences online. Instead, it uses the “blend in with the crowd” principle. The behavioral targeting here relies on “cohorts” or groups of people with similar interests. Let’s investigate the main principles:

  • Google will integrate FLoC into Chrome browsers.
  • These browsers will collect information on users’ habits and assign each individual to an appropriate group (cohort).
  • Cohorts will include people with similar interests, and they all will share the same ID. Thus, the ID will not identify you but the group you belong to.
  • Google claims that all cohorts will have at least a few thousand users. The more people belong to a group, the less identifying it becomes.
  • The system uses SimHash to create groups and IDs. The advantage here is that SimHash can work locally on users’ devices. It means that there might be no need to store the behavioral data externally.
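To make the SimHash point concrete, here is an added sketch (not Chrome's implementation and not code from the original article) of how a browser could derive a cohort ID locally from visited domains. The fingerprint width, the prefix length, the use of SHA-256, and all domain names are assumptions chosen for illustration.

```python
import hashlib

BITS = 32        # fingerprint width (assumed for this sketch)
COHORT_BITS = 8  # leading bits kept as the shared cohort ID (assumed)


def domain_hash(domain: str) -> int:
    """Stable BITS-wide hash of one visited domain."""
    digest = hashlib.sha256(domain.lower().encode("utf-8")).digest()
    return int.from_bytes(digest[:BITS // 8], "big")


def simhash(domains) -> int:
    """Bit i is set when more than half of the domain hashes have bit i set."""
    votes = [0] * BITS
    for domain in {d.lower() for d in domains}:  # a set: repeat visits count once
        h = domain_hash(domain)
        for i in range(BITS):
            votes[i] += 1 if (h >> i) & 1 else -1
    return sum(1 << i for i, v in enumerate(votes) if v > 0)


def cohort_id(domains) -> int:
    """The only value that leaves the device in this sketch: a short prefix."""
    return simhash(domains) >> (BITS - COHORT_BITS)


def hamming(a: int, b: int) -> int:
    """Number of bit positions in which two fingerprints differ."""
    return bin(a ^ b).count("1")


if __name__ == "__main__":
    # Constructed histories, not real data.
    shared = [f"site{i}.example" for i in range(40)]
    users = {
        "alice": shared + ["bikes.example"],
        "bob": shared + ["cars.example"],
        "carol": [f"other{i}.example" for i in range(41)],
    }
    for name, history in users.items():
        print(f"{name:5} {simhash(history):032b} cohort={cohort_id(history)}")
    a, b, c = (simhash(users[n]) for n in ("alice", "bob", "carol"))
    print("alice vs bob  :", hamming(a, b), "bits differ")
    print("alice vs carol:", hamming(a, c), "bits differ")
```

Because each output bit is a majority vote over the history, overlapping histories tend to produce nearby fingerprints, which is what lets similar users land in the same cohort without the raw history leaving the device.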

A controversial beginning

So, Google FLoC will make your browser (Chrome) be the one to identify you instead of third-party trackers. The trial for FLoC began in March, affecting 0.5% of Chrome users. Currently, Google limits its testing to consumers in Canada, Australia, Brazil, Indonesia, India, Mexico, Japan, New Zealand, the US, and the Philippines. Some key points of the trial include the following details:

  • Any Google Chrome user can sign up for the trial.
  • Google states that it is working with over 33,000 cohorts during this stage of testing.
  • Google has said it is working to avoid grouping people into sensitive categories. The latter means that cohorts would not relate to race, sexuality, or medical conditions.
  • One of the red flags is that Google started its experiment somewhat secretly and without getting consent from participants.
  • In addition to regular users, websites started participating in the trial without prior notice. As a result, they lost some of their control over visitors’ data. There seems to be a fix: web owners can send an HTTP header to opt out of the trial. However, not everyone can do this, as some do not have control over headers.
  • The tech giant also expects the trial to continue until July 2021. By then, it should affect 5% of Chrome users.
  • EFF has actively discussed FLoC, arguing that it is far from a privacy-preserving system. According to the Electronic Frontier Foundation, starting a trial on unsuspecting Chrome users violates their trust.
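For site owners, the opt-out header mentioned in the list above was documented during the trial as `Permissions-Policy: interest-cohort=()`. The following added example (not from the original article) checks a captured set of response headers for that opt-out; the function names and sample header values are constructed for illustration.

```python
def split_directives(value: str):
    """Split a Permissions-Policy value on commas that are outside quoted strings.
    Backslash-escaped quotes inside strings are not handled in this sketch."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def floc_opted_out(headers) -> bool:
    """headers: iterable of (name, value) pairs from one HTTP response.
    True only when interest-cohort carries an empty allowlist, i.e. '()'."""
    opted = False
    for name, value in headers:
        if name.lower() != "permissions-policy":
            continue
        for directive in split_directives(value):
            feature, _, allow = directive.partition("=")
            if feature.strip().lower() != "interest-cohort":
                continue
            allow = allow.strip()
            if allow.startswith("(") and ")" in allow:
                inner = allow[1:allow.find(")")]
                opted = inner.strip() == ""  # the last occurrence wins
            else:
                opted = False                # e.g. '*' allows every origin
    return opted


if __name__ == "__main__":
    # Constructed sample responses, not captured from real sites.
    samples = {
        "opted out": [("Permissions-Policy", "interest-cohort=()")],
        "no header": [("Content-Type", "text/html")],
        "allows all": [("Permissions-Policy", "interest-cohort=*")],
    }
    for label, hdrs in samples.items():
        print(f"{label:10} -> opted out: {floc_opted_out(hdrs)}")
```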

Furthermore, the current trial amplifies the tracking users get to experience. Third-party cookies are still alive and well. Thus, FLoC IDs complement the behavioral profiles advertisers already have.

The only way to avoid this trial is by turning off third-party cookies in Chrome. In the future, Google promises to add more control over their Privacy Sandbox. EFF has also introduced a page for checking whether users are a part of the trial.

What are the main issues with FLoC?

Digital privacy advocates highlight the problems that Google’s FLoC would bring. Many browsers that use the open-source Chromium project have subtly rejected the new technology. Brave, Edge, Vivaldi, and Mozilla have all stated that they have no current plans for integrating FLoC into their services.

Other competitors also take the stage to announce their plans to block FLoC. For instance, DuckDuckGo offers its extension for evading the new tracking scheme.

But why is Google, for the most part, alone in this new proposal?

FLoC as a possible supplement to browser fingerprinting

Browser fingerprinting means identifying users according to their browsers. Specialists argue that cohorts can assist fingerprinting by narrowing down the scope. Instead of distinguishing your browser from millions, it will only have to deal with thousands.

While Google promises to address the issue, there are no exact proposals mentioned. Fingerprinting has been a problem for years, and browsers like Firefox and Safari have contributed to its resolution. In many ways, FLoC will create a whole new set of issues with no practical risk mitigation.

Problems in Europe

The European Union has relatively high standards for new technology, namely thanks to GDPR. Thus, the FLoC trial does not include users from Europe. Instead, many regulators express concern over the new technology and whether it violates the current GDPR guidelines. According to them, FLoC is essentially all about processing personal data.

Therefore, such acts require two things: explicit consent and full disclosure about these procedures. There are also other concerns like just how identifying cohorts would be. As a result, Google has a long way to go to satisfy the GDPR requirements.

Cross-content exposure

EFF also fears that entities could associate specific cohorts with individuals. They could pair cohorts with other means of identification, like login. The problem intensifies since every website you visit will know a lot about you without tracking you. And, depending on the cohort you belong to, the revealed information could be unnecessary. For instance, retailers should not learn your political views, medical conditions, or other sensitive details.

Many issues, no practical solutions

Specialists have pointed out many problems that FLoC faces. Even though Google pledges to resolve most of them, the controversial technology is not a fan favorite for a reason. Many issues mentioned have deep roots, such as fingerprinting. Thus, experts fear that Google might not address them adequately.

FLoC and sensitive characteristics

Google will use an unsupervised algorithm to generate cohorts. In theory, it should group people according to their interests and behavior. But how can Google prevent clustering according to gender, ethnicity, income, or mental health? No matter how you look at it, avoiding this correlation is difficult.

Google claims to monitor the outputs for mitigating such risks. However, that would mean massive audits and the continuous reconfiguration of the whole algorithm.

Final notes

Google’s decision to phase out support for third-party cookies was a cause for celebration. Many saw it as an opportunity to transform the world’s leading browser. However, Google’s decisions and claims have been a let-down. Instead of building a privacy-preserving ecosystem, they chose to invent a new way of tracking users.

Thus, FLoC does not really address any of the issues users currently face. Instead, it is more about helping advertisers target ads after third-party cookies. In the end, it might seem that Google simply swaps the old tracking system for a new one.

If FLoC is not something you wish to be a part of, turn off third-party cookies in Chrome. This change means that Google will not include you in the trial. However, if FLoC seems to be the last straw for you, turn to more privacy-focused alternatives like Mozilla or Brave. For a search engine, try DuckDuckGo.

Anton P.


Former chef and the head of Atlas VPN blog team. He's an experienced cybersecurity expert with a background of technical content writing.


© 2021 Atlas VPN. All rights reserved.