linkedlist:

About FLoC (Federated Learning of Cohorts)

#28 · (updated 2021-06-10) · privacy

What is FLoC?

FLoC is an initiative from Google to cluster similar users into groups. Google claims it is a "privacy-preserving mechanism", while it actually makes user tracking even easier. FLoC is already included in Chrome 89 and above. It is being trialed on millions of Chrome users, but will likely be activated for all Chrome users in the future.

As a user moves around the web, their browser uses the FLoC algorithm to work out its "interest cohort", which will be the same for thousands of browsers with a similar recent browsing history. The browser recalculates its cohort periodically, on the user's device, without sharing individual browsing data with the browser vendor or anyone else.

Advertisers (sites that pay for advertisements) can include code on their own websites in order to gather and provide cohort data to their adtech platforms (companies that provide software and tools to deliver advertising). [...] From other advertisers, the adtech platform learns about other interests of those cohorts.

Subsequently, the ad platform can use this data to select relevant ads (such as an ad for hiking boots from the shoe store) when a browser from one of those cohorts requests a page from a site that displays ads, such as a news website.
https://web.dev/floc/

Why it is problematic

FLoC does not stop tracking of users at all. It even gives sites another way to track them.

Sites that know a person’s [personally identifiable information] (e.g., when people sign in using their email address) could record and reveal their cohort. This means that information about an individual's interests may eventually become public.

[...]

The expectation is that the user’s FLoC will be updated over time, so that it continues to have advertising utility. The privacy impacts of this need to be taken into consideration. For instance, multiple FLoC samples means that more information about a user’s browsing history is revealed over time.

[...] if cohorts can be used for tracking, then having more interest cohort samples for a user will make it easier to reidentify them on other sites that have observed the same sequence of cohorts for a user.
https://github.com/WICG/floc

Google has promised that the vast majority of FLoC cohorts will comprise thousands of users each, so a cohort ID alone shouldn’t distinguish you from a few thousand other people like you. However, that still gives fingerprinters a massive head start. If a tracker starts with your FLoC cohort, it only has to distinguish your browser from a few thousand others (rather than a few hundred million).

[...]

This means every site you visit will have a good idea about what kind of person you are on first contact, without having to do the work of tracking you across the web. Moreover, as your FLoC cohort will update over time, sites that can identify you in other ways will also be able to track how your browsing changes. Remember, a FLoC cohort is nothing more, and nothing less, than a summary of your recent browsing activity.
https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea

Disable it as a Website Owner

[...] a site can opt out of all FLoC cohort calculation by sending the HTTP response header:

Permissions-Policy: interest-cohort=()

https://github.com/WICG/floc
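
One way to send this header from a Python web application, as an added example that is not from the original page or the FLoC project: a WSGI middleware that keeps any other Permissions-Policy directives and replaces an existing interest-cohort entry with the opt-out. The names FlocOptOut, merge_policy, split_directives, sample_app and collect_headers are hypothetical, and the splitter assumes no backslash escapes inside quoted strings.

```python
# Added example (not from the original page): WSGI middleware that sends
# "Permissions-Policy: interest-cohort=()" on every response.
OPT_OUT = "interest-cohort=()"

def split_directives(value):
    """Split a Permissions-Policy value on commas outside quoted strings."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def merge_policy(existing):
    """Keep other directives, replace any interest-cohort one with the opt-out."""
    kept = [d for d in split_directives(existing)
            if d.split("=", 1)[0].strip().lower() != "interest-cohort"]
    return ", ".join(kept + [OPT_OUT])

class FlocOptOut:
    """Hypothetical middleware name; wraps any WSGI application."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def patched(status, headers, exc_info=None):
            name = "permissions-policy"
            existing = ", ".join(v for k, v in headers if k.lower() == name)
            out = [(k, v) for k, v in headers if k.lower() != name]
            out.append(("Permissions-Policy", merge_policy(existing)))
            return start_response(status, out, exc_info)
        return self.app(environ, patched)

def sample_app(environ, start_response):
    # Constructed app whose existing policy would leave FLoC enabled.
    start_response("200 OK", [("Content-Type", "text/plain"),
        ("permissions-policy", "geolocation=(self), interest-cohort=*")])
    return [b"ok"]

def collect_headers(app):
    """Call a WSGI app once and return the response headers it sent."""
    seen = {}
    def fake_start(status, headers, exc_info=None):
        seen["headers"] = headers
    list(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/"}, fake_start))
    return seen["headers"]
```

Running collect_headers(FlocOptOut(app)) against your own application in a test suite confirms that exactly one Permissions-Policy header is sent and that it carries the opt-out.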

Avoid it as a User

Do not use Chrome. Use Firefox or most other browsers that are not based on Chrome.

Resources