If you’ve been paying any attention recently to the world of web security, you’ve no doubt heard rumblings and mentions of Google’s latest attempt to replace third-party tracking cookies: Federated Learning of Cohorts, or FLoC.
In order to keep data tracking persistent across cohorts and allow for the differentiation of specific users, FLoC’s API generates unique IDs for all cohorts by using a hashing technique called “SimHash”. With all of these methods combined, alongside others mentioned in the whitepaper, Google guarantees that with their new tracking methodology, interest-based advertising can remain while still keeping users “private”. This claim, however, is considered dubious at best by multiple respected privacy advocates and media outlets, including the EFF.
One of the concerns I see mentioned repeatedly is that FLoC doesn’t address or seem to bypass “discrimination and predatory targeting,” according to the EFF. Another concern about FLoC is that it doesn’t contain any features, right now at least, that allow the user to decide what data they retain and share, if at all. It seems like FLoC doesn’t change or remove the practice of invasive targeting; it just moves the methodology.
What all of this means to web developers is, as I am typing this, not fully known. There are a few “solutions” to blocking FLoC cohort data collection from your site via a simple HTTP header, but this isn’t a band-aid fix as one would think. While the addition of the `Permissions-Policy` header is a step in the right direction, it isn’t a fix-all.
So, what can web developers do to combat FLoC in our own systems? Right now, there are really only two things to do: include the aforementioned `Permissions-Policy` HTTP header for every page on your site and never use the
The most reliable way to keep FLoC away from your site is to do the following, according to Rohan Kumar:
- Don’t utilize untrusted third-party services or content that could be considered an ad by Chromium.
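The `Permissions-Policy` header mentioned above only helps if it is actually sent on every page. The following Python is an added example, not code from the original post: it audits captured response headers for the opt-out. It assumes the opt-out value is `interest-cohort=()` (the post does not spell the value out) and uses constructed sample paths and headers.

```python
# Added example. Assumption: the opt-out is `interest-cohort=()` (empty allowlist).

def split_top_level(value):
    """Split a header value on commas outside parentheses and quotes."""
    parts, buf, depth, quoted = [], [], 0, False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in "()":
            depth += 1 if ch == "(" else -1
        if ch == "," and depth == 0 and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]

def parse_permissions_policy(value):
    """Return {feature: [allowlist tokens]}; [] means no origin is allowed."""
    policy = {}
    for member in split_top_level(value):
        feature, sep, allow = member.partition("=")
        if not sep:
            continue  # bare key without an allowlist: not an opt-out
        # "()" -> "", "(self)" -> "self", "*" stays "*"
        policy[feature.strip()] = allow.strip().strip("()").split()
    return policy  # a repeated feature overrides the earlier entry

def floc_opted_out(headers):
    """headers: list of (name, value) pairs from one response."""
    values = [v for n, v in headers if n.lower() == "permissions-policy"]
    return parse_permissions_policy(", ".join(values)).get("interest-cohort") == []

def pages_missing_opt_out(responses):
    return sorted(p for p, h in responses.items() if not floc_opted_out(h))

# Constructed sample data (hypothetical paths and headers).
SAMPLE = {
    "/": [("Permissions-Policy", "interest-cohort=()")],
    "/blog": [("permissions-policy", "geolocation=(self), interest-cohort=()")],
    "/shop": [("Permissions-Policy", "camera=()"), ("Permissions-Policy", "interest-cohort=()")],
    "/about": [("Permissions-Policy", "geolocation=()")],  # header present, no opt-out
    "/embed": [("Permissions-Policy", "interest-cohort=(self)")],  # still allows own origin
}

if __name__ == "__main__":
    print(pages_missing_opt_out(SAMPLE))
```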
As mentioned before, FLoC is still in an origin trial phase as of the creation of this post. There are a lot of unknowns and uncertainties right now, so a lot of misinformation, spread with malice or not, is going around. However, the blame should not fall on the web developers and system administrators of sites that don’t enact these precautions against FLoC; instead, the onus should be on Google and their R&D teams for creating FLoC in the first place.
FLoC may not exactly be the scary beast that some may portray it to be, but it sure as hell isn’t a solution to any preexisting concerns over invasive tracking.