Glad to see WP taking a stand - I never knew that FLOC would be so bad. The WP proposal made it clear that it’s a discriminatory technology.
So if Google finds that too many people use the header, they can just decide to ignore it from now on. Who is going to prevent them from doing that?
This blows my mind every time. Even though I know it.
Why do you think Google hasn't prevented adblockers from running on it? If they did so, it would sink the browser so quickly.
By domains or by visits?
Currently, for A/B testing, FLoC is automatically opting-in 0.5% of sites that serve ads, but that's only for a small testing population, the idea is that FLoC history contribution will be opt-in exclusively. (There's a proposal that you have to contribute to FLoC history calculations to get access to a user's FLoC identifier)
You send me a bunch of data, including headers, and I'm more or less free to do with that what I want within the privacy of my own browser. I don't have to listen to any of your headers if I don't want to.
All of this has been happening with tracking cookies, fingerprint tracking, pixel tracking and so on. And will continue to happen.
I find it so bizarre it took Google to talk about phasing out 3rd party cookies and replacing it with a much lesser technology in the face of FLoC, for people to suddenly be all up in arms about it.
FLoC is a new thing which is just being rolled out, so it's a lot easier for people to resist adding a new thing that makes the internet more crappy and less private.
I think it's unnecessarily fatalist to say that all of this will continue to happen so what's the point of resisting it. Public awareness and negative opinion of the pervasiveness and creepiness of internet tracking continues to grow, and advocacy against tracking mechanisms helps create the type of groundswell which could actually shift public policy to forbid such tracking.
Google specifically is catching some heat for potential antitrust problems, so raising a ruckus about Google abusing its dominant browser position to cram FLoC into the internet is more likely to have positive effect than ever before.
Not true, Firefox and Safari have had them off by default for over a year now. Additionally Chrome had planned to turn them off last year but then cried "covid" which for some reason = delay... because... think of the adverts! I mean covid!
Anyway, I'm pretty sure any large websites relying on 3rd party cookies for functionality will have already experienced users blocking issues. We have and have already been forced to change, we don't do ads, but our use case is a bit esoteric in that it needed 3rd party cookies for sessions.
I don't see really any non-tracking reason for FLoC
What exactly about FLoC is making the internet less private though? Every time I see the technology it seems that it's deliberately built to keep private data in your Chrome browser and leak significantly less than anything else Ad related right now.
Also, why is WordPress allowing so many ad and analytics tracking plugins and not considering those as security issues?
Also what's this "predatory targeting of unsophisticated consumers" about? You don't need targeting for this. Heck you don't need anything for this. The way it's usually carried out is you hack some sites and redirect them to your landing page about "this one magic trick to riches, banks hate her".
Here we find people saying (through legislative and regulatory action) that they want to end the use of 3rd party cookies because the bad behaviors they enable, and they are rightly outraged at the efforts to comply with the letter of the law while running roughshod over the intent of the laws.
And FLoC is... well, it's new.
It's not pretty but on the other end... ads do serve a function. And not all ads are bad. The focus should be on getting rid of the scammy ones, and not tracking won't help much with that.
As other comments point out, it would be more difficult for people to "be all up in arms" about third party cookies because third party cookies is not an issue that is easily attributable to one entity nor one set of documentation.
The idea that you can explain FLoC, third party cookies or any other digital advertising technology to the public is crazy talk.
Ad tech is extremely complex and constantly evolving - “the public” includes children, the intellectually disabled, the mentally ill, the elderly and the illiterate.
No amount of documentation is going to help these people reach a point where they could actually be considered as giving “informed consent” to their “use” of an ad-tech stack that often involves dozens of different legal entities and software components.
“why it is not a threat to privacy”
The entire purpose of FLoC is to maximise profit for Google by minimising my privacy.
1. People are starting to get fed up with tracking of all kinds (including third-party cookies). This is happening gradually, but is increasing. A consequence of this can also be seen from the legal side in the form of GDPR.
2. Google sees the tides on tracking are turning and tries to preempt by proposing a superficially less problematic alternative (FLoC) that will be least detrimental to their tracking business.
3. People dislike FLoC because it is not sufficiently lessened in this new normal and is therefore also unacceptable.
"Kill it before it lays eggs." but do we worry about what evolves from this if it dies?
Nothing really evolves here - status quo is what stays. You continue to be tracked head to arse on everyone's servers, the media keeps adding 150 trackers to every webpage and the internet moves on.
Thinking that one of the biggest profit making industries in US will just go away if you scream loud enough on HN is utterly naive and will require a better push. This approach is inherently negative and just STOPS a process - but it doesn't IMPROVE on the current state and that will require more work.
I'm not quite sure what that work would be though - it seems that current approach is "this gigantic multibillion industry must be banned and completely destroyed" which is great on a personal level, but I don't feel like it's realistic on a purely political level.
Either they realize third party cookies are on a (regulated) dead end. Or they realize there is a bigger moat. Or something else that helps them.
But in any case, seeing the current Google, this is not something benefitting their users(products?) primarily. Unless some benefits accidentally aligned.
So, pushing back towards the broken status quo may be the right thing, if you know, or believe, how Google is going to benefit from the new FLoC.
I cannot evaluate that. But Google's track record does not offer me confidence their new tech is going to help me overcome the issues I have with the status quo.
Which industry? Online advertising? Or the whole sector with Google at the front? I think it's a mistake to assume that tracking and the massive trading in personal information that takes place now is somehow foundational to either industry. Advertising worked before that was a thing and it will continue to work after. The amount of money flowing into advertising won't be dramatically changed because advertising is necessary.
It might be that if online advertising was significantly dumber, money would be shifted from online to print/tv/whatever, but that doesn't mean it's somehow "gone".
Also, if dumber ads are the only ads you can buy, then dumber ads will cost more. Now clever ads (ads with fraud prevention mechanism, conversion tracking, fantastic targeting) cost a lot of money. A dumb ad shown to every visitor to a website without any targeting or followup wouldn't bring much money per visitor. But if that dumb ad was what you could do and your other option is a bus stop ad - then you might have to pay a premium for that too. The loss of the ability to track people wouldn't change the laws of supply and demand for advertising space.
[1] https://www.statista.com/statistics/183523/online-advertisem...
We just need to continue to make it increasingly impractical and expensive to track users until it stops being considered a viable business strategy.
That sounds... optimistic since you needed Google to form that "we".
This seems disanalogous. FLoC requires browser cooperation. The user can simply use a browser other than Chrome.
> WordPress powers approximately 41% of the web – and this community can help combat racism, sexism, anti-LGBTQ+ discrimination and discrimination against those with mental illness with four lines of code:

    function disable_floc($headers) {
        $headers['Permissions-Policy'] = 'interest-cohort=()';
        return $headers;
    }
    add_filter('wp_headers', 'disable_floc');

If you seriously think this is going to make a difference in racism, of all things... I mean... do people seriously think that? Do you know what racism is anymore?
https://news.ycombinator.com/newsguidelines.html
Cherry-picking a detail you find most provocative in an article and importing it here to express how provoked you feel is a way of setting the thread on fire—no doubt unintentionally [1], besides which the greater part of the problem is caused by the upvotes such things attract—but still, we don't want threads-on-fire. We're trying for something different than that.
Readers should leave tangential provocations where they find them, and commenters should comment on what gratifies their intellectual curiosity, as the guidelines ask.
Edit: also, please don't use HN primarily for political or ideological battle. It's not what this site is for, and it destroys what it is for, so we ban accounts that cross that line [2], and your account's recent history seems to have crossed it. Fortunately that seems to be a recent development so it should be easy to fix.
[1] https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor...
[2] https://hn.algolia.com/?sort=byDate&dateRange=all&type=comme...
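Added example, not part of the thread or of the WordPress proposal: the wp_headers filter quoted further up assigns the whole Permissions-Policy entry, so a value already stored under that key in the array is replaced. This Python sketch merges interest-cohort=() into an existing value and checks a response for the opt-out; the function names and sample headers are constructed for illustration.

```python
OPT_OUT = "interest-cohort"  # feature name used by the quoted filter


def split_directives(value):
    """Split a Permissions-Policy value into (feature, allowlist) pairs,
    breaking only on commas outside parentheses and double quotes."""
    parts, buf, depth, quoted = [], [], 0, False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch == "(":
            depth += 1
        elif not quoted and ch == ")":
            depth = max(depth - 1, 0)
        if ch == "," and depth == 0 and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        feature, _, allowlist = part.strip().partition("=")
        if feature.strip():
            pairs.append((feature.strip().lower(), allowlist.strip()))
    return pairs


def with_floc_opt_out(existing):
    """Keep every directive already present and set interest-cohort=()."""
    pairs = [(f, a) for f, a in split_directives(existing or "") if f != OPT_OUT]
    pairs.append((OPT_OUT, "()"))
    return ", ".join(f"{f}={a}" if a else f for f, a in pairs)


def opts_out(headers):
    """True if the combined Permissions-Policy ends up with an empty
    allowlist for interest-cohort. `headers` is a list of (name, value)."""
    values = [v for n, v in headers if n.lower() == "permissions-policy"]
    policy = dict(split_directives(", ".join(values)))  # later duplicate wins
    return policy.get(OPT_OUT, "").replace(" ", "") == "()"


if __name__ == "__main__":
    # Constructed sample: a site that already restricts two features.
    before = "geolocation=(self), camera=()"
    print(with_floc_opt_out(before))
    print(opts_out([("Permissions-Policy", before)]))
    print(opts_out([("Permissions-Policy", with_floc_opt_out(before))]))
```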
But it really makes me distrustful of the whole proposal when people make wild claims like that and don't feel like they need to make even the briefest attempt to back it up. It seems a lot more like they're just taking the currently trending social cause and co-opting it to support their own unrelated agenda.
> Observers may learn that in general, members of a specific cohort are substantially likely to be a specific type of person. For example, a particular cohort may over-represent users who are young, female, and Black; another cohort, middle-aged Republican voters; a third, LGBTQ+ youth. This means every site you visit will have a good idea about what kind of person you are on first contact, without having to do the work of tracking you across the web.
I could be wrong of course, if so, please explain how.
This is the digital equivalent of trying to be “race blind.” You can’t just remove the race column in your db and assume that it’s fine to torture your data for patterns, secure that your results won’t correlate to race.
A lot of this is reminiscent of the hyperbole over AMP.
https://www.theverge.com/2021/4/16/22387492/google-floc-ad-t...
If they are not benefiting and Google is benefiting they may pass on that.
We've reverted the title in keeping with the site rule: "Please use the original title, unless it is misleading or linkbait; don't editorialize." (https://news.ycombinator.com/newsguidelines.html).
However, this does have more gravitas than a random blog post elsewhere, as those with the ability to publish are contributors to the project who have made significant contributions.
Take this post as if it’s an emailed proposal to a project’s mailing list.
"The WordPress core development team builds WordPress! Follow this site for general updates, status reports, and the occasional code debate."
Users: We hate cookies, because they are abused to hurt our privacy by allowing advertisers to build a profile about us
Google: We have a great idea! We can get rid of 3rd party cookies and instead make your browser build profile about you and share it with everyone.
So while it’s not the holy grail it does appear to be a small step in the right direction from the status quo.
Do I understand the situation correctly? Genuinely curious.
> If I go to thing W, X, Y, and Z (where those are distinct elements with distinct fans), people within those cohorts will be indistinguishable but I will likely be the only person who has been to all 4. Therefore, you can easily identify individuals. FLoC is a crock of shit. At least you could block 3rd party cookies
While the whole framing of EFF et al. is put in a way that does not allow for even a small doubt that the proposal is just the worst thing ever with no redeeming qualities. That framing disallows working within this feature to modify browsers to send the required headers.
Not quite? Maybe this will add more bits that will be useful for fingerprinting, but this seems like an absurd way for Google to go about making it easier to fingerprint browsers, considering that most browsing happens over Chrome where Google can see what pages everyone visits anyway. And Google is currently proposing adding anti-fingerprinting measures [0] that observe how many bits of information a website has gathered and block API access after it reaches a certain threshold.
A straightforward analysis of Google's motivations makes sense here: they want to keep their ad business profitable while improving their reputation on privacy. FLOC allows targeted ads, keeping their business profitable, and doesn't rely on 3rd parties observing your browser history, improving privacy.
From https://web.dev/floc/ :
> With FLoC, the browser does not share its browsing history with the FLoC service or anyone else. The browser, on the user's device, works out which cohort it belongs to. The user's browsing history never leaves the device.
> There will be thousands of browsers in each cohort.
A further privacy improvement is that they're designing it to avoid leaking whether you're a member of a "sensitive category":
> The clustering algorithm used to construct the FLoC cohort model is designed to evaluate whether a cohort may be correlated with sensitive categories, without learning why a category is sensitive. Cohorts that might reveal sensitive categories such as race, sexuality, or medical history will be blocked. In other words, when working out its cohort, a browser will only be choosing between cohorts that won't reveal sensitive categories.
[0]: https://techcrunch.com/2019/08/22/google-proposes-new-privac...
For websites, FLoC cohort computation only triggers if you call the document.interestCohort API or load ads - these actions are considered an opt-in. (https://github.com/WICG/floc/issues/103)
For users, it's sort of opt-in, too: You must be logged into a Google account, must have enabled Chrome history data sync, must not block third-party cookies, must have enabled Google web activity tracking and must have enabled ad personalization. (https://github.com/WICG/floc#qualifying-users-for-whom-a-coh...)
Also, you can disable FLoC via chrome://settings/privacy or chrome://flags. (https://github.com/WICG/floc/issues/103#issuecomment-8218146...)
It's not a perfect opt-in, but it's also not malware.
User agents, for example, or even cookies, are not malware by any reasonable definition of the term. They present risks to the user and must be managed, but this is bounded.
I tend to roll my eyes at the blind hatred of corporations, but we also have to have both feet firmly on the ground, that these products and services are strictly tied to long-term plans for ROI. What kind of a ROI would the biggest advertising network have? Tracking, profiling and serving profiled ads.
This feels like something that should get more attention/discussion. It flew for Samesite because "better security defaults" is a good argument. Not sure it works that way for FLOC.
Despite being involved in the Samesite rollout I hadn't quite made the same connection as that commenter, as I am not as connected to the FLOC work.
>Tracking people via their cohort
>A cohort could be used as a user identifier. It may not have enough bits of information to individually identify someone, but in combination with other information (such as an IP address), it might.
Whose purpose is:
>A FLoC cohort is a short name that is shared by a large number (thousands) of people, derived by the browser from its user’s browsing history.
I wonder if it's possible to define a large enough number X that people are OK with the idea. (Cookies are effectively "1" and nothing is "3,010,000,000" ie on the internet)
Could the cohort minimum size be configurable?
Given the IP address can be known today: what's the existing accidental "FLoC proxy" or "How unique are you online?" Or "online finger print" (something I'd not thought of before: my timezone can significantly narrow down who I am) You can try using yourself on: https://amiunique.org/fp
This is a good idea, but unfortunately it would just lead to MORE ways to track users, since "size of cohort" is now a (probably very, very high entropy, given how many users never configure anything) source of information
This is not quite an opt-in. But a blanket opt-out isn't necessary either.
Then again: "final design is still subject to change based on [Origin Trial] feedback".
In the raw browser history, prior to ~hashing it to a FLoC ID, can Google anon PII while still maintaining good data analytics from the rest* of the dataset’s fields?
Priv engineer, as an engineering discipline, would argue yes.
If this is what Google does and the privacy is put through its paces (can a FLoC ID de-anon into a user?), then yeah this isn’t a bad trade off.
Use case: Google has to make money, I love Chrome’s and GSuite’s UX, priv eng’ing lets them use my data to pay for that UX while moving all the tracking in-house and ending 3rd party cookies.
Currently yes and seems like a tough problem to solve (there are trade offs but it's likely that this will never be fully solved, like encryption, you can only make it so difficult that it isn't worth doing it but not impossible to do): https://github.com/WICG/floc/issues/100
I’ll push back on it being tough to solve — unless you’ve looked into privacy engineering and have some further data in that direction.
Whole field exists to de-link PII to data that supports business analytics, and the tech is there at a non-tough level for Google to achieve.
disclosure: I don't know what FLoC is, and the OP page doesn't load. Seems to be something about web ads security.
The cohort you're in is currently determined by 1) third-party cookies 2) fingerprinting techniques. Removing third-party cookies and introducing FLoC will probably reduce the entropy provided by the user. Recall that the FLoC proposal aims to put each user in a group of several thousand other users. That's about 12 bits of entropy. A third-party cookie would probably provide more, though I don't know the number off the top of my head. You only need log2(3 billion internet users) = 32 bits to identify every internet user hyper-precisely.
So, moving to FLoC probably reduces the tracking entropy provided by the user. But it still leaves fingerprinting as a viable way to identify users. Even if both third-party cookies and FLoC were eliminated, there would still be fingerprinting.
So, I think the Google approach is "provide a minimum tracking entropy via FLoC, and try to bound maximum entropy by limiting fingerprinting." Privacy advocates want a world where browsers try aggressively to limit tracking entropy, perhaps ideally eliminating it altogether.
See the "privacy budget" mentioned here for a similar idea: https://blog.chromium.org/2019/08/potential-uses-for-privacy...
Disclaimer: I work at Google.
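The entropy accounting in the comment above, as an added example that is not part of the original thread: it measures how many identifying bits a cohort ID reveals alone and combined with other coarse signals, then applies a cap on the total. The population, the attribute names and grant_within_budget are constructed assumptions; this is a simplified model, not Chrome's privacy budget implementation.

```python
import math
from collections import Counter


def make_population(n=4096):
    """Constructed data: n synthetic users with independent coarse attributes."""
    return [
        {"cohort": i % 16, "timezone": (i // 16) % 8, "ip_prefix": (i // 128) % 32}
        for i in range(n)
    ]


def anonymity_sets(users, fields):
    """Count how many users share each combination of the given fields."""
    return Counter(tuple(u[f] for f in fields) for u in users)


def worst_case_bits(users, fields):
    """Identifying bits revealed by `fields` for the user in the smallest
    group: log2(population / size of that group)."""
    if not fields:
        return 0.0
    smallest = min(anonymity_sets(users, fields).values())
    return math.log2(len(users) / smallest)


def grant_within_budget(users, requested, budget_bits):
    """Hypothetical budget check: grant each requested signal in order only
    if the combined signals stay at or under budget_bits."""
    granted = []
    for field in requested:
        if worst_case_bits(users, granted + [field]) <= budget_bits:
            granted.append(field)
    return granted


if __name__ == "__main__":
    users = make_population()
    total = math.log2(len(users))  # bits needed to single out one user
    for fields in (["cohort"], ["cohort", "timezone"],
                   ["cohort", "timezone", "ip_prefix"]):
        bits = worst_case_bits(users, fields)
        print(f"{'+'.join(fields):30s} {bits:4.1f} of {total:.1f} bits")
    print(grant_within_budget(users, ["cohort", "timezone", "ip_prefix"], 8))
```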
Or Facebook saying "we have this idea that would improve the experience on our platforms, and we think it's a great idea despite hurting our ability to grow, show ads and our short term bottom line. It actively discourages 'engagement'".
If I had any stock in either company I'd still be delighted about these. I think it's the best long term growth strategy they can have. Focusing not on growth but on users and goodwill.