undefined | Better HN

0 pointsmanigandham4y ago0 comments

No, web and apps are very different environments. Websites used cookies to track users across sites from a 3rd-party company/domain. But cookies were constantly deleted and each domain had its own cookies so matching profiles was always rough. Apps all used the same long-lived device-level ID, allowing them to share data about the same profile much easier while having access to more details from APIs (like GPS and bluetooth).

The web saw ad blocking, tracking protection, and privacy regulation which eliminated 3rd-party cookies - but apps were overlooked for a long time. Apple and Google finally added more API permissions and removed this device ID meaning that apps are now in the same place as websites. FLoC is just a way to solve for targeting by creating interest-based cohorts within your browser that don't reveal personal details.

However none of this affects 1st-party tracking. The more you share with an app or site, the more they know, and if you login then they obviously know who you are. They can also still share that data with Facebook (subject to regulations). The major change here is to stop tracking in anonymous situations (like app installs that won't know which device clicked on an ad and then installed on app), not to stop all data collection.

0 comments

choppaface4y ago

> The major change here is to stop tracking in anonymous situations (like app installs that won't know which device clicked on an ad and then installed on app), not to stop all data collection.

Let's suppose you use Google or Facebook to discover an e-commerce site, and then you visit that site "anonymously", and then put something in your cart. Maybe you even convert.

If the site has a "log in with {Google,Facebook,etc}" pop-up, then Google/Facebook (even if you do NOT log in) can join your visit with whatever else data they have. (I think Faceboook says, or said, something in their TOS that they won't but I wouldn't trust that-- they're recording the hit to their pop-up after all).

Google / Facebook will already record your click that lead to the site. Now, you might not be logged in to Google or Facebook on the device visiting the third party site, but if anything else on the local network is logged in, then they derive data from your visit even if it's "anonymous." Even the regional impression gives them value.

So here's the deal though: that e-commerce site "owns" that session and impression. At the very least, they paid to serve it. What FLoC and this Android change do is make it harder for Google/Facebook competitor (e.g. Amazon ads, Microsoft, Verizon/Oath, AT&T, etc) from finding something that can join the user visit to whatever data they already have. That makes the impression to the e-commerce site less valuable because now only Google/Facebook can derive data from it.

Moreover, Google / Facebook are going to target ads based upon that visit. Maybe not ads delivered to that user, and maybe not delivered on that e-commerce site (or for them), but they're going to derive targeting value nevertheless. So if the e-commerce site ever wants to run ads, FLoC and this Android setting should in theory make competitors to Google weaker.

So there's a lot of discussion about privacy here, but in the macro I can't help but see FLoC and this Android change as a way to protect Google's monopoly, and Facebook's moat over their own space.

When it comes to mobile, though, I thought there was already so much fragmentation between browsers / quirks, display settings, other User Agent meta, and IP addresses that fingerprinting without cookies was a lot easier than on the Desktop. And by now, many users have transitioned from Desktop to Mobile, making any other previously joined fingerprints more valuable (something Google or Facebook could do, but maybe not ATT/Verizon). So the Android opt-out really only hurts new properties or ad providers who are starting fresh, right?

manigandhamOP4y ago

Yes, Facebook and Google both learn from your actions on their site, including the outbound links. They can infer interests from that.

However most sites, like in your example, also include their analytics tools and directly send them data. Ecommerce stores will often report conversions with your email address to G/FB so that you can be targeted for ads as a return customer. A lot of the data collection is done like this where other businesses do the actual collecting and sending.

Mobile is much worse with privacy. The web has to deal with constantly changing security rules, limited APIs, and purged data. On mobile, most usage is in apps which have strong identifiers that never change, and access to far more system level data and APIs. They can - and do - leak far more data. That's why you have expose articles that show that people were tracked by location for entire weeks at a time, which is not possible at all with websites.

FloC is only for anonymous situations. If you're already logged into G/FB and are on their sites, or accessing their resources as a 3rd-party, then they already know you are. FLoC and similar tech is used for when you identity isn't known, and then your browser provides rough categories of interests based on what sites you saw before. Remember the ultimate control over privacy is you and what data you willingly send. Many people login and post everything themselves, thereby being their own worst enemy when it comes to privacy.

j / k navigate · click thread line to collapse