Federated Learning of Cohorts

Type of web tracking based on browsing history

Federated Learning of Cohorts
AbbreviationFLoC
StatusReplaced by Browsing Topics API
Year started2019
OrganizationGoogle
SeriesPrivacy Sandbox
Websiteprivacysandbox.com/proposals/floc/

Federated Learning of Cohorts (FLoC) is a type of web tracking. It groups people into "cohorts" based on their browsing history for the purpose of interest-based advertising.[1][2] FLoC was being developed as a part of Google's Privacy Sandbox initiative,[3] which includes several other advertising-related technologies with bird-themed names.[1][4]: 48  Despite "federated learning" in the name, FLoC does not utilize any federated learning.[5]

Google began testing the technology in Chrome 89[6] released in March 2021 as a replacement for third-party cookies. By April 2021, every major browser aside from Google Chrome that is based on Google's open-source Chromium platform had declined to implement FLoC. The technology was criticized on privacy grounds by groups including the Electronic Frontier Foundation and DuckDuckGo, and has been described as anti-competitive; it generated an antitrust response in multiple countries as well as questions about General Data Protection Regulation compliance. In July 2021, Google quietly suspended development of FLoC;[7] Chrome 93,[8] released on August 31, 2021, became the first version which disabled FLoC, but did not remove the internal programming.[9]

On January 25, 2022, Google officially announced it had ended development of FLoC technologies and proposed the new Topics API to replace it.[10][11] Brave developers criticized Topics API as a rebranding of FLoC with only minor changes and without addressing their main concerns.

Function

FLoC in Google Chrome components.

The Federated Learning of Cohorts algorithm analyzes users' online activity within the browser, and generates a "cohort ID" using the SimHash algorithm[12] to group a given user with other users who access similar content.[13]: 9  Each cohort contains several thousand users in order to make identifying individual users more difficult,[14] and cohorts are updated weekly.[15] Websites are then able to access the cohort ID using an API[13]: 9  and determine what advertisements to serve.[16] Google does not label cohorts based on interest beyond grouping users and assigning an ID,[1] so advertisers need to determine the user types of each cohort on their own.[4]: 47 

Opting out of cohort calculation

FLoC experiment was active only in Google Chrome browser and ran from Chrome 89[6] (inclusive) to Chrome 93 (not inclusive). Modern browsers do not support FLoC. While the experiment was active, users could opt out of FLoC experiment by disabling third-party cookies. Website administrators could opt out from cohort calculation via special HTTP headers. It can be accomplished with a new interest-cohort permissions policy or feature policy, the default behavior is to allow cohort calculation. To opt-out of all FLoC cohort calculations a website could send either of the following HTTP response headers:[17]

Permissions-Policy: browsing-topics=()

or

Feature-Policy: browsing-topics 'none'

Google Chrome applies interest-cohort Feature Policy restrictions to Browsing Topics API as well.[18]

Timeline

Initial prototype

On August 22, 2019, Google Chrome developers coined the term FLoC and first started discussing the upcoming replacement for cookies.[19] In July 2020, the United Kingdom's Competition and Markets Authority found the FLoC proposal to be anti-competitive, since it would "place the browser in a vital gatekeeper position for the adtech ecosystem." Instead, the authority recommended adoption of a competing proposal called SPARROW, which maintains the same privacy-enhancing objectives but creates a different completely independent "Gatekeeper" which does not have any other role in the adtech ecosystem and does not have access to user-level information.[20]

Testing

Google began testing FLoC in the Chrome 89[6] released in March 2021[15] as a replacement for third-party cookies,[21] which Google plans to stop supporting in Chrome by mid-2023.[22] (Initially Google announced plans to remove third-party cookies by late 2021,[16] then postponed it to early 2022,[2] and then to 2023 due to delay of FLoC technology.) The initial trial turned on FLoC for 0.5% of Chrome users across 10 countries:[15] the United States, Australia, Brazil, Canada, India, Indonesia, Japan, Mexico, New Zealand and the Philippines.[23] Users were automatically placed in the trial and were not notified, but could opt out by turning off third-party cookies. Furthermore, site administrators could disable FLoC and opt out from interest calculation via a Feature-Policy header.[citation needed] The initial trial did not include users in the United Kingdom or the European Economic Area due to concerns about legality under the area's privacy regulations.[24]

FLoC shutdown

In July 2021, Google quietly suspended development of FLoC; Chrome 93, released on August 31, 2021, became the first version which rendered FLoC feature void, but did not remove the internal programming.[9][7] As of March 2022, the underlying FLoC implementation is still shipped in Chrome and can be observed on internal page chrome://components/.[citation needed] Chrome 100, released on March 29, 2022, removed most of old FLoC code.[25]

Topics API

On January 25, 2022, Google officially announced it had ended development of FLoC APIs and proposed a new Topics API to replace it.[10][11] This API would use three weeks of the browser's history to identify user interests based on defined topics. Participating websites could then call this API to get three topics which could be used to tailor advertising.[26] Developers of the Brave web browser called Topics API a "rebranding [of] FLoC without addressing key privacy issues.[27]

Reactions

Google claimed in January 2021 that FLoC was at least 95% effective compared to tracking using third-party cookies, but AdExchanger reported that some people in the advertising technology industry expressed skepticism about the claim and the methodology behind it.[28] As every website that opts into FLoC will have the same access about which cohort the user belongs to, the technology's developers say this democratizes access to some information about a user's general browser history, in contrast to the status quo, where websites have to use tracking techniques.[29][12]

The Electronic Frontier Foundation has criticized FLoC, with one EFF researcher calling the testing of the technology in Chrome "a concrete breach of user trust in service of a technology that should not exist" in a post on the organization's blog.[30][31] The EFF also created a website which allows Chrome users to check whether FLoC is being tested in their browsers.[32] The EFF criticized the fact that every site will be able to access data about a user, without having to track them across the web first.[33] Additionally on the EFF blog, Cory Doctorow praised Chrome's planned removal of third-party cookies, but added that "[just] because FLoC is billed as pro-privacy and also criticized as anti-competitive, it doesn't mean that privacy and competition aren't compatible", stating that Google is "appointing itself the gatekeeper who decides when we're spied on while skimming from advertisers with nowhere else to go."[34]

On April 10, 2021, the CEO of DuckDuckGo released a statement telling people not to use Google Chrome, stating that Chrome users can be included in FLoC without choosing to be and that no other browser vendor has expressed interest in using the tracking method.[35] The statement said that "there is no such thing as a behavioral tracking mechanism imposed without consent that respects people's privacy" and that Google should make FLoC "explicitly opt-in" and "free of dark patterns".[36] DuckDuckGo also announced that its website will not collect FLoC IDs or use them to target ads,[37] and updated its Chrome extension to block websites from interacting with FLoC.[35]

On April 12, 2021, Brave, a web browser built on the Chromium platform, criticized FLoC in a blog post and announced plans to disable FLoC in the Brave browser and make company's main website opt out of FLoC.[38] The blog post, co-written by the company's CEO Brendan Eich, described Google's efforts to replace third-party cookies as "Titanic-level deckchair-shuffling" and "a step backward from more fundamental, privacy-and-user focused changes the Web needs."[39][40]

Tech and media news site The Verge noted that not all possible repercussions of FLoC for ad tech are known, and that its structure could benefit or harm smaller ad tech companies, noting specifically that larger ad tech companies may be better equipped to "parse what FLoCs mean and what ads to target against them."[1]

On April 18, 2021, a WordPress development team proposal suggested disabling FLoC by default on WordPress websites over possible privacy issues. The proposal stated that "WordPress powers approximately 41% of the web."[41][42]

On April 27, 2021, GitHub disabled FLoC on their websites, including github.com and GitHub Pages domain github.io by introducing HTTP header Permissions-Policy: interest-cohort=(). However, GitHub Pages websites with custom domains are not affected.[43][44]

In April 2021, Drupal disabled FLoC by default in their products.[45]

In June, 2021, Amazon disabled FLoC on all websites of its companies, including its online store amazon.com, Whole Foods, Zappos, and Woot. Specialists speculated that Amazon staff might have decided to block FLoC not out of concern for user privacy, but rather as a strategic move to keep user data away from Google.[46]

Every major browser based on Google's open-source Chromium platform (other than Google Chrome) had declined to implement FLoC, including Microsoft Edge, Vivaldi, Brave, and Opera.[47]

In May 2021, The Economist reported that it may be hard for Google to "stop the system from grouping people by characteristics they wish to keep private, such as race or sexuality."[15]

Fingerprinting concerns

In May 2021, The Economist said some critics have suggested that the cohort system will facilitate fingerprinting of individual devices, compromising privacy.[15]

Wired magazine additionally reported that FLoC could "be used as a point of entry for fingerprinting".[14]

Mozilla, the creators of the Firefox browser, expressed concerns that FLoC can be used as an additional fingerprinting vector. Furthermore, they stated that a user's FLoC group can be tracked during multiple visits and correlated via different means and, based on a user's membership in multiple FLoC cohorts, a website might be able to infer information about the user which FLoC aimed to keep private. Since a FLoC cohort is shared across websites, its ID might be abused as an alternative to a unique cookie in third-party contexts.[48]

Antitrust response

In July 2020, the United Kingdom's Competition and Markets Authority found that the FLoC proposal "place[s] the browser in a vital gatekeeper position for the adtech ecosystem."[20]

In March 2021, 15 attorneys general of U.S. states and Puerto Rico amended an antitrust complaint filed in December; the updated complaint says that Google Chrome's phase-out of third-party cookies in 2022[49] will "disable the primary cookie-tracking technology almost all non-Google publishers currently use to track users and target ads. Then [...] Chrome, will offer [...] new and alternative tracking mechanisms [...] dubbed Privacy Sandbox. Overall, the changes are anticompetitive".[50][51]

In June 2021, EU antitrust regulators launched a formal investigation to assess whether Google violated competition rules, with a focus on display advertising, notably whether it restricts access to user data by third parties while reserving it for its own use. Among the things that will be investigated is Google's plan to prohibit the placement of third-party cookies and replace them with the Privacy Sandbox set of tools.[52]

GDPR compliance

As of April 2021[update], Google was not testing FLoC in the United Kingdom or the European Economic Area due to concerns about compliance with the General Data Protection Regulation and the ePrivacy Directive.[53][24][54]

Johannes Caspar, the Data Protection Commissioner of Hamburg, Germany, told Wired UK that FLoC "leads to several questions concerning the legal requirements of the GDPR," explaining that FLoC "could be seen as an act of processing personal data" which requires "freely given consent and clear and transparent information about these operations." A spokesperson of the French National Commission on Informatics and Liberty said that the FLoC system would require "specific, informed and unambiguous consent".[53]

As of April 2021[update], the Irish Data Protection Commission, which is the lead data supervisor for Google under GDPR,[24] was consulting with Google about the FLoC proposal.[53]

References

  1. ^ a b c d Bohn, Dieter (March 30, 2021). "Privacy and ads in Chrome are about to become FLoCing complicated". The Verge. Retrieved April 10, 2021.
  2. ^ a b Burgess, Matt (March 24, 2021). "Google's rivals are fighting back against Chrome's big cookie plan". Wired UK. ISSN 1357-0978. Retrieved April 10, 2021.
  3. ^ Lomas, Natasha (March 24, 2021). "Google isn't testing FLoCs in Europe yet". TechCrunch. Retrieved April 10, 2021.
  4. ^ a b Geradin, Damien; Katsifis, Dimitrios; Karanikioti, Theano (November 25, 2020). "Google as a de facto Privacy Regulator: Analyzing Chrome's Removal of Third-party Cookies from an Antitrust Perspective". Tilburg Law and Economics Center (DP2020-038). Rochester, NY. doi:10.2139/ssrn.3738107. ISSN 1572-4042. S2CID 234583355. SSRN 3738107.
  5. ^ "The Topics API - Evolution from FLoC". patcg-individual-drafts. GitHub. March 24, 2022. Archived from the original on January 25, 2022. FLoC didn't actually use Federated learning
  6. ^ a b c "Federated Learning of Cohorts". Chrome Platform Status. January 26, 2021. Retrieved February 10, 2022.
  7. ^ a b Karlin, Josh. "The Topics API - Evolution from FLoC". patcg-individual-drafts. GitHub. Retrieved January 26, 2022. FLoC ended its experiment in July of 2021.
  8. ^ Xiao, Yao (July 26, 2021). "[floc] Disable floc computation. Remove fieldtrial testing config. · chromium/chromium@5d059e4". GitHub. Archived from the original on October 31, 2023. Retrieved September 29, 2023.
  9. ^ a b "Issue 1230149: Disable floc computation". bugs.chromium.org. August 26, 2021. Retrieved September 29, 2023.
  10. ^ a b Roth, Emma (January 25, 2022). "Google abandons FLoC, introduces Topics API to replace tracking cookies". The Verge. Retrieved January 25, 2022.
  11. ^ a b Li, Abner (January 25, 2022). "Google drops FLoC and proposes new Topics API for replacing third-party cookies used by ads". 9to5Google. Retrieved January 25, 2022.
  12. ^ a b Cyphers, Bennett (March 3, 2021). "Google's FLoC Is a Terrible Idea". Electronic Frontier Foundation. Retrieved April 13, 2021.
  13. ^ a b Geradin, Damien; Katsifis, Dimitrios (February 19, 2020). "Taking a Dive Into Google's Chrome Cookie Ban". Tilburg Law and Economics Center (DP2020-042). Rochester, NY. doi:10.2139/ssrn.3541170. ISSN 1572-4042. S2CID 216269022. SSRN 3541170.
  14. ^ a b Nield, David (May 9, 2021). "What's Google FLoC? And How Does It Affect Your Privacy?". Wired. ISSN 1059-1028. Retrieved May 19, 2021.
  15. ^ a b c d e "Why is FLoC, Google's new ad technology, taking flak?". The Economist. May 17, 2021. ISSN 0013-0613. Retrieved May 19, 2021.
  16. ^ a b Morris, Ian (April 1, 2021). "Google Chrome FLoC is replacing cookies — what it means for your privacy". Tom's Guide. Retrieved April 10, 2021.
  17. ^ "1158851 - chromium - An open-source project to help move the web forward. - Monorail". bugs.chromium.org. Retrieved February 10, 2022.
  18. ^ Dutton, Sam (March 22, 2022). "Clarify interest-cohort Feature Policy directive in Browser Topics API". GitHub. Retrieved May 24, 2022. if EITHER the interest-cohort OR the browsing-topics directive turns off the API, then the API is off
  19. ^ Karlin, Josh (August 22, 2019). "Update README.md · WICG/floc@a263efa". GitHub. Retrieved January 29, 2022.
  20. ^ a b "Appendix G: the role of tracking in digital advertising" (PDF). Online platforms and digital advertising: Market study final report (Report). Competition and Markets Authority. July 1, 2020. p. 116.
  21. ^ Bruell, Alexandra (March 16, 2021). "Five Things We Know About Google's Ad Changes After Cookies". Wall Street Journal. ISSN 0099-9660. Retrieved April 10, 2021.
  22. ^ Amadeo, Ron (June 24, 2021). "Google delays FLoC rollout until 2023". Ars Technica. Retrieved June 29, 2021.
  23. ^ Clark, Kendra (May 17, 2021). "DuckDuckGo, Firefox & GitHub say 'no FLoCing way' to Google's privacy updates". The Drum. Retrieved May 19, 2021.
  24. ^ a b c Lomas, Natasha (March 24, 2021). "Google isn't testing FLoCs in Europe yet". TechCrunch. Retrieved May 1, 2021.
  25. ^ "Remove FLoC code · chromium/chromium@9255aec". GitHub. Retrieved September 18, 2023.
  26. ^ Nguyen, George (January 25, 2022). "Google kills FLoC, introduces Topics API as its next-gen targeting tech". Search Engine Land.
  27. ^ Peter, Snyder (January 26, 2022). "Google's Topics API: Rebranding FLoC Without Addressing Key Privacy Issues". Brave Browser. Retrieved March 16, 2022.
  28. ^ Schiff, Allison (January 26, 2021). "The Industry Reacts To Google's Bold Claim That FLoCs Are 95% As Effective As Cookies". AdExchanger. Retrieved April 10, 2021.
  29. ^ "Federated Learning of Cohorts (FLoC)". GitHub. Retrieved April 13, 2021.
  30. ^ "EFF technologist cites Google "breach of trust" on FLoC; key ad-tech change agent departs IAB Tech Lab". Information Trust Exchange Governing Association. Retrieved April 10, 2021.
  31. ^ Cyphers, Bennett (March 30, 2021). "Google Is Testing Its Controversial New Ad Targeting Tech in Millions of Browsers. Here's What We Know". Electronic Frontier Foundation. Retrieved April 10, 2021.
  32. ^ Lekach, Sasha (April 11, 2021). "Chrome users, check if Google is tracking you with new targeted advertising". Mashable. Retrieved April 11, 2021.
  33. ^ Davis, Wendy (March 17, 2021). "Google Plan For Cookie-Less Targeting Is Anticompetitive, States Claim". MediaPost. Retrieved April 10, 2021.
  34. ^ Doctorow, Cory (April 21, 2021). "Fighting FLoC and Fighting Monopoly Are Fully Compatible". Electronic Frontier Foundation. Retrieved May 1, 2021.
  35. ^ a b "DuckDuckGo is asking people to block Google's new tracking method". Hindustan Times. April 10, 2021. Retrieved April 11, 2021.
  36. ^ Saroha, Aditya (April 12, 2021). "Google's new ad tracking tool called into question by rival search engine". The Hindu. ISSN 0971-751X. Retrieved April 12, 2021.
  37. ^ Khan, Sieeka (April 10, 2021). "Google to Launch Replacement for Third-Party Cookies, and DuckDuckGo Wants to Block it". Tech Times. Retrieved April 12, 2021.
  38. ^ Thurrott, Paul (April 12, 2021). "Brave is Blocking Google FLoC". Thurrott.com. Retrieved April 13, 2021.
  39. ^ Varghese, Sam. "Brave browser chiefs slam Google's new experimental ad-targeting tech". IT Wire. Retrieved April 13, 2021.
  40. ^ Snyder, Peter; Eich, Brendan (April 12, 2021). "Why Brave Disables FLoC". Brave blog. Retrieved April 13, 2021.
  41. ^ Carike (April 18, 2021). "Proposal: Treat FLoC like a security concern". WordPress. Retrieved April 20, 2021.
  42. ^ Schoon, Ben (April 19, 2021). "WordPress could turn FLoC off by default". 9to5Google. Retrieved April 20, 2021.
  43. ^ "GitHub disables Google FLoC user tracking on its website". BleepingComputer. Retrieved June 2, 2021.
  44. ^ "GitHub Pages: Permissions-Policy: interest-cohort=() Header added to all pages sites". The GitHub Blog. April 27, 2021. Retrieved June 2, 2021.
  45. ^ "Add Permissions-Policy header to block Google FLoC". Drupal.org. April 19, 2021. Retrieved March 9, 2022.
  46. ^ "Amazon is blocking Google's FLoC — and that could seriously weaken the system". Digiday. June 15, 2021. Retrieved July 17, 2021.
  47. ^ Bohn, Dieter (April 16, 2021). "Nobody is flying to join Google's FLoC". The Verge. Retrieved April 17, 2021.
  48. ^ Rescorla, Eric (June 10, 2021). "Privacy analysis of FLoC". The Mozilla Blog. Retrieved June 12, 2021.
  49. ^ Robertson, Adi (March 16, 2021). "Google antitrust suit takes aim at Chrome's Privacy Sandbox". The Verge. Retrieved April 13, 2021.
  50. ^ Holt, K (December 16, 2020). "Texas announces a multi-state antitrust suit against Google". Engadget. Retrieved April 13, 2021.
  51. ^ Masnick, Mike (March 16, 2021). "Google's Efforts To Be Better About Your Privacy, Now Attacked As An Antitrust Violation". Techdirt. Retrieved April 13, 2021.
  52. ^ Brodkin, Jon (June 22, 2021). "EU antitrust regulators launch probe into Google's FLoC plan". Ars Technica. Retrieved June 22, 2021.
  53. ^ a b c Burgess, Matt (April 29, 2021). "Google's plan to eradicate cookies is crumbling". Wired UK. ISSN 1357-0978. Retrieved May 1, 2021.
  54. ^ Lepitak, Stephen; Southern, Lucinda; Shields, Ronan (March 24, 2021). "Google's Post-Cookie Targeting Plans Hit GDPR Hurdle". AdWeek. Retrieved May 1, 2021.

External links

  • Am I FLoCed?—EFF website reporting to users if FLoC is enabled[1]
  • FLoCs explained at the Privacy Sandbox Initiative website
  • More detailed
  • FLoC Origin Trial & Clustering – infos from the Chromium project
  • v
  • t
  • e
Company
Divisions
People
Current
Former
Real estate
Design
Events
YouTube
Projects and
initiatives
Criticism
YouTube
Operating systems
Libraries/
frameworks
Platforms
Apigee
Tools
Search algorithms
Others
File formats
Entertainment
Play
YouTube
Communication
Search
Navigation
Business
and finance
Organization
and productivity
Docs Editors
Publishing
Education
Others
Chrome
Images and
photography
Hardware
Smartphones
Laptops and tablets
Wearables
Others
  • v
  • t
  • e
Advertising
Antitrust
Intellectual property
Privacy
Other
  • Category
Terms and phrases
Documentaries
Books
Popular culture
Others
  1. ^ Lekach, Sasha (April 11, 2021). "Chrome users, check if Google is tracking you with new targeted advertising". Mashable. Retrieved April 11, 2021.