What is Google FLoC?

This is a text automatically translated from Italian. If you appreciate our work and if you like reading it in your language, consider a donation to allow us to continue doing it and improving it.

⚠️ The author of this article is Bennett Cyphers and the original was published on the website of ANDelectronic Frontier Foundation.
The article What is Google FLoC? it is a translation made by Thirty-nine – The network to come.

Both works, and consequently this one too, are below Creative Commons Attribution license. ⚠️

It's news these days and there has been a lot of talk about it on some sites. For example, they talked about it Courier, IT point And Digital Agenda. But what is Google FLoC? How many of you actually understood this?

We liked it a lot the article from the EFF, a very famous foundation that rarely makes mistakes. To make you understand: they are the authors, among many other things, of extensions Privacy Badger, HTTPS Everywhere and the online tool Cover Your Tracks. In this article, in fact, it is explained in detail what is Google FLoC in an easy way.

What is Google FLoC?

What you will read is the translation of the article that appeared on their site. The translation is the work of Thirty-nine – The network to come. We only made some spelling and editorial corrections. Enjoy the reading!

— start of translation article —

Google's FLoC is a terrible idea

Of Bennett Cyphers – March 3, 2021

The Cookies third-party is dying and Google is trying to create a replacement for it.

No one should mourn the death of Cookies as we know it. For more than two decades, the Cookies third party was the hub of a dark system, sleazy, multibillion-dollar Web advertising surveillance operation (THE Cookies advertising are useless?); the gradual elimination of Cookies tracking and other persistent third-party identifiers is long overdue. However, while the fundamentals of the advertising industry are changing, its biggest players are determined to remain standing.

Google is leading the charge for replace i Cookies of third parties with a new group of technologies "designed" to target ads across the Web. And some of its proposals show that it hasn't learned the right lessons from the ongoing backlash to the surveillance business model. This post will focus on one of these proposals, Federated Learning orf Cohorts (FLoC), which is perhaps the most ambitious and potentially the most harmful.

What is Google FLoC?

FLoC it wants to be a new method because yours Browsers perform the profiling that i Trackers third parties used to do it themselves: in this case, reducing your recent browsing activity to a behavioral label and then sharing it with websites and advertisers. Technology will avoid risks to the privacy of Cookies third-party ones, but will create new ones in the process. It can also exacerbate many of the worst non-privacy problems of behavioral ads, including discrimination and predatory targeting.

Google's assist for privacy advocates is that a world with FLoC (and other elements of the “privacy sandbox”) will be better than the world we have today, where data brokers and ad tech giants track and profile with impunity. But that framework is based on the false premise that you have to choose between “old tracking” and “new tracking.”. It's not one or the other. Instead of reinventing the tracking wheel, we should imagine a better world without the myriad problems of targeted ads.

We are at a crossroads.

Behind us is the era of Cookies third party, perhaps the biggest mistake on the web. There are two possible future "scenarios" before us.

In one, users can decide what information to share with each site they choose to interact with. No one has to worry about their past browsing being used against them or exploited to manipulate them when they open a new tab.

In the other, the behavior of each user follows them from site to site like a label, apparently invisible but full of meaning for those who know "where to look". Their recent history, distilled into a few bits, is democratized and shared with dozens of anonymous actors who contribute to the content of each web page. Users begin each interaction with a confession: here's what I've been up to this week, please treat me accordingly.

Users and supporters must refuse FLoC and other misguided attempts to reinvent behavioral targeting. We implore Google to abandon FLoC and redirect its efforts towards creating a truly user-friendly Web.

What is FLoC?

In 2019, Google introduced Privacy Sandbox ¹, his vision for the future of privacy on the web. At the heart of the project is a range of wireless protocols Cookies designed to meet the myriad of practical applications that i Cookies third parties currently provide to advertisers. Google took its proposals to the W3C, the standards-setting body for the Web, where they were discussed primarily within the Web Advertising Business Group, a body composed primarily of advertising technology providers. In the next months, Google and other advertisers have proposed dozens of technical standards with themed names birds: PIGIN, TURTLEDOVE, SPARROW, SWAN, SPURFOWL, PELICAN, PARROT… the list goes on. Seriously. Each of the proposals bird is designed to perform one of the functions currently performed by the targeted advertising ecosystem Cookies.

FLoC is designed to help advertisers perform behavioral targeting without Cookies of third parties.

A Browsers with FLoC enabled collects information about the user's browsing habits, then uses it to assign the user to one cohort or group. Users with similar browsing habits, by any definition of “similar,” would be grouped into the same cohort. The Browsers of each user will share a cohort "identifier" ID, indicating which group they belong to, with websites and advertisers. According to the proposal, at least a few thousand users should belong to each cohort (although this is not a guarantee).

If it seems obscure, think about it this way: your FLoC identifier will be like a short summary of your recent activity on the web.

An example demonstration by Google used the domains of the sites visited by each user as the basis for grouping people together. He then used an algorithm called SimHash to create the groups.

SimHash can be calculated locally on each user's machine, so there is no need for a central server to collect behavioral data. However, a central administrator may have a role in enforcing privacy safeguards. To avoid any cohort being too small (i.e. too identifying), Google proposes that a central entity can count the number of users assigned to each cohort. If some are too small, they could be combined with other similar cohorts until enough users are reached in each.

The proposal

According to the proposal, most of the specifications are still to be defined. The draft spec states that a user's cohort identifier will be available via JavaScript, but it's unclear whether there will be restrictions on who can access it or whether the ID will be shared in other ways. FLoC could group based on URLs or page content instead of domains; could also use a system based on federated learning (as the name FLoC suggests) to generate the groups as an alternative to SimHash.

It's also unclear exactly how many possible cohorts there will be. The experiment of Google used 8-bit cohort identifiers, meaning there were only 256 possible cohorts. In practice that number could be much higher; the documentation suggests a 16-bit cohort identifier consisting of 4 hexadecimal characters. The more cohorts there are, the more specific they will be; Longer cohort identifiers mean advertisers will learn more about each user's interests and be made easier to Fingerprinting.

One element that is specified is the duration. The cohorts FLoC they will be recalculated on a weekly basis, each time using navigation data from the previous week. This makes the cohorts FLoC less useful as long-term identifiers, but also makes them more effective measures of how users behave over time.

What is Google FLoC? New privacy issues

FLoC It's part of a suite intended to bring targeted ads into a privacy-preserving future. But its basic concept involves sharing new information with advertisers. Not surprisingly, this also creates new privacy risks.

Fingerprinting

The first problem is the Fingerprinting. The Fingerprinting of the Browsers is the practice of gathering lots of discrete information from the Browsers of a user to create a unique and stable identifier for that Browsers. The project Cover Your Tracks Of EFF demonstrates how the process works: in short, more yours Browsers appears or behaves differently from others, the easier the Fingerprinting.

Google has promised than the vast majority of cohorts FLoC will include thousands of users each, so a cohort identifier alone shouldn't distinguish you from a few thousand other people like you.

However, this still offers the Fingerprinting a huge advantage. If a Trackers start with your cohort FLoC, it just needs to distinguish yours Browsers by a few thousand others (rather than by a few hundred million). In information theory terms, cohorts FLoC will contain several bits of entropy, up to 8 bits, in Google's proof of concept. This information is even more powerful given that it is unlikely to correlate with any other information that the Browsers exposes. This will make it much easier for you Trackers put together a Fingerprinting unique to FLoC users.

Privacy Budget

Google recognized this as a challenge, but committed to solving it as part of the broader plan.”Privacy Budget” which carries forward to address the Fingerprinting in the long term. Solve the Fingerprinting It's an admirable goal and his proposal is a promising avenue to pursue. But according to the FAQ, that plan is “an early-stage proposal and does not yet have an implementation Browsers”. Meanwhile, Google will begin testing FLoC already this month.

The Fingerprinting it is notoriously difficult to stop. Browsers as Safari And Tor they engaged in long battles against the Trackers, sacrificing large parts of its feature sets in order to reduce attack surfaces Fingerprinting. The mitigation of Fingerprinting it generally involves eliminating or limiting unnecessary elements of entropy, which is what FLoC is instead. Google should not create new risks related to the Fingerprinting until he figures out how to deal with the existing ones.

What is Google FLoC? Cross-context exposure

The second problem is less easy to explain: technology will share new personal data with i Trackers which can already identify users. So that FLoC is useful to advertisers, a user's cohort will necessarily reveal information about their behavior.

The project's Github page ² address this issue upfront: This API democratizes access to some information about an individual's general browsing history (and thus, general interests) to any site that opts into it. … Sites that know a person's PII (eg, when people sign in using their email address) could record and reveal their cohort. This means that information about an individual's interests may eventually become public ³.

As described above, the cohorts FLoC they should not by themselves function as identifiers. However, any company that can identify a user in other ways, for example by offering services through “Log in with Google” to sites on the Internet, will be able to link information learned from FLoC to the user's profile.

Two categories of information can be exposed in this way:

• Specific information about your browsing history. THE Trackers they may be able to reverse engineer the cohort assignment algorithm to determine that any user who belongs to that specific cohort probably or definitely visited specific sites.

• General information about demographics or interests. Observers may learn that, in general, members of a specific cohort are very likely to belong to a specific type of person. For example, a particular cohort may overrepresent young, female, and black users; another cohort, middle-aged Republican voters; a third, young LGBTQ+ people.

This means that every site you visit will have a good idea of what kind of person you are from the first contact, without having to do the work of tracking you across the web. Also, since your cohort FLoC will update over time, sites that can identify you in other ways will also be able to track how your browsing changes. Remember, a cohort FLoC it is nothing more and nothing less than a summary of your recent browsing activity.

You should have the right to present different aspects of your identity in different contexts. If you visit a site for medical information, you might trust it with information about your health, but there's no reason it needs to know your political affiliations. Likewise, if you visit an online store, this one shouldn't need to know if you've recently read about treatments for depression. FLoC it erodes this separation of contexts and instead presents the same behavioral summary to everyone you interact with.

Beyond privacy

FLoC it is designed to prevent a very specific threat: the type of individual profiling that is currently enabled by cross-context identifiers. The goal of FLoC and other proposals is to avoid that i Trackers can access specific information attributable to specific people.

As we have shown, FLoC it can actually help i Trackers in many contexts. But even if Google is able to strengthen its project and prevent these risks, the harms of targeted advertising are not limited to privacy violations. FLoC's primary focus is at odds with other civil liberties.

The power to target is the power to discriminate. By definition, targeted ads allow advertisers to reach some types of people while excluding others. A targeting system can be used to decide who can see job ads or loan offers as easily as advertising shoes.

What is Google FLoC? The targeting

Over the years, the mechanism of targeted advertising has often been used for exploitation, discrimination and harm. The ability to target ads to people based on their ethnicity, religion, gender, age, or ability allows for discriminatory ads for jobs, housing, and credit.

Targeting based on credit history, or characteristics systematically associated with it, enables predatory ads for high-interest loans. Targeting based on demographics, location, and political affiliation helps spread political misinformation and voter disaffection. All types of behavioral targeting increase the risk of credible scams.

Google, Facebook and many other advertising platforms already try to curb certain uses of their targeting platforms. Google, for example, limits advertisers' ability to target ads to people in "sensitive interest categories." However, these efforts often fail; Certain actors can usually find workarounds to platform-level restrictions on certain types of targeting or certain types of ads.

The FLoC algorithm

Even with absolute power over what information can be used to target whom, platforms are too often unable to prevent the abuse of their technology. But FLoC it will use an unsupervised algorithm to create its groupings. This means that no one will have direct control over how people are grouped. Ideally (for advertisers), FLoC it will create groups that have significant behaviors and interests in common.

But online behavior is linked to all sensitive characteristics: demographics such as gender, ethnicity, age and income; “big 5” personality traits; mental health too . It is very likely that FLoC will also group users along some of these axes. The groupings of FLoC they may also directly reflect visits to websites related to substance abuse, financial hardship, or support for trauma survivors.

Google has proposed being able to monitor the system's outputs to check for any correlations with its sensitive categories. If it finds that a particular cohort is too closely related to a particular protected group, the administrative server can choose new parameters for the algorithm and tell the Browsers of users to regroup again.

This solution sounds both Orwellian and sisyphea.

To monitor how FLoC groups relate to sensitive categories, Google will have to carry out massive checks using data on users' race, gender, religion, age, health and financial situation. Every time it finds a cohort that correlates too strongly along any of these axes, it will have to reconfigure the entire algorithm and try again, hoping that no other “sensitive categories” are implicated in the new iteration. This is a much more complex variant of the problem it is already trying, often unsuccessfully, to solve.

In a world with FLoC, it may be more difficult to target users directly based on age, gender, or income. But it won't be impossible. THE Trackers with access to ancillary information about users they will be able to learn what FLoC groupings “mean” and what kind of people they contain, through observation and experimentation.

Those who are determined to do so will still be able to discriminate. Furthermore, this type of behavior will be more difficult for platforms to control than it already is. Advertisers with bad intentions will have plausible deniability: after all, they are not directly targeting protected categories, but reaching people based on behavior. And the entire system will be more opaque for users and regulators.

Google, please don't do this

We wrote about FLoC and the other initial group of proposals when they were first introduced, defining FLoC “the opposite of privacy-preserving technology“. We hoped that the standardization process would shed light on the fundamental flaws of FLoC, inducing Google to reconsider the possibility of carrying it forward.

In fact, several problems on the official Github page they raise the exact same concerns we've highlighted here. However, Google continued to develop the system, leaving its fundamentals almost unchanged. He started proposing FLoC to advertisers, boasting that FLoC is a “95% effective” replacement for I-based targeting Cookies. And starting with Chrome 89, released March 2, it's rolling out the technology for an early trial. A small portion of Chrome users, likely millions of people, will be (or have been) assigned to test the new technology.

FLoC and Google Chrome

Don't make any mistakes, if Google will carry out his plan to introduce FLoC in Chrome, will likely give those involved “options.” The system will likely be opt-in for advertisers who benefit from it and opt-out for users who risk being harmed. Google will certainly advertise it as a step forward for “transparency and user control”, knowing full well that the vast majority of its users will not understand how FLoC works and that very few will do anything to disable it.

He'll pat himself on the back for ushering in a new private era on the Web, free from evil Cookies third-party, the “same” technology that Google helped extend well beyond its shelf life, earning billions of dollars in the process.

It doesn't have to be this way.

The most important parts of the privacy sandbox, such as the elimination of third-party identifiers and the struggle Fingerprinting, they will truly change the Web for the better. Google it can choose to dismantle the old surveillance framework without replacing it with something new and uniquely harmful.

We definitely reject the future of FLoC.

This is not the world we want, nor the one users deserve. Google it needs to learn the right lessons from the era of third-party tracking and design its own Browsers so that it works for users, not advertisers.

— end of translation article —

What is Google FLoC? Comments

What can I say, let's hope the article What is Google FLoC? it was to your liking. We are waiting for you as always on ours group Telegram, in our room Matrix or on our subreddit to talk about it together!

1. Charting a course towards a more privacy-first web[↩]
2. Federated Learning of Cohorts (FLoC) on GitHub[↩]
3. Revealing People's Interests to the Web[↩]

Join communities