Google's FLoC: Privacy Gone Amok?

Google’s cookie replacement, FLoC, is coming under heavy criticism from privacy experts. So what is the new browser tracking technology, what’s the problem with it and when will it arrive? Kate O’Flaherty investigates

Third-party cookies are on their way out. Mozilla’s Firefox ditched them in 2019, and Apple’s Safari stopped using the privacy-invading tracking technology in 2020. Last year, Google announced it would also stop using third-party cookies in its Chrome browser by 2022.

As a result, Google, whose business model rests on advertising, needed a replacement tracking technology in order to keep targeting users. It is with this in mind that the technology giant is launching Federated Learning of Cohorts (FLoC), which it argues is more private because it groups people with similar browsing patterns into ‘cohorts’ rather than tracking them as individuals.

Google says FLoC’s ‘safety in numbers’ approach – a cohort consists of thousands of people – effectively blends Chrome users into a crowd with similar interests. A person’s history doesn’t leave the browser or device, and it’s not shared with anyone.

Part of Google’s larger cookie replacement initiative, ‘Privacy Sandbox’, FLoC is starting to roll out as a developer origin trial in Chrome to users in countries including the US. There is currently no set date for launch in the UK.

Yet FLoC is coming under heavy criticism from privacy experts, who say it is no better than the technology it replaces. FLoC “just replaces one type of tracking with another,” says Karen Gullo, analyst at privacy organization the Electronic Frontier Foundation (EFF).

Toni Vitale, data protection expert and partner at Gateley Legal agrees: “Google would say FLoC provides privacy through some anonymity, but it has a creepy element.”

Google Says FLoC is Private, Experts Argue Otherwise

Globally, digital advertising spend has exceeded $325bn, representing a massive market that will be impacted once third-party cookies are blocked. It would make sense to assume a large portion of this revenue is made through Google’s Chrome, the biggest browser on the market, with around 70% market share and two billion users.

Google says it has built robust measures into FLoC to remove groups that may be more strongly associated with sensitive topics such as race, sexuality or personal hardships. But organizations such as the EFF argue the use of targeted advertising heightens the risk of exploitation, discrimination and harm.

“FLoC uses an unsupervised algorithm to create cohorts, and this creates an opportunity for abuse,” says Kai Koppoe, a Fordham Law student. “Google says it will monitor cohorts and request browsers regroup the individuals if the group correlates too closely with sensitive categories. However, this means that Google will need to access sensitive information about users to protect them from discriminatory or harmful practices by advertisers.”

At the same time, people are worried that cohorts, while intended to be anonymous, are an easier way for advertisers to re-identify individuals, says Koppoe. “For example, when a user is placed into a cohort and visits a website, the site receives that person’s cohort ID.

“However, if that same person then signs on using their Google account or with other identifying information, the advertiser is able to identify the specific user and tie that information to what it has learned from its FLoC. There is an increased risk of sensitive information leaking as cohorts may share the same race, sexual orientation or identity, medical conditions or hardships.”

Sean Wright, SME application security lead at Immersive Labs, is also concerned about the implications of Google’s new cookie replacement: “FLoC is being touted as private since your individual data will blend in with the masses. It’s like saying an individual is wearing a police uniform within a police station,” Wright explains.

“It will be difficult to individually identify that person. While on the face of it, it sounds great, as you start digging deeper, the cracks start to appear. One of the problems is the sheer volume of data. This can start singling you out from the crowd.”

For example, continues Wright: “What if I said the individual was also a woman? That narrows it down. Now what if I told you the color of their hair? What if I told you they had a tattoo on their left wrist? You can see how quickly numerous data points could suddenly be used to narrow down individuals.”
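To make Koppoe's and Wright's point concrete, here is an added example (not code from the article, nor from Google's FLoC implementation) of what a site can do with a cohort ID: a constructed cohort of 5,000 browsers sharing one hypothetical cohort number is narrowed by cookieless signals a page already sees (language, timezone, screen width, platform, CPU count), and a visit log is joined to later logins so the cohort is tied to named accounts. The cohort number, the signal values, the visit log and the accounts are all constructed; in the origin trial a page obtained its visitor's cohort through the `document.interestCohort()` API, which this example replaces with a constant.

```javascript
// Added example, not code from the article or from Google's FLoC
// implementation: a site-side view of why a cohort ID shared by
// thousands of browsers can still single out one visitor. Everything
// below (cohort number, signals, accounts, visit log) is constructed.

const COHORT_ID = 21701;   // hypothetical cohort number
const COHORT_SIZE = 5000;  // assumed size of that cohort

// Signals a site can read without any cookie. The value lists are
// chosen so the constructed population spreads evenly over each one.
const LANGUAGES = ["en-US", "en-GB", "de-DE", "fr-FR"];
const TZ_OFFSETS = [-8, -5, 0, 1, 9];
const SCREEN_WIDTHS = [1366, 1536, 1920];
const PLATFORMS = ["Win32", "MacIntel", "Linux x86_64", "Android", "iPhone", "CrOS", "Linux armv8l"];
const CORES = [1, 2, 3, 4, 6, 8, 10, 12, 16, 24, 32];

// Constructed cohort: every visitor carries the same cohort ID, so that
// ID on its own gives an anonymity set of COHORT_SIZE people.
function makeCohort(size = COHORT_SIZE) {
  const people = [];
  for (let i = 0; i < size; i++) {
    people.push({
      visitor: i,
      cohortId: COHORT_ID,
      language: LANGUAGES[i % LANGUAGES.length],
      tzOffset: TZ_OFFSETS[i % TZ_OFFSETS.length],
      screenWidth: SCREEN_WIDTHS[i % SCREEN_WIDTHS.length],
      platform: PLATFORMS[i % PLATFORMS.length],
      cores: CORES[i % CORES.length],
    });
  }
  return people;
}

// Anonymity set: everyone in the cohort matching every observed signal.
function anonymitySet(cohort, observed) {
  return cohort.filter(p =>
    Object.entries(observed).every(([key, value]) => p[key] === value));
}

// Size of the anonymity set as the site learns one signal at a time,
// in the order given. Index 0 is the cohort ID alone.
function narrowing(cohort, observed) {
  const sizes = [cohort.length];
  const known = {};
  for (const [key, value] of Object.entries(observed)) {
    known[key] = value;
    sizes.push(anonymitySet(cohort, known).length);
  }
  return sizes;
}

// Cohort-to-account linking: the visit log records the cohort ID a
// browser presented on each session; a later login on the same session
// names the person behind that cohort ID.
function linkCohortsToAccounts(visits, logins) {
  const sessionCohort = new Map();
  for (const v of visits) sessionCohort.set(v.session, v.cohortId);
  const linked = new Map();
  for (const l of logins) {
    if (sessionCohort.has(l.session)) linked.set(l.account, sessionCohort.get(l.session));
  }
  return linked;
}

// Constructed visit log and login events.
const VISITS = [
  { session: "s1", cohortId: 21701, path: "/pricing" },
  { session: "s2", cohortId: 9003, path: "/blog" },
  { session: "s3", cohortId: 21701, path: "/support" },
];
const LOGINS = [
  { session: "s1", account: "alice@example.com" },
  { session: "s3", account: "bob@example.com" },
  { session: "s9", account: "carol@example.com" }, // no matching visit
];

// Signals observed on one visit, in the order the site collected them.
const OBSERVED = { language: "de-DE", tzOffset: 1, screenWidth: 1536, platform: "MacIntel", cores: 8 };

if (typeof require !== "undefined" && require.main === module) {
  const cohort = makeCohort();
  console.log("anonymity set as signals accumulate:", narrowing(cohort, OBSERVED));
  console.log("remaining visitor(s):", anonymitySet(cohort, OBSERVED).map(p => p.visitor));
  console.log("accounts tied to a cohort:", [...linkCohortsToAccounts(VISITS, LOGINS)]);
}
```

Run with `node` to see the anonymity set shrink from the whole cohort to a single visitor after five ordinary signals, and to see which named accounts a site can attach to cohort 21701 once those users sign in. The constructed population is deliberately uniform; real signals are skewed, which usually makes the narrowing faster, not slower.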

Jake Moore, cybersecurity specialist at ESET agrees: “Although FLoC is meant to be the new way of understanding and sharing advertising practices in a privacy-focused world, it might just be circumnavigating an old problem into a new one.”

More concerning still, there is currently no way for users to switch FLoC off; there has been none since Google began trialling the technology with US users on April 1. Google says an opt-out option will be added “this month.” Meanwhile, users who have chosen to block third-party cookies in the current version of Chrome are not included in the origin trial.

EU Issues

FLoC is on trial in the US, and Google says it is “committed” to launching the Privacy Sandbox in Europe and is working to begin testing as soon as possible. But in the EU and UK, FLoC’s roll out could be challenging due to privacy regulations such as the EU General Data Protection Regulation (GDPR).

FLoC will still need consent within the UK and EU thanks to ePrivacy regulation, confirms Emily Overton, managing director of RMGirl. With this in mind, Overton wonders if FLoC is ever going to reach the UK. “I can’t see how it can be implemented as it still needs consent under our current legislation.”

“In the UK, we have the Privacy and Electronic Communications Regulations 2003 (PECR), which sit alongside the Data Protection Act, the UK’s implementation of GDPR. They give people specific privacy rights in relation to electronic communications.”

As Vitale points out, it is contrary to GDPR to fail to build privacy into the design of products. “In Europe and the UK, Google would have had to do a Data Protection Impact Assessment – and think about how intrusive FLoC is, protecting individuals and their right to privacy.”

Regulation such as the GDPR also requires transparency and the ability to opt out of data collection and sharing. “It is very difficult for me to say this is good for privacy, or individual rights,” says Vitale. “We like individuality; we respect that in the EU. We don’t want to be treated as part of a homogenous crowd, and GDPR is supposed to give the user control.”

What Happens Next

Google says FLoC is still in development and will evolve based on input from the web community and learnings from its first trial. The initial testing of FLoC is taking place with a “small percentage” of users in countries including Australia, Canada, India, Japan, Mexico, New Zealand and the US.

But by 2022, third-party cookies will no longer be available by default on the three largest browsers globally. This creates a need for some technology to replace them. “One way or another, advertisers will need to adapt and find a new way to reach their intended audiences,” says Koppoe. “Advertisers that have the technology and ability to decipher the commonalities of cohort users will likely fare better as they can target their ads.”

Even so, FLoC continues to be unpopular in the tech community. Microsoft Edge, Vivaldi, Brave and DuckDuckGo have announced plans to block the technology in their browsers and browser extensions. WordPress, which powers approximately 40% of websites, recently announced it is considering a proposal to block FLoC too.

It’s not surprising that Google’s rivals are trying to block FLoC, but the impact may be limited given Chrome’s majority share of the market. It’s likely FLoC will continue to roll out – at least in some form – in all of Google’s markets, unless a major backlash sees users ditching the Chrome browser en masse. As Koppoe says: “It remains to be seen how users will react once FLoC takes effect: if there will be a general outcry, or if no one will care at all.”