Google has come up with a new way to collect user behavior for targeted advertising. He called it FLoC and painted the reality so pink that he immediately garnered a storm of wind from other players on the Internet.
Cohorts instead of cookies
So first of all, what is FLoC, aka Federated Learning of Cohorts: A Google-designed standard for web browsers to replace cookies or other user tracking techniques in order to personalize the advertising displayed on websites by advertising systems. Instead of a specific user being identified by the browser/website, FLoC would automatically make it a member of some user cohorts (more precisely, one aggregate cohort) with the same interests based on their browsing history, and only this essentially anonymized information would be used by advertising systems.
At the same time, the cohorts would be large enough that it would not be possible to identify the user, even if only vaguely, as a member of a very small group of people. Thus, FLoC is not a system of perfect anonymization of the user in terms of personalization of the displayed ads: It is a system that should anonymize the user as much as possible, but while maintaining the highest possible degree of personalization of the displayed ads. In short: FLoC is a compromise. That's not what Brave, Vivaldi or DuckDuckGo like.
In short, the browser, here Google Chrome, will based on the user's history, which is only local in the browser and not shared with anyone, assign the user to a cohort number such as 123456. It will then pass this information to websites and how to load with the fact that the user falls into the cohort 123456 in terms of interests, ie what advertising they will serve to him within the page.
Google says the cohorts will not run until there are at least a few thousand, which should ensure a sufficient degree of anonymization. Chrome will then not assign any labels to the cohorts themselves (eg "Trekkie with an interest in photography, BMW and ginger recipes"), which will be on the strength of the advertising industry. It is probably clear to everyone that one of those who will have it done perfectly will be Google itself, resp. in general Alphabet.
Here you can surely imagine where it will scrub. Little players just don't have the resources to analyze the cohorts themselves. In addition, one way or another, someone will sooner or later draw the attention of a neural network to the cohorts, which will make some statistical analysis out of it.
However, FLoC is now in the design stage, anyone can get bogged down on GitHub and comment.
Brave, Vivaldi, DuckDuckGo, and more
FLoC has already caught it from the Electronic Frontier Foundation (an interesting read in itself) and the creators of the Vivaldi and Brave browsers. The DuckDuckGo search engine also doesn't like it.
Vivaldi completely refuses
Vivaldi responded with a blog post called Well, Google! Vivaldi users will not get FLoC'ed . In it, he explains at length his view of the matter.
Old habits are said to die hard. Google's new approach is described as dirty data mining and the possible introduction of FLoC as a dangerous step that damages users privacy. FLoC is now being tested on Google Chrome and is part of the Chromium project, the project that powers Vivaldi.
Vivaldi makes it clear that although their browser builds on the Chromium project, it only uses it to display pages properly, and all similarity ends. Vivaldi continues to stand behind the privacy of users and will not allow any profiling and tracking techniques in the browser, including this local variant, on which FLoC is based.
He also rightly notes that while cookies and local storage are still used, FLoC only moves this inside the browser, but in principle also profiles the user. By the way, the FLoC component in Chrome needs to communicate with Google's servers just to check if it can run. Google uses this mechanism only in countries outside the EU, outside the scope of the GDPR directive. Vivaldi logically raises the rhetorical question of whether the FLoC is compatible with GDPR at all, and they intend to continue to monitor it.
Vivaldi also points out that third-party cookies are often used to log in to websites, but have over time been misused for the advertising industry. As such, they have it envisaged, they will gradually stop working everywhere, and Google simply had to look for a way to continue to track/profile users.
Vivaldi names one thing perfectly: if people in the 112233 cohorts regularly go through websites about erection problems, for example, it may one day happen beautifully that the websites will not know that you, František Vopršálek, are part of the 112233 cohorts, but simply advertising on Viagra will be served everywhere. Although the system will work with anonymized data, it can still get users in trouble. After all, the same as the current system of third-party cookies.
In principle, FLoC can also give advertising systems data from a much wider user base than they would reach with their cookies. Because cohorts will aggregate, although anonymized, but data from a much wider range of users and websites (see the section above that cohorts will be launched only when there is a lot of data). In fact, the FLoC system will provide advertising systems with more data than they get today, also because it will collect data about the user locally and on sites where otherwise the advertising system is not deployed.
At a time when your professional career may be buried by a tweet from 10 years ago or photos from 30 years ago, it's high risk. It is not just a question of what problems this system can get into, for example, protesters in Hong Kong, Uyghurs in China, otherwise hiding their religion, or, for example, Navalny supporters in Russia.
In short and well: Vivaldi does not contain the FLoC API and never will, regardless of its implementation in Chromium. So Vivaldi completely rejects FLoC.
Brave says the same mildly
They add boldly at the beginning that FLoC techniques have never been enabled in Brave, they are now removed in Nightly Brave builds for both desktops and Android, and all parts of the FLoC implementation will soon be removed with the next stable release of Brave.
The reasoning on the Brave blog is very similar to Vivaldi, so we will not discuss the same reasons here again. Of course, Brave also talks about the fact that FLoC is rather the opposite of the mechanism for increasing user privacy and also talks about the conflict (not only) with GDPR. They also consider FLoC to be harmful to creators and publishers and encourage everyone not to use FLoC.
DuckDuckGo advises to block
DuckDuckGo talks in the headline about using the Chrome extension to block FLoC. In the introductory points, he summarizes several things. According to him, first of all, Google created a new method of tracking users called FLoC and turned it on for millions of people. FLoC is bad for users' privacy, as each site can target a given FLoC ID and perform user fingerprinting. Just use the DuckDuckGo browser extension to block. Likewise, the DuckDuckGo search engine is set so that it does not use FLoC regardless of the user's settings, browser, or application.
DuckDuckGo recalls Google's claim that FLoC is 95% effective in ad targeting compared to traditional third-party cookie tracking.
In conclusion, people around the search engine add that they are disappointed that, despite publicly expressed concerns about FLoC, Google simply turned it on, forcing users to ask for their consent at all.
What will happen to us?
In conclusion, let's just add that these are just three examples of leading players on the Internet who have sharply opposed FLoC. They are certainly not the only or the last. On the other hand, there will be a lot of other players who, on the other hand, will want to use its potential from FLoC. FLoC significantly changes the functioning of Internet advertising and related user tracking. How the system will eventually settle, and whether Google will push it at all, no one knows the answer.
However, these days are exactly the moment when it is worth remembering that we also have some mechanisms in the EU that are for the benefit of ordinary people. In this case, I mean the often hated GDPR directive or the Czech General Regulation on Personal Data Protection.
It does not make sense to meditate extensively here on what appropriate compromise setting would be between the interests of websites, users, and advertisers. It is a compromise with which all parties involved will never be satisfied. As a user, I want to see as few ads as possible (ideally 0). As an author, I know that I am paid from advertising revenue. But I'm also glad that this potential headache called FLoC doesn't fall on my shoulders. This will still be very nutritious, we are still at the beginning of the first act and the game is just starting.