back to article EFF urges Google to ground its FLoC: 'Pro-privacy' third-party cookie replacement not actually great for privacy

With the arrival of Google Chrome v89 on Tuesday, Google is preparing to test a technology called Federated Learning of Cohorts, or FLoC, that it hopes will replace increasingly shunned, privacy-denying third-party cookies. Bennett Cyphers, staff technologist at the Electronic Frontier Foundation, argues FLoC is "a terrible …

  1. babaganoush

    Why anyone would install a "browser" on their machine that uses machine learning across their browse history to assign them to marketing groups that is then exposed to absolutely anyone completely eludes me.

    Why would anyone in his/her right mind ever even contemplate doing that?

    1. needmorehare
      Trollface

      We should support it

      So that we can all gimp it with fake/generic info. The EFF should think ahead and write extensions with this approach in mind rather than shooting it down!

      1. Charles 9 Silver badge
        Mushroom

        Re: We should support it

        Arms race. They just figure out ways to winnow out the chaff, and they have more resources than we do.

      2. babaganoush

        Re: We should support it

        There is a much, much more elegant solution to this particular problem:

        sudo apt-get remove google-chrome-stable

        And this solution has no nasty side effects. In fact it has a hell of a lot of collatoral benefits.

    2. alain williams Silver badge

      Re: Why anyone would install a "browser" on their machine ...

      because most of them would not know about it. Chrome will come with it enabled by default, you might be able to switch it off, but most would not know how to and probably not understand why they might be at disadvantage by being tracked.

      1. TFL

        Re: Why anyone would install a "browser" on their machine ...

        I think there's some benefit in promoting alternatives, including the Chromium-derived ones where it makes sense. For example, I use Vivaldi when I run into sites which seem to demand "Chrome", and it generally works well. For everything else, I still have Firefox as a generally-great default.

  2. Anonymous Coward
    Anonymous Coward

    Targeted advertising is bunk anyway

    Maybe I'm getting old and delusional but didn't it used to be possible to advertise without creepy espionage? Like if you bought a copy of Anglers' Times you could expect to see adverts for fishing waders and no one needed to know your innermost thoughts and secrets. The only cookies kept on you could fit in a lunch box. And while on the subject this is not a problem with cookies per se, if cookies were outlawed Facebook would still exist and would still record everything about you and then sell it to criminals like Cambridge Analytica. The "accept cookies" banners we're all forever clicking on were a response to demands of the GDPR but the GDPR never said you have to agree to cookies to view a website. Ironically you can no longer view a website about GDPR without first clicking on an "accept cookies" banner.

    Obligatory and timely XKCD, https://xkcd.com/2432/

    1. This post has been deleted by its author

    2. Dinanziame Silver badge
      Boffin

      Re: Targeted advertising is bunk anyway

      While the Anglers' Times is able to reasonably assume that all their readers are interested in fishing waders, it is more of a problem for general interest newspapers and TV shows. It used to be a truism that half of the advertising budget was wasted, but you didn't know which half. Not anymore: The "great" contribution of Internet tracking is that advertising is far more cost-efficient than before.

      And really, it's not 100% bad: It is really possible to build a successful business selling, say, donkey's milk on the Internet starting with a tiny advertising budget. Before, that would have been practically impossible because you just couldn't reach interested people without a massive campaign you couldn't afford.

      1. ThatOne Silver badge

        Re: Targeted advertising is bunk anyway

        > Before, that would have been practically impossible because you just couldn't reach interested people without a massive campaign

        Yeah, that's the ad-slingers' argument. Yet none has been able to explain to me yet how inundating me with ads for a second washing machine would help me find that donkey milk business.

        "Targeted advertising" is a scam, in which the point is to sell profiles, and their only use is to help the marketing department argue to the board they didn't waste money: "No, it's highly targeted, a surgical strike, every cent counts!". For the victim subject, it's just an annoyance and a potential security risk. No benefit whatsoever.

        In the past, the classic, blind advertising has sometimes shown me stuff I didn't even know I needed or wanted. The targeted brainwashing of "This is a washing machine buyer - Go at him!" is totally counter-productive, especially for your donkey milk business.

        1. Anonymous Coward
          Anonymous Coward

          Re: Targeted advertising is bunk anyway

          The advertisers only have to pay Google if the user clicks on the ad. On one side, it means that indeed every cent counts. On the other side, it means Google only makes money if users find the ads interesting... And Google makes a shitload of money.

          1. ThatOne Silver badge

            Re: Targeted advertising is bunk anyway

            > only have to pay Google if the user clicks on the ad

            For each human who clicks, you get thousands of bot clicks. Click fraud is a thriving industry, and the hapless victims are the companies who think they are "reaching out", "consolidating brand awareness" and generally gaining new clients.

            (Didn't downvote you though.)

      2. Warm Braw Silver badge

        Re: Targeted advertising is bunk anyway

        If there isn't currently a market for "donkey milk", there won't be a "likes donkey milk" flag in anyone's advertising profile and you'd have to infer likely marks from their preference for dream-catchers or some other proxy for gullibility, so the "targeting" is not that useful in that scenario.

        On the other hand, the low cost of advertising is a boon for scammers of all kinds.

        There used to be pages of classified advertising in newspapers and, at least for some classes of commercial ads, publishers often ran a compensation scheme for disappointed or defrauded customers. The real issue with this "targeted" advertising is that the publishers are adding legitimacy to promotions they are entirely unaware of. The best way around this problem would be to make the publishers legally responsible for the advertisements they "host" and to see how fast Google washes its hands of its involvement.

      3. Richard 12 Silver badge

        Re: Targeted advertising is bunk anyway

        That kind of "Targeted advertising" is a Big Lie.

        It doesn't work, never has.

        Advertising donkey's milk to the thousands of people Google or Facebook think are interested in your products because they've been following them is fundamentally a bad idea.

        People immediately reject anything that feels creepy. This is basic psychology. Getting a stack of adverts for the same product on different sites after vaguely expressing an interest somewhere else is creepy as heck.

        Showing the same ad to the same person a hundred times generally makes them *less* likely to buy it - as anything being pushed that hard must be rubbish.

        Showing an advert for your version of donkey milk the day after they bought a month's supply is massively wasteful.

        Advertise to people when they do the search for donkey milk. Before hands sales to competitors, after is wasted *at best*.

        1. Claptrap314 Silver badge

          Re: Targeted advertising is bunk anyway

          You haven't talked to any average people, I take it.

      4. Anonymous Coward
        Anonymous Coward

        Re: Targeted advertising is bunk anyway

        > it is more of a problem for general interest newspapers and TV shows

        .. which have all done ok.

        As others said, it's a scam. And to your point, most sites aren't generic - target based on the websites typical audience, after all, that's the best way to tell if I'm currently in "buy new computer" or "buy gift for girlfriend" mode.

        The reason the scam is perpetuated is that google and facebook have all this information, and they want advertisers to believe it's useful.

        If advertisers didn't care, google/facebook would lose that power - any ad company would do.

        We need to educate the advertisers...

  3. spold Silver badge

    It would seem to give you less control

    Mostly you have to give people choices about cookies these days (at least in GDPR-land, California, etc.) which means that typically there is an option in small print on the cookie banner to allow you to make more fine-grain choices - typically essential ones are prechecked otherwise the website will collapse in a heap of springs and cogs, secondly functional ones (meaning analytics, etc.), lastly advertising ones... you have to opt-in to last two categories they cannot be pre-ticked... OK, generally people will do the usual thing and click accept without going into the fine-grain options.

    Ah, we have put you in with the other hamster-porn aficionados.

    Hopefully, there is a FloC-off option.

    1. SImon Hobson Silver badge

      Re: It would seem to give you less control

      Mostly you have to give people choices about cookies ... you have to opt-in to last two categories they cannot be pre-ticked

      Ha, if only !

      I still see plenty of sites that should come under GDPR which either pre-tick stuff they are not allowed to , or simply presentblot out all the content behind a "accept cookies, it's your only option" message.

  4. Foxglove
    Coat

    Let's be reasonable here

    Who amongst us would want to put Don Draper, who is clearly a decent upstanding man, out of a job,

  5. eldakka Silver badge

    As an example, Englehardt cited how more than 30m Americans have diabetes. "While we’re very unlikely to re-identify any of those users based solely on the knowledge that they have diabetes, I suspect we can agree that nearly every individual in this group would not want this information used by advertisers," he said.
    It's even worse than that. A person is unlikely to be in just one of theses groups.

    Maybe there's a group for how affluent one is? e.g. Earns more than 100K.

    And a more specific, but still generalised location, e.g. State, Rhode Island.

    And several interest groups, Gaming, Adventure Sports, Sports Cars, Motorbikes, Romance Novels, SciFi/Fantasy Movies, Sports (maybe even specific sports, Football, Grid Iron, Tennis, Cricket, Baseball, Hurley, Rounders, Cross-country skiing, Water ski-ing, Snooker, Ice Hockey, etc.).

    So, how many people would match the set of:

    Diabetic, Rhode Island, Affluent, Romance Novels, Rounders, Cricket ? Not many I'm willing to bet.

    And the more groups there are, the matching becomes even narrower, say you add age brackets and gender and gender identity to those sets. Along with information like browser agent strings, pretty soon you are going to be able to track specific individuals anyway.

    1. NetBlackOps Bronze badge

      That's precisely the problem with any approach that tags people with group identifiers and research conducted by MIT and other institutions prove time and again that it doesn't take much to reidentify people.

      So Google and others that tink they can prevent this are living in a fantasy world, or more accurately projecting a narrative that the problem is solved when it's unsolvable.

      1. Janne Smith

        "Google and others that tink they can prevent this are living in a fantasy world,"

      2. Anonymous Coward
        Anonymous Coward

        Google and others that tink they can prevent this

        I thought they were only pretending to prevent it, so as to buy themselves more time, a better image, or both.

        1. RyokuMas Silver badge
          Meh

          Re: Google and others that tink they can prevent this

          "... so as to buy themselves... a better image..."

          Well, since there are still people on here who have a massive grudge against Microsoft almost quarter of a century on, I don't know how that's going to work out...

    2. Neil Barnes Silver badge

      Easily solved. All we have to do is invent a time machine, go back to Hull in the 1830s, and somehow prevent John Venn's parents meeting. For added safety, we could another twenty years and provide the same service for George Boole's parents in Lincoln. Not too far away.

      Without the influence of those two, it would be impossible for anyone to make these sorts of connections. Er, probably.

      I'm sure there's an app for it.

    3. claimed

      That's the point

      The highest revenue is charged for ads that *purport* to be shown only to some specific group, or intersection of groups. The idea is to get that as fine as possible, and this proposal sounds like 3rd party cookies - just created and stored in the browser and voluntarily provided to *any* site, rather than only those in the same syndicate (although in practice I'm sure Chrome would only co-operate with paying customers). So, worse actually than the status quo

    4. Anonymous Coward
      Anonymous Coward

      Actually, the entire point of k-anonymity is to make it impossible to re-identify people based on this approach. I know a guy doing his PhD on this; it's a serious theory with guarantees.

      Though most of the time, I think the uselessness of it is that people just identify themselves directly, click "allow all tracking" because they don't care, and can't be arsed.

      1. Charles 9 Silver badge

        "Actually, the entire point of k-anonymity is to make it impossible to re-identify people based on this approach. I know a guy doing his PhD on this; it's a serious theory with guarantees."

        Nope. The article itself notes that it only assures anonymity given just the data given. All an attacker needs is a little more data to finish connecting the dots. Also, some data is innately identifying.

  6. Mike 137 Silver badge

    How about missing the point entirely?

    "because they're lucrative for the ad business, Google and other companies have been trying to come up with alternative tracking tech that passes muster with privacy regulators."

    The concentration on "cookies" has completely failed to recognise that it's the cross-domain tracking itself that's the problem, not the specific way it's done. There is no way this can be considered other than as an invasion of privacy.

    1. Falmari Silver badge

      Google Floc off

      @Mike "There is no way this can be considered other than as an invasion of privacy." Exactly it is not how you invade our privacy it's you're invading our privacy.

      So Google just take all you're privacy invading schemes and FloC off.

  7. Wade Burchette Silver badge

    FLoC

    FLoC correctly stands for "Filthy Lucre is our Choice". You can bet your life that Google will find a way to monetize your browsing habits. This idea of Google is not about privacy, but about doing what cookies used to do while using a new name nobody knows about. Many people have heard about cookies, but this is something new and not easy to remember.

    This is real simple: If I am tracked in any way, shape, or form, it is not going to satisfy my privacy requirements.

    1. alain williams Silver badge

      Re: FLoC

      More to the point: it would be usable by Google and others would not find it useful.

    2. LDS Silver badge

      Re: FLoC

      Google has just devised a way to take full control of the personal data business of those using Chrome - with FLoC it can keep out any third party tracker and only Google can track people - so all those looking for targeting advertising has to pay Google, and only Google, for it.

      It's just another attempt to build a monopoly of user data. Sure, the users products can see fewer trackers, but the tracking will be exactly like before - and less avoidable.

  8. Saul Dobney

    A missing dimension is that group-based systems may be vulnerable to knowledge leaking to other individuals in the group.

    To take an example, even with privacy barriers up, it is clear that companies target advertising and marketing by IP address. Technically, because the IP is an ISP provided address, individuals themselves cannot be identified, but Google et all know the approximate location of the users and can use this to target based on group-based interests. But what happens is that information leaks across the individuals in the group. Adverts that one of the individuals sees, will contain information and clues as to what neighbours have been searching for. So although the advertiser is technically acting anonymously, anonymity may be breached as other individuals in the group speculate on which of their neighbours is looking for certain items - for instance health related, new jobs etc.

  9. Howard Sway

    Fiendish levels of confuusion

    This proposal is designed to confuse people, and direct them into wasting their time discussing the complicated implications, rather than confronting what is really the intention : trying to get an ever greater majority of people to use Chrome. So it will be the company's browser that does the tracking and assigns you to your pigeonhole, possibly irreversibly and for ever, and without your knowledge of which pigeonhole you are in. The key quote is :

    "A browser with FLoC enabled would collect information about its user’s browsing habits, then use that information to assign its user to a 'cohort'"

    So the real question is do you want your software watching what you do and then passing a judgment on you? And would you be happy for other companies / governments to be aware of what 'cohort' you are in?

    1. babaganoush

      Re: Fiendish levels of confuusion

      Indeed. The interesting question is why anyone would actually install the piece of spyware called Chrome-FLoC ...

  10. aldolo

    problems for business apps

    cookies are not used for ads only. there are many business apps using them. my customers are in trouble even now with the latest same-origin policy. not to mention other "minor" changes in chrome who are breaking very old and very used behaviours

    1. SImon Hobson Silver badge

      Re: problems for business apps

      And which is a real problem everywhere - tools and techniques that are genuinely useful for legitimate and honest purposes are misused by scum with no interest but their own wealth. It's because some people can't be trusted that the rest of us can't have nice things.

  11. Tree
    Pirate

    I do not want GURGLE to know anything about me. A

    Ads ar ok. Tracking is not. GURGLE claims they will not let others know my info. Please. I do not want them to learn my info. I do mot trust them.

    1. Charles 9 Silver badge
      Mushroom

      Re: I do not want GURGLE to know anything about me. A

      Then got off the Internet, period. That's the only way to avoid them, as they hold more control over it than you. That's the long and short of it. If you want to do business with them, you're going to be tracked. Your only other option at that point is to simply walk away.

      1. ThatOne Silver badge

        Re: I do not want GURGLE to know anything about me. A

        > Then got off the Internet, period

        Going down without a fight isn't a solution either. Remember the late 1930ies in Europe: There was lots of "Well, whatcha gonna do" going around in European governments at that time. Until the problem came and bit them directly, after which they were all about doing something about it... It might be advisable to not wait till it's too late.

        I agree it's an uphill battle, but one which has to be fought if we want to keep living like humans, and not like cattle.

        1. Charles 9 Silver badge

          Re: I do not want GURGLE to know anything about me. A

          The problem with your scenario is you're currently playing a game of Global Thermonuclear War against an opponent willing to go MAD. Fight or no fight, as Rincewind would put it, you're still going to die. Your only hope is to change the game, meaning find alternatives to the Internet and other media prone to private control. If that's not possible...well, then we're staring down the avalanche at that point.

          1. ThatOne Silver badge

            Re: I do not want GURGLE to know anything about me. A

            > Your only hope is to change the game, meaning find alternatives to the Internet

            I beg to differ: Google/Facebook haven't (IMHO, yet) such a hold on Internet that you can't still excise them, or at least make them inoffensive less offensive.

            Besides, "alternatives to the Internet"? First of all, it took about half a century to get off the ground, and second, nowadays any alternative is bound to be controlled by Google/Facebook right from the start, making them even harder to remove than from the original Internet. You can run but you can't hide, so better make a stand and fight for your dignity.

            (Didn't downvote you.)

            1. Charles 9 Silver badge

              Re: I do not want GURGLE to know anything about me. A

              "I beg to differ: Google/Facebook haven't (IMHO, yet) such a hold on Internet that you can't still excise them, or at least make them inoffensive less offensive."

              And I disagree with your disagree. If it's not those two, it's other large players OR governments. Ronald Reagan once said that the worst words one can hear are, "I'm from the government and I'm here to help you." Well, when you're at the end of your rope, which would you rather have grab your hand before you tumble into the abyss: the government or the Really Big Corporation of America?

              "You can run but you can't hide, so better make a stand and fight for your dignity."

              If you can't hide, then you're up against a Panopticon and, like I said, you're staring at the avalanche at that point. Running isn't much of an option anymore as it's already outracing you, but neither is fighting something that big, as the odds of you coming out of an avalanche alive are quite small and tend to be unaffected by any actions you may take prior.

              1. ThatOne Silver badge

                Re: I do not want GURGLE to know anything about me. A

                > the odds of you coming out of an avalanche alive are quite small

                So, what's the solution, curl up and die? I agree that it's not easy, but it has to be tempted, because the alternative is much worse. You can't just accept the power of Google and Facebook over your and your children's life and destiny, it won't end well.

                As for the governments, they are (usually) not malicious, just very incompetent. They are way less profit-driven than private corporations, and (most of the time) less unscrupulous, since they (usually) need to keep their voters happy.

                Of course governments want to control the Internet too, because they always, since ever, wanted to keep tabs on the unruly masses (which tend from time to time to do harsh things, like behead their rulers...). The big difference is that modern governments answer to their voters (assuming those are not totally brainwashed), while corporations only answer to the greed of their shareholders. I personally would trust voters more than just pure unadulterated greed, but I admit that's me.

                1. Charles 9 Silver badge

                  Re: I do not want GURGLE to know anything about me. A

                  "So, what's the solution, curl up and die?"

                  Or pray, because that is pretty much all you have left.

                  "You can't just accept the power of Google and Facebook over your and your children's life and destiny, it won't end well."

                  What makes you think you have a choice in the matter? It's always been that way; we've just been living in denial for the last few tempestuous decades, but the PTB have gotten smart now, and it's coming back to bite us in the butt worse than a hungry croc.

                  1. ThatOne Silver badge

                    Re: I do not want GURGLE to know anything about me. A

                    > What makes you think you have a choice in the matter?

                    What I seriously think, is that you need professional help with your anxiety/self-esteem issues (Seriously, I'm not making fun or teasing you). Back to topic, there are two things we clearly don't (and most certainly won't) agree upon:

                    First, the assessment of the power of Google/Facebook. You seem to consider they are all-powerful and invincible, while I consider they are extremely powerful and thus not very vulnerable. But I think they can be brought down, because their power mostly resides on other people accepting it.

                    Second, the reaction to have facing overwhelming or even desperate odds. What does a cornered animal do? It makes a last stand! Since it is doomed, it has nothing to lose, so it will make the aggressor pay, even if it has no chance to win. Don't go down without a fight! Give them hell!

                    1. Charles 9 Silver badge

                      Re: I do not want GURGLE to know anything about me. A

                      "First, the assessment of the power of Google/Facebook. You seem to consider they are all-powerful and invincible, while I consider they are extremely powerful and thus not very vulnerable. But I think they can be brought down, because their power mostly resides on other people accepting it."

                      But it's not just them. Worse, they've written the playbook, it looks very clearly to be working, and the worst part is that it seem to rely on Stupid, and as a comedian once said, you can't fix Stupid because they're often too far gone to save...and there are a lot of them out there to take the rest of us with them. Even if these two disappear, others will take their place, and probably with more savvy.

  12. Pseu Donyme

    The writing is on the wall

    GDPR* recital 72 explicitly subjects profiling** to GDPR so it is hard to see how targeted ads based on user profiles could survive in the long run, especially under GDPR's consent regime***. I suppose it will take quite a while for this work its way trough the courts though if Facebook's efforts to obstruct**** are any indication. The first significant blow to Google seems to be coming sooner though:

    https://noyb.eu/en/data-transfers-us-and-insufficient-cookie-information-noyb-files-complaint-against-european.

    This seeks to enforce the recent ECJ 'Schrems II' judgment (in a nutshell: data transfers to the US are illegal due to insufficient data protection over there); the thing is that this particular complaint is on fast track to the ECJ (instead of the usual detour via national courts) because it is against the European Parliament (for an internal website apparently making use of Google Analytics, among other things).

    * https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN

    ** defined as: "any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements" (Article 4(4)).

    *** Article 7, in particular Article 7(4): "When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract."

    **** 7.5 years so far, might be coming to an end relatively soon though: https://noyb.eu/en/irish-dpc-agrees-decide-swiftly-facebooks-eu-us-transfers

  13. alain williams Silver badge

    A cookie by any other name will break privacy as much

    (Apologies to W Shakespeare)

    I think that part of the purpose is to evade the cookie laws in the EU, California & other places.

    So: back to normal for a few years while Google tracks everyone. It will take legislators many years to catch up ... I suspect that Google has draft a FLoC replacement for then.

  14. Anonymous Coward
    Anonymous Coward

    I'm not so sure...

    ..that all this surveillance and profilng of users is just to serve targeted ads.

    (Sees ad for aluminum foil pop up)

  15. Anonymous Coward
    Anonymous Coward

    google will do what google wants to do

    and to hell with the rest of us.

    The same goes for the like of Facebook, Microsoft, Amazon and all the other usual suspects. We all know who they are.

    They don't care about governments. They are bigger than many nation-states so why would the worry about a few politicians eh? (little or not so little back books containing all the sordid details that those politicos want to keep hidden really helps)

    These megacorps control so much of our lives that we now find it hard to avoid them and their mind-control games.

    Big Brother is alive and getting bigger each and every day.

  16. Pascal Monett Silver badge

    "Google [..] believes it can monitor FLoC"

    Of course it does. Google is going to believe anything that allows it to keep flinging targetted ads.

    Except that the problem is, it is the targetting that violates privacy. Doesn't matter how it's done, as Mike 137 says quite rightly.

    Get rid of targetted ads.

  17. big_D Silver badge

    Profile the site...

    Just profile the site and basta!

    Show me ads based on the content I'm viewing. You don't need to track me, you don't need to know anything more about me than the page I am currently viewing.

    1. Anonymous Coward
      Anonymous Coward

      Re: Profile the site...

      But if advertisers realise that, google/facebook lose their perceived value!

      1. big_D Silver badge

        Re: Profile the site...

        And? Who cares?

        1. Anonymous Coward
          Anonymous Coward

          Re: Profile the site...

          google and facebnok care, which is why we are in this situation! I was actually agreeing with you, and upvoted you!

          1. big_D Silver badge

            Re: Profile the site...

            Exactly. The post was supposed to be provocative.

            Yes, it is bad for the stock holders. But, too much these days is based around whether it harms the company, or more importantly its stock. If it could damage their income and profit, it is bad. Damage to the environment? Leave it, it would sink our stock price. Be fair to our users? Screw them, it would sink our stock price.

            The stock price mentality needs adjusting. We need to look at the sustainability of companies and a certain corporate "morality". Where companies are actually praised, on the stock market, for doing the right thing, instead of ignoring the right thing or doing the wrong thing, just for market cap.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021