EFF urges Google to ground its FLoC: 'Pro-privacy' third-party cookie replacement not actually great for privacy

Targeted advertising is bunk anyway

Maybe I'm getting old and delusional but didn't it used to be possible to advertise without creepy espionage? Like if you bought a copy of Anglers' Times you could expect to see adverts for fishing waders and no one needed to know your innermost thoughts and secrets. The only cookies kept on you could fit in a lunch box. And while on the subject this is not a problem with cookies per se, if cookies were outlawed Facebook would still exist and would still record everything about you and then sell it to criminals like Cambridge Analytica. The "accept cookies" banners we're all forever clicking on were a response to demands of the GDPR but the GDPR never said you have to agree to cookies to view a website. Ironically you can no longer view a website about GDPR without first clicking on an "accept cookies" banner.

Obligatory and timely XKCD, https://xkcd.com/2432/

It would seem to give you less control

Mostly you have to give people choices about cookies these days (at least in GDPR-land, California, etc.) which means that typically there is an option in small print on the cookie banner to allow you to make more fine-grain choices - typically essential ones are prechecked otherwise the website will collapse in a heap of springs and cogs, secondly functional ones (meaning analytics, etc.), lastly advertising ones... you have to opt-in to last two categories they cannot be pre-ticked... OK, generally people will do the usual thing and click accept without going into the fine-grain options.

Ah, we have put you in with the other hamster-porn aficionados.

Hopefully, there is a FloC-off option.

As an example, Englehardt cited how more than 30m Americans have diabetes. "While we’re very unlikely to re-identify any of those users based solely on the knowledge that they have diabetes, I suspect we can agree that nearly every individual in this group would not want this information used by advertisers," he said.

Maybe there's a group for how affluent one is? e.g. Earns more than 100K.

And a more specific, but still generalised location, e.g. State, Rhode Island.

And several interest groups, Gaming, Adventure Sports, Sports Cars, Motorbikes, Romance Novels, SciFi/Fantasy Movies, Sports (maybe even specific sports, Football, Grid Iron, Tennis, Cricket, Baseball, Hurley, Rounders, Cross-country skiing, Water ski-ing, Snooker, Ice Hockey, etc.).

So, how many people would match the set of:

Diabetic, Rhode Island, Affluent, Romance Novels, Rounders, Cricket ? Not many I'm willing to bet.

And the more groups there are, the matching becomes even narrower, say you add age brackets and gender and gender identity to those sets. Along with information like browser agent strings, pretty soon you are going to be able to track specific individuals anyway.

How about missing the point entirely?

"because they're lucrative for the ad business, Google and other companies have been trying to come up with alternative tracking tech that passes muster with privacy regulators."

The concentration on "cookies" has completely failed to recognise that it's the cross-domain tracking itself that's the problem, not the specific way it's done. There is no way this can be considered other than as an invasion of privacy.

FLoC

FLoC correctly stands for "Filthy Lucre is our Choice". You can bet your life that Google will find a way to monetize your browsing habits. This idea of Google is not about privacy, but about doing what cookies used to do while using a new name nobody knows about. Many people have heard about cookies, but this is something new and not easy to remember.

This is real simple: If I am tracked in any way, shape, or form, it is not going to satisfy my privacy requirements.

A missing dimension is that group-based systems may be vulnerable to knowledge leaking to other individuals in the group.

To take an example, even with privacy barriers up, it is clear that companies target advertising and marketing by IP address. Technically, because the IP is an ISP provided address, individuals themselves cannot be identified, but Google et all know the approximate location of the users and can use this to target based on group-based interests. But what happens is that information leaks across the individuals in the group. Adverts that one of the individuals sees, will contain information and clues as to what neighbours have been searching for. So although the advertiser is technically acting anonymously, anonymity may be breached as other individuals in the group speculate on which of their neighbours is looking for certain items - for instance health related, new jobs etc.

Fiendish levels of confuusion

This proposal is designed to confuse people, and direct them into wasting their time discussing the complicated implications, rather than confronting what is really the intention : trying to get an ever greater majority of people to use Chrome. So it will be the company's browser that does the tracking and assigns you to your pigeonhole, possibly irreversibly and for ever, and without your knowledge of which pigeonhole you are in. The key quote is :

"A browser with FLoC enabled would collect information about its user’s browsing habits, then use that information to assign its user to a 'cohort'"

So the real question is do you want your software watching what you do and then passing a judgment on you? And would you be happy for other companies / governments to be aware of what 'cohort' you are in?

problems for business apps

cookies are not used for ads only. there are many business apps using them. my customers are in trouble even now with the latest same-origin policy. not to mention other "minor" changes in chrome who are breaking very old and very used behaviours

The writing is on the wall

GDPR* recital 72 explicitly subjects profiling** to GDPR so it is hard to see how targeted ads based on user profiles could survive in the long run, especially under GDPR's consent regime***. I suppose it will take quite a while for this work its way trough the courts though if Facebook's efforts to obstruct**** are any indication. The first significant blow to Google seems to be coming sooner though:

https://noyb.eu/en/data-transfers-us-and-insufficient-cookie-information-noyb-files-complaint-against-european.

This seeks to enforce the recent ECJ 'Schrems II' judgment (in a nutshell: data transfers to the US are illegal due to insufficient data protection over there); the thing is that this particular complaint is on fast track to the ECJ (instead of the usual detour via national courts) because it is against the European Parliament (for an internal website apparently making use of Google Analytics, among other things).

* https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN

** defined as: "any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements" (Article 4(4)).

*** Article 7, in particular Article 7(4): "When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract."

**** 7.5 years so far, might be coming to an end relatively soon though: https://noyb.eu/en/irish-dpc-agrees-decide-swiftly-facebooks-eu-us-transfers

A cookie by any other name will break privacy as much

(Apologies to W Shakespeare)

I think that part of the purpose is to evade the cookie laws in the EU, California & other places.

So: back to normal for a few years while Google tracks everyone. It will take legislators many years to catch up ... I suspect that Google has draft a FLoC replacement for then.

I'm not so sure...

..that all this surveillance and profilng of users is just to serve targeted ads.

(Sees ad for aluminum foil pop up)

google will do what google wants to do

and to hell with the rest of us.

The same goes for the like of Facebook, Microsoft, Amazon and all the other usual suspects. We all know who they are.

They don't care about governments. They are bigger than many nation-states so why would the worry about a few politicians eh? (little or not so little back books containing all the sordid details that those politicos want to keep hidden really helps)

These megacorps control so much of our lives that we now find it hard to avoid them and their mind-control games.

Big Brother is alive and getting bigger each and every day.

"Google [..] believes it can monitor FLoC"

Of course it does. Google is going to believe anything that allows it to keep flinging targetted ads.

Except that the problem is, it is the targetting that violates privacy. Doesn't matter how it's done, as Mike 137 says quite rightly.

Get rid of targetted ads.

Profile the site...

Just profile the site and basta!

Show me ads based on the content I'm viewing. You don't need to track me, you don't need to know anything more about me than the page I am currently viewing.