Google wants to change the way we're tracked around the web, and given the widespread use of its Chrome browser, the shift could have significant security and privacy implications. But the idea has been less well received by companies that aren't Google.
The technology in question is FLoC, or Federated Learning of Cohorts, to give it its full and rather confusing name. It aims to give advertisers a way of targeting ads without exposing details on individual users, and it does this by grouping people with similar interests together: football fans, truck drivers, retired travelers, or whatever it is.
"We started with the idea that groups of people with common interests could replace individual identifiers," writes Google's Chetna Bindra. "This approach effectively hides individuals 'in the crowd' and uses on-device processing to keep a person’s web history private on the browser."
These groups (or "cohorts") are generated through algorithms (that's the "federated learning" bit), and you'll get put in a different one each week—advertisers will only be able to see its ID. Any cohorts that are too small will get grouped together until they have at least several thousand users in them, to make it harder to identify individual users.
FLoC is based on the idea of a Privacy Sandbox, a Google-led initiative for websites to request certain bits of information about users without overstepping the mark. Besides FLoC, the Privacy Sandbox covers other technologies too: gor preventing ad fraud, for helping website developers analyze their incoming traffic, for measuring advertising effectiveness, and so on.
Google wants FLoC to replace the traditional way of tracking people on the internet: cookies. These little bits of text and code are stored on your computer or phone by your browser, and they help websites figure out if you've visited before, what your site preferences are, where in the world you're based, and more. They can be helpful for both websites and their visitors, but they're also heavily used by advertisers and data brokers to build up patterns of our browsing history.
As Google points out, cookie tracking has become more and more invasive. Embedded, far-reaching trackers known as third-party cookies keep tabs on users as they move across multiple websites, while advertisers also use an invasive technique called fingerprinting to know who you are even with anti-tracking measures turned on (through your use of fonts, or your computer's ID, your connected Bluetooth devices or other means).
Companies including Apple are already fighting back against this kind of tracking, primarily by simply blocking it altogether without the express permission of users (Apple is taking a similar approach with apps). Google would prefer to continue to allow targeted advertising while keeping users anonymous, and it wants to replace cookies with FLoC by 2022—but the idea has been met with a wave of opposition from other parties.
Bennett Cyphers of the Electronic Frontier Foundation admits the need to do away with cookies, but calls FLoC a "terrible idea" that's just as bad. "The technology will avoid the privacy risks of third-party cookies, but it will create new ones in the process," writes Cyphers. "It may also exacerbate many of the worst non-privacy problems with behavioral ads, including discrimination and predatory targeting."
The EFF—and many others—would rather do away with targeted advertising altogether. In other words, online advertisers don't know anything about your preferences or habits, and everybody sees the same ads as they browse around the internet. Fundamentally, the argument goes, any kind of targeting is both invasive and discriminatory.
Makers of the popular Vivaldi browser aren't supporting FLoC either: They describe it as a "privacy-invasive tracking technology" that's just as bad as what it's replacing. As the Vivaldi team points out, a FLoC ID is still presenting your private browsing history to other advertisers, even if it is in aggregated, anonymized form; and it gives even more power to Google as it develops both FLoC and the popular Chrome browser.
There are problems with FLoC that are acknowledged on all sides. As it groups users in clumps of thousands, it can still be used as a point of entry for fingerprinting, as long as ad tech companies find ways to identify you from those other people—this is something Google is promising to tackle, but not as quickly as it's promising to implement FLoC. There are also dangers that FLoC data could be combined with other indicators (like a site sign-in) to further erode privacy and anonymity online.
Google is pushing ahead. Version 89 of Chrome included a test run for FLoC, and you may already have been enrolled without your knowledge: Head to the Am I FLoCed? website run by the EFF to check. If you are part of the trial and don't want to be, go to the Chrome Settings pane and choose Privacy and security, then Cookies and other site data, and check the Block third-party cookies option to disable FLoC. (You can also install this extension from DuckDuckGo to block FLoC.)
Microsoft, Apple, and Mozilla are still very much on the fence about FLoC: It's possible that their browsers may eventually adopt the technology, but it looks as though FLoC will need to be a lot tighter from a security and privacy point of view, and a lot more transparent for users, before other major browsers besides Chrome are going to adopt it. It's also not yet clear if FLoC clears the GDPR data regulations in Europe—for now, Google isn't testing the tech in European countries.
With third-party cookies now blocked by default by a lot of users and a lot of browsers, anyone who makes a lot of money out of targeted advertising—Google, Facebook, ad tech companies—are keen to get a replacement in place. Whether or not a replacement is actually needed, or if FLoC is it, depends on your point of view, but if you're firmly in the "no" camp then you might want to avoid Google Chrome for your web browsing for the foreseeable future.