“A nearly impenetrable thicket of geekitude…”

No FLoC Here

Posted on May 10, 2021 at 16:21

Every HTTP request to this site now includes the following header in the response:

Permissions-Policy: interest-cohort=()

Read on for the rant explaining why.

I think it’s fair to say that HTTP cookies have turned out to be more trouble than anyone expected when they were introduced as a simple state mechanism for the web. That’s mostly because they have been hijacked by the advertising industry as a way of persistently tracking people across web properties. Attempts to legislate this privacy nightmare away by requiring “informed consent” have not helped at all: we’re still being tracked, and now we have to navigate intentionally hostile “consent” popups.

One way of making things slightly better is to try and constrain cookies to the less harmful use cases by eliminating third-party tracking cookies. Some browsers now do this by default. There are some downsides to this approach because the legitimate uses of third-party cookies are thrown out with the tracking bathwater, but there’s enough of a trend there that the advertising industry is looking for something new to get back to their desired “you bought shoes over there, let me show you many more adverts for shoes on every other site you visit” status quo.

Enter Google, with FLoC (Federated Learning of Cohorts). The basic idea here is that your browser will assign you to a cohort of people who have recently visited the same web sites. This assignment of a cohort identifier will allow our civilisation’s slow approach to the shoe event horizon to continue unabated, as if that whole “worrying about our privacy” thing was just a passing phase.

I concur with the EFF’s assessment that FLoC Is a Terrible Idea. On some axes, it’s “more private” than the current advertising ecosystem. On other axes (such as the potential for fingerprinting) it’s much worse. But the most important issue is that the problem is not the cookies, it’s the targeted ads. FLoC is just a new mechanism to track people for the purposes of targeted advertising because the old one is becoming unviable. It solves a problem for the advertising industry, not a problem for web users.

FLoC requires your browser to support it, compute your cohort ID and send it to web sites. Most browser vendors have rejected FLoC, but of course Google’s Chrome browser has a large market share today and lack of support from anyone else may not cool Google’s ardour. FLoC also currently proposes some limits to the technology, such as the choice of the cohort size and only including web sites that a heuristic says present ads. None of these limits are convincing: parameters will undoubtedly be tweaked in favour of the advertising industry if the initial parameters give unacceptable results by not enabling enough targeting for their business model to be preserved.

The FLoC proposal (currently) contains an opt-out mechanism for web sites: if a Permissions-Policy header is returned containing interest-cohort=() then that site won’t be included. This site now includes such a header, so the very small number of people visiting Technology Stir Fry need not be concerned that their visits will be held against them, at least not by FLoC, and in particular can’t be used for fingerprinting.
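As an added example that is not part of the original post, the following Python checks whether a response's headers actually carry this opt-out, distinguishing the empty allowlist `()` from values such as `(self)` or `*` that would still permit cohort calculation; the sample headers are constructed, and the parser is a simplified reading of the Permissions-Policy dictionary syntax rather than a full structured-field implementation.

```python
# Added example (not from the original post): check that response headers carry
# the FLoC opt-out, Permissions-Policy: interest-cohort=(). Only an empty
# allowlist "()" disables the feature; "*", "self" or an origin list does not.
import re
from typing import Dict, List, Tuple


def parse_permissions_policy(value: str) -> Dict[str, List[str]]:
    """Parse 'feature=(allowlist), feature2=*' into {feature: [tokens]}.

    An empty token list means the feature is disabled for every origin. Simplified
    reading of the syntax: quoted origins are unquoted, and a directive with no
    allowlist at all is not treated as an opt-out.
    """
    policy: Dict[str, List[str]] = {}
    # Split on commas that sit outside parentheses (inner lists are space separated).
    for item in re.split(r",(?![^()]*\))", value):
        item = item.strip()
        if not item:
            continue
        feature, _, allow = item.partition("=")
        allow = allow.strip()
        if allow.startswith("(") and allow.endswith(")"):
            tokens = allow[1:-1].split()
        else:
            tokens = [allow] if allow else ["?"]  # single token, or no allowlist given
        policy[feature.strip().lower()] = [t.strip('"') for t in tokens]
    return policy


def floc_opted_out(headers: List[Tuple[str, str]]) -> bool:
    """True only if the combined Permissions-Policy headers set interest-cohort=().

    Header names match case-insensitively; repeated headers are joined with commas
    as HTTP allows, so a later directive overrides an earlier one.
    """
    values = [v for name, v in headers if name.lower() == "permissions-policy"]
    if not values:
        return False
    return parse_permissions_policy(",".join(values)).get("interest-cohort") == []


# Constructed sample responses, shaped like urllib's resp.getheaders() output.
SAMPLE_HEADERS = {
    "opted_out": [("Content-Type", "text/html"), ("Permissions-Policy", "interest-cohort=()")],
    "combined": [("permissions-policy", "geolocation=(), camera=(self)"),
                 ("Permissions-Policy", "interest-cohort=( )")],
    "self_only": [("Permissions-Policy", "interest-cohort=(self)")],
    "missing": [("Permissions-Policy", "geolocation=()")],
}
```

To check a live site, pass the list returned by `urllib.request.urlopen(url).getheaders()` to `floc_opted_out`.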

This is of course largely symbolic: there’s no long-term guarantee that Chrome will honour this header. I think it’s worth making the statement nevertheless, as Chrome is undoubtedly listening and reporting home.

If you want to know more about FLoC, I’d recommend starting with the EFF article. If you are a Chrome user, you can try the Am I FLoCed? site to see if you’ve been silently enrolled in the technology trial.