Why we left the FLoC

Why we left the FLoC

By Nate Eldridge. May 21st 2021

For decades, advertisers relied on third-party cookies to follow and understand how consumers behave online. These tracking data packets provided them with valuable information that helped them figure out how to target and display their ads. However, as users became more aware of the implications of ad surveillance, more and more tech companies started incorporating smart cookie-blocking technology to give them peace of mind.

As a result, many cookie laws and numerous ad-blocking apps started to emerge. This new norm has pretty much left the cookie tracking system to die. And, as the ad surveillance era seemingly comes to its end, Google has come up with some interesting ideas for data sources in the future of marketing. That's where the Federated Learning of Cohorts (FLoC) enters the picture.

The Privacy Sandbox is Google’s new proposal for how to conduct behavioral targeting without third-party cookies doing all the leg work. The FLoC might be the most dangerous element within this initiative. It’s meant to be the new way for browsers to do user profiling. It will observe and label what millions of people do online.

At Trustpage, we believe businesses should start paying more attention to their security policies as more data collection techniques like FLoC develop, and we believe that consumers have a right to online privacy. As the ad surveillance era faces its imminent death, we must demand more transparency. That's why we — and many other tech companies — are taking a stand against Google's FLoC in order to protect our users and stay true to our mission.

Now, before you jump to any conclusions, we want to start by making one thing very clear: Google's great at what they do, and we rely on many of their products and services to keep Trustpage going. But there are some things they've come up with that we fundamentally disagree with, FLoC being one of them. This doesn't make them evil, or a bad company, it just makes for an opportunity—we think—to improve.

What Is FLoC?

Before we define the future of ad tracking according to Google, let's get some context.

Google introduced the Privacy Sandbox initiative in 2019. This project presents an outline of what online privacy should look like in the near future. It pretends to replace cookies by instating protocols to fill the gap they'll leave behind — and by that, we mean to satisfy the needs of marketers and advertisers. It puts revenue ahead of user privacy.

Since Google’s announcement, the ideas behind its Privacy Sandbox, which includes FLoC, have been discussed in the Web Advertising Business Group of the World Wide Web Consortium (W3C). The issue here is that the Web Advertising Business Group is mainly composed of tech vendors, so there's an obvious conflict of interest.

Google and these other ad-tech representatives have come up with a myriad of proposals in which they design the functions FLoC will serve in the targeted advertising world once cookies are gone for good.

Defining FLoC

The Federated Learning of Cohorts (FLoc) is an API that will integrate with Chrome to replace third-party cookie tracking in helping marketers perform interest-based tracking. The project was announced in January 2020. It claims to offer several privacy advantages to internet users while still providing them with a tailored advertising experience.

How Does FLoC Work?

A browser with this controversial API enabled would gather data on people's browsing preferences and habits. This information would later be used to classify users into different groups. This way, people who have somewhat similar interests and browsing habits would belong to the same "cohort." Each member in a group would have their own cohort ID, which would later be used by different sites to better target their ads.

Every cohort would represent an audience made up of thousands of users. Its members would all have things in common, helping the FLoC SimHash algorithm — a technology that estimates similarities between sets — classify them more accurately.

However, as if this whole cohort analysis approach wasn't dystopic enough, FLoC would also have a pretty comprehensive summary of who users are, what they like, what they recently searched for, and more.

Initially, Google experimented with 8-bit identifiers, which compare data of up to eight bits and offer a low output when a match is made. This method yielded a limited possible number of cohorts, as they were limited to 256. Yet, new documentation hints the number of cohorts will be much higher. After all, the more cohorts there are, the more specific the data on their users can become.

There's no conclusive information about how small each cohort might be or whether some groups will be blended together if they don't have enough members.

The SimHash algorithm is meant to recalculate cohorts within the FLoC every week using the most recent information from the previous weekly cycle. This method would make cohorts only useful for short-term identification. However, the accumulated data would result in a more robust indicator of user habits over the long haul.

Cohort Assignment, Step by Step

FLoC decides which users belong in which cohort applying the following method:

‌1. Cohort Creation

The FLoC algorithm generates numerous interest groups and assigns a unique cohort ID to each one.

‌2. Cohort ID Assignment

When a user searches for something through a browser equipped with the FLoC API, the algorithm determines the most suitable cohort for them. Users will be assigned to the same cohort if their interests are similar enough.

‌3. Advertiser Access

Once a user gets assigned to a specific cohort, their cohort ID will follow them from one site to another. This way, every time a user visits a site, they're giving advertisers access to the latest data FLoC has gathered about the habits, interests, and behavior of their cohort.

When the ad platform provider gains access to a user's cohort information, they can determine which ads are the most relevant for them. Sites and ad platform providers will be able to learn:

  • Numerous cohort IDs
  • Interest-based data of all browser users with the same ID
  • Other behavior-based data provided by the advertiser‌

Is This a Good Idea?

The idea of having no more third-party cookies sounds great. But surveillance will still be there, potentially at a closer (and more harmful) distance.

This innovation from Google might be more than users and businesses bargained for. It may create new privacy risks we're not prepared to handle just yet. FLoC will increase the opportunities that behavior-based ads have to discriminate against or harass their audience, among other things.

Also, let's not forget that Google is one of the internet titans that have allowed the old ad trackers to make it this far. It might not have its priorities straight or the user's best interests at heart. Now it firmly believes it has come up with a good solution to the impending cookiepocalypse. But can we trust it will work?

The Premise and the Promises

The FLoC aims to help advertisers succeed without neglecting the privacy of millions of users attempting to navigate their favorite sites online. Google’s intentions are seemingly good: stopping data brokers and big ad tech companies from profiting off of user information with zero accountability. Yet, here's where the transparency issues start.‌

Is Google Reinventing the Ad-Tracking Wheel?

Google is sustaining this scheme on two concepts: the so-called "new tracking" vs. "old tracking." It claims people will be able to choose between these two alternatives when they're actually interchangeable. ‌

At the end of the day, new and old tracking are both behavior surveillance. Trying to rebrand it doesn't take away the many problems targeted ads bring to the table. Google is not coming up with a new idea. It’s just marketing it under a new label, and it's insulting to users to assume they can’t tell the difference. People want no tracking, plain and simple.

Keeping Advertising Alive and Well

Google has stated that advertising is fundamental to keeping the web alive and open to all users. However, these users need a solid guarantee that their identities and sensitive data will stay safe during and after their online experience. We can't help but worry about transparency when it comes to privacy and security matters after the implementation of FLoC's cohort system.

Are We Standing in the Middle of a Crossroads?

There's no denying that third-party cookie tracking is maybe one of the worst mistakes of the digital era. However, with this technology becoming obsolete, internet users stand before two possible scenarios.

In the first, somewhat utopic, scenario, FLoC will allow people to share their information freely with full knowledge of what the tracking system is gathering. Users will be able to hand-pick the data they're willing to share and which sites they share it with, giving them the peace of mind that only comes from knowing their information won't be used to manipulate them.

The second scenario’s crude reality is much more likely to happen. In it, the data collected by FLoC will become a cloud that follows each user across the web and shares information indiscriminately from one site to another. Their user history will serve as some sort of presentation card that comes up every time the user begins a new online interaction.

The second scenario is why we must cut behavioral targeting off at the root. Google should instead invest its time and resources into finding a new way to build a healthy internet environment — one in which users come first so that they can thrive.

Everything Wrong with FLoC

As good as the FLoC suite might look on paper, it's very vulnerable to privacy breaches and flaws. Here's how implementing this cookieless alternative might impact data security over time:

Browser Fingerprinting

With browser fingerprinting, trackers can create a unique identifier for a specific browser. This means that over time they can recognize the different habits of each browser and distinguish particular users. This information is often unethically used to target ads.

Fingerprinting is nothing new. However, FLoC might facilitate fingerprinting attacks by providing the right information to the wrong people. Google has asserted that cohorts identify vast groups and won’t single out its users. However, trackers would only have to go through the few thousand users in a group to find what they're looking for rather than navigating millions of users as was necessary before FLoC came along.

Context Breaches

FLoC provides easy, indiscriminate access to an individual's browsing data, including their history and general interests. When a user accesses sites that require signing in or entering personally identifiable information (PII), these sites could easily record their cohort ID, making it more possible that their data gets leaked.

Besides browsing habits, FLoC might inadvertently reveal:

  • Age
  • Gender
  • Race
  • Political affiliation
  • Sexual preference

‌This information will be served to trackers on a silver platter, sparing them the effort of tracking users across the web. Over time, sites will be able to identify changes in the behavior of certain users online. This issue strips users of their right to share the information they want in different contexts. It presents a "naked," unfiltered version of them on every site they visit.

Here's how to block FLoC

Given that so many of us use Google products and services in our everyday lives, finding a comprehensive way out of FLoC won't be easy, but there is a quick way any website can help: The addition of a simple bit of code to a website's header will block FLoC on the domain, and it only takes a few minutes to implement. We did this to trustpage.com on May 19th, 2021, which you can verify here.

Just add this string to the header of your website to block FLoC:

permissions-policy: interest-cohort=()

As for the everyday user, the easiest way to block FLoC is to not use Google Chrome.

If that's not feasible, there are a few settings you can adjust within Chrome to block FLoC:

  1. Opt out of syncing history data
  2. Block third-party cookies
  3. Disable "Web & App" activity
  4. Disable ad personalization

Work With a Company You Can Trust

At first glance, FLoC might seem like a pretty good idea — that is, of course, until it's not. Again, Google does a lot of great things, some of which we use at Trustpage, but FLoC just isn't one of them. That's why many platforms, including Trustpage, have decided to avoid this problematic API altogether. We believe the internet should be a surveillance-free place where users can decide what data they share and with whom.

At Trustpage, we practice what we preach. We know that we don't need to put our users and visitors under a microscope, and our own Trust Center proves that we don't track you. As you may have noticed, we don’t even use a cookie banner, because our anti-cookie stance allows us not to have one. We've blocked FLoC from our website, and encourage other companies to do the same.

Protect your business with a reliable and surveillance-free Trust Center from Trustpage, and get your customers to trust you with their data.


Nate Eldridge is the Senior Marketing Manager at Trustpage. After work, you can find him kayaking. He lives in Connecticut.

Join the community: 🐦 👔

Copyright © 2021 Trustpage. All rights reserved.