SecureMac, Inc.

What is Google’s FLoC (and does it harm privacy)?

April 20, 2021

What is Google’s FLoC? In this article, we’ll explain what FLoC is, why it may be a privacy threat, and how to check for it in your browser.



Google’s FLoC is a web browser technology designed to collect user data without using tracking cookies. Google says that FLoC will allow companies to serve targeted ads to people based on their interests, while at the same time preserving their privacy. Critics disagree, saying that FLoC “materially harms privacy” and calling it “a terrible idea”.

In this article, we’ll answer some of the most common questions about FLoC, including:

What is Google’s FLoC?

FLoC (Federated Learning of Cohorts) is intended to replace the third-party cookies that websites and advertisers currently use to track and profile you. With FLoC, your web browser itself would monitor your web activity, and help create a marketing profile for you based on your behavior.

A FLoC-enabled browser would use machine learning to observe your web activity and place you in a “cohort” with other users who have similar web browsing patterns. FLoC wouldn’t assign you a unique identifier, though — just the same generic “cohort ID” as everyone else in your cohort.

Your web browser would then share your cohort ID with websites and third-party ad networks. This would allow advertisers to show you targeted ads based on your perceived interests. In theory, each cohort would contain so many users (all lumped together by behavior) that a cohort ID couldn’t be used to identify an individual user. 

So that’s what Google’s FLoC is. But why are so many people calling it a privacy threat? Well, it turns out that FLoC could still harm user privacy in some pretty serious ways:

FLoC is an invasion of privacy (by design)

Google is presenting FLoC as an improvement over the current tracking cookie paradigm. But it’s worth asking a very basic question here: What is Google’s FLoC really designed for? The answer is pretty clear: FLoC is intended to track and profile you, and serve you ads based on this tracking. 

So while FLoC may be better than tracking cookies, it’s hardly anyone’s definition of genuine privacy. To give just one practical example of how FLoC could impact user privacy, consider what might happen if you shared a computer with other people in your household. Ads based on your browsing activity could very easily reveal details of your personal life to others — details that you might prefer to keep private.

FLoC overshares with sites that already know you

As privacy researchers at Brave web browser point out, FLoC may also give websites that know you far more information than they would ordinarily have. 

For example, at the moment, if you have an online account with some company, that company is probably going to have some information about you: the personal details you gave them when you signed up, a record of your activity on their site, and your order history. With FLoC, however, the company would not only have all of that, but also data about you based on your full web browsing history!

FLoC could make browser fingerprinting easier

In addition, FLoC could threaten user privacy via browser fingerprinting. Web browsers transmit all kinds of information to websites — things like what browser and version you’re using, what plugins or add-ons you have installed, information about your system and your hardware, and much more. Taken individually, none of those data points is enough to identify any one user. But lots of different data points, taken together, produce a “browser fingerprint” — a profile of one particular browser that’s different enough from all the others that it can be used to identify individual users.

Researchers at the Electronic Frontier Foundation (EFF), a digital privacy watchdog group, say that FLoC “gives fingerprinters a massive head start”, because:

If a tracker starts with your FLoC cohort, it only has to distinguish your browser from a few thousand others (rather than a few hundred million).
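
The size of that head start can be measured as an anonymity set: the number of browsers that look identical on a given set of data points. The simulation below is an added example, not code from the EFF, Google or the original article; the population size, the 100 cohorts and the attribute cardinalities in `SHAPE` are constructed assumptions, chosen so that a cohort holds a couple of thousand browsers.

```javascript
// Added illustration: every value below is constructed, not measured.
// Deterministic PRNG (mulberry32) so the simulation is reproducible.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6D2B79F5) | 0;
    let t = Math.imul(a ^ (a >>> 15), 1 | a);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Assumed cardinalities: 100 cohorts plus three coarse attributes of the
// kind a browser routinely exposes to sites.
const SHAPE = { cohort: 100, browserVersion: 8, timezone: 24, screen: 10 };

function buildPopulation(size, seed) {
  const rand = mulberry32(seed);
  return Array.from({ length: size }, () => {
    const browser = {};
    for (const k of Object.keys(SHAPE)) browser[k] = Math.floor(rand() * SHAPE[k]);
    return browser;
  });
}

// Anonymity set: how many browsers are indistinguishable from `target` on `keys`.
function anonymitySet(population, target, keys) {
  return population.filter(b => keys.every(k => b[k] === target[k])).length;
}

// Bits of further information needed to single out one member of a set.
function bitsRemaining(setSize) {
  return Math.log2(setSize);
}

function compare(size = 200000, seed = 2021) {
  const pop = buildPopulation(size, seed);
  const target = pop[0]; // the browser whose privacy we are measuring
  const attrs = ["browserVersion", "timezone", "screen"];
  return {
    population: size,
    cohortOnly: anonymitySet(pop, target, ["cohort"]),
    attrsOnly: anonymitySet(pop, target, attrs),
    attrsPlusCohort: anonymitySet(pop, target, ["cohort", ...attrs]),
  };
}

for (const [label, n] of Object.entries(compare())) {
  console.log(label.padEnd(16), String(n).padStart(7), bitsRemaining(n).toFixed(1), "bits left");
}
```

With these assumed numbers, the three coarse attributes alone leave the target hidden among roughly a hundred browsers, while adding the cohort ID shrinks that group to a handful.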

Have I been opted in to FLoC?

Right now, FLoC is just a proposed web standard. However, Google has already started testing it in their Chrome browser. Unfortunately, they did this by “opting in” a small group of Chrome users from around the world … without telling them. If you use Chrome, and want to see if you’re part of the FLoC test, EFF has a free web tool that can help. 

If you find that your browser is running FLoC, you can opt out by erasing and disabling all third-party cookies. You can find your Chrome browser’s cookies settings by going to Settings > Privacy and security > Cookies and other site data. 

Does FLoC affect other browsers?

At the moment, Chrome is the only browser that uses FLoC — and as mentioned above, this is just part of a trial run. But Google has proposed FLoC as a web standard, which means that it could one day be adopted by other browsers.

However, there has already been substantial pushback to FLoC from web browser vendors. Brave vehemently opposes it, and Mozilla (makers of the Firefox web browser) issued a statement expressing skepticism about FLoC and saying that they have no plans to implement it. Browser manufacturers Opera and Vivaldi have also gone on record saying that they won’t implement FLoC.

As for Safari, Apple hasn’t made any definitive public statement about the issue, but it’s hard to imagine the company going along with anything like FLoC — especially after introducing so many privacy features in Safari just last year. 
