Federated Learning of Cohorts

Summary

Federated Learning of Cohorts
StatusIn testing
Year started2021
OrganizationGoogle
SeriesPrivacy Sandbox
AbbreviationFLoC

Federated Learning of Cohorts (FLoC) is a type of web tracking through federated learning. It groups people into "cohorts" based on their browsing history for the purpose of interest-based advertising.[1][2] Google began testing the technology in the Chrome browser in March 2021 as a replacement for third-party cookies, which it plans to stop supporting in Chrome by early 2023. FLoC is being developed as a part of Google's Privacy Sandbox initiative,[3] which includes several other advertising-related technologies with bird-themed names.[1][4]: 48 

As of April 2021, every major browser aside from Google Chrome that is based on Google's open-source Chromium platform has declined to implement FLoC. The technology has been criticized on privacy grounds by groups including the Electronic Frontier Foundation and DuckDuckGo, and has been described as anti-competitive; it has generated an antitrust response in multiple countries as well as questions about General Data Protection Regulation compliance.

Function

The Federated Learning of Cohorts algorithm analyzes users' online activity within the browser, and generates a "cohort ID" using the SimHash algorithm[5] to group a given user with other users who access similar content.[6]: 9  Each cohort contains several thousand users in order to make identifying individual users more difficult,[7] and cohorts are updated weekly.[8] Websites are then able to access the cohort ID using an API[6]: 9  and determine what advertisements to serve.[9] Google does not label cohorts based on interest beyond grouping users and assigning an ID,[1] so advertisers need to determine the user types of each cohort on their own.[4]: 47 

The process used to generate cohorts without sending user browsing data outside the device is similar to the method behind Google's predictive keyboard.[4]: 46 

Testing

Google began testing FLoC in the Chrome browser in March 2021[8] as a replacement for third-party cookies,[10] which Google plans to stop supporting in Chrome by mid-2023.[11] (Initially Google announced plans to remove third-party cookies by late 2021,[9] then postponed it to early 2022,[2] and then to 2023 due to delay of FLoC technology.) The initial trial turned on FLoC for 0.5% of Chrome users across 10 countries:[8] the United States, Australia, Brazil, Canada, India, Indonesia, Japan, Mexico, New Zealand and the Philippines.[12] Users were automatically placed in the trial and were not notified, but could opt out by turning off third-party cookies. The initial trial did not include users in the United Kingdom or the European Economic Area due to concerns about legality under the area's privacy regulations.[13]

Reactions

Google claimed in January 2021 that FLoC was at least 95% effective compared to tracking using third-party cookies, but AdExchanger reported that some people in the advertising technology industry expressed skepticism about the claim and the methodology behind it.[14] As every website that opts into FLoC will have the same access about which cohort the user belongs to, the technology's developers say this democratises access to some information about a user's general browser history, in contrast to the status quo, where websites have to use tracking techniques.[15][5]

The Electronic Frontier Foundation has criticized FLoC, with one EFF researcher calling the testing of the technology in Chrome "a concrete breach of user trust in service of a technology that should not exist" in a post on the organization's blog.[16][17] The EFF also created a website which allows Chrome users to check whether FLoC is being tested in their browsers.[18] The EFF criticized the fact that every site will be able to access data about a user, without having to track them across the web first.[19] Additionally on the EFF blog, Cory Doctorow praised Chrome's planned removal of third-party cookies, but added that "[just] because FLoC is billed as pro-privacy and also criticized as anti-competitive, it doesn’t mean that privacy and competition aren’t compatible", stating that Google is "appointing itself the gatekeeper who decides when we’re spied on while skimming from advertisers with nowhere else to go."[20]

On April 10, 2021, the CEO of DuckDuckGo released a statement telling people not to use Google Chrome, stating that Chrome users can be included in FLoC without choosing to be and that no other browser vendor has expressed interest in using the tracking method.[21] The statement said that "there is no such thing as a behavioural tracking mechanism imposed without consent that respects people’s privacy" and that Google should make FLoC "explicitly opt-in" and "free of dark patterns".[22] DuckDuckGo also announced that its website will not collect FLoC IDs or use them to target ads,[23] and updated its Chrome extension to block websites from interacting with FLoC.[21]

Brave, a web browser built on the Chromium platform, criticized FLoC in a blog post on April 12, 2021, and announced that it would be disabled in the Brave browser and not accessed by the Brave website.[24] The blog post, co-written by the company's CEO Brendan Eich, described Google's efforts to replace third-party cookies as "Titanic-level deckchair-shuffling" and "a step backward from more fundamental, privacy-and-user focused changes the Web needs."[25][26]

Tech and media news site The Verge noted that not all possible repercussions of FLoC for ad tech are known, and that its structure could benefit or harm smaller ad tech companies, noting specifically that larger ad tech companies may be better equipped to "parse what FLoCs mean and what ads to target against them."[1]

On April 18, 2021, a WordPress development team proposal suggested disabling FLoC by default on WordPress websites over possible privacy issues. The proposal stated that "WordPress powers approximately 41% of the web."[27][28]

On April 27, 2021, GitHub disabled FLoC on their websites, including github.com and GitHub Pages domain github.io by introducing HTTP header Permissions-Policy: interest-cohort=(). However, GitHub Pages websites with custom domains are not affected.[29][30]

In June, 2021, Amazon disabled FLoC on all websites of its companies, including its online store amazon.com, Whole Foods, Zappos, and Woot. Specialists speculated that Amazon staff might have decided to block FLoC not out of concern for user privacy, but rather as a strategic move to keep user data away from Google.[31]

Every major browser based on Google's open-source Chromium platform (other than Google Chrome) had declined to implement FLoC, including Microsoft Edge, Vivaldi, Brave, and Opera.[32]

In May 2021, The Economist reported that it may be hard for Google to "stop the system from grouping people by characteristics they wish to keep private, such as race or sexuality."[8]

Fingerprinting concerns

In May 2021, The Economist said some critics have suggested that the cohort system will facilitate fingerprinting of individual devices, compromising privacy.[8]

Wired magazine additionally reported that FLoC could "be used as a point of entry for fingerprinting".[7]

Mozilla, the creators of the Firefox browser, expressed concerns that FLoC can be used as an additional fingerprinting vector. Furthermore, they stated that a user's FLoC group can be tracked during multiple visits and correlated via different means and, based on a user's membership in multiple FLoC cohorts, a website might be able to infer information about the user which FLoC aimed to keep private. Since a FLoC cohort is shared across websites, its ID might be abused as an alternative to a unique cookie in third-party contexts.[33]

Antitrust response

In July 2020, the United Kingdom's Competition and Markets Authority found that the FLoC proposal "place[s] the browser in a vital gatekeeper position for the adtech ecosystem."[34]

In March 2021, 15 attorneys general of U.S. states and Puerto Rico amended an antitrust complaint filed in December; the updated complaint says that Google Chrome's phase-out of third-party cookies in 2022[35] will "disable the primary cookie-tracking technology almost all non-Google publishers currently use to track users and target ads. Then [...] Chrome, will offer [...] new and alternative tracking mechanisms [...] dubbed Privacy Sandbox. Overall, the changes are anticompetitive".[36][37]

In June 2021, EU antitrust regulators launched a formal investigation to assess whether Google violated competition rules, with a focus on display advertising, notably whether it restricts access to user data by third parties while reserving it for its own use. Among the things that will be investigated is Google's plan to prohibit the placement of third-party cookies and replace them with the Privacy Sandbox set of tools.[38]

GDPR compliance

As of April 2021, Google was not testing FLoC in the United Kingdom or the European Economic Area due to concerns about compliance with the General Data Protection Regulation and the ePrivacy Directive.[39][13][40]

Johannes Caspar, the Data Protection Commissioner of Hamburg, Germany, told Wired UK that FLoC "leads to several questions concerning the legal requirements of the GDPR," explaining that FLoC "could be seen as an act of processing personal data" which requires "freely given consent and clear and transparent information about these operations." A spokesperson of the French National Commission on Informatics and Liberty said that the FLoC system would require "specific, informed and unambiguous consent".[39]

As of April 2021, the Irish Data Protection Commission, which is the lead data supervisor for Google under GDPR,[13] was consulting with Google about the FLoC proposal.[39]

References

  1. ^ a b c d Bohn, Dieter (March 30, 2021). "Privacy and ads in Chrome are about to become FLoCing complicated". The Verge. Retrieved April 10, 2021.
  2. ^ a b Burgess, Matt (March 24, 2021). "Google's rivals are fighting back against Chrome's big cookie plan". Wired UK. ISSN 1357-0978. Retrieved April 10, 2021.
  3. ^ Lomas, Natasha (March 24, 2021). "Google isn't testing FLoCs in Europe yet". TechCrunch. Retrieved April 10, 2021.
  4. ^ a b c Geradin, Damien; Katsifis, Dimitrios; Karanikioti, Theano (November 25, 2020). "Google as a de facto Privacy Regulator: Analyzing Chrome's Removal of Third-party Cookies from an Antitrust Perspective". Tilburg Law and Economics Center. Rochester, NY (DP2020-038). doi:10.2139/ssrn.3738107. ISSN 1572-4042. S2CID 234583355. SSRN 3738107.
  5. ^ a b Cyphers, Bennett (March 3, 2021). "Google's FLoC Is a Terrible Idea". Electronic Frontier Foundation. Retrieved April 13, 2021.
  6. ^ a b Geradin, Damien; Katsifis, Dimitrios (February 19, 2020). "Taking a Dive Into Google's Chrome Cookie Ban". Tilburg Law and Economics Center. Rochester, NY (DP2020-042). doi:10.2139/ssrn.3541170. ISSN 1572-4042. S2CID 216269022. SSRN 3541170.
  7. ^ a b Nield, David (May 9, 2021). "What's Google FLoC? And How Does It Affect Your Privacy?". Wired. ISSN 1059-1028. Retrieved May 19, 2021.
  8. ^ a b c d e "Why is FLoC, Google's new ad technology, taking flak?". The Economist. May 17, 2021. ISSN 0013-0613. Retrieved May 19, 2021.
  9. ^ a b Morris, Ian (April 1, 2021). "Google Chrome FLoC is replacing cookies — what it means for your privacy". Tom's Guide. Retrieved April 10, 2021.
  10. ^ Bruell, Alexandra (March 16, 2021). "Five Things We Know About Google's Ad Changes After Cookies". Wall Street Journal. ISSN 0099-9660. Retrieved April 10, 2021.
  11. ^ Amadeo, Ron (June 24, 2021). "Google delays FLoC rollout until 2023". Ars Technica. Retrieved June 29, 2021.
  12. ^ Clark, Kendra (May 17, 2021). "DuckDuckGo, Firefox & GitHub say 'no FLoCing way' to Google's privacy updates". The Drum. Retrieved May 19, 2021.
  13. ^ a b c Lomas, Natasha (March 24, 2021). "Google isn't testing FLoCs in Europe yet". TechCrunch. Retrieved May 1, 2021.
  14. ^ Schiff, Allison (January 26, 2021). "The Industry Reacts To Google's Bold Claim That FLoCs Are 95% As Effective As Cookies". AdExchanger. Retrieved April 10, 2021.
  15. ^ "Federated Learning of Cohorts (FLoC)". GitHub. Retrieved April 13, 2021.
  16. ^ "EFF technologist cites Google "breach of trust" on FLoC; key ad-tech change agent departs IAB Tech Lab". Information Trust Exchange Governing Association. Retrieved April 10, 2021.
  17. ^ Cyphers, Bennett (March 30, 2021). "Google Is Testing Its Controversial New Ad Targeting Tech in Millions of Browsers. Here's What We Know". Electronic Frontier Foundation. Retrieved April 10, 2021.
  18. ^ Lekach, Sasha (April 11, 2021). "Chrome users, check if Google is tracking you with new targeted advertising". Mashable. Retrieved April 11, 2021.
  19. ^ Davis, Wendy (March 17, 2021). "Google Plan For Cookie-Less Targeting Is Anticompetitive, States Claim". MediaPost. Retrieved April 10, 2021.
  20. ^ Doctorow, Cory (April 21, 2021). "Fighting FLoC and Fighting Monopoly Are Fully Compatible". Electronic Frontier Foundation. Retrieved May 1, 2021.
  21. ^ a b "DuckDuckGo is asking people to block Google's new tracking method". Hindustan Times. April 10, 2021. Retrieved April 11, 2021.
  22. ^ Saroha, Aditya (April 12, 2021). "Google's new ad tracking tool called into question by rival search engine". The Hindu. ISSN 0971-751X. Retrieved April 12, 2021.
  23. ^ Khan, Sieeka (April 10, 2021). "Google to Launch Replacement for Third-Party Cookies, and DuckDuckGo Wants to Block it". Tech Times. Retrieved April 12, 2021.
  24. ^ Thurrott, Paul (April 12, 2021). "Brave is Blocking Google FLoC". Thurrott.com. Retrieved April 13, 2021.
  25. ^ Varghese, Sam. "Brave browser chiefs slam Google's new experimental ad-targeting tech". IT Wire. Retrieved April 13, 2021.
  26. ^ Snyder, Peter; Eich, Brendan (April 12, 2021). "Why Brave Disables FLoC". Brave blog. Retrieved April 13, 2021.
  27. ^ Carike (April 18, 2021). "Proposal: Treat FLoC like a security concern". WordPress. Retrieved April 20, 2021.
  28. ^ Schoon, Ben (April 19, 2021). "WordPress could turn FLoC off by default". 9to5Google. Retrieved April 20, 2021.
  29. ^ "GitHub disables Google FLoC user tracking on its website". BleepingComputer. Retrieved June 2, 2021.
  30. ^ "GitHub Pages: Permissions-Policy: interest-cohort=() Header added to all pages sites". The GitHub Blog. April 27, 2021. Retrieved June 2, 2021.
  31. ^ "Amazon is blocking Google's FLoC — and that could seriously weaken the system". Digiday. June 15, 2021. Retrieved July 17, 2021.
  32. ^ Bohn, Dieter (April 16, 2021). "Nobody is flying to join Google's FLoC". The Verge. Retrieved April 17, 2021.
  33. ^ Rescorla, Eric (June 10, 2021). "Privacy analysis of FLoC". The Mozilla Blog. Retrieved June 12, 2021.
  34. ^ "Appendix G: the role of tracking in digital advertising" (PDF). Online platforms and digital advertising: Market study final report (Report). Competition and Markets Authority. July 1, 2020. p. 116.
  35. ^ Robertson, Adi (March 16, 2021). "Google antitrust suit takes aim at Chrome's Privacy Sandbox". The Verge. Retrieved April 13, 2021.
  36. ^ Holt, K (December 16, 2020). "Texas announces a multi-state antitrust suit against Google". Engadget. Retrieved April 13, 2021.
  37. ^ Masnick, Mike. "Google's Efforts To Be Better About Your Privacy, Now Attacked As An Antitrust Violation". Techdirt. Retrieved April 13, 2021.
  38. ^ Brodkin, Jon (June 22, 2021). "EU antitrust regulators launch probe into Google's FLoC plan". Ars Technica. Retrieved June 22, 2021.
  39. ^ a b c Burgess, Matt (April 29, 2021). "Google's plan to eradicate cookies is crumbling". Wired UK. ISSN 1357-0978. Retrieved May 1, 2021.
  40. ^ Lepitak, Stephen; Southern, Lucinda; Shields, Ronan (March 24, 2021). "Google's Post-Cookie Targeting Plans Hit GDPR Hurdle". AdWeek. Retrieved May 1, 2021.

External links

  • Am I FLoCed?—EFF website reporting to users if FLoC is enabled[1]
  • FLoCs explained at the Privacy Sandbox Initiative website
  • More detailed
  • FLoC Origin Trial & Clustering – infos from the Chromium project
  1. ^ Lekach, Sasha (April 11, 2021). "Chrome users, check if Google is tracking you with new targeted advertising". Mashable. Retrieved April 11, 2021.