Will FLoC get Google off the privacy hook?


As Google faces a class-action lawsuit over tracking in Chrome's Incognito mode, the company is promising a new API to replace third-party cookies.

Federated Learning of Cohorts (FLoC) forms part of Chrome's Privacy Sandbox set of APIs, aimed at preserving anonymity. Rather than using third-party cookies, it works by placing users into different cohorts - groups of users with similar browsing habits and common interests.

While the Chrome browser will still track which sites are visited, the information will be kept on users' devices, with only the information about the larger groups shared for advertising purposes. This means that users will receive ads tailored to the group as a whole, rather than their own individual interests.

ADVERTISEMENT

As a user's interests change, so may their cohort, with cohorts being updated every seven days.

"Once third-party cookies are phased out, we will not build alternate identifiers to track individuals as they browse across the web, nor will we use them in our products," writes David Temkin, Google's director of product management, ads privacy and trust, in a blog post

"Instead, our web products will be powered by privacy-preserving APIs which prevent individual tracking while still delivering results for advertisers and publishers."

The company plans to make FLoC-based cohorts available for public testing through origin trials with its next release this month, and to start testing FLoC-based cohorts with advertisers in Google Ads during the second quarter.

The first set of new user controls will be made available in April, and will be expanded as trials and feedback continue.

Will FLoC improve privacy?

"In a nutshell, FLoC may be a band-aid, but it won’t be the fix-all solution to keep Google off the hook, privacy-wise," says Inna Ushakova, CEO and co-founder at mobile ad fraud detection firm Scalarr.

"What’s more, inevitably this change in privacy will exacerbate the problem of ad fraud. By removing third-party cookies, it makes it much easier for ad fraud to pose as real traffic, meaning that businesses will need to be extra alert."

ADVERTISEMENT

And according to the Electronic Frontier Foundation (EFF), the draft specification for FLoC still leaves much up in the air.

While a user’s cohort ID will be available via Javascript, for example, it’s unclear whether there will be any restrictions on who can access it, or how the ID will be shared. Nor is the size of cohorts specified.

"This might be a marginal improvement to the status quo, but still does not solve the privacy issues, nor other issues like discrimination and competition," says EFF director of consumer privacy engineering Andrés Arrieta.

Meanwhile, it's possible that advertisers will be able to use fingerprinting - gathering enough separate pieces of information from a user’s browser to be able to reliably identify it - if cohorts aren't large enough.

Google is still not in the clear

Google's move comes as the company faces a lawsuit over its use of tracking in Chrome - a lawsuit that has now been expanded to include Privacy Sandbox. Google is 'trying to hide its true intentions behind a pretext of privacy,' alleges the complaint.

"Generally speaking, FLoC may help Google find a good compromise to handle personal data privacy," says Ushakova. "But recent reports show that the tech giant may still be subject to face the consequences of questionable privacy practices, like users being tracked while in 'Incognito' mode."