Monday, December 27, 2021

FLoC and Manifest V3

Dieter Bohn:

If Google sticks to its roadmap, by this time next year Chrome will no longer allow websites to use third-party cookies, which are cookies that come from outside their own domains. The change theoretically makes it vastly more difficult for advertisers to track your activities on the web and then serve you targeted ads. Safari and Firefox have already blocked those cookies, but when it comes to market share, Chrome is currently the leader and so its switchover is the big one.


And so today, the company is forging ahead with an “origin trial” for one of these new technologies, the Federated Learning of Cohorts (FLoC). In an origin trial, websites are able to begin testing without asking browser users to turn on specific flags. The feature itself will be slowly turned on inside Chrome via the usual process of introducing it into developer builds, then beta, then finally in the shipping version most people use.


FLoC will be part of that privacy sandbox and further should protect your identity by only associating you with a cohort if that cohort is sufficiently large. Chrome will also change what FLoC cohort your browser is associated with on a regular basis, say once a week or so.


But whether FLoC is actually anonymous is very much up for debate. Bennett Cyphers at Electronic Frontier Foundation recently put up a handy post detailing some of the biggest concerns with FLoC.

Dieter Bohn (Hacker News):

Google is going it alone with its proposed advertising technology to replace third-party cookies. Every major browser that uses the open source Chromium project has declined to use it, and it’s unclear what that will mean for the future of advertising on the web.

See also: Amazon (Hacker News), Brave, DuckDuckGo (Hacker News), GitHub (Hacker News), Vivaldi, WordPress (Hacker News).

Paramdeo Singh:

The primary way an end-user can avoid being FLoC’d is to simply not use Chrome, and instead choose a privacy-respecting browser such as Mozilla Firefox.

But website owners can also ensure that their web servers are not participating in this massive network by opting-out of FLoC.

To do so, the following custom HTTP response header needs to be added[…]

Eric Rescorla (via Hacker News):

Although any given cohort is going to be relatively large (the exact size is still under discussion, but these groups will probably consist of thousands of users), that doesn’t mean that they cannot be used for tracking. Because only a few thousand people will share a given cohort ID, if trackers have any significant amount of additional information, they can narrow down the set of users very quickly. There are a number of possible ways this could happen[…]

Daly Barnett (tweet, Hacker News):

Manifest V3, Google Chrome’s soon-to-be definitive basket of changes to the world of web browser extensions, has been framed by its authors as “a step in the direction of privacy, security, and performance.” But we think these changes are a raw deal for users. We’ve said that since Manifest V3 was announced, and continue to say so as its implementation is now imminent. Like FLoC and Privacy Sandbox before it, Manifest V3 is another example of the inherent conflict of interest that comes from Google controlling both the dominant web browser and one of the largest internet advertising networks.

Manifest V3, or Mv3 for short, is outright harmful to privacy efforts. It will restrict the capabilities of web extensions—especially those that are designed to monitor, modify, and compute alongside the conversation your browser has with the websites you visit. Under the new specifications, extensions like these– like some privacy-protective tracker blockers– will have greatly reduced capabilities. Google’s efforts to limit that access is concerning, especially considering that Google has trackers installed on 75% of the top one million websites.


Update (2022-01-26): Paul Wagenseil (via John Gruber):

Google has ditched its planned user-profiling system, FLoC, and is instead developing a new system called Topics, the company announced today (January. 25).

Comments RSS · Twitter

Leave a Comment