Beyond Web Cookies: Google’s FLoC

A lone Canadian Goose sits among a flock of ducks sitting in the snow.
You’re about as “anonymous” as the goose in this flock with FLoC.
Image source – https://www.flickr.com/photos/see-through-the-eye-of-g/5480240484/ (CC BY 2.0)

It’s been a while since we last wrote about the many ways companies track users with cookies and beyond. This week we’re coming back to our “Beyond Web Cookies” series with the latest development in site tracking and why your library should consider opting out to protect patron privacy.

(Puns in this post are fully intended.)

Ditching the Cookie for the FLoC

 Web cookies come in several flavors, from session and persistent cookies to first- and third-party cookies. A cookie can track your behavior online, across sites, and collect personal information for marketing, advertising, and other purposes. End users can block cookies through various browser settings and plugins, but that blocking can only go so far when websites find alternative ways to track users beyond web cookies, such as privacy-invasive WordPress plugins. Nonetheless, the majority of companies rely on cookies to collect information for marketing and advertising to end-users. When end users block cookies, the company that relies on advertising revenue has limited options in creating targeted marketing.

Enter Google. Early in 2021, Google announced a new ad-tech called the Federated Learning of Cohort, or FLoC, that reports being less privacy-invasive than web cookies. This “privacy-first” technology aims to create large groups of people with similar interests based on browsing activity. Advertisers can then target these large groups grouped by topics without the possibility of identifying unique individuals through tracking data. Sounds too good to be true, right?

FLoC’ing Problems

While FloC promises a privacy-preserving way to continue making money through advertising, the ad-tech does not escape the potential of violating user privacy. The first problem is, well, Google. Google already has many ways to track users outside of Google Analytics through their products and sites that use Google APIs and services. As Shoshana Wodinsky points out, FLoC expands Google’s access to user data in the online advertising world, giving Google almost full unrestricted access to user data used for targeted advertising. Wodinsky points out that FLoC’s grouping of people by topics can lead the system to create groups of people around sensitive, personal topics. That grouping creates potential future harm and discrimination if these groups were part of a data leak or breach. Grouping people by topic will most likely increase predatory targeting, scams, and discrimination practices.

FLoC’s promise of privacy is weakened further by continuing the cross-site tracking behavior we find in web cookies, but with a twist. According to FLoC, the information gathered about a user’s browsing history can be matched up to other trackers that already have personally identifiable information. If a user logs into a site and doesn’t log back out for the duration of their browsing session, this service can potentially take the FLoC information and tie it back to the user account.

Getting the FLoC Out to Protect Patron Privacy

Google recently rolled out a “test” of FLoC to a random group of Chrome users. If you are not sure if you are in this test group, visit EFF’s Am I FloCed? to check if your Chrome browser has FLoC enabled. Google claims that there will be an opt-out option for Chrome users by April, but it’s late April and there is no sign of the opt-out option. Libraries can help patrons protect their privacy by disabling third-party cookies in the Chrome browser settings on public computers in addition to installing privacy-preserving browser plugins and privacy-preserving browsers such as Brave and Tor.

How can libraries protect patrons from having their activity tracked on library websites and services? Libraries that have some control over their library website can include an opt-out in the HTTP header of the library website. However, this might not be an option for libraries that do not have that level of control over their website or the server that hosts their library website. There are some workarounds to this, such as the FLoC opt-out plugins for WordPress (disclosure – LDH has installed the Disable FLoC plugin to opt-out of the FLoC test).

But what about vendor sites? You can use https://tanck.nl/floc-check/ to find out if a website has opted out of FLoC. Vendor sites that have not opted out of FLoC might not be aware that their website is included in this test. Use this opportunity to talk to your vendor about FLoC and ask how they will protect the privacy of your patrons on their site. This is also an opportunity to check your vendor’s privacy policy and contracts to find if your vendor is collecting patron data for advertising and marketing purposes. Now is the time to renegotiate those terms or start shopping for other vendors that better protect patron privacy if the vendor won’t budge on their use of patron data for advertising.

In short, FLoC doesn’t really replace cookies. Instead, it adds more personal information – some of it sensitive – into the targeted advertising environment controlled by one company. Because FLoC includes all websites into the FLoC test by default, libraries must take action to protect patron privacy now to ensure that patron data does not end up in the ever-growing collection of and access to user data by Google.

Deception by Design

Author’s note – This post uses “deceptive design” and “deceptive design patterns” instead of “dark patterns.” Read more about this choice in the “dark UX” entry of Intuit’s content design manual.

Take a moment to study the following toggle button for the following privacy setting for “Don’t Not Sell My Personal Information”:

The California Consumer Privacy Act (CCPA) Opt-Out Icon. A long rounded horizontal oval containing a blue checkmark on white on one side, and a white X on blue on the other side.
The official California Consumer Privacy Act (CCPA) opt-out icon. You might have guessed that I have Opinions on this design. You guessed correctly.

Now answer this – are we telling the business not to sell our data or telling them that it’s okay? Which symbol is selected? Is it the blue checkmark with the white background? Or is it the white X with the blue background?

Confusing, isn’t it?

That is just one example of deceptive design patterns. Deceptive design creates confusion, obfuscating options or creating barriers to trick and frustrate users into making decisions that are not in their best interests. These patterns serve many purposes, ranging from making users pay more for services and products to extract personal information from users. It’s hard for users to protect their privacy when they are not aware that the company or designer uses deceptive patterns to prioritize their benefit over the user’s privacy.

There are many types of deceptive design patterns that users encounter daily. While commercial businesses tend to get the most attention in deceptive design discussions, library products and services also engage in deceptive design patterns. These design choices put patron privacy at risk in several ways, including creating confusion with patrons around their data privacy choices and rights and the additional collection of patron data by both libraries and library vendors.

Let’s take a short tour of deceptive design patterns in practice in libraries:

Did you really turn it off? – Some electronic resource products have a setting that lets patrons “turn off” borrowing history. What patrons might not know, though, is that their borrowing history hasn’t turned off.  It’s just that they can no longer visibly track their history on the app or site. Here’s an example from the OverDrive app:

A privacy setting option in the Overdrive App: "History - Display your borrowing history, with the option to add and remove individual titles. Learn more. [hyperlinked]"
Image screenshot from the OverDrive app.

At first read, patrons might think that not checking this box will tell OverDrive not to track their borrowing history. If patrons don’t click on the “Learn More” link, they most likely won’t know that this option only hides their borrowing history and that their digital reading/listening is still being tracked by the company.

Public by default – Being a library service or product means that the default settings for any new user account would be private, right? Not exactly. Patrons creating user accounts on library websites and services might not be aware that their account is sharing information with the public. For example, despite many libraries’ requests, user accounts in BiblioCore default to publicly sharing patron activity, such as what items are on a patron’s shelves. Some libraries have tried to work around this default through log-in page messages, FAQs, and blog posts informing patrons to change their privacy settings.

Fill in the blank – Find a fill-in box, fill in the box? Library patrons filling out forms for library cards or user accounts might not realize that they do not have to provide all their data to use the library. Library card registrations are a very good example of where libraries collect more patron data than absolutely needed. (Libraries who still collect gender identity data, I’m looking at you.) What data does the application ask from patrons? How many of those data fields are absolutely necessary for creating a library account? Does the application process mark those fields as required, or are there no clear indicators as to which fields are required and which fields are optional?

“Pay” to play – Similar to “fill in the blank”, patrons might not realize that there are ways they can use the library without having to give up more of their data, such as using the classic version of the library catalog over the discovery layer that requires a separate user account. Nonetheless, many vendors, along with some libraries, actively encourage patrons to “pay” with their data if patrons want to make full use of their services or products. How many of your library’s electronic resources or services direct patrons to create user accounts even though an account isn’t required to use the service? Does the website contain clear and accessible messaging to patrons that they can use the resource or service without creating an account or submitting to web tracking?

These are only a selected sample of the deceptive design patterns you can find at your library. Do you have any examples of these deceptive patterns you’ve come across as either a patron or a library worker? Share them with us at newsletter@ldhconsultingservices.com and we’ll do a follow-up post! These examples can help libraries in identifying and resolving deceptive patterns that put patron privacy at risk.

Vendor Ethics and You, Or Giving a Damn About Who’s Sharing Your Patron Data

A red sticker on a metal utility pole reads "do you want a future of decency, equality, and real social justice"
Photo by Jon Tyson on Unsplash

The news cycle did not stop during our Cherry Blossom Break last week, alas. Last week LexisNexis signed a contract with U.S. Immigration and Customs Enforcement (ICE) to provide massive amounts of personal information, including financial data, consumer data (such as purchases), and criminal data. The data provided by LexisNexis captures a very intimate view of a person’s personal and public life. As Sam Biddle states in the investigative article about the contract, “While you can at least attempt to use countermeasures against surveillance technologies… it’s exceedingly difficult to participate in modern society without generating computerized records of the sort that LexisNexis obtains and packages for resale.” If you haven’t already done so, read the article to get a sense of the contract details.

It is not the first time LexisNexis has been under scrutiny for its personal data dealings. We wrote about LexisNexis back in 2019 about their relationship with ICE, including LexisNexis’s interest in building an “extreme vetting” immigration system. This interest did not go unnoticed or unchallenged, particularly from library workers who led the calls to boycott the company. The latest contract news has renewed calls for libraries and scholarly communities – such as this statement from SPARC – to question their relationships with businesses such as LexisNexis that increasingly play significant roles in surveillance systems through their roles as data brokers.

“But Becky,” you might say, “we don’t do business with LexisNexis or Thomson Reuters. As long as we don’t do business with them, we don’t have anything to worry about.” While your vendors may have escaped the public scrutiny that LexisNexis has received throughout the years, your vendors are most likely, at the very least, collecting and sharing patron data as part of their business model (e.g. surveillance capitalism). Read the vendor contract:

  • What patron data does the vendor collect from patrons? From the library?
  • Under what circumstances does the vendor disclose patron data to fourth parties?
  • Does the vendor reserve the right to resell patron data collected from patrons and the library, even in aggregated or “anonymized” form?
  • Does the vendor reserve the right to keep patron data, even in aggregated or “anonymized” form, after the end of the business relationship? For what purposes do they keep the data?

After reading the vendor contract (as well as the vendor privacy policy), you might have a sense as to how a vendor works with patron data; however, the contract and policy are not telling the entire story. While a contract might state a vendor’s right to disclose or resell data, the details about where that data’s going and how it’s going to be used are sparse. Vendors like LexisNexis have multiple revenue streams. Your vendor might have another product not targeted toward the library market but still uses patron data in ways in which can harm patrons. How can a library figure out if a vendor’s business model doesn’t violate patron privacy?

This is where ethics comes into play. The library profession has several codes of ethics, such as the codes from ALA and IFLA. Library vendors by default are not beholden to these codes; however, this does not mean that libraries cannot hold vendors to a level of ethical practices or standards before they will do business with them. For example, Auraria Library conducts a comprehensive ethics review of library vendors, ranging from privacy and accessibility to sustainability and diversity, using both consultants and an internal ethics questionnaire. At the end of their article detailing the review process, Auraria Library’s Katy DiVittorio and Lorelle Gianelli make a call to other libraries to proactively review their relationships with vendors and taking measures in encouraging vendors to adopt a business model that aligns with Corporate Social Responsibility. As we have encountered in the past, a critical mass of libraries demanding changes to a vendor’s practices can make that change happen. Having more libraries conduct ethics reviews of vendors can prompt vendors to change their business models if their current models cause libraries to do business elsewhere.

Where should libraries start with reviewing vendors’ business ethics? The Auraria Library review process is one place to start. Even creating a statement such as Auraria’s can start the conversation about vendor ethics at your library, particularly with library patrons who might be at higher risk for harm due to the vendor’s business practices. The selection process of the vendor relationship lifecycle can be modified to include a review of the vendor’s business model, including checking the vendor against the Library Freedom Institute’s Vendor Privacy Scorecard or scorecards from independent third parties such as EcoVadis (if one is on file, that is).  Vendor assessments and audits are other places where scorecards and metrics can be used. Being detailed about the appropriate uses of patron data in the vendor contract – including details around patron data collection, processing, retention, and disclosure – can give libraries some legal leverage in protecting patron data from questionable vendor business practices. The more libraries demand ethical business practices from their vendors, the more likely vendors will notice.

With these suggestions, however, comes a warning for libraries. Vendors might start marketing themselves as socially responsible or abiding by library ethics codes as more libraries ask for details about the ethics of a vendor’s business model. If a vendor’s marketing around social responsibility and ethics centers around legal compliance or if the marketing lacks specific details about their practices, then you might have a case of “ethics washing.”  Commonly encountered in tech companies, “ethics washing” can obscure or obfuscate problematic business practices through the use of savvy marketing tactics or pointing customers to one non-problematic area of the business while not drawing attention to a more problematic area (e.g. Google’s ethical AI work and, well, Google being Google). While it is tempting for libraries to accept vendors at their word through their marketing materials and sales pitches, it is not enough. Libraries must actively review vendor practices throughout the entire business relationship to ensure that the vendor’s ethics are in line with the ethics of the library profession.

In the end, libraries compromise their ability to live up to our professional ethics when working with vendors that violate those ethics. If libraries cannot or will not work with vendors that respect and uphold patron privacy, we as a profession then must have the difficult conversation about the inclusion of a patron’s right to privacy in our professional ethics codes. At the very least, we owe patrons the truth about the library’s data practices, including our relationships with vendors who use patron data in ways that can come back to harm them and not engage in ethics washing of our own.

Cherry Blossom Break

We’re taking some time to appreciate the cherry blossoms this week.

The Space Needle framed by blossoms on the cherry trees on the side of a road.
Image source: https://www.flickr.com/photos/punkjr/416092591/ (CC BY ND 2.0)
Blossoming cherry trees lining the sidewalks on the UW Seattle campus.
Image source: https://www.flickr.com/photos/brianholsclaw/25617194540/ (CC BY ND 2.0
Cherry blossoms partially covering the street signs for Maiden Lane and Madrona Drive in Seattle
Image source: https://www.flickr.com/photos/joebehr/8607884604/ (CC BY ND 2.0)

Take some time to appreciate the flower blossoms wherever you are – we’ll be back next week with the latest library privacy news and updates.

In the meantime…

Do you have a library privacy question for us? Email us at newsletter@ldhconsultingservices.com with your question or idea and we’ll feature it in a future newsletter. We also welcome guest writers for the newsletter. If you have an idea for a guest post, let us know for a chance to be featured on the blog. We look forward to your questions and ideas!