Beyond Web Cookies: Google’s FLoC

A lone Canadian Goose sits among a flock of ducks sitting in the snow.
You’re about as “anonymous” as the goose in this flock with FLoC.
Image source – https://www.flickr.com/photos/see-through-the-eye-of-g/5480240484/ (CC BY 2.0)

It’s been a while since we last wrote about the many ways companies track users with cookies and beyond. This week we’re coming back to our “Beyond Web Cookies” series with the latest development in site tracking and why your library should consider opting out to protect patron privacy.

(Puns in this post are fully intended.)

Ditching the Cookie for the FLoC

 Web cookies come in several flavors, from session and persistent cookies to first- and third-party cookies. A cookie can track your behavior online, across sites, and collect personal information for marketing, advertising, and other purposes. End users can block cookies through various browser settings and plugins, but that blocking can only go so far when websites find alternative ways to track users beyond web cookies, such as privacy-invasive WordPress plugins. Nonetheless, the majority of companies rely on cookies to collect information for marketing and advertising to end-users. When end users block cookies, the company that relies on advertising revenue has limited options in creating targeted marketing.

Enter Google. Early in 2021, Google announced a new ad-tech called the Federated Learning of Cohort, or FLoC, that reports being less privacy-invasive than web cookies. This “privacy-first” technology aims to create large groups of people with similar interests based on browsing activity. Advertisers can then target these large groups grouped by topics without the possibility of identifying unique individuals through tracking data. Sounds too good to be true, right?

FLoC’ing Problems

While FloC promises a privacy-preserving way to continue making money through advertising, the ad-tech does not escape the potential of violating user privacy. The first problem is, well, Google. Google already has many ways to track users outside of Google Analytics through their products and sites that use Google APIs and services. As Shoshana Wodinsky points out, FLoC expands Google’s access to user data in the online advertising world, giving Google almost full unrestricted access to user data used for targeted advertising. Wodinsky points out that FLoC’s grouping of people by topics can lead the system to create groups of people around sensitive, personal topics. That grouping creates potential future harm and discrimination if these groups were part of a data leak or breach. Grouping people by topic will most likely increase predatory targeting, scams, and discrimination practices.

FLoC’s promise of privacy is weakened further by continuing the cross-site tracking behavior we find in web cookies, but with a twist. According to FLoC, the information gathered about a user’s browsing history can be matched up to other trackers that already have personally identifiable information. If a user logs into a site and doesn’t log back out for the duration of their browsing session, this service can potentially take the FLoC information and tie it back to the user account.

Getting the FLoC Out to Protect Patron Privacy

Google recently rolled out a “test” of FLoC to a random group of Chrome users. If you are not sure if you are in this test group, visit EFF’s Am I FloCed? to check if your Chrome browser has FLoC enabled. Google claims that there will be an opt-out option for Chrome users by April, but it’s late April and there is no sign of the opt-out option. Libraries can help patrons protect their privacy by disabling third-party cookies in the Chrome browser settings on public computers in addition to installing privacy-preserving browser plugins and privacy-preserving browsers such as Brave and Tor.

How can libraries protect patrons from having their activity tracked on library websites and services? Libraries that have some control over their library website can include an opt-out in the HTTP header of the library website. However, this might not be an option for libraries that do not have that level of control over their website or the server that hosts their library website. There are some workarounds to this, such as the FLoC opt-out plugins for WordPress (disclosure – LDH has installed the Disable FLoC plugin to opt-out of the FLoC test).

But what about vendor sites? You can use https://tanck.nl/floc-check/ to find out if a website has opted out of FLoC. Vendor sites that have not opted out of FLoC might not be aware that their website is included in this test. Use this opportunity to talk to your vendor about FLoC and ask how they will protect the privacy of your patrons on their site. This is also an opportunity to check your vendor’s privacy policy and contracts to find if your vendor is collecting patron data for advertising and marketing purposes. Now is the time to renegotiate those terms or start shopping for other vendors that better protect patron privacy if the vendor won’t budge on their use of patron data for advertising.

In short, FLoC doesn’t really replace cookies. Instead, it adds more personal information – some of it sensitive – into the targeted advertising environment controlled by one company. Because FLoC includes all websites into the FLoC test by default, libraries must take action to protect patron privacy now to ensure that patron data does not end up in the ever-growing collection of and access to user data by Google.

Cookie Break

LDH is proud to announce that it will now serve cookies to our blog readers! Enjoy your digital cookie without guilt! Just be sure that you don’t leave any crumbs trailing behind you as you munch away while browsing the Web…

… yeah, we thought that was a cheesy* early April Fool’s joke, too.

With April Fool’s Day in a few days, let’s take a moment to appreciate the lighter side of data privacy. Cookies are a perennial privacy humor topic by the very nature of its name, and the infamous cookie banner has become the focus of many privacy humor skits. This skit answers the question of what happens when you hit a cookie wall when you want a cookie recipe:

Do you remember all those “We’ve Updated Our Privacy Policy” emails in May 2018 as GDPR came into enforcement? There’s a meme for that:

There are times where humor can educate users about data privacy, but only when it is done well and within an appropriate context. An example of this comes from The Onion. Another example is the segment from an Adam Ruins Everything episode explaining the cost of using “free” internet services:

[Yes, we are fully aware of the irony of linking to a YouTube video of this segment.]

We can’t forget that humor has a time and place for it to be effective, though. More often than not, humor backfires like Mark Zuckerberg’s joke about Facebook privacy at their developer conference in 2019. Going back to the beginning of this post, cookies are the subject of many privacy jokes because of the nature of the web tracker’s name. It’s an easy joke that doesn’t take much effort to think about, but the lack of thinking through a joke can leave users more frustrated with the person telling it than not. The context of when you use humor matters – cookie popups are already confusing and frustrating to end-users, and a joke in the popup is more likely to backfire than lighten the end user’s mood. And because the web tracker’s name is already confusing to end-users, joking that your staff like chocolate chip cookies in the popup banner doesn’t tell users anything about what the actual web tracker cookie does.

In short, humor has its place in communicating important privacy topics when done thoughtfully and within an appropriate context. Your privacy notice and cookie banners are not places for humor, but instead places where you need to be clear about your privacy practices and what the user can do to protect their privacy. This doesn’t mean that all data privacy jokes are off-limits. You can still serve cookies (accommodating for dietary considerations!) in the library staff area to start a discussion or awareness program about web tracking – but be mindful of your audience and the context of data privacy humor when attempting to add some levity to end-user communications.

* Cheesy cookies are a thing and are as delicious as their sweet counterparts.