31 votes

Google’s FLoC is a terrible idea

12 comments

  1. [12]
    UniquelyGeneric
    Link
    Google has sent shockwaves through adtech with their recent announcement to not support any alternative / email based IDs to replace cookies. While it can be debated whether companies own user...

    Google has sent shockwaves through adtech with their recent announcement to not support any alternative / email based IDs to replace cookies. While it can be debated whether companies own user data that is freely given up, the hypocrisy in their announcement is that Google will still continue to use their email-based data to track their users.

    Not only is it a highly anti-competitive move, the EFF also highlights just how dangerous the alternative they offer is for user privacy. Never before has collecting someone’s psychographics been so readily available.

    With enough personal data to augment with the behavioral, many companies in the future will be able to build an entire longitudinal profile of you without your knowledge. You don’t even have to be the one broadly exposing data to be implicated: your peers in your cohort can be more loose with protecting their privacy and expose your own demographic details without your input. This is akin to FB users selling out their friends via Cambridge Analytica’s personality test honeypot.

    This is a truly disturbing development and a far cry from “Don’t be evil.”

    8 votes
    1. [9]
      skybrian
      Link Parent
      I’m not particularly worried about it being anticompetitive when the people complaining are adtech firms. Google at least has some incentive to please its users, and is being watched by everyone....

      I’m not particularly worried about it being anticompetitive when the people complaining are adtech firms. Google at least has some incentive to please its users, and is being watched by everyone. Adtech firms are a thicket of often-shady companies that most people haven’t even heard of, and they work solely for advertisers.

      Who do you think is going to attempt to do the fingerprinting?

      2 votes
      1. [8]
        UniquelyGeneric
        (edited )
        Link Parent
        My fear with it being anticompetitive is that we would be entrusting almost all digital advertising (read: the revenue that keeps most of the open web alive) to run through Google. It already...
        • Exemplary

        My fear with it being anticompetitive is that we would be entrusting almost all digital advertising (read: the revenue that keeps most of the open web alive) to run through Google. It already accounts for 52% of global digital ad spend, and it's gearing up to get even more market share by showcasing how it can do better targeting on its own web properties (because, despite headlines saying they "won't sell ads that track you," those don't apply to Google owned properties: rules for thee, not for me).

        In Europe there is legislation that adtech companies have been earnestly trying to adhere to proper opt-in models. Google has basically signaled that this is all a waste of time, and has fired the starting shot for the race to the bottom. Adtech companies' hands are now forced into fingerprinting just to survive. Many won't (read: people will lose their jobs), and the ones that do will be shadier than ever.

        Google at least has some incentive to please its users

        What happens when we all submit our digital autonomy to the almighty Google? It's a company that has a long track record of not caring about user-loved products/features when it no longer suits their capitalistic goals. It will have even more power when there's even less competition. What happens to people too poor to afford iPhones? The alternative is Android or no phone at all. What's the alternative to YouTube? Do we truly think Firefox can continue to be a viable alternative to Chrome with an already dwindling user base? I personally use DDG whenever possible, but the average user probably isn't even aware of its existence.

        What happens to dissenters Google does not approve of? Many were happy when Trump got deplatformed, but what about investigative journalists or whistleblowers decrying Google's practices? It's already in their playbook, and they've already shown they're more than willing to kowtow to China's censorship for the sake of profits.

        Google has a history of creating web standards under the farce of an open source community, and sideskirting web standards bodies' approval process. Google's AMP was shoved down the industry's throats, forcing publishers to give up their relationship with their users, and giving Google more data to harvest (they also stopped branding it as "Google AMP" to avoid giving the impression that it was a framework solely for Google's benefit). FLoC is just the next iteration of a "standard" that no one else gets meaningful input on.

        This may all sound like a slippery slope, but this is already the world we currently live in. Google's decision has decided to accelerate these trends and capture more market share for their ever-growing monopoly on the web. Their future censorship may come as a seemingly innocuous de-prioritization from search results, which is a death knell for publishers (and the reason they could force AMP adoption).

        The remains of the open web would be a dangerous place, full of unscrupulous business looking to prey on users. Google out of its paternalistic benevolence could seek to ramrod a new Internet standard (given that they run most of the Internet anyways) to "protect" users on the open web and shepherd them back to the "safe" environment of Google's walled garden (a term they are attempting to whitewash away) where their browsing history can be exploited for the capitalist machine we've boiled ourselves alive in.

        3 votes
        1. [5]
          skybrian
          (edited )
          Link Parent
          The way I see it is that Federated Learning of Cohorts needs to be judged on its own merits: should it be added to browsers or not? Yes, it's true that it's proposed by Google. Many good ideas...

          The way I see it is that Federated Learning of Cohorts needs to be judged on its own merits: should it be added to browsers or not? Yes, it's true that it's proposed by Google. Many good ideas come out of Google. HTTP/3 was based on a Google proposal, for example.

          The fingerprinting argument is true of many web standards. Browsers weren't designed to prevent fingerprinting and for many years, nobody worried about it. I think it's reasonable to look for ways for browsers to avoid fingerprinting, and perhaps FLoC could be improved in this respect? But I'm not sure fingerprinting can be entirely prevented without essentially starting over.

          The thing is, there's no reasonable way to discuss its merits as a web standard unless you buy into the premise that web advertising should exist and it's okay, good even, for it to be somewhat customized to users' interests. And at the same time, advertisers need to get much less data about users. As the user's agent, the browser seems like a good place to enforce this, and if the user doesn't want it, they can turn it off.

          This is a compromise position that isn't going to appeal to anyone who just wants all advertising to go away, never mind its effect on web sites' revenue. But they can turn it off and install an ad blocker instead. It's also true that it pisses off advertisers and ad tech companies who like the status quo, but I'm okay with that.

          There are few organizations willing and able to take a middle ground between advertising and user privacy, so Google's kind of in a unique position here. At the same time, this makes the whole thing unpopular with almost everyone. Few people are going to support the compromise, and more likely, the war over advertising continues - unless Google just implements the thing in Chrome. I think the odds are against it, but it seems like a worthy attempt?

          I'm also pretty much okay if it fails and targeted advertising goes away. I'll be fine; I can pay for subscriptions at places like Substack and contribute to sites like Tildes. Google will be fine too, I'm sure, running first-party ads. Fingerprinting will probably become widespread and ad tech will be as shady as ever, which people will get upset about but it probably won't do much real damage.

          It does bug me a bit that people are arguing against FLoC without even appreciating what it was supposed to do, though.

          2 votes
          1. [4]
            UniquelyGeneric
            Link Parent
            As someone who lives with the constant cognitive dissonance of working in adtech while also a privacy advocate, I know this is a tough pill to swallow. That being said, I'm going to assume...
            • Exemplary

            unless you buy into the premise that web advertising should exist and it's okay, good even, for it to be somewhat customized to users' interests

            As someone who lives with the constant cognitive dissonance of working in adtech while also a privacy advocate, I know this is a tough pill to swallow. That being said, I'm going to assume advertising is needed for the open web to survive, and this large comment is meant to address where I find issue with FLoC's adoption (rather than a personal disagreement with yourself).

            I suppose my complaint can be boiled down to two areas:

            1. Google is forcing its way through proper vetting processes for the presumptive adoption of FLoC as a standard, negating related industry initiatives
            2. FLoC introduces too many vectors for privacy exposure

            While Google announced their Privacy Sandbox in August 2019, details have been sparse up until they officially submitted FLoC to WICG less than a year ago (even here, in its debut to the world, most of the discussion is about the legal compliance of pushing a "standard" through a non-standard approving body).

            There's a clear time pressure to get FLoC railroaded through approvals because the death of 3rd party cookies is imminently arriving in early 2022 (ironic, given that Google is the one who set this timeframe in the first place). As an example, here's a GitHub issue where the lead on the FLoC initiative is moving forward with an invite-only trial without allowing publishers to opt-out (despite the potential for sensitive websites being included in the cohort clustering algorithm). The issue has been open for 10 months.

            It begs the question, which is a bigger priority: user privacy, or Google's business? Google's recent announcement to abandon alternative identifiers flies in the face of existing industry initiatives, such as:

            • Unified ID 2.0 submitted to Partnership for Responsible Addressable Media- which is an email-based ID gathered from user authentication on a publisher's website (which has a global opt-out along with user agreement to T&C's)
            • Transparency & Consent Framework 2.0 - which requires a user to view vendor-specific opt-ins and now explicit opt-in is required within Germany (and expected to be adopted across the EU). Google has ignored a related issue for 1.5 years.
            • World Federation of Advertisers' Proposal for Cross-Media Measurement Reach and Frequency - This proposes the use of assigned Virtual People IDs and email-based Secure Universal Measurement IDentity in a privacy-safe environment that leverages Differential Privacy techniques. Most curious about this proposal is that Google was one of the companies to submit this proposal. Is the left hand not talking to the right?

            Many good ideas come out of Google. HTTP/3 was based on a Google proposal, for example.

            Both HTTP/2 and HTTP/3 were preceded by Google adding SPDY and QUIC to Chrome before official standards were set. Eventually the IETF modified and adapted the Google protocols, and it can be argued that the process to do so takes too long. However, Google's prevalence as the largest browser shouldn't be a reason to make it the de facto arbiter of web standards. By surprising the industry through abandoning alternate identifiers in lieu of FLoC, it gives little time for businesses to react. They see their hands forced to adopt a protocol that still has yet to be fully defined, during a year they have already started investing into privacy-safe alternatives to 3rd party cookies.

            Regarding issues with FLoC itself, there are 39 open issues, many with no further discussion in over a year. I can count ~16 that have very direct privacy concerns, 6 of which have received no comment whatsoever from Google. This does not feel very collaborative or concerned with seeking industry approval.

            This issue in particular points out a major ethical concern:

            a evil dictator on a budget could use FLoC to

            • prioritize assignment of surveillance personnel to individuals
            • allocate public services preferentially to favored religious and language groups
            • encourage self-reeducation by members of marginal groups

            And this was posted just yesterday. It seems clear that the full implication of this initiative hasn't been fully thought through and yet it's being pushed as the only way for some businesses to run. I'm personally concerned about the ease of lookalike modelling when there is a mix of PII (due to previously referenced industry initiatives) and FLoC cohort IDs available in the same metadata.

            I'm also pretty much okay if it fails and targeted advertising goes away.

            This is my preferred state of affairs. Advertising may be a necessary evil, but targeting does not have to be. Advertising for decades prior relied on contextual relevance for ad placements (i.e. beer ads during sporting events, or cleaning products during soap operas), I don't see why we can't return to that world and avoid exposing a user's browsing history. Furthermore, if targeting must occur, why can't a user submit their interests to their browser to ensure relevant and useful ad placements without divulging more personal details?

            Browsers have the responsibility of interacting with the web on the behalf of their user. Safari and Firefox prevent fingerprinting by limiting and standardizing the details present in the User Agent String. However, Google's attempt at addressing browser fingerprinting with FLoC divulges more information than was present before (via a cohort ID / browser history) and its insistence that the industry abandon alternatives seems to only benefit Google, who has conspicuously not decided to prevent their own tracking in place of FLoC. In fact, they have yet to confirm that they would stop leveraging a user's Chrome login for tracking across the web.

            6 votes
            1. [3]
              skybrian
              Link Parent
              Interesting, it sounds like you have some specialist knowledge here. It might be a good idea to go back to basics on some of this and help us get us up to speed? I’m just going to talk about my...

              Interesting, it sounds like you have some specialist knowledge here. It might be a good idea to go back to basics on some of this and help us get us up to speed? I’m just going to talk about my ignorance a bit to give some context.

              I had never heard of Unified ID 2.0 before. It seems to be some adtech thing? When I search for it I see articles about it in adtech publications, but I don’t see any clear explanation of what it is. It’s 2.0 so I guess there was a 1.0, but I don’t know what that was either.

              The web page you linked to (at adexchanger.com, whoever they are) doesn’t explain what it is either. It seems to assume industry knowledge?

              I don’t know who “Partnership for Responsible Addressable Media” is either. They don’t have a Wikipedia page.

              Weirdly, there is a page on the Washington Post PR blog supporting this, but unlike articles in the actual newspaper, they don’t explain what it is so general readers can understand.

              There are people in r/adops talking about it as if they knew what it is, but I didn’t get a whole lot out of it.

              This seems less transparent than Google’s PR speak? At least they say what they want to do.

              4 votes
              1. [2]
                UniquelyGeneric
                Link Parent
                Yeah, sorry for the overload of domain-specific knowledge. Let me see if I can break things down a bit. Unified ID 2.0 is an initiative proposed by The Trade Desk, the largest independent...

                Yeah, sorry for the overload of domain-specific knowledge. Let me see if I can break things down a bit.

                Unified ID 2.0 is an initiative proposed by The Trade Desk, the largest independent demand-side platform (i.e. where advertisers go to buy ad inventory that's not Google's). It's based on the IAB's Project Rearc guiding principles (the IAB is about the closest thing to an official standards body in the adtech world) on how to transition off of 3rd party cookies and preserve privacy.

                UID 2.0 does this by taking email addresses (acquired via user authentication) and hashing them with rotating salts (which are distributed by a central & independent governing authority) to allow the UIDs to be distributed without exposing user's plaintext emails directly. This allows advertisers to connect an ad impression to a purchase online, for example, but requires all parties to have legally acquired the UID. A user maintains control over this interaction by having access to a global opt-out that would prevent their email from being convertible to a UID 2.0.

                UID 1.0 was an identifier that The Trade Desk created that leveraged a 3rd party cookie. By sending traffic to The Trade Desk's endpoint, it would return with the UID 1.0 it had associated with the user. This was a way to connect various adtech vendor's cookie IDs via a single common ID-space. It's arguably the type of tracking the industry has gotten flack for, and is now what adtech is moving away from.

                The "Partnership for Responsible Addressable Media" is a consortium of adtech that was spun up to address the industry challenge of moving off of 3rd party cookies (something that businesses have relied on for 20+ years). This is where UID 2.0 was initially vetted and workshopped. The Trade Desk has taken the output of this consortium and presented it to the IAB's Tech Lab, which is currently vetting governance processes and final spec details. The IAB (or a similar independent party) is expected to run the central infrastructure that maintains the UID 2.0 and it is expected to go through given the industry input and alignment that's already been achieved.

                Google basically went around the industry and has been pushing FLoC through a side channel of the W3C, where most of the industry is not a member (they are more likely to be a member of IAB). Most of adtech (which includes publishers, advertisers, and everyone in between) are only privy to Google's public statements regarding FLoC, and so they were blindsided by Google's recent announcement that says that they will not support UID 2.0 in their ad stack. This upset a lot of people, as many companies (such as WaPo, which you listed) have already invested time and resources into UID 2.0 and now have to completely reevaluate product roadmaps for the rest of the year (and time is running out on cookies, so there's a huge risk to their businesses).

                Now, there's still some outstanding issues with all this, namely:

                • UID 2.0 only works on authenticated traffic, which could incentivize publishers to require logins for all users to harvest emails as well as "consent"
                • Both the IAB and W3C require businesses to pay a membership fee that creates a barrier to entry for smaller companies and prevents much crossover between the groups
                • There has not been a prevailing standard for "anonymous" (i.e. unauthenticated) traffic. Some theorized a rise in contextual advertising. Google sees FLoC as the future. None of these options appear mature enough for full adoption before 2022, which may force Google to push out its self-imposed death of 3rd party cookies
                3 votes
        2. [2]
          Wes
          Link Parent
          I can't say I agree on many of those points, but I want to specifically address this line: AMP was moved to an open governance model in 2018. It dropped the tag "Google" because it was no longer a...

          I can't say I agree on many of those points, but I want to specifically address this line:

          they also stopped branding it as "Google AMP" to avoid giving the impression that it was a framework solely for Google's benefit

          AMP was moved to an open governance model in 2018. It dropped the tag "Google" because it was no longer a Google project.

          The power to make significant decisions in the AMP Project will move from a single Tech Lead to a Technical Steering Committee (TSC) which includes representatives from companies that have committed resources to building AMP, with the end goal of not having any company sit on more than a third of the seats.

          https://blog.amp.dev/2018/09/18/governance/

          In the past, I've written more about AMP here (expand the bottom-most comment).

          1 vote
          1. UniquelyGeneric
            Link Parent
            While it may have changed governance in name, I can speak from personal experience that getting changes incorporated into the AMP framework required reaching out to Google business contacts to get...

            While it may have changed governance in name, I can speak from personal experience that getting changes incorporated into the AMP framework required reaching out to Google business contacts to get Google engineers to commit my change. Otherwise it seemed I would have been ignored.

            2 votes
    2. [2]
      alex11
      Link Parent
      Is this an inevitable consequence of capitalism? Do this dirty, shady thing, or if you refuse we'll find someone who will?

      Is this an inevitable consequence of capitalism? Do this dirty, shady thing, or if you refuse we'll find someone who will?

      1 vote
      1. UniquelyGeneric
        Link Parent
        I believe the inevitable consequences of capitalism are consolidation of wealth into increasingly exploitative companies. In this case it's either let Google grow a monopoly to take advantage of...

        I believe the inevitable consequences of capitalism are consolidation of wealth into increasingly exploitative companies. In this case it's either let Google grow a monopoly to take advantage of their captive audience, or foster predatory practices in the remaining companies as they struggle to survive (read: humans trying to keep their jobs in a shrinking employment pool).

        1 vote