The current state with third-party cookie tracking is terrible. This is terrible in a different way. It gives Google even more control over the ad-tech industry. Rather than a diversity of ad-tech kings using third-party cookies to track people and invade privacy, this becomes the "One Ring to Rule Them All" that makes Google even more dominant in ad-tech, while allowing them to pretend that they care about privacy as a prophylactic to anti-trust action. It's nothing if not clever.
What about FLoC gives Google "even more control"? Isn't it something any ad-company can use? Maybe I don't understand how it works, but from what I've read, any website has the exact same access as Google does to the data.
Yes it is absolutely worse. The very notion that we need an identification profile that tracks our behavior is ridiculous. Contextual advertising works. If you visit a blog that covers tech hardware... advertisers can pay to put ads here for PC parts etc. If you visit a website that covers hiking trails... advertisers can buy ads here for camping gear etc.
It is utterly ridiculous to think we need to be tracked from site to site and profiled to this degree.
It would; unfortunately, advertising agencies have showcased to advertisers that they can hijack the focus of an average website visitor with rich graphics irrespective of the context, e.g. a toothpaste ad on a tech blog, and the toothpaste company doesn't care as long as they get a click (even if the conversion is abysmal).
The other side of the story is that the tech blog would find it very hard to get a proper referral link for the PC parts they're covering for contextual advertising unless they're of considerable size, whereas getting a banner ad to display whatever it wants is usually just a couple of clicks.
As a result, the whole Internet is full of rich graphics built by and built for these advertisers, making simple text-based readable websites an endangered species and further making the lives of those with accessibility needs miserable.
> For pages that haven't been excluded, a page visit will be included in the browser's FLoC calculation if document.interestCohort() is used on the page. During the current FLoC origin trial, a page will also be included in the calculation if Chrome detects that the page load ads or ads-related resources.
> if Chrome detects that the page load ads or ads-related resources.
Let me guess, “ads-related resources” are not defined, but in a court case in 5-10 years time it’ll be accidentally revealed that internally Google considers this to include “JavaScript, css, or HTML files”...
Excluding a page is a manual process however, requiring to set the header mentioned in the blog post. So website owners have to explicitly opt-out of FLoC.
Definitely worse, but also the next logical step given that an ad company has achieved relative browser dominance and has such weight to throw around in defining web standards.
Moves like this were inevitable. Writing's been on the wall a while now too.
I do not currently see it as worse and in fact I see it as better. If Google becomes the boundary behind which my information is shielded they are also the target for accountability. They generally seem a preferred option for this role relative to the others in the market (the little I know much about it). Further this seems a general good fit for their capabilities, business goals and role in society broadly, which is a position counter to the assertions the EFF appears to make. My position and argument is that Google should do what they are naturally doing and be held accountable for sensible privacy, etc by the law and watch that evolve. This seems both fair leverage of their market position and sensible use of it. Competition is freely able to develop their own niche, as is Brave and anyone else able to do. (For example why Mozilla hasn't developed VPN services, etc sooner is beyond me.) Hope this is constructive.
> "[..] use my visitors data for advertising and surveillance [..]"
..and to improve a search engine empire that is arguably the basis for the majority of their ad business and which is already a factual monopoly.
If you successfully avoided giving Google your visitor traffic data so far (by passively avoiding Google analytics, fonts, maps, etc.) then from now on you will have to take active steps to keep their fingers out of your cookie jar.
I run a website with no trackers, no ads, nothing at all to do with Google or any other company in any way.
You come along, with Google Chrome, and visit my site.
Google adds the fact that you visited my site to their massive dataset (as well as who-knows-what-else)
And to opt out of something I have never been asked to be involved with in any way, I need to contact Google and ask them to please leave my site alone?
Am I understanding this shit correctly?
Whether I like it or not, my site, by proxy, is participating in Google's data mining?
If my guess is correct, how the actual fuck is this not illegal?
Edit: Ok, I guess I'm off the mark here with my assumptions so I'll put my pitchfork down.
Google are just using your Chrome browsing data, matching it with site id's (or hashes?) and then analysing the shit out of it for their gain.
As a website owner, nothing has changed other than I can tell them not to use my site as part of their analysis... that sound about right?
> I run a website with no trackers, no ads, nothing at all to do with Google or any other company in any way.
Then your site will not be included in FLoC: "A page visit will be included in the browser's FLoC calculation if document.interestCohort() is used on the page. During the current FLoC origin trial, a page will also be included in the calculation if Chrome detects that the page load ads or ads-related resources." -- https://web.dev/floc/
(Disclosure: I work for Google, speaking only for myself)
That "During the current FLoC origin trial" bit scares me though. Why should I assume the scope of implicit inclusion in FLoC won't be expanded in the future?
I don't exactly trust this opt-out header. The spec makes it sound like it's not so much a request to the user agent not to use cohorts in general. Rather it's a security-in-depth measure to prevent third-party scripts or injected spyware from exploiting certain functions. So those functions are disabled for resources loaded from that domain. Chrome, meanwhile, can still do whatever it likes.
Thanks for the clarification. It appears I can't edit my original comment to add in a mea culpa!
No idea how I managed to get it so far off the mark there... :(
For anyone reading this, downvote my original comment up the top please to get it off the top as it's inaccurate: I know it's cool to bash Google on here but my original assumption was waaaaaay off.
I'm 100% against this whole FLoC thing but I really cannot understand this conclusion.
If I drive through a McDonald's drivethrough, and Android/iOS/Fitbit/Tesla/whomever records my journey via GPS, they know I ate a McDonald's but McDonald's the company has not directly "participated" in any tracking of any kind.
I don't think your website is participating really. There are a lot of posts describing this opt-out but none really say what you are opting out of.
It seems that the content of your website may be used to identify the user's interest.
It isn't illegal because the browser is allowed to do whatever you want with your website. This is really no different than an extension that can access your website content to recommend other pages you may be interested in.
In the same way it isn't clear to me why I would want to opt-out. I guess it is 1. Sending Google a signal and 2. Protecting users from themselves?
But if I want to protect users from themselves I'm probably better off showing a banner recommending Firefox. (And this also helps the open web at the same time)
> If my guess is correct, how the actual fuck is this not illegal?
Because Google has effectively embedded and interwoven itself so tightly into the fabric of the web, that simply having no association with them is impossible. Vint Cerf is their evangelist. The creator of The Internet is an evangelist for Google! Read more:
> Vinton G. Cerf is vice president and Chief Internet Evangelist for Google. He contributes to global policy development and continued spread of the Internet.
Seems similar to the Google Street View issue. They took pictures of public places, and you had to manually request to have your face or identifying info removed, if they were revealed.
The website is public in the same way as it can be accessed by any browser and isn't blocking search robots.
Why would you control what people use to visit your website? By leaving your website on the open web, you contribute to a bunch of other things, bots parse it left and right, rank it among other websites, archive.org makes snapshots, and not one of them had you opt in. How is this current case different?
The purpose of this permission is to prevent embedded third-party content from using FLoC. Besides that it’s a no-op.
FLoC does not track arbitrary websites, it tracks sites which retrieve the FLoC cohort via JS. So instead of dropping a unique third party cookie, and associating it with the data on the page, sites can now retrieve a k-anonymous cohort id and associate it with the data on the page. If you’re not doing that (or serving ads) there’s nothing you need to do.
That’s not to say that FLoC doesn’t deserve criticism just that most criticism I’ve encountered is not grounded in reality.
According to the W3C Federated Learning of Cohorts
Draft Community Group Report, 13 April 2021, Paragraphs 3 & 7.1.1:
"The interest cohort API lives under the Document interface since the access permission is tied to the document scope, and the API is only available if the document is in secure context."
and
"The page can opt itself out of the interest cohort computation through the "interest-cohort" policy-controlled feature. [PERMISSIONS-POLICY]" [1]
>During the current FLoC origin trial, a page will also be included in the calculation if Chrome detects that the page load ads or ads-related resources.
"During trial we had so much success with our auto-opt-in mechanism (and grew so fond of being omnipotent) we've decided to make it a permanent feature."
Only a little bit of time before the opting out process is made redundant by some API that will break somewhere or something that will be brought in as an RFC in chrome.
Chrome's & Android's entire existence is to ensure Google ads business survives. This until Google can find another business that produces the same returns or dies.
I wish there were more entities that would focus on developing tools for open web. Open web as we used to know is dying.
I think the state of affairs with the mobile world is the worst. I can't help but think that Android was the worst disaster that happened to software industry.
Android corrupted the ethos of FOSS, decimated all hopes for privacy, contributed to destroying the environment, stripped users of freedom of choice. I think it'll take a very special group of people to reverse the tide.
Can you elaborate on why you think Android is a disaster? Particularly the environmental aspect and freedom of choice.
If android didn't exist then iOS might be the only major mobile OS, so in that sense at least it seems to be good that Android exists. It would be much better if it wasn't widely used as a carrier for Google's ecosystem and spyware, of course.
Today I looked at the source code of Chrome where this is implemented, so I'd understand it better.
It made me realize that there are indeed (of course) software engineers (meaning: people) working on this who actually write that code. Does a high salary justify working on such features, or are modern day software engineers more like factory workers? I think not because most software engineers have a choice.
People around the world build machines that melt skin off of children in the Middle East for a quarter of that pay. Even in America. And they're proud of it too.
> People around the world build machines that melt skin off of children in the Middle East
There is a problem with that statement and I will try to highlight it by creating a couple more of the same:
- There are people working to build software to allow people to share child porn without getting caught (about Moxie and anyone working to bring e2e-encryption to the masses)
- There were people working in factories that created hammers that were used to crush people's skulls in Cambodia
There's two sides to every story. Reducing the amount of third-party tracking cookies on the web, and implementing a novel application of federated learning are definitely things some engineers would do, money aside, because they're technically challenging.
> I think not because most software engineers have a choice.
Most people care more about their own interests than the interests of society in general. Only when collectively devising laws would society take the interest of society over individuals.
Therefore, software engineers are fully justified in making software that is deemed unethical, but still take the stance that it is unethical. You might call it hypocrisy but I say it's practicality.
Legislation should be introduced to perform the function of ensuring ethical standards, not altruism on the part of the individual.
They’re allowed to take that stance, sure, but I’m allowed to judge them for it. Ignoring your own morals just to make a buck isn’t a good thing. Otherwise we should all just become drug dealers.
It is. If you’re not calling ‘document.interestCohort()’ or serving ads from an ad network on your page then FLoC does nothing. The purpose of this permission is to prevent embedded third-party content from using FLoC.
*If Google does not detect ads. Which can mean anything depending on how they stretch the definition. And Google has a bad history with this kind of thing, see unwarranted and unexplained account bans as well as automated "malicious website" flagging that's notoriously hard to get rid of because Google won't even tell the website owner what part of the site was detected as malicious.
Genuine question: any ads from any network? Not just googles? Because if so, I fully expect someone to mess up and have that detection mark sites with zero ads as having them, thus tracking their users. Detection is never 100%. Never ever.
Unless I’m misunderstanding, which is likely (and I hope I am)
Yeah that should be the default configuration shipped with Apache httpd. If Apache refuses to add the header, I'm sure it will be possible to convince many distros to add it.
No, we should absolutely not bloat every HTTP response just because Google wants to abuse its users. Not to mention that widespread use of this header will result in it being ignored entirely just like happened to DNT. The proper response is to a) convince people to stop using Chrome and other Google software and b) campaign for legislation and antitrust enforcement and c) remove Google ads, analytics and any other Google scripts from your websites.
Maybe it's time for developers to help with the fight back. Break things in Chrome, and encourage people to use Firefox. The amount of time I've been told to use Chrome is ridiculous. I regret being part of the crowd who jumped on the Chrome bandwagon when it came out all those years ago.
Having to explicitly opt out regardless of what you do is terrible. So now you're telling me that I have to consciously disable it every time I create a new website/page? How do we force Google to stop this?
Sadly most users don't even know that they are using Chrome or Firefox or that these have a version number. So breaking up things for them won't help, they won't make the switch...
It has to be a regulatory decision imposed on Google, much like when Microsoft was forced to do something about Internet Explorer a long time ago.
That said, according to that StackOverflow page, the error only appears in DevTools. That's not as bad as it sounded at first. I was worried it would be an IE-style alert on page load, for example, or a visible bar across the top of the page. It's not, it's just spam in the DevTools console.
That's correct. I posted that answer on StackOverflow, and as far as I can tell from testing so far, it is just a warning in the DevTools console as noted on the StackOverflow answer, and there shouldn't be any other negative impact :)
Isn't this the sort of thing .well-known is for? Presumably Google are doing it this way because less people can create headers than can make a text file.
Does anyone else see FLoC as worse than the current state we're in?
https://www.scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf
Tell them it's time for the government to step in and remove Google's ability to run a browser.
Google cannot be allowed to continue running Chrome. They've abused this position time and time again to the detriment of us all.
How is "not using Chrome" not passive?
how does it make this decision?
Because Google has effectively embedded and interwoven itself so tightly into the fabric of the web, that simply having no association with them is impossible. Vint Cerf is their evangelist. The creator of The Internet is an evangelist for Google! Read more:
https://research.google/people/author32412/
> Vinton G. Cerf is vice president and Chief Internet Evangelist for Google. He contributes to global policy development and continued spread of the Internet.
"Just"? Google should have absolutely no access to your non-Google browsing history whatsoever.
That alone is pitchfork-worthy.
"The interest cohort API lives under the Document interface since the access permission is tied to the document scope, and the API is only available if the document is in secure context."
and
"The page can opt itself out of the interest cohort computation through the "interest-cohort" policy-controlled feature. [PERMISSIONS-POLICY]" [1]
[1] https://wicg.github.io/floc/
Edit for para reference.
> By default, a page is eligible for the interest cohort computation if the interestCohort() API is used in the page.
I'm certainly not defending FLoC, I've been using Firefox for 20 years. But creative editing isn't called for.
>During the current FLoC origin trial, a page will also be included in the calculation if Chrome detects that the page load ads or ads-related resources.
Who's to say how this evolves in the future?
Been thinking about this a lot afterwards.
Time to look outside of tech bubble perhaps?
There is a problem with that statement and I will try to highlight it by creating a couple more of the same:
- There are people working to build software to allow people to share child porn without getting caught (about Moxie and anyone working to bring e2e-encryption to the masses)
- There were people working in factories that created hammers that were used to crush people's skulls in Cambodia
See where I am going?
Also link to that source code mentioned: https://source.chromium.org/chromium/chromium/src/+/master:c...
Why would anyone care about that, as opposed to, you know, reducing the amount of tracking?
I'm sick of having to add yet another config option every time some Web giant decides it is OK to abuse my website and my visitors.
Who would opt in if it was?
What benefit would there be to opting in?
Unless Google make it a benefit in search rankings in which case some (possibly many) will for SEO purposes, but still not enough I'd wager (and the balance would be such that lower quality sites, that prioritise SEO over actually useful content, would be the majority of those that went for it).
This feels a bit like way-back-when, when BT and a couple of other UK ISPs toyed with a system that would insert ads into web content, sometimes replacing existing ads, simultaneously bothering their users (to make money out of them on top of existing subscription payments), screwing site runners (being associated with ads they had no control or even knowledgeless knowledge of, and potentially losing ad revenue), and screwing other advert providers.
I imagine google analytics scripts would find a way to opt people in.
`permissions-policy: interest-cohort=()`
It's only deployed on a test set of Chrome browsers so far, and it does create a warning message on browsers that don't support it. [1]
[1] https://stackoverflow.com/questions/66997942/error-with-perm...
Edit to note support for blocking this!
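An added example, not part of the thread or of any project mentioned in it: a small Node.js check that reads a response's `Permissions-Policy` header and reports whether `interest-cohort` carries the empty allowlist shown in the comment above. The function names, status labels and sample headers are constructed for illustration, and the parser handles only the `feature=*`, `feature=self` and `feature=(...)` forms.

```javascript
// Added example: audit response headers for the FLoC opt-out
// `Permissions-Policy: interest-cohort=()`. All names and samples are illustrative.

// Split a header value on top-level commas, ignoring commas inside (...) or "...".
function splitTopLevel(value) {
  const parts = [];
  let depth = 0, inQuote = false, current = "";
  for (const ch of value) {
    if (ch === '"') inQuote = !inQuote;
    else if (!inQuote && ch === "(") depth++;
    else if (!inQuote && ch === ")") depth = Math.max(0, depth - 1);
    if (ch === "," && depth === 0 && !inQuote) {
      parts.push(current);
      current = "";
    } else {
      current += ch;
    }
  }
  parts.push(current);
  return parts.map((p) => p.trim()).filter(Boolean);
}

// Turn "()", "(self \"https://a.example\")", "self" or "*" into a list of entries.
function parseAllowlist(raw) {
  const text = raw.trim();
  let inner;
  if (text.startsWith("(")) {
    const close = text.indexOf(")");
    inner = text.slice(1, close === -1 ? text.length : close);
  } else {
    inner = text.split(";")[0]; // drop any parameters on a bare item
  }
  return inner.split(/\s+/).filter(Boolean).map((e) => e.replace(/^"|"$/g, ""));
}

// Accepts one header value or an array of values (repeated header lines).
// A later member with the same feature name replaces an earlier one,
// as in a Structured Fields dictionary.
function parsePermissionsPolicy(headerValues) {
  const joined = [].concat(headerValues).join(", ");
  const policy = new Map();
  for (const member of splitTopLevel(joined)) {
    const eq = member.indexOf("=");
    if (eq === -1) continue; // bare keys carry no allowlist
    const feature = member.slice(0, eq).trim().toLowerCase();
    policy.set(feature, parseAllowlist(member.slice(eq + 1)));
  }
  return policy;
}

// "opted-out"   : interest-cohort=()  (empty allowlist, disabled for every origin)
// "restricted"  : allowlist names specific origins or self
// "allowed-all" : interest-cohort=*
// "not-set"     : no directive, so the browser's default behaviour applies
function interestCohortStatus(headers) {
  const name = Object.keys(headers).find(
    (k) => k.toLowerCase() === "permissions-policy"
  );
  if (!name) return "not-set";
  const policy = parsePermissionsPolicy(headers[name]);
  if (!policy.has("interest-cohort")) return "not-set";
  const allow = policy.get("interest-cohort");
  if (allow.length === 0) return "opted-out";
  return allow.includes("*") ? "allowed-all" : "restricted";
}

// Constructed sample responses.
const samples = {
  "opt-out only": { "permissions-policy": "interest-cohort=()" },
  "mixed policy": {
    "Permissions-Policy":
      'geolocation=(self "https://maps.example"), interest-cohort=()',
  },
  "self only": { "Permissions-Policy": "interest-cohort=(self)" },
  "other feature": { "Permissions-Policy": "camera=()" },
  "no header": { "Content-Type": "text/html" },
  "overridden": { "Permissions-Policy": ["interest-cohort=()", "interest-cohort=*"] },
};

for (const [label, headers] of Object.entries(samples)) {
  console.log(label.padEnd(14), interestCohortStatus(headers));
}
```

The "overridden" sample shows why checking only for the presence of the string `interest-cohort=()` is not enough when more than one layer (application, proxy, CDN) can add the header.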