Quick Links

Google's FLoC initiative has prompted a lot of discussion and no small measure of controversy. Here's what FLoC is, how it works and how it impacts the future of privacy on the web.

The Background on FLoC

Federated Learning of Cohorts (FLoC) is a Google proposal to group web users together into "cohorts." Each member of a cohort will have broadly similar interests, inferred from their browsing habits. This data will be exposed to marketers which will use it to personalise online ads.

It's important to understand the context in which FLoC is being introduced. Personalised advertising is currently driven by third-party cookies that let ad networks track you across websites. Browsers have been moving to eradicate third-party cookies in order to protect user privacy.

Chrome is no exception to the move away from cookies. It intends to make third-party tracking "obsolete" by the end of the year. The removal of third-party cookies means the end of personalised advertising as we know it. FLoC, presented to browser users as "Chrome Privacy Sandbox," fills the void.

How FLoC Works

FLoC aims to let advertisers serve personalised content in a world without third-party cookies. Users are said to benefit from increased privacy protection as all data will be assessed in aggregate.

Ad networks won't be able to track users individually anymore. You'll receive content based on the cohorts you've been added to. Google likens it to being hidden "in the crowd."

The data that defines your cohorts will be collected and stored by your browser. Chrome will build an advertising profile based on your browsing activity. Advertisers will be able to use an API to determine your cohort ID. Using your cohort ID, advertisers will be able to determine your interests and serve up relevant ads.

Cohorts will be managed by the FLoC service. Each cohort will represent a set of users with broadly similar browsing histories. Your local Chrome instance will compare your browsing history to the centralised model held on the FloC service. It'll use the model to determine the cohorts you're most similar to.

Code on websites will be able to ask the browser which cohort you belong to. The site can then report your cohort ID back to ad networks.

Let's say you're in cohort 100. If you visit a site selling gaming computers, the site's ad network could learn that a user from cohort 100 expressed an interest in gaming. You might later visit the online store of a smartphone retailer. This retailer also reports your visit to the ad network.

The ad network can't know you made both visits. All it knows from the FLoC reports is that users from cohort 100 have visited both computer and smartphone stores.

Google flowchart showing how FLoC works

Now let's consider what happens if another user visits a different website. The ad network serves ads on this site and needs to select an ad to show to the user. As the new user also happens to be in cohort 100, they're statistically likely to be interested in computers or smartphones, so a relevant ad is displayed.

The ad network cannot be certain the user's actually interested in the topics you previously explored. Their presence in the shared cohort suggests there is a degree of alignment with your earlier visits. FLoC is built on similarities and aggregate data, instead of the individual identification facilitated by third-party cookies.

FLoC Implementation

FLoC has been submitted to the W3C as a draft web standard. Google wants to see it accepted as the universal replacement for tracking cookies.

Each browser will be able to implement its own backend FLoC service. The backend is responsible for creating cohorts. It provides the model used by on-device browser instances to determine the most relevant cohort for the user. The process of determining the user's cohort is based on a mathematical algorithm which will be adjusted over time.

Website developers can determine your cohort ID using a single line of JavaScript: 

const {id, version} = await document.interestCohort();

id will be the ID of the cohort you've been placed into; version gives the active FLoC version. This will vary between browsers.

Chrome tries to include every website you visit in its cohort calculations. Individual websites can opt-out of FLoC by setting the Permissions-Policy: interest-cohort=() HTTP header. Several high-profile sites have already added this header, effectively protecting their users from FLoC. When the header is present, Chrome won't add your visit to your FLoC browsing history.

FLoC and Privacy

FLoC is placed between users and ad networks. Google is presenting it as a compromise solution which allows advertisers to continue operating post-third-party cookies, while offering users enhanced privacy protection.

The project's been widely criticised for moving tracking out of cookies and into the browser. Instead of each site adding a tracker, Chrome now monitors your activity and shares it back to ad networks.

Privacy organisations are concerned that FLoC could result in past browsing histories being "held against" users. The system breaks down contextual boundaries between types of browsing data.

There are particularly grave implications for the exposure of information to sites which already know who you are. When you login to a site, that service might have a comprehensive picture of your identity. It could then look at your cohort ID to learn additional information about you, based on your browsing history.

FLoC directly compromises user privacy in this scenario. It exposes aspects of your personal information to sites that could combine it with an existing profile. If enough users from the same cohort logged in, a site might be able to come to a conclusion about the personalities represented by the cohort, such as young males in higher education.

The inference from above would be will within the reach of sites like Facebook or LinkedIn. By tracking cohort IDs against logged-in sessions, a site could add its own data to see that most users in cohort 100 are young males in higher education. This is problematic for users who haven't shared their gender or education level. If they're in cohort 100, the site could begin filling in gaps in their profile next time they login.

Google's approach to mitigating privacy concerns relies on the exclusion of "sensitive" information from FLoC cohorts. Data such as race, sexuality, health and religion won't be used to compute your FLoC cohort. While this prevents sites from directly determining sensitive personal data, it won't stop them from accessing other details of your browsing history. It's also ineffective against sites that could utilise their own data to deconstruct FLoC cohorts, as seen above.

Beyond these direct privacy concerns, FLoC also has an accountability problem. The entire system will be opaque to users, publishers and regulators. You won't be able to see how FLoC is categorising your browsing history, or which sites are accessing it. This will make it harder for users to understand why their ads are personalised, or how a particular ad was selected.

As a consequence of these concerns, Chrome is currently the only browser which intends to implement FLoC. Safari, Firefox, Vivaldi, Brave and Microsoft Edge have all said they've no current plans to add the technology.

Conclusion

FLoC is a response to the cross-browser effort to phase out third-party cookies. Google positions FLoC as a safer alternative to cookies. The browser will track your activity, lump it together with similar users, and expose your interests to advertisers. Sites won't be able to directly identify you as a specific user, although concerns remain that committed parties might be able to fingerprint your device.

FLoC is already undergoing trials in countries including the U.S. It's not yet been rolled out in Europe due to doubts over its compliance with GDPR legislation. Current Chrome versions include support for FLoC but it's only enabled for a subset of users. You can prevent your data from being tracked by FLoC by disabling third-party cookies in Chrome.