Google’s Federated Learning of Cohorts: why you need to give a FLoC

Third-party browser cookies are facing extinction, though not without pushback from some factions. Google plans to phase them out over the next couple of years. This has significant implications for entire industries, like global publishing and advertising, and at a more granular level, for many individuals online, as Google’s Chrome browser has a nearly 70 percent market share.

Google’s plan, back in mid-2021, was to replace third-party browser cookies with Federated Learning of Cohorts, or FloC. As of late January 2022, however, FloC is dead, and Google’s proposed replacement for it is Topics. Whether Topics will be viable long-term, or face the same future as FloC, remains to be seen.

To learn more, read our article on Google Topics.

The following article about FLoC from mid-2021 is for informational and archival references purposes only as of January 2022.

Google does have a replacement in the works in its Chrome browser, which relies on grouping people based on similar interests, rather than personal details. They’re calling it Federated Learning of Cohorts (FLoC), which is a bit of a mouthful. This technology will be packaged with other tools into the Privacy Sandbox, which was rolled out and was active in the Chrome browser by default. (More on that below.) Google claims it is 95% as effective as third-party cookies.

However, Google has updated its rollout and milestones for the Privacy Sandbox and associated technologies in order to “allow sufficient time for public discussion on the right solutions, continued engagement with regulators, and for publishers and the advertising industry to migrate their services.”  Currently Google plans to complete the project and phase out support for third-party cookies by late 2023.

Algorithms will generate the cohorts, and browser users will be put into a new one weekly. Advertisers will only have access to see the cohorts’ ID, rather than more identifying details. If cohorts are too small for effective anonymization and consistent interests, users get grouped together until there are at least a few thousand of them to achieve that. Advertisers can then analyze and target cohorts, rather than individual users and profiles of their interests and activities. 

Learn more: Google Chrome Privacy Sandbox: this is what website operators will have to adjust to now.

Cookies are fairly simple technology, bits of text and code stored on individuals’ desktops or phones by browsers. They’ve been around for a long time (in internet years). In addition to providing browsers and advertisers with a lot of information about you, your preferences, and your interests, they also contribute to users’ online experience. Have you been to this site before? Did you store preferences regarding how you want it to work for you? Where are you located to customize what you see and can access?

However, over time the degree of tracking that cookies provide has become increasingly invasive. Third-party cookies track you across multiple platforms and websites, essentially looking over your shoulder and recording your every move as you go about your day online. This data then gets sold, over and over.

Even more invasive, fingerprinting, a technique used by advertisers, can identify individuals by several means even if you’ve adjusted your settings to prevent tracking.

Governments and individuals are becoming increasingly intolerant of largely unchecked and nonconsensual use of these technologies, and tech companies are gradually acknowledging the issues and addressing them. Apple rolled out an update to its iOS operating system that blocks tracking on apps without explicit user consent, for example.

FLoC is part of Google’s efforts on this front. However, it has not been widely embraced. The Electronic Frontier Foundation (EFF) has criticized the technology, noting that while it will get rid of the risks and invasiveness of third-party cookies, it will create new risks, and potentially exacerbate other issues like predatory or discriminatory targeting. 

Fundamentally, the EFF and other groups argue that any targeting is invasive and discriminatory. And indeed, a number of browser providers – including Microsoft (Edge), Mozilla (Firefox), Brave and Vivaldi – are publicly against FLoC and any other “features” designed to collect or share users’ personal data without consent. These features have not been enabled or have  been actively blocked in those browsers.

FLoC still shares a lot of behavioral information from your browsing history with third parties (websites and advertisers), including information they wouldn’t have had access to just from third-party cookie use. Sites that already “know” who you are, like ones where you have an existing account, for example, end up with an even more detailed dataset about you, which is not at all anonymized. This information is then available to all third parties on those sites (like ad-tech companies), without your consent.

FLoC actually increases fingerprinting, rather than getting rid of it, which makes you even more trackable across different websites. Google’s argument is that this functionality helps build the “cohorts”.

Now, say you’re grouped into a cohort of vintage Porsche fans this week, or one of rare orchid growers next week. So what, right? That’s not particularly sensitive. But what if the cohort was about sexual orientation, or political affiliation? In some places that information could put personal safety at risk. 

Google claims that some categories of sensitive data will not be used to create cohorts, and that they are looking into ways of preventing other sensitive categories of information from being used. At this point, though, it’s a “take our word for it” scenario from a company that made over $55 billion last quarter, in good part thanks to our personal data.

Additionally, if there are data leaks that get traced back to specific sites (accurate or not), it won’t matter what measures the site provider or company has taken to secure users’ privacy. They will be branded as at fault and likely lose massive amounts of hard-won user trust, not to mention the expense of further security measures, fines, and other penalties.

Speaking of hard-won audiences, FLoC can also enable intentionally grown customer bases or user communities to become accessible outside of their “home” sites, enabling other companies and sites to engage in poaching efforts on these known, highly engaged and prequalified “cohorts”. In case you thought you were safe from competing with Amazon.

The Competition and Markets Authority and the Information Commissioner’s Office (data protection regulator) in the UK are reviewing the impact of the Privacy Sandbox on the advertising industry, as are regulators in Germany, France, and Belgium. Additionally, the European Commission has launched an anti-competitive investigation into FLoC and the deprecation of third-party cookies. More inquiry into these initiatives is likely.

As an individual user, if FLoC and the Privacy Sandbox are of concern, you can opt out in Chrome. From the Chrome browser menu, click Preferences, which will open the Settings. Click on Privacy and security, then click on Privacy Sandbox. The Privacy Sandbox tab will open, and you can move the slider by the Privacy Sandbox trials to the left to the off position to deactivate it.

It is unlikely that browser companies or the ad-tech industry are going to embrace a (re)turn to untargeted advertising. These changes, restrictions, and further education of the public will spur innovation in technologies to enable them to continue to thrive. And with Google’s updated roll-out plan, there will now be more time for discussion and investigation into these new technologies. What eventually gets rolled out will depend, at least in part, on our ongoing attention and consent.