Disabling FLoC, Google’s new advertising technology

2021-05-04 Birds of a similar browsing history FLoC together

Google has started rolling out FLoC, currently to 0.5% of Chrome users, and some sites are already disabling it. In this post we’ll cover what FLoC is, who’s disabling it, why, and how to do so on a Django site.

What is FLoC?

FLoC stands for Federated Learning of Cohorts. It was developed by Google and at current only Chrome implements it.

FLoC uses a machine learning model in the browser to transform your browsing history into a fingerprint. That fingerprint places you in a bucket of “a few thousand users worldwide”. Advertisers can use this to determine your interests without knowing exactly who you are.

FLoC is an alternative to the many advertising providers tracking your browsing using third party cookies and building their own fingerprints. Browsers are gradually phasing out third party cookies, so advertisers are eager to have an alternative. Google has a key interest here, since they both make the most popular browser and sell the most ads.

This feature is being rolled out incrementally across Chrome users, without any notification or opt-in. At time of writing, 0.5% of Chrome users are “being FLoCed”, with a fingerprint available to registered sites calling the JavaScript API document.interestCohort(). If you use Chrome, you can use an Electronic Frontier Foundation (EFF) tool to check if you “have been FLoCed”.

For a complete guide on FLoC, see Scott Helme’s “What the FLoC?” article, the EFF’s coverage, and Google’s own write-up.

How to disable FLoC

Chrome doesn’t provide an option for users to disable FLoC without also disabling third party cookies, which will break many sites. But users can install DuckDuckGo’s privacy essentials extension to disable the FLoC, along with many other privacy-enhancing benefits.

If you operate a site, you can set it to opt-out from FloC. This does two things:

To opt-out, set the Permissions-Policy HTTP header on all responses with interest-cohort=(), for example:

Permissions-Policy: interest-cohort=()

If you already have an existing Permissions-Policy header, add interest-cohort=() to its list, for example:

Permissions-Policy: camera=(self), geolocation=(), interest-cohort=(), payment=()

Permissions-Policy is a draft security header for disabling browser features - see more in its specification.

Who is disabling FLoC?

Scott Helme’s aforementioned article reported that on 19 April, 86 out of the top 1 million domains had disabled interest-cohort in their Permissions-Policy header. That list included some big sites such The Guardian and IKEA.

The list is growing quickly. As of 3 May, his crawler reports 966 sites have now added the header.

Notably for developers, GitHub have added the header, for github.com and all github.io GitHub Pages sites.

Why disable FLoC?

Privacy is a complex topic, and at least in theory FLoC is a better model than every advertiser tracking everyone’s browsing with cookies. But we can see that many sites are disabling FLoC before it even “takes flight”. They are doing this for a few reasons.

First, to preserve the privacy of their visitors. As the EFF points out:

You should have a right to present different aspects of your identity in different contexts. If you visit a site for medical information, you might trust it with information about your health, but there’s no reason it needs to know what your politics are. Likewise, if you visit a retail website, it shouldn’t need to know whether you’ve recently read up on treatment for depression. FLoC erodes this separation of contexts, and instead presents the same behavioral summary to everyone you interact with.

For example, Guardian visitors might not want their (potential) political affiliation to be visible to their bank.

Second, to avoid concentrating too much power in Google’s hands. Whilst FLoC has been developed in the open, in the Web Incubator Community Group, but it is very much a Google-led effort. Google dominates both the web browser and advertising markets. Controlling “the” way of doing targeted adverts going forwards would only cement their position.

Third, it’s simply too rushed. Even if you’re not opposed to the concept of a privacy-preserving grouping fingerprint, FLoC is being pushed by one big player. 9to5google reports that no other browser is even considering FLoC, and Microsoft even has their own alternative proposal. Deploying such a momentous feature without consensus is a step away from an open web.

Disabling FLoC in Django

You can easily disable FLoC on your Django site by setting the header as above with django-permissions-policy. Follow its install instructions and ensure you have interest-cohort in your PERMISSIONS_POLICY setting:

PERMISSIONS_POLICY = {
    # ...
    "interest-cohort": [],
    # ...
}

You might also need to set the header in the config for your server or CDN which serves your static and media assets.

Fin

May you follow the flock only when it makes sense,

—Adam


Want better tests? Check out my book Speed Up Your Django Tests which teaches you to write faster, more accurate tests.


Subscribe via RSS, Twitter, or email:

One summary email a week, no spam, I pinky promise.

Related posts:

Tags: django, python