A Complete Guide To Google FLoC – What it Does and How it Works

Updated: 23 July 2021

Miklos Zoltan

Fact-checked by

In this guide we will discuss what Google FLoC is and how it could potentially improve (or affect) your privacy.

What is Google FLoC

FLoC is a new model from Google that aims to give consumers a more privacy-preserving form of interest-based advertising. Currently planned for rollout in 2023, it will deprecate the use of third-party cookies, which have been a privacy-invasive way of tracking users for many years.

Below you will learn about:

  • How did the Google FLoC model originate?
  • What is FLoC?
  • How does FLoC work?
  • How to select interest-based ads using FLoC?
  • How does FLoC ensure privacy over third-party cookies?
  • When does Google plan to roll out FLoC?
  • How can businesses prepare for this change?
  • What are the current concerns and challenges of FLoC?

FLoC is based on federated learning and has a distinct way of serving advertisements using information from both publishers and advertisers.

In contrast to third-party cookies, FLoC preserves consumers’ privacy mainly by hiding individuals within a crowd. If you are a publisher or an advertiser, there are many ways you can better prepare for this change.

Despite the private space it promises to offer, there is a severe backlash against this technology, which you should be aware of so that you can take precautions where necessary.

Google FLoC Guide

Rising Concerns Over Third-Party Cookies

For years, consumers have raised concerns about third-party cookies on websites because their data is overly exposed, leading to privacy violations.

Third-party cookies allow ad publishing and advertising companies to collect information about consumer browsing habits.

This information is used to create interest-based advertisements to attract consumers to their products and services.

However, the problem is that not only can the cookies track the sites you visited, but they also can expose sensitive data like personally identifiable information (PII) and credit card information.

Would blocking third-party cookies solve the problem? The technology giant Google has been trying to find answers to these nagging problems associated with third-party cookies.

As a result, in August 2019, Google announced its new initiative of building a more private web: The Privacy Sandbox, a set of open standards to enhance privacy.

The Creation of FLoC: The Privacy Sandbox

Google has identified that merely blocking third-party cookies does not improve consumer privacy.

Instead, it encourages other privacy-invasive tracking techniques like fingerprinting, over which users have no control.

In addition, blocking cookies will cut down publisher funding, which primarily comes through advertising.

Thus, Google’s Privacy Sandbox initiative aims to create a web ecosystem that respects users’ privacy in several aspects. To achieve this ultimate goal, Google suggests a set of proposals around three significant tracks.

  • Replacing Functionality Served by Cross-site Tracking
  • Turning Down Third-Party Cookies
  • Mitigating workarounds

What is FLoC?

FLoC is part of Google’s Privacy Sandbox initiative, which will make current third-party cookies obsolete.

In other words, it is a new way of tracking consumers with similar browsing habits for interest-based advertising. Through FLoC, advertising will be more relevant to people, but at the same time, it will keep individual user information hidden from the advertisers.

Moreover, that information will be stored only on consumers’ devices to ensure their privacy in every manner.

How does it work?

FLoC, or Federated Learning of Cohorts, clusters individuals with similar browsing patterns into large groups, or cohorts, and assigns unique cohort IDs.

Unlike third-party cookies, which reveal information about each individual, the FLoC model reveals only this cohort ID to third parties.

Hence, FLoC essentially hides the individuals in the cluster, preserving their privacy. In addition to that, it keeps users’ browsing history only on their devices, locally.

FLoC uses the machine learning approach of federated learning to develop the cohorts. This algorithm depends on the URLs of the visited websites, the content of those websites, and other data stored in the user’s web browser.

As you browse through the web, the browser updates your cohort. A cohort contains thousands of users, and the algorithm updates the cohorts weekly. Then websites can retrieve the ID of the cohort using an API and decide what advertisements they should show to the cohort.

For example, let’s take five users A, B, C, D, and E. The following shows two different Cohort assignments of these users based on their interests and the pages they visited. For interest-based advertisements, the second cohort assignment (3 and 4) is the most likely to be produced.

[Figure: Google FLoC]

Selecting Interest-based Ads Using FLoC

  1. Browsers use a FLoC service to get the mathematical model, consisting of many calculated “cohorts.” In this model, each cohort corresponds to many web browsers having similar recent browsing histories and contains a unique ID.
  2. Using that FLoC Model algorithm, your browser calculates your cohort.
  3. Let’s say you visited the site of an advertiser abc.com that sells kitchen appliances. Then that site requests the cohort ID from your browser.
  4. If you visited additional pages of the advertiser, like searching kitchen utensils, it would record those interests.
  5. Advertisers record these cohort activities periodically and share that information with the ad tech company that helps to deliver advertisements.
  6. In the same manner, let’s say you visited a publisher site that sells ad space; it will also request your cohort ID.
  7. Then the publisher site requests advertisements relevant to that cohort from the ad tech company.
  8. The ad tech company combines the data received from the advertiser company about the cohort’s interests and data from the publishing company.
  9. Next, the ad tech company chooses suitable ads according to the interests of the cohort.
  10. The publisher site then displays the selected advertisement relevant to the interests of the cohort.
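The ten steps above, modelled end to end as an added example (this is not Google's code or any ad tech vendor's API). The class names, cohort IDs, interest labels and ad names are constructed for illustration; the point is that only the cohort ID crosses each boundary, so a browser that never visited the advertiser still receives its cohort's ad.

```python
from collections import Counter, defaultdict

class Browser:
    """Holds history locally; exposes only the cohort ID (steps 1-2)."""
    def __init__(self, history, cohort_id):
        self._history = history      # never leaves the device
        self.cohort_id = cohort_id   # constructed here; the real model computes it

class Advertiser:
    """Advertiser site such as abc.com: logs interests per cohort (steps 3-5)."""
    def __init__(self):
        self.log = defaultdict(Counter)

    def page_view(self, browser, interest):
        self.log[browser.cohort_id][interest] += 1

    def report(self):
        return {cohort: dict(seen) for cohort, seen in self.log.items()}

class AdTech:
    """Ad tech company: joins advertiser reports with publisher requests."""
    def __init__(self, inventory, default_ad):
        self.inventory, self.default_ad = inventory, default_ad
        self.interests = defaultdict(Counter)

    def ingest(self, report):                        # step 5
        for cohort, seen in report.items():
            self.interests[cohort].update(seen)

    def select_ad(self, cohort_id):                  # steps 7-9
        ranked = sorted(self.interests[cohort_id].items(),
                        key=lambda kv: (-kv[1], kv[0]))
        for interest, _count in ranked:
            if interest in self.inventory:
                return self.inventory[interest]
        return self.default_ad

def run_flow():
    alice = Browser(["abc.com/blenders", "abc.com/utensils"], cohort_id=1354)
    bob = Browser(["recipes.example"], cohort_id=1354)   # never visited abc.com
    carol = Browser(["cars.example"], cohort_id=2077)
    shop = Advertiser()
    shop.page_view(alice, "kitchen-appliances")
    shop.page_view(alice, "kitchen-utensils")
    shop.page_view(alice, "kitchen-appliances")
    adtech = AdTech({"kitchen-appliances": "ad:blender-sale"}, "ad:generic")
    adtech.ingest(shop.report())
    # Steps 6-10: a publisher page asks for an ad for each visitor's cohort.
    return {name: adtech.select_ad(b.cohort_id)
            for name, b in (("alice", alice), ("bob", bob), ("carol", carol))}
```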

How Does FLoC Improve Consumer Privacy over Third-Party Cookies?

So, how exactly does FLoC ensure your privacy?

  1. FLoC considers that you are part of a larger group rather than an individual – When you are browsing through the web, FLoC automatically calculates which cohort you belong to, and it keeps changing based on your browsing habits. Publishers and advertisers can only identify this cohort, meaning that they cannot individually identify anyone in the cohort. So the advertising is targeted to the entire cohort, not specifically to you as an individual.
  2. FLoC keeps your browsing history private – Your web browser determines the cohort based on your browsing history, making you part of thousands of people with similar browsing habits. In contrast to third-party cookies, FLoC only shares the cohort IDs with third-party companies when requested. Furthermore, it works on your device and never shares your browsing history with anyone.
  3. FLoC does not generate cohorts with sensitive information – A cohort can consist of a set of users that continuously visit sensitive pages like medical, religious, and political websites. To avoid revealing such sensitive information about users, Google Chrome measures the sensitivity of cohorts and creates a block list of sensitive cohorts.
  4. Websites can be excluded from cohort calculation – If a website does not want users’ visits to its pages to be tracked, it can opt out of FLoC. It can accomplish this through the interest-cohort permissions policy, which comes as ‘allow’ by default.
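A site opts out (point 4) by sending the response header Permissions-Policy: interest-cohort=(). The following added example, which is not Chrome's or any project's own code, audits a response for that opt-out and distinguishes a full opt-out from an allowlist that still permits the feature. The function names and sample headers are constructed, and the parser covers the common comma-separated directive syntax only.

```python
FEATURE = "interest-cohort"

def parse_permissions_policy(header_value):
    """Parse a Permissions-Policy value into {feature: [allowlist tokens]}."""
    policy = {}
    for directive in header_value.split(","):
        name, sep, allowlist = directive.strip().partition("=")
        if not sep or not name:
            continue                      # malformed or empty directive
        allowlist = allowlist.strip()
        if allowlist.startswith("("):
            tokens = allowlist.strip("()").split()   # "()" yields no tokens
        else:
            tokens = [allowlist]          # bare item such as * or self
        policy[name.strip().lower()] = [t.strip('"') for t in tokens]
    return policy

def floc_status(headers):
    """Classify a response given as a list of (name, value) header pairs.

    'opted-out'     : interest-cohort=() is present, page excluded from cohorts
    'restricted'    : an allowlist is set, but it is not a full opt-out
    'default-allow' : no directive (or *), so the default 'allow' applies
    """
    values = [v for k, v in headers if k.lower() == "permissions-policy"]
    policy = parse_permissions_policy(",".join(values))
    if FEATURE not in policy:
        return "default-allow"
    allow = policy[FEATURE]
    if not allow:
        return "opted-out"
    return "default-allow" if "*" in allow else "restricted"

# Constructed sample responses.
SAMPLES = {
    "blog.example": [("Content-Type", "text/html")],
    "shop.example": [("Permissions-Policy", "interest-cohort=()")],
    "news.example": [("permissions-policy",
                      "geolocation=(self), interest-cohort=(self)")],
}

def audit(samples=SAMPLES):
    return {site: floc_status(h) for site, h in samples.items()}
```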

When Will FLoC Replace Third-Party Cookies?

As this is ultimately a new technology from Google, it is still in its development phase and has not fully come into effect at the time of this writing.

In March 2021, Google announced that they have started to roll out this new technology as a trial in Google Chrome to improve their model by incorporating feedback from the web community.

Recently, Google announced that they are delaying the rollout of FLoC until 2023 because of the criticism and the feedback they received from their tech partners.

Therefore, everyone, from consumers to marketers to publishers, is keeping an eye on this new technology and has started to assess its direct impact.

How to Prepare for FLoC?

According to Google’s initial trials, they have identified that FLoC performs nearly as well as third-party cookies. Any company that currently makes use of third-party cookies should be well-prepared before fully embracing this change.

Stay up-to-date with the progress of FLoC

Google continuously updates its progress in its Chromium and Chrome blogs, especially its rollout plan and testing strategy.

The results of those trials give you a clear picture of where the model currently stands and how much time you have before it gets fully implemented.

While Google is preparing for this change, other browsers will take a different user privacy approach. Therefore, keeping up-to-date as it moves and educating your clients about its potential impacts can help better prepare for this change.

Avoid third parties to maintain customer relationships

Do not rely on external parties to build relationships with your customers. Instead, maintain relationships directly with the customers with a first-party data strategy.

This direct relationship essentially helps you protect the trust between you and consumers. In addition, with the help of tactics like loyalty programs and offers, you can get closer and understand your consumers better.

Maintain clean first-party data

First-party data, or the data you get directly from customers, is a valuable source of information as you prepare for third-party data changes. You need to make sure it is well-cleaned and connected when moving away from third-party data.

Using Google’s global site tags

Conversion measurement tracks whether a user’s click on an ad leads to the purchase of that particular product.

Adding Google global site tags to pages of your website can provide better results for conversion measurements. It will help you manage future changes and allow you to easily integrate new functionality when it becomes available.

Current Criticisms and Challenges to FLoC

Publishers and advertisers rely heavily on third-party cookies for interest-based advertising. There are many criticisms of this initiative and doubts about whether it will be able to achieve its goal without impacting their businesses.

FLoC can still reveal individual information

In a recent article, The Verge points out that Google FLoC is not as private as Google claims it to be. Instead, it is likely to provide data for fingerprinting, which Google needs to fight.

They also highlight that FLoC is a straightforward way for sites to learn enough information about individuals, and it is no worse than third-party cookies.

The Electronic Frontier Foundation (EFF) has launched Am I FLoCed, which lets you find out whether you have become a test subject of this latest tracking model.

Also, in an article in March, the EFF criticizes FLoC, saying it is a terrible idea. They highlight that the number of cohorts can be very high, and a larger number of cohorts can reveal more about users’ interests, making fingerprinting significantly easier.

Cohorts contain a certain amount of entropy, which is enough to deduce a unique fingerprint from them.
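To make the entropy argument measurable, the following added example (not EFF or Google code) computes anonymity-set sizes and identifying bits for a constructed population, first without and then with the cohort ID. The population, its uniform and independent attributes, the 64 cohort IDs and the threshold k=50 are all assumptions chosen for illustration.

```python
import math
from collections import Counter

def build_population(n=4096):
    """Constructed browsers: 8 user agents x 4 time zones x 64 cohort IDs."""
    return [{"ua": i % 8, "tz": (i // 8) % 4, "cohort": (i // 32) % 64}
            for i in range(n)]

def anonymity_sets(population, attrs):
    """Group browsers by the chosen attributes; value = size of each crowd."""
    return Counter(tuple(b[a] for a in attrs) for b in population)

def summarize(population, attrs, k=50):
    """Report how well the chosen attributes hide a browser in a crowd."""
    sets = anonymity_sets(population, attrs)
    n = len(population)
    # Surprisal log2(n / crowd size) of each fingerprint, averaged over browsers.
    bits = sum(size * math.log2(n / size) for size in sets.values()) / n
    below_k = sum(size for size in sets.values() if size < k)
    return {"sets": len(sets), "smallest": min(sets.values()),
            "bits": round(bits, 2), "browsers_below_k": below_k}

def compare():
    pop = build_population()
    return {
        "cohort only": summarize(pop, ["cohort"]),
        "ua + tz": summarize(pop, ["ua", "tz"]),
        "ua + tz + cohort": summarize(pop, ["ua", "tz", "cohort"]),
    }
```

On its own the cohort ID leaves every browser in a crowd of 64, but joined with two ordinary attributes it shrinks every crowd to 2, which is why the cohort ID has to be assessed as part of the whole fingerprint surface rather than in isolation.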

Fingerprinting is possible

The second concern the EFF highlights is that there can still be ways to identify individual users in a cohort.

For example, information from a ‘log in with Google’ facility can be combined with the information sites get from the cohorts. Because of this ability, trackers may reverse engineer the FLoC algorithm and deduce the sites users visited.

Furthermore, the cohort you are in updates periodically, which makes it easy for sites to track changes in your browsing.

Blocking Google FLoC

The cloud giant Amazon is blocking Google FLoC for two reasons.

The first is to protect their intellectual property that consists of people’s buying habits that they do not want to reveal to other parties.

Secondly, Amazon aims to use its own unique ID for tracking and measuring product advertising through its services.

In addition, DuckDuckGo and GitHub have already blocked Google FLoC.

DuckDuckGo has developed a Chrome extension that blocks Google FLoC.

Moreover, WordPress also has expressed its concerns over the security of this model.

Summary

FLoC is the newest user tracking and advertising model introduced as part of Google’s Privacy Sandbox initiative.

Its central feature is its – claimed – ability to ensure user privacy while continuing to provide interest-based advertising. This guide explained in detail what FLoC is, including details on how it works and how it claims to improve consumers’ privacy.

In addition, as FLoC’s ultimate goal is replacing third-party cookies, this article discussed current concerns and criticisms around this model, which have further delayed its full implementation.

FAQ

How do I enable FLoC?

FLoC has not yet been fully developed and is still in the trial state. FLoC trials are now available as a third-party origin trial in Chrome versions 89 and 91. You need to register for a trial token, which you can obtain from the registration website.

Can I opt out of FLoC?

Before opting out, check whether you are a test subject of Google’s FLoC trial using the EFF’s website Am I FLoCed. It indicates to Chrome users whether the FLoC algorithm is running in their browser or not. If you are part of this trial, you can go to the browser’s settings, select ‘privacy and security’, and choose to disable privacy sandbox trials.

When will FLoC fully replace third-party cookies?

Google initially intended to release FLoC in 2022. But based on trials, feedback, and criticism from the web community, they have planned to roll out the change in 2023.

Do other browsers use FLoC?

Other browsers like Microsoft Edge, Safari, and Mozilla Firefox have said they still don’t have immediate plans to use FLoC. Mozilla Firefox has expressed concerns in a statement over the severe privacy loopholes it has.

Written by: Shanika W.

Shanika Wickramasinghe is a software engineer by profession. She works for WSO2, one of the leading open-source software companies in the world. One of the biggest projects she has worked on is building the WSO2 identity server which has helped her gain insight on security issues. She is keen to share her knowledge and considers writing as the best medium to do so. Cybersecurity is one of her favorite topics to write about.

Being a graduate in Information Technology, she has gained expertise in Cybersecurity, Python, and Web Development. She is passionate about everything she does, but apart from her busy schedule she always finds time to travel and enjoy nature.
