Google is going it alone with its proposed advertising technology to replace third-party cookies. Every major browser that uses the open source Chromium project has declined to use it, and it’s unclear what that will mean for the future of advertising on the web.
A couple of weeks ago, Google announced it was beginning to test a new ad technology inside Google Chrome called the Federated Learning of Cohorts, or FLoC. It uses an algorithm to look at your browser history and place you in a group of people with similar browsing histories so that advertisers can target you. It’s more private than cookies, but it’s also complicated and has some potential privacy implications of its own if it’s not implemented right.
Google Chrome is built on an open source project, Chromium, and so FLoC was implemented as part of that project, which means other browsers could include it. I am not aware of any Chromium-based browser outside of Google’s own that will implement it and am very aware of many that will refuse.
One note I’ll drop here is that I am relieved that nobody else is implementing FLoC right away, because the way FLoC is constructed puts a very big responsibility on a browser maker. If implemented badly, FLoC could leak out sensitive information. It’s a complicated technology that does appear to keep you semi-anonymous, but there are enough details to hide dozens of devils.
Anyway, here’s Brave: “The worst aspect of FLoC is that it materially harms user privacy, under the guise of being privacy-friendly.” And here’s Vivaldi: “We will not support the FLoC API and plan to disable it, no matter how it is implemented. It does not protect privacy and it certainly is not beneficial to users, to unwittingly give away their privacy for the financial gain of Google.”
We’ve reached out to Opera for comment as well. DuckDuckGo isn’t a browser, but it’s already made a browser extension to block it. And the Electronic Frontier Foundation, which is very much against FLoC, has even made a website to let you know if you’re one of the few Chrome users who have been included in Google’s early tests.
But maybe the most important Chromium-based browser not made by Google is Microsoft Edge. It is a big test for Google’s proposed FLoC technology: if Microsoft isn’t going to support it, that would pretty much mean Chrome really will be going it alone with this technology.
In the grand tradition of Congressional tech hearings, I asked Microsoft a yes or no question: does it intend to implement FLoC in Edge? And in the same grand tradition, Microsoft answered:
We believe in a future where the web can provide people with privacy, transparency and control while also supporting responsible business models to create a vibrant, open and diverse ecosystem. Like Google, we support solutions that give users clear consent, and do not bypass consumer choice. That’s also why we do not support solutions that leverage non-consented user identity signals, such as fingerprinting. The industry is on a journey and there will be browser-based proposals that do not need individual user ids and ID-based proposals that are based on consent and first party relationships. We will continue to explore these approaches with the community. Recently, for example, we were pleased to introduce one possible approach, as described in our PARAKEET proposal. This proposal is not the final iteration but is an evolving document.
That is a LOT to unpack, but it sounds very much like a “no” to me. However, it’s a “no” with some important context. But before I get too deep into it, let’s talk about a couple of non-Chromium browsers — because one important piece of all of this is that Google’s FLoC technology is still a proposal. Google is saying it would like to make it a fundamental part of the web, not simply a new feature in its browser.
Here’s a statement that a Mozilla spokesperson provided to us on the plans for Firefox:
We are currently evaluating many of the privacy preserving advertising proposals, including those put forward by Google, but have no current plans to implement any of them at this time.
We don’t buy into the assumption that the industry needs billions of data points about people, that are collected and shared without their understanding, to serve relevant advertising. That is why we’ve implemented Enhanced Tracking Protection by default to block more than ten billion trackers a day, and continue to innovate on new ways to protect people who use Firefox.
Advertising and privacy can co-exist. And the advertising industry can operate differently than it has in past years. We look forward to playing a role in finding solutions that build a better web.
As for Apple’s Safari, I will admit I didn’t reach out for comment because at this point it’s not difficult to guess what the answer will be. Apple, after all, deserves some credit for changing everybody’s default views on privacy. However, the story here is actually much more interesting than you might guess at first. John Wilander is a WebKit engineer at Apple who works on Safari’s privacy-enhancing Intelligent Tracking Prevention features. He was asked on Twitter whether or not Safari would implement FLoC and here’s his reply:
We have not said we will implement and we have our tracking prevention policy. That’s it for the time being. Serious standards proposals deserve thinking and I appreciate Brave sharing theirs.
— John Wilander (@johnwilander) April 12, 2021
Wilander’s reply jibes with Microsoft’s statement that “the industry is on a journey” when it comes to balancing new advertising technologies and privacy. But it speaks to something really important: web standards people take their jobs seriously and are seriously committed to the web standards process that creates the open web.
I often make light of that process as being slow, contentious, and frustrating. It is all those things. But it’s also the last line of defense against the complete and total fracturing of the web into pages that are only compatible with specific web browsers. That isn’t the web at all.
And so what you’d expect to be a hard “no” from Apple (and what will almost surely be a hard “no” in the end) instead becomes a commitment to the web standards process and taking Google’s proposals seriously. Ditto from Microsoft.
All of this is happening because every major browser already blocks or will soon block third-party cookies, the default way of identifying you and tracking you across the web. And every major browser has committed to ensuring that you can’t be personally identifiable to third-party advertisers. Even Google’s own ad team has said as much.
The end of those cookies is called the Cookiepocalypse, and it’s apocalyptic because nobody really knows what advertisers will do once those tracking methods are raptured. And so right now, major browser vendors are proposing different, new solutions.
Apple, Google, and Microsoft all have ideas for how advertising on the web should work. We’ve discussed Google’s FLoC at length, but you might be surprised to hear that Apple isn’t just trying to stop all ads; it has privacy-enhancing ad proposals of its own. And that random reference to PARAKEET in Microsoft’s statement? Another ad proposal.
The problem here is that the Cookiepocalypse is already nigh. Many browsers are already blocking third-party cookies. Google Chrome is the big holdout on blocking third-party cookies, but it’s also the browser with the biggest market share.
Google has committed to cutting off third-party cookies in 2022, but it seems very unlikely that the web standards process will get to an answer by then. In fact, one of Google’s other proposals isn’t going to begin testing until late this year — far too late to be implemented by the ad industry if Google sticks to its original promise. Who knows what advertisers will do then?
The technology here is complicated, the process is slow, and the outcome is unclear. That’s par for the course for the web. Normally I’d tell you not to worry about it and just let the W3C run its course. But the stakes are very high: your privacy, vast pools of money, and the interoperable nature of the web itself could all go up in a puff of smoke if these browser makers don’t figure out a way to thread all these needles. Cookiepocalypse, indeed.