Millions of people are already part of a global experiment to eradicate cookies once and for all. Since last month, Google has been trialling new browser-based tech in Chrome that could upend the global advertising industry. Most people involved in the trial probably don’t even realize it—but as the project gathers pace, critical voices are raising the alarm.
This story originally appeared on WIRED UK.
Regulators in Germany, France, and Belgium are all scrutinizing Google’s proposals. At the same time, some of the world’s biggest websites have decided to skip Google’s trials entirely, with a number of companies developing ways for people to dodge the system.
The system, known as Federated Learning of Cohorts (FLoC), is part of Google’s bigger Privacy Sandbox plan that will bring about the end of third-party advertising cookies early in 2022. There are broadly three ways websites pick which ads to show you. You might see an ad for a pair of sneakers because you put them in a shopping basket last week; if you’re reading an article about cars, the ads may also be about cars; or the ads you see might be based on your interests. FLoC, like third-party cookies, deals with advertising based on what you like.
Currently, cookies let advertisers show you ads that are specific to you because they’re based on your individual browsing history. FLoC is designed to get rid of this individual targeting by widening the net. If you’re using FLoC, Chrome will gather your web history and compare it with the habits of others. You’ll then be lumped into a group, or cohort, with thousands of other people like you. Advertisers can then target entire groups of people rather than specific individuals.
It’s not just the scale of the change but also who’s behind it. Google, whose parent company Alphabet brought in record $55 billion revenue during the last three months, dominates the global advertising industry. Regulators are understandably skittish.
“The FLoC technology leads to several questions concerning the legal requirements of the GDPR,” says Johannes Caspar, the data protection commissioner for Hamburg, Germany. “Implementing users into the FLoCs could be seen as an act of processing personal data. And this requires freely given consent and clear and transparent information about these operations.” In short: Google needs to make sure people are actively choosing to use FLoC rather than having the system turned on by default in Chrome. Caspar adds that there are risks with how cohorts could “allow conclusions” to be made about people’s browsing behavior and how specific FLoC’s cohorts will be.
And it isn’t just German regulators who have concerns about FLoC. A spokesperson for the Commission nationale de l’informatique et des libertés, or CNIL, France’s data regulator, says it is being “particularly attentive” to tech that might replace cookies, as it may require access to information already stored on people’s devices. The CNIL is clear that such a system would require “specific, informed and unambiguous consent.” If Google fails to do so, it could prove costly. In December 2020, the French regulator fined Google $120 million for not obtaining people’s permission before using cookies.
Other regulators are more concerned about antitrust. In Belgium, officials are keen to understand how competitive future systems are, as well as how they comply with data protection laws. In the UK, the Competition and Markets Authority and data protection regulator, the Information Commissioner’s Office, have been investigating Google’s proposals since January. And the Irish Data Protection Commission, which has responsibility for a lot of major technology companies with European headquarters in Dublin, says it has been consulting with Google on the proposals.
Google is well aware of FLoC’s potential pitfalls. Case in point, the technology is yet to be trialled in the European Union. “EU privacy law sets high standards for user transparency and control, and that’s what we envision for FLoC,” says Marshall Vale, a Chrome product manager at Google. “We know that the input of data protection authorities is key to getting this right, which is why we have begun early stage conversations about the technology and our plans.” Google has previously said it plans to introduce tools that will let people opt out of being placed into FLoC cohorts.
While Google is working out if its changes will completely break the advertising industry, it has been facing a backlash from developers, publishers, and rivals. Even though the FLoC trials only involve a small percentage of people using Chrome, pretty much all websites that show ads have been auto-enrolled in the trials. The Guardian has stepped back from FLoC while it looks at the “commercial and privacy implications of the technology.” The publication says it may test the technology in the future but is trying “a range of other privacy-respecting identity solutions.” Other media organizations have been stronger in their approach. Investigative journalism website The Markup says it has opted out of FLoC so its readers won’t be “targeted with ads based on visiting our site.”
Google’s most privacy-focused rivals are also, perhaps unsurprisingly, against FLoC. Vivaldi, Brave, and DuckDuckGo have all pledged not to use the tech—with the creators of Vivaldi going as far to say that “Google’s new data harvesting venture is nasty.” Microsoft has disabled FLoC in its Edge browser—although has not made a long-term commitment as to whether it will use the tech. The company has also put forward its own proposals of how cookies should be reinvented.
The growing movement against FLoC has now started to spread beyond Google’s direct rivals and into the wider developer community. One contributor to the open-source publishing tool WordPress proposed the group disable FLoC by default. It seems unlikely WordPress will go down this route, but other software developers have been disabling FLoC. And this is all before Google has any firm data on whether FLoC is effective for advertisers.
Google has been developing FLoC and the rest of its Privacy Sandbox proposals in a relatively open way—through communities connected to the World Wide Web Consortium (W3C). This means there’s more scrutiny of Google’s proposals than if it developed them secretively and then released them to the world. Don Marti, the vice president of ecosystem innovation at ad management firm CafeMedia, points out that FLoC proposals have been available publicly since August 2019. “The big opportunity for Google to learn here is to go back to the issues that were raised early in the process and see how well they predict the mainstream,” he says. “This is a huge win from their decision to participate in the W3C process and share the project at an early stage.”
And there’s plenty of feedback that Google can act upon. A technical group at W3C recently called another part of Google’s cookie replacement proposals “harmful to the web in its current form” and said it “undermines” the structure of the web. The same technical group is now reviewing the impact of FLoC—at Google’s request. Vale says Google wants FLoC to be an “open source effort” and welcomes feedback from the web community and also data protection authorities. But the big question is this: How much will Google really change?
Perhaps the biggest threat to FLoC, as reiterated by ad tech engineer Aram Zucker-Scharff, is Google being Google. The company, which holds vast quantities of data on billions of people, is in a unique and powerful position.
It owns the world’s largest browser, biggest search engine, a huge advertising network, and can collect huge swathes of data. For many people, Google’s services are the internet. Nine of its apps are used by more than a billion people each. That’s an awful lot of data and an awful lot of power. Google’s historic abuse of people’s information has led many not to trust it—and that includes competitors and regulators, as well as consumers.
But ultimately Google can win by being Google. If FLoC is used in the real world, Marti adds, there may be perceived benefits for websites that use its technology. “If FLoC turns out to help your site move up in Google Search, the way that SEO articles claimed Google+ did,” he says, “or if it helps your site get prime placement in Google News, like AMP did, then it’s going to be hard to justify not using it.” Whether or not, after years of inaction, regulators agree, will be the true test not just of FLoC, but also the continued dominance of many major technology firms.
This story originally appeared on WIRED UK.