1. 71
  2. 23

    This feels like a classic “don’t piss on my leg and tell me it’s raining” situation.

    What I don’t understand is why Google thinks that any other browser vendors would agree to implement this. The only reason they want to do it is that they’re an advertising company that happens to also produce a browser in order to sell more ads. No other browser vendor has this perverse incentive structure. (except kinda Brave, I guess)

    Are they just so used to their position of dominance that they assume everyone will do their bidding regardless of whether it’s a good idea or not?

    1. 11

      They don’t need to. 85-90% of people use Chrome. They can implement it, force it through, and then blame non-standards-conforming browsers when people’s sites have problems.

      1. 9

        when people’s sites have problems

        What are the problems though? The ads aren’t … targeted enough? Isn’t that a good thing?

        1. 3

          Sites will just block you if your browser doesn’t send the right reply, like they do now if you don’t press the button to allow cookies or ads or whatever.

          1. 2

            Now most sites work if I block ads, tracking scripts or whole third-party js services (i.e. ubiquitous “chat with sales”). Blocking these is more invasive than not supporting some tracking mechanism. Only the most perverted websites are actively trying to ban me from adblocking/script blocking, and such sites are quite rare (mostly in the “gadget news” and “gaming news” categories).

          2. 2

            I can imagine FLoC being used as an additional signal for services like reCAPTCHA. People whose browsers don’t provide these fingerprints could get locked out or antagonized by spam prevention systems, similar to people who use anti-tracking addons today.

      2. 7

        Hmm, so federated learning was exciting to me because it allowed learning to happen in a more de-centralized fashion.

        But it looks like FLoC specifically is just changing how data gets aggregated / bucketed without necessarily solving the problem that people actually worry about: i.e. my behavior on the internet is being broadcast to others in a way that I can’t really control (i.e. as the author writes, no ability to convey different parts of my profile, etc. it’s everything).

        So it solves the “problem of cookies” without actually solving the real problem behind cookie based tracking that was problematic.

        Skimming through their whitepaper here: https://github.com/google/ads-privacy/blob/master/proposals/FLoC/FLOC-Whitepaper-Google.pdf

        and also this github repo: https://github.com/WICG/floc

        it seems as though users can opt out of this? i.e. not all browsers have to send this data, and a user can control what ID the browser sends (the real one, a random one, etc.) Or did I miss something that says browsers are required to do this (will Google services for example not work on Firefox now if they don’t partake?)

        1. 4

          Uhm, I have one big and one other point here.

          1. It solves one problem of cookies, namely that cookies send a lot of information to companies that they don’t particularly want. They want to serve advertising for things to mostly people who might buy that, they don’t want to know your age or whether you like anime. Knowing your age is just helpful for computing the thing they want. If they can serve ads such that 30% of the ads go to the target group and only 70% are wasted, fine! No GDPR issues, and the waste isn’t too bad.

          2. It’s not obvious to me whether it solves the other big problem, namely that it publishes a lot of information from users and users don’t like that. It does publish part of the information, but very approximate and with plausible deniability. Maybe that’s good enough for most people, maybe it isn’t. I personally dislike the creepy ads, as I suppose most people do, but if FLoC serves fuzzy half-wrong information and I get some specific ads and as many misses, will it seem creepy in the same way, or will the misses make it look like the billboards? I won’t bet, either way. People don’t complain that billboards differ in different parts of town, so… I’ve no idea really.

          (AIUI, FLoC will say “this browser is part of a group that’s 80% female and 80% 30-50”, which is fuzzy, but accurate enough to really matter for advertiser budgets, and inaccurate enough to eliminate GDPR issues etc.)

          1. 2

            That’s a worthwhile distinction, and I agree. When I said “problem of cookies”, I meant that the general public thinks cookies are bad (at least in my circles…), and with this Google can say they’ve moved away from relying on them (without solving the real underlying privacy issues).

            1. 2

              A lot of people think cookies are bad, but how did that happen? What made people think that, what’s the deeper issue?

              I suspect that the key issue is the creepy ads many of us have seen sometimes, when you’d be followed around the web by ads for one thing. Sites setting eleventy third-party cookies were blamed for it (IMO rightly) and cookies got a bad name. If FLoC doesn’t let targeters set a screenful of UUIDs, if it doesn’t enable that creepy targeting, then it won’t build a negative public reaction.

              It sounds as if you think the key issue is browsers revealing anything private, and by private you mean any information of any kind that can be used for targeting ads, at all, right?

              1. 2

                Haha, the creepy ads certainly did not help! Just a few weeks ago my partner’s mother was on the phone with me because she gave a gift to her neighbor (vintage clothing she purchased in cash at a local auction house) and suddenly she started getting Facebook ads for very similar things – she was worried they were listening to her, etc.

                (AIUI, FLoC will say “this browser is part of a group that’s 80% female and 80% 30-50”, which is fuzzy, but accurate enough to really matter for advertiser budgets, and inaccurate enough to eliminate GDPR issues etc.)

                This is also my understanding, but I think depending on how the cohorting process works, what type of cohort you fall in, and the relative size of that bucket, it might still be enough in certain cases for someone to know too much about a user. To be fair I am still reading the whitepaper and trying to understand this, so I can’t judge fully yet.

                It sounds as if you think the key issue is browsers revealing anything private

                Personally, yes

                by private you mean any information of any kind that can be used for targeting ads, at all, right?

                Hmm, I would say it’s more about me being in control of who gets to see what information I generate. The article covered it nicely (“separation of contexts”), but I want to be able to decide what someone sees (in the same way I can control that in real life). As I understand it, I would not be able to hide certain parts of my browsing behavior from a website, for example.

                To be honest, I have no problem with ads, but it seems like advertisers feel they need to “guess” what someone wants and build all these convoluted systems that have far broader societal implications than just innocuously serving ads. I would much rather just have a flag in my browser that says “I’m interested in x, y, z at the moment, please show me ads for that while I surf” and I’d have no issue, especially because it puts me back in control. Feels like a pipe dream at this point.

                1. 2

                  This is also my understanding, but I think depending on how the cohorting process works, what type of cohort you fall in, and the relative size of that bucket, it might still be enough in certain cases for someone to know too much about a user. To be fair I am still reading the whitepaper and trying to understand this, so I can’t judge fully yet.

                  From my reading of the whitepaper, it looks like in most cases, you only have to leak a few bits of the cohort ID in order to judge whether the cohort is large enough or not to make a decision, so you should be limited to how much info you leak. That said, this opens the question about who decides whether a cohort is large enough or not. If a malicious actor wanted to hoover up as much information as possible, they could just return “valid cohort ID” to every cohort sent, and trick the browser into sending small cohorts, thereby deanonymizing a user.

                  As I understand it, I would not be able to hide certain parts of my browsing behavior from a website, for example.

                  From my reading, it seems like you have no control over what you send if you decide to send info at all. You can opt for a random (generated regularly, since this becomes a fingerprint elsewise) cohort ID, which leaks no relevant information, or your browser calculates cohorts based on the algorithm chosen. Other than trying to avoid “sensitive contexts” (as linked in the paper), the system seems all-or-nothing to me.

        2. 5

          The problem is that most sites are relying on ad revenue. If this does not change, the situation will not change. Web ads are only worth as much because they are personalized.

          I think there needs to be a service/interface which transmits a small amount of money to the website owner per visit. The amount should roughly be what the ad company pays the website owner nowadays. No sign ups per website. Currently if I want to watch one video on YouTube ad-free or read an article behind a paywall I need a full subscription. This would make the web user oriented instead of ad oriented. The problem here is that so many users (including me) are so used to the fact that most of the content on the internet is free.

          1. 12

            This would make the web user oriented instead of ad oriented.

            Well, it would make the web wealthy-user oriented, anyway. Ad-supported models have the (in my opinion) highly desirable characteristic of not restricting access to information based on the viewer’s income level because ad revenue is aggregated across the entire user base.

            Discussions about moving toward an ad-free micropayments model, from what I’ve seen, generally assume that everyone has enough disposable income to replace their share of the ad money, but the Internet is global. A resource that is priced at a level such that a German user pays for it without a second thought may be prohibitively expensive to someone in rural Kenya trying to use the web on their cheap Android phone to educate themselves out of subsistence farming.

            1. 2

              Thanks for your response. I might want to add two thoughts:

              1. The same pricing mechanism also applies to ads (especially targeted ads). Companies pay according to the possible revenue of a future customer. Also like other online services there could be different prices, depending on your country (e.g. Netflix). Sadly this is not compatible with an anonymous service.
              2. This proposal would not be mandatory, but an alternative way to browse websites.

              1. 1

                /save

              2. 7

                It somehow worked in the 2000s, when ads were linked to page content, not to a dossier on the user.

                I doubt if current targeting technology works at all, I always see ads completely unrelated to my interests and needs.

                1. 1

                  Content targeted ads aren’t possible to do when the user visits e.g. facebook.com or some similar aggregator; it’s not possible to know what content is shown at a particular URL. So the site owner is the only one who can match ads to content, but then they need to know more about the user by tracking them on other sites.

                  Content/URL targeted ads require that URL contents don’t change, basically, and that the content is accessible to the ad companies’ classifiers and scanners. This doesn’t work well with timeline based sites.

                  1. 1

                    The 2000s was a very wealth-based web. Many poorer households even in developed countries didn’t have computers at home, and having broadband was hit-or-miss. Developing countries only really embraced the internet en masse after mobile phones became cheap and ubiquitous.

                  2. 4

                    The received wisdom is that sites make all their money from advertising but I’d be interested to see numbers on what that looks like today.

                    Sites (YouTube included, as you mentioned) are increasingly pushing subscription models and I suspect it is because ad revenue is actually not brilliant - unless you’re Google or Facebook, because you are providing the ads and you’ve virtually cornered the market between you.

                    Certainly when I worked for a major newspaper, management were in the process of realising that online ads would not bring in the profits they wanted and could not replace subscription revenue.

                    All that said, even if I’m right, not everyone will be easily convinced. There are sunk costs, advertisers who rely on the market, and no clear alternative business model for the web at the moment.

                    Something like what you suggest might be the most palatable option.

                    1. 4

                      I wish it were so but check the annual reports that Alphabet, Facebook, etc. file with the SEC. Ads account for an overwhelming proportion of their revenue.

                      There are good reasons for them to offer subscriptions as well. Maybe it’s a hedge against the ad bubble bursting, maybe it serves a particularly desirable group of consumers, maybe investors like it, or maybe it keeps the regulators away. I don’t know.

                      1. 3

                        Alphabet and Facebook are precisely the companies that @owent predicted would be making money from ads. They’re talking about everyone else: news sites, blogs, forums, etc. Are they getting much money from ads? Could they do better with subscriptions or another revenue model?

                        Personally, most of the sites I use are either paid for by their owners out of charity, vanity or self-interest or they are supported by subscriptions, or product sales. Exceptions include reddit (which is mostly a time-vampire anyway), youtube, stackoverflow (whose ads don’t seem that obnoxious), and search engines.

                  3. 2

                    Gemini to the rescue. I’m spending more and more time these days in gemini and it certainly feels like the good old days.

                    1. 2

                      And what’s the alternative to some sort of federated solution which uses pools of users? Fingerprinting is worse!

                      1. 9

                        The point is that your question is flawed to begin with. Why do we assume users’ behaviour being tracked and monetized is the de facto way to run the Internet?

                        Instead of “improving” this twisted Big Brother, why don’t we try to step back and find alternatives not relying on users being sold?

                        I don’t think we have found anything perfect yet but that doesn’t mean we should give in and give up all our rights like that. At least I’d like to be given the choice.

                        1. 1

                          I am all for building infrastructure to pay for content, but there will always be demand for products that are subsidized by advertising. What this think piece lacks is productive suggestions on improving privacy even further or specific benchmarks outlining what they would be comfortable with. It’s just an anti-tracking rant with a click bait title.

                          I agree that simply serving interest identifiers based on group browsing history isn’t good enough, but FLoC is a necessary intermediate step that proves you can achieve 95% revenue parity with 3rd party cookies while maintaining k-anonymity in the thousands. One could improve on the results further by sending multiple ads but letting the browser determine which one is shown based on browsing history. Or introducing browser permissions to block access entirely, allowing news sites to put up an advertising paywall of sorts. And that’s without using any complex zero-knowledge, trusted intermediary, or P2P schemes.

                          Shitting on Google takes very little effort and it ignores the very real danger of sticking with the status quo. As advertising revenue dries up, advertising companies will throw (more) money at fingerprinting. And fingerprinting is waaaay scarier than third party cookies, seriously go try the EFF’s fingerprinting scanner. I’m 100% unique, despite having plenty of anti-tracking tech enabled.

                      2. 2

                        Are cookies the problem or IP tracking? It happens to me all the time that I search for something on my laptop and for days afterwards on the iPad where I’m not logged into an account I get ads for that thing.