Skip to main content

Google Chrome FLoC is replacing cookies — what it means for your privacy

Google Chrome on Android
(Image credit: Rafapress/Shutterstock)

Google has started the process of removing third-party-cookie support from its Chrome browser. By the end of 2021, the browser will no longer allow advertising networks to place tracking codes on your machine that can follow your visits to any site that uses that ad network. 

That’s good news, of course, but you’re probably asking, “Isn’t Google’s entire business model based around advertising?” and “Doesn’t Google own the world’s largest advertising network?” Well, yes, that’s absolutely correct!

And that’s why the end of third-party cookies does not signal the end of highly personalized internet-based advertising. 

Instead, Google is introducing a new targeted-advertising system called FLoC, or the Federated Learning of Cohorts. It’s a browser standard that will be integrated into Chrome over the coming months, and it aims to provide a more private way to keep tabs on your monetizable interests. 

How does FLoC work?

As a way to protect your online privacy, FLoC will not consider you as an individual. Instead, it will place you into a group, or cohort, with other people who have similar interests. 

This cohort-sorting will happen within the browser, and websites will simply be able to ask your browser which cohort you belong to. The theory is that marketers can make ads tailored to your cohort, but not to you specifically. 

The cohort you end up in — you can be in only one cohort at a time — will be decided by your activity online. It can be based on  specific URLs you visit as well as the actual content on those pages. 

For example, if you visit a lot of sites that feature cats, you will be added to a cohort for that. Have a keen interest in cars? There’s a cohort for that. You will be assigned a FLoC cohort ID based on which sites you visit, and your cohort assignment will be re-calculated on an ongoing basis, which may open up even deeper tracking potential. 

The FLoC system is private, Google says, because you’ll never be added to a cohort of less than a few thousand people. Cohorts aren’t named but represented by a string of data, so you’ll never be in a group called “iPhone owners who search for best Android phones”. If there are enough people looking for that, a cohort will be created and assigned an ID, such as FD5642. 

It’s then up to advertising companies to take that information and try and work out what people in a given cohort want. The fact that these cohorts are quite vague is part of the appeal, as it will be hard to reverse-engineer why certain individuals were placed within one. 

That means a site can’t simply record your IP address and a cohort tying that data to you. They will be able to make assumptions about cohorts, though, and for big ad companies this gives them something of an advantage. 

Should I be worried about FLoC tracking me?

You should be worried about all attempts to track you online. However, the current FLoC system makes it fairly straightforward to opt out of. 

One word of warning: this applies only during the “proof of concept” phase. If FLoC is adopted, there may be different rules for opting out. 

Google will use your Chrome login as the first requirement to include you. If you block third-party cookies, you won’t be included, nor will you be if you’ve disabled ad personalization in your Google Ad settings. You can read about the other ways to opt out on the GitHub project page

There’s another really important issue. What if you’re searching and reading up on a sensitive subject? 

Say you’ve been a victim of domestic violence, or you’re worried about a health condition. Could you be assigned to a cohort that potentially reveals that to an advertiser? 

It’s certainly possible, but Google will exclude certain topics from inclusion. It has a list of things that can’t have personalized ads run against them. 

The problem is that there is an algorithm in charge of managing this. While it might discard any pages that contain keywords, it may not be able to do this effectively for everything. 

There’s also some considerable concern that companies will use FLoC to "fingerprint" your browser

Browser fingerprinting is used to track individual web users when tracking cookies are blocked. The method creates a browser profile using data like your IP address and details that browsers provide web servers, such your browser type, monitor resolution, operating system and even devices attached to the computer, such as a game controller or specific audio hardware. 

Browser fingerprinting is not endorsed by Google, but is possible to fingerprint any web browser if a website or ad network wishes to use this information. However, even the best browser fingerprinting is imperfect. With billions of people online, there will be at least a few others who share your browser profile.

But then when you're placed into a FLoC with only a few thousand other people, that narrows the profiling scope considerably. Identifying you as an individual might actually be quite easy if you combine a browser fingerprint with a FLoC ID. This would give ad networks considerable power to keep an eye on you as you head around the web. 

The big question may be about how easy it is to undermine a cohort. Some questions on an online FloC discussion page covered the idea of bad actors using bots to game a cohort and make it seem large enough to offer its occupants a greater degree of anonymity. 

But what if a cohort contained only one legitimate user and 10,000 bots? That would be a very simple way to identify someone.

Will FLoC be adopted by other browsers?

Google hopes that the idea of FLoC will be taken up by other browser makers. It’s unlikely that Apple will accept it for Safari. Microsoft and Firefox will have to make their own decisions on its acceptability. 

It’s worth pointing out that of the main web browsers, Safari and Firefox already both block third-party cookies by default. Edge and Chrome (in its current version) do not. 

You can disable third-party cookies in Chrome, but Edge has been reported to be a bit unreliable in its blocking of these tracking cookies. 

  • More: The best VPNs right now to protect your privacy