Third-party cookies are dead, Long live FLoC (or burn it with fire)
17, April 2021

Ah, cookies. What a delicious way to track people online, and even better when they are served by a third party. But how do they work, and why does everyone want them dead?

Lets say,

  • You visit Site A.
  • Site A embeds a tracking script from Google Analytics.
  • When the page loads, your browser requests that script from Google's domain, and the response sets a cookie in your browser. Because it came from a domain other than the one you are visiting, this is a third-party cookie.
  • The cookie carries a unique ID, and Google's server records that this ID was seen on Site A.
  • A few moments later you visit Site B. Site B also uses Google Analytics, so the same request goes out to Google's domain, and your browser attaches the cookie it already has.
  • Google Analytics recognizes the ID from your visit to Site A and can now stitch both visits into one profile of your browsing.

(Strictly speaking, Google Analytics stores its own identifier as a first-party cookie set by JavaScript on each site; the cross-site linking described here is what advertising-network cookies do. The mechanism is what matters: a cookie belongs to the domain that set it and rides along with every request to that domain, no matter which site embedded the request.)

Umm, Why should I care?

We should care because the data gathered this way is not always used with good intentions. Privacy should be your primary concern whenever you are online: any data you send can be used against you.

Okay, got it, third-party cookies are bad. So why doesn't every browser stop supporting them?

They are. Firefox and Safari already block tracking cookies from third parties by default (Safari through Intelligent Tracking Prevention, Firefox through Enhanced Tracking Protection). Google is a different story. It is the largest advertising company in the world, and tracking underpins its main source of income: targeted advertising sells big, so Google needs some way to follow users across sites in order to serve personalized ads. That is why it has been the least eager to let third-party cookies die.

NEWS: Google Chrome is planning to "phase out" Third-party cookies

As users become more careful about privacy, Google has realized that even it must drop third-party cookies at some point, so it announced a plan to slowly phase out third-party cookie support from Chrome. That is good news: Chrome is the most used browser, and Chrome dropping third-party cookies means the death of third-party cookies altogether.

YAY, We won, right?

Unfortunately not. You didn't really think Google would give up its multi-billion dollar advertising market that easily, did you?

Meet "FLoC", Google's new approach to tracking us

FLoC stands for "Federated Learning of Cohorts". This new fancy term is what Google is planning to use as a substitute for third-party cookies. Instead of identifying you individually, it marks Chrome users as members of a group of people with "common interests". Chrome analyzes your browsing history locally and decides which group you belong to, and the group's ID is exposed to the websites you visit, so advertisers can keep serving personalized targeted ads even without third-party cookies.

How does this FLoC work?

FLoC uses Chrome's browsing history. Once a week, Chrome analyzes the last seven days of history and assigns you to a cohort (group) of people with similar interests. Each cohort has an ID. When you visit a website, that site can ask Chrome for your cohort ID (in the origin trial through the document.interestCohort() JavaScript API) and serve ads based on the group you belong to. If you belong to a "gamers" cohort, you will be shown game-related advertisements.

For example, let's imagine Google has six cohorts (the IDs below are made up for illustration; in the origin trial, real cohort IDs were short integers):

  1. Group: Artists => ID: 0cc175b9c0f1b6a8
  2. Group: Gamers => ID: 92eb5ffee6ae2fec
  3. Group: Programmers => ID: 4a8a08f09d37b737
  4. Group: PHP programmers => ID: 8277e0910d750195
  5. Group: Javascript programmers => ID: e1671797c52e15f7
  6. Group: PHP & Javascript programmers => ID: 8fa14cdd754f91cc

Now Google assigns you a group ID based on your browsing habits. If you frequently visit programming-related websites such as Stack Overflow, you will be part of the "Programmers" group and your cohort ID will be something like "4a8a08f09d37b737". If you start visiting PHP-related sites a lot, maybe you will move into the "PHP programmers" group. Your cohort ID is shared with any website you visit so they can show you programming-related ads. But it is not limited to serving ads: the same ID can be used for surveillance too.

Cohorts are computed with SimHash, a locality-sensitive hash: each domain in your history casts a vote on every bit of a fingerprint, so two users who visit mostly the same sites end up with fingerprints that differ in only a few bits. Chrome then groups nearby fingerprints into cohorts, each of which must contain at least a few thousand users before it is assigned an ID, so similar browsing histories land in the same or neighbouring cohorts even though no two histories are identical.
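To make the grouping concrete, here is an added illustrative example, not Chrome's code and not from the original post: a classic 32-bit SimHash over a list of visited domains, plus a toy cohort ID taken from the fingerprint's leading bits. The hash function (FNV-1a), the bit width, the prefix length and the sample histories are all assumptions made for the demo; Chrome's origin-trial implementation used a 50-bit SimHash and merged groups until each cohort held thousands of users.

```javascript
// Added illustrative example (not Chrome's code): a classic SimHash over
// visited domains, showing why users with overlapping browsing histories get
// nearby fingerprints and therefore similar cohort IDs. The hash function,
// bit width, prefix-based cohort ID and sample histories are constructed
// for this demo.

const BITS = 32;        // fingerprint width (assumption for the demo)
const PREFIX_BITS = 8;  // leading bits that define a toy "cohort" (assumption)

// 32-bit FNV-1a hash of a string, as an unsigned integer.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// SimHash: every domain's hash casts a +1/-1 vote per bit position; the
// fingerprint bit is 1 when the votes are positive. Domains two users share
// cast identical votes, so their fingerprints differ in few bits.
function simhash(domains) {
  const votes = new Array(BITS).fill(0);
  for (const d of new Set(domains.map((x) => x.toLowerCase()))) {
    const h = fnv1a32(d);
    for (let b = 0; b < BITS; b++) {
      votes[b] += ((h >>> b) & 1) ? 1 : -1;
    }
  }
  let fp = 0;
  for (let b = 0; b < BITS; b++) {
    if (votes[b] > 0) fp |= 1 << b;
  }
  return fp >>> 0;
}

// Hamming distance: how many of the BITS positions differ.
function hamming(a, b) {
  let x = (a ^ b) >>> 0;
  let n = 0;
  while (x) { n += x & 1; x >>>= 1; }
  return n;
}

// Toy cohort ID: the top PREFIX_BITS bits of the fingerprint, so users whose
// fingerprints agree on their leading bits share an ID. Chrome additionally
// merged prefixes until each cohort held thousands of users; this toy does not.
function cohortId(domains) {
  return (simhash(domains) >>> (BITS - PREFIX_BITS)).toString(16);
}

// Constructed sample histories (not real browsing data).
const phpDev = [
  'stackoverflow.com', 'php.net', 'github.com', 'laravel.com', 'packagist.org',
  'symfony.com', 'phpunit.de', 'composer.org', 'mysql.com', 'nginx.org',
  'developer.mozilla.org', 'jetbrains.com',
];
// The same person a week later: one domain swapped, eleven shared.
const phpDevNextWeek = [...phpDev.slice(0, 11), 'wordpress.org'];
const gamer = [
  'steampowered.com', 'twitch.tv', 'ign.com', 'nexusmods.com', 'epicgames.com',
  'gog.com', 'speedrun.com', 'pcgamer.com', 'discord.com', 'nvidia.com',
  'xbox.com', 'playstation.com',
];

const distSame = hamming(simhash(phpDev), simhash(phpDevNextWeek));
const distOther = hamming(simhash(phpDev), simhash(gamer));
console.log(`cohort ${cohortId(phpDev)}: ${distSame} bits from next week's history, ${distOther} bits from the gamer`);
```

Run it with node: the two programmer histories share eleven of twelve domains and end up far fewer bits apart than the programmer and the gamer, which is the property FLoC relies on. It is also why the "reverse engineering" risk below is real: a site that can read your cohort ID before and after a visit to some other site learns something about that visit.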

This process violates user privacy already, but there are yet another set of privacy risks:

  • Browser fingerprinting: our browsers already leak data (screen size, installed fonts, LAN IP via WebRTC, and so on) that can be used to fingerprint their users. The more data a browser leaks, the more precisely a site can pin us down. Browser fingerprinting is already very hard to prevent, and FLoC makes it harder: the cohort ID is one more stable, cross-site signal carrying several bits of entropy, and combined with the existing signals it lets sites single us out more precisely.
  • Third-party exposure: we usually hand over some personal data to websites when we create an account. Today those sites only have the data we gave them ourselves. With FLoC they also learn something about our browsing beyond their own site, and they can join our cohort ID to our email address or account. They end up knowing more about us than we wanted them to, and a data breach makes that data public. Are you sure every website you visit is secure enough to be trusted with a summary of your browsing history?
  • Reverse engineering cohort IDs: the current implementation makes it quite feasible to work out what a cohort means. Anyone can watch how their own cohort ID changes after visiting particular sites, or correlate cohort IDs with the people known to visit a site, and so learn which sites a cohort's members frequent. That knowledge can be used in several harmful ways; see the next point.
  • Discrimination: would you want to be treated differently just because you visited a website two days ago? Would anyone like it if a website refused them a service because their cohort marks them as active in Black, LGBT or women's communities? Should there be a cohort for our political views? All of these are unanswered questions if we leave them in the hands of a company such as Google.

Okay, I'm convinced. But what can we do?

We should ditch Google Chrome as much as we can. My personal favorite is Mozilla Firefox, as it is the most privacy-focused browser available. Other Chromium-based browsers are okay, though they have some concerns of their own.

If you are stuck with Chrome, disable its sync feature and block third-party cookies in Chrome's settings: in the origin trial, Chrome only computes a cohort for users who sync their browsing history to a Google account and allow third-party cookies. FLoC is also disabled in Incognito mode, so use Incognito more and more. There should be an option to disable FLoC in Chrome, but I don't trust it.

Please, give Mozilla Firefox a chance.

I am a website owner/developer, what can I do?

If you run a website and care about your users' privacy, opt your site out of FLoC. In the origin trial Chrome counts a visit towards cohort calculation whenever the page calls the FLoC API or Chrome detects that it loads ads-related resources, and it does this for any public site unless that site opts out.

To opt out, your site needs to send this response header on its HTML pages (if your site already sends a Permissions-Policy header, add interest-cohort=() to it as another comma-separated directive rather than sending a second header; the older Feature-Policy header name is not what the opt-out is defined on):

Permissions-Policy: interest-cohort=()

To send the header from PHP (before any output is written):

header('Permissions-Policy: interest-cohort=()');

or in an Nginx config (quote the value, since it contains parentheses; and note that add_header directives in a location block replace, rather than extend, the ones inherited from the server block, so put it where it applies to every response):

add_header Permissions-Policy "interest-cohort=()";

or, if you are using Apache (mod_headers; note there is no colon after the header name):

Header always set Permissions-Policy "interest-cohort=()"
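As an added example (not part of the original post), here is a small Node.js checker for the header: it parses a Permissions-Policy value into its directives, reports whether a response genuinely opts out of FLoC, as opposed to near-misses such as interest-cohort=* or interest-cohort=(self) or the older Feature-Policy header, and merges the opt-out into an existing Permissions-Policy value so you do not clobber directives your framework already sets. The sample responses are constructed; the function names are my own.

```javascript
// Added example (not from the original post): check a response's
// Permissions-Policy header for a genuine FLoC opt-out, and merge the opt-out
// into an existing policy value. The header samples below are constructed.

// Parse "geolocation=(), interest-cohort=()" into a Map of
// feature -> allowlist text: "" for an empty allowlist, "*" for the
// wildcard, otherwise the space-separated allowlist items.
function parsePermissionsPolicy(value) {
  const policy = new Map();
  if (typeof value !== 'string') return policy;
  for (const raw of value.split(',')) {   // allowlists never contain commas
    const directive = raw.trim();
    const eq = directive.indexOf('=');
    if (eq < 0) continue;                  // malformed directive: ignore it
    const feature = directive.slice(0, eq).trim();
    let allow = directive.slice(eq + 1).trim();
    if (allow.startsWith('(') && allow.endsWith(')')) {
      allow = allow.slice(1, -1).trim();   // "()" -> "", "(self)" -> "self"
    }
    if (feature) policy.set(feature, allow);
  }
  return policy;
}

// Look up a header by name regardless of case (Node lower-cases header names,
// other sources may not).
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// True only when Permissions-Policy names interest-cohort with an EMPTY
// allowlist. "interest-cohort=*", "interest-cohort=(self)", a missing header
// and the older Feature-Policy header all count as NOT opted out.
function optsOutOfFloc(headers) {
  const policy = parsePermissionsPolicy(getHeader(headers, 'permissions-policy'));
  return policy.get('interest-cohort') === '';
}

// Serialize a policy Map back into a header value.
function serializePermissionsPolicy(policy) {
  return [...policy]
    .map(([feature, allow]) => `${feature}=${allow === '*' ? '*' : `(${allow})`}`)
    .join(', ');
}

// Add (or fix) the FLoC opt-out without dropping directives already present.
function withFlocOptOut(existingValue) {
  const policy = parsePermissionsPolicy(existingValue);
  policy.set('interest-cohort', '');
  return serializePermissionsPolicy(policy);
}

// Constructed sample responses: only the first two are real opt-outs.
const samples = {
  'plain opt-out':        { 'permissions-policy': 'interest-cohort=()' },
  'merged with others':   { 'Permissions-Policy': 'geolocation=(), interest-cohort=()' },
  'no header':            {},
  'wildcard (allows it)': { 'permissions-policy': 'interest-cohort=*' },
  'self (allows it)':     { 'permissions-policy': 'interest-cohort=(self)' },
  'old header name':      { 'feature-policy': "interest-cohort 'none'" },
};
for (const [label, headers] of Object.entries(samples)) {
  console.log(`${label.padEnd(22)} -> ${optsOutOfFloc(headers) ? 'opted out' : 'NOT opted out'}`);
}
```

In practice you would feed optsOutOfFloc() the headers of a real response (for example from the Node http client or from a saved curl -I dump) and use withFlocOptOut() in your server code when a framework already emits a Permissions-Policy header.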

You can also check whether your own browser has already been assigned a cohort: there are online checkers for it, and calling document.interestCohort() from the DevTools console returns your cohort ID if FLoC is active in your browser (and fails if it is not).

Let your friends and family know about this and help them protect their privacy. This is not only about targeted advertising. As we become more dependent on the internet day by day, issues like this affect our real lives too. Because of the current monopoly-oriented nature of the internet, companies like Google, Facebook and Amazon have too much control over our digital and real lives. Let's not let them manipulate our online presence any longer. Stay safe.
