Aahh, cookies. What a delicious way to track people online. It's even better when served to/from a third party. But how do they work, and why does everyone want them dead?
Umm, why should I care?
We should care because this gathered data is not always used with good intentions. Privacy should always be your primary concern when you are online. Any data you send online can be used to harm you.
Okay, got it: third-party cookies are bad. So why doesn't every browser stop supporting them?
They are dropping support for third-party cookies. Firefox and Safari are already very strict about third-party cookie support. But Google is a different story. As the largest advertising company, tracking is its main source of income. Targeted advertising sells big time, so Google needs a way to track users online to serve them personalized, targeted ads. And that's the reason it is the least eager to let third-party cookies die.
NEWS: Google Chrome is planning to "phase out" third-party cookies
As users become more careful about privacy day by day, Google has realized that even it needs to stop supporting third-party cookies at some point. So it has started planning to slowly phase out third-party cookie support from its browser, Chrome. This is definitely good news: since Chrome is the most used browser, Chrome not supporting third-party cookies means the death of third-party cookies altogether.
YAY, we won, right?
Unfortunately, not really. You didn't actually think Google would give up its multi-billion dollar advertisement market that easily, did you?
Meet "FLoC", Google's new approach to tracking us
FLoC stands for "Federated Learning of Cohorts". This fancy new term is what Google is planning to use as a substitute for third-party cookies. It will allow Google to mark Chrome users as members of a specific group with "common interests". Chrome will analyze our browsing history and decide which "group" we belong to. As our "Group ID" will be shared with Google's advertising partners, personalized targeted ads will continue to thrive even in the absence of third-party cookies.
How does this FLoC work?
FLoC uses Chrome's browsing history. Once a week, Chrome will analyze your last 7 days of browsing history and assign you to a cohort (group) consisting of people who have the same interests as you. Each cohort/group has a unique ID. When you visit a website, Chrome will send this group ID to that site so it can serve targeted ads based on the group you belong to. If you belong to a group for "Gamers", then you'll be served game-related advertisements.
For example, let's imagine Google has 5 cohorts/groups:
Now, Google will assign you a group ID based on your browsing habits. If you frequently visit programming-related websites such as Stack Overflow, you'll be part of the "Programmers" group and your cohort ID will be something like "4a8a08f09d37b737". If you start to visit PHP-related sites a lot, maybe you'll become part of the "PHP programmers" group. Your cohort ID will be shared with any website you visit so it can show you programming-related ads. But this is not limited to serving ads; the IDs can be used for surveillance too.
By utilizing SimHash, they will be able to detect similar groups even if their IDs are different.
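To see why similar groups stay detectable, here is a simplified SimHash sketch added for illustration (it is not Google's or Chrome's code): browsing histories that share most sites get fingerprints that differ in only a few bits. The 64-bit width, the SHA-256 feature hash and the .example domains are assumptions made for the example.

```python
import hashlib

BITS = 64  # assumption: illustrative width, not Chrome's real cohort ID size


def feature_hash(domain: str) -> int:
    """Stable 64-bit hash of one visited domain."""
    digest = hashlib.sha256(domain.encode("utf-8")).digest()
    return int.from_bytes(digest[:BITS // 8], "big")


def simhash(domains) -> int:
    """Each domain votes +1/-1 on every bit; the sign of the tally sets the bit."""
    tally = [0] * BITS
    for domain in set(domains):
        h = feature_hash(domain)
        for bit in range(BITS):
            tally[bit] += 1 if (h >> bit) & 1 else -1
    return sum(1 << bit for bit in range(BITS) if tally[bit] > 0)


def hamming(a: int, b: int) -> int:
    """Number of bit positions in which two fingerprints differ."""
    return bin(a ^ b).count("1")


# Constructed browsing histories (hypothetical domains).
alice = [f"dev{i}.example" for i in range(40)]
bob = alice[:-1] + ["php-news.example"]          # same habits, one site differs
carol = [f"shop{i}.example" for i in range(40)]  # unrelated habits


def compare():
    """Return (alice-vs-bob, alice-vs-carol) Hamming distances."""
    a, b, c = simhash(alice), simhash(bob), simhash(carol)
    return hamming(a, b), hamming(a, c)


if __name__ == "__main__":
    near, far = compare()
    print(f"alice={simhash(alice):016x} bob={simhash(bob):016x}")
    print(f"similar histories differ in {near} bits, unrelated in {far} bits")
```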
This process already violates user privacy, but there is yet another set of privacy risks:
Okay, I'm convinced. But what can we do?
We should ditch Google Chrome as much as we can. My personal favorite is Mozilla Firefox, as it is the most privacy-focused browser available. Other Chromium-based browsers are okay, though they have some other concerns too.
If you are stuck with Chrome, disable its sync feature. Currently FLoC is disabled in "Incognito Mode", so start using incognito more and more. There should be an option to disable FLoC in Chrome, but I don't trust it.
Please, give Mozilla Firefox a chance.
I am a website owner/developer, what can I do?
If you have a website and love your users' privacy, you should opt your site out of FLoC. By default, Google enables FLoC for all public websites unless you opt out.
To opt out, websites need to return a header
To send the header, you can add it in PHP:
Or, in the Nginx conf:
add_header Permissions-Policy interest-cohort=();
Or, if you are using Apache:
Header always set Permissions-Policy: interest-cohort=()
Also, visit https://amifloced.org/ to check whether you are already part of it.
Let your friends and family know about it and help them protect their privacy. This is not only about targeted advertisement. As we become more dependent on the internet day by day, issues like this can have an impact on our real lives too. Due to the current monopoly-oriented nature of the internet, companies like Google, Facebook and Amazon have too much control over our digital and real lives. Let's not let them manipulate our online presence anymore. Stay safe.