# FLoC privacy nightmare

Apr 17, 2021

Recently Google started rolling out FLoC (Federated Learning of Cohorts) as a drop-in replacement for the third-party cookies on which they and other advertisers relied. Google themselves decided to block third-party cookies, presented as a turn towards being more privacy-friendly to the public, which was in fact a move to hide FLoC coming in.

FLoC works by letting a browser (yes, YOUR BROWSER) track your search and browsing history and then assign you to a group shared by a lot of people (a cohort). Google added this feature to their flagship browser, Chrome, a while ago, and some parts even ended up in the Chromium project. We don't know some details, as Chrome is proprietary and the services it talks to are proprietary as well. But what we do know is that Google will now definitely lead targeted advertising, as this feature is under the exclusive control of this corporation.

While most people in the privacy and FOSS communities are getting pissed off by this change, normal users are unaware that their browser now does more tracking than ever.

Fortunately, there's a way to opt out of this: as a site owner, you need to send a header declaring that your users shouldn't be added to any cohort. But unlike blocking third-party cookies, this doesn't strictly stop FLoC. Here's the header you need to send if you don't already:

Permissions-Policy: interest-cohort=()
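
One way to send this header from a Python site, as an added example that is not from the original post: a WSGI middleware that adds the opt-out to every response while keeping any Permissions-Policy directives the application already sets. The names `with_floc_opt_out` and `FlocOptOut` are made up for this example, and escaped quotes inside allowlist strings are assumed not to occur.

```python
"""WSGI middleware that opts every response out of FLoC cohort calculation.

Added example; with_floc_opt_out and FlocOptOut are hypothetical names.
"""

FLOC_DIRECTIVE = "interest-cohort=()"


def split_directives(value):
    """Split a Permissions-Policy value on commas that sit outside quotes."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted  # assumption: no escaped quotes in origins
        if ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def with_floc_opt_out(headers):
    """Return headers with a single Permissions-Policy carrying the opt-out.

    Directives already set by the application are kept; any existing
    interest-cohort directive is replaced by the empty allowlist.
    """
    kept, others = [], []
    for name, value in headers:
        if name.lower() == "permissions-policy":
            kept += [d for d in split_directives(value)
                     if d.split("=", 1)[0].strip().lower() != "interest-cohort"]
        else:
            others.append((name, value))
    return others + [("Permissions-Policy", ", ".join(kept + [FLOC_DIRECTIVE]))]


class FlocOptOut:
    """Wrap any WSGI app so every response it produces carries the header."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def patched(status, headers, exc_info=None):
            return start_response(status, with_floc_opt_out(headers), exc_info)
        return self.app(environ, patched)
```

Wrap the application object once, for example `application = FlocOptOut(application)`, so error pages and redirects get the header too.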

=> Aral Balkan deploying FLoC opt-out in site.js

=> Sourcehut opting out of FLoC

This example also shows why the Web is such a mess. With Google Chrome (or projects based on it) having the biggest market share, a single company can control what most people see and do on the internet. That is insanely dangerous.

All of this comes from Web browsers competing with each other on the number of features, and from an ever-growing specification that is nearly impossible to re-implement correctly.

=> The reckless, infinite scope of web browsers

There are alternative Web protocols like Gemini which can't suffer from this, as they are much simpler than the current state of the Web, and it's very hard to build a monopoly on Gemini when a client can be built in a bunch of evenings.

=> Gemini protocol (http)

=> Gemini protocol (gemini)

Also, this site is available on Gemini as a first-class feature (the HTML version mirrors the Gemini site):

=> This website on gemini://