by manuelflara 1895 days ago
I'll leave this quote from the EFF article on FLoC [1]

> Google’s pitch to privacy advocates is that a world with FLoC (and other elements of the “privacy sandbox”) will be better than the world we have today, where data brokers and ad-tech giants track and profile with impunity. But that framing is based on a false premise that we have to choose between “old tracking” and “new tracking.” It’s not either-or. Instead of re-inventing the tracking wheel, we should imagine a better world without the myriad problems of targeted ads.

[1] https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-...

3 comments

To me it seems FLoC is more about trying to stop a fingerprinting arms race between browsers and adtech, as will happen if third party cookies are removed and no other alternative is provided. In an ideal world adtech companies would just hold up their hands and say 'game's up, on to something else' but it's an industry worth hundreds of billions of dollars, so if the more honest players leave, the shadier companies will be only too happy to cash in.

Part of the problem is that I don't believe FLoC will stop a fingerprinting arms race.

FLoC in many ways makes it easier to fingerprint users, and I don't think that advertisers are going to look at the brand new opportunity FLoC-enhanced fingerprinting presents and just leave it sitting there untouched. There's nothing built into the FLoC spec that prevents advertisers from adding in additional fingerprinting on top of FLoC, and we've been down this road already with stuff like DNT. If any technology at all can be abused for fingerprinting, they'll abuse it. The market they're in doesn't allow them to have restraint, somebody will cross the line and then everyone else will follow under the excuse of being competitive.

So I'm just not willing to give advertisers the benefit of the doubt anymore, or to assume that if we meet them halfway they'll be satisfied. They've already burned that bridge, I'm not inclined to keep offering them new bridges to burn.

> we've been down this road already with stuff like DNT

Let's not forget that Microsoft deliberately murdered DNT by making it the default value. Had they not made that move, there's a good chance we'd have seen DNT honored and eventually codified.

> They've already burned that bridge, I'm not inclined to keep offering them new bridges to burn.

I agree, if you give them no option whatsoever, there will never be legislation reining them in. With FLoC, you could outlaw other forms of tracking and add significant fines. Without it, politicians will not move a finger over concerns to damage the industry.

> Let's not forget that Microsoft deliberately murdered DNT by making it the default value

I totally disagree. Just going to link to a few previous comments I've made on this subject rather than rehash the entire discussion here:

https://news.ycombinator.com/item?id=24294280

https://news.ycombinator.com/item?id=24289186

It is not Microsoft's fault that DNT failed; a privacy option that can't be turned on by default is not a real privacy option. Microsoft made the decision to turn on DNT by default because it determined that most of its users didn't want to be tracked, and the ones that did want to be tracked could go turn the header off. That's a very reasonable determination for any privacy-respecting browser to make. Users should be able to have defaults that closely align with their preferred user-agent behavior.

The reason DNT failed was not because of underhanded sabotage. It's because it got adoption. Advertisers were unwilling to remain in a world where the majority of people didn't get targeted. That's why I say they burned the bridge, because DNT's wide adoption was never a real option for them in the first place -- its entire existence was predicated on the assumption that most people would not use it.

> there will never be legislation reining them in

We could do this anyway. We don't need to present an option ahead of time to make advertisers happy. I guarantee if you go to anyone in Congress and ask them why they're not supporting a privacy bill, they are not going to respond, "we would if better technology and standards existed for targeting." Senators and Congresspersons aren't thinking about browser standards in that level of detail. And if you're worried about advertisers lobbying, I do not believe that FLoC is going to make advertisers lobby less to block any privacy bill.

> That's a very reasonable determination for any privacy-respecting browser to make. Users should be able to have defaults that closely align with their preferred user-agent behavior.

I understand this as "Microsoft produced a privacy-respecting browser and had their users' best interest on their mind", and I find it hard to engage that, because we seem to be living in wildly different realities.

> We could do this anyway. We don't need to present an option ahead of time to make advertisers happy.

We won't, so let's enjoy the situation we have, because change in the right direction that doesn't get us 100% of the way is bad and we'd prefer to remain where we are right now.

> and I find it hard to engage that

Fair enough. If Firefox and Chrome enabled DNT by default, do you think the outcome would have been different? I.e., do you think that advertisers rebelled specifically because they thought Microsoft was hypocritical about tracking?

I don't. I don't think there's evidence that advertisers were mad at Microsoft, and the reasoning I have for that is that they stopped respecting DNT across the entire browser ecosystem, not just on IE. The other point of evidence I have is that advertisers are similarly angry about every other privacy mechanism that gives users choice, even in browsers like Safari and on platforms like iOS.

I think my theory is a pretty consistently reasonable explanation for all of those scenarios. Why are advertisers mad about iOS privacy changes? Is it because Apple is hypocritical? Or is it because a lot of people use iOS, and advertisers don't want to see widespread adoption of any privacy tools? You can find a consistent correlation between how angry advertisers get about any privacy-enhancing proposal and the number of people it would impact.

> so let's enjoy the situation we have, because change in the right direction that doesn't get us 100% of the way is bad

I don't think that's what anyone at all is saying. I disagree that FLoC is a change in the right direction, and I disagree that it will make any legislation any more likely.

I could just as easily make the same point back to you. You're arguing that we should embrace a new tracking standard that makes privacy worse just because an arms race where browsers try to stop tracking entirely on their own isn't a perfect solution.

But an arms race where browsers close tracking vectors where they find them is better than a legal status quo where browsers add new tracking vectors of their own volition. And I don't see any evidence that adding FLoC is going to make US Senators feel better about privacy bills, or that it's going to change how advertisers lobby those Senators.

> Let's not forget that Microsoft deliberately murdered DNT by making it the default value. Had they not made that move, there's a good chance we'd have seen DNT honored and eventually codified.

I always thought this was a naive take. People would say "Of course websites and ad services will respect DNT, it's in the spec!" as if that was a magic incantation that would prevent corps from tracking you.

You don't necessarily need to rely on the spec, you can get it into law. Like GDPR.

Politicians will not destroy an industry, but they will regulate it. If regulation == destruction, they won't touch it.

I suppose you could, assuming the law had teeth and was actually enforceable in a meaningful sense.

But in my opinion, the idea that a flag begging companies not to track them would be respected was always a naive fantasy, regardless of whether it was turned on by default (because why wouldn't I want this turned on by default if it worked?).

GDPR passed without FLoC though.

Do we have evidence that advertisers are going to stop lobbying politicians if FLoC is introduced? Have they promised to do that anywhere?

> But that framing is based on a false premise

Another false premise is that the "old tracking" will stop because of the "new tracking".

Chrome is entirely removing third-party cookies by 2022.

https://www.theverge.com/2020/1/14/21064698/google-third-par...

Chrome is also hard-coding exemptions to Google and DoubleClick domains from their so-called privacy features.

This includes things like clearing the cookies leaving Google cookies alone, to sending a header with a browser ID to Google domains. I really doubt Google will get rid of all their methods to tie in their scripts on third-party websites to one user ID, as that will greatly reduce the effectiveness of Google Analytics or ReCAPTCHA.

That's very generous. However, with the plethora of browser fingerprinting techniques, cookies today have become almost irrelevant:

https://coveryourtracks.eff.org/

https://scrapebot.com/browser-fingerprinting-techniques/

Regardless of how simple fingerprinting is, I'm pretty sure that cookies are still the main way in which advertisers track users. Why make their job cheaper than it has to be?

I agree. What I wanted to point out is that this is not intended as a privacy-enhancing move by Google. More that they make life a bit harder for their own competitors.

Fingerprinting and connecting to logins has been a thing forever, just look at advertising companies offering cross-device targeting.

Or just how aggressively Google wants you to log in to YouTube these days.

Facebook, Instagram and LinkedIn are worse in that it is impossible to use these sites without logging in.

I wish there was a way to whitelist SOME third party cookies in Safari - the only options seem to be all/none. Many “enterprise” integrations (Box in Salesforce for example) break if third party cookies are blocked.

Maybe Chrome doing it will get them assed to fix it.

The old tracking is stopping whether sites want to or not, since users are now wise to uBlock Origin and browsers have finally started pushing for privacy.

Too few.

This isn't a false premise. Either you get the ad supported industry behind some solution or whatever privacy respecting solution will be incompatible with these sites.

Or the ad supported industry finds ways to be supported without ads. That would be the ideal outcome. It would align them with the needs of their customers.

To paraphrase something I saw on Twitter recently: The ad supported industry needs to track users; users don't need the ad supported industry.

If the effort to increase user control and privacy continues, sites that can't support themselves without targeted ad revenue will either adapt or fold.