[eterevsky]

While I do understand that some people may not like it, I don't see how FLoC is particularly harmful. I've read several articles about it, and most of them just say something like "you are being put in a advertising cohort -- see how creepy it is", which doesn't really prove anything.

One more specific argument against FLoC is that it will make help tracking users via fingerprinting. I don't really buy it. First of all, the estimations from [EFF article](https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-...) are just plainly wrong. They are talking about narrowing down to thousands of users, while in fact if Chrome has on the order of a billion users, and if FLoC has only 8 bits of entropy, the actual number of users in a cohort is on the order of millions. Secondly, from my understanding this cohort is based on your recent activity, so it will change over time.

[papaf]

and if FLoC has only 8 bits of entropy

From the EFF article that you don't like:

> Google’s experiment used 8-bit cohort identifiers, meaning that there were only 256 possible cohorts. In practice that number could be much higher; the documentation suggests a 16-bit cohort ID comprising 4 hexadecimal characters.

Also, its since someone can belong to more than 1 cohort, the 8bits is a bare minimum and not a maximum. For instance, techie who likes hiphop, buys whisky and is looking for a washing machine is 32bits of entropy and covers the billion users with ease.

[htoiewur2434]

> In practice that number could be much higher; the documentation suggests a 16-bit cohort ID comprising 4 hexadecimal characters.

Yes, but Google already has atleast 32-bits from the ip address already (which I know for a fact that they don't use).

[eterevsky]

Ok, I agree that it is plausible that eventually more than 8 bits will be used. But in that case, the users will likely change their cohorts at a much higher rate, which will make them less useful for tracking.

> someone can belong to more than 1 cohort

I'm pretty sure you will only belong to one cohort at a time. Otherwise it would defeat the purpose of this change. It seems like k-anonymity is an express goal of FLoC.

[kemonocode]

> While I do understand that some people may not like it, I don't see how FLoC is particularly harmful.

Sure, I can give an example: it goes beyond simple basic fingerprinting, it allows you to be associated with a group of "others" (your cohort) in ways that can be dangerous to you.

Suppose you live in a country where you may not enjoy certain freedoms or some behaviors may be outlawed; end up in the wrong cohort(s) and a state actor will be able to know these things rather easily, this is not to say there aren't already means to do it today, but why make the job even easier for them?

[ranguna]

> state actor will be able to know these things rather easily

But state actors won't be able identity me individually, so I don't see the harm either. And you can actually reset you FLoC id at any time.

I think advertisers (like Facebook) know that this will damage their revenue and doing mass brain wash to make people think this is harmful for everyone (Cambridge Analytica style).

[feanaro]

> But state actors won't be able identity me individually, so I don't see the harm either.

Why wouldn't they be able to? FLoC tells them you're a dissenter, your IP tells them who you are.

Just because you can reset it doesn't mean that you should have to be constantly afraid of your browser working against you. You're just listing ways in which FLoC is slightly less terrible than some maximally terrible hypothetical version. It doesn't make FLoC proper less bad.

I would argue the very notion that your recent browsing history affects what you see in the present is a wrong and dangerous one.

[ranguna]

My browser is already working against me by allowing 3rd party cookies. When FLoC comes along 3p cookies will eventually be disabled by chrome as a long term goal. I see FLoC as less bad than 3p cookies in this case, because I can't tell trackers "hey, please reset all knowledge you have of the tracking of this specific cookie".

> I would argue the very notion that your recent browsing history affects what you see in the present is a wrong and dangerous one.

It already does, 3p cookies do exactly that and deleting them is a pain because you would also be getting rid of legitimate cookies, so you have very little or no control. Reseting your FLoC id is as easy as pressing a button and you don't have to worry about having to re-login everywhere.

[feanaro]

Third-party tracking cookies have not been a problem in my browser (Firefox) for quite a while now, since they get blocked by default. Firefox also recently introduced Total Cookie Protection, which is a feature isolating cookies by the origin on which they were created on. (https://www.theregister.com/2021/02/24/firefox_cookies_86/)

So the argument for FLoC is moot because this is actually a false dilemma. We shouldn't be acting as if it is a choice between either third-party cookie or FLoC. Rather, we should reject both.

Aside: In some ways, FLoC is worse than third-party cookies since the latter are not under central control and do not provide a way of automatically grouping an entire browser user population into similarity groups based on past browser history.

[aww_dang]

https://web.dev/floc/

Replace "hiking boots" with "dissent" in this example.

[ranguna]

I'm afraid I don't get what you mean.

[eterevsky]

As someone who lived in such country and has a lot of friends who still live there, I wouldn't care about it too much. The governments of such countries are usually not interested in find every single citizen who's interested in some topic. What they are interested in is suppressing people who are promoting "wrong" values. And you don't need a vague advertising identifier to find such people.

[o_m]

It can be a death sentence in countries where homosexuality is illegal. Say you are FLoC branded as being LGBT (sort of like the pink triangle in nazi concentration camps) and you visit a government website, they will know about your sexuality and can arrest you.

[froh]

Political tags are explicitly banned from the FLoC tagging data which identifies locally your 'secular', a-political preferences.

in contrast to that Facebook can identify you as LGBT+ today based off your likes and dislikes and shares.

https://www.pnas.org/content/112/4/1036

[feanaro]

> Political tags are explicitly banned from the FLoC tagging data which identifies locally your 'secular', a-political preferences.

Just because this is said to be so on paper doesn't mean it would actually be so. How would this work in practice with the LGBT example? Would every LGBT-related website be tagged as a "political" website in Google so that it is not included in the calculation? What about clearly non-problematic a-politicial categories which nevertheless serve as a good proxy for detecting LGBT members because of e.g. their increased interest in the topic?

> in contrast to that Facebook can identify you as LGBT+ today based off your likes and dislikes and shares.

This is irrelevant because we're not choosing. Facebook tracking is also terrible.

[o_m]

There are 33000 group IDs. A service with your identity could track how your group ID is changing over time a triangulate your political view or sexuality based on ID patterns of people they have arrested already.

[htoiewur2434]

Don't think floc tags be shared b/w domains

[o_m]

The entire point of FLoC is to track you across all domains and collect all of your browser history to put you into a group. If it was only for one domain every user would be in the same group.

[htoiewur2434]

cookies do the same thing, but you can't access cookies stored for other domains.

(i'm surprised people screaming apocalypse have such poor understanding of the web).

[edf13]

From the article...

> EFF brings up a second concern which is also novel and scary in terms of privacy. If you sign up to an online service with your email address, they can immediately tie your last week’s browsing data with the email address that you supply them (or physical address, phone nr, etc). It means any service you use now knows what you’ve been up to and not just in an anonymous way

[robertlagrant]

How can they do that? They only have an ID, don't they?

[feanaro]

They only have an ID until you decide to deanonymise yourself on purpose by registering.

[robertlagrant]

Understood, but from that ID how can they query what sites people have visited? I thought it was just "I belong to this cohort" with no knowledge of what that cohort is?

[throw_m239339]

> While I do understand that some people may not like it, I don't see how FLoC is particularly harmful.

FLoC, AMP, ... With Chrome, Google is hijacking the web in a more cunning way than Microsoft and IE. The revolt against that needs to happen now. When Firefox is dead, it will be too late...

[ehnto]

> "you are being put in a advertising cohort -- see how creepy it is", which doesn't really prove anything.

Are you wanting proof for how it is harmful?

One possibility is that with a FLoC and a few other details, you can be fingerprinted as an individual not a cohort. So it's not effective at anonymizing the data advertisers are tracking from you.

[sanxiyn]

FLoC is not particularly harmful, but Google is harmful, and harming FloC will harm Google. So I fully support fighting against FLoC.