The Mozilla Foundation, responsible for the Firefox browser, published a note on Thursday (10), signed by Eric Rescorla, commenting on the implementation of Google FLoC. The tool is still being tested within Chrome and promises to deliver a more private experience than cookies, but it has drawn criticism on exactly that point.
FLoC is a way to collect data about users as they browse the internet, in order to supply the interest-based advertising that funds free access to a large part of the web. The biggest difference between this system and traditional cookies is that the data is grouped, so that many people are gathered into one profile rather than each person having an individual list.
The idea is potentially useful for preserving some privacy while browsing, but Mozilla says its analysts have found several details that work against that goal. The first, according to the foundation, is that FLoC can follow a group of users in much the same way cookies do, narrowing the information down until each person's profile is almost individual.
One way to narrow a group down toward an individual profile is through the browser itself, which does not always try, or manage, to limit so-called browser fingerprinting.
“Let’s take an example using some numbers that are plausible. Imagine you have a fingerprinting technique that divides people into about 8,000 groups (each larger than a zip code). This is not enough to identify people individually, but if combined with a FLoC using a cohort of around 10,000, then the number of people in each fingerprinting group could be quite small, potentially as small as one,” says Eric Rescorla.
Another privacy issue in Google FLoC pointed out by Rescorla is how often the cohort is recomputed from the user's visits to different websites, which tends to be weekly. The cohort IDs from successive weeks can then be combined to distinguish nearly individual profiles. Mozilla further comments that even Firefox’s cookie protection tool (called TCP) can’t prevent the collection of information about multiple visits to a single site.
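The numbers in the quote, and the weekly recomputation point, worked through as a simulation. This is an added example, not code from Mozilla's note or from Google: the 200,000-user population is a constructed, scaled-down sample, and uniform, independent fingerprint groups and weekly cohort draws are simplifying assumptions.

```python
import random
from collections import Counter

COHORT_SIZE = 10_000  # people per FLoC cohort (figure from the quote)
FP_GROUPS = 8_000     # groups produced by fingerprinting (figure from the quote)


def observed_keys(population, weeks, use_fingerprint, seed=7):
    """Return the key a site could observe for each simulated user.

    Assumptions: fingerprint group and cohort are uniform and independent,
    and a user's cohort is redrawn independently every week.
    """
    rng = random.Random(seed)
    n_cohorts = population // COHORT_SIZE
    keys = []
    for _ in range(population):
        fp = rng.randrange(FP_GROUPS) if use_fingerprint else None
        cohorts = tuple(rng.randrange(n_cohorts) for _ in range(weeks))
        keys.append((fp, cohorts))
    return keys


def anonymity(keys):
    """Return (share of users alone in their key, median anonymity-set size)."""
    counts = Counter(keys)
    sizes = sorted(counts[k] for k in keys)
    unique = sum(1 for s in sizes if s == 1) / len(sizes)
    return unique, sizes[len(sizes) // 2]


def report(population=200_000):
    """Anonymity for each combination of signals a site might hold."""
    scenarios = {
        "cohort ID, 1 week": (1, False),
        "fingerprint only": (0, True),
        "fingerprint + cohort ID, 1 week": (1, True),
        "cohort IDs linked over 4 weeks": (4, False),
        "fingerprint + cohort IDs, 3 weeks": (3, True),
    }
    return {name: anonymity(observed_keys(population, w, fp))
            for name, (w, fp) in scenarios.items()}


if __name__ == "__main__":
    for name, (unique, median) in report().items():
        print(f"{name:36s} unique={unique:6.1%}  median set size={median}")
```

Under these assumptions neither signal alone singles anyone out, but about 29% of users are alone in their fingerprint/cohort pair, and adding further weeks of cohort IDs pushes that share toward 100%. The multi-week rows presume the site can recognise a returning visitor, which is the single-site linkage the paragraph above says cookie protection does not prevent.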
Finally, the note points to the collection of more data than the user might expect. “Since FLoC IDs are the same across all sites, they become a shared key to which crawlers can associate data from external sources. For example, it is possible for a crawler with a considerable amount of data of interest to operate a service that only answers questions about interests on a specific FLoC ID. For example: ‘Do people who like cars have this cohort ID?’ The site only needs to call a FLoC API to get the identification of this cohort and then use it to look up information in this service,” says Rescorla.
The UK has its eye on Google FLoC
In a deal between Google and the UK, regulators in the region will oversee the search giant’s proposed changes to FLoC. The concern arose when government officials and members of the advertising market raised more questions about the privacy of this type of screening, going as far as the possibility that the company might end up increasing its power in this segment.
Google has promised to be transparent in this process and could be forced to stop its tests for 60 days if more doubts or fears reach regulators, particularly over issues that have been raised and remain unresolved.
With information from Mozilla and Engadget.