Google, Privacy, and FLoC: Lamb or Wolf in Sheep’s Clothing?

In January, Google announced a major shift in its approach to ad privacy. At the core of its announcement was a more privacy-friendly replacement for third-party cookies called Federated Learning of Cohorts (FLoC) to be integrated into the Chrome browser in 2022. FLoC would prevent Google and other advertisers from collecting data about where individuals go on the web, and instead target ads by aggregating users into buckets of shared interests, all without sending their browsing histories to Google’s servers.

This past spring, when Google pushed an experimental version of FLoC to a small segment of Chrome users, it raised near-universal outcry from a confusing alliance of advertisers and privacy advocates. Advertisers claimed FLoC threatened their business models and would drastically degrade the relevance of ads users would see. In contrast, privacy advocates such as the Electronic Frontier Foundation argued that FLoC, when combined with other fingerprinting techniques, could actually be used to more easily track users around the web than the third-party cookies they were meant to replace. Privacy-minded organizations, such as The Guardian and DuckDuckGo, as well as the other major browsers promised to block FLoC. In response to the backlash, Google stopped its trials and pushed the release of FLoC back from 2022 to 2023.

Today, with the worldwide release of FLoC less imminent, we have time to look beyond its heated news coverage to ask the more coolheaded questions: is FLoC a good idea that fell victim to anti-Google public sentiment? Or is it yet another threat to user privacy and wellbeing sugarcoated in the language of data protection?

Before exploring these questions, it’s worth diving a bit into how FLoC works. FLoC categorizes Chrome users into “cohorts” of at least a couple thousand people with similar web browsing histories that advertisers can use to target ads. That cohort is not determined by Google’s servers but rather is calculated inside the web browser itself every time a user visits a new website, through a decentralized mathematical process called “federated learning”.

So say for example you visit a website that sells sweat-wicking flannel shirts. Under FLoC, that website will collect your cohort number — instead of the trove of personal information they collect today through third-party cookies — and ask an ad exchange (for 80% of the web, that’s Google) to place an ad for that sweat-wicking flannel shirt on other websites that people in that cohort visit. FLoC means neither Google nor the advertisers collects data on the person seeing the ad. Yet at least according to Google itself, the method is 95% as effective as the company’s current approach to targeting ads.

FLoC does have some clear benefits over the existing cookie-based model for online advertising. By targeting ads based on anonymized categories instead of individual profiles, the curious Google employee would no longer be able to look up a user’s entire life on the internet. Furthermore, if Google did not collect information on user browsing habits, it could not send that data to governments asking for it. And once Google finished rolling out FLoC to everyone and removed third-party cookies from Chrome (which makes up nearly two thirds of the world’s browser market share), it would potentially force other advertisers and data brokers to abandon some of their own pernicious data collection practices.

Why would Google technologically tie its hands like this? It may be a change of heart around privacy concerns. But it also may be because years of rampantly collecting data and allowing others to do so have put Google in the crosshairs of regulators around the world, posing an existential threat to its entire business model. For Big Tech in general, personal data may become more of a liability than an asset, and Google is not the only one trying to pivot away. Apple is making it more difficult for app developers to track users around the web. Even Facebook is looking beyond personal data with its notorious cryptocurrency project Diem (formerly known as Libra).

While FLoC may address some problems of individual privacy, it is hardly a panacea for all the privacy problems raised by Google’s search engine and its advertising business. Google may no longer collect attributes about specific people, but by determining cohorts based on the ads they click and the sites they visit — for example, who buys shea butter, who visits an online hijab shop — it can continue to inadvertently serve ads based on race, religion, class, and other sensitive traits, blurring the line between “targeted” and “predatory” advertising. And just as importantly, FLoC comes with none of the second-order benefits of empowering users and disempowering platforms that are typically associated with reduced data collection.

In theory, Google’s creation of FLoC and the industry’s larger shift away from individual data collection should mean the system is working — regulators signaled their disapproval of certain practices and Big Tech adjusted in anticipation. Instead, Google is using FLoC to define the problems of data collection and mass surveillance in a way convenient to itself, where what matters are harms to individuals, not harms to collectives such as disenfranchised groups or democracy as a whole. Or to borrow the framing of information law scholar Salomé Viljoen, FLoC treats data as an “individual medium”, through which people can only be harmed by misuse of their own data, as opposed to a “democratic medium”, where everyone’s data is connected and the potential for collective harm is greater than the sum of its individual parts.

FLoC may stop curious Google employees (a legitimate concern) but it does nothing to check Google’s capacity to manipulate popular opinion en masse, nor does it stop Google and other Big Tech companies from profiting off of the disinformation, misinformation, and demagoguery that drive so much internet traffic. Google does not need to collect our data to be a power that few politicians, media outlets, or funding-starved regulators would dare go toe-to-toe with. FLoC implicitly brushes these problems with the data economy under the table and frames individual privacy as all important.

FLoC is gone for now, but not forever. Google has already gone back to the drawing board to address some of the concerns raised by privacy advocates, making FLoC less useful for fingerprinting and possibly shifting to a more transparent, less potentially discriminatory topic-based approach to determining cohorts. But the bigger, more pernicious problem with FLoC — its hyper-narrow focus on individual privacy — cannot be patched out. Rather, it is strategically baked into the technology’s core premise. FLoC cannot be seen as the be-all end-all for privacy. To address the collective harms of the data economy, we will likely have to look beyond Big Tech companies for new frameworks, new technologies, and new laws.