Google's FLoC has 'significant' privacy problems, Mozilla says

Posted:
in General Discussion edited June 11
Google's new proposal for targeted ad tracking has a number of properties that could pose "significant" privacy risks to users, according to Firefox maker Mozilla.

Credit: AppleInsider
Credit: AppleInsider


On Thursday, Firefox published the results of an analysis of Google's Federated Learning of Cohorts, or FLoC, proposal. Google believes the new "privacy-preserving" system could be used to replace third-party cookies for ad tracking purposes. Rescorla, however, says there are major privacy problems with the system.

FLoC works by using a new "cohort" identifier. Compared to cookies, "cohorts" identify a group of users with similar interests instead of a single person. Advertisers can then use these cohorts for ad tracking purposes without needing the browsing history of a specific user.

However, cohorts will likely only consist of thousands of users. That could allow trackers to narrow down specific users very quickly, Firefox CTO Eric Rescorla wrote.

For example, tracking companies could use browser fingerprinting to narrow down the list of potential users in a cohort to just a few. Firefox says trackers would only need "a relatively small amount of information" when combined with a FLoC cohort.

Additionally, trackers could use combinations of FLoC IDs in a given timeframe to distinguish individual users. That's because neither FLoC identifiers or user interests are constant.

FLoC identifiers also leak more information than cookies. Unlike site-specific cookies, FLoC IDs are the same across websites. Because of that, "they become a shared key to which trackers can associate data from external sources."
For example, it's possible for a tracker with a significant amount of first-party interest data to operate a service which just answers questions about the interests of a given FLoC ID. E.g., "Do people who have this cohort ID like cars?". All a site needs to do is call the FLoC APIs to get the cohort ID and then use it to look up information in the service. In addition, the ID can be combined with fingerprinting data to ask "Do people who live in France, have Macs, run Firefox, and have this ID like cars?" The end result here is that any site will be able to learn a lot about you with far less effort than they would need to expend today.
Google has proposed several countermeasures to mitigate these privacy problems, including making FLoC opt-in for websites and suppressing cohorts that it believes are too connected to "sensitive" topics. However, Firefox believes they're not enough.

"While these mitigations seem useful, they seem to mostly be improvements at the margins, and don't address the basic issues described above, which we believe require further study by the community," Rescorla wrote.

He added that the issues would only be a problem if FLoC was pushed out in its current form -- they could still be fixed. Mozilla has published more information, and has offered some potential solutions, in a deeper analysis.

Since the announcement of the FLoC proposal, a number of browser companies -- including Brave, Vivaldi, and Opera -- have spoken out against the idea.

Follow all of WWDC 2021 with comprehensive AppleInsider coverage of the week-long event from June 7 through June 11, including details on iOS 15, iPadOS 15, watchOS 8, macOS Monterey and more.

Stay on top of all Apple news right from your HomePod. Say, "Hey, Siri, play AppleInsider," and you'll get the latest AppleInsider Podcast. Or ask your HomePod mini for "AppleInsider Daily" instead and you'll hear a fast update direct from our news team. And, if you're interested in Apple-centric home automation, say "Hey, Siri, play HomeKit Insider," and you'll be listening to our newest specialized podcast in moments.

Comments

  • Reply 1 of 17
    lmasantilmasanti Posts: 92member
    FLoC is like Little Red Riding Hood asking the Wolf why his mouth is so big!
    BeatsStrangeDayscornchipwatto_cobra
  • Reply 2 of 17
    significant privacy problems? No surprise there then. After all, this is Google we are talking about. Their mantra seems to be 'All your data and life is ours to do with as we please'.
    twokatmewBeatsStrangeDaysOferDogpersoncornchipwatto_cobra
  • Reply 3 of 17
    sphericspheric Posts: 2,068member
    Say it ain’t so!

    BeatsdewmeWgkruegerOfercornchipwatto_cobra
  • Reply 4 of 17
    Apple_BarApple_Bar Posts: 100member
    you mean the same Mozilla that gets money from Google.
    williamlondonOfer
  • Reply 5 of 17
    gatorguygatorguy Posts: 22,899member
    FLoC has not been finalized, still a work in progress just as the article mentions, and a paragraph that all the commenters so far have appeared to have missed reading.

    "He added that the issues would only be a problem if FLoC was pushed out in its current form -- they could still be fixed. Mozilla has published more information, and has offered some potential solutions, in a deeper analysis."
    edited June 11 muthuk_vanalingamOfer
  • Reply 6 of 17
    BeatsBeats Posts: 2,320member
    gatorguy said:
    FLoC has not been finalized, still a work in progress just as the article mentions, and a paragraph that all the commenters so far have appeared to have missed reading.

    "He added that the issues would only be a problem if FLoC was pushed out in its current form -- they could still be fixed. Mozilla has published more information, and has offered some potential solutions, in a deeper analysis."

    “Sh**!! Someone found our exploit!”
    OferDogpersonwatto_cobra
  • Reply 7 of 17
    gatorguygatorguy Posts: 22,899member
    Beats said:
    gatorguy said:
    FLoC has not been finalized, still a work in progress just as the article mentions, and a paragraph that all the commenters so far have appeared to have missed reading.

    "He added that the issues would only be a problem if FLoC was pushed out in its current form -- they could still be fixed. Mozilla has published more information, and has offered some potential solutions, in a deeper analysis."

    “Sh**!! Someone found our exploit!”
    That's why open-sourcing it works so well. Almost impossible to hide anything, and a good policy that Google very often uses. Personally I'd love to see other big techs be more transparent and open-source software more. Tens of thousands of eyeballs do tend to keep things honest and upfront. 
    edited June 11 muthuk_vanalingamspheric
  • Reply 8 of 17
    Beats said:
    gatorguy said:
    FLoC has not been finalized, still a work in progress just as the article mentions, and a paragraph that all the commenters so far have appeared to have missed reading.

    "He added that the issues would only be a problem if FLoC was pushed out in its current form -- they could still be fixed. Mozilla has published more information, and has offered some potential solutions, in a deeper analysis."

    “Sh**!! Someone found our exploit!”
    And once again @gg ignores and whitewashes the entire intent of that evil fucking company, like getting caught at this is so utterly out of character of Google when it is absolutely NOT. It's like he really doesn't know Google at all, but merely ignorantly and blindly defends them and their antics incessantly. How pathetic and insulting to those who know better (i.e. certainly most if not all of this entire forum).
    StrangeDayswatto_cobra
  • Reply 9 of 17
    WgkruegerWgkrueger Posts: 312member
    gatorguy said:
    Beats said:
    gatorguy said:
    FLoC has not been finalized, still a work in progress just as the article mentions, and a paragraph that all the commenters so far have appeared to have missed reading.

    "He added that the issues would only be a problem if FLoC was pushed out in its current form -- they could still be fixed. Mozilla has published more information, and has offered some potential solutions, in a deeper analysis."

    “Sh**!! Someone found our exploit!”
    That's why open-sourcing it works so well. Almost impossible to hide anything, and a good policy that Google very often uses. Personally I'd love to see other big techs be more transparent and open-source software more. Tens of thousands of eyeballs do tend to keep things honest and upfront. 
    Excellent point about open source. 
    Ofer
  • Reply 10 of 17
    gatorguygatorguy Posts: 22,899member
    Beats said:
    gatorguy said:
    FLoC has not been finalized, still a work in progress just as the article mentions, and a paragraph that all the commenters so far have appeared to have missed reading.

    "He added that the issues would only be a problem if FLoC was pushed out in its current form -- they could still be fixed. Mozilla has published more information, and has offered some potential solutions, in a deeper analysis."

    “Sh**!! Someone found our exploit!”
    And once again @gg ignores and whitewashes the entire intent of that evil fucking company, like getting caught at this is so utterly out of character
    "Caught" at what exactly Mr London? Did you see the word "Google" and just started foaming at the mouth and blathering with no idea what you were actually commenting on? What exactly are you claiming they were "caught at? I'd LOVE to hear it.
    edited June 11
  • Reply 11 of 17
    MplsPMplsP Posts: 3,045member
    Isn't having Google design a privacy paradigm kind of like having a bank robber design a lock?
    williamlondonStrangeDaysOfercornchipwatto_cobra
  • Reply 12 of 17
    StrangeDaysStrangeDays Posts: 11,305member
    gatorguy said:
    Beats said:
    gatorguy said:
    FLoC has not been finalized, still a work in progress just as the article mentions, and a paragraph that all the commenters so far have appeared to have missed reading.

    "He added that the issues would only be a problem if FLoC was pushed out in its current form -- they could still be fixed. Mozilla has published more information, and has offered some potential solutions, in a deeper analysis."

    “Sh**!! Someone found our exploit!”
    And once again @gg ignores and whitewashes the entire intent of that evil fucking company, like getting caught at this is so utterly out of character
    "Caught" at what exactly Mr London? Did you see the word "Google" and just started foaming at the mouth and blathering with no idea what you were actually commenting on? What exactly are you claiming they were "caught at? I'd LOVE to hear it.
    I believe he is plainly referring to Google’s proposal, a weak solution that fails to protect privacy. Sure you are saying it’s not final, but it’s a weak initial offering. Google supposedly has the most brilliant minds in software, right? And they couldn’t propose something that’s hardened? Why does their proposal as is, not do the job? Don’t they have privacy advocates on their working group who would have expressed these same concerns during the design & drafting phase?
    williamlondonwatto_cobra
  • Reply 13 of 17
    This may not be Google's final proposal, but they've been aware of the issues since the week following their announcement of the technology. EFF has been writing about the evils of FLoC since 2019 (https://www.eff.org/deeplinks/2019/08/dont-play-googles-privacy-sandbox-1). Two years later and still issues exist, hmmmm, that's progress indeed.
    Ofercornchipmike egglestonwatto_cobra
  • Reply 14 of 17
    gatorguygatorguy Posts: 22,899member
    gatorguy said:
    Beats said:
    gatorguy said:
    FLoC has not been finalized, still a work in progress just as the article mentions, and a paragraph that all the commenters so far have appeared to have missed reading.

    "He added that the issues would only be a problem if FLoC was pushed out in its current form -- they could still be fixed. Mozilla has published more information, and has offered some potential solutions, in a deeper analysis."

    “Sh**!! Someone found our exploit!”
    And once again @gg ignores and whitewashes the entire intent of that evil fucking company, like getting caught at this is so utterly out of character
    "Caught" at what exactly Mr London? Did you see the word "Google" and just started foaming at the mouth and blathering with no idea what you were actually commenting on? What exactly are you claiming they were "caught at? I'd LOVE to hear it.
    I believe he is plainly referring to Google’s proposal, a weak solution that fails to protect privacy. Sure you are saying it’s not final, but it’s a weak initial offering. Google supposedly has the most brilliant minds in software, right? And they couldn’t propose something that’s hardened? Why does their proposal as is, not do the job? Don’t they have privacy advocates on their working group who would have expressed these same concerns during the design & drafting phase?
    No, I don't think that's what he was saying at all. He simply didn't understand (or take the time to) and jumped to the conclusion this was something nefarious and sneaky that no one knew about until Mozilla told us, which is not true in any way.

    Be that as it may even Apple with all their brilliant engineers and scientists also develops software requiring changes as it goes along, even ones involving privacy issues. Recent example might be AirTag software. Other examples would include iOS betas and advertising and location features.

     I thought you also developed software at some point? If so has it been your experience that it's perfect out of the gate?
    edited June 11
  • Reply 15 of 17
    OferOfer Posts: 94unconfirmed, member
    MplsP said:
    Isn't having Google design a privacy paradigm kind of like having a bank robber design a lock?
    Yup, this right here. Well-said!
    williamlondoncornchipwatto_cobra
  • Reply 16 of 17
    gatorguy said:
    No, I don't think that's what he was saying at all. He simply didn't understand (or take the time to) and jumped to the conclusion this was something nefarious and sneaky that no one knew about until Mozilla told us, which is not true in any way.

    Be that as it may even Apple with all their brilliant engineers and scientists also develops software requiring changes as it goes along, even ones involving privacy issues. Recent example might be AirTag software. Other examples would include iOS betas and advertising and location features.

     I thought you also developed software at some point? If so has it been your experience that it's perfect out of the gate?
    Actually, I think the biggest problem here is that this has been in draft for multiple years. To me, it seems obvious that Google has no desire to harden this proposal at all. And this is not some sort of Google-hate thing. This has to do with more of "Follow the money". Google's main bread-and-butter is their Ad revenue, so of course they want to keep that going. As a software developer, I can tell you with absolute certainty, if they really wanted to harden this proposal, they could have at this point.

    williamlondonwatto_cobra
  • Reply 17 of 17
    gatorguygatorguy Posts: 22,899member
    gatorguy said:
    No, I don't think that's what he was saying at all. He simply didn't understand (or take the time to) and jumped to the conclusion this was something nefarious and sneaky that no one knew about until Mozilla told us, which is not true in any way.

    Be that as it may even Apple with all their brilliant engineers and scientists also develops software requiring changes as it goes along, even ones involving privacy issues. Recent example might be AirTag software. Other examples would include iOS betas and advertising and location features.

     I thought you also developed software at some point? If so has it been your experience that it's perfect out of the gate?
    Actually, I think the biggest problem here is that this has been in draft for multiple years. To me, it seems obvious that Google has no desire to harden this proposal at all. And this is not some sort of Google-hate thing. This has to do with more of "Follow the money". Google's main bread-and-butter is their Ad revenue, so of course they want to keep that going. As a software developer, I can tell you with absolute certainty, if they really wanted to harden this proposal, they could have at this point.

    I don't think that FLoC, as it relates to targeted advertising and improving privacy, has been in development for "multiple years" has it, as least according to this?
    https://github.com/WICG/floc
Sign In or Register to comment.