62 comments

[ 2.5 ms ] story [ 126 ms ] thread
What's good for privacy in the short term will likely simply allow Google to be far more dominant and ultimately will harm rather than help privacy. Third party cookies can be easily blocked. Anything integrated deeply into chrome is going to be a lot harder to de-activate.

What's really broken is that we end up giving control over the revenue streams of millions of websites to a couple of US based companies.

Agreed.

The goal of these companies is to have end-to-end control as this gives them control and security of their revenue.

This might not be a stated goal publicly but the deeper they can take things and the more things that they can put a moat around, the more they can rely upon and grow their revenue and profits in future. I can see how each step feels like a natural increment over the prior.

I loathe the privacy impact of the way cookies have been used, but these changes merely push the same issues inside a behemoth who can capitalise upon that data in a more opaque way. This feels like a transfer of control and a land-grab on a colossal scale.

> Third party cookies can be easily blocked

My understanding is there are a minority of legitimate use cases that require them. If Chrome stops supporting them, those flows will get rewritten, and anyone not using Chrome benefits? Add to that an aggressive anti-trust action splitting Chrome from the bit of Google that sells ads (I can dream?), and this all works out fantastically well. Probably too much misplaced optimism.

I suspect what actually happens is that ad-tech companies end up using clever tricks at the CDN or server level to work around this.

What would be the business model of a Chrome separate than Google?

Google paying anyway to keep it alive through a search engine deal like Firefox? that doesn't remove the link between the two financially.

An independent Chrome could provide this cohort data to other advertisers, as they clearly think it's very valuable. Google paying to keep it the default link doesn't remove the financial link, but it doesn't need to, it needs to remove the joint strategy and management decisions.
> Anything integrated deeply into chrome is going to be a lot harder to de-activate.

There IS still the option of not using Chrome.

Yes, but with Mozilla an endangered species with funding troubles, regular lay-offs and a fragmented (and confusing) mission FireFox does not seem like it has the best of futures ahead.
the binary world of "ff vs chrome"

ff is not even second

I find it insane that the European Union doesn't really seem to care about any of this. It's a massive drain on their economy.

They only seem to talk about chip manufacturing, which only recently started in the first place.

If they only used 20M€/a (which is a fraction of investitions in R&D and minuscule compared to the subsidies for agriculture), they could hire 10 managers (or just reuse the R&D infra) and pay 190 devs at competitive salaries (for Europe!) to develop Firefox the way the developers want it to be (and let the stupid Mozilla foundation do their BS of value-adds...).
It's really interesting to see the things you can do with nation-state level funding... it just takes political will.
They’ll just make a high speed monorail version of a browser
It occurs to me that one of Google's motivations for neutering adblockers could be that something like uBlock Origin might be able to interfere with the system if it had its full capabilities. Google could easily ensure anything about their ad system bypassed blocking, but when you're looking at several antitrust investigations plus the threat of more from this you probably don't want to look like you're giving yourself special treatment. It's a bit late given how badly they've sold this, but every bit helps.
I like privacy but I don't like this development. I am afraid for the future of the web due to Googles dominance.
Seems like Google can't build other products to generate revenue, so its doubling down on advertising
Google is an ad company. Not a software company.
It's a technology company. Tech companies have been doing much more than just software for long
(comment deleted)
Quite misleading, one only needs to expand the FAANG label to see Facebook and Google the odd ones out.
And AT&T was just a phone company that invented transistors.
AT&T, as Bell Labs, was a phone company that created the first working version of the transistor, a concept invented and patented by Julius Lilienfeld twenty years earlier.
But they were at the time, a technology company. Technology isn't defined by silicon and code, but by the fact that a company grows by inventing new things. Google may be on track to becoming an advertising company, but they seem damn resistant to the idea given how many of their new businesses they're burning through to find new revenue.
10% time was an interesting idea, but have any valuable revenue generating products ever actually come out of it?
Gmail, no? G Suite brings revenue.
It doesn't look like Gmail came out of 20% time, Paul Buchheit was asked to work on it so it looks like it was an assigned project not a spare time thing, and Google Docs was an acquisition (Writely).
20% time is mostly used for side projects which aren't about coding or products anymore. But back in the day most new things Google was making came out of it.
(comment deleted)
The article doesn't offer a very good summary of Google FLoC, but I'm sure we'll be hearing much more about it in future.

> FLoC uses your browsing history to assign you to interest-based cohorts, the end result is akin to a super-tracker that is present on even more websites than Google Analytics

If they plan on using a new JavaScript API for this, as they apparently do, [0] do they really expect other browsers to implement it? I can't imagine Mozilla or Apple doing anything like this in a million years. If anything they're more likely to build countermeasures into their browsers.

> Google’s plan is to target ads against people’s general interests

I have to wonder if the double meaning here was intentional.

[0] https://github.com/WICG/floc

If Firefox and Safari implement this API but set it to return a hardcoded generic set of "interests" for everyone, that seems like a pretty good outcome to me. Chrome users can "enjoy" personalized ads and everyone else gets better privacy.

I don't object to seeing adverts, I do object to having all my personal data hoovered up by ad-brokers.

> set it to return a hardcoded generic set of "interests" for everyone

That wouldn't improve privacy over simply not supporting the protocol at all.

It would if it means advertisers use that protocol instead of devising a zillion underhanded workarounds (html5 canvas fingerprinting, proxying third-party cookies as first-party, etc.)
What if, we will have a new form of “this site works better on chrome”?

By this I mean, check if protocol returns something, else, “this site only works on chrome”.

This would effectively force, Firefox at least, to implement this protocol.

A version of this protocol with randomly generated data might be better for the user.

Thankfully, major websites know that 'Chrome only' isn't an option. Alienating all Safari users isn't something they'd be willing to consider.
> implement this API but set it to return a hardcoded generic set of "interests" for everyone

Or just let people select their own interests. There's quite a few (particularly news / media) sites I'd be fine in disabling an ad-blocker on if the ads I was served were in any way useful to me rather than bottom-of-the-barrel "one weird trick"s

Better, they could return interests that maximize revenue for the sites you visit.

I imagine a distributed machine learning algorithm could probe floc with random categories, and hill climb using the results of auctions.

sounds like a future violation of terms of service..
I don’t agree to their non-consensual tracking TOS.
Ooh, that sounds like fun! How about returning some kind of randomized set of interests, or one of various curated sets, or even adversarial ones. You could even select from several personas.
Is this going to be left out of Chromium or is it part of Chromium core?
I cannot imagine how it could be in Chromium. It's a service, not software.
If it is a service, Google will be sent all of my browsing history. That sounds like a very bad idea that hopefully will get shot down.
> Google will be sent all of my browsing history

No, the browser locally determines what cohort to assign you to (based on your browsing behavior, etc). Only the resulting cohort gets exposed to Google (or other advertisers).

So they don't get your browsing history, they get the derived conclusion that you're one of X thousand people who share a certain collection of interests.

(You may still be unhappy about that, but it's certainly not the same as exposing your browsing history.)

Yes, but then it isn't a service, it is a locally running piece of software that can be included in chromium.
Google is sent most of what people type into the location bar anyway (in real time character by character), except if they start by some prefix that makes it look like they're typing a link. Regardless of whether they have an account or hit enter.

That sounds like a much worse idea than this ad thing, yet here we are.

I tried to download a file from Google Drive with third party cookies disabled a few days ago. Drive told me to enable them and retry, because of security checks or something.
Yes, third party cookies from googleusercontent.com are actually needed to download from google drive.
Marketing companies are already side-stepping this. They already recommend (require?) customers that I work for create aliases/CNAMEs under the website domain precisely so they can plant first-party cookies on the site.
How would this enable cross site tracking?
will this get rid of the dreaded cookie popup dialog?

or is that GDPR nonsense still going to make those persist?

A solution that works in every browser and gives the user choice is hardly nonsense (also cookie law != GDPR). It's much, much better than a dominant ad company forcing through a solution that works in their browser and which users presumably can't opt out of.
3rd party !== 1st party.

Same site cookies aren't going anywhere for the foreseeable future, the vast majority of user session capability is built on the existence of cookies. 3rd party cookies only affect embedding of sites hosted on other domains, (mainly ads), which don't use cookies for user sessions but user tracking... or to use the ad industries euphemism "personalisation"

Those popups are not only necessary for cookies but for any kind of tracking that requires consent, e.g. all tracking for purposes of advertisements. So if you do browser fingerprinting instead of setting cookies, you still need that popup.

For using FloC data, if the granularity is sufficiently coarse so that a person cannot be identified by it and no specially protected groups can be identified (i.e. sexual orientation, religion, minors, etc.), then presumably using FloC data won't need that popup. But that remains to be seen, I guess it will take a few years of discussions in court until this is settled.

Letting google be in charge of this is completely insane.

Current Wild West situation isn’t great but nominating a global king to make the rules doesn’t seem much better. Especially one who’s business model is literally the biggest conflict of interest possible of all the parties you could nominate.

Won't that drive fingerprinting to become the tool for the job? Much harder to prevent.
Could someone eli5 this to me?

It seems to me that a cohortised approach is intrinsically better for privacy as a whole as you don't care about individuals but rather a group of individuals with similar interests.

If this standard is not abused / de-anonymised then surely this approach is a good thing?

So Google replaces third party cookies with FloC?

What did Safari and Firefox do when they limited third party cookies? If the answer is that they just improved privacy while not “compensating” in any other way, then why would I use chrome?

Also, when things like these happen in chrome, I assume it doesn’t happen in Chromium, ms Edge? So if we want to run a chrome-ish browser and not have FloC we’ll just run any non-Google chrome browser?