The third-party cookie is on its way out, with Google announcing in August 2019 that they would be eliminating third-party cookies from its Chrome browser over a three-month period, starting in mid-2023 and ending in late 2023. This road map has left digital advertisers, publishers, and Google themselves scrambling for an alternative.
Third-party cookies have long been tracking users' activity on the web, largely for collecting data and tracking users for online advertising purposes.
But increasing concerns from an internet savvy public have led to their demise, with Firefox and Safari already blocking third-party cookies from their browser offerings.
With third-party cookies playing an integral role in the ad tech industry, what will replace them?
Google has been looking at several new technologies that will allow targeted advertising while protecting user's anonymity. One of these has entered and completed the origin trial phase. It is called the Federated Learning of Cohorts (FLoC), and it is already facing intense scrutiny.
This article looks at the death of third-party cookies and how FLoC may operate to provide an adequate replacement for the Ad Tech industry.
The Death of Third Party Cookies
Third-party cookies have been the source of much debate in the ad tech industry, with increasing privacy concerns around ad targeting.
Cookie tracking has become more and more invasive over time. Embedded, far-reaching trackers, known as third-party cookies, are used for behavioral advertising and the ever-pervasive use of ad retargeting where users are ‘stalked’ around the net by websites they have previously interacted with.
Industry feedback has left no doubt that it is time to block third-party cookies and find a suitable alternative. This alternative needs to address privacy concerns and continue allowing online advertisers to serve the ad industry.
The federated learning of cohorts is one such alternative. However it is not without industry scrutiny. Bennett Cyphers of the Electronic Frontier Foundation has called FLoC a ‘terrible’ idea, stating:
‘The technology will avoid the privacy risks of third-party cookies, but it will create new ones in the process," writes Cyphers. "It may also exacerbate many of the worst non-privacy problems with behavioral ads, including discrimination and predatory targeting.’
Despite Cypher's scathing review, FLoC may not be as bad as it seems. Let’s look more closely at FLoC and how it plans to replace cookie-based advertising.
Google FLoC - Federated Learning of Cohorts
When Google announced its Privacy Sandbox in 2019, the initiative detailed its aim to create more privacy for web users. However, ultimately most publishers are looking to generate revenue from their sites by selling ad inventory.
The Privacy Sandbox website states that it is currently 'developing innovative, privacy-centric alternatives for key online business needs, including serving relevant ads'. One of the privacy sandbox proposals is the Federated Cohort of Learnings(FLoC).
FLoC aims to continue to give advertisers a way to target ads without exposing the details of individual users, essentially acting to replace third-party cookies.
FLoC is a proposed browser standard that will allow 'interest-based advertising on the web' while protecting user privacy. Instead of exposing a user's personal identity, users will be associated with a 'cohort' of a group of people with similar browsing habits and interests, small enough to allow ad targeting but large enough to keep an individual's identity private.
While the technical side of this new tracking technology may be quite complex, here is a basic synopsis.
Chrome browsers will use algorithms(federated learning) to create a large number of cohorts. Google Chrome then looks at an individual's general browsing history and assigns the user to a particular cohort based on their user behavior. This cohort assignment algorithm keeps a person's web history private, so ad tech vendors can never individually identify users.
When chrome users visit a website, Chrome will inform the site the user is part of cohort #123. It is then up to the website to know that cohort #123 is interested in, for example, running shoes and organic food.
Users with FLoC id #123 will be placed in a group with thousands of other marathon-running foodies with the aim to protect user data.
Chrome will not be using federated learning to provide websites with content labels for these FLoCs. Instead, it will be up to the ad tech industry to figure it out themselves.
It is also important to note that assignment to a particular cohort is not fixed but rather is continually changing to reflect browsing behavior.
“Cohorts are dynamic and will update every seven days during the initial trial.
As a person’s browsing behavior changes, their browser will assign them to a different FLoC cohort that reflects those interests.
For example, at one point, they might be in a FLoC cohort with thousands of other people who have also recently visited websites about gardening and travel overseas, and then at another point in time they could be in a group of people who have recently visited sites about art supplies and cooking.”
Cohort Eligibility – Who Can Be Tracked?
Cohorts that include a history of visiting sites with sensitive topics at a high rate will not be eligible to be advertised to. This is in line with Google’s current policy on personalized advertising, which states:
‘When employing user behavior or interest data to provide more relevant ad content, it’s important to handle that information appropriately. We recognize that certain interests are sensitive and that targeting based on them could negatively impact user experience.’
Therefore, publishers will not be able to access or advertise to cohorts who fall into the following sensitive categories:
Access to Opportunities: Ads may not limit access to opportunities based on societal biases.
Identity and Belief: Ads should not target users based on categories prone to systemic discrimination or unfair stigmas.
Sexual Interest: Ads may not target users based on their sexual preferences or experiences.
Personal Hardships: Ads should not target users based on their personal hardships or struggles.
New User Privacy Concerns
The Federated Learning of Cohorts has been designed to deliver personalized advertising while moving into a privacy-preserved future for the free and open web. However, the core design of FLoC means that new and different information will be shared with advertisers, which inevitably means new and different privacy risks.
The first privacy concern is fingerprinting. Browser fingerprinting involves gathering information from a user’s browser to create a unique, stable identifier for that browser. Essentially the more ways a browser looks or acts differently, the more identifiable it becomes. This digital fingerprint includes a whole host of sensitive data, including the user’s browser, their hardware setup, and the location of websites they are visiting. It also includes seemingly insignificant data that is collected by tracking scripts, such as screen resolution and fonts. This information is then stitched together to create a user’s unique fingerprint.
While Google has stated that users will be placed in cohorts made up of thousands of people- hence protecting their privacy- in reality, fingerprinters will actually be more likely to identify users than ever before.
This is because, in theoretic terms, FLoC cohorts will contain several bits of entropy—up to 8 bits, in Google’s proof of concept trial. As this information is unlikely to be correlated with other information that the browser exposes, it will seemingly be far easier for trackers to put together a unique fingerprint for FLoC users.
While Google has acknowledged this risk, it has pledged to solve it as part of the broader “Privacy Budget” plan it has to deal with fingerprinting long-term. However, it is well known that mitigating fingerprinting generally involves restricting unnecessary sources of entropy. Considering that’s what FLoC is, there are concerns from privacy advocates and industry specialists alike that Google should deal with existing fingerprinting risks before introducing any new ones into the web ecosystem.
The second privacy concern concerning FLoC is a little more complex. FLoC enabled browsers will share new personal user data with trackers who are already able to identify that user. For FLoC to be of use to advertisers, it must reveal a certain amount of information about user cohort behavior.
The FLoC project’s GitHub page makes no secret of this stating upfront:
This API democratizes access to some information about an individual’s general browsing history (and thus, general interests) to any site that opts into it. … Sites that know a person’s PII (e.g., when people sign in using their email address) could record and reveal their cohort. This means that information about an individual's interests may eventually become public.
So while a cohort itself won’t work as an individual identifier, any company that can identify users in another way- through a ‘Login in With Facebook’ option, for example- will be able to tie the information it learns from FLoC to a user’s profile.
Two types of information can be exposed in this way:
- Trackers may be able to reverse engineer the cohort algorithm to determine that a user probably or definitely visited specific sites.
- General information about demographics
What it Means for Ad Tech Companies
The initial FLoC origin trials quietly finished their testing phase in mid-July 2021, with Google senior software engineer Josh Karlin announcing on the Chromium’s Blink Developers group forum:
“We’ve decided not to extend this initial Origin Trial. Instead, we’re hard at work on improving FLoC to incorporate the feedback we’ve heard from the community before advancing to further ecosystem testing.”
Further to this, Google does not intend to disclose any of the private feedback the company received during FLoC’s origin trial, leaving ad tech companies largely in the dark as to where and when they will be able to implement FLoC.
This is no doubt, in part, due to pushback from privacy advocates such as the Electronic Frontier Foundation and the makers of the Brave browser, who have expressed concerns about FLoC as an effective way to replace third-party cookies. In fact, many such companies want targeted ads removed from the ecosystem altogether.
Amazon, Drupal, DuckDuckGo, Firefox, GitHub, Joomla, and Vivaldi have also chosen to block FLoC- as it currently stands- by default.
WordPress VIP also recently chimed in with their hesitations:
‘FLoC has its plus points. But it isn’t as privacy-focused as we would like, and can lead to discriminatory practices, as described above. Then there’s the concern of letting Google dominate yet another aspect of tech. Google also plans to charge any third-party tracking company for use of any of the data it has collected.’
At this stage, it appears that the only major platform that is currently on board with FLoC is Twitter, who recently referenced it in their source code.
This may well explain why Google has pushed out the death of third-party cookies from the originally proposed 2022 to 2023.
While there are certainly some refinements to be made to FLoC, it may still have its moment of glory, with Google stating that early trials show promising results for ad platforms looking to replace their targeting system.
Publishers and advertisers looking to prepare themselves for the ‘Cookie Apocalypse’ as it has become known in the industry should remind themselves that while third-party cookies are crumbling, first-party cookies are not. Therefore, first-party data has never been more valuable.
Advertisers should be looking to collect as much first-party information from users’ browsers as possible.
Google themselves has recommended that publishers should ensure all websites are tagged with the Google Ads universal tag.
Are you a publisher looking to get a jump on the ‘Cookie Apocalypse?’ At Publift, we are at the forefront of the latest advertising technologies. Contact us today to get started.