Privacy Analysis of FLoC (blog.mozilla.org)
288 points by jonchang 10 days ago | 164 comments

Ongoing related thread: Ad tech firms test ways to connect Google’s FLoC to other data - https://news.ycombinator.com/item?id=27459247 - June 2021 (183 comments)

What bothers me the most about FLOC is that there is no reason or advantage for me as a user to run it unless I'm forced to. Cookies, even if they get hijacked for tracking, are genuinely useful to persist state and having them on results in a better experience. Even in the case of something more invasive like DRM/EME, I might want to turn it on in exchange to be able to watch some new show on a streaming service. Turning on FLOC brings nothing to the user in return and feels like charity towards advertisers.

I like personalized ads. If I have to suffer with ads to support the websites I like, I'd rather have them personalized. Instagram is really good at this -- I probably click on at least 1/4 of the ads I get, and have definitely made purchases based on Instagram ads.

So as a user, the benefit would be better ads. Honestly I'll probably leave FLOC on if given the option (although I use Firefox and Safari, and as far as I know neither will really support it).

FWIW, I am "personally" sick of the Internet reminding me of the thing I already bought yesterday, along with doubling down on ads for things I only engage with because I want to show my friends how stupid the ad/product is, which seems to be the state of the art of "personalized" Internet ads. I would honestly get more value--if I am forced to see ads--out of less personalized ads.

https://m.youtube.com/watch?v=KbKdKcGJ4tM <- best commentary on ads ever

"This person bought a vacuum cleaner yesterday, they will probably want to buy another tomorrow" is what personalised ads are.

I wanted to check the price of the cheapest SSD price I could find on Amazon, and I've been getting sale notifications of cheap-ass 64GB SSD since. Of course these advanced AIs are not so intelligent to see that I've bought multiple 1TB and 2TB SSDs lately or hundreds of different products, but it has decided I'm actually interested in crappy disk drives instead.

Yeah :/.

It should be "this person bought a vacuum cleaner today, so let's wait two months and start showing them ads for vacuum cleaner bags" or "maybe they are buying equipment for a new apartment, so maybe they would also like a toaster oven and a lamp".

Like, imagine you had an actual salesman--a good one, as opposed to the "targeted salesman" from the video--who you bought all your stuff through and who was excited to make commissions off of you. They would never waste your time or attention or trust asking you to buy a second vacuum cleaner.

If someone buys a treadmill, they probably don't want a second one, but maybe they now want some free weights. The current algorithms are just so stupid... like, I almost appreciate the premise that if you had an "actual AI" helping find you stuff to buy that could be fun, but what we have is just wasting everyone's time.

This seems like sloppy ML, there are sub-fields that deal with sequences and time series and would be great at modelling such complex interactions. Language models do something like that.

My bet is that all the fancy ML is useless because the sellers are not adapted to the buyers. They want to sell X and buyers need/want to buy Y. If they used proper targeting they would reach a much smaller audience.

So they have an order to show 1000 crappy flash drive ads, but you only want to buy other things - what are they going to do? Skip you? No, that's money lost. They will show you the ad even if it is ineffective. Greed explains the bad targeting.

If FLoC ends up working — right now it seems to have several deficiencies — that kind of personalized tracking would presumably stop. If your individual purchases can't be linked to your cohort group, you'd only get the interest-based cohort ads, not the follow-you-around-forever-with-your-existing-purchases ads.

I agree with the OP that I like Instagram's personalized ads and have bought many things through them. (FWIW I used to work at IG — on messaging, not on ads — but I felt this way even before I worked there, and I continue to feel this way after leaving.) Everyone else seems to suck at it though and just do the "show me what I bought yesterday" type of advertising, which is far more annoying than just picking a product to advertise at random.

Maybe a working FLoC would be better than the cookie-based ultra "personalized" ads that most companies use? If it stops the annoying persistent yesterday's-shopping-cart around the internet, at least, it would be an improvement.

We have centuries of evidence that unpersonalized ads are both the best for brands (if you aren't preaching to the choir you are opening the door widest for expanding your buying audience) and individuals (discovering things that you didn't know you needed, discovering things that other people in your life might need but aren't directly relevant to you, avoiding the mental health detriments of how the more targeted an ad becomes the more likely it uses psychological tricks to manipulate you [all advertising is manipulation; but the amount of manipulation you can get away with in a general ad is very different than what we are seeing in targeted ads], etc).

The only people really benefitting from targeted ads are the companies making the ad tech (including and especially Google) making billions of dollars from "platforms" that do way too much to prop up "metrics" that mean way too little in practice (but are great for creating fancy invoices to charge just about whatever you want to the rubes [sorry, advertisers]).

(I've been taking a lot of steps to opt out of personalized ads, without outright running ad blockers, though these days a lot of sites now believe Firefox to be an ad blocker, and the ads are better unpersonalized. It's just amazing that so much of our culture on either side of the ad tech "platforms" has been sold such a bill of goods to think that personalized ads are doing anything but sucking money out of good companies into at the very least morally gray if not unethical ones.)

That was indeed brilliant!

Interesting. I just dislike ads altogether. Especially Instagram feels very manipulative. So far nothing we have bought based on Instagram or Facebook ads has been useful in the long run.

Personally I prefer to either have a need for something (I want to solve problem X) and do some research based off of that. Or I share an experience with a friend where they make a recommendation.

Funniest Facebook ad by the way: I work for <employer> and my partner gets ads for <products of employer> on Facebook.

I dislike ads too. I'd rather just pay to use the sites. But I also understand not everyone can afford that. The ads are there for them.

So examples of things that I've bought from Instagram ads: The most recent Pride lego set. I would have never known it existed, but I'm glad I know now, because I want to give my kids something fun to build that sparks a conversation about Pride and what it means and why it's important.

The comma2 (autopilot for my Honda van). I knew OpenPilot existed, but until I saw that ad, I didn't know there was a product I could buy with it already installed. I liked the idea but didn't have time to get it all set up on my own. The existence of a commercial product vastly improved my life. I've already used it for over 1000 miles of self driving in just a couple weeks. It's a night and day difference when driving. I suppose I would have eventually heard about the product, but I'm glad I heard about it when I did.

Are there many people who can't afford to pay for a pageview but can afford the product being advertised on that page?

No, but that's the whole point of ads. They're like a progressive tax system. Also some ads are awareness campaigns. Like you see a bunch of ads for Coke and then subconsciously when you want a soda you grab a Coke.

Of course they exist. It is often said that some people who often buy $5 coffee don't sign up for a $10 web subscription or app. Also, we can't sign up for every paid subscription. I wish the latter were solved by micropayments or combined subscriptions.

Thank you for mentioning the comma2. I also knew about OpenPilot but didn't realize there was a commercial product where most things are ready to go. I checked it out and am thinking about getting one now.

Advertising is linked to depression, body dysmorphic disorders like anorexia, and numerous other adverse mental conditions. The advertising industry has a whole lot of blood on their hands. This is an industry that doesn't think twice about exploiting people's feelings of vulnerability or isolation to help sell products. The more vulnerable the demographic, the more abusive the advertising industry gets. Just look at the shit they subject teenagers to; almost all the advertising to teenagers is focused on how buying [product] will make the teenager like the popular and attractive models being used to shill the product.

Do you have a source (or more than one :) ) for that first statement? I believe it intuitively but would like to know if it's actually true.

On the plus side it gives free information to billions of people, now everyone can have free gps maps, email, websites

It’s not free if you’re paying with your health.

How is your health affected?

>On the plus side it gives free information to billions of people, now everyone can have free gps maps, email, websites

We've had that all along; for free. Nothing in this list is thanks to advertising.

Really? I remember people buying Satnavs and maps, and paying for email and hosting

I like Good Ads. Non Invasive, Non Repetitive, Good / High Quality / Personalised ad. And preferably not slowing down the site.

Ads are also like news in a sense. And News is the most addictive form of media. You find new product, services, or announcement from Ads.

The problem is the quality of Digital / Online ads are generally quite low.

> So far nothing we have bought based on Instagram or Facebook ads has been useful in the long run.

Why do you buy things you don't need just because you see an ad?

Well the ad has had its effect.

Hey this seems like an interesting appliance, tech gadget, item for camping or toy for a child. And then after some use and the novelty wore off it isn’t really that useful anymore.

I can see why entirely unrelated ads could be seen as a bad thing... but the problem with FLoC - or really any ads personalization - is that it's fundamentally based upon a privacy violation. Ergo, even if the data is only being used to serve more relevant advertising, you're still trusting some process or third-party not to use your data for more nefarious purposes.

FLoC is not immune to this: it relies on the device being able to track users and then provide advertisers "blurry" access to that tracked data. The problem is that we already have plenty of other tracking mechanisms that we can't reasonably restrict and that will interfere with the privacy protections built into FLoC. You will always be able to fingerprint and FLoC will always provide some fingerprintable entropy.

Even if FLoC was trustworthy enough to do what it claims, your interest cohorts alone can reveal your secrets. There's the classic example of Target knowing a woman was pregnant before her father was, for example. Yes, Google is going to try and filter out sensitive interests in cohorts, but that's an additional layer of trust you can't control. What if Google's definition of sensitive interest differs from yours?

They give you cohort ID 0 branding you as someone with sensitive issues. That's just another way of disclosing information about us.

I don't mind ads if they're not intrusive or even useful.

HN has ads, in the form of job listings for YC companies. They don't bother me in the slightest, and if i lived in the US they might even provide value to me.

The hundreds or thousands of ads i'd see if i'd surf without an adblocker do not.

Maybe you do have a product i'm interested in and don't know about. But there's not hundreds of things i'm going to buy every month.

If it was like: here's 5 products we think might be highly relevant to you every month. Sure, sign me up.

But it's (almost) never that. Most of the time the entity selling ad slots realizes, hey, if we sell more ad slots, we make more money. So they keep pushing the button to get a reward. Until they die because they overdosed on ads.

I tend to agree, although I hate ads on principle.

But there are a lot of things I hate and don't have to think about. I don't go around protesting the war because in my country that's not something I have to care about, for example.

But advertisers made me have to care. If I didn't have adblock, I'd be running JS from some unverified third party on every other site. Couldn't they restrict it to pictures? Of course not.

So now I have to care, and I'm not going to cooperate with advertisers, who - before adblock got so mainstream - were content to serve us literal viruses as long as someone paid them.

HN has ads, but don't I have to go searching for them to find them? I think it's Stack Overflow's ad model too. We'll curate a group of readers that are appealing to people seeking jobs, put up a "jobs" tab, and charge companies to list openings.

Nope, they're injected into the frontpage sometimes. It's the entries without an upvote button and comment page.

Ah, I see them now. That is a well done ad system. They even get around a default ad blocker.

Idea: Send ads to jedberg but not everyone.

The problem with ads, no matter how "personalised", is that they are sent to everyone by default. Almost no one changes defaults. Often there is not even an option to opt-out. Whether two users got the same or different ads ("personalisation") is not the issue. The issue is that they were sent ads when they did not consciously request them.

Thus, the fact that jedberg likes ads is not an argument for sending ads to everyone. In the same way that if some user dislikes ads it is not an argument to stop sending ads to jedberg.

Users are not being given a choice. When they are given a choice, e.g., to reject tracking on their smartphones, the result can be a decision that the online advertising industry dislikes.

Tech company employees can call themselves users, but there is a serious bias and conflict of interest that other users being subjected to ads do not have.

What if we just send ads to tech company employees. The tech worker cohort. They will not complain because they believe ads are "necessary". Problem solved.

>>> I like personalized ads.


no, seriously, why?

"Personalized" ads creep me out, and I really don't understand how people can tolerate a banner like "We know you bought Some Thing from amazon so we think you would like to purchase Related Thing from us" and not freak out

There are different levels of personalization. I won't be okay with something based on my search/purchasing/location history, psychological profile, personal details etc. But I would be okay with something targeted at my age, gender, and the content of the page I'm visiting.

Better ads isn't a product I have much interest in. I have very much literally never seen a targeted ad I like or even found useful. This sounds like Google employee speak to me.

I don’t work for Google, but I don’t mind ads for guitars and synthesizers :-)

HN is the only place on the internet I've seen people expound their love for personalized advertising.

I don't mind the concept of ads. I didn't really mind early ads on the web. They were a lot like magazine ads, the website owners would run ads in the same broad interest category as their site. Then early AdTech happened and went fucking insane. Google's early text ads, before the DoubleClick reverse takeover, were a sane reaction to insane web ads. Google's ads too went insane.

Now ads aren't just ads but crazy tracking mechanisms. Because of the opaque system of ad brokers they're also a malware vector because no one vets anything because money. They also very helpfully push me towards monthly data caps by loading megabytes of extra scripts on every page load and things like auto-playing videos.

So while I don't mind advertising conceptually, fuck ads and AdTech. I do everything possible to block ads just to make browsing usable, to say nothing of privacy or malware. I just hit the good ol' Back button whenever I get a "disable your adblocker" message. Disabling ad blocking doesn't just mean I see ads, it means I can barely read a web page and have to run megabytes of scripts that do who knows what.

Exactly that. If ads were like they were back in the early days I wouldn't feel forced to run an adblocker to protect myself from the malware they've become.

Definitely agree. Blocked ads since 2003 or so, when they started going crazy. I even remember the name of the site I used for CSS ad blocking - https://www.gozer.org/mozilla/ad_blocking/

> They were a lot like magazine ads, the website owners would run ads in the same broad interest category as their site.

Funnily enough, this is targeted advertising. Before the current shitshow, ads were targeted, then came tracking and they became targeted in a different manner. Now we block trackers and people decry "but how will they target ads?!". Well, the same way they did before.


There's an interesting article regarding behavioral observations on personalized advertisements, though it's in Korean. Summary for those who don't want to use a translator (KR to EN performance is typically bad):

  * Generation Z's reaction to ad personalization categories (from Google and FB) is somewhat positive in that they don't really care about its creepiness but think of more accurate categorization of each personality as a better thing. The report thinks that they consider it more of a utility rather than just a privacy invasion.
  * More interestingly, sometimes they "guide" ad targeting systems to show information that matches their interests to save their efforts on searching for perfect matches. Honestly, I was super surprised since I haven't thought about this kind of usage even though I'm working on ads.
  * Some of them (though the tone indicates that it's not the majority?) do not skip video ads, to "pay" a subscription fee for creators whom they want to support. I saw some similar cases even in the US though.
  * Sometimes they're actively looking for explicitly sponsored reviews, which are actually ads. It's because they sometimes decide to buy specific products before watching their ads. This inversion of causality seems very odd to me, but the rationale is that they just want to better understand the product and don't care whether it's an ad or not.

It's written by a marketer who seems to be negative about personalized ads and genuinely surprised by these observations. Honestly... I still cannot get this but yeah, it seems there are some people who consider personalized ads as a tool.

I hate ads. They hijack my attention and they promote things for the companies that have the most money to spend on screaming at me about their products. I wish the advertising industry simply disappeared.

In fact if I had three wishes they would be 1. End poverty and allow everyone in the world to pursue their dreams while still being able to live acceptably well. 2. Make it impossible for anyone to amass more than some to-be-determined ceiling amount of times more money than everyone else. 3. Make advertising simply stop existing - everyone forgets what it is and it is never invented again.

I second those wishes :)

It’s not surprising considering that employees and founders of ad funded companies hang out here. In this case, jedberg (correct me if I’m wrong) was an early employee at Reddit, which is almost entirely ad funded.

I’m not saying he’s being malicious - he probably genuinely believes he likes personalized ads. The “self” or “ego” is a very tricky thing. It can rationalize almost anything to maintain its world view. Everyone likes to think they’re doing good in the world. When faced with the fact that may not be the case, it’s natural to rationalize it away. It takes an extreme level of awareness to be objectively neutral whenever your “self” is involved.

I'm sure there are some forums where people who sell ads like them too. :)

But what can I say, I'm a realist. I spent a lot of years working on a website supported by advertising. I understand not everyone will or can pay for the websites they enjoy, and advertising is a good second option.

And if we're going to have to live in a world with ad supported websites, I'd rather those ads be good.

You're defining "good" here to mean "effective at manipulating me to spend money", which is strange! I'd rather not be manipulated into buying things I didn't realize would finally fill the gaping hole inside my soul until two seconds ago. Would be perfectly content seeing ads for, I don't know, farm equipment until I happily perish of old age never once experiencing the fomo of not possessing a theragun.

I'm defining good as "informing of things I didn't know existed". I consider advertising just another news channel.

Copying from my comment above, here are some examples of things I've bought. I like trying out new things because I can afford it, but I don't always have time to go out and look for them.

So examples of things that I've bought from Instagram ads:

The comma2 (autopilot for my Honda van). I knew OpenPilot existed, but until I saw that ad, I didn't know there was a product I could buy with it already installed. I liked the idea but didn't have time to get it all set up on my own. The existence of a commercial product vastly improved my life. I've already used it for over 1000 miles of self driving in just a couple weeks. It's a night and day difference when driving. I suppose I would have eventually heard about the product, but I'm glad I heard about it when I did.

The most recent Pride lego set. I would have never known it existed, but I'm glad I know now, because I want to give my kids something fun to build that sparks a conversation about Pride and what it means and why it's important.

The end doesn’t justify the means. Finding out about some cool stuff doesn’t justify the insane amount of collection of one's personal data by hundreds of companies in a manner which is basically impossible for a person to reasonably prevent.

And if they could do it without gathering that much personal data? Isn't that what FLOC is trying to do?

That's what FLoC is trying and failing to do according to basically every analysis, including this one. Ads can exist without having to be based on users' personal data, as they were for 100+ years before (even on the internet itself, they used to be based on the content of the site rather than users' personal data)

An internet with no ads will have much less content.

Most content is being produced by end users that are paid nothing. In the early days of the internet, when there was no advertising, there was plenty of content. But what made the internet truly exciting was not the "content" but the potential ability to communicate and share with people anywhere in the world without expensive telephone calls or slow postal service. Think of the internet not as a "destination" but as a medium. It is a way to reach someone, like a telephone line, but with much greater capabilities. (Originally, that is how we accessed it, over telephone lines.) The internet is not a collection of popular websites run by companies that spy on you for the purposes of online advertising. They are just middlemen exploiting that desire of users to connect with each other. They sit in the middle and spy on everything. The internet is a medium, not a collection of middlemen. When you remove the ads, the "business model" of the middlemen disappears, and the incentive for spying is reduced.

True but probably a lot better content. It would disincentivise clickbait.

Imagine a world where OpenStreetMap is financially sustainable but Google maps were not. That's where we would be without ads, and it's beautiful.

That's a false dichotomy. You can have ads without tracking user activity; for example, contextual ads.

OK, so someone has "my data", ie a partial list of websites I may have visited. Now what? What harm has been caused to me?

It'd just be nice to have a little more control, for starters. So advertisers try to figure out what we want by what websites we visit and are not too good at it. They could also just ... ask? I'd like to have an ad service that I can tell what I'm actually interested in these days, and that forces the companies to provide lots of information about the product they are advertising for (documentation and stuff). So if I see an interesting ad, I can easily find out if it's actually something I want. And money only flows if I actually buy something, affiliate-link style.

Unfortunately asking users doesn't usually work out well. My favorite example is from Netflix. They asked users, "What movie needs to be on the service for you to consider it a good service with good movies that you would want to see repeatedly". A lot of people answered "Schindler's list". But when you looked at those same users' actual viewing, they never once watched Schindler's list, but they watch Jackass multiple times. So what they really wanted was Jackass, but either were too ashamed to admit it, or didn't actually understand their own preferences.

FWIW, I feel like a good restaurant serves wine. I don't drink wine, but if your restaurant doesn't serve it, and I am tasked with choosing between two restaurants based on some quick glance at their menu sections and photos of their interior (as of course I am not informed about either: I am supposed to come up with some quick heuristic), it might not matter if you have the world's best hamburger (what I am actually going to order at your fancy restaurant, along with a glass of plain soda water, as I am a philistine). So I dunno: that could still be consistent, given the question phrased the way you did.

That may be true but what the advertisers do doesn't work well at all either.

Yeah the difference between the things we know we should want, and the things we actually want in the moment. It's incredible in how many ways the brain can be annoying ;-)

But then it seems the problem is not ads, but the gaping holes in people's souls?

The ads are opening those holes. It doesn't take long for them to close again, but by that time you've decided to buy the thing.

I strongly believe that gaping holes did exist in people's souls waaaay before ads were invented.

Don't know, though ... when I asked the all-knowing internet if "gaping holes did exist in people's souls before ads were invented", the first search result is a link to the Harry Potter Fandom-Wiki article about Dementors:

"Dementors are among the foulest creatures that walk this earth. They infest the darkest, filthiest places, they glory in decay and despair, they drain peace, hope, and happiness out of the air around them... Get too near a Dementor and every good feeling, every happy memory will be sucked out of you. If it can, the Dementor will feed on you long enough to reduce you to something like itself... soulless and evil. You will be left with nothing but the worst experiences of your life."

It's more of a hierarchy, to me. I prefer no ads, but I'd rather have personalized ones than the raunchy shlock they serve you if you're a "nobody".

I understand the reasoning, but I prefer schlock versus the cross-site data required to serve me personalized ads.

With the internet at our disposal I don't understand why anyone would ever click on an ad. If you need or want something, a quick search on even the worst search engine is outrageously more informative.

Personalised ads imply data collection, privacy violations and tracking across websites. That doesn't sound like a good deal. Especially as personalised ads are just as annoying and unhelpful because the algorithms are simply useless. No, when I bought a game I don't want to buy the Collector's Edition one day later. And that won't change over the 3 months I'm getting the same stupid recommendation. Might as well show me literally a random product, I'd be more likely to buy it.

Why not install an ad blocker and have no ads then?

I used to like the idea many years ago (think 10-15 or so) since if i'm going to see ads might as well have them be about stuff that interest me - which can actually be useful now and then.

But the thing is, what i wanted was for Google to let me actually choose what sort of ads i see, not try to guess.

Nowadays i just use an adblocker.

I mean there are only a few on HN who dare to post this contrarian view. 99.98% of people on HN still hate Ads. To the point they want to cancel people working on Google Ads or in Adtech industry.

99% of nerds hate ads, but 99% of consumers aren't nerds.

Is there any research on people's preferences in this regard?

It helps that that's where the money comes from.

I don't understand this. If you want personalized ads, wouldn't you rather subscribe to consumer newsletters, that you can specifically tailor to your interest and are working for you and showing genuine reviews, rather than ads sold to the highest bidder and that try to manipulate you?

Additionally why do you want to view those recommendations while you are actively trying to do something else?

I do subscribe to newsletters and I don't want to see those recommendations while I'm doing something else.

But sites are gonna run ads. And if my choice is unpersonalized ad or personalized, I'd rather it be personalized.

> If I have to suffer with ads to support the websites I like

You don't. Use an adblocker and be done with them.

And then how is the website jedberg likes supported?

That's the website's problem, not jedberg's.

If they can come up with an unintrusive and frictionless way for me to support them financially, and I think their service is worth supporting, I'll do so.

The problem is that the advertising business model is forced upon users. It's like the sleazy salesman holding the service hostage, and the only way to use it is to agree to be exploited and manipulated.

To hell with that nonsense. Either come up with a business model that respects your users, or close up shop as far as I'm concerned.

>And then how is the website jedberg likes supported?

What a bizarre argument; the implication that advertising is the sole method of remuneration and sourcing support for some venture is the responsibility of anyone besides the venture. The idea just reeks of entitlement.

The author works on ads, so I can't say I'm surprised.

I agree. I like personalized ads. Where I'm bothered is when they're "too" personalized.

Like I buy an oven, why are you showing me ovens? Stop overfitting. Just know that I'm an active nerd and advertise me active nerd stuff.

Interesting. I really like(d) to be included in the bigger picture. What goods there are and how they are advertised is part of our culture (as is the quality part of advertising in itself). Being cut from most of it (to see the same over and over again, things I usually made up my mind on long ago) hurts.

> I probably click on at least 1/4 of the ads I get, and have definitely made purchases based on Instagram ads.

In an anonymized (or not) way, can you tell me something you found via an Instagram ad that you were not aware existed and then purchased?

Copying from my comment above, here are some examples of things I've bought. I like trying out new things because I can afford it, but I don't always have time to go out and look for them.

So examples of things that I've bought from Instagram ads:

The comma2 (autopilot for my Honda van). I knew OpenPilot existed, but until I saw that ad, I didn't know there was a product I could buy with it already installed. I liked the idea but didn't have time to get it all set up on my own. The existence of a commercial product vastly improved my life. I've already used it for over 1000 miles of self driving in just a couple weeks. It's a night and day difference when driving. I suppose I would have eventually heard about the product, but I'm glad I heard about it when I did.

The most recent Pride lego set. I would have never known it existed, but I'm glad I know now, because I want to give my kids something fun to build that sparks a conversation about Pride and what it means and why it's important.

I am kind of amazed, because you are the first person I've interacted with who (a) claims to like personalized ads and (b) has actually answered that question. Those are interesting. I understand the Pride Lego set being an ad, but the comma2 was?

Do you know why the comma2 was advertised to you?

Why wouldn’t the comma2 have an ad? It’s a commercial product.

No idea why it was matched to me, but it worked.

I'm surprised that comma2 would assume anyone interested in their product wouldn't have ad blockers. Or that anyone would want to context switch to looking into it from Instagram.

I would have assumed ads for comma2 to revolve around sponsored content on various DIY/hacker sites. But I am not a good marketer, nor do I pretend to be (I do recognize its value and wish I was, but I just don't get it.)

I suppose comma2 doesn't pay for blocked ads. So that is less surprising on reflection.

> feels like a charity towards advertisers.

This. FLoC has no value proposition for end users.

Your position regarding cookies lumps two categories of cookies together. Cross-site cookies, and same-site cookies. Tracking isn’t exclusive to cross-site cookies, but the effectiveness (and invasiveness) of tracking is orders of magnitude more effective with cross site cookies. With the near-elimination of cross-site cookies, it turns out you can have your useful client side state and eat it too.

> Turning on FLOC brings nothing to the user in return and feels like charity towards advertisers.

I would call it a charity to the site owner whose (presumably) free content you're consuming. What it brings to the user is the ability of the site owner to continue making content.

FLoC isn't needed to show ads any more than cookies are. If we hadn't gotten everyone used to the gravy of personalized ads, this wouldn't be an issue. But going back to placing ads based on, say, the website or the expected audience in general is like getting the camel out of the tent[0].

[0]: The Camel's Nose - https://en.wikipedia.org/wiki/Camel%27s_nose

Isn’t the DRM comparison exactly right, though? Improving ad targeting enables an ad-supported online ecosystem.

Admittedly, there’s a tragedy of the commons issue: I have no individual incentive to enable FLOC. But, similarly to your DRM example, at some point publishers could require it, no?

> at some point publishers could require it, no?

They could. However, they wouldn't have a way of enforcing that you play along and don't have a separate floc ID for every site you visit.

AFAIK, FLoC is only for third-party cookies, which don't really add any value these days other than tracking you across websites.

Which means that the most likely outcome is that Google won't let Chrome users disable it, or they'll hide it behind some dark patterns, re-enable it after every update, etc.

"because FLoC IDs are the same across all sites, they become a shared key to which trackers can associate data from external sources"

"FLoC leaks more information than you want"

"The end result here is that any site will be able to learn a lot about you with far less effort than they would need to expend today."

Hmm. From someone (Firefox Team CTO) that probably knows this space well.

It's really a genius level move by Google here. Get rid of the cookie, implement your own solution, make it seem somewhat unique and rely on other data to identify users and claim impunity since it's nothing to do with them.

So how about this, Google must not, and cannot implement FLOC without it being a cross-browser standard; that is to say if any one of Microsoft, Apple or Mozilla veto FLOC, it's dead.

This is how standards are supposed to work. Google should not be given the power to make a thing (like AMP) and just force it upon everyone.

We MUST start regulating Google's every product development, I'd rather it get held up for a year in court before it sees the light of day.

Google has zero incentive to adhere to any standards because they already own the majority of the browser market.

The fact that Google is an ad provider and a browser vendor and trying to implement a browser-level tracking API is very alarming.

As mentioned in the Mozilla analysis, Google is also saying that they're who determines which sites are considered "protected" categories... which is the cherry on top of all of this nonsense.

I'd really like to understand how someone working on this thinks that it improves the web for everyone... not just Google.

> Google must not, and cannot implement FLOC without it being a cross-browser standard; that is to say if any one of Microsoft, Apple or Mozilla veto FLOC, it's dead. This is how standards are supposed to work.

This isn't how internet standards work, or how they have ever worked. Take the development of HTTP/2:

[2009] Google researches how HTTP could be improved and develops SPDY: https://blog.chromium.org/2009/11/2x-faster-web.html https://dev.chromium.org/spdy/spdy-whitepaper

[2010] Chrome implements SPDY, and they start gathering real world performance data.

[2011] Several rounds of iteration to make it faster, more reliable, and fix bugs.

[2012] Major websites built out support, Firefox adds support, the process of standardizing it with the IETF begins: https://datatracker.ietf.org/doc/html/draft-mbelshe-httpbis-...

[2013] More and more sites build support, CDNs enable it by default

[2014] Safari adds support.

[2015] Standardized as HTTP/2: https://datatracker.ietf.org/doc/html/rfc7540

Standardization follows cross browser support, and cross browser support follows single browser support.

This is the path FLoC is following: it's currently incubated under the WICG (https://github.com/WICG/floc) and Chrome is developing it. Other browsers are paying attention and evaluating: that's what this Mozilla article is about. If at some point we get to a version that other browsers are happy with and choose to implement, then it could potentially be standardized.

(Disclosure: I work on ads at Google, speaking only for myself)

> So how about this, Google must not, and cannot implement FLOC without it being a cross-browser standard; that is to say if any one of Microsoft, Apple or Mozilla veto FLOC, it's dead.

Google couldn't care less about "cross-browser standards". They've been ramming Google-designed and Google-authored "standards" through standards bodies for years now, and increasingly disregard any objections from other browser implementors. And, sadly, there are only two browser implementors left that have any relevance: Safari and Firefox.

FLoC: micro market segmentation. Profiles versus data.

It requires only 33 bits to uniquely identify an individual [0].

I would be interested to learn whether FLoC employed k-anonymity measures, and their report on it.

If I am retired, female, live in the 830* zip3, and own a sedan, it is probably hard to identify me. Add that I am Korean and am searching for thyroid cancer treatments on Tuesday at 8:43AM local, then I am way more identifiable. I don't understand how FLoC works, and how it gets around this type of intrusion.

The only solution I am aware of is to dramatically limit the category depth. But that sort of defeats the purpose of micro market segmentation. And that's a good thing, IMO.

[0] https://www.eff.org/deeplinks/2010/01/primer-information-the...

The article you linked relies on low-precision guessing that only reduces the entropy in the system, but doesn't eliminate it. No reasonable jury would consider their 33 bits to be "uniquely identifiable".

Remember that's 33 bits right now. You can be represented, uniquely, by 33 chained 0s and 1s as a GUID with no loss of fidelity. Add to that ongoing observation over time compared to a FLoC profile and the FLoC profile is a huge boon to the bit increase.

Think OutBrain a few years ago, who were egregiously intent on serving certain clickbait to certain consumer sets. With FLoC, your winnowing and funnel becomes much easier (rather than serving rotten banana ads with just one trick, you KNOW your consumer has a propensity for Dunkin Donuts and you can increase your ad coverage). Everyone wins but the product -- your eyeballs.

Plenty of places don't have that requirement, and bias goes a long way beyond that. But more to the point, why should Google, etc, get to know that about you?

I'm worried the Floc fingerprint will be used to censure content from certain parts of the public. Will sites define lists of undesirables? Floc discrimination made easy? It can be used like the yellow badges.

> searching for thyroid cancer treatments

Subtle note, this would probably fall under the "sensitive topics" category discussed and not be tracked, but insert niche hobby here and your point still stands

Though the categories are defined [1], how does the browser determine a site falls into one of these categories?

[1] https://support.google.com/adspolicy/answer/143465?hl=en

It's not a secret, the whitepaper and proposed algorithm are linked in TFA: https://docs.google.com/a/google.com/viewer?a=v&pid=sites&sr...

If you don't understand how FLOC works, then maybe you should look into how it works before commenting? FLoC was designed with K-anonymity as their main goal and measure from the ground up, and the results of their trials are publicly available: https://www.chromium.org/Home/chromium-privacy/privacy-sandb...

If you peel away the buzzwords, FLOC is basically just your browser tracking you, and telling advertisers which ads you are most likely to click on. Google claims to do this in a way that preserves your privacy, but ultimately these are empty promises. There is no way to spy on people without being creepy. Many (most?) people don't want to be tracked at all, "privately" or not.

It's such a pity that online advertising has turned in this direction. It started out so well intentioned! Search ads showed ads related to your search, Google adwords showed ads related to the content of the page you viewed. No invasive tracking necessary!

And now we have come to this. Tracking everyone everywhere has become so pervasive that an operating system vendor has just announced this week that they are building a first party VPN into the OS in a desperate attempt to reduce this ubiquitous tracking...

> There is no way to spy on people without being creepy.

What "creepy" is, is an entirely subjective opinion that changes from person to person. I'd say there are totally ways.

When I go to a grocery store and swipe that card for a discount, I know it's just being used to correlate purchases and track me, but I don't view it as creepy at all. All they got from me was my payment information, but they literally already have that, they get that every time I swipe my credit card anyway. So what is creepy about me explicitly acknowledging I'm being tracked in a reasonable way when I'm in their store?

> I know it's just being used to correlate purchases and track me, but I don't view it as creepy at all.

The creepy part is when people do things without telling you. That stores keep a record of your purchases when you swipe the card is probably not creepy. I'd assume most people assume that's what happens.

But if they then share the information they collected on you with others, without asking for your explicit permission, that's where it's starting to get creepy.

I'm not sure Chrome users are aware that their browser tracks every website they visit, creates a profile on you, and then shares that profile (in a supposedly privacy preserving way) with others.

If advertising can change ads based on FLOC id, then what would prevent content publishers from displaying different versions to different FLOC ids? It could empower deception, outright discrimination, group cancellations and censure. Will the truth be dependent on your FLOC id?

> FLoC is premised on a compelling idea: enable ad targeting without exposing users to risk

The second you open your browser you are exposed to risk. Many times I have had to tweak the default settings of my browser to comply with my (non paranoid) requirements. Basic things like putting DuckDuckGo as the default search engine, turning off various JS APIs like HTML5 Canvas, WebGL, using AD-blockers and other addons, tweaking about:config and hardening it, etc

Call me a power user if you want, but all this hardening stuff should ship out-of-the-box.

Opinions are my own.

I'm not sure if we're being led to focus on a wrong problem. I hate intrusive Ads as much as everyone else. However, it's not only that "when you open your browser, you are exposed to risk". It's also:

- Every time you use Windows (without turning off all the bad settings)

- Every time you connect to a Cell tower (telcos openly sell your location data)

- Every time you use your credit cards

Now, I'm not saying those are OK, or to justify intrusive Ads. However, I see a magnitude difference in the "violation of my privacy" for the above cases. The media and certain communities keep focusing on Ads tech because it drives clicks. But then we let the Telcos, Insurance, and Credit Card companies establish a creeping normality on our privacy violation.

We don't spend as much effort to stop Telco from directly selling our location data [1], but we have daily threads about companies indirectly using our location data for targeting Ads. Are we having our priority wrong? I couldn't shake the feeling that we're being led by a different narrative. The best situation of course is when we have good privacy laws and practices. However, focusing on the wrong priority like this is how we let other (much more severe) violators (Insurance, Telcos) get away with their creeping normality.

[1] https://www.marketplace.org/2020/02/28/fcc-set-to-fine-big-t...

Telecoms are heavily regulated, and your link reinforces that: The FCC is able to directly fine telcos for selling our location data. Tech companies generally aren't subject to the same fines as telecoms are for doing... exactly the same things.

And while Verizon, T-Mobile, etc. all have programs that opt-in to data collection and marketing practices, it's often impossible to opt out of tech companies' behaviors. Because telecoms are required to get your opt-in consent to use your data, generally they offer incentives to join rewards programs that have the additional marketing permissions as a requirement.

For example, Verizon Up Rewards requires you enable Verizon Selects, where they can collect information about your web browsing activity and such: https://www.androidauthority.com/verizons-new-rewards-progra... Not something I'd want to participate in, but Verizon is paying its users for that data in effect, something tech companies never do.

> Opinions are my own.

I find it impressive how well this line still singularly identifies the employer of anyone who uses it. :)

It doesn't matter anymore. The world is literally covered in tracking technologies from satellites orbiting the earth to radio waves that are invisible to us but are monitoring our interactions within the world.

By existing in 2021 (whether you use computers/tech or not) you need to accept your data will be collected, analyzed and sold. It will be leaked, combined/processed and abused in many different ways. I would be surprised if there was a single human on earth Facebook did not have a profile on at this point. I'd suspect the NSA can bring up the profiles of all 7 billion humans and recollect their entire lives from the digital/physical breadcrumbs they leave every day.

Now that we can collect so much data, so rapidly (at the speed of light) and can analyze it in real time and store it forever it seems every digital application is focused on obtaining that valuable information and storing it to use in some way (usually, for profit).

Even electric cars require apps and digital connectivity before they can be used/charged.

Data is the new gold.

It's trivially easy to break into my house. No measures exist that I could realistically take to prevent it with 100% certainty. Any measures I stubbornly take anyway, are done out of spite, and to somewhat minimise the risk of my home being chosen over a neighbour's.

In this data collection context, any efforts I take to hide parts of my identity and actions from these privacy rapists, I do out of obstinacy and vicious spite.

The funny thing is that customizing your browser in this way can be its own kind of fingerprint.

Yes but disabling JS as a default wipes out whole classes of attacks against your browser.

On top of disabling JS, just a simple AD blocker like uBlock Origin greatly diminishes the amount of profiling. There is no silver bullet however. It depends on your threat model.

If you really don't want to be tracked and profiled, using the Tor Browser Bundle is worthwhile, but even that is problematic since it's heavily surveilled (both at the entry node and exit nodes).

That's the number 1 reason it should be the default.

Not happening. All those anti-tracking measures break websites more often than not.

"more often than not" is a vast overstatement, it breaks a tiny handful of sites at best.

They break sites that are broken by design. If a site isn't usable with html and css it's the dev's fault. They don't get to dictate my browser's capability or assume I don't have special accessibility needs.

That is flat wrong in my experience. I browse with javascript and CSS both disabled by default, using uMatrix. Only a minority of sites I browse require me to whitelist JS or CSS; maybe 1-in-10. Most newspapers and blogs do not require JS or CSS.

I note that uMatrix is archived, do you have a plan for when it stops working? (I'm also a user)

I fear I don't. Probably I'll end up using the web in general a lot less.

Realistically, can you ship a website where everything happens client side? - reflow, adjusting layout, computing locations/sizes and whatnot. I am not a web person so my thinking may be outdated on this. I'm imagining something like a stand-alone self-contained "docker" type thing.

That's how most websites work. The JavaScript code that runs on the browser then reports back to a server, because it makes money for the people who wrote the app.

Yeah, I meant without the 'reporting back to a server'. Like for e.g., the website sends a 'package' to the browser - The package is built on the fly and contains all the dependencies. The package is then unarchived and files are opened in the browser w/o the server being involved.

That is the standard static html + css + JavaScript without further requests. Aka Web 1.0. (Should you make all in one page with inline images that is)

Then how are the people who wrote the app supposed to make money by selling your personal information to advertisers?

> all this hardening stuff should ship out-of-the-box.

I mean, Brave kinda does that. It’s much more “hardened” by default.

Disabling canvas...

Given that the cohort id is computed client-side, FLoC also sounds like a nice opportunity to fool trackers. Why not send a random cohort id with every request? In the worst case they’ll fall back to conventional tracking techniques, in the best case it will add some noise to their data.

I’ve read here that in prison, if inmates are learning to code without internet access that they’re given offline dumps of stack overflow. Or maybe offline Wikipedia in the library is a better example.

I’d really like to be able to buy preloaded offline versions of certain websites to be able to use indiscriminately.

For things like embarrassing questions which I might want to search for within a given subreddit without broadcasting it to who knows what systems.

I don’t even necessarily care if there’s a result, or even if the information/responses/comments are a decade stale - I can live without current events.

I just want the peace of mind that I’m not being observed. That’s something that I’d pay for.

For Wikipedia it's pretty easy if you've got even the most basic systems administration experience...


Well that's a great argument that it isn't perfect, but the real question is whether it's an improvement. Is it better than the state of the art, which is everyone dropping a shit ton of completely untraceable cookies? For example the browser fingerprinting piece that they highlight is already a problem with or without FLoC.

I don't have an opinion about FLoC per se but this piece feels like it's focused on finding flaws with it in the absolute, as if we didn't have pretty awful tracking now. I don't believe we can get to perfect, what with shadow browser fingerprinting techniques and all, I just want to know if it's an improvement.

If all other fingerprinting techniques would magically disappear, then FLoC is an improvement.

If other fingerprinting techniques stay, then it's actually worse, since there is now an extra data point to better identify users.
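The 33-bit arithmetic and the "extra data point" argument from the comments above, as an added example that is not part of the thread: it measures anonymity-set size, uniqueness and entropy for a population with and without a cohort ID joined to other signals. The population, the attribute names (`ua`, `tz`, `screen`), the cohort count and the independent draws are all constructed assumptions, not measurements of FLoC.

```python
"""Added example (not from the thread): anonymity-set arithmetic for a cohort ID."""
import math
import random
from collections import Counter


def bits_to_single_out(population):
    """Bits needed to give every member of a population a distinct label."""
    return math.log2(population)


def anonymity_sets(records, keys):
    """Count how many records share each combination of the given attributes."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def k_anonymity(records, keys):
    """Size of the smallest group: the k for which the data is k-anonymous."""
    return min(anonymity_sets(records, keys).values())


def unique_fraction(records, keys):
    """Share of records that are alone in their group (k = 1, singled out)."""
    sets = anonymity_sets(records, keys)
    return sum(1 for n in sets.values() if n == 1) / len(records)


def entropy_bits(records, keys):
    """Shannon entropy of the attribute combination, in bits."""
    total = len(records)
    return -sum((n / total) * math.log2(n / total)
                for n in anonymity_sets(records, keys).values())


def synthetic_population(n, n_cohorts, seed=1):
    """Constructed data: every attribute name and value here is hypothetical.

    Attributes are drawn independently, which is an assumption; real cohorts
    correlate with other signals.
    """
    rng = random.Random(seed)
    return [{
        "ua": rng.choice(["ua-a", "ua-b", "ua-c", "ua-d"]),
        "tz": rng.choice(["tz-1", "tz-2", "tz-3", "tz-4", "tz-5", "tz-6"]),
        "screen": rng.choice(["s", "m", "l", "xl", "xxl"]),
        "cohort": rng.randrange(n_cohorts),
    } for _ in range(n)]


def compare(records, passive_keys, cohort_key="cohort"):
    """Measure the same population with and without the cohort ID joined in."""
    out = {}
    for label, keys in (("cohort only", (cohort_key,)),
                        ("passive only", tuple(passive_keys)),
                        ("passive + cohort", tuple(passive_keys) + (cohort_key,))):
        out[label] = {
            "k": k_anonymity(records, keys),
            "unique": unique_fraction(records, keys),
            "bits": entropy_bits(records, keys),
        }
    return out


if __name__ == "__main__":
    print(f"bits to single out 1 of 2**33: {bits_to_single_out(2**33):.1f}")
    people = synthetic_population(n=20000, n_cohorts=1000)
    for label, m in compare(people, ["ua", "tz", "screen"]).items():
        print(f"{label:17} k={m['k']:<4} unique={m['unique']:.1%} bits={m['bits']:.2f}")
```

Joining attributes can only split groups, never merge them, so the combined row is always at least as identifying as either input on its own.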

This is the reason they're introducing FLoC in the first place: https://www.chromium.org/Home/chromium-privacy/privacy-sandb...

This is a summary of the more detailed findings in their paper, which I found easy to read and has some intriguing suggestions for fixing privacy issues with the original proposal: https://mozilla.github.io/ppa-docs/floc_report.pdf

I doubt everyone behind a single household IP address is a homogeneous blob of interests. Their interests + the IP address will be enough to uniquely identify them if trackers are able to accurately identify a single home resident.

Did google ever seek proper peer review for FLoC before they started testing it on people?

FLoC is inherently anti-user, it serves literally no purpose other than to support tracking, while breaking all current anti-tracking tech by mandating its use across domains (a nice solid break of Same Origin policy).

That it came from google is hardly surprising, as they are hell bent on stealing every bit of information they can from everyone, whether or not that person has a relationship with them, let alone consented to the abuse.

I would be stunned if FLoC lasted more than a few months in the real world before google just started using it as an additional source of entropy to spy on people across domains.

Removing effective ads from the internet would be even more anti user. I don't think most people will be happy when everything is paywalled effectively.

The abusive tracking hasn't made ads more effective. I mean it means advertisers spend more paying for bigger and noisier ads sure, but that's also anti-user.

There's also nothing stopping ads from being relevant, when google started AdWords (when "don't be evil" was still a thing) you got useful ads based on what you were actually looking at. Now you're getting nothing but repeat ads for something you searched for last week.

That relevant ads require spying and abuse is nonsense, and google's original destruction of the ad tech industry demonstrated that non-spying ads that were based on page content were more than effective enough.

Of course your uid implies that at best you're a pro-google fan, if not an actual employee, so I don't see me convincing you of anything.

That's a false dichotomy. Paywalls aren't the only alternative to ads. If companies can come up with user-respecting business models, I'd be happy to support them. If their business is worth supporting.

What is this alternative?

Something that a publisher can use to fund itself that's neither paywall nor advertisement. I'm genuinely curious.

The fact it doesn't exist doesn't mean it can't exist. The only reason ads are so prevalent is because they're the easiest and most lucrative way to monetize, at the expense of the user.

FWIW I think the Brave Browser model is a step in the right direction, even though Brave Inc. has made some missteps along the way. Give the user the choice of which services they want to support, and make that process as frictionless as possible.

If the tech giants had incentives to come up with a user-friendly business model, I'm sure those genius minds would think of something. Alas, the status quo benefits their shareholders and they have no reason to change.

FLoC is just marketing fluff to paint their predatory practices in a better light, not an indication that they actually care about their users. Their #1 priority is still profit from advertisers.

You didn't answer the question.

How about this: you have a business that sells stuff online but then a buyer suddenly refuses to give you money in return and says "I don't like money as it has corrupting power. I prefer an alternative means of compensation but can't think of any but it doesn't mean it cannot exist. Since you have a profitable business it's on you to find the alternative payment that I like".

The Brave model is innovative but I don't understand it. They're trying to pay the consumer BAT tokens for consuming. Isn't the consumer the one that needs to pay to consume?

>How about this: you have a business that sells stuff online but then a buyer suddenly refuses to give you money in return and says "I don't like money as it has corrupting power. I prefer an alternative means of compensation but can't think of any but it doesn't mean it cannot exist. Since you have a profitable business it's on you to find the alternative payment that I like".

I don't think I understand your complete train of thought here, but...

>then a buyer suddenly refuses to give you money in return [...]

In return? In this scenario does this customer receive your product before paying for it?

If the customer refuses to pay for a thing you sell, they simply do not get that thing.

> They're trying to pay the consumer BAT tokens for consuming.

Not quite. Publishers are paid in BAT by consumers that choose to do so. Consumers can earn BAT by watching ads, or by purchasing it directly and (hopefully?) avoiding ads. See [1].

I haven't tried it myself, and it's had its share of controversy[2], so it's not a perfect implementation, but certainly a prototype of a more user-respecting business model.

The idea is that the transaction should be a conscious decision initiated by the user. Not something that is forced upon them by stealing their attention from the content they're actually interested in to focus on product placements that might be--but often are not--relevant to their interests. Then you add the intrusive UI changes some sites adopt to show ads, the pervasive tracking and shady practices, and I can't understand how someone outside of the advertising industry would defend it.

The solution is not smarter and more relevant interests ads, nor simple text based "promise, no tracking" ads. The solution is a reversal of the business model and putting the user in charge of how, what they pay with, and to whom. You know, like it works in the real world when you purchase something. Yes, this would be a financial hit to a lot of companies and the advertising industry, but it seems like a good alternative to these hostile practices that are ruining the internet. What with the constant cookie consent forms and pervasive advertising the web has become increasingly annoying and hostile to use. We should fight to fix that.

For all its shortcomings Brave Inc. is attempting to change this, and we should applaud and promote that. Unfortunately unless the big tech firms adopt similar models, this is unlikely to have mass adoption. And like I said, they have no incentives to do so.

As for answering your question, I'm not paid to come up with user respecting business models for companies. :) But off the top of my head, they could try donations, merchandise, "pro" subscription plans (free for everyone, advanced features for paying users; just don't be crippleware/nagware), or an entirely paid-only model. Yes, it wouldn't be as lucrative and "easy" as ads, but there doesn't have to be a single source of revenue.

[1]: https://basicattentiontoken.org/

[2]: https://en.wikipedia.org/wiki/Brave_(web_browser)#Controvers...

The article itself mostly just retreads existing thoughts, but the linked PDF is actually quite good. That might be the better submission URL.

Will there be a way to turn this off as a user so I'm never included in any cohort calculations?

Yes, at least for now. Websites can also opt out entirely using HTTP headers.

Use Firefox.

I'll continue to just block everything, thanks but no thanks. I don't need or want any of this tracking garbage. I definitely don't want whatever Google is pushing.

No matter how they dress it, the FLoC id gives away personal information. That's unacceptable.

This needs to be opt in. Both from a web site and from a user.

How does the browser determine the category of a website?

Is there anyone on HN who believes Mozilla will not implement FLoC in Firefox? Mozilla has stated over and over that it is a firm believer in advertising as "essential" for the internet to survive. In practice, they never phrase it as an opinion or even an underlying assumption (that can be questioned), they try to state this as a "fact".[1] This is called advocacy. Mozilla is an advocate for online advertising. They derive their salaries from payments from a deal with an online advertising company and in return they send search queries on Firefox to that company. (This argument that ads are critical is total BS, IMO. The internet worked great without ads. It would work even better now. Anyone who tests these things can see the web without ads works much better than it does with ads.) What Mozilla really needs to state is that Mozilla believes online ads are critical to Mozilla's survival as an employer. If web browser authors and their bosses want to be paid, then they assume they must sell out to advertisers. Why is there no privacy by default when using web browsers? This is why.

1. Note first sentence, underlying assumption, of Mozilla communications. This company is blinded by advertising payola and cannot see non-commercial use of the web as worth protecting.



Yes I believe Mozilla will not implement FLoC or at least offer a way to turn it off.

If Mozilla enables it by default but "offers a way to turn it off", this would still count as enabling FLoC.

Google could enable FLoC in Chromium by default and then, correct me if I am wrong, the browsers based on Chromium would have to disable it.

Mozilla of course is not based on Chromium.

However, Mozilla does try to match Chrome feature for feature and Google also is the hand that feeds Mozilla.
