FLoC: the privacy scapegoat

If you’ve read about privacy or web tech in the past few months, you’ve probably heard of FLoC. For those less familiar: it’s Google’s proposed Web standard to replace ad-tracking cookies with browser-generated interest groupings(‘cohorts’)— a technology Google claims will preserve user privacy and everyone else claims is a privacy nightmare.

FLoC has been a hot-button topic in the privacy and web news cycles for the past few months, with articles from every major news outlet, countless online discussions, and scathing responses from the EFF as well as numerous companies like DuckDuckGo and Mozilla. The general consensus is that FLoC is bad, for both conceptual and technical reasons, and that it probably will allow advertisers to target users individually, despite its explicit claims of not doing that. Google, for its part, seems to have mostly ignored these comments and has gone ahead and implemented a beta version into Chrome, making users even more infuriated.

But amongst all of this, there’s something that’s gotten lost.

When asked by several different news outlets about its plans for FLoC in the Edge browser, Microsoft responded with a strangely long, meandering answer:

“We believe in a future where the web can provide people with privacy, transparency and control while also supporting responsible business models to create a vibrant, open and diverse ecosystem. Like Google, we support solutions that give users clear consent, and do not bypass consumer choice. That’s also why we do not support solutions that leverage non-consented user identity signals, such as fingerprinting. The industry is on a journey and there will be browser-based proposals that do not need individual user ids and ID-based proposals that are based on consent and first party relationships. We will continue to explore these approaches with the community. Recently, for example, we were pleased to introduce one possible approach, as described in our PARAKEET proposal. This proposal is not the final iteration but is an evolving document.”

I’ll summarize this in a second, but first consider some of the headlines news outlets chose when faced with this response:

Microsoft Edge becomes latest browser to disable Google’s FLoC (TechRadar)

Firefox, Edge, Safari, and other browsers won’t use Google’s new FLoC ad tech (The Verge)

Nobody wants anything to do with Google’s new tracking mechanism FLoC (Android Police)

Just from reading the titles, you’d expect that Microsoft had put down a resounding ‘no’ to FLoC. That’s certainly not the case, as the response effectively said ‘we support the general idea and we don’t know what we’re going to do yet’. But there’s something more important stuffed in there at the end: the PARAKEET proposal.

What is PARAKEET, you ask? Well, I did us all the hard work of reading the dense, wordy spec. Essentially, it’s the same thing as FLoC from an end-user perspective, with the key improvement that the browse, not the site, makes the request to the ad network, meaning the site can’t add arbitrary data beyond the threshold defined by PARAKEET. Unfortunately, it completely ignores the fact that browsers (and servers) can make arbitrary network requests at any time, which could be used to add additional identifying data.

In fact, I’ll tell you exactly how a site could get around this limitation of PARAKEET:

1. The user goes to https://cool-site.com.
2. cool-site.com uses JS to collect as much identifying info as it can from the user’s browser, such as user-agent, browser version, screen size, etc. It also generates perhaps a single random byte to use as a source of entropy. It sends this back to the cool-site.com server, which additionally adds the IP address and then sends this data to the ad network.
3. cool-site.com initiates a PARAKEET request, using only the single byte of entropy as an interest. PARAKEET fills in a bunch more interests, the user’s location, some User-Agent parameters, the site-identifying ad unit ID, etc.
4. The ad network now can combine the origin site, a coarse location, the interest byte, some coarse user agent parameters, and most importantly the request timestamp to have nearly a 100% success rate at matching the cool-site server’s request to the PARAKEET request, meaning that an adversary can easily add additional identifying info to a PARAKEET request.

Beyond this, PARAKEET also:

• Proposes the use of a hosted service which advertisers would pay for access to, creating a clear conflict between the monetary interest of the host (e.g. Microsoft) and the user’s interests;
• Uses specific interest, location, and user-agent data as identifiers instead of FLoC’s cohort hash, making it potentially more identifiable out-of-the-box,
• Requires trust in the opaque, hosted service to strip data and to not collect any of this data itself.

So here we have a WICG proposal being pushed by a company almost as big as Google, with similar and in some ways worse privacy issues as FLoC. But here’s where it gets concerning: in stark contrast to FLoC, as far as I can tell, there’s only one consumer-facing article that mentions PARAKEET in its headline at all — on a site specifically catering towards fans of Microsoft, and it still mentions FLoC in the headline as well. Clearly, news outlets don’t think PARAKEET is as marketable of a topic as FLoC, but why? Perhaps people think of modern-day Microsoft as a ‘good company’, while Google is the ‘big bad’. Or perhaps, to consider a conspiracy, FLoC is being purposefully used as a scapegoat to deter people from looking into other proposals. Maybe — likely — that wasn’t even the initial goal, but it evolved into that role over time.

Unfortunately, that doesn’t mean PARAKEET has gone completely unnoticed, because while consumer-facing articles are absent, there are actually numerous articles about it targeted at people in the advertising industry. Ad execs are catching on that FLoC may have a hard time surviving in anywhere other than mainline Chrome, and they’re clearly paying attention to their other options. So I decided to take a look and see what else we might’ve missed.

As it turns out, there are a shocking number of other proposals for interest-based advertising being considered by the WICG: TURTLEDOVE, FLEDGE, SPARROW, DOVEKEY, PARRROT, TERN, and PETREL, to name just some. And they all seem to have the same concerning property: several articles in ad-industry magazines and papers, and zero from mainstream news outlets. In fact, some of them are even sponsored by Google and still have little to no consumer articles.

So unfortunately, it seems that in a way FLoC has already accomplished its goal — it just wasn’t the same goal we (and probably Google) initially thought.