The current state with third-party cookie tracking is terrible. This is terrible in a different way. It gives Google even more control over the ad-tech industry. Rather than a diversity of ad-tech kings using third-party cookies to track people and invade privacy, this becomes the "One Ring to Rule Them All" that makes Google even more dominant in ad-tech, while allowing them to pretend that they care about privacy as a prophylactic to anti-trust action. It's nothing if not clever.
What about FLoC gives Google "even more control"? Isn't it something any ad-company can use? Maybe I don't understand how it works, but from what I've read, any website has the exact same access as Google does to the data.
"When third-party cookies are replaced by FLoC, Google will have a way to track consumers that isn’t available to other companies, which could give Google a steep advantage in the advertising business." [1]
According to the EFF, Google controls the algorithms, and will also be running its implementation and auditing its outputs, a task the EFF describes as "both orwellian and sisyphean". The EFF also notes that "Users and advocates must reject FLoC and other misguided attempts to reinvent behavioral targeting."
It's about writes, not reads. With cookies, the tracking networks get to decide what data to store, and they're bounded by what browser APIs allow. FLoC data is computed by Chrome itself, so Google and only Google gets to decide what data is exposed, and it has full access to your browsing behavior even if you're blocking (or visiting sites that don't use) trackers.
The "data" is just a not further specified number and then they waxed a bunch of lyric about how this number will only be determined through privacy-preserving magic algorithms.
So yes, controlling how that number is calculated is infinitely more control than reading it.
Yes it is absolutely worse. The very notion that we need an identification profile that tracks our behavior is ridiculous. Contextual advertising works. If you visit a blog that covers tech hardware... advertisers can pay to put ads here or PC parts etc. If you visit a website that covers hiking trails .. advertisers can buy ads here for camping gear etc.
It is utterly ridiculous to think we need to be tracked from site to site and profiled to this degree.
It would; unfortunately, advertising agencies have showcased to advertisers that they can hijack the focus of an average website visitor with rich graphics irrespective of the context, e.g. say a toothpaste ad on a tech blog; and the toothpaste company doesn't care as long as they get a click (even if the conversion is abysmal).
The other side of the story is that the tech blog would find it very hard to get a proper referral link for PC parts they're covering for contextual advertising unless they're of considerable size. Whereas getting a banner ad to display whatever it wants is usually just a couple of clicks.
As a result, the whole Internet is full of rich graphics built by and built for these advertisers, making simple text-based readable websites an endangered species, further making the lives of those with accessibility needs miserable.
> For pages that haven't been excluded, a page visit will be included in the browser's FLoC calculation if document.interestCohort() is used on the page. During the current FLoC origin trial, a page will also be included in the calculation if Chrome detects that the page load ads or ads-related resources.
> if Chrome detects that the page load ads or ads-related resources.
Let me guess, “ads-related resources” are not defined, but in a court case in 5-10 years time it’ll be accidentally revealed that internally Google considers this to include “JavaScript, css, or HTML files”...
> During the current FLoC origin trial, a page will also be included in the calculation if Chrome detects that the page load ads or ads-related resources. (Ad Tagging in Chromium explains how Chrome's ad detection mechanism works.)
> Ad Tagging works by matching resource requests against a filter list (...) to determine if they’re ad requests. Any requests matching the filter are tagged as ads. Further, requests (and some DOM elements such as iframes) made on behalf of previously tagged scripts are also tagged as ads by the AdTracker. An iframe will be marked as an ad iframe if its url matches the filter list, if tagged script is involved in the creation of the iframe, or if its parent frame is an ad iframe. The main frame of a page will never be tagged as an ad. Any request made within an ad iframe is considered an ad resource request.
I can't find what is included in this filter list, I'm not sure it's open source.
(mandatory disclaimer: I work at Google, not on Chrome nor ads)
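The tagging rules quoted above, modelled as an added example (not Chromium's code and not part of the original thread). The filter patterns, the event shape and the sample page are constructed, and treating any tagged request or frame as "loads ads" for the origin-trial rule is an assumption:

```javascript
// Constructed stand-in for the filter list; the list Chrome uses is not shown on this page.
const FILTER = [/\/\/adserver\.example\//, /\/ads\//];
const matchesFilter = (url) => FILTER.some((re) => re.test(url));

// events: page activity in load order. Hypothetical shape:
//   { kind: "frame",   id, url, parentFrame, createdBy }   (parentFrame null = main frame)
//   { kind: "request", url, type, frame, initiator }       (initiator = script URL or null)
function tagAds(events) {
  const adScripts = new Set(); // URLs of scripts already tagged as ads
  const adFrames = new Set();  // ids of iframes tagged as ad iframes
  const adRequests = [];
  for (const ev of events) {
    if (ev.kind === "frame") {
      if (ev.parentFrame === null) continue; // the main frame is never tagged
      const isAdFrame =
        matchesFilter(ev.url) ||          // its URL matches the filter list
        adScripts.has(ev.createdBy) ||    // a tagged script created it
        adFrames.has(ev.parentFrame);     // its parent is an ad iframe
      if (isAdFrame) adFrames.add(ev.id);
      continue;
    }
    const isAd =
      matchesFilter(ev.url) ||            // direct filter match
      adScripts.has(ev.initiator) ||      // made on behalf of a tagged script
      adFrames.has(ev.frame);             // any request inside an ad iframe
    if (!isAd) continue;
    adRequests.push(ev.url);
    if (ev.type === "script") adScripts.add(ev.url); // taint propagates to its requests
  }
  return { adRequests, adFrames: [...adFrames] };
}

// Origin-trial inclusion as quoted from web.dev: interestCohort() use, or ad detection.
function includedInTrial(events, usesInterestCohort) {
  const { adRequests, adFrames } = tagAds(events);
  return usesInterestCohort || adRequests.length > 0 || adFrames.length > 0;
}

// Constructed sample: a blog whose own URL contains "/ads/" and that embeds one ad loader.
const LOADER = "https://adserver.example/loader.js";
const SAMPLE_PAGE = [
  { kind: "frame", id: "main", url: "https://blog.example/ads/why-i-block-them", parentFrame: null, createdBy: null },
  { kind: "request", url: "https://blog.example/style.css", type: "stylesheet", frame: "main", initiator: null },
  { kind: "request", url: LOADER, type: "script", frame: "main", initiator: null },
  { kind: "request", url: "https://cdn.example/pixel.gif", type: "image", frame: "main", initiator: LOADER },
  { kind: "frame", id: "f1", url: "https://cdn.example/slot.html", parentFrame: "main", createdBy: LOADER },
  { kind: "frame", id: "f2", url: "https://widgets.example/w.html", parentFrame: "f1", createdBy: null },
  { kind: "request", url: "https://widgets.example/w.css", type: "stylesheet", frame: "f2", initiator: null },
];
const CLEAN_PAGE = SAMPLE_PAGE.slice(0, 2); // same blog without the ad loader

console.log(tagAds(SAMPLE_PAGE), includedInTrial(CLEAN_PAGE, false));
```

Only `loader.js` matches the filter directly; the pixel, both iframes and the nested stylesheet are tagged through propagation, which is why a single third-party script can put an otherwise ad-free page into the calculation.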
The court case will reveal that Google used the string "ad" to search within html documents, they completely missed that <head> will contain the ad substring...
Excluding a page is a manual process however, requiring to set the header mentioned in the blog post. So website owners have to explicitly opt-out of FLoC.
If Google is going to shift to using almost unblockable tracking calculations, then servers are the next most logical place to push back against it.
Anyone who runs a site and wants to opt in against a default block should have to take extra action to reduce their visitors' privacy, and should be called out for their behavior.
As others have noted, there are already plenty of workarounds in use for many reasons... this is a BETTER reason than most.
They own the entire .dev gTLD namespace - they aren't hiding it, but it's probably not common knowledge.
I am not defending Google behavior, I have no dog in this fight, just sharing. In fact, there was a weird behavior I detected inadvertently last year 2 employers ago where I couldn't load any .dev public internet sites due to preloaded rules that hadn't been updated since before the .dev gTLD was publicly available. Some would load, and others (web.dev in particular) wouldn't load. Anyways yeah this sucks, it seems that any new advancements in web related technologies that could enable new privacy measures are just side stepped by the dark wizards out of Mountain View...
I kept thinking that web.dev is the same as webplatform.org, which was positioned as a community-driven replacement for Mozilla's MDN Web Docs and heavily pushed by Google at the time.
Turns out webplatform.org was discontinued some time in 2015 and put up a notice pointing people at the MDN Web Docs. Then in 2017 Mozilla announced most of the key players (including Google) would now support the MDN Web Docs[0], which still seems to be true except they fired the entire MDN team in 2020[1]. It seems the advisory meetings are still happening and someone is maintaining MDN, but with Mozilla essentially only existing because Google continues to pay the bills, its future seems a lot less certain now.
Meanwhile web.dev makes no mention of MDN and instead mixes discussion of Google's proprietary "experimental" features and Chrome-specific behavior with general advice on "building better websites", duplicating some of the content already covered by the MDN Web Docs' guides section (except this gives them opportunities to cross-market their own interests while also not discussing support of features in other browsers).
I don't think Google is hiding who's behind it, as the footer literally has the Google Developers logo in it. They are however not acknowledging anything other than Chrome even exists and heavily blurring the lines between Chrome or Google-specific features and stable web standards. Coupled with certain public Google developers continuously chanting "use the platform" while criticizing people for using other web frameworks instead of custom elements, this certainly creates an impression of deception and dishonesty.
YouTube is very old and has its own reputation and a made-up trademark name. It's not trying to hijack the entire concept of a generic idea like "web dev" that existed before Google existed.
Definitely worse, but also the next logical step given that an ad company has achieved relative browser dominance and has such weight to throw around in defining web standards.
Moves like this were inevitable. Writing's been on the wall a while now too.
I do not currently see it as worse and in fact I see it as better. If Google becomes the boundary behind which my information is shielded they are also the target for accountability. They generally seem a preferred option for this role relative to the others in the market (the little I know much about it). Further this seems a general good fit for their capabilities, business goals and role in society broadly, which is a position counter to the assertions the EFF appears to make. My position and argument is that Google should do what they are naturally doing and be held accountable for sensible privacy, etc by the law and watch that evolve. This seems both fair leverage of their market position and sensible use of it. Competition is freely able to develop their own niche, as is Brave and anyone else able to do. (For example why Mozilla hasn't developed VPN services, etc sooner is beyond me.) Hope this is constructive.
> "[..] use my visitors data for advertising and surveillance [..]"
..and to improve a search engine empire that is arguably the basis for the majority of their ad business and which is already a factual monopoly.
If you successfully avoided giving Google your visitor traffic data so far (by passively avoiding Google Analytics, fonts, maps, etc.) then from now on you will have to take active steps to keep their fingers out of your cookie jar.
I meant that you have to do something to use Google Analytics, Fonts, etc. If you do nothing you don't give data to Google. With FLoC this changes. If you do nothing you are complicit in sending your user data to Google. If you want to avoid it you actively have to add a header to your site.
I run a website with no trackers, no ads, nothing at all to do with Google or any other company in any way.
You come along, with Google Chrome, and visit my site.
Google adds the fact that you visited my site to their massive dataset (as well as who-knows-what-else)
And to opt out of something I have never been asked to be involved with in any way, I need to contact Google and ask them to please leave my site alone?
Am I understanding this shit correctly?
Whether I like it or not, my site, by proxy, is participating in Google's data mining?
If my guess is correct, how the actual fuck is this not illegal?
Edit: Ok, I guess I'm off the mark here with my assumptions so I'll put my pitchfork down.
Google are just using your Chrome browsing data, matching it with site id's (or hashes?) and then analysing the shit out of it for their gain.
As a website owner, nothing has changed other than I can tell them not to use my site as part of their analysis... that sound about right?
> I run a website with no trackers, no ads, nothing at all to do with Google or any other company in any way.
Then your site will not be included in FLoC: "A page visit will be included in the browser's FLoC calculation if document.interestCohort() is used on the page. During the current FLoC origin trial, a page will also be included in the calculation if Chrome detects that the page load ads or ads-related resources." -- https://web.dev/floc/
(Disclosure: I work for Google, speaking only for myself)
That "During the current FLoC origin trial" bit scares me though. Why should I assume the scope of implicit inclusion in FLoC won't be expanded in the future?
I don't exactly trust this opt-out header. The spec makes it sound like it's not so much a request to the user agent not to use cohorts in general. Rather it's a security-in-depth measure to prevent third-party scripts or injected spyware from exploiting certain functions. So those functions are disabled for resources loaded from that domain. Chrome, meanwhile, can still do whatever it likes.
> That "During the current FLoC origin trial" bit scares me though. Why should I assume the scope of implicit inclusion in FLoC won't be expanded in the future?
It's the other way around: it's saying that normally "a page visit will be included in the browser's FLoC calculation if document.interestCohort() is used on the page" but to support this specific origin trial it will also include pages "if Chrome detects that the page load ads or ads-related resources". This is needed to avoid the chicken and egg problem that you would otherwise have in a proof-of-concept experiment.
While I don't like ads, and so by association I blindly don't like FLoC or cookies, I've been following your comments via RSS out of interest and I'd like to say thanks for always popping up in these threads to untangle some of the misconceptions (from your point of view).
That doesn't necessarily mean that I, or others, trust what Google, as a business, might do tomorrow compared to what it says today but given how little the wider world tends to hear from Google (that isn't editorialised in some sense), it's nice to see Google employees engaging on Hacker News :)
Thanks for the clarification. It appears I can't edit my original comment to add in a mea culpa!
No idea how I managed to get it so far off the mark there... :(
For anyone reading this, downvote my original comment up the top please to get it off the top as it's inaccurate: I know it's cool to bash Google on here but my original assumption was waaaaaay off.
I'm 100% against this whole FLoC thing but I really cannot understand this conclusion.
If I drive through a McDonald's drive-through, and Android/iOS/Fitbit/Tesla/whomever records my journey via GPS, they know I ate a McDonald's but McDonald's the company has not directly "participated" in any tracking of any kind.
I don't think your website is participating really. There are a lot of posts describing this opt-out but none really say what you are opting out of.
It seems that the content of your website may be used to identify the user's interest.
It isn't illegal because the browser is allowed to do whatever you want with your website. This is really no different than an extension that can access your website content to recommend other pages you may be interested in.
In the same way it isn't clear to me why I would want to opt-out. I guess it is 1. Sending Google a signal and 2. Protecting users from themselves?
But if I want to protect users from themselves I'm probably better off showing a banner recommending Firefox. (And this also helps the open web at the same time)
> If my guess is correct, how the actual fuck is this not illegal?
Because Google has effectively embedded and interwoven itself so tightly into the fabric of the web, that simply having no association with them is impossible. Vint Cerf is their evangelist. The creator of The Internet is an evangelist for Google! Read more:
> Vinton G. Cerf is vice president and Chief Internet Evangelist for Google. He contributes to global policy development and continued spread of the Internet.
Seems similar to the Google Street View issue. They took pictures of public places, and you had to manually request to have your face or identifying info removed, if they were revealed.
The website is public in the same way as it can be accessed by any browser and isn't blocking search robots.
Why would you control what people use to visit your website? By leaving your website on the open web, you contribute to a bunch of other things, bots parse it left and right, rank it among other websites, archive.org makes snapshots, and not one of them had you opt in. How is this current case different?
The purpose of this permission is to prevent embedded third-party content from using FLoC. Besides that it’s a no-op.
FLoC does not track arbitrary websites, it tracks sites which retrieve the FLoC cohort via JS. So instead of dropping a unique third party cookie, and associating it with the data on the page, sites can now retrieve a k-anonymous cohort id and associate it with the data on the page. If you’re not doing that (or serving ads) there’s nothing you need to do.
That’s not to say that FLoC doesn’t deserve criticism just that most criticism I’ve encountered is not grounded in reality.
According to the W3C Federated Learning of Cohorts Draft Community Group Report, 13 April 2021, Paragraphs 3 & 7.1.1:
"The interest cohort API lives under the Document interface since the access permission is tied to the document scope, and the API is only available if the document is in secure context."
and
"The page can opt itself out of the interest cohort computation through the "interest-cohort" policy-controlled feature. [PERMISSIONS-POLICY]" [1]
No, I linked to the source and quoted the relevant point. I believe all three sentences in the paragraph are cumulative but independent points that explicitly do not preclude each other. Any item of itself is sufficient to preclude the calling of the API.
By default, the page is eligible if the API is used in the page, but the website owner can opt out of that using the header setting, and the user agent should offer a permission setting to disallow sites for inclusion by users. The second and third sentences would not exist or make any sense if the first sentence precluded them.
The full text of the paragraph is:
'''
7. Privacy considerations
7.1. Permission
7.1.1. Eligibility for a page to be included in the interest cohort computation
By default, a page is eligible for the interest cohort computation if the interestCohort() API is used in the page.
The page can opt itself out of the interest cohort computation through the "interest-cohort" policy-controlled feature. [PERMISSIONS-POLICY]
The user agent should offer a dedicated permission setting for the user to disallow sites from being included for interest cohort calculations.
'''
There are multiple reasons why the API could be included in the page, but a website owner may choose to opt out using the header, or a user may disallow it. I agree it is confusingly phrased but it is a draft, and the meaning seems clear to me.
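A site owner who wants to confirm what their responses actually declare can parse the header rather than grep for it. The opt-out the draft describes is sent as `Permissions-Policy: interest-cohort=()`; the following is an added example, not part of the original thread or of any browser's code, and it assumes a Node-style headers object with lower-cased names and uses constructed sample values:

```javascript
// Split a Permissions-Policy value into top-level members, ignoring commas
// that sit inside a quoted string or an inner list.
function splitMembers(value) {
  const out = [];
  let depth = 0, inQuote = false, cur = "";
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    cur += ch;
    if (inQuote) {
      if (ch === "\\" && i + 1 < value.length) cur += value[++i]; // escaped char
      else if (ch === '"') inQuote = false;
    } else if (ch === '"') inQuote = true;
    else if (ch === "(") depth++;
    else if (ch === ")") depth--;
    else if (ch === "," && depth === 0) {
      out.push(cur.slice(0, -1).trim());
      cur = "";
    }
  }
  if (cur.trim()) out.push(cur.trim());
  return out.filter(Boolean);
}

// Turn one member's value into an allowlist: [] for "()", tokens/origins otherwise.
function parseAllowlist(raw) {
  const list = /^\(((?:"(?:[^"\\]|\\.)*"|[^"()])*)\)/.exec(raw);
  if (list) return list[1].match(/"(?:[^"\\]|\\.)*"|[^\s"]+/g) || [];
  const item = /^[A-Za-z*][^\s;]*/.exec(raw);
  return item ? [item[0]] : null; // null: a value this sketch does not interpret
}

// headerValues: one string, or an array when the header was sent more than once.
function parsePermissionsPolicy(headerValues) {
  const policy = new Map();
  const joined = [].concat(headerValues).join(", ");
  for (const member of splitMembers(joined)) {
    const eq = member.indexOf("=");
    const name = (eq === -1 ? member : member.slice(0, eq)).trim().toLowerCase();
    const raw = eq === -1 ? "" : member.slice(eq + 1).trim();
    policy.set(name, parseAllowlist(raw)); // a later duplicate replaces an earlier one
  }
  return policy;
}

// Classify a response with respect to the "interest-cohort" feature.
function flocOptOutStatus(headers) {
  const raw = headers["permissions-policy"];
  if (raw === undefined) return "no-header";
  const policy = parsePermissionsPolicy(raw);
  if (!policy.has("interest-cohort")) return "not-mentioned";
  const allowlist = policy.get("interest-cohort");
  if (allowlist === null) return "unparsed";
  return allowlist.length === 0 ? "opted-out" : "allowed";
}

// Constructed sample responses.
const SAMPLES = {
  optedOut: { "permissions-policy": 'geolocation=(self "https://maps.example"), interest-cohort=()' },
  repeated: { "permissions-policy": ["camera=()", "interest-cohort=()"] },
  wildcard: { "permissions-policy": "interest-cohort=*" },
  unrelated: { "permissions-policy": "camera=()" },
  lookalike: { "permissions-policy": 'geolocation=("https://a.example/?x=1,interest-cohort=()")' },
  none: {},
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  console.log(name, flocOptOutStatus(headers));
}
```

The `lookalike` sample contains the opt-out text only inside a quoted origin, so a substring search would report an opt-out that the policy does not contain.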
High percentages of pages are using GA, and it would be trivial for GA to start calling document.interestCohort() at an indeterminate point in the future. Better safe than sorry.
> During the current FLoC origin trial, a page will also be included in the calculation if Chrome detects that the page load ads or ads-related resources.
"During trial we had so much success with our auto-opt-in mechanism (and grew so fond of being omnipotent) we've decided to make it a permanent feature."
Only a little bit of time before the opting out process is made redundant by some API that will break somewhere or something that will be brought in as an RFC in Chrome.
Chrome's & Android's entire existence is to ensure Google's ads business survives. This until Google can find another business that produces the same returns or dies.
I wish there were more entities that would focus on developing tools for the open web. The open web as we used to know it is dying.
I think the state of affairs with the mobile world is the worst. I can't help but think that Android was the worst disaster that happened to the software industry.
Android corrupted the ethos of FOSS, decimated all hopes for privacy, contributed to destroying the environment, stripped users of freedom of choice. I think it'll take a very special group of people to reverse the tide.
Can you elaborate on why you think Android is a disaster? Particularly the environmental aspect and freedom of choice.
If android didn't exist then iOS might be the only major mobile OS, so in that sense at least it seems to be good that Android exists. It would be much better if it wasn't widely used as a carrier for Google's ecosystem and spyware, of course.
Most of the people outside the US cannot afford an iOS device, so my guess is that missing Android there would be something else (Blackberry? Windows Mobile? Who knows how it would have gone)
Honestly, with the rise of the web-app based phone app platforms (react/ionic etc) becoming almost "standard" the friction for porting to a hypothetical third platform goes down substantially.
Ignoring the branding law of duality (that generally only 2 brands occupy the supermajority of a product category) and looking only at technical barriers, now looks to be better than ever for a third platform to possibly arise - especially given the rise of ARM SoCs.
> web-app based phone app platforms (react/ionic etc)
Those are cost cutting choices that don’t automatically lead to porting to other platforms. Small players will still churn a single app for iOS based on their site’s react code, for instance.
Basically those who didn’t care for other platforms before still don’t care that much, but instead of being their 1298th priority in the list, it might have risen to the 34th or 35th position.
Would you be willing to entertain that maybe they died because most people who used phones found those platforms to be weaker product offerings with the things they cared about and that your value system may have fundamental differences?
Would you further entertain that the inability to perceive such realities and differences and manufacturers' inability to navigate these preferences is a major determinant of success? (Microsoft failed here for instance and Amazon's Fire is on life support. If piles of money were the primary cause we'd all be using Sharps, Psions, IBM Simons and AT&T Eo, there's something else to say, the failure of AT&T Hobbit, they had a solid monopoly position)
Capturing the consumer is tricky business and Maemo simply wasn't the right it. Nor was Windows Mobile or FirefoxOS or WebOS or, ultimately, Palm or BlackBerry.
That they were weaker offerings is not always true. Google is the Gorilla in the room who simply squeezed out any competition by offering Android “for free”.
Microsoft Explorer did the same earlier with Netscape. Simply bundle your own software with the OS and watch the competition flutter.
Your average consumer really doesn’t know the difference.
Yet they failed to gain a foothold in Windows Mobile after literally decades trying and they had to take 4 swings at Netscape before they really gained inroads.
I question that common folklore and claim it uses anecdotal cherry picked non rigorous evidence. It's just a bad theory.
Of course monopolies try to leverage their position as IBM tried with their failed MCA bus and failed XGA standard and failed OS/2 product. As it turns out, monopoly thuggery can't seem to reliably zombie walk terrible products that nobody wants.
Instead, people have dramatically different concerns and if you read into each one of these cases you'll find that out. That's the real reliable truth here.
Stop fighting realities you don't like. All of humanity isn't going to bend the ways you want it.
That last point you make is crucial. Your average user just wants to go “on the web”, but doesn’t really know any difference between one browser or the next. This is why IE6 thrived, plus companies adopting it as their default install.
Exactly. Talk all the shit you want, and we can do it all day with IE6 but it did what people needed and it hit numbers north of 90% and had staying power unlike any other browser/version pair since.
If you want to understand how humans relate to technology, writing such things off as irrelevant, simply because IE6 was technical swiss cheese, is foolish.
Most people probably never got around to trying them. The list of smart phones released with Maemo is near nonexistent. However the cause of that might have been less Android and more Elop preparing Nokia for acquisition by Microsoft.
I take it you didn't use webOS. webOS had multitasking before iOS or Android did, and Android's multitasking implementation was taken directly from webOS' card-based multitasking. The interfaces are identical. It took Android something like 6-8 years to finally implement true multitasking that webOS had from the get-go.
webOS in 2009-2010 was unironically better than Android's been over the last decade.
> Would you be willing to entertain that maybe they died because most people who used phones found those platforms to be weaker product offerings with the things they cared about
That is true to a large extent, but it doesn't preclude Google from creating a situation where new contenders are effectively locked out. No matter how good Android is, they're not entitled to that.
That would be a possibility if people acted rationally and chose to spend their money after a thorough evaluation of the market, their players and perspectives for the future. This just never happens for a majority of phone consumers.
Humans have never worked that way. It's why advertising exists.
If we want different products to succeed we can't just close our eyes, cross our fingers, and hope that humanity acts the way we fantasize it ought to.
This is exactly what I'm saying: you're saying first that those devices failed because they were weaker, which is the premise behind the free market. That is wrong, they failed because they didn't have the marketing machine pushing them to the top. Buyers don't buy based on whether the product is better or not, they buy based on more emotional values. That's the whole Information Asymmetry thing (https://en.wikipedia.org/wiki/Information_asymmetry)
It's like the vintage synth people. Those are really popular products but most are not popular enough. The popular ones get reissues but most of the time the financials simply don't support a production run.
This response in the thread reminds me of what happened in the 1936 Landon/FDR election. A magazine asked people to volunteer who they wanted to vote for. The Landon voters were super passionate so they outnumbered the FDR voters who wrote in, causing the magazine to falsely believe Landon would win in a landslide. A guy named Gallup was watching this unfold, thought something was up, used statistical random sampling to guess what the magazine and general election would yield, got both right and changed polling forever. http://historymatters.gmu.edu/d/5168/
The handful of people downvoting and passionately responding to me are the Landon voters here. HN is exactly where this small group congregates.
There's simply not enough to keep the platform afloat. That's why the reboots have all eventually failed.
"Would you be willing to entertain that maybe they died because most people found those platforms to be simply weaker product offerings?"
No.
I mean hahahahahah HELL NO not even close.
WebOS was great.
The only thing that made Android win was the brute force of Google, and the fact that Android was open source and WebOS was not (somehow, despite being Linux), and mismanagement by Palm.
"Weaker product offerings" isn't really an applicable idea for new entire ecosystems. He who can put up the most cash and marketing and special deals can create a new ecosystem from scratch that is by definition and necessity far weaker than others that have already existed for years, and still win by plain force.
When the iPhone came out, it had no 3rd party apps at all, while Palm and Windows devices existed for years. Particularly PalmOS had a massive rich diverse mature ecosystem of 3rd party apps.
I had a full screen, color, touch, grid icon home screen of 3rd party apps, internet connected, smartphone... In 2000, SEVEN YEARS before the first iPhone came out. I had a web browser, an ssh client, even a vnc client, Audible.com audio book player app, .. And every random app for every big and little purpose I could think of, from db apps to odd little things like a netmask calculator and resistor color code decoder, irc client, book reader, integrated contacts db phone dialer... Just like today, except better, no app store, and so no app store saying I can't have an app I want but Google or Apple doesn't. All this in 2000. 7 years before the "revolutionary" iPhone.
And even after the iPhone came out, not only were its offerings weaker, they didn't exist at all. No 3rd party apps allowed at first.
Apple won because they are Apple. The phone hardware was a technical and design marvel, and Apple could afford to create a whole new world from scratch to displace an existing mature rich one thanks to plain money and size from years of iPod sales.
Google didn't have a stunning new device that blew away anything that came before, but they did have the money and the ability to make deals with carriers, and the open source angle. (I don't mean that consumers cared about that, I mean that letting everyone and their dog make a phone for free was an effective way to match Apple's deep with a Google wide.)
Android frankly sucked balls compared to WebOS for quite a while, both the os itself and the "offerings". But, Google. Palm. Come on.
I would agree that in the contest between Windows phone and either Android or iOS, MS had the size and resources to compete, and failed because they failed, not because there was no possible contest once someone that big decides to get in your game.
I bought the HP Touchpad w/ WebOS. It was laughably bad. Maybe PalmOS had apps, but WebOS came with pretty much nothing, meaning that for entertainment you went to the web browser. And that was very slow and laggy. You could only load one tab at a time.
A few months later, an unofficial Android ROM was created, and it was a huge upgrade, even though it was only Android 2.2.
Had Palm's management not had a series of stroke-like horrible decisions, I can imagine a present where the PalmOS 5.0 clusterfuck and just-barely-good-enough Treos gave way to WebOS devices that could have recovered the company, and the iPhone would have had to compete against _that_ potentially much more solid platform.
All these years later, I still wish I could have sat in on those meetings and told Palm management just how badly they were screwing themselves.
Today I looked at the source code of Chrome where this is implemented, so I'd understand it better.
It made me realize that there are indeed (of course) software engineers (meaning: people) working on this who actually write that code. Does a high salary justify working on such features, or are modern day software engineers more like factory workers? I think not because most software engineers have a choice.
People around the world build machines that melt skin off of children in the Middle East for a quarter of that pay. Even in America. And they're proud of it too.
> People around the world build machines that melt skin off of children in the Middle East
There is a problem with that statement and I will try to highlight it by creating a couple more of the same:
- There are people working to build software to allow people to share child porn without getting caught (about Moxie and anyone working to bring e2e-encryption to the masses)
- There were people working in factories that created hammers that were used to crush people's skulls in Cambodia
I see where you are going and OP's overly emotive language damaged the credibility of his point.
However not all technology/engineering is neutral even compared to other technology.
For example I made the decision years ago that there are some lines I won't cross for software development - one of them being gambling systems (even though they are quite lucrative) - (Note: I'm not saying they should be banned (that is not for me to say)) because morally I can't see an acceptable use that outweighs the bad.
Same with weapons systems (though of course one man's freedom fighter is another's terrorist).
Your examples refer to tools that are being misused, whereas weapons or tracking software is a negative for humanity precisely when they're working as intended.
Weapons are tools too. Mostly to scare away an attacker before they strike but sadly sometimes also to strike back.
Double sadly they also come with the possibility to strike first.
But in the choice of us being armed and Russia and China and the middle East being armed or everyone being armed except us I take the first option. Every time.
Edit to add: modern weapons are actually about reducing the chance the skin is melting off of children.
It is fully possible to think that your country should have access to the best conventional weapons possible while still voting for politicians that want us to stop weapons sales to madmen.
Think: if you try to remove all guns overnight the ones you get is the ones from the good guys. If you make guns illegal only criminals will have guns.
Also: the biggest crimes against humanity have typically been made by the local rulers: Hitler can be discussed, Stalin, Pol Pot and a number of others cannot.
Good guy with a gun tends to hit a bystander, or cause dangerous escalation in situations that don't warrant it, or have their gun stolen.
> If you make guns illegal only criminals will have guns.
That's one way to look at the very short term. But then since "criminal" is not an immutable quality of a person, millions of people that weren't criminals that then commit a crime will have no gun.
Trying to sort people into "good guys" and "bad guys" is a terrible idea in general.
It doesn't matter what you call the groups, or even how many groups you come up with. The point is that some are more compliant than the others - the conformists, the law-abiding etc - and it's those that you'll disarm first. The ones who don't actually care about the laws beyond the extent to which they can be meaningfully enforced will retain the means for violence. The only way to pretend-break this recursion is to outsource the violence (e.g. to the police and the military), and then claim that the rest of society is peaceful. But that's a sham - if you back a law that ultimately results in a cop enforcing it breaking the nightstick on someone's back, you're complicit in that act of violence.
The goal isn't to pretend there's no violence, the goal is to reduce the number of violent deaths.
And the police are going to need some weapons whether or not you have gun control.
So sure, some groups are more willing to give up guns than others. And we should perform a cost/benefit analysis while keeping that in mind. Plans don't have to meet some standard of ideological purity before we can evaluate them.
Look, I understand your point. But this bizarre handwringing over "how dare you work on advertising?" just feels like there's something wrong with worlds perception of the poster.
There are literally millions of people that deliberately do jobs that knowingly hurt people (and are built AROUND hurting and scamming people) and asking yourself "why would anyone try to improve on an ads tracking system while keeping ads around?" just really really comes out as horribly naive and oblivious. Not to mention that there are even millions more of jobs where significantly more harm is done as a side effect that doesn't come close to showing a damn ad based on their amazon purchase.
There's two sides to every story. Reducing the amount of third-party tracking cookies on the web, and implementing a novel application of federated learning are definitely things some engineers would do, money aside, because they're technically challenging.
FLoC does reduce tracking: instead of many third parties building a thorough picture of your activity server-side, your page-level activity stays in the browser. Which already needs to know that, so it can maintain your history and turn links purple. Only the aggregated "cohort" is available to sites.
(Disclosure: I work on ads at Google, speaking only for myself)
When one of those cohorts is narrow enough to reveal something specific and highly private (like a specific disease / medical / legal / societally high interest issue) - what then? Sites get to learn that you are associated with that very private concern.
No. I am against any and every form of personalized AND aggregated categorization, because until the associations created are no longer used as criteria by others, no form of tracking is neutral.
Cookies AND FLoC and any other replacement all need to stop.
And those who want to characterize others need to stop, because the information WILL be abused.
If this were to succeed, then not too far out any website a user visits on the Internet can basically reverse engineer to a high degree (and at least approximate) the sites a Chrome user was on.
Additionally, combined with just IP address it's probably a 99+% precise user identifier.
> It uses SimHash, so any website a user visits on the Internet can reverse engineer the sites a Chrome user was on.
How so? A user's cohort is shared by many other users, and for any individual site you have visited it is very likely there will be another user with an identical cohort who has not visited that site. This means you cannot tell exactly which sites any individual has visited.
> combined with just IP address its probably a 99+% precise user identifier.
IP address alone is already a massive fingerprinting leak, and needs to be addressed if browsers are to prevent cross-site tracking. Chrome is also working on this: https://github.com/bslassey/ip-blindness
> I think not because most software engineers have a choice.
Most people care more about their own interests than the interests of society in general. Only when collectively devising laws would society take the interest of society over individuals.
Therefore, software engineers are fully justified at making software that is deemed unethical, but still take the stance that it is unethical. You might call it hypocrisy but I say it's practicality.
Legislation should be introduced to perform the function of ensuring ethical standards, not altruism on the part of the individual.
They’re allowed to take that stance, sure, but I’m allowed to judge them for it. Ignoring your own morals just to make a buck isn’t a good thing. Otherwise we should all just become drug dealers.
It is. If you’re not calling ‘document.interestCohort()’ or serving ads from an ad network on your page then FLoC does nothing. The purpose of this permission is to prevent embedded third-party content from using FLoC.
*If Google does not detect ads. Which can mean anything depending on how they stretch the definition. And Google has a bad history with this kind of thing, see unwarranted and unexplained account bans as well as automated "malicious website" flagging that's notoriously hard to get rid of because Google won't even tell the website owner what part of the site was detected as malicious.
Genuine question: any ads from any network? Not just Google's? Because if so, I fully expect someone to mess up and have that detection mark sites with zero ads as having them, thus tracking their users. Detection is never 100%. Never ever.
Unless I’m misunderstanding, which is likely (and I hope I am)
Yeah that should be the default configuration shipped with Apache httpd. If Apache refuses to add the header, I'm sure it will be possible to convince many distros to add it.
No, we should absolutely not bloat every HTTP response just because Google wants to abuse its users. Not to mention that widespread use of this header will result in it being ignored entirely just like happened to DNT. The proper response is to a) convince people to stop using Chrome and other Google software and b) campaign for legislation and antitrust enforcement and c) remove google ads, analytics and any other Google scripts from your websites.
Unless Google make it a benefit in search rankings in which case some (possibly many) will for SEO purposes, but still not enough I'd wager (and the balance would be such that lower quality sites, that prioritise SEO over actually useful content, would be the majority of those that went for it).
This feels a bit like way-back-when, when BT and a couple of other UK ISPs toyed with a system that would insert ads into web content, sometimes replacing existing ads, simultaneously bothering their users (to make money out of them on top of existing subscription payments), screwing site runners (being associated with ads they had no control or even knowledgeless knowledge of, and potentially losing ad revenue), and screwing other advert providers.
I would assume that anyway. Who other than sites using Google analytics or ads (so part of the tracking network anyway) would opt in to being part of the tracking network that (unless they switch to Google's ads too) offers little or no benefit to them?
Maybe it's time for developers to help with the fight back. Break things in Chrome, and encourage people to use Firefox. The amount of time I've been told to use Chrome is ridiculous. I regret being part of the crowd who jump on the Chrome bandwagon when it came out all those years ago.
Having to explicitly opt out regardless of what you do is terrible. So now you're telling me that I have to consciously disable it every time I create a new website/page? How do we force Google to stop this?
Sadly most users don't even know that they are using Chrome or Firefox or that these have a version number. So breaking up things for them won't help, they won't make the switch...
It has to be a regulatory decision imposed on Google, much like when Microsoft was forced to do something about Internet Explorer long time ago.
That said, according to that StackOverflow page, the error only appears in DevTools. That's not as bad as it sounded at first. I was worried it would be an IE-style alert on page load, for example, or a visible bar across the top of the page. It's not, it's just spam in the DevTools console.
That's correct. I posted that answer on StackOverflow, and as far as I can tell from testing so far, it is just a warning in the DevTools console as noted on the StackOverflow answer, and there shouldn't be any other negative impact :)
Isn't this the sort of thing .well-known is for? Presumably Google are doing it this way because less people can create headers than can make a text file.
That’s probably already the case. This is a common area of speculation in the SEO community. Trying to figure what factors are used by Google to determine the ranking.
People will add it in their configs and anecdotally perceive that it has an impact in their rankings. It would likely become a must for SEO.
This is a reflection of how incredibly genius the original PageRank was. It’s what makes Google the business it is. It’s almost like a small model of free market behavior. Except that in this case Adam Smith’s invisible hand is Google. That’s what makes Google so powerful and scary.
This is my problem. I can circumvent Facebook, Apple and other bigtech companies in my work, if I so wished. But Google is everywhere and almost any business I work for has some connection to it (be it Adwords, Market, Business Tools or a simple Drive)
This is why Google is a monopoly that needs to be looked into. We need to have choice again by allowing competition to thrive again.
Maybe search is a natural monopoly, and with it, there must be net neutrality legislation made so that the search rankings cannot be used to further a different business agenda.
If the electrical utility company said that they'd supply more (or better/stable) power to your premise because you were willing to buy a certain brand of electrical appliance, then it'd be grounds for anti-consumer action from the DoJ.
SEO is 100% pure speculation, as there is no way to validate why Google ranks things the way they do. The only people who do know for sure are closely monitored Google employees who value their bonuses.
No, if anything it will affect your site negatively because it will make your site slightly slower. I suggest ignoring the tinfoil hat SEO community and follow the official Google guidelines.
Very dystopian to think Google is normalizing the idea enabling an ad tracking profile built into the browser itself.
The very notion that users need to be tracked and fingerprinted/profiled from site to site is asinine.
Advertising worked before the concept of tracking on the web. Companies simply paid for contextual ads based on the site. For example visit a site that covers college basketball and advertisers would pay to put ads here for sports gear, sports equipment etc, Go to a site that covers how to keep a nice lawn and advertisers would pay to place ads for mowers, fertilizers, etc.
The very idea that it is normal to have a specific advertising profile assigned to you to track you all over the web is disturbing.
If your site does not call document.interestCohort() or include ads, Chrome will already not consider your site in computing FLoC:
> A page visit will be included in the browser's FLoC calculation if document.interestCohort() is used on the page. During the current FLoC origin trial, a page will also be included in the calculation if Chrome detects that the page loads ads or ads-related resources. -- https://web.dev/floc/
I looked into this, and it's way harder than you think. Several browsers report themselves as Chrome, Chrome itself is about to get rid of its user agent, and all the javascript feature detection methods I could find no longer work.
I don't see how that helps at all. I couldn't find any reliable method for distinguishing between Brave (or Vivaldi?) and Chrome. Any whitelist would exclude other Chrome-based browsers.
That's interesting and ethical by providing suggestions as alternatives!
I'd be interested too, but I can't find much on the web... do you guys have any instructions/link?
In the end, I managed to add a banner on my Hugo blog[1] that should appear with all the browsers (for now) except for Firefox and Brave. I did it in two steps:
1- CSS "supports" feature to identify Mozilla Firefox[2]
I think browser diversity is important to ensure that web platform features are thoroughly planned. While FLoC shows that Chromium-based browsers will oppose the worst features that Google attempts to push through, Google has already been known to implement web features that all other browsers have expressed no interest in implementing, often due to privacy concerns. So while I think many other Chromium-based browsers are better than Chrome, giving market share to an alternate browser engine is a huge benefit for the open web.
An example where Firefox felt that the privacy concerns of a feature were not sufficiently addressed is https://chromestatus.com/feature/4733392803332096. There are many more examples, especially around many of the APIs to expose local devices.
Another option is Safari which I consider a better option than Chrome but they also seem to prefer pushing native apps over the open web and Safari seems to purposely lag behind on implementing some critical web features (especially on mobile).
Ha. This just occurred to me - Google is a search engine of websites for many people, but at the same time it is a search engine of people for many advertisers.
We thought we were looking for something but actually we were constantly searched.
Ha. They do this everywhere not just on Chrome. In your gmail. Youtube. In your smartphone, google apps. Basically any google product should be expected to spy on you.
You are the product in Google's grand scheme. The ad buyers are their customers.
I think web directories might come back. It's not a search engine per se, but like how Craigslist works....websites listed under a bunch of categories.
I miss the days when you'd click on sites inside the Yahoo! directory just because they had a cool or funny domain name. Search probably saved us several years worth of time, but at the same time made it almost impossible to randomly come across sites in your category that are bizarre or unconventional.
Done, just added the header to my .htaccess. No big deal. 1 minute work.
In general a good idea to just be on top on what headers your web site actually sends and generally know what you are doing with things like cookies, etc. on behalf of your users.
That's already something you need to do and be on top of for legal reasons. Just because lots of website maintainers are kind of indifferent/hands off/sloppy/ignorant on this front does not mean it's OK for you to be that way. This is just another thing to take a conscious decision about and pay attention to. Things that you are in any case supposed to know and pay attention to. Comes with the job of running a website. Your content, your problem to deal with. Or not. Normal due diligence. Should be business as usual.
Say you are running a page selling car parts, but aren't paying Google to run ads. Not opting out means that your customers now get targeted ads from your competition.
Unless you are paying Google large amounts of money to mainly show your ads, not opting out seems like the wrong choice.
Your last point would more accurately be stated as "If we are going to have tracking, ..."
To which I say, let's not have tracking at all, instead of choosing between crappy cookies and even more potentially crappy FLoC.
Reverting to advertising without tracking is entirely possible, it just disenfranchises a whole host of greedy manipulative jerks who will do anything for a buck.
- FLoC is still far better than third party cookies
I'd take issue with 'far' better, and it has the additional problem of turning the privacy issue into a moving target. How long did it take to get the wider public and legislators moving on tracking cookies? Now it's a similar issue, just it's called FLoC and it's code on your own machine doing the spying.
- A world without advertising
Super disagree that this is at all an issue. Most of the revenue that gets eliminated is for stuff that people won't pay for anyway, and I question its value if that's the case. Personally I think all advertising is an utter blight, and couldn't care less if it goes away forever and takes its revenue with it. It will be a struggle for a while, and many small sites will fall. The stuff that will be left is stuff that's hopefully worth the money people pay for it, or run as a passion project.
Advertising without any sort of tracking just based purely on inbound search queries is still really good advertising and better than older ways. What most people don't want is a profile following you around everywhere.
Neither is good, but that doesn't necessarily make the topic you're attempting to pivot to relevant in this situation.
Also, Cloudflare (provider of the external service you mention, assuming you're talking about DNS-over-HTTPS) definitely isn't Google. At least not yet.
On an individual level it doesn't. It takes time and makes such a small difference that it's pointless. Google knows this of course. The result is that they can claim people can opt out, while in practice they run a giant surveillance network.
No, it benefits google and google margins only. Ads have been on a downward trend for ad partners for years, you will never see a dime from giving google more data.
This FLoC network should be opt in and it should be revenue sharing for all partners that participate.
We need to stop giving google all our work for free.
Let me turn the question around: to what extent are website owners who do not opt out accomplices with Google in the privacy violations implicit in their creepy surveillance profiling tech?
accomplices invokes images of people “in” on the conspiracy.
In my rough estimation based on nothing, I’d guess most website owners have no idea this is an issue that needs fixing.
Your rhetoric is inflammatory, inaccurate, and does your side of the argument harm by making the whole argument look absurd.
I often think of it as: As a website owner, will partnering with Google - a market leader in the advertisement space have a direct negative impact on me and my stakeholders?
If not, it has been observed that there's very little incentive to communicate that change through.
As much as I'd like to believe that altruism will win in the end, it has been established that ultimately the capacity to gain materialistic advantages can often triumph over individual's judgements.
Let's rephrase that... to what extent are website owners who do not opt accomplices with Google, Microsoft, Facebook, Twitter, Instagram, Amazon, etc. Please also note that Firefox enables multiple telemetry features by default, such as safe browsing lists that checks links you visit presumably also tracking your URLs in the process.
if all it takes to block is adding header `permissions-policy: interest-cohort=()`
1. Github has all those bots that suggest security improvements to your code - maybe they should also suggest privacy improvements to your code.
2. Governmental sites should be changed to always require this.
3. How about a plugin that when it gets a site without the header informs user via colored tab or similar solution. I suppose Google would try to remove it from add-ons, but then that would be fuel for the inevitable lawsuits complaining this whole thing was anti-competitive and monopolistic behavior on Google's part.
There are also tools that check your HTTP headers. While securityheaders checks for Permissions-Policy being used, I can imagine it will be improved to check for the "interest-cohort" value in the future.
How many of you actually bought something just because a machine/stranger recommended it to you? For me, it's almost never.
I watch YouTube a lot, as a free tier user, of course. When a video starts to play, all my focus is automatically dead-locked on the "Skip Ad" button, and sometimes "Skip trial". It's a game for me now to see how fast I can tap the "Skip". As for the content of the Ad, well, usually I ignored it all together.
Sometimes, when I'm away from the phone and suddenly some 50-hour-long Ad starts to play, I'll just continue finishing what's on hand first, and then go to my phone to tap "Skip" or switch to Twitter or Telegram to see what's fun over there -- all without noticing what the Ad was saying.
Yes, sometime, some annoying Ad got into my head anyway, but ... why should I buy something that annoys me?
For me, the most effective Ads are those for what I'm actively looking for. For example, if I'm looking for running shoes, I'll click the Ad on the search page and/or listings page to see if there is a good product/deal. And I'll stop clicking those as soon as I've made the purchase.
So personally, I don't really understand the idea of Tracking Your Every Move So We Can Sell You Stuff. How does it even work?
Yesterday on Reddit, I saw a meme with a picture of a dish rack sitting atop a sink, with a funny caption about the kind of stuff you get excited about in your 30s.
For me, I did get excited, as such a contraption would save a ton of counter space in my small apartment. I ended up searching for it on [big ecomm store] and almost bought one. Still looking for one that's designed for use over a single sink.
It sounds funny, but sometimes, those ads contain some information that might spark the curiosity in me.
For example, there was an ad about some gangster/mafia game, the ad itself was absolutely ridiculous for my taste, however, the game itself received ~4.3 stars rating on Google Play, which is completely contrary to my expectation -- other people think it's not a bad game, it's just me not understanding it well enough.
Look, I live a simple life, the world in my eyes is narrow, which is bad for me as a (self entitled LOL) developer. So if getting harassed for 5 seconds is what it takes to widen my view a bit, I think I'll take it :D
Of course I never downloaded the game, so it's still an ineffective advertisement for them.
I was convinced to switch from GoogleFI (mobile carrier) to Mint Mobile because of ads on YouTube. That made me feel great pay less ($15/mo) and slightly de-google myself a bit, via adverts on YouTube of all places!
I think the obvious thing to do is block the user agent, and inform the user that they need to upgrade to access this content without forfeiting a collective right to privacy
Is it really necessary to add this header to each and every response?!
I feel like it might be sufficient to add this header just to documents like *.html.
Perhaps someone will set up a remote^1 web proxy that adds the suggested "Permissions-Policy: interest-cohort=()" HTTP header to disable FLoC. Browser extensions are great but there is nothing to stop Google from removing access to them through the Play Store at any time.
1. Another alternative is to run the proxy locally. I run a web proxy bound to the loopback.
The browser I use does not process Javascript or CSS. I therefore have to do nothing. :)
However, I would guess switching browsers is extremely unlikely for a great number of users. Google must know that. That is why they can do something like FLoC. They must know that not many users are going to switch browsers.
I was not suggesting it would be users who set up the proxy. On the contrary I was suggesting we might see someone set up a proxy to help users who are unable/unwilling to help themselves. There are so many simple things I do for myself that I see being set up as "SaaS"-type projects/businesses and then posted/discussed on HN.
Thank you, I've been made aware of this and have amended the post to clarify that it's ineffective w.r.t. FLoC; for the technical reason that you mentioned.
Not when the algorithm is controlled by Google. Just like SEO efforts. Google will tweak their FLoC generation to ensure they get what they want out of it.
I don't think the meta version of Permissions-Policy ever got implemented. "http-equiv" isn't a magic "here's a HTTP header I forgot to mention" pixie dust.
Better stick to the actual recommendation of adding the header in the server configuration.
Whilst http-equiv is said to be an enumerated value, so far as I know in Chrome, it actually is "magic HTTP Header pixie dust": [0]
And whilst in Firefox parsing of the element is more spread out, they accept a very wide number of headers that aren't documented, and you'll find examples on MDN for any number of headers using http-equiv which aren't specified in the standard or on their docs for http-equiv itself [2] (For example, X-DNS-Prefetch-Control [1]).
This will generally be a HTTP Header. How you add that depends on your server/framework. (And will be well documented).
If you've only got a static site, then you can always fallback and use HTML to achieve the same thing with http-equiv, which gets added to the head element:
<meta http-equiv="Foo" content="things" />
For example to redirect to /foo after 3 seconds:
<meta http-equiv="Refresh" content="3; /foo" />
It's a little off the beaten track for most people, but the kind of knowledge a web developer can be expected to know, or know where to look in the documentation.
Hopefully that can help you in your future endeavours.
OK I'm thinking you could write a simple extension that could add the header for every request and disable this everywhere, effectively disabling FLoC. Am I missing something, or would this be really easy to hack and disable?
It adds a header "permissions-policy" to the HTTP response with the value "interest-cohort=()". This turns off the FLoC feature for the site in Google Chrome.
I'm specifically asking about the nature of the value "interest-cohort=()", it's being presented as something to just inject into your nginx conf file to make FLoC go away or whatever, but I'm wondering why the value needs to equal "()" etc.
The format of the Permissions-Policy header is roughly <permission>=(<allowlist>). An empty list allows no origins (not even the current page), so the feature is turned off.
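The header format described in the comment above, and the header-checking tools mentioned earlier in the thread, as an added example that is not part of the original discussion: a small checker that reads a response's Permissions-Policy header and reports whether `interest-cohort` has an empty allowlist. The function names and the sample responses are constructed for illustration, and the parser covers only the simple syntax shown in this thread.

```python
import re

# Simplified reader for the Permissions-Policy subset discussed in this thread:
# comma-separated "<feature>=<allowlist>" members where the allowlist is "*",
# "self", or a parenthesised, space-separated list. It is not a full
# Structured Fields (RFC 8941) parser; anything else is reported as unparseable.
_MEMBER = re.compile(r'([a-z][a-z0-9_-]*)=(\([^()]*\)|\*|self)')

FEATURE = "interest-cohort"


def parse_permissions_policy(values):
    """Return {feature: [allowlist items]}, or None if any member is malformed."""
    policy = {}
    for value in values:
        if not value.strip():
            continue
        for member in value.split(","):
            m = _MEMBER.fullmatch(member.strip())
            if m is None:
                # A Structured Fields parser drops the whole field on a syntax
                # error, so one bad member means no usable policy at all.
                return None
            feature, raw = m.groups()
            items = raw[1:-1].split() if raw.startswith("(") else [raw]
            policy[feature] = items  # repeated key: the last member wins
    return policy


def floc_status(headers):
    """Classify one response from its headers, given as (name, value) pairs."""
    # Header names are case-insensitive; the thread spells it both ways.
    values = [v for k, v in headers if k.lower() == "permissions-policy"]
    if not values:
        return "absent"
    policy = parse_permissions_policy(values)
    if policy is None:
        return "unparseable"
    if FEATURE not in policy:
        return "absent"
    # "()" is an empty allowlist: no origin, not even the page itself.
    return "disabled" if policy[FEATURE] == [] else "allowed"


# Constructed sample responses (path -> response headers), not real traffic.
SAMPLE_RESPONSES = {
    "/": [("Content-Type", "text/html"),
          ("Permissions-Policy", "interest-cohort=()")],
    "/blog": [("content-type", "text/html"),
              ("permissions-policy",
               'geolocation=(self "https://maps.example"), interest-cohort=()')],
    "/shop": [("Content-Type", "text/html"),
              ("Permissions-Policy", "geolocation=()")],
    "/about": [("Content-Type", "text/html")],
    "/typo": [("Content-Type", "text/html"),
              ("Permissions-Policy", "interest-cohort=(")],
    "/open": [("Content-Type", "text/html"),
              ("Permissions-Policy", "interest-cohort=*")],
}


def audit(responses):
    """Map each path to its interest-cohort status."""
    return {path: floc_status(headers) for path, headers in responses.items()}


if __name__ == "__main__":
    for path, status in audit(SAMPLE_RESPONSES).items():
        print(f"{path:8} {status}")
```

Only the `disabled` result corresponds to the opt-out described in the thread; `absent` and `unparseable` both mean the response carries no working opt-out.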
There's a price to privacy. When I was younger I jumped on the bandwagon and for a period only used Firefox with cookie autodelete and cache cleared every exit.
Now I just see it as being asocial. If Google didn't monetize search with ads how would you discover new products? Without ads websites would not be able to deliver premium content and we would all still be stuck in the early 90s. The internet would work like some broken socialist version of wikipedia.
I have ad free YouTube and sometimes I consider turning it off just to see what kinds of ads are out there that I've missed.
Without tracking-fed ads, the internet would work like a super powered version of the directory style setup like we had before Google suborned the very idea of 'the web'.
I'd love to see an internet of individual directory sites, some of which could be 'pay for placement', some of which would be hand curated, others could be algorithmically built...
So much better than Web == Google homepage == "What's a search? I type in where I want to go and click on the first thing I see"
Does anyone else see FLoC as worse than the current state we're in?