Joomla has announced plans to block Google’s Federated Learning of Cohorts (FLoC) by default going forward. The 220.127.116.11 security update, released yesterday, added a Permissions Policy header to disable FLoC. Users can now find a new setting in Global configuration on the Site tab in the Site Settings area, where they can toggle FLoC on if desired. This change will also affect existing sites updated from older versions.
The Joomla Developer Network blog outlined a few concerns contributors have about fingerprinting, the technology Google uses to gather information from a user’s browser to create a unique, stable identifier. They also highlighted cross-content exposure as another concern:
The technology will share new personal data with trackers who can already identify users. For FLoC to be useful to advertisers, a user’s cohort will necessarily reveal information about their behavior.
This means every site you visit will have a good idea about what kind of person you are on first contact, without having to do the work of tracking you across the web.
If you visit a site to buy a jumper they will have access to your cohort identifying number. This could also give them your political thinking or reveal that you are also in certain defined medical groups. There is nothing to stop these groups being backward engineered and your movement between the cohorts will reveal a lot about you over time.
A similar permissions policy header was added to Drupal 9.2.0-beta1 on May 14, after a lengthy discussion with overwhelming consensus to block FLoC. It is expected to be part of Drupal core on June 16, 2021, when 9.2 is scheduled to be released.
“I’d love to see this added to core and enabled by default,” Drupal founder Dries Buytaert commented on the implementation discussion. “We should provide an option/mechanism to disable it though.” He said he has already added a Permissions-Policy header on his personal blog.
Drupal makes disabling it a bit more of a hurdle than Joomla, as it requires setting
block_interest_cohort to FALSE in the settings.php file.
Although FLoC is still in the experimental stage, many other frameworks and tools have blocked it or are planning to block it. The DuckDuckGo Chrome extension has been reconfigured to block FLoC’s tracking, in addition to DuckDuckGo Search opting users out. GitHub is also blocking FLoC on GitHub Pages and all sites served from the github.io domain. Although Chrome is the market leader by a wide margin, Google has not yet been able to sway any other major browsers to get on board. At this time, Microsoft Edge, Safari, and Firefox do not plan to adopt FLoC.
“It is disappointing to see Google, instead of taking the present opportunity to help design and build a user-first, privacy-first Web, proposing and immediately shipping in Chrome a set of smaller, ad-tech-conserving changes, which explicitly prioritize maintaining the structure of the Web advertising ecosystem as Google sees it,” Brave CEO and co-founder Brendon Eich and senior privacy researcher Peter Snyder wrote in a statement on the company’s blog. “The worst aspect of FLoC is that it materially harms user privacy, under the guise of being privacy-friendly.”
Brave has disabled FLoC and the company recommends that all sites do the same, advising that “any new privacy-risking features on the web should be opt-in.” The post concludes that FLoC will not be an improvement on current ad tech:
Overall, FLoC, along with many other elements of Google’s “Privacy Sandbox” proposal, are a step backward from more fundamental, privacy-and-user focused changes the Web needs. Instead of deep change to enforce real privacy and to eliminate conflicts of interest, Google is proposing Titanic-level deckchair-shuffling that largely maintains the current, harmful, inefficient system the Web has evolved into, a system that has been disastrous for the Web, users and publishers.
What the Web desperately needs is radical change, one where “would users want this?” is the most important question asked for each new feature. Instead, FLoC and “Privacy Sandbox” ask “how can we make this work for ad-tech, in a way that users will tolerate or not notice.”
The open source Umbraco CMS is taking a more hands-off approach to the controversial issue. In response to a PR suggesting suggesting Umbraco block FLoC, Umbraco project manager Sebastiaan Janssen said, “We feel it’s not our place or task to enforce this kind of blocking, we believe site implementers should be free to use whatever services they think make sense for their sites (as well as block them when they want).”
At this point in Google’s Chrome’s Origin Trial, Chrome representatives do not yet know how the FLoC API will be finalized for determining which pages will be included in FLoC calculations. WordPress has not yet made a determination about whether to block FLoC or leave it site owners to decide. Multiple FLoC blocking plugins are already available to users who want to opt out now. After a lengthy and heated discussion on a proposal to block FLoC by default, WordPress core leadership moved the conversation to Trac where contributors are monitoring Google’s experiment.
The ticket has not yet received much feedback as WordPress is taking a more cautious approach that will depend on how Google decides to implement its FLoC API. Without the support of any major browsers, WordPress’ support or opposition may be critical to the success or failure of FLoC adoption on the web. Once more information from the FLoC trial becomes available, WordPress contributors will be in a better position to decide a course of action.