floc VS proposals

Draft: https://github.com/WICG/floc

"The browser uses machine learning algorithms to develop a cohort based on the sites that an individual visits. The algorithms might be based on the URLs of the visited sites, on the content of those pages, or other factors. The central idea is that these input features to the algorithm, including the web history, are kept local on the browser and are not uploaded elsewhere — the browser only exposes the generated cohort." Source: https://github.com/WICG/floc

Google (or other third-party tracking) is also not effected by VPN. These groups use cookie syncing to assign you a unique ID and then collect this ID again as you browse the internet. That buyerID can then be cross-referenced (even with other buyerIDs) to generate all sorts of different demographic/psychographic information and used to fingerprint your online life for audience targeting. Google actually is in the works to take this a step forward with the FloC experiment. FloC (Federated League of Cohorts) actually deprecates the Set-Cookie header in favor of in-browser history scanning. Basically, in a year or two they plan to incorporate Chrome into their adtech stack and have it report your history/behavior to Google (regardless of whether you save history or not). Here is some good info on that: https://github.com/WICG/floc

Instead they propose new standards, like HTML Imports or FLoC, and the W3C decides as a whole whether or not they become official standards.

With cross-site cookies, adnetwork.com has full information about what sites you've visited (among sites that incorporate their cookies). This isn't good either! But generally speaking, an individual site using adnetwork.com for advertising won't have or want access to that vector of your interests; many site operators don't even have visibility into what ads win real-time bidding, just that they're receiving money for providing their inventory. Certainly there are players that can provide demographic targeting metadata to site operators, but to my knowledge they are less widely known and certainly not cheap, and I imagine (or hope) any players with wide enough cookie reach would be discouraged from maintaining a database that could associate metadata with PII.

With FLoC, though, the idea was that the browser would provide document.interestCohort() and the individual site's JS could react accordingly: https://github.com/WICG/floc . This means that any site, regardless of its contracts with ad networks, could immediately identify your cohort and associate it with your activity. Web developers working in good faith would be encouraged to have user.cohort or user.topic fields from day one "just so you have it" - imagine all the ways someone could use this in bad faith. Inevitably this data would leak (or be intentionally leaked) and could trivially become a target list for doxxing closeted people. It's a dangerous, dangerous proposal.

You can't find any info about this because there isn't really any. Josh Karlin, who is the maintainer of the FLoC working document, said at an event that it might make sense to swap to topics. It's essentially just reducing the entropy of the cohorts and giving them a more comprehensible (and probably less useful) taxonomy. That's all the info there is.

https://github.com/WICG/floc explains the overall goals.

It's pretty complicated and my understanding could be wrong and definitely not an expert. All the stupid CIA-style names that keep changing don't help. Turtledove, fledge, sparrow lol.

But from what I think I know that's kind of right technically, but kind of not in terms of actual real privacy.

Yes, the actual browsing data, e.g. for the basic floc cohorts only what amazon product page you visited, is no longer 'sent' to ad networks (that's a pretty big oversimplification of how ad networks track you but for brevity). That data is parsed in your browser to generate a cohort ID for you.

But this cohort ID is exposed to the world document.interestCohort() and is what's used for targeting and tracking.

To me it seems that the cohorts are so small "thousands of people" + IP or UA it's basically the same as a semi-long lasting uuid.

Here's an image from google's site.

https://web-dev.imgix.net/image/80mq7dk16vVEg8BBhsVe42n6zn82...

It also seems like Chrome/google might be still defaulting browser settings to give themselves even more data just like they currently do?

https://github.com/WICG/floc#qualifying-users-for-whom-a-coh...

BUT when you layer on the other proposals (Fledge/Turtledove/Dovekey or whatever) - which I don't understand that much maybe someone else can explain - it seems like it basically collect this page/product level data and makes it available to DSP etc for tracking/ad serving (again if not technically 1:1 basically in consequence given the sizes of these groups).

Like one of the proposals talks about a 'trusted' key/value server which doesn't seem that different from what already happens? The original proposal wanted to move the entire ad bid/target/serve process into the browser.

Ideally, Argon2, like PBKDF2 would just get added to SubtleCrypto (GitHub issue here), which would allow to forgo WebAssembly entirely.

I'd like to use Argon2 for web stuff but WebCrypto doesn't support it yet (https://github.com/WICG/proposals/issues/59) and the WASM flavor creates problems with bundling and testing.

ref: W3C Web Incubator Community Group (WICG)

Yeah, looking forward to switching it out if/when argon2 enters webcrypto.

> The problem is that people look at the Apple / Google duopoly and say "look we have competition! How can you compare this to Microsoft in the 90s!?"

Strong agreement. There's also a flacid, weak, shitty, useless anti-trust system, which was stripped of power by Borkism in the Reagan era. My generation has literally never seen effective anti-trust. Not once has a case been made against exploitative, anti-competitive practices that really has resonated in America, in decades, and it's not for lack of shitty, no good villians. It's because of Borkism[1][2], because of redefinition of what anti-trust meant under Reagan.

> The sheer amount of anticompetitive behavior both these companies have done over the years is insane when you put in prospective what Microsoft went to court over.

That Microsoft faced so much shit for such a relatively small act is amazing. What Apple does is absurd to me, that there's seemingly no legal challenge to their dominion-without-question of 30% of the web. I've looked at quite a number of anti-trust complaints against Google, and frankly, I owe it to myself/all to go re-review.

Google like Apple has suits against them for the 30% cut they charge at their store, which is both valid & respectable but also- on Android- easily avoidable & the open-source OS itself (& it's releases) actively supports alternative delivery platforms such as F-Droid and sideloading: Google actively supports competition. But we're seeing a lot of apps drop in-app sales, and I think that's a telling & real response: 30% is absurd. There's a number of suits against ads, and search. To be honest, none of these have left a distinct impression, have really clicked for me. I am fully able to believe there may be some serious fuckery here-abouts. There's a suit about Google Assistant systems being unable to also support alternative systems like Alexa: as a fan of general-purpose computing & competitive competition, I think this is absolutely a place that there should be straightforward & clear mandates for all companys, Google included, to be compelled to allow interopation: restricting people making devices to have to pick one and only one partner is basically a reasonable battle against Qualcomm-ism[3], against coersion, is a move to enable basic device-maker and consumer choice.

Against all of this backdrop though, one critical thing I think most of the world really has no sense of is that Google is somewhat alive under a weird patronage model. Their cash cows feel serve as patrons to the artists, and the artists are there just to make the ecosystem healthy & alive. The cash registers ring because of a semi-open market, because the web is a pretty damned good place to connect, host shit, do shit; better than AOL, better than Microsoft Windows, better than apps.

Trying to stack the deck laterally, to make the web be Google's web, or Android be Google's Android: they are extremely liable to kill the cash cow. These need to be healthy, independent, functional systems, that are getting better & remaining at the very forefront of competition against all others. This health is absolutely the pinnacle concern, is existentially important. Android or the web could readily collapse if things go poorly, if corruption takes root, if whiffs of real genuine misdealings gets into the air. And frankly, the problem solves itself internally. Google historically & famously has been an engineering lead organization. They have a long history of employing very good, public figures who care about the web, who know about the web, who have wanted to make the web better, who seem motivated by strong intrinsic desires. These people sit on standards boards, they help align Chrome. These people don't take shit from traditional corporate lackies trying to make some fast bucks by dodgy inter-dealings.

Again, given Google's strong first & second party relationships (search and ads), no matter what happens with browsers, webtech (& to a lesser degree Android), Google will have an incomparable vast & mighty perch to understand & analyze & model the web from, and not unfairly, not by cheating, not by underhandedness. The objective is to keep the shared, common, competitive platform alive, shared, & competitive. By doing good engineering. By making development better & easier & giving them better superpowers. By not hazarding gross breakage that would sabotage public belief/faith. This isn't a super complex system. It's nicely isolated parts, which each do their own thing: make better systems, use free-market search & ads to be top of the game (to make $ & to keep funding/patronizing the essential ecosystem).

> Many of us saw projects like Firefox grow in the 2000s, giving hope that open source and standards would win out in the end. But we dwindled, lulled by the sweet promises of Chrome and their open core.

True true. Will has been lost. Chromium is remarkably accessible, there are remarkably good hooks still in place to go build our own sync systems or what not. Few have chased up, have tried to really amplify & enhance Chromium into an open browser. That's unfortunate.

In general I'd say the real frontier for advancement is on https://wicg.io . This has been a very compelling case for how the web really needed to advance all along. An extremely low barrier to entry to start proposing ideas, where other standards folks & standards-adjacent folk can chime in & help steer, help sheppard young web ideas into desireable, promising standards that stand a fair chance of being adopted.

I definitely wish there were more alternatives out there, more efforts. I have hope we'll see some new arisals show up. But at the same time, I don't see Chrome as bad or scary or problematic. There's very few cases people have made against it that seem, well, real. Emotion & fear & doubt run rampant. Even when the team makes decisions I truly detest (e.g. squandering awesome HTTP Push potential then abandoning the capability) I generally understand & can see where folks are coming from. We're not accelerating to where I'd wish to go, but it's incredibly rare that I see Chrome/Chromium as going in actively bad directions, building "bad" web platform. Very few have made a case that I can really see or grasp, that's worth agreeing or disagreeing with about Chrome or Android, about how Google invests & shapes these forwards. I continue to see this more as a patronage system, as investment in the necessary & worthy ecosystem, that supports the existence of a separate, more corporate entity. And I don't see the anti-competitive practices taking root in this web or android space, generally.

[1] https://pluralistic.net/2021/02/06/calera/#fuck-bork

[2] https://pluralistic.net/2022/05/09/rest-in-piss-robert-bork/...

[3] https://news.ycombinator.com/item?id=31628094

> I'm so tired of Google inventing arbitrary stuff for the web, implementing it, and everyone then expecting Mozilla and Apple to just follow suit.

I agree, the situation is awful.

Personally, I'm so tired of Apple & Mozilla having complete veto power on the web.

The lack of will to standardize, the push back against doing good things, is way way way way way too high. Apple has long been the foot dragging, complaining, miserable laggard, with lots of their own ideas & little willingness to play with others. Mozilla recently seems to have switched sides: having given up on WebOS, they now seem to spend more time claiming to be "pro-privacy" & fighting against really good new capabilities than working things forwards. Apple and Mozilla both know Google is widely revilved & mistrusted, and are marketing the shit out of their anti-platform stances.

Thankfully we see a ton of really really good work happening on https://wicg.io. It's a good neutral territory to make the platform better. Tons of the web improvements happening are vendor-neutral, are just people with good ideas, that eventually, with support & community, stand a chance of getting sensible improvements implemented. Alas, Apple. :'(

> This means that software development is a failing discipline. All we can do is to come up with ever more ridiculous layers of complexity on top of mindboggling complexity, recursively. All of this is totally self-inflicted. The problem domains that our software needs to deal with are complex enough. But we keep piling on shit of our own making.

Awwhhh why so glum? This sounds so alarmist, so fraught & bleak!

I don't see anyone as having a bead yet on what the final destination is, on what is right or perfect. I see change & innovation & exploration as necessary, ongoing, and this layering of platforms atop each other is part of that larger bigger quest for us all to learn what serves ourselves well, to figure out how we align.

Overall these Adapter layers are quite performant, quite fast, and they isolate rather than leak complexity quite effectively. Electron's doesn't have to invent a ton of stuff to create this pleasant, familiar environment for developers or users- the operating system is simply not that relevant, is easily adapted, by a pretty boring regular programming language (Node.JS) and the world's most popular multimedia page/resource system (the browser).

Right now, yes, we have the web platform as a layer above native in many cases, but I'm not sure that that is so alarming. Maybe it's transitional? The early smartphones were both enormously web first, decided to use something great rather than reinvent: the Palm Pre and original iPhone (which was webapps only). In modern times, there's ChromeOS, and Palm's webOS continues under new stewartship, mainly on TVs. If the complaint is layers of complexity, maybe we just need to get rid of proprietary & legacy platforms, & embrace the common, shared medium that all computing has. Or find new unifying better platforms!

In general, I see these new platforms as being extremely liberating, as helping reduce the complexity developers have to mess with, by offering a set of well-defined standards & well known constraints & behaviors. Rather than a complicated, particular OS tied to some specific devices, with it's own quirks, with ever evolving platform capabilities & changing toolchain

> If this is what software development has become, then there's no way it won't end in total and utter disaster when people start to recognize the already all too common piss poor products that barely manage to do the absolute minimum and rebel against them. It may not be marketing department of the Sirius Cybernetic Corporation who'll be lined up against the wall first, but software developers when the revolution comes.

Again I think moderation is good council here, but I also agree in principle that there is some awareness software can be a bit of a disaster, and it's visible that sometimes updates & "improvements" serve external interests not the users.

Where I differ is I see Electron as a fairly hopeful, possible open future for computing, that does embrace users, more so than most software. Most software is not malleable, not adaptable. Electron, on the other hand, offers the very slick, open ended DevTools Protocol for most every app, which allows users control & automation & expansion of software. We can write some userscript & change the behavior of webplatform & electron systems, which is hugely powerful, is a far fairer shake & far more liberty than most computing platforms, where apps are usually compiled down, fixed in form & nature.

This second paragraph really brings me back to where we started: I don't think we have a bead yet, as a larger world. It feels like there's so much discovery, so much understanding to develop. What makes me hopeful is groups like https://wicg.io , which try to understand & consider how we might do better, which work to build open standards for the internet, for our shared multimedia platform, as a community, securely. There's so much further for all computing to go, so much we need to do to better serve users. I don't see anyone has having a strong lock on that, it feels like there's more to learn & become than there is that we've locked down, by far, so I am hopeful & excited & happy to see us staying malleable, working to unblock innovation at all levels, in all computing. Electron is a great & positive force here, albiet I look forward to other projects listed in the comments such as Tau providing similar-ideas with slightly-different execution.

The problem is certificates and WAN access, and lack of MDNS on Android. There's basically no way to do anything that doesn't involve some manual setup, aside from developing a new purpose built app, and maintaining it in addition to the product, probably on two platforms.

If Mozilla still had FlyWeb things could be plug and play.

I have a set of proposals here to bring some of that back: https://github.com/WICG/proposals/issues/43

And some are considering the Tox protocol, but in general, we have not solved the most basic issue of self hosting. How do I connect to my device in a way that just works, LAN or WAN, without manually serting up the client or registering for a service?

Yes, it is 100% time fot that.

Mozilla FlyWeb was close, but didn't handle remote access. It could have been extended to, but they dropped it.

I wrote a proposal here for how this could be done with Bluetooth-like pairing, using URLs that embed a certificate hash, a random sequence as an extra security layer, and a lookup URL that one can ask where to find the host for a service, for access over the WAN.

By using a URL instead of normal non-HTTP DNS, the lookup URL can be another web service self hosted using the same TLD, or a Data URI if one is hosting from a static IP.

No part of the URL besides the key is used to determine the origin for CORS and local storage, so you can change discovery methods and the random string freely.

Initial connection is by directly sending a link, or by LAN discovery.

Unless discovery is enabled and you are on the same network, it should be impossible to connect without already knowing the URL, so even if your home automation hub is very badly coded, they can't even start hacking it till they find your URL, which can't be found just by sniffing(Because of that random string).

Clients track the "last seen" address of servers, so even if lookup goes down, access still works until your home IP changes.

When nodes connect over LAN, the server sends it's "Find me on the WAN at" IP. So even with no discovery server at all and no static IP, it creates a very convincing illusion of "just working" 99% of the time.

Which means that if you buy a device that uses a cloud lookup service, and they drop that service, your device will still be remote accessible, most of the time. Which might be good enough, or at least good enough to get by until you can find a more permanent solution.

Proposal:

https://github.com/WICG/proposals/issues/43

And a partial implementation of a very close version(Lookups always use OpenDHT in this), plus a notetaking app based on it.

https://github.com/EternityForest/hardlinep2p

I really think this is one of those critical missing technologies that would really enable a lot of amazing things.