floc VS standards-positions

Draft: https://github.com/WICG/floc

"The browser uses machine learning algorithms to develop a cohort based on the sites that an individual visits. The algorithms might be based on the URLs of the visited sites, on the content of those pages, or other factors. The central idea is that these input features to the algorithm, including the web history, are kept local on the browser and are not uploaded elsewhere — the browser only exposes the generated cohort." Source: https://github.com/WICG/floc

Google (or other third-party tracking) is also not effected by VPN. These groups use cookie syncing to assign you a unique ID and then collect this ID again as you browse the internet. That buyerID can then be cross-referenced (even with other buyerIDs) to generate all sorts of different demographic/psychographic information and used to fingerprint your online life for audience targeting. Google actually is in the works to take this a step forward with the FloC experiment. FloC (Federated League of Cohorts) actually deprecates the Set-Cookie header in favor of in-browser history scanning. Basically, in a year or two they plan to incorporate Chrome into their adtech stack and have it report your history/behavior to Google (regardless of whether you save history or not). Here is some good info on that: https://github.com/WICG/floc

Instead they propose new standards, like HTML Imports or FLoC, and the W3C decides as a whole whether or not they become official standards.

With cross-site cookies, adnetwork.com has full information about what sites you've visited (among sites that incorporate their cookies). This isn't good either! But generally speaking, an individual site using adnetwork.com for advertising won't have or want access to that vector of your interests; many site operators don't even have visibility into what ads win real-time bidding, just that they're receiving money for providing their inventory. Certainly there are players that can provide demographic targeting metadata to site operators, but to my knowledge they are less widely known and certainly not cheap, and I imagine (or hope) any players with wide enough cookie reach would be discouraged from maintaining a database that could associate metadata with PII.

With FLoC, though, the idea was that the browser would provide document.interestCohort() and the individual site's JS could react accordingly: https://github.com/WICG/floc . This means that any site, regardless of its contracts with ad networks, could immediately identify your cohort and associate it with your activity. Web developers working in good faith would be encouraged to have user.cohort or user.topic fields from day one "just so you have it" - imagine all the ways someone could use this in bad faith. Inevitably this data would leak (or be intentionally leaked) and could trivially become a target list for doxxing closeted people. It's a dangerous, dangerous proposal.

You can't find any info about this because there isn't really any. Josh Karlin, who is the maintainer of the FLoC working document, said at an event that it might make sense to swap to topics. It's essentially just reducing the entropy of the cohorts and giving them a more comprehensible (and probably less useful) taxonomy. That's all the info there is.

https://github.com/WICG/floc explains the overall goals.

It's pretty complicated and my understanding could be wrong and definitely not an expert. All the stupid CIA-style names that keep changing don't help. Turtledove, fledge, sparrow lol.

But from what I think I know that's kind of right technically, but kind of not in terms of actual real privacy.

Yes, the actual browsing data, e.g. for the basic floc cohorts only what amazon product page you visited, is no longer 'sent' to ad networks (that's a pretty big oversimplification of how ad networks track you but for brevity). That data is parsed in your browser to generate a cohort ID for you.

But this cohort ID is exposed to the world document.interestCohort() and is what's used for targeting and tracking.

To me it seems that the cohorts are so small "thousands of people" + IP or UA it's basically the same as a semi-long lasting uuid.

Here's an image from google's site.

https://web-dev.imgix.net/image/80mq7dk16vVEg8BBhsVe42n6zn82...

It also seems like Chrome/google might be still defaulting browser settings to give themselves even more data just like they currently do?

https://github.com/WICG/floc#qualifying-users-for-whom-a-coh...

BUT when you layer on the other proposals (Fledge/Turtledove/Dovekey or whatever) - which I don't understand that much maybe someone else can explain - it seems like it basically collect this page/product level data and makes it available to DSP etc for tracking/ad serving (again if not technically 1:1 basically in consequence given the sizes of these groups).

Like one of the proposals talks about a 'trusted' key/value server which doesn't seem that different from what already happens? The original proposal wanted to move the entire ad bid/target/serve process into the browser.

You can check why Mozilla and Apple have opted to not support this.

https://github.com/mozilla/standards-positions/issues/154

https://github.com/WebKit/standards-positions/issues/28

Neither Mozilla or Webkit are satisfied that the proposal is safe by default, and contains footguns for the user that can be pretty destructive.

FWIW Mozilla updated their position on Web Serial API to "neutral" and clarified that they might be okay with enabling the API with an add-on.

https://mozilla.github.io/standards-positions/#webserial

Allowing serial but not HID would be really strange. With HID you get standard identifiers that let you filter out devices that are too dangerous for the web. With serial you get nothing. Even if you know a device is dangerous, there's no way to protect users from it.

Hasn't FireFox been dragging their asses on @scope? https://github.com/mozilla/standards-positions/issues/472

It took years to just convince them of the need for it. And I'm not sure anyone got convinced vs Chrome had already shipped it and Safari has it planned so they caved in.

Hard to believe FireFox used to be a leader of the modern web.

As mentioned by others, OK idea, but not a fan that this isn't standardized. After a quick search+peruse, these seem to indicate that it's not around the corner either. Happy (/hope) to be corrected.

https://github.com/whatwg/html/issues/4180

https://github.com/mozilla/standards-positions/issues/990

Mozilla's position on these specs is nicely outlined publicly and transparently as part of their standards-positions project: https://github.com/mozilla/standards-positions/issues/100

I'm kinda glad it's not implemented in my browser, to be honest, because the whole thing seems like a security nightmare.

It's a shame it impacts some hobby usecases, but I don't think this outweighs the reasoning set out on the GitHub issue.

This should have big warnings on it. Some of these are not web standards; they are features implemented unilaterally by Google in Blink that have been explicitly rejected by both Mozilla and Apple on privacy and security grounds.

Take Web Bluetooth, for example:

Mozilla:

> This model is unsustainable and presents a significant risk to users and their devices.

— https://mozilla.github.io/standards-positions/#web-bluetooth

Apple:

> Here are some examples of features we have decided to not yet implement due to fingerprinting, security, and other concerns, and where we do not yet see a path to resolving those concerns

— https://webkit.org/tracking-prevention/

This is Microsoft’s Embrace, Extend, and Extinguish bullshit applied to the web platform by Google. Google keeps implementing these things despite all other major rendering engines rejecting them, convinces people that they are part of the web, resulting in sites like this, then people start asking why Firefox and Safari are “missing functionality”. These are not part of the web platform, they are Google APIs that have been explicitly rejected.

Is BLE a PWA requirement? I think they explained their position pretty well here, regardless of whether I agree:

https://github.com/mozilla/standards-positions/issues/95#iss...

I took a glance at Can I Use what the difference between the last public release of Firefox and Chrome is [1] and they don't really have that big of a difference in the eyes of normal use-cases? Some of these aren't implemented purely because of privacy reasons, the proposals aren't finished yet or complexity [2].

Why would Firefox need to change to Chromium engine? The only websites I notice that don't work with Firefox is because of user-agent targetting or just putting 5-second time-outs in Youtube code on non-chrome webbrowsers [3].

Can you give some examples of websites not working on Firefox?

[1] https://caniuse.com/?compare=chrome+120%2Cfirefox+121&compar...

[2] https://mozilla.github.io/standards-positions/

[3] https://www.neowin.net/news/youtube-seemingly-intentionally-...

Mozilla are dragging their heels on @scope:

https://github.com/mozilla/standards-positions/issues/472

https://connect.mozilla.org/t5/ideas/implement-css-scope-rul...

Someone who clearly didn't get it was wasting three years time "well actually"ing everything. The latest news is "it's worth prototyping". Meanwhile Chrome has released it(steam rolled?) and Safari has it in tech preview.

I question if FireFox has the resources to keep up with the pace of the modern web.