By soon I mean the beginning of 2022. There is still a lot of time to go, but given the number of internet companies that rely on third-party data in what they do, that window is shrinking rapidly. So the last stand of cross-site retargeting is going to fall… or is it?
In this article, you will:
- Learn something about the history of cookies
- Understand the impact of the cookie embargo
- Understand which cookies are in fact third-party cookies (and why we call the change cookie embargo)
- See how companies deal with the embargo
- Meet FLoC (Federated Learning of Cohorts) – the third-party cookie replacement.
Historical recap 🍪
The fourth stand of third-party cookies is about to fall. There’s no surprise here. Cookies found a receptive audience not long after their arrival. In the past, things like browser privacy barely existed, and Internet Explorer introduced cookies without any info or warning – to its own harm, as it soon appeared. A lot of public discussion started, and the issue soon ended up in Federal Trade Commission hearings.
More time passed and the internet became more and more familiar to all of us. Along with that, users became more aware of their own digital fragility and began to demand more privacy. We might say that public disputes about cookies (and internet privacy generally) continue to this day.
In fact, Apple and Mozilla Corp. eagerly sprinkled ashes on their heads some time ago, enabling privacy-supporting features in their products.
- 2019/3 – Safari (Intelligent Tracking Protection 2.3)
- 2019/9 – Firefox (Enhanced Tracking Protection as a standard mode)
- 2019/12 – Safari (Referrer clamping, additional third-party cookie restrictions)
- 2020/1 – Edge (additional tracking mitigations)
Oh, and Microsoft too. It is worth underlining that Apple communicates particularly strongly about its data security. The message got even more straightforward during and after the Cambridge Analytica epoch, and Apple leveraged it a lot.
Honestly, I don’t think patting them on the head for that is an option (and not because of the ash). Besides trends and regulations, they simply have nothing to lose. On the contrary, they even strengthened their party line as companies that will fight privacy violations at any cost (but with no particular fervor), weakening the position of the other companies (often and eagerly accused of such violations).
To be fair, Google also made a few moves in this direction in the infamous past year, 2020:
- 2020/1 – Chrome announces Privacy Sandbox
- 2020/2 – Chrome cookies SameSite enforcement
- 2020/8 – Chrome SameSite default policy to None
As Google owns Chrome and simultaneously runs one of the biggest display ad networks, blocking third-party cookies was for them like shooting themselves in the foot. However, there was talk of the giant getting ready to join the cookie-haters club, and so it happened: starting from 2022, no more digital treats of the third sort.
We are now mostly revolving around ad display systems, but let’s keep in mind that ad networks are not the only ones using third parties. In theory, a trend like this should affect the biggest players; in practice, as always, it hits the small ones the most.
At the end of the day, a small company running an ad network may have more agility than a giant, but at the same time it is vulnerable to changes that sometimes affect its entire business model. I hope you’re not one of these companies!
Yet the consequences cannot be understood without first making certain issues clear.
To be fair, there was never such a thing as a third-party cookie in the sense of a cookie carrying a special mark saying “this is a 3rd party cookie”. In practice, “third-party cookies” can still work in 2022, and first-party cookies will be blocked. How can this happen?
1st and 3rd party refer to the relation between the domain that reads a cookie and the domain that writes it or, more correctly, the domain the cookie is written under (inside of). If you block 3rd party cookies, the data stored in a cookie is read (and included in requests) only in the first-party context.
Here is an example:
You enter a website with Facebook Pixel on it. This short script writes a third-party cookie in your browser. Then you get bored and you enter Facebook. For Facebook, the cookie that was just set is a first-party cookie.
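The relation described above can be modelled in a few lines. This is an added example, not code from any browser or vendor: a toy cookie jar that decides per request whether a cookie is in a first- or third-party context. The hosts, cookie names and the two-label "site" rule are assumptions made for the illustration.

```javascript
// Simplification (assumption): a "site" is the last two labels of the hostname.
// Real browsers use the Public Suffix List for this.
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Third-party = the request goes to a different site than the page in the address bar.
function isThirdParty(topLevelUrl, requestUrl) {
  return siteOf(topLevelUrl) !== siteOf(requestUrl);
}

class CookieJar {
  constructor(blockThirdParty) {
    this.blockThirdParty = blockThirdParty;
    this.store = new Map(); // site -> Map(name -> value)
  }
  blocked(topLevelUrl, requestUrl) {
    return this.blockThirdParty && isThirdParty(topLevelUrl, requestUrl);
  }
  // A response from requestUrl tries to set a cookie while topLevelUrl is open.
  set(topLevelUrl, requestUrl, name, value) {
    if (this.blocked(topLevelUrl, requestUrl)) return false;
    const site = siteOf(requestUrl);
    if (!this.store.has(site)) this.store.set(site, new Map());
    this.store.get(site).set(name, value);
    return true;
  }
  // Cookies the browser attaches to a request for requestUrl.
  cookiesFor(topLevelUrl, requestUrl) {
    if (this.blocked(topLevelUrl, requestUrl)) return {};
    return Object.fromEntries(this.store.get(siteOf(requestUrl)) || []);
  }
}

// Constructed scenario: all hosts below are hypothetical.
function scenario(blockThirdParty) {
  const jar = new CookieJar(blockThirdParty);
  const shop = 'https://shop.example/product/42';
  const news = 'https://news.example/article';
  const pixel = 'https://px.tracker.example/collect'; // embedded on shop and news
  const home = 'https://www.tracker.example/';        // tracker's own site
  const writtenOnShop = jar.set(shop, pixel, 'uid', 'u-123');
  jar.set(home, home, 'session', 's-9');
  return {
    writtenOnShop,
    seenOnNews: jar.cookiesFor(news, pixel),
    seenOnOwnSite: jar.cookiesFor(home, home),
  };
}
```

Calling `scenario(false)` and `scenario(true)` shows the same cookie store behaving differently depending only on which site is in the address bar when the request is made.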
Why blocking third-party cookies scares Google so much...
Simply because, with them blocked, Google cannot identify you across pages. Products you viewed on one domain may still be stored in a cookie after the embargo, but they cannot be read on a second domain with display containers on it.
This mostly affects Google’s AdSense. Search engine recommendations can work without disruption, because your queries go directly to Google and feed its recommendation algorithm. AdSense, on the other hand, relies strictly on third-party cookies: ad frames are unable to receive any input about your browsing history and preferences.
…but not Facebook.
Let’s assume you are logged out of Facebook, and all Facebook cookies have been removed. Then you enter the website mentioned above. Pixel places third-party cookies while you browse the domain, and also sends anonymized data to its own servers. Anonymized, but still able to identify you. The third-party cookie it set contains a unique number, which is passed along with your onsite activity.
When you got bored and entered Facebook, after logging in, Facebook established the first-party relation with your browser and synchronized the previously anonymized data, matching it with your account, that is, with you.
Everything that touches the end-user—phone calls, numbers, pages visited—is data. Algorithms use these data to pick the right content for display. Previously the processing unit was an external server. In this case, it's Google, where your data are processed, and the model is learned.
Federated Learning of Cohorts, a.k.a. FLoC, is a technology that allows personalized ad display without the need to share personal data with an external source.
Suppose you entered a website and saw a display box. Google's algorithm generated your profile based on your data. In this particular case, that data is the third-party cookies you've gathered strolling around the internet. The algorithm immediately ran an auction, and the winning ad was displayed. The ad's final performance (click-through) was then used to further train the model.
This time it is slightly different.
Google's pre-trained algorithm is downloaded to your end device, phone or browser. It's your device that decides what your profile is or, more precisely, your cohort.
The algorithm is trained locally and does not share your cohort with the whole network. After the successful display, it shares a few hyperparameters with the primary model, which helps the overall algorithm to learn. So this is why we say the process is federated; it's decentralized.
Let’s talk about cohorts.
According to research papers, the interest cohort is a user’s assigned interest group under a particular cohort assignment algorithm. Cohorts should be rather big (a few thousand users) and as coherent as possible.
The total number of cohorts shouldn’t exceed 2^32 (4 294 967 296) because, according to (unofficial) papers, the cohort ID is to be stored as a 32-bit integer.
- The browser does not share the interest cohort’s IDs with any given site and does not reveal the browsing history.
- The ID of the cohort is also not related to any sensitive data.
- Users can still block access to interest cohorts any time they want.
It is also about the balance between targeting precision and privacy protection. Cohorts also carry a version, tied to the vendor’s name, to avoid naming conflicts between different browsers.
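The following is an added sketch, not code from the article or from Google, of how a device could derive a 32-bit cohort ID locally from browsing history. The article does not name the cohort assignment algorithm; SimHash (a locality-sensitive hash), the FNV-1a feature hash, the domains and the version label are all assumptions of this example.

```javascript
// FNV-1a 32-bit string hash, used here as the per-domain feature hash (assumption).
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193);
  }
  return h >>> 0;
}

// SimHash: every visited domain votes +1/-1 on each of the 32 bits;
// a bit of the cohort ID is 1 when the votes for it are positive.
function cohortId(domains) {
  const votes = new Array(32).fill(0);
  for (const d of new Set(domains)) {          // a domain counts once
    const h = fnv1a(d);
    for (let b = 0; b < 32; b++) votes[b] += (h >>> b) & 1 ? 1 : -1;
  }
  let id = 0;
  for (let b = 0; b < 32; b++) if (votes[b] > 0) id |= 1 << b;
  return id >>> 0;                              // unsigned 32-bit integer
}

// Number of differing bits between two cohort IDs; similar histories tend to give
// a small distance.
function hammingDistance(a, b) {
  let x = (a ^ b) >>> 0, n = 0;
  for (; x; x &= x - 1) n++;
  return n;
}

// The only outputs of the local computation: an ID plus a vendor-scoped version.
// The history itself is never returned. 'examplevendor.1' is a made-up version
// label; optedOut models the user's block.
function localCohort(history, optedOut = false) {
  if (optedOut) return null;
  return { id: cohortId(history), version: 'examplevendor.1' };
}

// Constructed browsing histories with hypothetical domains.
const alice = ['bikes.example', 'trails.example', 'news.example', 'maps.example'];
const bob = ['bikes.example', 'trails.example', 'news.example', 'recipes.example'];
console.log(localCohort(alice), localCohort(bob),
  hammingDistance(cohortId(alice), cohortId(bob)));
```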
Pretty smart, isn’t it?
Now I hope Federated Learning of Cohorts seems a bit more self-explanatory. User data is decentralized, but Google is still able to learn about user behavior and present personalized content without violating privacy. Still, if anyone feels uncomfortable with that, they can disable personalization on selected or all pages.
Google declares that FLoC will be entirely available to other ad vendors. Why? In my opinion, Google doesn't want to be treated as if it had developed the technology only for its own use and, at the same time, crushed smaller players like the ones we mentioned above.
It's all about privacy and protection. It's worth mentioning that third party cookies weren't the only method of tracking users between sites. In fact, it was one of the most 'transparent' methods.
Example: Browser fingerprinting is a significantly less ethical method. It uses all available data about the version of the browser, plugins used, and hardware data: screen ratio, size, orientation, model name and version… everything that somehow allows you to distinguish your device from the rest.
When this practice became widely known, leading browsers started to fight it in various available ways. But what I’m saying is that if we ban any widely used, morally debatable technology without giving 'right' alternatives, in most cases we are only prohibiting its use by 'good people'.
I believe this is what Google is doing, and it solves the problem, because sooner or later an alternative that helps track traffic across the web will appear. Without a 'right' alternative, we could expect only efficiency from it, with no respect for your privacy.