Lots of people have been spreading the often-unnecessary advice to add a Permissions-Policy response header to their sites to opt-out of Google’s FLoC, and some have been going so far as to ask FLOSS maintainers to patch their software to make this the default. When discussions got heated to the point of accusing webmasters who don’t implement these headers of being “complicit” in Google’s surveillance, I felt I had to write this.
Everybody: please calm down, take a deep breath, and read the spec before you make such prescriptive advice about it.
FLoC is terrible, but telling everyone to add a magic “opt-out header” in every situation conveys a misunderstanding of everything you need to know about the opt-in/out process.
Look what the Father of modern Browsers, Jon von Tetzchner, said about FLoC https://vivaldi.com/blog/no-google-vivaldi-users-will-not-get-floced/
Are you sure this issue is not about webmaster excluding their content from floc categorisation vs tracking their users via the cohort script? I will look at it later but it seems like two different though related issues.
I updated the article to explicitly address this; check the “What explicitly opting out actually entails” section.
I had a chance to read over the full article and its links. Here’s my conclusion:
- As stated in your piece, during the “Origin Trial” Google will use those who have enabled ads on their site.
However, this is not true imo:
If your website does not include JS that calls document.interestCohort(), it will not leverage Google’s FLoC. Explicitly opting out will not change this.
This will stop you from participating on the client side of FLoC, not the server-side. Server side categorization for sites with ads is where this Permissions action is aimed at. What this is saying is that if an ad tries to get a cohort id from an opted-out site, it will receive a meaningless default value. This knowledge is for the benefit of advertisers, not webmasters.
- The article basically says, it doesn’t matter anyway because the impact judged by the author to be insignificant:
This may or may not reduce the entropy gained by a FLoC ID, depending on how well or poorly your site serves as an identifier. Given this marginal improvement, I don’t think it’s right to place a burden or blame on webmasters when the burden and blame should rightfully be directed at those responsible for rolling this antifeature out in Chromium. We shouldn’t expect webmasters to add a tag or header every time Google advances the war against its own users
However, being categorized as a frequent visitor of Free and Open Sites (think of being put in the Stallman cohort) may well be significant for advertisers, authorities, creditors and so on.
- This has happened before (DNT)
While DNT isn’t a great success, the number of companies who could face legal repercussions for ignoring this round of protections is quite small and risk could be quite large.
- Breathe
Agreed. This is no cause for mass hysteria, but lets get the information out there so webmasters can make informed choices (setting a Permissions Policy is the best option for those who do not want their content to included, especially as Google moves from Origin Trial into full on deployment and other browser vendors start to adopt the scheme).
Server side categorization for sites with ads is where this Permissions action is aimed at. What this is saying is that if an ad tries to get a cohort id from an opted-out site, it will receive a meaningless default value. This knowledge is for the benefit of advertisers, not webmasters.
The solution is not to include trackers on your page in the first place, such as third-party ads. Permissions-Policy applies to the page requested and its contents.
As for cohort calculation, things are messy. If one site is opted out and another consequently has a greater weight, the implications wrt. fingerprinting are vague. Opting out doesn’t necessarily reduce a user’s fingerprint. FLOSS is one aspect of a user’s interests, but there are countless others. There is/was no legal or technical obligation to obey either the DNT header or this permissions-policy header (strictly for the purposes of cohort calculation), since the latter isn’t standard usage of the permissions-policy header and the former isn’t even a standard header in the first place.
A coordinated effort is better spent getting users off Chrome than getting upstream software and webmasters to add this band-aid to their sites.
The fingerprinting implications are not good no matter whether a site opts out or not. Theoretical protection against fingerprinting relies on a fairly ridiculous notion of Privacy Sandbox which seems easily skirted. Things like Trade Desk Unified ID combined with cohort ID actually makes FLoC privacy negative as it gives another data point to add to your already known identity.
The point is that the only way for a site to opt out of participating is by using this W3C ordained way. It basically useless for end users but necessary for sites who don’t want to participate in the program.
Google’s point is that all this and more is already going on with 3rd party system so why don’t we make this other crappy system which consolidates control further in their hands.
It’s not misinformation however to provide to site operators information about how to opt-out of participation.
I updated the “What explicitly opting out actually entails” section to further elaborate on why adding this header might not really improve user privacy.
Thanks I am out and about now, will read it.
Devs should use it period