Should you Worry about FLoC? How to Opt your Site out # Should you Worry about FLoC? How to Opt your Site out #

🤖 What is FLoC? #

Before looking at if you should worry about FLoC, we'll first take a look at what is. We'll then see how it impacts web users before next looking at whether you should opt your site out. Finally we'll look at how to opt your site out of FLoC. Now we know the plan, let's look at what FLoC is first.

FLoC (Federated Learning of Cohorts) is presented as a privacy-preserving mechanism for interest-based ad selection  . The problem they are solving is targeting ads at the right people. In particular, if an advertiser can only show ads to web users who are potential customers they can spend their budget more efficiently. For web site users it might provide a better experience as they see more relevant ads (in reality, this is debatable). One resource companies currently use, for example, is tracking cookies. Noting which sites customers visit and how they interact it is possible to build up a profile of their interests.

FLoC takes a different approach. FloC calculates which cohort you belong in your browser. Particularly, your browser uses your history to determine which cohorts you belong to. People with similar interests will be placed in the same cohort. Now when an advertiser has an an ad prepared, it queries which cohorts you belong to and then decides whether to show you their advert. The website is able to access your cohort by calling document.interestCohort().

🧑🏽 How FLoC Affects Web Users #

With Google facing a privacy investigations in the EU  and recent fines under EU privacy laws  users may have privacy concerns over FLoC. Google does claim that Chrome will not create groups that it deems sensitive  though.

You probably will not notice that your browser is making FLoC calculations. However, you can check if your Chrome browser is being included in FLoC trials using a free Electronic Frontier Foundation website: Am I FLoCed  . Chrome users can only opt out of FLoC by disabling all third-party cookies. On the other hand, browsers like Firefox and Microsoft Edge do not currently have FLoC enabled  .

🔐 Should you Opt your Site out of FLoC? #

Currently, if your website does not include any adverts and nothing on the page uses document.interestCohort() it should not automatically be included in FLoC calculations  . This may mean you do not need to opt your site, if you do not want it to be used in FLoC calculations. That said, you may still wish to opt your site out from the FLoC calculations of your site users.

🖥 Should you Worry about FLoC? How to Opt Your Site out of FLoC #

Opting your site out is not difficult. You just need to set an HTTP header; the Permissions Policy header. The Permissions Policy header is an updated version of the Feature Policy  header. As a web site owner, you can set this header to improve security for visitors. As examples you might block access to the camera, geolocation or gyroscope.

    
Permissions-Policy: geolocation=(self "https://example.com"), microphone=()

  

These header values will allow geolocation access from the host website and example.com, and block all microphone usage.

The permissions policy parameter of concern for FLoC is interest-cohort. To exclude your site from being included in users' FLoC calculations, set:

    
Permissions-Policy: interest-cohort=()

  

If you are hosting your site yourself, you can update the header values in your Apache, Nginx or Relayd configuration file. If you have a Gatsby site hosted on Netflix or Gatsby Cloud, install either gatsby-plugin-netlify or gatsby-plugin-gatsby-cloud. The configuration is similar for these. In the gatsby-config.js for the plugin's options add the following as an example:

    
{
  resolve: 'gatsby-plugin-gatsby-cloud',
  options: {
    headers: {
      '/': [
        'Permissions-Policy: accelerometer=(), autoplay=(), camera=(), document-domain=(), encrypted-media=(), fullscreen=(), gyroscope=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), sync-xhr=(), usb=(), xr-spatial-tracking=(), geolocation=()',
        'Strict-Transport-Security: max-age=31536000; includeSubDomains; preload',
      ],
    },
    mergeSecurityHeaders: true,
    mergeLinkHeaders: true,
    mergeCachingHeaders: true,
    transformHeaders: (headers) => headers,
    generateMatchPathRewrites: true,
  },
},

  

You can do a check on your site's HTTP headers using Mozilla Observatory  or securityheaders.com  .

So, should you worry about FLoC? I would say it is healthier not to worry. Hopefully the explanation of FLoCs aims as well as details on how to opt out will give you peace of mind.

🙏🏽 Should you Worry about FLoC? Feedback #

I really do hope you have you found this post interesting as well as useful. Let me know your own thoughts on FLoC. Do you still think you should worry about FLoC? Have you decided to opt your site out or are you going all in? Also get in touch if you want to see other posts in this area. Finally, feel free to share the post on your social media accounts for all your followers who might find it useful. You can get in touch via @askRodney on Twitter and also askRodney on Telegram  . Also, see further ways to get in touch with Rodney Lab. If you have found this post useful and can afford even a small contribution, please consider supporting me through Buy me a Coffee

We post regularly on OpenBSD-centric content and security as well as online privacy. Also subscribe to the newsletter to keep up-to-date with our latest projects.