WICG / floc

This proposal has been replaced by the Topics API.
https://github.com/patcg-individual-drafts/topics

Cookies are not the problem #107

Open drdsgvo opened 3 years ago

drdsgvo commented 3 years ago

One main motivation behind FLoC is to make cookies vanish because of privacy reasons, as far as I understood it.

In Germany and Europe, the law is simple: Do not use marketing cookies without user consent. We do not need FLoC. Also, see extensive data transfers. These are happening even when a YouTube video in privacy-enhanced mode is embedded. This violates article 5 GDPR if there is no explicit user consent. Google knows this, but offers the YouTube video script in this way.

At first - before thinking further about FLoC - Google should learn to stick to privacy rules (besides YouTube, see the massive use of cookies by Google tools, which I cannot follow completely, e.g. with Google Maps or Google reCAPTCHA). Also see the Android Advertising ID, against which a complaint has been filed by noyb. BTW: Is Google Ireland operating solely independently from Google US? I am just asking because of article 44 GDPR (data transfer into third countries without appropriate safeguards). Sorry for leaving the road, here is the main track:

Regarding FLoC itself: Google wants each individual to provide her terminal and her computing power to let the browser analyze the individual's behavior and even to let an auction happen which determines the ad provider who shall be allowed to influence the individual on her own system with an ad. This sounds nothing but inhuman.

Beneficiaries are - at first - Google and the ad ecosystem. What is the benefit for the individual here? Does the individual get paid by someone (Google?) for providing her resources? Data is valuable, right?

Security of personal data is paramount. The "opaque iframe" is an approach that was mentioned, but is it really safe? Timed attacks were mentioned, too. I do not want to claim that none of these problems can be addressed properly. But it should better work perfectly on the first try and forever. What if a hacker intrudes a terminal of an individual? Is the hacker able to read the FLoC findings or even manipulate the system to get a constant feed of FLoC findings about the individual?

The k-anonymity itself is attackable. See the exploit of Facebook custom audience data by a team of scientists in 2018.

For me, the approach sounds like bullshit. A possibly good mathematical approach, but very weak when it comes to practical considerations.

I hope that, if FLoC comes, the user is clearly and unambiguously asked for her consent before FLoC gets activated.

michaelkleber commented 3 years ago

Thanks for the comments, though it seems like a lot of them are not actually about FLoC.

I agree that cookies are not the problem — they are one particular technology that enables widespread data collection, but of course there are others. Check out the privacy model underlying Chrome's efforts for the bigger picture here.

You're correct that some of the Privacy Sandbox proposals involve moving more work onto the browser instead of having it happen in someone else's server. That certainly is a trade-off that means using some small amount of additional computing resources. The benefit is that when things happen in the browser, you can be sure that nobody else learns about them, which is a big privacy win. This isn't the only possible answer here; indeed there are alternatives being actively discussed which rely on a server that is highly trusted to receive some information but not store it or use it in certain ways. Those raise hard questions of how the browser can really know that a server is trustworthy — but maybe that's a problem that can be solved.

I'm sorry that you don't like opaque iframes or k-anonymity, but I don't think your worries are anything new. You say "What if a hacker intrudes a terminal of an individual? Is the hacker able to read the FLoC findings or even manipulate the system to get a constant feed of FLoC findings about the individual?" But this kind of thing is a problem with everything about computers already: if a hacker gets to install sufficiently malicious software on your computer, then sure, perhaps they can see everything you do, no matter what browser or other program it's in. FLoC doesn't add anything here.

Maybe all computers are "bullshit. A possibly good mathematical approach, but very weak when it comes to practical considerations." But that's what we've got to work with.

ph00lt0 commented 3 years ago

@michaelkleber, I believe it is time for Google to withdraw this proposal. The internet community clearly isn't waiting for your next spyware project. I believe it is clear that we have had enough of it. Google should try to find other ways to make money. I believe that contextual ads should be very okay in Google Search, and you could turn Gmail, Drive and the other products that have not been killed yet into subscription-based services. The consumers demand privacy; you might be wondering why? Not because we all hate relevant ads, but because citizens dislike your power and the abuse of it, whether it is by your clients or by Google themselves. FLoC won't kick off, and neither will any other proposal. I hope that you realize that as long as you do not let users opt in to this, most frameworks and other open source projects will try to block you from making money and ruin your business model. It is time for Google to reflect and reposition. A market is served by its demands and legislation. Google has made a fortune from the uncontrolled internet; this era is over.

michaelkleber commented 3 years ago

Hi @ph00lt0,

"Google should try to find other ways to make money" is a very surprising thing to say in this conversation. FLoC is not about Google making money: as you pointed out, the ads in Google Search don't need it! They are based on what you just searched for.

But that makes Google different from most ads-supported sites on the web, which are at risk of losing most of their money. I don't know what sites you spend all your time on — and I wouldn't even if you told me your FLoC!! — but they are the ones whose future might be at risk here.

ph00lt0 commented 3 years ago

Google surely doesn't do this for charity. Please stop the theater. Google sells targeted ads, Google defends this.... I don't feel like I need to explain this to you. I am just generally making you see the bigger picture, that Google as a company needs to change. I do believe you that this doesn't directly give Google a financial benefit. Google already knows what people are browsing if they are using Chrome. Google's own tracking via Chrome (which brings the money) surely is more effective than FLoC. FLoC is in my eyes, as I wrote in another issue, the perfect excuse for Google's statement about not eliminating competitors. It is a matter of antitrust. The only one at risk is Google. Oh, and I honestly do not care about the ad-supported websites you mention; I would gladly see them disappear.

drdsgvo commented 3 years ago

> I'm sorry that you don't like opaque iframes or k-anonymity, but I don't think your worries are anything new. You say "What if a hacker intrudes a terminal of an individual? Is the hacker able to read the FLoC findings or even manipulate the system to get a constant feed of FLoC findings about the individual?" But this kind of thing is a problem with everything about computers already: if a hacker gets to install sufficiently malicious software on your computer, then sure, perhaps they can see everything you do, no matter what browser or other program it's in. FLoC doesn't add anything here.

Thank you for your reply. I'm not saying that I don't like opaque frames etc. I am just saying that these raise security issues, which you confirmed. Indeed, FLoC adds new security risks, if I understand correctly, because with FLoC there is much more delicate information about an individual on the individual's computer than before. By intruding a PC, a hacker could, as I said, let the browser do the work with FLoC and then fetch the results, which is not possible yet, because there are no such results yet on most personal computers or smartphones worldwide.

Of course, computers are not "bullshit", but computers are a huge progress in human history, whereas FLoC is neither such a huge progress nor necessary.

michaelkleber commented 3 years ago

> Indeed, FLoC adds new security risks, if I understand correctly, because with FLoC there is much more delicate information about an individual on the individual's computer than before.

For the first Origin Trial, at least, that is certainly not true. FLoC doesn't involve storing any new information — it is computed just based on your recent browsing history, which your browser has been storing for years. (Check out the "History" menu, or see chrome://history for the full experience.)

I think changing the web from a model of "knowing detailed stuff about individuals" to "knowing aggregated stuff about large crowds of people" is substantial progress. But of course you can disagree.

voidgraphics commented 3 years ago

@michaelkleber and we do disagree.

The only two options are not "knowing detailed stuff about individuals" and "knowing aggregated stuff about large crowds of people". These two options are equally morally wrong, just on different scales. You are pretending to solve the problem, when in fact you are just moving it elsewhere. The only acceptable solution is to make targeted advertising disappear.

The argument that "most websites are going to lose 50-70% of profits" if targeted ads were to disappear, while most likely true, only serves to gaslight people into thinking that this is an industry we cannot do without. The websites that currently run on privacy invasion-based advertising revenue are part of the problem, and should seek other ways to monetise.

dmarti commented 3 years ago

There are two effects of cross-site tracking that have to be balanced here.

  1. Incremental revenue for legit sites that @michaelkleber pointed out. Any ad-supported medium can get higher revenue if the advertisers can see data about how that medium reaches a valuable audience. (This is not just an Internet thing, the same goes for magazine ads, billboards, bus ads, whatever.)

  2. Data leakage from more trusted sites to less trusted sites. Walt Mossberg explained, "About a week after our launch, I was seated at a dinner next to a major advertising executive. He complimented me on our new site’s quality and on that of a predecessor site we had created and run, AllThingsD.com. I asked him if that meant he’d be placing ads on our fledgling site. He said yes, he’d do that for a little while. And then, after the cookies he placed on Recode helped him to track our desirable audience around the web, his agency would begin removing the ads and placing them on cheaper sites our readers also happened to visit. In other words, our quality journalism was, to him, nothing more than a lead generator for target-rich readers and would ultimately benefit sites that might care less about quality."

If the browser is being designed for a general audience that probably wants to maximize quality and quantity of ad-supported content for a minimum amount of ad annoyance and risks, the cohort implementation can be optimized to increase incremental revenue for sites that the user likes, and decrease rewards for unwanted sites. For example, a browser that already tracks "Site Engagement Score" could limit FLoC calls by low-engagement sites so they aren't incentivized to create large quantities of deceptive content in hopes of landing an ad impression from a member of a valuable cohort. (1205888 - Set a minimum Site Engagement Score for document.interestCohort - chromium)