WICG / floc

This proposal has been replaced by the Topics API.
https://github.com/patcg-individual-drafts/topics

Please consider opt in instead of opt out #126

Open fungiboletus opened 3 years ago

fungiboletus commented 3 years ago

If I understand the concept correctly, now Google Chrome tracks users across all websites using floc, with the exception of the very few websites who opted out using a weird HTTP header, and not the European users because the GDPR is actually pretty neat.

As a modest website publisher, I used to have a blog when it was cool and I still have a few random webpages, I don't want my websites to be used for tracking. And I don't want to have the burden of adding an HTTP header. I don't even know how to do so on many webpages as I don't have control of the HTTP headers.

I also believe most website owners will not opt out their websites because they do not know about floc or its implications, or they don't have the technical possibility or simply the right competences.

Could you require an HTTP header or a JavaScript call to enable floc? Trackers could still use floc but websites without trackers would not be involved in this.

Sora2455 commented 3 years ago

I think that only websites that call the JavaScript API will be included in FLOC calculations (at least initially), it's just that websites with ads on them are likely to have their ads call the API.

dmarti commented 3 years ago

The opt out HTTP response header will prevent your site from being used for FLoC training even if a script on the page does call document.interestCohort. This may be useful in the case of a site that uses third-party scripts.

Currently the only way to do this opt-out is with the HTTP header (opting out of computation). There is another issue that covers adding an opt-out tag in the HTML that would not require access to set a header on the site: https://github.com/WICG/floc/issues/13

fungiboletus commented 3 years ago

By default, a page is eligible for the interest cohort computation if the interestCohort() API is used in the page.

This sounds like opt-in actually, I did focus on the opt-out HTTP header while missing that the whole FLOC was opt-in by default.

To make the adoption easier, the user agent may relax the opt-in requirement while third-party cookies still exist. For example, pages with ads resources are an approximation of the pages that are going to opt-in to interest cohort computation in the long run. Thus, at the adoption phase, the page can be eligible to be included in the interest cohort computation if there are ads resources in the page, OR if the API is used.
Floc 7.1.4 Adoption Phase

I checked the Chromium source-code and it seems that the implementation matches the specifications. Floc is enabled only when you call the API or if a website calls a resource tagged as an ad, and it's not enabled when explicitly disabled (through the header or permissions). At least in the open-source part of the project. But to detect whether a resource is an ad is not very clear. The documentation says that Chromium uses a filter list for ad tagging, but without mentioning which one. The example filter list is easylist but is Google using easylist to track people more?
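
The eligibility rule described in the comments above, as an added example that is not part of the thread and is not Chromium's code. It assumes the opt-out header is `Permissions-Policy: interest-cohort=()` (the thread does not name it); the page fields `callsInterestCohort` and `hasAdTaggedResource` are hypothetical, and the header parser is simplified.

```javascript
// Added example (not Chromium's code): simplified model of the rule in the thread.
// Split a header value on top-level commas (not a full Structured Fields parser).
function splitDirectives(value) {
  const parts = [];
  let depth = 0, inQuote = false, cur = "";
  for (const ch of value) {
    if (ch === '"') inQuote = !inQuote;
    else if (!inQuote && ch === "(") depth++;
    else if (!inQuote && ch === ")") depth--;
    if (ch === "," && depth === 0 && !inQuote) { parts.push(cur); cur = ""; }
    else cur += ch;
  }
  parts.push(cur);
  return parts.map((p) => p.trim()).filter(Boolean);
}

// Assumption: the opt-out is `Permissions-Policy: interest-cohort=()` (empty allowlist).
function isOptedOut(headers) {
  const raw = Object.entries(headers)
    .filter(([name]) => name.toLowerCase() === "permissions-policy")
    .map(([, value]) => value).join(",");
  let optedOut = false;
  for (const directive of splitDirectives(raw)) {
    const eq = directive.indexOf("=");
    if (eq < 0) continue;
    const feature = directive.slice(0, eq).trim().toLowerCase();
    const allowlist = directive.slice(eq + 1).split(";")[0].trim();
    if (feature === "interest-cohort") optedOut = /^\(\s*\)$/.test(allowlist); // last one wins
  }
  return optedOut;
}

// Adoption-phase rule: the opt-out wins; otherwise an API call OR an ad-tagged resource.
function eligibleForCohort(page) {
  if (isOptedOut(page.headers)) return false;
  return Boolean(page.callsInterestCohort || page.hasAdTaggedResource);
}

// Constructed sample pages; field names are hypothetical.
const samplePages = [
  { url: "https://blog.example/", headers: {}, callsInterestCohort: false, hasAdTaggedResource: false },
  { url: "https://news.example/", headers: {}, callsInterestCohort: false, hasAdTaggedResource: true },
  { url: "https://shop.example/", headers: { "Permissions-Policy": "geolocation=(self), interest-cohort=()" }, callsInterestCohort: true, hasAdTaggedResource: true },
];
// URLs of the sample pages that would feed the cohort computation.
function eligibleUrls(pages) {
  return pages.filter(eligibleForCohort).map((p) => p.url);
}
console.log(eligibleUrls(samplePages));
```
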

fungiboletus commented 3 years ago

I found the filter list.

paradonym commented 3 years ago

FLoC actually has to be an opt-in in order to comply with EU GDPR. There's little to no other ways to get around it...

I'm not a lawyer, but ways to get around GDPR could be a part in terms of use of web browsers, but I think the GDPR needs something like those annoying cookie warnings so opt-in each single use if it's active. So FLoC is - via concept - something you can't do in the EU.

Sora2455 commented 3 years ago

@paradonym The FLoC experiment is not being run in the EU, and while I'm not sure if there's been a statement from Google as to why, most people I've heard from assume that it's the reason you just mentioned.