Since we recently discussed the HTTP Permissions-Policy header, I have been asked about Google FLoC and how to prevent it from using a website to aggregate users’ visits into an overall FLoC score.

I will not offer my opinion on this but will instead refer readers to relevant articles. I will, however, provide a quick pointer on how to deny FLoC access to a user’s site visit. To paraphrase an oft-quoted saying: “If you are NOT a paying customer, you are the product.” As such, I leave you to make your own determination as to the privacy and security of your website.

From Google:

Federated Learning of Cohorts (FLoC) proposes a new way for businesses to reach people with relevant content and ads by clustering large groups of people with similar interests. This approach effectively hides individuals “in the crowd” and uses on-device processing to keep a person’s web history private on the browser.

From the EFF:

FLoC is meant to be a new way to make your browser do the profiling that third-party trackers used to do themselves: in this case, boiling down your recent browsing activity into a behavioral label, and then sharing it with websites and advertisers. The technology will avoid the privacy risks of third-party cookies, but it will create new ones in the process. It may also exacerbate many of the worst non-privacy problems with behavioral ads, including discrimination and predatory targeting.

Using the Permissions-Policy header to deny FLoC:

 sudo nano /etc/apache2/sites-available/000-default-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
# Modify this header: append ,interest-cohort=() to the end of the string, before the closing "
Header always set Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=(),interest-cohort=()"
## End Permissions Policy
# End Header Directives
# (the rest of the existing VirtualHost configuration stays unchanged)
</VirtualHost>
</IfModule>

# Test our config and restart Apache

Confirm that the Permissions-Policy header does in fact include our directive.

I will open a new incognito window in Chrome and navigate to the test site, https://test.techhell.org. Once the page renders, right-click and open the “Inspect Elements” console.

We shall select the NETWORK tab of the inspector window:

We shall refresh the page with Control-R, select the Headers sub-tab and note our permissions policy.

Here we note that the Permissions-Policy header does deny the interest-cohort function.
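The same confirmation can be scripted instead of read off the browser inspector. The following is an added example, not part of the original post: the function names and the sample responses are constructed for illustration, and it assumes the raw response headers are supplied on standard input (for instance from curl -sI).

```shell
#!/bin/sh
# Added example, not from the original post. Reads raw HTTP response headers
# on stdin and checks that Permissions-Policy denies interest-cohort (FLoC).

# Print the allowlist of every interest-cohort entry found, one per line.
# Simplification: directives are split on commas, so a quoted origin that
# itself contains a comma is not handled.
cohort_allowlists() {
  tr -d '\r' | awk '
    {
      colon = index($0, ":")
      if (colon == 0) next
      if (tolower(substr($0, 1, colon - 1)) != "permissions-policy") next
      n = split(substr($0, colon + 1), parts, ",")
      for (i = 1; i <= n; i++) {
        d = parts[i]
        gsub(/[ \t]/, "", d)          # "interest-cohort=( )" -> "interest-cohort=()"
        eq = index(d, "=")
        if (eq && substr(d, 1, eq - 1) == "interest-cohort")
          print substr(d, eq + 1)
      }
    }'
}

# Succeed only when an interest-cohort entry is present and every such entry
# has the empty allowlist "()". Requiring all entries to be empty is a
# conservative choice for duplicated headers or keys.
floc_denied() {
  floc_lists=$(cohort_allowlists)
  [ -n "$floc_lists" ] || return 1
  ! printf '%s\n' "$floc_lists" | grep -qvxF '()'
}

# Constructed sample responses (not captured from a real server).
sample_denied() {
  printf 'HTTP/1.1 200 OK\r\nPermissions-Policy: geolocation=(),fullscreen=(self),payment=(),interest-cohort=()\r\n\r\n'
}
sample_missing() {
  printf 'HTTP/1.1 200 OK\r\npermissions-policy: geolocation=(),fullscreen=(self)\r\n\r\n'
}
sample_self() {
  printf 'HTTP/1.1 200 OK\r\nPermissions-Policy: interest-cohort=(self),geolocation=()\r\n\r\n'
}

# Live use against the site under test, for example:
#   curl -sI https://test.techhell.org | floc_denied && echo "FLoC denied"
```

A header that omits interest-cohort, or that lists it with a non-empty allowlist such as (self), fails the check, which catches a directive lost during a later edit of the vhost file.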