Privacy Limitations Of Interest-based Advertising On The Web: A Post-mortem Empirical Analysis Of Google's FLoC

In 2021, Google announced they would disable third-party cookies in the Chrome browser in order to improve user privacy. They proposed FLoC as an alternative, meant to enable interest-based advertising while mitigating risks of individualized user tracking. The FLoC algorithm assigns users to 'cohorts' that represent groups of users with similar browsing behaviors so that third-parties can serve users ads based on their group. After testing FLoC in a real world trial, Google canceled the proposal, with little explanation, in favor of new alternatives to third-party cookies. In this work, we offer a post-mortem analysis of how FLoC handled balancing utility and privacy. In particular, we analyze two potential problems raised by privacy advocates: FLoC (1) allows individualized user tracking rather than prevents it and (2) risks revealing sensitive user demographic information, presenting a new privacy risk. We test these problems by implementing FLoC and compute cohorts for users in a dataset of browsing histories collected from more than 90,000 U.S. devices over a one-year period. For (1) we investigate the uniqueness of users' cohort ID sequences over time. We find that more than 95% are uniquely identifiable after 4 weeks. We show how these risks increase when cohort IDs are combined with fingerprinting data. While these risks may be mitigated by frequently clearing first-party cookies and increasing cohort sizes, such changes would degrade utility for users and advertisers, respectively. For (2), although we find a statistically significant relationship between domain visits and racial background, we do not find that FLoC risks correlating cohort IDs with race. However, alternative clustering techniques could elevate this risk. Our contributions provide example analyses for those seeking to develop novel approaches to monetizing the web in the future.