In 2020, Google announced it would disable third-party cookies in the Chrome browser to improve user privacy. In order to continue to enable interest-based advertising while mitigating risks of individualized user tracking, Google proposed FLoC. The FLoC algorithm assigns users to cohorts that represent groups of users with similar browsing behaviors so that third parties can serve users ads based on their cohort. In 2022, after testing FLoC in a real-world trial, Google canceled the proposal, with little explanation, in favor of another way to enable interest-based advertising. In this work, we offer a post-mortem analysis of how FLoC handled balancing utility and privacy. We analyze two potential problems raised by privacy advocates: (1) Contrary to its privacy goals, FLoC enables individual user tracking, and (2) FLoC risks revealing sensitive user demographic information. We test these problems by implementing FLoC and computing cohorts for users in a dataset of browsing histories collected from more than 90,000 U.S. devices over a one-year period. For (1) we investigate the uniqueness of users' cohort ID sequences over time. We find that more than 95% are uniquely identifiable after 4 weeks. We show how these risks increase when cohort IDs are combined with fingerprinting data. While these risks may be mitigated by frequently clearing browser storage and increasing cohort sizes, such changes would degrade utility for users and advertisers. For (2), we find a statistically significant relationship between domain visits and user race and income, but do not find that FLoC risks correlating cohort IDs with race or income. However, alternative clustering techniques could elevate this risk. Our contributions provide insights and example analyses for future novel approaches that seek to protect user privacy while monetizing the web.
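The uniqueness measurement in (1), as an added example that is not the paper's code: for each week k it computes the share of devices whose cohort ID sequence over weeks 1..k matches no other device, with and without a coarse fingerprint attribute. The function name, device labels, cohort IDs and fingerprint buckets are all constructed for illustration.

```python
from collections import Counter

# Constructed sample: device -> (coarse fingerprint bucket, weekly cohort IDs).
# All values are made up for illustration; they are not from the paper's dataset.
SAMPLE = {
    "dev-a": ("fp1", [101, 101, 205, 310]),
    "dev-b": ("fp1", [101, 101, 205, 311]),
    "dev-c": ("fp2", [101, 101, 205, 311]),
    "dev-d": ("fp2", [101, 230, 205, 310]),
    "dev-e": ("fp1", [417, 230, 118, 310]),
    "dev-f": ("fp2", [417, 230, 118, 310]),
}


def unique_fraction_by_week(devices, use_fingerprint=False):
    """For each week k, return the fraction of devices whose cohort ID
    sequence for weeks 1..k is shared with no other device.

    With use_fingerprint=True the fingerprint bucket is part of the key,
    modelling an observer who sees both signals together.
    """
    if not devices:
        return []
    # Only compare over the weeks every device has data for.
    weeks = min(len(seq) for _, seq in devices.values())
    fractions = []
    for k in range(1, weeks + 1):
        keys = []
        for fp, seq in devices.values():
            prefix = tuple(seq[:k])
            keys.append((fp, prefix) if use_fingerprint else prefix)
        counts = Counter(keys)
        # A device is re-identifiable when its key has an anonymity set of 1.
        unique = sum(1 for key in keys if counts[key] == 1)
        fractions.append(unique / len(keys))
    return fractions


if __name__ == "__main__":
    print("cohort IDs only:       ", unique_fraction_by_week(SAMPLE))
    print("cohort IDs+fingerprint:", unique_fraction_by_week(SAMPLE, True))
```

On the constructed sample the unique share rises with each added week, and adding the fingerprint bucket makes every device unique by week 4, which is the qualitative effect the abstract reports.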