WordPress could treat Google FloC as a security issue

An idea is being floated to backport FLoC blocking code to existing WordPress users.
Written by Chris Duckett, Contributor

The backlash against Google's Federated Learning of Cohorts (FLoC) has continued, with a proposal raised in WordPress Core to block the controversial alternative identifier to third-party cookies by default.

The WordPress proposal would see the blogging system use its weight to thwart FLoC.

"WordPress powers approximately 41% of the web -- and this community can help combat racism, sexism, anti-LGBTQ+ discrimination, and discrimination against those with mental illness with four lines of code," it states.

For users that want to enable FLoC, the proposal states those users would likely be able to do so themselves, and a little more code would allow FLoC to be toggled on and off in blog settings.

"When balancing the stakeholder interests, the needs of website administrators who are not even aware that this is something that they need to mitigate -- and the interests of the users and visitors to those sites, is simply more compelling," the proposal states.

In order to get the block out to current users, WordPress has floated that FLoC be treated as a security problem and backported, rather than waiting until the next major release in July.

"Currently, 5.8. is only scheduled for July 2021. FLoC will likely be rolling out this month," it states.

"Furthermore, a significant number of WordPress sites only update to minor versions. By back-porting, we can protect more sites and more visitors to those sites -- and amplify the impact."

FLoC has received some stinging criticism, mostly based on how it would share a summary of recent browser history with marketers, something third-party cookies could try to do, but were never guaranteed to be able to do so.

"Its core design involves sharing new information with advertisers," Chromium-based browser maker Vivaldi said last week.

"You might visit a website that relates to a highly personal subject that may or may not use FLoC ads, and now every other site that you visit gets told your FLoC ID, which shows that you have visited that specific kind of site."

Vivaldi said FLoC has very serious implications for people who live in an environment where aspects of their personality are persecuted, such as their sexuality, political viewpoint, or religion.

"All can become a part of your FLoC ID," it said.

"This is no longer about privacy but goes beyond. It crosses the line into personal safety.

The Electronic Frontiers Foundation said the era of third-party cookies was over, and the decision was now whether to allow users to decide what information to share, or have a behavioural label attached to users that is "rich with meaning to those in the know".

"Their recent history, distilled into a few bits, is 'democratized' and shared with dozens of nameless actors that take part in the service of each web page," it said.

"Users begin every interaction with a confession: Here's what I've been up to this week, please treat me accordingly."

Related Coverage

Editorial standards