←back to thread

Google’s FLoC Is a Terrible Idea

(www.eff.org)
604 points wyldfire | 3 comments | 04 Mar 21 15:59 UTC | HN request time: 0.713s | source
Show context
dleslie ◴[04 Mar 21 16:49 UTC] No.26344736[source]
This captures my feelings on the issue:

> That framing is based on a false premise that we have to choose between “old tracking” and “new tracking.” It’s not either-or. Instead of re-inventing the tracking wheel, we should imagine a better world without the myriad problems of targeted ads.

I don't want to be tracked. I never have wanted to be tracked. I shouldn't have to aggressively opt-out of tracking; it should be a service one must opt-in to receive. And it's not something we can trust industry to correct properly. This is precisely the role that privacy-protecting legislation should be undertaking.

Stop spying on us, please.

replies(10): >>26345317 #>>26345398 #>>26345438 #>>26345507 #>>26345714 #>>26346976 #>>26347529 #>>26347549 #>>26349806 #>>26350238 #
izacus ◴[04 Mar 21 17:34 UTC] No.26345317[source]
What's tracking in your definition here? Is counting display of an ad tracking? Load of an image on page? Is logging nginx entry for your page load tracking? Is responding with correct image for your browser user-agent tracking?

I'm sometimes confused what is covered under this term and I'd kinda like to know where the line here is drawn. What exactly are we talking about here?

replies(2): >>26345587 #>>26345689 #
probably_wrong ◴[04 Mar 21 17:59 UTC] No.26345689[source]
I fear that your questions reduce the problem to the point where no answer is possible. Loading the Y Combinator logo in here is almost certainly not tracking, but loading an invisible, 1px-by-1px gif in an email almost certainly counts. It's missing the forest for the trees.

The simplest definition of tracking I can come up with is "collect data about me that can (and often, is) used to build a profile of me and my behavior". The NGinx log could or could not be tracking, depending on whether you use it to diagnose issues ("we should optimize this picture, it's loading too slow for too many people") or to profile me ("ID 12345 uses a 56K modem, let's sell him a new one"). But no perfect definition exists because everyone has different thresholds of what they are okay with.

replies(4): >>26345820 #>>26346045 #>>26350151 #>>26353790 #
izacus ◴[04 Mar 21 18:06 UTC] No.26345820[source]
If I understand FloC correctly though, it sends your profile/tags/interesting topics from your owned client software. So this basically means that if you have a browser like Firefox, it could send a preset cohort set to server that doesn't build your tracking profile and gives you things you're interested in.

To me this seems like a win? It allows you as a person to control how your ad profile is built (and if it's sent at all) and doesn't send your data to servers anymore?

(Please correct me if I misunderstood the technology.)

replies(4): >>26345894 #>>26347219 #>>26348706 #>>26348742 #
1. Veserv ◴[04 Mar 21 21:37 UTC] No.26348742[source]
If they will not send data to their servers anymore, then they can easily regain trust by just introducing a contractual obligation to pay out a reasonable sum if they are found to be doing so that would disincentive them from doing so. Say 1 year of revenue or ~$100B? Since they have control over their own actions and there is no reason to send data to their servers anymore, then that would be pure upside with no risk if they are being truthful. However, until they make promises where success and failure can be evaluated by non-technical individuals and there is actual downside when failing to fulfill those promises, I see no reason for anyone to believe their claims if they will not put their money where their mouth is.
replies(1): >>26349805 #
2. izacus ◴[04 Mar 21 23:08 UTC] No.26349805[source]
Sounds like you're proposing GDPR. I supported it, it's s good step.
replies(1): >>26350323 #
3. Veserv ◴[05 Mar 21 00:00 UTC] No.26350323[source]
Not really. GDPR establishes specific rules around data protection and retention, but what I am proposing is having them establish a contractual obligation to abide by their claims with pre-defined damages in the event of a breach of contract to demonstrate a commitment to their claims. GDPR is about data protection, this model is about honesty/fulfilling obligations which just so happens to be about data protection in this case. If they want to gobble up all the data and they are completely honest and forward about it such that the average impacted individual properly understands the scope and degree of what is occurring, then I do not care too much about it since at least everybody is going in with open-ish eyes. It is doing so while lying about it or appealing to people's wishful thinking then blaming them for not reading the fine print that is truly evil.