• Amazon Blocks FLoC across most sites

    Google's Federated Learning of Cohorts (FLoC) isn't exactly noted for its popularity.

    The company claims that FLoC will improve privacy, though various researchers disagree (and there are issues that have remained unaddressed for years).

    For those who're not up to date: the stated aim of FLoC is to replace tracking via 3rd party cookies with an engine within the browser that profiles your browsing habits and adds you into a cohort of users with similar behaviour - advertisers then advertise to you based on your cohort ID (I wonder why the idea of a browser tracking your habits for advertising purposes hasn't won hearts and minds in the way they wanted...).

    News has broken (via Digiday) that Amazon have blocked FLoC from operating on (most of) their domains - the exception seems to be Abebooks.

    Because it's driven by an HTTP response header, we can trivially confirm for individual domains:

    curl -v -o/dev/null https://www.amazon.co.uk 2>&1 | grep permis
    < permissions-policy: interest-cohort=()
    

  • Breaking the Google Addiction one step at a time

    Google isn't your friend. Google isn't my friend. Google is, and always has been, a data-whore.

    But, still we use them and allow them to slurp up more and more data about us.

    They're a bit like Amazon in that respect - you know they're an increasingly terrible company, but they're just so convenient and you keep on using them whilst ignoring the power they're amassing over the market.

    But, it is something that's been concerning me more and more over the years.

    We install adblockers, no-script and other extensions to add a fig-leaf to our privacy, or to try and avoid Google's user-hostile changes, yet we keep on using the same services. Even when they completely change the UI around on us, for no good reason, we still keep using their services.

    I decided, quite a while ago, it was time I made a change, but then did very little, at least until recently.

    As great as a "clean-break" might sound, going cold turkey off Google's services is never going to work - no model of user behaviour supports making massive jarring changes.

    So I decided to start with the most obvious interaction with Google - their search engine. I don't have Google Home or similar, so my most frequent interaction with Google is search.

  • FLoC disabled on my sites

    Cookies have been viewed as the enemy for quite some time, with the result that 3rd party cookies are (quite rightly) being treated with high levels of suspicion.

    Unfortunately, the focus being on cookies rather than the tracking/profiling that they enable has left an opening for the unscrupulous to offer a cookie-less alternative.

    Enter Google, who a while back announced they were building something called Federated Learning of Cohorts (FLoC) into Chrome. The basic underlying idea of FLoC is that it assigns the browser a cohort ID - grouping it in with other browsers who have a similar browsing history.

    The browser's history never leaves the browser, with the cohort ID being calculated locally (updating once per week, based on the previous week's browsing). Websites can then query the browser for its cohort ID (by calling document.interestCohort()) and serve appropriate ads based on the ID returned.

    However, deeper inspection has shown that rather than solving privacy issues, FLoC simply presents new ones - in fact there's an obvious vector in the paragraph above - your cohort ID is the same across all sites you visit...

    Plus, although I say new, some of these issues were highlighted in 2019 and remain unaddressed.

  • Google, Cloudflare and GDPR - my quandary

    Just like most of the internet, I've been working hard making sure my site and services are GDPR compliant. For the most part, on the technical front I already was, and it's mostly been a case of making sure the documentation is up to scratch.

    However, in one area, I've had to revisit a decision that I've gone over and over over the past few years - having ads on (some) of the sites, compared to the alternatives.

    I decided I'd create this post for a couple of reasons - partially because I suspect others may be in a similar situation, and also to try and help lay it out so I can spot alternatives to those I've already considered.

     

  • Removing Ads from my Sites

    (It occurs to me that publishing this on 1 Apr isn't the best move - rest assured this is genuine)

    I've long felt uncomfortable with the privacy trade-offs of having advertising on my sites.

    Shortly before GDPR came into effect, I wrote a post detailing how I was, once again, revisiting the decision of having ads on my site.

    The decision then, as before, was that the ads were a necessary evil as the revenue they generate contributes something to the running costs of this site, helping keep over a decade's worth of work online.

    Today, however, I'm changing that decision and removing Google's Adsense from all of my sites

  • Virtualisation: Google Play Music Manager cannot identify your computer

    Although there seem to be an increasing number of things which irritate me about Google's Play Music, there's no denying that it's an incredibly convenient way to listen to music when not at home. Whether using the Android App, or playing in a browser, it makes your library available wherever you are.

    It's a pity then, that Google have decided to make it such a royal PITA to upload music (I'm also not too happy about the requirement to have card details on file, even if you plan on using the free version - you should only ever need to provide card details when the plan is to actually use them, it reduces the likelihood of them being compromised).

    As Google's Play Music Manager now won't run on my desktop (something I need more introduces a conflicting dependency), I figured I'd run Music Manager in a virtual machine and just point it at the right NFS share.

    Turns out it wasn't quite so simple, as Music Manager returns the error 'Login failed. Could not identify your computer'.

    After some digging, it's incredibly easy to resolve though.