---

blog: Don Marti

---

FLoC opt out

13 February 2021

Updated 28 Feb 2021. Removed meta tag material, added link. We still do not know how to opt out of FLoC without setting an HTTP response header.

I'm not going to cover all the problems with having web browsers label their users with "cohorts" here. Really briefly, the Google Chrome browser might start using a system called "Federated Learning of Cohorts" (FLoC) to partly replace some of the data practices that are currently done using third-party tracking cookies.

There is a test of FLoC coming up that is opt-in, but the core FLoC proposal is still opt out. It looks as if, in order to protect Google Chrome users on your site, you will have to change the site configuration a little. I still need to test this with real FLoC when it comes out.

This is a draft blog post in progress. Do not rely in it for protection yet.

Opt out method 1: HTTP header in the site config

The header you need is Permissions-Policy, and looks like this:

Permissions-Policy: interest-cohort=()

In order to set that in Apache2 on Debian, I made a file called /etc/apache2/conf-available/floc.conf with the line

Header always set Permissions-Policy: interest-cohort=()

and then ran:

a2enconf floc.conf
apachectl graceful

I'm going to do this on all the sites where I have access to the web server config and can easily add a header.

Opt out method 2: for sites that can't set HTTP headers

Work in progress. The HTTP header is still the only way to opt out, since a meta tag won't work. (Discussion on the WICG/floc repository on GitHub.)

Testing

In the future, to check that it worked, I should be able to use the Permissions API. An example of a Permissions API query that works is this one, for how to check the Geolocation API permission:

// Check for Geolocation API permissions
navigator.permissions.query({name:'geolocation'})
    .then(function(permissionStatus) {
        console.log('geolocation permission state is ', permissionStatus.state);
  });

Right now when I do the a query for the name interest-cohort, I'm getting The provided value 'interest-cohort' is not a valid enum value of type PermissionName. but I'm sure that they'll get this fixed up before FLoC gets turned on in regular people's browsers. Anyway, will update as I get to test more.

Well that was interesting

I mess around with this kind of thing on a Saturday morning because I'm interested in web privacy, but seriously, opting out of half-thought-out site audience data exfiltration schemes should not have to be something that people with normal web sites have to worry about. Not everybody has a free Saturday morning to work on their personal site, and not every company has a massive open-plan office with armies of developers to throw at projects they need to do just to stay in the same place.

New York State Lawmakers Reintroduce CCPA-Like Data Privacy Legislation

On the Dangers of Stochastic Parrots:Can Language Models Be Too Big?

Why a tweet from California’s AG about a global privacy tool has companies scrambling

‘This is what monopolies do’: Nine slams Google News Showcase launch

This is the Democrats’ plan to limit Section 230

Google’s Cookie Replacement Means Nothing Has Changed

Google workers across the globe announce international union alliance to hold Alphabet accountable

Scott Galloway: Why 2021 will be a year of reckoning for Big Tech

Here's What Google Didn't Say In Its Promises About Our Privacy