Google’s ‘pro-privacy’ FLoC squawks when Chrome goes Incognito: Websites can sense when you’re trying to lurk
Updated Google’s effort at “building a privacy-first future for web advertising” already looks like it will require some privacy retrofitting.
The internet titan’s interest-based ad-targeting technology, Federated Learning of Cohorts (FLoC), ostensibly intended to provide a more privacy-friendly alternative to third-party tracking cookies, has a privacy flaw, according to Dr Lukasz Olejnik, an independent privacy researcher and consultant.
“Unfortunately, it seems that FLoC contains a privacy design bug that leaks the information about whether the user is browsing in private mode (Incognito) or not,” Olejnik wrote in a blog post on Monday, noting that he’d spotted a similar Incognito detection bug in another API.
Incognito mode is supposed to prevent online histories from being recorded in the browser’s local log and to erase local HTTP cookies and site data from memory at the end of a session. Its purpose is to hide actions from other people using the same browser.
Google says once third-party cookies are toast, Chrome won’t help ad networks track individuals around the web
But Chrome’s private browsing mode doesn’t conceal information from websites being visited. The service’s name, however, suggests otherwise and Google was sued in June, 2020, for allegedly collecting data from Incognito Chrome users. A federal judge in California recently allowed the lawsuit to proceed, despite Google’s effort to have it tossed.
While Incognito mode isn’t intended to provide anonymity, it is supposed to prevent websites from detecting whether online visitors are using it. Prior to Chrome 76, released July 30, 2019, it was possible to detect whether a Chrome user had Incognito mode activated.
Publishers have taken advantage of this to implement Incognito mode detection to enforce their metered access mechanisms. The ability to detect Incognito mode also represents another data point that can be used for building a browser fingerprint, an identifier calculated from detectable browser features.
Google considers Incognito mode detection to be abuse and aimed to fix it in Chrome 76 by altering the browser’s FileSystem API, the mechanism used to infer Incognito state. But its modification attempt fell short after two separate security researchers identified ways around the changes. These gaps weren’t closed until Chrome 81.
Google has said it plans to phase out third-party cookies in 2022 and implement a set of still-incomplete technologies, some from ad tech partners, that constitute what the Chocolate Factory calls its Privacy Sandbox.
FLoC of seeing sites?
One of these, FLoC, provides a way to present Chrome users with online ads targeted at their general interests. When FLoC is widely implemented, web sites will be able to request a visitor’s interest cohort, which will be returned in the form of an identifier.
The identifier, Olejnik, explains, is obtained by generating a SimHashed fingerprint which provides a way to evaluate set similarity. The cohort ID is derived from the user’s interests as expressed in their web browsing history. Thousands of people will share the same cohort ID, which might be something like “498413426628.” The general idea is that FLoC will identify interest groups (e.g. jazz fans) without exposing individual identities or website visits.
But FLoC, scheduled for broader testing in Chrome 90 next month, isn’t yet watertight.
“This information leak works because when browsing in Incognito a call to document.interestCohort()
results in an exception,” explains Olejnik.
As he points out, Google acknowledges as much in its FLoC Security and Privacy Self-Review, stating making a FLoC identifier request while in Incognito mode would throw an error, just like the API is supposed to do when an individual’s cohort is not eligible to be calculated or blocked, which can happen currently if the browser is set to block third-party cookies.
In response to Olejnik’s Chromium bug report, Google senior software engineer Josh Karlin disputes Olejnik’s characterization of the issue.
“Note that this isn’t an Incognito detector, in that there are several circumstances in which we’d throw [an error],” he said citing in addition new users with no FLoC data, lack of enough recent browsing history to create a FLoC id, a FLoC associated with sensitive material, and users who have opted out of Privacy Sandbox APIs.
However, the bug report suggests Google engineers intend to make some changes. The Register asked Google for comment but we’ve not yet heard back. ®
Updated to add
“Federated Learning of Cohorts (FLoC) is designed to preserve the privacy of individuals by default and will not reveal if a user is in Incognito mode,” a Google spokesperson said. “We have not launched FLoC and the researcher turned on unsupported features in Chrome.”
READ MORE HERE