WordPress Sees Google's Controversial FLoC Browser Cookie Replacement As A Security Threat

Google is on a mission to crumble the third-party cookie infrastructure that the web is largely based on, as it relates to lucrative targeted advertising efforts, and rebuild things with an initiative called FLoC, or Federated Learning of Cohorts. Not without controversy, Google's FLoC ad-tracking has drawn an antitrust probe. In addition, WordPress has proposed treating FLoC as a security threat.

Let's back up a moment, shall we? We covered what you need to know about FLoC, but to recap, it is part of an effort at Google to develop open-source "privacy-preserving technologies that make third-party cookies obsolete and enable publishers to keep growing their businesses and keep the web sustainable." How does FLoC do that?

Instead of tracking individuals, as third-party cookies do, FLoC puts users into groups, or cohorts, defined by their similarities in browser histories. A user's browsing history stays localized to their Chrome browser, so in theory data is not shared between websites or large corporations.

Google says Chrome will not create sensitive groups, leaving out certain topics such as religion, politics, and medical matters. But the overarching concern, as expressed by the Electronic Frontier Foundation, is that grouping people based on their browsing habits could have dire consequences, like employment and housing discrimination.

"This is in addition to the privacy concerns of tracking people and sharing their data, seemingly without informed consent—and making it more difficult for legislators and regulators to protect people," EFF said.

For these reasons, the EFF says "FLoC is a terrible idea." It seems WordPress agrees, and may end up treating FLoC as a security concern. That would be a pretty big deal, because WordPress is not a small operation.

"WordPress powers approximately 41 percent of the web—and this community can help combat racism, sexism, anti-LGBTQ+ discrimination and discrimination against those with mental illness with four lines of code," WordPress said.

From the vantage point of WordPress, blocking FLoC by default would not be detrimental to web developers who want to use it, because they are likely to have the technical prowess to override the proposed filter to WordPress Core.

"When balancing the stakeholder interests, the needs of website administrators who are not even aware that this is something that they need to mitigate—and the interests of the users and visitors to those sites, is simply more compelling," WordPress added.

In essence, WordPress is likely to block FLoC by default in future builds, with a few lines of code added to the mix. It also brought up the possibility of adding a toggle to enable websites to opt in, which would just require a few lines of additional code.

Interestingly, WordPress proposes treating FLoC as a security concern in order to back-port the block to previous versions "for the good of the community as a whole." The next build (version 5.8) is not scheduled for release until July, whereas Google is likely to begin rolling out FLoC this month.