Google’s FLoC came under more pressure as WordPress discussed a proposal to block it as a security threat
WordPress discussed a proposal to block Google’s new user tracking scheme called FLoC. While most expressed support others raised valid concerns. No decision has been made to block FLoC. Discussions will continue in the official WordPress Slack channel.
There have been many articles inaccurately saying that WordPress was blocking FLoC.
As we initially reported, WordPress has not made a decision.
Matt Mullenweg tweeted a statement confirming that no decision has been made.
Contrary to headlines, “WordPress” hasn’t made any decisions or changes yet with regards to #FLoC. It is more correct to say there is a proposal from a WP contributor to block FLoC by default. https://t.co/YNRYuFWoaZ
— Matt Mullenweg (@photomatt) April 19, 2021
Being able to track what people are interested in by using third party cookies is lucrative for Google. Ads targeted by user interest are said to convert at a higher rate are are thus more valuable to both advertisers and Google because these kinds of ads can be sold at a premium.
But third party cookies are going away because many browsers are already blocking them automatically.
Google responded to the slow death of third party cookie tracking by rolling out a new way to track users called, Federated Learning of Cohorts (FLoC).
FLoC is an anonymous way to assign an interest to people based on their browsing patterns. Those browsing patterns are used to categorize users into user interest buckets.
That has inspired alarming articles from sites like the Electronic Frontier Foundation which decried it as “terrible idea.”
Competitors to Google and it’s Chrome browser (Brave, DuckDuckGo, and Vivaldi) have also taken action to block FLoC and render it unable to track users.
They have called FLoC “nasty” and claim that it enables “discrimination” and is a “dangerous step that harms user privacy.”
Developers have also already published two plugins that block FLoC from WordPress.
As mentioned earlier, no firm decision has been made to block FLoC. The official WordPress core developers are discussing a proposal to block FLoC. So it’s not a done deal.
Some in the developer community questioned the suggestion of adding FLoC blocking to previous older versions of WordPress that publishers are still using, citing that it might undermine trust.
“Love the feature idea, it will need work. Practically it won’t be easy to back port, it has potential to damage the trust in automatic updates.”
Someone else agreed that FLoC should be treated as a security update but that they had concerns about making the opt-out something noticeable and with a clear explanation of what WordPress is doing.
This is an important point because some users may want to opt back in if opting out impacts their ad revenue earnings through the Google AdSense program.
“It makes sense to treat it as a security, matter. And, in principle, I agree with @roytanck that it should add the opt-out header by default, but seeing there is (kinda) a tradition in WordPress to let the user decide and if it is not opt-out by default, WP should highlight this issue and present it in a very clear noticeable… notice when the update is released and a very clear help message in the settings pages in the future versions.”
However others questioned the reasoning behind calling this a security update.
“While I agree with the overall sentiment here, I think it is a mistake to treat this as a security update and risks abusing user trust in automatic updates. To call it a security update appears to me to be intentionally misusing the term in order to roll it out via automatic updates.
The implicit contract with users for security autoupdates is that they are used in order to protect the user from their site …being compromised imminently. This isn’t the case with FLoC, and may in some cases damage the site’s behaviour.”
That commenter followed up by labeling the action against FLoC a political statement and questioned calling it a security update:
“I’m on board for the political statement of countering Chrome’s encroachment on privacy, as well as the alignment of this with WP’s values generally, but making this change as a “security” update is a step too far.”
That person wasn’t alone in questioning calling it a security threat.
Someone else asked:
“Can someone even explain, providing concrete facts not just assumptions, as to how having a browser be part of a group of hundreds of thousands of similar other browsers for a week is a security threat?”
Another commenter similarly questioned calling this a security threat:
“If WordPress treats FLoC as a security concern, how would it justify letting users opt in? Security fixes are unilateral by definition, users don’t get to opt back in to the threat that was eliminated.”
Someone else questioned blocking FLoC while historically turning a blind eye to the arguably more invasive third party cookies.
“Where do we draw the line at what WordPress should be blocking in core for privacy?
Should WordPress block ALL third party tracking cookies like Facebook too?”
It was also suggested later on that this may be an issue for the individual to deal with, not for WordPress, similar to how WordPress is neutral about third party tracking cookies.
“This sounds like an individual privacy concern, and not something that WordPress – as a neutral publishing platform that can be used to share whatever where ever you want, should take a stance on.
WordPress doesn’t block other forms of browser tracking, why should this be any different? WordPress allows you to use an unscrupulous ad provider on your site, but importantly it doesn’t prevent you from using it either.”
Changes to WordPress are discussed within the developer community, sometimes beginning with a proposal. Proposals are not always carried out.
It may be misinformation and clickbait to claim that WordPress has made a firm decision to block FLoC. There are many technical issues to be worked out such as whether or not this is a security issue, whether it should be backported to earlier versions of WordPress (as a “security fix”) as well as deciding whether it’s even WordPress’ place to take a stand against FLoC seeing how WordPress was neutral about third party tracking.
Nevertheless, blocking FLoC appears to have overwhelming support both inside the core developer group and anecdotally outside it in the general WordPress developer community.
How to disable FLoC in @WordPress https://t.co/emgRqU3rkR pic.twitter.com/WY6eR3RZc6
— Jon Henshaw (@henshaw) April 18, 2021
WordPress Proposal Discussion
Proposal: Treat FLoC as a security concern
Electronic Frontier Foundation
Google’s FLoC Is a Terrible Idea
Brave Browser Blocks FLoC
DuckDuckGo Publishes a Browser Extension to Block FLoC
Vivaldi Browser Rejects FLoC
Get our daily newsletter from SEJ’s Founder Loren Baker about the latest news in the industry!
Roger Montti is a search marketer with over 20 years experience. I offer site audits, phone consultations and content and … [Read full bio]
Subscribe to our daily newsletter to get the latest industry news.
Subscribe to our daily newsletter to get the latest industry news.