New trick to block Chrome’s FLoC

👉 TL;DR - Add this script tag inside the <head> tag on your website’s HTML:

<script type="application/javascript">document.interestCohort = null;</script> 👈

Example HTML file showing how to include a monkey patch script to disable Chrome FLoC API's 'interestCohort' function.

Google is testing a new ad targeting mechanism called the Federated Learning of Cohorts (FLoC). FLoC tracks which websites a Chrome browser visits, and uses that to generate an ID that can then be shared with ad servers for the purposes of behavioral ad targeting. If you use Chrome and visit sites about sports and right-wing media, you will likely end up with a different FLoC ID than a user who visits sites about gardening and left-wing media. FLoC is different from other behavioral targeting ad tech systems (such as third party cookies), in that it uniquely resides within the core of the Chrome browser.

As of April 16th, 2021, the only mechanism, publicly provided by Google, that allows a website owner to opt-out of FLoC is by configuring a web server HTTP response header. This “Permissions-Policy” header must be set to “interest-cohort=()” to disable FLoC on a given website for all Chrome users who visit the site. Setting this header indicates that your site does not want to be included in the list of sites for a Chrome user’s cohort calculation. A previous Adalytics research study found that fewer than 0.1% of websites had opted-out of FLoC as of early-April 2021 using this mechanism.

Example of how to configure the "Permissions-Policy" HTTP response header to disable Google Chrome's FLoC API from working on a specific website.

Web developer Paramdeo Singh published a detailed blog post on how different web server technologies, such as Nginx, Lighttpd and Netlify, can be configured to include the FLoC opt-out Permissions-Policy header. Plausible Analytics released a blog article showing how Apache web servers can opt-out of FLoC via the .htaccess configuration file. Roy Tanck published a WordPress plugin that adds the opt-out header to WordPress sites, and Joshua Lowcock wrote a guide about how the WordPress HTTP headers plugin can be configured to similar effect.
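Whichever server or plugin sets the header, the thing worth verifying afterwards is the header value itself: the opt-out only takes effect when the interest-cohort directive carries an empty allowlist, "()", not "(self)" or some other origin list. The following checker is an added example written for this post, not code from Adalytics or from any of the projects named above; it parses a Permissions-Policy value (a comma-separated list of name=allowlist pairs) and reports whether it opts the site out of FLoC. The sample header values are constructed for illustration.

```javascript
'use strict';

// Parse a Permissions-Policy header value into a map of directive name -> allowlist
// string. Allowlists are parenthesised and space-separated, so a comma only ever
// separates directives. Whitespace inside the parentheses is removed so that
// "( )" and "()" compare equal. Header values that are null or not strings are
// treated as an absent header and yield an empty map.
function parsePermissionsPolicy(headerValue) {
  const directives = new Map();
  if (typeof headerValue !== 'string') return directives;
  for (const rawItem of headerValue.split(',')) {
    const item = rawItem.trim();
    if (item === '') continue;
    const eq = item.indexOf('=');
    if (eq === -1) continue;                       // malformed entry, ignore it
    const name = item.slice(0, eq).trim().toLowerCase();
    const allowlist = item.slice(eq + 1).replace(/\s+/g, '');
    directives.set(name, allowlist);
  }
  return directives;
}

// True only when the header explicitly sets interest-cohort to the empty allowlist.
// A directive that names any origin (for example "(self)") does not opt the site out.
function permissionsPolicyOptsOutOfFloc(headerValue) {
  const directives = parsePermissionsPolicy(headerValue);
  return directives.get('interest-cohort') === '()';
}

// Constructed sample values, as a server might emit them, mapped to the expected verdict.
const SAMPLE_HEADERS = [
  ['interest-cohort=()', true],
  ['geolocation=(self), interest-cohort=( )', true],
  ['interest-cohort=(self)', false],            // allows the site's own origin: not an opt-out
  ['geolocation=(), camera=()', false],         // header present but no FLoC directive
  [null, false],                                // no Permissions-Policy header at all
];

// Run every sample through the checker and return how many verdicts matched.
function checkSamples() {
  let matched = 0;
  for (const [value, expected] of SAMPLE_HEADERS) {
    const verdict = permissionsPolicyOptsOutOfFloc(value);
    console.log(`${String(value).padEnd(42)} -> opted out: ${verdict}`);
    if (verdict === expected) matched += 1;
  }
  return matched;
}

checkSamples();
```

Run it against the value of the Permissions-Policy header your own site returns (copied from the Network tab of the browser's developer tools, or from a curl -I response) to confirm that the plugin or server rule you installed actually produced "interest-cohort=()".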

However, all of these implementation solutions may prove unfeasible for website owners who do not have control over their site’s HTTP response headers, such as those that use a managed hosting provider. Your humble correspondent falls in this category and has contacted Adalytics’ web host to inquire about having them configure this header.

Tweet from privacy researcher Zach Edwards, showing how most website owners are not opting out of FLoC Origin trials in Chrome. In many cases, they are unable to opt-out because they do not control their web server's response header configurations.

As of April 16th, there is another way, which has not received official acknowledgment from Google, to block FLoC from incorporating a specific website into a user’s FLoC ID. As I mentioned in my previous Adalytics blog post, a website owner can apply a technique called “monkey patching”, where they (temporarily) modify the behavior of the FLoC API on a guest’s Chrome browser for the duration of their site visit.

This technique does not require setting an HTTP response header. Instead, it involves changing the underlying behavior of the Chrome browser API on a given website. This can be done simply by inserting the following JavaScript tag at the beginning of the <head> section of a website:

<script type="application/javascript">document.interestCohort = null;</script>

Example HTML file showing how to include a monkey patch script to disable Chrome FLoC API's 'interestCohort' function.

The technique is based on an observation by information security researcher Jonathan Foote, who previously demonstrated how monkey patching the “interestCohort()” function can be used to artificially generate any FLoC ID for a given user.

By including this script tag at the top of a website’s code, the “interestCohort” function that is used to invoke the FLoC API on a given webpage will no longer do anything. If any third-party JavaScript tries to invoke the FLoC API, an error will be silently printed to the Chrome Developer Tools console.
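The one-line patch shadows the API with a plain assignment, which a later script on the page could in principle assign over again, and it only shadows the instance, not Document.prototype where Chrome defines the method. The example below is added for this post, not code from Adalytics or from Google, and shows a slightly more robust form of the same patch: it defines interestCohort as null on both the document and its prototype as a non-writable, non-configurable property, then verifies that the patch holds. Because it is meant to run outside a browser, the document object and its prototype are constructed stand-ins whose names (makeFakeDocument, disableInterestCohort, probeInterestCohort, patchHeld) are all assumptions of this example.

```javascript
'use strict';

// Install the patch on the given document object and, when supplied, on its
// prototype. Defining the property as non-writable and non-configurable means a
// later assignment or delete from another script on the page is ignored (or throws
// in strict mode) instead of restoring the API. Returns how many objects were patched.
function disableInterestCohort(doc, proto) {
  const spec = { value: null, writable: false, configurable: false, enumerable: false };
  const targets = proto ? [doc, proto] : [doc];
  for (const target of targets) {
    Object.defineProperty(target, 'interestCohort', spec);
  }
  return targets.length;
}

// Probe the API the way a page script would (document.interestCohort()) and return
// a status string rather than throwing: 'blocked' when the property is not callable,
// 'available' when a call succeeds, 'error' when the call itself throws.
function probeInterestCohort(doc) {
  if (typeof doc.interestCohort !== 'function') return 'blocked';
  try {
    doc.interestCohort();
    return 'available';
  } catch (e) {
    return 'error';
  }
}

// Verify the patch survives a later plain assignment. Under strict mode the
// assignment to a non-writable property throws, which is caught here; in sloppy
// mode it is silently ignored. Either way the property must still be null.
function patchHeld(doc) {
  try {
    doc.interestCohort = function restored() {};
  } catch (e) {
    // expected: non-writable property rejects the assignment in strict mode
  }
  return doc.interestCohort === null;
}

// Constructed stand-in for Chrome's document: the FLoC method lives on the prototype
// and, like the real API, returns a promise for a cohort object. Sample values only.
function makeFakeDocument() {
  const proto = {
    interestCohort() {
      return Promise.resolve({ id: '12345', version: 'chrome.1.0' });
    },
  };
  const doc = Object.create(proto);
  return { doc, proto };
}

// Walk through the whole sequence and return the observed statuses for inspection.
function demo() {
  const { doc, proto } = makeFakeDocument();
  const before = probeInterestCohort(doc);
  disableInterestCohort(doc, proto);
  const after = probeInterestCohort(doc);
  const held = patchHeld(doc);
  console.log({ before, after, held });
  return { before, after, held };
}

demo();
```

In a real page the same two calls are disableInterestCohort(document, Document.prototype), placed in the first script of the head so it runs before any third-party tag. The console screenshot in the post is the browser-side equivalent of probeInterestCohort returning 'blocked'.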

Chrome Developer Tools screenshot, showing that no cohort ID is accessible on a website that includes the monkey patch script.

Additionally, checking a given computer’s hard drive for FLoC-related files under the FLoC Application folder will show that no FLoC ID was computed (or changed) when a user visited that given website.

Terminal screenshot showing that no FLoC ID is generated or updated on sites that include the monkey patch script. This screenshot was generated after visiting a website using Chrome with FLoC API invocations enabled, and through the following terminal command: "cat ~/Library/Application\ Support/Google/Chrome/Profile\ 1/Preferences | jq .federated_learning"

Conclusion

As a previous Adalytics research post noted, the vast majority of websites have not opted-out of FLoC yet. In some cases this may be an active decision, but in others, it may be because website owners cannot change their HTTP headers.

For website owners who cannot change their HTTP response headers, using this monkey patch script tag may prove to be a working alternative to opt-out of FLoC for Google Chrome.

This approach is conditional upon how the FLoC API works in Google Chrome v89, as of April 17, 2021. Future releases of Chrome may change how the FLoC API operates, in which case it may no longer be possible to use this simple technique.

If you are a data privacy, ad tech, or IT researcher who has any feedback or suggestions regarding this opt-out approach, please feel free to reach out on Twitter @kfranasz or via the Adalytics contact form.
