WordPress may automatically disable Google FLoC on websites

WordPress announced today that they are treating Google’s new FLoC tracking technology as a security concern and may block it by default on WordPress sites.

For some time, browsers have begun to increasingly block third-party browser cookies [1, 2, 3] used by advertisers for interest-based advertising.

In response, Google introduced a new ad tracking technology called Federated Learning of Cohorts, or FLoC, that uses a web browser to anonymously place users into interest or behavioral buckets based on how they browse the web.

After Google began testing FLoC this month in Google Chrome, there has been a consensus among privacy advocates that Google’s FLoC implementation just replaces one privacy risk with another one.

“FLoC is meant to be a new way to make your browser do the profiling that third-party trackers used to do themselves: in this case, boiling down your recent browsing activity into a behavioral label, and then sharing it with websites and advertisers.”

“The technology will avoid the privacy risks of third-party cookies, but it will create new ones in the process. It may also exacerbate many of the worst non-privacy problems with behavioral ads, including discrimination and predatory targeting,” the Electronic Frontier Foundation (EFF) explained in a recent blog post.

Since then, other privacy browser and search engine developers, such as Brave Browser, DuckDuckGo, and Vivaldi, have all removed FLoC from their software or created tools to block it.

WordPress plans on blocking FLoC

In a new announcement today, WordPress states that they consider Google’s FLoC technology a security concern and they propose blocking the technology in future versions of the blogging software.

“WordPress powers approximately 41{cb3fe4c54de06d7c4b8dceae281fb32e521027d1659af7adec2f427d2f5333d9} of the web – and this community can help combat racism, sexism, anti-LGBTQ+ discrimination and discrimination against those with mental illness with four lines of code,” says WordPress.

WordPress plans to disable FLoC using the following four lines of code, which will cause the blogging platform to issue a HTTP request header tells the browser that FLoC should be disabled for the site.

function disable_floc($headers) {
    $headers['Permissions-Policy'] = 'interest-cohort=()';
    return $headers;
  }
 
add_filter('wp_headers', 'disable_floc');

WordPress explains that though some admins will likely want to enable this technology, those admins probably have the tech know-how to override the above code. WordPress also indicated that they might add a setting that allows admins to control whether FLoC is permitted.

However, WordPress’s concern is that those unaware of this new tracking technology will automatically opt into it without fully understanding what it entails. Therefore, it is in these users’ best interest for WordPress to automatically disable the technology.

“When balancing the stakeholder interests, the needs of website administrators who are not even aware that this is something that they need to mitigate – and the interests of the users and visitors to those sites, is simply more compelling,” WordPress explains.

WordPress states that this block is planned for WordPress 5.8, scheduled for release in July 2021, but is requesting feedback before implementing the proposed change.

As FLoC is expected to roll out sooner, WordPress is considering back-porting this code to earlier versions to “amplify the impact” on current versions of the blogging platform.

Update 04/19/21 06:10 AM EST:  Further clarified that this is a proposal.