Page MenuHomePhabricator
Create Task
Maniphest T279804

Visits to Wikimedia properties should not be used for Google ad targeting (FLoC)
Closed, ResolvedPublic
Actions

Description

Google Chrome (and Chromium, Microsoft Edge, etc.) browsers now track which websites users visit, and group users into "cohorts" of people who visit similar sites, so that Google can serve them targeted advertising based on their browsing history. See https://blog.malwarebytes.com/cybercrime/privacy/2021/04/millions-of-chrome-users-quietly-added-to-googles-floc-pilot/ and https://spreadprivacy.com/block-floc-with-duckduckgo/.

Site owners must opt-out of this behavior if they don't want visits to their site to be tracked, by sending the HTTP response header Permissions-Policy: interest-cohort=(). See https://github.com/wicg/floc#opting-out-of-computation.

Allowing visits to be tracked via FLoC is a privacy risk to our users. Although the resulting cohort IDs are meant to group users anonymously, it is possible to de-anonymize visitors using them. See e.g. https://github.com/WICG/floc/issues/100.

Details

SubjectRepoBranchLines +/-
P:tlsproxy::envoy: Add support to opt out of FLoCoperations/puppetproduction+27 -0
security: Add Google FloC out-out header to responseswikimedia/toolhubmain+39 -0
cloud-vps: opt-out of Google FLoC trackingoperations/puppetproduction+2 -0
toolforge: opt-out of Google FLoC trackingoperations/puppetproduction+2 -0
hiera - idp: opt out of FLoCoperations/puppetproduction+1 -0
varnish: add anti-FLoC header to responsesoperations/puppetproduction+8 -0
Customize query in gerrit

Related Objects

Event Timeline

Peter created this task.Apr 9 2021, 7:29 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 9 2021, 7:29 PM
Krenair subscribed.Apr 9 2021, 7:42 PM
Peachey88 subscribed.Apr 9 2021, 10:46 PM
Legoktm awarded a token.Apr 9 2021, 11:35 PM
taavi subscribed.Apr 11 2021, 10:57 AM
dpifke subscribed.Apr 15 2021, 3:27 PM
dpifke renamed this task from Block Chrome FLoC tracking by default for Wikipedia to Visits to Wikimedia properties should not be used for Google ad targeting (FLoC).Apr 15 2021, 3:35 PM
dpifke added a project: Traffic.
dpifke updated the task description. (Show Details)
Maintenance_bot added a project: SRE.Apr 15 2021, 3:45 PM
gerritbot added a comment.Apr 15 2021, 3:51 PM

Change 679866 had a related patch set uploaded (by Dave Pifke; author: Dave Pifke):

[operations/puppet@production] varnish: add anti-FLoC header to responses

https://gerrit.wikimedia.org/r/679866

gerritbot added a project: Patch-For-Review.Apr 15 2021, 3:51 PM
dpifke updated the task description. (Show Details)Apr 15 2021, 3:59 PM
gerritbot added a comment.Apr 15 2021, 4:34 PM

Change 679877 had a related patch set uploaded (by BryanDavis; author: Bryan Davis):

[operations/puppet@production] toolforge: opt-out of Google FLoC tracking

https://gerrit.wikimedia.org/r/679877

gerritbot added a comment.Apr 15 2021, 4:34 PM

Change 679878 had a related patch set uploaded (by BryanDavis; author: Bryan Davis):

[operations/puppet@production] cloud-vps: opt-out of Google FLoC tracking

https://gerrit.wikimedia.org/r/679878

Jdforrester-WMF subscribed.Apr 15 2021, 4:44 PM
greg subscribed.Apr 15 2021, 5:10 PM
ori subscribed.Apr 15 2021, 6:01 PM

Is the header needed at all?

https://github.com/WICG/floc/issues/45#issuecomment-781042491 says:

During the Origin Trial, the default for whether a page will be used for FLoC computation will be based on Chrome's existing infrastructure which detects pages that load ads-related resources. Our thinking here is that pages detected as including ads-related resources probably fetched something with an ads-related 3p cookie attached, which means it's reasonable to guess that the page visit contributes to some ads profile today.

Since the WMF doesn't serve ads (I don't think the fundraising banners count), I don't think WMF sites would be included, so the header would be just cruft (and extra bytes down the wire).

Disclosure: I work for Google, but I'm making this (and all other) comments in a personal capacity. I have no relevant insider knowledge and my observation is based purely on the public GitHub thread.

bd808 mentioned this in T280278: Add FLoC opt-out header.Apr 15 2021, 6:13 PM
gerritbot added a comment.Apr 15 2021, 6:16 PM

Change 679908 had a related patch set uploaded (by BryanDavis; author: Bryan Davis):

[wikimedia/toolhub@main] security: Add Google FloC out-out header to responses

https://gerrit.wikimedia.org/r/679908

dpifke added a comment.Apr 15 2021, 6:58 PM

Are the Google heuristics for "ads-related resources" public? Are changes to those heuristics (or to the FLoC "trial") announced in advance? Do we have the resources to monitor for changes to either in determining if this header is needed in the future?

If the answer to any of the above is no, I think it's worth 39 bytes of response payload to unambiguously signal that we don't want our users to be tracked. As a point of context, a fresh enwiki/Main_Page pageview is 1,057,815 bytes, so this is 0.0036% overhead. Assuming a 1,500 byte MTU, it does not affect the number of packets containing the initial response, so should have no effect on latency.

I would love if FLoC were to be made opt-in, or abandoned completely. If that should happen, reverting the patches proposed in this task is trivial.

dpifke added a comment.Apr 15 2021, 7:07 PM

I considered modifying the Varnish patch to not send the header to privacy-respecting user agents like Firefox, but Chrome is phasing out the User-Agent header, which makes doing so difficult at the traffic layer.

ori added a comment.Apr 15 2021, 8:03 PM
In T279804#7005424, @dpifke wrote:

Are the Google heuristics for "ads-related resources" public? Are changes to those heuristics (or to the FLoC "trial") announced in advance? Do we have the resources to monitor for changes to either in determining if this header is needed in the future?

If the answer to any of the above is no, I think it's worth 39 bytes of response payload to unambiguously signal that we don't want our users to be tracked. As a point of context, a fresh enwiki/Main_Page pageview is 1,057,815 bytes, so this is 0.0036% overhead. Assuming a 1,500 byte MTU, it does not affect the number of packets containing the initial response, so should have no effect on latency.

I would love if FLoC were to be made opt-in, or abandoned completely. If that should happen, reverting the patches proposed in this task is trivial.

I think these are all fair points and I agree with your conclusions.

gerritbot added a comment.Apr 15 2021, 10:49 PM

Change 679877 merged by Bstorm:

[operations/puppet@production] toolforge: opt-out of Google FLoC tracking

https://gerrit.wikimedia.org/r/679877

gerritbot added a comment.Apr 15 2021, 11:06 PM

Change 679878 merged by Bstorm:

[operations/puppet@production] cloud-vps: opt-out of Google FLoC tracking

https://gerrit.wikimedia.org/r/679878

fgiunchedi triaged this task as Medium priority.Apr 16 2021, 8:45 AM
Joe merged a task: T280377: Protect our users against Google-driven privacy breach via FLOC.Apr 16 2021, 4:06 PM
Joe subscribed.
Joe added a comment.Apr 16 2021, 4:08 PM
In T279804#7003701, @ori wrote:

Is the header needed at all?

https://github.com/WICG/floc/issues/45#issuecomment-781042491 says:

During the Origin Trial, the default for whether a page will be used for FLoC computation will be based on Chrome's existing infrastructure which detects pages that load ads-related resources. Our thinking here is that pages detected as including ads-related resources probably fetched something with an ads-related 3p cookie attached, which means it's reasonable to guess that the page visit contributes to some ads profile today.

Since the WMF doesn't serve ads (I don't think the fundraising banners count), I don't think WMF sites would be included, so the header would be just cruft (and extra bytes down the wire).

Disclosure: I work for Google, but I'm making this (and all other) comments in a personal capacity. I have no relevant insider knowledge and my observation is based purely on the public GitHub thread.

As I said in a task I opened, we surely don't, but a) we load per-wiki js which might be changed and b) we also serve a lot of third-party software (think of gerrit or jenkins) so I would consider it a "better safe than sorry" measure.

gerritbot added a comment.Apr 16 2021, 4:14 PM

Change 679908 merged by jenkins-bot:

[wikimedia/toolhub@main] security: Add Google FloC out-out header to responses

https://gerrit.wikimedia.org/r/679908

jenkins-bot mentioned this in rWTHU182396d78857: security: Add Google FloC out-out header to responses.Apr 16 2021, 4:15 PM
jbond subscribed.Apr 16 2021, 4:18 PM
MoritzMuehlenhoff subscribed.Apr 16 2021, 4:53 PM
Dwisehaupt added a project: fundraising-tech-ops.Apr 16 2021, 5:23 PM
Dwisehaupt moved this task from Triage to Watching on the fundraising-tech-ops board.
Dwisehaupt subscribed.Apr 16 2021, 5:30 PM

Header added to fundraising nginx templates and deployed.

[frack::puppet] 58ed92cf Add Permissions-Policy header (Google FLoC)
gerritbot added a comment.Apr 16 2021, 8:47 PM

Change 679866 merged by BBlack:

[operations/puppet@production] varnish: add anti-FLoC header to responses

https://gerrit.wikimedia.org/r/679866

dpifke closed this task as Resolved.Apr 16 2021, 10:02 PM
dpifke claimed this task.
gerritbot added a comment.Apr 19 2021, 1:45 PM

Change 681085 had a related patch set uploaded (by Jbond; author: John Bond):

[operations/puppet@production] P:tlsproxy::envoy: Add support to opt out of FLoC

https://gerrit.wikimedia.org/r/681085

gerritbot added a comment.Apr 19 2021, 2:12 PM

Change 681085 merged by Jbond:

[operations/puppet@production] P:tlsproxy::envoy: Add support to opt out of FLoC

https://gerrit.wikimedia.org/r/681085

gerritbot added a comment.Apr 19 2021, 4:53 PM

Change 681130 had a related patch set uploaded (by Jbond; author: John Bond):

[operations/puppet@production] hiera - idp: opt out of FLoC

https://gerrit.wikimedia.org/r/681130

gerritbot added a comment.Apr 19 2021, 4:55 PM

Change 681130 merged by Jbond:

[operations/puppet@production] hiera - idp: opt out of FLoC

https://gerrit.wikimedia.org/r/681130

Daniel_Mietchen awarded a token.May 10 2021, 10:02 PM
Jgreen moved this task from Watching to Done on the fundraising-tech-ops board.May 17 2021, 2:38 PM
Krinkle mentioned this in T312823: Remove obsolete "Permissions-Policy: interest-cohort" header.Jul 29 2022, 11:01 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits