> and that's not even considering other sources of entropy, like user agent or screen size.
As a reminder: Chrome sends 16 bits of x-client-data with every HTTP request aimed at Google servers. So they already have half the bits they need to uniquely identify your system without FLoC.
Saying "well they could be lying" kinda makes the whole discussion moot, doesn't it? Why even bother talking about FLoC because they could be lying about that too.
Because neither Facebook nor Google is a single monolithic decision-maker that understands what it itself is doing. Instead, they're fragmented organizations with many different groups with competing interests and goals within them.
More concretely, I think it's easy to believe that:
- The Facebook software developers and product managers who originally built and promoted phone 2FA were being earnest when they said the data would never be used for advertising.
- Some number of years later, someone elsewhere in the organization successfully got themselves access to that information without the knowledge/approval of the first group of people--who in all likelihood don't even work at Facebook anymore--and broke that original promise.
Throwing your hands up in the air and crying "well if they're lying, then all is for naught!" ignores the fact that large organizations act in complex ways, and even if you assume good faith on behalf of the current set of actors, you still need to push for systems which remain ethical and safe if some future set of actors turns out to be complete scumbags.
Irrespective of whether they're telling the truth or lying, saying Chrome sends 16 bits of x-client-data that can be used to identify you means Chrome sends 16 bits of x-client-data that can be used to identify you.
FLoC is open source in Chromium. They're not lying about that. What they do with Google-specific information originating from Chrome is where skepticism applies.
I don't really understand this mindset. Google controls Chrome. They openly track every page you visit and show it to you at https://myactivity.google.com/.
It's possible that Google is tracking you with FLoC or with extra HTTP headers or whatever. But they're also openly tracking you all the time anyway because you use Chrome. If you don't trust them to use the data they collect responsibly, don't use Chrome. (I'm not saying you shouldn't pressure Chrome to collect less data, I'm saying it doesn't make any sense to theorize about secret HTTP header fingerprinting operations when they're making literally no effort to hide the much bigger data collection operation right in front of you.)
My guess is they are still tracking you. Kind of like how fb creates shadow profiles for people who don't have an account. So they do all the same tracking, you just don't get to see it in a nice dashboard!