WordPress may ban Google FLoC over security fears


WordPress may treat Google’s proposals to replace third-party cookies with a Federated Learning of Cohorts (FLoC) mechanism for recording browsing history as a potential security risk.

A post on the WordPress Core development team blog has urged the platform to consider banning FLoC because, the post argues, this replacement for third-party cookies unethically places people into groups based on their browsing habits.

Any such move would be significant because WordPress powers 41% of platforms across the web, according to the organisation, and it would add weight to a growing list of entities strongly opposed to the introduction of Google’s FLoC.

A string of popular web browsers, including Mozilla’s Firefox, Opera, Brave and Edge, have all opted out of the FLoC experiment, according to The Verge. Trials set to take place in the EU, meanwhile, have been delayed because of concerns they violate GDPR, according to Adexchanger.

Google has proposed FLoC as an alternative to third-party cookies to refine the process of using data to target web users with tailored adverts. Under this system, the browser itself profiles users in the way that third-party trackers used to, assigning a label to each user based on their behaviour, before sharing these labels with other websites and advertisers.


The likes of the Electronic Frontier Foundation (EFF) have complained that it exacerbates the worst tendencies of third-party cookies, while also allowing organisations and governments to discriminate against individuals.

The post calls for WordPress to brand this a security risk because this practice “is likely to facilitate employment, housing and other types of discrimination, as well as predatory targeting of unsophisticated consumers.”

The proposal, which is only being considered at present, would involve automatically blocking FLoC support from all its websites by default, with administrators able to opt in at a later date by making changes themselves. The only way to roll out an automatic block is by considering FLoC as a security issue, not an ethical issue.

Simon Dickson, who used to manage the WordPress VIP enterprise services team, clarified that nothing has yet been agreed, although the matter is under discussion.

"Framing it as a security concern is understandable, but problematic," he added. "As several influential folks have noted already, 'security updates' are there to fix something that's demonstrably broken. People should feel able to apply them without (much) consideration.

"This will be an interesting test of WordPress's commitment to an open web. With 40% of the web running our software, what responsibility do we feel to respond to developments like this? And do we have appropriate decision-making structures to make that call?"

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.