President Barack Obama’s White House was exceptionally close to Google, but until March 2021, when Politico reported on 312 pages of confidential memos showing that the antitrust regulators appointed by Obama declined to sue Google for spurious reasons, most of the world had no clue what Google gained from that relationship.
In the four years since President Obama left office, the world’s understanding of Google’s past behavior, private lobbying, and problematic advertising practices has crystallized and has been the focus of multiple government investigations.
We learned from the massive multistate attorneys general investigation that Google and Facebook made a secret deal to reduce competition in advertising systems, and that the two companies continue to share user data.
Google has also been fined multiple times in Europe under the GDPR for privacy violations, and there are antitrust investigations into Google’s deals in several countries, with Australia the most recent to take up the fight.
There are countless Google scandals that could fill page after page, but the core lesson of Google's recent history can be summed up as: “Don’t trust Google to look out for your best interests.”
It should also come as no surprise that Google launched a new advertising product in 2021 that crosses numerous grey lines into “five alarm territory”: an automated audience-creation product called FLoC (Federated Learning of Cohorts) that uses the websites viewed in the Chrome browser to group users together automatically. Nearly every site is included in these calculations; a site merely has to make “ad related calls”, which Google engineers have indicated would include attribution scripts, not just pages with banner ads.
Because FLoC is built from Google's aggressive harvesting of Chrome browsing history, nearly all major U.S. government websites are suddenly having their users grouped together. This hidden grouping of users without their awareness is a national security emergency, and large organizations like WordPress, the Brave browser, Microsoft, Mozilla and Vivaldi have all expressed strong concerns and have either disabled FLoC in their own browsers or moved to proactively send an “opt-out” signal to reduce its ability to profile their users.
Currently, it appears that the Joe Biden White House and the relevant federal cybersecurity agencies have sent out *zero warnings to federal employees, especially federal employees operating outside the U.S.*, letting them know about FLoC and urging them to be careful about using the Google Chrome browser because of the new tracking built into the browser itself.
Currently, it also appears that neither the White House nor any other federal agency website is sending the FLoC opt-out response header, “Permissions-Policy: interest-cohort=()”, from their servers (process described here). This is a dangerous technical choice that puts .gov website visitors who use Chrome at risk of being profiled based on the government services or websites they use.
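As an added example (not code from the original post, and not Google's own tooling), here is a small Python check that parses a server's Permissions-Policy response header and reports whether it actually opts the site out of FLoC cohort calculation, i.e. whether it carries the “Permissions-Policy: interest-cohort=()” value Google documented for the origin trial. The sample responses inside it are constructed for illustration, not captured from any real .gov server, and the rule it uses for merging several Permissions-Policy headers (any explicit allowlist for interest-cohort anywhere cancels an opt-out) is a conservative choice of this example, not something taken from the Permissions Policy specification.

```python
"""
Check whether HTTP response headers opt a site out of FLoC cohort calculation.

Added example, not code from the original post or from Google. The opt-out
header Chrome honoured during the FLoC origin trial is:

    Permissions-Policy: interest-cohort=()

The sample responses below are constructed for illustration; none were
captured from a real .gov server.
"""
import sys
import urllib.request
from typing import Dict, Iterable, List, Tuple

HEADER = "permissions-policy"
FEATURE = "interest-cohort"


def _split_directives(value: str) -> List[str]:
    """Split a Permissions-Policy value on commas that are not inside an
    allowlist, so 'a=(self "https://x.example"), b=()' yields two parts."""
    parts, cur, depth = [], [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_permissions_policy(value: str) -> Dict[str, str]:
    """Map each feature name (lower-cased) to its raw allowlist string."""
    policy: Dict[str, str] = {}
    for directive in _split_directives(value):
        name, _, allowlist = directive.partition("=")
        policy[name.strip().lower()] = allowlist.strip()
    return policy


def floc_opted_out(headers: Iterable[Tuple[str, str]]) -> bool:
    """True only if some Permissions-Policy header sets interest-cohort to the
    empty allowlist '()' and no header grants it to anyone.

    Merge rule chosen for this example (an assumption, not taken from the
    Permissions Policy spec): any non-empty allowlist anywhere means the site
    is NOT opted out, even if another header says '()'.
    """
    opted_out = False
    for name, value in headers:
        if name.lower() != HEADER:
            continue
        allowlist = parse_permissions_policy(value).get(FEATURE)
        if allowlist is None:
            continue
        if allowlist.replace(" ", "") == "()":
            opted_out = True
        else:
            return False
    return opted_out


# Constructed sample responses: header lists as a server might return them.
SAMPLE_RESPONSES: Dict[str, List[Tuple[str, str]]] = {
    "opted_out": [("Content-Type", "text/html"),
                  ("Permissions-Policy", "interest-cohort=()")],
    "mixed_policy": [("permissions-policy",
                      'geolocation=(self "https://maps.example"), interest-cohort=()')],
    "no_header": [("Content-Type", "text/html")],
    "other_feature_only": [("Permissions-Policy", "camera=()")],
    "granted_to_self": [("Permissions-Policy", "interest-cohort=(self)")],
    "conflicting": [("Permissions-Policy", "interest-cohort=()"),
                    ("Permissions-Policy", "interest-cohort=(self)")],
}


def audit(responses: Dict[str, List[Tuple[str, str]]]) -> Dict[str, bool]:
    """Run the check over a batch of responses, e.g. one per .gov site."""
    return {site: floc_opted_out(hdrs) for site, hdrs in responses.items()}


def check_url(url: str) -> bool:
    """Fetch a live page (urlopen follows redirects) and check the final
    response's headers. Network access is needed only when this is called."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return floc_opted_out(resp.getheaders())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for url in sys.argv[1:]:
            print(url, "opted out" if check_url(url) else "NOT opted out")
    else:
        for site, ok in audit(SAMPLE_RESPONSES).items():
            print(f"{site:20s} {'opted out' if ok else 'NOT opted out'}")
```

Run it with no arguments to see the constructed samples, or pass one or more URLs to check live responses. Two caveats a practitioner would want: the header has to be present on the final response after any redirects and on every page of the domain, since Google's own documentation ties inclusion to the domain rather than to an individual page; and a check like this only tells you whether the opt-out is being sent, not whether a given Chrome build honours it.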
And since FLoC is such a new technology, and Google seems not to have warned any local, state, or federal agency about this potential user-tracking technology, it is nearly impossible for CISA, the FBI, the CIA or any other federal security agency to confidently conclude that FLoC doesn’t have new vulnerabilities that could be known to or exploited by foreign adversaries.
New user-tracking tech shouldn’t be tested on .gov websites, period.
The world knows that Chrome is now grouping users together based on which domains and websites they view. This is an outrageously dangerous opportunity for a foreign adversary to find a zero-day within this new tracking infrastructure built into Chrome and then deanonymize foreign intelligence assets who mistakenly use the most popular browser in the world to view a .gov website or resource.
As it stands, it’s unclear whether the Joe Biden White House will continue to give Google preferential treatment, and whether Biden’s team will ignore Google FLoCing most, if not all, federal government website visitors. It’s very unfortunate that the Obama/Biden White House deferred to Google on hugely important issues, and while the Biden White House has made some strong choices on its FTC nominees, there is still no indication that Google isn’t fully in control of the day-to-day messaging from the White House itself.
Only time will tell whether the Joe Biden White House decides to protect .gov website visitors, and whether it or a cybersecurity agency within the administration decides to issue a warning about FLoC.
Guidance should be sent to all .gov website administrators on how and why they should issue the FLoC opt-out response header for all website visits going forward. If this warning isn’t sent, you can assume that the Biden White House deferred to Google on this and decided not to “rock the boat”, just as with the FTC decision during the Obama administration.
Until Google clarifies a safer process that doesn’t automatically group .gov website visitors into hidden cohorts, elected officials should consider FLoC a national security risk.
And if days and weeks go by without any response from the Biden White House, we should consider it a government-wide emergency stemming from the Biden administration’s inability to grasp FLoC and its team’s history of deferring to Google on complex privacy matters.
The public had no clue that the Obama/Biden administration “gave Google a free pass”, and it took nearly eight years for that to come to light.
Will we eventually find out that the Biden/Harris administration gave Google a free FLoC pass too?
UPDATE 4/21/2021: Google has pushed back on claims that “every website will be FLoC’d”, so it’s important to point out that Google’s own FLoC documentation notes that “A domain name is included if some page on that domain” loads ad-related resources (as matched by the EasyList++ rules). This means that if any one page on a domain fires advertising scripts, the entire domain, and any visit to any page on that domain, will likely be classified in FLoC. Read Google’s documentation on this here. I’ve also got a brief thread on Twitter about this ongoing confusion.