DEV Community


Posted on • Originally published at

Opting Out of Google's Federated Learning of Cohorts (FloC) with Traefik 2

Google has recently announced it will start tracking the visitors of your website even if you're not using Google Analytics or Adsense.
Plausible sums it up pretty good, in short:

They put all chrome users in so called "cohorts" which each represent some group of interest.
Basically, they stop following individuals through the internet but instead just let the chrome browser do the profiling and targeting for them based on the sites they've viewed in the past.
The browser then sends a "cohort" identifier to the websites it visits, telling the website (or rather, the ad network used on it) what group that user is part of to show them more relevant ads.

While Google uses this move as a privacy friendly manner by banning third-party cookies (which in itself is a good move) they're essentially abusing their monopoly power as the company building the biggest browser and the biggest ad network.
I'll leave it to the eff to explain in detail why this is such a bad idea.

Opting out of FloC as a website owner

FloC is opt-out which means as a website owner, you will need to do something to avoid having your website and its visitors contribute to cohorts rather than opt-in where you would need to include a google script or something like that.
You can do so by sending a Permissions-Policy header:

Permissions-Policy: interest-cohort=()
Enter fullscreen mode Exit fullscreen mode

Traefik has a middleware to add custom headers which I'll use to send the Permissions-Policy header to the visitors of my site.
To do that, we'll have to create a middleware with the header first.
Pretty straight forward with traefik, simply create a new config file with this content:

          Permissions-Policy: "interest-cohort=()"
Enter fullscreen mode Exit fullscreen mode

(this is using yaml, but it will ofc work with toml just fine)

I like adding these kind of general things to config files so I can use them globally and won't have to recreate them for each container configuration I use.

Now we can add the nofloc@file middleware to any traefik router.
If you're using traefik to expose docker containers to the internet, it would look something like this in a docker-compose file:

  image: traefik/whoami
    - "traefik.http.routers.whoami.middlewares=nofloc@file"
Enter fullscreen mode Exit fullscreen mode

Applying it to all services

If you're like me, you're probably hosting quite a few services.
While you could just add the middleware by hand to all of these it is a lot easier (and faster) to just add it globally.
Traefik lets you add middlewares to http entrypoints which will basically add them to all services on that entrypoint.
The configuration for our nofloc middleware is pretty straighforward:

    address: :443
        - nofloc@file
Enter fullscreen mode Exit fullscreen mode

While changes to files in middlewares are automatically picked up by traefik and don't require you to restart it you will need to restart traefik every time you change the configuration of the entrypoints.

After doing that, all services using the https entrypoint will send the Permissions-Policy header (this blog being one of them).

You can verify this with curl:

$ curl -I
HTTP/2 200 
accept-ranges: bytes
cache-control: no-cache
content-type: text/html; charset=utf-8
date: Fri, 16 Apr 2021 09:55:58 GMT
etag: "60795dff-26bb"
expires: Thu, 01 Jan 1970 00:00:01 GMT
last-modified: Fri, 16 Apr 2021 09:50:55 GMT
permissions-policy: interest-cohort=()
server: nginx/1.19.10
vary: Accept-Encoding
content-length: 9915
Enter fullscreen mode Exit fullscreen mode

A service like this one will also work just fine.

Closing thoughts

While Killing third-party cookies is great (and browsers like Safari on MacOS have already started doing this) Google abusing its monopoly power to force FloC onto every website user and owner is not.
As someone who does not use any Google services, not on my websites nor in my every day usage of the internet, I am not a fan of having to take action on my sites to opt out.

Privacy matters.

Any questions or suggestions? Hit me up on twitter.

Other Ressources

Paramdeo Singh has done a good way to explain how to opt out of FloC when you're using other setups like nginx, apache, netliy etc. over on his blog.

Top comments (0)