Last month, Google announced that it will introduce a new web technology – FLoC tracking (Federated Learning of Cohorts), that will eventually replace the practice of browsers and third-party websites storing user data (cookies).

GitHub logo image FLoC tracking heimdal security

Image Source: The Daily Swig

However, privacy-focused companies such as Brave, DuckDuckGo, Vivaldi, and others rejected Google’s call to implement FLoC in their own browsers as they believe the creation of a personally identifiable profile is exactly why user privacy advocates reject cookies on browsers and websites.

Yesterday, GitHub revealed that they’re adding a HTTP header on all GitHub Pages sites.

All GitHub Pages sites served from the github.io domain will now have a Permissions-Policy: interest-cohort=() header set.

Pages sites using a custom domain will not be impacted.


As reported by BleepingComputer researcher Ax Sharma, this header is actually meant for website owners to pull the plug on Google’s FLoC tracking. What’s more, the github.com domain had this header set, which means that GitHub did not want Google to track user behavior in the new FLoC system when they visited GitHub pages.

Github headers image FLoC tracking heimdal security

GitHub Pages contain HTTP header to opt-out of Google FLoC tracking

Image Source: BleepingComputer

Google believes the FLoC technology will be less intrusive compared to the current practice in terms of user privacy, pointing out that “FLoC doesn’t share your browsing history with Google or anyone.” It also wants other browsers and website hosting companies to embrace new web technology.

With FLoC, your browser determines which cohort corresponds most closely to your recent web browsing history, grouping you with thousands of other people who have similar browsing histories. The identification number of the cohort is the only thing provided when requested by a site. This is different from third-party cookies, which allow companies to follow you individually across different sites. FLoC works on your device without your browsing history being shared. Importantly, everyone in the ads ecosystem, including Google’s own advertising products, will have the same access to FLoC.


Nevertheless, browsing app developers such as DuckDuckGo, Vivaldi, and Brave strongly believe that FLoC technology doesn’t protect privacy and it certainly isn’t beneficial to users. The companies want Google to stop tracking user behavior. They say creating groups to protect users is just fluff, as tracking still continues in the new FLoC system.

At the moment, FLoC tracking is being tested in a small percentage of users in Australia, Brazil, Canada, India, Indonesia, Japan, Mexico, New Zealand, the Philippines, and the US.

To check if your web browser has been selected to be a part of the FLoC pilot experiment, simply follow the instructions provided at the Electronic Frontier Foundation (EFF)’s AmIFloced.org.

Duckduckgo vs Google: A Security Comparison and How to Maximize Your Privacy

Scammers Continue to Use Google Alerts to Spread Malware

Privacy-Focused Browsers Oppose Google’s FLoC Technology

Leave a Reply

Your email address will not be published. Required fields are marked *