HNNewShowAskJobs
Built with Tanstack Start
Incapacitating Google Tag Manager (2022)(backlit.neocities.org)
212 points by fsflover 4 days ago | 159 comments
  • BurnerBotje4 days ago

    I have an idea that another way of preventing being tracked is just massively spamming trash in the data layer object, pushing thousands of dollars worth of purchase events and such, pushing randomly generated user details and other such events. Perhaps by doing this your real data will be hard to filter out. A side effect is also that data becomes unreliable overall, helping less privacy aware people in the process.

    • chamomeal4 days ago |parent

      Now there’s a fun idea!! I wonder how difficult it would be to spoof events.

      Edit: looks like this might exist already: https://addons.mozilla.org/en-US/firefox/addon/adnauseam/

      • genewitch4 days ago |parent

        Since installing it on firefox on this computer (18 months ago or so) Ad Nauseam has clicked ~$38,000 worth of ads, that i never saw.

        Between this and "track me not" i've been fighting back against ads and connecting my "profile" with any habits since 2016 or so. I should also note i have pihole and my own DNS server upstream, so that's thiry-eight grand in ad clicks that got through blacklists.

        https://www.trackmenot.io/faq

        • cj4 days ago |parent

          [Preface: I hate ads, I love uBlock origin, I use pihole, I'm a proponent of ad blockers]

          I manage a Google Ads account with a $500,000 budget. That budget is spent on a mix of display ads, google search, and youtube ads.

          If I knew that 10% of our budget was wasted on bot clicks, there's nothing I can do as an advertiser. We can't stop advertising... we want to grow our business and advertising is how you get your name out there. We also can't stop using Google Ads - where else would we go?

          $38,000 in clicks boosts Google's revenue by $38k (Google ain't complaining). The only entity you're hurting are the advertisers using Google. Advertisers might see their campaigns performing less well, but that's not going to stop them from advertising. If anything, they'll increase budgets to counteract the fake bot clicks.

          I really don't understand what Ad Nauseam is trying to achieve. It honestly seems like it benefits Google more than it hurts them. It directly hurts advertisers, but not enough that it would stop anyone from advertising.

          Google has a system for refunding advertisers for invalid clicks. The $500k account that I manage gets refunded about $50/month in invalid clicks. I'm guessing if bot clicks started making a real dent in advertiser performance, Google would counter that by improving their bot detection so they can refund advertisers in higher volumes. If there's ever an advertiser-led boycott of Google Ads, Google would almost certainly respond by refunding advertisers for bot clicks at much higher rates.

          • TeMPOraL4 days ago |parent

            > I really don't understand what Ad Nauseam is trying to achieve. It honestly seems like it benefits Google more than it hurts them.

            Google is part of the problem, but they're neither the only ones nor best to target through bottom-up approaches.

            > It directly hurts advertisers, but not enough that it would stop anyone from advertising.

            You know the saying about XML - if it doesn't solve the problem, you are not using enough of it.

            > there's nothing I can do as an advertiser. We can't stop advertising...

            We know. The whole thing is a cancer[0], a runaway negative feedback loop. No single enlightened advertiser can do anything about it unilaterally. Which is why the pressure needs to go up until ~everyone wants change.

            --

            [0] - https://jacek.zlydach.pl/blog/2019-07-31-ads-as-cancer.html

            • donohoe4 days ago |parent

              > Which is why the pressure needs to go up until ~everyone wants change.

              I think the point made is that this adds no extra pressure.

              • TeMPOraL4 days ago |parent

                The comment itself is evidence that it does, otherwise no one would even pay attention. But clearly the pressure is nowhere near sufficient.

          • malfist4 days ago |parent

            You know, I'm not too worried that I'm making the lives of people who spy on me harder and wasting their money.

            You don't have to buy privacy violating ads. You don't have to buy targetted ads

            • paulryanrogers4 days ago |parent

              > You don't have to buy privacy violating ads. You don't have to buy targetted ads.

              Sadly, you do until the monopoly is broken up. Because as is your company probably won't survive in the market, nor you in your role, using anything else.

              • Shacklz3 days ago |parent

                > Because as is your company probably won't survive in the market

                Then maybe that business isn't adding all that much value to society to begin with and it's just not that much of a loss if it goes away.

                If a company cannot survive without shoving their product into the view of eyeballs appealing to our most basic monkey brain instincts, it's maybe just better if it dies.

              • malfist3 days ago |parent

                There are plenty of companies that A) don't advertise or B) don't use individually targeted ads

                An example of A: carmex

                An example of B: Ball Homes (sixth largest residential builder in the country), pretty much any lawyer, a mom and pop that buys newspaper space, TV space or a bill board

          • sneak4 days ago |parent

            > I hate ads

            > The only entity you're hurting are the advertisers using Google.

            That’s fine. Advertising is cancer. Reducing advertisers’ ROI is good too.

            You don’t hate ads if you’re spending $500k on them. You just hate receiving ads, which makes you hypocritical.

            • mschuster913 days ago |parent

              Well, in today's reality you need a job to at least pay rent. And employers need advertising to make money to pay their workers.

              It's factually impossible to live in modern society without participating in ethically questionable activities at least indirectly.

              • fsflover2 days ago |parent

                DuckDuckGo is profitable without targeted ads.

          • mystified50164 days ago |parent

            The point is to poison your ad tracking profile so that advertisers can't figure out who you are and what you'll buy.

            No matter how secure your browser setup is, Google is tracking you. By filling their trackers with garbage, there's less that can personally identify you as an individual

            • mediumsmart4 days ago |parent

              Apple bought the patent to do just that 13 years ago … the .Mac observer article about it is now gone - here is the archive record

              https://web.archive.org/web/20200601034723/https://www.macob...

              Carter invented it and got paid so they can bury it. Must be good tech.

          • krageon4 days ago |parent

            By hurting the advertisers you hurt google. It sucks that you are disadvantaged by it, but the truth of the matter is that once it becomes expensive enough it will not be worth it economically. And it is clear from your own message this is the only language you're willing to speak.

            • rvnx3 days ago |parent

              And you also hurt the people who create the content that you consume, it is a very toxic attitude (and maybe even illegal as it causes intentional financial damage)

          • BrenBarn4 days ago |parent

            I think the idea is that hurting entities who are pushing out a lot of ads is a good thing.

          • heisenbit4 days ago |parent

            Ads hurt people by stealing attention and manipulating spending intentions. Being exposed to a firehose of them makes us more stupid and poorer.

          • freeone30004 days ago |parent

            Hopefully it puts my browsers on an bot blocklist, which then invalidates the tracking profile and eliminates targeted advertising entirely.

            • michaelt4 days ago |parent

              The problem with being on google's bot blocklist is you'll suddenly discover that recaptcha is used in a heck of a lot of places.

            • thatguy09004 days ago |parent

              My assumption with something as hostile as ad nauseum is that you were running the risk of Google profile bans

              • freeone30003 days ago |parent

                oh no! anyway.

          • aziaziazi4 days ago |parent

            > It honestly seems like it benefits Google more than it hurts them. It directly hurts advertisers, but not enough that it would stop anyone from advertising.

            GP fights agains ads, not Google. And not being able to win 100% of the gain shouldn’t restrain someone from taking action it they consider the win share worth the pain.

            > $38,000 in clicks boosts Google's revenue by $38k

            You should include costs here, and if (big if) a substantial part of the clicks comes from bots and get refunded, the associated cost comes on top of the bill. At the end the whole business is impacted. I agree 50/50k is a penny through.

            > I hate ads […] I manage a Google Ads account

            [no cynism here, I genuinely wonder] how do you manage your conscience, mood and daily motivation? Do you see a dichotomy in what you wrote and if so, how did you arrive to that situation? Any future plan?

            I’m asking as you kind of introduce the subject but if you’re not willing to give more details that’s totally fine.

          • ddtaylor4 days ago |parent

            > I'm guessing if bot clicks started making a real dent in advertiser performance, Google would counter that by improving their bot detection so they can refund advertisers in higher volumes.

            They already have methods to detect a lot. Like you said yourself, customers have no alternative, so why would they refund money they don't have to?

          • jorvi4 days ago |parent

            > want to grow our business and advertising is how you get your name out there

            Or.. you know.. offering a quality product?

            • econ4 days ago |parent

              Tiny trafic but everyone is buying things. High praise in the reviews, not a single organic link.

          • wodenokoto4 days ago |parent

            I’d hope you’ll find an advocacy group to join who’ll sue google for billions in fraud and lost revenue.

          • behringer4 days ago |parent

            This is great. I seek out competitors to the companies that advertise so I can get the product without rewarding advertisers.

            Man scape? Nah, generic women's razers. Pcbway? Nope. JLCPCB.

            Screw your ads. Find a better way.

            • pests3 days ago |parent

              JLCPCB does tons of sponsored segments on YT. I see them more than Pcbway.

            • 1n40073 days ago |parent

              JLC advertise constantly, just look at the eevblog forums.

            • dotancohen4 days ago |parent

                > JLCPCB
              
              How are they?
              • snickerdoodle124 days ago |parent

                I've only used them once for my first (and so far only) PCB, so as a complete amateur, it was great. They rejected my first design which had an obvious flaw, and my second design was in my hands a little over a week after I uploaded it. I paid 2.60EUR for 5 (tiny) PCBs and 7.50EUR for the shipping. They even placed and soldered components for me.

                • dotancohen3 days ago |parent

                  That's very reasonable, especially if those were SMT components.

          • snickerdoodle124 days ago |parent

            Oh well. Advertisers are the scum of the earth, the only thing worse is those facilitating them. Driving a wedge between advertisers and googles is a win.

          • remram4 days ago |parent

            > I hate ads, I love uBlock origin, I use pihole, I'm a proponent of ad blockers. I manage a Google Ads account with a $500,000 budget.

            If you can write this without seeing how you are the very worst of our enemies, then I do hope your business die, there is obviously nothing that will make you understand. I still can't believe you put those words together, honestly.

            Do you see yourself as a separate breed from your lowly users or something? How can you inflict and even try to justify what you yourself avoid and say you "hate"?

            • Spivak4 days ago |parent

              Probably just doesn't want to take his work home with him :P

              In a way I get it, I wouldn't buy or recommend the product I currently work on. Still cash the paychecks though. I also am the stereotypical tech person who avoids technology. I can't exactly blame anyone for playing the game. The guy who works at the sausage factory but won't eat sausage due to what he's seen is a pretty common refrain.

            • 4 days ago |parent
              [deleted]
        • Wowfunhappy4 days ago |parent

          I would worry about being labeled a bot and denied access to websites at all.

        • 4 days ago |parent
          [deleted]
        • wglb4 days ago |parent

          What do you expect this to do, long term? I’m curious.

          • zelphirkalt3 days ago |parent

            Even if it merely makes using Google shenanigans unattractive for advertisers, that would be a huge win against one of the biggest perpetrators, privacy and data protection violators out there.

            • wglb3 days ago |parent

              How unattractive do you think it will make it for them?

              • genewitch3 days ago |parent

                about -$25,000 a year, give or take.

    • culi4 days ago |parent

      You're talking about Adnauseum

      https://adnauseam.io/

      Chrome banned it from their add on store but it can still be installed manually

      • jeroenhd3 days ago |parent

        AdNaueam works against ads, but does it also work against Google Tag Manager?

        I've already got most ads blocked by simply Piholing them, but GTM tracking my every move using first-party content is a different kind of interaction to attack.

        • redeeman3 days ago |parent

          just block GTM

      • mmsc4 days ago |parent

        Would be nice to have something similar to this for Mixpanel and Amplitude

    • dylan6044 days ago |parent

      I’d imagine that by this point in time, they are able to filter this specific type of noise out of the dataset. They have been tracking everyone for so long that I doubt there’s anyone they don’t know about whether directly of shadow profiles. These randomly generated users would just not match up to anything and would be fine to just drop

    • 3036e44 days ago |parent

      I have a quite common name in my country and snatched firstname.lastname@gmail.com for that name many years ago. Many use it by accident somehow when registering for things. Possibly (hopefully!) half of all leaks containing my email address are for other people. Never thought of what it might do for ad profiling, but hopefully it is adding at least some noise to it.

      Maybe I could manually improve a bit on that by deliberately register myself for various random services and just clicking around a bit to pretend I am interested in things I have no interest in. On the other hand with 20 years of tracking I think Google has all my interests and habits nailed down anyway.

  • aerzen4 days ago

    Am I dumb or does this article fail to explain what does the tag manager actually do? And not just with a loaded word, such as surveillance or spying, but actually technically explain what they are selling for and why it is bad.

    • mlinsey4 days ago |parent

      Google Tag Manager is a single place for you to drop in and manage all the tracking snippets you might want to add to your site. When I've worked on B2C sites that run a lot of paid advertising campaigns, the marketing team would frequently ask me to add this tracking pixel or another, usually when we were testing a new ad channel. Want to start running ads on Snapchat? Gotta ad the Snapchat tracker to your site to know when users convert. Now doing TikTok? That's another snippet. Sometimes there would be additional business logic for which pages to fire or not fire, and this would change more often. Sometimes it was so they could use a different analytics tool.

      While these were almost always very easy tickets to do, they were just one more interruption for us and a blocker for the stakeholders, who liked to have an extremely rapid iteration cycle themselves.

      GTM was a way to make this self-service, instead of the eng team having to keep this updated, and also it was clear to everyone what all the different trackers were.

      • simonw4 days ago |parent

        The self-service thing is such a nightmare. There are two things that you almost certainly cannot trust your marketing team with:

        1. Understanding the security implications of code they add via tag manager. How good are they at auditing the third parties that they introduce to make sure they have rock-solid security? Even worse, do they understand that they need to be very careful not to add JavaScript code that someone emailed to them with a message that says "Important! The CEO says add this code right now!".

        2. Understand the performance overhead of new code. Did they just drop in a tag that loads a full 1MB of JavaScript code before the page becomes responsive? Can they figure that out themselves? Are they positioned to make good decisions on trade-offs with respect to analytics compared to site performance?

        • JimDabell4 days ago |parent

          I agree with this and can add two more problems that are super common.

          Firstly, people will add all sorts of things on a whim without telling anybody. So your privacy policy won’t capture any of this.

          Secondly, nobody ever cleans up after themselves. So a year down the line, you’ll have a dozen different services, all doing the same thing, all added by different people, and half of them aren’t even being used by anybody because the people that added them forgot about them or left the company.

          I don’t think I’ve ever seen GTM used responsibly.

        • bravesoul24 days ago |parent

          Yep it's vibe coding before vibe coding existed. Paste in the script. No code review. No staging. No roll-out. Just straight in prod. And it can break stuff.

        • captn3m04 days ago |parent

          You effectively delegate code-review on a XSS path to your marketing team. I refused to do that anywhere users could be logged in.

        • zelphirkalt3 days ago |parent

          If there is one thing you can trust marketing departments with, it's their ability to ruin any website they have the chance of ruining.

        • gnz113 days ago |parent

          Agreed that it's a nightmare, but what usually happens then is that an MBA-type VP will come in and demand the marketing team be allowed to insert whatever they want. Not many dev teams have the political clout to push back.

    • sandspar4 days ago |parent

      Google Tag Manager lets you add tracking stuff on your website without needing to touch the code every time. So if you want to track things like link clicks, PDF downloads, or people adding stuff to their cart.

      It doesn't track things by itself. It just links your data to other tools like Google Analytics or Facebook Pixel to do the tracking.

      This kind of data lets businesses do stuff like send coupon emails to people who left something in their cart.

      There are lots of other uses. Basically, any time you want to add code or track behavior without dealing with a developer.

    • a28002764 days ago |parent

      I was tasked with auditing third party scripts at a client a couple of years ago, the marketing people where unable to explain wtf tag manager does concretely without resorting to ‚it tracks campaign engagement´ mumbo jumbo, but were adamant they they can’t live without it.

    • sitharus4 days ago |parent

      XSS-as-a-service. It lets people drop in random JavaScript to be injected on to the page without any oversight.

      It’s used by marketing people to add the 1001 trackers they love to use.

    • simonsarris4 days ago |parent

      The chief reason is that websites pay for advertising and want to know if the advertising is working and Google tag manager is the way to do that, for Google Ads.

      This is not unreasonable! People spend a lot of money on ads and would like to find out if and when they work. But people act like its an unspeakable nebulous crime but this is probably the most common case by miles.

      • reaperducer4 days ago |parent

        This is not unreasonable! People spend a lot of money on ads and would like to find out if and when they work.

        Companies were doing this for hundreds of years before Google even existed. You can learn if your ads work without invasive tracking.

      • throwaway654494 days ago |parent

        If running spyware on people's browsers just to see if your ads are working is "not unreasonable", what is?

        • arcfour4 days ago |parent

          Try responding in good faith on a non-throwaway account.

      • bravesoul24 days ago |parent

        Why should an advertiser have a right to know if their ads work, regardless of privacy considerations. EU brought out a freaking legal framework around this. I can't take seriously how you've over simplified it.

      • abanana4 days ago |parent

        Tracking website ads has become so normalised, it doesn't seem to even cross the minds of web-only marketing people to think: how has this always worked for advertising via TV, radio, billboards, newspapers/magazines, etc?

        Website-based advertising is a special case - the only one that makes this tracking possible. Advertisers need to understand the huge advantage they've been given, rather than taking it as a given and thinking they have more of a right to the data, than the user has a right to not provide it.

      • jppittma3 days ago |parent

        It feels that way for a lot of privacy concerns. "Telemetry" is the scare word for debug log, core dumps, and stack traces. I think it’s completely reasonable to want those.

        • ndriscoll3 days ago |parent

          It's reasonable to want and ask for debug data. Not so reasonable to exfiltrate it without the owner's permission.

    • mrweasel3 days ago |parent

      This may have changed, I last used Tag Manager 9-10 ago. You basically added a single Javascript snippet to you website, then you could inject other Javascript into the pages, using various rules. So rather than having to redeploy our site every time the marketing department wanted to add a new tracking or retargeting script, we could just add it in Tag Manager. I think is a great tool if you insist on doing these types of thing. You can also extract and transform variables, so all the customization required to adapt to each service could be done within Tag Manager, keeping your website simpler.

      One major issue Tag Manager solved for us was that a bunch of these online marketing companies that have their own tracking pixels/scripts absolutely suck at running IT infrastructure. More than ones we experienced poorly written 3rd. party scripts would break our site. Rather than having to do a redeployment, to temporarily disable a script, I could easily pop into the Tag Manager console and disable to offending service.

      Maybe Google Tag Manager has changed, but it was a good tool, if you where in the business of doing those sorts of things. I suppose it's also a clever way of blocking all tracking from a site by just stopping the Tag Manager script from loading.

      • egorfine2 days ago |parent

        > This may have changed, I last used Tag Manager 9-10 ago.

        GTM from 9-10 years ago and GTM today have nothing in common.

    • JimDabell4 days ago |parent

      It’s a little bit like dependency injection for websites, used by marketing teams.

      The people responsible for maintaining a site don’t want to know about all the different analytics tools the marketing team wants to use, and don’t want to be involved whenever any changes need to be made. So they expose a mechanism where the marketing team can inject functionality onto the page. Then all the marketing tools tell the marketing team how to use GTM to inject their tool.

    • fguerraz4 days ago |parent

      Maybe you’re being misled by the cryptic name. It’s got nothing to do with managing tags, it’s a behaviour tracker and fingerprint machine.

      • 9dev4 days ago |parent

        I mean technically you can use it to manage HTML tags to inject into a site.

        • snowwrestler4 days ago |parent

          This is in fact what it is primarily used for.

        • slow_typist4 days ago |parent

          Well I can inject HTML tags (or elements) with native JavaScript. Or manage them. Why would I want a bloated third party piece of software doing that?

          • SquareWheel4 days ago |parent

            Since you're asking, you could use it to tie together triggers and actions to embed code in specific situations (eg. based on the URL or page state). It has automatic versioning. There's a preview feature for testing code changes before deploying, and a permission system for sharing view/edit access with others.

          • connicpu4 days ago |parent

            So that your sales and marketing team can add the third-party tracker for a new ad campaign service without bothering the engineering team.

            • bravesoul24 days ago |parent

              They can also add features! Yes have fun!

            • 4 days ago |parent
              [deleted]
    • xiande044 days ago |parent

      There's a section in the article titled, "WHAT DOES GOOGLE TAG MANAGER DO?":

      > Whilst Google would love the general public to believe that Tag Manager covers a wide range of general purpose duties, it's almost exclusively used for one thing: surveillance.

      • munchler4 days ago |parent

        That’s a single word, not much of an actual explanation.

      • Finnucane4 days ago |parent

        the "general public" probably has no idea that Tag Manager is a thing that exists.

  • paradox4604 days ago

    Years ago, I worked on a site where we constantly had requests from the non technical side of the company to make the site load faster. We were perplexed in engineering. The site loaded and was ready for us in less than a fraction of a second.

    Eventually we realized that every dev ran ubo, and tried loading the site without it. It took about 5 seconds. Marketing and other parts of the company had loaded so much crap into GTM that it just bogged everything down

    • jeroenhd3 days ago |parent

      This is why I generally keep a mostly-clean browser around for development (only including some dev extensions). I've wasted half an hour when I had a stray uBO filter go off on a component I was working on once (wasn't even an ad) and that taught me a valuable lesson.

      If you're testing a website, you've got to test it like your customers use it. I shake my head at the incompetence of web designers every time I encounter a website filled with scroll bars because the devs on macOS haven't bothered testing any other device.

  • gleenn4 days ago

    I'm all for blocking surveillance but how tiring is it to block JavaScript as suggested and then watch the majority of the internet not work?

    • pluc4 days ago |parent

      It really isn't. I've been blocking all JavaScript for years now, selectively allowing what is essential for sites to run or using a private session to allow more/investigate/discover. Most sites work fine without their 30 JS sources, just allowing what is hosted on their own domain. It takes a little effort, but it's a fair price to pay to have a sane Internet.

      The thing is - with everything - it's never easy to have strong principles. If it were, everyone would do it.

      • roywiggins4 days ago |parent

        It's certainly not that bad if you have uMatrix to do it with, but I haven't found a reasonable way to do it on mobile. uMatrix does work on Firefox Mobile but the UI is only semi functional.

        • 1vuio0pswjnm74 days ago |parent

          uMatrix is fully-functional on Nightly.

          Using Firefox Add-Ons on a "smartphone" sucks because one has to access every Add-On interface via an Extensions menu.

          In that sense _all_ Add-Ons are only semi-functional.

          I use multiple layers: uMatrix + NetGuard + Nebulo "DNS Rules", at the least. Thus I have at least three opportunities where I can block lookups for and requests to Google domains.

          • DavideNL4 days ago |parent

            Doesn’t uBlock Origin in advanced mode do the exact same thing as uMatrix?

            • 1vuio0pswjnm74 days ago |parent

              https://github.com/gorhill/uMatrix/wiki/Changes-from-HTTP-Sw...

              https://github.com/gorhill/uBlock/wiki/Advanced-settings

              Having tried both, IMHO they do not do exactly the same thing. One is pattern-based, the other is host-based. As such, one can use them together, simultaneously.

              • 4 days ago |parent
                [deleted]
            • pmontra4 days ago |parent

              Maybe, but the UX is so terrible that I never figured out how to use uBO to replace uMatrix. I always use both: uBO for ads and DOM elements filtering and uMatrix for JavaScript, frames, cookies, anything in the columns of its UI.

              Basically uMatrix is so donor to use that anybody can use it. The equivalent uBO section is so complicated that I feel I need to take a master degree in that subject.

              • zelphirkalt3 days ago |parent

                You would be surprised how many people are completely overwhelmed by the choices uMatrix offers. Lots of people out there, that don't even know what a website can consist of, let alone what it means to block this or that, or have the awareness that they did block something, or the patience to properly unblock the minimum amount of shit necessary to use the website. For many people any effort at all makes them surrender to the global spyware.

        • bornfreddy4 days ago |parent

          Not quite the same (I love uMatrix UI), but advanced mode in uBO is similar. It lacks filtering by data type (css, js, images, fonts,...) per domain, but it does resolve domains to their primary domain, revealing where they are hosted. A huge kudos to gorhill for both of these!

        • baobun4 days ago |parent

          NoScript + uBO is all right.

          • pluc4 days ago |parent

            Yup that's what I use as well. With whatever the name of the extension that makes allowing cookies a whitelist thing too, and PrivacyBadger/Decentraleyes.

            Also, deleting everything when Firefox closes. It's a little annoying to re-login to everything every day, but again, they are banking on this inconvenience to fuck you over and I refuse to let them win. It becomes part of the routine easily enough.

      • dylan6044 days ago |parent

        That’s my default as well. Self hosted/1st party scripts can load, but 3rd party scripts are blocked. The vast majority of sites work this way. If a site doesn’t work because they must have a 3rd party script to work, I tend to just close the tab. I really don’t feel like it has caused me to miss anything. There’s usually 8 other sites with the same data in a slightly less hostile site

      • palata4 days ago |parent

        Do you selectively enable JavaScript for the whole site, or is there a way with uBO to only enable subparts of it?

        • culi4 days ago |parent

          NoScript seems like the go-to addon

          https://noscript.net/

          It has pretty advanced features but also basic ones that allow you to block scripts by source

    • 1vuio0pswjnm74 days ago |parent

      Impossible to know because when I disable Javascript "the majority of the internet" works fine. As does a majority of the web.

      I read HN and every site submitted to HN using TCP clients and a text-only browser, that has no Javascript engine, to convert HTML to text.

      The keyword is "read". Javascript is not necessary for requesting or reading documents. Web developers may use it but that doesn't mean it is necessary for sending HTTP requests or reading HTML or JSON.

      If the web user is trying to do something else other than requesting and reading, then perhaps it might not "work".

      • zelphirkalt3 days ago |parent

        [dead]

    • michaelt4 days ago |parent

      It depends.

      If you're spending 99% of your time on your favourite websites that you've already tuned the blocking on? Barely a problem.

      On the other hand if your job involves going to lots of different vendors' websites - you'll find it pretty burdensome, because you might end up fiddling with the per-site settings 15+ times per day.

      • dylan6044 days ago |parent

        If I’m at work using a work provided computer, I don’t bother with the blocking. They are not tracking me as I do not do anything as me. I’m just some corporate stooge employee that has no similarity to me personally.

        My personal devices block everything I can get away with

    • heavyset_go4 days ago |parent

      Whitelisting JS has worked on my end for a while.

      I won't browse the Internet on my phone without it, everything loads instantly and any site that actually matters was whitelisted years ago.

    • kevin_thibedeau4 days ago |parent

      StackOverflow switched over from spying with ajax.google.com to GTM in the past year or so. All for some pointless out of date jQuery code they could self-host. I wonder how much they're being paid to let Google collect user stats from their site.

    • sureglymop4 days ago |parent

      It's easier than I thought. I just use uBlock Origin with everything blocked by default and then allow selectively.

    • qualeed4 days ago |parent

      Echoing others, I've used NoScript for years and at this point it is practically unnoticeable.

      Many sites work without (some, like random news & blogs, work better). When a site doesn't work, I make a choice between temporarily or permanently allowing it depending on how often I visit the site. It takes maybe 5 seconds and I typically only need to spend that 5 seconds once. As a reward, I enjoy a much better web experience.

    • anothernewdude4 days ago |parent

      The sites that don't work are usually the worst websites around - you end up not missing much. And if it's a store or whatever, you can unblock all js when you actually want to buy.

    • goopypoop4 days ago |parent

      People who want you to run their scripts aren't really your friends

    • Rapzid4 days ago |parent

      About as tiring as hearing about it all the time. Thank god it's a fringe topic these days but this article snuck it in. Probably the constant use of the word "surveillance" was an early tell haha.

  • schiffern4 days ago

      >Use uBlock Origin with JavaScript disabled, as described above, but also with ALL third-party content hard-blocked. To achieve the latter, you need to add the rule ||.^$third-party to the My Filters pane.
    
    This is a worse way to implement uBO's "Hard Mode" (except with JS blocked), which has the advantage that you can easily whitelist sites individually and set a hotkey to switch to lesser blocking modes.

    https://github.com/gorhill/uBlock/wiki/Blocking-mode

    https://github.com/gorhill/uBlock/wiki/Blocking-mode:-hard-m...

  • adamiscool84 days ago

    I don't think this article makes a good case for why you should.

    >The more of us who incapacitate Google's analytics products and their support mechanism, the better. Not just for the good of each individual person implementing the blocks - but in a wider sense, because if enough people block Google Analytics 4, it will go the same way as Universal Google Analytics. These products rely on gaining access to the majority of Web users. If too many people block them, they become useless and have to be withdrawn.

    OK - but then also in the wider sense, if site owners can't easily assess the performance of their site relative to user behavior to make improvements, now the overall UX of the web declines. Should we go back to static pages and mining Urchin extracts, and guessing what people care about?

    • card_zero4 days ago |parent

      But I like it better when they have to guess. If it's something we care about enough, we'll let them know.

    • add-sub-mul-div4 days ago |parent

      If the analytics brought us to this, of what use are the analytics?

    • Timwi3 days ago |parent

      > if site owners can't easily assess the performance of their site

      I would be more than happy to opt in to performance metrics or other reports if only I could have some level of trust that improving the UX is all it's gonna be used for. I want to live in a world where that is the everyday normal, and where the non-consensual collection and sale of personal data is a high-profile public scandal with severe legal consequences.

    • bredren4 days ago |parent

      Belt and suspenders approach is to attach analytics to the most important events on the server side and combine with the session.

      If the frontend automatic js is blocked, it doesn’t matter.

    • slow_typist4 days ago |parent

      Effective and accessible UX design is a solved problem. It’s a matter of education of front end developers, not of A/B testing your users to death.

    • throw123xz4 days ago |parent

      Analytics can have good uses, but these days it's mostly used to improve things for the operator (more sales, conversions, etc) and what's best for the website isn't always the best for the user. And so I block all that.

    • goopypoop3 days ago |parent

      > Should we go back to static pages and mining Urchin extracts, and guessing what people care about?

      Yes absolutely do this please.

      Why even bother with the effort of analytics only to ignore the answers? I'm honestly not sure I've ever seen a website improve.

  • fvgvkujdfbllo4 days ago

    > surveillanceware

    I thought the term was spyware.

    Surveillanceware almost sounds like something necessary to prevent bad stuff. Is this corporate rebranding to make spyware software sound less bad?

    • Eggs-n-Jakey4 days ago |parent

      I don't know, the memetics of Surveillanceware or spyware mostly leads me to the belief that everything is weaponized to drain your money thru ads/marketing instead of the direct approach of stealing my money.

  • tempodox4 days ago

    > Meanwhile, Google Tag Manager is regularly popping up on Government sites. This means not only that governments can study you in more depth - but also that Google gets to follow you into much more private spaces.

    The corruption of the system knows no bounds.

  • v5v34 days ago

    I use:

    VPN so constantly changing ip.

    Tor browser for everyday browsing (has no script preinstalled). So onion provides double Vpn. Regularly closed down so history cleared.

    Safari in private mode and lockdown mode for when tor won't work (tor ip blocked/hd video that is too slow to stream on tor). Safari Isolation in private mode is excellent, you can use two tabs with, say emails, and neither will know other is logged in.

    Safari non private for sites I want available and in sync across devices.

    Firefox in permanent private mode with ublock origin for when safari lockdown mode causes issues. (Bizarely Firefox containers doesn't work in private so no isolation across tabs).

    Chromium for logged into Google stuff.

    Chrome for web development.

    Plus opt out for everything possible inc targeted ads.

    I rarely see ads of anything I would want to buy, and VPN blocks most of it at its DNS.

    Beyond that, anything else would be too much effort for me.

    The advertising companies I'm sure know I am not susceptible to impulse buy on ads, I research and seek vfm so not really their target.

    • culi4 days ago |parent

      > Tor browser for everyday browsing

      Do you just... log back in to Hacker News every day?

      I downloaded the Mullvad browser (basically Tor without the onion protocol part) but having no way to save passwords ended up making it unusable for me

      • sheiyei4 days ago |parent

        What platform do you use that doesn't allow for password managers? A browser's password manager is not the ideal for security, apparently (I would like to know how generally true this is, of course saving them on Google or Microsoft is as good as idea as it sounds)

      • v5v34 days ago |parent

        As said, use a password manager.

        Also regularly export your passwords from your password manager, either to another password manager or encrypt and store.So if the password manager has issues it won't leave you stuck.

  • egorfine2 days ago

    I develop software for over 30 years now.

    GTM is in my top #3 list of the worst software to ever exist. And I mean it. GTM is incredibly hostile to everyone around it: to the victims, to marketing people, to software engineers.

  • user0702234 days ago

    Ublock origin author - Gorhill - 2022 response: https://news.ycombinator.com/item?id=30415234

    Ublock origin wiki referencing a method to block, unsure how effective it is(seems to be based on the first link): https://github.com/gorhill/uBlock/wiki/Static-filter-syntax#...

    "*$1p,strict3p,script,header=via:1.1 google"

    Perhaps some filter in your list already utilizing this but I'm unable to verify

  • drcongo4 days ago

    Google Tag Manager and the whole consent management platform certification business is nothing more than a shakedown. It's racketeering.

  • padjo4 days ago

    How refreshing, a website that doesn’t punch me in the face with a cookie banner. Is that because they’re legit not tracking me or are they just noncompliant?

  • Animats4 days ago

    Blocking Google Tag Manager script injection seems to have few side effects. Blocking third party cookies also seems to have few side effects. Turning off Javascript breaks too much.

    • alganet4 days ago |parent

      Use a whitelist-based extension such as NoScript:

      https://noscript.net

      You can then enable just enough JS to make sites work, slowly building a list of just what is necessary. It can also block fonts, webgl, prefetch, ping and all those other supercookie-enabling techniques.

      The same with traditional cookies. I use Cookie AutoDelete to remove _all_ cookies as soon as I close the tab. I can then whitelist the ones I notice impact on authentication.

      Also, you should disable JavaScript JIT, so the scripts that eventually load are less effective at exploiting potential vulnerabilities that could expose your data.

      • Timwi3 days ago |parent

        Why would JIT be more likely to have such a vulnerability than a JavaScript engine without JIT?

        • alganet2 days ago |parent

          I honestly don't know. I just noticed a lot of CVEs related to JS JIT in different browsers.

  • monista4 days ago

    If you block Google Tag Manager, you probably also want to block Yandex Metrics and Cloudflare Insights.

    • reddalo4 days ago |parent

      I think it's hard to block Cloudflare Insights because most of the data is collected server-side.

      • ozgrakkurt4 days ago |parent

        You can use something like this maybe https://adnauseam.io/

  • ayaros4 days ago

    Is there a good way to collect basic analytics if you have a site you're hosting on GitHub pages? In such cases I'd rather not rely on Google Analytics if I don't have to.

    • marsavar4 days ago |parent

      https://plausible.io/ or https://usefathom.com/

    • sneak4 days ago |parent

      There are literally hundreds of alternatives.

      • ayaros4 days ago |parent

        I figured... just wanted to see which ones people on HN think are worth looking at.

  • rurban4 days ago

    Just add the domain to your /etc/hosts as 0.0.0.0

    Doing that for years

    • future10se4 days ago |parent

      As mentioned on the blog post:

      > Used as supplied, Google Tag Manager can be blocked by third-party content-blocker extensions. uBlock Origin blocks GTM by default, and some browsers with native content-blocking based on uBO - such as Brave - will block it too.

      > Some preds, however, full-on will not take no for an answer, and they use a workaround to circumvent these blocking mechanisms. What they do is transfer Google Tag Manager and its connected analytics to the server side of the Web connection. This trick turns a third-party resource into a first-party resource. Tag Manager itself becomes unblockable. But running GTM on the server does not lay the site admin a golden egg...

      By serving the Google Analytics JS from the site's own domain, this makes it harder to block using only DNS. (e.g. Pi-Hole, hosts file, etc.)

      One might think "yeah but the google js still has to talk to google domains", but apparently, Google lets you do "server-side" tagging now (e.g. running a google tag manager docker container). This means more (sub)domains to track and block. That said, how many site operators choose to go this far, I don't know.

      https://developers.google.com/tag-platform/tag-manager/serve...

      • whatevertrevor4 days ago |parent

        Slightly related I've also been recently noticing some sites loading ads pseudo-dynamically from "content-loader" subdomains usually used to serve images. It's obnoxious because blocking that subdomain at the DNS level usually breaks the site.

        My current strategy is to fully block the domain if that's the sort of tactic they're willing to use.

    • 1oooqooq4 days ago |parent

      https://someonewhocares.org/hosts/zero/

      • iknownothow4 days ago |parent

        I just did a wget of the site and noticed the following line at the end.

        > <script async src="https://www.googletagmanager.com/gtag/js?xxxxxxx"></script>

        I am going to use this for sure, but it is a little ironic.

      • jpgreens4 days ago |parent

        What if we could resolve every domain to 0.0.0.0 by default at the start. When visiting a website manually through the browser's URL bar it would automatically be whitelisted. Clicking links would also whitelist the domain of the link only. Sure you'd have to occasionally allow some 3rd party domains as well. Guess it would be cumbersome at first but after a while it would be pretty stable and wouldn't require much extra attention.

        • 1oooqooq2 days ago |parent

          that's exactly what uBlockOrigin does in advanced mode.

          enjoy.

      • reddalo4 days ago |parent

        I feel like that document is seriously outdated.

        This GitHub repo seems way more up-to-date: https://github.com/StevenBlack/hosts

        • lazyeye4 days ago |parent

          Try pihole (self-hosted) or nextdns if you want something that stays up to date.

  • colinprince3 days ago

    didn't first party sets get dropped in 2022?

    https://lists.w3.org/Archives/Public/public-privacycg/2022Ju...

  • lerp-io4 days ago

    ugh... if you think the internet should be a "static webpage" i got bad news for you bud

    • Timwi3 days ago |parent

      The term is a little ambiguous. They're not referring to a website that is served from static files that never change (which would exclude forums like Hacker News). They're referring to websites that still work if you disable JavaScript, so Hacker News would still be included.

  • aleppopepper4 days ago

    That's hilarious. Do you really Google should be privacy respecting?

  • hinkley4 days ago

    We had a disgusting number of tags on some of our customer pages and a few dozen of them start to have effects on page load, especially if you were still on HTTP 1.1.

  • unit1493 days ago

    [dead]

  • A7med4 days ago

    too long to read