Hacker News on Gopher (unofficial)
COMMENT PAGE FOR:
Incapacitating Google Tag Manager (2022)
colinprince wrote 11 hours 53 min ago:
didn't first party sets get dropped in 2022?
[1]: https://lists.w3.org/Archives/Public/public-privacycg/2022Jun/...
user070223 wrote 19 hours 34 min ago:
uBlock Origin author - Gorhill - 2022 response: [1] uBlock Origin wiki
referencing a method to block, unsure how effective it is (seems to be
based on the first link): [2]
"*$1p,strict3p,script,header=via:1.1 google"
Perhaps some filter in your list is already utilizing this but I'm unable
to verify
[1]: https://news.ycombinator.com/item?id=30415234
[2]: https://github.com/gorhill/uBlock/wiki/Static-filter-syntax#he...
padjo wrote 20 hours 16 min ago:
How refreshing, a website that doesn’t punch me in the face with a
cookie banner. Is that because they’re legit not tracking me or are
they just noncompliant?
tempodox wrote 23 hours 3 min ago:
> Meanwhile, Google Tag Manager is regularly popping up on Government
sites. This means not only that governments can study you in more depth
- but also that Google gets to follow you into much more private
spaces.
The corruption of the system knows no bounds.
paradox460 wrote 1 day ago:
Years ago, I worked on a site where we constantly had requests from the
non technical side of the company to make the site load faster. We were
perplexed in engineering. The site loaded and was ready for us in less
than a fraction of a second.
Eventually we realized that every dev ran ubo, and tried loading the
site without it. It took about 5 seconds. Marketing and other parts of
the company had loaded so much crap into GTM that it just bogged
everything down
jeroenhd wrote 10 hours 58 min ago:
This is why I generally keep a mostly-clean browser around for
development (only including some dev extensions). I've wasted half an
hour when I had a stray uBO filter go off on a component I was
working on once (wasn't even an ad) and that taught me a valuable
lesson.
If you're testing a website, you've got to test it like your
customers use it. I shake my head at the incompetence of web
designers every time I encounter a website filled with scroll bars
because the devs on macOS haven't bothered testing any other device.
hinkley wrote 1 day ago:
We had a disgusting number of tags on some of our customer pages and a
few dozen of them start to have effects on page load, especially if you
were still on HTTP 1.1.
v5v3 wrote 1 day ago:
I use:
VPN so constantly changing ip.
Tor browser for everyday browsing (has no script preinstalled). So
onion provides double Vpn. Regularly closed down so history cleared.
Safari in private mode and lockdown mode for when tor won't work (tor
ip blocked/hd video that is too slow to stream on tor). Safari
Isolation in private mode is excellent, you can use two tabs with, say
emails, and neither will know other is logged in.
Safari non private for sites I want available and in sync across
devices.
Firefox in permanent private mode with ublock origin for when safari
lockdown mode causes issues. (Bizarrely Firefox containers doesn't work
in private so no isolation across tabs).
Chromium for logged into Google stuff.
Chrome for web development.
Plus opt out for everything possible inc targeted ads.
I rarely see ads of anything I would want to buy, and VPN blocks most
of it at its DNS.
Beyond that, anything else would be too much effort for me.
The advertising companies I'm sure know I am not susceptible to impulse
buy on ads, I research and seek vfm so not really their target.
culi wrote 1 day ago:
> Tor browser for everyday browsing
Do you just... log back in to Hacker News every day?
I downloaded the Mullvad browser (basically Tor without the onion
protocol part) but having no way to save passwords ended up making it
unusable for me
v5v3 wrote 20 hours 8 min ago:
As said, use a password manager.
Also regularly export your passwords from your password manager,
either to another password manager or encrypt and store. So if the
password manager has issues it won't leave you stuck.
sheiyei wrote 21 hours 51 min ago:
What platform do you use that doesn't allow for password managers?
A browser's password manager is not the ideal for security,
apparently (I would like to know how generally true this is, of
course saving them on Google or Microsoft is as good an idea as it
sounds)
schiffern wrote 1 day ago:
>Use uBlock Origin with JavaScript disabled, as described above, but
also with ALL third-party content hard-blocked. To achieve the latter,
you need to add the rule ||.^$third-party to the My Filters pane.
This is a worse way to implement uBO's "Hard Mode" (except with JS
blocked), which has the advantage that you can easily whitelist sites
individually and set a hotkey to switch to lesser blocking modes. [1] [2]
[1]: https://github.com/gorhill/uBlock/wiki/Blocking-mode
[2]: https://github.com/gorhill/uBlock/wiki/Blocking-mode:-hard-mod...
lerp-io wrote 1 day ago:
ugh... if you think the internet should be a "static webpage" i got bad
news for you bud
Timwi wrote 7 hours 54 min ago:
The term is a little ambiguous. They're not referring to a website
that is served from static files that never change (which would
exclude forums like Hacker News). They're referring to websites that
still work if you disable JavaScript, so Hacker News would still be
included.
A7med wrote 1 day ago:
too long to read
ayaros wrote 1 day ago:
Is there a good way to collect basic analytics if you have a site
you're hosting on GitHub pages? In such cases I'd rather not rely on
Google Analytics if I don't have to.
marsavar wrote 1 day ago:
[1] or [2]
[1]: https://plausible.io/
[2]: https://usefathom.com/
sneak wrote 1 day ago:
There are literally hundreds of alternatives.
ayaros wrote 1 day ago:
I figured... just wanted to see which ones people on HN think are
worth looking at.
aleppopepper wrote 1 day ago:
That's hilarious. Do you really think Google should be privacy respecting?
monista wrote 1 day ago:
If you block Google Tag Manager, you probably also want to block Yandex
Metrics and Cloudflare Insights.
reddalo wrote 1 day ago:
I think it's hard to block Cloudflare Insights because most of the
data is collected server-side.
ozgrakkurt wrote 21 hours 8 min ago:
You can use something like this maybe
[1]: https://adnauseam.io/
adamiscool8 wrote 1 day ago:
I don't think this article makes a good case for why you should.
>The more of us who incapacitate Google's analytics products and their
support mechanism, the better. Not just for the good of each individual
person implementing the blocks - but in a wider sense, because if
enough people block Google Analytics 4, it will go the same way as
Universal Google Analytics. These products rely on gaining access to
the majority of Web users. If too many people block them, they become
useless and have to be withdrawn.
OK - but then also in the wider sense, if site owners can't easily
assess the performance of their site relative to user behavior to make
improvements, now the overall UX of the web declines. Should we go back
to static pages and mining Urchin extracts, and guessing what people
care about?
goopypoop wrote 3 hours 19 min ago:
> Should we go back to static pages and mining Urchin extracts, and
guessing what people care about?
Yes absolutely do this please.
Why even bother with the effort of analytics only to ignore the
answers? I'm honestly not sure I've ever seen a website improve.
Timwi wrote 8 hours 6 min ago:
> if site owners can't easily assess the performance of their site
I would be more than happy to opt in to performance metrics or other
reports if only I could have some level of trust that improving the
UX is all it's gonna be used for. I want to live in a world where
that is the everyday normal, and where the non-consensual collection
and sale of personal data is a high-profile public scandal with
severe legal consequences.
throw123xz wrote 1 day ago:
Analytics can have good uses, but these days it's mostly used to
improve things for the operator (more sales, conversions, etc) and
what's best for the website isn't always the best for the user. And
so I block all that.
add-sub-mul-div wrote 1 day ago:
If the analytics brought us to this, of what use are the analytics?
slow_typist wrote 1 day ago:
Effective and accessible UX design is a solved problem. It’s a
matter of education of front end developers, not of A/B testing your
users to death.
bredren wrote 1 day ago:
Belt and suspenders approach is to attach analytics to the most
important events on the server side and combine with the session.
If the frontend automatic js is blocked, it doesn’t matter.
card_zero wrote 1 day ago:
But I like it better when they have to guess. If it's something we
care about enough, we'll let them know.
BurnerBotje wrote 1 day ago:
I have an idea that another way of preventing being tracked is just
massively spamming trash in the data layer object, pushing thousands of
dollars worth of purchase events and such, pushing randomly generated
user details and other such events. Perhaps by doing this your real
data will be hard to filter out. A side effect is also that data
becomes unreliable overall, helping less privacy aware people in the
process.
3036e4 wrote 18 hours 23 min ago:
I have a quite common name in my country and snatched
[email protected] for that name many years ago. Many use
it by accident somehow when registering for things. Possibly
(hopefully!) half of all leaks containing my email address are for
other people. Never thought of what it might do for ad profiling, but
hopefully it is adding at least some noise to it.
Maybe I could manually improve a bit on that by deliberately registering
myself for various random services and just clicking around a bit to
pretend I am interested in things I have no interest in. On the other
hand with 20 years of tracking I think Google has all my interests
and habits nailed down anyway.
culi wrote 1 day ago:
You're talking about AdNauseam [1]. Chrome banned it from their add-on
store but it can still be installed manually
[1]: https://adnauseam.io/
jeroenhd wrote 11 hours 3 min ago:
AdNauseam works against ads, but does it also work against Google
Tag Manager?
I've already got most ads blocked by simply Piholing them, but GTM
tracking my every move using first-party content is a different
kind of interaction to attack.
redeeman wrote 5 hours 45 min ago:
just block GTM
mmsc wrote 15 hours 59 min ago:
Would be nice to have something similar to this for Mixpanel and
Amplitude
dylan604 wrote 1 day ago:
I’d imagine that by this point in time, they are able to filter
this specific type of noise out of the dataset. They have been
tracking everyone for so long that I doubt there’s anyone they
don’t know about whether directly or shadow profiles. These
randomly generated users would just not match up to anything and
would be fine to just drop
chamomeal wrote 1 day ago:
Now there’s a fun idea!! I wonder how difficult it would be to
spoof events.
Edit: looks like this might exist already:
[1]: https://addons.mozilla.org/en-US/firefox/addon/adnauseam/
genewitch wrote 1 day ago:
Since installing it on firefox on this computer (18 months ago or
so) Ad Nauseam has clicked ~$38,000 worth of ads, that i never saw.
Between this and "track me not" i've been fighting back against ads
and connecting my "profile" with any habits since 2016 or so. I
should also note i have pihole and my own DNS server upstream, so
that's thirty-eight grand in ad clicks that got through blacklists.
[1]: https://www.trackmenot.io/faq
wglb wrote 14 hours 41 min ago:
What do you expect this to do, long term? I’m curious.
zelphirkalt wrote 12 hours 39 min ago:
Even if it merely makes using Google shenanigans unattractive
for advertisers, that would be a huge win against one of the
biggest perpetrators, privacy and data protection violators out
there.
wglb wrote 7 hours 43 min ago:
How unattractive do you think it will make it for them?
Wowfunhappy wrote 1 day ago:
I would worry about being labeled a bot and denied access to
websites at all.
cj wrote 1 day ago:
[Preface: I hate ads, I love uBlock origin, I use pihole, I'm a
proponent of ad blockers]
I manage a Google Ads account with a $500,000 budget. That budget
is spent on a mix of display ads, google search, and youtube ads.
If I knew that 10% of our budget was wasted on bot clicks,
there's nothing I can do as an advertiser. We can't stop
advertising... we want to grow our business and advertising is
how you get your name out there. We also can't stop using Google
Ads - where else would we go?
$38,000 in clicks boosts Google's revenue by $38k (Google ain't
complaining). The only entity you're hurting are the advertisers
using Google. Advertisers might see their campaigns performing
less well, but that's not going to stop them from advertising. If
anything, they'll increase budgets to counteract the fake bot
clicks.
I really don't understand what Ad Nauseam is trying to achieve.
It honestly seems like it benefits Google more than it hurts
them. It directly hurts advertisers, but not enough that it would
stop anyone from advertising.
Google has a system for refunding advertisers for invalid clicks.
The $500k account that I manage gets refunded about $50/month in
invalid clicks. I'm guessing if bot clicks started making a real
dent in advertiser performance, Google would counter that by
improving their bot detection so they can refund advertisers in
higher volumes. If there's ever an advertiser-led boycott of
Google Ads, Google would almost certainly respond by refunding
advertisers for bot clicks at much higher rates.
wodenokoto wrote 14 hours 5 min ago:
I’d hope you’ll find an advocacy group to join who’ll s…
google for billions in fraud and lost revenue.
snickerdoodle12 wrote 14 hours 41 min ago:
Oh well. Advertisers are the scum of the earth, the only thing
worse is those facilitating them. Driving a wedge between
advertisers and Google is a win.
krageon wrote 15 hours 44 min ago:
By hurting the advertisers you hurt google. It sucks that you
are disadvantaged by it, but the truth of the matter is that
once it becomes expensive enough it will not be worth it
economically. And it is clear from your own message this is the
only language you're willing to speak.
rvnx wrote 13 hours 4 min ago:
And you also hurt the people who create the content that you
consume, it is a very toxic attitude (and maybe even illegal
as it causes intentional financial damage)
heisenbit wrote 21 hours 1 min ago:
Ads hurt people by stealing attention and manipulating spending
intentions. Being exposed to a firehose of them makes us more
stupid and poorer.
BrenBarn wrote 21 hours 7 min ago:
I think the idea is that hurting entities who are pushing out a
lot of ads is a good thing.
behringer wrote 1 day ago:
This is great. I seek out competitors to the companies that
advertise so I can get the product without rewarding
advertisers.
Man scape? Nah, generic women's razors. Pcbway? Nope. JLCPCB.
Screw your ads. Find a better way.
pests wrote 9 hours 10 min ago:
JLCPCB does tons of sponsored segments on YT. I see them more
than Pcbway.
1n4007 wrote 13 hours 13 min ago:
JLC advertise constantly, just look at the eevblog forums.
dotancohen wrote 16 hours 28 min ago:
> JLCPCB
How are they?
snickerdoodle12 wrote 14 hours 36 min ago:
I've only used them once for my first (and so far only)
PCB, so as a complete amateur, it was great. They rejected
my first design which had an obvious flaw, and my second
design was in my hands a little over a week after I
uploaded it. I paid 2.60EUR for 5 (tiny) PCBs and 7.50EUR
for the shipping. They even placed and soldered components
for me.
ddtaylor wrote 1 day ago:
> I'm guessing if bot clicks started making a real dent in
advertiser performance, Google would counter that by improving
their bot detection so they can refund advertisers in higher
volumes.
They already have methods to detect a lot. Like you said
yourself, customers have no alternative, so why would they
refund money they don't have to?
sneak wrote 1 day ago:
> I hate ads
> The only entity you're hurting are the advertisers using
Google.
That’s fine. Advertising is cancer. Reducing advertisers’
ROI is good too.
You don’t hate ads if you’re spending $500k on them. You
just hate receiving ads, which makes you hypocritical.
mschuster91 wrote 12 hours 31 min ago:
Well, in today's reality you need a job to at least pay rent.
And employers need advertising to make money to pay their
workers.
It's factually impossible to live in modern society without
participating in ethically questionable activities at least
indirectly.
TeMPOraL wrote 1 day ago:
> I really don't understand what Ad Nauseam is trying to
achieve. It honestly seems like it benefits Google more than it
hurts them.
Google is part of the problem, but they're neither the only
ones nor best to target through bottom-up approaches.
> It directly hurts advertisers, but not enough that it would
stop anyone from advertising.
You know the saying about XML - if it doesn't solve the
problem, you are not using enough of it.
> there's nothing I can do as an advertiser. We can't stop
advertising...
We know. The whole thing is a cancer[0], a runaway negative
feedback loop. No single enlightened advertiser can do anything
about it unilaterally. Which is why the pressure needs to go up
until ~everyone wants change.
--
[0] -
[1]: https://jacek.zlydach.pl/blog/2019-07-31-ads-as-cancer...
donohoe wrote 15 hours 50 min ago:
> Which is why the pressure needs to go up until ~everyone
wants change.
I think the point made is that this adds no extra pressure.
TeMPOraL wrote 15 hours 24 min ago:
The comment itself is evidence that it does, otherwise no
one would even pay attention. But clearly the pressure is
nowhere near sufficient.
aziaziazi wrote 1 day ago:
> It honestly seems like it benefits Google more than it hurts
them. It directly hurts advertisers, but not enough that it
would stop anyone from advertising.
GP fights against ads, not Google. And not being able to win
100% of the gain shouldn’t restrain someone from taking
action if they consider the win share worth the pain.
> $38,000 in clicks boosts Google's revenue by $38k
You should include costs here, and if (big if) a substantial
part of the clicks comes from bots and get refunded, the
associated cost comes on top of the bill. At the end the whole
business is impacted. I agree 50/50k is a penny though.
> I hate ads […] I manage a Google Ads account
[no cynicism here, I genuinely wonder] how do you manage your
conscience, mood and daily motivation? Do you see a dichotomy
in what you wrote and if so, how did you arrive to that
situation? Any future plan?
I’m asking as you kind of introduce the subject but if
you’re not willing to give more details that’s totally
fine.
jorvi wrote 1 day ago:
> want to grow our business and advertising is how you get your
name out there
Or.. you know.. offering a quality product?
econ wrote 1 day ago:
Tiny traffic but everyone is buying things. High praise in the
reviews, not a single organic link.
malfist wrote 1 day ago:
You know, I'm not too worried that I'm making the lives of
people who spy on me harder and wasting their money.
You don't have to buy privacy violating ads. You don't have to
buy targeted ads
paulryanrogers wrote 14 hours 7 min ago:
> You don't have to buy privacy violating ads. You don't have
to buy targetted ads.
Sadly, you do until the monopoly is broken up. Because as is
your company probably won't survive in the market, nor you in
your role, using anything else.
malfist wrote 11 hours 37 min ago:
There are plenty of companies that A) don't advertise or B)
don't use individually targeted ads
An example of A: carmex
An example of B: Ball Homes (sixth largest residential
builder in the country), pretty much any lawyer, a mom and
pop that buys newspaper space, TV space or a bill board
Shacklz wrote 12 hours 26 min ago:
> Because as is your company probably won't survive in the
market
Then maybe that business isn't adding all that much value
to society to begin with and it's just not that much of a
loss if it goes away.
If a company cannot survive without shoving their product
into the view of eyeballs appealing to our most basic
monkey brain instincts, it's maybe just better if it dies.
freeone3000 wrote 1 day ago:
Hopefully it puts my browsers on a bot blocklist, which then
invalidates the tracking profile and eliminates targeted
advertising entirely.
thatguy0900 wrote 1 day ago:
My assumption with something as hostile as AdNauseam is that
you were running the risk of Google profile bans
freeone3000 wrote 12 hours 37 min ago:
oh no! anyway.
michaelt wrote 1 day ago:
The problem with being on google's bot blocklist is you'll
suddenly discover that recaptcha is used in a heck of a lot
of places.
mystified5016 wrote 1 day ago:
The point is to poison your ad tracking profile so that
advertisers can't figure out who you are and what you'll buy.
No matter how secure your browser setup is, Google is tracking
you. By filling their trackers with garbage, there's less that
can personally identify you as an individual
mediumsmart wrote 1 day ago:
Apple bought the patent to do just that 13 years ago … the
.Mac observer article about it is now gone - here is the
archive record [1] Carter invented it and got paid so they
can bury it. Must be good tech.
[1]: https://web.archive.org/web/20200601034723/https://w...
aerzen wrote 1 day ago:
Am I dumb or does this article fail to explain what does the tag
manager actually do? And not just with a loaded word, such as
surveillance or spying, but actually technically explain what they are
selling for and why it is bad.
mrweasel wrote 10 hours 8 min ago:
This may have changed, I last used Tag Manager 9-10 years ago. You
basically added a single Javascript snippet to your website, then you
could inject other Javascript into the pages, using various rules. So
rather than having to redeploy our site every time the marketing
department wanted to add a new tracking or retargeting script, we
could just add it in Tag Manager. I think it is a great tool if you
insist on doing these types of thing. You can also extract and
transform variables, so all the customization required to adapt to
each service could be done within Tag Manager, keeping your website
simpler.
One major issue Tag Manager solved for us was that a bunch of these
online marketing companies that have their own tracking
pixels/scripts absolutely suck at running IT infrastructure. More
than once we experienced poorly written 3rd party scripts would
break our site. Rather than having to do a redeployment, to
temporarily disable a script, I could easily pop into the Tag Manager
console and disable the offending service.
Maybe Google Tag Manager has changed, but it was a good tool, if you
were in the business of doing those sorts of things. I suppose it's
also a clever way of blocking all tracking from a site by just
stopping the Tag Manager script from loading.
JimDabell wrote 21 hours 8 min ago:
It’s a little bit like dependency injection for websites, used by
marketing teams.
The people responsible for maintaining a site don’t want to know
about all the different analytics tools the marketing team wants to
use, and don’t want to be involved whenever any changes need to be
made. So they expose a mechanism where the marketing team can inject
functionality onto the page. Then all the marketing tools tell the
marketing team how to use GTM to inject their tool.
simonsarris wrote 1 day ago:
The chief reason is that websites pay for advertising and want to
know if the advertising is working and Google tag manager is the way
to do that, for Google Ads.
This is not unreasonable! People spend a lot of money on ads and
would like to find out if and when they work. But people act like it's
an unspeakable nebulous crime but this is probably the most common
case by miles.
jppittma wrote 12 hours 34 min ago:
It feels that way for a lot of privacy concerns. "Telemetry" is the
scare word for debug log, core dumps, and stack traces. I think
it’s completely reasonable to want those.
ndriscoll wrote 8 hours 30 min ago:
It's reasonable to want and ask for debug data. Not so reasonable
to exfiltrate it without the owner's permission.
abanana wrote 15 hours 41 min ago:
Tracking website ads has become so normalised, it doesn't seem to
even cross the minds of web-only marketing people to think: how has
this always worked for advertising via TV, radio, billboards,
newspapers/magazines, etc?
Website-based advertising is a special case - the only one that
makes this tracking possible. Advertisers need to understand the
huge advantage they've been given, rather than taking it as a given
and thinking they have more of a right to the data, than the user
has a right to not provide it.
bravesoul2 wrote 22 hours 7 min ago:
Why should an advertiser have a right to know if their ads work,
regardless of privacy considerations. EU brought out a freaking
legal framework around this. I can't take seriously how you've over
simplified it.
reaperducer wrote 23 hours 26 min ago:
> This is not unreasonable! People spend a lot of money on ads and
would like to find out if and when they work.
Companies were doing this for hundreds of years before Google even
existed. You can learn if your ads work without invasive
tracking.
throwaway65449 wrote 1 day ago:
If running spyware on people's browsers just to see if your ads are
working is "not unreasonable", what is?
arcfour wrote 1 day ago:
Try responding in good faith on a non-throwaway account.
sitharus wrote 1 day ago:
XSS-as-a-service. It lets people drop in random JavaScript to be
injected on to the page without any oversight.
It’s used by marketing people to add the 1001 trackers they love to
use.
mlinsey wrote 1 day ago:
Google Tag Manager is a single place for you to drop in and manage
all the tracking snippets you might want to add to your site. When
I've worked on B2C sites that run a lot of paid advertising
campaigns, the marketing team would frequently ask me to add this
tracking pixel or another, usually when we were testing a new ad
channel. Want to start running ads on Snapchat? Gotta add the Snapchat
tracker to your site to know when users convert. Now doing TikTok?
That's another snippet. Sometimes there would be additional business
logic for which pages to fire or not fire, and this would change more
often. Sometimes it was so they could use a different analytics tool.
While these were almost always very easy tickets to do, they were
just one more interruption for us and a blocker for the stakeholders,
who liked to have an extremely rapid iteration cycle themselves.
GTM was a way to make this self-service, instead of the eng team
having to keep this updated, and also it was clear to everyone what
all the different trackers were.
simonw wrote 23 hours 25 min ago:
The self-service thing is such a nightmare. There are two things
that you almost certainly cannot trust your marketing team with:
1. Understanding the security implications of code they add via tag
manager. How good are they at auditing the third parties that they
introduce to make sure they have rock-solid security? Even worse,
do they understand that they need to be very careful not to add
JavaScript code that someone emailed to them with a message that
says "Important! The CEO says add this code right now!".
2. Understand the performance overhead of new code. Did they just
drop in a tag that loads a full 1MB of JavaScript code before the
page becomes responsive? Can they figure that out themselves? Are
they positioned to make good decisions on trade-offs with respect
to analytics compared to site performance?
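An added example, not part of the thread or any commenter's code: a static inventory is one starting point for the third-party audit raised in the comment above. It lists the script hosts a page references and any GTM container IDs, including loaders assembled inside inline snippets. The sample page, the hosts under example.test and tracker.invalid, the container ID GTM-EXAMPLE1, and the names `ScriptInventory` and `audit` are all constructed for illustration.

```python
"""Inventory the script origins a page references and flag GTM containers."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

GTM_ID = re.compile(r"\bGTM-[A-Z0-9]{4,}\b")          # container ID format
URL_IN_JS = re.compile(r"""https?://[^\s'"<>)]+""")   # absolute URLs inside inline JS

# Constructed sample page: one relative script, one same-site CDN script,
# one third-party pixel, and a GTM-style inline loader plus noscript iframe.
PAGE_URL = "https://www.example.test/"
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.test/lib.js"></script>
<script src="https://pixel.tracker.invalid/t.js" async></script>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-EXAMPLE1');</script>
</head><body>
<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-EXAMPLE1">
</iframe></noscript>
<p>content</p></body></html>"""


class ScriptInventory(HTMLParser):
    """Collects script/iframe sources, URLs in inline scripts, and GTM IDs."""

    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.page_url = page_url
        self.external = []      # (tag, absolute URL) from src attributes
        self.inline_urls = []   # absolute URLs found in inline script bodies
        self.gtm_ids = set()
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src")
        if tag in ("script", "iframe") and src:
            url = urljoin(self.page_url, src)   # resolve relative paths
            self.external.append((tag, url))
            self.gtm_ids.update(GTM_ID.findall(url))
        elif tag == "script":
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            body = "".join(self._buf)
            self.inline_urls.extend(URL_IN_JS.findall(body))
            self.gtm_ids.update(GTM_ID.findall(body))
            self._in_inline = False


def audit(page_url, html, site):
    """Return first-party hosts, third-party hosts and GTM container IDs.

    `site` is the registrable domain treated as first-party (an assumption
    supplied by the caller; no public-suffix lookup is done here).
    """
    inv = ScriptInventory(page_url)
    inv.feed(html)
    inv.close()
    hosts = set()
    for url in [u for _, u in inv.external] + inv.inline_urls:
        host = urlparse(url).hostname
        if host:
            hosts.add(host)

    def is_first_party(host):
        return host == site or host.endswith("." + site)

    return {
        "first_party": sorted(h for h in hosts if is_first_party(h)),
        "third_party": sorted(h for h in hosts if not is_first_party(h)),
        # Container IDs are reported whatever host serves the loader.
        "gtm_containers": sorted(inv.gtm_ids),
    }


if __name__ == "__main__":
    for key, value in audit(PAGE_URL, SAMPLE_HTML, "example.test").items():
        print(f"{key}: {value}")
```

A static pass like this cannot see what a container injects at runtime; that part of the audit needs a browser-side capture of the requests the page actually makes.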
gnz11 wrote 7 hours 26 min ago:
Agreed that it's a nightmare, but what usually happens then is
that an MBA-type VP will come in and demand the marketing team be
allowed to insert whatever they want. Not many dev teams have the
political clout to push back.
zelphirkalt wrote 12 hours 54 min ago:
If there is one thing you can trust marketing departments with,
it's their ability to ruin any website they have the chance of
ruining.
JimDabell wrote 21 hours 12 min ago:
I agree with this and can add two more problems that are super
common.
Firstly, people will add all sorts of things on a whim without
telling anybody. So your privacy policy won’t capture any of
this.
Secondly, nobody ever cleans up after themselves. So a year down
the line, you’ll have a dozen different services, all doing the
same thing, all added by different people, and half of them
aren’t even being used by anybody because the people that added
them forgot about them or left the company.
I don’t think I’ve ever seen GTM used responsibly.
captn3m0 wrote 22 hours 3 min ago:
You effectively delegate code-review on a XSS path to your
marketing team. I refused to do that anywhere users could be
logged in.
bravesoul2 wrote 22 hours 9 min ago:
Yep it's vibe coding before vibe coding existed. Paste in the
script. No code review. No staging. No roll-out. Just straight in
prod. And it can break stuff.
sandspar wrote 1 day ago:
Google Tag Manager lets you add tracking stuff on your website
without needing to touch the code every time. So if you want to track
things like link clicks, PDF downloads, or people adding stuff to
their cart.
It doesn't track things by itself. It just links your data to other
tools like Google Analytics or Facebook Pixel to do the tracking.
This kind of data lets businesses do stuff like send coupon emails to
people who left something in their cart.
There are lots of other uses. Basically, any time you want to add
code or track behavior without dealing with a developer.
xiande04 wrote 1 day ago:
There's a section in the article titled, "WHAT DOES GOOGLE TAG
MANAGER DO?":
> Whilst Google would love the general public to believe that Tag
Manager covers a wide range of general purpose duties, it's almost
exclusively used for one thing: surveillance.
Finnucane wrote 1 day ago:
the "general public" probably has no idea that Tag Manager is a
thing that exists.
munchler wrote 1 day ago:
That’s a single word, not much of an actual explanation.
a2800276 wrote 1 day ago:
I was tasked with auditing third party scripts at a client a couple
of years ago, the marketing people were unable to explain wtf tag
manager does concretely without resorting to ‚it tracks campaign
engagement´ mumbo jumbo, but were adamant they can’t live
without it.
fguerraz wrote 1 day ago:
Maybe you’re being misled by the cryptic name. It’s got nothing
to do with managing tags, it’s a behaviour tracker and fingerprint
machine.
9dev wrote 1 day ago:
I mean technically you can use it to manage HTML tags to inject
into a site.
slow_typist wrote 1 day ago:
Well I can inject HTML tags (or elements) with native JavaScript.
Or manage them. Why would I want a bloated third party piece of
software doing that?
connicpu wrote 1 day ago:
So that your sales and marketing team can add the third-party
tracker for a new ad campaign service without bothering the
engineering team.
bravesoul2 wrote 22 hours 1 min ago:
They can also add features! Yes have fun!
SquareWheel wrote 1 day ago:
Since you're asking, you could use it to tie together triggers
and actions to embed code in specific situations (eg. based on
the URL or page state). It has automatic versioning. There's
a preview feature for testing code changes before deploying,
and a permission system for sharing view/edit access with
others.
snowwrestler wrote 1 day ago:
This is in fact what it is primarily used for.
Animats wrote 1 day ago:
Blocking Google Tag Manager script injection seems to have few side
effects.
Blocking third party cookies also seems to have few side effects.
Turning off Javascript breaks too much.
alganet wrote 1 day ago:
Use a whitelist-based extension such as NoScript: [1] You can then
enable just enough JS to make sites work, slowly building a list of
just what is necessary. It can also block fonts, webgl, prefetch,
ping and all those other supercookie-enabling techniques.
The same with traditional cookies. I use Cookie AutoDelete to remove
_all_ cookies as soon as I close the tab. I can then whitelist the
ones I notice impact on authentication.
Also, you should disable JavaScript JIT, so the scripts that
eventually load are less effective at exploiting potential
vulnerabilities that could expose your data.
[1]: https://noscript.net
Timwi wrote 8 hours 2 min ago:
Why would JIT be more likely to have such a vulnerability than a
JavaScript engine without JIT?
fvgvkujdfbllo wrote 1 day ago:
> surveillanceware
I thought the term was spyware.
Surveillanceware almost sounds like something necessary to prevent bad
stuff. Is this corporate rebranding to make spyware software sound less
bad?
Eggs-n-Jakey wrote 1 day ago:
I don't know, the memetics of Surveillanceware or spyware mostly
leads me to the belief that everything is weaponized to drain your
money thru ads/marketing instead of the direct approach of stealing
my money.
drcongo wrote 1 day ago:
Google Tag Manager and the whole consent management platform
certification business is nothing more than a shakedown. It's
racketeering.
rurban wrote 1 day ago:
Just add the domain to your /etc/hosts as 0.0.0.0
Doing that for years
future10se wrote 1 day ago:
As mentioned on the blog post:
> Used as supplied, Google Tag Manager can be blocked by third-party
content-blocker extensions. uBlock Origin blocks GTM by default, and
some browsers with native content-blocking based on uBO - such as
Brave - will block it too.
> Some preds, however, full-on will not take no for an answer, and
they use a workaround to circumvent these blocking mechanisms. What
they do is transfer Google Tag Manager and its connected analytics to
the server side of the Web connection. This trick turns a third-party
resource into a first-party resource. Tag Manager itself becomes
unblockable. But running GTM on the server does not lay the site
admin a golden egg...
By serving the Google Analytics JS from the site's own domain, this
makes it harder to block using only DNS. (e.g. Pi-Hole, hosts file,
etc.)
One might think "yeah but the google js still has to talk to google
domains", but apparently, Google lets you do "server-side" tagging
now (e.g. running a google tag manager docker container). This means
more (sub)domains to track and block. That said, how many site
operators choose to go this far, I don't know.
[1]: https://developers.google.com/tag-platform/tag-manager/serve...
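An added example, not part of the comment above or of the linked article: it shows why hosts-file or Pi-hole style blocking stops the third-party GTM URL but cannot stop the same script served from the site's own domain. The hosts entries, `shop.example` and its `/metrics/` path are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample hosts file in the sink-to-0.0.0.0 style discussed in the thread.
SAMPLE_HOSTS = """\
# constructed sample blocklist
0.0.0.0 www.googletagmanager.com
0.0.0.0 www.google-analytics.com  # trailing comment
127.0.0.1 localhost
"""

SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def parse_hosts(text):
    """Return the set of hostnames a hosts file maps to a sink address."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2 or fields[0] not in SINK_ADDRESSES:
            continue
        blocked.update(name.lower().rstrip(".") for name in fields[1:])
    blocked.discard("localhost")  # the loopback entry is not a block rule
    return blocked


def dns_verdict(url, blocked):
    """DNS-level blocking only ever sees the hostname, never the path."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return "blocked" if host in blocked else "resolves"


def audit(page_url, script_urls, blocked):
    """Label each script first- or third-party (exact host match) with its DNS verdict."""
    page_host = urlsplit(page_url).hostname
    report = {}
    for url in script_urls:
        party = "first" if urlsplit(url).hostname == page_host else "third"
        report[url] = (party, dns_verdict(url, blocked))
    return report


# Constructed URLs: shop.example and its /metrics/ path are hypothetical.
SCRIPTS = [
    "https://www.googletagmanager.com/gtag/js?xxxxxxx",
    "https://shop.example/metrics/gtag/js?xxxxxxx",
]

if __name__ == "__main__":
    blocked_hosts = parse_hosts(SAMPLE_HOSTS)
    for url, verdict in audit("https://shop.example/", SCRIPTS, blocked_hosts).items():
        print(verdict, url)
```

Sinking `shop.example` itself would take the whole site with it, which is why the first-party copy needs path-level or content-level filtering in the browser rather than a DNS rule.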
whatevertrevor wrote 22 hours 34 min ago:
Slightly related I've also been recently noticing some sites
loading ads pseudo-dynamically from "content-loader" subdomains
usually used to serve images. It's obnoxious because blocking that
subdomain at the DNS level usually breaks the site.
My current strategy is to fully block the domain if that's the sort
of tactic they're willing to use.
1oooqooq wrote 1 day ago:
[1]: https://someonewhocares.org/hosts/zero/
jpgreens wrote 1 day ago:
What if we could resolve every domain to 0.0.0.0 by default at the
start. When visiting a website manually through the browser's URL
bar it would automatically be whitelisted. Clicking links would
also whitelist the domain of the link only. Sure you'd have to
occasionally allow some 3rd party domains as well. Guess it would
be cumbersome at first but after a while it would be pretty stable
and wouldn't require much extra attention.
reddalo wrote 1 day ago:
I feel like that document is seriously outdated.
This GitHub repo seems way more up-to-date:
[1]: https://github.com/StevenBlack/hosts
lazyeye wrote 1 day ago:
Try pihole (self-hosted) or nextdns if you want something that
stays up to date.
iknownothow wrote 1 day ago:
I just did a wget of the site and noticed the following line at the
end.
> "https://www.googletagmanager.com/gtag/js?xxxxxxx">
I am going to use this for sure, but it is a little ironic.
gleenn wrote 1 day ago:
I'm all for blocking surveillance but how tiring is it to block
JavaScript as suggested and then watch the majority of the internet not
work?
michaelt wrote 1 day ago:
It depends.
If you're spending 99% of your time on your favourite websites that
you've already tuned the blocking on? Barely a problem.
On the other hand if your job involves going to lots of different
vendors' websites - you'll find it pretty burdensome, because you
might end up fiddling with the per-site settings 15+ times per day.
dylan604 wrote 1 day ago:
If I’m at work using a work provided computer, I don’t bother
with the blocking. They are not tracking me as I do not do anything
as me. I’m just some corporate stooge employee that has no
similarity to me personally.
My personal devices block everything I can get away with
qualeed wrote 1 day ago:
Echoing others, I've used NoScript for years and at this point it is
practically unnoticeable.
Many sites work without (some, like random news & blogs, work
better). When a site doesn't work, I make a choice between
temporarily or permanently allowing it depending on how often I visit
the site. It takes maybe 5 seconds and I typically only need to spend
that 5 seconds once. As a reward, I enjoy a much better web
experience.
1vuio0pswjnm7 wrote 1 day ago:
Impossible to know because when I disable Javascript "the majority of
the internet" works fine. As does a majority of the web.
I read HN and every site submitted to HN using TCP clients and a
text-only browser, that has no Javascript engine, to convert HTML to
text.
The keyword is "read". Javascript is not necessary for requesting or
reading documents. Web developers may use it but that doesn't mean
it is necessary for sending HTTP requests or reading HTML or JSON.
If the web user is trying to do something else other than requesting
and reading, then perhaps it might not "work".
goopypoop wrote 1 day ago:
People who want you to run their scripts aren't really your friends
kevin_thibedeau wrote 1 day ago:
StackOverflow switched over from spying with ajax.google.com to GTM
in the past year or so. All for some pointless out of date jQuery
code they could self-host. I wonder how much they're being paid to
let Google collect user stats from their site.
anothernewdude wrote 1 day ago:
The sites that don't work are usually the worst websites around - you
end up not missing much. And if it's a store or whatever, you can
unblock all js when you actually want to buy.
heavyset_go wrote 1 day ago:
Whitelisting JS has worked on my end for a while.
I won't browse the Internet on my phone without it, everything loads
instantly and any site that actually matters was whitelisted years
ago.
Rapzid wrote 1 day ago:
About as tiring as hearing about it all the time. Thank god it's a
fringe topic these days but this article snuck it in. Probably the
constant use of the word "surveillance" was an early tell haha.
sureglymop wrote 1 day ago:
It's easier than I thought. I just use uBlock Origin with everything
blocked by default and then allow selectively.
pluc wrote 1 day ago:
It really isn't. I've been blocking all JavaScript for years now,
selectively allowing what is essential for sites to run or using a
private session to allow more/investigate/discover. Most sites work
fine without their 30 JS sources, just allowing what is hosted on
their own domain. It takes a little effort, but it's a fair price to
pay to have a sane Internet.
The thing is - with everything - it's never easy to have strong
principles. If it were, everyone would do it.
palata wrote 1 day ago:
Do you selectively enable JavaScript for the whole site, or is
there a way with uBO to only enable subparts of it?
culi wrote 1 day ago:
NoScript seems like the go-to addon [1] It has pretty advanced
features but also basic ones that allow you to block scripts by
source
[1]: https://noscript.net/
dylan604 wrote 1 day ago:
That’s my default as well. Self hosted/1st party scripts can
load, but 3rd party scripts are blocked. The vast majority of sites
work this way. If a site doesn’t work because they must have a
3rd party script to work, I tend to just close the tab. I really
don’t feel like it has caused me to miss anything. There’s
usually 8 other sites with the same data in a slightly less hostile
site
roywiggins wrote 1 day ago:
It's certainly not that bad if you have uMatrix to do it with, but
I haven't found a reasonable way to do it on mobile. uMatrix does
work on Firefox Mobile but the UI is only semi functional.
1vuio0pswjnm7 wrote 1 day ago:
uMatrix is fully-functional on Nightly.
Using Firefox Add-Ons on a "smartphone" sucks because one has to
access every Add-On interface via an Extensions menu.
In that sense _all_ Add-Ons are only semi-functional.
I use multiple layers: uMatrix + NetGuard + Nebulo "DNS Rules",
at the least. Thus I have at least three opportunities where I
can block lookups for and requests to Google domains.
DavideNL wrote 1 day ago:
Doesn’t uBlock Origin in advanced mode do the exact same
thing as uMatrix?
pmontra wrote 23 hours 12 min ago:
Maybe, but the UX is so terrible that I never figured out how
to use uBO to replace uMatrix. I always use both: uBO for ads
and DOM elements filtering and uMatrix for JavaScript,
frames, cookies, anything in the columns of its UI.
Basically uMatrix is so donor to use that anybody can use it.
The equivalent uBO section is so complicated that I feel I
need to take a master's degree in that subject.
zelphirkalt wrote 12 hours 31 min ago:
You would be surprised how many people are completely
overwhelmed by the choices uMatrix offers. Lots of people
out there, that don't even know what a website can consist
of, let alone what it means to block this or that, or have
the awareness that they did block something, or the
patience to properly unblock the minimum amount of shit
necessary to use the website. For many people any effort at
all makes them surrender to the global spyware.
1vuio0pswjnm7 wrote 1 day ago:
[1] [2] Having tried both, IMHO they do not do exactly the
same thing. One is pattern-based, the other is host-based. As
such, one can use them together, simultaneously.
[1]: https://github.com/gorhill/uMatrix/wiki/Changes-from...
[2]: https://github.com/gorhill/uBlock/wiki/Advanced-sett...
bornfreddy wrote 1 day ago:
Not quite the same (I love uMatrix UI), but advanced mode in uBO
is similar. It lacks filtering by data type (css, js, images,
fonts,...) per domain, but it does resolve domains to their
primary domain, revealing where they are hosted. A huge kudos to
gorhill for both of these!
baobun wrote 1 day ago:
NoScript + uBO is all right.
pluc wrote 1 day ago:
Yup that's what I use as well. With whatever the name of the
extension that makes allowing cookies a whitelist thing too,
and PrivacyBadger/Decentraleyes.
Also, deleting everything when Firefox closes. It's a little
annoying to re-login to everything every day, but again, they
are banking on this inconvenience to fuck you over and I refuse
to let them win. It becomes part of the routine easily enough.