Doing that for years
> <script async src="https://www.googletagmanager.com/gtag/js?xxxxxxx"></script>
I am going to use this for sure, but it is a little ironic.
This GitHub repo seems way more up-to-date: https://github.com/StevenBlack/hosts
enjoy.
> Used as supplied, Google Tag Manager can be blocked by third-party content-blocker extensions. uBlock Origin blocks GTM by default, and some browsers with native content-blocking based on uBO - such as Brave - will block it too.
> Some preds, however, full-on will not take no for an answer, and they use a workaround to circumvent these blocking mechanisms. What they do is transfer Google Tag Manager and its connected analytics to the server side of the Web connection. This trick turns a third-party resource into a first-party resource. Tag Manager itself becomes unblockable. But running GTM on the server does not lay the site admin a golden egg...
By serving the Google Analytics JS from the site's own domain, this makes it harder to block using only DNS. (e.g. Pi-Hole, hosts file, etc.)
One might think "yeah but the google js still has to talk to google domains", but apparently, Google lets you do "server-side" tagging now (e.g. running a google tag manager docker container). This means more (sub)domains to track and block. That said, how many site operators choose to go this far, I don't know.
https://developers.google.com/tag-platform/tag-manager/serve...
My current strategy is to fully block the domain if that's the sort of tactic they're willing to use.
I thought the term was spyware.
Surveillanceware almost sounds like something necessary to prevent bad stuff. Is this corporate rebranding to make spyware software sound less bad?
You can then enable just enough JS to make sites work, slowly building a list of just what is necessary. It can also block fonts, webgl, prefetch, ping and all those other supercookie-enabling techniques.
The same with traditional cookies. I use Cookie AutoDelete to remove _all_ cookies as soon as I close the tab. I can then whitelist the ones I notice impact on authentication.
Also, you should disable JavaScript JIT, so the scripts that eventually load are less effective at exploiting potential vulnerabilities that could expose your data.
> Whilst Google would love the general public to believe that Tag Manager covers a wide range of general purpose duties, it's almost exclusively used for one thing: surveillance.
It doesn't track things by itself. It just links your data to other tools like Google Analytics or Facebook Pixel to do the tracking.
This kind of data lets businesses do stuff like send coupon emails to people who left something in their cart.
There are lots of other uses. Basically, any time you want to add code or track behavior without dealing with a developer.
While these were almost always very easy tickets to do, they were just one more interruption for us and a blocker for the stakeholders, who liked to have an extremely rapid iteration cycle themselves.
GTM was a way to make this self-service, instead of the eng team having to keep this updated, and also it was clear to everyone what all the different trackers were.
1. Understanding the security implications of code they add via tag manager. How good are they at auditing the third parties that they introduce to make sure they have rock-solid security? Even worse, do they understand that they need to be very careful not to add JavaScript code that someone emailed to them with a message that says "Important! The CEO says add this code right now!".
2. Understand the performance overhead of new code. Did they just drop in a tag that loads a full 1MB of JavaScript code before the page becomes responsive? Can they figure that out themselves? Are they positioned to make good decisions on trade-offs with respect to analytics compared to site performance?
Firstly, people will add all sorts of things on a whim without telling anybody. So your privacy policy won’t capture any of this.
Secondly, nobody ever cleans up after themselves. So a year down the line, you’ll have a dozen different services, all doing the same thing, all added by different people, and half of them aren’t even being used by anybody because the people that added them forgot about them or left the company.
I don’t think I’ve ever seen GTM used responsibly.
It’s used by marketing people to add the 1001 trackers they love to use.
This is not unreasonable! People spend a lot of money on ads and would like to find out if and when they work. But people act like its an unspeakable nebulous crime but this is probably the most common case by miles.
Companies were doing this for hundreds of years before Google even existed. You can learn if your ads work without invasive tracking.
Website-based advertising is a special case - the only one that makes this tracking possible. Advertisers need to understand the huge advantage they've been given, rather than taking it as a given and thinking they have more of a right to the data, than the user has a right to not provide it.
The people responsible for maintaining a site don’t want to know about all the different analytics tools the marketing team wants to use, and don’t want to be involved whenever any changes need to be made. So they expose a mechanism where the marketing team can inject functionality onto the page. Then all the marketing tools tell the marketing team how to use GTM to inject their tool.
One major issue Tag Manager solved for us was that a bunch of these online marketing companies that have their own tracking pixels/scripts absolutely suck at running IT infrastructure. More than ones we experienced poorly written 3rd. party scripts would break our site. Rather than having to do a redeployment, to temporarily disable a script, I could easily pop into the Tag Manager console and disable to offending service.
Maybe Google Tag Manager has changed, but it was a good tool, if you where in the business of doing those sorts of things. I suppose it's also a clever way of blocking all tracking from a site by just stopping the Tag Manager script from loading.
GTM from 9-10 years ago and GTM today have nothing in common.
Edit: looks like this might exist already: https://addons.mozilla.org/en-US/firefox/addon/adnauseam/
Between this and "track me not" i've been fighting back against ads and connecting my "profile" with any habits since 2016 or so. I should also note i have pihole and my own DNS server upstream, so that's thiry-eight grand in ad clicks that got through blacklists.
I manage a Google Ads account with a $500,000 budget. That budget is spent on a mix of display ads, google search, and youtube ads.
If I knew that 10% of our budget was wasted on bot clicks, there's nothing I can do as an advertiser. We can't stop advertising... we want to grow our business and advertising is how you get your name out there. We also can't stop using Google Ads - where else would we go?
$38,000 in clicks boosts Google's revenue by $38k (Google ain't complaining). The only entity you're hurting are the advertisers using Google. Advertisers might see their campaigns performing less well, but that's not going to stop them from advertising. If anything, they'll increase budgets to counteract the fake bot clicks.
I really don't understand what Ad Nauseam is trying to achieve. It honestly seems like it benefits Google more than it hurts them. It directly hurts advertisers, but not enough that it would stop anyone from advertising.
Google has a system for refunding advertisers for invalid clicks. The $500k account that I manage gets refunded about $50/month in invalid clicks. I'm guessing if bot clicks started making a real dent in advertiser performance, Google would counter that by improving their bot detection so they can refund advertisers in higher volumes. If there's ever an advertiser-led boycott of Google Ads, Google would almost certainly respond by refunding advertisers for bot clicks at much higher rates.
No matter how secure your browser setup is, Google is tracking you. By filling their trackers with garbage, there's less that can personally identify you as an individual
https://web.archive.org/web/20200601034723/https://www.macob...
Carter invented it and got paid so they can bury it. Must be good tech.
You don't have to buy privacy violating ads. You don't have to buy targetted ads
Sadly, you do until the monopoly is broken up. Because as is your company probably won't survive in the market, nor you in your role, using anything else.
Then maybe that business isn't adding all that much value to society to begin with and it's just not that much of a loss if it goes away.
If a company cannot survive without shoving their product into the view of eyeballs appealing to our most basic monkey brain instincts, it's maybe just better if it dies.
An example of A: carmex
An example of B: Ball Homes (sixth largest residential builder in the country), pretty much any lawyer, a mom and pop that buys newspaper space, TV space or a bill board
Or.. you know.. offering a quality product?
GP fights agains ads, not Google. And not being able to win 100% of the gain shouldn’t restrain someone from taking action it they consider the win share worth the pain.
> $38,000 in clicks boosts Google's revenue by $38k
You should include costs here, and if (big if) a substantial part of the clicks comes from bots and get refunded, the associated cost comes on top of the bill. At the end the whole business is impacted. I agree 50/50k is a penny through.
> I hate ads […] I manage a Google Ads account
[no cynism here, I genuinely wonder] how do you manage your conscience, mood and daily motivation? Do you see a dichotomy in what you wrote and if so, how did you arrive to that situation? Any future plan?
I’m asking as you kind of introduce the subject but if you’re not willing to give more details that’s totally fine.
Google is part of the problem, but they're neither the only ones nor best to target through bottom-up approaches.
> It directly hurts advertisers, but not enough that it would stop anyone from advertising.
You know the saying about XML - if it doesn't solve the problem, you are not using enough of it.
> there's nothing I can do as an advertiser. We can't stop advertising...
We know. The whole thing is a cancer[0], a runaway negative feedback loop. No single enlightened advertiser can do anything about it unilaterally. Which is why the pressure needs to go up until ~everyone wants change.
--
[0] - https://jacek.zlydach.pl/blog/2019-07-31-ads-as-cancer.html
I think the point made is that this adds no extra pressure.
> The only entity you're hurting are the advertisers using Google.
That’s fine. Advertising is cancer. Reducing advertisers’ ROI is good too.
You don’t hate ads if you’re spending $500k on them. You just hate receiving ads, which makes you hypocritical.
It's factually impossible to live in modern society without participating in ethically questionable activities at least indirectly.
They already have methods to detect a lot. Like you said yourself, customers have no alternative, so why would they refund money they don't have to?
Man scape? Nah, generic women's razers. Pcbway? Nope. JLCPCB.
Screw your ads. Find a better way.
> JLCPCB
If you can write this without seeing how you are the very worst of our enemies, then I do hope your business die, there is obviously nothing that will make you understand. I still can't believe you put those words together, honestly.
Do you see yourself as a separate breed from your lowly users or something? How can you inflict and even try to justify what you yourself avoid and say you "hate"?
In a way I get it, I wouldn't buy or recommend the product I currently work on. Still cash the paychecks though. I also am the stereotypical tech person who avoids technology. I can't exactly blame anyone for playing the game. The guy who works at the sausage factory but won't eat sausage due to what he's seen is a pretty common refrain.
Chrome banned it from their add on store but it can still be installed manually
I've already got most ads blocked by simply Piholing them, but GTM tracking my every move using first-party content is a different kind of interaction to attack.
Maybe I could manually improve a bit on that by deliberately register myself for various random services and just clicking around a bit to pretend I am interested in things I have no interest in. On the other hand with 20 years of tracking I think Google has all my interests and habits nailed down anyway.
>The more of us who incapacitate Google's analytics products and their support mechanism, the better. Not just for the good of each individual person implementing the blocks - but in a wider sense, because if enough people block Google Analytics 4, it will go the same way as Universal Google Analytics. These products rely on gaining access to the majority of Web users. If too many people block them, they become useless and have to be withdrawn.
OK - but then also in the wider sense, if site owners can't easily assess the performance of their site relative to user behavior to make improvements, now the overall UX of the web declines. Should we go back to static pages and mining Urchin extracts, and guessing what people care about?
If the frontend automatic js is blocked, it doesn’t matter.
I would be more than happy to opt in to performance metrics or other reports if only I could have some level of trust that improving the UX is all it's gonna be used for. I want to live in a world where that is the everyday normal, and where the non-consensual collection and sale of personal data is a high-profile public scandal with severe legal consequences.
Yes absolutely do this please.
Why even bother with the effort of analytics only to ignore the answers? I'm honestly not sure I've ever seen a website improve.
>Use uBlock Origin with JavaScript disabled, as described above, but also with ALL third-party content hard-blocked. To achieve the latter, you need to add the rule ||.^$third-party to the My Filters pane.
https://github.com/gorhill/uBlock/wiki/Blocking-mode
https://github.com/gorhill/uBlock/wiki/Blocking-mode:-hard-m...
VPN so constantly changing ip.
Tor browser for everyday browsing (has no script preinstalled). So onion provides double Vpn. Regularly closed down so history cleared.
Safari in private mode and lockdown mode for when tor won't work (tor ip blocked/hd video that is too slow to stream on tor). Safari Isolation in private mode is excellent, you can use two tabs with, say emails, and neither will know other is logged in.
Safari non private for sites I want available and in sync across devices.
Firefox in permanent private mode with ublock origin for when safari lockdown mode causes issues. (Bizarely Firefox containers doesn't work in private so no isolation across tabs).
Chromium for logged into Google stuff.
Chrome for web development.
Plus opt out for everything possible inc targeted ads.
I rarely see ads of anything I would want to buy, and VPN blocks most of it at its DNS.
Beyond that, anything else would be too much effort for me.
The advertising companies I'm sure know I am not susceptible to impulse buy on ads, I research and seek vfm so not really their target.
Do you just... log back in to Hacker News every day?
I downloaded the Mullvad browser (basically Tor without the onion protocol part) but having no way to save passwords ended up making it unusable for me
Also regularly export your passwords from your password manager, either to another password manager or encrypt and store.So if the password manager has issues it won't leave you stuck.
Eventually we realized that every dev ran ubo, and tried loading the site without it. It took about 5 seconds. Marketing and other parts of the company had loaded so much crap into GTM that it just bogged everything down
If you're testing a website, you've got to test it like your customers use it. I shake my head at the incompetence of web designers every time I encounter a website filled with scroll bars because the devs on macOS haven't bothered testing any other device.
The corruption of the system knows no bounds.
Ublock origin wiki referencing a method to block, unsure how effective it is(seems to be based on the first link): https://github.com/gorhill/uBlock/wiki/Static-filter-syntax#...
"*$1p,strict3p,script,header=via:1.1 google"
Perhaps some filter in your list already utilizing this but I'm unable to verify
https://lists.w3.org/Archives/Public/public-privacycg/2022Ju...
GTM is in my top #3 list of the worst software to ever exist. And I mean it. GTM is incredibly hostile to everyone around it: to the victims, to marketing people, to software engineers.
gleenn•7mo ago
pluc•7mo ago
The thing is - with everything - it's never easy to have strong principles. If it were, everyone would do it.
roywiggins•7mo ago
baobun•7mo ago
pluc•7mo ago
Also, deleting everything when Firefox closes. It's a little annoying to re-login to everything every day, but again, they are banking on this inconvenience to fuck you over and I refuse to let them win. It becomes part of the routine easily enough.
bornfreddy•7mo ago
1vuio0pswjnm7•7mo ago
Using Firefox Add-Ons on a "smartphone" sucks because one has to access every Add-On interface via an Extensions menu.
In that sense _all_ Add-Ons are only semi-functional.
I use multiple layers: uMatrix + NetGuard + Nebulo "DNS Rules", at the least. Thus I have at least three opportunities where I can block lookups for and requests to Google domains.
DavideNL•7mo ago
1vuio0pswjnm7•7mo ago
https://github.com/gorhill/uBlock/wiki/Advanced-settings
Having tried both, IMHO they do not do exactly the same thing. One is pattern-based, the other is host-based. As such, one can use them together, simultaneously.
pmontra•7mo ago
Basically uMatrix is so donor to use that anybody can use it. The equivalent uBO section is so complicated that I feel I need to take a master degree in that subject.
zelphirkalt•7mo ago
dylan604•7mo ago
palata•7mo ago
culi•7mo ago
https://noscript.net/
It has pretty advanced features but also basic ones that allow you to block scripts by source
sureglymop•7mo ago
Rapzid•7mo ago
heavyset_go•7mo ago
I won't browse the Internet on my phone without it, everything loads instantly and any site that actually matters was whitelisted years ago.
anothernewdude•7mo ago
kevin_thibedeau•7mo ago
goopypoop•7mo ago
1vuio0pswjnm7•7mo ago
I read HN and every site submitted to HN using TCP clients and a text-only browser, that has no Javascript engine, to convert HTML to text.
The keyword is "read". Javascript is not necessary for requesting or reading documents. Web developers may use it but that doesn't mean it is necessary for sending HTTP requests or reading HTML or JSON.
If the web user is trying to do something else other than requesting and reading, then perhaps it might not "work".
qualeed•7mo ago
Many sites work without (some, like random news & blogs, work better). When a site doesn't work, I make a choice between temporarily or permanently allowing it depending on how often I visit the site. It takes maybe 5 seconds and I typically only need to spend that 5 seconds once. As a reward, I enjoy a much better web experience.
michaelt•7mo ago
If you're spending 99% of your time on your favourite websites that you've already tuned the blocking on? Barely a problem.
On the other hand if your job involves going to lots of different vendors' websites - you'll find it pretty burdensome, because you might end up fiddling with the per-site settings 15+ times per day.
dylan604•7mo ago
My personal devices block everything I can get away with