It really isn't. I've been blocking all JavaScript for years now, selectively allowing what is essential for sites to run or using a private session to allow more/investigate/discover. Most sites work fine without their 30 JS sources, just allowing what is hosted on their own domain. It takes a little effort, but it's a fair price to pay to have a sane Internet.

The thing is - with everything - it's never easy to have strong principles. If it were, everyone would do it.

It's easier than I thought. I just use uBlock Origin with everything blocked by default and then allow selectively.

About as tiring as hearing about it all the time. Thank god it's a fringe topic these days but this article snuck it in. Probably the constant use of the word "surveillance" was an early tell haha.

Whitelisting JS has worked on my end for a while.

I won't browse the Internet on my phone without it, everything loads instantly and any site that actually matters was whitelisted years ago.

The sites that don't work are usually the worst websites around - you end up not missing much. And if it's a store or whatever, you can unblock all js when you actually want to buy.

StackOverflow switched over from spying with ajax.google.com to GTM in the past year or so. All for some pointless out of date jQuery code they could self-host. I wonder how much they're being paid to let Google collect user stats from their site.

People who want you to run their scripts aren't really your friends

Impossible to know because when I disable Javascript "the majority of the internet" works fine. As does a majority of the web.

I read HN and every site submitted to HN using TCP clients and a text-only browser, that has no Javascript engine, to convert HTML to text.

The keyword is "read". Javascript is not necessary for requesting or reading documents. Web developers may use it but that doesn't mean it is necessary for sending HTTP requests or reading HTML or JSON.

If the web user is trying to do something else other than requesting and reading, then perhaps it might not "work".

Echoing others, I've used NoScript for years and at this point it is practically unnoticeable.

Many sites work without (some, like random news & blogs, work better). When a site doesn't work, I make a choice between temporarily or permanently allowing it depending on how often I visit the site. It takes maybe 5 seconds and I typically only need to spend that 5 seconds once. As a reward, I enjoy a much better web experience.

It depends.

If you're spending 99% of your time on your favourite websites that you've already tuned the blocking on? Barely a problem.

On the other hand if your job involves going to lots of different vendors' websites - you'll find it pretty burdensome, because you might end up fiddling with the per-site settings 15+ times per day.

As mentioned on the blog post:

> Used as supplied, Google Tag Manager can be blocked by third-party content-blocker extensions. uBlock Origin blocks GTM by default, and some browsers with native content-blocking based on uBO - such as Brave - will block it too.

> Some preds, however, full-on will not take no for an answer, and they use a workaround to circumvent these blocking mechanisms. What they do is transfer Google Tag Manager and its connected analytics to the server side of the Web connection. This trick turns a third-party resource into a first-party resource. Tag Manager itself becomes unblockable. But running GTM on the server does not lay the site admin a golden egg...

By serving the Google Analytics JS from the site's own domain, this makes it harder to block using only DNS. (e.g. Pi-Hole, hosts file, etc.)

One might think "yeah but the google js still has to talk to google domains", but apparently, Google lets you do "server-side" tagging now (e.g. running a google tag manager docker container). This means more (sub)domains to track and block. That said, how many site operators choose to go this far, I don't know.

https://developers.google.com/tag-platform/tag-manager/serve...

I don't know, the memetics of Surveillanceware or spyware mostly leads me to the belief that everything is weaponized to drain your money thru ads/marketing instead of the direct approach of stealing my money.

Use a whitelist-based extension such as NoScript:

https://noscript.net

You can then enable just enough JS to make sites work, slowly building a list of just what is necessary. It can also block fonts, webgl, prefetch, ping and all those other supercookie-enabling techniques.

The same with traditional cookies. I use Cookie AutoDelete to remove _all_ cookies as soon as I close the tab. I can then whitelist the ones I notice impact on authentication.

Also, you should disable JavaScript JIT, so the scripts that eventually load are less effective at exploiting potential vulnerabilities that could expose your data.

Maybe you’re being misled by the cryptic name. It’s got nothing to do with managing tags, it’s a behaviour tracker and fingerprint machine.

I was tasked with auditing third party scripts at a client a couple of years ago, the marketing people where unable to explain wtf tag manager does concretely without resorting to ‚it tracks campaign engagement´ mumbo jumbo, but were adamant they they can’t live without it.

There's a section in the article titled, "WHAT DOES GOOGLE TAG MANAGER DO?":

> Whilst Google would love the general public to believe that Tag Manager covers a wide range of general purpose duties, it's almost exclusively used for one thing: surveillance.

Google Tag Manager lets you add tracking stuff on your website without needing to touch the code every time. So if you want to track things like link clicks, PDF downloads, or people adding stuff to their cart.

It doesn't track things by itself. It just links your data to other tools like Google Analytics or Facebook Pixel to do the tracking.

This kind of data lets businesses do stuff like send coupon emails to people who left something in their cart.

There are lots of other uses. Basically, any time you want to add code or track behavior without dealing with a developer.

Google Tag Manager is a single place for you to drop in and manage all the tracking snippets you might want to add to your site. When I've worked on B2C sites that run a lot of paid advertising campaigns, the marketing team would frequently ask me to add this tracking pixel or another, usually when we were testing a new ad channel. Want to start running ads on Snapchat? Gotta ad the Snapchat tracker to your site to know when users convert. Now doing TikTok? That's another snippet. Sometimes there would be additional business logic for which pages to fire or not fire, and this would change more often. Sometimes it was so they could use a different analytics tool.

While these were almost always very easy tickets to do, they were just one more interruption for us and a blocker for the stakeholders, who liked to have an extremely rapid iteration cycle themselves.

GTM was a way to make this self-service, instead of the eng team having to keep this updated, and also it was clear to everyone what all the different trackers were.

XSS-as-a-service. It lets people drop in random JavaScript to be injected on to the page without any oversight.

It’s used by marketing people to add the 1001 trackers they love to use.

The chief reason is that websites pay for advertising and want to know if the advertising is working and Google tag manager is the way to do that, for Google Ads.

This is not unreasonable! People spend a lot of money on ads and would like to find out if and when they work. But people act like its an unspeakable nebulous crime but this is probably the most common case by miles.

Now there’s a fun idea!! I wonder how difficult it would be to spoof events.

Edit: looks like this might exist already: https://addons.mozilla.org/en-US/firefox/addon/adnauseam/

I’d imagine that by this point in time, they are able to filter this specific type of noise out of the dataset. They have been tracking everyone for so long that I doubt there’s anyone they don’t know about whether directly of shadow profiles. These randomly generated users would just not match up to anything and would be fine to just drop

But I like it better when they have to guess. If it's something we care about enough, we'll let them know.

Belt and suspenders approach is to attach analytics to the most important events on the server side and combine with the session.

If the frontend automatic js is blocked, it doesn’t matter.

Effective and accessible UX design is a solved problem. It’s a matter of education of front end developers, not of A/B testing your users to death.

If the analytics brought us to this, of what use are the analytics?

Analytics can have good uses, but these days it's mostly used to improve things for the operator (more sales, conversions, etc) and what's best for the website isn't always the best for the user. And so I block all that.

I think it's hard to block Cloudflare Insights because most of the data is collected server-side.

There are literally hundreds of alternatives.

https://plausible.io/ or https://usefathom.com/