Google Tag Manager, the new anti-adblock weapon (2020)

Thank you for making SingleFile, it's been an absolute lifesaver in a project I'm working on. I was having a lot of trouble trying to manually save pages with puppeteer but the singlefile CLI worked perfectly, even with added extensions. (To get extensions to work I had to add --browser-headless=false --browser-args ["--enable-features=UseOzonePlatform", "--ozone-platform=headless", "--disable-extensions-except=/path/to/extension", "--load-extension=/path/to/extension"] )

Gawd I love HN you beautiful bastards.

SingleFile and SingleFileZ are great!

It’s a shame with manifest v3 that it will hamstring the size of pages that can be saved (to 43mb if I remember on the SingleFileLite GitHub page).

thanks for the info! maybe it's Jerry: https://info.woolyss.com/

I Like the cut of your jib, and I would like to subscribe to your newsletter.

Does anyone know which addon that might've been? Seems like a good addition to adnauseam.

In my experience the most popular noscript trackers are googletagmanager and facebook, so with just two domains you can get a lot. But e.g. bloomberg uses full first party proxy for facebook pixel with pseudorandom base url, it's difficult to block even by url; I suspect they duplicate the page request to facebook too, but this is unobservable on client side. Hopefully this solution doesn't scale well.

This is my go-to: https://github.com/StevenBlack/hosts

It helps a lot.

> Could they consider this malware and add the client IP to blacklists?

Do malware developers consider the countermeasure softwate created to resist them to be malware as well?

Good. If it is a shopping or some other service that charges money, then they lose business.

If it is some service that you have no choice but to use, but relies on network effects (like Facebook Events), then you can just send a screenshot to the interested party and they Might consider not using a service that is broken for other people.

Sure, and perhaps also the accounts of users running this while logged-in. Have contingency plans if you run this and your, say, GMail account is blocked.

With a bit of luck, it gets server owners banned from AdMob/MoPub/etc for fraudulent clicks.

I wish, but I haven't stopped receiving ads yet.

Microsoft doesn't care because they collect everything through their desktop environment. That's why you need an email to set windows up now.

You should not trust them. You can download the add-on and inspect it yourself, if you know some JS. Right-clicking yields this URL:

https://addons.cdn.mozilla.net/user-media/addons/585454/adna...

But it seems to include a lot of code, including some uBlock Origin code.

Either way, this kind of sabotage might get you banned on Google. Be mindful of the risks, and have contingency plans.

You should put the same amount of trust in this dev as you should in any other. I myself trust Mozilla's store reviews enough to run the addon, but if you're more conservative with trust, you can inspect the source code and build the addon itself.

The addon comes down to a uBlock Origin fork with different behaviour. I believe most of the addon code is actually the base uBlock code base.

I haven't seen any obvious data exfiltration in my DNS logs, but then again I'm just another random on the internet. If you don't feel comfortable installing something with a privacy impact as broad as an ad blocker, you should definitely trust your instincts.

> By default, I don't run JavaScript. I don't see blocking JS as a problem - in fact, it's a blessing as the web is blinding fast without it - and also most of the ads just simply disappear if JS is not running.

Years ago I was on the "people who block JavaScript are crazy" bandwagon, until just loading a single news article online meant waiting for a dozen ads and autoplaying videos to load. I spent more time waiting for things to finish loading than I spent browsing the actual sites, which killed my battery life. I'd get a couple of hours of battery life with JS on, and with it off, I could work all day on a single charge. It was nice.

Ever since then, I've been using NoScript without a problem. I've spent all of maybe 5 minutes, cumulative over the course of several years, clicking a single button to add domains to the whitelist. If whitelisting isn't something you want to do, you can use NoScript's blacklist mode, too.

> I'm now so spoilt by the advantages of the non-JS world that I don't think I could ever return. I'm always acutely reminded of the fact whenever I use someone else's machine.

I relate with this 100%.

There's another, indirect benefit to blocking JavaScript.

Over time I have noticed a strong correlation between sites which don't work right without JS and low-quality content which I regret having spent time reading.

Most of the time I encounter one of these sites I now just close the tab and move on with a clear conscience.

I used to run NoScript then at some point (maybe switched browsers?) I stopped using it. You've persuaded me to re-enable it.

Also - Firefox on mobile supports NoScript!

Firefox has never been slow for me over the last 15 years because NoScript makes it light years better than Chrome. Conversely, I routinely have the Android assistant lock up on me from JS bloat despite the supposed performance enhancement of AMP pages.

I don't know which web you're viewing that only needs JS for 3-5% of websites

This. I use the no script addon by default, and it’s amazing how many different domains sites try to bring in. Then I hit Twitter, imgurl, quora, etc and I am left with nothing but a blank page with plain text telling me that I need JavaScript to view the site. It makes me wonder what kind of tracking they are pushing.

> and also most of the ads just simply disappear if JS is not running.

since we are talking about the future I'd like to point out that they can always serve ads from the origin domain without javascript.

I mean the anti-adblock battle will evolve until each page we visit is a single image file that we have to OCR to remove ads. then we will need AI, and they will have captchas that will ask which breakfast cereal is the best.

you can stay ahead of the curve but it's always moving forward.

How does blocking javascript in this case prevent tracking? It's done via the same cookies the website uses, as I understand it. Do you disable cookies too?

How is private relay different from a vpn? A lot of fingerprinting scripts also can track you despite vpn.

I wonder why Safari is required? I’d be interested in paying for this if it worked with Firefox.

The thing is that you can host the server container also in AWS https://www.simoahava.com/analytics/deploy-server-side-googl... or Azure https://www.simoahava.com/analytics/server-side-tagging-azur...

I have no concern with blocking Google App Engine holistically

Unfortunately, it seems that more and more government web sites rely on Google services to function. And there's no replacement for those.

Google is pushing to have the browser itself track your interests and share them with whoever asks. The first attempt FloC backfired rather quickly as it was an all around privacy nightmare. The second attempt Topics promises to fix a lot of the problems FloC had but that is not a high bar and Google left itself a lot of room for future changes.

This is what I’m interested in. Article itself did not mention cross site tracking.

Every website having their own tracking subdomain makes third party cookies not work cross site even without browser changes.

Browser isolation isn't quite that. It's just running a browser that is heavily sandboxed from internal files and networks, or running on another machine so any exploits don't hit your machine.

It's very much like running a browser through Citrix (in particular the remote flavour which is the most common as far as I've seen). But of course any data in the browser itself is still within reach for the malicious code... Which only solves half the problem. Unless you rigidly separate internal browsing from external sites.

But it doesn't run all the JavaScript and then send you a screenshot or anything. The resulting page is still interactive.

Remote browser isolation has the ability to change the landscape of personal computing enormously by the way. Right now we equip all our laptops with at least 16GB (32 for customer care) because some web apps like Salesforce Lightning are such memory hogs.

Considering the importance of the browser in modern computing this model world basically make the PC more like a terminal and require much less resources.

Of course this has already been going on with web based apps and streaming of things like games but this could be the final nail in the coffin of the PC as we know it. Not sure I'm happy with that...

Opera Mobile has been doing this for years and years

>There needs to be a monetization channel that is 1) good for both users AND publishers and 2) pays just as much as current methods.

I agree, but what party would you like that money to originate from?

Ads work well right now for consumer-to-consumer (e.g. I create a blog and you view it) because there's a rich, third-party that money can flow from (a company running ads --> money to me) without having to charge you, the end-user who is more than likely significantly less well-off than a corporation.

To buck that pattern, you need the money to come from somewhere else. Subscriptions and direct payments are an obvious choice (see: the boom of SaaS over the past few years) but people are already complaining that they have so many subscriptions they lose track of them all, and spend too much money on what used to be a "free" internet.

So, I don't think there's a solution where the money comes from the end-user. However, any time you add in a third party for the money to flow from, they're going to want something in return. And unless you want that cash flowing from the site owner to that third party (...why would you?), they're gonna need to offer something else.

I don't see any solution other than "a third party pays for something users and/or the site can create for free". Is the answer to just find something free other than analytics/usage, or are there other approaches to monetize a site while still making it "free" to access?

Using Gemini as an allowlist doesn't seem any better than allowlisting known-good domains for HTTPS sites

HN is a link aggregator for HTTP(s) links. How do you read them?

Exactly! A company's goal is profit and most of the time, that does not align with the customer's goals. Amazon's goal is to sell me the highest margin item, I want the best value or highest quality.

I have very limited information about which items are a good value or high quality, so why should amazon have the tools to most effectively steer me towards high-margin items? They exist to provide us a service and we grant them the right to make a small % of profit while doing it. Not the other way around!

That's not true. I run a site like this and I want both. Yes I want to test what maximizes conversions, but this is also what helps me provide value to more users. And I also need it to determime how to improve the service I provide to users.

The bit you're replying to here hasn't yet introduced the problem of marketing teams.

The kind of tracking in the first section is "understanding how people use your product", and is usually introduced by the product team, rather than marketing. And most product teams i've worked on fiercely fight back against the addition of excessive tracking. Whilst the goal of a business (and therefore a product team), is usually about maximising profits, it's not exclusively about that. I've worked for businesses that literally have a social charter in their articles of association, but they still want to measure how people use their products.

That's to easy IMHO. Yes, online marketing is about profit. But tracking is not always about profit. I work for a customer that offers kind of a job search engine. All they want to maximize is the rate of succesful employments. Yes, they need to optimize marketing budget. But not to sell useless stuff, but to reach out to potential employees.

Most people only see 1-2% of what a marketing department does. The primary goal of a marketing department is to inform and present information in a clear and attractive manner. A good marketing department is also an advocate for what the consumer wants based on research and consumer feedback.

Are there bad actors in marketing. Yes. A lot. Marketing agencies are full of them. Agencies, to generalize, only care about short-term results and selling the client on the next big idea. They won’t be around or have to live with the repurcuions of their bad actions. In fact, the clients are their customer and so they don’t really care about the client’s customers at all so long as the client is paying them. They just need superficial numbers to go up to show the client. They are screwing over the client and customers are unfortunately collateral damage, but the agencies, again, don’t really have to deal with that.

A lot of the most anti-consumer tactics do not work in the long-run. Most consumers aren’t so easily tricked into buying a product today and they most certainly won’t be tricked twice. It doesn’t take too long—usually—for the snake-oil salesman to get run out of town. They just do a lot of damage while around.

As a 'white-hat' marketer (I work for some place that's similar to Vote411/ The League of Women Voters and I initially started in library outreach; I don't think anybody would consider my work unethical), the issue is the need for constant growth and profits.

You can do cool and interesting things in marketing and outreach and there are actual use cases for them. For example, libraries often carry unconventional items, and making the community aware that they can borrow a sewing machine/get seeds to plant/get museum passes is technically marketing and 'creating' a need, but it's not exploitative.

It's a very similar situation to dev work in that if I were willing to chuck my ethics out the window, I would make a lot more money, and marketing people do also like money.

> their whole goal is to create a need where there isn't an organic one

This is reductionist. Was telling people about trains and cars creating a need where there wasn’t one? In a sense. But in another sense, it was broadcasting a better way of being. Marketing doesn’t have to be evil. Saying all marketing is evil is sort of a cop out for the people who do it badly.

> Marketing is almost by definition not going to act ethically: their whole goal is to create a need where there isn't an organic one

That's very single-minded. Marketing mainly informs about a product, which obviously also works even if you already have the need for it. And it can also help in realizing a specific need which the customer has not pinpointed yet. That's the whole point of acting ethically, to support, not to bait, trap and abuse.

Ridiculous. "Tracking" and your so called "artificial" metrics have significantly increased my site's conversions to paying users and my users' experience. I did nothing unethical in the process.

Well actually it is more like they you are entering their store. They are measuring the number of people that come in. The number of items (and what items) these people look at. Add to their basket. How many stand in line at the cashier and how many buy. And how many filled baskets stand in the isles at the end of the day.

But - they also could write down the gender of anyone entering the shop. Or the hair color. Or they could note down the license plate of your car. With whom you arrive. The brand of your car. The color. The brands of the clothes you visibly wear.

Then they correlate that to the payment method, your Visa card, the credit ranking they receive back from visa (digitally at least). And so on.

and they measure how often you return.

They could do all of this (and actually a big lot of them does) and not only log that for themselves and do whatever analysis with it, but also send this data happily to the advertising agency that manages the big signs all over town so that they can show you additional advertisements for a new car, because you have money, but your car is old.

That is were the problem begins. It begins when doing way too invasive logging of user attributes that do only marginally have anything to do with measuring how the shop (or the website) work. And more so when this data is being sent to who knows whom in this advertising space out there.

I have no problem with an online store storing the fact that I came by clicking on a display ad. Or on an email newsletter. Or that I am using Firefox. Or Chrome. And that I am on a WIn10 desktop device. Or that I tend to add a lot of stuff to my shopping cart, wait two hours and then sort what I don't need.

I even do not have a problem showing me additional products based on what I looked at in their shop.

But to correlate that with offsite data, sending this to advertisers and so on is a no go for me.

No, you are voluntarily downloading and running their code on your computer. What you describe is hacking into somebody's computer, that is different. Stores take measurements about their customers, so do sites.

Thanks - didn't know that. Interesting. Might be a solution for a client of the team I work in (but not my client).

Isn't it so strange that if you or I were to do these kinds of things to an individual it would be considered creepy cyber stalking but when companies do it they are rewarded?

Blocking of feigning responses to particular remote APIs is still better than having to run a bunch of random tracking JS snippets, because without one of them a page just errors out.

Don't forget about ad-served malware

That’s inaccurate. You do still need to run a client side GTM script that adds event listeners for specific actions (like “clicks purchase button”). This is then sent to a server side container with whatever first party identifier the site may have (3rd party IDs aren’t supported as there’s no 3rd party cookies from Facebook and the like). From there a server to server network request is made to whatever tracking platforms (GA, Google Campaign Manager, etc).

Most of the tracking script these days is well written, at least the Google and Facebook libraries, so they generally don’t affect page performance, but some of the smaller players have script that can slow down performance.

With server side GTM, only it’s client side component needs to run, everything else will be server side.

How are you going to block it "trivially" if you don't know which script to block? They recommend changing the name of the GTM script, and paired with changing the content slightly, you won't be able to tell which script is GTM and which is actually important to the functioning of the site.

> GTM is still GTM and can be trivially blocked; the container itself isn't moving server-side.

Not when the script sending data to the server side GTM is a first party one.

No, the gtag in the browser sends all the data to the server-side proxy. Then on the server-side config you can pick which parts of the data to share with 3rd parties. So there is still client side data capture, its just reduced to one component capturing the data.

"I think we just need to ban all targeted advertising based on viewer profiles, even session data such as IP and geo-location"

I'd go further and ban all unsolicited advertising.

We also need to include hefty fines for handling data to Google and their ilk behind the back of users. It is required, but not sufficient to ban businesses like ad and spy business of Google.

It's a government.

Gorhill managed to get uBlock to block CNAME masked domains, so surely this wouldn't be that out of reach for an adblocker?

Good luck getting this to work in google chrome though.

Blocking all GCP and AWS hosted sites is about as effective as turning off all javascript. It reduces the usable set of sites on the web to basically worthlessness.

A cron job on the network gateway that creates iptables rules to drop connections to x IPs sounds like a good plan.

There are no perfect outcomes in life - if you're going to make an ethical decision then more often than not you'll have to compromise elsewhere. Another example would be cheap goods that come at an ethical and/or environmental cost - you'll usually have to pay extra to avoid those because the bad behaviour is what allows companies to keep costs down.

In some sense, FAANG employees are being paid extra to look the other way.

I don't understand the reasoning here. How does being paid more justify unethical acting? Especially since you are getting by very very well in the tech industry in general. Isn't that like saying "I'm kicking puppies all day, but it's paying enough to finance the second Lamborghini, so how could I decide against it"?

(If you were referring to moral offsetting, that could indeed work, assuming you donate enough to charities, but your post didn't sound like that.)

Yes it's been out for quite some time.

It's also requires running a proxy as a GCP application, so people running GTM largely because it's free/cheap aren't going to go along with this.

If I am reading it right, the article is saying about 1/3 of all web sites on the Internet already use GTM.

totally

Yea, I think we're saying the same thing. Ultimately both the best choice (for privacy, performance etc.) and the one that's most likely (given adblockers and and ever increasing push for privacy from browsers and OSs) is to stop trying to find a way around adblockers, and simply invest in the technologies that work - http, cookies, sessions, logins, and os on.

Yea. Though, GA does (at least) two things: analyzes your own data, and, uses the data they collect from all their other sites to improve your experience via better bot detection, recommendations, insights. Google's network is useful, like it or not, for a) their cross device graph - they know which mobile devices and which desktop browsers are the same user (ish) and b) from that, building better MTA models than you can with pure first-party data - especially if most of your traffic isn't logged in.

But I agree, the future is pointing toward a world where privacy and empowerment is more in the hands of the user, and that's a good thing.