903 comments

[ 3.2 ms ] story [ 240 ms ] thread
Anything that can be reliably identified across multiple websites can be blocked.

So here we'd just block "tag manager web container" no?

The article explains that the info can be transmitted by any JavaScript library.
Having spent a good amount of time looking at potential JavaScript malware that ended up being repackaged GTM, I'm pretty confident anyone who says they're "blocking Google Tag Manager" has their head in the sand.
I've been blocking GTM forever, so I do wonder how this will play out.
So it’s finally come down to “turn off JavaScript, or be infinitely tracked”?
And all cookies, else pixel trackers and serverside analytics can still identify your device. Don't need JS to set a cookie.
They can identify a device. Without JavaScript, you don't have nasty client-side hints telling sites exactly what OS, CPUs, Graphics Cards, etc. With a VPN and changing your UA, no JavaScript does a pretty good job at preventing sites from tracking you.
User agent strings tend to reveal the operating system and CPU architecture.
That is why I mentioned changing your UA. Unfortunately, with JS that is not enough due to client-side hints and other information leaked.
I'd characterize more as "Turn off JavaScript, and lose access to any site fronted by Cloudflare."
Which is a staggering portion of the popular web.
I've been running NoScript for the past year. It's pretty nice once you get to a stable set of policies. I load mainstream media sites in incognito tabs with JavaScript enabled for the tab.
So in other words you allow some of the largest, worst sites to track you. ;)
Elaborate? I have dnt turned on and am using incognito tabs? Still not good enough?
“DNT” is a bad joke, always was, just so you know. It just adds a header to your requests asking nicely not to be tracked.

If anything it probably acts as a datapoint on fingerprinting and actually helps to track you.

It provides a modicum of social and legal enforcement. A website with any sort of brand risks legal and PR costs if they violate DNT. I'm happy for them to take that risk.

Though I see now that the whole thing has fallen through since around 2019: https://en.wikipedia.org/wiki/Do_Not_Track. Oh well.

Going back to my original comment, if there's a better way to read say the NYTimes without being tracked by the NYTimes, I'd like to hear it.

Legal risks? I'm unaware that it's ever been enforceable anywhere, and I don't think there's ever been enough awareness of its existence to cause reputational damage.

Personally I think the whole thing fell through the moment it was conceived in 2009. We're going to ask nicely that people who are tracking us, who know that we don't want to be tracked anyway, kindly refrain? The whole idea was laughable.

Its advocates got annoyed when Microsoft enabled it by default on a version of IE several years ago, as then it wouldn't be perceived as a reliable indicator of intent. This really just exposed the problem with the whole thing, that it was going to be hidden away in settings where few people would go, and rely on the good will of effectively known-bad actors to respect it, and just maybe they would respect it if we keep it more-or-less a secret that only techy people bother with.

(Sorry, this rant is not aimed at you, it's just a bit of a pet hate)

This is all valid. But like I said, it was always about social and PR pressure (edit with reputable sites). (I was mistaken earlier when I thought it also had the force of law behind it.) That still has some, depreciating, value. To repeat my question, what else is there?
So long as we're on the topic of fighting ad targeting... if you've never heard of uBlock Origin, you should get it. It's probably the reason YouTube still thinks I'm Hispanic.

I love my poorly targeted ads. Easier to ignore.

The article claims ublock origin won’t work on sites that implement this.
The current version doesn't but there's not really a reason to believe it can't be updated. I think the author overstates the complexity of documenting these proxies and URLs for sites that run them.
You're going to lose this cat-and-mouse game, it's the same one that gets played with malware C2 domains (except it's worse because both the proxy operator and the actual domain operator are colluding). Add in the zero-cost nature of subdomains as opposed to needing to pay for new DGA root domains and the fact that they can run the whole thing behind e.g. cloudflare to prevent IP blocking? Forget about it.
> You're going to lose this cat-and-mouse game...

History is full of sentiments like that, from power structures that were never able to stop subversion. The game itself is perpetual, so there's always another turn coming.

Google’s recommending that people set a A record in their own domain for the server, and change the name of the script. Given this, documenting such proxies and URLs and maintaining that documentation doesn’t seem practical.

On the other hand, I wonder if you could just block all IP addresses associated with google, or those associated with their cloud/app engine? I suppose that could be handled at the firewall maybe? Are there ASNs google uses specifically for their app engine and cloud computing resources? Others have mentioned that a lot of government agencies rely on google app engine, but it’d be nice to kill all traffic to/from anything google.

Just use Brave and you won’t see any YouTube ads at all. It even works on mobile.
Youtube via Brave on my iPad refuses to stream anything above 720p most of the time. As a result I just use it less.
I am not sure OP has the proper background to discuss blocking ad+tracking techniques. Such utilities do a lot more than blocking domains. Blocking domains is just first step as it's the simplest and cheapest win. Signatures/Content inspection being sent can go a long way and can accurately identify patterns.
This is a pretty accurate description in my view, it does make blocking significantly harder.

[I've got about a decade+ in this highly specific domain fwiw.]

Citing adblock feels like clickbait. Google Tag Manager can't run ads so I don't follow the comparison. Marketing analytics could always side-step anti-adblocking tools through server-side tracking.
Server side tracking based on what, server access logs? That's not particularly helpful compared to the info you get with clientside analytics libraries.
No, the gtag in the browser sends all the data to the server-side proxy. Then on the server-side config you can pick which parts of the data to share with 3rd parties. So there is still client side data capture, its just reduced to one component capturing the data.
Right. Everything in the article is wrong.

GTM is still GTM and can be trivially blocked; the container itself isn't moving server-side.

It's just gained the ability to proxy data to third parties instead of needing to load scripts for every tracker. This is better for performance, and should be explicitly in control of exactly what data is passed on to where.

All you really lose is the ability to block a subset of analytics scripts selectively.

How are you going to block it "trivially" if you don't know which script to block? They recommend changing the name of the GTM script, and paired with changing the content slightly, you won't be able to tell which script is GTM and which is actually important to the functioning of the site.
You'll know that after loading the first couple of bytes though.
So they need to change the first couple bytes then, automatically.

Essentially I don't understand how possibly could free adblocking lists defeat advertisers or trackers if they truly cared about them: simply have a system running with the latest adblock lists against their test site, and if it is able to filter them, have an engineer make a modification—or have the system automatically pull up a pre-made modification or even generate a new one. In addition, the content-driving JS and the site JS could be bundled in one and obfuscated.

Best functioning filters are secret ones and thus only the technically minded minority has access to them.

If it's 99.99% the same I think we will manage :)
This was my exact thought when I wrote that comment. Then I remembered Manifest v3.

ITP, ETP, and plugins that can block requests based on heuristics will make pretty short work of this. In Chrome, come Manifest v3, plugins won't be allowed to.

So... this is all uglier and more complicated than I thought.

+It's gonna be very hard to detect once they actually bundle up (which I suspect only a few will do) the tag manager and obfuscate
Where does Google recommend changing the name of the script? The author claims that they do, but their link just recommends self-hosting the script. In Google's recommended JS, the path is exactly the same, only the hostname is different ("www.googletagmanager.com" replaced with "<DOMAIN NAME>").

Self-hosting by itself might make blocking marginally more difficult, but there are other reasons to do it:

- Browsers these days segment caches by origin, so there's no caching benefit to using Google as a CDN.

- With HTTP2, a first-party request is likely to immediately go through an existing (multiplexed) connection, saving a handshake.

- It's arguably better for privacy, as users and legislators seem to be concerned about links to Google leaking IPs (https://news.ycombinator.com/item?id=30135264).

> GTM is still GTM and can be trivially blocked; the container itself isn't moving server-side.

Not when the script sending data to the server side GTM is a first party one.

(comment deleted)
Saying that Adblock users want it 100% to block ads and 0% to protect their privacy is a misleadingly narrow analysis, even this use isn’t completely effective.
Adblockers block ads and tracking, if the new gtag manager makes easier to defeat the tracking protections of an ad blocker then it seems accurate.

I think the key thing here is that ad/tracking blockers often rely on domains or requests being 3rd party. In the past it was more work to hide the 3rd party trackers as 1st party, this makes it easy so its more likely to happen now.

Hack LocalCDN to inject modified scripts?
As someone who has spent a lot of time on both sides of this, I think this is a great outcome, personally.

The most annoying part of ad-tech for me, as a user, was the fact that I was running all sorts of random javascript, any bit of which could blow up performance on my browser.

As someone who used to lead an e-commerce operation, I hated running all of this crap in my users' browsers because I knew it would get blocked randomly or cause hard-to-diagnose errors.

I eventually moved us to basically this approach using a home-grown solution and everyone was happier. It was even more robust because it just used session/cookie data and didn't require running any javascript execution to work.

Been there, until you're instructed to inject ads in your website, and then you're back to GTM again.
The most annoying part for me is getting tracked against my will.

So now it's worse.

Blocking of feigning responses to particular remote APIs is still better than having to run a bunch of random tracking JS snippets, because without one of them a page just errors out.
Isn't it so strange that if you or I were to do these kinds of things to an individual it would be considered creepy cyber stalking but when companies do it they are rewarded?
Do what? Record who came in and out of your house?
Imagine if Google offered a retail solution advertised as “record who came in and out of your house”. They would offer a CCTV for free and run centralized face recognition on everybody visiting. They’d give you a bit of stats, but truly they would aggregate data on where people go and build shadow profiles (supposedly to facilitate ad targeting). And imagine 90% of households were using it.
So this is only a problem if the person thinking of visiting their neighbors' or friends' house has an issue with it. Why can't I install such a system if I want to? Why does it matter that 90% of households use this system?

In fact, because 90% of households use this system, doesn't that mean society at large agrees that this is an OK thing to have? We all opt for wearing clothes only because society at large has agreed that wearing clothes is a requirement; there is no law of nature mandating this, and select small groups of people congregate in nudist colonies to escape from this societal requirement. Even on the non-private side, if I don't like clothes, why should I be forced to enter government buildings (for official government business such as court appearances) with them on? Surely society shouldn't be forced to make accomodations for me, just because I have a different opinion on these topics. If 90% of households did in fact use such a system, it would be the new normal because it's a nearly universal collective opinion on the technology. A society almost never caters to those that are the ultra-minority if it inconveniences the 90% or directly challenges the 90%'s own freedoms and choices when it comes to their lives, especially when that's in regards to something as low-impact as what sort of privacy visitors to a residence have while on that property.

> because 90% of households use this system, doesn't that mean society at large agrees that this is an OK thing to have?

And if 90% of households have slaves doesn't that mean that society at large agrees that this is an OK thing to have?

Yes. Slavery was OK in the US for a long while. If things hadn't been done to get this changed in the US, it would still be seen as an OK thing to do, and in reality no higher power or law of nature would stop that, even in $current_year - evidenced by how worldwide modern slavery/forced labor is still going strong[0].

My point is that there is no correct moral compass, no general rule as to what behavior is good or evil and no arbitrator that will correct the wrongs humans are doing in the world. Society is only governed by itself, and thus a 'supermajority' of ideals is what will reign over the superminority in terms of law and general consensus. If society accepts and encourages one company to control an absolute record of human movement and presence, it's not going to be stopped and that majority isn't going to cater to the small portion of society that doesn't agree.

0: https://en.wikipedia.org/wiki/Slavery_in_the_21st_century#St...

Are you asserting that it is your current opinion that slavery was morally OK in the US, because it was morally accepted at the time?

(Warning: this is a trap question, do not answer yes, the only socially accepted answer is no)

Not the guy you're responding to, but this trap question seemed like you either misunderstood their comment or are unintentionally putting words in their mouth.

Their comment explicitly subscribes to a form of ethical relativism [1], which argues that there is no universal concept of "morally right" or "morally wrong", and that morals are determined solely by the society judging them at that time.

[1] >Ethical relativism is the theory that holds that morality is relative to the norms of one's culture. That is, whether an action is right or wrong depends on the moral norms of the society in which it is practiced. The same action may be morally right in one society but be morally wrong in another. For the ethical relativist, there are no universal moral standards -- standards that can be universally applied to all peoples at all times. The only moral standards against which a society's practices can be judged are its own. If ethical relativism is correct, there can be no common framework for resolving moral disputes or for reaching agreement on ethical matters among members of different societies.

>https://www.scu.edu/ethics/ethics-resources/ethical-decision...

It is not a particularly helpful take in an ethical debate (which this whole privacy thread is) outside of making a populist argument ("if everything thinks X is morally acceptable, then it is; who are you to say it's not?").

That said, I'm not sure I'd want to make the loaded comparison of equating "taking notes of who does what in your house" to slavery. One of these things is very clearly significantly worse than the other.

Right, I'm saying moral relativism ends up in inacceptable or at least widely not accepted answers as soon as you apply it to charged topics. It sounded to me like they were making a relativism argument, and I wanted to highlight this - to give them the opportunity to avoid saying that slavery is acceptable (even in the past) - while at the same time warning them against walking into this position unintentionally.

I'm not saying it should be unacceptable, relativism is an interesting position with some upsides, such as that the future, if relativist, will not judge us harshly for our undoubtedly manifold transgressions by their standard, but "slavery was okay actually" is still something that one should, if at all, say with deliberate intent, not as an accidental implication.

edit: To clarify my own view, I think that inasmuch as we now think that slavery was wrong, we have gained understanding - that slavery was just as wrong at the time, at least that it followed from moral precepts that were already believed, but this fact was obscured by the social and economic reality that people lived in. Evidence for this would be that people were already arriving at the view that slavery was wrong based on reasoning that matches, in hindsight, our own.

A good candidate for a similar moral mistake that we'd be making is, of course, the meat industry - meat is tasty and vegetarianism is effort. But I would expect the future to condemn meat-eating for the same reasons that vegetarians today condemn meat-eating, indicating moral progress (or at least technological progress reducing moral effort) rather than value drift.

I'm not sure that morality always works that way, to be clear, but I do think it works that way in these specific cases.

Dru,

I'm gonna take an adversarial point of view here. Wrong is wrong, and the magnitudes aren't really comparable at the resolution of the individual. At the maximum, according to Statista, there were about 4mn slaves. There are about 5bn people online, out of what is projected to be 8bn. While there are certainly cultural boundaries, that 5bn almost certainly interfaces with Google. So taking a step back and looking at the magnitude implied by the scale, and the outsized power of Google in virtually every facet of society, I wonder if it really is stepping out of line. Keyword dragnets, indefensible tracking... What's next?

Purely numerically comparing it, assuming slavery counts as a life spent in suffering, and there's a 1:1000 factor, given a forty year life expectancy, Google must cause the equivalent of 14 slavery-equivalent-suffering-days or more to be worse.

How many days of back-breaking labor and abuse would you put in to get freedom from Google tracking for the rest of your life? For me at three days, it'd be arguable; three weeks would be a stretch. (Of course, I have no actual experience to compare.)

I find it hard to believe that no Persian Gulf countries made that list. I was under impression that most of the manual labour workforce in places like UAE, Saudi Arabia, Qatar and Kuwait are slaves imported from the Indian subcontinent.
(comment deleted)
That's not even the half of it. It's not only building a record of who came in and out, but what they did, where they went, what or who they "engaged" with in the house, and arbitrarily more granular information. And the person visiting your house, on average, has no clue any of this is happening.
(comment deleted)
Isn't this literally what Ring does?
Yeah and isn't this stalking?
You think installing cameras on your own property is stalking? Putting aside that this is legal nonsense, are you saying that the millions of private retail stores, offices, and houses that install security cameras are actually stalking and the majority of citizens that visit grocery stores are stalking victims?

I mean, maybe you do believe that, but it's a little ridiculous to freak out over something that most people do and are used to. At most, it's an extension of the status quo.

Edit: I suppose it's not that ridiculous if you think most of the world is evil, but I am genuinely curious if you believe that.

Individual businesses aren’t stalking anyone if their CCTVs are watching out for themselves. But as soon as there is a centralized company offering the service and gobbling all the data, and that company acts like Google does with regards to web tracking, then it’d be in some sense no better than stalking (or even worse, stalking at scale).

If it only obtains the data to provide you the service of knowing who comes in or out, and deletes the data as soon as it’s not needed anymore, there would be no question; but that’s not where profit is in a double-sided market.

Like ADT? Like a lot of security companies that offer monitoring solutions on behalf of clients, especially smaller businesses and individual homeowners?

"gobbling all the data" is vaguely scary while being totally meaningless. GTM data is fully managed by the client, Google contractually does not randomly spy on it. Many businesses would argue that they do delete user data after they don't need it anymore, but analytics is useful and therefore necessary for a fairly long time (many platforms have natural retention limits, usually a few years). Google themselves deletes user data on their first party products after 18 months by default (referring to things like Web & App activity and Location history) and users can set it as low as 3 months, approximately the same amount of time as security footage.

Edited to correct a number and remove some snark

How can you feign obliviousness so much that you can't see the difference between what ADT was doing in 1995 and what Google is doing in 2022?
I'm disappointed that you chose to respond in bad faith without any argument at all, I guess I shouldn't waste my time.
> You think installing cameras on your own property is stalking?

The moment that someone responded in bad faith was right here.

You know full well that we're talking about the companies that get the data from these devices and what they do with it, not the rubes that these companies trick into buying their stalking products.

You also know full well that ADT is in no way comparable to Google in this discussion given the order of magnitude difference in revenue between the two companies and the extensive integration between the intelligence community and Google.

Key difference is one’s revenue stream (do you profit by selling security system or through data accumulated from your customers).

> Google themselves deletes user data on their first party products after 18 months by default (referring to things like Web & App activity and Location history) and users can set it as low as 3 months, approximately the same amount of time as security footage.

Security footage is not the problem, after all you may want to look back a few days to see who was around at the time something went missing. The problem would be processing footage into data on where each individual goes, storing that and finding various ways to profit off of it. This is not necessary for the core value proposition, and in my opinion is ethically questionable.

Sure, if they don’t store it for long, and especially if they comply with GDPR, that would help. However, I’m not deeply familiar with this, but I suspect they can easily claim that they don’t store data on you and don’t need to delete it simply by storing it in a way not obviously connected to your identity—even if this connection is very easy to make at any point.

Would be a bit creepy sure. But who am I to judge what other people install in their houses? I don't have to go and visit them, if I don't like it.
You’re describing the modern experience in a grocery store
And leave a webcam on the door of every single person I'm professionally engaged with, to record their visitors? Use it to understand where each of those persons spends all of their time, to the best of my capability? Learn who has what vices, and sell that information (or a service to employ it) to anyone who would take advantage?
> Do what?

All of the things that these companies do to monitor and track as much of the population as they can.

What I'm saying is it's funny because it's one of those things that's apparently legal to do in the aggregate but not individually?

Imagine if someone started up a business to track Google employees.

Bad analogy.

It's more like Target, Walmart, and Best Buy recording everything you do in the store (where your eyes go, what you say to your spouse, etc.) and then selling that information to random companies you've never interacted with, including each other.

Together, they can create a comprehensive log of everything you do outside (and inside!) your house and secretly sell it.

This isn't even an analogy. With Alexa and Google Home, we should expect that it's literally happening.

Why does selling the data matter? If it's fine to collect but not sell it, people would already be fine with Google Ads tracking as Google is solely in possession of that data and will never sell it, lest their competitors gain an edge by out-header-bidding Google (offering higher profit margins to sites) with Google's own user data.
> Why does selling the data matter?

It is somewhat galling for your private behavior to be monetized.

But you're right that the selling itself is not the core issue. The core issue is that it's being shared. The monetization is an incentive to share, and that's where the problem lies.

By contrast, think about your doctor: they can't legally sell your private data. If they share it with anyone, it is for the express purpose of helping you, their patient. No problem there! My doctor shares my data with their lab testing partners and cloud vendor, and it doesn't bother me at all.

Now imagine if my doctor could legally sell my data to anyone and make even more money from me. We know with 100% certainty that every hospital would sell that data far and wide.

This is what adtech firms are doing, just with (slightly) less sensitive data than my doctor has.

> By contrast, think about your doctor: they can't legally sell your private data.

This is not a reasonable comparison. You choose to tell the doctor private information because of patient-doctor confidentiality. The other type of “private information” is collected by observing you in public (e.g. in a Walmart).

> You choose to tell the doctor private information because of patient-doctor confidentiality. The other type of “private information” is collected by observing you in public (e.g. in a Walmart).

I think this distinction is irrelevant. The salient questions are:

- Is this information private and potentially damaging to me?

- Do I expect [third party] to have access to it?

This is especially important if [third party] can be a government. In the massive web of interconnected buyers/sellers of adtech data, there is no reason to expect that oppressive governments will be unable to get anything they want.

But to address your point:

I absolutely do not expect "observing in a public place" to include personal conversations and/or data about exactly what products my eyes land on.

I'm pretty sure those big retailers are already doing this. Given sufficient profit motive, you should always assume the worst possible.
More like the street in front of your house including people in their cars
Actual it would be more like a company recording what (physical) mail you read, when you read it, where you were when you read it, how long you read it, where you looked at on the paper, etc. You request data, they send it to you.

For example, ad blocking is more akin to paying someone to cut advertisements out of a magazine before you read it.

Violate an explicit request for privacy.

I would love to leave all of the blinds on the windows in my home open all time, but I live in a neighborhood. The price I pay for privacy is the cost of the blinds and the action of closing them when I want privacy. When those blinds are closed, it is not in any way acceptable for anyone to come along and try to find a way to see around or through them, even if they're trying to sell something.

Nobody would be harmed in the above example any more than they would be by having their privacy violated online. Nobody is physically harmed, or had their property stolen. They wouldn't even be inconvenienced in any a way, so long as they are unaware of the intrusion.

Now for a personal experience that stuck with me and helped shaped my views on privacy:

Many years ago I walked in on my girlfriend in the bathroom, and she asked me to leave. I was going for something in the medicine cabinet and thinking she just didn't want me to see her on the toilet, I replied "I don't mind" and continued toward the cabinet. She exclaimed "But I do!".

Of course, she was right and I was wrong, because privacy is about respecting the individual's desire for it.

No reason ad tech companies should have freedom to associate real world data with online data. This seems like the perfect candidate for a US state proposition.. no company engaged in online ad tech may combine or allow any other entity to marry online identities with real life.
(comment deleted)
I have mixed feelings about it, even just as a user. There are two reasons people block tracking scripts: 1) privacy, and 2) to stem the deluge of crap that marketing departments dump onto the page, harming performance (both load-time and otherwise) [1].

This basically gives everyone the benefit of #2, even if they don't or can't use an ad blocker. That's pretty cool, in isolation. But of course it also makes it much harder to accomplish #1.

[1] I've seen React-based websites with literally 10x as much JavaScript (by weight) coming in from GTM and other third-party marketing vendors, as the amount powering the actual app functionality. This happens (partly) because every single ad provider has you load their own arbitrary JS bundle onto the page, just so they can measure conversions. This is obscenely inefficient (and frankly, even though it makes things easier to block, in some ways it's potentially a lot more insecure/privacy-invading). People on here complain about frameworks ruining web performance, but in reality GTM is far more responsible (or has been, so far).

Don't forget about ad-served malware
GTM doesn't serve ads though, so my understanding is the OP doesn't apply to ads, only trackers
All that random crap will still run in your browser though.

The important thing here is that Google are asking users to proxy scripts from a Google server via a subdomain of their site. That's relatively trivial to do as far as the code and config goes, and not costly for the user or for Google. The advantage to the site and Google is that those scripts now look like first party files; Google are using a first part subdomain to subvert the Same Origin Policy via a proxy.

Every other tracking and ad service will set up the same thing. The reason it hasn't happened in the past is because it was hard to configure. Google are giving every other service the gift of explaining how to do it to users. Going to a website that had 50 tracking bugs from 50 domains will now have 50 tracking bugs from 50 Same Origin Policy allowed subdomains, all unique to that site, and all different so blockers will have a much harder time working out what to block.

The code that runs in the browser doesn't change. The only difference is where it appears to originate from.

That’s inaccurate. You do still need to run a client side GTM script that adds event listeners for specific actions (like “clicks purchase button”). This is then sent to a server side container with whatever first party identifier the site may have (3rd party IDs aren’t supported as there’s no 3rd party cookies from Facebook and the like). From there a server to server network request is made to whatever tracking platforms (GA, Google Campaign Manager, etc).

Most of the tracking script these days is well written, at least the Google and Facebook libraries, so they generally don’t affect page performance, but some of the smaller players have script that can slow down performance.

With server side GTM, only it’s client side component needs to run, everything else will be server side.

¿Por que no los dos? (Server-side and client-side spying synergise. Which computer is spending resources transferring telemetry?)
Any organization still running Google Tag Manager and allowing random marketing people to insert whatever someone told them to in a webinar must be having a death wish when the GDPR exists. You would think security teams would have put an end to that madness years ago but here we are.
You would think legal would have put an end to that madness..
I just use different browser for different activities. I search with Firefox (w/ Ublock, Adblocker) - when I'm ready to buy I use Chrome.
Why not just use Firefox containers?
I use Firefox containers but my Firefox is locked down too tight for online shopping so I use a different browser for making purchases.
firefox still has profiles, so you could use a profile that's not locked down instead. Although you'd probably wanna use a differnt theme on both to distinguish them.
What do you think this buys you?
Financial transactions provide more (precise) telemetry for fingerprinting.
This is not a well-written article.
Pretty sure a big ban hammer is coming for Google with all such shenanigans, especially in trigger happy places like Europe and India who don't like their citizens tracked and are happy to create legislative bans.

So you may win the cat and mouse adblock game but what are you gonna do when countries start making it illegal to use GA? (1)

(1) https://www.forbes.com/sites/emmawoollacott/2022/02/10/frenc...?

I can't wait for this to happen. Personally I think we just need to ban all targeted advertising based on viewer profiles, even session data such as IP and geo-location. This in turn should severely limit or destroy business models based on optimizing for engagement, as non-paying users are no longer profitable. It's going to cost a lot of people in ad-tech their jobs, but there is no shortage of demand for IT work, so surely they'll find something else to do.
"I think we just need to ban all targeted advertising based on viewer profiles, even session data such as IP and geo-location"

I'd go further and ban all unsolicited advertising.

I don't hear these words enough :(.
In $current_year, I kind of want to go even further and just ban the Internet.
Not all ads are created equal:

The other day I learned from an ad that my favorite 6 year old Bergans jacket can be repaired at a shop next to where I work for a price that is next to nothing.

We also need to include hefty fines for handling data to Google and their ilk behind the back of users. It is required, but not sufficient to ban businesses like ad and spy business of Google.
I'd wish so too but I don't see much that can happen in this context.
> India who don't like their citizens tracked...

Pretty sure the Indian govt bullied everyone into getting an Aadhar. The quintessential tracking device.

It's a government.
...which likes to police, surveil, impose, oppress the governed a bit too much.
God damn... this is it, this is the end-game. There's no way to fight this unless you customize and maintain blocking scripts for each individual website.

Yes, websites could always have done this, but the REST (CDN-bypassing) requests' cost and the manual maintenance for the telemetry endpoints and storage was an impediment that Google just gives them a drop-in solution for :(

I think Google is happy to eat some of the cost for the "proxy" server given the abundance of data they'll be gobbling up (not just each request's query string and users' IP address but -being a subdomain- all the 1st party cookies as well). I don't have the time or energy to block JavaScript and/or manually inspect each domain's requests to figure out if they use server-side tracking or not.

I honestly don't know if there's any solution to this at all. Maybe using an archive.is-like service that renders the static page (as an image at the extreme), or a Tor-like service and randomizes one's IP address and browser fingerprint.

(comment deleted)
Apple’s Private Relay blocks this type of cross site tracking.

Given this tracking is all server side, third party cookies across sites aren’t possible using this mechanism, and private relay cycles through your IP addresses frequently and uses common IPs across multiple users.

Regarding your other point, unless Google execs want to be thrown in jail / sued, they can’t use things like first party cookies for their benefit since that is against their terms of service.

I wonder why Safari is required? I’d be interested in paying for this if it worked with Firefox.
Yeah that would be a useful service that Mozilla could offer and I'd actually pay for.

I don't like their VPN as it's too basic in terms of privacy protection and it's much more versatile to just sign up with Mullvad myself because then I can use it on other stuff than just the browser.

How is private relay different from a vpn? A lot of fingerprinting scripts also can track you despite vpn.
(comment deleted)
Private Relay uses ingress and egress relays. The ingress proxy does know your IP but not which sites you are visiting and what you are doing. The egress proxy is only connected to the ingress, sees what you visit but does not know who you are. Both proxies are run by different parties.

With a VPN you would have to trust one provider, who sees all of your traffic.

Then is Private Relay equivalent to a two layer tor setup?
From my understanding yes, but with the caveat of being organised by a single entity (apple)
> Maybe using an archive.is-like service that renders the static page (as an image at the extreme)

A lot of companies are starting to use "browser isolation" which is essentially what you're saying. A proxy runs between the client and the server, but it does more than just direct TLS streams - it actually builds the DOM and executes the JS. The resulting web page is sent to the actual client browser, which might send back things like mouse and touch events to the proxy, which will then update the page.

I think most companies are using this as a malware protection thing, but it does hide the actual client IP address and fingerprint, and I imagine it would make tracking very difficult.

https://en.wikipedia.org/wiki/Browser_isolation

Opera Mobile has been doing this for years and years
The Opera product you are thinking of is Opera Mini. Opera Mobile is a browser running mostly on your device (except for "turbo" which optimized media trough a proxy setup, but did not, afaik, execute any of the javascript).

Opera Mini can be looked at as a browser running in the cloud, sending OBML (Opera Binary Markup Language, if I remember correctly) causing the (very thin) client to draw things on the mobile screen, like text, images, etc without having to transfer, parse, execute, flow and paint every thing on the device.

Yeah, they released countless of rebrands and versions and what not.

The equivalent on desktop would be Browsh (e.g. with terminal + Mosh), but it runs Firefox under the hood. Opera Mini is just akin to a remote browser with the result being send to the client (as a compressed picture like in RDP/VNC, or a proprietary markup language like OBML).

Browser isolation isn't quite that. It's just running a browser that is heavily sandboxed from internal files and networks, or running on another machine so any exploits don't hit your machine.

It's very much like running a browser through Citrix (in particular the remote flavour which is the most common as far as I've seen). But of course any data in the browser itself is still within reach for the malicious code... Which only solves half the problem. Unless you rigidly separate internal browsing from external sites.

But it doesn't run all the JavaScript and then send you a screenshot or anything. The resulting page is still interactive.

Remote browser isolation has the ability to change the landscape of personal computing enormously by the way. Right now we equip all our laptops with at least 16GB (32 for customer care) because some web apps like Salesforce Lightning are such memory hogs.

Considering the importance of the browser in modern computing this model world basically make the PC more like a terminal and require much less resources.

Of course this has already been going on with web based apps and streaming of things like games but this could be the final nail in the coffin of the PC as we know it. Not sure I'm happy with that...

"I don't have the time or energy to block JavaScript and/or manually inspect each domain's requests to figure out if they use server-side tracking or not."

By default, I don't run JavaScript. I don't see blocking JS as a problem - in fact, it's a blessing as the web is blinding fast without it - and also most of the ads just simply disappear if JS is not running.

On occasions when I need JS (only about 3-5% of sites) it's just a matter of toggling it on and refreshing the page. I've been working this way for at least 15 years - that's when I first realized JS was ruining my web experience.

I'm now so spoilt by the advantages of the non-JS world that I don't think I could ever return. I'm always acutely reminded of the fact whenever I use someone else's machine.

> By default, I don't run JavaScript. I don't see blocking JS as a problem - in fact, it's a blessing as the web is blinding fast without it - and also most of the ads just simply disappear if JS is not running.

Years ago I was on the "people who block JavaScript are crazy" bandwagon, until just loading a single news article online meant waiting for a dozen ads and autoplaying videos to load. I spent more time waiting for things to finish loading than I spent browsing the actual sites, which killed my battery life. I'd get a couple of hours of battery life with JS on, and with it off, I could work all day on a single charge. It was nice.

Ever since then, I've been using NoScript without a problem. I've spent all of maybe 5 minutes, cumulative over the course of several years, clicking a single button to add domains to the whitelist. If whitelisting isn't something you want to do, you can use NoScript's blacklist mode, too.

> I'm now so spoilt by the advantages of the non-JS world that I don't think I could ever return. I'm always acutely reminded of the fact whenever I use someone else's machine.

I relate with this 100%.

Tried NoScript for years and it was a pain. Too many of the sites I use need so many domains full of JS. So I think this will vary widely depending on the person and their preferred/needed sites.
I use NoScript with Firefox on Android (together with uBlock Origin). After I unblocked the websites I regularly use (and not the ad delivery domains), it doesn't get in the way that much.
Unblocking the sites you use removes the advantage of not being tracked by Google through tag manager though.
That's probably true. Part of the reason why I still also use an ad-blocker.
I've had Google Tag Manager blocked for years and sites have worked fine without it.
It has to be said: there are people who can get by without JavaScript and those who can't. You can almost predict those who can and those who can't by their personality.

If you are heavy user of Google's services, Twitter and Facebook as well as many big news outlets and heavy-duty commercial sites then you're the 'JavaScript' type and stopping scripts is definitely not for you!

If you are like me and don't have any Facebook, Twitter or Google accounts and deliberately avoid large commercial sites like, say, Microsoft then you can happily switch off JavaScript and experience the 'better' web.

You know the type of person you are, so with this fact in mind there's no point me proselytizing the case for disabling JavaScript.

I can relate 100%. In the past I was constantly using Twitter, Gmail, et al. I was using different hacks to bend them to the extent possible to my will. Time changed, my personality changed and the desire and need to use those services disappeared, therefore I naturally stopped using them. When people where talking about this or that service being down, I didn't notice it at all. I was also lucky enough to not rely on them on my $dayjob. I run my mail server, host my website and run my scripts. Old fashoin guy lets say. It works well for me. Moreover, JS-bloat is a red flag to stay away from certain services. Has served me well.
This seems like a broad generalization. JS continues to permeate every industry brought to the web. It's increasingly not optional as employers and governments mandate more and more web services. Doubtful that can be predicted by personality.
"...as employers and governments mandate more and more web services."

It's not compulsory, especially governments. I never deal with government on the web at a personal level. If they expect me to fill in forms I simply say that I do not have the web and would they please send me a paper copy - which they're obliged to do at law - same goes for the census.

If the government expects me to do business with it on the internet then it will have to legislate to make it compulsory AND then provide me with the necessary dedicated hardware for said purpose.

Why would I act this way? Well, for quite some years I was the IT manager for a government department and I know how they work (or I should say don't work).

BTW, as IT manager I never used email within the department (perfunctorily emails sent to my office were received by secretarial staff). If the CEO wanted to send me an important memorandum then he had to have it typed up on paper and personally sign it (and I would reciprocate the same). When in government you quickly realize that atoms on paper and especially a written signature is real guaranteed worth - unlike ephemeral emails that can vanish without trace.

I'm forever amazed at the trust the average person has in these vulnerability-ridden flaky systems.

> If you are heavy user of Google's services, Twitter and Facebook as well as many big news outlets and heavy-duty commercial sites then you're the 'JavaScript' type and stopping scripts is definitely not for you!

I, unfortunately, use some of these services and similar ones, too, and it takes a few seconds to enable JS on them, and then the sites will work indefinitely afterwards.

> Too many of the sites I use need so many domains full of JS

I hear you, but I wonder if you are being honest with yourself when you use the word need.

At this point, I view Google and Facebook as the equivalent of loan sharks. A loan shark does provide a service, but most people shouldn't use one.

Are you a web developer by any chance?
> until just loading a single news article online meant waiting for a dozen ads and autoplaying videos to load.

That sounds like you not only didn’t block JS, you also didn’t block ads. Which is a very different argument. I only block 3rd-party JS by default (and that already requires a lot of whitelisting for almost every site that has any interaction) and I don’t have those issues because I also block ads.

There was a period around 2014 - 2016 where even if you used uBlock, ads would still get through. Even now, when I use computers that just have uBlock Origin installed, some ads, and especially autoplaying videos on news sites, still get through.
> Years ago I was on the "people who block JavaScript are crazy" bandwagon, until just loading a single news article online meant waiting for a dozen ads and autoplaying videos to load.

Seems like clear case of "crossing the river to collect water" (as the Swedish saying says)? This is what I use uBlock Origin (with the right blocklists) for and it happens automagically. I did use uMatrix for quite a awhile, but eventually ended up ditching it because uBlock Origin worked so well.

uBlock Origin solves the problem you had too, without breaking multiple sites.
This. I use the no script addon by default, and it’s amazing how many different domains sites try to bring in. Then I hit Twitter, imgurl, quora, etc and I am left with nothing but a blank page with plain text telling me that I need JavaScript to view the site. It makes me wonder what kind of tracking they are pushing.
All of them. If you allow everything and have Ghostery running in "don't block anything but tell me what's there" mode, it's horrifying just how many things get loaded.

You can play with page load sizes in the debugger console with stuff blocked and without too - about half the downloaded material on any major news website is stuff that Ghostery will block. It's quite terrifying.

Firefox has never been slow for me over the last 15 years because NoScript makes it light years better than Chrome. Conversely, I routinely have the Android assistant lock up on me from JS bloat despite the supposed performance enhancement of AMP pages.
There's another, indirect benefit to blocking JavaScript.

Over time I have noticed a strong correlation between sites which don't work right without JS and low-quality content which I regret having spent time reading.

Most of the time I encounter one of these sites I now just close the tab and move on with a clear conscience.

"Over time I have noticed a strong correlation between sites which don't work right without JS and low-quality content...."

Absolutely true, I can't agree with you more. I've reached the stage where if I land on a site and its main content is blocked if JavaScript is disabled then my conditioned reflex kicks in and I'm off the site within milliseconds.

Rarely is this a problem with sites that I frequent (and I too don't have time to waste reading low quality content).

Any tips for high quality content sites? It truly is hard to find these days
Yeah, read HN!

There are stacks and stacks of them here on HN that are of excellent quality - I use HN as my 'quality' filter (and I reckon I'm not alone).

Moreover, if one doesn't run JS like me then it's dead easy to avoid problematic sites as HN lists them (Twitter, etc. - and it doesn't take long to get to know the main offenders, thus avoid them).

:-)

BTW, I agree with you it is hard to find good sites these days but eventually most really good sites appear here on HN. Do what I do, when you come across them bookmark them.

A pedantic note that follows from this particular thread: HackerNews’s search capabilities are powered by Algolia and require JavaScript to work (turn off all JS and the HN branded Algolia page will not load). The reason I bring this up is that even good websites sometimes lean on free or free-ish services to provide extra functionality (such as calendars, discussion boards, issue tracking, or search) without realizing that such functionality may be a back door to letting JS in and any tracking/privacy-erosion that could follow from it.
Right, HN does use JavaScript for certain functions, search etc. Now, if you read the second paragraph of my first post I've got such cases covered.

OK, here's the scenario: I log on to HN with JavaScript disabled, do all the things I do, read articles, submit posts all without JS. At some point I want to search HN so I hit the 'toggle JS' button on my browser, it then goes from red to green to tell me JS is now active. I then refresh the page and start searching HN. When I've finished I hit the JS toggle and the button goes back to red - JS is now kaput.

I really can't think of anything simpler - JS is off until I really need it and when I do it's immediately available without digging deep down into menus etc.

I'd add HN uses JS as it was originally intended and does so responsibly. I have nothing against JS per se, the problem comes from websites that abuse webpages and thus the user by sending megabytes of JS gumph and so on.

Running without JS and only turning it on when really necessary I reckon is a reasonable compromise.

It's true, there are some decent sites out there which use JS legitimately to add features. And there are some sites which require JS without really needing to, but still have good content and do not have unnecessary annoyances and performance problems.

Lucky for me, I can toggle on JavaScript for them individually and continue with my general policy.

The thing with WWW is links, the web. So https://news.ycombinator.com is a good starter. From there, yes, you could end up on twitter.com for example but it would be worthwhile.
“…you could end up on twitter.com for example but it would be worthwhile.”

Unpopular opinion: I never click on twitter links anymore. It’s almost never worth it.

IMHO, 140/280/N character limits are a way to cheapen discourse. I think there is something to be said for the “density” of text: text that offers very little to think about (less dense) is vacuous but encouraged by a character limit; yet, text that is compressed into a character limit either packs too much info into a short space that requires more discourse to properly get a thought across or elides too much from the text, making it less accurate/meaningful/important. Or worse: people chain posts into long 1/907, 2/907, 3/907… trains that should be blog posts rather than requiring some other application to string the thread together.

Of course the other reason (more central to this discussion) never to click on a twitter link is that JS and an account login is required now to read the posts past a certain point. If that makes me an old man yelling at a cloud, so be it, but aren’t there better ways to handle online public discourse without sacrificing people’s privacy and security?

"Unpopular opinion: I never click on twitter links anymore. It’s almost never worth it."

It's not unpopular with me, I agree with you completely. I was never a Twitter fan but when they forced the use of JS that was the end of it (you'll note I used Twitter as an example in one of my earlier posts).

You're right about sacrificing people’s privacy and security, as I said in another post 'I'm forever amazed at the trust the average person has in these vulnerability-ridden flaky systems'.

Similar here. When I am searching for something and a website wont show it unless I enable JS on that website, then usually it is the case, that after enabling JS to see the content, I realize, that the website's content is worth nothing and that I activated JS for naught, regretting to have spent time on that website.
I used to run NoScript then at some point (maybe switched browsers?) I stopped using it. You've persuaded me to re-enable it.

Also - Firefox on mobile supports NoScript!

Concerning noscript, is this [1] still a thing?

[1] NoScript is harmful and promotes malware - https://news.ycombinator.com/item?id=12624000

Can't find any ads on NoScript.net with uBlock running and uniblue.com seems to have expired. However it is hilarious that the complaint comes from Ad block Plus, their entire business model is build around bypassing EasyList. For a generous fee they make sure that your ads are "acceptable".
What makes you think this comes from ABP? The article linked to is from 2016, they link to a history between NoScript and ABP. The article by ABP is from 2009 (!!). Back in the 2009, ABP was the defacto standard. There was no uBlock. There was NoScript, but no uMatrix yet.

The developer issued an apology and reverted the change, and apart from a Ghostery one (who are also shady) no further controversies are documented at [1]. Perhaps the Wikipedia article is incomplete, given the one linked is from 2016?

[1] https://en.wikipedia.org/wiki/NoScript

No, only FF on Android supports extensions.
Because Apple essentially does not allow Firefox...
Exactly! If something didn't work without JS, I don't use it. There are many alternatives.
i used to have javascript turned off for a long time, but i've given up. you can't even search hacker news without javascript (for some reason).
Pretending as if you can search hacker news with JS turned on...
There is some truth to this though. It is sometimes hard to find that HN topic, that you remember just a few words of through the aglolia search thing.
I don't know which web you're viewing that only needs JS for 3-5% of websites
Read my reply to paulryanrogers about whether one's a JavaScript or a non-JavaScript type person.

The 3-5% of sites I'm referring to are ones where I have to enable JS to view them. In by far the vast majority of the sites that I frequent I do not have to enable JS to view them.

Also note my reply to forgotmypw17, one doesn't need JS if one avoids low quality dross.

I will give it another shot. Unfortunately though, this does not solve the server-side GTM issue, right ?

If the 3-5% of the website you use will start tracking via server-side GTM with the site's domain, you will not be able to simply use noscript to disable tracking ?

You're probably right, but then there are many factors involved - take Europe's GDPR, I'd reckon it'd be deemed unlawful under those regs but of course that doesn't help those of us outside Europe.

It remains to be seen how Google's Tag Manager actually works and I'd be surprised if data from your machine is ignored altogether. If your machine says nothing about you then Google won't know who you are - unless you have a fixed IP address and most ordinary users don't. Sure there's browser fingerprinting (but I never bother about this as I use multiple browsers on multiple machines which screws things up a bit).

When I used to worry about this more than I do now, I used to send my modem/router an automatic reboot signal during periods of inactivity, this ensured a regular change of IP address.

OK, so what info can be gotten from your machine if JavaScript is disabled? Some but it's nothing like what happens when JS is active - in fact the difference is quite staggering (ages ago I actually listed the differences on HN).

Presumably you could search for the post but there's an easier way. Use the EFF's test your browser site https://coveryourtracks.eff.org/ and do the test with and without JS. Note specifically the parameters with the 'no JavaScript' message.

Also note the stuff a website can determine about you even when JS is disabled - with this info you can start tackling the problem such as randomizing your browser's user agent, etc.

My aim was never to kill evey bit of tracking, rather it was to render tracking ineffective and I've been very successful at doing that. The fact is I don't get ads let alone targeted ones just by turning off JS and having an ad blocker as backup. The only other precaution I take is to always nuke third-party cookies and to kill all standard cookies when the browser closes.

I'm not too worried about Google's Tag Manager, for even if Google tracks me it still has to deliver the ads and it cannot do so with JS disabled and an ad-blocker in place.

__

Edit: if you want to watch YouTube then Google insists you enable JavaScript. This is bit of a pain but it's easily solved with say the Android app NewPipe (available via F-Droid). NewPipe also has the added advantage of bypassing the ads and having the facility to download clips as well if that's your wont.

Of course, there are similar apps for desktops too.

I have advanced protection on my Google account that unfortunately doesn't let me install apps outside Play Store...

I think I can still load NewPipe through usb debugging but not able to have auto updates

If you've advanced protection running then you're a dyed-in-wool Google user (hard core type) so I wouldn't even try.

I'm the exact opposite. I root my Android machines and remove every trace of Google's crappy gumph, Gmail etc. (I don't even have a current Google account.)

I occasionally use the Google playstore but I log on anonymously with the Aurora Store app (not available on the playstore).

I say occasionally because that's true, instead I use F-Droid or Aurora Droid to get my guaranteed spyware free apps. It's a different world - I'm the antithesis of the happy Google user.

Don't try to load NewPipe, in your case it's just not worth the effort (and Google will notice the fact).

HN totally usable for basic functionality w/o JS.

profootballtalk.com works great if you don't want to vote or comment

macrumors.com great functionality

nitter.net happily takes the place of twitter.com

drudgereport.com works great and I rarely turn on JS when I go to the sites he links to, usually the text on target sites is there if not as pretty as it could be

individual subreddits (e.g. old.reddit.com/r/Portland/ ) are quite good w/o JS. But the "old." is probably important.

I admit that there are lots of sites that don't work, e.g. /r/IdiotsInCars/ doesn't work because reddit uses JS for video. For so many sites the text is there but images and videos aren't. Also need to turn off "page style" for some recalcitrant sites.

In conclusion, contrary to your JS experience, I'd say that I spend over 90% of my time browsing w/o JS and am happy with my experience. Things are lightning fast and I see few or no ads. I don't need an ad blocker since 99% of ads just don't happen w/o JS.

> In conclusion, contrary to your JS experience, I'd say that I spend over 90% of my time browsing w/o JS and am happy with my experience. Things are lightning fast and I see few or no ads. I don't need an ad blocker since 99% of ads just don't happen w/o JS.

Well, you still have lots of tracking stuff loaded probably, unless you got something extra for blocking trackers. A tracking pixels does not need JS. A font loading from CSS does not need JS. Personally I dislike those too, so I would still recommend using a blocker for those.

Well, you still have lots of tracking stuff loaded probably, unless you got something extra for blocking trackers.

Yes I'm sure I have that stuff loaded. But I don't care because it's quite ephemeral:

I exit Firefox multiple times a day, there's really no performance cost to doing that after every group of websites. E.g. if, while reading HN, I look up something on Wikipedia, or I search with Bing or Google, everything goes away together.

In my settings: delete cookies and site data when Firefox is closed

In my settings: clear history when Firefox closes, everything goes except browsing and download history

No suggestions except for bookmarks.

So when I restart Firefox to then browse reddit it starts with a clean slate.

Comcast insisted I purchase a DOCSIS3 modem quite a while ago. Once downloads are at 100 mpbs+, does it really matter if I repeatedly re-download a few items to cache?

The only noticeable downside is when I switch to Safari to view something that needs JS, I then see ads for clothing that my wife and daughters might be interested in. I presume this is due to fallback to tracking via IP address. Of course I always clear history and empty caches in Safari.

Obviously this doesn't work for someone who wants to or needs to keep 100 browser windows open at once, for months at a time. But that's not me. I don't think that way, never have.

Edit: just had to add that sites like Wikipedia are better w/o JS (unless you edit?). I don't see those annoying week-long pleas for money. Do they still do those?

> Obviously this doesn't work for someone who wants to or needs to keep 100 browser windows open at once, for months at a time. But that's not me. I don't think that way, never have.

Caught me. Tab hoarder here : )

> I don't see those annoying week-long pleas for money. Do they still do those?

They still do those. At least I have seen them less than a year ago.

How does blocking javascript in this case prevent tracking? It's done via the same cookies the website uses, as I understand it. Do you disable cookies too?
> and also most of the ads just simply disappear if JS is not running.

since we are talking about the future I'd like to point out that they can always serve ads from the origin domain without javascript.

I mean the anti-adblock battle will evolve until each page we visit is a single image file that we have to OCR to remove ads. then we will need AI, and they will have captchas that will ask which breakfast cereal is the best.

you can stay ahead of the curve but it's always moving forward.

"...they can always serve ads from the origin domain without JavaScript."

But most of them don't. Yes, they can change their model and in time they likely will.

As it stands now, one doesn't have to watch ads on the internet if one doesn't want to - all it takes is a little perseverance and they're gone. If one can't rise to the occasion then one has a high tolerance for ads.

Even YouTube can be viewed without ads with packages such as NewPipe and similar.

You're right about AI, OCR etc. and I think in time it will come to that.

It seems to me people like us will always be ahead because we've the motivation to rid ourselves of ads. It reminds me of the senseless copyright debate - if I can see the image then I can copy it. No amount of hardware protection can stop me substituting a camera for my eyes. What's more, as the fidelity goes up HD, 4k etc. the better the optical transfer will be (less comparative fidelity loss).

That said, the oldest technology - standard TV - is still the hardest to remove ads from. Yes, one can record a program and race though the ads later (which most of us are very adept at doing) but it's still inconvenient.

What I want is a PVR/STB that figures out the ads and bypasses them. Say I want to watch TV from 7 to 11pm (4 hours) and there's a total of one hour of ads and other breaks in that time that I don't want to watch then I want my AI-aware PVR/STB to suggest that I start watching at 8pm instead of 7 as this will allow it to progressively remove ads on-the-fly across the evening.

The person who makes one of these devices will make a fortune. If the industry tries to ban it (as it will) then we resort to a software version and download it into the hardware. Sooner or later it's bound happen and I'll be an early adopter.

> What I want is a PVR/STB that figures out the ads and bypasses them. Say I want to watch TV from 7 to 11pm (4 hours) and there's a total of one hour of ads and other breaks in that time that I don't want to watch then I want my AI-aware PVR/STB to suggest that I start watching at 8pm instead of 7 as this will allow it to progressively remove ads on-the-fly across the evening.

I wonder if something like sponsorblock for youtube (which is a must have) could be done for TV? it's a crowsourced effort and works flawlessly for popular channels.

Good question, I don't know. It's certainly worth thinking about.
Aren't browsers shifting to a per-domain cookie jar?

While you can never prevent one specific site from tracking you, this still doesn't (directly) allow your activity on Site A to be linked to activity on Site B, does it?

Of course, fingerprinting combined with IP addresses will ultimately allow something that comes very close to it, so the current state (a few hundred trackers per website, all ending up harmlessly incrementing the adblocker's counter) is better for privacy for power-users, but I'm not sure if this is the big "game over".

This is what I’m interested in. Article itself did not mention cross site tracking.

Every website having their own tracking subdomain makes third party cookies not work cross site even without browser changes.

They can still cross-track based on IP or any other fingerprint worthy information. I expect this is exactly what they're doing. Doing this all on a central service makes this process much easier unfortunately...
yes, they would need to get another identifier, and that's what is done with players like Facebook.

Sorry another of my articles in french: https://pixeldetracking.com/fr/les-signaux-resilients-de-fac..., but Facebook is making it easy to integrate their "Conversion API (CAPI)" with GTM Server-Side tagging

But that should only help e.g. a web store to track you from the ad you clicked, which seems reasonable.

It should not allow e.g. Facebook to link your activity on a news site to your Facecbook cookie, because while you're on cnn.com, your browser is using the cnn.com-specific cookie jar for everything, including the like button?

The cross site tracking is done by a third party. From reading the docs, the way it works is, publisher sets a unique id, browsers send that unique id to the publishers domain, publisher forwards that (via the tag manager app engine) to the third party.
Google is pushing to have the browser itself track your interests and share them with whoever asks. The first attempt FloC backfired rather quickly as it was an all around privacy nightmare. The second attempt Topics promises to fix a lot of the problems FloC had but that is not a high bar and Google left itself a lot of room for future changes.
"Endgame" is the way all web analytics was done 20 years ago.
The server-side "analytics" of 20 years ago was for aggregate reports on popular pages, number of users, their browsers and OSs and maybe their geo-location; solely for the use of the site owners to optimize and whatnot.

This abomination Google is proposing is unblockable cross-site tracking of people's activities. That site owners get to see some of that data too is insignificant, their value comes from being able to track people across the web. I'd bet Google would even offer this proxy service "for free" depending on how much data they can hoover from the site.

How does google correlate identifiers between different users?
Browser fingerprinting and IP address plus any unique identifiers if you happened to log in on that website.
While impractical, I liked the article's suggestion of blocking the proxies. I'm curious what reaction this would have. Ad blocking users get no content and move to alternatives and stop being users, or would the sites cave and realize having users interacting is more important than all of the data collected.
It's a fine suggestion. If it breaks the site, then I'd call that a broken website and move on. Maybe next time someone points me there, they'll have fixed their critical issue for users who block tracking proxies.

I'm okay with not being in the target audience of sites that really want to do this. I've got enough other things to do at less hostile places that my FOMO isn't triggered in the least.

How do you identify tracking proxies though? When everything is going through the same domain you don't even know if data is being sent to Google, it's all a server-side black box.
By using Cname uncloaking that uBlockOrigin can do on Firefox. It should see that the real domain is Google Tag Manager.
I think the article mentions that Google recommends against using Cname for this, and using A records instead.
> Google recommends against using Cname for this

So use Cname? :D

Sites want the ads to get through, right? So they’re going to do the thing that makes that happen: A records.
Just block Google tag manager itself. Gets two birds stoned at the same time.
How would you do that? Isn't it the server that talks to Google Tag Manager, not the browser?
Google tag manager in my experience is a script executed by the browser. Then it installs itself in the page and performs the inner payload of user script insertions. It’s a Trojan horse, really. You can block Google tag manager’s embed scripts. I wasn’t aware of a backend integration but it’s certainly possible.

Regardless, I use a DNS based ad blocker (pihole) and it takes care of all this stuff. I occasionally need to turn it off or whitelist domains (like Google tag manager) for client work, but normally I have it blocked.

> Google tag manager in my experience is a script executed by the browser.

Isn't the whole point of this new change that it runs server-side, using a proxy that you install on the website so it uses the same domain?

> Regardless, I use a DNS based ad blocker

But it's the same domain name isn't it?

A Server-Side GTM container compliments a client-side container, it does not fully replace it.

Some processing happens on the server, but event data must still be sent to the server-side container first. For now, the "standard" deployment of a server-side is that it receives hits directly from the browser, orchestrated by a traditional client-side container. So the client-side script is still there, just less bloated.

The server-side container has built-in facilities for serving up the client-side container script. Meaning that domain-name blocking will not prevent this. DNS-based also has some issues: Server-Side Containers run in App Engine, blocking them basically means blocking anything running on GCP.

Current GTM, configured (via the server UI) to inject tracker X:

gtm javascript loads, pulls down the config, injects tracker X javascript into the browser

new gtm:

gtm javascript loads, pulls down config, streams events to google servers to fan out to tracker X as configured

So blocking gtm.js off tagmanager.google.com / www.googletagmanager.com / the various other domains still blocks all gtm injected tags.

The tl;dr is they're become much closer to segment -- which does the data fanout internally to segment. But they should still be straightforward to block.

This is not how GTM server side works. There is not a single call to Google domains from the client, when GTM server side is set up to its fullest. The config (gtm.js) will be loaded from my subdomain and not googletagmanager.com. Also gtm.js can be renamed.
Couldn't you still recognize the script by its content?
Exactly, this is already done for tracking scripts, since it's commong to use proxies to load tracking scripts.
No because the script contents can change from site to site. Maintaining an index for every site would get you closer, but individual sites can trivially tweak things to break fingerprinting as often as they want. Even on every request.
You missed the same domain part. How are you going to block a request when you don't know the url?
You check the loaded script itself to see if it matches an expected pattern.
Does there need to be a loaded script with a certain fingerprint? What if they are just passing data from the browser to some random endpoint? I'm not sure, just thoughts.
There needs to be a script because the tracking still happens client-side and there will be some logic involved. The only way to avoid being blocked by the browser is to track server-side.
You missed the part where they recommend changing the script's name as well, add in changing a few variable/function names in the script and even matching the hash of the script itself would be useless. On top of them recommending using a sub domain with an A/AAAA record so its first party.
Worst-case you parse the script and block it if the AST is too similar.

There are a million ways to detect and block this sort of thing when you control the client. Yes, it's harder than just blackholing a whole domain, but it's hardly impossible.

The point is that DNS ad blocking is being worked around with this new system, because it looks like part of the site you're on. Also, that google is encouraging modifying the JS to prevent automated tools from blocking the javascript.
Just block the GTM js from loading, it'll stop it easily.
The big change they are suggesting is that the gtm code is no longer accessed via a predictable Google domain, rather it is requested through a subdomain of the parent site.
uBlock already blocks stuff like Plausible analytics based on what's in the code, even if it runs on the parent site. Would this be any different?
Block the code that they suggest changing the name, domain, and function signatures of? How?
If the loops, if statements, and block scopes are similar then the graph can be fuzzily identified. They’ve had anti-plagiarism software for years.
Annoyingly that would still require downloading them, which I'd definitely prefer not to. It's bloat that serves me no purpose.
For popular sites a backlist could be formed after the first person downloads it.
Can you point me to some anti-plagiarism software? Because this doesn't sound like it will work at a non-trivial level.
use uMatrix or uBlock and block individual domains

https://github.com/gorhill/uMatrix

Proud uMatrix user here. Sadly, just noticed that the repo is now archived and I don't know if it will be maintained. Could not find any fork either.

I'll miss this extension.

I liked this a lot but I don't see how someone without a computer science degree will use it successfully..

I think this is why Raymond gave up on it.. I think for the masses his time is better spent on uBlock Origin.

You have the features of uMatrix with uBlock Origin's static rules. You just have to write them by hand instead of the convenient table UI.

https://news.ycombinator.com/item?id=26284124

The only thing that uBO doesn't support is controlling cookie access, so I still use uM for that.

> You just have to write them by hand instead of the convenient table UI.

That’s a pretty big "just", though. Very few sites work without fiddling with rules, having to do manual text entry every time would push me towards not using it.

The UI of uMatrix is generally far superior to the mobile-friendly, simplified one of uBo.

>That’s a pretty big "just", though.

It is, but for me the pros outweigh the cons. In particular, even with uM I often ended up editing the rules by hand because it was easier to copy-paste and turn on and off rules for experimenting, but uM would forcibly resort the rules on save which made that annoying.

>Very few sites work without fiddling with rules,

The only sites I fiddle with the rules of are the ones I visit regularly, which is not many. Over the 1.5 years that I've been using this method, I've only got 75 "web properties" in my list (github.com, github.io and githubusercontent.com count as one "GitHub" web property; so the number of domains is a bit higher). Going by git history, I do have to fiddle with one or more rules once a month on average.

For other sites, either they work well enough with default settings, or I give up and close them, or if I really need to know what they say I use a different browser. For this other browser I never log in to anything, and have it configured to delete all history by default on exit. (I've been pondering making this an X-forwarded browser running on a different source IP, but haven't bothered.)

>The UI of uMatrix is generally far superior to the mobile-friendly, simplified one of uBo.

To be clear, editing the rules does not use the "mobile-friendly, simplified" uBO UI. It refers to the giant text field you see in the uBO "Dashboard", specifically the "My filters" tab.

But yes, it'd be the best of all worlds if uBO gains the table UI as an alternative to the filters textfield. I imagine the problem is that static filters are technically much more powerful than what the uM-style rules do, so it'd require inventing a third kind of rule, which isn't great.

I have almost 7000 rules for a 260kb file ;)
Yup, overwrite its API on the page
Simpler protocols (Gemini, Gopher...), outright refusing to use what the modern web has become. I only use HN and a few select sites. You don't need an ad-blocker if there are no ads in the first place.
Using Gemini as an allowlist doesn't seem any better than allowlisting known-good domains for HTTPS sites
HN is a link aggregator for HTTP(s) links. How do you read them?
Not sure about the parent poster, but I am here mostly for the comments, and rarely visit the linked content.
Doesn't exactly this behavior create echo chambers and lead to polarization?
I usually do read the linked content but I agree with GP poster that comments are often more informative.

Yes there is sometimes an echo chamber here, but it's only for limited topics. It very much has a Silicon Valley feel to it, but @dang and I have gone around on this and he assures us that the readership and comments have broad geographic representation.[1] It's a worldwide echo chamber. :)

Fortunately the echo chamber doesn't exist for most submissions. Most of the discussion on HN is on non-polarizing topics.

[1] https://news.ycombinator.com/item?id=26869902

The time of the day is reflective of broad geography, generally.

So some UK or EU specific topics will appear, be commented upon but then disappear later in the day.

It would be interesting to see what kind of topics are commented on from different places.

Which behaviour would that be? The "reading only the comments, not the article"? I don't see how reading creates an echo chamber.

What creates an echo chamber is if all the posts are similar or otherwise in agreement with each other. Those threads make for boring reading and I tend to only scan them for less boring content (yes, that means I read the context surrounding greyed-out comments more than the rest). The threads where people discuss various aspects and experiences is what I come here for.

(full disclosure, I mostly read the comments before even opening the article. I only read the article if there's a high-quality comment thread about some details in the article, or if multiple commenters state that it's a great article. And I tend to upvote an article based on the quality of the comments, not just the article itself).

I dont think so. I'd think Echo chambers are created by lack of diversity in the user base. I think HN has a lot of actual diversity, and its possible to see controversial topics disputed without unceremonial downvoting.
I think in the short-term the strategy is this from the article:

> Or ... block all the IP addresses of Google App Engine, at the risk of blocking many applications. having nothing to do with tracking.

Anyone hosting legitimate apps in the Google ecosystsm is indirectly complicit in this and at least for my personal network, I have no concern with blocking Google App Engine holistically.

Additionally, I think it's important to hurt Google as much as possible for escalating in this way. Widespread blocking of GAE may seem extreme but it's also arguably warranted.

I have no concern with blocking Google App Engine holistically

Unfortunately, it seems that more and more government web sites rely on Google services to function. And there's no replacement for those.

How can it be legal for a government to make increasingly core services depend on these amoral, for profit monsters?
I’m not sure if this is a serious question, but what would this imaginary law say?

The government can only do business with companies who aren’t in it for the money?

The US government isn't shy about adding rules for its contractors. It should be trivial for them to demand (or provide) dedicated IPs for their sites. Then they won't get caught up in the IP address blocking of GCP.
The big tech companies have all built out lobbying capabilities; such a law would end up helping big tech and harming small companies because the big companies would be involved in authoring the law and would be contributing to the sponsors and committee chairs and members to get their favorable language included. And it would all be legal and business as usual.
They don't have to be laws. It's something that Biden can just add into every RFP the US government puts otu.

But no, typically things like that don't hurt small companies.

Realistically, Congress could in fact mandate that government website implementations must be transferable between software vendors. That’s both technically feasible and in line with past government requirements for hardware procurement.
How about that government services must be built by the government?
Yes, I feel the same, at least for a lot of things. Certainly, all externally facing websites should be designed and maintained by gov't staff.

From time to time, HN features high quality UK gov't websites. In the last five years, the UK gov't has made dramatic strides on "digital gov't" initiatives that benefit regular citizens. As I understand, most of those sites are built and maintained by gov't employees. This runs counter to the normal, all-prevailing attitude in UK that "any gov't is too much gov't" (or "any gov't that does not directly benefit me...").

Brit here. On your last point, there is no such widespread attitude in the UK towards government. We are historically conservative, but not libertarian. Don't forget two of the most famous and loved British institutions are the BBC and the NHS. I'm not saying such attitudes don't exist, because they do, but it's not "all-prevailing" by any stretch.
I think it's a typo/autocorrect and they meant US at the last instance instead of UK.
The Conservatives want to privatise the BBC and the NHS though - abolishing the BBC licensing fee is a recent move, and steps to privatise the NHS have been repeatedly popular among politicians over the last decade.
The trouble is, they're mostly Microsoft and either Azure or AWS behind the scenes. The UK government as a whole seems to love Microsoft. I just worry it will be out of the frying pan and into the fire...
You have to draw a line somewhere with that logic, otherwise you'd have governments running their own fabs.

I'm fully in favour of governments doing everything from hosting up ( hosting, design, dev), with as much as possible open source.

For instance the French government fares well on this front, with most government services being developed in-house, and many parts are open source; in emergencies specific services were delegated to third parties ( e.g. vaccine bookings) so it isn't taken to a religious NIH level. However hosting is delegated to commercial entities.

I would like that law. However, they would have to pay wages and offer working conditions, that actually attract good developers and they would have to stop outsourcing everything. Outsourcing everything is also a problem with otherwise qualified engineers unfortunately. The big picture long term consequences are unpleasant.
> but what would this imaginary law say?

IANAL, but how about something like, "Government services offered via WWW must not contact commercial servers and must be fully usable with non-JS browsers."

(comment deleted)
The military-industrial complex would like to have a word.
Use two browsers. One where you don't block tracking and can access government and make purchases on shopping sites, and one tracking is blocked and JavaScript is turned off.
There's no way to fight this unless ... you pass legislation against it or comparable technologies, preferably at a policy level.
You can fight against it by refusing to use these websites?

If you can't do this, perhaps because a big _majority_ of users don't care enough to support this kind of ecosystem shift, what makes you think a majority of voters would support this? (And if not, why would you want to force your view on them?)

It's like legislating that people should only listen to Good Music and eat Healthy Food, as defined by some people who know better than the unwashed masses?

I rather think it's more like legislating that you can't sell people food adulterated with poisons, and you have to label the ingredients accurately. Oh, and it's like saying that you can't sell lead paint, even though it is a very pretty white.
Even without that legislation, most people would already care about avoiding poisoned food.

So a law specifically forbidding poisons is in line with what the majority already cares about.

(Slightly related: see eg some Chinese people making good money from buying baby formula overseas and shipping it back home in their luggage. China has legislation against poison, but people don't trust the enforcement enough.)

> Even without that legislation, most people would already care about avoiding poisoned food.

There is lots of evidence that people would still use harmful substances when it’s nice and cheap. Then other people would be exposed to it just because it is impossible to know the chemical composition of everything around you. Lots of people care about avoiding things like toxic chemicals and harmful bacteria, the trouble is that they cannot see them.

> So a law specifically forbidding poisons is in line with what the majority already cares about.

So why not do it, then, if it is the right thing and people want it?

In the real world, people are not perfectly informed, and fraudsters are willing to lie. So law and enforcement are absolutely necessary to end harmful practices. See lead paint, but also leaded petrol, asbestos, antibiotics in farm animals, and insecticide chemicals spread willy nilly across the countryside. These things not just disappear on their own because some people don’t like it.

Even on the topic at hand, to be honest. People know that ads and tracking are bad and annoying, even if they do not see clearly the extent of the damage. Some of us know how to avoid most of them. And yet, they keep making more and more money, and are far from disappearing. It is difficult to take your point seriously.

Part of the job of lawmakers is, intriguingly enough, deciding what’s good for voters. This would be among those things. Would voters vote for this specific law? Probably not. But they probably wouldn’t vote out the representatives who wrote it either. And arguably privacy needs to be protected for the good of society.
I'm not sure about this notion of the 'good of society'.

If you believe that the 'good of society' is not what voters want, why bother with democracy at all?

(Slightly besides the point: I actually do agree that people behave like idiots at the ballot booth and don't know what is good for them in this context.

Luckily, people tend to be much more savvy when voting with their wallets or their feet. And as a society we would be well advised to encourage these latter two.

Eg by taking subsidiarity serious, and pushing as much decision making as possible to as local a unit as possible. Don't decide stuff at federal level, when the states can handle it. Don't let the states handle, what the counties can handle. Don't let counties handle, what the municipalities can handle. Don't let municipalities handle what people can do privately on their own.

See https://en.wikipedia.org/wiki/Subsidiarity

By pushing authority down the stack, you make the act of moving between states or even just cities so much more powerful and expressive.)

I’m not saying it’s not what voters want, I’m saying they’re not going to vote for it. There’s a difference.

The average voter has a fairly limited horizon in terms of what they see and understand about what’s good for society. And in a democracy you elect representatives because they’re supposed to have a wider horizon and more in depth knowledge, in part because they’re on average smarter than the average voter and in part because they get to dedicate all their time to that specific job.

This means that lawmakers will sometimes have to do th8ngs the voters don’t understand they want. It’s on them to explain it to the voters. And it’s on the voters to vote them out if they still don’t agree.

As for voting with their wallets, I would have agreed say 20 years ago. But marketing has become so all-encompassing and so much money and effort has been spent making marketing stick, that I don’t think most people can make truly independent decisions anymore about many many things.

And free stuff on the internet is definitely something that most people have trouble dealing rationally with. Just look at all the free trials that hook people into costly year long subscriptions, etc etc. Let alone when it’s free in the sense that the users never pays directly but through things as ads and privacy.

My view of this is very much influenced by my being a European and EU citizen, though. And if anything, the EU is a bit of a technocracy that likes to decide for the “good of society”. And that’s not something everyone will like every time.

Well, I was born in East Germany and grew up there. Later I decided to vote with my feet, and pay my taxes in Singapore instead. Much better value for my tax money here---both lower taxes and better government services.

Btw, I'm not saying people are perfectly rational when voting with their feet or wallet. Just that they are much, much more rational than at the ballot booth.

> Let alone when it’s free in the sense that the users never pays directly but through things as ads and privacy.

Well, can't argue about taste? Perhaps people prefer it that way?

> This means that lawmakers will sometimes have to do th8ngs the voters don’t understand they want. It’s on them to explain it to the voters. And it’s on the voters to vote them out if they still don’t agree.

I am basically agreeing with you: voting is a weak channel to transmit information. Almost no individual vote makes a difference. Neither in aggregate nor to the individual voting.

Voting with your feet or wallet does make an immediate difference to yourself, and has at least a clear marginal impact in aggregate. There are less weird threshold effects than in politics. A dollar more spend on iPhones is a dollar more spend on iPhones; but another vote for candidate A only makes a difference if it makes her have more votes than candidate B.

(And proportional representation only helps partially: in the end it's important which coalitions can form a majority in parliament, whether one party has one seat more or less doesn't make much of a difference usually.)

I'd like to give sortition a try to fill up parliament.

> Luckily, people tend to be much more savvy when voting with their wallets or their feet. And as a society we would be well advised to encourage these latter two.

The problem with voting with your dollars is that people with more dollars get more votes. The problem with voting with your feet is that only some people can afford to move.

If you want "just let the rich decide", why dress it up in fancy words?

As much as possible, people should decide what to do with their dollars.

> The problem with voting with your dollars is that people with more dollars get more votes.

Eh, the biggest and most successful companies on the planet cater to mass markets. The system seems to work fairly well for average people. (And we all suspect the most important politicians cater to tiny elites.) Also, using your dollars to vote means you lose those dollars. So rich people can vote each dollar only once, just like everyone else.

> As much as possible, people should decide what to do with their dollars.

This sounds very good until it is actually put in practice, when people realise that those who have all the dollars have all the power. Now you have an unaccountable oligarchy.

> Also, using your dollars to vote means you lose those dollars. So rich people can vote each dollar only once, just like everyone else.

That’s hilarious. As if those billionaires were not making the median yearly income in a week.

The greatest minds of a few generations really should think about not being evil.
I co-develop an open source firewall for Android, which most of our users use for ad-blocking purposes.

The community has known about server-side collection for quite sometime now. You could run Google Analytics on any of the serverless environments since a year or two ago (I noted this on news.yc a year back [0][1]). Tag Manager server-side is Google throwing its own solution in to the mix.

DNS based content blocking was always DoA, there simply are too many chinks in the armour besides CNAME or HTTPS/SVCB or SRV or ALIAS record cloaking [2]. The worst I've seen reported to me by users is a tracker generating domains names on-the-fly (domain generation algorithms) and A/AAAA records pointing to different IP addresses each time [3].

That said, a firewall can still mitigate this offensive, while network security with just DNS was always going to be what it was: A stop-gap.

This isn't the end-game: I fully expect that IP address blocklists would crop up in no time, and will be painfully maintained by folks pouring their life in to it.

TFA points that Google's reverse-cloaking presumably with IP addresses, but the worse would be if multiple domains shared IP addresses (like in a CDN), reverse-cloaked with Server Name Identification. Even firewalls would have to blanket block IPs... and what if those IPs are shared with other Google front-ends like the AMP project / YouTube / Mail / Docs?

The firewalls would also have trouble with something like Ao1 [4]: If multiple websites were behind multiple IPs, or in the extreme, a single IP.

The firewall is bust, but that's good, now we simply de-Google / de-Cloudflare ourselves, and be luddites like they want us to be.

[0] https://news.ycombinator.com/item?id=26003654

[1] https://news.ycombinator.com/item?id=25169029

[2] https://news.ycombinator.com/item?id=26298339

[3] Ex: https://www.reddit.com/r/uBlockOrigin/comments/srza8x/changi...

[4] https://nitter.net/rethinkdns/status/1448738898998292495

I really don't know much about this space, but do you think server-side tagging could be more or less susceptible to user resistance attacks like what Adnausium[0] does? Can we spam them into futility?

[0] https://adnauseam.io/

Adnauseam's offensive tactics can still confuse these server-side implementations. That said, if Google et al figure a way out to defeat it, pretty sure they'd not be blogging or talking about it, at all, for us to know.
Ah, good point. Thanks for the response
> This isn't the end-game: I fully expect that IP address blocklists would crop up in no time, and will be painfully maintained by folks pouring their life in to it.

Proxy can be hosted on the same server as the site itself. In that case this simply becomes a blocklist of naughty websites. Someone still needs to do the hard work of figuring out which sites are naughty.

How much would you pay per month for custom-per-site tracking blocking as described here?
5-10 bucks. Any higher and I'll be looking at other options like not using the web so much.
up to $6.9 - which would be (roughly) $10 local bucks on my country.
Nothing. No one should pay for not being tracked.
In principle I agree, and I support having the GDPR in effect globally, so that these server-side data sharing solutions are illegal without opt-in consent.

Unfortunately there’s a reality gap between “GDPR everywhere” and the United States and other countries, and that gap was being filled previously by anti-tracking lists maintained essentially for free out of the goodwill of people’s hearts. Now that Google is - and has been - using server-side proxies, those tracking lists won’t scale without human caretaking. Any human versus the entire web would burn out in a day.

So the choice is either to pay humans to enforce our anti-tracking beliefs against scummy corps, or to donate to politicians that believe in GDPR so they can try to make it illegal, or to refuse to pay anything and accept the status quo of being tracked. We’ve reached the end game of the “pay nothing until it’s fixed, then continue paying nothing” ethos: Google has outplayed us, and website owners can afford to pay to track us. I don’t like this, and neither do you. I think it’s time to pay money to fight back, and you do not think it's appropriate to pay money to fight back.

If you or anyone have a good idea on how zero-cost effort can somehow solve the tracking problem, share that with others in a useful reply to the post somewhere. You don’t have to convince me that such ideas exist: you have to convince others who share your “at no cost to me” beliefs to invest their time and energy in your zero-cost idea. And, whatever else I’m uncertain, I guarantee they’re not going to see such a reply down here in this thread that started with a pricing question.

Called it [1]. It's a cat-and-mouse game and, unfortunately, advertising is just _that_ lucrative. Privacy-minded browsing will help those that care (for now...), but that's an unsustainable option with the current monetization channels available.

If a content publisher cannot monetize you, they will think nothing of blocking you. There will be some public backlash against companies that do so and there will be some sites who will lose money because of it, but the rest of the publishers will simply follow the money while the industry shifts towards more intrusive tactics.

There needs to be a monetization channel that is 1) good for both users AND publishers and 2) pays just as much as current methods. Unfortunately none of the current systems support that.

[1] https://news.ycombinator.com/item?id=9975955

>There needs to be a monetization channel that is 1) good for both users AND publishers and 2) pays just as much as current methods.

I agree, but what party would you like that money to originate from?

Ads work well right now for consumer-to-consumer (e.g. I create a blog and you view it) because there's a rich, third-party that money can flow from (a company running ads --> money to me) without having to charge you, the end-user who is more than likely significantly less well-off than a corporation.

To buck that pattern, you need the money to come from somewhere else. Subscriptions and direct payments are an obvious choice (see: the boom of SaaS over the past few years) but people are already complaining that they have so many subscriptions they lose track of them all, and spend too much money on what used to be a "free" internet.

So, I don't think there's a solution where the money comes from the end-user. However, any time you add in a third party for the money to flow from, they're going to want something in return. And unless you want that cash flowing from the site owner to that third party (...why would you?), they're gonna need to offer something else.

I don't see any solution other than "a third party pays for something users and/or the site can create for free". Is the answer to just find something free other than analytics/usage, or are there other approaches to monetize a site while still making it "free" to access?

Unfortunately I don't see a good solution either. Large direct to consumer business models like SaaS or subscriptions are really only sustainable at scale, and even then it's dicey. In a SaaS model, the big fish win and we lose the democratic nature of the current internet.

Society has driven the perceived price of content so low that the content itself is worth less than the aggregate audience. Really, in what other space does the average consumer set their price expectations at free AND balk at paying $5/mo for unlimited access to a product?

The only thing that seems to come close to moving the needle towards privacy is somehow pushing advertisers into in-market advertising (think early internet-style site banner ads) and out of programmatic/user tracked ads. There is some evidence that these programmatic ads don't really perform as well as they claim but from what I can gather, the data is still unclear.

IP blocking still seems a thing, even with this new feature - the ads need to be served from _somewhere_. I am using pfblocker-ng on pfsense, which uses giant IP blocklists to filter out all connections to spam and ad-servers. I haven't seen ads in 5 years and there is no need for client-side solutions (e.g. adblocker). The places where ads appear are just whitespace.
The idea is that this will be served from the same IP address that the site that you're trying to visit is.
Thanks for the explanation - I understood this partly from the article and it is pretty worrying for the future.
“ I honestly don't know if there's any solution to this at all.”

How about the law? Like GDPR? My data is mine.

I mean, technically there is nothing stopping me from following anybody around, documenting their actions, taking pictures. It's easy... But we have laws that prevent this because we decided together that we do not like this.
I think the solution will be for ad blockers to invest in neural nets to detect the graph of the code flow for known variants of the script. The software that detects plagiarism will be a good start.
That sounds like it's going to be slower than not using an ad blocker at all.
Not if the signatures are uploaded and shared.
I don’t think the solution here is a technical one. This should just be solved by legislation.

Google Analytics has been recently ruled illegal in multiple European countries. And either this already is illegal under the same laws or it should be made so.

I suspect this might end up as a slightly trickier scenario because when you get down to the details it’s hard at a technical level to make a distinction between a server log file and a tool like analytics which takes those same bits of data and mostly just organises and displays it in an intuitive way with charts and a nice UI.
The ruling against google analytics in France is quite simple: google analytics as used by an unnamed website was not compliant with GDPR, because it exports user data to a country that has privacy laws that are not up to GDPR standards, which is not allowed. This is on the unnamed website and they or compelled to stop this illegal export of user data by either only exporting anonymized statistics or stopping use of google analytics entirely.

Of course this isn’t yet a perfect banning of GA and Google might be able to work around it, but it’s something. And in fact, anonymized statistics would probably be OK (depending on the details of course).

But this actually highlights exactly what I mean. What if I simply stood up a plain old Apache server to host my website but that happened to be hosted in the US. No analytics, just a few HTML files and that’s it.

I’m still in this scenario sending PII of EU citizens in the form of IP addresses to the US which are just written to /var/log/apache

It seems obviously different and yet as that ruling seems to imply it wouldn’t be unless I’m missing something here between first and third party capture or something?

Default configurations of logging on most servers is illegal now under GDPR since it saves IP addresses.
This pops up regularly, but AFAIK it's not correct. The law is much more fine grained than the USA PII concept. IP addresses are only personal data (PD) if you are capable of using them as identification mechanism. If you don't they are not. This also means that something that is not PD for you, can become PD when you give it to someone else. Or that 2 items which are not PD themselves, become PD when you combine them. Or that being hacked turns non-PD into PD.

Even as PD, using IP addresses to maintain a website is fine, even without consent. Using them to track individuals is not fine. Having a log rotation policy and a sane security policy so you can demonstrate when you throw them away is a good idea.

To be short: Install debian, drop nginx on it, then let it log as it wants. This is legal. But don't you dare mine the logs for abusing PD.

Do you have a source? My observation came from multiple lawyers in the context of "to stay on the safe side".
Incorrect. In the "Breyer" ruling[0] the highest European court concluded that dynamic IP addresses are PII (not just personal data, and not just data), as there is an abstract risk that combining IP addresses with other data can lead to identification of a user. The ruling explicitly said that the mere risk of such an identification is enough, not that such an identification has to actually happen.

Subsequent rulings by many courts have found that all IP addresses are PII, for various reasons, such as "static" IP addresses bear the same risk of indirect identification, and there is no reliable way to distinguish between "dynamic" and "static" addresses anyway.

The recent German ruling that Google Fonts violates the GDPR just by transmitting an IP to google (by making the web browser fetch a resource from a google server) hammered home this point, citing the EU ruling again[0].

This is different to e.g. of a streaming provider keeping a history of songs you played. This data is personal data, but it is not personally identifiable data as this history alone cannot be used to identify a person. However, if this history has some kind of identifier attached that links back to account information or an IP address, that identifier would be PII, as this identifier could be used to indirectly identify a person.

[0] https://curia.europa.eu/juris/document/document.jsf;?text=&d...

[1] https://rewis.io/urteile/urteil/lhm-20-01-2022-3-o-1749320/

Die dynamische IP-Adresse stellt für einen Webseitenbetreiber ein personenbezogenes Datum dar, denn der Webseitenbetreiber verfügt abstrakt über rechtliche Mittel, die vernünftigerweise eingesetzt werden könnten, um mithilfe Dritter, und zwar der zuständigen Behörde und des Internetzugangsanbieters, die betreffende Person anhand der gespeicherten IP-Adressen bestimmen zu lassen (BGH, Urteil vom 16.05.2017 - VI ZR 135/13)[2].

Translated, best to my abilities:

The dynamic IP address is to a web site operator a piece of personally identifiable data, because the web site operator abstractly has legal means, which could be reasonably used, with the help of third parties, namely the the responsible authority and the internet service provider, to identify the person in question with the use of the stored IP address (BGH, ruling from the 16th of May 2017, VI ZR 135/13)[2]

[2] The BGH ruling quoted is the "Breyer" ruling again, just at the German national level instead of the EU level. The Bundesgerichtshof (BGH, highest German court of ordinary law) asked the European Court of Justice to settle the question of whether dynamic IP addresses are PII, which the ECJ affirmatively settled in [0].

This is a very interesting legal document, and I'll have to take the time to read it slowly before I can judge it.

It centers around this line:

   ... not PD for you, can become PD when you give it to someone else
and claims that, as this potentiality can always be fulfilled, you should consider it PD. This would invalidate the first part of the post, but is still not enough to make a default deploy of a logging http server illegal because of the 6.1(f) legitimate intrest rule. In fact, things like 21.1(b) might make it obligatory.

Now we are in lawyer 'interesting question' territory which costs a lot of money, and I still don't think you'll need to worry, because you're not violating the spirit of the law. Personally, I'll go on depending on 2.2(c)

It's not illegal to store such information in default logs per se, even without explicit consent, if it would fall into the "legitimate interest" category[0], e.g. you need it to operate the service and prevent abuse, and there is no less intrusive way to e.g. reasonably monitor for and prevent abuse.

However, you cannot share such logs without consent, you still have an obligation to inform users about your legitimate interest assessment and what data you store, and you still have to abide to other rights of users such as the right of users to ask for a copy of the data you store about them.

[0] Art 6.1.f https://gdpr.eu/article-6-how-to-process-personal-data-legal...

Gdpr.eu is not an official EU resource. There is no official guidance saying that IP address in logs falls under "legitimate interest" and every lawyer I asked advised against it "just to be on the safe side".

One actually added: Do you really want to test our government's understanding of "legitimate interest" for your business in court?

>Gdpr.eu is not an official EU resource.

Yes, but I never claimed that they were. The text that I linked is a copy of the official GDPR text (and recitals), not an article they wrote on the topic. I used their website, because I find it more usable as they added cross-references links and recital links. But if you prefer, read the official EU version[0], which is the same in content and in words.

>There is no official guidance saying that IP address in logs falls under "legitimate interest"

I haven't said that. I said storing IPs in logs might be legal, if there is a legitimate interest and/or there is consent.

There are actually two official recitals straight up addressing that topic. Recital 47 states (in part): "[...] The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest." (This is not meant to be an exhaustive list)

Recital 49 states (in full): "The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems."

These recitals were specifically added to address some points that had already been litigated in the past in various European courts.

>and every lawyer I asked advised against it "just to be on the safe side".

Good for your lawyers (that you keep mentioning all across threads). I don't know your lawyers, but they seem overly cautious - even for lawyers - and maybe a little bit under-educated on the subject matter. But they still have a point. You cannot just store access logs containing IP addresses, you have to have a legitimate interest, and be able to articulate this legitimate interest, and see if law makers and courts would consider your "interest" to be "legitimate". Which is easy when it comes to fraud detection and network security/abuse (thanks to the recitals), less easy when it comes to other areas, and pretty easy when it comes to different areas that are clearly against the text or spirit of the GDPR; e.g. nobody will buy an argument of "my legitimate interest is that I want to earn money from tracking and selling user data".

[0] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

[1] https://gdpr.eu/Recital-47-Overriding-legitimate-interest or https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

[2]

When you use laws to ban businesses from other countries, those countries will feel entitled to use laws to ban businesses for your countries as well.

It's how protectionism works and it's generally the consumers who lose.

These laws do not ban businesses, they ban business practices. And consumers often win. E.g. laws to ban the business practice of just dumping toxic waste into rivers because it's cheaper were hugely successful - at least in places were they were enforced. On the other hand, there is a danger of regulatory capture, which has to be considered as well...

The GDPR does not ban Google, and it does not ban analytics. But, according to recent court rulings, it bans the business practice of Google Analytics to collect and transfer data to the US - which isn't considered to be a place with "adequate" privacy laws - and other places without prior user consent. Google could potentially come up with ways to make a Google Analytics that does abide by the law, but so far they choose not to. Maybe the changes that would be required would cut severely into revenues, or even make (free) GA cost-prohibitive, but this is in line with environmental protections killing off certain products/businesses that got too expensive when they had to dispose of their toxic waste properly and in a way that doesn't poison people and the environment.

Comparing tracking with "dumping toxic waste into rivers" is comparing a breeze with a hurricane.

> Google could potentially come up with ways to make a Google Analytics that does abide by the law

I personally know of no way to have legal analytics under GDPR, as advised by multiple lawyers.

>I personally know of no way to have legal analytics under GDPR, as advised by multiple lawyers.

If this is truly the case, then these businesses must consider shifting to ethical business models to stay afloat. If not, then competition will steamroll them.

> Google Analytics has been recently ruled illegal in multiple European countries.

Just about everything hosted by a non EU company just got ruled illegal (in the EU that is).

It's very doable to disable google analytics for EU visitors.
Not quite - only everything US-based, since they fall under the purview of the cloud act, which is incompatible with the GDPR (on purpose.. this is an entirely self-inflicted wound by the US).
> Not quite - only everything US-based

No anything with laws similar to the "cloud act", which is the norm rather then the exception, is illegal. It's quite rare for a country to allow companies inside it to say no to there government.

This is interesting to me. The US is basically doing the same thing as Russia and China yet the media never talks about it...
> The US is basically doing the same thing as Russia and China

I don't understand or really get what you're referencing.

The whole issue here is the USA claims global jurisdiction over US companies forcing them to obey the USA legal system even for data located in the EU. On the other hand EU law makes it illegal for anyone globally to turn over data for EU customers without a court order from the EU.

It's not about companies inside it, but companies outside the country. And is it actually the norm? Since clearly even the US didn't have the Cloud Act until 2018. Was the US such a rare case until that recently?
I get privacy concerns and hate for ads, but what about "free" internet? Paywalls are a massive annoyance to me personally, and if ads were legislatively blocked, would I have to pay for each website I visit that previously relied on ads for $? Perhaps we could be making micro-transactions for each website visited via crypto (?)
If it takes maintaining blocking scripts for individual websites, I'm pretty sure services will spring up to crowd source it.
> Maybe using an archive.is-like service that renders the static page (as an image at the extreme), or a Tor-like service and randomizes one's IP address and browser fingerprint.

I'm building a peer-to-peer network of Web Browsers [1] that doesn't trust anything by default, and only allows to render types of content incrementally; while disabling JS completely. Most of the time, you can find out what the content is with heuristics. The crappy occasional web apps that don't work without JS can be rendered temporarily in an isolated sandbox in /tmp anyways.

I think that the only way to get ahead of the adblocking game is to instead of maintaining blocklists, we need to move to a system that has allowlists for content. The user has to be able to decide whether they're expecting a website serving a video, or whether the expectation is to get text content, image content, audio content etc. News websites are the prime example of how "wrong" ads can get. Autoplayed videos, dozens of popups, flashing advertisements and I haven't even had time to read a single paragraph of the article.

And to get ahead of the "if fanboy gets hit by the bus" problem... we need to crowdsource this kind of meta information in a decentralized and distributed manner.

[1] https://github.com/tholian-network/stealth

It's based on JS. There's your solution. I disabled JS in the browser for nearly 2 decades and I can still use most of the web (HN included).

You are blind to the solution because you don't want to take responsibility for your own browsing. You and people like you won't change, will whine about how nothing can be done while not being prepared to understand the problem is yourself and that's where the solution lies as well. When google screws you over, remember you chose that (maybe by omission rather than commission, but you chose).

Maybe using an archive.is-like service

No that has turned to shit (for me anyway). Used to be fine, now presents a captcha when JS off. Okay so I switch from Firefox to Safari (where I leave JS on) and it still presents a captcha. I'd rather use the original site with JS than solve captchas.

That has been my consistent recent experience for a multitude of those.

or a Tor-like service

I've never used Tor, but aren't there a lot of complaints of repetitive captchas when using it?

randomizes one's IP address and browser fingerprint

I haven't followed this closely, but didn't Apple make claims that they would soon have an opt-in service that did something like this?

The article is from 2020, and I don't think I've ever seen a site using this approach yet. It is an egregious attempt to circumvent the Same Origin security policy in browsers that developers and privacy advocates should rightly be angry at, but it doesn't seem to have caught on. That's something to be thankful for.
your are optimistic, most analytics guys I know are working with clients to transition to GTM server-side tagging
>I don't think I've ever seen a site using this approach yet.

What have you been looking for? It seems like this would be hard to observe.

>> God damn... this is it, this is the end-game

I don't understand. I tried to read the article but it doesn't make sense to me. What is the end-game? Can you explain? Not everyone uses google analytics, and even if we do it would only be on the front pages... (hooking into any API has always had the potential to expose session data if you pass it, so what's new here??)

There is a hope this can be blocked with adblockers inspecting payload of requests and blocking based on some generic properties that could be always present in Google Tag Manager requests to proxies. Unless this mechanism has some dedicated Chrome-level support that would disallow inspecting or blocking these requests.
I think modifying some fingerprintable apis to give faked/altered results could be enough, given the global fingerprint is a product of all partial fingerprints. Some extensions already implement that, eg. https://github.com/kkapsner/CanvasBlocker/
Wouldn't a script blocker like NoScript or uMatrix take care of this?
Nope. The end-game is adding the data collection into the backend frameworks so the user does not have to execute javascript at all.

But this is pretty close to it. I hope Google and anybody collaborating with them get severely punished.

I think there was never the possibility to "out-tech" tracking solutions in the first place. You simply cannot plug every hole imaginable that will be discovered, and still serve your service on a network.

The only remedy is strict legislation and judicial recourse against companies that do try to cheese it.

Just like you cannot possibly implement real world security and surveillance that makes it completely impossible to commit theft, but you can implement strong enough legal deterrance to make it a really unviable risk/reward scenario for individuals and corporations alike

"Blocking scripts for each individual website" probably isn't too bad of a burden though. There's enough people who are annoyed by this and few enough sites that you actually visit (how often do you actually visit a brand new website, or one that hasn't been visited by thousands already?) that maintained (donation supported) chrome extensions for this will pop up eventually.
Couldn't a adblocker block the largest javascript blob loaded by the page? Most likely it's gtm. Also with a bit of machine learning it could recognise the patterns in the js blob, no?
It was clear this was going to happen for more than a decade now. I'm surprised it took them so long to really push for this. I'm just reiterating what I said back then: There's no point in wasting any time and resources into a stupid technical cat and mouse game to fix this. The only sensible way to deal with this stuff is through legislation.
You still pay for the app engine requests. This whole product is just a hash script that configures the proxy for you.
Server-side tracking has been around for a while (indeed this article is dated Nov 15, 2020; and of course, you could argue simply parsing your Apache/nginx logs to get visitor stats has existed forever). The article I think conflates several different pieces.

There's probably a few actual use cases marketers may care about for tagging/tracking/analytics:

1. Simplest: I want to know how many people use my site/app, how many come back, how many are real (not bots), which pages are popular, etc. I'd like to see all this in a nice UI where I can cut and filter the data.

2. Same as #1, but I'd like to do it across devices. Still all within my own site/app, but simply connecting a non-logged in session across desktop and mobile web. Google and FB probably have the largest available dataset on this.

3. I'd like to enrich all this information with data from other sources, for example to target ads, serve ads, etc.

Site owners/marketers then try and tackle these in a few ways, the first 3 equally bad:

1. Just dump a bunch of scripts into your site (GA, FB, Segment, whatever). Pros: easy. Cons: very easily blocked, so your data is super biased.

2. Self host some of these scripts, or CNAME them. Pros: maybe a bit better for performance? Cons: still rather easily blocked with content signatures etc. A nightmare to ensure consistency if self-hosting.

3. Run your own JS that sends events to your server, and then your server fans out to whomever. Pros: much harder to block, and likely quite performant. Cons: its unlikely your self built lib is going to give all the same 'features' as GA (features meaning device fingerprinting and so on).

4. Just get everything from HTTP logs. Pros: very performant, can't be blocked. Cons: much more limited data to work with.

Personally, I think #4 is the future (and also where we started 20 years ago). What I don't think anyone is doing yet is relaying that data out to all the other parts of the stack: GA, FB, Mixpanel, whatever. If you could solve both - giving users privacy and performance and giving marketers the same tools they're used to - sounds like a win. You might argue "well we'd be missing a bunch of user data", but you're already missing it with adblockers and iOS privacy features.

> 3. Run your own JS that sends events to your server

If your platform is popular enough, those telemetry endpoints will end-up on ad-blockers lists.

Then it is up to you, if you want to do an arms race of obfuscation or just accept it.

I think some of the whiplash in the market isn't just the tit for tat battle with ad blockers and regulators but the realization that there's so much useless data being collected. The best data we get is first party (ie things people click or type into forms on our sites) or qualitative feedback from surveys. GA and GTM are valuable tools for us but Google's network isn't really.
Yea. Though, GA does (at least) two things: analyzes your own data, and, uses the data they collect from all their other sites to improve your experience via better bot detection, recommendations, insights. Google's network is useful, like it or not, for a) their cross device graph - they know which mobile devices and which desktop browsers are the same user (ish) and b) from that, building better MTA models than you can with pure first-party data - especially if most of your traffic isn't logged in.

But I agree, the future is pointing toward a world where privacy and empowerment is more in the hands of the user, and that's a good thing.

1) can be done trivially with first party cookies.

2) you can already tell what device someone is using. If you mean “I want to know if the same person is on different devices” get them to login, don’t try in effectively spy while also providing google etc with the ability to actually spy

3)you cannot know how to target ads on a per user basis unless you are spying on your users. You have no justification that supports a claim to such information.

Yea, I think we're saying the same thing. Ultimately both the best choice (for privacy, performance etc.) and the one that's most likely (given adblockers and and ever increasing push for privacy from browsers and OSs) is to stop trying to find a way around adblockers, and simply invest in the technologies that work - http, cookies, sessions, logins, and os on.
Forgive me if this is ignorant. Wouldn't an adblock simply need to inject an impersonation payload into the page, so the report would send incorrect attribution to the proxy server?
In case of Google it could be (initially) quite simple. Randomly change um-Parameters, gclid-Param and the like. This would at least make marketing tracking more "interesting".

Years ago there was an extension that did that for GA and Adobe Analytics at least.

But that would only be an arms race. We (analysts and marketing agencies) would obfuscate the params we use and switch that in the server side container.

Wouldn't it be possible for a potential client-side blocker for this to intercept the gtag() method invoked on the client side ("Tag Manager web container"), even if that function is provided by a script hosted on the website owner's domain, as Google recommends[1]?

[1] https://developers.google.com/tag-platform/tag-manager/serve...

Highly doubtful the method would continue to be called "gtag"; any js bundling / minification would replace that with a randomly generated string, and it's just as easy to randomize the server-side api endpoint url, making this virtually impossible to block (maybe a pattern analysis on the data being transmitted, but that can also be encrypted with random algorithms and keys, beyond recognition).
Yes, it can surely be obfuscated, but ultimately there will be a client-side function with near-identical functionality prevalent all over the web. It's harder, but seems possible to build an extension to identify this function.
Taken to its logical conclusion, this process reminds me of anti-virus software: finding code signatures and flagging sketchy code.
Exactly. And the end result might be as bad as antivirus: horrendously slow software with a huge database of heuristics that cause false positives and at the same time let malware through. It's going to suck.
This is literally the same game virus scanners played against mutation engines. Ultimately, the halting problem won.

There are two places this can end:

* Redesign the runtime environment so it doesn’t matter if you download trackers. The execution environment doesn’t offer the I/O facilities that it requires to actually produce harm. This is what Apple Private Relay and Tor Browser try to give you. By analogy, this is why Web Apps became so popular in the first place — web publishers who do not intentionally collude are protected from each other by the SOP, so opening a web page should be less risky than running an EXE. It’s “just”[1] extending the existing sandbox to prevent differing origins from being able to collude.

* Instead of blocking bad scripts, allow only known-good ones. To match the convenience of current-day ad blocking, it needs to be a collaboratively-produced list. In other words, a gatekeeper. By analogy, this is why installing “unrecognized” applications on Windows and macOS is behind a scare screen, and why doing it on iOS is prevented entirely.

The former seems less dystopian, but much more difficult.

[1]: this is actually very difficult

I was going to suggest introducing the kind of heuristic analysis found in antivirus engines. Kind of like your item #2 - don’t run scripts that behave badly (for some heuristically recognizable “bad behavior”.) Basically a browser built-in AV scanner. Maybe give a user the option to permit the script once per session, or forever. Something like this would definitely introduce a UX speed bump, it sounds terrible.
You can use CTPH algorithms to fingerprint the function, so you'd need an extension that fingerprints each function before the browser runs it. Or you could man-in-the-middle yourself and patch the malicious code before it gets to your browser.

Better still would be to fingerprint the syntax tree, so obfuscators need to change more than just the names of things (Unison does this, Javascript would probably be less friendly).

I'd love an app where I could crowd-fund the inevitable game of cat/mouse that would ensue. Like maybe I put $5 in at the beginning of each month and as I browse I curate a list of sites that I'd like tampered with. Better developers than I could then publish patches for the malicious functions, which are applied as I browse. At the end of the month, my $5 gets distributed to the people who fixed the parts of the web that I browsed that month.

I'm working on a tool that facilitates collaboration on CTPH-identified blobs of data, but it's more of a `curl shadysite.com | mytool` kind of thing. I'm not sure what would go into integrating it into a browser.

ML is already applied to spam mail, maybe it could be applied to JS runtime behavior to detect this kind of tracking. Fight ML analytics with ML
There's an asymmetry nat play here though. You're now burning battery to block stuff.
I am fascinated that the popular press has described this as Google adding privacy (which is how google describes it of course) where really it’s a massive escalation of their spying network.
I wouldn't be surprised if much of the popular reporting on it are just press releases.
Seems like it, even in the big papers/sites
Well it sounds like they're plugging the RCE hole in how ads operate which is even better. That's the real elephant in the room which no one seems to be talking about. With all these zero click exploits I don't want an entire industry to exist that's dedicated to people bidding to run code on my computer. If all that bloat is running somewhere else in the cloud and this tag manager is filtering the information they access so that it's actually just boring marketing analytics then I'd imagine it does a lot to help improve the sovereignty of personal spaces.
Apple and Firefox brought this on by killing 3rd party cookies.

The reason why client send requests to the 3rd party domain directly is that the cookies attached to that domain are sent and which can track you better! With a server-side request there's no way to use that cookie info.

But browsers increasingly limit 3rd party cookies. With 3rd party cookies becoming useless for tracking there's far less to lose by moving all these analytics calls to the server side.

> Apple and Firefox brought this on by killing 3rd party cookies.

And the ad networks–like Google–brought that on by their user-hostile data collection practices.

Note that the Google announcement in question was August 2020. This didn't seem to make any significant changes to the ad-block space when it rolled out, and pretty much every site is still running the Javascript frontend.
Sorry I can't understand the article, but does server side Google tag manager already out?
If I am reading it right, the article is saying about 1/3 of all web sites on the Internet already use GTM.
Using Google Tag Manager doesn't mean you are using the server-side tagging. You have to configure it in your account. It is something you have to pay for. If you read the instructions on https://developers.google.com/tag-platform/tag-manager/serve... you have to have GCP billing setup to pay for the App Engine instance running the server-side tagging proxy.
thx for the explaination, btw, do you think server side GTM can let Adsense bypass the adblocker, since it is what claimed in the article. Though after Googled a bit, I can't find a single article/video about this.
Somewhat. Some of the tracking protections center around 1st party vs 3rd party. If the site owner takes the time to configure the DNS records for this server-side proxy then the page is only communicating with 1st party domains so that protection is gone.

Next, ad blocker components often target various parts of the URL. By hosting on your own domain the domain name matching patterns that would be used for blocking no longer apply. But the ad blockers can also use just the path or file name portion of the URL to block on.

Easylist has a set of lists that are commonly used by ad blockers such as UBlock Origin. The tracking/privacy centric list is https://easylist.to/easylist/easyprivacy.txt which I'm using in UBlock Origin. If you look at it there are lines like '/gtag.js' which might match on the name of the JavaScript file and still block it.

Of course site owners might change the name of their script files to a non-default name making it harder to detect.

The next step in the arms race would be having more dynamic names for the files and URLs. You could rotate the names of the scripts and endpoints automatically at which point the adblockers would have to preform content inspection or some other strategy which is more resource intensive.

Yes it's been out for quite some time.

It's also requires running a proxy as a GCP application, so people running GTM largely because it's free/cheap aren't going to go along with this.

That's why we need generic legislation without consideration of specific technologies, restricting the general goals, not just one particular way to achieve them. GDPR would forbid this tracking without opt-in consent - the fact that you have the technical ability to effectively handle tracking information server-side without support from the user/browser (as for cookies) does not imply that you have the right to do so.

We don't have to win a technical fight, we have to ensure that privacy-invasive tracking is not profitable because all the major legitimate megacorp advertisers throwing billions at internet ads are prohibited from using that.

this is great. to block this shit it's now just necessary to disable the "tag container" instead of tracking hundreds of javascript / URLs.
well not sure is it good or bad.
I blindly added Google Tag Manager to my sites. This article gave me a reason to remove it, thanks.
You shouldn’t be adding any google scripts to your site, u less you believe that you have the right to support spying on your users.

Google “analytics” is a spyware system that they bribed sites to include with the promise of “knowing your users”.

I used them to set up their Search Console product and didn't think to remove them.
Wait, Google wants to proxy the entire internet through Google servers? Just so ad tracking will work? This lets Google spy on the entire session in both directions, right?
And also makes it harder for any alternative - you can’t use two different systems to proxy the same content at the same time, and you can’t expect one company to not “protect user privacy” by filtering competitors.

Honestly the only reason this is even an option for google is because a bunch of web admins said “I want to know who is browsing my site, and who cares if that lets google spy on every person who uses my site”, and now they’re just offering this “improvement” to spying.

This was modded down, but commented on favorably. Am I wrong about this giving Google a backdoor into every web site that uses it?
It’s just another mechanism to maintain their existing spyware systems. What google absolutely depends on is having as much of the web as possible including their code.

Essentially: if every website includes some amount of their code it becomes increasingly difficult to block every tentacle. Presumably the goal is that it doesn’t matter if 90% of their crap is blocked by browsers: as long as a single tentacle leaks enough info on any given page they can track you.

How true this is in the face of privacy preserving vpns like Apple’s private relay I don’t know.

Yes, you misunderstand it. Google isn't getting any more information / power than they previously did. What server side tagging does it separates the creation of tags outside of a user's browsers and into a server that is a part of your infrastructure. You can host this tagging server on Google Cloud, but you can also self host it if you choose to.

To restate what happens, a website's users send events to a first party tagging server and then that tagging server can communicate with 3rd parties.

i'm using firefox with https://addons.mozilla.org/en-GB/firefox/addon/temporary-con...

it occasionally gets in the way, but does make things a bit more enjoyable (i can now happily click 'allow all tracking' on all the popups not blocked by ublock -- all that lasts until i close the tab).

ideally i should also use something to resist fingerprinting (i.e. randomising fingerprintable features).

Increasingly, the only solution I see to this is Apple's Private Relay [1].

"When Private Relay is in use, the user’s device opens up a connection to the first internet relay (also known as the “ingress proxy”).

As the user browses, their original IP address is visible to the first internet relay and to the network they are connected to. However, the website names requested by the user are encrypted and cannot be seen by either party.

The second internet relay (also known as the “egress proxy”) has the role of assigning the Relay IP address they’ll use for the session, decrypting the website name the user has requested and completing the connection.

The second internet relay has no knowledge of the user’s original IP address and receives only enough location information to assign them a Relay IP address that maps to the region they are connecting from, conforming to the IP Address Location preference they selected in Private Relay settings."

[1] https://www.apple.com/privacy/docs/iCloud_Private_Relay_Over...

To what is a VPN a solution? It prevents IP tracking, but that's it. The rest of what is described here still works.
"Private Relay uses both the CONNECT and CONNECT-UDP methods in HTTP/3 to set up connections quickly. For connections to websites that support TLS or QUIC, the initial TLS handshake messages are sent in the same set of data as the proxy request"

Would this not hinder the proposed mechanism discussed in the article?

Edit: forgive me, for my knowledge of networking is limited and I'd like to learn more if I am incorrect.

I fail to see how this is any different (for the purposes of getting around google) than any other VPN or proxy service out there. The proposed mechanism is just using a script that comes from the same server as the main website with perhaps slightly changed up code and a different file name to trick up adblockers. It can still fingerprint you without your actual ip address, as it collects data clientside.
I don't really have a great knowledge of the Tor Network but is that not really similar to a Tor Relay?
Tor relays are identifiable.

And are blocked or rate-limited by many websites.

That said, if a majority of interesting Web traffic transited Tor, that behaviour would likely change.

I don't think this is a solution, since modern fingerprinting methods go far, far beyond IP address.
Apple Private Relay runs on iDevices, which are almost all identical.
Panopticon still seems to think my browser is pretty unique, and I am browsing with an iDevice.
Not to current fingerprinting methods, they are not.
I don't trust Apple; they are shady AF and I'm convinced they are hard at work building an AD empire to rival Google and Facebook behind the scenes. Their so-called "privacy" moves are very clearly designed to limit Facebook's and Google's ability to profit off their platform giving themselves an advantage: https://www.forbes.com/sites/johnkoetsier/2020/08/07/apple-a...

That said, Private Relay has some interesting ideas, maybe a few trustworthy VPN providers adopt some of them.

Apple's Private Relay is great, but it won't help with server-side tracking (which is not based on IPs)