[HN Gopher] Google Tag Manager, the new anti-adblock weapon (2020)
___________________________________________________________________
Google Tag Manager, the new anti-adblock weapon (2020)
Author : thyrox
Score : 1308 points
Date : 2022-02-21 01:41 UTC (21 hours ago)
(HTM) web link (chromium.woolyss.com)
(TXT) w3m dump (chromium.woolyss.com)
| LtdJorge wrote:
| Isn't that this what Cloudflare Zaraz is doing?
| pixeldetracking wrote:
| KoftaBob wrote:
| Wouldn't a script blocker like NoScript or uMatrix take care of
| this?
| xvector wrote:
| No, that's the point
| soheil wrote:
| What if blockers did not allow any js loaded form any cname
| except the currently loaded one? This would surely break a lot of
| website that load their js from something like
| _static.example.com_ but at least would help against server side
| tracking, perhaps it could be an optional feature that is off by
| default. Setting up a proxy for the same cname as the current
| page is loaded on is several times more difficult so I think
| Google wouldn 't consider that as an alternative anytime soon.
| transcendrc wrote:
| I've been using Google Tag Manager on this website
| https://transcendrecoverycommunity.com/, so far it's great. Tag
| Manager gives you the ability to add and update your own tags for
| conversion tracking, site analytics, remarketing, and more. There
| are nearly endless ways to track activity across your sites and
| apps, and the intuitive design lets you change tags whenever you
| want.
| xvector wrote:
| The engineers that work on this should be ashamed of themselves.
| easytiger wrote:
| UK local newspapers have been bought up by a company called
| Reach. Most of their sites look the same. On my laptop visiting
| their home page is burdensome on my laptop.
|
| e.g. https://www.mylondon.news/
|
| Looking at firefox's network tabs. It mostly completed after 41
| seconds and almost 9MB. In the article pages there are adverts
| dynamically loaded every couple of lines of text
|
| An article page from that site ,e.g.
|
| https://www.mylondon.news/news/east-london-news/heartbroken-...
|
| Takes around 1m50s to load at 18 MB.
|
| The web is a disaster right now
| danhilltech wrote:
| Server-side tracking has been around for a while (indeed this
| article is dated Nov 15, 2020; and of course, you could argue
| simply parsing your Apache/nginx logs to get visitor stats has
| existed forever). The article I think conflates several different
| pieces.
|
| There's probably a few actual use cases marketers may care about
| for tagging/tracking/analytics:
|
| 1. Simplest: I want to know how many people use my site/app, how
| many come back, how many are real (not bots), which pages are
| popular, etc. I'd like to see all this in a nice UI where I can
| cut and filter the data.
|
| 2. Same as #1, but I'd like to do it across devices. Still all
| within my own site/app, but simply connecting a non-logged in
| session across desktop and mobile web. Google and FB probably
| have the largest available dataset on this.
|
| 3. I'd like to enrich all this information with data from other
| sources, for example to target ads, serve ads, etc.
|
| Site owners/marketers then try and tackle these in a few ways,
| the first 3 equally bad:
|
| 1. Just dump a bunch of scripts into your site (GA, FB, Segment,
| whatever). Pros: easy. Cons: very easily blocked, so your data is
| super biased.
|
| 2. Self host some of these scripts, or CNAME them. Pros: maybe a
| bit better for performance? Cons: still rather easily blocked
| with content signatures etc. A nightmare to ensure consistency if
| self-hosting.
|
| 3. Run your own JS that sends events to your server, and then
| your server fans out to whomever. Pros: much harder to block, and
| likely quite performant. Cons: its unlikely your self built lib
| is going to give all the same 'features' as GA (features meaning
| device fingerprinting and so on).
|
| 4. Just get everything from HTTP logs. Pros: very performant,
| can't be blocked. Cons: much more limited data to work with.
|
| Personally, I think #4 is the future (and also where we started
| 20 years ago). What I don't think anyone is doing yet is relaying
| that data out to all the other parts of the stack: GA, FB,
| Mixpanel, whatever. If you could solve both - giving users
| privacy and performance and giving marketers the same tools
| they're used to - sounds like a win. You might argue "well we'd
| be missing a bunch of user data", but you're already missing it
| with adblockers and iOS privacy features.
| Raed667 wrote:
| > 3. Run your own JS that sends events to your server
|
| If your platform is popular enough, those telemetry endpoints
| will end-up on ad-blockers lists.
|
| Then it is up to you, if you want to do an arms race of
| obfuscation or just accept it.
| danhilltech wrote:
| totally
| pixeldetracking wrote:
| 5. use edge computing https://blog.cloudflare.com/zaraz-use-
| workers-to-make-third-...
| olliej wrote:
| 1) can be done trivially with first party cookies.
|
| 2) you can already tell what device someone is using. If you
| mean "I want to know if the same person is on different
| devices" get them to login, don't try in effectively spy while
| also providing google etc with the ability to actually spy
|
| 3)you cannot know how to target ads on a per user basis unless
| you are spying on your users. You have no justification that
| supports a claim to such information.
| danhilltech wrote:
| Yea, I think we're saying the same thing. Ultimately both the
| best choice (for privacy, performance etc.) and the one
| that's most likely (given adblockers and and ever increasing
| push for privacy from browsers and OSs) is to stop trying to
| find a way around adblockers, and simply invest in the
| technologies that work - http, cookies, sessions, logins, and
| os on.
| tootie wrote:
| I think some of the whiplash in the market isn't just the tit
| for tat battle with ad blockers and regulators but the
| realization that there's so much useless data being collected.
| The best data we get is first party (ie things people click or
| type into forms on our sites) or qualitative feedback from
| surveys. GA and GTM are valuable tools for us but Google's
| network isn't really.
| danhilltech wrote:
| Yea. Though, GA does (at least) two things: analyzes your own
| data, and, uses the data they collect from all their other
| sites to improve your experience via better bot detection,
| recommendations, insights. Google's network is useful, like
| it or not, for a) their cross device graph - they know which
| mobile devices and which desktop browsers are the same user
| (ish) and b) from that, building better MTA models than you
| can with pure first-party data - especially if most of your
| traffic isn't logged in.
|
| But I agree, the future is pointing toward a world where
| privacy and empowerment is more in the hands of the user, and
| that's a good thing.
| perlgeek wrote:
| For a pretty long time I believed that many of the privacy and
| security issues in current tech could have (at least partial)
| technical solutions.
|
| This convinces me more than ever that regulation is necessary
| and, in the long run, unavoidable.
|
| Yes, GDPR rules suck for somebody who has to write software that
| deals with personal data, but we can no longer act as if good ad
| blockers would solve the problem for us.
| choeger wrote:
| So it's essentially a keylogger snippet and API with a backend
| for analytics? Plus some how-to's on how to best hide it?
| Intentionally acting as a middleman between the publisher and all
| the shady advertisers? Seems like a slam-dunk GDPR violation to
| me.
|
| What's the next step? Obfuscation of the keylogger and unique
| snippets for every visitor? That's pretty much malware deployment
| technology.
| henrydark wrote:
| Basically it's time to treat ad trackers and everything involved
| as viruses. Adblock software needs to start fingerprinting and
| monitor mutations in privacy-harmful javascript packages
| jacquesm wrote:
| Isn't the solution then to recognize the GTM proxy and block
| anything that tries to talk to it?
| ece wrote:
| With PlatformStorage on Android 12, which lets apps share
| key/values and things like this, it really looks like two steps
| back, one step forward for privacy if Topics/FLEDGE ever make it
| to browsers. The cat and mouse games need to stop.
|
| A strong privacy law that cracks down on fingerprinting and lets
| users opt-out of tracking and delete their data really seems
| necessary. Even ephemeral data collection online needs to be
| checked. The user should be in control, and be served context-
| based or random ads, unless they approve interest based ads. The
| LiveRamps of the world will still be able to collect 3rd party
| data offline, but it's not anonymous, and can be deleted, at
| least if you're in CA for now through the CCPA.
|
| Most users would likely be fine with consented context-based or
| interest-based ads, but an option for no analytics tracking or
| other tracking should be respected.
| sdoering wrote:
| Disclaimer: I am a data analyst. I consult companies in regards
| to ethical data collection. But I also know of black sheep.
|
| I don't have a problem with websites measuring what I view,
| click, add to cart or buy. I want them to be able to see what
| doesn't work in terms of user experience.
|
| And if they do marketing I even want them to be able to see from
| which source of traffic (aka marketing effort) how many
| conversions (whatever comprises a conversion) stems.
|
| The problem imho isn't GTM (Google Tagmanager) running as proxy.
| This would (or at least could) be a data privacy win if done
| ethically. At least under one imho essential condition: I could
| be able to run the proxy on any infrastructure that I like. Not
| only one Google's cloud offering.
|
| And on the second essential condition that marketing departments
| act ethically. They can send the web analytics data to whatever
| tool they like. But they should absolutely not send my
| identifying information with it. They should use the proxy as a
| privacy protector. The same when sending conversion data to the
| marketing tools. I am OK with the marketer sending information
| back that a specific ad (not a specific user clicking on a
| specific ad) led to a conversion.
|
| I don't need Meta or Alphabet tracking me personally (or my
| clients'users) with every click. But I understand the business
| need to measure the effectiveness of marketing money spent.
| Solutions like these could be a way to achieve this. If done
| right. And not done in the way GTM does (only hosting on Google,
| using an A/AAAA subdomain, grabbing every cookie possibly and so
| on).
| rvanlaar wrote:
| You're hitting the nail on the head. I'm not against the
| website owners seeing what I do on their website.
|
| What I am against is what other parties are able to do with the
| data when sold. They're able to correlate website visits with
| specific businesses and linkedin profiles.
| baybal2 wrote:
| Just block the script by its checksum, and the issue is solved
| beagle3 wrote:
| Article addresses this: google is actually encouraging users
| to modify said script.
| yunohn wrote:
| > not done in the way GTM does (only hosting on Google, using
| an A/AAAA subdomain, grabbing every cookie possibly and so on).
|
| It's provided as a Docker image that you can run anywhere you
| want.
|
| https://developers.google.com/tag-platform/tag-manager/serve...
| kyrra wrote:
| Btw, someone wrote up a guide on hosting this on AWS, which
| covers what it would take to run it yourself.
|
| https://www.simoahava.com/analytics/deploy-server-side-googl...
|
| If I'm not mistaken, the key bit is that Google makes the
| docker image available at: gcr.io/cloud-tagging-10302018/gtm-
| cloud-image:stable
|
| Edit: oh, Google published a guide to self host maybe?
| https://developers.google.com/tag-platform/tag-manager/serve...
| curiousmindz wrote:
| Sadly, most publishers are not interested in developing their
| own proxy solution just for the sake of data privacy. They
| vastly prefer a ready-made solution that they can just use.
|
| Much of the power of the advertising space come from people
| (publishers, consumers and advertisers) generally choosing the
| path of least resistance. They don't have the technical know-
| how and they would only acquire it if there were enough
| benefits. Sadly, privacy is not enough on its own.
|
| I think the solution that can solve all that is when a company
| acts as a "wall" between consumers and publishers/advertisers.
| Then, that company can protect the consumer while keeping the
| user experience as simple as possible.
|
| "Sign in with Apple" is one such solution. But of course, it
| brings its own (different) downsides.
| criddell wrote:
| > But I understand the business need to measure the
| effectiveness of marketing money spent.
|
| They don't need to, but they sure want to.
| deepstack wrote:
| >The problem imho isn't GTM (Google Tagmanager) running as
| proxy. This would (or at least could) be a data privacy win if
| done ethically. At least under one imho essential condition: I
| could be able to run the proxy on any infrastructure that I
| like. Not only one Google's cloud offering.
|
| Yup that is where rubber meets the road. Would like to offer
| google as little data as possible. And use as little google
| products as possible on the web and internet.
| andrewingram wrote:
| Sibling comment shares this link, but you can run this in
| your own infrastructure (this is actually how Segment does
| server-side publishing to Google Analytics, because until
| very recently there hasn't been a proper API for it):
| https://developers.google.com/tag-platform/tag-
| manager/serve...
| runarberg wrote:
| How effective is tracking in increasing user experience over
| less invasive techniques, e.g. like asking users?
| TZVdosOWs3kZHus wrote:
| This! The most valuable information is collected via classic
| communication! We include basic opt-in tracking (selectable
| in our installer) to get information about basic usage
| untangled to certain users. While this is just a statistical
| overview, it shows to us which parts of our software get used
| only for the customers who activated this kind of tracking.
|
| The most valuable information we get is through our forum
| which is open to everyone regardless of whether tracking is
| activated or not.
| pfooti wrote:
| Most companies do both. If just asking users questions was
| strictly better than passive tracking, that's probably all
| they'd do - analytics have a real cost to use, that cost
| wouldn't be paid if the information gathered was useless.
|
| But, people are pretty remarkably bad at asking for things.
| It's mostly the "better horse" problem. People ask for fixes
| to proximal issues (make this faster, cheaper, better) and
| not the big things.
|
| In my own product, we use gtm to understand where in our sign
| up funnel people fall off. It is a complicated product and a
| complicated sign up flow. Since people who fall out of the
| funnel are unreachable, we can't just ask them _why_. But we
| can observe that (say) 40% of users bounce off of step X, so
| let 's make that step easier.
| aeyes wrote:
| > But I understand the business need to measure the
| effectiveness of marketing money spent.
|
| Why? They are not able to track TV, newspaper, billboard or
| radio campaigns but still spend a lot of marketing money on
| these.
| sdoering wrote:
| The are at least quite able to correlate these. Tracking TV
| advertising'impact is relatively easy and straight forward.
| Same for out of home advertising. And with a bit more effort
| attribution to newspaper/magazine advertising is also
| possible.
|
| But. It often isn't necessary. More often than not these
| forms of advertising are not direct marketing. They don't
| necessarily have a call to action. They are a branding asset.
| And brand awareness is measured differently. With different
| means.
|
| So while you can and should measure the direct impact, this
| isn't the main focus.
|
| The same way response and conversion rates on direct
| marketing efforts were meticulously measured long before the
| internet. There were even AB tests being run on mailings
| (snail mail) on test flights to identify the campaigns with
| the best ROI.
|
| I have a booklet from 1978, the year I was born, explaining
| AB testing for direct marketing campaigns.
|
| Except for the speed, nothing changed. Nowadays we only have
| more intrusive tracking methods if we decide to go that
| route. But the underlying methods (statistics, measuring
| success, et al) habe not significantly changed.
| charcircuit wrote:
| >I could be able to run the proxy on any infrastructure that I
| like. Not only one Google's cloud offering.
|
| This is already true.
|
| https://developers.google.com/tag-platform/tag-manager/serve...
| sdoering wrote:
| Thanks - didn't know that. Interesting. Might be a solution
| for a client of the team I work in (but not my client).
| janpot wrote:
| > I want them to be able to see what doesn't work in terms of
| user experience.
|
| That's not what they're doing, at all. They want to be able to
| see what doesn't work in terms of maximising profits. That may
| correlate with good user experience sometimes, but more often
| it results in the opposite.
| collegeburner wrote:
| That's not true. I run a site like this and I want both. Yes
| I want to test what maximizes conversions, but this is also
| what helps me provide value to more users. And I also need it
| to determime how to improve the service I provide to users.
| y42 wrote:
| That's to easy IMHO. Yes, online marketing is about profit.
| But tracking is not always about profit. I work for a
| customer that offers kind of a job search engine. All they
| want to maximize is the rate of succesful employments. Yes,
| they need to optimize marketing budget. But not to sell
| useless stuff, but to reach out to potential employees.
| franga2000 wrote:
| Exactly! A company's goal is profit and most of the time,
| that does not align with the customer's goals. Amazon's goal
| is to sell me the highest margin item, I want the best value
| or highest quality.
|
| I have very limited information about which items are a good
| value or high quality, so why should amazon have the tools to
| most effectively steer me towards high-margin items? They
| exist to provide us a service and we grant them the right to
| make a small % of profit while doing it. Not the other way
| around!
| airstrike wrote:
| _> I have very limited information about which items are a
| good value or high quality, so why should amazon have the
| tools to most effectively steer me towards high-margin
| items? They exist to provide us a service and we grant them
| the right to make a small % of profit while doing it. Not
| the other way around!_
|
| As a small aside, The capitalist's answer is that
| regulating companies to prevent them from steering to the
| most profitable items is both impossible to be adequately
| done and prohibitively costly. Even assuming cost isn't an
| issue, it's hard to imagine such regulation to be equally
| applied to all market participants (or to be equally
| effective). So we would be left with companies that
| cooperate and others that defect, and the defectors would
| be favored (more profitable) and outcompete the cooperators
| in the long run.
|
| So instead we start from the assumption that companies are
| greedy and let them compete to offer customers the best
| value -- and if that value comes (at least in part) from
| not being tracked, companies that do not track will attract
| more customers. We probably just haven't made enough of a
| fuss about it with our dollar-votes.
|
| For what it's worth, I block all ads without giving it a
| single thought. The way I think about it is that on the
| flip side of the prisoner's dilemma, I'm just defecting
| like some companies would. It's a race to the bottom in
| terms of the trust between customers and companies, but I
| didn't make the rules of the game...
| dasil003 wrote:
| Keep in mind that capitalists have all the power and a
| lot of time and incentive to rationalize the status quo.
|
| The assumption in this argument is that consumers are
| able to observe and quantify the harm of tracking more
| effectively than regulators could create laws against
| data collection.
|
| Personally I think the success of either one comes down
| to cultural factors that are currently stacked in favor
| of advertisers.
| airstrike wrote:
| _> The assumption in this argument is that consumers are
| able to observe and quantify the harm of tracking more
| effectively than regulators could create laws against
| data collection._
|
| Not necessarily, because creating laws isn't enough to
| regulate. You also need to enforce such regulation, and
| that's where the challenge lies. The argument assumes
| that in the long run consumers are more effective at
| rationalizing their choices than the government is able
| to appropriately enforce regulation.
|
| Alternatively, it assumes the cumulative harm created by
| the disconnect between current customer behavior and
| rationalized customer behavior (i.e. prior to their
| rationalizing the status quo) is less than the cumulative
| harm caused by inefficient regulation, including the
| defector's problem mentioned earlier but also other
| negative externalities such as encouraging corruption /
| fraud (which itself requires further enforcement)
| dasil003 wrote:
| Yes, my choice of words was hasty and suboptimal. I meant
| addressing data collection practices via regulation as a
| whole vs consumer choice as whole.
|
| The way you are framing this serves only to reinforce
| talking points from those who are benefitting from the
| current situation. For instance, you're basically stating
| a priori that regulation is expensive and ineffective,
| and as evidence you talk about long tail of enforcement
| and defectors. But the ad revenue market is so
| consolidated you only need to enforce on a handful of
| players (Google and Facebook basically). The idea that
| defectors would then swoop in and create a massive
| enforcement problem is not substantiated. There have
| always been fly-by-night operations in all types of
| business, and they don't gain a huge advantage that
| catapults them to overnight success just because others
| play by the rules. No one is saying enforcement is easy,
| but to assume that it will be fatally flawed if it can't
| be perfectly applied to everyone plays right into the
| hands of those who are profiting from abuse of our data.
|
| Now on the other side framing this as a "customer value"
| problem that will be sorted out by the hand of the market
| is just pure capitalist oligarch koolaid. How do you
| expect customers to have any sense of what data practices
| are behind their every day digital product choices, let
| alone quantify that into a dollar value? And even
| assuming they do all that, where are the market choices
| when everyone behaves this way? Even where there is
| theoretically a choice, many services have a huge network
| effect that makes a consumer's choice all but pre-
| ordained.
|
| We need to have a reality check here. Markets are great
| when they work, but they are not magic and can not solve
| all problems.
| mindslight wrote:
| Most everyone knows the "capitalist's answer". But it's
| specious, as it assumes a large scale check that requires
| P = NP.
|
| In the real world market inefficiency creates local
| maximums, which can then be leveraged to implement
| policy. The most lucrative policies are to make those
| maximums even stickier. Advertising itself is a prime
| example of this - in a perfectly efficient market, once a
| brand became well known you'd think that additional money
| going to advertising would be a waste - causing the
| company to be less competitive and they'd dial it back.
| But instead what saturating advertising actually does is
| crowd out any new competitors that might come along. So
| as a customer, you're effectively overpaying so that you
| can have less choice!
|
| This effect becomes even more relevant as the costs of
| production drop to zero, as an upstart competitor cannot
| get a leg up by optimizing production - in other words,
| the brand itself is a larger component of the "value".
| And on the larger topic, these days large corporations
| are declared "too big too fail" and bailed out by the
| central bank, rather than letting market mechanics assert
| themselves in even the most pressing cases.
|
| Effective libertarianism involves recognizing that
| corporations and government are not dichotomous types of
| entities, but rather that both lay somewhere on a
| continuum of coercion. If the companies offering a
| product or service effectively move in lock step on some
| policy, then your main ability to reject that policy
| consists of going without that product or service. This
| is perhaps easier, but of the exact same vein, as needing
| to physically move to reject specific laws.
| bogwog wrote:
| > The capitalist's answer is that regulating companies to
| prevent them from steering to the most profitable items
| is both impossible to be adequately done and
| prohibitively costly.
|
| True, but only because that's the wrong approach. The
| correct regulations are the ones that result in more
| competition. That's treating the cause rather than the
| symptom.
|
| If Amazon had to seriously worry about competitors, they
| wouldn't be focused on selling overpriced garbage. Why?
| Because customers will notice that Amazon sells
| overpriced garbage, and will instead buy from somewhere
| else.
|
| I don't know what those regulations might look like, but
| I do know that pretty much every single "evil" behavior
| in the market can be solved by throwing in competition.
| It's not always possible (e.g. maybe someone is locked in
| to a single vendor due to a bad contract), but when
| customers are given choices, the choice that offers the
| best value will survive in the long run.
| andrewingram wrote:
| The bit you're replying to here hasn't yet introduced the
| problem of marketing teams.
|
| The kind of tracking in the first section is "understanding
| how people use your product", and is usually introduced by
| the product team, rather than marketing. And most product
| teams i've worked on fiercely fight back against the addition
| of excessive tracking. Whilst the goal of a business (and
| therefore a product team), is _usually_ about maximising
| profits, it 's not exclusively about that. I've worked for
| businesses that literally have a social charter in their
| articles of association, but they still want to measure how
| people use their products.
| jeltz wrote:
| You have been lucky then. At the places I have worked the
| product people have not fought with thech but if anything
| they have fought against tech on this matter.
| andrewingram wrote:
| You're right about luck. Though I should clarify, I
| include tech in the "product team"; and it's usually me
| fighting back :)
| collegeburner wrote:
| Similarly, I want to be able to show my users ads. They're not
| really bad ads, but otherwise I lose money on providing
| service. And then we risk the "youtube paradox": keep showing
| more ads to your ad watching users so they subsidize the
| growing number of ad blockers, but this causes more to use ad
| blockers so show even more ads.
| mediumsmart wrote:
| Can't you just switch out the users for bots that watch the
| ads without adblockers and then gradually switch out the
| content for ads to keep the growing number of bots busy? That
| way you can also show really bad ads without anyone
| complaining. win win.
| choose-another wrote:
| >ethical data collection Oxymoron. Hence your need to prefix
| 'ethical'. >ethically >ethically I am overdosing reading your
| post; rationalise it however you wish, you're well aware of
| what you're doing and it's clear no comment I could make would
| change your mind.
| black_puppydog wrote:
| > the second essential condition that marketing departments act
| ethically
|
| This seems like a pretty strong assumption, given that both an
| engrained culture, lived experience, and an analysis of the
| different parties' incentives stand against this.
|
| Until we have strong (and crucially, really enforced)
| legislation against this, I'd say technical means (blocking JS
| mostly) will be the only thing I'd be willing to bet on.
| [deleted]
| robalni wrote:
| > I don't have a problem with websites measuring what I view,
| click, add to cart or buy. I want them to be able to see what
| doesn't work in terms of user experience.
|
| The problem is not that they measure things. The problem is
| that they enter the user's private area; they run code on the
| user's computer and probably grab information about the user
| too (I don't know exactly how tag managers work because I have
| never used one). It's like if I enter your home and start
| measuring things, the problem is not that I measure things,
| it's that I entered your private area.
| collegeburner wrote:
| No, you are voluntarily downloading and running their code on
| your computer. What you describe is hacking into somebody's
| computer, that is different. Stores take measurements about
| their customers, so do sites.
| matheusmoreira wrote:
| I'm also voluntarily running uBlock Origin whose entire
| purpose is to sanitize their borderline malware code into
| something that I can actually consume. As you said, it's my
| computer and they really need to submit to my will instead
| of finding creative new ways to work around it like some
| malware developer.
| shkkmo wrote:
| > Stores take measurements about their customers, so do
| sites.
|
| When stores use Bluetooth or other tech to track their
| customers movement within their stores, that is also a
| creepy and unethical.
|
| Also "voluntarily" is a complete misnomer as nobody is
| volunteering for this, a more correct world would be
| "unwittingly" or possibly "begrudgingly" depending on their
| level of tech saviness.
| sdoering wrote:
| Well actually it is more like they you are entering their
| store. They are measuring the number of people that come in.
| The number of items (and what items) these people look at.
| Add to their basket. How many stand in line at the cashier
| and how many buy. And how many filled baskets stand in the
| isles at the end of the day.
|
| But - they also could write down the gender of anyone
| entering the shop. Or the hair color. Or they could note down
| the license plate of your car. With whom you arrive. The
| brand of your car. The color. The brands of the clothes you
| visibly wear.
|
| Then they correlate that to the payment method, your Visa
| card, the credit ranking they receive back from visa
| (digitally at least). And so on.
|
| and they measure how often you return.
|
| They could do all of this (and actually a big lot of them
| does) and not only log that for themselves and do whatever
| analysis with it, but also send this data happily to the
| advertising agency that manages the big signs all over town
| so that they can show you additional advertisements for a new
| car, because you have money, but your car is old.
|
| That is were the problem begins. It begins when doing way too
| invasive logging of user attributes that do only marginally
| have anything to do with measuring how the shop (or the
| website) work. And more so when this data is being sent to
| who knows whom in this advertising space out there.
|
| I have no problem with an online store storing the fact that
| I came by clicking on a display ad. Or on an email
| newsletter. Or that I am using Firefox. Or Chrome. And that I
| am on a WIn10 desktop device. Or that I tend to add a lot of
| stuff to my shopping cart, wait two hours and then sort what
| I don't need.
|
| I even do not have a problem showing me additional products
| based on what I looked at in their shop.
|
| But to correlate that with offsite data, sending this to
| advertisers and so on is a no go for me.
| achairapart wrote:
| While I agree with the ethical matter, from what I understand
| Google offered some form of server-side analytics APIs since
| ages[0]. I know, this is different from this new GTM server-
| side thing, but nonetheless it already offered technical ways
| of proxy-tracking data with whatever infrastructure available,
| also circumventing ad-blockers.
|
| This to say that this server-side approach is nothing totally
| new. I'm sure some big business already implemented it, you
| can't just easily notice it everywhere like the client-side
| counterpart. The difference here is that now Google has
| tinkered some ready made solution, using its own
| infrastructure.
|
| Maybe it's also a matter of convenience: It has always been
| mostly trivial to setup some JS to collect this data (often, as
| easy as just pasting a single script tag in your HTML). Once
| you need App Engine, DNS setup, etc not every business will
| likely jump into all this technical burden, and this could slow
| the adoption of the whole server-side tracking.
|
| Or maybe not. Who knows.
|
| [0]:
| https://developers.google.com/analytics/devguides/reporting/...
| kall wrote:
| On the conversion tracking point, because I just wrote a
| privacy policy section on this: I just send the conversion
| event for the ad, but the advertiser almost certainly has all
| the user info tied to that already, right? I can say "not my
| department" but still.
|
| Of course facebook would prefer you just send it all app
| events, in perpetuity, just in case.
| mkdirp wrote:
| > _This would (or at least could) be a data privacy win if done
| ethically._
|
| Most, if not all, tracking is unethical.
| verisimi wrote:
| "Ethical data collection"!
| jacquesm wrote:
| Marketing is almost by definition not going to act ethically:
| their whole goal is to create a need where there isn't an
| organic one, and the KPIs by which marketing departments are
| run are proof positive of that. Nobody starts off with 'what
| would be the natural limit of our product sales', instead they
| start off with 'what is the total addressable market and how do
| we maximize our fraction of that' implying that if you are
| counted in their market that you are fair game whether you like
| it or not.
| slightwinder wrote:
| > Marketing is almost by definition not going to act
| ethically: their whole goal is to create a need where there
| isn't an organic one
|
| That's very single-minded. Marketing mainly informs about a
| product, which obviously also works even if you already have
| the need for it. And it can also help in realizing a specific
| need which the customer has not pinpointed yet. That's the
| whole point of acting ethically, to support, not to bait,
| trap and abuse.
| magicalhippo wrote:
| Indeed. That's exactly what our marketing department does.
|
| Our product helps our customers comply with the law. The
| law created the need, we're just trying to make our
| customers lives easier by assisting them with complying.
|
| So our marketing team focuses on informing potential
| customers what it takes to be in compliance as few are well
| aware of what it takes, and how our product can help with
| that.
| jacquesm wrote:
| Wow, that's quite the self justification story.
|
| Your customers were required to comply with the law,
| whether or not your company exist.
|
| Whether you help them or not is up for debate, what isn't
| up for debate is that you sell them something, which they
| _may_ need but not necessarily so. It 's not your product
| that they need, it is compliance.
|
| Making their lives easier is great: as long as your
| product doesn't mess up, at which point I'm sure your
| terms of service will say something to the effect of
| 'well, sorry, but it was your responsibility after all'
| and 'informing potential customers' typically - in that
| context - takes the form of pressing the fear buttons for
| possibly not being compliant and selling them a solution
| which they may not even need.
|
| Seriously: this is a fantastic example of how being on
| one side of such a story you might lose objectivity, if I
| wanted to know whether your product is useful or not the
| last party I would trust is your marketing department.
| Who would I trust? My lawyer, who I would ask to
| establish whether or not (1) this particular law applies
| to me, (2) the risk of non-compliance outweighs the cost
| of your product, (3) whether the products terms and
| services _really_ protect me or if it opens me up to a
| new level of liability, (4) whether there is a better /
| cheaper product and so on.
| scoutt wrote:
| What would be the utmost, top dream of a Marketing team? I
| think it is to be able to read my mind. Followed by being
| able to project an ad into my retina (if writing into my
| mind is not possible).
|
| If the above is not possible, then they will come to
| analyze my behavior online.
|
| It's truly sad...
|
| Paraphrasing The Godfather 3 "Finance is a gun, politics is
| knowing when to pull the trigger" and I would add
| "marketing is knowing HOW to pull the trigger".
|
| > And it can also help in realizing a specific need which
| the customer has not pinpointed yet
|
| Don't you love cold calls, spam and pop-ups?
|
| Marketing helped to ruin the latest and finest revolution
| of our time, that is, the Internet.
| collegeburner wrote:
| Ridiculous. "Tracking" and your so called "artificial"
| metrics have significantly increased my site's conversions to
| paying users and my users' experience. I did nothing
| unethical in the process.
| medium_spicy wrote:
| - This thread is about marketing. Did you do all of the
| marketing, or did an existing infrastructure perform
| tracking and serve ads for you?
|
| - What data support claims about your users' experience?
| Conversions are not a good metric of user experience.
|
| - People generally have a hard time evaluating the ethical
| merits of things that benefit them. Do you have some kind
| of independent evaluation so support your claim that you
| did nothing unethical? If a politician hires a lawyer as a
| fixer, and pays them to make problems go away with a
| minimum of information returned, is that politician acting
| ethically? If the fixer hires a hitman for that problem,
| does the politician's ignorance of that act constitute
| ethical impunity?
| JumpCrisscross wrote:
| > _their whole goal is to create a need where there isn 't an
| organic one_
|
| This is reductionist. Was telling people about trains and
| cars creating a need where there wasn't one? In a sense. But
| in another sense, it was broadcasting a better way of being.
| Marketing doesn't have to be evil. Saying all marketing is
| evil is sort of a cop out for the people who do it badly.
| ATsch wrote:
| > Was telling people about trains and cars creating a need
| where there wasn't one?
|
| That's a great example actually, because the reason you
| can't get anywhere without a car these days is marketing
| campaigns by the automobile and oil industry. First by
| suggesting the newly necessary road safety standards and
| ridiculing people for being in the street without a car
| ("jaywalking") to the point that it was criminalized, then
| by sponsoring enormous displays about the glorious car-
| dependent future at multiple world fairs (GMs "Futurama"
| holds the attendance record at 5 million visitors to this
| day), shutting down streetcar companies via lobbying and
| acquisitions and eventually even providing the US secretary
| of defense, who then used the defense budget to bulldoze
| inner cities to run highways through them. A development
| that caused the US to have the highest car dependence, car
| ownership and transport emissions of any large nation
| today.
|
| So yes, I think it's fair to say there was a bit of
| artificial need created here.
| sigmaml wrote:
| This view is probably too US-centric. There is a lot of
| the world (including developed world), where people get
| around everyday without relying on cars for everything.
|
| I do not negate your point that marketing has a strong
| component of creating a need where there isn't one. But,
| its success in doing so relies on a strong combination of
| cultural, economic and political backgrounds.
| jonathanstrange wrote:
| Not to speak of a promised sense of freedom you could
| only ever possibly obtain by driving around in the right
| kind of car and smoking the right brand of cigarettes.
| itsoktocry wrote:
| > _a promised sense of freedom you could only ever
| possibly obtain by driving around in the right kind of
| car_
|
| You do realize that having the ability to hop in your car
| and drive wherever you want to go without having to
| report to anyone provides an incredible amount of
| freedom, right?
| shkkmo wrote:
| You do realize that navigating infastucture designed
| exclusively for cars without one has a much larger
| negative impact on your freedom?
| PinguTS wrote:
| You don't need a car for this. You can use trains and
| other means of transportation.
|
| Take a look at other countries. Japan, Singapore, France
| with cities like Paris, Netherlands with cites like
| Amsterdam, which transformed from a car centric city in
| the 1950s to now a very lively city with lots of bikes
| and public transport.
| shakes_mcjunkie wrote:
| Who are you "reporting" to when you catch a train? Also,
| in cars, you're using Google maps which is tracking you,
| you're license plate is fully visible which allows you to
| be tracked, there are ticketing cameras, aerial
| monitoring, tool booths, speed traps... Yea sure pretty
| free.
| itsoktocry wrote:
| > _because the reason you can 't get anywhere without a
| car these days is marketing campaigns by the automobile
| and oil industry_
|
| We aren't all brainless automatons. Not everything is a
| giant conspiracy. Have you considered that there are
| people that actually like cars and find them convenient
| and useful? Cars and the highway system completely
| changed the course of commerce in this country. Sure,
| that has lead to some problems we're going to have to
| correct, but this idea that a bunch of moustache-twirling
| executives sat in a board room figuring out how to force
| cars on people is a bit much.
| ATsch wrote:
| I'm not sure what part of my message lead you to believe
| I didn't think people enjoyed cars?
|
| The problem is that it wasn't enough for cars to be a
| useful tool for those that needed it, but that they
| needed to be a source of endless growth, and marketing
| played a crucial role in that.
|
| There's no need for mustache twirling here. Car companies
| rationally maximized their profit by selling to everyone
| they could, rationally removed barriers to car adoption
| by removing everyone else from the road and rationally
| created new markets for their product by encouraging
| sprawling cities and enormous highways, which also acted
| as a competitive moat. They then disregarded the
| consequences, not because they were evil, but because
| their job was to maximize car sales, not the car's
| benefit to humanity.
|
| All of this is just things working as intended.
| adonovan wrote:
| I was about to reply that this is exactly what happened
| in L.A. in the 1940s and suggest that you look up the
| "Great American Streetcar Conspiracy", my favorite
| example of monopolistic conspiracy. But apparently much
| has changed since I last did that myself, and now the
| conspiracy seems to be little more than... fake news.
|
| Unless of course we're in the midst of a "Great American
| Streetcar Conspiracy"-Conspiracy Conspiracy. ;-)
| shkkmo wrote:
| That is a bit of a misleading way of putting it. There
| was indeed a "street car conspiracy" and it even led to
| criminal convictions. The interpretation that this
| conspiracy was intended to kill off street cars is harder
| to justify since street cars were already struggling in
| the aftermath the great depression andany were bankrupt.
| I do think that the actions of GM et all did accelerate
| the decline of the street car but the urban myth about is
| "Great American Streetcar Company" is generally
| overblown.
| jacquesm wrote:
| Streetcars and public transport in general should _never_
| be run on a for profit basis.
| JumpCrisscross wrote:
| > _public transport in general should never be run on a
| for profit basis_
|
| Japan seems to do fine [1].
|
| [1]
| https://en.m.wikipedia.org/wiki/Rail_transport_in_Japan
| jacquesm wrote:
| Japan is a special case in many ways.
| carapace wrote:
| In this case it was a giant _open_ conspiracy. It wasn 't
| secret.
|
| > a bunch of moustache-twirling executives sat in a board
| room figuring out how to force cars on people is a bit
| much.
|
| That's pretty much exactly what happened. I don't know
| that they twirled their mustaches though, I'm sure they
| all thought they were doing the right thing.
|
| "The Real Reason Jaywalking Is A Crime" (Adam Ruins
| Everything) https://www.youtube.com/watch?v=vxopfjXkArM
|
| It was a classic case of "seemed like a good idea at the
| time".
|
| > Sure, that has lead to some problems we're going to
| have to correct,
|
| That's pretty facile. For one thing more people (in the
| USA) have died directly from cars crashes than from all
| the wars we've fought. For another there's the pollution:
| exhaust is deadly poisonous, tires wear down and shed
| millions of tons of tiny particles of vulcanized rubber
| into the environment, the fuel we burn contributes to the
| Greenhouse Effect, the asphalt of the roads is toxic, and
| there are so many roads and so much pavement that it
| affects planetary albedo. Then there are the
| unquantifiable changes to the social order: streets used
| to be public ways for everyone, now they are the domain
| of the automobile and people are confined to the
| sidewalks for fear of mayhem and death. I could go on and
| on.
|
| I think if an alien landed here and looked around one of
| it's first reactions would be, "WTF is up with all these
| cars!?"
| shkkmo wrote:
| > Have you considered that there are people that actually
| like cars and find them convenient and useful? Cars and
| the highway system completely changed the course of
| commerce in this country.
|
| Cars would have been wildly successful without marketing,
| but the deliberate marketing efforts of car companies
| significantly amped up that demand and pushed us into
| being a society that is unheathily dependant on these
| amazing machines.
|
| > this idea that a bunch of moustache-twirling executives
| sat in a board room figuring out how to force cars on
| people is a bit much.
|
| This "idea" is strongly backed up by the historic record,
| so if this seems like "too much" you really need to
| recalibrate your intuitions with reality.
| Lamad123 wrote:
| There had always been a need to move people and stuff from
| point A to point B and move it fast!!!
| jacquesm wrote:
| > Was telling people about trains and cars creating a need
| where there wasn't one?
|
| People were telling each other about these.
|
| > Marketing doesn't have to be evil.
|
| No, indeed it doesn't. But as a rule it definitely appears
| to be. It's a bit like arsenic: it doesn't have to be
| negative but usually it is.
|
| > Saying all marketing is evil is sort of a cop out for the
| people who do it badly.
|
| If 99% of the people engaging in an activity are doing it
| badly then I'm all for reigning them in, in spite of the 1%
| that are doing a swell job.
| JumpCrisscross wrote:
| > _It 's a bit like arsenic: it doesn't have to be
| negative but usually it is_
|
| This is a good analogy. In stories, arsenic is almost
| without fail evil. In reality, it has use in medicine,
| agriculture and ceramics [1].
|
| > _If 99% of the people engaging in an activity are doing
| it badly then I 'm all for reigning them in_
|
| We agree. And I have no horse in this race. But that 99%
| figure is largely confined to tech-based marketing. The
| people painting print ads and planning PR stunts aren't
| hurting anyone.
|
| [1] https://en.m.wikipedia.org/wiki/Arsenic#Uses
| jacquesm wrote:
| > The people painting print ads and planning PR stunts
| aren't hurting anyone.
|
| You must have missed the cosmetics industry.
| shadowgovt wrote:
| And you might have missed how the cure for polio was
| rolled out so quickly.
|
| https://www.npr.org/sections/health-
| shots/2021/05/03/9887569...
|
| Marketing is a tool. It can be misused. It can also be
| used for good. In fact, now that I raise the point, I
| wonder why nobody's thought to use ad microtargeting for
| COVID-19 vaccine campaigns yet.
|
| They probably have and I just haven't noticed, because
| when good marketing's working it tends to be invisibly
| transparent.
|
| If I may: I think your larger problem is really that most
| _product_ is crap, and marketing 's job is to put product
| in front of people whether or not it's crap. Maybe we
| should be doing something about crap product instead of
| advertising of crap product?
| jacquesm wrote:
| The polio vaccine serves an actual need, and if you're
| not selling something I would refrain from using the word
| marketing.
|
| As for the marketing of 'good' products: even marketing a
| good product comes with the implied 'right to market',
| where possibly none exists. You could get people hooked
| on very high quality vehicles for short trips because of
| convenience when the alternative, a bike, or even walking
| are perfectly acceptable. But if all your neighbors have
| been sold on the car then the message is that you can't
| be seen to be left behind, and that is a problem.
| Harnessing peer pressure for gain is an important element
| of marketing, which _rarely_ is positive in nature, but
| usually tries hard to push people to feel inferior based
| on not using /owning a particular product.
|
| And that's for a high quality product. Marketing is all
| about changing perceptions, to turn the unpalatable into
| something desirable and to turn the things you don't need
| into the things that you must own to be happy or to feel
| complete.
|
| I used the cosmetics industry as an example because
| they've turned this into a veritable industry: people are
| made to feel terribly unhappy, to the point of in some
| cases committing suicide on the strength of marketing
| aimed squarely at making them feel inferior. This is
| revolting.
| shadowgovt wrote:
| > The polio vaccine serves an actual need, and if you're
| not selling something I would refrain from using the word
| marketing.
|
| Then I believe basing policy off your definition of
| marketing would require first a tribunal to decide if
| something is "marketing" or... Whatever the polio
| campaign was. Because the national, then international,
| polio eradication project absolutely included perception
| and behavior modification.
|
| Polio was only paralytic to a fraction of a fraction of
| its victims. For most, it was a bad bout of diarrhea and
| several bad days. And the vaccine (unlike the safer
| designs we have now) was either killed virus or half-
| killed live strain; in one terribly unfortunate batch, it
| _caused polio._ People had legitimate reason to believe
| things were good enough as-is (after all, most everyone
| had either gotten and survived polio or knew someone who
| had, with far, far fewer "Uncle Harry got it and he's in
| an iron lung" stories by volume) and getting some
| (possibly still-active) vaccine shot into their arms was
| going to be a bad long-term decision.
|
| Against all of that, the March of Dimes did a _huge_
| amount of work to get people to go against their
| inclinations and the evidence available to their eyes to
| move polio from an "everybody eventually gets this"
| common environmental risk to a "makes the news"
| occasional outbreak. It's a brilliant success story of
| perception adjustment, on par with Colonel Stapp's
| crusade to make the seat-belt mandatory (speaking of
| which... http://persuasion-and-
| influence.blogspot.com/2015/02/wear-se...).
|
| > Marketing is all about changing perceptions
|
| No disagreement here. Sometimes, it's used to help people
| believe that the world can be other than it is, if we
| only all change our behavior to make it so.
|
| > I used the cosmetics industry as an example because
| they've turned this into a veritable industry: people are
| made to feel terribly unhappy
|
| No disagreement that cosmetics is full of bad actors and
| bad action, but people were putting eyeshadow and rouge
| on back when the closest thing we had to marketing was
| some statues declaring that a dead pharaoh was a cool guy
| (with the name scribbled out and replaced by some other
| dead pharaoh's name). I submit to you the humble
| possibility that people don't doll up because they're
| compelled by advertisers to do so (though I've no doubt
| advertising plays a huge factor in the way they choose to
| doll up).
|
| > even marketing a good product comes with the implied
| 'right to market', where possibly none exists
|
| The right to freedom of speech isn't universal, I agree.
| I submit that we do more harm than good trying to split
| the hair on deciding when something is freely-offered
| speech and when something is marketing, however. Good
| luck squaring those circles without getting eerily close
| to "prior restraint on open communication of ideas."
| jacquesm wrote:
| > Then I believe basing policy off your definition of
| marketing would require first a tribunal to decide if
| something is "marketing" or... Whatever the polio
| campaign was.
|
| Let's just use the dictionary definition and save
| everybody a lot of time:
|
| "the process or technique of promoting, selling, and
| distributing a product or service"
|
| So I think the polio campaign doesn't have to be hauled
| in front of a tribunal (is that a new thing? I see this
| term used more and more for things that it has nothing to
| do with) to prove its worth.
| shadowgovt wrote:
| I think we'll simply have to agree to disagree, because
| we're seeing the same facts and reaching different
| conclusions. The polio campaign included heavy use of
| marketing. Its story demonstrates that marketing isn't
| intrinsically bad; it can be used to bad ends. And any
| policy separating the baby from the bathwater in this
| regard will, I think, be a major challenge to implement
| correctly without risking making something like the polio
| campaign illegal.
|
| Polio vaccination had to be sold as a concept. The public
| had to be taught, cajoled, coerced, and door-to-door-
| campaigned to volunteer to get stabbed with a cocktail of
| virus parts to protect them from a disease that hardly
| ever proved fatal or permanently debilitating. They had
| to be told their friends were doing it, their neighbors
| were doing it, all the "cool kids" were into it.
|
| It looked like this:
|
| https://pbs.twimg.com/media/E1XpNTjWQAIRb_y.jpg
|
| https://cbsnews1.cbsistatic.com/hub/i/r/2013/03/26/20d592
| 9c-...
|
| https://www.neh.gov/sites/default/files/styles/1000x1000_
| squ...
|
| There were, of course, additional circumstances (having a
| President that is visibly impaired by the disease, though
| his people did their best to hide it, certainly
| mattered), but the March of Dimes _absolutely_ promoted,
| sold, and aided in distribution of a service. Hell, the
| name March of Dimes was coined as a more marketable name
| than "National Foundation for Infantile Paralysis"
| because they were trying to convince everyone to chip in
| 10 cents to pay for the project
| (https://www.marchofdimes.org/mission/eddie-cantor-and-
| the-or...). It's every bit as much a sell as Sarah
| McLachlan showing up and singing over pictures of very
| sad puppies is today.
|
| (And to be clear... Thank God it worked. It's great to
| live in one of the decades where my fear of polio is
| practically nil. But the point is: without marketing,
| none of that was a given. People didn't just wake up one
| day and go "I'm going to go get stabbed by a stranger
| with a needle full of disease-juice..." a vast marketing
| campaign _convinced_ them that was the right thing to do.
| Same techniques that were being used to convince them
| they should drive to the injection site in their shiny
| new Ford because walking was for suckers).
| jacquesm wrote:
| I would much sooner label 'the march of dimes' a charity
| and a PSA than marketing, but each to their own. Also:
| note that exactly those things are trotted out by the
| marketing people to prove that "hey, marketing isn't all
| evil" when actually they have to reach back _decades_
| into history for an example that people will recognize
| and that has nothing to do with selling un-necessary
| stuff, which is the thing they are as a rule heavily
| engaged in.
| mbesto wrote:
| > People were telling each other about these.
|
| I've seen this argument a lot, especially by technically
| minded folks.
|
| When you say "telling each other" what do you mean
| exactly? Do you think businesses just magically get
| talked about with zero investment in marketing dollars?
|
| I get the sense that lots of people in the HN community
| don't realize when they read an article from <insert tech
| company engineering blog> that this is marketing dollars
| at work.
|
| > But as a rule it definitely appears to be.
|
| By your "rule", sure. I understand the gripe with
| marketing from the consumer perspective, but pretending
| is inherently evil because it (1) invades your personal
| attention and (2) you think people are going to
| organically talk about products or services they don't
| know exist is a pretty myopic view of marketing as a
| whole.
| jacquesm wrote:
| > When you say "telling each other" what do you mean
| exactly?
|
| I don't think we need to discuss the meaning of words
| that are in the top 5000 commonly used dictionary words
| here.
|
| > Do you think businesses just magically get talked about
| with zero investment in marketing dollars?
|
| Yes. It's called word-of-mouth and it is how it has
| always been done.
| mbesto wrote:
| > I don't think we need to discuss the meaning of words
| that are in the top 5000 commonly used dictionary words
| here.
|
| Good. We're on the same page then. Snarky response not
| required but okay.
|
| > Yes. It's called word-of-mouth and it is how it has
| always been done.
|
| I don't know where to start with how to respond, but I'll
| bite:
|
| Let's magically go back to the gold rush in the US.
| You're traveling from New York and arrive in San
| Francisco. You know nothing about products and services
| in that market. You walk into town and look for a general
| good store to buy some water. You ask a guy on the corner
| where the general store is and so you find the general
| store based on his help. Okay, so word of mouth. You want
| to prospect some gold and know you need to buy a pan.
| There are two gold prospecting material vendors in town,
| Gold Supply Inc and Acme Gold (but you don't know this
| because you're new to town). You walk through town
| looking for a vendor and notice a guy with a megaphone is
| yelling to the crowd about Gold Supply Inc offering
| better prices on pans. He is paid by Gold Supply to do
| this. This is marketing/advertising.
|
| So, no, this is not "how it's always been done" and its
| inconceivable to think any modern company doesn't spend
| money on advertising/marketing. I understand the
| grievances about having hundreds of thousands of
| megaphones in your face 24/7, but let's stop pretending
| the world's marketplaces can operate efficiently on word
| of mouth alone because that's what you're implying.
| jacquesm wrote:
| > You walk through town looking for a vendor and notice a
| guy with a megaphone is yelling to the crowd about Gold
| Supply Inc offering better prices on pans.
|
| Which may be true. Or not. And they may be crappy pans,
| or not. And that's my point: all that yelling just
| muddies the water, it's like a mountain of 'fake reviews'
| and no way to pick up the signal any more because of all
| of the noise. Marketing mostly lies.
| mbesto wrote:
| I don't understand your point?
|
| You think that the average person:
|
| - Be fully educated on every product and service
| available to them in every market they encounter
|
| - Spend the time to speak to N amount of people via word
| of mouth and understand how many N amount of
| conversations are required to have the confidence to buy
| the best product (in terms of value, feature set, price,
| etc.) for the item they're looking for
|
| - Discover products and services that they didn't know
| existed but may solve their problem in a novel way
|
| All without any marketing/advertising interaction? And
| that this is somehow going to magically make buying
| decisions more clear (i.e. not muddy)?
|
| Sorry but that is hilariously out of touch with
| reality...
| jacquesm wrote:
| > I don't understand your point?
|
| and
|
| > Sorry but that is hilariously out of touch with
| reality...
|
| are incompatible with each other.
| mbesto wrote:
| I posed a bunch of clarifying statements to understand
| your point and instead of responding to them that's how
| you respond? Weird.
|
| I respect most, if not all, of your viewpoints on HN
| (even if we disagree), but dodging the meat of my
| questions and clarifying statements isn't helping with
| your argument.
| jacquesm wrote:
| That's fine, but I think that if you don't understand
| someone's point then your best bet is to ask, not to
| extrapolate.
|
| I'm not dodging anything here, it's just that it makes
| responding much harder because now instead of
| clarification we're off on some wild goose chase.
|
| It's ok with me if you don't believe that people got by
| just fine before marketing became a weapon in the armory
| of companies that all compete for the same market because
| traditionally the reach of companies was fairly limited
| due to the cost of transportation. But (mass) marketing
| as a profession is a relatively recent invention, as are
| companies with global consumer reach.
|
| The availability of 30 brands for the same niche is what
| drives one form of marketing ('we're better than them',
| when in fact the products are most likely at best at
| parity). The other is that plenty of 'need' is merely
| marketeers pushing jealousy buttons, something that you
| don't need to do if there is a genuine need for a
| product.
|
| All that marketing and advertising is in the end an arms
| race and a big contributor to overproduction and
| overconsumption. The thing that needs marketing the most
| is probably the thing that you need the least.
| [deleted]
| carapace wrote:
| > Do you think businesses just magically get talked about
| with zero investment in marketing dollars?
|
| Yes. It's hardly magic. If some business or service
| provides a great value or "a better way of being" people
| naturally get excited and tell their friends. I'm not a
| domain expert but my understanding is that these organic
| word-of-mouth referrals and recommendations are waaaaaay
| more effective than any other form of marketing. The
| other organic thing that happens is when people realize
| they have a need and ask their friends for referrals and
| recommendations. It works great _if your product is
| great_.
|
| If you can't develop and sustain word-of-mouth
| organically then you have to use other less efficient and
| more coercive means. Deliberate marketing is commercial
| propaganda. Someone wants to put their hand in my wallet
| and is deliberately using professionally-design
| artificial media to trick me into letting them.
|
| Your example of the barker with the megaphone is noise
| pollution and a waste of a human being. But you can go
| much further back. It was decadent when the Romans did
| it, and it was decedent when we San Franciscans did it,
| it's decadent today.
|
| > its inconceivable to think any modern company doesn't
| spend money on advertising/marketing
|
| You can't conceive it, maybe, but I can. There are worlds
| without advertising/marketing. There are marketplaces
| that operate efficiently on word of mouth alone. You
| might not believe me, but it's true, and from those
| worlds our modern advertising/marketing mania seems like
| a madness.
| GoblinSlayer wrote:
| Marketing is basically hacking, so yes, it doesn't have to
| be evil. Apparently there are a few white hats.
| Mezzie wrote:
| As a 'white-hat' marketer (I work for some place that's
| similar to Vote411/ The League of Women Voters and I
| initially started in library outreach; I don't think anybody
| would consider my work unethical), the issue is the need for
| constant growth and profits.
|
| You can do cool and interesting things in marketing and
| outreach and there are actual use cases for them. For
| example, libraries often carry unconventional items, and
| making the community aware that they can borrow a sewing
| machine/get seeds to plant/get museum passes is technically
| marketing and 'creating' a need, but it's not exploitative.
|
| It's a very similar situation to dev work in that if I were
| willing to chuck my ethics out the window, I would make a lot
| more money, and marketing people do also like money.
| jacquesm wrote:
| The implicit observation that there is such a thing as a
| white hat marketeer relegating the remainder to black hats
| is an astute one.
|
| I would rephrase the one as raising consciousness about
| important issues, and leave the other one under the label
| marketing, which to me is limited to commercial enterprises
| and indirect money grabs, a lot of which is related to
| politics and creating artificial divisions in society (the
| 'haves' vs the 'have nots' and so on).
| etempleton wrote:
| Most people only see 1-2% of what a marketing department
| does. The primary goal of a marketing department is to inform
| and present information in a clear and attractive manner. A
| good marketing department is also an advocate for what the
| consumer wants based on research and consumer feedback.
|
| Are there bad actors in marketing. Yes. A lot. Marketing
| agencies are full of them. Agencies, to generalize, only care
| about short-term results and selling the client on the next
| big idea. They won't be around or have to live with the
| repurcuions of their bad actions. In fact, the clients are
| their customer and so they don't really care about the
| client's customers at all so long as the client is paying
| them. They just need superficial numbers to go up to show the
| client. They are screwing over the client and customers are
| unfortunately collateral damage, but the agencies, again,
| don't really have to deal with that.
|
| A lot of the most anti-consumer tactics do not work in the
| long-run. Most consumers aren't so easily tricked into buying
| a product today and they most certainly won't be tricked
| twice. It doesn't take too long--usually--for the snake-oil
| salesman to get run out of town. They just do a lot of damage
| while around.
| slx26 wrote:
| Even when recognizing that there are a lot of bad actors in
| marketing, that's still an extremely over-optimistic
| perspective: at some point, tricking people becomes easier
| than improving the products, value propositions become
| muddier, and snake-oil starts to be used as the lubricant
| for business relationships. Only the most obvious offenders
| get run out of town, while most evolve and get to raise the
| new normal boiling point; as long as refining the snake-oil
| is cheaper than refining the actual products, the situation
| keeps getting worse.
|
| Either the dynamics work in favor of the people, or they
| don't. That we continually mistake the comfort of our ships
| with the state of the sea is just the blessing and tragedy
| of our ignorance.
| matheusmoreira wrote:
| > marketing departments act ethically
|
| Impossible. All marketing is inherently unethical. _At best_ it
| 's got massive conflicts of interest everywhere: who trusts the
| opinion of someone who's being paid to say good things about a
| product or service? I want to talk to real humans with real
| experiences and real opinions, not paid for ads and
| testimonials.
|
| Marketing at its worst is kind of an undefined thing because
| they reach new lows every day, there's no limit they won't
| cross. It's gotten to the point I consider advertising to be
| abuse if not mind rape. We don't tolerate people assuming they
| have arbitrary access to our bodies, and our attention and
| cognition are absolutely part of our bodies and deserving of
| respect.
| danielmorozoff wrote:
| Forgive me if this is ignorant. Wouldn't an adblock simply need
| to inject an impersonation payload into the page, so the report
| would send incorrect attribution to the proxy server?
| sdoering wrote:
| In case of Google it could be (initially) quite simple.
| Randomly change um-Parameters, gclid-Param and the like. This
| would at least make marketing tracking more "interesting".
|
| Years ago there was an extension that did that for GA and Adobe
| Analytics at least.
|
| But that would only be an arms race. We (analysts and marketing
| agencies) would obfuscate the params we use and switch that in
| the server side container.
| kajal7052 wrote:
| PeterisP wrote:
| That's why we need generic legislation without consideration of
| specific technologies, restricting the general goals, not just
| one particular way to achieve them. GDPR would forbid this
| tracking without opt-in consent - the fact that you have the
| technical ability to effectively handle tracking information
| server-side without support from the user/browser (as for
| cookies) does not imply that you have the right to do so.
|
| We don't have to win a technical fight, we have to ensure that
| privacy-invasive tracking is not profitable because all the major
| legitimate megacorp advertisers throwing billions at internet ads
| are prohibited from using that.
| sdfjkl wrote:
| So now Adblockers need to become like anti-virus software,
| heuristically determining a piece of Javascript as undesirable.
| The arms race will continue.
| antifarben wrote:
| Actually this article strengthens my believe that adblockers will
| even become more essential. I mean, even if the server decides to
| send some ads, the client doesn't have to show them. Or am I
| missing something?
| dartharva wrote:
| The client won't be able to distinguish between ads and actual
| content on the website if both come from the same source.
| bruce343434 wrote:
| machine learning to the rescue!
| _flux wrote:
| As long as the countermeasures are public, the advertisers
| can also automatically react to them, if they put enough
| effort in it e.g. in the form of preparing alternatives
| ahead of time.
| HHC-Hunter wrote:
| Not sure where you got that from the article, in-fact I get the
| inverse.
| soheil wrote:
| I always wondered how much negative revenue the adblock extension
| is generating for Google. It must be in the billions. Crazy to
| think a simple extension can be involved with that much money.
| avodonosov wrote:
| But how can it perform cross domain tracking? The main site can
| only share with "Tags" the user information from the main site.
| waynesonfire wrote:
| this is great. to block this shit it's now just necessary to
| disable the "tag container" instead of tracking hundreds of
| javascript / URLs.
| ho_schi wrote:
| TLDR I'm fine without JavaScript? I've the impression that
| JavaScript is worse than ever assumed during early 2000s. I don't
| criticize the language it is the actual usage scenario which was
| bad for people and got even worse. Web 3.0 should be server side
| _again_ with interactive code at all in browser. No interpreter
| on your computer should ever execute foreign code.
| sidcool wrote:
| Should add 2020 tag to this article to reflect its date.
| eru wrote:
| > How has Google been able to impose itself again? As with Google
| Analytics, the standard version of Google Tag Manager is free
| (market solutions are generally paid), it is very well integrated
| with other Google solutions and it is well done.
|
| Not sure what they mean by 'market solutions' here?
| peer2pay wrote:
| I'm not too familiar with the space but this sounds very similar
| to the solution Cloudflare acquired a few months ago called
| 'Zaraz'.
|
| Looks like this really will be the next level of user tracking.
| pixeldetracking wrote:
| d--b wrote:
| Did anyone actually look into the details?
|
| It's likely that we can still block this. My thought is: either
| the link between the frontend and the proxy is completely up to
| the developer, which means that developers can write whatever
| they want between the proxy and google. Possibly opening the
| doors to the proxy sending fake data to google - which I assume
| Google wants to avoid. Or the data that is being transmitted is
| encrypted somehow in the browser so that the proxy can't fiddle
| with it.
|
| A smart browser extension could be able to figure out that some
| encrypted data is being transmitted, no?
| viraptor wrote:
| Fortunately, as bad as this is, I don't believe many companies
| will implement the worst version of it. (Server side + subdomain
| + different name scripts)
|
| The reason is that we had server-side analytics available for
| years and virtually every big website still implements the
| clientside part. If they can't be bothered with that, I don't
| expect they'll move the whole tag manager any time soon.
| pixeldetracking wrote:
| Cloudflare Zaraz seems to be an easier option unfortunately
| https://twitter.com/pixeldetracking/status/14957193559879434...
| sdoering wrote:
| I have to agree. Working as consultant/data analyst none of the
| clients I know (most of them on the paid 360 version) are
| anywhere near to switching.
|
| Complexity as well as the price tag for the proxy is keeping
| (even is it would be just a fraction of the 360 bill) keep them
| from jumping. But mostly the complexity and effort for the
| migration.
|
| If the were to start from scratch they would probably go for
| it.
|
| Additionally most data privacy departments actually have some
| influence nowadays. They would not stand by if marketing were
| to implement this and not honoring consent.
|
| But there will surely be black sheep.
| atoav wrote:
| An obvious GDPR violation. So obvious, that you could think they
| are getting desperate due to the latest developments around
| Google Analytics and Google Fonts.
|
| Don't be evil.
| windex wrote:
| I should go back to Lynx.
| pbd wrote:
| wow. insane.
| noduerme wrote:
| Ok. MotherFuckers be pirates. Does this affect me?
|
| I have a dozen or so websites for clients running the normal
| google analytics script on those pages. This article is hard for
| me to parse, but, it just sounds like the idea of keeping some
| session alive and serving it off the same backend (if the same
| backend is calling google...?)
|
| I'm probably not understanding what's going on here or how it
| would affect independent web devs or privacy towards users of our
| sites (even if we use analytics). Someone explain how this leaks
| my users info if I don't integrate with any google apis on the
| back...(?)
| GrifMD wrote:
| I'm actually in this industry! So Server Side GTM (SS-GTM) is
| still relatively new and a bit limited in the number of
| integrated partners.
|
| GTM in itself doesn't do any tracking, not even Google
| tracking, its just a manager. So hypothetically you could use
| GTM or SS-GTM to listen for clicks on a purchase button and
| then send a hit to your own URL with your own user identifier
| (or none at all). Google wouldn't record this anywhere. If you
| add Google Analytics or Google Marketing tags into your GTM
| container, then Google would store that data in their
| platforms.
|
| The real concern with privacy advocates is that you lose
| transparency with SS-GTM. When you run client side GTM, you can
| see hits going off to Google Marketing, Facebook, etc when a
| site has implemented those tags, and you could use ad block to
| prevent those network requests.
|
| SS-GTM would only show a request going to client.com/track (or
| wherever GTM has been set). The privacy benefit is that
| Facebook and the like cannot set their own 3rd party cookies to
| track you across the web, however Facebook allows advertisers
| to pass in hashed PII (like email addresses) to match with
| users in their database, so if you're logged in via email,
| hypothetically Facebook could be linking interactions to you. I
| have seen very few companies do that yet though, as it's more
| complicated to setup that most things and marketing teams
| aren't usually made up of engineers.
| noduerme wrote:
| Thanks! I'm still not sure what the privacy danger is,
| though. When a customer clicks a checkout form on a site
| that's usually via a Stripe or Square form, but we do capture
| a receipt on the backend. If I wanted to, I could send that
| data to Google now through the tracking API. I don't need to
| since we log it all locally on the server. Aren't we just
| talking about another way to inform Google if a page is hit,
| with some session variable, which would be totally optional
| to the webmaster?
| pabs3 wrote:
| The only reasonable way to interact with the modern web is to
| disable everything by default including images, cookies, CSS,
| JavaScript, video, frames etc and then develop strategies for
| interacting with each website. Either in the browser or in
| reimplemented frontends like nitter/bibliogram or externally
| using things like yt-dlp, gallery-dl, woob etc.
|
| Edit: oh and only contact the web via Apple private relay or Tor
| etc.
| YaBomm wrote:
| BugWatch wrote:
| I completely agree, most of the Major Websites (TM) are as
| user-hostile as it gets. But, the "bypasses" (to try to
| encircle all approaches with a single term) would require
| constant vigilance and updates, the ever-lasting game of cat &
| mouse, not to mention possibility of lawsuits or other
| shenanigans by the said Websites.
|
| Honestly, I'd donate certain amount every month and support the
| effort, if it was a very wide-service/website encompassing, and
| would give logical end-user easily/very customizable behaviours
| within options, easy for the everyday Joes, and that it
| wouldn't treat its power users as garbage.
|
| And here's an idea for a starting recipe for every website: a
| library of set of actions that would run on the first visit and
| would result in decline/block for each and every cookie
| category and "partner" (and no, there is no such thing as
| "legitimate uses", GTFO), since most websites either roll their
| own ot customize some existing solutions (from what I see), but
| usually invert/dark pattern options and choices to a certain
| degree (usually "to hell").
| kryps wrote:
| Can we have " (2020)" added to the title?
| Karen48 wrote:
| pl0x wrote:
| nickreese wrote:
| This sort of thing has been hand rolled for at least 10 years in
| the affiliate space for super accurate tracking/commission
| attribution.
|
| This has always been the endgame. It is also common to name the
| reverse proxy file things like jquery.js which no sane adblocker
| would block.
| jeroenhd wrote:
| This kind of data collection abuse is why I think we need more
| addons like AdNauseam [1]. Unlike uBlock Origin, it's not
| available from the Chrome web store anymore, which is a good sign
| that Google hates these types of addons more than they hate
| simple blockers.
|
| Blocking A/AAAA domains with custom URLs to prevent tracking is
| almost impossible, so instead let's flood the trackers with
| useless, incorrect data that's not worth collecting.
|
| [1]: https://addons.mozilla.org/en-US/firefox/addon/adnauseam/
| Const-me wrote:
| Interesting idea, installed the addon.
|
| I'm using MS Edge BTW, Microsoft doesn't care about Google's
| advertisement revenue, the addon is available in their
| marketplace.
| sizzle wrote:
| Will pihole automatically protect against A/AAAA domains if
| your blocked domain host file lists are updated regularly?
| ashtonkem wrote:
| My experience is that Pihole has been getting less effective
| over time as more and more ads are being run through the same
| domain that legitimate content is. When I first installed it
| it killed ads on my Roku, that doesn't happen anymore.
| sizzle wrote:
| What apps on your roku? I had to whitelist a Hulu domain
| cause it froze when trying to load ads during commercials
| for example, but when I look at the logs it's blocking a
| ton of telemetry and phoning home 24/7 by Roku and Alexa
| devices.
|
| Are you regularly updating your ad blocking filters? When
| ads start showing up on my phone I know it's time to go hit
| the update button.
| walterbell wrote:
| Since this extension actively clicks on ads which may trigger
| payments, how do ad-fraud services classify endpoints running
| this extension? Could they consider this malware and add the
| client IP to blacklists?
| ohgodplsno wrote:
| With a bit of luck, it gets server owners banned from
| AdMob/MoPub/etc for fraudulent clicks.
| matheusmoreira wrote:
| > Could they consider this malware and add the client IP to
| blacklists?
|
| Do malware developers consider the countermeasure softwate
| created to resist them to be malware as well?
| rplnt wrote:
| If we were to split what malware does into Infection
| (getting into the system), Avoidance (hiding from system,
| AV, or attacking AV) and work (sniffing, sending spam,
| etc..) then the Avoidance would be by far the biggest and
| most complicated (and most interesting) category.
| GoblinSlayer wrote:
| They absolutely do.
| ratww wrote:
| Good. If it is a shopping or some other service that charges
| money, then they lose business.
|
| If it is some service that you have no choice but to use, but
| relies on network effects (like Facebook Events), then you
| can just send a screenshot to the interested party and they
| Might consider not using a service that is broken for other
| people.
| danuker wrote:
| Sure, and perhaps also the accounts of users running this
| while logged-in. Have contingency plans if you run this and
| your, say, GMail account is blocked.
| malka wrote:
| it is precisely why I degoogled my life.
|
| I did not want to live under the constant threat of big G
| locking me out of my own life anymore.
| User23 wrote:
| Anyone still using gmail today for anything other than
| throwaway purposes is behaving foolishly.
| analog31 wrote:
| What's the jellybean alternative these days?
| surajrmal wrote:
| You sound like you are living in a bubble. This is like
| asserting anyone who owns a car is being foolish.
| foxfluff wrote:
| I lost my gmail account a decade ago. Since then, year
| after year, I've been watching people suffer the same
| fate with gmail, youtube, google play, etcetra. There's
| always someone who won't believe that google can screw
| you over all of a sudden. There's always someone who will
| be surprised, always someone who thought it couldn't
| happen to them...
|
| I don't know what else I can say. It's a shame I haven't
| been maintaining a list of all incidents I've come
| across.
| jeroenhd wrote:
| I wish, but I haven't stopped receiving ads yet.
| [deleted]
| soheil wrote:
| I feel like the reason you initially used a strong word like
| _abuse_ is to distract from the same behavior the blockers you
| mention engage in. Spamming Google event services and
| "flooding" them with garbage is surely considered to be in the
| abuse category at least if you're not an avid anti-ad
| proponent.
| malka wrote:
| They simply have to stop shoving ads down my throat, if they
| do not want me abusing those same ads.
| unicornporn wrote:
| That's cool, but it's only going to save the 1% that knows how
| to bend the internet to their will. What we need is
| legislation, like this:
| https://www.theregister.com/2022/01/31/website_fine_google_f...
|
| That would actually make difference, not only for the HN crowd.
| matheusmoreira wrote:
| Completely agree. Stuff like uBlock Origin is just online self-
| defense against hostile megacorporations. Maybe it's time we
| started going on the offensive by poisoning their data sets
| with total junk data with negative value. They insist on
| collecting data despite our wishes? Okay, take it all.
| samstave wrote:
| I Like the cut of your jib, and I would like to subscribe to
| your newsletter.
| [deleted]
| cobbzilla wrote:
| Can uBlock do payload inspection? It would be easy to block an
| upstream json POST that matches a certain structure.
| consumer451 wrote:
| I am very interested in this, thanks for sharing.
|
| Adding another party into my web browsing is always a tough
| pill for me to swallow. I am also a noob at reading trust
| signaling. What are some of the reasons that I should trust
| this dev and their processes?
| jeroenhd wrote:
| You should put the same amount of trust in this dev as you
| should in any other. I myself trust Mozilla's store reviews
| enough to run the addon, but if you're more conservative with
| trust, you can inspect the source code and build the addon
| itself.
|
| The addon comes down to a uBlock Origin fork with different
| behaviour. I believe most of the addon code is actually the
| base uBlock code base.
|
| I haven't seen any obvious data exfiltration in my DNS logs,
| but then again I'm just another random on the internet. If
| you don't feel comfortable installing something with a
| privacy impact as broad as an ad blocker, you should
| definitely trust your instincts.
| danuker wrote:
| You should not trust them. You can download the add-on and
| inspect it yourself, if you know some JS. Right-clicking
| yields this URL:
|
| https://addons.cdn.mozilla.net/user-
| media/addons/585454/adna...
|
| But it seems to include a lot of code, including some uBlock
| Origin code.
|
| Either way, this kind of sabotage might get you banned on
| Google. Be mindful of the risks, and have contingency plans.
| toss1 wrote:
| Yup. I've used NoScript for years, and one of the most
| frequently appearing sites that remain blocked is
| googletagmanager.
|
| I totally second the sentiment that this is merely minimal
| defense against hostile 'service providers'.
|
| This avalanche of tracking libraries is now almost as toxic as
| email spam in its worst-controlled days. Much of the internet
| is literally unusable, as pages take dozens of seconds to
| minutes to load - on a CAD-level laptop that can rotate 30MB
| models with zero lag.
|
| In fact, does anyone have a blacklist of trackers that we can
| just blackhole at the HOSTS file or router level? Maybe time to
| setup a pihole?
| GoblinSlayer wrote:
| In my experience the most popular noscript trackers are
| googletagmanager and facebook, so with just two domains you
| can get a lot. But e.g. bloomberg uses full first party proxy
| for facebook pixel with pseudorandom base url, it's difficult
| to block even by url; I suspect they duplicate the page
| request to facebook too, but this is unobservable on client
| side. Hopefully this solution doesn't scale well.
| troyvit wrote:
| This is my go-to: https://github.com/StevenBlack/hosts
|
| It helps a lot.
| y42 wrote:
| I worked for a agency a couple of years ago, when, out of the
| blue, tracked data contained tons of random data instead of the
| expected UTM parameters. It took us a while to figure out what
| was happening. It was some kind of obfuscating plugin that was
| messing up well known tracking parameters.
|
| What I want to say is: stuff like that could actually cause a
| lot of fun on the other side.
| malermeister wrote:
| Does anyone know which addon that might've been? Seems like a
| good addition to adnauseam.
| [deleted]
| manigandham wrote:
| There is nothing new about this at all. Websites can collect data
| and forward it on the backend since the dawn of the internet.
| Google Analytics has an HTTP API [1] for sending events that's
| used by plenty of large sites. Consolidating event collection and
| forwarding to various sources is a large SaaS category with
| several billion-dollar companies, and one of the biggest success
| stories is Segment from YC [2].
|
| In past adblocking discussions, many users mentioned that they
| were fine with ads if they were served by the 1st party without
| data leakage, but the entire issue is that 1st-party on a
| technical basis has no bearing on the custody and access of the
| data itself. The only serious way to protect privacy is through
| legal doctrine that regulates collection and sharing. Browser-
| based adblockers were always a short-term technical bandaid to a
| much broader surveillance problem, but the real solutions take
| much more work.
|
| 1.
| https://developers.google.com/analytics/devguides/collection...
| 2. https://www.ycombinator.com/companies/segment
| pixeldetracking wrote:
| There is nothing new for the few experts out there (yes Segment
| has been doing it, yes others also, yes you can do it
| yourself). But Google proposes it, well, the adoption is not
| the same...
|
| I agree with you on the legal doctrine
| paulcarroty wrote:
| For sure, guess it's why Brave block it.
| UltraViolence wrote:
| But isn't GTM easily foiled by blocking the domain in NoScript?
| anxrn wrote:
| Wouldn't it be possible for a potential client-side blocker for
| this to intercept the gtag() method invoked on the client side
| ("Tag Manager web container"), even if that function is provided
| by a script hosted on the website owner's domain, as Google
| recommends[1]?
|
| [1] https://developers.google.com/tag-platform/tag-
| manager/serve...
| gigel82 wrote:
| Highly doubtful the method would continue to be called "gtag";
| any js bundling / minification would replace that with a
| randomly generated string, and it's just as easy to randomize
| the server-side api endpoint url, making this virtually
| impossible to block (maybe a pattern analysis on the data being
| transmitted, but that can also be encrypted with random
| algorithms and keys, beyond recognition).
| totony wrote:
| ML is already applied to spam mail, maybe it could be applied
| to JS runtime behavior to detect this kind of tracking. Fight
| ML analytics with ML
| EamonnMR wrote:
| There's an asymmetry nat play here though. You're now
| burning battery to block stuff.
| pixeldetracking wrote:
| it will be called differently indeed, it's already there:
| https://www.simoahava.com/analytics/custom-gtm-loader-
| server...
| anxrn wrote:
| Yes, it can surely be obfuscated, but ultimately there will
| be a client-side function with near-identical functionality
| prevalent all over the web. It's harder, but seems possible
| to build an extension to identify this function.
| chillacy wrote:
| Taken to its logical conclusion, this process reminds me of
| anti-virus software: finding code signatures and flagging
| sketchy code.
| foxfluff wrote:
| Exactly. And the end result might be as bad as antivirus:
| horrendously slow software with a huge database of
| heuristics that cause false positives and at the same
| time let malware through. It's going to suck.
| __MatrixMan__ wrote:
| You can use CTPH algorithms to fingerprint the function, so
| you'd need an extension that fingerprints each function
| before the browser runs it. Or you could man-in-the-middle
| yourself and patch the malicious code before it gets to
| your browser.
|
| Better still would be to fingerprint the syntax tree, so
| obfuscators need to change more than just the names of
| things (Unison does this, Javascript would probably be less
| friendly).
|
| I'd love an app where I could crowd-fund the inevitable
| game of cat/mouse that would ensue. Like maybe I put $5 in
| at the beginning of each month and as I browse I curate a
| list of sites that I'd like tampered with. Better
| developers than I could then publish patches for the
| malicious functions, which are applied as I browse. At the
| end of the month, my $5 gets distributed to the people who
| fixed the parts of the web that I browsed that month.
|
| I'm working on a tool that facilitates collaboration on
| CTPH-identified blobs of data, but it's more of a `curl
| shadysite.com | mytool` kind of thing. I'm not sure what
| would go into integrating it into a browser.
| notriddle wrote:
| This is literally the same game virus scanners played
| against mutation engines. Ultimately, the halting problem
| won.
|
| There are two places this can end:
|
| * Redesign the runtime environment so it doesn't matter if
| you download trackers. The execution environment doesn't
| offer the I/O facilities that it requires to actually
| produce harm. This is what Apple Private Relay and Tor
| Browser try to give you. By analogy, this is why Web Apps
| became so popular in the first place -- web publishers who
| do not intentionally collude are protected from each other
| by the SOP, so opening a web page should be less risky than
| running an EXE. It's "just"[1] extending the existing
| sandbox to prevent differing origins from being able to
| collude.
|
| * Instead of blocking bad scripts, allow only known-good
| ones. To match the convenience of current-day ad blocking,
| it needs to be a collaboratively-produced list. In other
| words, a gatekeeper. By analogy, this is why installing
| "unrecognized" applications on Windows and macOS is behind
| a scare screen, and why doing it on iOS is prevented
| entirely.
|
| The former seems less dystopian, but much more difficult.
|
| [1]: this is actually very difficult
| garren wrote:
| I was going to suggest introducing the kind of heuristic
| analysis found in antivirus engines. Kind of like your
| item #2 - don't run scripts that behave badly (for some
| heuristically recognizable "bad behavior".) Basically a
| browser built-in AV scanner. Maybe give a user the option
| to permit the script once per session, or forever.
| Something like this would definitely introduce a UX speed
| bump, it sounds terrible.
| Hard_Space wrote:
| Wow. I've been talking about this for 15 years. I guess they
| finally got painted into a corner enough to implement it.
| [deleted]
| 1vuio0pswjnm7 wrote:
| Stupid question: What value, if any, does "Google Tag Manager"
| offer the end user? By "end user" I do not mean website operator
| or advertiser.
|
| I never ran this stuff. There is no Javascript engine available,
| there is no DNS and the local forwarding proxy does not forward
| traffic to Google domains. I am not asleep at the wheel and
| probably not the target end user. But I always wondered why _any_
| end user would want to allow this garbage, assuming they
| exercised a conscious choice.
| andirk wrote:
| Google Tag Manager data can be used to optimize your
| recommendation engine. It can help with Google Ads as well. It
| is a 3rd party handling some precious and maybe private data,
| but it has a low barrier of entry.
| charcircuit wrote:
| It benefits the end user by them "hopefully" getting an
| improved product in the future.
| gumby wrote:
| I am fascinated that the popular press has described this as
| Google adding privacy (which is how google describes it of
| course) where really it's a massive escalation of their spying
| network.
| heavyset_go wrote:
| I wouldn't be surprised if much of the popular reporting on it
| are just press releases.
| gumby wrote:
| Seems like it, even in the big papers/sites
| jart wrote:
| Well it sounds like they're plugging the RCE hole in how ads
| operate which is even better. That's the real elephant in the
| room which no one seems to be talking about. With all these
| zero click exploits I don't want an entire industry to exist
| that's dedicated to people bidding to run code on my computer.
| If all that bloat is running somewhere else in the cloud and
| this tag manager is filtering the information they access so
| that it's actually just boring marketing analytics then I'd
| imagine it does a lot to help improve the sovereignty of
| personal spaces.
| bigpeopleareold wrote:
| This article and thread got me to just install NoScript finally
| and start using it. It's not only part of an adblocking regime,
| but also am sick of the persistent nagging over consent walls (me
| being in Europe), adblocker walls, etc. If the content is
| meaningful enough, I'll subscribe (like my local newspaper, my
| only news subscription.)
|
| Simple JS and site analytics is perfectly fine for me (and to be
| fair, not just because I work on analytics software myself, site
| analytics is a useful tool), but having it bundled in with
| constant nagging on top of heavily bloated sites and pointless
| (and sometimes slightly offensive) advertising that even leaks
| through adblocking gets on my nerves a lot.
| SBF wrote:
| well not sure is it good or bad.
| qwerty456127 wrote:
| This looks like an opportunity for antivirus developers. Now as
| antivirus software has became less relevant the talents can be
| reallocated to apply heuristic and signature-based code analysis
| to protecting web users against tracking. I would gladly pay
| money to a trustworthy company to sanitize my traffic blocking
| every bit except what I really need to be there.
| srg0 wrote:
| > I would gladly pay money to a trustworthy company to sanitize
| my traffic blocking every bit except what I really need to be
| there.
|
| $0/month -> duckduckgo -> browser-level protection and email
| aliases
|
| $1/month -> Mozilla -> browser-level protection and email
| aliases (relay.firefox.com)
|
| $2/month -> NextDNS -> DNS-over-HTTPS with blocklists and
| tracking protection
|
| $1/month -> Apple -> browser-level protection, Private Relay &
| Hide My Email
|
| Blocking "every bit" is a hard problem.
| heavyset_go wrote:
| I blindly added Google Tag Manager to my sites. This article gave
| me a reason to remove it, thanks.
| olliej wrote:
| You shouldn't be adding _any_ google scripts to your site, u
| less you believe that you have the right to support spying on
| your users.
|
| Google "analytics" is a spyware system that they bribed sites
| to include with the promise of "knowing your users".
| heavyset_go wrote:
| I used them to set up their Search Console product and didn't
| think to remove them.
| simpss wrote:
| Anything that can be reliably identified across multiple websites
| can be blocked.
|
| So here we'd just block "tag manager web container" no?
| jtbayly wrote:
| The article explains that the info can be transmitted by any
| JavaScript library.
| Godel_unicode wrote:
| Having spent a good amount of time looking at potential
| JavaScript malware that ended up being repackaged GTM, I'm
| pretty confident anyone who says they're "blocking Google Tag
| Manager" has their head in the sand.
| rhizome wrote:
| I've been blocking GTM forever, so I do wonder how this will
| play out.
| gorhill wrote:
| I read the original article back when it was published in
| November 2020[0]. This is what led me to introduce new static
| network filter options:
|
| - strict1p, strict3p [1]
|
| - header=, experimental, disabled by default [2]
|
| I used Simo Ahava's blog as test case, and with these new
| options, I could craft a filter to block the Google Tag Manager
| script on Simo Ahava's blog. However due to the lack of more test
| cases, no more progress has been made about this since then.
|
| Things that stood out to me when reading about all this:
|
| Simo Ahava's refers to the CNAME approach as "vulnerable"[3]:
|
| > This way you'll be instructed to use A/AAAA DNS records rather
| than the vulnerable CNAME alias
|
| "Vulnerable" to what? To uncloaking as I understand it, and by
| extension, "vulnerable" to users taking steps to protect their
| privacy.
|
| Whether the very experimental solution in uBO ends up working or
| not, this case shows very well how Google Chrome's Manifest
| Version 3 (MV3) put a lid on innovation content-blocking wise:
| All the new filter options introduced above can't be implemented
| with declarativeNetRequest.
|
| ===
|
| [0] https://www.pixeldetracking.com/fr/google-tag-manager-
| server...
|
| [1] https://github.com/gorhill/uBlock/wiki/Static-filter-
| syntax#...
|
| [2] https://github.com/gorhill/uBlock/wiki/Static-filter-
| syntax#...
|
| [3] https://www.simoahava.com/analytics/server-side-tagging-
| goog...
| Vinnl wrote:
| For context, gorhill is the author of uBlock Origin.
|
| And for context on MV3, see
| https://github.com/gorhill/uBlock/wiki/uBlock-Origin-works-b...
| GoblinSlayer wrote:
| Sure that means vulnerable to widespread blocking.
| danShumway wrote:
| Thanks for adding this comment. My immediate reaction when
| seeing this was that I thought it looked familiar to previous
| conversations I saw a while back. But I didn't know for sure
| that they lined up exactly, and I wasn't looking forward to
| doing the research to find out.
|
| > All the new filter options introduced above can't be
| implemented with declarativeNetRequest.
|
| My understanding was that stuff like CNAME uncloaking was
| already unsupported in Chrome[0]. Of course, Manifest V3 won't
| make the situation any better though.
|
| [0]: https://github.com/gorhill/uBlock/wiki/uBlock-Origin-
| works-b...
| Animats wrote:
| Wait, Google wants to proxy the _entire internet_ through Google
| servers? Just so ad tracking will work? This lets Google spy on
| the entire session in both directions, right?
| olliej wrote:
| And also makes it harder for any alternative - you can't use
| two different systems to proxy the same content at the same
| time, and you can't expect one company to not "protect user
| privacy" by filtering competitors.
|
| Honestly the only reason this is even an option for google is
| because a bunch of web admins said "I want to know who is
| browsing my site, and who cares if that lets google spy on
| every person who uses my site", and now they're just offering
| this "improvement" to spying.
| Animats wrote:
| This was modded down, but commented on favorably. Am I wrong
| about this giving Google a backdoor into every web site that
| uses it?
| olliej wrote:
| It's just another mechanism to maintain their existing
| spyware systems. What google absolutely depends on is
| having as much of the web as possible including their code.
|
| Essentially: if every website includes some amount of their
| code it becomes increasingly difficult to block _every_
| tentacle. Presumably the goal is that it doesn't matter if
| 90% of their crap is blocked by browsers: as long as a
| single tentacle leaks enough info on any given page they
| can track you.
|
| How true this is in the face of privacy preserving vpns
| like Apple's private relay I don't know.
| charcircuit wrote:
| Yes, you misunderstand it. Google isn't getting any more
| information / power than they previously did. What server
| side tagging does it separates the creation of tags outside
| of a user's browsers and into a server that is a part of
| your infrastructure. You can host this tagging server on
| Google Cloud, but you can also self host it if you choose
| to.
|
| To restate what happens, a website's users send events to a
| first party tagging server and then that tagging server can
| communicate with 3rd parties.
| macinjosh wrote:
| At the end of the day the data is still coming from the client so
| perhaps the best approach in future would be to find ways to make
| the data less useful or useless.
| donohoe wrote:
| To be clear, this is not new - many of the comments suggest this
| is some new front by ads/marketeers against privacy. It's not,
| it's just being used more.
|
| Server-side analytics has been available as an option for
| decades. You can do server-side GA for a long, long time now.
|
| Its generally a bit more of a pain to setup and and can be a bit
| most costly (depending on your cache/cdn/hosting setup).
| 5- wrote:
| i'm using firefox with https://addons.mozilla.org/en-
| GB/firefox/addon/temporary-con...
|
| it occasionally gets in the way, but does make things a bit more
| enjoyable (i can now happily click 'allow all tracking' on all
| the popups not blocked by ublock -- all that lasts until i close
| the tab).
|
| ideally i should also use something to resist fingerprinting
| (i.e. randomising fingerprintable features).
| Svetlitski wrote:
| @dang Title should have (2020) appended to it
| gzer0 wrote:
| Increasingly, the only solution I see to this is Apple's Private
| Relay [1].
|
| "When Private Relay is in use, the user's device opens up a
| connection to the first internet relay (also known as the
| "ingress proxy").
|
| As the user browses, their original IP address is visible to the
| first internet relay and to the network they are connected to.
| However, the website names requested by the user are encrypted
| and cannot be seen by either party.
|
| The second internet relay (also known as the "egress proxy") has
| the role of assigning the Relay IP address they'll use for the
| session, decrypting the website name the user has requested and
| completing the connection.
|
| The second internet relay has no knowledge of the user's original
| IP address and receives only enough location information to
| assign them a Relay IP address that maps to the region they are
| connecting from, conforming to the IP Address Location preference
| they selected in Private Relay settings."
|
| [1]
| https://www.apple.com/privacy/docs/iCloud_Private_Relay_Over...
| gigel82 wrote:
| I don't trust Apple; they are shady AF and I'm convinced they
| are hard at work building an AD empire to rival Google and
| Facebook behind the scenes. Their so-called "privacy" moves are
| very clearly designed to limit Facebook's and Google's ability
| to profit off their platform giving themselves an advantage:
| https://www.forbes.com/sites/johnkoetsier/2020/08/07/apple-a...
|
| That said, Private Relay has some interesting ideas, maybe a
| few trustworthy VPN providers adopt some of them.
| pixeldetracking wrote:
| Apple's Private Relay is great, but it won't help with server-
| side tracking (which is not based on IPs)
| meibo wrote:
| To what is a VPN a solution? It prevents IP tracking, but
| that's it. The rest of what is described here still works.
| gzer0 wrote:
| "Private Relay uses both the CONNECT and CONNECT-UDP methods
| in HTTP/3 to set up connections quickly. For connections to
| websites that support TLS or QUIC, the initial TLS handshake
| messages are sent in the same set of data as the proxy
| request"
|
| Would this not hinder the proposed mechanism discussed in the
| article?
|
| Edit: forgive me, for my knowledge of networking is limited
| and I'd like to learn more if I am incorrect.
| snowycat wrote:
| I fail to see how this is any different (for the purposes
| of getting around google) than any other VPN or proxy
| service out there. The proposed mechanism is just using a
| script that comes from the same server as the main website
| with perhaps slightly changed up code and a different file
| name to trick up adblockers. It can still fingerprint you
| without your actual ip address, as it collects data
| clientside.
| rnotaro wrote:
| I don't really have a great knowledge of the Tor Network but is
| that not really similar to a Tor Relay?
| dredmorbius wrote:
| Tor relays are identifiable.
|
| And are blocked or rate-limited by many websites.
|
| That said, if a majority of interesting Web traffic transited
| Tor, that behaviour would likely change.
| bo1024 wrote:
| I don't think this is a solution, since modern fingerprinting
| methods go far, far beyond IP address.
| notriddle wrote:
| Apple Private Relay runs on iDevices, which are almost all
| identical.
| rootusrootus wrote:
| Panopticon still seems to think my browser is pretty
| unique, and I am browsing with an iDevice.
| Zerverus wrote:
| Not to current fingerprinting methods, they are not.
| ii550 wrote:
| Naive question?
|
| What would happen if we were to block googletagmanager.com at the
| DNS level AND use uBlock Origin to block all calls to "gtag
| (...)" functions?
|
| Source:
| https://developers.google.com/analytics/devguides/collection...
| pixeldetracking wrote:
| you can also change the ressources names:
| https://www.simoahava.com/analytics/custom-gtm-loader-server...
| and you can host the container on your own infra:
| https://developers.google.com/tag-platform/tag-manager/serve...
| jtbayly wrote:
| So it's finally come down to "turn off JavaScript, or be
| infinitely tracked"?
| ehnto wrote:
| And all cookies, else pixel trackers and serverside analytics
| can still identify your device. Don't need JS to set a cookie.
| encryptluks2 wrote:
| They can identify a device. Without JavaScript, you don't
| have nasty client-side hints telling sites exactly what OS,
| CPUs, Graphics Cards, etc. With a VPN and changing your UA,
| no JavaScript does a pretty good job at preventing sites from
| tracking you.
| steve_taylor wrote:
| User agent strings tend to reveal the operating system and
| CPU architecture.
| encryptluks2 wrote:
| That is why I mentioned changing your UA. Unfortunately,
| with JS that is not enough due to client-side hints and
| other information leaked.
| 88913527 wrote:
| I'd characterize more as "Turn off JavaScript, and lose access
| to any site fronted by Cloudflare."
| ehnto wrote:
| Which is a staggering portion of the popular web.
| rhizome wrote:
| akkartik wrote:
| I've been running NoScript for the past year. It's pretty
| nice once you get to a stable set of policies. I load
| mainstream media sites in incognito tabs with JavaScript
| enabled for the tab.
| jtbayly wrote:
| So in other words you allow some of the largest, worst
| sites to track you. ;)
| akkartik wrote:
| Elaborate? I have dnt turned on and am using incognito
| tabs? Still not good enough?
| Nursie wrote:
| "DNT" is a bad joke, always was, just so you know. It
| just adds a header to your requests asking nicely not to
| be tracked.
|
| If anything it probably acts as a datapoint on
| fingerprinting and actually helps to track you.
| akkartik wrote:
| It provides a modicum of social and legal enforcement. A
| website with any sort of brand risks legal and PR costs
| if they violate DNT. I'm happy for them to take that
| risk.
|
| Though I see now that the whole thing has fallen through
| since around 2019:
| https://en.wikipedia.org/wiki/Do_Not_Track. Oh well.
|
| Going back to my original comment, if there's a better
| way to read say the NYTimes without being tracked by the
| NYTimes, I'd like to hear it.
| Nursie wrote:
| Legal risks? I'm unaware that it's ever been enforceable
| anywhere, and I don't think there's ever been enough
| awareness of its existence to cause reputational damage.
|
| Personally I think the whole thing fell through the
| moment it was conceived in 2009. We're going to ask
| nicely that people who are tracking us, who _know_ that
| we don 't want to be tracked anyway, kindly refrain? The
| whole idea was laughable.
|
| Its advocates got annoyed when Microsoft enabled it by
| default on a version of IE several years ago, as then it
| wouldn't be perceived as a reliable indicator of intent.
| This really just exposed the problem with the whole
| thing, that it was going to be hidden away in settings
| where few people would go, and rely on the good will of
| effectively known-bad actors to respect it, and just
| maybe they would respect it if we keep it more-or-less a
| secret that only techy people bother with.
|
| (Sorry, this rant is not aimed at you, it's just a bit of
| a pet hate)
| akkartik wrote:
| This is all valid. But like I said, it was always about
| social and PR pressure ( _edit_ with reputable sites). (I
| was mistaken earlier when I thought it also had the force
| of law behind it.) That still has some, depreciating,
| value. To repeat my question, what else is there?
| sinuhe69 wrote:
| Maybe Google till can track the users but what benefit would it
| bring if its customers can not display ads to the users? Ads are
| still blocked!
| civilized wrote:
| So long as we're on the topic of fighting ad targeting... if
| you've never heard of uBlock Origin, you should get it. It's
| probably the reason YouTube still thinks I'm Hispanic.
|
| I love my poorly targeted ads. Easier to ignore.
| nostromo wrote:
| Just use Brave and you won't see any YouTube ads at all. It
| even works on mobile.
| NaturalPhallacy wrote:
| Youtube via Brave on my iPad refuses to stream anything above
| 720p most of the time. As a result I just use it less.
| arvindamirtaa wrote:
| Frankly, that's a win IMHO
| jtbayly wrote:
| The article claims ublock origin won't work on sites that
| implement this.
| bink wrote:
| The current version doesn't but there's not really a reason
| to believe it can't be updated. I think the author overstates
| the complexity of documenting these proxies and URLs for
| sites that run them.
| garren wrote:
| Google's recommending that people set a A record in their
| own domain for the server, and change the name of the
| script. Given this, documenting such proxies and URLs and
| maintaining that documentation doesn't seem practical.
|
| On the other hand, I wonder if you could just block all IP
| addresses associated with google, or those associated with
| their cloud/app engine? I suppose that could be handled at
| the firewall maybe? Are there ASNs google uses specifically
| for their app engine and cloud computing resources? Others
| have mentioned that a lot of government agencies rely on
| google app engine, but it'd be nice to kill all traffic
| to/from anything google.
| pixeldetracking wrote:
| Godel_unicode wrote:
| You're going to lose this cat-and-mouse game, it's the same
| one that gets played with malware C2 domains (except it's
| worse because both the proxy operator and the actual domain
| operator are colluding). Add in the zero-cost nature of
| subdomains as opposed to needing to pay for new DGA root
| domains and the fact that they can run the whole thing
| behind e.g. cloudflare to prevent IP blocking? Forget about
| it.
| ohyeshedid wrote:
| > You're going to lose this cat-and-mouse game...
|
| History is full of sentiments like that, from power
| structures that were never able to stop subversion. The
| game itself is perpetual, so there's always another turn
| coming.
| halayli wrote:
| I am not sure OP has the proper background to discuss blocking
| ad+tracking techniques. Such utilities do a lot more than
| blocking domains. Blocking domains is just first step as it's the
| simplest and cheapest win. Signatures/Content inspection being
| sent can go a long way and can accurately identify patterns.
| nr2x wrote:
| This is a pretty accurate description in my view, it does make
| blocking significantly harder.
|
| [I've got about a decade+ in this highly specific domain fwiw.]
| Godel_unicode wrote:
| Pihole.
| tgv wrote:
| Doesn't help against server side tracking.
| [deleted]
| mkdirp wrote:
| It is clear Google is finally feeling the hurt from adblockers
| and the like. That means we are winning. Google knows it's not
| what people want, but they clearly do not care. In my opinion, if
| you work for Google on things like this, you are equally to
| blame. You have Google on your CV, you can easily go elsewhere
| and find a decent job.
|
| Having said that, uBlock Origin, and I'm assuming other similar
| extensions, offer inline script filtering. The code being served
| has to have some common code since it's all coming from a single
| org. What is stopping a filter that includes a filter like this?
|
| The issue obviously being that this still prevents DNS filters
| from blocking Google, which is equally a big issue. Assuming the
| scripts indeed have some common code that can be blocked, perhaps
| this is where we start crowdsource filters. Something that runs
| in the background, and inspects scripts, which then gets posted
| to a server, validated automatically, and then later served as a
| block list that anyone can download.
|
| [0] https://github.com/uBlockOrigin/uBlock-issues/wiki/Inline-
| sc...
| was_a_dev wrote:
| Yes a Google employee could go work elsewhere. But is there an
| equally well paid position at a more ethical company? As far as
| I can tell, all FANGs are as unethical as each other
| Perseids wrote:
| I don't understand the reasoning here. How does being paid
| more justify unethical acting? Especially since you are
| getting by very very well in the tech industry in general.
| Isn't that like saying "I'm kicking puppies all day, but it's
| paying enough to finance the second Lamborghini, so how could
| I decide against it"?
|
| (If you were referring to moral offsetting, that could indeed
| work, assuming you donate enough to charities, but your post
| didn't sound like that.)
| danparsonson wrote:
| There are no perfect outcomes in life - if you're going to
| make an ethical decision then more often than not you'll have
| to compromise elsewhere. Another example would be cheap goods
| that come at an ethical and/or environmental cost - you'll
| usually have to pay extra to avoid those because the bad
| behaviour is what allows companies to keep costs down.
|
| In some sense, FAANG employees are being paid extra to look
| the other way.
| Zardoz84 wrote:
| Well... At least on Europe it will be forbidden on all European
| union countries.
| stiray wrote:
| Well, I am blocking google tag manager and everything else from
| google, also forever caching CDNs and disabling caching for
| everything, for more than a day.
|
| Also blocking every domain found on any blocklist including CNAME
| resolving.
|
| And injecting my scripts trough mitm proxy that effectively
| disable any fingerprinting for my whole home network and all the
| mobile devices (they are all configured to use the proxy trough
| ssh tunnel).
|
| Some sites dont work. Do you think I care? Do you think I will
| ssh home and change the settings for _your_ site as it is so
| special, that I "need" to have its content? Every content is
| quadrupled on internet and if one site doesn't work, I go to
| next, I couldnt care less.
|
| Someone doesn't want me to be his visitor? I will cry a river
| (not really), close the tab and find someone else while the site
| will have one visitor less.
|
| (thank you hacker news for playing it fair!)
| losteric wrote:
| Citing adblock feels like clickbait. Google Tag Manager can't run
| ads so I don't follow the comparison. Marketing analytics could
| always side-step anti-adblocking tools through server-side
| tracking.
| sodality2 wrote:
| Server side tracking based on what, server access logs? That's
| not particularly helpful compared to the info you get with
| clientside analytics libraries.
| matt_heimer wrote:
| No, the gtag in the browser sends all the data to the server-
| side proxy. Then on the server-side config you can pick which
| parts of the data to share with 3rd parties. So there is
| still client side data capture, its just reduced to one
| component capturing the data.
| fay59 wrote:
| Saying that Adblock users want it 100% to block ads and 0% to
| protect their privacy is a misleadingly narrow analysis, even
| this use isn't completely effective.
| matt_heimer wrote:
| Adblockers block ads and tracking, if the new gtag manager
| makes easier to defeat the tracking protections of an ad
| blocker then it seems accurate.
|
| I think the key thing here is that ad/tracking blockers often
| rely on domains or requests being 3rd party. In the past it was
| more work to hide the 3rd party trackers as 1st party, this
| makes it easy so its more likely to happen now.
| coffeefirst wrote:
| Right. Everything in the article is wrong.
|
| GTM is still GTM and can be trivially blocked; the _container_
| itself isn 't moving server-side.
|
| It's just gained the ability to proxy data to third parties
| instead of needing to load scripts for every tracker. This is
| better for performance, and should be explicitly in control of
| exactly what data is passed on to where.
|
| All you really lose is the ability to block a subset of
| analytics scripts selectively.
| probotect0r wrote:
| How are you going to block it "trivially" if you don't know
| which script to block? They recommend changing the name of
| the GTM script, and paired with changing the content
| slightly, you won't be able to tell which script is GTM and
| which is actually important to the functioning of the site.
| jacquesm wrote:
| You'll know that after loading the first couple of bytes
| though.
| _flux wrote:
| So they need to change the first couple bytes then,
| automatically.
|
| Essentially I don't understand how possibly could free
| adblocking lists defeat advertisers or trackers if they
| truly cared about them: simply have a system running with
| the latest adblock lists against their test site, and if
| it is able to filter them, have an engineer make a
| modification--or have the system automatically pull up a
| pre-made modification or even generate a new one. In
| addition, the content-driving JS and the site JS could be
| bundled in one and obfuscated.
|
| Best functioning filters are secret ones and thus only
| the technically minded minority has access to them.
| c0balt wrote:
| +It's gonna be very hard to detect once they actually
| bundle up (which I suspect only a few will do) the tag
| manager and obfuscate
| gizzlon wrote:
| If it's 99.99% the same I think we will manage :)
| coffeefirst wrote:
| This was my exact thought when I wrote that comment. Then
| I remembered Manifest v3.
|
| ITP, ETP, and plugins that can block requests based on
| heuristics will make pretty short work of this. In
| Chrome, come Manifest v3, plugins won't be allowed to.
|
| So... this is all uglier and more complicated than I
| thought.
| dlubarov wrote:
| Where does Google recommend changing the name of the
| script? The author claims that they do, but their link just
| recommends self-hosting the script. In Google's recommended
| JS, the path is exactly the same, only the hostname is
| different ("www.googletagmanager.com" replaced with
| "<DOMAIN NAME>").
|
| Self-hosting by itself might make blocking marginally more
| difficult, but there are other reasons to do it:
|
| - Browsers these days segment caches by origin, so there's
| no caching benefit to using Google as a CDN.
|
| - With HTTP2, a first-party request is likely to
| immediately go through an existing (multiplexed)
| connection, saving a handshake.
|
| - It's arguably better for privacy, as users and
| legislators seem to be concerned about links to Google
| leaking IPs
| (https://news.ycombinator.com/item?id=30135264).
| [deleted]
| iamacyborg wrote:
| > GTM is still GTM and can be trivially blocked; the
| container itself isn't moving server-side.
|
| Not when the script sending data to the server side GTM is a
| first party one.
| jamesy0ung wrote:
| Hack LocalCDN to inject modified scripts?
| arvindamirtaa wrote:
| I use brave which has a "Brave shield" that disables GTM from
| loading altogether by default. Would that solve this issue?
| viraptor wrote:
| Depends how is implemented. Currently: possibly, but likely not
| if all the steps were implemented.
| miere wrote:
| Do you believe ad-blockers could checksum these scripts or do
| some sort of pattern recognition - like some anti-viruses do -
| match and deny these scripts?
| thenanyu wrote:
| As someone who has spent a lot of time on both sides of this, I
| think this is a great outcome, personally.
|
| The most annoying part of ad-tech for me, as a user, was the fact
| that I was running all sorts of random javascript, any bit of
| which could blow up performance on my browser.
|
| As someone who used to lead an e-commerce operation, I hated
| running all of this crap in my users' browsers because I knew it
| would get blocked randomly or cause hard-to-diagnose errors.
|
| I eventually moved us to basically this approach using a home-
| grown solution and everyone was happier. It was even more robust
| because it just used session/cookie data and didn't require
| running any javascript execution to work.
| onion2k wrote:
| All that random crap will still run in your browser though.
|
| The important thing here is that Google are asking users to
| proxy scripts from a Google server via a subdomain of their
| site. That's relatively trivial to do as far as the code and
| config goes, and not costly for the user or for Google. The
| advantage to the site and Google is that those scripts now look
| like first party files; Google are using a first part subdomain
| to subvert the Same Origin Policy via a proxy.
|
| Every other tracking and ad service will set up the same thing.
| The reason it hasn't happened in the past is because it was
| hard to configure. Google are giving every other service the
| gift of explaining how to do it to users. Going to a website
| that had 50 tracking bugs from 50 domains will now have 50
| tracking bugs from 50 Same Origin Policy allowed subdomains,
| all unique to that site, and all different so blockers will
| have a much harder time working out what to block.
|
| The code that runs in the browser doesn't change. The only
| difference is where it appears to originate from.
| GrifMD wrote:
| That's inaccurate. You do still need to run a client side GTM
| script that adds event listeners for specific actions (like
| "clicks purchase button"). This is then sent to a server side
| container with whatever first party identifier the site may
| have (3rd party IDs aren't supported as there's no 3rd party
| cookies from Facebook and the like). From there a server to
| server network request is made to whatever tracking platforms
| (GA, Google Campaign Manager, etc).
|
| Most of the tracking script these days is well written, at
| least the Google and Facebook libraries, so they generally
| don't affect page performance, but some of the smaller
| players have script that can slow down performance.
|
| With server side GTM, only it's client side component needs
| to run, everything else will be server side.
| btdmaster wrote:
| ?Por que no los dos? (Server-side and client-side spying
| synergise. Which computer is spending resources transferring
| telemetry?)
| [deleted]
| Raed667 wrote:
| Been there, until you're instructed to inject ads in your
| website, and then you're back to GTM again.
| croes wrote:
| The most annoying part for me is getting tracked against my
| will.
|
| So now it's worse.
| Teever wrote:
| Isn't it so strange that if you or I were to do these kinds
| of things to an individual it would be considered creepy
| cyber stalking but when companies do it they are rewarded?
| snomad wrote:
| No reason ad tech companies should have freedom to
| associate real world data with online data. This seems like
| the perfect candidate for a US state proposition.. no
| company engaged in online ad tech may combine or allow any
| other entity to marry online identities with real life.
| gernb wrote:
| Do what? Record who came in and out of your house?
| RedComet wrote:
| Actual it would be more like a company recording what
| (physical) mail you read, when you read it, where you
| were when you read it, how long you read it, where you
| looked at on the paper, etc. You request data, they send
| it to you.
|
| For example, ad blocking is more akin to paying someone
| to cut advertisements out of a magazine before you read
| it.
| culi wrote:
| More like the street in front of your house including
| people in their cars
| 34679 wrote:
| Violate an explicit request for privacy.
|
| I would love to leave all of the blinds on the windows in
| my home open all time, but I live in a neighborhood. The
| price I pay for privacy is the cost of the blinds and the
| action of closing them when I want privacy. When those
| blinds are closed, it is not in any way acceptable for
| anyone to come along and try to find a way to see around
| or through them, even if they're trying to sell
| something.
|
| Nobody would be harmed in the above example any more than
| they would be by having their privacy violated online.
| Nobody is physically harmed, or had their property
| stolen. They wouldn't even be inconvenienced in any a
| way, so long as they are unaware of the intrusion.
|
| Now for a personal experience that stuck with me and
| helped shaped my views on privacy:
|
| Many years ago I walked in on my girlfriend in the
| bathroom, and she asked me to leave. I was going for
| something in the medicine cabinet and thinking she just
| didn't want me to see her on the toilet, I replied "I
| don't mind" and continued toward the cabinet. She
| exclaimed "But _I_ do! ".
|
| Of course, she was right and I was wrong, because privacy
| is about respecting the individual's desire for it.
| smt88 wrote:
| Bad analogy.
|
| It's more like Target, Walmart, and Best Buy recording
| everything you do in the store (where your eyes go, what
| you say to your spouse, etc.) _and then selling that
| information to random companies you 've never interacted
| with_, including each other.
|
| Together, they can create a comprehensive log of
| everything you do outside (and inside!) your house and
| secretly sell it.
|
| This isn't even an analogy. With Alexa and Google Home,
| we should expect that it's literally happening.
| alexb_ wrote:
| I'm pretty sure those big retailers are already doing
| this. Given sufficient profit motive, you should always
| assume the worst possible.
| judge2020 wrote:
| Why does selling the data matter? If it's fine to collect
| but not sell it, people would already be fine with Google
| Ads tracking as Google is solely in possession of that
| data and will never sell it, lest their competitors gain
| an edge by out-header-bidding Google (offering higher
| profit margins to sites) with Google's own user data.
| smt88 wrote:
| > _Why does selling the data matter?_
|
| It is somewhat galling for your private behavior to be
| monetized.
|
| But you're right that the selling itself is not the core
| issue. The core issue is that it's being _shared_. The
| monetization is an incentive to share, and that 's where
| the problem lies.
|
| By contrast, think about your doctor: they can't legally
| sell your private data. If they share it with anyone, it
| is for the express purpose of helping you, their patient.
| No problem there! My doctor shares my data with their lab
| testing partners and cloud vendor, and it doesn't bother
| me at all.
|
| Now imagine if my doctor could legally sell my data to
| anyone and make even more money from me. We know with
| 100% certainty that every hospital would sell that data
| far and wide.
|
| This is what adtech firms are doing, just with (slightly)
| less sensitive data than my doctor has.
| runeks wrote:
| > By contrast, think about your doctor: they can't
| legally sell your private data.
|
| This is not a reasonable comparison. You choose to tell
| the doctor private information because of patient-doctor
| confidentiality. The other type of "private information"
| is collected by observing you in public (e.g. in a
| Walmart).
| smt88 wrote:
| > _You choose to tell the doctor private information
| because of patient-doctor confidentiality. The other type
| of "private information" is collected by observing you in
| public (e.g. in a Walmart)._
|
| I think this distinction is irrelevant. The salient
| questions are:
|
| - Is this information private and potentially damaging to
| me?
|
| - Do I expect [third party] to have access to it?
|
| This is especially important if [third party] can be a
| government. In the massive web of interconnected
| buyers/sellers of adtech data, there is no reason to
| expect that oppressive governments will be unable to get
| anything they want.
|
| But to address your point:
|
| I absolutely do not expect "observing in a public place"
| to include personal conversations and/or data about
| exactly what products my eyes land on.
| strogonoff wrote:
| Imagine if Google offered a retail solution advertised as
| "record who came in and out of your house". They would
| offer a CCTV for free and run centralized face
| recognition on everybody visiting. They'd give you a bit
| of stats, but truly they would aggregate data on where
| people go and build shadow profiles (supposedly to
| facilitate ad targeting). And imagine 90% of households
| were using it.
| [deleted]
| iptq wrote:
| Isn't this literally what Ring does?
| Teever wrote:
| Yeah and isn't this stalking?
| themacguffinman wrote:
| You think installing cameras on your own property is
| stalking? Putting aside that this is legal nonsense, are
| you saying that the millions of private retail stores,
| offices, and houses that install security cameras are
| actually stalking and the majority of citizens that visit
| grocery stores are stalking victims?
|
| I mean, maybe you do believe that, but it's a little
| ridiculous to freak out over something that most people
| do and are used to. At most, it's an extension of the
| status quo.
|
| Edit: I suppose it's not that ridiculous if you think
| most of the world is evil, but I am genuinely curious if
| you believe that.
| strogonoff wrote:
| Individual businesses aren't stalking anyone if their
| CCTVs are watching out for themselves. But as soon as
| there is a centralized company offering the service and
| gobbling all the data, and that company acts like Google
| does with regards to web tracking, then it'd be in some
| sense no better than stalking (or even worse, stalking at
| scale).
|
| If it only obtains the data to provide you the service of
| knowing who comes in or out, and deletes the data as soon
| as it's not needed anymore, there would be no question;
| but that's not where profit is in a double-sided market.
| themacguffinman wrote:
| Like ADT? Like a lot of security companies that offer
| monitoring solutions on behalf of clients, especially
| smaller businesses and individual homeowners?
|
| "gobbling all the data" is vaguely scary while being
| totally meaningless. GTM data is fully managed by the
| client, Google contractually does not randomly spy on it.
| Many businesses would argue that they do delete user data
| after they don't need it anymore, but analytics is useful
| and therefore necessary for a fairly long time (many
| platforms have natural retention limits, usually a few
| years). Google themselves deletes user data on their
| first party products after 18 months by default
| (referring to things like Web & App activity and Location
| history) and users can set it as low as 3 months,
| approximately the same amount of time as security
| footage.
|
| Edited to correct a number and remove some snark
| Teever wrote:
| How can you feign obliviousness so much that you can't
| see the difference between what ADT was doing in 1995 and
| what Google is doing in 2022?
| inlined wrote:
| You're describing the modern experience in a grocery
| store
| eru wrote:
| Would be a bit creepy sure. But who am I to judge what
| other people install in their houses? I don't have to go
| and visit them, if I don't like it.
| judge2020 wrote:
| So this is only a problem if the person thinking of
| visiting their neighbors' or friends' house has an issue
| with it. Why can't I install such a system if I want to?
| Why does it matter that 90% of households use this
| system?
|
| In fact, because 90% of households use this system,
| doesn't that mean society at large agrees that this is an
| OK thing to have? We all opt for wearing clothes only
| because society at large has agreed that wearing clothes
| is a requirement; there is no law of nature mandating
| this, and select small groups of people congregate in
| nudist colonies to escape from this societal requirement.
| Even on the non-private side, if I don't like clothes,
| why should I be forced to enter government buildings (for
| official government business such as court appearances)
| with them on? Surely society shouldn't be forced to make
| accomodations for me, just because I have a different
| opinion on these topics. If 90% of households did in fact
| use such a system, it would be the new normal because
| it's a nearly universal collective opinion on the
| technology. A society almost never caters to those that
| are the ultra-minority if it inconveniences the 90% or
| directly challenges the 90%'s own freedoms and choices
| when it comes to their lives, especially when that's in
| regards to something as low-impact as what sort of
| privacy visitors to a residence have while on that
| property.
| Teever wrote:
| > because 90% of households use this system, doesn't that
| mean society at large agrees that this is an OK thing to
| have?
|
| And if 90% of households have slaves doesn't that mean
| that society at large agrees that this is an OK thing to
| have?
| judge2020 wrote:
| Yes. Slavery was OK in the US for a long while. If things
| hadn't been done to get this changed in the US, it would
| still be seen as an OK thing to do, and in reality no
| higher power or law of nature would stop that, even in
| $current_year - evidenced by how worldwide modern
| slavery/forced labor is still going strong[0].
|
| My point is that there is no correct moral compass, no
| general rule as to what behavior is good or evil and no
| arbitrator that will correct the wrongs humans are doing
| in the world. Society is only governed by itself, and
| thus a 'supermajority' of ideals is what will reign over
| the superminority in terms of law and general consensus.
| If society accepts and encourages one company to control
| an absolute record of human movement and presence, it's
| not going to be stopped and that majority isn't going to
| cater to the small portion of society that doesn't agree.
|
| 0: https://en.wikipedia.org/wiki/Slavery_in_the_21st_cent
| ury#St...
| FeepingCreature wrote:
| Are you asserting that it is your _current_ opinion that
| slavery was _morally OK_ in the US, because it was
| morally _accepted_ at the time?
|
| (Warning: this is a trap question, do not answer yes, the
| only socially accepted answer is no)
| brnaftr361 wrote:
| Dru,
|
| I'm gonna take an adversarial point of view here. Wrong
| is wrong, and the magnitudes aren't really comparable at
| the resolution of the individual. At the maximum,
| according to Statista, there were about 4mn slaves. There
| are about 5bn people online, out of what is projected to
| be 8bn. While there are certainly cultural boundaries,
| that 5bn almost certainly interfaces with Google. So
| taking a step back and looking at the magnitude implied
| by the scale, and the outsized power of Google in
| virtually every facet of society, I wonder if it really
| is stepping out of line. Keyword dragnets, indefensible
| tracking... What's next?
| FeepingCreature wrote:
| Purely numerically comparing it, assuming slavery counts
| as a life spent in suffering, and there's a 1:1000
| factor, given a forty year life expectancy, Google must
| cause the equivalent of 14 slavery-equivalent-suffering-
| days or more to be worse.
|
| How many days of back-breaking labor and abuse would you
| put in to get freedom from Google tracking for the rest
| of your life? For me at three days, it'd be arguable;
| three weeks would be a stretch. (Of course, I have no
| actual experience to compare.)
| drusepth wrote:
| Not the guy you're responding to, but this trap question
| seemed like you either misunderstood their comment or are
| unintentionally putting words in their mouth.
|
| Their comment explicitly subscribes to a form of ethical
| relativism [1], which argues that there is no universal
| concept of "morally right" or "morally wrong", and that
| morals are determined solely by the society judging them
| at that time.
|
| [1] >Ethical relativism is the theory that holds that
| morality is relative to the norms of one's culture. That
| is, whether an action is right or wrong depends on the
| moral norms of the society in which it is practiced. The
| same action may be morally right in one society but be
| morally wrong in another. For the ethical relativist,
| there are no universal moral standards -- standards that
| can be universally applied to all peoples at all times.
| The only moral standards against which a society's
| practices can be judged are its own. If ethical
| relativism is correct, there can be no common framework
| for resolving moral disputes or for reaching agreement on
| ethical matters among members of different societies.
|
| >https://www.scu.edu/ethics/ethics-resources/ethical-
| decision...
|
| It is not a particularly helpful take in an ethical
| debate (which this whole privacy thread is) outside of
| making a populist argument ("if everything thinks X is
| morally acceptable, then it is; who are you to say it's
| not?").
|
| That said, I'm not sure I'd want to make the loaded
| comparison of equating "taking notes of who does what in
| your house" to slavery. One of these things is very
| clearly significantly worse than the other.
| FeepingCreature wrote:
| Right, I'm saying moral relativism ends up in
| inacceptable or at least widely not accepted answers as
| soon as you apply it to charged topics. It sounded to me
| like they were making a relativism argument, and I wanted
| to highlight this - to give them the opportunity to avoid
| saying that slavery is acceptable (even in the past) -
| while at the same time warning them against walking into
| this position unintentionally.
|
| I'm not saying it _should_ be unacceptable, relativism is
| an interesting position with some upsides, such as that
| the future, if relativist, will not judge us harshly for
| our undoubtedly manifold transgressions by their
| standard, but "slavery was okay actually" is still
| something that one should, if at all, say with deliberate
| intent, not as an accidental implication.
|
| edit: To clarify my own view, I think that inasmuch as we
| now think that slavery was wrong, we have _gained
| understanding_ - that slavery was just as wrong at the
| time, at least that it followed from moral precepts that
| were already believed, but this fact was obscured by the
| social and economic reality that people lived in.
| Evidence for this would be that people were already
| arriving at the view that slavery was wrong based on
| reasoning that matches, in hindsight, our own.
|
| A good candidate for a similar moral mistake that we'd be
| making is, of course, the meat industry - meat is tasty
| and vegetarianism is effort. But I would expect the
| future to condemn meat-eating for the same reasons that
| vegetarians today condemn meat-eating, indicating moral
| progress (or at least technological progress reducing
| moral effort) rather than value drift.
|
| I'm not sure that morality always works that way, to be
| clear, but I do think it works that way in these specific
| cases.
| sgjohnson wrote:
| I find it hard to believe that no Persian Gulf countries
| made that list. I was under impression that most of the
| manual labour workforce in places like UAE, Saudi Arabia,
| Qatar and Kuwait are slaves imported from the Indian
| subcontinent.
| [deleted]
| somenameforme wrote:
| That's not even the half of it. It's not only building a
| record of who came in and out, but what they did, where
| they went, what or who they "engaged" with in the house,
| and arbitrarily more granular information. And the person
| visiting your house, on average, has no clue any of this
| is happening.
| bskrobisz wrote:
| And leave a webcam on the door of every single person I'm
| professionally engaged with, to record their visitors?
| Use it to understand where each of those persons spends
| all of their time, to the best of my capability? Learn
| who has what vices, and sell that information (or a
| service to employ it) to anyone who would take advantage?
| Teever wrote:
| > Do what?
|
| All of the things that these companies do to monitor and
| track as much of the population as they can.
|
| What I'm saying is it's funny because it's one of those
| things that's apparently legal to do in the aggregate but
| not individually?
|
| Imagine if someone started up a business to track Google
| employees.
| Firmwarrior wrote:
| Man, that's a great idea
|
| Hire a bunch of PIs to follow and publicly report on all
| the movements and actions of every exec you can manage at
| Google, Facebook, and smaller/shadier ad companies
| Teever wrote:
| https://en.wikipedia.org/wiki/Sousveillance
| nine_k wrote:
| Blocking of _feigning_ responses to particular remote APIs is
| still better than having to run a bunch of random tracking JS
| snippets, because without one of them a page just errors out.
| brundolf wrote:
| I have mixed feelings about it, even just as a user. There are
| two reasons people block tracking scripts: 1) privacy, and 2)
| to stem the deluge of crap that marketing departments dump onto
| the page, harming performance (both load-time and otherwise)
| [1].
|
| This basically gives everyone the benefit of #2, even if they
| don't or can't use an ad blocker. That's pretty cool, in
| isolation. But of course it also makes it much harder to
| accomplish #1.
|
| [1] I've seen React-based websites with literally 10x as much
| JavaScript (by weight) coming in from GTM and other third-party
| marketing vendors, as the amount powering the actual app
| functionality. This happens (partly) because every single ad
| provider has you load their own arbitrary JS bundle onto the
| page, just so they can measure conversions. This is obscenely
| inefficient (and frankly, even though it makes things easier to
| block, in some ways it's potentially a lot more
| insecure/privacy-invading). People on here complain about
| frameworks ruining web performance, but in reality GTM is far
| more responsible (or has been, so far).
| ghostpepper wrote:
| Don't forget about ad-served malware
| brundolf wrote:
| GTM doesn't serve ads though, so my understanding is the OP
| doesn't apply to ads, only trackers
| sorry_outta_gas wrote:
| Man, screw the web.
| stefan_ wrote:
| Any organization still running Google Tag Manager and allowing
| random marketing people to insert whatever someone told them to
| in a webinar must be having a death wish when the GDPR exists.
| You would think security teams would have put an end to that
| madness years ago but here we are.
| foxfluff wrote:
| You would think _legal_ would have put an end to that madness..
| antattack wrote:
| I just use different browser for different activities. I search
| with Firefox (w/ Ublock, Adblocker) - when I'm ready to buy I use
| Chrome.
| nine_k wrote:
| Why not just use Firefox containers?
| timbit42 wrote:
| I use Firefox containers but my Firefox is locked down too
| tight for online shopping so I use a different browser for
| making purchases.
| johnny22 wrote:
| firefox still has profiles, so you could use a profile
| that's not locked down instead. Although you'd probably
| wanna use a differnt theme on both to distinguish them.
| Godel_unicode wrote:
| What do you think this buys you?
| antattack wrote:
| Financial transactions provide more (precise) telemetry for
| fingerprinting.
| [deleted]
| newscracker wrote:
| _> How can adblockers react?
|
| ...
|
| > Automatically detect these "1st party" calls to the "proxy"
| server via the URL parameters sent. Except that these URL
| parameters will change from one site to another, depending on the
| library used, the page viewed, etc
|
| > Detect the javascript library responsible for calls to the
| "proxy" server to block its execution. Except that you should not
| simply detect the javascript library provided by Google, but
| potentially all the javascript tracking libraries, even home
| libraries._
|
| Seems like this would be a great case for AI/ML. I say that in
| half jest.
|
| _> Block the IP addresses of these proxy servers._
|
| This seems doable, even with the caveats included in it.
|
| Even if these measures work on some sites and not others, they
| would be valuable.
|
| Meanwhile, please get your non-tech circle to use ad blockers
| and/or browsers that support ad blockers on desktops, laptops and
| mobile. And instruct them that browsers that don't support ad
| blockers are from a "be evil corporation".
| throwawaygjdbsj wrote:
| You didn't think Googles effort to kill third party cookies was
| to help the people did you?
|
| It's a ladder pull.
| pcthrowaway wrote:
| Can someone explain how they claim that TMS is running on 31.9%
| of top 10 million Alexa websites if Google Cloud itself only has
| 7% market share[1] (compared to AWS at 32% and Azure at 19%), if
| the TMS relies on the site being hosted on Google Cloud?
|
| [1]: https://www.parkmycloud.com/blog/aws-vs-azure-vs-google-
| clou...
| pixeldetracking wrote:
| Today, most websites don't user server-side tagging from
| Google, but the "standard" Google Tag Manager (with 3rd party
| tags running on the browser)
| [deleted]
| tpoacher wrote:
| > How can adblockers react?
|
| They shouldn't. Perhaps it's time to stop treating a behavioural
| problem as a technological one.
|
| Perhaps instead a movement needs to start where if a website uses
| these technologies there's a way to inform them they've just lost
| a customer. Technology can help by automatically detecting these
| evils, aborting loading the page, then informing the webmaster of
| their offence, and the community of the offending page.
| rhizome wrote:
| This is not a well-written article.
| zwaps wrote:
| Crazy how evil Google is. Just wow.
|
| Since this runs entirely on the domain of the website, it can
| easily ignore your privacy rights, with Google more or less
| washing their hands clean of it.
|
| Indeed, if we take blocking trackers as expression of consent,
| the only possible reason this exists at all is to illegally
| circumvent privacy preferences.
|
| In other words, if you work for Google, you are literally working
| for a criminal organization. How times have changed.
|
| It seems the only possible option to retain privacy rights given
| to us by law (eg in the EU) is to disable JavaScript and cycle
| IPs or other fingerprinting features. None of that is realistic.
|
| As a EU citizen, i hope that our ineffectual administration at
| least tries to fight this somehow. Of course, there is little
| hope.
| Cederfjard wrote:
| Not taking a moral stance here, just curious what laws you
| think have been broken in this instance?
| RamblingCTO wrote:
| Technically none. But google helps circumvent protections
| that would prevent illegal cases where website owners are
| breaking the law. Now we can't defend ourselves any more.
| Would be fun to see if any law makers would consider this
| abedment (?) or even go directly after google for this kind
| of thing.
| shadowgovt wrote:
| Google explains the purpose of server-side tagging here:
| https://developers.google.com/tag-platform/tag-manager/serve...
|
| The main benefits are performance and security (performance
| because the tagging can be online with other resource requests,
| so user agents aren't pausing on additional requests to third-
| party resources).
|
| This system is giving site owners a fancy way to do analytics
| they could build into their own server. Hardly evil as long as
| it's disclosed and managed in a GDPR-compliant fashion.
| pixeldetracking wrote:
| I agree, thought it has to be done properly (and most
| marketers are not used to that currently)
| manholio wrote:
| > Of course, there is little hope.
|
| I think our hope are technical solutions:
|
| - No 3rd party cookies or equivalents, fully compartmentalized
| browsing, no automated cross-domain GETs/POSTs, no domain can
| leak data to another domain without manual intervention
|
| - No User-Agent leak, just a standards compliance level ex.
| HTML/5.0
|
| - No Java-Script leaks, fonts or any other way to do client
| fingerprinting
|
| - Cycle your IPv6 addresses or even use persistent IP-domains
| binding, with OS support, in a Tor-like manner.
|
| - & Many more
|
| It will break the current web yes, but the web needs a do-over,
| it has become a toxic soup of massive surveillance.
| marcosdumay wrote:
| None of those have any chance of helping.
| manholio wrote:
| Really, none of them, not even a chance? And you've
| conjured that conclusion using your extraordinary powers of
| argumentation, perchance.
| Fice wrote:
| > Crazy how evil Google is.
|
| And the even worse evil are the website owners who betray their
| own users by placing third-party trackers on their own sites.
| tinus_hn wrote:
| If the scripts are hosted on the separate domains they don't
| have access to some global state and there is no cross site
| tracking.
| beagle3 wrote:
| What is their means to correlate users between sites, though?
| On IPv6, the IP itself is often enough (or IP+Browser/OS
| version).
|
| Currently, at home, I'm behind a CG/NAT (and with a somewhat
| fingerprint resistant setup - rotating user agent, blocked
| canvas, a few other things). What would they use to correlate
| my identity across sites, when there's no common "google.com"
| cookie to anchor against?
| catfishx wrote:
| Google: "Don't be evil"
|
| Wat?
| dxdm wrote:
| > our ineffectual administration
|
| It always saddens me to see EU citizens talk in absolutes like
| that. With some exceptions, and by comparison, we have some of
| the best governments in the world, and, for all its faults, the
| EU has been a huge net positive. Perpetuating these overly
| negative stereotypes just aids populists in replacing our good
| governance with the other kind that we see all over the world.
| digitalengineer wrote:
| Here is an overview of all GDPR related fines. I often show
| it to clients to help them understand what could happen.
| https://www.enforcementtracker.com/
| raspberry1337 wrote:
| >a huge net positive
|
| A huge net positive for buisness, that's for sure. There are
| currently over 25,000 lobbyists in Brussels and Berlin [1].
| As for the citizens, that is up to debate, and highly
| individual.
|
| Truckers in Sweden, for example, that currently find
| themselves competing with truckers from all over europe who
| also fill the tank in countries with far cheaper gas, cant
| really be said to enjoy positive gain from the EU [2].
|
| [1] https://www.economist.com/business/2021/05/13/the-power-
| of-l...
|
| [2] https://www.transportarbetaren.se/lavinartad-okning-av-
| tredj...
| mingusrude wrote:
| I am not denying that there are problems for truckers in
| Sweden caused by open borders to other EU-countries and
| that those problems should be fixed. However, without EU
| there would probably be a lot less stuff to truck around.
| raspberry1337 wrote:
| jsiepkes wrote:
| > who also fill the tank in countries with far cheaper gas
|
| So we are talking here about inter-country transport,
| right? Because I don't think it's very econimical to fill
| up your gastank in Poland if your driving deliveries
| locally inside Sweden? That will probably not be a net-win.
|
| If you are a Swedish company importing from for example
| Poland you could always let a Polish transport company
| handle the transport. The EU didn't change much about that.
| A Swedish trucker driving to Poland could also fill up it's
| truck in Poland with cheap gas.
|
| So what did the EU do that made cheaper gas more of an
| competitive advantage then it was before?
|
| BTW gas prices are something that Swedens goverment
| themselve handle...
| raspberry1337 wrote:
| I'm not a trucker, so you would have to ask them about
| the gas they complain about. But there are others more
| obvious issues mentioned by the unions by international
| trucking - they have to compete with companies utilizing
| slave labour and sometimes even cases of trafficking.
| Hence my point that benefits of the EU is highly
| individual. Many have surely won, such as large
| companies, and many have lost.
|
| >So what did the EU do that made cheaper gas more of an
| competitive advantage then it was before?
|
| Enable all european truckers to work anywhere.
|
| >BTW gas prices are something that Swedens goverment
| themselve handle...
|
| I don't see how this is relevant to anything said
| previously, and yes, that is quite obvious.
| jsiepkes wrote:
| > I'm not a trucker, so you would have to ask them about
| the gas they complain about.
|
| You presented it as a (I presume good) example of your
| point. So I'm asking you because it definitly does not
| sound logical.
|
| > Enable all european truckers to work anywhere.
|
| That's not an answer to the question what the EU has to
| do with cheap gas prices in countries like Poland being a
| issue for a Swedish truck driver. A Polish truck driver
| working in Sweden is going to bring his own cheap gas
| from Poland and undercut Swedish transport companies? It
| just doesn't make sense how that is related to allowing
| to work everywere.
|
| The wages could be a problem, sure, but that gap has also
| been largely plugged [1]. But gas prices...?
|
| > I don't see how this is relevant to anything said
| previously, and yes, that is quite obvious.
|
| Its relevant because if it's a real problem Sweden can
| lower taxes on the gas prices in order to remain
| competitive. That's not something the EU needs to do.
|
| My point is that local politicians are quick to point to
| the EU. However it wasn't local politicians that managed
| to for example get the mobile roaming fee's gone for
| good. If you want to have a laugh just look at the UK.
| Vodafone et al said the roaming costs wouldn't return
| after brexit. Yet somehow the roaming costs are back for
| UK citizens...
|
| [1] https://www.euractiv.com/section/road-
| safety/news/controvers...
| raspberry1337 wrote:
| >You presented it as a (I presume good) example of your
| point. So I'm asking you because it definitly does not
| sound logical.
|
| It doesn't sound logical to you that companies based in
| Sweden who endure some of the highest gas prices in the
| world does not want to compete with companies based out
| of eastern european companies with far cheaper gas -
| because they could just fill the tank outside of Sweden
| themselves?
|
| As I said previously, I'm not a trucker myself, so I
| don't wanna go into the specifics, but that is one reason
| their union cites among others. And I don't find it THAT
| hard to imagine that no, it is not as simple as to just
| fill your tank outside of the country where the
| competition does.
|
| > but that gap has also been largely plugged [1].
|
| Your source is a proposal, critized by western unions as
| mentioned by your own posts. The proposal went through a
| compromise but is still being challenged in court by
| eastern european nations [1]. Anyway its too late,
| considering the EU is currently in a trucking crisis,
| that's what happens when you undercut a workforce for
| decades and suddenly demand increases rapidly.
|
| >Its relevant because if it's a real problem Sweden can
| lower taxes on the gas prices in order to remain
| competitive. That's not something the EU needs to do.
|
| And Sweden has high gas prices to try combat climate
| change, but it can lower those measures to be able to be
| competetive with the EU? How does this lead to an overall
| 'net benefit' through the EU, generally and individually,
| when the ecosystem collapses?
|
| >My point is that local politicians are quick to point to
| the EU. However it wasn't local politicians that managed
| to for example get the mobile roaming fee's gone for
| good. If you want to have a laugh just look at the UK.
| Vodafone et al said the roaming costs wouldn't return
| after brexit. Yet somehow the roaming costs are back for
| UK citizens...
|
| I was in UK when brexit came through and I still remember
| all the headlines about how severe and devastating the
| consequences were gonna be, yet I've still to see them
| realize. My question is, in the case of Vodafone, why
| wouldnt one company just not use roaming costs and
| undercut the competitors?
|
| [1] https://www.europaportalen.se/2021/03/sverige-backar-
| nya-tra....
| MrMan wrote:
| I think the underlying problem is that Sweden taxes gas
| very high, very good reasons. Poland, being a regressive
| climate denying conservative place, relatively speaking,
| lets gas be at a natural price.
|
| In the US trucking companies would just relocate to a
| state with cheaper gas, but maybe Swedish people dont
| want to move to Poland, and they also want fossil fuels
| taxed across the entire EU, so they feel aggrieved.
| jevgeni wrote:
| raspberry1337 wrote:
| zambal wrote:
| I'm not sure this is a convincing example of policy that
| results in a net negative? It seems to be a positive for
| truck drivers from other parts of Europe. Maybe for most EU
| citizens too if it leads to lower transport prices?
| raspberry1337 wrote:
| Hence the word 'individually'. Great for truckers from
| poorer countries with weak or no unions sure, and great
| for companies that get cheaper trucking.
| Chris2048 wrote:
| On what basis?
|
| For all it's faults Google was great. Now it isn't.
|
| Why wouldn't we think the EU is just the same, but on a
| longer timespan. Maybe if we had been more critical of google
| in the beginning, despite it's initial comparative goodness,
| it would have found it harder becoming rooted.
| avgcorrection wrote:
| Really fits the EU fan stereotype to immediately complain
| that someone expressing their subjective opinion "aids
| populists".
|
| Maybe they are wrong that the EU is ineffectual. If so, just
| argue against that.
| jevgeni wrote:
| You're not exactly leading by example, arguing off a
| stereotype...
| avgcorrection wrote:
| Are you charging me with hypocrisy? Ok here's the
| difference:
|
| - "Ineffectual EU": this could be a well-informed or
| badly informed opinion. Or it could be a lazy stereotype.
| The OP did not elaborate so we have no way of knowing
| that at this point.
|
| - "EU stereotypes - aids populists": the reasoning or
| association being drawn is right there in the post--You
| said A (or rather my interpretation of A) and that causes
| B.
|
| My own point was simply that one can make a counter-
| argument instead of complaining about how a certain
| assertion aids populists.
|
| Could my point have been made without the EU fan
| stereotype charge? Sure. But taking the high road at all
| costs is not my personal policy and responding tit-for-
| tat is OK in my book.
| jevgeni wrote:
| Firstly, the "ineffectual EU" stereotype is a well-known
| trope of anti-EU populist politicians, so I'm not sure
| what more should be proven to you?
|
| Secondly, you say yourself, that OP does not in any way
| support their "ineffectual EU" statement, which is
| according to you not a problem. Not once did you see it
| as a problem. In fact, you go out of your way to hide
| away the implied associations in zwaps comment.
|
| But when dxdm points out that it's a populist opinion,
| then you become the debate police.
|
| Yes, that's hypocritical.
| avgcorrection wrote:
| A problem? It's neither here nor there--people spout off
| all sorts of opinions on HN or any fora. So no--it's not
| a problem. It's just an opinion, not some vigorously
| well-researched argument.
|
| People can say that the EU is the best thing since sliced
| bread--also not a problem.
|
| I'm not a fan of the EU but I'm not going to accuse
| people who like the EU that they are "aiding the
| technocrats of Brussels" (or some similar over-the-top
| rhetoric).
|
| Yes. I do take issue with jumping to the "aid populists"
| conclusion from merely _two words_. Saying that some off-
| hand Internet comment is aiding authoritarians--because
| that's surely the implication of "the other kind [of
| governance] that we see all over the world"--is
| hysterical.
| dkjaudyeqooe wrote:
| That's true, but EU governance is byzantine to say the least.
| I realise that this is a political necessity, but at some
| point people have to understand that we're losing a majority
| of the benefits while increasing costs in having such a
| cumbersome arrangement.
|
| Maybe with Russia being so aggressive people will realise
| unity and cooperation should be a priority.
| toyg wrote:
| _> That 's true, but EU governance is byzantine to say the
| least._
|
| That's largely because the fight for primacy between
| continental authorities and national ones is still ongoing.
| Unlike the US, where (beyond the occasional tactical
| posture) Congress, Presidency, and Supreme Court, have long
| been established as fundamentally supreme to their
| equivalent in local states, for the EU this has not yet
| been the case in many areas. Even the courts of one of the
| pillars of the union, Germany, recently refused to certify
| such primacy, and are currently in the process of being
| sanctioned.
| dontlaugh wrote:
| I agree that it's not ineffectual. It's very effective at
| imposing austerity, privatisation and deregulation,
| especially on the periphery countries. It's also effective at
| encouraging foreign ownership of industry and exploitation of
| migrants.
|
| On occasion, the EU does something that is accidentally
| useful to most people. But in general, it's bad for all
| workers and even businesses of the periphery countries.
| southerntofu wrote:
| The EU had some great time not long ago but it lost its way.
| Now apart from GPDR what was the last good news you heard
| from this EU? Was it about automatic censorship filter? About
| Frontex turning into a military organization designed to help
| people die at sea?
|
| From some perspective, the EU is much better than my local
| corrupt/authoritarian government (France) and effectively
| serves to keep french abuses of power in check (though it
| always takes 5+ years of litigation to reach the European
| Court of Human Rights or the ECJ). But in even worse-off
| countries like Hungary the EU is essentially powerless
| against human rights abuses.
|
| Also in France the EU had zero negative impact because the EU
| is more or less controlled by France (and a handful other
| countries) so the neoliberal anti-social policies are usually
| already in place before they became mandatory on a european
| level, but in some EU countries the EU is the reason your
| kids can't study, your cousin lives on the street, and your
| grandma can't afford healthcare. I'm thinking about Greece
| among others here, where EU has put enormous pressure on an
| entire country to pay for banking shenanigans and created
| enormous suffering for the entire population just to pay of a
| few french/german banks who can well do without (and without
| whom we could do well, as well).
|
| So it's not exactly one-sided. And in fact, we could make the
| argument corruption and anti-democratic policies in the EU
| (anti-social regulations, proposals ignored by the parliament
| which has very little power compared to the commission) is
| part of what's led to the new rise of fascism across Europe.
| To keep Greece as an example, people massively voted for
| Tsipras a few years back, but under Troika pressure he took
| away _all_ his campaign promises and sent the riot cops
| against the local population just like the previous
| government. So now they have a right-wing authoritarian
| government who 's cracking down even harder on social
| services and launched a military assault on the only free
| commune of the capital (Exarchia) where life was a little
| less worse than elsewhere around the country.
|
| Is it supposed to be that hard to keep only the good stuff
| and say fuck you to bankers and other suit-and-tie people?
| peoplefromibiza wrote:
| > It always saddens me to see EU citizens talk in absolutes
| like that.
|
| Unfortunate there are many European enemies of the EU.
|
| It doesn't even have anything to do with EU administration:
| EU can't prevent Google trying to trick users into leaking
| their privates data and habits.
|
| Not at least until Google reveals their plans on how they're
| gonna do it.
|
| On a final note: we accepted two non-democratic countries in
| EU, Poland and Hungary, and these are the results.
|
| They infected all the other countries, like COVID-19 has done
| with people.
| anhner wrote:
| I don't think it's fair to put Poland and Hungary in that
| basket. It's not like they were like this when they joined
| the EU. They slowly drifted towards anti-EU sentiment over
| the years thanks to populist politicians. The same can
| happen to any country. The same happend to Britain.
| darebak wrote:
| Or they slowly drifted towards anti-EU sentiment due to
| the EU.
| peoplefromibiza wrote:
| > Or they slowly drifted towards anti-EU sentiment due to
| the EU.
|
| _Poland, through 7 national and 17 regional programmes,
| benefitted from EU funding of EUR 91.3 billion under the
| 2014-2020 ESIF programmes (as of January 2022). This
| represented an average of 2 400 euro per person in the
| 2014 population_
|
| they didn't drift
|
| they already had it in their belly, they simply hid it to
| take EU money and build their anti-democratic platforms.
|
| Don't get fooled by appearances.
|
| People of Hungary and Poland are not responsible for
| what's happening to them and to their countries and they
| do not deserve it.
| darebak wrote:
| I am not sure what are you getting at? Money is not
| significant factor in anti-EU sentiment, insisting it is
| only increases that sentiment.
| peoplefromibiza wrote:
| Repetita Iuvant
|
| _they didn 't drift
|
| they already had it in their belly, *they simply hid it
| to take EU money and build their anti-democratic
| platforms*._
|
| Money was the *most* important factor.
|
| The anti-eu sentiment *was already there*
|
| They simply did not have the money to lead, they were
| just some anti-communist nut.
|
| Now they are uber rich nuts.
|
| So yeah, in a way it was EU fault, because they invited
| them in and gave them a lot of money instead of leaving
| them in the good hands of uncle Putin.
| [deleted]
| dessant wrote:
| > we accepted two non-democratic countries in EU, Poland
| and Hungary, and these are the results.
|
| I can't speak for Poland, but the political landscape of
| Hungary was different when it joined the EU, and the
| country was by no means considered non-democratic or EU-
| skeptic.
|
| > They infected all the other countries
|
| The EU was infected by rising inequality and the
| degradation of purchasing power by the middle class, which
| is a global issue that gives an opportunity for populists
| to gain power, and for the population to find scapegoats,
| like pointing fingers at a foreign country.
| estrai wrote:
| Poland's political landscape has also changed since they
| joined the EU, perhaps in a less spectacular way than in
| Hungary. Both countries are democracies, current leaders
| were elected in democratic elections. It's the adherence
| to the rule of law that's an issue in both cases.
| JumpCrisscross wrote:
| > _Both countries are democracies, current leaders were
| elected in democratic elections_
|
| Elections in which the ruling party has no real chance of
| being deposed, and thus no incentive to compete, aren't
| democratic.
| pqs wrote:
| One can argue that the EU itself is rather undemocratic, as
| the Parliament does not hold much power, and there isn't a
| clear separation between executive and legislative, as the
| Commission and the Council of Ministers both participate in
| the process.
| [deleted]
| peoplefromibiza wrote:
| > One can argue that the EU itself is rather undemocratic
|
| Of course one can.
|
| It doesn't make it correct though.
| blibble wrote:
| it's the only parliament in the world that can't
| legislate
| peoplefromibiza wrote:
| repetita iuvant #2
|
| _You can of course think it
|
| It doesn't make it correct though_
| thenaturalist wrote:
| Agree completely with your voice there.
|
| In fact, I think especially when you look at digital privacy
| and curbing ever more intrusive tracking practices, the EU
| has been THE most engaged international body by far. Of
| course it's a game of cat and mouse, but advertisers will do
| what advertisers do and when the practice is exposed don't
| think it'll go unnoticed.
| prox wrote:
| I agree. I understand people like to talk in this way to show
| their emotional connection to the topic, but it's not very
| helpful and like you mention, too absolute.
|
| It's a system in progress, and we need to be invested in its
| ideals (fair, just, democratic)
| saiya-jin wrote:
| Most often such comments come from eastern parts of Europe,
| where nationalistic movements have a nice resurgence in
| past few years. A prime example is Czech republic, a very
| euro-skeptical nation despite all the benefits it brought
| them. Hungary would be another one.
|
| That being said, as somebody coming from east too and
| seeing clearly all the direct and indirect benefits of EU,
| its far from ideal. The whole concept of central planning
| resembles old east communist block when soviets forced down
| our throats whatever they pleased (we had to refuse
| Marshall's plan, they took all of our uranium reserves for
| free for which more appropriate term is stealing, and many
| many other cases) and that's an association many older
| people have knee-jerk reaction of.
| tremon wrote:
| As if England didn't broadcast its share of fact-free
| euro-skeptical gaslighting all over Europe. As if their
| voice wasn't echoed by both PVV and FVD in The
| Netherlands, FN in France, AFD in Germany or M5S in
| Italy.
| suction wrote:
| True. If you compare Hungary / Poland and for example
| Ireland and Portugal, the difference couldn't be greater
| in terms of effectiveness of government.
| ThalesX wrote:
| > Most often such comments come from eastern parts of
| Europe, where nationalistic movements have a nice
| resurgence in past few years.
|
| I wish people would stop attributing our attitude to
| nationalistic resurgences.
|
| I'm a globalist and think nationalism and regionalism
| should be relics of the past and I keep getting put in
| the same box as nationalists because I am Euro-realist.
|
| With this frame of mind I think the EU politicians are
| shit at building the foundations for a truly globalized
| civilization and the current system devalues entire areas
| of the continent both of natural resources as well as
| human resources.
| krageon wrote:
| > Euro-realist
|
| It's not realism to believe the EU can't exist within or
| facilitate your idealised frame of reference (assuming it
| makes sense and is something people should want), it's
| just negativity.
|
| > I wish people would stop attributing our attitude to
| nationalistic resurgences.
|
| Quite frankly nationalistic resurgence is the #1
| indicator for "euro realism", so this is a very
| reasonable stance to take.
| Chris2048 wrote:
| > nationalistic resurgence is the #1 indicator for "euro
| realism"
|
| Is it though? All you did was express this opinion, you
| didn't prove anything. Also, multiple different
| indicators can correlate spuriously.
| ThalesX wrote:
| > It's not realism to believe the EU can't exist within
| or facilitate your idealised frame of reference (assuming
| it makes sense and is something people should want), it's
| just negativity.
|
| As a citizen of the EU, I am arguing for the
| debureaucratization of institutions, for capital
| unlocking in proper ventures, nuclear energy, and the
| appropriate handling of countries from which human
| capital is departing faster than some war-torn ones.
| Frankly, I don't give a damn that some people might
| perceive this as 'negativity' on a forum when I have
| (hopefully) an entire life to live under this construct.
|
| > Quite frankly nationalistic resurgence is the #1
| indicator for "euro realism", so this is a very
| reasonable stance to take.
|
| Quite frankly, if you're going to shove me, against
| evidence, in the nationalist insurgence "euro realism"
| and then claim it as a reasonable stance to take. I'm not
| sure where that leaves me in this debate. Argue with your
| constructed image of me all you want.
| cameronh90 wrote:
| Before the whole brexit issue, even most ardent EU
| supporters would admit that the institution was terribly
| dysfunctional and would need to be reinvented to survive
| the next few decades.
|
| The Brexit debate seems to have polarised the whole issue
| into either you hate the EU and everything it stands for,
| or you think the EU is perfect and if it wasn't for these
| damn national governments then we could live in utopia.
|
| Unfortunately my country is no longer part of this
| project, but I hope that pro-EU people take on board some
| of the valid criticism of the institution and make the
| necessary changes. Otherwise, what happened here will
| inevitably happen elsewhere.
| toyg wrote:
| _> even most ardent EU supporters would admit that the
| institution was terribly dysfunctional_
|
| That's a mischaracterization. "Most" would have accepted
| that there was (and is) room for improvement, but
| "terribly disfunctional" is an extreme term. The view
| that the whole institution had to be reinvented has
| always been a very English idea, based on the fact that
| some key policies (like agricultural support) benefited
| other countries over Britain. Most of the continent, much
| more pragmatically, always understood that the EU is
| fundamentally _a set of compromises_ that will continue
| to expand. As such, it can look confusing from a
| distance, but once you unpack it, the compromises
| actually make sense (or are the only possible way towards
| cooperation among such different peoples). Britain
| benefited hugely from infrastructure support programs,
| for example.
|
| The EU has always been kept together more by the sheer
| will of European middle-classes at large, than by this or
| that particular set of rules. National governments are in
| a constant state of tension with something that they see
| as a new competitor for the absolute power they enjoyed
| for centuries. This will likely continue to be the case
| for a very long time.
| cameronh90 wrote:
| > a very English idea
|
| The UK didn't even have the worst public opinion of the
| EU in Europe on average.
|
| Public polling has generally shown other countries -
| including Italy, Greece and France - have an
| approximately similar (or worse) opinion of the EU than
| we did. There's a significant chance that Sweden would
| have ended up having a referendum on membership if we
| hadn't, but how terribly it's gone for us has put off
| many of the eurosceptics elsewhere. During the worst of
| the Eurozone crisis, there were many who genuinely
| thought that the entire bloc would - or should -
| collapse.
|
| I also think people here do understand it's a set of
| compromises. The question for many is whether the set of
| compromises has become too large and unwieldly. The
| common view of eurosceptics in the UK was that the scope
| had crept too far, and that we could gain most of the
| benefits through a normal trade agreement without having
| to compromise on aspects like agriculture, fisheries,
| immigration control and ceding control over national law
| and third party trade. I think so far this is not going
| well, but it's still an open question.
|
| What you point out about Brits not understanding EU press
| is touching on an major issue a lot of people had with
| it: how can a supranational institution taking over
| national government function be truly democratic if you
| don't even have a standard language, and can't understand
| each other's press? A common aspect of countries with
| poorly functioning democracies is they don't have a
| common culture or language. Whenever I've needed
| information about the EU, it's always been difficult to
| find because the EU websites are poor and the source
| material is often in French or another language that I
| can't understand.
|
| I absolutely agree that the compromises are necessary for
| the EU to function in its current state. However, perhaps
| the EU scope has become too large given how disparate the
| members are? If your partner desperately wants to live in
| Europe and you desperately want to live in the USA, does
| it really make sense to compromise by living on a boat in
| the Atlantic? Or is it better to just be friends
| instead...
| toyg wrote:
| _> The UK didn 't even have the worst public opinion of
| the EU in Europe on average._
|
| The UK is the only country where significant chunks of
| the _elites_ kept explicitly advocating for (and are now
| putting in practice) a future outside the bloc. I 'm
| Italian, and with all the usual complaints about this or
| that policy, Italian elites have never seriously
| considered backtracking on the project - because they all
| realize that the European nation-state is dead meat in
| the age of continent-sized superpowers. Of course they'll
| bitch and moan that they can't currency-inflate their way
| out of economic crisis anymore, but that is it; once
| Eurozone institutions are tweaked to allow for more
| fiscal transfers across the Union, as it's slowly
| happening, there won't be any real reason to leave.
|
| Same basically goes for French elites - with the last
| humiliation in Mali a painful reminder of their actual
| standing in this brave new world. The only country with a
| potential future outside the bloc is Germany, but they
| benefit from it so much in practice that it's never going
| to happen.
|
| _> how can a supranational institution taking over
| national government function be truly democratic if you
| don 't even have a standard language_
|
| This is really a non-issue, EU institutions employ an
| army of translators and everything is available in any
| chosen lingo. The working _lingua franca_ are effectively
| two, French and English. Any decently-educated European
| is bilingual, these days, to a decent level.
|
| It's more about insularity of the intellectual and
| political classes in this or that country. Probably
| because of the overabundance of cultural production
| coming from the US, the UK outside London is extremely
| insular. Pretty much any continental elite-person will
| consume The Economist and the Financial Times _in
| addition_ to their local press; whereas the UK
| intellighentsia hardly every touches any continental
| press.
|
| _> f your partner desperately wants to live in Europe
| and you desperately want to live in the USA_
|
| When the alternative is being overrun by Russian tanks
| and American F15, yes, the Atlantic island will have to
| do. We will all bitch and moan, sure, but we'll get on
| it.
| cameronh90 wrote:
| I don't think the UK is as far from other European
| countries as you think it is. Our elites, bar,
| historically, a small contingent of the conservative
| party, have always been _far_ more pro-EU than the
| population at large. Indeed, they still are - possibly
| about 3/4ths of parliament are Europhiles. Eurosceptics
| were typically political misfits and weirdos, like
| Farage, Corbyn, Banks, Gove, Wetherspoon and Cummings.
| BoJo only jumped on the Leave bandwagon as he's an
| opportunist. Nigel Farage seemingly made it his life goal
| to separate the UK from the EU and was fairly wealthy,
| but not even close to the kind of wealth you see on a day
| to day basis around London, let alone an elite. I
| personally know far wealthier, more politically connected
| "elite" pro-EU individuals than Farage. Most business
| leaders and elites in London, especially those in
| finance, were solidly pro-EU as their livelihoods were
| based on it. The EU is arguably the world's largest elite
| globalist capitalist organisation.
|
| Farage's influence was minimal until he managed to
| position himself as the leader of the British anti-EU
| movement, which as far as British political movements go,
| was as close to a grassroots movement as it gets. Few of
| the mainstream Conservative political elite were pushing
| for Brexit until it became increasingly apparent that
| they were losing votes to UKIP based on the anti-EU
| sentiment that had been boiling under the surface for the
| better part of half a century. The nature of our
| political and voting system is that the two major parties
| tend to try and placate the extremes to diminish their
| influence. There's a lot to dislike about how that system
| works, but historically that has resulted in a relatively
| stable political system. Once this discontent reached a
| certain level, Cameron decided to gamble the future of
| the country to save the Conservative party, thinking
| they'd easily walk the referendum and kill the grassroots
| opposition - but despite almost every major mainstream
| political influence being on the side of remain, leave
| won.
|
| There is clearly a certain amount of Russian influence,
| dodgy money and disinformation that pushed us that
| direction, but honestly I think it's overstated. Without
| it, maybe it would have gone 52/48 the other way, but
| clearly it was going to be very close no matter what. The
| EU has never sat right with a lot of people across the
| entire political spectrum for many of the same reasons
| it's unpopular with both the left and right in other
| European countries. I suspect if France was to have a
| similar referendum, the results would be similarly
| uncomfortably close - even if Frexit ultimately lost.
|
| Arguably the main difference between the UK and other
| European countries is our political mainstream tends to
| shift more to placate the extremes and stop them becoming
| a mainstream force in their own right. This is evident in
| how UKIP/BNP/BXP are now irrelevant again and have no
| representation, whereas AFD, SD, M5S, RN and others are
| still significant forces in European politics. I would
| bet money that if we had a different voting system,
| Brexit wouldn't have happened. Whether or not our voting
| system's trade-offs are the correct ones or not is
| certainly debatable (and I personally vote for voting
| reform at any opportunity), but our system has served us
| well throughout history and one must always be careful
| about changing something so fundamental to a successful
| democracy.
|
| What also emboldens the UK is that despite no longer
| being an Empire, it still is a very powerful country in
| its own right. Irrespective of how much of that power we
| dumped by leaving the EU, we're still permanent members
| of the UNSC, members of G7, FVEY, somewhere between #5
| and #7 in global GDP, one of the strongest militaries,
| one of maybe two or three global force projection blue
| water navies, one of five NPT designated nuclear weapon
| states, one of the top countries for education, business
| and media output, have one of the world's two global
| cities, etc. If Sweden had a similar level of global
| relevance, the equation there might be substantially
| different too.
|
| Another reason other countries haven't left the EU is
| that the EU was intentionally designed to make it hard to
| leave. This isn't a conspiracy theory, the people who
| wrote those protocols have stated such. Obviously part of
| the point of the EU was to make us interdependent so we
| don't start killing each other again.
|
| > This is really a non-issue, EU institutions employ an
| army of translators and everything is available in any
| chosen lingo. The working lingua franca are effectively
| two, French and English.
|
| Not only is this a huge waste of time (and thus I would
| argue reduces the overall quality of the output of EU
| institutions - which is certainly extremely poor compared
| to UK government resources), the quality of those
| translations were often questionable. It was not uncommon
| for me and European friends to find pages where the pages
| would say something subtly different depending on what
| translation you were reading.
|
| But I would argue that it's not just about EU
| institutions, but rather for it to be a strong union you
| need to have an understanding about the domestic
| policies, culture and general goings-on within the other
| countries within the union. The UK has almost no cultural
| overlap with somewhere like Romania, which makes it hard
| for British people to accept that level of immigration
| and integration. Imagine every US state had a different
| language. Even if they also all spoke English as a second
| language, it's hard to imagine that would be as strong of
| a union as it currently is.
|
| And of course, many EU citizens speak other languages,
| but most commonly they speak their native language,
| intermediate English and then sometimes a tertiary
| regional language (e.g. Finns speaking Swedish). NW
| continental Europe tends to be a bit better, with places
| like Belgium, Netherlands, Switzerland often being
| conversational in 3 or 4 languages, but that's not
| particularly representative of the whole EU. Europe is
| still very much a continent where people don't understand
| each other particularly well.
|
| As for the UK intelligentsia not touching European press,
| bilingual ones certainly do - but in general, why would
| we? It obviously doesn't make sense to learn German to
| read BILD. Anything important gets translated into
| English, and between our own press and the rest of the
| English speaking world, we have access to more quality
| media and news than we could possibly hope to consume in
| our lifetimes. Such is the nature of natively speaking
| the world's dominant language: no other languages reach a
| critical level of importance that we generally ever
| bother to learn them well. Personally speaking, if I was
| to learn another language, it would be either Spanish or
| Mandarin, neither of which would probably help me out too
| much in European matters...
| blibble wrote:
| > Britain benefited hugely from infrastructure support
| programs, for example.
|
| how, exactly?
|
| compared to UK government expenditure: the funding from
| EU programs are a rounding error
| toyg wrote:
| Half of Wales and Scotland was rebuilt with European
| money that Westminster would not have dispensed
| otherwise, preferring people in decaying cities to "get
| on yer bike". If that's a "rounding error", think what
| the UK government could have achieved before and since,
| and never bothered to.
| blibble wrote:
| your statement makes the bus figure look honest by
| comparison
|
| the block grant to Scotland in 2019/20 was PS32 billion,
| whereas EU RDF was EUR1.8 billion for 2014-2020
|
| or put another way: the UK block grant provides Scotland
| more than 128x more the EU funding over the same period
|
| put another way: EU funding is 0.78% of that provided by
| the UK, which I think is fair to describe as a rounding
| error
|
| additional points:
|
| 1. the RDF only exists because of Westminster: the UK
| government made it a condition when it joined the EEC in
| 1972
|
| 2. EU funds spent in the UK are funds from Westminster as
| the UK is (well, was, thankfully) a net contributor
|
| (as a general observation: innumeracy amongst ultra-
| remainers seems to be very common)
| arka2147483647 wrote:
| > The view that the whole institution had to be
| reinvented has always been a very English idea, based on
| the fact that some key policies (like agricultural
| support) benefited other countries over Britain.
|
| Most of the important discussions about EU are not held
| in English. I think a good part of the negative talk
| about EU in the English speaking sphere comes from
| English (Who have different needs than continental, or
| eastern Europe) talking with Americans (Who understand
| the EU even less).
|
| A lot of the moderate, compromise analyzing discussions
| will not be perceptible in English, because it will be
| held in French, German, Italian, Spanish, etc...
| [deleted]
| Y-bar wrote:
| > I wish people would stop attributing our attitude to
| nationalistic resurgences.
|
| Why should we stop? Where I live (NW Europe) this
| sentiment is almost exclusively echoed by members of the
| refreshed "neoconservative/nationalistic" right wing
| parties.
|
| Other parties also have their qualms about government
| institutions, of course, but for different reasons and
| expressed with different attitudes.
| ThalesX wrote:
| > Why should we stop? Where I live (NW Europe) this
| sentiment is almost exclusively echoed by members of the
| refreshed "neoconservative/nationalistic" right wing
| parties.
|
| This is the 2nd post ignoring the fact that I have
| declared I am, in fact, not a member of such a group.
| Assuming that I'm lying, you'd be correct in holding your
| stance. Considering I am not lying, you are basically
| closing in the door to communication and possible
| expansions of subject matter from someone that's really
| not an extremist in any sense of the word.
| glogla wrote:
| You might not be formally member of such groups, but if
| you are spreading their values and repeating their
| propaganda, you're working for them.
|
| That would make you _de facto_ member even if you 're not
| _de iure_ member.
|
| e: and based on Paradox of Tolerance, shutting down
| communication with anti-system efforts might be the only
| way. You can't be tolerant to intolerance, you can't be
| democratic to anti-democracy, etc.
| ThalesX wrote:
| Mind underlying where I am spreading the values and
| propaganda of 'refreshed "neoconservative/nationalistic"
| right wing parties'? I would like to not do such a thing
| if possible.
|
| I'm quite surprised that so many don't realize that there
| exists an entire category of people that are not radical,
| but do hold opinions on some reforms that should be
| taken, including the quote that started this conversation
| "our ineffectual administration".
| glogla wrote:
| I'm not saying you are. I'm saying that if someone says X
| and there's groups saying X than expecting that person to
| be part of that group is kinda normal and not some kind
| of character assassination.
|
| Speaking of ineffectual administration - I think it might
| be hard for some people to grasp that any bureaucracy is
| going to look inefficient. The point of bureaucracy is to
| replace ad-hoc decision making with a repeatable,
| documented, audited and justifiable process. Ad-hoc "the
| dictator decides" is always going to be faster.
| Chris2048 wrote:
| > if someone says X and there's groups saying X than
| expecting that person to be part of that group is kinda
| normal
|
| Different groups can support the same policies for
| entirely different, and mutually exclusive reasons.
| nec4b wrote:
| In Eastern Europe before joining the EU, the most anti EU
| parties were the "ex"- communist and neomarxist and the
| conservative parties couldn't wait to get in. There can
| be 2 explanations why this has changed today.
|
| 1. The "ex"-communist and neomarxist parties became
| enlightened democrats and the conservatives changed to
| nationalistic anti democrats.
|
| 2. Something changed within the EU, which made it a
| suitable environment for "ex"-communist and neomarxist to
| thrive in and reminded the conservatives what was it like
| to live under old communist regimes.
|
| I think the number 2 is the right explanation. The news
| about undemocratic Poland, Hungary and occasional other
| eastern-southern countries is mostly spreading through
| leftist western media by activist reporters who take for
| granted what their leftist activist colleagues from
| eastern countries are feeding them. For a person who
| reads newspapers in both parts of Europe, that fact is
| painfully obvious. Throw in some leftist activist MPs
| (like Sophie in 't Veld) and good old geopolitical power
| struggles and the world quickly becomes black and white
| (us vs them).
| tsimionescu wrote:
| You should also note that across much of Eastern Europe,
| the "ex"-"communist" and "neomarxist" parties were always
| either nationalistic and populist (e.g. the PDSR/PSD in
| Romania) or subservient to Russia. This means that there
| was a very easy pivot from "communist" parties to far-
| right ultranationalism, usually with a good dash of
| oligarchy, authoritarianism, and/or kleptocracy which
| also characterized the old regimes. There are very few,
| if any, leftist ideals held by any remnants of the Cold
| War-era government parties.
| nec4b wrote:
| Yes, communist never had troubles with nationalism. And
| communism is by definition a populist ideology. The
| legendary elusive communist who shapeshift the moment one
| points a finger at one (no true communism), is more of an
| idea of western leftists.
|
| Unfortunately the communist ideals are very much alive
| and well, especially in those countries where communism
| arose from within, without an external force.
| tsimionescu wrote:
| Well, "communism" in the Eastern Bloc is more
| appropriately called State Capitalism, it has nothing
| really to do with the left, socialism or communism.
| nec4b wrote:
| Maybe you'll get it right next time. Then you'll have
| true communism, at least until it fails again. Then the
| kids from the last round of red nobility will call it
| "capitalism something" and agitate for new true communism
| again.
| tsimionescu wrote:
| If you believe that the USSR (or China, etc.) were actual
| attempts at socialism or communism, do you also believe
| they were democracies?
|
| Socialism, by definition, is democratic workers' control
| of the means of production. A socialist dictatorial state
| is therefore an oxymoron.
|
| If the state itself is controlled by a violent maniac
| (Stalin, Mao, etc.), and the state owns and controls
| every aspect of society, including the means of
| production of course, then there is simply no logical
| connection to socialism.
|
| The USSR and China claim(ed) they are are democratic and
| socialist states. The "democratic" part is obviously a
| lie, and was ever since the beginning, since Lenin stole
| the revolution - and everyone of course knows this. Why
| then do people believe the "socialist" part?
| suction wrote:
| We should stop because it bothers them that the "clever"
| ways they try to undermine democracies and the EU aren't
| that clever at all and easily observable.
| darebak wrote:
| EU is trying to undermine democracy, atleast in my
| country.
| martimarkov wrote:
| I feel this would be headline news if correct so do you
| want to elaborate or is it just a throw away comment with
| no backing?
| darebak wrote:
| It would not be headline news because bit doesn't benefit
| any big capital player.
|
| Continuous support of Germany to autocrats is so widely
| known it even has a name, stabilocracy meaning that a
| country is ruled by an autocrat that is favourable to
| German and by extension EU business.
|
| Most blatant support to that kind of leadership happens
| to be when the German PM and EU commissioners
| congratulated Serbia on its EU path often just days after
| some protest or antidemocratic measures done by the
| Serbian dictator. Or the support that Quinta gave to
| constitutional amendments which reinforced the control of
| the current regime over the judicial branch.
| suction wrote:
| Gobbledigook
| darebak wrote:
| Why would it be headline news? It doesn't benefit any big
| capital.
|
| Most significant incident was definitely in 2012 when
| Serbia had tight elections on all levels including
| parliamentary and presidential elections. The problematic
| part was that German PM at the time congratulated the new
| president even before the polls were officially closed.
| I'm not saying that Germany is the EU but various EU
| commissioners were not much better over the years,
| praising Serbian EU path days after controversial anti-
| democratic actions by the government. Lately this has
| began to change but it's a little bit late, Serbian
| president consolidated power not unlike Orban or Putin.
|
| All this has contributed to lowest support for EU
| ascension among Serbian population in a generation.
| Chris2048 wrote:
| > but for different reasons and expressed with different
| attitudes
|
| What reasons / attitudes / sentiment are you referring
| to?
| jagrsw wrote:
| > Most often such comments come from eastern parts of
| Europe, where nationalistic movements
|
| This is seriously an uncool statement. Such
| generalisations, are both unethical and unfounded.
| JumpCrisscross wrote:
| > _such comments come from eastern parts of Europe, where
| nationalistic movements have a nice resurgence_
|
| Speaking as an American (and a Swissman), the country
| that has done the most to undermine the EU has been
| Germany. First with austerity. Next by hyperventilating
| over nuclear. Then by implementing the results of said
| hyperventilation by vacillating over Russia. Almost
| pathologically, it has been Berlin putting its interests
| ahead of Europe that has caused Brussels' stumbles.
|
| If these issues weren't blocked (nor the common defence
| and deposit insurance schemes) nationalism in Eastern
| Europe wouldn't be as pressing.
| openplatypus wrote:
| > Most often such comments come from eastern parts of
| Europe, where nationalistic movements have a nice
| resurgence in past few years.
|
| That kind of gas-lighting should not have place on HN.
| That's unfair and dismissive generalization.
|
| We, Europeans from west and east, center, north and south
| walked blind into privacy abuse. If awareness coincides
| with increase of nationalist movement in Europe and US,
| that is not a correlation.
| robtherobber wrote:
| I must echo the other comments in this thread and point
| out the fact that this sort of generalisation does more
| harm than good by helping to cement one of the negative
| stereotypes concerning Eastern Europe (EE) (that somehow
| they lack the ability or the drive to work towards a more
| democratic society), which is also not backed by data.
| According to this 2019 BBC article [0] that looks at
| where in Europe's political landscape the right-wing
| nationalists hold sway, 8 out of top 10 countries are in
| Western Europe (WE). The UK is not on that list (nor
| other EE countries like Croatia for that matter), but I
| think it should be.
|
| There's also a noticeable increase in right wing
| terrorism, which appears to take place more in WE than EE
| ("measured by overall volume of right-wing terrorism,
| Germany and Italy, the two former World War II Axis
| powers, lead the way"), where most targets show that the
| substantial majority of right-wing terrorist attacks have
| been aimed at immigrants and Muslims [1]. Possible
| explanations include the displacement of people from
| conflict zones like Syria and Afghanistan, but also the
| fact that most migrants in Europe are economic migrants,
| which means that they go from less economically developed
| countries to more developed ones, thus from EE to WE,
| which is why the rise of nationalism is higher in WE than
| EE. This, of course, is but speculation on my part,
| especially since countries like Hungary, Poland and
| Czechia have behaved rather poorly in this respect, on
| par with Austria, Italy and the UK.
|
| Plenty to discuss here and there's a lot of information
| available, but I doubt we can simply point to EE and
| consider the matter closed, since this seems to be a
| global phenomenon.
|
| [0] https://www.bbc.co.uk/news/world-europe-36130006 [1]
| https://www.opendemocracy.net/en/countering-radical-
| right/we...
| Chris2048 wrote:
| [deleted]
| suction wrote:
| RamblingCTO wrote:
| That's definitely not trolling, that's just correct. We have
| nice laws and stuff, but it's not widely enforced and almost
| all websites do not implement these laws correctly. So why is
| it trolling? You also need to enforce it and make it hurt.
| thirdvect0r wrote:
| Twitter has convinced everyone on the Internet that people
| who have even midly divergent views about their government
| of choice are "Russian bots".
| suction wrote:
| Never been on Twitter, sorry kid
| jevgeni wrote:
| No, Russian bots convinced everyone to suspect diverging
| opinions to be Russian bots.
| WithinReason wrote:
| > It seems the only possible option to retain privacy rights
| given to us by law (eg in the EU) is to disable JavaScript and
| cycle IPs or other fingerprinting features. None of that is
| realistic.
|
| As a last resort, using a VPN and automatically scrambling your
| fingerprint seems doable
| habosa wrote:
| > the only possible reason this exists at all is to illegally
| circumvent privacy preferences.
|
| The article gives multiple other reasons why this exists.
| Gibbon1 wrote:
| I was thinking about something. There is belief that Old Boeing
| died when they 'bought' McDonald Douglas, with the result that
| MD's cancerous bloated failed defense contractor management
| then injected itself into Boeing.
|
| Hear me out. Google bought Doubleclick in 2007. And
| Doubleclick's sleezy amoral management culture injected itself
| into Google.
| tyingq wrote:
| I'm sure it had an effect, but they were already reading your
| email and making targeted ads out of the content before that.
| geeB wrote:
| From the outside, Eric Schmidt basically put them on the
| current track and he long predates the acquisition. Most
| likely when the company was in its infancy and growing at
| high rates relied on cranking out products loved by all, it
| was easy to do the right thing/humor the founders (assuming
| they cared at least). At this stage though there is not much
| utility (as far as increasing ad revenue) in improving
| products, so its harder to hide what really mattered all
| along if they want to meet the growth expectations that the
| market/themselves have set.
| collegeburner wrote:
| I'll probably get roasted hard for saying this on HN. Maybe not
| the tracker part, but I am excited by server side ads. I hate
| that I can't either make the ~30% of my audience that block ads
| stop using my site or see the ads anyway because they continue
| costing me resources. Especially since my ads aren't awful or
| invasive or slow.
| manigandham wrote:
| Any website can ingest data and then pass it off to another 3rd
| party. This has been possible since the dawn of the internet
| and very common. There is absolutely nothing new here.
|
| The technical workings of how data is collected on websites is
| completely orthogonal to legal doctrine that protects user
| privacy.
| pixeldetracking wrote:
| the "new" thing is that it's been pushed by Google, hence
| made a lot easier
| fxtentacle wrote:
| I'd say when it comes to privacy laws, the EU is actually doing
| better than almost any other countries. Yes, they could be
| faster, but the GDPR is still a big win for users everywhere.
| And a pita for Facebook / Google, which is intentional.
| csunbird wrote:
| Laws are meaningless if they are not enforced. It has been
| more than 3 years and all kind of illegal cookie banners,
| unauthorized processing of the data and data leaks without
| any discourse to the public are still there.
| Cthulhu_ wrote:
| > Since this runs entirely on the domain of the website, it can
| easily ignore your privacy rights.
|
| This is not exactly correct; unless the user consents, they
| still can't transmit this data to any 3rd party. I mean they
| can, but they're not allowed to. I mean they're not allowed to,
| but IF they investigate and IF they find evidence that data is
| shared with third parties and IF they can be arsed to proceed
| with legal action, the company using this technology MIGHT be
| in trouble.
|
| It does work to circumvent ad- and tracking blockers though, if
| they can hide the endpoint and scripts well enough.
| npteljes wrote:
| How is this crazy? Server administrators could have done, and
| have done anything on their side of the code. Nothing changed
| on this front since the invention of the HTTP request.
| nirse wrote:
| Previously GA and GTM would share private data with Google
| but we could at least see requests going out to google, so if
| you had rejected data being shared with 3rd parties or hadn't
| been asked at all (think GDPR) you could see that the website
| was breaking the law. This clever solution from Google hides
| it from us, consumers, so that we will just have to trust
| that if a website doesn't ask if it may share our details
| with Google, or when we tell them not to share data with
| Google, they actually won't do that.
|
| Just to enphasise: for GDPR it really doesn't matter where
| your data is shared with a third party, from the browser or
| server. It's your data so they have to ask your permission to
| share it and otherwise they can't.
| npteljes wrote:
| No we couldn't see the requests, and that's because we
| couldn't see what the backend does, which was always the
| case since the inception of remote procedure calls.
|
| To illustrate my point, here's a Stackoverflow question
| from nearly 10 years ago:
| https://stackoverflow.com/questions/11795477/using-google-
| an...
|
| Whatever trust was ever there, it was false.
| eps wrote:
| What's crazy is how openly anti-individual Google is.
|
| They explicitly and aggressively facilitate practices that
| virtually every single person is against.
| shadowgovt wrote:
| ... in the tech-commentary echo chamber, perhaps.
|
| The outside world is more apathetic than hostile to it.
| cascom wrote:
| It shouldn't be on the todo list of the average user to
| be knowledgeable on this subject, just like the average
| consumer should not have to be an expert in airbags to
| expect the ones installed in their car to work.
| npteljes wrote:
| Absolutely. People don't care about this stuff and
| honestly, I'm not expecting them to, because I don't care
| about much of the world either. But I do care about this
| issue and so, I'd like better regulation so that the
| individuals' privacy is better protected, with the same
| level of them not caring.
| shadowgovt wrote:
| I think there's a huge assumption implied in an analogy
| between airbags and user tracking. Airbags save lives.
| Anti-tracking guards against some hand-wavey
| philosophical concerns regarding privacy (in an
| inconsistent fashion, even... It's hard for me to buy
| that we need to make user-behavior tracking for ad
| targeting illegal in a world where user-purchase tracking
| for credit reporting is legal).
| avgcorrection wrote:
| The motto of some people on this website when it comes to
| unethical behavior in tech seems to "Well, most people
| didn't _actively_ try to stop us..."
| kall wrote:
| Well, it's not the only possible reason (but probably the core
| one).
|
| It will theoretically also improve website performance. I've
| personally seen some bad things injected by GTM. For now, this
| doesn't actually work for the thousands of trackers by flimsy
| adtech companies, so I guess that benefit won't materialise.
|
| I don't think this is really different from what usually
| happens with Segment and pretty much exactly what happens with
| (Cloudflare aquired) Zaraz. I guess the problem is that google
| is doing it and why.
|
| In terms of blocking, isn't it good for you when a website uses
| segment? One script and you're done. For now, this looks like
| the same thing.
| kkjjkgjjgg wrote:
| Is it really worse for the users? Article also mentions
| possible privacy benefits, as Google could prevent transmission
| of some data to third parties.
| niels_bom wrote:
| Believing Google values privacy over profits is a bit naive
| I'd say.
| kkjjkgjjgg wrote:
| Nevertheless it could be strictly better: the new version
| gives the OPTION to share less data, whereas the old
| version does not really give you the option. If you include
| third party scripts, they can just send the information to
| third parties directly.
|
| Google could also be audited and would then have to prove
| that they really didn't share ay data, or whatever.
| pixeldetracking wrote:
| the big difference is that I cannot audit the websites
| using this new version of GTM (and I don't trust
| marketers)
| kkjjkgjjgg wrote:
| This method of the server sharing data with third parties
| was already possible before.
| pixeldetracking wrote:
| Sure, just that Google didn't propose it
| kkjjkgjjgg wrote:
| So far they only propose their server proxy thingie. Is
| it clear what data they intend to share?
| ImPostingOnHN wrote:
| In the old way, site owners who did not want to send data
| to 3rd parties could just NOT insert the "send data to
| 3rd parties" code into their website
|
| Now they still have that option, but users have no
| technical means to determine whether this is happening
| kkjjkgjjgg wrote:
| In the old days, servers could still share data with
| third parties, so in that sense, there never was any way
| to be sure.
| PhantomGremlin wrote:
| _Crazy how evil Google is. Just wow._
|
| Yeah, but there are a lot of employees there who check their
| bank accounts twice a month and say: "Just wow".
|
| Venial evil is easily bought.
|
| Edit:
|
| _As a EU citizen_
|
| I really hate to even say this, but "Crazy Vlad" nearby is what
| true evil is about.
| raspberry1337 wrote:
| >I really hate to even say this, but "Crazy Vlad" nearby is
| what true evil is about.
|
| I would say that systematic evil, evil that is a consequence
| of technology or reality, will always surpass individual
| evil. It's like comparing the horrors of slavery as an
| instituted system compared to one really evil, sadistic
| slave-owner. Or how the native Americas we're to the 90%
| killed by viruses, rather than the evil of greedy conquerors.
| Perhaps you could argue that Putin is a manifestation of an
| evil system as well, but I'd think that if he was replaced by
| a good person tomorrow, the world would be a radically better
| place.
|
| Google is clearly working hard, as an powerful institution,
| to perpetuate the system.
| Cthulhu_ wrote:
| That's the thing here, morals are flexible for most people if
| there's a decent paycheck on the other side. It's another
| reason why politics are so corrupt these days. There's plenty
| of ways to avoid direct corruption, via "campaign funds",
| board of director seats, and lucrative corporate positions
| after a political career - most recently there's Nick Clegg,
| a former UK politician who will now be paid $15 million a
| year and probably bonuses and stocks as well to represent
| Facebook.
| fsflover wrote:
| If you want to support the fight for privacy in EU, consider
| supporting https://edri.org.
| piokoch wrote:
| Things has changed indeed. Modern economy (I mean the one that
| has started somewhere deep in the Middle-ages) which finally
| led to the appearance of capitalism, was built on several
| foundations, one of them was ethics - in the olden days, in the
| times of lack of communication, invoices, the state authority
| that could enforce any law quickly, people had to count on the
| honesty of the others. One merchant had to trust another,
| otherwise no trade would be possible, there were no courts that
| could block dishonest party bank account or take any action to
| prevent fraud.
|
| There were dishonest merchants, sure, but when finally message
| was spread, nobody would trade with them (if they managed to
| stay alive).
|
| In the western world this ethics come from Christianity, those
| who were stealing, cheating, were going to hell - People really
| believed that and were afraid of this. Today for a lot of
| people, and for sure for Google management, this sounds like
| some fairy tale of the Princess Mononoke or Little Red Riding
| Hood type. Nobody (including a lot of Christians) is not scared
| by the devil, hell and all that stuff any more.
|
| Unfortunately, as we see, ethics is still needed. Whatever EU
| does, Google will find the way to circumvent any regulation as
| it happens with GDPR, which is easily bypassed by the maze of
| buttons, 6pt light grey text, etc. And even if Google will be
| forced at some point to close its service officially in Europe
| (escalation that probably will never happen, but I also though
| that probably there will no war in Europe during my lifetime),
| people will use VPN-s, etc. to keep using it, as there is no
| viable alternative (the issue in itself).
|
| It all can stop only if some people in Google would just decide
| that doing X is nasty and that they are abandoning the idea,
| even if income will be smaller next year.
|
| This would be an ethical behavior, but nowadays to be ethical
| company it is cheap - it is sufficient to add to your company
| management board "person of color", person from "oppressed
| minority" (luckily there is so many such minorities to chose
| from so this is not a problem) which costs somewhere around
| $500K per year plus change your company logo to LGBT+ rainbow
| once a year ($100 for an HTML expert to handle this).
|
| Once this is covered, company is ethical in the eyes of the
| public and can use all possible tax avoidance schemes, exploit
| it workers as Amazon does in its warehouses, steal their data
| and use them to create conflicts between people and manipulate
| them like Facebook does. And so on.
|
| As a result Google can do what it wants and nobody will stop
| them. More, people would not even know about this outside
| tech/privacy oriented circles as mass media are living from the
| ads, so this change is actually what they dream of.
| aliher1911 wrote:
| I don't think Google or any other tech company is doing
| something new here. If you look on Enron scandal or shady
| things tobacco companies did or car manufacturing not doing
| recalls etc etc. This isn't that different.
| ImPostingOnHN wrote:
| The benefits and ethics of diversity are unrelated to this
| topic or anything else touched upon by your post
|
| It seems like you're using this topic as a pretext to
| complain about the chip on your shoulder that is opposition
| to any conscious embracing of diversity
|
| Also, you don't have to put "people of color" in quotes,
| they're actually people
| ornornor wrote:
| > privacy rights given to us by law (eg in the EU)
|
| > As a EU citizen, i hope that our ineffectual administration
| at least tries to fight this somehow. Of course, there is
| little hope.
|
| GDPR is thanks to the EU and I wouldn't say it has no effect.
|
| It seems like you're contradicting yourself with these two
| paragraphs.
| CommanderData wrote:
| GDPR has been a massive win for user/consumer rights. Its a
| piece of legislation law makers in the US are trying to
| mimic.
|
| Surprisingly the UK are trying to rid or weaken GDPR
| significantly after brexit.
|
| The only way to fix this problem now is through strong
| legislation.
| wjnc wrote:
| Do we really need more or new legislation if there is still
| ample room for improvement on the enforcement side of GDPR.
| Just a not so far stretch: all or most of the GDPR
| supervisors now think Google Analytics is a no-go. Publish
| this and an intention to fine say 2% of revenue, set an
| expiration date six months ahead and do a EU-tender for a
| scraping facility finding all users of Google Analytics.
| Then in six months, re-scrape and send out the fines. Rinse
| and repeat.
|
| Google Tag Manager could be declared illegal on the outset,
| with a 5 to 10% fine for Google if they continue to offer
| it in the EU. Do a top-down assessment of the usage of
| Google Tag Manager in the largest e-commerce users in
| Europe. Fine them as well. At the end of the day privacy
| enforcement could easily pay for itself.
|
| (Edit: After typing this I think you were writing from a US
| perspective. I think GDPR is a big win as well, but
| enforcement is feeble ;)
| kristofferR wrote:
| > Surprisingly the UK are trying to rid or weaken GDPR
| significantly after brexit.
|
| Isn't that the whole point of brexit - to get rid of
| various EU customer protection laws and regulations?
| mlatu wrote:
| US law makers are trying to mimic GDPR?
|
| are you certain? would be certainly nice, but i dont
| believe there is a majority in the US that would support
| such a change. I mean there are probably more individual
| people interested in doing that than not, but I bet in
| comparison there are more individual $$$ being invested in
| keeping data privacy laws as lax as possible
| kkjjkgjjgg wrote:
| Did it really make the world a better place? Most sites
| collect as much data as ever, but now we need many more
| clicks, and can't have nice things like photos from
| kindergarden parties anymore.
| GreenWatermelon wrote:
| I'm less likely to use a site that offers obnoxious
| cookie consent forms, and I think I'm better off without
| them. so yeah, it made the world better for me.
|
| My anger is directed towards the criminal websites that
| seek to circumvent the spirit of the law (most if the web
| today)
| shadowgovt wrote:
| To my observation, there are no sites with more than a
| dram of content on them that haven't been compelled by
| GDPR compliance to put an obnoxious cookie banner up.
|
| If you've found some, please share.
| denton-scratch wrote:
| If you need to set a cookie for the correct operation of
| your site, then you don't need a cookie banner. The
| banners are a middle-finger to the GDPR.
| shadowgovt wrote:
| ... but "correct operation of your site" is in the eye of
| a judge and can't be evaluated before someone brings
| suit, so "better safe than sorry" behavior (at the cost
| of user time) is completely predictable.
|
| ... It's not even clear that it's safe to log IP
| addresses in the style of a default Apache configuration
| on a static website without user consent.
| denton-scratch wrote:
| > completely predictable
|
| It's completely predictable that there are people who
| don't want to comply. Collecting personal information is
| a lucrative business.
|
| Re. Website logs: in fact it's perfectly clear that a
| website log retained for the purposes of site management
| is fine. It's on the face of the regulation.
| M2Ys4U wrote:
| The GDPR applies to everything outside of purely
| personal/household activities - it's not limited to
| websites.
| kkjjkgjjgg wrote:
| Yes, hence the issue with photographs of events of our
| children.
|
| I'm not convinced yet it is a net positive. For sure it
| increased senseless bureaucracy by a huge margin (not
| just the clicks on web sites, it creates more work in
| other places, too).
|
| The real players collect just as much data as before, but
| private people can't do most basic things anymore.
| ImPostingOnHN wrote:
| I'm not convinced yet that it isn't a net positive, given
| that a lot of what you described is illegal according to
| it, and said illegal behavior is being punished
| kkjjkgjjgg wrote:
| "a lot of what I describe" - you mean big players
| collecting even more data? Not really illegal, you just
| have to get the users to consent somehow. Which most do
| anyway.
| ImPostingOnHN wrote:
| > you mean big players collecting even more data?
|
| No.
| kkjjkgjjgg wrote:
| So taking photographs of your children's life's events?
| Or what are you referring to?
| chickenimprint wrote:
| Is it safe to assume you've never had to deal with those
| downright malevolent dark patterns and button labyrinths,
| designed to make it extremely unlikely for anyone in the
| general population to actually reject tracking?
| boudin wrote:
| Don't blame the lawmaker for the bad behaviour of people
| who are trying to bypass it... If you're on such website,
| you know that the website itself shouldn't be trusted.
| mlatu wrote:
| the laws are teethless if they are not enforced, and
| playing hot potatoe with responsibilities like is the
| case with Max Schrems makes it all laughable.
|
| dont blame the lawmaker for participants bad behaviour?
|
| well, ok. allright.
|
| but i DO blame the responsible authorities for licking
| the misbehaving participants' boots
| krageon wrote:
| > if they are not enforced
|
| Ok, but they _are_ enforced. So this entire line of
| reasoning makes absolutely zero sense. If your demand is
| that every infraction is enforced immediately, then you
| will be disappointed. Such things take time.
|
| > i DO blame the responsible authorities for licking the
| misbehaving participants' boots
|
| There's a single European country that does this
| (Ireland) and it is definitely a stain on an otherwise
| healthy situation in terms of enforcement. It is not fair
| to attribute their willful ignorance in the face of plain
| bribing to the rest of the enforcement agencies.
| fsflover wrote:
| > the laws are teethless if they are not enforced
|
| https://www.enforcementtracker.com/
| dbrgn wrote:
| Enforcing requires court cases and time. That's how law
| works, unfortunately.
|
| Fortunately organizations like NOYB (with Max Schrems)
| are doing exactly this: https://noyb.eu/en/noyb-
| files-422-formal-gdpr-complaints-ner... Once there are a
| few high-profile cases with high fines to set a
| precedent, this hopefully changes the way companies
| handle cookie banners.
| the_other wrote:
| > the laws are teethless if they are not enforced
|
| How many sites have you reported?
| MrYellowP wrote:
| Yes, absolutely blame the lawmaker for making laws which
| are completely detached from how people operate. Yes,
| absolutely, blame lawmakers for making laws that don't
| actually fit reality.
|
| Yes.
|
| Absolutely.
| dtech wrote:
| So what do you propose: "People are working around it so we
| should just give up"? I don't think it's time to admit
| defeat like that.
|
| This can change, but enforcement and courts by nature are
| slow. With EU courts striking down asymptotic consent
| banners as illegal, sites are spooked, and you now see
| sites adding a "reject all" button next to the "accept
| all". I still have hope we get there.
| carlhjerpe wrote:
| Some reject all buttons don't set a cookie/localstorage
| for the rejection meaning the banner will be on every
| page, darkest of patterns!
| simongray wrote:
| There are solutions to most of that, e.g.
| https://chrome.google.com/webstore/detail/consent-o-
| matic/md...
| danuker wrote:
| This is more of a workaround.
|
| A solution to a poliical problem is political, not
| technical.
| emsixteen wrote:
| How is it political?
| danuker wrote:
| The decision to force service providers collect consent
| from their own users is a political decision.
|
| And a fundamentally bad one: providers' incentive is to
| make it easy to get consent and hard to refuse.
|
| I don't know what policy is better than this, but right
| now, we only get more annoyance without any benefits in
| privacy. Pretty much every page I've visited issues 3rd
| party requests before I consent to data sharing.
| mlatu wrote:
| i would call it societal; society still needs to grasp in
| what way they are being exploited. it's still not clear
| to most people
| KronisLV wrote:
| Those are (nice) solutions to a problem that shouldn't be
| allowed to (legally) exist. The industry shouldn't be
| allowed to play clever with the ways to coerce their
| users into giving up their information just because they
| know that most of those users are not interested in
| navigating difficult dialogs.
| black_puppydog wrote:
| They shouldn't be allowed, and they aren't allowed.
| Actually the new digital services act [0] is shaping up
| to clarify these, but IIRC there have also been first
| cases decided in courts.
|
| [0]: https://edri.org/our-work/the-eu-parliament-takes-
| strong-sta...
| friendzis wrote:
| This particular behavior is actually illegal. GDPR
| [Recital 32] clearly states that "Consent should be given
| by a clear affirmative act <...> Silence, pre-ticked
| boxes or inactivity should not therefore constitute
| consent."
|
| [Recital 32]: https://gdpr-info.eu/recitals/no-32/
| ohgodplsno wrote:
| Those patterns are more and more being punished by GDPR
| enforcement. Companies may try playing around the letter of
| the law, but Europe runs pretty solidly on the spirit of
| the law. See events like these:
| https://www.iccl.ie/news/gdpr-enforcer-rules-that-iab-
| europe...
| zxcvbn4038 wrote:
| And American companies are absolutely dumbfounded when
| they try to play the "misplaced comma" card in the EU and
| they still get slapped down. It is a very American
| attitude -- I always wondered what ST:TNG would have been
| like if Picard wasn't always able to save the day by
| invoking some obscure sub paragraph of some obscure
| treaty. Note to Elon that if he launches lawyers into
| space it doesn't kill them, he just ends up with a lot of
| lawyers in space.
|
| https://en.m.wikipedia.org/wiki/The_Ensigns_of_Command
|
| The other aspect of EU law that always gets US companies
| is that penalties are large enough to actually be
| penalizing. In the US companies can basically ignore the
| law until they get caught, pay a token $100,000 or
| $1,000,000 fine (which sounds impressive in all the
| papers), then invent a new interpretation of the law and
| go do it again. In the EU the regulators start looking at
| percentages of income during the entire time the illegal
| activity occurred, so again the US companies are caught
| completely off guard when they get asked to forfeit
| billions of dollars.
| efdee wrote:
| In my experience, almost all of those consent popups work
| the same way. On the first popup, press the button that
| doesn't say they can just use all cookies. On the second
| popup, press the button that says it saves your
| preferences.
| ornornor wrote:
| Couldn't be further from reality.
| formerly_proven wrote:
| I some cases the "people do illegal things regardless"
| argument can hold some water, but that's not the case for
| the GDPR, which is worded very clearly and hence it's
| really obvious that this kind of thing violates it.
|
| Most of these banners violate the GDPR even before they're
| showing up, because the GDPR actually restricts your
| ability to embed non-first-party content without consent.
| That's why Google Fonts violates the GDPR, for example.
| Arguably every vanilla Wordpress install violates the GDPR
| because Wordpress embeds something from s.w.org on every
| page (presumably for install count / analytics reasons).
|
| This kinda sounds like a bad thing but it's not. It's
| actually a huge boon, because it's an excellent legal
| excuse to get rid of embedding stuff from 213789 origins
| and CDNs, which only has negative performance effects since
| caches have been origin-segregated for years, meaning that
| even if another page uses the same jQuery version from
| cdnjs, it will be downloaded again anyway.
| shadowgovt wrote:
| > which is worded very clearly
|
| Hard disagree. I've been racking my brain as of late
| trying to decide if default apache access logs violate
| the GDPR, and stackexchange searches on the topic seem to
| confirm the confusion.
|
| If the legality of data collection hinges on what is
| considered necessary for service maintenance in the eye
| of a judge, the law is not clear.
| formerly_proven wrote:
| You can keep such logs under article 6.1.f if the
| retention period is 30 days or less (causing self-
| fulfillment of article 17) or indefinitely if you
| remove/anonymize PII from them. Of course article 17.3
| gives you an exemption for various purposes, e.g. if you
| had a breach you don't need to delete the logs from that
| period while investigating it.
| shadowgovt wrote:
| I fail to see how a 30-day or fewer retention policy
| impinges on article 17 one way or the other, nor do I see
| how article 6.1 gives any protection on the topic of the
| default Apache HTTP access logs (which include IP
| addresses).
| MrYellowP wrote:
| You think the GDPR is a good idea? Wow, mate, that's quite
| the detachment from reality.
|
| In _reality_ , GDPR is pure nonsense. It's a serious burden
| for anyone putting up a site. Any site. They all have
| cookies. All of them. It is so bad, there are now services
| taking care of this, because it's so much of a bullshit that
| people need to rely on others to get it right.
|
| You'll probably spin this as a net win, right? Because more
| businesses, right? Right??
|
| The odds of 99% of the people not simply clicking "accept
| all" are slim to none and anyone insisting otherwise would
| make himself look like a moron. It's like you're assuming the
| masses out there are actually _thinking_ about things.
|
| They don't! It's not how people work! They just click it away
| and are done with it, because _it 's super fucking annoying
| to constantly click that bullshit away_ and it does literally
| _nothing_ for us people, no matter how much anyone would want
| to insist that it does, theoretically, do benefit us.
|
| The GDPR is pure nonsense. It is not made for the people. It
| in fact completely _ignores_ how people operate.
| sunaurus wrote:
| It seems you're not fully clear on what GDPR is. You could
| check this page for more info: https://gdpr.eu/what-is-
| gdpr/
|
| Just as a very brief note: it's not really about cookies,
| it's more about how companies should store data about
| people and what kind of rights people have concerning that
| data.
| alkonaut wrote:
| If the standard deployment will be a separate IP in the same
| range (Google cloud) which is also bound to a subdomain of the
| site I'm viewing, isn't that an easily identifiable situation?
| Couldn't blockers like unlock just block the subdomain.site.com
| for every site.com? Or even block all subdomain calls to Google
| hosts?
| bamboozled wrote:
| It's a good point, those endpoints can't change forever.
| Ultimately there will be solutions to detect and prevent this
| tracking just like whatever exists today.
| EGreg wrote:
| Does this involve a CNAME on a subdomain? If not, how do they
| track people across domains?
| philliphaydon wrote:
| So if the script comes from the owners site instead of Google.
| And all the rest requests are proxied via the owners site. Would
| this not result in people forking a browser that looks at http
| requests before they are packaged and issued to remove tracking
| data or block the request?
| bgdam wrote:
| And how do you differentiate between a request that is sending
| over tracking data and a request that is sending over data
| required to fetch the page you requested?
| tgv wrote:
| It would seem easier to identify data patterns than script
| content. After all, tracking is only useful if the data is
| consistent.
| varenc wrote:
| Apple and Firefox brought this on by killing 3rd party cookies.
|
| The reason why client send requests to the 3rd party domain
| directly is that the cookies attached to that domain are sent and
| which can track you better! With a server-side request there's no
| way to use that cookie info.
|
| But browsers increasingly limit 3rd party cookies. With 3rd party
| cookies becoming useless for tracking there's far less to lose by
| moving all these analytics calls to the server side.
| wmeredith wrote:
| > Apple and Firefox brought this on by killing 3rd party
| cookies.
|
| And the ad networks-like Google-brought _that_ on by their
| user-hostile data collection practices.
| phkamp wrote:
| A great example of "surveillance too cheap to meter"
|
| https://queue.acm.org/detail.cfm?id=3511661
| teddyh wrote:
| Discussed here a week ago:
| https://news.ycombinator.com/item?id=30326027
| samwillis wrote:
| I run a B2C e-commerce business, and want to offer a little
| insight into this from the other side.
|
| Advertising online has changes a lot over the last ten years, I
| don't believe advertisers are particularly happy about it.
|
| On Google we almost exclusively just to search result page
| advertising, very little display network and re-marketing. My
| comment here is about search result place adverts, with is where
| Google started and why they are so successful.
|
| As an advertiser search result page as arising is amazing, you
| are paying to get you product in front of people you pretty sure
| are already looking for it or something like it. When it works
| it's magic.
|
| Ten years ago when we stated it was super simple, you would bid
| individually on keywords that people are searching for, and the
| tracking on your site was only about attributing advert clicks to
| conversions for reporting. There was no (or very little) data
| mining and profile building, at least from my perspective as an
| advertiser.
|
| Then came the "shopping ads", you upload a list of your products
| and google decided when to show them with their magical ML/AI. As
| an advertiser you could only use "negative keywords" . Gone was
| the ability to control properly when your ad was shown.
|
| The latest is "smart shopping ads", it's a great big magic black
| box, and all advertisers are bing agreeably pushed towards it,
| all calls with google advisors are basically sales calls push it
| on you. Advertisers have basically no control of when their ad is
| shown, it's all down to AI/ML. They have also folded the display
| network and re-marketing into this, you can't turn that bit off.
|
| I am pretty sure the old keyword bidding is on its way out will
| not be available in a few years.
|
| In order for all these new ML based advertising work we have to
| send google a lot of data, there is no option. They know
| everything about your business, all revenue numbers, they no
| exactly how much every business that uses their advertising is
| making. The level of "spying" on advertisers is frankly amazing,
| I wish it wasn't necessary, just as I wish I wasn't being spied
| on as a user.
|
| Google have made a rot for their own back, they need this data
| for the ads to work and advertisers have no choice. I believe
| part of the problem is that the old style keyword bugging relied
| on advertisers being able to see what peoples search terms were,
| due to GDPR I think this is no longer possible and so they have
| to go the ML route.
|
| I long for going back to super simple search ads with just simple
| attribution.
| octoberfranklin wrote:
| Folks, this stuff only works because of browser fingerprinting.
|
| Google couldn't do this before, because letting the ad-displaying
| website sit between them and the user meant the websites could
| defraud google like crazy.
|
| This idea isn't new. What's new is that browser fingerprinting
| got good enough that google can catch fraudful customers by
| sending fingerprinting scripts through their proxy and watching
| what comes back.
| jmyeet wrote:
| There is one positive here: if this is widely adopted it means
| less third-party JS libraries run on your browser. That's better
| for speed and security. Frankly, Google is probably better at
| avoiding and fixing vulnerabilities than [insert third party ad
| network here] is.
|
| Plus, as noted, Google will restrict what data is transmitted to
| third parties like IP address. That's a positive. Fear of
| regulators is more likely to keep Google in line than it is to
| some basement operation in Serbia.
|
| I actually wonder if third party ad networks want to give up
| their power to Google in this way. It wouldn't surprise me if
| they don't.
|
| As for the negative... I think the reality is it won't be as
| negative as people make it out to be. Why? Imagine if this is
| widely deployed. It creates a single call for all tracking so the
| adblockers just have to focus on that finding and blocking that
| call. The article claims this will be difficult. It will be
| harder but there'll be more incentive.
|
| Next, a question: I don't know the ins and outs of GDPR and
| similar legislation well enough, but doesn't this put Google on
| the hook for data collection and transmission of that data to
| third party sites by virtue of them running these "proxies"?
|
| Lastly, in general I don't really care if websites run A/B tests.
| They do this anyway and it's done serverside all the time as is.
| So that part of this isn't really a big deal.
|
| Ad blocking is and will continue to be an arms race with
| advertisers. This feels like business as usual, honestly.
| FateOfNations wrote:
| The proxy is by default running in App Engine under the
| responsibility and control of the website owner, so I'd presume
| it would be handled the same as any other PaaS or IaaS service
| a company uses. The data sent Google products, like Analytics,
| via the proxy would still be subject to GDPR as it would if
| sent directly from the client.
|
| Note that they do give website operators the option of running
| the proxy in their own environment, it's made available as a
| Docker image.
| tyler33 wrote:
| maybe we need better adblockers now, maybe check a hash of
| javascript files (instead of domain and name) or maybe even
| something with AI
| pixeldetracking wrote:
| I'm the author, good to see this on HN, raising awareness on the
| topic
|
| I don't know who made the translation and when it was made, but
| the original article in french
| (https://pixeldetracking.com/fr/google-tag-manager-server-sid...)
| contains more information on recent GTM "improvements"): mainly
| on how you can easily change JS library names and detailed
| instructions on how to host your container in other clouds or
| self-host
| gildas wrote:
| > I don't know who made the translation and when it was made
|
| This page was saved with SingleFile (I'm the author of
| SingleFile). Therefore, I can tell you that this page was
| produced on Tue Dec 08 2020.
| easrng wrote:
| Thank you for making SingleFile, it's been an absolute
| lifesaver in a project I'm working on. I was having a lot of
| trouble trying to manually save pages with puppeteer but the
| singlefile CLI worked perfectly, even with added extensions.
| (To get extensions to work I had to add --browser-
| headless=false --browser-args ["--enable-
| features=UseOzonePlatform", "--ozone-platform=headless", "--
| disable-extensions-except=/path/to/extension", "--load-
| extension=/path/to/extension"] )
| gildas wrote:
| Thanks for the feedback! It's very timely, I just have an
| issue that discusses the problem of sideloaded extensions
| (and profile data).
| samstave wrote:
| Uhm, can you pack all those options in a simple "--E" or
| somesuch...
| samstave wrote:
| Gawd I love HN you beautiful bastards.
| pixeldetracking wrote:
| thanks for the info! maybe it's Jerry:
| https://info.woolyss.com/
| urthor wrote:
| All this is doing is redirecting _data you already submitted to a
| website_ to Google?
|
| I don't see any of this as particularly new or revolutionary.
| Except the implementation, user data was already being hoovered
| up.
|
| Now it's just pipelined better.
|
| if you were worried about your data, you have to stop submitting
| the data to websites. Period.
| buro9 wrote:
| > As we have seen, Google does not explain (
| https://developers.google.com/tag-manager/serverside/custom-... )
| the reason for creating a subdomain of the website for its
| "proxy" server:
|
| > > The default server-side tagging deployment is hosted on an
| App Engine domain. We recommend that you modify the deployment to
| use a subdomain of your website instead.
|
| The reason is simple: it creates a denial of service attack on
| DNS block lists used by things like Pi-Hole and NextDNS. Sure,
| Google knows that some of the subdomains will be blocked for some
| block lists... but the vast majority won't be blocked on the vast
| majority of block lists.
| southerntofu wrote:
| Looks like the only sane thing to do is to block routes to
| GAFAM AS directly on your router instead of relying on DNS
| tricks. I knew people doing that over ten years ago and i
| thought they were kind of crazy, but in retrospect they were
| right all along.
|
| What if your website is hosted by Google Cloud Engine or AWS,
| should we block it? I certainly would. Please find a decent
| host that does not use their customers as human shield/leverage
| to engage in criminal conspiracies against privacy.
| hwers wrote:
| Blocking all GCP and AWS hosted sites is about as effective
| as turning off all javascript. It reduces the usable set of
| sites on the web to basically worthlessness.
| contravariant wrote:
| Gorhill managed to get uBlock to block CNAME masked domains,
| so surely this wouldn't be _that_ out of reach for an
| adblocker?
|
| Good luck getting this to work in google chrome though.
| brobinson wrote:
| Maybe this will drive people back to Firefox? It's a
| perfect opportunity for Mozilla to do a marketing drive...
| oh, wait, they are busy partnering with Facebook (er, Meta)
| to do advertising stuff. Sigh.
| ersii wrote:
| Don't forget force-installing addons like Pocket as a
| service.. and.. Disney.
| selfhoster69 wrote:
| A cron job on the network gateway that creates iptables rules
| to drop connections to x IPs sounds like a good plan.
| technion wrote:
| Note that the Google announcement in question was August 2020.
| This didn't seem to make any significant changes to the ad-block
| space when it rolled out, and pretty much every site is still
| running the Javascript frontend.
| terrycody wrote:
| Sorry I can't understand the article, but does server side
| Google tag manager already out?
| rootusrootus wrote:
| If I am reading it right, the article is saying about 1/3 of
| all web sites on the Internet already use GTM.
| matt_heimer wrote:
| Using Google Tag Manager doesn't mean you are using the
| server-side tagging. You have to configure it in your
| account. It is something you have to pay for. If you read
| the instructions on https://developers.google.com/tag-
| platform/tag-manager/serve... you have to have GCP billing
| setup to pay for the App Engine instance running the
| server-side tagging proxy.
| terrycody wrote:
| thx for the explaination, btw, do you think server side
| GTM can let Adsense bypass the adblocker, since it is
| what claimed in the article. Though after Googled a bit,
| I can't find a single article/video about this.
| matt_heimer wrote:
| Somewhat. Some of the tracking protections center around
| 1st party vs 3rd party. If the site owner takes the time
| to configure the DNS records for this server-side proxy
| then the page is only communicating with 1st party
| domains so that protection is gone.
|
| Next, ad blocker components often target various parts of
| the URL. By hosting on your own domain the domain name
| matching patterns that would be used for blocking no
| longer apply. But the ad blockers can also use just the
| path or file name portion of the URL to block on.
|
| Easylist has a set of lists that are commonly used by ad
| blockers such as UBlock Origin. The tracking/privacy
| centric list is
| https://easylist.to/easylist/easyprivacy.txt which I'm
| using in UBlock Origin. If you look at it there are lines
| like '/gtag.js' which might match on the name of the
| JavaScript file and still block it.
|
| Of course site owners might change the name of their
| script files to a non-default name making it harder to
| detect.
|
| The next step in the arms race would be having more
| dynamic names for the files and URLs. You could rotate
| the names of the scripts and endpoints automatically at
| which point the adblockers would have to preform content
| inspection or some other strategy which is more resource
| intensive.
| technion wrote:
| Yes it's been out for quite some time.
|
| It's also requires running a proxy as a GCP application, so
| people running GTM largely because it's free/cheap aren't
| going to go along with this.
| thrwawy283 wrote:
| I think it's going to be important to recognize and block
| javascript/wasm by the bytecode it compiles down to. As far as I
| know we don't have this ability to "jump into" the process.
| ublock or umatrix can't be extended to do this currently. You
| could send the scripts the browser downloads to an outside
| service for fingerprinting, but doing this in the same browser
| isn't possible right now.
|
| This wouldn't completely stop a server from generating code that
| compiles to slightly different bytecode. Then the move would be
| to identify side effects of the execution?
|
| Cat and mouse...
| ghoomketu wrote:
| Pretty sure a big ban hammer is coming for Google with all such
| shenanigans, especially in trigger happy places like Europe and
| India who don't like their citizens tracked and are happy to
| create legislative bans.
|
| So you may win the cat and mouse adblock game but what are you
| gonna do when countries start making it illegal to use GA? (1)
|
| (1)
| https://www.forbes.com/sites/emmawoollacott/2022/02/10/frenc...?
| dartharva wrote:
| I'd wish so too but I don't see much that can happen in this
| context.
| ignoramous wrote:
| > _India who don 't like their citizens tracked..._
|
| Pretty sure the Indian govt bullied everyone into getting an
| Aadhar. The quintessential tracking device.
| aliswe wrote:
| It's a _government_.
| ulrikrasmussen wrote:
| I can't wait for this to happen. Personally I think we just
| need to ban all targeted advertising based on viewer profiles,
| even session data such as IP and geo-location. This in turn
| should severely limit or destroy business models based on
| optimizing for engagement, as non-paying users are no longer
| profitable. It's going to cost a lot of people in ad-tech their
| jobs, but there is no shortage of demand for IT work, so surely
| they'll find something else to do.
| zelphirkalt wrote:
| We also need to include hefty fines for handling data to
| Google and their ilk behind the back of users. It is
| required, but not sufficient to ban businesses like ad and
| spy business of Google.
| pmoriarty wrote:
| _" I think we just need to ban all targeted advertising based
| on viewer profiles, even session data such as IP and geo-
| location"_
|
| I'd go further and ban all unsolicited advertising.
| ouid wrote:
| I don't hear these words enough :(.
| drusepth wrote:
| In $current_year, I kind of want to go even further and
| just ban the Internet.
| eitland wrote:
| Not all ads are created equal:
|
| The other day I learned from an ad that my favorite 6 year
| old Bergans jacket can be repaired at a shop next to where
| I work for a price that is next to nothing.
| eterevsky wrote:
| It doesn't sound like this technology interferes with the main
| purpose of adblockers: blocking ads. As long as I don't see any
| ads, I don't see why I should care how the website tracks my
| behavior.
| malka wrote:
| well, it is finally time to disable javascript in my browser once
| and for all.
|
| Good riddance to the 99.99% of the internet that rely on it. It
| is shit anyway.
| gigel82 wrote:
| God damn... this is it, this is the end-game. There's no way to
| fight this unless you customize and maintain blocking scripts for
| each individual website.
|
| Yes, websites could always have done this, but the REST (CDN-
| bypassing) requests' cost and the manual maintenance for the
| telemetry endpoints and storage was an impediment that Google
| just gives them a drop-in solution for :(
|
| I think Google is happy to eat some of the cost for the "proxy"
| server given the abundance of data they'll be gobbling up (not
| just each request's query string and users' IP address but -being
| a subdomain- all the 1st party cookies as well). I don't have the
| time or energy to block JavaScript and/or manually inspect each
| domain's requests to figure out if they use server-side tracking
| or not.
|
| I honestly don't know if there's any solution to this at all.
| Maybe using an archive.is-like service that renders the static
| page (as an image at the extreme), or a Tor-like service and
| randomizes one's IP address and browser fingerprint.
| KoftaBob wrote:
| Wouldn't a script blocker like NoScript or uMatrix take care of
| this?
| mixedbit wrote:
| There is a hope this can be blocked with adblockers inspecting
| payload of requests and blocking based on some generic
| properties that could be always present in Google Tag Manager
| requests to proxies. Unless this mechanism has some dedicated
| Chrome-level support that would disallow inspecting or blocking
| these requests.
| xyzal wrote:
| I think modifying some fingerprintable apis to give
| faked/altered results could be enough, given the global
| fingerprint is a product of all partial fingerprints. Some
| extensions already implement that, eg.
| https://github.com/kkapsner/CanvasBlocker/
| whalesalad wrote:
| Just block Google tag manager itself. Gets two birds stoned at
| the same time.
| chrisseaton wrote:
| How would you do that? Isn't it the server that talks to
| Google Tag Manager, not the browser?
| whalesalad wrote:
| Google tag manager in my experience is a script executed by
| the browser. Then it installs itself in the page and
| performs the inner payload of user script insertions. It's
| a Trojan horse, really. You can block Google tag manager's
| embed scripts. I wasn't aware of a backend integration but
| it's certainly possible.
|
| Regardless, I use a DNS based ad blocker (pihole) and it
| takes care of all this stuff. I occasionally need to turn
| it off or whitelist domains (like Google tag manager) for
| client work, but normally I have it blocked.
| HWR_14 wrote:
| The point is that DNS ad blocking is being worked around
| with this new system, because it looks like part of the
| site you're on. Also, that google is encouraging
| modifying the JS to prevent automated tools from blocking
| the javascript.
| chrisseaton wrote:
| > Google tag manager in my experience is a script
| executed by the browser.
|
| Isn't the whole point of this new change that it runs
| server-side, using a proxy that you install on the
| website so it uses the same domain?
|
| > Regardless, I use a DNS based ad blocker
|
| But it's the same domain name isn't it?
| lmkg wrote:
| A Server-Side GTM container _compliments_ a client-side
| container, it does not fully replace it.
|
| Some processing happens on the server, but event data
| must still be sent to the server-side container first.
| For now, the "standard" deployment of a server-side is
| that it receives hits directly from the browser,
| orchestrated by a traditional client-side container. So
| the client-side script is still there, just less bloated.
|
| The server-side container has built-in facilities for
| serving up the client-side container script. Meaning that
| domain-name blocking will not prevent this. DNS-based
| also has some issues: Server-Side Containers run in App
| Engine, blocking them basically means blocking anything
| running on GCP.
| pixeldetracking wrote:
| and you can host the container:
| https://developers.google.com/tag-platform/tag-
| manager/serve...
| x0x0 wrote:
| Current GTM, configured (via the server UI) to inject
| tracker X:
|
| gtm javascript loads, pulls down the config, injects
| tracker X javascript into the browser
|
| new gtm:
|
| gtm javascript loads, pulls down config, streams events
| to google servers to fan out to tracker X as configured
|
| So blocking gtm.js off tagmanager.google.com /
| www.googletagmanager.com / the various other domains
| still blocks all gtm injected tags.
|
| The tl;dr is they're become much closer to segment --
| which does the data fanout internally to segment. But
| they should still be straightforward to block.
| volderette wrote:
| This is not how GTM server side works. There is not a
| single call to Google domains from the client, when GTM
| server side is set up to its fullest. The config (gtm.js)
| will be loaded from my subdomain and not
| googletagmanager.com. Also gtm.js can be renamed.
| x0x0 wrote:
| Per the docs here [1], that is not true. You continue to
| load gtag.js off the googletagmanager.com domain;
| subsequent events can flow to a custom domain.
|
| [1] https://developers.google.com/tag-platform/tag-
| manager/serve...
| xigoi wrote:
| Couldn't you still recognize the script by its content?
| ComodoHacker wrote:
| Not with dynamic obfuscation.
| freedomben wrote:
| No because the script contents can change from site to
| site. Maintaining an index for every site would get you
| closer, but individual sites can trivially tweak things
| to break fingerprinting as often as they want. Even on
| every request.
| shafyy wrote:
| Exactly, this is already done for tracking scripts, since
| it's commong to use proxies to load tracking scripts.
| seandoe wrote:
| You missed the same domain part. How are you going to
| block a request when you don't know the url?
| shafyy wrote:
| You check the loaded script itself to see if it matches
| an expected pattern.
| romeoblade wrote:
| You missed the part where they recommend changing the
| script's name as well, add in changing a few
| variable/function names in the script and even matching
| the hash of the script itself would be useless. On top of
| them recommending using a sub domain with an A/AAAA
| record so its first party.
| Ajedi32 wrote:
| Worst-case you parse the script and block it if the AST
| is too similar.
|
| There are a million ways to detect and block this sort of
| thing when you control the client. Yes, it's harder than
| just blackholing a whole domain, but it's hardly
| impossible.
| pixeldetracking wrote:
| yes, french article is updated, but this english
| translation is quite old here it is:
| https://www.simoahava.com/analytics/custom-gtm-loader-
| server...
| Saris wrote:
| Just block the GTM js from loading, it'll stop it easily.
| HWR_14 wrote:
| Block the code that they suggest changing the name,
| domain, and function signatures of? How?
| inlined wrote:
| If the loops, if statements, and block scopes are similar
| then the graph can be fuzzily identified. They've had
| anti-plagiarism software for years.
| HWR_14 wrote:
| Can you point me to some anti-plagiarism software?
| Because this doesn't sound like it will work at a non-
| trivial level.
| Deukhoofd wrote:
| Annoyingly that would still require downloading them,
| which I'd definitely prefer not to. It's bloat that
| serves me no purpose.
| inlined wrote:
| For popular sites a backlist could be formed after the
| first person downloads it.
| seandoe wrote:
| The big change they are suggesting is that the gtm code
| is no longer accessed via a predictable Google domain,
| rather it is requested through a subdomain of the parent
| site.
| pixeldetracking wrote:
| yes, custom names for loader:
| https://www.simoahava.com/analytics/custom-gtm-loader-
| server... and even hosted on your own infra:
| https://developers.google.com/tag-platform/tag-
| manager/serve...
| Saris wrote:
| uBlock already blocks stuff like Plausible analytics
| based on what's in the code, even if it runs on the
| parent site. Would this be any different?
| propogandist wrote:
| use uMatrix or uBlock and block individual domains
|
| https://github.com/gorhill/uMatrix
| gaius_baltar wrote:
| Proud uMatrix user here. Sadly, just noticed that the
| repo is now archived and I don't know if it will be
| maintained. Could not find any fork either.
|
| I'll miss this extension.
| GekkePrutser wrote:
| I liked this a lot but I don't see how someone without a
| computer science degree will use it successfully..
|
| I think this is why Raymond gave up on it.. I think for
| the masses his time is better spent on uBlock Origin.
| propogandist wrote:
| It requires some effort to get oriented, but the
| granularity of control is fantastic. There is no
| competition.
|
| Although the dev gave up on it, he's open to someone
| picking it up (if there are any brave souls on HN)
|
| https://old.reddit.com/r/uBlockOrigin/comments/i240ds/req
| ues...
| tremon wrote:
| eMatrix is a fork maintained for Pale Moon:
| https://gitlab.com/vannilla/ematrix
| Arnavion wrote:
| You have the features of uMatrix with uBlock Origin's
| static rules. You just have to write them by hand instead
| of the convenient table UI.
|
| https://news.ycombinator.com/item?id=26284124
|
| The only thing that uBO doesn't support is controlling
| cookie access, so I still use uM for that.
| Semaphor wrote:
| > You just have to write them by hand instead of the
| convenient table UI.
|
| That's a pretty big "just", though. Very few sites work
| without fiddling with rules, having to do manual text
| entry every time would push me towards not using it.
|
| The UI of uMatrix is generally far superior to the
| mobile-friendly, simplified one of uBo.
| Arnavion wrote:
| >That's a pretty big "just", though.
|
| It is, but for me the pros outweigh the cons. In
| particular, even with uM I often ended up editing the
| rules by hand because it was easier to copy-paste and
| turn on and off rules for experimenting, but uM would
| forcibly resort the rules on save which made that
| annoying.
|
| >Very few sites work without fiddling with rules,
|
| The only sites I fiddle with the rules of are the ones I
| visit regularly, which is not many. Over the 1.5 years
| that I've been using this method, I've only got 75 "web
| properties" in my list (github.com, github.io and
| githubusercontent.com count as one "GitHub" web property;
| so the number of domains is a bit higher). Going by git
| history, I do have to fiddle with one or more rules once
| a month on average.
|
| For other sites, either they work well enough with
| default settings, or I give up and close them, or if I
| really need to know what they say I use a different
| browser. For this other browser I never log in to
| anything, and have it configured to delete all history by
| default on exit. (I've been pondering making this an
| X-forwarded browser running on a different source IP, but
| haven't bothered.)
|
| >The UI of uMatrix is generally far superior to the
| mobile-friendly, simplified one of uBo.
|
| To be clear, editing the rules does not use the "mobile-
| friendly, simplified" uBO UI. It refers to the giant text
| field you see in the uBO "Dashboard", specifically the
| "My filters" tab.
|
| But yes, it'd be the best of all worlds if uBO gains the
| table UI as an alternative to the filters textfield. I
| imagine the problem is that static filters are
| technically much more powerful than what the uM-style
| rules do, so it'd require inventing a third kind of rule,
| which isn't great.
| Semaphor wrote:
| I have almost 7000 rules for a 260kb file ;)
| youngtaff wrote:
| Yup, overwrite its API on the page
| downrightmike wrote:
| The greatest minds of a few generations really should think
| about not being evil.
| cavisne wrote:
| You still pay for the app engine requests. This whole product
| is just a hash script that configures the proxy for you.
| [deleted]
| ignoramous wrote:
| I co-develop an open source firewall for Android, which most of
| our users use for ad-blocking purposes.
|
| The community has known about server-side collection for quite
| sometime now. You could run Google Analytics on any of the
| serverless environments since a year or two ago (I noted this
| on news.yc a year back [0][1]). Tag Manager server-side is
| Google throwing its own solution in to the mix.
|
| DNS based content blocking was always DoA, there simply are too
| many chinks in the armour besides CNAME or HTTPS/SVCB or SRV or
| ALIAS record cloaking [2]. The worst I've seen reported to me
| by users is a tracker generating domains names on-the-fly
| (domain generation algorithms) and A/AAAA records pointing to
| different IP addresses each time [3].
|
| That said, a firewall can still mitigate this offensive, while
| network security with just DNS was always going to be what it
| was: A stop-gap.
|
| This isn't the end-game: I fully expect that IP address
| blocklists would crop up in no time, and will be painfully
| maintained by folks pouring their life in to it.
|
| TFA points that Google's reverse-cloaking presumably with IP
| addresses, but the worse would be if multiple domains shared IP
| addresses (like in a CDN), reverse-cloaked with _Server Name
| Identification_. Even firewalls would have to blanket block
| IPs... and what if those IPs are shared with other Google
| front-ends like the AMP project / YouTube / Mail / Docs?
|
| The firewalls would also have trouble with something like _Ao1_
| [4]: If multiple websites were behind multiple IPs, or in the
| extreme, a single IP.
|
| The firewall is bust, but that's good, now we simply de-Google
| / de-Cloudflare ourselves, and be luddites like they want us to
| be.
|
| [0] https://news.ycombinator.com/item?id=26003654
|
| [1] https://news.ycombinator.com/item?id=25169029
|
| [2] https://news.ycombinator.com/item?id=26298339
|
| [3] Ex:
| https://www.reddit.com/r/uBlockOrigin/comments/srza8x/changi...
|
| [4] https://nitter.net/rethinkdns/status/1448738898998292495
| culi wrote:
| I really don't know much about this space, but do you think
| server-side tagging could be more or less susceptible to user
| resistance attacks like what Adnausium[0] does? Can we spam
| them into futility?
|
| [0] https://adnauseam.io/
| ignoramous wrote:
| Adnauseam's offensive tactics can still confuse these
| server-side implementations. That said, if Google et al
| figure a way out to defeat it, pretty sure they'd not be
| blogging or talking about it, at all, for us to know.
| culi wrote:
| Ah, good point. Thanks for the response
| foxfluff wrote:
| > This isn't the end-game: I fully expect that IP address
| blocklists would crop up in no time, and will be painfully
| maintained by folks pouring their life in to it.
|
| Proxy can be hosted on the same server as the site itself. In
| that case this simply becomes a blocklist of naughty
| websites. Someone still needs to do the hard work of figuring
| out which sites are naughty.
| booleandilemma wrote:
| Simpler protocols (Gemini, Gopher...), outright refusing to use
| what the modern web has become. I only use HN and a few select
| sites. You don't need an ad-blocker if there are no ads in the
| first place.
| ReactiveJelly wrote:
| Using Gemini as an allowlist doesn't seem any better than
| allowlisting known-good domains for HTTPS sites
| EE84M3i wrote:
| HN is a link aggregator for HTTP(s) links. How do you read
| them?
| aenis wrote:
| Not sure about the parent poster, but I am here mostly for
| the comments, and rarely visit the linked content.
| ComodoHacker wrote:
| Doesn't exactly this behavior create echo chambers and
| lead to polarization?
| PhantomGremlin wrote:
| I usually do read the linked content but I agree with GP
| poster that comments are often more informative.
|
| Yes there is sometimes an echo chamber here, but it's
| only for limited topics. It very much has a Silicon
| Valley feel to it, but @dang and I have gone around on
| this and he assures us that the readership and comments
| have broad geographic representation.[1] It's a worldwide
| echo chamber. :)
|
| Fortunately the echo chamber doesn't exist for most
| submissions. Most of the discussion on HN is on non-
| polarizing topics.
|
| [1] https://news.ycombinator.com/item?id=26869902
| thinkingemote wrote:
| The time of the day is reflective of broad geography,
| generally.
|
| So some UK or EU specific topics will appear, be
| commented upon but then disappear later in the day.
|
| It would be interesting to see what kind of topics are
| commented on from different places.
| tremon wrote:
| Which behaviour would that be? The "reading only the
| comments, not the article"? I don't see how reading
| creates an echo chamber.
|
| What creates an echo chamber is if all the posts are
| similar or otherwise in agreement with each other. Those
| threads make for boring reading and I tend to only scan
| them for less boring content (yes, that means I read the
| context surrounding greyed-out comments more than the
| rest). The threads where people discuss various aspects
| and experiences is what I come here for.
|
| (full disclosure, I mostly read the comments before even
| opening the article. I only read the article if there's a
| high-quality comment thread about some details in the
| article, or if multiple commenters state that it's a
| great article. And I tend to upvote an article based on
| the quality of the comments, not just the article
| itself).
| marcosdumay wrote:
| Nope. The end-game is adding the data collection into the
| backend frameworks so the user does not have to execute
| javascript at all.
|
| But this is pretty close to it. I hope Google and anybody
| collaborating with them get severely punished.
| krsdcbl wrote:
| I think there was never the possibility to "out-tech" tracking
| solutions in the first place. You simply cannot plug every hole
| imaginable that will be discovered, and still serve your
| service on a network.
|
| The only remedy is strict legislation and judicial recourse
| against companies that do try to cheese it.
|
| Just like you cannot possibly implement real world security and
| surveillance that makes it completely impossible to commit
| theft, but you can implement strong enough legal deterrance to
| make it a really unviable risk/reward scenario for individuals
| and corporations alike
| ji23ii23jjj3 wrote:
| Helmut10001 wrote:
| IP blocking still seems a thing, even with this new feature -
| the ads need to be served from _somewhere_. I am using
| pfblocker-ng on pfsense, which uses giant IP blocklists to
| filter out all connections to spam and ad-servers. I haven't
| seen ads in 5 years and there is no need for client-side
| solutions (e.g. adblocker). The places where ads appear are
| just whitespace.
| josephcsible wrote:
| The idea is that this will be served from the same IP address
| that the site that you're trying to visit is.
| Helmut10001 wrote:
| Thanks for the explanation - I understood this partly from
| the article and it is pretty worrying for the future.
| pixeldetracking wrote:
| yes, i updated the french article but not this translation
| (no idea who did the translation btw), Google has a guide
| to host the container on your own infra:
| https://developers.google.com/tag-platform/tag-
| manager/serve...
| dsr_ wrote:
| There's no way to fight this unless ... you pass legislation
| against it or comparable technologies, preferably at a policy
| level.
| eru wrote:
| You can fight against it by refusing to use these websites?
|
| If you can't do this, perhaps because a big _majority_ of
| users don't care enough to support this kind of ecosystem
| shift, what makes you think a majority of voters would
| support this? (And if not, why would you want to force your
| view on them?)
|
| It's like legislating that people should only listen to Good
| Music and eat Healthy Food, as defined by some people who
| know better than the unwashed masses?
| dsr_ wrote:
| I rather think it's more like legislating that you can't
| sell people food adulterated with poisons, and you have to
| label the ingredients accurately. Oh, and it's like saying
| that you can't sell lead paint, even though it is a very
| pretty white.
| eru wrote:
| Even without that legislation, most people would already
| care about avoiding poisoned food.
|
| So a law specifically forbidding poisons is in line with
| what the majority already cares about.
|
| (Slightly related: see eg some Chinese people making good
| money from buying baby formula overseas and shipping it
| back home in their luggage. China has legislation against
| poison, but people don't trust the enforcement enough.)
| kergonath wrote:
| > Even without that legislation, most people would
| already care about avoiding poisoned food.
|
| There is lots of evidence that people would still use
| harmful substances when it's nice and cheap. Then other
| people would be exposed to it just because it is
| impossible to know the chemical composition of
| _everything_ around you. Lots of people care about
| avoiding things like toxic chemicals and harmful
| bacteria, the trouble is that they cannot see them.
|
| > So a law specifically forbidding poisons is in line
| with what the majority already cares about.
|
| So why not do it, then, if it is the right thing and
| people want it?
|
| In the real world, people are not perfectly informed, and
| fraudsters are willing to lie. So law and enforcement are
| absolutely necessary to end harmful practices. See lead
| paint, but also leaded petrol, asbestos, antibiotics in
| farm animals, and insecticide chemicals spread willy
| nilly across the countryside. These things not just
| disappear on their own because some people don't like it.
|
| Even on the topic at hand, to be honest. People know that
| ads and tracking are bad and annoying, even if they do
| not see clearly the extent of the damage. Some of us know
| how to avoid most of them. And yet, they keep making more
| and more money, and are far from disappearing. It is
| difficult to take your point seriously.
| mtsr wrote:
| Part of the job of lawmakers is, intriguingly enough,
| deciding what's good for voters. This would be among those
| things. Would voters vote for this specific law? Probably
| not. But they probably wouldn't vote out the
| representatives who wrote it either. And arguably privacy
| needs to be protected for the good of society.
| eru wrote:
| I'm not sure about this notion of the 'good of society'.
|
| If you believe that the 'good of society' is not what
| voters want, why bother with democracy at all?
|
| (Slightly besides the point: I actually do agree that
| people behave like idiots at the ballot booth and don't
| know what is good for them in this context.
|
| Luckily, people tend to be much more savvy when voting
| with their wallets or their feet. And as a society we
| would be well advised to encourage these latter two.
|
| Eg by taking subsidiarity serious, and pushing as much
| decision making as possible to as local a unit as
| possible. Don't decide stuff at federal level, when the
| states can handle it. Don't let the states handle, what
| the counties can handle. Don't let counties handle, what
| the municipalities can handle. Don't let municipalities
| handle what people can do privately on their own.
|
| See https://en.wikipedia.org/wiki/Subsidiarity
|
| By pushing authority down the stack, you make the act of
| moving between states or even just cities so much more
| powerful and expressive.)
| mtsr wrote:
| I'm not saying it's not what voters _want_ , I'm saying
| they're not going to vote for it. There's a difference.
|
| The average voter has a fairly limited horizon in terms
| of what they see and understand about what's good for
| society. And in a democracy you elect representatives
| because they're supposed to have a wider horizon and more
| in depth knowledge, in part because they're on average
| smarter than the average voter and in part because they
| get to dedicate all their time to that specific job.
|
| This means that lawmakers will sometimes have to do
| th8ngs the voters don't understand they want. It's on
| them to explain it to the voters. And it's on the voters
| to vote them out if they still don't agree.
|
| As for voting with their wallets, I would have agreed say
| 20 years ago. But marketing has become so all-
| encompassing and so much money and effort has been spent
| making marketing stick, that I don't think most people
| can make truly independent decisions anymore about many
| many things.
|
| And free stuff on the internet is definitely something
| that most people have trouble dealing rationally with.
| Just look at all the free trials that hook people into
| costly year long subscriptions, etc etc. Let alone when
| it's free in the sense that the users never pays directly
| but through things as ads and privacy.
|
| My view of this is very much influenced by my being a
| European and EU citizen, though. And if anything, the EU
| is a bit of a technocracy that likes to decide for the
| "good of society". And that's not something everyone will
| like every time.
| eru wrote:
| Well, I was born in East Germany and grew up there. Later
| I decided to vote with my feet, and pay my taxes in
| Singapore instead. Much better value for my tax money
| here---both lower taxes and better government services.
|
| Btw, I'm not saying people are perfectly rational when
| voting with their feet or wallet. Just that they are
| much, much more rational than at the ballot booth.
|
| > Let alone when it's free in the sense that the users
| never pays directly but through things as ads and
| privacy.
|
| Well, can't argue about taste? Perhaps people prefer it
| that way?
|
| > This means that lawmakers will sometimes have to do
| th8ngs the voters don't understand they want. It's on
| them to explain it to the voters. And it's on the voters
| to vote them out if they still don't agree.
|
| I am basically agreeing with you: voting is a weak
| channel to transmit information. Almost no individual
| vote makes a difference. Neither in aggregate nor to the
| individual voting.
|
| Voting with your feet or wallet does make an immediate
| difference to yourself, and has at least a clear marginal
| impact in aggregate. There are less weird threshold
| effects than in politics. A dollar more spend on iPhones
| is a dollar more spend on iPhones; but another vote for
| candidate A only makes a difference if it makes her have
| more votes than candidate B.
|
| (And proportional representation only helps partially: in
| the end it's important which coalitions can form a
| majority in parliament, whether one party has one seat
| more or less doesn't make much of a difference usually.)
|
| I'd like to give sortition a try to fill up parliament.
| glogla wrote:
| > Luckily, people tend to be much more savvy when voting
| with their wallets or their feet. And as a society we
| would be well advised to encourage these latter two.
|
| The problem with voting with your dollars is that people
| with more dollars get more votes. The problem with voting
| with your feet is that only some people can afford to
| move.
|
| If you want "just let the rich decide", why dress it up
| in fancy words?
| eru wrote:
| As much as possible, people should decide what to do with
| their dollars.
|
| > The problem with voting with your dollars is that
| people with more dollars get more votes.
|
| Eh, the biggest and most successful companies on the
| planet cater to mass markets. The system seems to work
| fairly well for average people. (And we all suspect the
| most important politicians cater to tiny elites.) Also,
| using your dollars to vote means you lose those dollars.
| So rich people can vote each dollar only once, just like
| everyone else.
| kergonath wrote:
| > As much as possible, people should decide what to do
| with their dollars.
|
| This sounds very good until it is actually put in
| practice, when people realise that those who have all the
| dollars have all the power. Now you have an unaccountable
| oligarchy.
|
| > Also, using your dollars to vote means you lose those
| dollars. So rich people can vote each dollar only once,
| just like everyone else.
|
| That's hilarious. As if those billionaires were not
| making the median yearly income in a week.
| ec109685 wrote:
| Apple's Private Relay blocks this type of cross site tracking.
|
| Given this tracking is all server side, third party cookies
| across sites aren't possible using this mechanism, and private
| relay cycles through your IP addresses frequently and uses
| common IPs across multiple users.
|
| Regarding your other point, unless Google execs want to be
| thrown in jail / sued, they can't use things like first party
| cookies for their benefit since that is against their terms of
| service.
| novok wrote:
| How is private relay different from a vpn? A lot of
| fingerprinting scripts also can track you despite vpn.
| top_sigrid wrote:
| Private Relay uses ingress and egress relays. The ingress
| proxy does know your IP but not which sites you are
| visiting and what you are doing. The egress proxy is only
| connected to the ingress, sees what you visit but does not
| know who you are. Both proxies are run by different
| parties.
|
| With a VPN you would have to trust one provider, who sees
| all of your traffic.
| mkmk3 wrote:
| Then is Private Relay equivalent to a two layer tor
| setup?
| Engineering-MD wrote:
| From my understanding yes, but with the caveat of being
| organised by a single entity (apple)
| [deleted]
| irrational wrote:
| I wonder why Safari is required? I'd be interested in paying
| for this if it worked with Firefox.
| GekkePrutser wrote:
| Yeah that would be a useful service that Mozilla could
| offer and I'd actually pay for.
|
| I don't like their VPN as it's too basic in terms of
| privacy protection and it's much more versatile to just
| sign up with Mullvad myself because then I can use it on
| other stuff than just the browser.
| altairprime wrote:
| How much would you pay per month for custom-per-site tracking
| blocking as described here?
| scim-knox-twox wrote:
| Nothing. No one should pay for _not_ being tracked.
| altairprime wrote:
| In principle I agree, and I support having the GDPR in
| effect globally, so that these server-side data sharing
| solutions are illegal without opt-in consent.
|
| Unfortunately there's a reality gap between "GDPR
| everywhere" and the United States and other countries, and
| that gap was being filled previously by anti-tracking lists
| maintained essentially for free out of the goodwill of
| people's hearts. Now that Google is - and has been - using
| server-side proxies, those tracking lists won't scale
| without human caretaking. Any human versus the entire web
| would burn out in a day.
|
| So the choice is either to pay humans to enforce our anti-
| tracking beliefs against scummy corps, or to donate to
| politicians that believe in GDPR so they can try to make it
| illegal, or to refuse to pay anything and accept the status
| quo of being tracked. We've reached the end game of the
| "pay nothing until it's fixed, then continue paying
| nothing" ethos: Google has outplayed us, and website owners
| can afford to pay to track us. I don't like this, and
| neither do you. I think it's time to pay money to fight
| back, and you do not think it's appropriate to pay money to
| fight back.
|
| If you or anyone have a good idea on how zero-cost effort
| can somehow solve the tracking problem, share that with
| others in a useful reply to the post somewhere. You don't
| have to convince _me_ that such ideas exist: you have to
| convince others who share your "at no cost to me" beliefs
| to invest their time and energy in your zero-cost idea.
| And, whatever else I'm uncertain, I guarantee they're not
| going to see such a reply down here in this thread that
| started with a pricing question.
| GekkePrutser wrote:
| 5-10 bucks. Any higher and I'll be looking at other options
| like not using the web so much.
| miere wrote:
| up to $6.9 - which would be (roughly) $10 local bucks on my
| country.
| quicklime wrote:
| > Maybe using an archive.is-like service that renders the
| static page (as an image at the extreme)
|
| A lot of companies are starting to use "browser isolation"
| which is essentially what you're saying. A proxy runs between
| the client and the server, but it does more than just direct
| TLS streams - it actually builds the DOM and executes the JS.
| The resulting web page is sent to the actual client browser,
| which might send back things like mouse and touch events to the
| proxy, which will then update the page.
|
| I think most companies are using this as a malware protection
| thing, but it does hide the actual client IP address and
| fingerprint, and I imagine it would make tracking very
| difficult.
|
| https://en.wikipedia.org/wiki/Browser_isolation
| GekkePrutser wrote:
| Browser isolation isn't quite that. It's just running a
| browser that is heavily sandboxed from internal files and
| networks, or running on another machine so any exploits don't
| hit your machine.
|
| It's very much like running a browser through Citrix (in
| particular the remote flavour which is the most common as far
| as I've seen). But of course any data in the browser itself
| is still within reach for the malicious code... Which only
| solves half the problem. Unless you rigidly separate internal
| browsing from external sites.
|
| But it doesn't run all the JavaScript and then send you a
| screenshot or anything. The resulting page is still
| interactive.
|
| Remote browser isolation has the ability to change the
| landscape of personal computing enormously by the way. Right
| now we equip all our laptops with at least 16GB (32 for
| customer care) because some web apps like Salesforce
| Lightning are such memory hogs.
|
| Considering the importance of the browser in modern computing
| this model world basically make the PC more like a terminal
| and require much less resources.
|
| Of course this has already been going on with web based apps
| and streaming of things like games but this could be the
| final nail in the coffin of the PC as we know it. Not sure
| I'm happy with that...
| kibibu wrote:
| Opera Mobile has been doing this for years and years
| Quai wrote:
| The Opera product you are thinking of is Opera Mini. Opera
| Mobile is a browser running mostly on your device (except
| for "turbo" which optimized media trough a proxy setup, but
| did not, afaik, execute any of the javascript).
|
| Opera Mini can be looked at as a browser running in the
| cloud, sending OBML (Opera Binary Markup Language, if I
| remember correctly) causing the (very thin) client to draw
| things on the mobile screen, like text, images, etc without
| having to transfer, parse, execute, flow and paint every
| thing on the device.
| Fnoord wrote:
| Yeah, they released countless of rebrands and versions
| and what not.
|
| The equivalent on desktop would be Browsh (e.g. with
| terminal + Mosh), but it runs Firefox under the hood.
| Opera Mini is just akin to a remote browser with the
| result being send to the client (as a compressed picture
| like in RDP/VNC, or a proprietary markup language like
| OBML).
| hwers wrote:
| "Blocking scripts for each individual website" probably isn't
| too bad of a burden though. There's enough people who are
| annoyed by this and few enough sites that you actually visit
| (how often do you actually visit a brand new website, or one
| that hasn't been visited by thousands already?) that maintained
| (donation supported) chrome extensions for this will pop up
| eventually.
| noduerme wrote:
| >> God damn... this is it, this is the end-game
|
| I don't understand. I tried to read the article but it doesn't
| make sense to me. What is the end-game? Can you explain? Not
| everyone uses google analytics, and even if we do it would only
| be on the front pages... (hooking into any API has always had
| the potential to expose session data if you pass it, so what's
| new here??)
| PhantomGremlin wrote:
| _Maybe using an archive.is-like service_
|
| No that has turned to shit (for me anyway). Used to be fine,
| now presents a captcha when JS off. Okay so I switch from
| Firefox to Safari (where I leave JS on) and it still presents a
| captcha. I'd rather use the original site with JS than solve
| captchas.
|
| That has been my consistent recent experience for a multitude
| of those.
|
| _or a Tor-like service_
|
| I've never used Tor, but aren't there a lot of complaints of
| repetitive captchas when using it?
|
| _randomizes one 's IP address and browser fingerprint_
|
| I haven't followed this closely, but didn't Apple make claims
| that they would soon have an opt-in service that did something
| like this?
| latexr wrote:
| > didn't Apple make claims that they would soon have an opt-
| in service that did something like this?
|
| iCloud Private Relay[1]. It's in beta.
|
| [1]: https://support.apple.com/en-us/HT212614
| hilbert42 wrote:
| _" I don't have the time or energy to block JavaScript and/or
| manually inspect each domain's requests to figure out if they
| use server-side tracking or not."_
|
| By default, I don't run JavaScript. I don't see blocking JS as
| a problem - in fact, it's a blessing as the web is blinding
| fast without it - and also most of the ads just simply
| disappear if JS is not running.
|
| On occasions when I need JS (only about 3-5% of sites) it's
| just a matter of toggling it on and refreshing the page. I've
| been working this way for at least 15 years - that's when I
| first realized JS was ruining my web experience.
|
| I'm now so spoilt by the advantages of the non-JS world that I
| don't think I could ever return. I'm always acutely reminded of
| the fact whenever I use someone else's machine.
| kevin_thibedeau wrote:
| Firefox has never been slow for me over the last 15 years
| because NoScript makes it light years better than Chrome.
| Conversely, I routinely have the Android assistant lock up on
| me from JS bloat despite the supposed performance enhancement
| of AMP pages.
| scim-knox-twox wrote:
| Exactly! If something didn't work without JS, I don't use it.
| There are many alternatives.
| forgotmypw17 wrote:
| There's another, indirect benefit to blocking JavaScript.
|
| Over time I have noticed a strong correlation between sites
| which don't work right without JS and low-quality content
| which I regret having spent time reading.
|
| Most of the time I encounter one of these sites I now just
| close the tab and move on with a clear conscience.
| zelphirkalt wrote:
| Similar here. When I am searching for something and a
| website wont show it unless I enable JS on that website,
| then usually it is the case, that after enabling JS to see
| the content, I realize, that the website's content is worth
| nothing and that I activated JS for naught, regretting to
| have spent time on that website.
| hilbert42 wrote:
| _" Over time I have noticed a strong correlation between
| sites which don't work right without JS and low-quality
| content...."_
|
| Absolutely true, I can't agree with you more. I've reached
| the stage where if I land on a site and its main content is
| blocked if JavaScript is disabled then my conditioned
| reflex kicks in and I'm off the site within milliseconds.
|
| Rarely is this a problem with sites that I frequent (and I
| too don't have time to waste reading low quality content).
| raspberry1337 wrote:
| Any tips for high quality content sites? It truly is hard
| to find these days
| hilbert42 wrote:
| Yeah, read HN!
|
| There are stacks and stacks of them here on HN that are
| of excellent quality - I use HN as my 'quality' filter
| (and I reckon I'm not alone).
|
| Moreover, if one doesn't run JS like me then it's dead
| easy to avoid problematic sites as HN lists them
| (Twitter, etc. - and it doesn't take long to get to know
| the main offenders, thus avoid them).
|
| :-)
|
| _BTW, I agree with you it is hard to find good sites
| these days but eventually most really good sites appear
| here on HN. Do what I do, when you come across them
| bookmark them._
| IHLayman wrote:
| A pedantic note that follows from this particular thread:
| HackerNews's search capabilities are powered by Algolia
| and require JavaScript to work (turn off all JS and the
| HN branded Algolia page will not load). The reason I
| bring this up is that even good websites sometimes lean
| on free or free-ish services to provide extra
| functionality (such as calendars, discussion boards,
| issue tracking, or search) without realizing that such
| functionality may be a back door to letting JS in and any
| tracking/privacy-erosion that could follow from it.
| hilbert42 wrote:
| Right, HN does use JavaScript for certain functions,
| search etc. Now, if you read the second paragraph of my
| first post I've got such cases covered.
|
| OK, here's the scenario: I log on to HN with JavaScript
| disabled, do all the things I do, read articles, submit
| posts all without JS. At some point I want to search HN
| so I hit the 'toggle JS' button on my browser, it then
| goes from red to green to tell me JS is now active. I
| then refresh the page and start searching HN. When I've
| finished I hit the JS toggle and the button goes back to
| red - JS is now kaput.
|
| I really can't think of anything simpler - JS is off
| until I really need it and when I do it's immediately
| available without digging deep down into menus etc.
|
| I'd add HN uses JS as it was originally intended and does
| so responsibly. I have nothing against JS per se, the
| problem comes from websites that abuse webpages and thus
| the user by sending megabytes of JS gumph and so on.
|
| Running without JS and only turning it on when really
| necessary I reckon is a reasonable compromise.
| Fnoord wrote:
| The thing with WWW is links, the web. So
| https://news.ycombinator.com is a good starter. From
| there, yes, you could end up on twitter.com for example
| but it would be worthwhile.
| IHLayman wrote:
| "...you could end up on twitter.com for example but it
| would be worthwhile."
|
| Unpopular opinion: I never click on twitter links
| anymore. It's almost never worth it.
|
| IMHO, 140/280/N character limits are a way to cheapen
| discourse. I think there is something to be said for the
| "density" of text: text that offers very little to think
| about (less dense) is vacuous but encouraged by a
| character limit; yet, text that is compressed into a
| character limit either packs too much info into a short
| space that requires more discourse to properly get a
| thought across or elides too much from the text, making
| it less accurate/meaningful/important. Or worse: people
| chain posts into long 1/907, 2/907, 3/907... trains that
| should be blog posts rather than requiring some other
| application to string the thread together.
|
| Of course the other reason (more central to this
| discussion) never to click on a twitter link is that JS
| and an account login is required now to read the posts
| past a certain point. If that makes me an old man yelling
| at a cloud, so be it, but aren't there better ways to
| handle online public discourse without sacrificing
| people's privacy and security?
| hilbert42 wrote:
| _" Unpopular opinion: I never click on twitter links
| anymore. It's almost never worth it."_
|
| It's not unpopular with me, I agree with you completely.
| I was never a Twitter fan but when they forced the use of
| JS that was the end of it (you'll note I used Twitter as
| an example in one of my earlier posts).
|
| You're right about sacrificing people's privacy and
| security, as I said in another post 'I'm forever amazed
| at the trust the average person has in these
| vulnerability-ridden flaky systems'.
| jcfrei wrote:
| How does blocking javascript in this case prevent tracking?
| It's done via the same cookies the website uses, as I
| understand it. Do you disable cookies too?
| bentcorner wrote:
| I used to run NoScript then at some point (maybe switched
| browsers?) I stopped using it. You've persuaded me to re-
| enable it.
|
| Also - Firefox on mobile supports NoScript!
| behnamoh wrote:
| No, only FF on Android supports extensions.
| exyi wrote:
| Because Apple essentially does not allow Firefox...
| quambene wrote:
| Concerning noscript, is this [1] still a thing?
|
| [1] NoScript is harmful and promotes malware -
| https://news.ycombinator.com/item?id=12624000
| josefx wrote:
| Can't find any ads on NoScript.net with uBlock running
| and uniblue.com seems to have expired. However it is
| hilarious that the complaint comes from Ad block Plus,
| their entire business model is build around bypassing
| EasyList. For a generous fee they make sure that your ads
| are "acceptable".
| Fnoord wrote:
| What makes you think this comes from ABP? The article
| linked to is from 2016, they link to a history between
| NoScript and ABP. The article by ABP is from 2009 (!!).
| Back in the 2009, ABP was the defacto standard. There was
| no uBlock. There was NoScript, but no uMatrix yet.
|
| The developer issued an apology and reverted the change,
| and apart from a Ghostery one (who are also shady) no
| further controversies are documented at [1]. Perhaps the
| Wikipedia article is incomplete, given the one linked is
| from 2016?
|
| [1] https://en.wikipedia.org/wiki/NoScript
| heavyset_go wrote:
| > _By default, I don 't run JavaScript. I don't see blocking
| JS as a problem - in fact, it's a blessing as the web is
| blinding fast without it - and also most of the ads just
| simply disappear if JS is not running._
|
| Years ago I was on the "people who block JavaScript are
| crazy" bandwagon, until just loading a single news article
| online meant waiting for a dozen ads and autoplaying videos
| to load. I spent more time waiting for things to finish
| loading than I spent browsing the actual sites, which killed
| my battery life. I'd get a couple of hours of battery life
| with JS on, and with it off, I could work all day on a single
| charge. It was nice.
|
| Ever since then, I've been using NoScript without a problem.
| I've spent all of maybe 5 minutes, cumulative over the course
| of several years, clicking a single button to add domains to
| the whitelist. If whitelisting isn't something you want to
| do, you can use NoScript's blacklist mode, too.
|
| > _I 'm now so spoilt by the advantages of the non-JS world
| that I don't think I could ever return. I'm always acutely
| reminded of the fact whenever I use someone else's machine._
|
| I relate with this 100%.
| Semaphor wrote:
| > until just loading a single news article online meant
| waiting for a dozen ads and autoplaying videos to load.
|
| That sounds like you not only didn't block JS, you also
| didn't block ads. Which is a very different argument. I
| only block 3rd-party JS by default (and that already
| requires a lot of whitelisting for almost every site that
| has any interaction) and I don't have those issues because
| I also block ads.
| unicornporn wrote:
| > Years ago I was on the "people who block JavaScript are
| crazy" bandwagon, until just loading a single news article
| online meant waiting for a dozen ads and autoplaying videos
| to load.
|
| Seems like clear case of "crossing the river to collect
| water" (as the Swedish saying says)? This is what I use
| uBlock Origin (with the right blocklists) for and it
| happens automagically. I did use uMatrix for quite a
| awhile, but eventually ended up ditching it because uBlock
| Origin worked so well.
| paulryanrogers wrote:
| Tried NoScript for years and it was a pain. Too many of the
| sites I use need so many domains full of JS. So I think
| this will vary widely depending on the person and their
| preferred/needed sites.
| hilbert42 wrote:
| It has to be said: there are people who can get by
| without JavaScript and those who can't. You can almost
| predict those who can and those who can't by their
| personality.
|
| If you are heavy user of Google's services, Twitter and
| Facebook as well as many big news outlets and heavy-duty
| commercial sites then you're the 'JavaScript' type and
| stopping scripts is definitely not for you!
|
| If you are like me and don't have any Facebook, Twitter
| or Google accounts and deliberately avoid large
| commercial sites like, say, Microsoft then you can
| happily switch off JavaScript and experience the 'better'
| web.
|
| You know the type of person you are, so with this fact in
| mind there's no point me proselytizing the case for
| disabling JavaScript.
| paulryanrogers wrote:
| This seems like a broad generalization. JS continues to
| permeate every industry brought to the web. It's
| increasingly not optional as employers and governments
| mandate more and more web services. Doubtful that can be
| predicted by personality.
| hilbert42 wrote:
| _"...as employers and governments mandate more and more
| web services. "_
|
| It's not compulsory, especially governments. I never deal
| with government on the web at a personal level. If they
| expect me to fill in forms I simply say that I do not
| have the web and would they please send me a paper copy -
| which they're obliged to do at law - same goes for the
| census.
|
| If the government expects me to do business with it on
| the internet then it will have to legislate to make it
| compulsory AND then provide me with the necessary
| dedicated hardware for said purpose.
|
| Why would I act this way? Well, for quite some years I
| was the IT manager for a government department and I know
| how they work (or I should say don't work).
|
| BTW, as IT manager I never used email within the
| department (perfunctorily emails sent to my office were
| received by secretarial staff). If the CEO wanted to send
| me an important memorandum then he had to have it typed
| up on paper and personally sign it (and I would
| reciprocate the same). When in government you quickly
| realize that atoms on paper and especially a written
| signature is real guaranteed worth - unlike ephemeral
| emails that can vanish without trace.
|
| I'm forever amazed at the trust the average person has in
| these vulnerability-ridden flaky systems.
| mehdix wrote:
| I can relate 100%. In the past I was constantly using
| Twitter, Gmail, et al. I was using different hacks to
| bend them to the extent possible to my will. Time
| changed, my personality changed and the desire and need
| to use those services disappeared, therefore I naturally
| stopped using them. When people where talking about this
| or that service being down, I didn't notice it at all. I
| was also lucky enough to not rely on them on my $dayjob.
| I run my mail server, host my website and run my scripts.
| Old fashoin guy lets say. It works well for me. Moreover,
| JS-bloat is a red flag to stay away from certain
| services. Has served me well.
| gorjusborg wrote:
| > Too many of the sites I use need so many domains full
| of JS
|
| I hear you, but I wonder if you are being honest with
| yourself when you use the word _need_.
|
| At this point, I view Google and Facebook as the
| equivalent of loan sharks. A loan shark does provide a
| service, but most people shouldn't use one.
| eru wrote:
| I use NoScript with Firefox on Android (together with
| uBlock Origin). After I unblocked the websites I
| regularly use (and not the ad delivery domains), it
| doesn't get in the way that much.
| pcthrowaway wrote:
| Unblocking the sites you use removes the advantage of not
| being tracked by Google through tag manager though.
| eru wrote:
| That's probably true. Part of the reason why I still also
| use an ad-blocker.
| bogwog wrote:
| Are you a web developer by any chance?
| maccard wrote:
| uBlock Origin solves the problem you had too, without
| breaking multiple sites.
| ajdude wrote:
| This. I use the no script addon by default, and it's amazing
| how many different domains sites try to bring in. Then I hit
| Twitter, imgurl, quora, etc and I am left with nothing but a
| blank page with plain text telling me that I need JavaScript
| to view the site. It makes me wonder what kind of tracking
| they are pushing.
| Syonyk wrote:
| All of them. If you allow everything and have Ghostery
| running in "don't block anything but tell me what's there"
| mode, it's horrifying just how many things get loaded.
|
| You can play with page load sizes in the debugger console
| with stuff blocked and without too - about half the
| downloaded material on any major news website is stuff that
| Ghostery will block. It's quite terrifying.
| kobalsky wrote:
| > and also most of the ads just simply disappear if JS is not
| running.
|
| since we are talking about the future I'd like to point out
| that they can always serve ads from the origin domain without
| javascript.
|
| I mean the anti-adblock battle will evolve until each page we
| visit is a single image file that we have to OCR to remove
| ads. then we will need AI, and they will have captchas that
| will ask which breakfast cereal is the best.
|
| you can stay ahead of the curve but it's always moving
| forward.
| hilbert42 wrote:
| _"...they can always serve ads from the origin domain
| without JavaScript. "_
|
| But most of them don't. Yes, they can change their model
| and in time they likely will.
|
| As it stands now, one doesn't have to watch ads on the
| internet if one doesn't want to - all it takes is a little
| perseverance and they're gone. If one can't rise to the
| occasion then one has a high tolerance for ads.
|
| Even YouTube can be viewed without ads with packages such
| as NewPipe and similar.
|
| You're right about AI, OCR etc. and I think in time it will
| come to that.
|
| It seems to me people like us will always be ahead because
| we've the motivation to rid ourselves of ads. It reminds me
| of the senseless copyright debate - if I can see the image
| then I can copy it. No amount of hardware protection can
| stop me substituting a camera for my eyes. What's more, as
| the fidelity goes up HD, 4k etc. the better the optical
| transfer will be (less comparative fidelity loss).
|
| That said, the oldest technology - standard TV - is still
| the hardest to remove ads from. Yes, one can record a
| program and race though the ads later (which most of us are
| very adept at doing) but it's still inconvenient.
|
| What I want is a PVR/STB that figures out the ads and
| bypasses them. Say I want to watch TV from 7 to 11pm (4
| hours) and there's a total of one hour of ads and other
| breaks in that time that I don't want to watch then I want
| my AI-aware PVR/STB to suggest that I start watching at 8pm
| instead of 7 as this will allow it to progressively remove
| ads on-the-fly across the evening.
|
| The person who makes one of these devices will make a
| fortune. If the industry tries to ban it (as it will) then
| we resort to a software version and download it into the
| hardware. Sooner or later it's bound happen and I'll be an
| early adopter.
| kobalsky wrote:
| > What I want is a PVR/STB that figures out the ads and
| bypasses them. Say I want to watch TV from 7 to 11pm (4
| hours) and there's a total of one hour of ads and other
| breaks in that time that I don't want to watch then I
| want my AI-aware PVR/STB to suggest that I start watching
| at 8pm instead of 7 as this will allow it to
| progressively remove ads on-the-fly across the evening.
|
| I wonder if something like sponsorblock for youtube
| (which is a must have) could be done for TV? it's a
| crowsourced effort and works flawlessly for popular
| channels.
| hilbert42 wrote:
| Good question, I don't know. It's certainly worth
| thinking about.
| minimilian wrote:
| i used to have javascript turned off for a long time, but
| i've given up. you can't even search hacker news without
| javascript (for some reason).
| 3836293648 wrote:
| Pretending as if you can search hacker news with JS turned
| on...
| zelphirkalt wrote:
| There is some truth to this though. It is sometimes hard
| to find that HN topic, that you remember just a few words
| of through the aglolia search thing.
| mderazon wrote:
| I don't know which web you're viewing that only needs JS for
| 3-5% of websites
| hilbert42 wrote:
| Read my reply to _paulryanrogers_ about whether one 's a
| JavaScript or a non-JavaScript type person.
|
| The 3-5% of sites I'm referring to are ones where I _have_
| to enable JS to view them. In by far the vast majority of
| the sites that I frequent I do not have to enable JS to
| view them.
|
| Also note my reply to _forgotmypw17,_ one doesn 't need JS
| if one avoids low quality dross.
| mderazon wrote:
| I will give it another shot. Unfortunately though, this
| does not solve the server-side GTM issue, right ?
|
| If the 3-5% of the website you use will start tracking
| via server-side GTM with the site's domain, you will not
| be able to simply use noscript to disable tracking ?
| hilbert42 wrote:
| You're probably right, but then there are many factors
| involved - take Europe's GDPR, I'd reckon it'd be deemed
| unlawful under those regs but of course that doesn't help
| those of us outside Europe.
|
| It remains to be seen how Google's Tag Manager actually
| works and I'd be surprised if data from your machine is
| ignored altogether. If your machine says nothing about
| you then Google won't know who you are - unless you have
| a fixed IP address and most ordinary users don't. Sure
| there's browser fingerprinting (but I never bother about
| this as I use multiple browsers on multiple machines
| which screws things up a bit).
|
| When I used to worry about this more than I do now, I
| used to send my modem/router an automatic reboot signal
| during periods of inactivity, this ensured a regular
| change of IP address.
|
| OK, so what info can be gotten from your machine if
| JavaScript is disabled? Some but it's nothing like what
| happens when JS is active - in fact the difference is
| quite staggering (ages ago I actually listed the
| differences on HN).
|
| Presumably you could search for the post but there's an
| easier way. Use the EFF's test your browser site
| https://coveryourtracks.eff.org/ and do the test with and
| without JS. Note specifically the parameters with the 'no
| JavaScript' message.
|
| Also note the stuff a website can determine about you
| even when JS is disabled - with this info you can start
| tackling the problem such as randomizing your browser's
| user agent, etc.
|
| My aim was never to kill evey bit of tracking, rather it
| was to render tracking ineffective and I've been very
| successful at doing that. The fact is I don't get ads let
| alone targeted ones just by turning off JS and having an
| ad blocker as backup. The only other precaution I take is
| to always nuke third-party cookies and to kill all
| standard cookies when the browser closes.
|
| I'm not too worried about Google's Tag Manager, for even
| if Google tracks me it still has to deliver the ads and
| it cannot do so with JS disabled and an ad-blocker in
| place.
|
| __
|
| _Edit: if you want to watch YouTube then Google insists
| you enable JavaScript. This is bit of a pain but it 's
| easily solved with say the Android app NewPipe (available
| via F-Droid). NewPipe also has the added advantage of
| bypassing the ads and having the facility to download
| clips as well if that's your wont.
|
| Of course, there are similar apps for desktops too._
| mderazon wrote:
| I have advanced protection on my Google account that
| unfortunately doesn't let me install apps outside Play
| Store...
|
| I think I can still load NewPipe through usb debugging
| but not able to have auto updates
| hilbert42 wrote:
| If you've advanced protection running then you're a dyed-
| in-wool Google user (hard core type) so I wouldn't even
| try.
|
| I'm the exact opposite. I root my Android machines and
| remove every trace of Google's crappy gumph, Gmail etc.
| (I don't even have a current Google account.)
|
| I occasionally use the Google playstore but I log on
| anonymously with the Aurora Store app (not available on
| the playstore).
|
| I say occasionally because that's true, instead I use
| F-Droid or Aurora Droid to get my guaranteed spyware free
| apps. It's a different world - I'm the antithesis of the
| happy Google user.
|
| Don't try to load NewPipe, in your case it's just not
| worth the effort (and Google will notice the fact).
| PhantomGremlin wrote:
| HN totally usable for basic functionality w/o JS.
|
| profootballtalk.com works great if you don't want to vote
| or comment
|
| macrumors.com great functionality
|
| nitter.net happily takes the place of twitter.com
|
| drudgereport.com works great and I rarely turn on JS when I
| go to the sites he links to, usually the text on target
| sites is there if not as pretty as it could be
|
| individual subreddits (e.g. old.reddit.com/r/Portland/ )
| are quite good w/o JS. But the "old." is probably
| important.
|
| I admit that there are lots of sites that don't work, e.g.
| /r/IdiotsInCars/ doesn't work because reddit uses JS for
| video. For so many sites the text is there but images and
| videos aren't. Also need to turn off "page style" for some
| recalcitrant sites.
|
| In conclusion, contrary to your JS experience, I'd say that
| I spend over 90% of my time browsing w/o JS and am happy
| with my experience. Things are lightning fast and I see few
| or no ads. I don't need an ad blocker since 99% of ads just
| don't happen w/o JS.
| zelphirkalt wrote:
| > In conclusion, contrary to your JS experience, I'd say
| that I spend over 90% of my time browsing w/o JS and am
| happy with my experience. Things are lightning fast and I
| see few or no ads. I don't need an ad blocker since 99%
| of ads just don't happen w/o JS.
|
| Well, you still have lots of tracking stuff loaded
| probably, unless you got something extra for blocking
| trackers. A tracking pixels does not need JS. A font
| loading from CSS does not need JS. Personally I dislike
| those too, so I would still recommend using a blocker for
| those.
| PhantomGremlin wrote:
| _Well, you still have lots of tracking stuff loaded
| probably, unless you got something extra for blocking
| trackers._
|
| Yes I'm sure I have that stuff loaded. But I don't care
| because it's quite ephemeral:
|
| I exit Firefox multiple times a day, there's really no
| performance cost to doing that after every group of
| websites. E.g. if, while reading HN, I look up something
| on Wikipedia, or I search with Bing or Google, everything
| goes away together.
|
| In my settings: delete cookies and site data when Firefox
| is closed
|
| In my settings: clear history when Firefox closes,
| everything goes except browsing and download history
|
| No suggestions except for bookmarks.
|
| So when I restart Firefox to then browse reddit it starts
| with a clean slate.
|
| Comcast insisted I purchase a DOCSIS3 modem quite a while
| ago. Once downloads are at 100 mpbs+, does it really
| matter if I repeatedly re-download a few items to cache?
|
| The only noticeable downside is when I switch to Safari
| to view something that needs JS, I then see ads for
| clothing that my wife and daughters might be interested
| in. I presume this is due to fallback to tracking via IP
| address. Of course I always clear history and empty
| caches in Safari.
|
| Obviously this doesn't work for someone who wants to or
| needs to keep 100 browser windows open at once, for
| months at a time. But that's not me. I don't think that
| way, never have.
|
| Edit: just had to add that sites like Wikipedia are
| better w/o JS (unless you edit?). I don't see those
| annoying week-long pleas for money. Do they still do
| those?
| zelphirkalt wrote:
| > Obviously this doesn't work for someone who wants to or
| needs to keep 100 browser windows open at once, for
| months at a time. But that's not me. I don't think that
| way, never have.
|
| Caught me. Tab hoarder here : )
|
| > I don't see those annoying week-long pleas for money.
| Do they still do those?
|
| They still do those. At least I have seen them less than
| a year ago.
| mtsr wrote:
| I don't think the solution here is a technical one. This should
| just be solved by legislation.
|
| Google Analytics has been recently ruled illegal in multiple
| European countries. And either this already is illegal under
| the same laws or it should be made so.
| tick_tock_tick wrote:
| > Google Analytics has been recently ruled illegal in
| multiple European countries.
|
| Just about everything hosted by a non EU company just got
| ruled illegal (in the EU that is).
| mtsr wrote:
| It's very doable to disable google analytics for EU
| visitors.
| welterde wrote:
| Not quite - only everything US-based, since they fall under
| the purview of the cloud act, which is incompatible with
| the GDPR (on purpose.. this is an entirely self-inflicted
| wound by the US).
| mhoad wrote:
| I suspect this might end up as a slightly trickier scenario
| because when you get down to the details it's hard at a
| technical level to make a distinction between a server log
| file and a tool like analytics which takes those same bits of
| data and mostly just organises and displays it in an
| intuitive way with charts and a nice UI.
| mtsr wrote:
| The ruling against google analytics in France is quite
| simple: google analytics as used by an unnamed website was
| not compliant with GDPR, because it exports user data to a
| country that has privacy laws that are not up to GDPR
| standards, which is not allowed. This is on the unnamed
| website and they or compelled to stop this illegal export
| of user data by either only exporting anonymized statistics
| or stopping use of google analytics entirely.
|
| Of course this isn't yet a perfect banning of GA and Google
| might be able to work around it, but it's something. And in
| fact, anonymized statistics would probably be OK (depending
| on the details of course).
| mhoad wrote:
| But this actually highlights exactly what I mean. What if
| I simply stood up a plain old Apache server to host my
| website but that happened to be hosted in the US. No
| analytics, just a few HTML files and that's it.
|
| I'm still in this scenario sending PII of EU citizens in
| the form of IP addresses to the US which are just written
| to /var/log/apache
|
| It seems obviously different and yet as that ruling seems
| to imply it wouldn't be unless I'm missing something here
| between first and third party capture or something?
| nickpp wrote:
| Default configurations of logging on most servers is
| illegal now under GDPR since it saves IP addresses.
| hyperman1 wrote:
| This pops up regularly, but AFAIK it's not correct. The
| law is much more fine grained than the USA PII concept.
| IP addresses are only personal data (PD) if you are
| capable of using them as identification mechanism. If you
| don't they are not. This also means that something that
| is not PD for you, can become PD when you give it to
| someone else. Or that 2 items which are not PD
| themselves, become PD when you combine them. Or that
| being hacked turns non-PD into PD.
|
| Even as PD, using IP addresses to maintain a website is
| fine, even without consent. Using them to track
| individuals is not fine. Having a log rotation policy and
| a sane security policy so you can demonstrate when you
| throw them away is a good idea.
|
| To be short: Install debian, drop nginx on it, then let
| it log as it wants. This is legal. But don't you dare
| mine the logs for abusing PD.
| nickpp wrote:
| Do you have a source? My observation came from multiple
| lawyers in the context of "to stay on the safe side".
| rndgermandude wrote:
| Incorrect. In the "Breyer" ruling[0] the highest European
| court concluded that dynamic IP addresses are PII (not
| just personal data, and not just data), as there is an
| abstract risk that combining IP addresses with other data
| can lead to identification of a user. The ruling
| explicitly said that the mere risk of such an
| identification is enough, not that such an identification
| has to actually happen.
|
| Subsequent rulings by many courts have found that all IP
| addresses are PII, for various reasons, such as "static"
| IP addresses bear the same risk of indirect
| identification, and there is no reliable way to
| distinguish between "dynamic" and "static" addresses
| anyway.
|
| The recent German ruling that Google Fonts violates the
| GDPR just by transmitting an IP to google (by making the
| web browser fetch a resource from a google server)
| hammered home this point, citing the EU ruling again[0].
|
| This is different to e.g. of a streaming provider keeping
| a history of songs you played. This data is personal
| data, but it is not personally identifiable data as this
| history alone cannot be used to identify a person.
| However, if this history has some kind of identifier
| attached that links back to account information or an IP
| address, that identifier would be PII, as this identifier
| could be used to indirectly identify a person.
|
| [0] https://curia.europa.eu/juris/document/document.jsf;?
| text=&d...
|
| [1] https://rewis.io/urteile/urteil/lhm-20-01-2022-3-o-17
| 49320/
|
| Die dynamische IP-Adresse stellt fur einen
| Webseitenbetreiber ein personenbezogenes Datum dar, denn
| der Webseitenbetreiber verfugt abstrakt uber rechtliche
| Mittel, die vernunftigerweise eingesetzt werden konnten,
| um mithilfe Dritter, und zwar der zustandigen Behorde und
| des Internetzugangsanbieters, die betreffende Person
| anhand der gespeicherten IP-Adressen bestimmen zu lassen
| (BGH, Urteil vom 16.05.2017 - VI ZR 135/13)[2].
|
| Translated, best to my abilities:
|
| The dynamic IP address is to a web site operator a piece
| of personally identifiable data, because the web site
| operator abstractly has legal means, which could be
| reasonably used, with the help of third parties, namely
| the the responsible authority and the internet service
| provider, to identify the person in question with the use
| of the stored IP address (BGH, ruling from the 16th of
| May 2017, VI ZR 135/13)[2]
|
| [2] The BGH ruling quoted is the "Breyer" ruling again,
| just at the German national level instead of the EU
| level. The Bundesgerichtshof (BGH, highest German court
| of ordinary law) asked the European Court of Justice to
| settle the question of whether dynamic IP addresses are
| PII, which the ECJ affirmatively settled in [0].
| hyperman1 wrote:
| This is a very interesting legal document, and I'll have
| to take the time to read it slowly before I can judge it.
|
| It centers around this line: ... not PD
| for you, can become PD when you give it to someone else
|
| and claims that, as this potentiality can always be
| fulfilled, you should consider it PD. This would
| invalidate the first part of the post, but is still not
| enough to make a default deploy of a logging http server
| illegal because of the 6.1(f) legitimate intrest rule. In
| fact, things like 21.1(b) might make it obligatory.
|
| Now we are in lawyer 'interesting question' territory
| which costs a lot of money, and I still don't think
| you'll need to worry, because you're not violating the
| spirit of the law. Personally, I'll go on depending on
| 2.2(c)
| rndgermandude wrote:
| It's not illegal to store such information in default
| logs per se, even without explicit consent, if it would
| fall into the "legitimate interest" category[0], e.g. you
| need it to operate the service and prevent abuse, and
| there is no less intrusive way to e.g. reasonably monitor
| for and prevent abuse.
|
| However, you cannot share such logs without consent, you
| still have an obligation to inform users about your
| legitimate interest assessment and what data you store,
| and you still have to abide to other rights of users such
| as the right of users to ask for a copy of the data you
| store about them.
|
| [0] Art 6.1.f https://gdpr.eu/article-6-how-to-process-
| personal-data-legal...
| nickpp wrote:
| Gdpr.eu is not an official EU resource. There is no
| official guidance saying that IP address in logs falls
| under "legitimate interest" and every lawyer I asked
| advised against it "just to be on the safe side".
|
| One actually added: _Do you really want to test our
| government 's understanding of "legitimate interest" for
| your business in court?_
| nickpp wrote:
| When you use laws to ban businesses from other countries,
| those countries will feel entitled to use laws to ban
| businesses for your countries as well.
|
| It's how protectionism works and it's generally the consumers
| who lose.
| rndgermandude wrote:
| These laws do not ban businesses, they ban business
| practices. And consumers often win. E.g. laws to ban the
| business practice of just dumping toxic waste into rivers
| because it's cheaper were hugely successful - at least in
| places were they were enforced. On the other hand, there is
| a danger of regulatory capture, which has to be considered
| as well...
|
| The GDPR does not ban Google, and it does not ban
| analytics. But, according to recent court rulings, it bans
| the business practice of Google Analytics to collect and
| transfer data to the US - which isn't considered to be a
| place with "adequate" privacy laws - and other places
| without prior user consent. Google could potentially come
| up with ways to make a Google Analytics that does abide by
| the law, but so far they choose not to. Maybe the changes
| that would be required would cut severely into revenues, or
| even make (free) GA cost-prohibitive, but this is in line
| with environmental protections killing off certain
| products/businesses that got too expensive when they had to
| dispose of their toxic waste properly and in a way that
| doesn't poison people and the environment.
| nickpp wrote:
| Comparing tracking with "dumping toxic waste into rivers"
| is comparing a breeze with a hurricane.
|
| > Google could potentially come up with ways to make a
| Google Analytics that does abide by the law
|
| I personally know of no way to have legal analytics under
| GDPR, as advised by multiple lawyers.
| cookiengineer wrote:
| > Maybe using an archive.is-like service that renders the
| static page (as an image at the extreme), or a Tor-like service
| and randomizes one's IP address and browser fingerprint.
|
| I'm building a peer-to-peer network of Web Browsers [1] that
| doesn't trust anything by default, and only allows to render
| types of content incrementally; while disabling JS completely.
| Most of the time, you can find out what the content is with
| heuristics. The crappy occasional web apps that don't work
| without JS can be rendered temporarily in an isolated sandbox
| in /tmp anyways.
|
| I think that the only way to get ahead of the adblocking game
| is to instead of maintaining blocklists, we need to move to a
| system that has allowlists for content. The user has to be able
| to decide whether they're expecting a website serving a video,
| or whether the expectation is to get text content, image
| content, audio content etc. News websites are the prime example
| of how "wrong" ads can get. Autoplayed videos, dozens of
| popups, flashing advertisements and I haven't even had time to
| read a single paragraph of the article.
|
| And to get ahead of the "if fanboy gets hit by the bus"
| problem... we need to crowdsource this kind of meta information
| in a decentralized and distributed manner.
|
| [1] https://github.com/tholian-network/stealth
| tgsovlerkhgsel wrote:
| Aren't browsers shifting to a per-domain cookie jar?
|
| While you can never prevent one specific site from tracking
| you, this still doesn't (directly) allow your activity on Site
| A to be linked to activity on Site B, does it?
|
| Of course, fingerprinting combined with IP addresses will
| ultimately allow something that comes very close to it, so the
| current state (a few hundred trackers per website, all ending
| up harmlessly incrementing the adblocker's counter) is better
| for privacy for power-users, but I'm not sure if this is the
| big "game over".
| lewantmontreal wrote:
| This is what I'm interested in. Article itself did not
| mention cross site tracking.
|
| Every website having their own tracking subdomain makes third
| party cookies not work cross site even without browser
| changes.
| pixeldetracking wrote:
| yes, they would need to get another identifier, and that's
| what is done with players like Facebook.
|
| Sorry another of my articles in french:
| https://pixeldetracking.com/fr/les-signaux-resilients-de-
| fac..., but Facebook is making it easy to integrate their
| "Conversion API (CAPI)" with GTM Server-Side tagging
| callmeal wrote:
| The cross site tracking is done by a third party. From
| reading the docs, the way it works is, publisher sets a
| unique id, browsers send that unique id to the publishers
| domain, publisher forwards that (via the tag manager app
| engine) to the third party.
| GekkePrutser wrote:
| They can still cross-track based on IP or any other
| fingerprint worthy information. I expect this is exactly
| what they're doing. Doing this all on a central service
| makes this process much easier unfortunately...
| josefx wrote:
| Google is pushing to have the browser itself track your
| interests and share them with whoever asks. The first attempt
| FloC backfired rather quickly as it was an all around privacy
| nightmare. The second attempt Topics promises to fix a lot of
| the problems FloC had but that is not a high bar and Google
| left itself a lot of room for future changes.
| onion2k wrote:
| The article is from 2020, and I don't think I've ever seen a
| site using this approach yet. It is an egregious attempt to
| circumvent the Same Origin security policy in browsers that
| developers and privacy advocates should rightly be angry at,
| but it doesn't seem to have caught on. That's something to be
| thankful for.
| 1shooner wrote:
| >I don't think I've ever seen a site using this approach yet.
|
| What have you been looking for? It seems like this would be
| hard to observe.
| pixeldetracking wrote:
| your are optimistic, most analytics guys I know are working
| with clients to transition to GTM server-side tagging
| teekert wrote:
| " I honestly don't know if there's any solution to this at
| all."
|
| How about the law? Like GDPR? My data is mine.
| teekert wrote:
| I mean, technically there is nothing stopping me from
| following anybody around, documenting their actions, taking
| pictures. It's easy... But we have laws that prevent this
| because we decided together that we do not like this.
| pacifika wrote:
| Couldn't a adblocker block the largest javascript blob loaded
| by the page? Most likely it's gtm. Also with a bit of machine
| learning it could recognise the patterns in the js blob, no?
| tootie wrote:
| "Endgame" is the way all web analytics was done 20 years ago.
| gigel82 wrote:
| The server-side "analytics" of 20 years ago was for aggregate
| reports on popular pages, number of users, their browsers and
| OSs and maybe their geo-location; solely for the use of the
| site owners to optimize and whatnot.
|
| This abomination Google is proposing is unblockable cross-
| site tracking of people's activities. That site owners get to
| see some of that data too is insignificant, their value comes
| from being able to track people across the web. I'd bet
| Google would even offer this proxy service "for free"
| depending on how much data they can hoover from the site.
| beagle3 wrote:
| How does google correlate identifiers between different
| users?
| gigel82 wrote:
| Browser fingerprinting and IP address plus any unique
| identifiers if you happened to log in on that website.
| silentsea90 wrote:
| I get privacy concerns and hate for ads, but what about "free"
| internet? Paywalls are a massive annoyance to me personally,
| and if ads were legislatively blocked, would I have to pay for
| each website I visit that previously relied on ads for $?
| Perhaps we could be making micro-transactions for each website
| visited via crypto (?)
| philihp wrote:
| So something like https://yalls.org?
| latexr wrote:
| Solutions for sending micro transactions to websites you
| visit have existed for over a decade[1], no cryptocurrencies
| or blockchains required.
|
| [1]: https://en.wikipedia.org/wiki/Flattr
| inlined wrote:
| I think the solution will be for ad blockers to invest in
| neural nets to detect the graph of the code flow for known
| variants of the script. The software that detects plagiarism
| will be a good start.
| xigoi wrote:
| That sounds like it's going to be slower than not using an ad
| blocker at all.
| brobinson wrote:
| Hashmap lookups are O(1)
| aembleton wrote:
| Not if the signatures are uploaded and shared.
| cbvlkjerna wrote:
| It's based on JS. There's your solution. I disabled JS in the
| browser for nearly 2 decades and I can still use most of the
| web (HN included).
|
| You are blind to the solution because you don't want to take
| responsibility for your own browsing. You and people like you
| won't change, will whine about how nothing can be done while
| not being prepared to understand the problem is yourself and
| that's where the solution lies as well. When google screws you
| over, remember you chose that (maybe by omission rather than
| commission, but you chose).
| toastal wrote:
| While impractical, I liked the article's suggestion of blocking
| the proxies. I'm curious what reaction this would have. Ad
| blocking users get no content and move to alternatives and stop
| being users, or would the sites cave and realize having users
| interacting is more important than all of the data collected.
| tasha0663 wrote:
| It's a fine suggestion. If it breaks the site, then I'd call
| that a broken website and move on. Maybe next time someone
| points me there, they'll have fixed their critical issue for
| users who block tracking proxies.
|
| I'm okay with not being in the target audience of sites that
| really want to do this. I've got enough other things to do at
| less hostile places that my FOMO isn't triggered in the
| least.
| gigel82 wrote:
| How do you identify tracking proxies though? When
| everything is going through the same domain you don't even
| know if data is being sent to Google, it's all a server-
| side black box.
| pixeldetracking wrote:
| ublock origin has actually an experimental option for
| this: https://github.com/gorhill/uBlock/wiki/Static-
| filter-syntax#...
|
| only issue with blocking the proxies is that you can now
| decide to host the container on your own infra through
| docker, and it's documented by Google:
| https://developers.google.com/tag-platform/tag-
| manager/serve...
|
| I guess this is very interesting for many people,
| especially in Europe with the "Google Analytics ban"
| aembleton wrote:
| By using Cname uncloaking that uBlockOrigin can do on
| Firefox. It should see that the real domain is Google Tag
| Manager.
| thejohnconway wrote:
| I think the article mentions that Google recommends
| against using Cname for this, and using A records
| instead.
| tasha0663 wrote:
| > Google recommends against using Cname for this
|
| So use Cname? :D
| thejohnconway wrote:
| Sites want the ads to get through, right? So they're
| going to do the thing that makes that happen: A records.
| bhauer wrote:
| I think in the short-term the strategy is this from the
| article:
|
| > _Or ... block all the IP addresses of Google App Engine, at
| the risk of blocking many applications. having nothing to do
| with tracking._
|
| Anyone hosting legitimate apps in the Google ecosystsm is
| indirectly complicit in this and at least for my personal
| network, I have no concern with blocking Google App Engine
| holistically.
|
| Additionally, I think it's important to hurt Google as much as
| possible for escalating in this way. Widespread blocking of GAE
| may seem extreme but it's also arguably warranted.
| reaperducer wrote:
| _I have no concern with blocking Google App Engine
| holistically_
|
| Unfortunately, it seems that more and more government web
| sites rely on Google services to function. And there's no
| replacement for those.
| timbit42 wrote:
| Use two browsers. One where you don't block tracking and
| can access government and make purchases on shopping sites,
| and one tracking is blocked and JavaScript is turned off.
| paulryanrogers wrote:
| How can it be legal for a government to make increasingly
| core services depend on these amoral, for profit monsters?
| l33t2328 wrote:
| I'm not sure if this is a serious question, but what
| would this imaginary law say?
|
| The government can only do business with companies who
| aren't in it for the money?
| HWR_14 wrote:
| The US government isn't shy about adding rules for its
| contractors. It should be trivial for them to demand (or
| provide) dedicated IPs for their sites. Then they won't
| get caught up in the IP address blocking of GCP.
| efitz wrote:
| The big tech companies have all built out lobbying
| capabilities; such a law would end up helping big tech
| and harming small companies because the big companies
| would be involved in authoring the law and would be
| contributing to the sponsors and committee chairs and
| members to get their favorable language included. And it
| would all be legal and business as usual.
| HWR_14 wrote:
| They don't have to be laws. It's something that Biden can
| just add into every RFP the US government puts otu.
|
| But no, typically things like that don't hurt small
| companies.
| KerrAvon wrote:
| Realistically, Congress could in fact mandate that
| government website implementations must be transferable
| between software vendors. That's both technically
| feasible and in line with past government requirements
| for hardware procurement.
| Ansil849 wrote:
| How about that government services must be built by the
| government?
| sofixa wrote:
| You have to draw a line somewhere with that logic,
| otherwise you'd have governments running their own fabs.
|
| I'm fully in favour of governments doing everything from
| hosting up ( hosting, design, dev), with as much as
| possible open source.
|
| For instance the French government fares well on this
| front, with most government services being developed in-
| house, and many parts are open source; in emergencies
| specific services were delegated to third parties ( e.g.
| vaccine bookings) so it isn't taken to a religious NIH
| level. However hosting is delegated to commercial
| entities.
| throwaway2037 wrote:
| Yes, I feel the same, at least for a lot of things.
| Certainly, all externally facing websites should be
| designed and maintained by gov't staff.
|
| From time to time, HN features high quality UK gov't
| websites. In the last five years, the UK gov't has made
| dramatic strides on "digital gov't" initiatives that
| benefit regular citizens. As I understand, most of those
| sites are built and maintained by gov't employees. This
| runs counter to the normal, all-prevailing attitude in UK
| that "any gov't is too much gov't" (or "any gov't that
| does not directly benefit _me_... ").
| ssl232 wrote:
| Brit here. On your last point, there is no such
| widespread attitude in the UK towards government. We are
| historically conservative, but not libertarian. Don't
| forget two of the most famous and loved British
| institutions are the BBC and the NHS. I'm not saying such
| attitudes don't exist, because they do, but it's not
| "all-prevailing" by any stretch.
| sofixa wrote:
| I think it's a typo/autocorrect and they meant US at the
| last instance instead of UK.
| gbear605 wrote:
| The Conservatives want to privatise the BBC and the NHS
| though - abolishing the BBC licensing fee is a recent
| move, and steps to privatise the NHS have been repeatedly
| popular among politicians over the last decade.
| azalemeth wrote:
| The trouble is, they're mostly Microsoft and either Azure
| or AWS behind the scenes. The UK government as a whole
| seems to love Microsoft. I just worry it will be out of
| the frying pan and into the fire...
| zelphirkalt wrote:
| I would like that law. However, they would have to pay
| wages and offer working conditions, that actually attract
| good developers and they would have to stop outsourcing
| everything. Outsourcing everything is also a problem with
| otherwise qualified engineers unfortunately. The big
| picture long term consequences are unpleasant.
| carapace wrote:
| > but what would this imaginary law say?
|
| IANAL, but how about something like, "Government services
| offered via WWW must not contact commercial servers and
| must be fully usable with non-JS browsers."
| [deleted]
| boondaburrah wrote:
| The military-industrial complex would like to have a
| word.
| sdepablos wrote:
| The thing is that you can host the server container also in
| AWS https://www.simoahava.com/analytics/deploy-server-side-
| googl... or Azure https://www.simoahava.com/analytics/server-
| side-tagging-azur...
| ssl232 wrote:
| If it takes maintaining blocking scripts for individual
| websites, I'm pretty sure services will spring up to crowd
| source it.
| jcfrei wrote:
| It was clear this was going to happen for more than a decade
| now. I'm surprised it took them so long to really push for
| this. I'm just reiterating what I said back then: There's no
| point in wasting any time and resources into a stupid technical
| cat and mouse game to fix this. The only sensible way to deal
| with this stuff is through legislation.
| misterbwong wrote:
| Called it [1]. It's a cat-and-mouse game and, unfortunately,
| advertising is just _that_ lucrative. Privacy-minded browsing
| will help those that care (for now...), but that's an
| unsustainable option with the current monetization channels
| available.
|
| If a content publisher cannot monetize you, they will think
| nothing of blocking you. There will be some public backlash
| against companies that do so and there will be some sites who
| will lose money because of it, but the rest of the publishers
| will simply follow the money while the industry shifts towards
| more intrusive tactics.
|
| There needs to be a monetization channel that is 1) good for
| both users AND publishers and 2) pays just as much as current
| methods. Unfortunately none of the current systems support
| that.
|
| [1] https://news.ycombinator.com/item?id=9975955
| drusepth wrote:
| >There needs to be a monetization channel that is 1) good for
| both users AND publishers and 2) pays just as much as current
| methods.
|
| I agree, but what party would you like that money to
| originate from?
|
| Ads work well right now for consumer-to-consumer (e.g. I
| create a blog and you view it) because there's a rich, third-
| party that money can flow from (a company running ads -->
| money to me) without having to charge you, the end-user who
| is more than likely significantly less well-off than a
| corporation.
|
| To buck that pattern, you need the money to come from
| somewhere else. Subscriptions and direct payments are an
| obvious choice (see: the boom of SaaS over the past few
| years) but people are already complaining that they have so
| many subscriptions they lose track of them all, and spend too
| much money on what used to be a "free" internet.
|
| So, I don't think there's a solution where the money comes
| from the end-user. However, any time you add in a third party
| for the money to flow from, they're going to want something
| in return. And unless you want that cash flowing from the
| site owner to that third party (...why would you?), they're
| gonna need to offer something else.
|
| I don't see any solution other than "a third party pays for
| something users and/or the site can create for free". Is the
| answer to just find something free other than
| analytics/usage, or are there other approaches to monetize a
| site while still making it "free" to access?
| misterbwong wrote:
| Unfortunately I don't see a good solution either. Large
| direct to consumer business models like SaaS or
| subscriptions are really only sustainable at scale, and
| even then it's dicey. In a SaaS model, the big fish win and
| we lose the democratic nature of the current internet.
|
| Society has driven the perceived price of content so low
| that the content itself is worth less than the aggregate
| audience. Really, in what other space does the average
| consumer set their price expectations at free AND balk at
| paying $5/mo for unlimited access to a product?
|
| The only thing that seems to come close to moving the
| needle towards privacy is somehow pushing advertisers into
| in-market advertising (think early internet-style site
| banner ads) and out of programmatic/user tracked ads. There
| is some evidence that these programmatic ads don't really
| perform as well as they claim but from what I can gather,
| the data is still unclear.
| transcendrc wrote:
| Tag Manager gives you the ability to add and update your own tags
| for conversion tracking, site analytics, remarketing, and more.
| There are nearly endless ways to track activity across your sites
| and apps, and the intuitive design lets you change tags whenever
| you want. I've been using Google Tag Manager on this website <a
| href="https://transcendrecoverycommunity.com/">Transcend Recovery
| Community</a>.
| dartharva wrote:
| I always wondered why they didn't just do this in the first
| place. Despite having that much power Google always seemed oddly
| tolerant towards content blockers even when they were directly a
| slap on the face of their main offerings. Spoofing ads to act as
| first-party content through proxies was something I thought they
| were perfectly capable of making websites do with their existing
| behemoth network infrastructure. Surprising it actually took so
| long.
| janikvonrotz wrote:
| "this is america, stupid"
|
| This won't be allowed in the EU under GDPR[^1].
|
| [^1]: https://matomo.org/blog/2022/01/google-analytics-gdpr-
| violat...
| mkdirp wrote:
| Which is fine, but will it be enforced? So far GDPR rules
| haven't done a whole lot of damage except make sure everyone
| knows what a cookie might be. Until the EU is willing to better
| enforce the GDPR rules, Google will keep doing what they're
| doing.
| leetwito wrote:
___________________________________________________________________
(page generated 2022-02-21 23:01 UTC)