[HN Gopher] How to Incapacitate Google Tag Manager and Why You S...
___________________________________________________________________
How to Incapacitate Google Tag Manager and Why You Should (2022)
Author : fsflover
Score : 96 points
Date : 2025-07-04 18:12 UTC (4 hours ago)
(HTM) web link (backlit.neocities.org)
(TXT) w3m dump (backlit.neocities.org)
| gleenn wrote:
| I'm all for blocking surveillance but how tiring is it to block
| JavaScript as suggested and then watch the majority of the
| internet not work?
| pluc wrote:
| It really isn't. I've been blocking all JavaScript for years
| now, selectively allowing what is essential for sites to run or
| using a private session to allow more/investigate/discover.
| Most sites work fine without their 30 JS sources, just allowing
| what is hosted on their own domain. It takes a little effort,
| but it's a fair price to pay to have a sane Internet.
|
| The thing is - with everything - it's never easy to have strong
| principles. If it were, everyone would do it.
| roywiggins wrote:
| It's certainly not that bad if you have uMatrix to do it
| with, but I haven't found a reasonable way to do it on
| mobile. uMatrix does work on Firefox Mobile but the UI is
| only semi functional.
| baobun wrote:
| NoScript + uBO is all right.
| pluc wrote:
| Yup that's what I use as well. With whatever the name of
| the extension that makes allowing cookies a whitelist
| thing too, and PrivacyBadger/Decentraleyes.
|
| Also, deleting everything when Firefox closes. It's a
| little annoying to re-login to everything every day, but
| again, they are banking on this inconvenience to fuck you
| over and I refuse to let them win. It becomes part of the
| routine easily enough.
| bornfreddy wrote:
| Not quite the same (I love uMatrix UI), but advanced mode
| in uBO is similar. It lacks filtering by data type (css,
| js, images, fonts,...) per domain, but it does resolve
| domains to their primary domain, revealing where they are
| hosted. A huge kudos to gorhill for both of these!
| 1vuio0pswjnm7 wrote:
| uMatrix is fully-functional on Nightly.
|
| Using Firefox Add-Ons on a "smartphone" sucks because one
| has to access every Add-On interface via an Extensions
| menu.
|
| In that sense _all_ Add-Ons are only semi-functional.
|
| I use multiple layers: uMatrix + NetGuard + Nebulo "DNS
| Rules", at the least. Thus I have at least three
| opportunities where I can block lookups for and requests to
| Google domains.
| sureglymop wrote:
| It's easier than I thought. I just use uBlock Origin with
| everything blocked by default and then allow selectively.
| Rapzid wrote:
| About as tiring as hearing about it all the time. Thank god
| it's a fringe topic these days but this article snuck it in.
| Probably the constant use of the word "surveillance" was an
| early tell haha.
| heavyset_go wrote:
| Whitelisting JS has worked on my end for a while.
|
| I won't browse the Internet on my phone without it, everything
| loads instantly and any site that actually matters was
| whitelisted years ago.
| anothernewdude wrote:
| The sites that don't work are usually the worst websites around
| - you end up not missing much. And if it's a store or whatever,
| you can unblock all js when you actually want to buy.
| kevin_thibedeau wrote:
| StackOverflow switched over from spying with ajax.google.com to
| GTM in the past year or so. All for some pointless out of date
| jQuery code they could self-host. I wonder how much they're
| being paid to let Google collect user stats from their site.
| goopypoop wrote:
| People who want you to run their scripts aren't really your
| friends
| 1vuio0pswjnm7 wrote:
| Impossible to know because when I disable Javascript "the
| majority of the internet" works fine. As does a majority of the
| web.
|
| I read HN and every site submitted to HN using TCP clients and
| a text-only browser, that has no Javascript engine, to convert
| HTML to text.
|
| The keyword is "read". Javascript is not necessary for
| requesting or reading documents. Web developers may use it but
| that doesn't mean it is necessary for sending HTTP requests or
| reading HTML or JSON.
|
| If the web user is trying to do something else other than
| requesting and reading, then perhaps it might not "work".
| qualeed wrote:
| Echoing others, I've used NoScript for years and at this point
| it is practically unnoticeable.
|
| Many sites work without (some, like random news & blogs, work
| better). When a site doesn't work, I make a choice between
| temporarily or permanently allowing it depending on how often I
| visit the site. It takes maybe 5 seconds and I typically only
| need to spend that 5 seconds once. As a reward, I enjoy a much
| better web experience.
| michaelt wrote:
| It depends.
|
| If you're spending 99% of your time on your favourite websites
| that you've already tuned the blocking on? Barely a problem.
|
| On the other hand if your job involves going to lots of
| different vendors' websites - you'll find it pretty burdensome,
| because you might end up fiddling with the per-site settings
| 15+ times per day.
| rurban wrote:
| Just add the domain to your /etc/hosts as 0.0.0.0
|
| Doing that for years
| 1oooqooq wrote:
| https://someonewhocares.org/hosts/zero/
| iknownothow wrote:
| I just did a wget of the site and noticed the following line
| at the end.
|
| > <script async src="https://www.googletagmanager.com/gtag/js
| ?xxxxxxx"></script>
|
| I am going to use this for sure, but it is a little ironic.
| reddalo wrote:
| I feel like that document is seriously outdated.
|
| This GitHub repo seems way more up-to-date:
| https://github.com/StevenBlack/hosts
| future10se wrote:
| As mentioned on the blog post:
|
| > Used as supplied, Google Tag Manager can be blocked by third-
| party content-blocker extensions. uBlock Origin blocks GTM by
| default, and some browsers with native content-blocking based
| on uBO - such as Brave - will block it too.
|
| > Some preds, however, full-on will not take no for an answer,
| and they use a workaround to circumvent these blocking
| mechanisms. What they do is transfer Google Tag Manager and its
| connected analytics to the server side of the Web connection.
| This trick turns a third-party resource into a first-party
| resource. Tag Manager itself becomes unblockable. But running
| GTM on the server does not lay the site admin a golden egg...
|
| By serving the Google Analytics JS from the site's own domain,
| this makes it harder to block using only DNS. (e.g. Pi-Hole,
| hosts file, etc.)
|
| One might think "yeah but the google js still has to talk to
| google domains", but apparently, Google lets you do "server-
| side" tagging now (e.g. running a google tag manager docker
| container). This means more (sub)domains to track and block.
| That said, how many site operators choose to go this far, I
| don't know.
|
| https://developers.google.com/tag-platform/tag-manager/serve...
| drcongo wrote:
| Google Tag Manager and the whole consent management platform
| certification business is nothing more than a shakedown. It's
| racketeering.
| fvgvkujdfbllo wrote:
| > surveillanceware
|
| I thought the term was spyware.
|
| Surveillanceware almost sounds like something necessary to
| prevent bad stuff. Is this corporate rebranding to make spyware
| software sound less bad?
| Eggs-n-Jakey wrote:
| I don't know, the memetics of Surveillanceware or spyware
| mostly leads me to the belief that everything is weaponized to
| drain your money thru ads/marketing instead of the direct
| approach of stealing my money.
| Animats wrote:
| Blocking Google Tag Manager script injection seems to have few
| side effects. Blocking third party cookies also seems to have few
| side effects. Turning off Javascript breaks too much.
| alganet wrote:
| Use a whitelist-based extension such as NoScript:
|
| https://noscript.net
|
| You can then enable just enough JS to make sites work, slowly
| building a list of just what is necessary. It can also block
| fonts, webgl, prefetch, ping and all those other supercookie-
| enabling techniques.
|
| The same with traditional cookies. I use Cookie AutoDelete to
| remove _all_ cookies as soon as I close the tab. I can then
| whitelist the ones I notice impact on authentication.
|
| Also, you should disable JavaScript JIT, so the scripts that
| eventually load are less effective at exploiting potential
| vulnerabilities that could expose your data.
| aerzen wrote:
| Am I dumb or does this article fail to explain what does the tag
| manager actually do? And not just with a loaded word, such as
| surveillance or spying, but actually technically explain what
| they are selling for and why it is bad.
| fguerraz wrote:
| Maybe you're being misled by the cryptic name. It's got nothing
| to do with managing tags, it's a behaviour tracker and
| fingerprint machine.
| 9dev wrote:
| I mean technically you _can_ use it to manage HTML tags to
| inject into a site.
| snowwrestler wrote:
| This is in fact what it is primarily used for.
| slow_typist wrote:
| Well I can inject HTML tags (or elements) with native
| JavaScript. Or manage them. Why would I want a bloated
| third party piece of software doing that?
| SquareWheel wrote:
| Since you're asking, you could use it to tie together
| triggers and actions to embed code in specific situations
| (eg. based on the URL or page state). It has automatic
| versioning. There's a preview feature for testing code
| changes before deploying, and a permission system for
| sharing view/edit access with others.
| connicpu wrote:
| So that your sales and marketing team can add the third-
| party tracker for a new ad campaign service without
| bothering the engineering team.
| a2800276 wrote:
| I was tasked with auditing third party scripts at a client a
| couple of years ago, the marketing people where unable to
| explain wtf tag manager does concretely without resorting to
| ,it tracks campaign engagement' mumbo jumbo, but were adamant
| they they can't live without it.
| xiande04 wrote:
| There's a section in the article titled, "WHAT DOES GOOGLE TAG
| MANAGER DO?":
|
| > Whilst Google would love the general public to believe that
| Tag Manager covers a wide range of general purpose duties, it's
| almost exclusively used for one thing: surveillance.
| munchler wrote:
| That's a single word, not much of an actual explanation.
| Finnucane wrote:
| the "general public" probably has no idea that Tag Manager is
| a thing that exists.
| sandspar wrote:
| Google Tag Manager lets you add tracking stuff on your website
| without needing to touch the code every time. So if you want to
| track things like link clicks, PDF downloads, or people adding
| stuff to their cart.
|
| It doesn't track things by itself. It just links your data to
| other tools like Google Analytics or Facebook Pixel to do the
| tracking.
|
| This kind of data lets businesses do stuff like send coupon
| emails to people who left something in their cart.
|
| There are lots of other uses. Basically, any time you want to
| add code or track behavior without dealing with a developer.
| mlinsey wrote:
| Google Tag Manager is a single place for you to drop in and
| manage all the tracking snippets you might want to add to your
| site. When I've worked on B2C sites that run a lot of paid
| advertising campaigns, the marketing team would frequently ask
| me to add this tracking pixel or another, usually when we were
| testing a new ad channel. Want to start running ads on
| Snapchat? Gotta ad the Snapchat tracker to your site to know
| when users convert. Now doing TikTok? That's another snippet.
| Sometimes there would be additional business logic for which
| pages to fire or not fire, and this would change more often.
| Sometimes it was so they could use a different analytics tool.
|
| While these were almost always very easy tickets to do, they
| were just one more interruption for us and a blocker for the
| stakeholders, who liked to have an extremely rapid iteration
| cycle themselves.
|
| GTM was a way to make this self-service, instead of the eng
| team having to keep this updated, and also it was clear to
| everyone what all the different trackers were.
| BurnerBotje wrote:
| I have an idea that another way of preventing being tracked is
| just massively spamming trash in the data layer object, pushing
| thousands of dollars worth of purchase events and such, pushing
| randomly generated user details and other such events. Perhaps by
| doing this your real data will be hard to filter out. A side
| effect is also that data becomes unreliable overall, helping less
| privacy aware people in the process.
| chamomeal wrote:
| Now there's a fun idea!! I wonder how difficult it would be to
| spoof events.
|
| Edit: looks like this might exist already:
| https://addons.mozilla.org/en-US/firefox/addon/adnauseam/
| genewitch wrote:
| Since installing it on firefox on this computer (18 months
| ago or so) Ad Nauseam has clicked ~$38,000 worth of ads, that
| i never saw.
|
| Between this and "track me not" i've been fighting back
| against ads and connecting my "profile" with any habits since
| 2016 or so. I should also note i have pihole and my own DNS
| server upstream, so that's thiry-eight grand in ad clicks
| _that got through blacklists_.
|
| https://www.trackmenot.io/faq
| cj wrote:
| [Preface: I hate ads, I love uBlock origin, I use pihole,
| I'm a proponent of ad blockers]
|
| I manage a Google Ads account with a $500,000 budget. That
| budget is spent on a mix of display ads, google search, and
| youtube ads.
|
| If I knew that 10% of our budget was wasted on bot clicks,
| there's nothing I can do as an advertiser. We can't stop
| advertising... we want to grow our business and advertising
| is how you get your name out there. We also can't stop
| using Google Ads - where else would we go?
|
| $38,000 in clicks boosts Google's revenue by $38k (Google
| ain't complaining). The only entity you're hurting are the
| advertisers using Google. Advertisers might see their
| campaigns performing less well, but that's not going to
| stop them from advertising. If anything, they'll increase
| budgets to counteract the fake bot clicks.
|
| I really don't understand what Ad Nauseam is trying to
| achieve. It honestly seems like it benefits Google more
| than it hurts them. It directly hurts advertisers, but not
| enough that it would stop anyone from advertising.
|
| Google has a system for refunding advertisers for invalid
| clicks. The $500k account that I manage gets refunded about
| $50/month in invalid clicks. I'm guessing if bot clicks
| started making a real dent in advertiser performance,
| Google would counter that by improving their bot detection
| so they can refund advertisers in higher volumes. If
| there's ever an advertiser-led boycott of Google Ads,
| Google would almost certainly respond by refunding
| advertisers for bot clicks at much higher rates.
| mystified5016 wrote:
| The point is to poison your ad tracking profile so that
| advertisers can't figure out who you are and what you'll
| buy.
|
| No matter how secure your browser setup is, Google _is_
| tracking you. By filling their trackers with garbage,
| there 's less that can personally identify you as an
| individual
| freeone3000 wrote:
| Hopefully it puts my browsers on an bot blocklist, which
| then invalidates the tracking profile and eliminates
| targeted advertising entirely.
| michaelt wrote:
| The problem with being on google's bot blocklist is
| you'll suddenly discover that recaptcha is used in a heck
| of a lot of places.
| malfist wrote:
| You know, I'm not too worried that I'm making the lives
| of people who spy on me harder and wasting their money.
|
| You don't have to buy privacy violating ads. You don't
| have to buy targetted ads
| jorvi wrote:
| > want to grow our business and advertising is how you
| get your name out there
|
| Or.. you know.. offering a quality product?
| aziaziazi wrote:
| > It honestly seems like it benefits Google more than it
| hurts them. It directly hurts advertisers, but not enough
| that it would stop anyone from advertising.
|
| GP fights agains _ads_ , not _Google_. And not being able
| to win 100% of the gain shouldn't restrain someone from
| taking action it they consider the win share worth the
| pain.
|
| > $38,000 in clicks boosts Google's revenue by $38k
|
| You should include costs here, and if (big if) a
| substantial part of the clicks comes from bots and get
| refunded, the associated cost comes on top of the bill.
| At the end the whole business is impacted. I agree 50/50k
| is a penny through.
|
| > I hate ads [...] I manage a Google Ads account
|
| [no cynism here, I genuinely wonder] how do you manage
| your conscience, mood and daily motivation? Do you see a
| dichotomy in what you wrote and if so, how did you arrive
| to that situation? Any future plan?
|
| I'm asking as you kind of introduce the subject but if
| you're not willing to give more details that's totally
| fine.
| Wowfunhappy wrote:
| I would worry about being labeled a bot and denied access
| to websites at all.
| dylan604 wrote:
| I'd imagine that by this point in time, they are able to filter
| this specific type of noise out of the dataset. They have been
| tracking everyone for so long that I doubt there's anyone they
| don't know about whether directly of shadow profiles. These
| randomly generated users would just not match up to anything
| and would be fine to just drop
| adamiscool8 wrote:
| I don't think this article makes a good case for why you should.
|
| >The more of us who incapacitate Google's analytics products and
| their support mechanism, the better. Not just for the good of
| each individual person implementing the blocks - but in a wider
| sense, because if enough people block Google Analytics 4, it will
| go the same way as Universal Google Analytics. These products
| rely on gaining access to the majority of Web users. If too many
| people block them, they become useless and have to be withdrawn.
|
| OK - but then also in the wider sense, if site owners can't
| easily assess the performance of their site relative to user
| behavior to make improvements, now the overall UX of the web
| declines. Should we go back to static pages and mining Urchin
| extracts, and guessing what people care about?
| card_zero wrote:
| But I like it better when they have to guess. If it's something
| we care about enough, we'll let them know.
| bredren wrote:
| Belt and suspenders approach is to attach analytics to the most
| important events on the server side and combine with the
| session.
|
| If the frontend automatic js is blocked, it doesn't matter.
| slow_typist wrote:
| Effective and accessible UX design is a solved problem. It's a
| matter of education of front end developers, not of A/B testing
| your users to death.
| add-sub-mul-div wrote:
| If the analytics brought us to this, of what use are the
| analytics?
| throw123xz wrote:
| Analytics can have good uses, but these days it's mostly used
| to improve things for the operator (more sales, conversions,
| etc) and what's best for the website isn't always the best for
| the user. And so I block all that.
| monista wrote:
| If you block Google Tag Manager, you probably also want to block
| Yandex Metrics and Cloudflare Insights.
| reddalo wrote:
| I think it's hard to block Cloudflare Insights because most of
| the data is collected server-side.
| aleppopepper wrote:
| That's hilarious. Do you really Google should be privacy
| respecting?
___________________________________________________________________
(page generated 2025-07-04 23:00 UTC)