
Ad Blockers Are Also Changing the Game for SaaS and Web Developers - plehoux
https://snipcart.com/blog/ad-blockers-saas-web-developers?utm_content=bufferd7420&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer
======
joosters
Good! We need to ditch all the analytics software that rely on clients to make
pointless HTTP requests. They are offloading their work on to the website
visitors, wasting every user's bandwidth and slowing down internet connections
worldwide.

If you want to know who is visiting your site, try reading your server logs.

~~~
adrr
Server logs are missing important information like screen resolution,
navigator.language etc. Server logs also can't report on element events. Nor
does it work with things like single page apps. How can developers make their
apps better without having the proper analytics to do so?

~~~
_hyn3
We're dropping all third party domains at Userify [1] (plug: SSH key
management software for EC2), but for reasons of both security and privacy.

What would happen to your website (or millions of websites) if one of the
CDNs that you rely on started quietly issuing evil code to a few, targeted
users? Would you notice? Would your users?

I don't think that it'd be too hard for us to add a simple API call that pokes
data about screen resolution, browser agent string, language, etc upon load or
login, and it'll be far more efficient and private than us sending random data
off to GA or similar where they frequently don't even provide us IP addresses
of our own site visitors so that we can correlate the data against our own
logs.

The data that GA gathers is highly valuable... to Google. They only provide
you visibility of the tippy tip of the iceberg.. but ultimately it's your
customers' and your data, not theirs.

Don't compromise your users with third-party includes, even Google Fonts
(which is still our last holdout on the website.. hm, someone should make a
simple web app that gathers names and styles of fonts and provides a zip w/
pre-generated CSS.)

CDNs sound great but they're a _huge privacy hole_. Ask yourself; what's the
profit model? Are they really just an opportunity to gather valuable data on
other people's websites and browsing habits? (yes).

Please don't leak your customers' data.

1\. [https://Userify.com](https://Userify.com)
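
For third-party includes that stay on a page, Subresource Integrity (SRI) is the browser control aimed at the scenario in the comment above: a file whose bytes differ from the pinned digest is not executed. The following is an added example, not part of the original comment or Userify's code, that reproduces the browser's matching rule in Node.js; the script bodies are constructed samples.

```javascript
const crypto = require('crypto');

const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 };

// Build the value for <script integrity="..."> from the bytes you reviewed.
function integrityFor(body, alg = 'sha384') {
  return `${alg}-${crypto.createHash(alg).update(body).digest('base64')}`;
}

// Parse an integrity attribute: whitespace-separated "alg-base64digest" tokens.
// Tokens with an unknown algorithm or malformed digest are dropped.
function parseIntegrity(attr) {
  return attr.trim().split(/\s+/).flatMap((tok) => {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(?:\?.*)?$/.exec(tok);
    return m ? [{ alg: m[1], digest: m[2] }] : [];
  });
}

// Browser-style rule: only the strongest listed algorithm counts, and any
// digest given for that algorithm may match.
function verifyIntegrity(body, attr) {
  const entries = parseIntegrity(attr);
  // Stricter than browsers, which skip enforcement when no token is valid:
  // here an unusable pin is reported as a failure so a typo gets noticed.
  if (entries.length === 0) return false;
  const best = Math.max(...entries.map((e) => STRENGTH[e.alg]));
  return entries
    .filter((e) => STRENGTH[e.alg] === best)
    .some((e) => integrityFor(body, e.alg) === `${e.alg}-${e.digest}`);
}

// Constructed samples: the file as reviewed, and a modified copy such as a
// compromised host might serve to selected visitors.
const REVIEWED = Buffer.from('window.fontLoader={load(){return "ok"}};');
const TAMPERED = Buffer.from('window.fontLoader={load(){return "ok"}};/*extra*/');
const PINNED = integrityFor(REVIEWED);

console.log(PINNED.slice(0, 7), verifyIntegrity(REVIEWED, PINNED),
  verifyIntegrity(TAMPERED, PINNED));
```

A pin only works for files served byte-identical to every visitor; a response that varies by user agent, as described for Google Fonts further down the thread, cannot be pinned this way.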

~~~
WA
Same here. I never really used third party domain software. I used Google
Fonts for a while, but I find it pathetic to have some font files and some CSS
loaded from a different server than mine. Google Fonts (and every CDN) can be
a lot slower than my own server. Sometimes, the site hangs while "waiting for
google.com". Silly.

Also, Google Fonts might be Google Analytics in disguise. Who knows.

I use Piwik for tracking, but the self-hosted version. I don't even use
newsletter services. I bought a cheap newsletter plugin for Wordpress which I
use as an autoresponder email course.

_But delivery is all that matters_ they say. And yet, all Mailchimp and
Aweber and whatnot goes 100% to my spam folder automatically. I believe the
delivery argument is a myth.

The best part: Decision making is much easier. "So, your product can't be
installed on my own server? Bad luck, I won't become your customer."

~~~
nacs
> I used Google Fonts for a while, but I find it pathetic to have some font
> files and some CSS loaded from a different server than mine

You can have the fonts and not have any requests leave your site by using
something like this[1]. It downloads the Google font data so you can serve the
font files and CSS from your own site.

[https://github.com/majodev/google-webfonts-helper](https://github.com/majodev/google-webfonts-helper)

~~~
Wilya
In theory, the point of Google Fonts is that it does user-agent sniffing to
adapt the font and css to the user's browser, to get the best rendering. You
would lose that advantage by hosting the fonts yourself.

~~~
WA
In practice, I'd set up the CSS such that modern browsers render it
beautifully and give a crap about older browsers. Or make a CSS for older
browsers without that font.

------
steventhedev
This is why I use server side analytics almost exclusively. You just can't
rely on every browser running all your javascript.

~~~
pgrote
What interfaces akin to Google Analytics read web server logs?

~~~
tombrossman
Piwik can. Run a self-hosted instance or pay them to run it, and it handles
server logs no problem.

You do give up the ability to get live stats, but you get better performance
and the ability to track more visitors (read: people like me who have blocked
GA for years...)

Added bonus: Referrer spam is automatically blocked by default.

[https://piwik.org/log-analytics/](https://piwik.org/log-analytics/)

EDIT: Almost forgot GoAccess, if you are okay with a terminal app and want
live stats (can also be scripted to generate HTML reports) -
[http://goaccess.io/](http://goaccess.io/)

~~~
luxpir
Quick note that with hourly, or more frequent, cron jobs you get quasi live
data. Mentioned a little about logimport in a recent post on stripping
external calls and pointless js/css/font loads from our site. Otherwise well
put, same experience here.

Btw, tail -f /log.log is always fun for live data...

~~~
roel_v
Yeah, I built a system in the late 1990s that did something like that.
Required a dedicated server though, the web server farm would copy over their
log files to this analytics machine with cron jobs, which would then
dynamically aggregate that data and update the stats cache.

------
kylek
> Needless to say, we were slightly irritated at the fact that a valuable
> feature for our merchants, totally unrelated to online privacy issues, was
> blocked by the software.

Why would the author think tracking/analytics is "totally unrelated to online
privacy issues"? Baffling

~~~
hartator
I've a business that relies only on online advertising and directly loses revenue
from ad blockers. Never felt irritated about that, it's just fair game.

As a publisher, if you want to be profitable, you have to load a bunch of crap
from Google, Criteo and others. And, I feel the quality of the JS loaded is
slowly degrading. That's a shameful point. Advertising networks should buy the
best JS talents and release top quality JS. Until then, people should use Ad
blockers.

~~~
stevesearer
It is not 100% true that publishers can only be profitable using ad networks
that degrade quality.

Anecdotal evidence is myself who recently removed Adsense and only direct
sells ads. Positives of direct selling is that I get 100% of the sale and I
have better control over the ads on my site (static image graphics, no
popovers or interstitials). The former makes me happy, the latter improves the
experience for my readers.

That said, I do use ad blockers from time-to-time myself because some sites
have gotten so ridiculous they are absolutely unusable - I'm talking to you
Epicurious and Bon Appetit!

~~~
blantonl
Yes, and you also have to manage a team (even if that is yourself) to monetize
your ad traffic.

There is no way to scale running your own internal ad network unless you have
scores of folks to manage the marketing of your property, the management of
your ads, contracts, receipt of payment etc.

------
petercooper
Note that the key issue in this story is not the blocking of analytics tools,
but that they had a legitimate URL in their app of /api/analytics and it was
getting blocked. That's quite a problem, especially as I see things like
/js/dart.js also in that list which could destroy an app's functionality if
you knew no better.

~~~
gnud
Worth having a look at
[https://easylist-downloads.adblockplus.org/easyprivacy.txt](https://easylist-downloads.adblockplus.org/easyprivacy.txt)

There are some possibly problematic blocks with the words 'analytics', 'log',
'event' that might be used in a log viewer, for example.

Also worth noting that I don't think EasyPrivacy is on by default in uBlock.
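
The problem raised in this sub-thread, first-party paths such as /api/analytics and /js/dart.js colliding with filter-list rules, can be audited before release. The following is an added example, not part of the original comments, of a simplified matcher for Adblock Plus-style rules; the rule sample and the shop.example, static.shop.example and metrics.example hosts are constructed for illustration.

```javascript
// Simplified Adblock Plus-style matcher for auditing your own URLs. Handles "!"
// comments, "@@" exceptions, "||" / "|" anchors, "*", "^" and $third-party;
// skips regex (/.../) and element-hiding (##) rules, ignores other options.
function ruleToRegExp(pattern) {
  let src = '';
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '*') src += '.*';
    else if (c === '^') src += '(?:[^\\w\\-.%]|$)'; // separator char or end
    else if (c === '|' && i === 0 && pattern[1] === '|') {
      src += '^[a-z][a-z0-9+.-]*://(?:[^/?#]*\\.)?'; // "||": any scheme/subdomain
      i++;
    } else if (c === '|' && i === 0) src += '^';
    else if (c === '|' && i === pattern.length - 1) src += '$';
    else src += c.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  }
  return new RegExp(src, 'i');
}
function parseRules(text) {
  return text.split('\n').map((l) => l.trim()).flatMap((raw) => {
    if (!raw || raw.startsWith('!') || /#[@?]?#/.test(raw)) return [];
    const exception = raw.startsWith('@@');
    let body = exception ? raw.slice(2) : raw;
    const d = body.lastIndexOf('$');
    const opts = d > 0 ? body.slice(d + 1).split(',') : [];
    if (d > 0) body = body.slice(0, d);
    if (body.length > 1 && body.startsWith('/') && body.endsWith('/')) return [];
    const thirdParty = opts.includes('third-party') ? true
      : opts.includes('~third-party') ? false : null;
    return [{ raw, exception, thirdParty, re: ruleToRegExp(body) }];
  });
}
function isThirdParty(url, pageUrl) { // approximation: no public-suffix list
  const a = new URL(url).hostname, b = new URL(pageUrl).hostname;
  return !(a === b || a.endsWith('.' + b) || b.endsWith('.' + a));
}
function checkUrl(rules, url, pageUrl) {
  const third = isThirdParty(url, pageUrl);
  const hits = rules.filter((r) => r.re.test(url) &&
    (r.thirdParty === null || r.thirdParty === third));
  const block = hits.find((r) => !r.exception);
  return { blocked: Boolean(block) && !hits.some((r) => r.exception),
    rule: block ? block.raw : null };
}
// Constructed sample in filter-list syntax (not copied from EasyPrivacy).
const SAMPLE_RULES = parseRules(`/api/analytics
/js/dart.js
||metrics.example^$third-party
@@||static.shop.example/js/dart.js`);
```

Feeding `parseRules` the downloaded list and running `checkUrl` over an application's route table in CI flags a colliding path before users report a broken feature.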

~~~
sandstrom
Interesting list. Grep on `.cloudfront.net`, hopefully AWS don't reuse these.

~~~
HappyTypist
They don't. Same origin policy, cookies etc.. You just don't.

------
Scaevolus
Google recommends against hosting their tracking javascript locally, but that
in combination with a server-side proxy (POSTING to
[https://example.com/a](https://example.com/a) forwards to
[https://analytics.google.com/collect](https://analytics.google.com/collect))
might be the most resilient to ad blocking techniques.

~~~
tarr11
Yeah, this feels like the next step in the arms race. Just use some random URL
to post this to, to avoid any regex based ad blockers.

~~~
HappyTypist
We will then have rules based on file hashes. People will obfuscate them, so
it'll now be based on function signatures and API calls (get locale, screen
size, OS, set cookie? No network requests for you). When that's bypassed,
maybe we will see DPI of network requests for patterns.

The arms race is only going to continue if trackers play the game. I think
we'll probably see server side analytics instead, with Google and so making
Apache/nginx/express modules and middleware.

------
Animats
Right. Time to dump Google Analytics, which is now heavily blocked, and start
processing your server logs.

~~~
eropple
You can dump events at Google Analytics, too, and leverage their
infrastructure (instead of expensive options around handling your own).

------
suprjami
Perhaps the SaaS industry could use its cloudy-buzzword momentum to rage
against the ad industry which necessitates the use of these plugins. I really
have no problem with most ads. It's the one too-invasive full-page flyover or
auto-playing video which ruins it for everyone else. If the ad industry was
sensible and moderated itself, there would be far less ad blockers out there.

~~~
vitd
But it's not just ads. I don't want Google Analytics putting cookies on my
machine and then tracking every other web site I go to. It's a privacy issue
as much as an annoyance at ads.

~~~
mirimir
It's instructive to play with NoScript, Lightbeam and Cookie Controller in a
fresh VM, connecting through a fresh VPN exit.

------
alexatkeplar
A quick scan of the EasyPrivacy list reveals partial or full blocking of the
JavaScript trackers and/or event collection endpoints of the following YC-
backed SaaS analytics companies:

    
    
      - Mixpanel (17 matches)
      - Heap (heapanalytics.com^$third-party only)
      - Segment (11 matches)
    

Disclaimer: co-founder of Snowplow Analytics, a first-party event analytics
platform
([https://github.com/snowplow/snowplow](https://github.com/snowplow/snowplow)).
I see 2 entries in the list related to Snowplow, and 26 for Piwik
([https://github.com/piwik/piwik](https://github.com/piwik/piwik)), another
first-party solution.

~~~
frik
That EasyPrivacy apparently even blocks self hosted first-party solutions is
really bad. They are the good guys.

~~~
alexatkeplar
Well, any blocking of self-hosted first-party analytics is easily circumvented
by the site owner: you just rename the JavaScript Tracker filename to
something new (or even safer, just minify the code into your own JS bundle),
and put a new CNAME on your event collector.

------
kleinsch
For SaaS analytics companies, take a lesson learned from online advertising:
host your corporate site and dashboard on a different domain than your
ads/analytics pixels are hosted on. That way if your domain inevitably ends up
on ad block lists, your corporate website and dashboard still work.

------
adzicg
I'm working on a collaboration tool that uses google drive APIs, and we
occasionally get e-mails from people claiming that the product is broken, but
in 99% of the cases they installed disconnect or an overly zealous ad-blocker
to explicitly block access to drive APIs. I assume this is just a blanket
block on anything being loaded from google domains using ajax.

Even though the error message suggests that they blocked it themselves,
somehow that thought doesn't come across to users before they start
complaining that our product is broken. Given that google loads APIs mostly in
the background through several chains of dynamic JS, there isn't much to do
about this, really.

------
syed99
I've always used both server side analytics and JS based analytics, some
external analytics tools have been long in a black list by EasyPrivacy and
their constant addition and removal of those services from that list means
sporadic stat charts.

The only problem with server side analytics is that they're pretty limited
with functionality unless you have your own internal analytics system which
can track a lot more information than just page views and general traffic
stats.

------
dredmorbius
This makes me wonder at the next generation of Web-based spyware.

Presently, surveillance and monitoring is accomplished through third-party
requests. Including, yes, sites' own monitoring tools -- Google Analytics, New
Relic, and related services.

If the monitoring can be brought in-house, and assembled back-end on the
server side, so can the advertising. Which will mean that the present
generation of site-and-domain based blocking will eventually become less
effective.

Have fun storming the castle, kids.

~~~
nacs
They already go beyond site-and-domain based blocking. Most Adblock extensions
support CSS-based rules that will block based on CSS IDs, class names, div-
sizes (468x60 is a common ad size) or more complex rules.

For the sites that can't be blocked with those, there are even more advanced
blockers via Greasemonkey/Tampermonkey JS scripts.

~~~
dredmorbius
I actually remember the _old_ regime of userContent.css with hacks for
specific banner sizes and such.

I've found a set of rules which are quite helpful at removing / reducing
online Web annoyances myself, including killing variants of interstitials,
popups, and flyovers. To the extent I'd strongly recommend current Web devs
avoid use of those and similar terms in their own CSS.

(ProTip: if you're calling an element "nag" or "tease", it probably shouldn't
be there in the first place.)

------
neilellis
Probably a good idea to use one of these on your SaaS portals for safety:
[https://github.com/nicjansma/adblock-detector.js](https://github.com/nicjansma/adblock-detector.js) ,
[https://github.com/sitexw/BlockAdBlock](https://github.com/sitexw/BlockAdBlock)

------
gPphX
this snipcart link is full of tracking:

[https://snipcart.com/blog/ad-blockers-saas-web-developers?ut...](https://snipcart.com/blog/ad-blockers-saas-web-developers?utm_content=bufferd7420&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer)

"clean" it to:

[https://snipcart.com/blog/ad-blockers-saas-web-developers](https://snipcart.com/blog/ad-blockers-saas-web-developers)

by:

[https://github.com/diegocr/cleanlinks](https://github.com/diegocr/cleanlinks)

for Mozilla Firefox

------
spullara
What is the best first-party web analytics product?

~~~
frik
Piwik (self hosted version), it is pretty similar to Google Analytics.

------
lifeisstillgood
Is one way around this to have analysis packages on my site? Is there now a
upload your raw stats and get a nice analysis SaaS?

------
xdinomode
I run uBlock Origin and I block third party cookies. Because screw trackers
and spammy ads.

~~~
voltagex_
Unfortunately you're blocking people self-hosting piwik.js too.

~~~
stan_rogers
Well, isn't _that_ a bummer. I'd block it manually if it weren't blocked
automatically since it uses my resources (including, but not limited to,
simply requesting and downloading the file) to do things the server ought to
be doing at its own end. And no, you _don't_ need to be more granular than
that.

~~~
voltagex_
Shit, do you block Mustache/Handlebars too because it's using your resources
to render a template? That's quite a reductive argument - you get to the point
where you don't turn the computer on because it's using your electricity.

~~~
icebraining
You know, quite a lot of us do use NoScript, so that reduction to absurd is
not really that effective. As for using electricity, that's why stan_rogers
added the caveat of "do things the server ought to be doing at its own end".

------
draw_down
It's good to be proactive about such things as a developer. But it's also
worth considering that if you're using things that take such a zealous
approach to blocking that you are trading some of the UX of well-behaved sites
and apps to deal with the poorly-behaved ones.

~~~
tacticus
Unfortunately the well behaved sites are one in a thousand. To cater for those
you need to expose yourself to a wide range of threats and spies. Not to
mention making your eyeballs bleed and your sites perform so poorly it isn't
funny.

