Show HN: Bypassing ad blockers for Google Analytics (netlify.com)
55 points by StefanoC 24 days ago | 104 comments



Those who would consider doing this deserve a special place in hell right next to devs who don't respect user privacy and the crooks in the advertising industry who turn a blind eye to the fact they're distributing malware. By installing an adblocker I've made a conscious decision to not have your BS running inside my browser. Forcing it on me will at the very least result in me disabling JavaScript on all your pages.


I work for a fairly high traffic website, and we got a demonstration a few weeks ago from a company that is offering to install software for us that can force about 80% of our ads through, with minimal modification on our part. It is this proxy that dynamically recompiles our JavaScript and knits it into our content. But we were told we should only turn on ad-forcing for older demographics, who were far less likely to care. Management opted to pass, only because it wouldn't improve things enough.

This is what we get for letting companies like Google decide what technologies win and reshape the landscape. We have become so dependent on javascript blobs and server side rendering that blocking ads will be an uphill battle. Honestly I think Google could shove ads down our throats if they wanted to, but they are holding back, for now.

The bulwark against this encroachment was Mozilla Firefox, and the OSS community. Firefox was supposed to provide a legitimate alternative vision for the web. But Mozilla decided to let Google define what was normal, and what features a web browser should and should not have.

Can't people see that Google's vision is a box canyon?


> But we were told we should only turn on ad-forcing for older demographics, who were far less likely to care.

I'm speechless, I just want to put some emphasis on this.

I wonder what other kinds of evil practice they push to this demographic. Perhaps more malware, because they are "less likely to understand them" too?


If we're going to use ad blockers, at least let's admit to what we're doing and not claim a moral high ground.

You're implying the creator of the website is okay letting you receive the service or content on your terms. They are not. Ads and tracking are there because they earn the creators some amount of money.

One day when our tech will limit you to a binary choice of ads+tracking versus paying money, which way are you going to swing once your hand is forced?


"If we're going to use ad blockers, at least let's admit to what we're doing and not claim a moral high ground."

What I don't understand is why they insist on fighting against people who hate excessive ads. Adblockers don't install themselves, users install them, which sends the message they're resistant to advertising, so why embark on this endless war costing them even more money to show an ad to people who wouldn't buy the service or product anyway? If a company screws with my adblocker and manages to show me an ad for something I need at 100€, I swear all divinities in the Universe I'll go buy that thing elsewhere for €150 rather than them. Been there, done that.

I would rather go for a much nicer alternative: "You using an adblocker? Fine, you get the content anyway but your traffic gets the least priority so that users seeing ads will get some precedence over you". To me that would be nicer to all users while giving some advantage to those without adblockers, and to the company as well since adblocking users would never be able to clog the network. Would it be so hard to implement?


What about the airline site I need to buy that plane ticket on using Google Analytics? What about the trackers embedded on the university website I need to access to apply for college? You're implying there's a real alternative choice where you can just not go on websites with trackers.


In addition to those examples, it's significant that you can block Google Analytics without blocking ads, if you're worried about privacy more than disruption. In practice, blocking trackers is a privacy issue for me, while blocking ads is a security issue. Sites that are content to run ads as text or linked static images get through, but social media trackers and arbitrary JS from ad networks don't.

Also, you can turn off any of that blocking after you first visit the site. I don't understand how the narrative of "you agreed to use this site, then went back on your part of the deal" is supposed to work when the only way to discover what you're agreeing to is to land on the site and let it happen. Do Not Track was supposed to be a (partial) solution there, letting you state your conditions for use on arrival, but we all know how much respect those conditions got.


Why do people who advocate for advertising insist so hard that pervasive tracking needs to be a part of it? If pages were serving up plain, static images, probably free of pervasive tracking, I wouldn’t feel the need to take the nuclear approach to ad tracking. Advertisers have really wrought this upon themselves.

I’m actually happy to pay for the media I consume, I actually do pay for some things, but nobody gets their advertising/trackers let through because the whole industry is patently untrustworthy. If publishers want ad revenue from me, they can remove pervasive tracking; until then, they get nothing.


> If pages were serving up plain, static images, probably free of pervasive tracking, I wouldn’t feel the need to take the nuclear approach to ad tracking.

Because people who pay for these ads need to justify that the ROI is there. They need to know how many views, clicks, and other stuff. Just like you need to know many things in different areas.

I'm not defending terrible offenders like Google, but people don't just say "Yeah sure, let me just spend thousands of dollars on an ad and HOPE it gets clicks and views like you claim it will"


> "Yeah sure, let me just spend thousands of dollars on an ad and HOPE it gets clicks and views like you claim it will"

Literally how marketing worked from the invention of the printing press right up until 2002 or so. It's obviously a sustainable business model.


Let's look at it from the other side though. Not doing so is implying that I am okay with website owners adding whatever ads and tracking they like, terms unseen. I am not.

> One day when our tech will limit you to a binary choice of ads+tracking versus paying money, which way are you going to swing once your hand is forced?

Easy, paying money. I already do where it's an option.


> Not doing so is implying that I am okay with website owners adding whatever ads and tracking they like, terms unseen.

This is precisely my objection. The narrative that blocking ads and trackers breaks an agreement with site owners makes no sense to me when I can't see the terms of that "agreement" until after I've landed on the site. Shrinkwrap contracts didn't become a reasonable practice when they turned into browsewrap, and indeed courts consistently hold that those contracts are valid only after presenting proper notice of terms to the user. Visiting a webpage is certainly not assent to allow third-party tracking or code execution.

If the site host wants to object to my continued use while blocking ads and trackers, fine. They're welcome to do so; sometimes I reduce my blocking and sometimes I leave the site, depending on the nature of the tracking and the value of the site. That's an agreement, blindly accepting whatever someone cares to serve is not.


> breaks an agreement with site owners

I love when people throw this argument out there. I made no such agreement. I signed nothing. My device will behave exactly how I tell it, not how advertisers tell it.


This is quite silly. Am I also supposed to compulsorily watch all the ads that come up on TV in the commercial break and not mute it or leave the room?


I believe this is precisely what Spotify would like you to do. Last time I tried their client, they paused ad playback when I muted my speakers. Never again!


Just like ads on your TV you can "leave the room" by closing the page.

What's with this entitlement that you shouldn't have to endure ads but also get to have the content too?


I said "leave the room during the commercials". If what you meant is that I can't leave ONLY during the commercials, then this comes across as an extremely user-hostile approach.

Should a user be forced to NOT mute the commercials? I'm clearly in the "NO" camp on this issue.


Can you fast forward through commercials? All you can do is mute the TV and/or leave the room. Even in systems like TiVO where you can rewind and fast forward they still mostly block you from fast forwarding commercials... No different than circumventing adblocks, but nobody complains about that.

Hell even TV networks track you. They know how many viewers are on certain shows and that. That's how they're able to garner high prices too.

Advertising is just something we always had to deal with. You don't have to watch commercials. You do that by not going to channels that have commercials, or using different services that you pay to not see commercials.

My point is, you are entitled to not be tracked. You're entitled to not have to see ads. But you are _NOT_ entitled to the content without those if the website decides the trade-off of you getting that content for free is by enduring those ads.

Close your window. Go somewhere else for content if the site you're visiting displays ads.


I'm sorry, but this is a flawed analogy. When you leave the room for the duration of the commercial, you are essentially skipping/ignoring/blocking it. This is the same as hiding an ad on a webpage in that you are taking steps (pun intended) to avoid seeing/hearing the advertisement.


Presumably you are paying for your TV service, so why the fuck should you be watching ads as well?


You are paying for the service to provide you with TV. You are not paying the networks. Just like by paying for internet you're not paying Google.


Believe it or not, some people genuinely are sociopathic enough to suggest that yes, you should; and by not doing so you are somehow stealing from them.

The inflated sense of entitlement in surveillance capitalists is palpable.


Google Analytics isn't an advertisement, it's a tracking system.


> You're implying the creator of the website is okay letting you receive the service or content on your terms.

Fine, but this cuts both ways. They're wrongly assuming I'm okay accepting arbitrary content on their terms.

The no-blocker system holds that by navigating to a URL, I accept whatever the domain owner cares to serve me. We had one attempt to embed user conditions in the request, that was Do Not Track, and the most common outcome was that sites neither honored it nor put up walls against users; they simply disregarded it and kept tracking. In fact, they started to fingerprint users based on their request to not be tracked.

If, prior to using a site, I want to see what it asks me to give up in terms of privacy and security, I don't know an alternative to visiting the site with blocking in place. The creator can put up a wall and tell me to turn it off, in which case I'll make a site-specific decision to leave or disable blockers just like I do for cookies. This isn't hypothetical, I do it regularly.

If I bypass a wall or ignore clear notice that I don't have permission to browse with blockers, then sure, we're both lying to each other about our usage conditions and it's just an arms race. But I reject the idea that an initial visit to a site constitutes consent to accept some unknown pile of privacy intrusions and security risks; the moral burden there really is on the site owner who's circumventing a clear refusal to accept those things.


> If we're going to use ad blockers, at least let's admit to what we're doing and not claim a moral high ground

Well, companies should ask themselves what they did to users in the first place that everyone hates these ads so much now! How they pushed too far!

They have to look into the root cause of it.

But instead, most of them are making it even more annoying.

Nevertheless, the content quality is dropping as well. Everyone is making unnecessarily long content and a lot of click-baits.

What do you expect? It is called consequences and humans are really bad at understanding it.


Paying for a good book is looking like quite a fine alternative!


Paying money. That's an easy choice.


Do you consider it a moral failing to go pee while an ad plays on the TV? To change stations in the car when an ad comes on? To turn to talk with your friends at the table when the game pauses and an ad comes on?

An ad blocker is no different except being automated. And the analytic spying it fights is automated too.


I like how you frame the argument as if advertising has the moral high ground.

> If we're going to use ad blockers, at least let's admit to what we're doing and not claim a moral high ground.

If we are going to use psychological warfare to part people from the fruits of their labour in exchange for cheap crap they don't need by exploiting human weaknesses and insecurities, just so we can keep an unsustainable and highly damaging model of growth going; and also serve malicious software to those people, then let's not pretend we have any moral standing at all.

Adblocking has a hell of a lot more moral substance to it than advertising does.


The advertiser / webpage owner is free to prevent me from loading his webpage, and I will happily accept the rebuke.

They are not allowed to simply track me and serve me ads regardless, though. I pay for an email provider specifically to avoid this, and I pay for magazines and books as well.


Without arguing with the last one, I imagine that for a great deal of content I won't consume it at all; a very small portion of things on the internet is worth paying for.

And also it will probably be ads+tracking+various levels of paying money.


> You're implying the creator of the website is okay letting you receive the service or content on your terms

The creator is sending the content to my machine for free. Whether my machine displays the ads (aka cancer) attached to that content is my decision.

Also regarding paying money, don't forget in pretty much any case you still end up tracked. If anything, you get tracked less by the ad-supported version because at least you're not giving them any billing information and are not consistently logging into the same account (which you'd have to do for your subscriber benefits to kick in).

> One day when our tech will limit you to a binary choice of ads+tracking versus paying money, which way are you going to swing once your hand is forced?

I'd love such a choice as it will allow me to say no to cancer & stalking once and for all. However it will have to be implemented in such a way that it's technically impossible for anyone to track me through the subscription system.


The creator is sending you a particular bundle that they decided is worth their time and money as a singular unit. You decide to dissect that bundle and throw parts of it away. All of this is done based on capabilities on each side, not based on morals. Neither side of the debate is right in claiming morality.

PS: Data transmission is not free. Servers cost money and bandwidth costs money too. CDN costs money. Anti-DDOS costs money. etc.


So essentially you only pay for things through cash.


We have the right to run whatever software we want on our computers -- whether we are on the browser side or the server side. To the extent that users have the right to run ad blockers, websites have the right to try to evade them.


Combine this sort of thing with Google's "chrome manifest v3" proposal, and ad blockers are mostly dead.


It just needs to be escalated to local MITM VPN-based (so it works on phones too) filtering.


I have this on my phone and it doesn't stop this technique.


Of course it does, but not if your filter lists aren't adequate.


Not on Firefox!


As described, rather than disabling js you may want to look into something more complicated, because if you do then the <noscript> side is going to kick in.

I think the noscript solution offers less data collection but can still be reverse proxied (try for yourself on the page).


What if I track you server side?


Meh.

If you're using GA to prove your site's worth, e.g. in some M&A deal, this is useless - your proxying means that you can fudge numbers and thus is no better than anything else you say. (This is a significant use case among looking-for-exit startups).

If you're using GA to get insight about your website, it would be somewhat useful, but not really - because GA would not be able to correlate the cookies to figure out the demographics, etc (and I don't know how much it would trust Via / Proxy-for headers, so other statistics it gives you are also limited).

Also, if you have non trivial traction, you're going to get flagged by their fraud filters.

You're probably better off running a local Piwik or whatever it's called these days.


> If you're using GA to get insight about your website, it would be somewhat useful, but not really - because GA would not be able to correlate the cookies to figure out the demographics, etc (and I don't know how much it would trust Via / Proxy-for headers, so other statistics it gives you are also limited).

A proxy can send whatever cookie it wants to the server (a proxy can actually hide the fact it's a proxy and make itself look like a normal client).

However a lot of GA's stalking behaviour relies on having cookies on a specific Google-controlled domain. The proxy using a different domain means it will be able to neither access nor set those cookies. Good for privacy but obviously (and thankfully) bad for the author's nefarious goal.


You think?

Looking at my dashboard now I can see data on language, browser, mobile model, referral, etc. I think some are just not present in the mobile version of analytics, but I can't see what data this would not be collecting.

> However a lot of GA's stalking behaviour relies on having cookies on a specific Google-controlled domain

This also reminds me that this simple technique can bypass 3rd party cookies rules.

> author's nefarious goal.

You clearly misunderstood my goal.


It doesn’t bypass 3rd party cookie rules.

You proxy cookie for party3.com

I proxy cookie for party3.com

But there isn’t a good way for me, you or party3.com to correlate these cookies unless we have some agreed out-of-cookie-band way to do so.

I’m sure those will come up, but they will be well known and likely easy to block once they are.


> because GA would not be able to correlate the cookies to figure out the demographics, etc

It's my understanding that GA cookies do not actually do this.

When a site operator turns on demographic reporting in GA (which is optional), it adds Doubleclick cookies in order to provide that information to the site operator. I know because I did this and I had to update my privacy policy to reflect the Doubleclick cookie (GA prompts the site operator to do this).

It seems like people have come to take it on faith that GA, in its default installation, tracks users across all GA and Google properties in order to improve their ad targeting profile. If there is documentation of that, could someone link it for me?

Maybe I'm just out of date, but I don't think GA does that out of the box. In fact GA expressly forbids site operators from pushing any data into GA (via custom variables etc) that would help them identify users.


GA surely delivers that data to google, and tries to correlate through a GA specific domain.

Now, they might not provide it to the site owner unless they opt in (to also share it with DoubleClick or whatnot), and they might pinky swear not to use it (though I have never seen that promise myself).

But using GA, a site makes your naive browser send all that data to google. Why would you assume it is not being used? Does it matter if for now it is only directly visible to google?


If you are proving your site's worth, you could just do analytics on anonymized server logs rather than relying on this technique to get GA to work.


Could you please expand on fudging numbers and fraud filters?

The original question that I was trying to answer was if the numbers that I was seeing for mobile users were skewed by how much more difficult it is to get an ad blocker for mobile.


Fraud filters is about GA not expecting such a large number of events from a single IP. You’d be sending all your visitors’ events from that single IP - at some point GA will ignore your traffic or give you a captcha (effectively blocking the analytics because it’s not designed to handle the captcha response).


Then just run an old school analysis on your server logs. Some 20 years ago, I was using Webalizer, it probably still exists and I am sure there are alternatives.

Putting google into the mix, through a proxy or not, will definitely skew your results.


This would be a problem. What Google cross site tracking cookies does GA send back to Google? I didn’t see any in the documentation.


GA has a unique user cookie on their domain, and the visited URL on yours (as well as other metrics). What else were you expecting?


This is akin to bypassing antimalware protection by hosting the malware on your own reputable site.

What are you trying to achieve here? Your entire domain will just end up blocked if you do this at scale, not to mention Google themselves would ban your reverse proxy’s IP because of too many queries (since you’ll be proxying all your visitors’ requests from a single IP).


To be fair, self-hosted ads are a thing on some sites and often don't get blocked by adblockers. I know I don't specifically go out of my way to block such ads because they're generally on sites that I'd like to support.


Do these self-hosted ads also embed malware (stalking/tracking code)? If they do not then I'm 100% with you and would totally support this kind of self-hosted advertising.

However this example is a bit different, the site in question is going out of their way to being a reverse-proxy for a spyware command & control server, and the entire domain should be considered & blocked as such.


If we're just talking about tracking then they don't need to because the site already gets all of your requests. They inherently know what pages you're viewing on their site because they gave them to you. A great many sites run this kind of analytics (often including client-side ones to track user actions - think medium.com's "most highlighted paragraph") and it's not considered malware.

If you're talking about them selling the data gathered by these, then that'd be less common but certainly not unheard of. If you're talking about them doing something more nefarious on your machine (keylogging/cracking) then hopefully that's pretty hard to do against a modern browser and any site caught doing so would never get any traffic from me again.


The problem we're discussing here is not about the site having a record of all the legitimate requests needed to load a page.

The problem is that the site is now serving a piece of (third-party, but that's beside the point) malware explicitly designed to monitor events that would normally not cause a network request (and thus wouldn't be logged), and then sending that to a malicious third-party through a reverse-proxy.


If you were to reverse proxy from the same domain then yes, you'd get blocked eventually.

The problem is that creating reverse proxies on random domains is too easy, by distributing this to different domains it wouldn't be possible to block this effectively!


It would turn into a standard game of cat & mouse just like with signature-based anti malware software. Eventually the world will move on to heuristics and domain-based workarounds will no longer be effective.


If you're doing this "at scale" then people would notice if your domain got blocked.


Assuming your domain is anything of value of course. There are plenty of domains that are technically at scale and yet when my ad blocker blocks a link to it I just go back to the previous page and don’t bother clicking through.


If you're hosting the analytics on your own domain, is it really even something an ad blocker should be blocking? It's not coming from a known third-party service domain (for ads or tracking or otherwise) so there's no real reason a blocker should be blocking it. It's first-party analytics on your own website. The fact that you're implementing it via reverse proxying is kind of an implementation detail, because at any point it could stop being Google Analytics, or an existing first-party analytics solution on a website could become GA.

It is kind of unfortunate that third-party tracking can 'hide' this way but in this case there's not really much you can do if the content author is going out of their way to pull a fast one...


> The fact that you're implementing it via reverse proxying is kind of an implementation detail, because at any point it could stop being Google Analytics, or an existing first-party analytics solution on a website could become GA.

I think you (probably unintentionally if I understand you correctly) actually just pointed out a good reason why those who really really care should block analytics even from the same domain as the site they are visiting : )

Not that it will help against a determined web site owner trying to track though: Very much of the tracking can be done on the server side (and even proxied from the server side to another third party).


Right, my point is essentially that I don't think it's realistic to try and block first-party trackers. They're indistinguishable from page content. The closest you could get would be the 'disable javascript' hammer but there are non-script-based ways to do first party tracking pretty well, I'm sure.

I get why people would want or expect tracking blockers to work on reverse proxying but it seems silly to try. On the bright side, if the tracking is being done first-party it makes it much clearer who's taking your data and who's responsible for where it goes - it's going through them even if they're just bouncing it to another server.


It isn't something they should be blocking, but they try to. uBlock, for example, blocks self-hosted Piwik/Matomo.

But the entitlement of ad-blockers is astounding sometimes: https://github.com/easylist/easylist/pull/900, in which the easylist maintainer defended blocking OpenStreetMap advertising OpenStreetMap events on openstreetmap.org, still makes my jaw drop.


I don't see how it's "entitlement" to control what your computer is doing with data it's receiving from the internet. If anything, I'd say it's the opposite site who is coming across entitled when they think not only they can expect to run any crap on user's machines, but also have the right to bitch about it when it doesn't run.

In that case, would you also say it's entitlement to be installing antimalware or security updates so malware authors are no longer able to run malware on your computer?


Nice try but doesn't work on Kiwi Browser ;) Shows "This content should be overriden by GTM". This is because a heuristic is used instead of a blacklist. So to answer, yes this can be blocked easily.


Same for uMatrix. I run two different configurations (home/work), a strict one with all scripts disabled by default, and a lax one allowing first-party scripting by default. Doesn't work in either of these.


Doesn't seem to work for uBlock Origin either, I see the same thing.


Setup please? It works for me on 2 different computers/OS + phone and had other people confirming it.


That's interesting, and good to know! I wonder if the heuristic can be bypassed by changing the code (e.g. adding a semicolon) or changing the URL further.


Also you asked in your article whether this can be used for ads.

Yes, there is an Israeli company offering to publishers to configure nginx as a reverse-proxy ( https://vip.wordpress.com/plugins/yavli/ ) and they serve the ads as small chunks of images (to not match the usual 300x250 or 468x60).

It made Easylist quite angry at the time: https://easylist.to/2015/08/19/issues-with-yavli-advertising...


Of course it can be bypassed and it's not very difficult. It's just that the way of filtering is different (many browsers / extensions are just Easylist/Disconnect clones)

To go further on the proxy idea, I think that the best strategy could be to actually do server-side calls to GA: https://ga-dev-tools.appspot.com/hit-builder/ (yes there is an API for server-side hits).

The minus of the proxy idea, is that since you don't have access to *.doubleclick.net (which should be blacklisted by any decent track/adblocker) you don't get demographics info back into GA.

But after all, like other comments said, aren't you simply a first party tracker? GA is just a more evolved storage point than, let's say using goaccess on raw logs.


> To go further on the proxy idea, I think that the best strategy could be to actually do server-side calls to GA: https://ga-dev-tools.appspot.com/hit-builder/ (yes there is an API for server-side hits).

Yes, probably big players would like to use server side analytics! But that's a bit too involved for small websites.

> The minus of the proxy idea, is that since you don't have access to *.doubleclick.net (which should be blacklisted by any decent track/adblocker) you don't get demographics info back into GA.

When I pull down Google Analytics I also change its content to make it point to the reverse proxy itself. I didn't find any call to that domain being blocked, so I didn't do it for that particular case.

I think that the data collection is done via https://www.google-analytics.com/r/collect, which I do proxy. Notice however that sometimes an easy list filter kicks in and blocks that just because it happens to match "r/collect". I think there is a race condition somewhere that makes it not work sometimes, because I couldn't replicate it consistently. Anyways, it would be as simple as changing that domain specifically to something else. I tried doing so, but Netlify's redirects were playing up (possibly because I'm on the free tier) so I gave up. The concept of masking the domain/url still applies.
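
The blacklist-versus-heuristic distinction and the `r/collect` endpoint mentioned in the comments above can be shown with a small request classifier. This is an added example, not code from the thread, the linked article, or any blocker named here; the hosts, property ID and function names are constructed, and matching on the Universal Analytics Measurement Protocol fields (`v`, `tid`, `cid`/`uid`, `t`) is an assumed approach, not how Kiwi Browser, uMatrix or uBlock Origin actually decide.

```javascript
// Added example: hostname blocklist vs. request-shape heuristic.
// Every URL, host and property ID below is constructed sample data.

// Hostnames a list-based blocker would carry (both are named in the thread).
const BLOCKED_HOSTS = ["google-analytics.com", "doubleclick.net"];

// Hit types defined by the Universal Analytics Measurement Protocol.
const HIT_TYPES = new Set([
  "pageview", "screenview", "event", "transaction",
  "item", "social", "exception", "timing",
]);

// List-based check: exact host or any subdomain of a listed host.
function hostIsBlocked(hostname) {
  return BLOCKED_HOSTS.some(
    (h) => hostname === h || hostname.endsWith("." + h)
  );
}

// Shape-based check: a Measurement Protocol hit carries v=1, a UA property
// ID in tid, a known hit type in t, and a client or user ID. The receiving
// host plays no part in the decision.
function looksLikeAnalyticsHit(params) {
  const tid = params.get("tid") || "";
  const t = params.get("t") || "";
  return (
    params.get("v") === "1" &&
    /^UA-\d+-\d+$/.test(tid) &&
    HIT_TYPES.has(t) &&
    (params.has("cid") || params.has("uid"))
  );
}

// Classify one outgoing request made by a page.
// firstParty compares hostnames only; a real blocker would compare
// registrable domains using the Public Suffix List.
function classifyRequest(pageUrl, requestUrl, body = "") {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  // Hits travel in the query string (GET) or in the body (POST/beacon).
  const params = new URLSearchParams(req.search);
  for (const [k, v] of new URLSearchParams(body)) params.append(k, v);
  return {
    firstParty: req.hostname === page.hostname,
    blockedByHostList: hostIsBlocked(req.hostname),
    blockedByHeuristic: looksLikeAnalyticsHit(params),
  };
}

const PAGE = "https://shop.example.test/";
const HIT = "v=1&tid=UA-000000-1&cid=555.123&t=pageview";

// Constructed requests: direct, reverse-proxied (GET and POST), and benign.
const SAMPLES = [
  { label: "direct GA hit",
    url: "https://www.google-analytics.com/r/collect?" + HIT },
  { label: "same hit via first-party proxy path",
    url: "https://shop.example.test/proxy/r/collect?" + HIT },
  { label: "proxied hit sent as POST body",
    url: "https://shop.example.test/proxy/collect",
    body: "v=1&tid=UA-000000-1&cid=555.123&t=event&ec=video&ea=play" },
  { label: "ordinary first-party search request",
    url: "https://shop.example.test/search?v=1&t=shoes&q=boots" },
];

function runSamples() {
  return SAMPLES.map((s) => ({
    label: s.label,
    ...classifyRequest(PAGE, s.url, s.body),
  }));
}

for (const r of runSamples()) {
  console.log(
    `${r.label}: firstParty=${r.firstParty} ` +
    `hostList=${r.blockedByHostList} heuristic=${r.blockedByHeuristic}`
  );
}
```

The host list only catches the direct request, while the shape check also flags both proxied hits and leaves the ordinary search request alone. Hits generated on the server, as other comments describe, never pass through the browser and are outside the reach of either check.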


"Coincidentally", the chrome manifest v3 proposal makes blocking via heuristics pretty damn hard.


Since it goes through a reverse proxy, wouldn't it not leak personal data the way using it directly would? If using GA directly, the browser uses my google-session data which GA can track between sites/domains. But here the proxy only gets the unique session for this proxy, so it doesn't know who I am. Or?


I checked the analytics dashboard yesterday and updated the website: the only data that I'm not getting though is the users' country/city and their provider. So in a sense it's better for your privacy: the IP is not your own!

I'm not an expert on Analytics but I'm also assuming that since the cookies are different (because the HTTP call to analytics happens on a different domain than usual) it shouldn't be able to track you just as well: G Analytics doesn't know your IP and has no trace of your previous anonymous IDs set in your cookies!


I would be interested in knowing myself. From my analytics dashboard I can tell you that I get some browser data, like language. But I'm not sure if it's safer for the users, or the data is any worse for the tracker!

The cookies will be different because the host is different, but I think that Netlify does a good job at keeping the connection like for like.


It's an ongoing cat-and-mouse game. This is like the inverse of people using VPNs and proxies to get around filtered Internet, except it's now the server that does the tunneling instead of the client.

Personally, I've found that JS off and all the GA/GTM domains (along with many others) blacklisted is sufficient in daily use; no JS gets rid of most of the crap, and the blocked domains clean up the rest. My goal is not to become completely untrackable (I believe that's next to impossible), but just to stop slow-loading pages full of junk I don't care about (which is what I suspect most people using ad-blockers are aiming for.)


> Hello from Google Tag Manager. This text is being added by a tag running from GTM.

One should note that this inclusion, without an opt-in consent banner for instance, is not GDPR compliant. The URL https://analytics-bypassing-adblockers.netlify.com/proxy/htt.... sends personal data to a third party (Google) without my explicit consent. See Article 7 and Recital 32 of the GDPR:

> Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.


> One should note that this inclusion, without an opt-in consent banner for instance, is not GDPR compliant.

IANAL but as I understand GDPR, this is incorrect. The paragraph you cite discusses personal data. Google's FAQ on GA is instructive (emphasis mine) [0]:

> When using Google Analytics Advertising Features, you must also comply with the European Union User Consent Policy.

They admittedly keep things as vague as they can, but to me it kind of reads like: using GA to collect site usage analytics is actually fine and requires no explicit consent as long as you've configured it to anonymize the IP addresses (toggle this in GA) and you're not tracking e.g. user IDs and such.

Similarly, using GTM to deliver a paragraph like OP did is also fine.

In both cases the spirit and the letter of the law would seem to be respected if you add some notice about tracking going on in your footer. No explicit consent is needed here, because no personal data is getting tracked.

Edit: clarity.

[0]: https://support.google.com/analytics/answer/2700409


This website does collect personal data. Google's FAQ on GA simply states that the first party should obtain consent before transferring data to a third party (and transfer of consent might not be GDPR compliant, but that's another issue).

Here, the first party (analytics-bypassing-adblockers.netlify.com) has to obtain consent before collecting personal data. And IP addresses are not the only personal data that GA can collect.


As someone who just received a cold call from a recruiter I never heard of, with a 4-year-old CV, and who hasn't been on a job board for more than a year, I must say that GDPR didn't do much. I actually previously reported a recruiter to the ICO for 3 different violations (no data disclosure, cold call, old CV) and they did nothing but advise not to keep CVs for more than 1 year.

/rant off

I feel that your point, even if valid, doesn't quite apply to what I'm describing, which is to go around ad blockers.


Your retort in no way actually counters that you are tracking without consent - this is not allowed.


I remember when modern telemetry gathering practices were labeled as malware/adware..


Especially the phone home of ZoneAlarm, that blew up quite big. And to think that's what basically every application does nowadays.


https://rrregain.com does this as a service. There are others as well but most do not use your own domain.


Interesting, do you know if they rely on the same principle of using several domains, making it harder to block?


I'm not sure, it uses your own domain, thus www.google-analytics.com becomes yourdomain.com/analytics.js. Not all requests are proxied, only the ones blocked by adblockers.

Taking this further, you could have your server send an event to GA when /index.html is requested, this can even be from tail -f access_log. No one will know GA was requested.


In general, you wouldn't be able to access third-party cookies this way, though.


I implemented something like this on a site visited almost exclusively by developers, assuming that developers must have amongst the highest adblock usage, and that my real visitor numbers according to GA would be much higher.

I saw a boost of about 7-8%. Remember, most adblockers (like Adblock Plus) don't block Google Analytics. uBlock and Ghostery are probably the 2 main GA adblockers, but as a % of adblockers as a whole they're not that large.

It's probably not worth it.


This is unfortunate, but it simply means that we have three options:

- Block entire domains
- Prevent javascript from running
- Use the internet less, read books, use your local library.

Happily, I was able to get my browser from the default message: Hello from Google Tag Manager. This text is being added by a tag running from GTM.

To the blocked message: This content should be overridden by GTM.

But, how far will this game of cat and mouse go?


No personal offence intended, but I hope this project dies on its arse.

It's malicious software, circumventing the protections afforded to me by my ad/tracker blocking software.

I'll contribute in any way I can to adblocking tech, and to any impotency of this kind of technology.


None taken. Believe it or not I'm mostly on your side. I published this because I've managed to do this in 4 hours, for fun. It exploits the URL-based blocking which is so prominent but so easily subverted, and if I've done it anybody can, so I wanted people to know.

Having said that, I must add, I don't think this is malicious software. Besides the legalities and the GDPRities which I may have overlooked, when you ask a website for its content that comes with analytics, but you want to block analytics, I don't think you can complain about the content provider bypassing your attempt at blocking it. Don't get me wrong, when I come across websites that stop me from browsing them because I use uBlock I usually bypass their block, or close the tab, but I can hardly complain at their attempt, or deem it as malicious, IMHO.


Would like to know, does Google Analytics actually use data for tracking/ad targeting? I thought it would only track users if they embedded the AdWords script. If so, why is it blocked by UBO and Ghostery?


I've always just assumed it does, in the same way I assume Facebook's like etc. buttons do plenty of tracking even if you don't interact with them.


If enabled, it does provide targeting capabilities (by tracking across multiple key domains).


I blocked GTM and GA with Little Snitch... your bypass doesn't work


Please explain, I use Little Snitch too!


:popcorn:


> [ This content should be overridden by GTM. ]

lol... pages look better if you send the actual document instead of assuming you have permission to run software in my browser.


It's a proof of concept. If it doesn't work for you then you are meant to know that :)

It's not a bug, it's a feature!



