The bulwark against this encroachment was Mozilla Firefox, and the OSS community. Firefox was supposed to provide a legitimate alternative vision for the web. But Mozilla decided to let Google define what was normal, and what features a web browser should and should not have.
Can't people see that Google's vision is box canyon?
I'm speechless, I just want to put some emphasis on this.
I wonder what other kinds of evil practice they push to this demographic. Perhaps more malware, because they are "less likely to understand them" too?
You're implying the creator of the website is okay letting you receive the service or content on your terms. They are not. Ads and tracking are there because they earn the creators some amount of money.
One day when our tech will limit you to a binary choice of ads+tracking versus paying money, which way are you going to swing once your hand is forced?
What I don't understand is why they insist in fighting against people who hate excessive ads. Adblockers don't install themselves, users install them, which sends the message they're resistant to advertising, so why embarking in this endless war costing them even more money to show an ad to people who wouldn't buy the service or product anyway? If a company screws with my adblocker and manage to show me an ad for something I need at 100€, I swear all divinities in the Universe I'll go buy that thing elsewhere for €150 rather than them. Been there, done that.
I would rather go for a much nicer alternative: "You using an adblocker? Fine, you get the content anyway but your traffic get the least priority so that users seeing ads will get some precedence over you". To me that would be nicer to all users while giving some advantage to those without adblockers, and to the company as well since adblocking users would never be able to clog the network. Would it be so hard to implement?
Also, you can turn off any of that blocking after you first visit the site. I don't understand how the narrative of "you agreed to use this site, then went back on your part of the deal" is supposed to work when the only way to discover what you're agreeing to is to land on the site and let it happen. Do Not Track was supposed to be a (partial) solution there, letting you state your conditions for use on arrival, but we all know how much respect those conditions got.
I’m actually happy to pay for the media I consume, I actually do pay for some things, but nobody gets their advertising/trackers let through because the whole industry is patently untrustworthy. If publishers want ad revenue from me, they can remove pervasive tracking, it until then, they get nothing.
Because people who pay for these ads need to justify that the ROI is there. They need to know how many views, clicks, and other stuff. Just like you need to know many things in different areas.
I'm not defending terrible offenders like Google, but people don't just say "Yeah sure, let me just spend thousands of dollars on an ad and HOPE it gets clicks and views like you claim it will"
Literally how marketing worked from the invention of the printing press right up until 2002 or so. It's obviously a sustainable business model.
> One day when our tech will limit you to a binary choice of ads+tracking versus paying money, which way are you going to swing once your hand is forced?
Easy, paying money. I already do where it's an option.
This is precisely my objection. The narrative that blocking ads and trackers breaks an agreement with site owners makes no sense to me when I can't see the terms of that "agreement" until after I've landed on the site. Shrinkwrap contracts didn't become a reasonable practice when they turned into browsewrap, and indeed courts consistently hold that those contracts are valid only after presenting proper notice of terms to the user. Visiting a webpage is certainly not assent to allow third-party tracking or code execution.
If the site host wants to object to my continued use while blocking ads and trackers, fine. They're welcome to do so; sometimes I reduce my blocking and sometimes I leave the site, depending on the nature of the tracking and the value of the site. That's an agreement, blindly accepting whatever someone cares to serve is not.
I love when people throw this argument out there. I made no such agreement. I signed nothing. My device will behave exactly how I tell it, not how advertisers tell it.
Whats with this entitlement that you shouldn't have to endure ads but also get to have the content too?
Should a user be forced to NOT mute the commercials? I'm clearly in the "NO" camp on this issue.
Hell even TV networks track you. They know how many viewers are on certain shows and that. That's how they're able to garner high prices too.
Advertising is just something we always had to deal with. You don't have to watch commercials. You do that by not going to channels that have commercials, or using different services that you pay to not see commercials.
My point is, you are entitled to not be tracked. You're entitled to not have to see ads. But you are _NOT_ entitled to the content without those if the website decides the trade-off of you getting that content for free is by enduring those ads.
Close your window. Go somewhere else for content if the site you're visiting displays ads.
The inflated sense of entitlement in surveillance capitalists is palpable.
Fine, but this cuts both ways. They're wrongly assuming I'm okay accepting arbitrary content on their terms.
The no-blocker system holds that by navigating to a URL, I accept whatever the domain owner cares to serve me. We had one attempt to embed user conditions in the request, that was Do Not Track, and the most common outcome was that sites neither honored it nor put up walls against users; they simply disregarded it and kept tracking. In fact, they started to fingerprint users based on their request to not be tracked.
If, prior to using a site, I want to see what it asks me to give up in terms of privacy and security, I don't know an alternative to visiting the site with blocking in place. The creator can put up a wall and tell me to turn it off, in which case I'll make a site-specific decision to leave or disable blockers just like I do for cookies. This isn't hypothetical, I do it regularly.
If I bypass a wall or ignore clear notice that I don't have permission to browse with blockers, then sure, we're both lying to each other about our usage conditions and it's just an arms race. But I reject the idea that an initial visit to a site constitutes consent to accept some unknown pile of privacy intrusions and security risks; the moral burden there really is on the site owner who's circumventing a clear refusal to accept those things.
Well companies should aks themselves what they did to users in first place that everyone hates these ads so much now! How they pushed too far!
They have to look into the root cause of it.
But instead, most of them are making it even more annoying.
Nevertheless, the content quality is dropping as well. everyone is making unnecessary long content and a lot of click-baits.
What do you expect? It is called consequences and humans are really bad to understand it.
An ad blocker is no different except being automated. And the analytic spying it fights is automated too.
> If we're going to use ad blockers, at least let's admit to what we're doing and not claim a moral high ground.
If we are going to use psychological warfare to part people from the fruits of their labour in exchange for cheap crap they don't need by exploiting human weaknesses and insecurities, just so we can keep an unsustainable and highly damaging model of growth going; and also serve malicious software to those people, then let's not pretend we have any moral standing at all.
Adblocking is has a hell of a lot more moral substance to it than advertsing does.
They are not allowed to simply track me and serve me ads regardless, though. I pay for an email provider specifically to avoid this, and I pay for magazines and books as well.
And also it will probably be ads+tracking+various levels of paying money.
The creator is sending the content to my machine for free. Whether my machine displays the ads (aka cancer) attached to that content is my decision.
Also regarding paying money, don't forget in pretty much any case you still end up tracked. If anything, you get tracked less by the ad-supported version because at least you're not giving them any billing information and are not consistently logging into the same account (which you'd have to do for your subscriber benefits to kick in).
I'd love such a choice as it will allow me to say no to cancer & stalking once and for all. However it will have to be implemented in such a way that it's technically impossible for anyone to track me through the subscription system.
PS: Data transmission is not free. Servers cost money and bandwidth costs money too. CDN costs money. Anti-DDOS costs money. etc.
I think the noscript solution offers less data collection but can still be reverse proxied (try for yourself on the page).
If you're using GA to prove your site's worth, e.g. in some M&A deal, this is useless - your proxying means that you can fudge numbers and thus is no better than anything else you say. (This is a significant use case among looking-for-exit startups).
If you're using GA to get insight about your website, it would be somewhat useful, but not really - because GA would not be able to correlate the cookies to figure out the demographics, etc (and I don't know how much it would trust Via / Proxy-for headers, so other statistics it gives you are also limited).
Also, if you have non trivial traction, you're going to get flagged by their fraud filters.
You're probably better off running a local Piwik or whatever it's called these days.
A proxy can send whatever cookie it wants to the server (a proxy can actually hide the fact it's a proxy and make itself look like a normal client).
However a lot of GA's stalking behaviour relies on having cookies on a specific Google-controlled domain. The proxy using a different domain means it won't be able to neither access nor set those cookies. Good for privacy but obviously (and thankfully) bad for the author's nefarious goal.
Looking at my dashboard now I can see data on language, browser, mobile model, referral, etc. I think some are just not present in the mobile version of analytics, but I can't see what data this would not be collecting.
> However a lot of GA's stalking behaviour relies on having cookies on a specific Google-controlled domain
This also reminds me that this simple technique can bypass 3rd party cookies rules.
> author's nefarious goal.
You clearly misunderstood my goal.
You proxy cookie for party3.com
I proxy cookie for party3.com
But there isn’t a good way for me, you or party3.com to correlate these cookies unless we have some agreed out-of-cookie-band way to do so.
I’m sure those will come up, but they will be well known and likely easy to block once they are.
It's my understanding that GA cookies do not actually do this.
It seems like people have come to take it on faith that GA, in its default installation, tracks users across all GA and Google properties in order to improve their ad targeting profile. If there is documentation of that, could someone link it for me?
Maybe I'm just out of date, but I don't think GA does that out of the box. In fact GA expressly forbids site operators from pushing any data into GA (via custom variables etc) that would help them identify users.
Now, they might not provide it to the site owner unless they opt in (to also share it with DoubleClick or whatnot), and they might pinky swear not to use it (though I have never seen that promise myself).
But using GA, a site makes your naive browser send all that data to google. Why would you assume it is not being used? Does it matter if for now it is only directly visible to google?
The original question that I was trying to answer was if the numbers that I was seeing for mobile users were skewed by how much more difficult it is to get an ad blocker for mobile.
Putting google into the mix, through a proxy or not, will definitely skew your results.
What are you trying to achieve here? Your entire domain will just end up blocked if you do this at scale, not to mention Google themselves would ban your reverse proxy’s IP because of too many queries (since you’ll be proxying all your visitors’ requests from a single IP).
However this example is a bit different, the site in question is going out of their way to being a reverse-proxy for a spyware command & control server, and the entire domain should be considered & blocked as such.
If you're talking about them selling the data gathered by these, then that'd be less common but certainly not unheard of. If you're talking about them doing something more nefarious on your machine (keylogging/cracking) then hopefully that's pretty hard to do against a modern browser and any site caught doing so would never get any traffic from me again.
The problem is that the site is now serving a piece of (third-party, but that's besides the point) malware explicitly designed to monitor events that would normally not cause a network request (and thus wouldn't be logged), and then sending that to a malicious third-party through a reverse-proxy.
The problem is that creating reverse proxies on random domains is too easy, by distributing this to different domains it wouldn't be possible to block this effectively!
It is kind of unfortunate that third-party tracking can 'hide' this way but in this case there's not really much you can do if the content author is going out of their way to pull a fast one...
I think you (probably unintentionally if I understand you correctly) actually just pointed out a good reason why those who really really care should block analytics even from the same domain as the site they are visiting : )
Not that it will help against a determined web site owner trying to track though: Very much of the tracking can be done one the server side (and even proxied from the server side to another third party).
I get why people would want or expect tracking blockers to work on reverse proxying but it seems silly to try. On the bright side, if the tracking is being done first-party it makes it much clearer who's taking your data and who's responsible for where it goes - it's going through them even if they're just bouncing it to another server.
But the entitlement of ad-blockers is astounding sometimes: https://github.com/easylist/easylist/pull/900, in which the easylist maintainer defended blocking OpenStreetMap advertising OpenStreetMap events on openstreetmap.org, still makes my jaw drop.
In that case, would you also say it's entitlement to be installing antimalware or security updates so malware authors are no longer able to run malware on your computer?
Yes, there is an Israeli company offering to publishers to configure nginx as a reverse-proxy ( https://vip.wordpress.com/plugins/yavli/ ) and they serve the ads as small chunks of images (to not match the usual 300x250 or 468x60).
It made Easylist quite angry at the time:
To go further on the proxy idea, I think that the best strategy could be to actually do server-side calls to GA:
https://ga-dev-tools.appspot.com/hit-builder/ (yes there is an API for server-side hits).
The minus of the proxy idea, is that since you don't have access to *.doubleclick.net (which should be blacklisted by any decent track/adblocker) you don't get demographics info back into GA.
But after all, like other comments said, aren't you simply a first party tracker ?
GA is just a more evolved storage point than, let's say using goaccess on raw logs.
Yes, probably big players would like to use server side analytics! But that's a bit too involved for small websites.
> The minus of the proxy idea, is that since you don't have access to *.doubleclick.net (which should be blacklisted by any decent track/adblocker) you don't get demographics info back into GA.
When I pull down Google Analytics I also change its content to make it point to the reverse proxy itself. I didn't find any call to that domain being blocked, so I didn't do it for that particular case.
I think that the data collections is done via https://www.google-analytics.com/r/collect, which I do proxy. Notice however that sometimes an easy list filter kicks in and blocks that just because it happens to match "r/collect". I think there is a race condition somewhere that makes it not work sometimes, because I couldn't replicate it consistently. Anyways, it would be as simple as changing that domain specifically to something else. I tried doing so, but Netlify's redirects where playing up (possibly because I'm on the free tier) so I gave up. The concept of masking the domain/url still applies.
I'm not an expert of Analytics but I'm also assuming that since the cookies are different (because the HTTP call to analytics happens on a different domain than usual) it shouldn't be able to track you just as well: G Analytics don't know your IP and have no trace of your previous anonymous IDs set in your cookies!
The cookies will be different because the host is different, but I think that Netlify does a good job at keeping the connection like for like.
Personally, I've found that JS off and all the GA/GTM domains (along with many others) blacklisted is sufficient in daily use; no JS gets rid of most of the crap, and the blocked domains clean up the rest. My goal is not to become completely untrackable (I believe that's next to impossible), but just to stop slow-loading pages full of junk I don't care about (which is what I suspect most people using ad-blockers are aiming for.)
One should note that this inclusion, without an opt-in consent banner for instance, is not GDPR compliant. The URL https://analytics-bypassing-adblockers.netlify.com/proxy/htt.... sends personal data to a third party (Google) without my explicit consent. See Article 7 and Recital 32 of the GDPR:
> Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.
IANAL but as I understand GDPR, this is incorrect. The paragraph you cite discusses personal data. Google's FAQ on GA is instructive (emphasis mine) :
> When using Google Analytics Advertising Features, you must also comply with the European Union User Consent Policy.
They admittedly keep things as vague as they can, but to me it kind of reads like: using GA to collect site usage analytics is actually fine and requires no explicit consent as long as you've configured it to anonymize the IP addresses (toggle this in GA) and you're not tracking e.g. user IDs and such.
Similarly, using GTM to deliver a paragraph like OP did is also fine.
In both cases the spirit and the letter of the law would seem to be respected if you add some notice about tracking going on in your footer. No explicit consent is needed here, because no personal data is getting tracked.
Here, the first party (analytics-bypassing-adblockers.netlify.com) has to obtain consent before collecting personal data. And IP addresses are not the only personal data that GA can collect.
I feel that your point, even if valid, doesn't quite apply to what I'm describing, which is to go around ad blockers.
Taking this further, you could have your server send an event to GA when /index.html is requested, this can even be from tail -f access_log. No one will know GA was requested.
I saw a boost of about 7-8%. Remember, most adblockers (like Adblock Plus) don't block Google Analytics. uBlock and Ghostery are probably the 2 main GA adblockers, but as a % of adblockers as a whole they're not that large.
It's probably not worth it.
- Block entire domains
- Use the internet less, read books, use your local library.
Happily, I was able to get my browser from the default message:
Hello from Google Tag Manager. This text is being added by a tag running from GTM.
To the blocked message:
This content should be overridden by GTM.
But, how far will this game of cat and mouse go?
It's malicious software, circumventing the protections afforded to me by my ad/tracker blocking software.
I'll contribute in any way I can to adblocking tech, and to any impotency of this kind of technology.
Having said that, I must add, I don't think this is malicious software. Beside the legalities and the GDPRities which I may have overlooked, when you ask a website for its content that comes with analytics, but you want to block analytics. I don't think you can complain about the content provider bypassing your attempt at blocking it. Don't get me wrong, when I come across websites that stop me from browsing them because I use uBlock I usually bypass their block, or close the tab, but I can hardly complain at their attempt, or deem it as malicious, IMHO.
lol... pages look better if you send the actual document instead of assuming you have permission to run software in my browser.
It's not a bug, it's a feature!