Firefox replaces Google Analytics with fake no-op in strict tracking protection (twitter.com/__jakub_g)
648 points by crazypython 43 days ago | 235 comments

NoScript implemented this over a decade ago, as part of its surrogate scripts feature: https://hackademix.net/2009/01/25/surrogate-scripts-vs-googl...

This was one of my favorite examples of how there was much more to NoScript than most people assumed, and it had a depth of features that could not be matched by "alternatives" like uMatrix. But that feature was killed by the mass extension breakage in Firefox 57: https://github.com/hackademix/noscript/issues/133#issuecomme...

So in a way, this feature can be seen as more than three years overdue.

I'm happy with this. Some extensions are so important they should be integrated into the browsers themselves. NoScript, uBlock Origin, uMatrix and Privacy Badger should just be standard browser features.

That would give the browser owners control over ad blocking behaviours, while they rely on funding from companies which sell ads. That's not a great situation for the users. The authors providing an unopinionated API for plugins is much safer.

You're absolutely right. Though the problem is the conflict of interest, not the idea that these things should be browser features.

The truth is everyone trusts these particular extensions and so they should have more privileges and deeper integration. For example, Google's new extension APIs actually make a lot of sense: they allow extensions to do useful things without actually looking at user data. This is a big improvement and it should be imposed on all extensions on their store. It's just that uBlock Origin is so important that it shouldn't be subjected to these limitations. That's why I say it might as well become a browser feature.

Manifest v3 doesn't stop extensions observing requests. Just blocking them.

That tells you a bit about priorities then.

Manifest v3 still had loopholes that allowed looking at data, but it was very clear what this was a step change toward.

Indeed, it also raises the question: Why do we pay for something like MS Office but not for a browser?

I think I'd pay 50/year or so for Firefox.. Even if Chrome is free. In fact I already donate about half that. But the point of course is getting a lot of people to do that so they can achieve independence from Google.

I wouldn't pay for a browser, they all track me, or try to, and experiment on me, and extract personally identifiable information which I am told is "anonymized" but you'd have to be a complete moron to believe that.

I'm already paying with all the data Mozilla and Google extract from me. In fact, they should pay me. I haven't asked for or wanted any of the new browser features which have appeared since, say, 2001. They all serve somebody else, not me.

Good user interfaces require financial incentive as far as I can tell.

> I haven't asked for or wanted any of the new browser features which have appeared since, say, 2001.

Netscape 4.80 is available for download here: http://www.oldversion.com/windows/netscape/

IE 6 is available here: http://www.oldversion.com/windows/internet-explorer-6-0

> and experiment on me

Yeah, what's up with these experiments? Sometimes I run htop and notice lots of Chromium processes with field-trial-id parameters. Don't think I ever signed up for this!

I am also actively looking for a way to fund Firefox.

I have donated to the servo project under the Linux Foundation and I'll possibly pay for Firefox VPN when it becomes available if I know the money goes into the corporation and not the foundation (yep, weird, but the corporation is where the browser gets developed. And money only goes from the corporation to the foundation, so if I want to support the development of the browser I guess that's how it has to be.)

but if they are already taking money from Google, why should I donate to Firefox?

IMO companies that aren't getting direct money from ad businesses deserve my donations more.

There's no guarantee that reaching independence from Google will stop Firefox from getting Google money, disabling features that made Firefox different or cutting jobs.

Most of their revenue comes from Google (for providing it as the default search engine in the browser) because they can't get enough revenue from donations to pay for their work. If they got enough money from donations, they wouldn't need to rely on Google's spare change.

Do you realize that 0 donations go to Firefox development?

Firefox development is done by Mozilla Corporation (that doesn't accept any donations, AFAIK). A part of their earnings are given to their owner, Mozilla Foundation, that you are suggested to donate to, and it may not be a bad idea, but it does not finance Firefox development in any way.

Donations go to whatever social causes they decide to fund.

Yes, but none of them are development of a browser, and many people are misled otherwise when donating.

Or they can just cripple the APIs so extensions don’t work as effectively anymore. Kind of what happened in practice with Safari (although this was not malicious).

Isn't this whole thread in response to Firefox blocking tracking from an ad company?

After they prevented an extension from being able to do so, three years ago.

Tracking - yes. Ads themselves - no.

I'm not because without extensions that now you think they should be standard browser features actually existing you may not even have imagined about those features in the first place.

Or to put it in another way: browser developers cannot imagine every possible use case that may come out of browsers nor are always the best judges of what is important and what not. It is just a matter of limited human imagination. The combined imagination of all potential extension authors is much greater than the combined imagination of whoever makes decisions about the features in a single browser - and extension authors do not have to convince anyone about adding those features in the browser, they can just throw them at the wall (users) and see what sticks.

For a similar case see X11 vs Wayland and how the latter has to make application-specific extensions for functionality provided by programs written using functionality the former provided since practically forever.

> I'm not because without extensions that now you think they should be standard browser features actually existing you may not even have imagined about those features in the first place.

I agree. I'm not saying we shouldn't have extensions. The entire ecosystem should be healthy, varied and with a low barrier to entry. I'm saying some extensions turned out to be so incredibly important that they really ought to be installed by default for every user. The only thing that stops uBlock Origin from being a browser feature is the fact it is an extension.

I installed uBlock Origin not only in my own browsers but also in the browsers of every single computer I have ever used. Sometimes people even comment on how much nicer the whole web browsing experience has become and they can't explain why when I ask them. People also seem to magically become immune to malware since malicious ads are no longer being shown and malware domains are being blocked.

When an extension has such an immensely positive impact on your users, browser developers need to recognize that fact and integrate it into the browser. At the very least they should ship the extension with the default browser package.

There isn't a very wide gap between builtin and "we bundle this extension by default" - which was always an option. The difference would have been marginal if Mozilla wanted to make it so.

Open source has an advantage when it sets itself up as basic infrastructure that can be tailored to many roles. It is notable that Brave, being started by a CTO from Mozilla with extensive experience in Mozilla, went with Chromium as the browser base for whatever reason.

Maybe if Firefox hadn't damaged its extension ecosystem instead Brave's niche could maybe have been done with extensions. Who knows. The former userbase has been delivering powerful votes of no confidence against Firefox for a decade now.

> There isn't a very wide gap between builtin and "we bundle this extension by default" - which was always an option. The difference would have been marginal if Mozilla wanted to make it so.

That'd be great!

umatrix is dead by the way

There's an alternative for Pale Moon...


Interesting, thanks.

It is not currently maintained, but it is not dead yet.

I was just warning people. Depending on something like umatrix that also uses "lists" that aren't being updated should at least be known about. I wouldn't recommend using it without combining it with something like noscript or ublock (depending on how aggressive you are).

I'm not familiar with all those extensions, but this sounds exactly like what Brave does.

uMatrix has been abandoned, sadly.

I'm very worried about this, to be honest. There doesn't appear to be anything even remotely close to a proper replacement for uMatrix. The thought of going back to the relentless spyware that is the web today (without uMatrix) is literally scary.

Someone here (long-ago thread) suggested uBlock Origin but it doesn't come anywhere near the functionality of uMatrix.

I'll continue using uMatrix and it continues to work perfectly but if Mozilla ever breaks it with incompatible changes, I'm at a loss what to do. Keeping fingers crossed it works for a long time.

I'd be happy to pay substantial money for something like uMatrix.

uBO static filters work fine as a replacement for most uM rules, except that you have to write them by hand instead of the convenient table UI that uM had.

Eg my static filters start with:

    *$csp=worker-src 'none'

    ! GitHub

    !! github.com

The first three lines disable a whole bunch of things on all websites, then the fourth selectively re-enables some of them (@@ are exception rules) in 1p cases. Then for each web property I have a section that selectively re-enables more things for that web property's domains (exception rules with a domain= filter).

Eg the first rule in the GH section says that github.com is allowed to make websocket and XHR requests to s3.amazonaws.com. If that line wasn't there, the very first line's rule would've blocked it.

Notice that 1p JS appears to be enabled by the fourth line, but I actually have dynamic rules to prevent JS by default, unless enabled per site:

    no-scripting: * true
    no-scripting: github.com false

The reason I do this with dynamic rules instead of static filters is that uBO has the ability to simulate noscript tags on websites where it disabled JS, but it only does that when JS is disabled via the `no-scripting` dynamic rule, not when it's disabled via static filters.

The only thing that uM does and uBO doesn't is cookies, so I still use uM for that.

> except that you have to write them by hand instead of the convenient table UI that uM had

Which means that this is not a proper replacement.

https://addons.palemoon.org/addon/ematrix/ if you're willing to use a fringe browser.

You can just use uBlock Origin in advanced mode, and the uMatrix features are in there.


It's nothing like the granularity of the uMatrix UI.

uBlock origin exposes this via https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-ru... . In particular, https://github.com/uBlockOrigin/uAssets/blob/master/filters/... will translate requesting google-analytics.com/analytics.js into this stub: https://github.com/gorhill/uBlock/blob/master/src/web_access... .

Not sure if you can easily substitute arbitrary scripts (would probably be placing too much trust into filter lists) but the resource library seems to be quite extensive: https://github.com/gorhill/uBlock/wiki/Resources-Library#url...

Does this imply NoScript just hasn't migrated to newer APIs, or does uBlock do something extreme to achieve it?

I thought NoScript was a single-purpose extension for disabling scripts. Naming and messaging matters, I guess. "JSControl" would've been a better name.

The full name as shown on addons.mozilla.org is "NoScript Security Suite", which more accurately conveys its purpose. Some of the features it provided really had nothing to do with JavaScript, such as NoScript's implementation of Strict Transport Security about 1.5 years before Firefox itself implemented that feature.

> "NoScript Security Suite", which more accurately conveys its purpose.

No, that just makes the name more confusing!

Still sounds like a JavaScript blocker, that doesn't clarify anything for me. I've never even looked at it as I've somehow associated it with "block all Javascript", seems like I missed out.

"Block all JavaScript" never required an extension. All the browsers have an option to turn JavaScript off entirely. NoScript started out as a way to provide an easy UI for selective blocking of scripts.

But it experienced the best kind of scope creep: it gained the ability to block other dangerous web features (eg. Flash and other plugin objects, web fonts, etc.), gained features to make life easier when blocking scripts (ie. the surrogate scripts feature), gained other security features for blocking evil actions by the scripts that are permitted (XSS blocking, clickjacking protection), and helped pioneer some security measures that weren't related to scripting (HSTS, ABE as a precursor to and superset of CORS).

IIRC if you turn JS off in the browser, the "noscript" blocks on sites get executed. But if you turn NoScript on, the "noscript" blocks aren't executed.

They are not "executed". They are displayed to user.

Thanks for the correction. My point remains that the "NoScript" extension doesn't do anything with those "noscript" blocks, so they're not shown to the user despite the user not executing JS on the site.

This is a bit of a PITA when one tries to make the site "work well" with JS both enabled and disabled; or provide _alternatives_ for when the user-agent isn't running JS.

Those work really well when the user-agent is blocking JS globally, but not for NoScript: broken behaviour everywhere.

IIRC the noscript extension had the option to parse <noscript> if you disable scripts.

But if you are doing progressive enhancement correctly you should not need any <noscript> so this becomes a moot issue.

NoScript evolved over time.

It's not like you downloaded a Mozilla executable one day and expected to see a Flaming Canine instead of a web browser.

NoScript blocks all scripts though so it's a tad bit extreme. They had bigger fish to fry but they finally got around to this. I'm happy they're doing it and I'm not going to complain about water under the bridge.

NoScript selectively blocks scripts on a per-domain basis, which is almost always sufficient to block the bad scripts but allow the necessary scripts on a site. The exceptions where a surrogate script (or blocking scripts by URL regex) is required are relatively rare.

It requires a lot of work from the user unlike something like ublock. It's fine for power users and hardcore privacy adherents but I would never recommend it for your general internet user as they'll just get confused.

Well, you should be able to remake it by now, since that was in 2016, so Firefox should have replaced all the functionality the previous extensions had, right?

Edit: Not you specifically, but someone.

Too little too late for me personally. I couldn't keep my two versions of Firefox from interfering with each other so these days it's Chrome for all my casual browsing and Firefox 56 for the functions I can't do without.

I love this.

It's whack-a-mole, but better whack-a-mole than learn-to-love-the-mole.

Another way to think of it besides the futility of whack-a-mole is, it's pushback, resistance, sand in the gears. It's making an undesired behavior less valuable. Yes you didn't stop sites from including analytics, yes tomorrow google will have some counter move, but that doesn't mean the effort was pointless. If you can exert a 5% pressure on some system and maybe only get a 5% reaction, that's perfectly fine.

They already have a counter move, to an extent. One of the deployment models for GA is via Google Tag Manager. One of the deployment models for GTM is this[1] server-side mode deployed to an App Engine container in Google Cloud. The only browser-visible communication happens between your browser and the App Engine instance, and then you send server side calls from that to the downstream systems based on those events (GA, Facebook Conversion API, etc).

It can also be used like the traditional GTM model, where it loads the primary GTM script browser-side, then that loads additional browser-side scripts based on the tags you implement (GA, Facebook, chat systems, map widgets, whatever). But the default GA support built into it avoids loading anything from Google's domains directly by the browser. And it's not even subject to the CNAME cloaking protections[2] that ITP have implemented, since it's not using the "CNAME to third party" technique that's typically common for these sorts of things to get first party access/privileges and is instead actually running on your infrastructure.

[1] https://developers.google.com/tag-manager/serverside

[2] https://webkit.org/blog/11338/cname-cloaking-and-bounce-trac...

Integrating with Google Analytics on the server-side as opposed to the client-side has always been available. Developers just rarely do it because it is easier to add a JavaScript snippet to the page.

It gives much more detailed data like how long a user keeps a page open, and browser fingerprinting data that's not available server-side like querying fonts or viewport size.

All of that stuff can still run as 1st party js on your site, then use your own server to proxy it all back to GA if you want to.

Yeah. But it's much easier to copy paste a script.

How do they provide that? Doesn’t that require you to use a proscribed server stack?

Does the server-side integration allow cross-site tracking? I don't see how it possibly could.

Not familiar with the particulars, but server-side GA has the same theoretical ability as the current Javascript-based GA. The only difference is that the client code is served by the first party, and not the Google servers.

GA can compare fingerprints from different websites, so that should work.

What's really clever is that at the scale that GA is deployed, it's really really hard for Google to willy-nilly break API just to get around this because a lot of webmasters will simply not bother updating their scripts, and if Google forcefully pushes a breaking change, people might stop using GA, or worse, they get an avalanche of bad PR for breaking half the web.

I don’t think this is true. GA has at least 2 versions it doesn't support in the past decade.

I imagine the opposite is true, in that they hold so much power they can do as they please.

My understanding is they are veeery careful around rolling out changes and deprecations. The cleverness is that there's a huge asymmetry in how fast Firefox can globally deploy updated shims vs how fast Google can change GA API.

Oh interesting, they also have shims for google analytics tag manager[0], facebook SDK[1] as well as a bunch of other things.

[0] https://github.com/mozilla/gecko-dev/blob/master/browser/ext...

[1] https://github.com/mozilla/gecko-dev/blob/master/browser/ext...

People use analytics to decide where to focus their efforts. For example, if most of your users are on mobile, invest more in the mobile experience. The unintended consequence of this change is people looking at which browsers are hitting their website, finding that it’s mostly Chrome and therefore testing only with Chrome. This would degrade the experience for Firefox users as subtle breakages start appearing.

Folks advocating for the use of hosted analytics instead of GA are correct ... but that’s not what most people will do. It’s just simpler to add a one line GA tracker to your code and call it a day. And these people will see Firefox usage drop to 0.

We have already seen “this site works best/only on Chrome”, especially on Google products like Inbox. Expect to see more of that as the web becomes a Chromium/Safari duopoly, according to analytics.

You don't need Google Analytics to figure out what browser your audience is using. That information is literally embedded in every single request to your website. There's no need to siphon requests over to Google for something so trivial.

I get that people would like to know as much as possible about who visits their website. Sometimes even for legitimate reasons and not just out of an obsession with collecting as much data as possible. But this analytics madness has gone too far. Pretty much every website you visit ships a bunch of data about you to multiple third parties. Often without consent. Just stop doing that. It's not a hard thing to do.

> You don’t need GA

No, but it’s what people use. Let’s not ignore reality.

That doesn’t give you shiny graphs with no effort though.

This is hardly new, people have been using ad blockers and various other scripts for years to block GA et al. In my experience it's something which PMs and other key decision makers are already well aware of. If there are still companies out there basing all of their decisions on GA metrics that's really their problem.

> The unintended consequence of this change is people looking at which browsers are hitting their website, finding that it’s mostly Chrome and therefore testing only with Chrome.

Bad developers already only test in Chrome regardless of what GA is telling them. This won't have much impact there.

It’s harder for good developers to justify effort if it seems like that effort has no impact.

If only Google Chrome would adopt this too!

Sarcasm aside, sites breaking or not working when analytics scripts are blocked is nuts. Is there a Wall of Shame for such sites (it may probably be the size of a search engine index)?

FWIW it's usually not malicious. What usually happens is that the analytics script provides some API for the developers to add additional logging functionality[1]. The developer then sprinkles calls to those APIs throughout their code, assuming that those functions will be available. If the scripts are blocked then you get an error like "ga is not defined" and the rest of the code doesn't execute, causing the page to be broken.

[1] https://developers.google.com/analytics/devguides/collection...

Not malicious but sloppy.

To be honest the web is a pretty hostile environment to program in.

Imagine if calling into a library randomly failed in Python. Or random apps directly inserted data into your SQLite database. Or users regularly injected code into your iOS at runtime to remove or change views.

One classic example we ran into was DOM that we'd just rendered suddenly had a different structure because Google Translate would insert new DOM nodes. So after a.appendChild(b); b.parentNode would be some random value instead of a. As a coder that's hard, you need some certainty to build on top of.

Experienced devs can develop intuition about stuff that breaks. But it's hard to be exhaustive. And there isn't a great deal of tooling available for fuzz testing this kind of stuff.

> One classic example we ran into was DOM that we'd just rendered suddenly had a different structure because Google Translate would insert new DOM nodes.

Gosh, this continues to be one of the problems I have with all of the major frameworks. Rather than assuming the DOM is a mutable, shared resource like it actually is, they treat unexpected DOM changes as undefined behavior, and will usually break at the slightest attempts by browsers or extensions to help the user. The Google Translate issue is still largely unsolved, and I’m always frustrated whenever I attempt to translate a blog post on development from Chinese and find out that it’s not working because they’ve decided to render in client-side with React.

React does make this worse, but even with vanilla JavaScript, having a third party make arbitrary changes to the DOM means that there may be no way to safely perform certain operations.

Expecting every website developer to code defensively for every single operation is unsustainable. A better solution might be to just build APIs for common cases; like creating new nodes that are anchored to existing DOM nodes.

> Or users regularly injected code into your iOS at runtime to remove or change views

That used to be more of a thing. A big iOS app I was indirectly involved in eventually added jailbreak detection. Not because they wanted to block it, but to log it so they could track down some fun bugs caused by random tweaks that changed the UI in impressively hacky ways.

Well, that's just what you get for abusing a document viewing platform into being a programming environment. The Web was never supposed to be an application platform; it did well what it was designed for, which somewhat implies the ability of the user to have the final say over how the content should be displayed.

It's not even sloppy. When people write code with dependency X, they don't check if X is available before every call. The website works as designed. The user decided to change the environment behaviour in an unexpected way.

> It's not even sloppy

It’s the definition of sloppy. Rule One of Javascript is that you check every 3rd party dependency before every call.

    window.ga && ga("user likes socks");

For exactly this reason: because often all you get is what you sent down the wire yourself. You still need to work with that.

I mean kinda. I wouldn’t bother to check if jQuery was defined if I explicitly included it in a script tag.

If you load jQuery as part of your first party bundle, sure. But if you load it from a 3rd party CDN, you can assume it will independently fail at some point. If you’re making something important, the proper resiliency practise would be to gracefully handle it.

Obviously if jQuery is critical to your site working at all there’s not much you can do, but for any dependencies that are not critical or only critical to a small portion of features, it’s a much better UX to degrade only those features.
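
The failure discussed in this part of the thread ("ga is not defined" when the analytics script is blocked, and the advice to guard third-party calls), as an added example that is not part of the original comments and is not Firefox's or uBlock Origin's shim code. The page scripts, the `runPage` harness and both stubs are constructed for illustration; `hitCallback` is the analytics.js field a page can use to continue after a hit is sent.

```javascript
// Added illustration: constructed page scripts and stubs, not any browser's or extension's real shim.
// Runs a page script against a stand-in global object; `ga` exists only if a script defined it.
function runPage(source, ga) {
  const state = { menuReady: false, navigated: false, error: null };
  const win = { state };
  if (ga) win.ga = ga;
  try {
    // `with` makes bare identifiers resolve against `win`, like globals in a real page.
    new Function('win', 'with (win) {' + source + '}')(win);
  } catch (e) {
    state.error = e.name + ': ' + e.message;
  }
  return state;
}

// Unguarded page: assumes the third-party script always loaded.
const PAGE_UNGUARDED = `
  ga('send', 'event', 'signup', 'click', {
    hitCallback: function () { state.navigated = true; }
  });
  state.menuReady = true;   // unrelated first-party feature
`;

// Guarded page: analytics is optional when the global is missing.
const PAGE_GUARDED = `
  var done = function () { state.navigated = true; };
  if (typeof ga === 'function') {
    ga('send', 'event', 'signup', 'click', { hitCallback: done });
  } else {
    done();
  }
  state.menuReady = true;
`;

// A stub that swallows every call, including the callback the page is waiting for.
function naiveStub() {}

// A stub that sends nothing but still honours hitCallback, so page flow continues.
function callbackAwareStub(...args) {
  const last = args[args.length - 1];
  if (last && typeof last.hitCallback === 'function') last.hitCallback();
}

// Each page variant against each environment (blocked, naive stub, callback-aware stub).
function summarize() {
  return {
    blockedUnguarded: runPage(PAGE_UNGUARDED, null),
    naiveUnguarded: runPage(PAGE_UNGUARDED, naiveStub),
    shimUnguarded: runPage(PAGE_UNGUARDED, callbackAwareStub),
    blockedGuarded: runPage(PAGE_GUARDED, null),
    naiveGuarded: runPage(PAGE_GUARDED, naiveStub),
  };
}

console.log(summarize());
```

The `naiveGuarded` case shows that a guard alone does not help when a replacement stub drops the callback, which is why a no-op replacement has to keep the API's callback behaviour.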

But, we, as web-devs, know, KNOW, that blockers a) exist and b) are used by clients.

It's like missing a test case that covers 15% of your user base.

Is it 15%?

I have no idea. They don't show up in my analytics...

Look, it's Friday, I kinda made that up. A system I operate has a rate higher than that but a trusted associate has a site with numbers like 2%.

Check your own metrics. It's for sure not zero.

It’s a joke because ad blockers block the analytics they would show up on.

I mean, it's a joke-but-not-a-joke.

It's actually reasonable for sites to be able to estimate the proportion of their population who block their analytics by looking at say, the proportion of signups or conversions or sales or whatever that come from 'untracked' sessions. But that is confounded by the fact that the population who uses ad and script blockers is not necessarily similar in behavior to the population who don't.

If 2% of signups to my newsletter come from sessions that don't show up in google analytics, does that mean 2% of my site traffic is using an ad blocker, or are they actually 10% of my site traffic - but those users are just 5 times less likely to give me their email address?

Why not? Log analytics are a thing, you know ....

You'd be astounded how many sites break when you turn off cookies.

I'm not just talking "can't log in"/"add to cart" break (obvs), but like, fail-to-catch-the-exception-thrown-by-localStorage-in-render()-so-completely-blank-white-page break.


Now I work around the terrible exception-throwing behavior of localStorage by leaving cookies on, but using the Cookie Autodelete extension.

As a Russian, I sometimes encounter sites that break when Yandex.Metrica is blocked. It's basically the same thing as GA, just from Yandex. And uBO didn't have a shim for it. Not sure if it does now.

I have mixed feelings about this. From the privacy angle I am pleased (I've been blocking GA ever since I knew it existed, via HOSTS), but from the "neutral browser" angle, not so much. Then again, FF is already not neutral with things like "safe browsing" and extension blacklists...

Browsers aren't supposed to be neutral. Browsers are the user's agent; they're supposed to serve the user and nothing else.

They must be neutral in the sense that they should not make specific rules for specific services. We have seen in a previous hn post that webkit has specific rules for quite some websites, now firefox has these replacements for some javascript codes.

This is wrong and will break things: if there are bad behaviors, like the cookie usage, the rules should be changed to prevent it, that's great, but having ifs and replacing selected scripts is a horrible way to go.

First reason for this is that obviously Google will try to go around that rule and change its script. Or some nasty tricks like using script proxies, ... Second is that if Google Analytics is blocked by name, then other tracking services will take the space, and users will lose anyway.

Exactly this, web-browsers should look after the user, and should protect the user against webbrowser-exploits e.g. 1px png tracking images and cookies.

Yeah somehow I think you would have a different opinion if Chrome offered users a performance boost only on Google owned websites.

If Chrome didn't allow the user to configure that same performance boost to work on other websites, then Chrome would be failing to operate as a user agent.

They literally did that already when they came up with QUIC (before it was public).

They had private implementations only supported by Google webservers and Chrome.

HTTP/2 is an open standard that is implemented in many languages already, so that’s not the same thing at all :)

It's not on by default. It's in the "strict settings" not the "standard settings" so it's opt in.

Agreed. Also there are already extensions that already do this! This looks unnecessary, and hostile. To the extensions community, and the web.

Or maybe just a publicity sham since Firefox by default already sends all the links we visit to Google.

You can turn it off.

They need to do the same for tag manager. That's the real poison pill.

Tag manager loads more than just tracking scripts.

Every script it loads is a tracking script. They don't host that code out of an abundance of altruism.

That's not how tag managers work. Tag managers are managed by the website who pays them (it's yet another SaaS), and the website can put whatever it wants there. Various site functionality could break if parts of the site logic is missing.

You can argue it is bad engineering, but it isn't exactly the tag manager's fault any more than it is the CDN's fault.

People use tag manager for tracking scripts, but it's also used for anything that you can put into a JS script (tracking or not). Not every script is a tracking script.

Yes, that's their point, it's the thing that loads all the fucking ads.

Please don't suggest it loads other meaningful things.

May as well claim torrenting is used for downloading Linux isos so it's not a piracy problem.

> May as well claim torrenting is used for downloading Linux isos so it's not a piracy problem.

May as well claim the internet is used for something other than piracy so it's not a piracy problem.

See how silly that is?

No because you're using the reverse of my example to make my example look silly but in fact you just prove my point.

May as well claim it's silly to not try to prove negatives.

A) Here is a computer communication protocol that can be used for many things. One of those things is infringing copyright.

B) Here is another computer communication protocol that can be used for many things. One of those things is infringing copyright.

The internet, being the IP protocol and the bit torrent protocol built on top of IP each are described above.

Differentiate A from B identifying which is IP and which is Bit torrent.

This demonstrates the silliness of the argument made. You either have principles and rules applied equally or you don't. I'm very, very much for the former. Being an utterly essential foundation of functioning democracy, the rule of law and opposition to the tyranny of government by whim.

Unfortunately it is indeed used for non-ad scripts. For example, Hearthstone on iOS fails to render the login page if GTM is blocked at DNS.

Indeed, one perspective on using GTM is as another avenue to customizing websites without using a developer.

Yep, that's exactly what a tag manager is. It lets the marketing department make changes, without the IT department getting involved and slowing things down with non-money-generating activities like code reviews or testing.

It's used to add tracking and advertising. But I've also seen it used for chat bots and chat agents. I've even seen it used for bug fixes that designers wanted to get out the door quickly.

I'm sorry, you lost me, where is the problem here?

The problem that he seems to be alluding to is that general problem of WYSIWYG cp. bespoke software - in particular, when tools like GTM are used in a way that adds to requirements cruft and detracts from software reliability.


Well, I personally always use the torrent when I download an iso...

But I also have gtm black holed.

May as well claim air is breathed by non-pirates as well so it's not a piracy problem.

You should post a blog post about this to HN. It's not related to tracking and it's still really interesting, so it deserves more than just a tangential comment here.

How would that work? You'd still need to make a request to figure out what scripts to add.

What should I use in place of Google Analytics for basic web traffic analytics?

I've been using plausible (https://plausible.io/) recently and I've been really happy with it. I've written about the move from GA to plausible, for my use-case, here: https://www.bookstackapp.com/blog/replacing-ga-and-mailchimp...

I switched! Thank you.

GoatCounter[1] or Plausible[2]

[1]: https://www.goatcounter.com/ [2]: https://plausible.io/

The only real free alternative to Google Analytics tbh.


It analyzes your log files instead of client-side tracking.

The best solution is to self-host your analytics platform, to avoid any data being stored by 3rd parties and it gives you the best chance to not use the next platform that will be blocked like Google Analytics.

If you want to try one, I am building https://userTrack.net, you can PM me on Twitter if you need a discount.

Zoho's Pagesense is great: https://www.zoho.com/pagesense/

Wow, that is expensive! $16 a month for analytics.

Of course, ~every GA alternative is going to be a paid service.

My meta-recommendation is actually to opt for zoho's "one" suite, which gives you basically everything they offer for $30/mo/full-time employee: https://www.zoho.com/one/pricing/

"Please disable your analytics blocker to view the content on this page"

Sure! visits page through archive.is

Annoyingly enough, archiv.is itself will present you with a buttflare CAPTCHA if you don't feed it enough tracking information.

Hmm, I'll take buttflare over Google. All roads lead to butt.

Firefox should really double down on this. All this strict privacy protection could be branded as Firefox Pro and they could charge for it. This would make for a nice revenue stream as more and more people begin to see the value of this. If Hey can do it for email, Firefox Pro can do it for browsers!

Counterpoint: this would destroy Firefox' credibility.

I use Firefox because of their strong pro-privacy stance. If they started charging for "real" privacy, it would damage that image - "privacy for those who can afford it" would be a bad slogan.

Also, Firefox has made it clear that they don't want our money, as seen in their continuous refusal to accept donations.

I've been using Firefox since the Phoenix/Firebird days, and I fear the day that Google ends their search funding to the project.

They are absolutely on the right track with Mozilla improving the actual -browser- with all of these new privacy features and core improvements. This could put them in a position to create a revenue stream independent of Google, where people would actually be willing to pay to have a browser wholly decoupled from these ad companies.

There's some risk there indeed, but there would be also big anti-monopoly scrutiny risk from Google's side doing that if they indirectly kill alternative browsers.

Right now there's some kind of equilibrium by having alternative browsers/engines, on Windows especially, plus Google still gets traffic from millions of Firefox users by being default search engine, which makes them $$$.

> I fear the day that Google ends their search funding to the project

I look forward to that day - until then, all decisions Mozilla makes are impacted by that fear.

I don't mind blocking ads, but analytics? That seems like taking the desire for privacy too far.

Why shouldn't site owner know you've visited their site? How will they do their job if they don't know where people come from, what content they enjoy, what devices they should optimize for, general demographic of their audience, etc.

These are all the things a restaurant owner would know about their customers, for example. But no one seems to have a problem with that.

The problem is with the centralisation and aggregation of that knowledge. It’s not (necessarily) bad that the site owner knows you’ve visited their site, it’s bad that Google knows all of the sites you’ve visited.

That's a fair point.

While I am not as concerned about big tech's data siloing as some, I can see why it's worrying.

Unfortunately, not only is GA the best totally free analytics solution that any marketeer will know how to use, many ad blockers nuke ALL analytics scripts, even if they have nothing to do with google.

> many ad blockers nuke ALL analytics scripts, even if they have nothing to do with google

That's because you don't need analytics scripts to see if people visit your site - you have the original page request for that. Analytics scripts collect additional information beyond that, which users that block them have deemed to be not acceptable.

Less about stopping analytics and more about stopping privacy-malicious analytics (which google analytics could arguably be defined as). Install a privacy friendly analytics package and I suspect it won’t be much blocked.

That'd be a reasonable counter-point if extensions like uBlock Origin weren't also blocking self-hosted analytics packages, like Matomo.

I think people in general have gotten so sick of ad powered big tech they are having a bit of an over-reaction against analytics in general, not just google's product.

Perhaps I'm old fashioned but I would not expect a restaurant owner to track where I come from, my demographics etc?

Restaurant owners do exactly that - just by looking at you sitting in there (and other customers).

not my underwear colour, type, size. What they see is what I offer to show

They wouldn’t have to “track” it scientifically in a database.

They would just know implicitly by observing their customers who are right in front of their eyes. (At least pre-covid)

would they know which car I drive from looking at me?

> These are all the things a restaurant owner would know about their customers, for example

The restaurant I visit most often "knows" only my first name (only) plus my mobile phone number, I suppose if they really tried they could probably collect data on my approximate height, build, eye and hair colour, and that I have multiple kids. That's it (since I pay them in cash).

Oddly enough they don't worry about tracking their customers and instead focus on delivering an excellent product with excellent service. They're known in the region for that, they're usually busy, so one might think their strategy seems to be working(?)

They also know when you like to visit, what you like to order, how long you stay, who are you with...

All together, that's more data than a Google Analytics user knows about any of their visitors.

You could do all that without involving the world's largest advertising corporation. Use the data you already receive with each request. You know, count how many pages you've served, use a GeoIP database on visitors' IP addresses, parse their user agents, all that kind of stuff.

A lot of relevant interactions in modern apps are client based. You'd have to send those data points via ajax, but then you've just recreated google analytics.

Also, feels like a bit of an arbitrary boundary.

They know I visited the page by their servers serving me the page. Why the hell does Google need to be involved for that?

And why should a random page I visit get to know my demography, interests and where I come from? How can you portray avoiding that as taking privacy too far??

I don't care if that makes it harder to optimize your business. Find another way or perish.

But these are all things that real world business can learn as well about you, more or less.

You don't have a problem with them knowing that.

How do the real life businesses know that? If I explicitly tell them, that's fine. If they know it through some nefarious collection I would have a problem with that.

Would it be reasonable for a restaurant to know about every other restaurant you visit? And every store you look at, and every newspaper article you read?

As a user of google analytics, I don't know any of that.

But you do! There’s an ‘Interests’ profile of your visitors in the stats, which is based on what they do on other sites.

Of course in any case Google knows and they choose how much they want to tell you.

Fair point. I am not a heavy GA user, I just use the basic functionality.

Nevertheless, I don't feel iffy about my Interests profile participating in aggregate data available to the sites I visit. Since virtually all sites are free of charge, giving some of that insight back seems like a fair trade.

That said, having ALL that data available to Google without anonymization is a bit more worrying, although I haven't seen many examples where it hurt someone in real world.

JS analytics gives away too much.

Web site owners can analyze their web server's log, which has at least client's IP address, user agent, timestamp and the URL. Already too much if you ask me.

I’m mostly interested in what moves like this will mean for e-commerce. Not the sites themselves, but all the shady and honestly unprofessional retargeting, ad-agencies and online marketing in general. Most of those businesses rely on questionable JavaScript based tracking. I don’t see the majority of those businesses having the resources or knowledge to survive without JavaScript tracking.

Most of those things are easily analysed in-house or with much less invasive solutions than GA.

> general demographic of their audience

This is not useful to improve a product unless combined with proper research into the demo, which most people don't do. They just apply their own biases and make their product _worse_.

So many people are making all their decisions based on shallow data like this and never do a simple usability test that yields massively more impact.

Put differently, people use this data to try to focus in on specific traits of their audience before even testing that their software works for "humans".

You can, as the owner of a site, check that someone has visited your site, but you cannot give that information to Google (without consent). That's illegal under the GDPR.

Also, you have zero control of what code any client executes on their machine. Zero say, whatsoever.

> That's illegal under the GDPR [..]

So what about sites that claim that certain cookies are necessary for operation of the site, when that's at best bending the truth and at worst an outright falsehood?

Many sites work perfectly well and - amusingly - become blazingly fast once you block all scripting and cookies. No annoying GDPR notices, no annoying ads, no (client-side) tracking. So much for "necessary" cookies :/

You can still self-host your web analytics and they won't be blocked, plus it's 100x better than using a "free" service that centralizes data.

I am not deep into analytics space, but I know from experience that the most popular ad blocker (ublock origin) will block the most popular self hosted analytics package (matomo).

The thing about blocking self-hosted analytics is that it's very easy to avoid being blocked if you want. You can just change the included tracker name, or request parameter names.

best to ask. Do you generally advertise your ethnicity/country when you go to a restaurant?

How do I effectively opt out of google tracking me?

I don't know that you can, entirely, but installing uBlock Origin and adding a DNS-level adblocker is a good start.

Lots of moles to whack. You can try using a non-chromium browser, decked out with privacy addons like uBo, Decentraleyes, Temporary Containers, Privacy Settings. If you'd like a chromium browser, Iridium Browser could work.

Also if you have an Android phone, you could try to install LineageOS without gapps, or go with /e/.

If you use Drive, Sheets etc, you could try ONLYOFFICE. They use GA, but your decked out Firefox should already block that.

For more alternatives, there are different resources that try to be helpful, like this one: https://degooglisons-internet.org/en/

the current state of evasion is somewhat precarious and requires a lot of knowledge and continuous manual work to reduce the tracking from big tech.

you have to keep a safe distance from computers/smartphones in order to effectively avoid it.

Won't Firefox shoot themselves in the foot here?

I mean devs will see that Firefox market share is way lower due to this than it is actually true. And will stop bothering about FF?

Or am I misunderstanding what this feature does?

This feature only applies if you are already blocking GA with Firefox. The change is that now the GA JS API will stay available for the website so that it can keep calling GA functions. The stub won't actually send any info to Google though.

Next week's stats are in, Firefox’s market share has dropped 50%!

This is perfect. I don't have all the stores following me around and where I came from, what my tendencies are etc. They also forget about me, generally when I leave the store. This tracking is not okay and nobody, absolutely nobody, gets to decide for me. Google doesn't own the internet.

Maybe a dumb question: Why isn't it enough to simply block the Analytics JS, why is it necessary to substitute it with a "fake no-op" script? Does blocking GA regularly break sites?

One use case I noticed: Don't render the site until Google Tag Manager is loaded. Because of this, when using an adblocker that blocks GTM, the site will never load.

I guess the reason to block until GTM loads is to use it to show some personalized ads/pricing/buttons.

Yes. Many sites assume that GA is there, and for example clicks on buttons may fail to work if the GA click call fails. It isn't great engineering from the site but Firefox wants its users to still be able to browse the web.
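The failure mode described in the comment above, as an added example that is not part of the thread and is not Firefox's or uBlock Origin's shim code: a constructed outbound-link handler that navigates only from GA's `hitCallback`, run against real GA, a blocked script, an empty stub, and a surrogate that honours callbacks without sending anything. `makeSite`, `installSurrogate`, `runScenario` and `queuedCallbackFires` are hypothetical names, and the `win` object stands in for `window`.

```javascript
// Constructed page code: an outbound-link handler that only navigates from
// inside GA's hitCallback, so it depends on window.ga behaving like the real thing.
function makeSite(win) {
  const site = { navigatedTo: null, error: null };
  site.onClick = (url) => {
    try {
      win.ga('send', 'event', {
        eventCategory: 'outbound',
        eventAction: 'click',
        eventLabel: url,
        hitCallback: () => { site.navigatedTo = url; },
      });
    } catch (e) {
      site.error = e.name; // the handler died before navigating
    }
  };
  return site;
}

// Surrogate: accepts every call, transmits nothing, still runs the callbacks
// page code may be waiting on. Real analytics.js fires them asynchronously;
// this sketch calls them synchronously to keep the demo deterministic.
function installSurrogate(win) {
  const queued = (win.ga && win.ga.q) || []; // commands queued before "load"
  function ga(...args) {
    if (typeof args[0] === 'function') {     // ga(readyCallback) form
      args[0]({ get() {}, set() {}, send() {} });
      return;
    }
    for (const arg of args) {
      if (arg && typeof arg.hitCallback === 'function') arg.hitCallback();
    }
  }
  win.ga = ga;
  for (const cmd of queued) ga(...cmd);
  return win;
}

// Run the same click under four conditions and report what the user experiences.
function runScenario(name) {
  const network = []; // stands in for requests leaving the browser
  const win = {};
  if (name === 'real') {
    win.ga = (...args) => {
      network.push(args.slice(0, 2).join(':'));
      const opts = args[args.length - 1];
      if (opts && typeof opts.hitCallback === 'function') opts.hitCallback();
    };
  } else if (name === 'empty-stub') {
    win.ga = () => {};
  } else if (name === 'surrogate') {
    installSurrogate(win);
  } // 'blocked': win.ga stays undefined
  const site = makeSite(win);
  site.onClick('https://example.org/');
  return { navigatedTo: site.navigatedTo, error: site.error, requests: network.length };
}

// Commands issued through the standard queueing stub before the script "loads"
// must also have their callbacks honoured once the surrogate takes over.
function queuedCallbackFires() {
  const win = {};
  win.ga = function () { (win.ga.q = win.ga.q || []).push(arguments); };
  let fired = false;
  win.ga('send', 'pageview', { hitCallback: () => { fired = true; } });
  installSurrogate(win);
  return fired;
}

for (const n of ['real', 'blocked', 'empty-stub', 'surrogate']) {
  console.log(n, JSON.stringify(runScenario(n)));
}
```

Only the surrogate case both navigates and produces zero requests; the blocked case throws and the empty stub silently swallows the click.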

LOL, this is beautiful!

And then every website starts doing the CNAME nonsense.

I didn’t know what you meant, so for others equally confused, this is a decent article:


I don't understand the hate for this trick. It still breaks cross-site user tracking. It's just sort of a hack around installing a hypothetical Google Analytics app on-prem or pumping in data via a server-to-server integration.

Google Analytics can't cross-reference data from other sites on the browser, b/c it's not a third party cookie now... what's the problem?

Work is ongoing on that front too: https://webkit.org/blog/8146/protecting-against-hsts-abuse/

If it’s only a CNAME, you’re one DNS lookup away from continuing to block it.

One DNS lookup you’re doing anyways.

It's random CNAMEs and they use the unique cname you queried as another tracking point.
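The "one DNS lookup away" check from the comments above, as an added example that is not from any commenter or from a blocker's code base: follow a first-party-looking hostname's CNAME chain and match every hop against a blocklist by domain suffix, so a randomised leading label does not evade it. The DNS records, the blocklist and the names `uncloak`, `matchesBlocklist` and `lookupConstructed` are all constructed for illustration; `lookupConstructed` stands in for a real resolver.

```javascript
// Constructed DNS data (hostname -> CNAME target); every name is a placeholder.
const CONSTRUCTED_CNAMES = new Map([
  ['metrics.shop.example', 'a1b2c3.collector.tracker.example'], // cloaked tracker
  ['a1b2c3.collector.tracker.example', 'edge.tracker.example'],
  ['static.shop.example', 'cdn.hosting.example'],               // ordinary CDN alias
  ['loop-a.shop.example', 'loop-b.shop.example'],               // misconfigured loop
  ['loop-b.shop.example', 'loop-a.shop.example'],
]);

// Constructed blocklist of registrable domains operated by trackers.
const BLOCKED_SUFFIXES = ['tracker.example'];

function normalize(host) {
  return host.toLowerCase().replace(/\.$/, ''); // case-insensitive, drop root dot
}

// Suffix match on label boundaries: "x.tracker.example" matches,
// "nottracker.example" does not.
function matchesBlocklist(host, suffixes) {
  const h = normalize(host);
  return suffixes.some((s) => h === s || h.endsWith('.' + s));
}

// Walk the CNAME chain, checking every hop. `lookup(host)` returns the CNAME
// target or undefined when the name has no CNAME record.
function uncloak(host, lookup, suffixes, maxDepth = 8) {
  let current = normalize(host);
  const chain = [current];
  for (let depth = 0; depth <= maxDepth; depth++) {
    if (matchesBlocklist(current, suffixes)) {
      return { blocked: true, chain, matched: current };
    }
    const target = lookup(current);
    if (!target) return { blocked: false, chain };
    const next = normalize(target);
    if (chain.includes(next)) return { blocked: false, chain, loop: true };
    chain.push(next);
    current = next;
  }
  return { blocked: false, chain, truncated: true }; // chain longer than maxDepth
}

const lookupConstructed = (h) => CONSTRUCTED_CNAMES.get(h);

for (const h of ['metrics.shop.example', 'static.shop.example', 'loop-a.shop.example']) {
  console.log(h, JSON.stringify(uncloak(h, lookupConstructed, BLOCKED_SUFFIXES)));
}
```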

Why isn't there more effort to subvert tracking vs trying to block it? Ruin the data and they can collect as much as they want.

There is a Chrome extension named Ad Nauseam. Was arguably but ultimately blocked by Google extension store. I still manually install and use it.

Have they replaced the Google Analytics on the add-ons site with this yet?

Being that Google funds Firefox, how long can this kind of thing last?

I like ads tracking as much as the next guy. However, I am not comfortable with a browser modifying content in any way. I am fine to have extensions that do that, but the browser itself shouldn’t do it “by default” without user explicitly enabling it.

It's not on by default, you have to turn it off by going from "standard" to "strict" settings so there's not really anything to complain about.

Is there a Mozilla source for this Mozilla news, not just Twitter?

The tweet links to https://bugzilla.mozilla.org/show_bug.cgi?id=1493602, which is a Mozilla source

And source code helpfully found by some other commenters:


Doesn't Firefox get all its money from Google?

Yes, but Google is buying service from Firefox, Google is not donating to Firefox.

Hm, the line between Foundation and Corporation is getting blurry from here

If only. Somehow there is no way for users to actually fund development of the browser.

Google can afford not buying that service though. Can Mozilla afford Google not being their customer? I genuinely don't know.

Given that the default search engine in Firefox was Yahoo for a year or so when Google decided not to pay... sure, why not?

I'm sure Microsoft would be happy to pay for Bing to be the default in Firefox.

If Google don't pay for Firefox's continued existence, they'll have to deal with anti-trust lawsuits over their Chrome market share. That's essentially why they keep paying.

They could have, if they focused on their core mission the whole time and invested the excess in an endowment that made them independent of corporate donations.

That is just lovely.

What a great idea.

Fantastic. There is no excuse for using Chrome nowadays.

Thankfully we don't need an excuse.

OMG I love this.

Talk about biting the hand that feeds you

Power to the people

I'm confused.

I thought Google Analytics tracked you within a site, and that it's fundamentally not really any different from analyzing server logs except the logs are simply hosted in Google's cloud and visualized using Google's tools. I realize it uses cookies but that's to build analytics around sequences of user actions, since many users can be collapsed into a single IP. Privately hosted analytics software needs to use cookies to achieve the same thing as well.

Google Analytics doesn't have anything to do with building an advertising profile around users, correct?

I know it's popular to hate on Google but does this achieve anything against tracking users across sites in order to build advertising profiles? I was under the impression all the profile-building people object to was done via the pages with ads themselves.

Is Google Analytics actually an evil tool? Or is just "evil by association" because Google ads track users across sites, and Google Analytics also does "tracking" albeit a different kind? I'm just wondering if this is actually anything substantive, or if it's more symbolic.

Edit: wow those were some FAST downvotes. I'm just asking some basic questions to understand how meaningful this is, folks. Hopefully nobody's taking offense.

Google Analytics tracks you across different sites AFAIK. Mozilla supposedly has a special option in GA to not correlate data gathered on their sites with what GA gathers on others.

Even if it didn't, it still tells Google what you're visiting: with so many sites using it, they can get a pretty much complete view of your browsing history, just like Google Fonts.

> Google Analytics tracks you across different sites AFAIK.

See that's the thing, I keep seeing this asserted but when I search for any evidence, I can't find a single article that demonstrates this to be true.

If you own multiple sites you can enable analytics across them, but that's all.

And if Google wants to know what you're visiting to build advertising profiles, they have so many options -- not just Fonts, but DNS, Chrome, ads... it's not like GA by itself is making any substantive difference. But again, just because it could be used for this doesn't mean it is.

So I don't get how this is actually helping. I worry it's a distraction from actual achievements.

There is an option, deep in your account settings to see what Google has collected on you.

> to prevent websites from breaking

Nope, nothing will break. I am blocking GA in the following ways: NoScript, PrivacyBadger, Windows HOSTS file. I see the thing being called, and nothing gets through, and websites work properly.

Edit: the bugzilla article mentions both GA and googletagmanager.com, which (both) I have been successfully blocking in the above ways for many years. I never had any website not working because of those two pieces.

I mean the Bugzilla literally has an example of a website that breaks.


Someone built the unsubscribe mechanism in a way so that they FORCE the user to be tracked by GA. That someone is... Xfinity? By Comcast? Hahahaha!!

One.Website. So we should yield to those **(profanity)? That one website does not deserve our respect.

Comcast: https://www.geekwire.com/2019/comcast-fined-9-1m-consumer-pr...

Edit: "we are scum. We want to ** your privacy any way we can. We just got hit with a multi-million fine, so we will continue. You want to unsubscribe? Sure, be tracked a bit more while at it." /end-rant

What are you saying? Firefox should stop doing this because no sites have broken for you when blocking the script?

Only anecdotal, and no longer happening: The top menu on https://www.easyjet.com/en/ used to break if you disabled Google Analytics, the submenu just wouldn't appear.

counter-anecdote: I encountered multiple sites that break because of blocked scripts. and this is with ublock origin, which has shims for common analytics scripts: https://github.com/gorhill/uBlock/wiki/Resources-Library#url...
