Backblaze Privacy Update: Third-Party Tracking - https://news.ycombinator.com/item?id=26550506 - March 2021 (69 comments)
I was a bit surprised that I didn't see something like "we're working with Facebook to delete any copies of the data Facebook may be storing".
The email they sent to affected users says this:
> Facebook is obligated to only process information based on our instructions and we have instructed them to not further process this data and to delete it.
I still think it's sketchy that they used the Google code at all, and I think they should have immediately deleted that from all their pages.
Main thing to remember is to only have it on the landing page for the ad campaign clicks and definitely not on the signed in pages.
Google Analytics is different from GTM. And as far as I know, Google Analytics only works with Google, not FB, Twitter etc (which GTM does).
Addressing it publicly like this (identifying exactly what was shared, who was impacted etc) builds a lot of trust. No denial or fobbing off, just clear communication.
True, such misconfigurations are bound to happen.
That's why it's so worrying that they thought it was OK to have a third-party script injector on the signed-in pages to begin with.
I see now that they've removed Google Tag Manager from those pages; however, they're still fairly opaque about preventing such a glaring security and privacy issue from happening again.
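One concrete way to act on the advice in this thread (keep tag managers off signed-in pages and catch a regression before it ships) is a template audit that flags any third-party script or iframe loader, including the inline bootstrap snippet a tag manager is injected through. This is an added example written for this thread, not code from Backblaze or any project mentioned here; the first-party host list and the sample page are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts treated as first-party for this (constructed) site; adjust per deployment.
FIRST_PARTY_HOSTS = {"example.com", "www.example.com", "static.example.com"}

class _LoaderCollector(HTMLParser):
    """Collects external src URLs of <script>/<iframe> tags and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            self.srcs.append(a["src"])
        elif tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def third_party_loaders(html, first_party=FIRST_PARTY_HOSTS):
    """Return the sorted list of non-first-party hosts a page would load code from.
    Inline script bodies are scanned for absolute URLs because tag managers
    (GTM, the Facebook pixel) are bootstrapped by an inline snippet that
    injects the real loader at runtime, so a src-only check would miss them."""
    p = _LoaderCollector()
    p.feed(html)
    hosts = set()
    for src in p.srcs:
        h = urlparse(src).hostname  # None for relative paths, i.e. first-party
        if h and h not in first_party:
            hosts.add(h)
    for body in p.inline:
        for h in re.findall(r"https?://([a-z0-9.-]+)", body, re.I):
            if h.lower() not in first_party:
                hosts.add(h.lower())
    return sorted(hosts)

# Constructed sample of a signed-in account page that still carries a GTM-style
# bootstrap (container id is a placeholder, not a real one).
SIGNED_IN_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];var f=d.getElementsByTagName(s)[0],
j=d.createElement(s);j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i;
f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-PLACEHOLDER');</script>
</head><body><h1>Your files</h1></body></html>"""

if __name__ == "__main__":
    print(third_party_loaders(SIGNED_IN_PAGE))  # ['www.googletagmanager.com']
```

Run it over the rendered templates of authenticated routes in CI and fail the build when the returned list is non-empty; the same function returns an empty list for a page that only loads first-party assets.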
Not a customer, however I was seriously considering switching to B2 for my backups before this happened. This post does very little to make me want to pursue that further.
I hope to see a blog post on HN sharing what they've done and concluded from their review of 3rd party JS. Hopefully the conclusion is that it's best to just purge FB from the site entirely.
Will check out B2 for our backups sometime :)
Also appreciated that GTM is being removed from private pages altogether.
They were aware of it on March 21 and said that they “were preparing a communication with affected users at that time”.
I received an email about that only yesterday.
That’s 52 days it took them to write me an email, which imo just isn’t good enough and afaik does not conform with the GDPR requirements for data breaches.
Any OSS self-hosted Google Tag Manager alternative to recommend?
Not sure about OSS alternatives. I know of a few competitors (Adobe Launch, Ensighten, Tealium), but they're all commercial. I don't expect there's a large market; the key value proposition of tag management platforms is cutting down coordination overhead between the marketing and IT teams, and self-hosting is the opposite of that. However, the trend towards first-party tracking may open a market for it.
Google has enough visibility on the internet to be able to correlate mere IP addresses with high accuracy. IP addresses are also still considered PII under the GDPR.