I'm the author, good to see this on HN, raising awareness on the topic
I don't know who made the translation and when it was made, but the original article in French (https://pixeldetracking.com/fr/google-tag-manager-server-sid...) contains more information on recent GTM "improvements": mainly on how you can easily change JS library names and detailed instructions on how to host your container in other clouds or self-host
Thank you for making SingleFile, it's been an absolute lifesaver in a project I'm working on. I was having a lot of trouble trying to manually save pages with puppeteer but the singlefile CLI worked perfectly, even with added extensions. (To get extensions to work I had to add --browser-headless=false --browser-args ["--enable-features=UseOzonePlatform", "--ozone-platform=headless", "--disable-extensions-except=/path/to/extension", "--load-extension=/path/to/extension"] )
Thank you! Actually I did some tests recently with SingleFile Lite and was able to save a page weighing 120MB+ so the 43MB limit seems obsolete. There are still some annoying issues though.
Hello pixeldetracking,
Yes it is me ;)
I translated your excellent page and made an HTML archive with the excellent SingleFile extension.
Thank you very much for all. I like to keep a copy of interesting content.
https://chromium.woolyss.com/#guides
This kind of data collection abuse is why I think we need more addons like AdNauseam [1]. Unlike uBlock Origin, it's not available from the Chrome web store anymore, which is a good sign that Google hates these types of addons more than they hate simple blockers.
Blocking A/AAAA domains with custom URLs to prevent tracking is almost impossible, so instead let's flood the trackers with useless, incorrect data that's not worth collecting.
Completely agree. Stuff like uBlock Origin is just online self-defense against hostile megacorporations. Maybe it's time we started going on the offensive by poisoning their data sets with total junk data with negative value. They insist on collecting data despite our wishes? Okay, take it all.
I worked for an agency a couple of years ago, when, out of the blue, tracked data contained tons of random data instead of the expected UTM parameters. It took us a while to figure out what was happening. It was some kind of obfuscating plugin that was messing up well-known tracking parameters.
What I want to say is: stuff like that could actually cause a lot of fun on the other side.
Yup. I've used NoScript for years, and one of the most frequently appearing sites that remain blocked is googletagmanager.
I totally second the sentiment that this is merely minimal defense against hostile 'service providers'.
This avalanche of tracking libraries is now almost as toxic as email spam in its worst-controlled days. Much of the internet is literally unusable, as pages take dozens of seconds to minutes to load - on a CAD-level laptop that can rotate 30MB models with zero lag.
In fact, does anyone have a blacklist of trackers that we can just blackhole at the HOSTS file or router level? Maybe time to set up a pihole?
In my experience the most popular noscript trackers are googletagmanager and facebook, so with just two domains you can get a lot. But e.g. bloomberg uses full first party proxy for facebook pixel with pseudorandom base url, it's difficult to block even by url; I suspect they duplicate the page request to facebook too, but this is unobservable on client side. Hopefully this solution doesn't scale well.
Since this extension actively clicks on ads which may trigger payments, how do ad-fraud services classify endpoints running this extension? Could they consider this malware and add the client IP to blacklists?
If we were to split what malware does into Infection (getting into the system), Avoidance (hiding from system, AV, or attacking AV) and work (sniffing, sending spam, etc.) then the Avoidance would be by far the biggest and most complicated (and most interesting) category.
Good. If it is a shopping or some other service that charges money, then they lose business.
If it is some service that you have no choice but to use, but relies on network effects (like Facebook Events), then you can just send a screenshot to the interested party and they might consider not using a service that is broken for other people.
Sure, and perhaps also the accounts of users running this while logged-in. Have contingency plans if you run this and your, say, GMail account is blocked.
I lost my gmail account a decade ago. Since then, year after year, I've been watching people suffer the same fate with gmail, youtube, google play, etcetera. There's always someone who won't believe that google can screw you over all of a sudden. There's always someone who will be surprised, always someone who thought it couldn't happen to them...
I don't know what else I can say. It's a shame I haven't been maintaining a list of all incidents I've come across.
> they collect everything through their desktop environment
There're many relevant questions during the install. If one actually uses the OS installation wizard GUI instead of skipping it with "next" buttons, Microsoft won't be collecting much.
Another thing, they don't have to because their business model is honest. They're building software, users are paying for that. Microsoft ain't an advertisement company, they have little motivation to track people.
> you need an email to set windows up now
I did a clean installation of Windows 10 last week (recycled an old laptop after migrating to a new one), the email was optional.
It's not going to be much of a throwaway once it's associated with every activity you do on your computer and the internet. In fact, it might be one of the most valuable email addresses (to Microsoft) that you ever make.
Adding another party into my web browsing is always a tough pill for me to swallow. I am also a noob at reading trust signaling. What are some of the reasons that I should trust this dev and their processes?
You should put the same amount of trust in this dev as you should in any other. I myself trust Mozilla's store reviews enough to run the addon, but if you're more conservative with trust, you can inspect the source code and build the addon itself.
The addon comes down to a uBlock Origin fork with different behaviour. I believe most of the addon code is actually the base uBlock code base.
I haven't seen any obvious data exfiltration in my DNS logs, but then again I'm just another random on the internet. If you don't feel comfortable installing something with a privacy impact as broad as an ad blocker, you should definitely trust your instincts.
My experience is that Pihole has been getting less effective over time as more and more ads are being run through the same domain that legitimate content is. When I first installed it it killed ads on my Roku, that doesn’t happen anymore.
What apps on your roku? I had to whitelist a Hulu domain cause it froze when trying to load ads during commercials for example, but when I look at the logs it’s blocking a ton of telemetry and phoning home 24/7 by Roku and Alexa devices.
Are you regularly updating your ad blocking filters? When ads start showing up on my phone I know it’s time to go hit the update button.
I feel like the reason you initially used a strong word like abuse is to distract from the same behavior the blockers you mention engage in. Spamming Google event services and "flooding" them with garbage is surely considered to be in the abuse category at least if you're not an avid anti-ad proponent.
God damn... this is it, this is the end-game. There's no way to fight this unless you customize and maintain blocking scripts for each individual website.
Yes, websites could always have done this, but the REST (CDN-bypassing) requests' cost and the manual maintenance for the telemetry endpoints and storage was an impediment that Google just gives them a drop-in solution for :(
I think Google is happy to eat some of the cost for the "proxy" server given the abundance of data they'll be gobbling up (not just each request's query string and users' IP address but -being a subdomain- all the 1st party cookies as well). I don't have the time or energy to block JavaScript and/or manually inspect each domain's requests to figure out if they use server-side tracking or not.
I honestly don't know if there's any solution to this at all. Maybe using an archive.is-like service that renders the static page (as an image at the extreme), or a Tor-like service and randomizes one's IP address and browser fingerprint.
"I don't have the time or energy to block JavaScript and/or manually inspect each domain's requests to figure out if they use server-side tracking or not."
By default, I don't run JavaScript. I don't see blocking JS as a problem - in fact, it's a blessing as the web is blinding fast without it - and also most of the ads just simply disappear if JS is not running.
On occasions when I need JS (only about 3-5% of sites) it's just a matter of toggling it on and refreshing the page. I've been working this way for at least 15 years - that's when I first realized JS was ruining my web experience.
I'm now so spoilt by the advantages of the non-JS world that I don't think I could ever return. I'm always acutely reminded of the fact whenever I use someone else's machine.
> By default, I don't run JavaScript. I don't see blocking JS as a problem - in fact, it's a blessing as the web is blinding fast without it - and also most of the ads just simply disappear if JS is not running.
Years ago I was on the "people who block JavaScript are crazy" bandwagon, until just loading a single news article online meant waiting for a dozen ads and autoplaying videos to load. I spent more time waiting for things to finish loading than I spent browsing the actual sites, which killed my battery life. I'd get a couple of hours of battery life with JS on, and with it off, I could work all day on a single charge. It was nice.
Ever since then, I've been using NoScript without a problem. I've spent all of maybe 5 minutes, cumulative over the course of several years, clicking a single button to add domains to the whitelist. If whitelisting isn't something you want to do, you can use NoScript's blacklist mode, too.
> I'm now so spoilt by the advantages of the non-JS world that I don't think I could ever return. I'm always acutely reminded of the fact whenever I use someone else's machine.
> until just loading a single news article online meant waiting for a dozen ads and autoplaying videos to load.
That sounds like you not only didn’t block JS, you also didn’t block ads. Which is a very different argument. I only block 3rd-party JS by default (and that already requires a lot of whitelisting for almost every site that has any interaction) and I don’t have those issues because I also block ads.
There was a period around 2014 - 2016 where even if you used uBlock, ads would still get through. Even now, when I use computers that just have uBlock Origin installed, some ads, and especially autoplaying videos on news sites, still get through.
Tried NoScript for years and it was a pain. Too many of the sites I use need so many domains full of JS. So I think this will vary widely depending on the person and their preferred/needed sites.
It has to be said: there are people who can get by without JavaScript and those who can't. You can almost predict those who can and those who can't by their personality.
If you are a heavy user of Google's services, Twitter and Facebook as well as many big news outlets and heavy-duty commercial sites then you're the 'JavaScript' type and stopping scripts is definitely not for you!
If you are like me and don't have any Facebook, Twitter or Google accounts and deliberately avoid large commercial sites like, say, Microsoft then you can happily switch off JavaScript and experience the 'better' web.
You know the type of person you are, so with this fact in mind there's no point me proselytizing the case for disabling JavaScript.
I can relate 100%. In the past I was constantly using Twitter, Gmail, et al. I was using different hacks to bend them to the extent possible to my will. Time changed, my personality changed and the desire and need to use those services disappeared, therefore I naturally stopped using them. When people were talking about this or that service being down, I didn't notice it at all. I was also lucky enough to not rely on them on my $dayjob. I run my mail server, host my website and run my scripts. Old-fashioned guy, let's say. It works well for me. Moreover, JS-bloat is a red flag to stay away from certain services. Has served me well.
This seems like a broad generalization. JS continues to permeate every industry brought to the web. It's increasingly not optional as employers and governments mandate more and more web services. Doubtful that can be predicted by personality.
"...as employers and governments mandate more and more web services."
It's not compulsory, especially governments. I never deal with government on the web at a personal level. If they expect me to fill in forms I simply say that I do not have the web and would they please send me a paper copy - which they're obliged to do at law - same goes for the census.
If the government expects me to do business with it on the internet then it will have to legislate to make it compulsory AND then provide me with the necessary dedicated hardware for said purpose.
Why would I act this way? Well, for quite some years I was the IT manager for a government department and I know how they work (or I should say don't work).
BTW, as IT manager I never used email within the department (perfunctorily emails sent to my office were received by secretarial staff). If the CEO wanted to send me an important memorandum then he had to have it typed up on paper and personally sign it (and I would reciprocate the same). When in government you quickly realize that atoms on paper and especially a written signature is real guaranteed worth - unlike ephemeral emails that can vanish without trace.
I'm forever amazed at the trust the average person has in these vulnerability-ridden flaky systems.
> If you are a heavy user of Google's services, Twitter and Facebook as well as many big news outlets and heavy-duty commercial sites then you're the 'JavaScript' type and stopping scripts is definitely not for you!
I, unfortunately, use some of these services and similar ones, too, and it takes a few seconds to enable JS on them, and then the sites will work indefinitely afterwards.
I use NoScript with Firefox on Android (together with uBlock Origin). After I unblocked the websites I regularly use (and not the ad delivery domains), it doesn't get in the way that much.
> Years ago I was on the "people who block JavaScript are crazy" bandwagon, until just loading a single news article online meant waiting for a dozen ads and autoplaying videos to load.
Seems like a clear case of "crossing the river to collect water" (as the Swedish saying says)? This is what I use uBlock Origin (with the right blocklists) for and it happens automagically. I did use uMatrix for quite a while, but eventually ended up ditching it because uBlock Origin worked so well.
There's another, indirect benefit to blocking JavaScript.
Over time I have noticed a strong correlation between sites which don't work right without JS and low-quality content which I regret having spent time reading.
Most of the time I encounter one of these sites I now just close the tab and move on with a clear conscience.
"Over time I have noticed a strong correlation between sites which don't work right without JS and low-quality content...."
Absolutely true, I can't agree with you more. I've reached the stage where if I land on a site and its main content is blocked if JavaScript is disabled then my conditioned reflex kicks in and I'm off the site within milliseconds.
Rarely is this a problem with sites that I frequent (and I too don't have time to waste reading low quality content).
There are stacks and stacks of them here on HN that are of excellent quality - I use HN as my 'quality' filter (and I reckon I'm not alone).
Moreover, if one doesn't run JS like me then it's dead easy to avoid problematic sites as HN lists them (Twitter, etc. - and it doesn't take long to get to know the main offenders, thus avoid them).
:-)
BTW, I agree with you it is hard to find good sites these days but eventually most really good sites appear here on HN. Do what I do, when you come across them bookmark them.
A pedantic note that follows from this particular thread: HackerNews’s search capabilities are powered by Algolia and require JavaScript to work (turn off all JS and the HN branded Algolia page will not load). The reason I bring this up is that even good websites sometimes lean on free or free-ish services to provide extra functionality (such as calendars, discussion boards, issue tracking, or search) without realizing that such functionality may be a back door to letting JS in and any tracking/privacy-erosion that could follow from it.
Right, HN does use JavaScript for certain functions, search etc. Now, if you read the second paragraph of my first post I've got such cases covered.
OK, here's the scenario: I log on to HN with JavaScript disabled, do all the things I do, read articles, submit posts all without JS. At some point I want to search HN so I hit the 'toggle JS' button on my browser, it then goes from red to green to tell me JS is now active. I then refresh the page and start searching HN. When I've finished I hit the JS toggle and the button goes back to red - JS is now kaput.
I really can't think of anything simpler - JS is off until I really need it and when I do it's immediately available without digging deep down into menus etc.
I'd add HN uses JS as it was originally intended and does so responsibly. I have nothing against JS per se, the problem comes from websites that abuse webpages and thus the user by sending megabytes of JS gumph and so on.
Running without JS and only turning it on when really necessary I reckon is a reasonable compromise.
It's true, there are some decent sites out there which use JS legitimately to add features. And there are some sites which require JS without really needing to, but still have good content and do not have unnecessary annoyances and performance problems.
Lucky for me, I can toggle on JavaScript for them individually and continue with my general policy.
The thing with WWW is links, the web. So https://news.ycombinator.com is a good starter. From there, yes, you could end up on twitter.com for example but it would be worthwhile.
“…you could end up on twitter.com for example but it would be worthwhile.”
Unpopular opinion: I never click on twitter links anymore. It’s almost never worth it.
IMHO, 140/280/N character limits are a way to cheapen discourse. I think there is something to be said for the “density” of text: text that offers very little to think about (less dense) is vacuous but encouraged by a character limit; yet, text that is compressed into a character limit either packs too much info into a short space that requires more discourse to properly get a thought across or elides too much from the text, making it less accurate/meaningful/important. Or worse: people chain posts into long 1/907, 2/907, 3/907… trains that should be blog posts rather than requiring some other application to string the thread together.
Of course the other reason (more central to this discussion) never to click on a twitter link is that JS and an account login is required now to read the posts past a certain point. If that makes me an old man yelling at a cloud, so be it, but aren’t there better ways to handle online public discourse without sacrificing people’s privacy and security?
"Unpopular opinion: I never click on twitter links anymore. It’s almost never worth it."
It's not unpopular with me, I agree with you completely. I was never a Twitter fan but when they forced the use of JS that was the end of it (you'll note I used Twitter as an example in one of my earlier posts).
You're right about sacrificing people’s privacy and security, as I said in another post 'I'm forever amazed at the trust the average person has in these vulnerability-ridden flaky systems'.
Similar here. When I am searching for something and a website won't show it unless I enable JS on that website, then usually it is the case that, after enabling JS to see the content, I realize that the website's content is worth nothing and that I activated JS for naught, regretting having spent time on that website.
Can't find any ads on NoScript.net with uBlock running and uniblue.com seems to have expired. However it is hilarious that the complaint comes from Adblock Plus, their entire business model is built around bypassing EasyList. For a generous fee they make sure that your ads are "acceptable".
What makes you think this comes from ABP? The article linked to is from 2016, they link to a history between NoScript and ABP. The article by ABP is from 2009 (!!). Back in 2009, ABP was the de facto standard. There was no uBlock. There was NoScript, but no uMatrix yet.
The developer issued an apology and reverted the change, and apart from a Ghostery one (who are also shady) no further controversies are documented at [1]. Perhaps the Wikipedia article is incomplete, given the one linked is from 2016?
Firefox has never been slow for me over the last 15 years because NoScript makes it light years better than Chrome. Conversely, I routinely have the Android assistant lock up on me from JS bloat despite the supposed performance enhancement of AMP pages.
profootballtalk.com works great if you don't want to vote or comment
macrumors.com great functionality
nitter.net happily takes the place of twitter.com
drudgereport.com works great and I rarely turn on JS when I go to the sites he links to, usually the text on target sites is there if not as pretty as it could be
individual subreddits (e.g. old.reddit.com/r/Portland/ ) are quite good w/o JS. But the "old." is probably important.
I admit that there are lots of sites that don't work, e.g. /r/IdiotsInCars/ doesn't work because reddit uses JS for video. For so many sites the text is there but images and videos aren't. Also need to turn off "page style" for some recalcitrant sites.
In conclusion, contrary to your JS experience, I'd say that I spend over 90% of my time browsing w/o JS and am happy with my experience. Things are lightning fast and I see few or no ads. I don't need an ad blocker since 99% of ads just don't happen w/o JS.
> In conclusion, contrary to your JS experience, I'd say that I spend over 90% of my time browsing w/o JS and am happy with my experience. Things are lightning fast and I see few or no ads. I don't need an ad blocker since 99% of ads just don't happen w/o JS.
Well, you still have lots of tracking stuff loaded probably, unless you got something extra for blocking trackers. A tracking pixel does not need JS. A font loading from CSS does not need JS. Personally I dislike those too, so I would still recommend using a blocker for those.
> Well, you still have lots of tracking stuff loaded probably, unless you got something extra for blocking trackers.
Yes I'm sure I have that stuff loaded. But I don't care because it's quite ephemeral:
I exit Firefox multiple times a day, there's really no performance cost to doing that after every group of websites. E.g. if, while reading HN, I look up something on Wikipedia, or I search with Bing or Google, everything goes away together.
In my settings: delete cookies and site data when Firefox is closed
In my settings: clear history when Firefox closes, everything goes except browsing and download history
No suggestions except for bookmarks.
So when I restart Firefox to then browse reddit it starts with a clean slate.
Comcast insisted I purchase a DOCSIS3 modem quite a while ago. Once downloads are at 100 Mbps+, does it really matter if I repeatedly re-download a few items to cache?
The only noticeable downside is when I switch to Safari to view something that needs JS, I then see ads for clothing that my wife and daughters might be interested in. I presume this is due to fallback to tracking via IP address. Of course I always clear history and empty caches in Safari.
Obviously this doesn't work for someone who wants to or needs to keep 100 browser windows open at once, for months at a time. But that's not me. I don't think that way, never have.
Edit: just had to add that sites like Wikipedia are better w/o JS (unless you edit?). I don't see those annoying week-long pleas for money. Do they still do those?
> Obviously this doesn't work for someone who wants to or needs to keep 100 browser windows open at once, for months at a time. But that's not me. I don't think that way, never have.
Caught me. Tab hoarder here : )
> I don't see those annoying week-long pleas for money. Do they still do those?
They still do those. At least I have seen them less than a year ago.
Read my reply to paulryanrogers about whether one's a JavaScript or a non-JavaScript type person.
The 3-5% of sites I'm referring to are ones where I have to enable JS to view them. In by far the vast majority of the sites that I frequent I do not have to enable JS to view them.
Also note my reply to forgotmypw17, one doesn't need JS if one avoids low quality dross.
I will give it another shot.
Unfortunately though, this does not solve the server-side GTM issue, right?
If the 3-5% of the websites you use start tracking via server-side GTM with the site's domain, you will not be able to simply use noscript to disable tracking?
You're probably right, but then there are many factors involved - take Europe's GDPR, I'd reckon it'd be deemed unlawful under those regs but of course that doesn't help those of us outside Europe.
It remains to be seen how Google's Tag Manager actually works and I'd be surprised if data from your machine is ignored altogether. If your machine says nothing about you then Google won't know who you are - unless you have a fixed IP address and most ordinary users don't. Sure there's browser fingerprinting (but I never bother about this as I use multiple browsers on multiple machines which screws things up a bit).
When I used to worry about this more than I do now, I used to send my modem/router an automatic reboot signal during periods of inactivity, this ensured a regular change of IP address.
OK, so what info can be gotten from your machine if JavaScript is disabled? Some but it's nothing like what happens when JS is active - in fact the difference is quite staggering (ages ago I actually listed the differences on HN).
Presumably you could search for the post but there's an easier way. Use the EFF's test your browser site https://coveryourtracks.eff.org/ and do the test with and without JS. Note specifically the parameters with the 'no JavaScript' message.
Also note the stuff a website can determine about you even when JS is disabled - with this info you can start tackling the problem such as randomizing your browser's user agent, etc.
My aim was never to kill every bit of tracking, rather it was to render tracking ineffective and I've been very successful at doing that. The fact is I don't get ads let alone targeted ones just by turning off JS and having an ad blocker as backup. The only other precaution I take is to always nuke third-party cookies and to kill all standard cookies when the browser closes.
I'm not too worried about Google's Tag Manager, for even if Google tracks me it still has to deliver the ads and it cannot do so with JS disabled and an ad-blocker in place.
__
Edit: if you want to watch YouTube then Google insists you enable JavaScript. This is a bit of a pain but it's easily solved with say the Android app NewPipe (available via F-Droid). NewPipe also has the added advantage of bypassing the ads and having the facility to download clips as well if that's your wont.
Of course, there are similar apps for desktops too.
If you've advanced protection running then you're a dyed-in-the-wool Google user (hard core type) so I wouldn't even try.
I'm the exact opposite. I root my Android machines and remove every trace of Google's crappy gumph, Gmail etc. (I don't even have a current Google account.)
I occasionally use the Google playstore but I log on anonymously with the Aurora Store app (not available on the playstore).
I say occasionally because that's true, instead I use F-Droid or Aurora Droid to get my guaranteed spyware free apps. It's a different world - I'm the antithesis of the happy Google user.
Don't try to load NewPipe, in your case it's just not worth the effort (and Google will notice the fact).
This. I use the no script addon by default, and it’s amazing how many different domains sites try to bring in. Then I hit Twitter, imgurl, quora, etc and I am left with nothing but a blank page with plain text telling me that I need JavaScript to view the site. It makes me wonder what kind of tracking they are pushing.
All of them. If you allow everything and have Ghostery running in "don't block anything but tell me what's there" mode, it's horrifying just how many things get loaded.
You can play with page load sizes in the debugger console with stuff blocked and without too - about half the downloaded material on any major news website is stuff that Ghostery will block. It's quite terrifying.
> and also most of the ads just simply disappear if JS is not running.
since we are talking about the future I'd like to point out that they can always serve ads from the origin domain without javascript.
I mean the anti-adblock battle will evolve until each page we visit is a single image file that we have to OCR to remove ads. then we will need AI, and they will have captchas that will ask which breakfast cereal is the best.
you can stay ahead of the curve but it's always moving forward.
"...they can always serve ads from the origin domain without JavaScript."
But most of them don't. Yes, they can change their model and in time they likely will.
As it stands now, one doesn't have to watch ads on the internet if one doesn't want to - all it takes is a little perseverance and they're gone. If one can't rise to the occasion then one has a high tolerance for ads.
Even YouTube can be viewed without ads with packages such as NewPipe and similar.
You're right about AI, OCR etc. and I think in time it will come to that.
It seems to me people like us will always be ahead because we've the motivation to rid ourselves of ads. It reminds me of the senseless copyright debate - if I can see the image then I can copy it. No amount of hardware protection can stop me substituting a camera for my eyes. What's more, as the fidelity goes up HD, 4k etc. the better the optical transfer will be (less comparative fidelity loss).
That said, the oldest technology - standard TV - is still the hardest to remove ads from. Yes, one can record a program and race through the ads later (which most of us are very adept at doing) but it's still inconvenient.
What I want is a PVR/STB that figures out the ads and bypasses them. Say I want to watch TV from 7 to 11pm (4 hours) and there's a total of one hour of ads and other breaks in that time that I don't want to watch then I want my AI-aware PVR/STB to suggest that I start watching at 8pm instead of 7 as this will allow it to progressively remove ads on-the-fly across the evening.
The person who makes one of these devices will make a fortune. If the industry tries to ban it (as it will) then we resort to a software version and download it into the hardware. Sooner or later it's bound to happen and I'll be an early adopter.
> What I want is a PVR/STB that figures out the ads and bypasses them. Say I want to watch TV from 7 to 11pm (4 hours) and there's a total of one hour of ads and other breaks in that time that I don't want to watch then I want my AI-aware PVR/STB to suggest that I start watching at 8pm instead of 7 as this will allow it to progressively remove ads on-the-fly across the evening.
I wonder if something like SponsorBlock for YouTube (which is a must-have) could be done for TV? It's a crowdsourced effort and works flawlessly for popular channels.
How does blocking javascript in this case prevent tracking? It's done via the same cookies the website uses, as I understand it. Do you disable cookies too?
There is some truth to this though. It is sometimes hard to find that HN topic, that you remember just a few words of, through the Algolia search thing.
Apple’s Private Relay blocks this type of cross site tracking.
Given this tracking is all server side, third party cookies across sites aren’t possible using this mechanism, and private relay cycles through your IP addresses frequently and uses common IPs across multiple users.
Regarding your other point, unless Google execs want to be thrown in jail / sued, they can’t use things like first party cookies for their benefit since that is against their terms of service.
Private Relay uses ingress and egress relays. The ingress proxy does know your IP but not which sites you are visiting and what you are doing. The egress proxy is only connected to the ingress, sees what you visit but does not know who you are. Both proxies are run by different parties.
With a VPN you would have to trust one provider, who sees all of your traffic.
Yeah that would be a useful service that Mozilla could offer and I'd actually pay for.
I don't like their VPN as it's too basic in terms of privacy protection and it's much more versatile to just sign up with Mullvad myself because then I can use it on other stuff than just the browser.
I think in the short-term the strategy is this from the article:
> Or ... block all the IP addresses of Google App Engine, at the risk of blocking many applications having nothing to do with tracking.
Anyone hosting legitimate apps in the Google ecosystem is indirectly complicit in this and at least for my personal network, I have no concern with blocking Google App Engine holistically.
Additionally, I think it's important to hurt Google as much as possible for escalating in this way. Widespread blocking of GAE may seem extreme but it's also arguably warranted.
Use two browsers. One where you don't block tracking and can access government and make purchases on shopping sites, and one where tracking is blocked and JavaScript is turned off.
Yes, I feel the same, at least for a lot of things. Certainly, all externally facing websites should be designed and maintained by gov't staff.
From time to time, HN features high quality UK gov't websites. In the last five years, the UK gov't has made dramatic strides on "digital gov't" initiatives that benefit regular citizens. As I understand, most of those sites are built and maintained by gov't employees. This runs counter to the normal, all-prevailing attitude in UK that "any gov't is too much gov't" (or "any gov't that does not directly benefit me...").
The trouble is, they're mostly Microsoft and either Azure or AWS behind the scenes. The UK government as a whole seems to love Microsoft. I just worry it will be out of the frying pan and into the fire...
Brit here. On your last point, there is no such widespread attitude in the UK towards government. We are historically conservative, but not libertarian. Don't forget two of the most famous and loved British institutions are the BBC and the NHS. I'm not saying such attitudes don't exist, because they do, but it's not "all-prevailing" by any stretch.
The Conservatives want to privatise the BBC and the NHS though - abolishing the BBC licensing fee is a recent move, and steps to privatise the NHS have been repeatedly popular among politicians over the last decade.
I would like that law. However, they would have to pay wages and offer working conditions, that actually attract good developers and they would have to stop outsourcing everything. Outsourcing everything is also a problem with otherwise qualified engineers unfortunately. The big picture long term consequences are unpleasant.
You have to draw a line somewhere with that logic, otherwise you'd have governments running their own fabs.
I'm fully in favour of governments doing everything from hosting up (hosting, design, dev), with as much as possible open source.
For instance the French government fares well on this front, with most government services being developed in-house, and many parts are open source; in emergencies specific services were delegated to third parties (e.g. vaccine bookings) so it isn't taken to a religious NIH level. However hosting is delegated to commercial entities.
Realistically, Congress could in fact mandate that government website implementations must be transferable between software vendors. That’s both technically feasible and in line with past government requirements for hardware procurement.
The US government isn't shy about adding rules for its contractors. It should be trivial for them to demand (or provide) dedicated IPs for their sites. Then they won't get caught up in the IP address blocking of GCP.
The big tech companies have all built out lobbying capabilities; such a law would end up helping big tech and harming small companies because the big companies would be involved in authoring the law and would be contributing to the sponsors and committee chairs and members to get their favorable language included. And it would all be legal and business as usual.
IANAL, but how about something like, "Government services offered via WWW must not contact commercial servers and must be fully usable with non-JS browsers."
Aren't browsers shifting to a per-domain cookie jar?
While you can never prevent one specific site from tracking you, this still doesn't (directly) allow your activity on Site A to be linked to activity on Site B, does it?
Of course, fingerprinting combined with IP addresses will ultimately allow something that comes very close to it, so the current state (a few hundred trackers per website, all ending up harmlessly incrementing the adblocker's counter) is better for privacy for power-users, but I'm not sure if this is the big "game over".
Google is pushing to have the browser itself track your interests and share them with whoever asks. The first attempt, FLoC, backfired rather quickly as it was an all-around privacy nightmare. The second attempt, Topics, promises to fix a lot of the problems FLoC had, but that is not a high bar and Google left itself a lot of room for future changes.
They can still cross-track based on IP or any other fingerprint worthy information. I expect this is exactly what they're doing. Doing this all on a central service makes this process much easier unfortunately...
But that should only help e.g. a web store to track you from the ad you clicked, which seems reasonable.
It should not allow e.g. Facebook to link your activity on a news site to your Facebook cookie, because while you're on cnn.com, your browser is using the cnn.com-specific cookie jar for everything, including the like button?
The cross site tracking is done by a third party. From reading the docs, the way it works is, publisher sets a unique id, browsers send that unique id to the publisher's domain, publisher forwards that (via the tag manager app engine) to the third party.
> Maybe using an archive.is-like service that renders the static page (as an image at the extreme)
A lot of companies are starting to use "browser isolation" which is essentially what you're saying. A proxy runs between the client and the server, but it does more than just direct TLS streams - it actually builds the DOM and executes the JS. The resulting web page is sent to the actual client browser, which might send back things like mouse and touch events to the proxy, which will then update the page.
I think most companies are using this as a malware protection thing, but it does hide the actual client IP address and fingerprint, and I imagine it would make tracking very difficult.
Browser isolation isn't quite that. It's just running a browser that is heavily sandboxed from internal files and networks, or running on another machine so any exploits don't hit your machine.
It's very much like running a browser through Citrix (in particular the remote flavour which is the most common as far as I've seen). But of course any data in the browser itself is still within reach for the malicious code... Which only solves half the problem. Unless you rigidly separate internal browsing from external sites.
But it doesn't run all the JavaScript and then send you a screenshot or anything. The resulting page is still interactive.
Remote browser isolation has the ability to change the landscape of personal computing enormously by the way. Right now we equip all our laptops with at least 16GB (32 for customer care) because some web apps like Salesforce Lightning are such memory hogs.
Considering the importance of the browser in modern computing this model would basically make the PC more like a terminal and require much less resources.
Of course this has already been going on with web based apps and streaming of things like games but this could be the final nail in the coffin of the PC as we know it. Not sure I'm happy with that...
The Opera product you are thinking of is Opera Mini. Opera Mobile is a browser running mostly on your device (except for "turbo" which optimized media through a proxy setup, but did not, afaik, execute any of the JavaScript).
Opera Mini can be looked at as a browser running in the cloud, sending OBML (Opera Binary Markup Language, if I remember correctly) causing the (very thin) client to draw things on the mobile screen, like text, images, etc without having to transfer, parse, execute, flow and paint every thing on the device.
Yeah, they released countless rebrands and versions and what not.
The equivalent on desktop would be Browsh (e.g. with terminal + Mosh), but it runs Firefox under the hood. Opera Mini is just akin to a remote browser with the result being sent to the client (as a compressed picture like in RDP/VNC, or a proprietary markup language like OBML).
> Maybe using an archive.is-like service that renders the static page (as an image at the extreme), or a Tor-like service and randomizes one's IP address and browser fingerprint.
I'm building a peer-to-peer network of Web Browsers [1] that doesn't trust anything by default, and only allows to render types of content incrementally; while disabling JS completely. Most of the time, you can find out what the content is with heuristics. The crappy occasional web apps that don't work without JS can be rendered temporarily in an isolated sandbox in /tmp anyways.
I think that the only way to get ahead of the adblocking game is to instead of maintaining blocklists, we need to move to a system that has allowlists for content. The user has to be able to decide whether they're expecting a website serving a video, or whether the expectation is to get text content, image content, audio content etc. News websites are the prime example of how "wrong" ads can get. Autoplayed videos, dozens of popups, flashing advertisements and I haven't even had time to read a single paragraph of the article.
And to get ahead of the "if fanboy gets hit by the bus" problem... we need to crowdsource this kind of meta information in a decentralized and distributed manner.
Called it [1]. It's a cat-and-mouse game and, unfortunately, advertising is just _that_ lucrative. Privacy-minded browsing will help those that care (for now...), but that's an unsustainable option with the current monetization channels available.
If a content publisher cannot monetize you, they will think nothing of blocking you. There will be some public backlash against companies that do so and there will be some sites who will lose money because of it, but the rest of the publishers will simply follow the money while the industry shifts towards more intrusive tactics.
There needs to be a monetization channel that is 1) good for both users AND publishers and 2) pays just as much as current methods. Unfortunately none of the current systems support that.
>There needs to be a monetization channel that is 1) good for both users AND publishers and 2) pays just as much as current methods.
I agree, but what party would you like that money to originate from?
Ads work well right now for consumer-to-consumer (e.g. I create a blog and you view it) because there's a rich, third-party that money can flow from (a company running ads --> money to me) without having to charge you, the end-user who is more than likely significantly less well-off than a corporation.
To buck that pattern, you need the money to come from somewhere else. Subscriptions and direct payments are an obvious choice (see: the boom of SaaS over the past few years) but people are already complaining that they have so many subscriptions they lose track of them all, and spend too much money on what used to be a "free" internet.
So, I don't think there's a solution where the money comes from the end-user. However, any time you add in a third party for the money to flow from, they're going to want something in return. And unless you want that cash flowing from the site owner to that third party (...why would you?), they're gonna need to offer something else.
I don't see any solution other than "a third party pays for something users and/or the site can create for free". Is the answer to just find something free other than analytics/usage, or are there other approaches to monetize a site while still making it "free" to access?
Unfortunately I don't see a good solution either. Large direct to consumer business models like SaaS or subscriptions are really only sustainable at scale, and even then it's dicey. In a SaaS model, the big fish win and we lose the democratic nature of the current internet.
Society has driven the perceived price of content so low that the content itself is worth less than the aggregate audience. Really, in what other space does the average consumer set their price expectations at free AND balk at paying $5/mo for unlimited access to a product?
The only thing that seems to come close to moving the needle towards privacy is somehow pushing advertisers into in-market advertising (think early internet-style site banner ads) and out of programmatic/user tracked ads. There is some evidence that these programmatic ads don't really perform as well as they claim but from what I can gather, the data is still unclear.
Simpler protocols (Gemini, Gopher...), outright refusing to use what the modern web has become. I only use HN and a few select sites. You don't need an ad-blocker if there are no ads in the first place.
I usually do read the linked content but I agree with GP poster that comments are often more informative.
Yes there is sometimes an echo chamber here, but it's only for limited topics. It very much has a Silicon Valley feel to it, but @dang and I have gone around on this and he assures us that the readership and comments have broad geographic representation.[1] It's a worldwide echo chamber. :)
Fortunately the echo chamber doesn't exist for most submissions. Most of the discussion on HN is on non-polarizing topics.
Which behaviour would that be? The "reading only the comments, not the article"? I don't see how reading creates an echo chamber.
What creates an echo chamber is if all the posts are similar or otherwise in agreement with each other. Those threads make for boring reading and I tend to only scan them for less boring content (yes, that means I read the context surrounding greyed-out comments more than the rest). The threads where people discuss various aspects and experiences are what I come here for.
(full disclosure, I mostly read the comments before even opening the article. I only read the article if there's a high-quality comment thread about some details in the article, or if multiple commenters state that it's a great article. And I tend to upvote an article based on the quality of the comments, not just the article itself).
I don't think so. I'd think echo chambers are created by lack of diversity in the user base. I think HN has a lot of actual diversity, and it's possible to see controversial topics disputed without unceremonial downvoting.
I don’t think the solution here is a technical one. This should just be solved by legislation.
Google Analytics has been recently ruled illegal in multiple European countries. And either this already is illegal under the same laws or it should be made so.
Not quite - only everything US-based, since they fall under the purview of the cloud act, which is incompatible with the GDPR (on purpose.. this is an entirely self-inflicted wound by the US).
No, anything with laws similar to the "cloud act", which is the norm rather than the exception, is illegal. It's quite rare for a country to allow companies inside it to say no to their government.
It's not about companies inside it, but companies outside the country.
And is it actually the norm? Since clearly even the US didn't have the Cloud Act until 2018. Was the US such a rare case until that recently?
> The US is basically doing the same thing as Russia and China
I don't understand or really get what you're referencing.
The whole issue here is the USA claims global jurisdiction over US companies forcing them to obey the USA legal system even for data located in the EU. On the other hand EU law makes it illegal for anyone globally to turn over data for EU customers without a court order from the EU.
I suspect this might end up as a slightly trickier scenario because when you get down to the details it’s hard at a technical level to make a distinction between a server log file and a tool like analytics which takes those same bits of data and mostly just organises and displays it in an intuitive way with charts and a nice UI.
The ruling against Google Analytics in France is quite simple: Google Analytics as used by an unnamed website was not compliant with GDPR, because it exports user data to a country that has privacy laws that are not up to GDPR standards, which is not allowed. This is on the unnamed website and they are compelled to stop this illegal export of user data by either only exporting anonymized statistics or stopping use of Google Analytics entirely.
Of course this isn’t yet a perfect banning of GA and Google might be able to work around it, but it’s something. And in fact, anonymized statistics would probably be OK (depending on the details of course).
But this actually highlights exactly what I mean. What if I simply stood up a plain old Apache server to host my website but that happened to be hosted in the US. No analytics, just a few HTML files and that’s it.
I’m still in this scenario sending PII of EU citizens in the form of IP addresses to the US which are just written to /var/log/apache
It seems obviously different and yet as that ruling seems to imply it wouldn’t be unless I’m missing something here between first and third party capture or something?
This pops up regularly, but AFAIK it's not correct. The law is much more fine grained than the USA PII concept. IP addresses are only personal data (PD) if you are capable of using them as identification mechanism. If you don't they are not. This also means that something that is not PD for you, can become PD when you give it to someone else. Or that 2 items which are not PD themselves, become PD when you combine them. Or that being hacked turns non-PD into PD.
Even as PD, using IP addresses to maintain a website is fine, even without consent. Using them to track individuals is not fine. Having a log rotation policy and a sane security policy so you can demonstrate when you throw them away is a good idea.
To be short: Install debian, drop nginx on it, then let it log as it wants. This is legal. But don't you dare mine the logs for abusing PD.
Incorrect. In the "Breyer" ruling[0] the highest European court concluded that dynamic IP addresses are PII (not just personal data, and not just data), as there is an abstract risk that combining IP addresses with other data can lead to identification of a user. The ruling explicitly said that the mere risk of such an identification is enough, not that such an identification has to actually happen.
Subsequent rulings by many courts have found that all IP addresses are PII, for various reasons, such as "static" IP addresses bear the same risk of indirect identification, and there is no reliable way to distinguish between "dynamic" and "static" addresses anyway.
The recent German ruling that Google Fonts violates the GDPR just by transmitting an IP to Google (by making the web browser fetch a resource from a Google server) hammered home this point, citing the EU ruling again[0].
This is different to e.g. a streaming provider keeping a history of songs you played. This data is personal data, but it is not personally identifiable data as this history alone cannot be used to identify a person. However, if this history has some kind of identifier attached that links back to account information or an IP address, that identifier would be PII, as this identifier could be used to indirectly identify a person.
Die dynamische IP-Adresse stellt für einen Webseitenbetreiber ein personenbezogenes Datum dar, denn der Webseitenbetreiber verfügt abstrakt über rechtliche Mittel, die vernünftigerweise eingesetzt werden könnten, um mithilfe Dritter, und zwar der zuständigen Behörde und des Internetzugangsanbieters, die betreffende Person anhand der gespeicherten IP-Adressen bestimmen zu lassen (BGH, Urteil vom 16.05.2017 - VI ZR 135/13)[2].
Translated, best to my abilities:
The dynamic IP address is to a web site operator a piece of personally identifiable data, because the web site operator abstractly has legal means, which could be reasonably used, with the help of third parties, namely the responsible authority and the internet service provider, to identify the person in question with the use of the stored IP address (BGH, ruling from the 16th of May 2017, VI ZR 135/13)[2]
[2] The BGH ruling quoted is the "Breyer" ruling again, just at the German national level instead of the EU level. The Bundesgerichtshof (BGH, highest German court of ordinary law) asked the European Court of Justice to settle the question of whether dynamic IP addresses are PII, which the ECJ affirmatively settled in [0].
This is a very interesting legal document, and I'll have to take the time to read it slowly before I can judge it.
It centers around this line:
... not PD for you, can become PD when you give it to someone else
and claims that, as this potentiality can always be fulfilled, you should consider it PD. This would invalidate the first part of the post, but is still not enough to make a default deploy of a logging http server illegal because of the 6.1(f) legitimate interest rule. In fact, things like 21.1(b) might make it obligatory.
Now we are in lawyer 'interesting question' territory which costs a lot of money, and I still don't think you'll need to worry, because you're not violating the spirit of the law. Personally, I'll go on depending on 2.2(c)
It's not illegal to store such information in default logs per se, even without explicit consent, if it would fall into the "legitimate interest" category[0], e.g. you need it to operate the service and prevent abuse, and there is no less intrusive way to e.g. reasonably monitor for and prevent abuse.
However, you cannot share such logs without consent, you still have an obligation to inform users about your legitimate interest assessment and what data you store, and you still have to abide by other rights of users such as the right of users to ask for a copy of the data you store about them.
Gdpr.eu is not an official EU resource. There is no official guidance saying that IP address in logs falls under "legitimate interest" and every lawyer I asked advised against it "just to be on the safe side".
One actually added: Do you really want to test our government's understanding of "legitimate interest" for your business in court?
Yes, but I never claimed that they were. The text that I linked is a copy of the official GDPR text (and recitals), not an article they wrote on the topic. I used their website, because I find it more usable as they added cross-references links and recital links. But if you prefer, read the official EU version[0], which is the same in content and in words.
>There is no official guidance saying that IP address in logs falls under "legitimate interest"
I haven't said that. I said storing IPs in logs might be legal, if there is a legitimate interest and/or there is consent.
There are actually two official recitals straight up addressing that topic. Recital 47 states (in part):
"[...] The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest." (This is not meant to be an exhaustive list)
Recital 49 states (in full):
"The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems."
These recitals were specifically added to address some points that had already been litigated in the past in various European courts.
>and every lawyer I asked advised against it "just to be on the safe side".
Good for your lawyers (that you keep mentioning all across threads). I don't know your lawyers, but they seem overly cautious - even for lawyers - and maybe a little bit under-educated on the subject matter. But they still have a point. You cannot just store access logs containing IP addresses, you have to have a legitimate interest, and be able to articulate this legitimate interest, and see if law makers and courts would consider your "interest" to be "legitimate". Which is easy when it comes to fraud detection and network security/abuse (thanks to the recitals), less easy when it comes to other areas, and pretty easy when it comes to different areas that are clearly against the text or spirit of the GDPR; e.g. nobody will buy an argument of "my legitimate interest is that I want to earn money from tracking and selling user data".
These laws do not ban businesses, they ban business practices. And consumers often win. E.g. laws to ban the business practice of just dumping toxic waste into rivers because it's cheaper were hugely successful - at least in places where they were enforced. On the other hand, there is a danger of regulatory capture, which has to be considered as well...
The GDPR does not ban Google, and it does not ban analytics. But, according to recent court rulings, it bans the business practice of Google Analytics to collect and transfer data to the US - which isn't considered to be a place with "adequate" privacy laws - and other places without prior user consent. Google could potentially come up with ways to make a Google Analytics that does abide by the law, but so far they choose not to. Maybe the changes that would be required would cut severely into revenues, or even make (free) GA cost-prohibitive, but this is in line with environmental protections killing off certain products/businesses that got too expensive when they had to dispose of their toxic waste properly and in a way that doesn't poison people and the environment.
>I personally know of no way to have legal analytics under GDPR, as advised by multiple lawyers.
If this is truly the case, then these businesses must consider shifting to ethical business models to stay afloat. If not, then competition will steamroll them.
The article is from 2020, and I don't think I've ever seen a site using this approach yet. It is an egregious attempt to circumvent the Same Origin security policy in browsers that developers and privacy advocates should rightly be angry at, but it doesn't seem to have caught on. That's something to be thankful for.
While impractical, I liked the article's suggestion of blocking the proxies. I'm curious what reaction this would have. Ad blocking users get no content and move to alternatives and stop being users, or would the sites cave and realize having users interacting is more important than all of the data collected.
It's a fine suggestion. If it breaks the site, then I'd call that a broken website and move on. Maybe next time someone points me there, they'll have fixed their critical issue for users who block tracking proxies.
I'm okay with not being in the target audience of sites that really want to do this. I've got enough other things to do at less hostile places that my FOMO isn't triggered in the least.
How do you identify tracking proxies though? When everything is going through the same domain you don't even know if data is being sent to Google, it's all a server-side black box.
I think the solution will be for ad blockers to invest in neural nets to detect the graph of the code flow for known variants of the script. The software that detects plagiarism will be a good start.
You can fight against it by refusing to use these websites?
If you can't do this, perhaps because a big _majority_ of users don't care enough to support this kind of ecosystem shift, what makes you think a majority of voters would support this? (And if not, why would you want to force your view on them?)
It's like legislating that people should only listen to Good Music and eat Healthy Food, as defined by some people who know better than the unwashed masses?
I rather think it's more like legislating that you can't sell people food adulterated with poisons, and you have to label the ingredients accurately. Oh, and it's like saying that you can't sell lead paint, even though it is a very pretty white.
Even without that legislation, most people would already care about avoiding poisoned food.
So a law specifically forbidding poisons is in line with what the majority already cares about.
(Slightly related: see eg some Chinese people making good money from buying baby formula overseas and shipping it back home in their luggage. China has legislation against poison, but people don't trust the enforcement enough.)
> Even without that legislation, most people would already care about avoiding poisoned food.
There is lots of evidence that people would still use harmful substances when it’s nice and cheap. Then other people would be exposed to it just because it is impossible to know the chemical composition of everything around you. Lots of people care about avoiding things like toxic chemicals and harmful bacteria, the trouble is that they cannot see them.
> So a law specifically forbidding poisons is in line with what the majority already cares about.
So why not do it, then, if it is the right thing and people want it?
In the real world, people are not perfectly informed, and fraudsters are willing to lie. So law and enforcement are absolutely necessary to end harmful practices.
See lead paint, but also leaded petrol, asbestos, antibiotics in farm animals, and insecticide chemicals spread willy nilly across the countryside. These things do not just disappear on their own because some people don’t like it.
Even on the topic at hand, to be honest. People know that ads and tracking are bad and annoying, even if they do not see clearly the extent of the damage. Some of us know how to avoid most of them. And yet, they keep making more and more money, and are far from disappearing. It is difficult to take your point seriously.
Part of the job of lawmakers is, intriguingly enough, deciding what’s good for voters. This would be among those things. Would voters vote for this specific law? Probably not. But they probably wouldn’t vote out the representatives who wrote it either. And arguably privacy needs to be protected for the good of society.
I'm not sure about this notion of the 'good of society'.
If you believe that the 'good of society' is not what voters want, why bother with democracy at all?
(Slightly beside the point: I actually do agree that people behave like idiots at the ballot booth and don't know what is good for them in this context.
Luckily, people tend to be much more savvy when voting with their wallets or their feet. And as a society we would be well advised to encourage these latter two.
Eg by taking subsidiarity seriously, and pushing as much decision making as possible to as local a unit as possible. Don't decide stuff at federal level, when the states can handle it. Don't let the states handle what the counties can handle. Don't let counties handle what the municipalities can handle. Don't let municipalities handle what people can do privately on their own.)
> Luckily, people tend to be much more savvy when voting with their wallets or their feet. And as a society we would be well advised to encourage these latter two.
The problem with voting with your dollars is that people with more dollars get more votes. The problem with voting with your feet is that only some people can afford to move.
If you want "just let the rich decide", why dress it up in fancy words?
As much as possible, people should decide what to do with their dollars.
> The problem with voting with your dollars is that people with more dollars get more votes.
Eh, the biggest and most successful companies on the planet cater to mass markets. The system seems to work fairly well for average people. (And we all suspect the most important politicians cater to tiny elites.) Also, using your dollars to vote means you lose those dollars. So rich people can vote each dollar only once, just like everyone else.
> As much as possible, people should decide what to do with their dollars.
This sounds very good until it is actually put in practice, when people realise that those who have all the dollars have all the power. Now you have an unaccountable oligarchy.
> Also, using your dollars to vote means you lose those dollars. So rich people can vote each dollar only once, just like everyone else.
That’s hilarious. As if those billionaires were not making the median yearly income in a week.
I’m not saying it’s not what voters want, I’m saying they’re not going to vote for it. There’s a difference.
The average voter has a fairly limited horizon in terms of what they see and understand about what’s good for society. And in a democracy you elect representatives because they’re supposed to have a wider horizon and more in depth knowledge, in part because they’re on average smarter than the average voter and in part because they get to dedicate all their time to that specific job.
This means that lawmakers will sometimes have to do things the voters don’t understand they want. It’s on them to explain it to the voters. And it’s on the voters to vote them out if they still don’t agree.
As for voting with their wallets, I would have agreed say 20 years ago. But marketing has become so all-encompassing and so much money and effort has been spent making marketing stick, that I don’t think most people can make truly independent decisions anymore about many many things.
And free stuff on the internet is definitely something that most people have trouble dealing rationally with. Just look at all the free trials that hook people into costly year long subscriptions, etc etc. Let alone when it’s free in the sense that the user never pays directly but through things such as ads and privacy.
My view of this is very much influenced by my being a European and EU citizen, though. And if anything, the EU is a bit of a technocracy that likes to decide for the “good of society”. And that’s not something everyone will like every time.
Well, I was born in East Germany and grew up there. Later I decided to vote with my feet, and pay my taxes in Singapore instead. Much better value for my tax money here---both lower taxes and better government services.
Btw, I'm not saying people are perfectly rational when voting with their feet or wallet. Just that they are much, much more rational than at the ballot booth.
> Let alone when it’s free in the sense that the user never pays directly but through things such as ads and privacy.
Well, can't argue about taste? Perhaps people prefer it that way?
> This means that lawmakers will sometimes have to do things the voters don’t understand they want. It’s on them to explain it to the voters. And it’s on the voters to vote them out if they still don’t agree.
I am basically agreeing with you: voting is a weak channel to transmit information. Almost no individual vote makes a difference. Neither in aggregate nor to the individual voting.
Voting with your feet or wallet does make an immediate difference to yourself, and has at least a clear marginal impact in aggregate. There are fewer weird threshold effects than in politics. A dollar more spent on iPhones is a dollar more spent on iPhones; but another vote for candidate A only makes a difference if it makes her have more votes than candidate B.
(And proportional representation only helps partially: in the end it's important which coalitions can form a majority in parliament, whether one party has one seat more or less doesn't make much of a difference usually.)
I'd like to give sortition a try to fill up parliament.
I co-develop an open source firewall for Android, which most of our users use for ad-blocking purposes.
The community has known about server-side collection for quite some time now. You could run Google Analytics on any of the serverless environments since a year or two ago (I noted this on news.yc a year back [0][1]). Tag Manager server-side is Google throwing its own solution into the mix.
DNS based content blocking was always DoA, there simply are too many chinks in the armour besides CNAME or HTTPS/SVCB or SRV or ALIAS record cloaking [2]. The worst I've seen reported to me by users is a tracker generating domain names on-the-fly (domain generation algorithms) and A/AAAA records pointing to different IP addresses each time [3].
That said, a firewall can still mitigate this offensive, while network security with just DNS was always going to be what it was: A stop-gap.
This isn't the end-game: I fully expect that IP address blocklists would crop up in no time, and will be painfully maintained by folks pouring their life into it.
TFA points out that Google's reverse-cloaking presumably with IP addresses, but worse would be if multiple domains shared IP addresses (like in a CDN), reverse-cloaked with Server Name Identification. Even firewalls would have to blanket block IPs... and what if those IPs are shared with other Google front-ends like the AMP project / YouTube / Mail / Docs?
The firewalls would also have trouble with something like Ao1 [4]: If multiple websites were behind multiple IPs, or in the extreme, a single IP.
The firewall is bust, but that's good, now we simply de-Google / de-Cloudflare ourselves, and be luddites like they want us to be.
I really don't know much about this space, but do you think server-side tagging could be more or less susceptible to user resistance attacks like what AdNauseam [0] does? Can we spam them into futility?
AdNauseam's offensive tactics can still confuse these server-side implementations. That said, if Google et al figure a way out to defeat it, pretty sure they'd not be blogging or talking about it, at all, for us to know.
> This isn't the end-game: I fully expect that IP address blocklists would crop up in no time, and will be painfully maintained by folks pouring their life into it.
Proxy can be hosted on the same server as the site itself. In that case this simply becomes a blocklist of naughty websites. Someone still needs to do the hard work of figuring out which sites are naughty.
IP blocking still seems a thing, even with this new feature - the ads need to be served from _somewhere_. I am using pfblocker-ng on pfsense, which uses giant IP blocklists to filter out all connections to spam and ad-servers. I haven't seen ads in 5 years and there is no need for client-side solutions (e.g. adblocker). The places where ads appear are just whitespace.
There is a hope this can be blocked with adblockers inspecting payload of requests and blocking based on some generic properties that could be always present in Google Tag Manager requests to proxies. Unless this mechanism has some dedicated Chrome-level support that would disallow inspecting or blocking these requests.
I think modifying some fingerprintable apis to give faked/altered results could be enough, given the global fingerprint is a product of all partial fingerprints. Some extensions already implement that, eg. https://github.com/kkapsner/CanvasBlocker/
No that has turned to shit (for me anyway). Used to be fine, now presents a captcha when JS off. Okay so I switch from Firefox to Safari (where I leave JS on) and it still presents a captcha. I'd rather use the original site with JS than solve captchas.
That has been my consistent recent experience for a multitude of those.
> or a Tor-like service
I've never used Tor, but aren't there a lot of complaints of repetitive captchas when using it?
> randomizes one's IP address and browser fingerprint
I haven't followed this closely, but didn't Apple make claims that they would soon have an opt-in service that did something like this?
I think there was never the possibility to "out-tech" tracking solutions in the first place. You simply cannot plug every hole imaginable that will be discovered, and still serve your service on a network.
The only remedy is strict legislation and judicial recourse against companies that do try to cheese it.
Just like you cannot possibly implement real world security and surveillance that makes it completely impossible to commit theft, but you can implement strong enough legal deterrence to make it a really unviable risk/reward scenario for individuals and corporations alike.
Google tag manager in my experience is a script executed by the browser. Then it installs itself in the page and performs the inner payload of user script insertions. It’s a Trojan horse, really. You can block Google tag manager’s embed scripts. I wasn’t aware of a backend integration but it’s certainly possible.
Regardless, I use a DNS based ad blocker (pihole) and it takes care of all this stuff. I occasionally need to turn it off or whitelist domains (like Google tag manager) for client work, but normally I have it blocked.
A Server-Side GTM container complements a client-side container, it does not fully replace it.
Some processing happens on the server, but event data must still be sent to the server-side container first. For now, the "standard" deployment of a server-side is that it receives hits directly from the browser, orchestrated by a traditional client-side container. So the client-side script is still there, just less bloated.
The server-side container has built-in facilities for serving up the client-side container script. Meaning that domain-name blocking will not prevent this. DNS-based also has some issues: Server-Side Containers run in App Engine, blocking them basically means blocking anything running on GCP.
Current GTM, configured (via the server UI) to inject tracker X:
gtm javascript loads, pulls down the config, injects tracker X javascript into the browser
new gtm:
gtm javascript loads, pulls down config, streams events to google servers to fan out to tracker X as configured
So blocking gtm.js off tagmanager.google.com / www.googletagmanager.com / the various other domains still blocks all gtm injected tags.
The tl;dr is they've become much closer to segment -- which does the data fanout internally to segment. But they should still be straightforward to block.
This is not how GTM server side works. There is not a single call to Google domains from the client, when GTM server side is set up to its fullest. The config (gtm.js) will be loaded from my subdomain and not googletagmanager.com. Also gtm.js can be renamed.
Per the docs here [1], that is not true. You continue to load gtag.js off the googletagmanager.com domain; subsequent events can flow to a custom domain.
No because the script contents can change from site to site. Maintaining an index for every site would get you closer, but individual sites can trivially tweak things to break fingerprinting as often as they want. Even on every request.
You missed the part where they recommend changing the script's name as well, add in changing a few variable/function names in the script and even matching the hash of the script itself would be useless. On top of them recommending using a sub domain with an A/AAAA record so it's first party.
Worst-case you parse the script and block it if the AST is too similar.
There are a million ways to detect and block this sort of thing when you control the client. Yes, it's harder than just blackholing a whole domain, but it's hardly impossible.
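An added example, not part of the thread and not code from any blocker or from GTM: a sketch of the similarity check suggested above, using a normalised token stream as a cheaper stand-in for a full AST comparison. All function names, the 0.8 threshold and the three sample scripts are constructed for illustration; the "known" sample is a made-up loader, not the real gtm.js.

```javascript
// Reserved words are kept verbatim; every other free identifier collapses to ID.
const KEYWORDS = new Set(('break case catch class const continue default delete do else ' +
  'false finally for function if in instanceof let new null return switch this throw ' +
  'true try typeof var void while with yield').split(' '));

// Comments and whitespace match without a capture group and are dropped.
// Groups: 1 = string literal, 2 = number, 3 = identifier, 4 = single punctuation char.
// Limitation: regex literals are not lexed specially (a real tool would use a JS parser).
const TOKEN_RE = /\/\/[^\n]*|\/\*[\s\S]*?\*\/|("(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|`(?:\\.|[^`\\])*`)|(\d[\w.]*)|([A-Za-z_$][\w$]*)|\s+|(\S)/g;

// Turn source text into a rename-resistant token stream.
function normalize(src) {
  const out = [];
  for (const m of src.matchAll(TOKEN_RE)) {
    const prev = out[out.length - 1];
    if (m[1] !== undefined) out.push('STR');        // URLs, ids and event names vary per site
    else if (m[2] !== undefined) out.push('NUM');
    else if (m[3] !== undefined) {
      // Names after a dot are usually browser API members (createElement, insertBefore)
      // that a site cannot rename, so they are kept as signal.
      out.push(prev === '.' || KEYWORDS.has(m[3]) ? m[3] : 'ID');
    } else if (m[4] !== undefined) out.push(m[4]);
  }
  return out;
}

// Set of overlapping k-token windows.
function shingles(tokens, k = 4) {
  const set = new Set();
  for (let i = 0; i + k <= tokens.length; i++) set.add(tokens.slice(i, i + k).join(' '));
  return set;
}

// Jaccard similarity of the two scripts' shingle sets, in [0, 1].
function similarity(a, b) {
  const sa = shingles(normalize(a));
  const sb = shingles(normalize(b));
  if (sa.size === 0 && sb.size === 0) return 0;
  let shared = 0;
  for (const s of sa) if (sb.has(s)) shared++;
  return shared / (sa.size + sb.size - shared);
}

// exactMatch is what a byte-level hash comparison would report.
function classify(candidate, known, threshold = 0.8) {
  const score = similarity(candidate, known);
  return { exactMatch: candidate === known, similarity: score, blocked: score >= threshold };
}

// Constructed sample: stand-in for a known tag loader.
const SAMPLE_KNOWN = `
(function (w, d, layer, id) {
  w[layer] = w[layer] || [];
  w[layer].push({ start: new Date().getTime(), event: "init.js" });
  var first = d.getElementsByTagName("script")[0];
  var tag = d.createElement("script");
  tag.async = true;
  tag.src = "https://tags.example.com/loader.js?id=" + id;
  first.parentNode.insertBefore(tag, first);
})(window, document, "dataLayer", "XX-0000");
`;

// Constructed sample: same loader with renamed variables, queue name, path and id.
const SAMPLE_RENAMED = `
// served from a first-party path under a different file name
(function (a, b, q, k) {
  a[q] = a[q] || [];
  a[q].push({ start: new Date().getTime(), event: "boot" });
  var n = b.getElementsByTagName("script")[0];
  var s = b.createElement("script");
  s.async = true;
  s.src = "https://metrics.shop.example/app.js?c=" + k;
  n.parentNode.insertBefore(s, n);
})(window, document, "appQueue", "XX-1111");
`;

// Constructed sample: an unrelated UI helper that must not be flagged.
const SAMPLE_UNRELATED = `
function toggleMenu(button) {
  var menu = document.getElementById("menu");
  if (menu.classList.contains("open")) {
    menu.classList.remove("open");
    button.textContent = "Show";
  } else {
    menu.classList.add("open");
    button.textContent = "Hide";
  }
}
`;
```

The renamed variant defeats byte or hash matching yet scores 1.0 against the known sample, while the unrelated helper scores near zero. Reordered statements or real obfuscation would lower the score, which is why the threshold is below 1.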
Does there need to be a loaded script with a certain fingerprint? What if they are just passing data from the browser to some random endpoint? I'm not sure, just thoughts.
There needs to be a script because the tracking still happens client-side and there will be some logic involved. The only way to avoid being blocked by the browser is to track server-side.
The point is that DNS ad blocking is being worked around with this new system, because it looks like part of the site you're on. Also, that Google is encouraging modifying the JS to prevent automated tools from blocking the JavaScript.
> You just have to write them by hand instead of the convenient table UI.
That’s a pretty big "just", though. Very few sites work without fiddling with rules, having to do manual text entry every time would push me towards not using it.
The UI of uMatrix is generally far superior to the mobile-friendly, simplified one of uBo.
It is, but for me the pros outweigh the cons. In particular, even with uM I often ended up editing the rules by hand because it was easier to copy-paste and turn on and off rules for experimenting, but uM would forcibly resort the rules on save which made that annoying.
>Very few sites work without fiddling with rules,
The only sites I fiddle with the rules of are the ones I visit regularly, which is not many. Over the 1.5 years that I've been using this method, I've only got 75 "web properties" in my list (github.com, github.io and githubusercontent.com count as one "GitHub" web property; so the number of domains is a bit higher). Going by git history, I do have to fiddle with one or more rules once a month on average.
For other sites, either they work well enough with default settings, or I give up and close them, or if I really need to know what they say I use a different browser. For this other browser I never log in to anything, and have it configured to delete all history by default on exit. (I've been pondering making this an X-forwarded browser running on a different source IP, but haven't bothered.)
>The UI of uMatrix is generally far superior to the mobile-friendly, simplified one of uBo.
To be clear, editing the rules does not use the "mobile-friendly, simplified" uBO UI. It refers to the giant text field you see in the uBO "Dashboard", specifically the "My filters" tab.
But yes, it'd be the best of all worlds if uBO gains the table UI as an alternative to the filters textfield. I imagine the problem is that static filters are technically much more powerful than what the uM-style rules do, so it'd require inventing a third kind of rule, which isn't great.
The big change they are suggesting is that the gtm code is no longer accessed via a predictable Google domain, rather it is requested through a subdomain of the parent site.
"Blocking scripts for each individual website" probably isn't too bad of a burden though. There's enough people who are annoyed by this and few enough sites that you actually visit (how often do you actually visit a brand new website, or one that hasn't been visited by thousands already?) that maintained (donation supported) chrome extensions for this will pop up eventually.
I don't understand. I tried to read the article but it doesn't make sense to me. What is the end-game? Can you explain? Not everyone uses google analytics, and even if we do it would only be on the front pages... (hooking into any API has always had the potential to expose session data if you pass it, so what's new here??)
It was clear this was going to happen for more than a decade now. I'm surprised it took them so long to really push for this. I'm just reiterating what I said back then: There's no point in wasting any time and resources into a stupid technical cat and mouse game to fix this. The only sensible way to deal with this stuff is through legislation.
Couldn't an adblocker block the largest javascript blob loaded by the page? Most likely it's gtm. Also with a bit of machine learning it could recognise the patterns in the js blob, no?
I mean, technically there is nothing stopping me from following anybody around, documenting their actions, taking pictures. It's easy... But we have laws that prevent this because we decided together that we do not like this.
I get privacy concerns and hate for ads, but what about "free" internet? Paywalls are a massive annoyance to me personally, and if ads were legislatively blocked, would I have to pay for each website I visit that previously relied on ads for $? Perhaps we could be making micro-transactions for each website visited via crypto (?)
The server-side "analytics" of 20 years ago was for aggregate reports on popular pages, number of users, their browsers and OSs and maybe their geo-location; solely for the use of the site owners to optimize and whatnot.
This abomination Google is proposing is unblockable cross-site tracking of people's activities. That site owners get to see some of that data too is insignificant, their value comes from being able to track people across the web. I'd bet Google would even offer this proxy service "for free" depending on how much data they can hoover from the site.
In principle I agree, and I support having the GDPR in effect globally, so that these server-side data sharing solutions are illegal without opt-in consent.
Unfortunately there’s a reality gap between “GDPR everywhere” and the United States and other countries, and that gap was being filled previously by anti-tracking lists maintained essentially for free out of the goodwill of people’s hearts. Now that Google is - and has been - using server-side proxies, those tracking lists won’t scale without human caretaking. Any human versus the entire web would burn out in a day.
So the choice is either to pay humans to enforce our anti-tracking beliefs against scummy corps, or to donate to politicians that believe in GDPR so they can try to make it illegal, or to refuse to pay anything and accept the status quo of being tracked. We’ve reached the end game of the “pay nothing until it’s fixed, then continue paying nothing” ethos: Google has outplayed us, and website owners can afford to pay to track us. I don’t like this, and neither do you. I think it’s time to pay money to fight back, and you do not think it's appropriate to pay money to fight back.
If you or anyone have a good idea on how zero-cost effort can somehow solve the tracking problem, share that with others in a useful reply to the post somewhere. You don’t have to convince me that such ideas exist: you have to convince others who share your “at no cost to me” beliefs to invest their time and energy in your zero-cost idea. And, whatever else I’m uncertain, I guarantee they’re not going to see such a reply down here in this thread that started with a pricing question.
It's based on JS. There's your solution. I disabled JS in the browser for nearly 2 decades and I can still use most of the web (HN included).
You are blind to the solution because you don't want to take responsibility for your own browsing. You and people like you won't change, will whine about how nothing can be done while not being prepared to understand the problem is yourself and that's where the solution lies as well. When google screws you over, remember you chose that (maybe by omission rather than commission, but you chose).
Disclaimer: I am a data analyst. I consult companies in regards to ethical data collection. But I also know of black sheep.
I don't have a problem with websites measuring what I view, click, add to cart or buy. I want them to be able to see what doesn't work in terms of user experience.
And if they do marketing I even want them to be able to see from which source of traffic (aka marketing effort) how many conversions (whatever comprises a conversion) stems.
The problem imho isn't GTM (Google Tagmanager) running as proxy. This would (or at least could) be a data privacy win if done ethically. At least under one imho essential condition: I could be able to run the proxy on any infrastructure that I like. Not only on Google's cloud offering.
And on the second essential condition that marketing departments act ethically. They can send the web analytics data to whatever tool they like. But they should absolutely not send my identifying information with it. They should use the proxy as a privacy protector. The same when sending conversion data to the marketing tools. I am OK with the marketer sending information back that a specific ad (not a specific user clicking on a specific ad) led to a conversion.
I don't need Meta or Alphabet tracking me personally (or my clients' users) with every click. But I understand the business need to measure the effectiveness of marketing money spent. Solutions like these could be a way to achieve this. If done right. And not done in the way GTM does (only hosting on Google, using an A/AAAA subdomain, grabbing every cookie possibly and so on).
> I want them to be able to see what doesn't work in terms of user experience.
That's not what they're doing, at all. They want to be able to see what doesn't work in terms of maximising profits. That may correlate with good user experience sometimes, but more often it results in the opposite.
Exactly! A company's goal is profit and most of the time, that does not align with the customer's goals. Amazon's goal is to sell me the highest margin item, I want the best value or highest quality.
I have very limited information about which items are a good value or high quality, so why should amazon have the tools to most effectively steer me towards high-margin items? They exist to provide us a service and we grant them the right to make a small % of profit while doing it. Not the other way around!
> I have very limited information about which items are a good value or high quality, so why should amazon have the tools to most effectively steer me towards high-margin items? They exist to provide us a service and we grant them the right to make a small % of profit while doing it. Not the other way around!
As a small aside, the capitalist's answer is that regulating companies to prevent them from steering to the most profitable items is both impossible to be adequately done and prohibitively costly. Even assuming cost isn't an issue, it's hard to imagine such regulation to be equally applied to all market participants (or to be equally effective). So we would be left with companies that cooperate and others that defect, and the defectors would be favored (more profitable) and outcompete the cooperators in the long run.
So instead we start from the assumption that companies are greedy and let them compete to offer customers the best value -- and if that value comes (at least in part) from not being tracked, companies that do not track will attract more customers. We probably just haven't made enough of a fuss about it with our dollar-votes.
For what it's worth, I block all ads without giving it a single thought. The way I think about it is that on the flip side of the prisoner's dilemma, I'm just defecting like some companies would. It's a race to the bottom in terms of the trust between customers and companies, but I didn't make the rules of the game...
Keep in mind that capitalists have all the power and a lot of time and incentive to rationalize the status quo.
The assumption in this argument is that consumers are able to observe and quantify the harm of tracking more effectively than regulators could create laws against data collection.
Personally I think the success of either one comes down to cultural factors that are currently stacked in favor of advertisers.
> The assumption in this argument is that consumers are able to observe and quantify the harm of tracking more effectively than regulators could create laws against data collection.
Not necessarily, because creating laws isn't enough to regulate. You also need to enforce such regulation, and that's where the challenge lies. The argument assumes that in the long run consumers are more effective at rationalizing their choices than the government is able to appropriately enforce regulation.
Alternatively, it assumes the cumulative harm created by the disconnect between current customer behavior and rationalized customer behavior (i.e. prior to their rationalizing the status quo) is less than the cumulative harm caused by inefficient regulation, including the defector's problem mentioned earlier but also other negative externalities such as encouraging corruption / fraud (which itself requires further enforcement)
Yes, my choice of words was hasty and suboptimal. I meant addressing data collection practices via regulation as a whole vs consumer choice as whole.
The way you are framing this serves only to reinforce talking points from those who are benefitting from the current situation. For instance, you're basically stating a priori that regulation is expensive and ineffective, and as evidence you talk about long tail of enforcement and defectors. But the ad revenue market is so consolidated you only need to enforce on a handful of players (Google and Facebook basically). The idea that defectors would then swoop in and create a massive enforcement problem is not substantiated. There have always been fly-by-night operations in all types of business, and they don't gain a huge advantage that catapults them to overnight success just because others play by the rules. No one is saying enforcement is easy, but to assume that it will be fatally flawed if it can't be perfectly applied to everyone plays right into the hands of those who are profiting from abuse of our data.
Now on the other side framing this as a "customer value" problem that will be sorted out by the hand of the market is just pure capitalist oligarch koolaid. How do you expect customers to have any sense of what data practices are behind their every day digital product choices, let alone quantify that into a dollar value? And even assuming they do all that, where are the market choices when everyone behaves this way? Even where there is theoretically a choice, many services have a huge network effect that makes a consumer's choice all but pre-ordained.
We need to have a reality check here. Markets are great when they work, but they are not magic and can not solve all problems.
Most everyone knows the "capitalist's answer". But it's specious, as it assumes a large scale check that requires P = NP.
In the real world market inefficiency creates local maximums, which can then be leveraged to implement policy. The most lucrative policies are to make those maximums even stickier. Advertising itself is a prime example of this - in a perfectly efficient market, once a brand became well known you'd think that additional money going to advertising would be a waste - causing the company to be less competitive and they'd dial it back. But instead what saturating advertising actually does is crowd out any new competitors that might come along. So as a customer, you're effectively overpaying so that you can have less choice!
This effect becomes even more relevant as the costs of production drop to zero, as an upstart competitor cannot get a leg up by optimizing production - in other words, the brand itself is a larger component of the "value". And on the larger topic, these days large corporations are declared "too big to fail" and bailed out by the central bank, rather than letting market mechanics assert themselves in even the most pressing cases.
Effective libertarianism involves recognizing that corporations and government are not dichotomous types of entities, but rather that both lie somewhere on a continuum of coercion. If the companies offering a product or service effectively move in lock step on some policy, then your main ability to reject that policy consists of going without that product or service. This is perhaps easier, but of the exact same vein, as needing to physically move to reject specific laws.
> The capitalist's answer is that regulating companies to prevent them from steering to the most profitable items is both impossible to be adequately done and prohibitively costly.
True, but only because that’s the wrong approach. The correct regulations are the ones that result in more competition. That’s treating the cause rather than the symptom.
If Amazon had to seriously worry about competitors, they wouldn’t be focused on selling overpriced garbage. Why? Because customers will notice that Amazon sells overpriced garbage, and will instead buy from somewhere else.
I don’t know what those regulations might look like, but I do know that pretty much every single “evil” behavior in the market can be solved by throwing in competition. It’s not always possible (e.g. maybe someone is locked in to a single vendor due to a bad contract), but when customers are given choices, the choice that offers the best value will survive in the long run.
That's not true. I run a site like this and I want both. Yes I want to test what maximizes conversions, but this is also what helps me provide value to more users. And I also need it to determine how to improve the service I provide to users.
The bit you're replying to here hasn't yet introduced the problem of marketing teams.
The kind of tracking in the first section is "understanding how people use your product", and is usually introduced by the product team, rather than marketing. And most product teams I've worked on fiercely fight back against the addition of excessive tracking. Whilst the goal of a business (and therefore a product team), is usually about maximising profits, it's not exclusively about that. I've worked for businesses that literally have a social charter in their articles of association, but they still want to measure how people use their products.
You have been lucky then. At the places I have worked the product people have not fought with tech but if anything they have fought against tech on this matter.
That's too easy IMHO. Yes, online marketing is about profit. But tracking is not always about profit. I work for a customer that offers kind of a job search engine. All they want to maximize is the rate of successful employments. Yes, they need to optimize marketing budget. But not to sell useless stuff, but to reach out to potential employees.
Marketing is almost by definition not going to act ethically: their whole goal is to create a need where there isn't an organic one, and the KPIs by which marketing departments are run are proof positive of that. Nobody starts off with 'what would be the natural limit of our product sales', instead they start off with 'what is the total addressable market and how do we maximize our fraction of that' implying that if you are counted in their market that you are fair game whether you like it or not.
Most people only see 1-2% of what a marketing department does. The primary goal of a marketing department is to inform and present information in a clear and attractive manner. A good marketing department is also an advocate for what the consumer wants based on research and consumer feedback.
Are there bad actors in marketing? Yes. A lot. Marketing agencies are full of them. Agencies, to generalize, only care about short-term results and selling the client on the next big idea. They won’t be around or have to live with the repercussions of their bad actions. In fact, the clients are their customer and so they don’t really care about the client’s customers at all so long as the client is paying them. They just need superficial numbers to go up to show the client. They are screwing over the client and customers are unfortunately collateral damage, but the agencies, again, don’t really have to deal with that.
A lot of the most anti-consumer tactics do not work in the long-run. Most consumers aren’t so easily tricked into buying a product today and they most certainly won’t be tricked twice. It doesn’t take too long—usually—for the snake-oil salesman to get run out of town. They just do a lot of damage while around.
Even when recognizing that there are a lot of bad actors in marketing, that's still an extremely over-optimistic perspective: at some point, tricking people becomes easier than improving the products, value propositions become muddier, and snake-oil starts to be used as the lubricant for business relationships. Only the most obvious offenders get run out of town, while most evolve and get to raise the new normal boiling point; as long as refining the snake-oil is cheaper than refining the actual products, the situation keeps getting worse.
Either the dynamics work in favor of the people, or they don't. That we continually mistake the comfort of our ships with the state of the sea is just the blessing and tragedy of our ignorance.
As a 'white-hat' marketer (I work for some place that's similar to Vote411/ The League of Women Voters and I initially started in library outreach; I don't think anybody would consider my work unethical), the issue is the need for constant growth and profits.
You can do cool and interesting things in marketing and outreach and there are actual use cases for them. For example, libraries often carry unconventional items, and making the community aware that they can borrow a sewing machine/get seeds to plant/get museum passes is technically marketing and 'creating' a need, but it's not exploitative.
It's a very similar situation to dev work in that if I were willing to chuck my ethics out the window, I would make a lot more money, and marketing people do also like money.
The implicit observation that there is such a thing as a white hat marketeer relegating the remainder to black hats is an astute one.
I would rephrase the one as raising consciousness about important issues, and leave the other one under the label marketing, which to me is limited to commercial enterprises and indirect money grabs, a lot of which is related to politics and creating artificial divisions in society (the 'haves' vs the 'have nots' and so on).
> their whole goal is to create a need where there isn't an organic one
This is reductionist. Was telling people about trains and cars creating a need where there wasn’t one? In a sense. But in another sense, it was broadcasting a better way of being. Marketing doesn’t have to be evil. Saying all marketing is evil is sort of a cop out for the people who do it badly.
> Was telling people about trains and cars creating a need where there wasn’t one?
That's a great example actually, because the reason you can't get anywhere without a car these days is marketing campaigns by the automobile and oil industry. First by suggesting the newly necessary road safety standards and ridiculing people for being in the street without a car ("jaywalking") to the point that it was criminalized, then by sponsoring enormous displays about the glorious car-dependent future at multiple world fairs (GM's "Futurama" holds the attendance record at 5 million visitors to this day), shutting down streetcar companies via lobbying and acquisitions and eventually even providing the US secretary of defense, who then used the defense budget to bulldoze inner cities to run highways through them. A development that caused the US to have the highest car dependence, car ownership and transport emissions of any large nation today.
So yes, I think it's fair to say there was a bit of artificial need created here.
>because the reason you can't get anywhere without a car these days is marketing campaigns by the automobile and oil industry
We aren't all brainless automatons. Not everything is a giant conspiracy. Have you considered that there are people that actually like cars and find them convenient and useful? Cars and the highway system completely changed the course of commerce in this country. Sure, that has led to some problems we're going to have to correct, but this idea that a bunch of moustache-twirling executives sat in a board room figuring out how to force cars on people is a bit much.
In this case it was a giant open conspiracy. It wasn't secret.
> a bunch of moustache-twirling executives sat in a board room figuring out how to force cars on people is a bit much.
That's pretty much exactly what happened. I don't know that they twirled their mustaches though, I'm sure they all thought they were doing the right thing.
It was a classic case of "seemed like a good idea at the time".
> Sure, that has led to some problems we're going to have to correct,
That's pretty facile. For one thing more people (in the USA) have died directly from cars crashes than from all the wars we've fought. For another there's the pollution: exhaust is deadly poisonous, tires wear down and shed millions of tons of tiny particles of vulcanized rubber into the environment, the fuel we burn contributes to the Greenhouse Effect, the asphalt of the roads is toxic, and there are so many roads and so much pavement that it affects planetary albedo. Then there are the unquantifiable changes to the social order: streets used to be public ways for everyone, now they are the domain of the automobile and people are confined to the sidewalks for fear of mayhem and death. I could go on and on.
I think if an alien landed here and looked around one of its first reactions would be, "WTF is up with all these cars!?"
I was about to reply that this is exactly what happened in L.A. in the 1940s and suggest that you look up the "Great American Streetcar Conspiracy", my favorite example of monopolistic conspiracy. But apparently much has changed since I last did that myself, and now the conspiracy seems to be little more than... fake news.
Unless of course we're in the midst of a "Great American Streetcar Conspiracy"-Conspiracy Conspiracy. ;-)
That is a bit of a misleading way of putting it. There was indeed a "street car conspiracy" and it even led to criminal convictions. The interpretation that this conspiracy was intended to kill off street cars is harder to justify since street cars were already struggling in the aftermath of the Great Depression and many were bankrupt. I do think that the actions of GM et al. did accelerate the decline of the street car but the urban myth about the "Great American Streetcar Company" is generally overblown.
I'm not sure what part of my message led you to believe I didn't think people enjoyed cars?
The problem is that it wasn't enough for cars to be a useful tool for those that needed it, but that they needed to be a source of endless growth, and marketing played a crucial role in that.
There's no need for mustache twirling here. Car companies rationally maximized their profit by selling to everyone they could, rationally removed barriers to car adoption by removing everyone else from the road and rationally created new markets for their product by encouraging sprawling cities and enormous highways, which also acted as a competitive moat. They then disregarded the consequences, not because they were evil, but because their job was to maximize car sales, not the car's benefit to humanity.
> Have you considered that there are people that actually like cars and find them convenient and useful? Cars and the highway system completely changed the course of commerce in this country.
Cars would have been wildly successful without marketing, but the deliberate marketing efforts of car companies significantly amped up that demand and pushed us into being a society that is unhealthily dependent on these amazing machines.
> this idea that a bunch of moustache-twirling executives sat in a board room figuring out how to force cars on people is a bit much.
This "idea" is strongly backed up by the historic record, so if this seems like "too much" you really need to recalibrate your intuitions with reality.
Not to speak of a promised sense of freedom you could only ever possibly obtain by driving around in the right kind of car and smoking the right brand of cigarettes.
>a promised sense of freedom you could only ever possibly obtain by driving around in the right kind of car
You do realize that having the ability to hop in your car and drive wherever you want to go without having to report to anyone provides an incredible amount of freedom, right?
You don't need a car for this. You can use trains and other means of transportation.
Take a look at other countries. Japan, Singapore, France with cities like Paris, Netherlands with cities like Amsterdam, which transformed from a car centric city in the 1950s to now a very lively city with lots of bikes and public transport.
Who are you "reporting" to when you catch a train? Also, in cars, you're using Google maps which is tracking you, your license plate is fully visible which allows you to be tracked, there are ticketing cameras, aerial monitoring, toll booths, speed traps... Yea sure pretty free.
This view is probably too US-centric. There is a lot of the world (including developed world), where people get around everyday without relying on cars for everything.
I do not negate your point that marketing has a strong component of creating a need where there isn't one. But, its success in doing so relies on a strong combination of cultural, economic and political backgrounds.
I've seen this argument a lot, especially by technically minded folks.
When you say "telling each other" what do you mean exactly? Do you think businesses just magically get talked about with zero investment in marketing dollars?
I get the sense that lots of people in the HN community don't realize when they read an article from <insert tech company engineering blog> that this is marketing dollars at work.
> But as a rule it definitely appears to be.
By your "rule", sure. I understand the gripe with marketing from the consumer perspective, but pretending it is inherently evil because it (1) invades your personal attention and (2) you think people are going to organically talk about products or services they don't know exist is a pretty myopic view of marketing as a whole.
> I don't think we need to discuss the meaning of words that are in the top 5000 commonly used dictionary words here.
Good. We're on the same page then. Snarky response not required but okay.
> Yes. It's called word-of-mouth and it is how it has always been done.
I don't know where to start with how to respond, but I'll bite:
Let's magically go back to the gold rush in the US. You're traveling from New York and arrive in San Francisco. You know nothing about products and services in that market. You walk into town and look for a general good store to buy some water. You ask a guy on the corner where the general store is and so you find the general store based on his help. Okay, so word of mouth. You want to prospect some gold and know you need to buy a pan. There are two gold prospecting material vendors in town, Gold Supply Inc and Acme Gold (but you don't know this because you're new to town). You walk through town looking for a vendor and notice a guy with a megaphone is yelling to the crowd about Gold Supply Inc offering better prices on pans. He is paid by Gold Supply to do this. This is marketing/advertising.
So, no, this is not "how it's always been done" and it's inconceivable to think any modern company doesn't spend money on advertising/marketing. I understand the grievances about having hundreds of thousands of megaphones in your face 24/7, but let's stop pretending the world's marketplaces can operate efficiently on word of mouth alone because that's what you're implying.
> You walk through town looking for a vendor and notice a guy with a megaphone is yelling to the crowd about Gold Supply Inc offering better prices on pans.
Which may be true. Or not. And they may be crappy pans, or not. And that's my point: all that yelling just muddies the water, it's like a mountain of 'fake reviews' and no way to pick up the signal any more because of all of the noise. Marketing mostly lies.
- Be fully educated on every product and service available to them in every market they encounter
- Spend the time to speak to N amount of people via word of mouth and understand how many N amount of conversations are required to have the confidence to buy the best product (in terms of value, feature set, price, etc.) for the item they're looking for
- Discover products and services that they didn't know existed but may solve their problem in a novel way
All without any marketing/advertising interaction? And that this is somehow going to magically make buying decisions more clear (i.e. not muddy)?
Sorry but that is hilariously out of touch with reality...
I posed a bunch of clarifying statements to understand your point and instead of responding to them that's how you respond? Weird.
I respect most, if not all, of your viewpoints on HN (even if we disagree), but dodging the meat of my questions and clarifying statements isn't helping with your argument.
That's fine, but I think that if you don't understand someone's point then your best bet is to ask, not to extrapolate.
I'm not dodging anything here, it's just that it makes responding much harder because now instead of clarification we're off on some wild goose chase.
It's ok with me if you don't believe that people got by just fine before marketing became a weapon in the armory of companies that all compete for the same market because traditionally the reach of companies was fairly limited due to the cost of transportation. But (mass) marketing as a profession is a relatively recent invention, as are companies with global consumer reach.
The availability of 30 brands for the same niche is what drives one form of marketing ('we're better than them', when in fact the products are most likely at best at parity). The other is that plenty of 'need' is merely marketeers pushing jealousy buttons, something that you don't need to do if there is a genuine need for a product.
All that marketing and advertising is in the end an arms race and a big contributor to overproduction and overconsumption. The thing that needs marketing the most is probably the thing that you need the least.
> Do you think businesses just magically get talked about with zero investment in marketing dollars?
Yes. It's hardly magic. If some business or service provides a great value or "a better way of being" people naturally get excited and tell their friends. I'm not a domain expert but my understanding is that these organic word-of-mouth referrals and recommendations are waaaaaay more effective than any other form of marketing. The other organic thing that happens is when people realize they have a need and ask their friends for referrals and recommendations. It works great if your product is great.
If you can't develop and sustain word-of-mouth organically then you have to use other less efficient and more coercive means. Deliberate marketing is commercial propaganda. Someone wants to put their hand in my wallet and is deliberately using professionally-designed artificial media to trick me into letting them.
Your example of the barker with the megaphone is noise pollution and a waste of a human being. But you can go much further back. It was decadent when the Romans did it, and it was decadent when we San Franciscans did it, it's decadent today.
> it's inconceivable to think any modern company doesn't spend money on advertising/marketing
You can't conceive it, maybe, but I can. There are worlds without advertising/marketing. There are marketplaces that operate efficiently on word of mouth alone. You might not believe me, but it's true, and from those worlds our modern advertising/marketing mania seems like a madness.
First, there are the various "black" markets. There was no appreciable change in availability, quality, or price before and after pot legalization, for example.
The high end of most services and products doesn't need to market, they're "saturated" by word-of-mouth alone. For example, I met a guy once who was part of a very high-end IT consultancy. They had A-list customers, all the work they could handle, and their website was a single line of text that basically said, "You have a problem? Email us". In other words, most markets have a subset of "quiet" companies that thrive on word-of-mouth alone.
> It's a bit like arsenic: it doesn't have to be negative but usually it is
This is a good analogy. In stories, arsenic is almost without fail evil. In reality, it has use in medicine, agriculture and ceramics [1].
> If 99% of the people engaging in an activity are doing it badly then I'm all for reining them in
We agree. And I have no horse in this race. But that 99% figure is largely confined to tech-based marketing. The people painting print ads and planning PR stunts aren’t hurting anyone.
Marketing is a tool. It can be misused. It can also be used for good. In fact, now that I raise the point, I wonder why nobody's thought to use ad microtargeting for COVID-19 vaccine campaigns yet.
They probably have and I just haven't noticed, because when good marketing's working it tends to be invisibly transparent.
If I may: I think your larger problem is really that most product is crap, and marketing's job is to put product in front of people whether or not it's crap. Maybe we should be doing something about crap product instead of advertising of crap product?
The polio vaccine serves an actual need, and if you're not selling something I would refrain from using the word marketing.
As for the marketing of 'good' products: even marketing a good product comes with the implied 'right to market', where possibly none exists. You could get people hooked on very high quality vehicles for short trips because of convenience when the alternative, a bike, or even walking are perfectly acceptable. But if all your neighbors have been sold on the car then the message is that you can't be seen to be left behind, and that is a problem. Harnessing peer pressure for gain is an important element of marketing, which rarely is positive in nature, but usually tries hard to push people to feel inferior based on not using/owning a particular product.
And that's for a high quality product. Marketing is all about changing perceptions, to turn the unpalatable into something desirable and to turn the things you don't need into the things that you must own to be happy or to feel complete.
I used the cosmetics industry as an example because they've turned this into a veritable industry: people are made to feel terribly unhappy, to the point of in some cases committing suicide on the strength of marketing aimed squarely at making them feel inferior. This is revolting.
> The polio vaccine serves an actual need, and if you're not selling something I would refrain from using the word marketing.
Then I believe basing policy off your definition of marketing would require first a tribunal to decide if something is "marketing" or... Whatever the polio campaign was. Because the national, then international, polio eradication project absolutely included perception and behavior modification.
Polio was only paralytic to a fraction of a fraction of its victims. For most, it was a bad bout of diarrhea and several bad days. And the vaccine (unlike the safer designs we have now) was either killed virus or half-killed live strain; in one terribly unfortunate batch, it caused polio. People had legitimate reason to believe things were good enough as-is (after all, most everyone had either gotten and survived polio or knew someone who had, with far, far fewer "Uncle Harry got it and he's in an iron lung" stories by volume) and getting some (possibly still-active) vaccine shot into their arms was going to be a bad long-term decision.
Against all of that, the March of Dimes did a huge amount of work to get people to go against their inclinations and the evidence available to their eyes to move polio from an "everybody eventually gets this" common environmental risk to a "makes the news" occasional outbreak. It's a brilliant success story of perception adjustment, on par with Colonel Stapp's crusade to make the seat-belt mandatory (speaking of which... http://persuasion-and-influence.blogspot.com/2015/02/wear-se...).
> Marketing is all about changing perceptions
No disagreement here. Sometimes, it's used to help people believe that the world can be other than it is, if we only all change our behavior to make it so.
> I used the cosmetics industry as an example because they've turned this into a veritable industry: people are made to feel terribly unhappy
No disagreement that cosmetics is full of bad actors and bad action, but people were putting eyeshadow and rouge on back when the closest thing we had to marketing was some statues declaring that a dead pharaoh was a cool guy (with the name scribbled out and replaced by some other dead pharaoh's name). I submit to you the humble possibility that people don't doll up because they're compelled by advertisers to do so (though I've no doubt advertising plays a huge factor in the way they choose to doll up).
> even marketing a good product comes with the implied 'right to market', where possibly none exists
The right to freedom of speech isn't universal, I agree. I submit that we do more harm than good trying to split the hair on deciding when something is freely-offered speech and when something is marketing, however. Good luck squaring those circles without getting eerily close to "prior restraint on open communication of ideas."
> Then I believe basing policy off your definition of marketing would require first a tribunal to decide if something is "marketing" or... Whatever the polio campaign was.
Let's just use the dictionary definition and save everybody a lot of time:
"the process or technique of promoting, selling, and distributing a product or service"
So I think the polio campaign doesn't have to be hauled in front of a tribunal (is that a new thing? I see this term used more and more for things that it has nothing to do with) to prove its worth.
I think we'll simply have to agree to disagree, because we're seeing the same facts and reaching different conclusions. The polio campaign included heavy use of marketing. Its story demonstrates that marketing isn't intrinsically bad; it can be used to bad ends. And any policy separating the baby from the bathwater in this regard will, I think, be a major challenge to implement correctly without risking making something like the polio campaign illegal.
Polio vaccination had to be sold as a concept. The public had to be taught, cajoled, coerced, and door-to-door-campaigned to volunteer to get stabbed with a cocktail of virus parts to protect them from a disease that hardly ever proved fatal or permanently debilitating. They had to be told their friends were doing it, their neighbors were doing it, all the "cool kids" were into it.
There were, of course, additional circumstances (having a President that is visibly impaired by the disease, though his people did their best to hide it, certainly mattered), but the March of Dimes absolutely promoted, sold, and aided in distribution of a service. Hell, the name March of Dimes was coined as a more marketable name than "National Foundation for Infantile Paralysis" because they were trying to convince everyone to chip in 10 cents to pay for the project (https://www.marchofdimes.org/mission/eddie-cantor-and-the-or...). It's every bit as much a sell as Sarah McLachlan showing up and singing over pictures of very sad puppies is today.
(And to be clear... Thank God it worked. It's great to live in one of the decades where my fear of polio is practically nil. But the point is: without marketing, none of that was a given. People didn't just wake up one day and go "I'm going to go get stabbed by a stranger with a needle full of disease-juice..." a vast marketing campaign convinced them that was the right thing to do. Same techniques that were being used to convince them they should drive to the injection site in their shiny new Ford because walking was for suckers).
I would much sooner label 'the march of dimes' a charity and a PSA than marketing, but each to their own. Also: note that exactly those things are trotted out by the marketing people to prove that "hey, marketing isn't all evil" when actually they have to reach back decades into history for an example that people will recognize and that has nothing to do with selling un-necessary stuff, which is the thing they are as a rule heavily engaged in.
I mean, you can, but then you should probably tell Cindy Rahman, their SVP and Chief Marketing Officer, that her job title makes no sense. And the IRS that the 4.9 million-odd they claimed they spent on advertising on their Federal 990 form in 2020 was mis-labeled.
The March of Dimes is and was in the marketing business.
> actually they have to reach back decades
March of Dimes is still here. It's a modern example as well as a decades-old one. Their primary purpose all but accomplished, they've re-targeted their efforts into information, support of families in NICU, and general patient advocacy.
I could have pulled a more recent example, but the polio campaign has the advantages of lack of ambiguity, common understanding, and the historical perspective to come to general agreement that it was a more-or-less un-alloyed good thing that we can avoid getting bogged down in those dimensions.
Nowadays, I'd point to the billions spent on COVID-19 vaccination advocacy and messaging as the good marketing can do, but I didn't really want to drag the modern-era anti-vaxxers out of the woodwork.
But: you are still stuck on the same theme: health related, charities and so on. The fact that charities have marketing is by itself a negative, often enough this translates into them spending a very large fraction of their donation on soliciting more donations. And there are quite a few examples of that being the larger part of the total collected, which shouldn't really happen.
We did not start the discussion about the march of dimes or any such project, that's just a convenient fig leaf, what matters here is companies selling commercial products and services that people don't need while using armies of psychologists and a continuous barrage of media expressions to battle down the natural defenses to get people to act against their own interest.
If you want to have a side discussion that there are some applications of those same techniques that may have positive effect then you're free to do so but preferably not with me.
Like I said, you don't hate marketing; you hate that most of what is marketed sucks.
Take away the marketing and we have a world where most products still suck, and when we seek one out at random we'd be statistically likely to lay hands on something we don't need.
'You don't hate guns, you just hate what they are used for' -> No, sorry, I really do hate guns and I have a very low opinion of everything related to marketing.
> Marketing is almost by definition not going to act ethically: their whole goal is to create a need where there isn't an organic one
That's very single-minded. Marketing mainly informs about a product, which obviously also works even if you already have the need for it. And it can also help in realizing a specific need which the customer has not pinpointed yet. That's the whole point of acting ethically, to support, not to bait, trap and abuse.
Indeed. That's exactly what our marketing department does.
Our product helps our customers comply with the law. The law created the need, we're just trying to make our customers lives easier by assisting them with complying.
So our marketing team focuses on informing potential customers what it takes to be in compliance as few are well aware of what it takes, and how our product can help with that.
Your customers were required to comply with the law, whether or not your company exists.
Whether you help them or not is up for debate, what isn't up for debate is that you sell them something, which they may need but not necessarily so. It's not your product that they need, it is compliance.
Making their lives easier is great: as long as your product doesn't mess up, at which point I'm sure your terms of service will say something to the effect of 'well, sorry, but it was your responsibility after all' and 'informing potential customers' typically - in that context - takes the form of pressing the fear buttons for possibly not being compliant and selling them a solution which they may not even need.
Seriously: this is a fantastic example of how being on one side of such a story you might lose objectivity, if I wanted to know whether your product is useful or not the last party I would trust is your marketing department. Who would I trust? My lawyer, who I would ask to establish whether or not (1) this particular law applies to me, (2) the risk of non-compliance outweighs the cost of your product, (3) whether the product's terms and services really protect me or if it opens me up to a new level of liability, (4) whether there is a better / cheaper product and so on.
> Your customers were required to comply with the law, whether or not your company exists.
Indeed. And a lot of companies don't know that they have to, to what degree, or how to do so effectively.
> It's not your product that they need, it is compliance.
It's true they don't need our product. But it can absolutely help them, by spending less time and resources on compliance and the surrounding processes.
But they can't get all those benefits if they don't know we exist.
> Seriously: this is a fantastic example of how being on one side of such a story you might lose objectivity
I really struggle to see how you can come to that conclusion without having seen our product or our marketing.
> [If] I wanted to know whether your product is useful or not the last party I would trust is your marketing department.
But if you didn't know about our product, you certainly couldn't evaluate if it was useful or not. Without word-of-mouth, how would you even find our product?
To be fair, word-of-mouth worked very well for a long time. But there are still a lot of companies out there who aren't in compliance because they don't know any better, and a lot who still use a lot of time on compliance that could be spent on their core business instead.
What's wrong with trying to tell those companies that our product exists?
What would be the utmost, top dream of a Marketing team? I think it is to be able to read my mind. Followed by being able to project an ad into my retina (if writing into my mind is not possible).
If the above is not possible, then they will come to analyze my behavior online.
It's truly sad...
Paraphrasing The Godfather 3 "Finance is a gun, politics is knowing when to pull the trigger" and I would add "marketing is knowing HOW to pull the trigger".
> And it can also help in realizing a specific need which the customer has not pinpointed yet
Don't you love cold calls, spam and pop-ups?
Marketing helped to ruin the latest and finest revolution of our time, that is, the Internet.
Ridiculous. "Tracking" and your so called "artificial" metrics have significantly increased my site's conversions to paying users and my users' experience. I did nothing unethical in the process.
- This thread is about marketing. Did you do all of the marketing, or did an existing infrastructure perform tracking and serve ads for you?
- What data support claims about your users’ experience? Conversions are not a good metric of user experience.
- People generally have a hard time evaluating the ethical merits of things that benefit them. Do you have some kind of independent evaluation to support your claim that you did nothing unethical? If a politician hires a lawyer as a fixer, and pays them to make problems go away with a minimum of information returned, is that politician acting ethically? If the fixer hires a hitman for that problem, does the politician’s ignorance of that act constitute ethical impunity?
> the second essential condition that marketing departments act ethically
This seems like a pretty strong assumption, given that both an engrained culture, lived experience, and an analysis of the different parties' incentives stand against this.
Until we have strong (and crucially, really enforced) legislation against this, I'd say technical means (blocking JS mostly) will be the only thing I'd be willing to bet on.
> I don't have a problem with websites measuring what I view, click, add to cart or buy. I want them to be able to see what doesn't work in terms of user experience.
The problem is not that they measure things. The problem is that they enter the user's private area; they run code on the user's computer and probably grab information about the user too (I don't know exactly how tag managers work because I have never used one). It's like if I enter your home and start measuring things, the problem is not that I measure things, it's that I entered your private area.
Well actually it is more like you are entering their store. They are measuring the number of people that come in. The number of items (and what items) these people look at. Add to their basket. How many stand in line at the cashier and how many buy. And how many filled baskets stand in the aisles at the end of the day.
But - they also could write down the gender of anyone entering the shop. Or the hair color. Or they could note down the license plate of your car. With whom you arrive. The brand of your car. The color. The brands of the clothes you visibly wear.
Then they correlate that to the payment method, your Visa card, the credit ranking they receive back from visa (digitally at least). And so on.
And they measure how often you return.
They could do all of this (and actually a big lot of them does) and not only log that for themselves and do whatever analysis with it, but also send this data happily to the advertising agency that manages the big signs all over town so that they can show you additional advertisements for a new car, because you have money, but your car is old.
That is where the problem begins. It begins when doing way too invasive logging of user attributes that do only marginally have anything to do with measuring how the shop (or the website) work. And more so when this data is being sent to who knows whom in this advertising space out there.
I have no problem with an online store storing the fact that I came by clicking on a display ad. Or on an email newsletter. Or that I am using Firefox. Or Chrome. And that I am on a Win10 desktop device. Or that I tend to add a lot of stuff to my shopping cart, wait two hours and then sort what I don't need.
I even do not have a problem showing me additional products based on what I looked at in their shop.
But to correlate that with offsite data, sending this to advertisers and so on is a no go for me.
No, you are voluntarily downloading and running their code on your computer. What you describe is hacking into somebody's computer, that is different. Stores take measurements about their customers, so do sites.
I'm also voluntarily running uBlock Origin whose entire purpose is to sanitize their borderline malware code into something that I can actually consume. As you said, it's my computer and they really need to submit to my will instead of finding creative new ways to work around it like some malware developer.
> Stores take measurements about their customers, so do sites.
When stores use Bluetooth or other tech to track their customers' movement within their stores, that is also creepy and unethical.
Also "voluntarily" is a complete misnomer as nobody is volunteering for this, a more correct word would be "unwittingly" or possibly "begrudgingly" depending on their level of tech savviness.
Sadly, most publishers are not interested in developing their own proxy solution just for the sake of data privacy. They vastly prefer a ready-made solution that they can just use.
Much of the power of the advertising space comes from people (publishers, consumers and advertisers) generally choosing the path of least resistance. They don't have the technical know-how and they would only acquire it if there were enough benefits. Sadly, privacy is not enough on its own.
I think the solution that can solve all that is when a company acts as a "wall" between consumers and publishers/advertisers. Then, that company can protect the consumer while keeping the user experience as simple as possible.
"Sign in with Apple" is one such solution. But of course, it brings its own (different) downsides.
You're hitting the nail on the head.
I'm not against the website owners seeing what I do on their website.
What I am against is what other parties are able to do with the data when sold.
They're able to correlate website visits with specific businesses and linkedin profiles.
They are at least quite able to correlate these. Tracking TV advertising's impact is relatively easy and straightforward. Same for out of home advertising. And with a bit more effort attribution to newspaper/magazine advertising is also possible.
But. It often isn't necessary. More often than not these forms of advertising are not direct marketing. They don't necessarily have a call to action. They are a branding asset. And brand awareness is measured differently. With different means.
So while you can and should measure the direct impact, this isn't the main focus.
The same way response and conversion rates on direct marketing efforts were meticulously measured long before the internet. There were even AB tests being run on mailings (snail mail) on test flights to identify the campaigns with the best ROI.
I have a booklet from 1978, the year I was born, explaining AB testing for direct marketing campaigns.
Except for the speed, nothing changed. Nowadays we only have more intrusive tracking methods if we decide to go that route. But the underlying methods (statistics, measuring success, et al) have not significantly changed.
>The problem imho isn't GTM (Google Tagmanager) running as proxy. This would (or at least could) be a data privacy win if done ethically. At least under one imho essential condition: I could be able to run the proxy on any infrastructure that I like. Not only on Google's cloud offering.
Yup that is where rubber meets the road. Would like to offer google as little data as possible. And use as little google products as possible on the web and internet.
Sibling comment shares this link, but you can run this in your own infrastructure (this is actually how Segment does server-side publishing to Google Analytics, because until very recently there hasn't been a proper API for it): https://developers.google.com/tag-platform/tag-manager/serve...
While I agree with the ethical matter, from what I understand Google offered some form of server-side analytics APIs since ages[0]. I know, this is different from this new GTM server-side thing, but nonetheless it already offered technical ways of proxy-tracking data with whatever infrastructure available, also circumventing ad-blockers.
This to say that this server-side approach is nothing totally new. I'm sure some big business already implemented it, you can't just easily notice it everywhere like the client-side counterpart. The difference here is that now Google has tinkered some ready made solution, using its own infrastructure.
Maybe it's also a matter of convenience: It has always been mostly trivial to setup some JS to collect this data (often, as easy as just pasting a single script tag in your HTML). Once you need App Engine, DNS setup, etc not every business will likely jump into all this technical burden, and this could slow the adoption of the whole server-side tracking.
Impossible. All marketing is inherently unethical. At best it's got massive conflicts of interest everywhere: who trusts the opinion of someone who's being paid to say good things about a product or service? I want to talk to real humans with real experiences and real opinions, not paid for ads and testimonials.
Marketing at its worst is kind of an undefined thing because they reach new lows every day, there's no limit they won't cross. It's gotten to the point I consider advertising to be abuse if not mind rape. We don't tolerate people assuming they have arbitrary access to our bodies, and our attention and cognition are absolutely part of our bodies and deserving of respect.
On the conversion tracking point, because I just wrote a privacy policy section on this: I just send the conversion event for the ad, but the advertiser almost certainly has all the user info tied to that already, right? I can say "not my department" but still.
Of course facebook would prefer you just send it all app events, in perpetuity, just in case.
Similarly, I want to be able to show my users ads. They're not really bad ads, but otherwise I lose money on providing service. And then we risk the "youtube paradox": keep showing more ads to your ad watching users so they subsidize the growing number of ad blockers, but this causes more to use ad blockers so show even more ads.
Can't you just switch out the users for bots that watch the ads without adblockers and then gradually switch out the content for ads to keep the growing number of bots busy? That way you can also show really bad ads without anyone complaining. win win.
>ethical data collection
Oxymoron. Hence your need to prefix 'ethical'.
>ethically
>ethically
I am overdosing reading your post; rationalise it however you wish, you're well aware of what you're doing and it's clear no comment I could make would change your mind.
This! The most valuable information is collected via classic communication! We include basic opt-in tracking (selectable in our installer) to get information about basic usage untangled to certain users. While this is just a statistical overview, it shows to us which parts of our software get used only for the customers who activated this kind of tracking.
The most valuable information we get is through our forum which is open to everyone regardless of whether tracking is activated or not.
Most companies do both. If just asking users questions was strictly better than passive tracking, that's probably all they'd do - analytics have a real cost to use, that cost wouldn't be paid if the information gathered was useless.
But, people are pretty remarkably bad at asking for things. It's mostly the "better horse" problem. People ask for fixes to proximal issues (make this faster, cheaper, better) and not the big things.
In my own product, we use gtm to understand where in our sign up funnel people fall off. It is a complicated product and a complicated sign up flow. Since people who fall out of the funnel are unreachable, we can't just ask them why. But we can observe that (say) 40% of users bounce off of step X, so let's make that step easier.
I read the original article back when it was published in November 2020[0]. This is what led me to introduce new static network filter options:
- strict1p, strict3p [1]
- header=, experimental, disabled by default [2]
I used Simo Ahava's blog as test case, and with these new options, I could craft a filter to block the Google Tag Manager script on Simo Ahava's blog. However due to the lack of more test cases, no more progress has been made about this since then.
Things that stood out to me when reading about all this:
Simo Ahava refers to the CNAME approach as "vulnerable"[3]:
> This way you’ll be instructed to use A/AAAA DNS records rather than the vulnerable CNAME alias
"Vulnerable" to what? To uncloaking as I understand it, and by extension, "vulnerable" to users taking steps to protect their privacy.
Whether the very experimental solution in uBO ends up working or not, this case shows very well how Google Chrome's Manifest Version 3 (MV3) put a lid on innovation content-blocking wise: All the new filter options introduced above can't be implemented with declarativeNetRequest.
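The CNAME-versus-A/AAAA point in the comment above, as an added example that is not part of the original thread and is not uBlock Origin's implementation: a request to a first-party subdomain is classified by following its CNAME chain and comparing the canonical name's base domain with the page's. All hostnames, records and function names are constructed for illustration, and the two-label base-domain rule is a simplification of a real public-suffix lookup.

```javascript
// Constructed DNS data (reserved .example/.test names, documentation IP ranges).
const RECORDS = {
  "www.shop.example": { A: ["192.0.2.10"] },
  // Cloaked tracker: first-party name that aliases to a third-party host.
  "metrics.shop.example": { CNAME: "shop-example.collector.tracker.test" },
  "shop-example.collector.tracker.test": { CNAME: "edge.tracker.test" },
  "edge.tracker.test": { A: ["198.51.100.7"] },
  // Server-side proxy published with A records only: no alias to inspect.
  "sgtm.shop.example": { A: ["203.0.113.25"] },
  "cdn.tracker.test": { A: ["198.51.100.8"] },
};

// Assumption: the last two labels are the registrable domain. A real
// blocker would consult the Public Suffix List instead.
function baseDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Follow CNAME records until a name with no alias is reached.
// Gives up on loops, on missing records, or after maxHops aliases.
function canonicalName(host, records, maxHops = 8) {
  let name = host.toLowerCase();
  const chain = [name];
  for (let i = 0; i < maxHops; i++) {
    const rec = records[name];
    if (!rec || !rec.CNAME) {
      return { name, chain, resolved: Boolean(rec) };
    }
    name = rec.CNAME.toLowerCase();
    if (chain.includes(name)) break; // alias loop
    chain.push(name);
  }
  return { name, chain, resolved: false };
}

// Classify a request made by a page.
//   "third-party"         : hostname already differs, normal filters apply
//   "cloaked-third-party" : first-party name whose CNAME chain leaves the site
//   "first-party"         : nothing in DNS distinguishes it from the site itself
//   "unresolved"          : chain could not be followed to an address record
function classify(pageHost, requestHost, records = RECORDS) {
  const site = baseDomain(pageHost);
  if (baseDomain(requestHost) !== site) {
    return { verdict: "third-party", canonical: requestHost.toLowerCase() };
  }
  const { name, chain, resolved } = canonicalName(requestHost, records);
  if (!resolved) {
    return { verdict: "unresolved", canonical: name, chain };
  }
  if (baseDomain(name) !== site) {
    return { verdict: "cloaked-third-party", canonical: name, chain };
  }
  // An A/AAAA-only proxy such as sgtm.shop.example ends up here: the
  // uncloaking check has no alias to follow, which is why the quoted
  // advice calls CNAME "vulnerable" by comparison.
  return { verdict: "first-party", canonical: name, chain };
}

function demo() {
  const page = "www.shop.example";
  return ["cdn.tracker.test", "metrics.shop.example", "sgtm.shop.example"]
    .map((h) => `${h} -> ${classify(page, h).verdict}`);
}
```

The `first-party` verdict for the A/AAAA case is the limit of DNS-based uncloaking; anything beyond it has to look at the response itself, which is what the experimental `header=` option mentioned above is for.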
Thanks for adding this comment. My immediate reaction when seeing this was that I thought it looked familiar to previous conversations I saw a while back. But I didn't know for sure that they lined up exactly, and I wasn't looking forward to doing the research to find out.
> All the new filter options introduced above can't be implemented with declarativeNetRequest.
My understanding was that stuff like CNAME uncloaking was already unsupported in Chrome[0]. Of course, Manifest V3 won't make the situation any better though.
As someone who has spent a lot of time on both sides of this, I think this is a great outcome, personally.
The most annoying part of ad-tech for me, as a user, was the fact that I was running all sorts of random javascript, any bit of which could blow up performance on my browser.
As someone who used to lead an e-commerce operation, I hated running all of this crap in my users' browsers because I knew it would get blocked randomly or cause hard-to-diagnose errors.
I eventually moved us to basically this approach using a home-grown solution and everyone was happier. It was even more robust because it just used session/cookie data and didn't require running any javascript execution to work.
Isn't it so strange that if you or I were to do these kinds of things to an individual it would be considered creepy cyber stalking but when companies do it they are rewarded?
No reason ad tech companies should have freedom to associate real world data with online data. This seems like the perfect candidate for a US state proposition.. no company engaged in online ad tech may combine or allow any other entity to marry online identities with real life.
Imagine if Google offered a retail solution advertised as “record who came in and out of your house”. They would offer a CCTV for free and run centralized face recognition on everybody visiting. They’d give you a bit of stats, but truly they would aggregate data on where people go and build shadow profiles (supposedly to facilitate ad targeting). And imagine 90% of households were using it.
That's not even the half of it. It's not only building a record of who came in and out, but what they did, where they went, what or who they "engaged" with in the house, and arbitrarily more granular information. And the person visiting your house, on average, has no clue any of this is happening.
You think installing cameras on your own property is stalking? Putting aside that this is legal nonsense, are you saying that the millions of private retail stores, offices, and houses that install security cameras are actually stalking and the majority of citizens that visit grocery stores are stalking victims?
I mean, maybe you do believe that, but it's a little ridiculous to freak out over something that most people do and are used to. At most, it's an extension of the status quo.
Edit: I suppose it's not that ridiculous if you think most of the world is evil, but I am genuinely curious if you believe that.
Individual businesses aren’t stalking anyone if their CCTVs are watching out for themselves. But as soon as there is a centralized company offering the service and gobbling all the data, and that company acts like Google does with regards to web tracking, then it’d be in some sense no better than stalking (or even worse, stalking at scale).
If it only obtains the data to provide you the service of knowing who comes in or out, and deletes the data as soon as it’s not needed anymore, there would be no question; but that’s not where profit is in a double-sided market.
Like ADT? Like a lot of security companies that offer monitoring solutions on behalf of clients, especially smaller businesses and individual homeowners?
"gobbling all the data" is vaguely scary while being totally meaningless. GTM data is fully managed by the client, Google contractually does not randomly spy on it. Many businesses would argue that they do delete user data after they don't need it anymore, but analytics is useful and therefore necessary for a fairly long time (many platforms have natural retention limits, usually a few years). Google themselves deletes user data on their first party products after 18 months by default (referring to things like Web & App activity and Location history) and users can set it as low as 3 months, approximately the same amount of time as security footage.
> You think installing cameras on your own property is stalking?
The moment that someone responded in bad faith was right here.
You know full well that we're talking about the companies that get the data from these devices and what they do with it, not the rubes that these companies trick into buying their stalking products.
You also know full well that ADT is in no way comparable to Google in this discussion given the order of magnitude difference in revenue between the two companies and the extensive integration between the intelligence community and Google.
Key difference is one’s revenue stream (do you profit by selling security system or through data accumulated from your customers).
> Google themselves deletes user data on their first party products after 18 months by default (referring to things like Web & App activity and Location history) and users can set it as low as 3 months, approximately the same amount of time as security footage.
Security footage is not the problem, after all you may want to look back a few days to see who was around at the time something went missing. The problem would be processing footage into data on where each individual goes, storing that and finding various ways to profit off of it. This is not necessary for the core value proposition, and in my opinion is ethically questionable.
Sure, if they don’t store it for long, and especially if they comply with GDPR, that would help. However, I’m not deeply familiar with this, but I suspect they can easily claim that they don’t store data on you and don’t need to delete it simply by storing it in a way not obviously connected to your identity—even if this connection is very easy to make at any point.
So this is only a problem if the person thinking of visiting their neighbors' or friends' house has an issue with it. Why can't I install such a system if I want to? Why does it matter that 90% of households use this system?
In fact, because 90% of households use this system, doesn't that mean society at large agrees that this is an OK thing to have? We all opt for wearing clothes only because society at large has agreed that wearing clothes is a requirement; there is no law of nature mandating this, and select small groups of people congregate in nudist colonies to escape from this societal requirement. Even on the non-private side, if I don't like clothes, why should I be forced to enter government buildings (for official government business such as court appearances) with them on? Surely society shouldn't be forced to make accommodations for me, just because I have a different opinion on these topics. If 90% of households did in fact use such a system, it would be the new normal because it's a nearly universal collective opinion on the technology. A society almost never caters to those that are the ultra-minority if it inconveniences the 90% or directly challenges the 90%'s own freedoms and choices when it comes to their lives, especially when that's in regards to something as low-impact as what sort of privacy visitors to a residence have while on that property.
Yes. Slavery was OK in the US for a long while. If things hadn't been done to get this changed in the US, it would still be seen as an OK thing to do, and in reality no higher power or law of nature would stop that, even in $current_year - evidenced by how worldwide modern slavery/forced labor is still going strong[0].
My point is that there is no correct moral compass, no general rule as to what behavior is good or evil and no arbitrator that will correct the wrongs humans are doing in the world. Society is only governed by itself, and thus a 'supermajority' of ideals is what will reign over the superminority in terms of law and general consensus. If society accepts and encourages one company to control an absolute record of human movement and presence, it's not going to be stopped and that majority isn't going to cater to the small portion of society that doesn't agree.
I find it hard to believe that no Persian Gulf countries made that list. I was under impression that most of the manual labour workforce in places like UAE, Saudi Arabia, Qatar and Kuwait are slaves imported from the Indian subcontinent.
Not the guy you're responding to, but this trap question seemed like you either misunderstood their comment or are unintentionally putting words in their mouth.
Their comment explicitly subscribes to a form of ethical relativism [1], which argues that there is no universal concept of "morally right" or "morally wrong", and that morals are determined solely by the society judging them at that time.
[1] >Ethical relativism is the theory that holds that morality is relative to the norms of one's culture. That is, whether an action is right or wrong depends on the moral norms of the society in which it is practiced. The same action may be morally right in one society but be morally wrong in another. For the ethical relativist, there are no universal moral standards -- standards that can be universally applied to all peoples at all times. The only moral standards against which a society's practices can be judged are its own. If ethical relativism is correct, there can be no common framework for resolving moral disputes or for reaching agreement on ethical matters among members of different societies.
It is not a particularly helpful take in an ethical debate (which this whole privacy thread is) outside of making a populist argument ("if everyone thinks X is morally acceptable, then it is; who are you to say it's not?").
That said, I'm not sure I'd want to make the loaded comparison of equating "taking notes of who does what in your house" to slavery. One of these things is very clearly significantly worse than the other.
Right, I'm saying moral relativism ends up in unacceptable or at least widely not accepted answers as soon as you apply it to charged topics. It sounded to me like they were making a relativism argument, and I wanted to highlight this - to give them the opportunity to avoid saying that slavery is acceptable (even in the past) - while at the same time warning them against walking into this position unintentionally.
I'm not saying it should be unacceptable, relativism is an interesting position with some upsides, such as that the future, if relativist, will not judge us harshly for our undoubtedly manifold transgressions by their standard, but "slavery was okay actually" is still something that one should, if at all, say with deliberate intent, not as an accidental implication.
edit: To clarify my own view, I think that inasmuch as we now think that slavery was wrong, we have gained understanding - that slavery was just as wrong at the time, at least that it followed from moral precepts that were already believed, but this fact was obscured by the social and economic reality that people lived in. Evidence for this would be that people were already arriving at the view that slavery was wrong based on reasoning that matches, in hindsight, our own.
A good candidate for a similar moral mistake that we'd be making is, of course, the meat industry - meat is tasty and vegetarianism is effort. But I would expect the future to condemn meat-eating for the same reasons that vegetarians today condemn meat-eating, indicating moral progress (or at least technological progress reducing moral effort) rather than value drift.
I'm not sure that morality always works that way, to be clear, but I do think it works that way in these specific cases.
I'm gonna take an adversarial point of view here. Wrong is wrong, and the magnitudes aren't really comparable at the resolution of the individual. At the maximum, according to Statista, there were about 4mn slaves. There are about 5bn people online, out of what is projected to be 8bn. While there are certainly cultural boundaries, that 5bn almost certainly interfaces with Google. So taking a step back and looking at the magnitude implied by the scale, and the outsized power of Google in virtually every facet of society, I wonder if it really is stepping out of line. Keyword dragnets, indefensible tracking... What's next?
Purely numerically comparing it, assuming slavery counts as a life spent in suffering, and there's a 1:1000 factor, given a forty year life expectancy, Google must cause the equivalent of 14 slavery-equivalent-suffering-days or more to be worse.
How many days of back-breaking labor and abuse would you put in to get freedom from Google tracking for the rest of your life? For me at three days, it'd be arguable; three weeks would be a stretch. (Of course, I have no actual experience to compare.)
It's more like Target, Walmart, and Best Buy recording everything you do in the store (where your eyes go, what you say to your spouse, etc.) and then selling that information to random companies you've never interacted with, including each other.
Together, they can create a comprehensive log of everything you do outside (and inside!) your house and secretly sell it.
This isn't even an analogy. With Alexa and Google Home, we should expect that it's literally happening.
Why does selling the data matter? If it's fine to collect but not sell it, people would already be fine with Google Ads tracking as Google is solely in possession of that data and will never sell it, lest their competitors gain an edge by out-header-bidding Google (offering higher profit margins to sites) with Google's own user data.
It is somewhat galling for your private behavior to be monetized.
But you're right that the selling itself is not the core issue. The core issue is that it's being shared. The monetization is an incentive to share, and that's where the problem lies.
By contrast, think about your doctor: they can't legally sell your private data. If they share it with anyone, it is for the express purpose of helping you, their patient. No problem there! My doctor shares my data with their lab testing partners and cloud vendor, and it doesn't bother me at all.
Now imagine if my doctor could legally sell my data to anyone and make even more money from me. We know with 100% certainty that every hospital would sell that data far and wide.
This is what adtech firms are doing, just with (slightly) less sensitive data than my doctor has.
> By contrast, think about your doctor: they can't legally sell your private data.
This is not a reasonable comparison. You choose to tell the doctor private information because of patient-doctor confidentiality. The other type of “private information” is collected by observing you in public (e.g. in a Walmart).
> You choose to tell the doctor private information because of patient-doctor confidentiality. The other type of “private information” is collected by observing you in public (e.g. in a Walmart).
I think this distinction is irrelevant. The salient questions are:
- Is this information private and potentially damaging to me?
- Do I expect [third party] to have access to it?
This is especially important if [third party] can be a government. In the massive web of interconnected buyers/sellers of adtech data, there is no reason to expect that oppressive governments will be unable to get anything they want.
But to address your point:
I absolutely do not expect "observing in a public place" to include personal conversations and/or data about exactly what products my eyes land on.
And leave a webcam on the door of every single person I'm professionally engaged with, to record their visitors? Use it to understand where each of those persons spends all of their time, to the best of my capability? Learn who has what vices, and sell that information (or a service to employ it) to anyone who would take advantage?
I would love to leave all of the blinds on the windows in my home open all time, but I live in a neighborhood. The price I pay for privacy is the cost of the blinds and the action of closing them when I want privacy. When those blinds are closed, it is not in any way acceptable for anyone to come along and try to find a way to see around or through them, even if they're trying to sell something.
Nobody would be harmed in the above example any more than they would be by having their privacy violated online. Nobody is physically harmed, or had their property stolen. They wouldn't even be inconvenienced in any way, so long as they are unaware of the intrusion.
Now for a personal experience that stuck with me and helped shape my views on privacy:
Many years ago I walked in on my girlfriend in the bathroom, and she asked me to leave. I was going for something in the medicine cabinet and thinking she just didn't want me to see her on the toilet, I replied "I don't mind" and continued toward the cabinet. She exclaimed "But I do!".
Of course, she was right and I was wrong, because privacy is about respecting the individual's desire for it.
Hire a bunch of PIs to follow and publicly report on all the movements and actions of every exec you can manage at Google, Facebook, and smaller/shadier ad companies
Actually it would be more like a company recording what (physical) mail you read, when you read it, where you were when you read it, how long you read it, where you looked at on the paper, etc. You request data, they send it to you.
For example, ad blocking is more akin to paying someone to cut advertisements out of a magazine before you read it.
Blocking or feigning responses to particular remote APIs is still better than having to run a bunch of random tracking JS snippets, because without one of them a page just errors out.
I have mixed feelings about it, even just as a user. There are two reasons people block tracking scripts: 1) privacy, and 2) to stem the deluge of crap that marketing departments dump onto the page, harming performance (both load-time and otherwise) [1].
This basically gives everyone the benefit of #2, even if they don't or can't use an ad blocker. That's pretty cool, in isolation. But of course it also makes it much harder to accomplish #1.
[1] I've seen React-based websites with literally 10x as much JavaScript (by weight) coming in from GTM and other third-party marketing vendors, as the amount powering the actual app functionality. This happens (partly) because every single ad provider has you load their own arbitrary JS bundle onto the page, just so they can measure conversions. This is obscenely inefficient (and frankly, even though it makes things easier to block, in some ways it's potentially a lot more insecure/privacy-invading). People on here complain about frameworks ruining web performance, but in reality GTM is far more responsible (or has been, so far).
All that random crap will still run in your browser though.
The important thing here is that Google are asking users to proxy scripts from a Google server via a subdomain of their site. That's relatively trivial to do as far as the code and config goes, and not costly for the user or for Google. The advantage to the site and Google is that those scripts now look like first party files; Google are using a first-party subdomain to subvert the Same Origin Policy via a proxy.
Every other tracking and ad service will set up the same thing. The reason it hasn't happened in the past is because it was hard to configure. Google are giving every other service the gift of explaining how to do it to users. Going to a website that had 50 tracking bugs from 50 domains will now have 50 tracking bugs from 50 Same Origin Policy allowed subdomains, all unique to that site, and all different so blockers will have a much harder time working out what to block.
The code that runs in the browser doesn't change. The only difference is where it appears to originate from.
That’s inaccurate. You do still need to run a client side GTM script that adds event listeners for specific actions (like “clicks purchase button”). This is then sent to a server side container with whatever first party identifier the site may have (3rd party IDs aren’t supported as there’s no 3rd party cookies from Facebook and the like). From there a server to server network request is made to whatever tracking platforms (GA, Google Campaign Manager, etc).
Most of the tracking script these days is well written, at least the Google and Facebook libraries, so they generally don’t affect page performance, but some of the smaller players have script that can slow down performance.
With server side GTM, only its client side component needs to run, everything else will be server side.
Citing adblock feels like clickbait. Google Tag Manager can't run ads so I don't follow the comparison. Marketing analytics could always side-step anti-adblocking tools through server-side tracking.
GTM is still GTM and can be trivially blocked; the container itself isn't moving server-side.
It's just gained the ability to proxy data to third parties instead of needing to load scripts for every tracker. This is better for performance, and should be explicitly in control of exactly what data is passed on to where.
All you really lose is the ability to block a subset of analytics scripts selectively.
How are you going to block it "trivially" if you don't know which script to block? They recommend changing the name of the GTM script, and paired with changing the content slightly, you won't be able to tell which script is GTM and which is actually important to the functioning of the site.
Where does Google recommend changing the name of the script? The author claims that they do, but their link just recommends self-hosting the script. In Google's recommended JS, the path is exactly the same, only the hostname is different ("www.googletagmanager.com" replaced with "<DOMAIN NAME>").
Self-hosting by itself might make blocking marginally more difficult, but there are other reasons to do it:
- Browsers these days segment caches by origin, so there's no caching benefit to using Google as a CDN.
- With HTTP2, a first-party request is likely to immediately go through an existing (multiplexed) connection, saving a handshake.
This was my exact thought when I wrote that comment. Then I remembered Manifest v3.
ITP, ETP, and plugins that can block requests based on heuristics will make pretty short work of this. In Chrome, come Manifest v3, plugins won't be allowed to.
So... this is all uglier and more complicated than I thought.
So they need to change the first couple bytes then, automatically.
Essentially I don't understand how free adblocking lists could possibly defeat advertisers or trackers if they truly cared about them: simply have a system running with the latest adblock lists against their test site, and if it is able to filter them, have an engineer make a modification—or have the system automatically pull up a pre-made modification or even generate a new one. In addition, the content-driving JS and the site JS could be bundled in one and obfuscated.
Best functioning filters are secret ones and thus only the technically minded minority has access to them.
Adblockers block ads and tracking, if the new gtag manager makes it easier to defeat the tracking protections of an ad blocker then it seems accurate.
I think the key thing here is that ad/tracking blockers often rely on domains or requests being 3rd party. In the past it was more work to hide the 3rd party trackers as 1st party, this makes it easy so it's more likely to happen now.
Saying that Adblock users want it 100% to block ads and 0% to protect their privacy is a misleadingly narrow analysis, even this use isn’t completely effective.
Server side tracking based on what, server access logs? That's not particularly helpful compared to the info you get with clientside analytics libraries.
No, the gtag in the browser sends all the data to the server-side proxy. Then on the server-side config you can pick which parts of the data to share with 3rd parties. So there is still client side data capture, it's just reduced to one component capturing the data.
Pretty sure a big ban hammer is coming for Google with all such shenanigans, especially in trigger happy places like Europe and India who don't like their citizens tracked and are happy to create legislative bans.
So you may win the cat and mouse adblock game but what are you gonna do when countries start making it illegal to use GA? (1)
I can't wait for this to happen. Personally I think we just need to ban all targeted advertising based on viewer profiles, even session data such as IP and geo-location. This in turn should severely limit or destroy business models based on optimizing for engagement, as non-paying users are no longer profitable. It's going to cost a lot of people in ad-tech their jobs, but there is no shortage of demand for IT work, so surely they'll find something else to do.
The other day I learned from an ad that my favorite 6 year old Bergans jacket can be repaired at a shop next to where I work for a price that is next to nothing.
We also need to include hefty fines for handing data to Google and their ilk behind the back of users. It is required, but not sufficient to ban businesses like ad and spy business of Google.
> The default server-side tagging deployment is hosted on an App Engine domain. We recommend that you modify the deployment to use a subdomain of your website instead.
The reason is simple: it creates a denial of service attack on DNS block lists used by things like Pi-Hole and NextDNS. Sure, Google knows that some of the subdomains will be blocked for some block lists... but the vast majority won't be blocked on the vast majority of block lists.
Looks like the only sane thing to do is to block routes to GAFAM AS directly on your router instead of relying on DNS tricks. I knew people doing that over ten years ago and i thought they were kind of crazy, but in retrospect they were right all along.
What if your website is hosted by Google Cloud Engine or AWS, should we block it? I certainly would. Please find a decent host that does not use their customers as human shield/leverage to engage in criminal conspiracies against privacy.
Maybe this will drive people back to Firefox? It's a perfect opportunity for Mozilla to do a marketing drive... oh, wait, they are busy partnering with Facebook (er, Meta) to do advertising stuff. Sigh.
If only some (former?) Mozilla workers set up a workers coop that relies solely on donations to produce a decent web browser... Something like what The Document Foundation did for Libreoffice sounds like a good economic model.
I'd be more than happy to donate 10€/month (though i'm really not rich) to keep business incentives outside of the web in at least one well-supported browser. I'm sure there's other likeminded folks. But donating money to help COs and managers make in a month what i make in several years*? Never.
EDIT: Just to be clear i'm explicitly not talking about Brave which is an advertisement company investing in so-called cryptocurrencies, both of which is a redflag for a web browser (although they have some cool tech to showcase).
Blocking all GCP and AWS hosted sites is about as effective as turning off all javascript. It reduces the usable set of sites on the web to basically worthlessness.
I've found the web to be very enjoyable without Javascript. Some sites don't work but fortunately they're usually of the SEO-clickbait kind without any sort of interesting content. I'm already blocked by many providers for using tor, which is a redflag for abusive behavior on their part.
I just wish we had a manifesto, automated test suite, and dedicated search engine for websites that respect their users.
It is clear Google is finally feeling the hurt from adblockers and the like. That means we are winning. Google knows it's not what people want, but they clearly do not care. In my opinion, if you work for Google on things like this, you are equally to blame. You have Google on your CV, you can easily go elsewhere and find a decent job.
Having said that, uBlock Origin, and I'm assuming other similar extensions, offer inline script filtering. The code being served has to have some common code since it's all coming from a single org. What is stopping a filter that includes a filter like this?
The issue obviously being that this still prevents DNS filters from blocking Google, which is equally a big issue. Assuming the scripts indeed have some common code that can be blocked, perhaps this is where we start crowdsource filters. Something that runs in the background, and inspects scripts, which then gets posted to a server, validated automatically, and then later served as a block list that anyone can download.
Yes a Google employee could go work elsewhere. But is there an equally well paid position at a more ethical company? As far as I can tell, all FANGs are as unethical as each other
I don't understand the reasoning here. How does being paid more justify unethical acting? Especially since you are getting by very very well in the tech industry in general. Isn't that like saying "I'm kicking puppies all day, but it's paying enough to finance the second Lamborghini, so how could I decide against it"?
(If you were referring to moral offsetting, that could indeed work, assuming you donate enough to charities, but your post didn't sound like that.)
> How does being paid more justify unethical acting?
Honestly, it doesn't. But trying to appeal to someone already working in an unethical position isn't going to work - that person themselves is unethical. Like most things, the driving force will be down to economics and prestige. What else is keeping that employee at Google? I doubt it is loyalty
There are no perfect outcomes in life - if you're going to make an ethical decision then more often than not you'll have to compromise elsewhere. Another example would be cheap goods that come at an ethical and/or environmental cost - you'll usually have to pay extra to avoid those because the bad behaviour is what allows companies to keep costs down.
In some sense, FAANG employees are being paid extra to look the other way.
Note that the Google announcement in question was August 2020. This didn't seem to make any significant changes to the ad-block space when it rolled out, and pretty much every site is still running the Javascript frontend.
Using Google Tag Manager doesn't mean you are using the server-side tagging. You have to configure it in your account. It is something you have to pay for. If you read the instructions on https://developers.google.com/tag-platform/tag-manager/serve... you have to have GCP billing setup to pay for the App Engine instance running the server-side tagging proxy.
Thx for the explanation. Btw, do you think server side GTM can let Adsense bypass the adblocker, since that is what is claimed in the article? Though after Googling a bit, I can't find a single article/video about this.
Somewhat. Some of the tracking protections center around 1st party vs 3rd party. If the site owner takes the time to configure the DNS records for this server-side proxy then the page is only communicating with 1st party domains so that protection is gone.
Next, ad blocker components often target various parts of the URL. By hosting on your own domain the domain name matching patterns that would be used for blocking no longer apply. But the ad blockers can also use just the path or file name portion of the URL to block on.
Easylist has a set of lists that are commonly used by ad blockers such as UBlock Origin. The tracking/privacy centric list is https://easylist.to/easylist/easyprivacy.txt which I'm using in UBlock Origin. If you look at it there are lines like '/gtag.js' which might match on the name of the JavaScript file and still block it.
Of course site owners might change the name of their script files to a non-default name making it harder to detect.
The next step in the arms race would be having more dynamic names for the files and URLs. You could rotate the names of the scripts and endpoints automatically at which point the adblockers would have to perform content inspection or some other strategy which is more resource intensive.
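The first-party versus third-party point from the comment above, as an added JavaScript example that is not part of the thread or of any blocker's own code: a simplified matcher for three Adblock-Plus-style rule shapes, run against constructed URLs. The hostnames, the renamed script path and the helper names are assumptions; `/gtag.js` is the path pattern quoted above.

```javascript
// Simplified filter matcher (added example; not uBlock Origin's engine).
// Supported rule shapes:
//   ||host^               block a hostname and its subdomains
//   ||host^$third-party   same, but only for third-party requests
//   /path-fragment        substring match on the request path + query

// Naive "site" = last two hostname labels. Assumption for brevity:
// real blockers use the Public Suffix List for this.
function siteOf(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

function parseRule(line) {
  const [pattern, options = ''] = line.split('$');
  const thirdPartyOnly = options.split(',').includes('third-party');
  if (pattern.startsWith('||')) {
    const host = pattern.slice(2).replace(/\^$/, '');
    return { kind: 'host', host, thirdPartyOnly, raw: line };
  }
  return { kind: 'path', fragment: pattern, thirdPartyOnly, raw: line };
}

function matchRule(rule, pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  const isThirdParty = siteOf(page.hostname) !== siteOf(req.hostname);
  if (rule.thirdPartyOnly && !isThirdParty) return false;
  if (rule.kind === 'host') {
    return req.hostname === rule.host ||
           req.hostname.endsWith('.' + rule.host);
  }
  return (req.pathname + req.search).includes(rule.fragment);
}

// Returns the text of the first rule that blocks the request, or null.
function firstMatch(rules, pageUrl, requestUrl) {
  const hit = rules.find((r) => matchRule(r, pageUrl, requestUrl));
  return hit ? hit.raw : null;
}

// Constructed rule set: one domain rule, one path rule.
const RULES = [
  '||googletagmanager.com^$third-party',
  '/gtag.js',
].map(parseRule);

// Constructed page and request URLs (sample data, not captured traffic).
const PAGE = 'https://www.shop.example/checkout';
const REQUESTS = {
  // Script loaded from the vendor's own hostname.
  thirdParty: 'https://www.googletagmanager.com/gtag.js?id=G-CONSTRUCTED',
  // Same path served from a subdomain of the site itself.
  proxied: 'https://metrics.shop.example/gtag.js?id=G-CONSTRUCTED',
  // First-party subdomain and a renamed file (hypothetical name).
  renamed: 'https://metrics.shop.example/assets/app-core.js',
};

function evaluate() {
  const out = {};
  for (const [name, url] of Object.entries(REQUESTS)) {
    out[name] = firstMatch(RULES, PAGE, url);
  }
  return out;
}

console.log(evaluate());
```

The domain rule only catches the first request, the path rule still catches the proxied one, and the renamed script matches neither, which is the point at which a blocker has to fall back to content inspection.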
Server-side tracking has been around for a while (indeed this article is dated Nov 15, 2020; and of course, you could argue simply parsing your Apache/nginx logs to get visitor stats has existed forever). The article I think conflates several different pieces.
There's probably a few actual use cases marketers may care about for tagging/tracking/analytics:
1. Simplest: I want to know how many people use my site/app, how many come back, how many are real (not bots), which pages are popular, etc. I'd like to see all this in a nice UI where I can cut and filter the data.
2. Same as #1, but I'd like to do it across devices. Still all within my own site/app, but simply connecting a non-logged in session across desktop and mobile web. Google and FB probably have the largest available dataset on this.
3. I'd like to enrich all this information with data from other sources, for example to target ads, serve ads, etc.
Site owners/marketers then try and tackle these in a few ways, the first 3 equally bad:
1. Just dump a bunch of scripts into your site (GA, FB, Segment, whatever). Pros: easy. Cons: very easily blocked, so your data is super biased.
2. Self host some of these scripts, or CNAME them. Pros: maybe a bit better for performance? Cons: still rather easily blocked with content signatures etc. A nightmare to ensure consistency if self-hosting.
3. Run your own JS that sends events to your server, and then your server fans out to whomever. Pros: much harder to block, and likely quite performant. Cons: it's unlikely your self built lib is going to give all the same 'features' as GA (features meaning device fingerprinting and so on).
4. Just get everything from HTTP logs. Pros: very performant, can't be blocked. Cons: much more limited data to work with.
Personally, I think #4 is the future (and also where we started 20 years ago). What I don't think anyone is doing yet is relaying that data out to all the other parts of the stack: GA, FB, Mixpanel, whatever. If you could solve both - giving users privacy and performance and giving marketers the same tools they're used to - sounds like a win. You might argue "well we'd be missing a bunch of user data", but you're already missing it with adblockers and iOS privacy features.
1) can be done trivially with first party cookies.
2) you can already tell what device someone is using. If you mean “I want to know if the same person is on different devices” get them to login, don’t try to effectively spy while also providing google etc with the ability to actually spy
3) you cannot know how to target ads on a per user basis unless you are spying on your users. You have no justification that supports a claim to such information.
Yea, I think we're saying the same thing. Ultimately both the best choice (for privacy, performance etc.) and the one that's most likely (given adblockers and an ever increasing push for privacy from browsers and OSs) is to stop trying to find a way around adblockers, and simply invest in the technologies that work - http, cookies, sessions, logins, and so on.
I think some of the whiplash in the market isn't just the tit for tat battle with ad blockers and regulators but the realization that there's so much useless data being collected. The best data we get is first party (ie things people click or type into forms on our sites) or qualitative feedback from surveys. GA and GTM are valuable tools for us but Google's network isn't really.
Yea. Though, GA does (at least) two things: analyzes your own data, and, uses the data they collect from all their other sites to improve your experience via better bot detection, recommendations, insights. Google's network is useful, like it or not, for a) their cross device graph - they know which mobile devices and which desktop browsers are the same user (ish) and b) from that, building better MTA models than you can with pure first-party data - especially if most of your traffic isn't logged in.
But I agree, the future is pointing toward a world where privacy and empowerment is more in the hands of the user, and that's a good thing.
This article and thread got me to just install NoScript finally and start using it. It's not only part of an adblocking regime, but also am sick of the persistent nagging over consent walls (me being in Europe), adblocker walls, etc. If the content is meaningful enough, I'll subscribe (like my local newspaper, my only news subscription.)
Simple JS and site analytics is perfectly fine for me (and to be fair, not just because I work on analytics software myself, site analytics is a useful tool), but having it bundled in with constant nagging on top of heavily bloated sites and pointless (and sometimes slightly offensive) advertising that even leaks through adblocking gets on my nerves a lot.
I am not sure OP has the proper background to discuss blocking ad+tracking techniques. Such utilities do a lot more than blocking domains. Blocking domains is just first step as it's the simplest and cheapest win. Signatures/Content inspection being sent can go a long way and can accurately identify patterns.
So long as we're on the topic of fighting ad targeting... if you've never heard of uBlock Origin, you should get it. It's probably the reason YouTube still thinks I'm Hispanic.
The current version doesn't but there's not really a reason to believe it can't be updated. I think the author overstates the complexity of documenting these proxies and URLs for sites that run them.
You're going to lose this cat-and-mouse game, it's the same one that gets played with malware C2 domains (except it's worse because both the proxy operator and the actual domain operator are colluding). Add in the zero-cost nature of subdomains as opposed to needing to pay for new DGA root domains and the fact that they can run the whole thing behind e.g. cloudflare to prevent IP blocking? Forget about it.
History is full of sentiments like that, from power structures that were never able to stop subversion. The game itself is perpetual, so there's always another turn coming.
Google’s recommending that people set a A record in their own domain for the server, and change the name of the script. Given this, documenting such proxies and URLs and maintaining that documentation doesn’t seem practical.
On the other hand, I wonder if you could just block all IP addresses associated with google, or those associated with their cloud/app engine? I suppose that could be handled at the firewall maybe? Are there ASNs google uses specifically for their app engine and cloud computing resources? Others have mentioned that a lot of government agencies rely on google app engine, but it’d be nice to kill all traffic to/from anything google.
I am fascinated that the popular press has described this as Google adding privacy (which is how google describes it of course) where really it’s a massive escalation of their spying network.
Well it sounds like they're plugging the RCE hole in how ads operate which is even better. That's the real elephant in the room which no one seems to be talking about. With all these zero click exploits I don't want an entire industry to exist that's dedicated to people bidding to run code on my computer. If all that bloat is running somewhere else in the cloud and this tag manager is filtering the information they access so that it's actually just boring marketing analytics then I'd imagine it does a lot to help improve the sovereignty of personal spaces.
Since this runs entirely on the domain of the website, it can easily ignore your privacy rights, with Google more or less washing their hands clean of it.
Indeed, if we take blocking trackers as expression of consent, the only possible reason this exists at all is to illegally circumvent privacy preferences.
In other words, if you work for Google, you are literally working for a criminal organization.
How times have changed.
It seems the only possible option to retain privacy rights given to us by law (eg in the EU) is to disable JavaScript and cycle IPs or other fingerprinting features. None of that is realistic.
As a EU citizen, i hope that our ineffectual administration at least tries to fight this somehow. Of course, there is little hope.
It always saddens me to see EU citizens talk in absolutes like that. With some exceptions, and by comparison, we have some of the best governments in the world, and, for all its faults, the EU has been a huge net positive. Perpetuating these overly negative stereotypes just aids populists in replacing our good governance with the other kind that we see all over the world.
I agree. I understand people like to talk in this way to show their emotional connection to the topic, but it’s not very helpful and like you mention, too absolute.
It’s a system in progress, and we need to be invested in its ideals (fair, just, democratic)
Most often such comments come from eastern parts of Europe, where nationalistic movements have a nice resurgence in past few years. A prime example is Czech republic, a very euro-skeptical nation despite all the benefits it brought them. Hungary would be another one.
That being said, as somebody coming from east too and seeing clearly all the direct and indirect benefits of EU, it's far from ideal. The whole concept of central planning resembles old east communist block when soviets forced down our throats whatever they pleased (we had to refuse Marshall's plan, they took all of our uranium reserves for free for which more appropriate term is stealing, and many many other cases) and that's an association many older people have knee-jerk reaction of.
> Most often such comments come from eastern parts of Europe, where nationalistic movements have a nice resurgence in past few years.
I wish people would stop attributing our attitude to nationalistic resurgences.
I’m a globalist and think nationalism and regionalism should be relics of the past and I keep getting put in the same box as nationalists because I am Euro-realist.
With this frame of mind I think the EU politicians are shit at building the foundations for a truly globalized civilization and the current system devalues entire areas of the continent both of natural resources as well as human resources.
It's not realism to believe the EU can't exist within or facilitate your idealised frame of reference (assuming it makes sense and is something people should want), it's just negativity.
> I wish people would stop attributing our attitude to nationalistic resurgences.
Quite frankly nationalistic resurgence is the #1 indicator for "euro realism", so this is a very reasonable stance to take.
Before the whole brexit issue, even most ardent EU supporters would admit that the institution was terribly dysfunctional and would need to be reinvented to survive the next few decades.
The Brexit debate seems to have polarised the whole issue into either you hate the EU and everything it stands for, or you think the EU is perfect and if it wasn't for these damn national governments then we could live in utopia.
Unfortunately my country is no longer part of this project, but I hope that pro-EU people take on board some of the valid criticism of the institution and make the necessary changes. Otherwise, what happened here will inevitably happen elsewhere.
> even most ardent EU supporters would admit that the institution was terribly dysfunctional
That's a mischaracterization. "Most" would have accepted that there was (and is) room for improvement, but "terribly dysfunctional" is an extreme term. The view that the whole institution had to be reinvented has always been a very English idea, based on the fact that some key policies (like agricultural support) benefited other countries over Britain. Most of the continent, much more pragmatically, always understood that the EU is fundamentally a set of compromises that will continue to expand. As such, it can look confusing from a distance, but once you unpack it, the compromises actually make sense (or are the only possible way towards cooperation among such different peoples). Britain benefited hugely from infrastructure support programs, for example.
The EU has always been kept together more by the sheer will of European middle-classes at large, than by this or that particular set of rules. National governments are in a constant state of tension with something that they see as a new competitor for the absolute power they enjoyed for centuries. This will likely continue to be the case for a very long time.
The UK didn't even have the worst public opinion of the EU in Europe on average.
Public polling has generally shown other countries - including Italy, Greece and France - have an approximately similar (or worse) opinion of the EU than we did. There's a significant chance that Sweden would have ended up having a referendum on membership if we hadn't, but how terribly it's gone for us has put off many of the eurosceptics elsewhere. During the worst of the Eurozone crisis, there were many who genuinely thought that the entire bloc would - or should - collapse.
I also think people here do understand it's a set of compromises. The question for many is whether the set of compromises has become too large and unwieldy. The common view of eurosceptics in the UK was that the scope had crept too far, and that we could gain most of the benefits through a normal trade agreement without having to compromise on aspects like agriculture, fisheries, immigration control and ceding control over national law and third party trade. I think so far this is not going well, but it's still an open question.
What you point out about Brits not understanding EU press is touching on a major issue a lot of people had with it: how can a supranational institution taking over national government function be truly democratic if you don't even have a standard language, and can't understand each other's press? A common aspect of countries with poorly functioning democracies is they don't have a common culture or language. Whenever I've needed information about the EU, it's always been difficult to find because the EU websites are poor and the source material is often in French or another language that I can't understand.
I absolutely agree that the compromises are necessary for the EU to function in its current state. However, perhaps the EU scope has become too large given how disparate the members are? If your partner desperately wants to live in Europe and you desperately want to live in the USA, does it really make sense to compromise by living on a boat in the Atlantic? Or is it better to just be friends instead...
> The UK didn't even have the worst public opinion of the EU in Europe on average.
The UK is the only country where significant chunks of the elites kept explicitly advocating for (and are now putting in practice) a future outside the bloc. I'm Italian, and with all the usual complaints about this or that policy, Italian elites have never seriously considered backtracking on the project - because they all realize that the European nation-state is dead meat in the age of continent-sized superpowers. Of course they'll bitch and moan that they can't currency-inflate their way out of economic crisis anymore, but that is it; once Eurozone institutions are tweaked to allow for more fiscal transfers across the Union, as it's slowly happening, there won't be any real reason to leave.
Same basically goes for French elites - with the last humiliation in Mali a painful reminder of their actual standing in this brave new world. The only country with a potential future outside the bloc is Germany, but they benefit from it so much in practice that it's never going to happen.
> how can a supranational institution taking over national government function be truly democratic if you don't even have a standard language
This is really a non-issue, EU institutions employ an army of translators and everything is available in any chosen lingo. The working lingua franca are effectively two, French and English. Any decently-educated European is bilingual, these days, to a decent level.
It's more about insularity of the intellectual and political classes in this or that country. Probably because of the overabundance of cultural production coming from the US, the UK outside London is extremely insular. Pretty much any continental elite-person will consume The Economist and the Financial Times in addition to their local press; whereas the UK intelligentsia hardly ever touches any continental press.
> If your partner desperately wants to live in Europe and you desperately want to live in the USA
When the alternative is being overrun by Russian tanks and American F15, yes, the Atlantic island will have to do. We will all bitch and moan, sure, but we'll get on it.
I don't think the UK is as far from other European countries as you think it is. Our elites, bar, historically, a small contingent of the conservative party, have always been _far_ more pro-EU than the population at large. Indeed, they still are - possibly about 3/4ths of parliament are Europhiles. Eurosceptics were typically political misfits and weirdos, like Farage, Corbyn, Banks, Gove, Wetherspoon and Cummings. BoJo only jumped on the Leave bandwagon as he's an opportunist. Nigel Farage seemingly made it his life goal to separate the UK from the EU and was fairly wealthy, but not even close to the kind of wealth you see on a day to day basis around London, let alone an elite. I personally know far wealthier, more politically connected "elite" pro-EU individuals than Farage. Most business leaders and elites in London, especially those in finance, were solidly pro-EU as their livelihoods were based on it. The EU is arguably the world's largest elite globalist capitalist organisation.
Farage's influence was minimal until he managed to position himself as the leader of the British anti-EU movement, which as far as British political movements go, was as close to a grassroots movement as it gets. Few of the mainstream Conservative political elite were pushing for Brexit until it became increasingly apparent that they were losing votes to UKIP based on the anti-EU sentiment that had been boiling under the surface for the better part of half a century. The nature of our political and voting system is that the two major parties tend to try and placate the extremes to diminish their influence. There's a lot to dislike about how that system works, but historically that has resulted in a relatively stable political system. Once this discontent reached a certain level, Cameron decided to gamble the future of the country to save the Conservative party, thinking they'd easily walk the referendum and kill the grassroots opposition - but despite almost every major mainstream political influence being on the side of remain, leave won.
There is clearly a certain amount of Russian influence, dodgy money and disinformation that pushed us that direction, but honestly I think it's overstated. Without it, maybe it would have gone 52/48 the other way, but clearly it was going to be very close no matter what. The EU has never sat right with a lot of people across the entire political spectrum for many of the same reasons it's unpopular with both the left and right in other European countries. I suspect if France was to have a similar referendum, the results would be similarly uncomfortably close - even if Frexit ultimately lost.
Arguably the main difference between the UK and other European countries is our political mainstream tends to shift more to placate the extremes and stop them becoming a mainstream force in their own right. This is evident in how UKIP/BNP/BXP are now irrelevant again and have no representation, whereas AFD, SD, M5S, RN and others are still significant forces in European politics. I would bet money that if we had a different voting system, Brexit wouldn't have happened. Whether or not our voting system's trade-offs are the correct ones or not is certainly debatable (and I personally vote for voting reform at any opportunity), but our system has served us well throughout history and one must always be careful about changing something so fundamental to a successful democracy.
What also emboldens the UK is that despite no longer being an Empire, it still is a very powerful country in its own right. Irrespective of how much of that power we dumped by leaving the EU, we're still permanent members of the UNSC, members of G7, FVEY, somewhere between #5 and #7 in global GDP, one of the strongest militaries, one of maybe two or three global force projection blue water navies, one of five NPT designated nuclear weapon states, one of the top countries for education, business and media output, have one of the world's two global cities, etc. If Sweden had a similar level of global relevance, the equation there might be substantially different too.
Another reason other countries haven't left the EU is that the EU was intentionally designed to make it hard to leave. This isn't a conspiracy theory, the people who wrote those protocols have stated such. Obviously part of the point of the EU was to make us interdependent so we don't start killing each other again.
> This is really a non-issue, EU institutions employ an army of translators and everything is available in any chosen lingo. The working lingua franca are effectively two, French and English.
Not only is this a huge waste of time (and thus I would argue reduces the overall quality of the output of EU institutions - which is certainly extremely poor compared to UK government resources), the quality of those translations was often questionable. It was not uncommon for me and European friends to find pages where the pages would say something subtly different depending on what translation you were reading.
But I would argue that it's not just about EU institutions, but rather for it to be a strong union you need to have an understanding about the domestic policies, culture and general goings-on within the other countries within the union. The UK has almost no cultural overlap with somewhere like Romania, which makes it hard for British people to accept that level of immigration and integration. Imagine every US state had a different language. Even if they also all spoke English as a second language, it's hard to imagine that would be as strong of a union as it currently is.
And of course, many EU citizens speak other languages, but most commonly they speak their native language, intermediate English and then sometimes a tertiary regional language (e.g. Finns speaking Swedish). NW continental Europe tends to be a bit better, with places like Belgium, Netherlands, Switzerland often being conversational in 3 or 4 languages, but that's not particularly representative of the whole EU. Europe is still very much a continent where people don't understand each other particularly well.
As for the UK intelligentsia not touching European press, bilingual ones certainly do - but in general, why would we? It obviously doesn't make sense to learn German to read BILD. Anything important gets translated into English, and between our own press and the rest of the English speaking world, we have access to more quality media and news than we could possibly hope to consume in our lifetimes. Such is the nature of natively speaking the world's dominant language: no other languages reach a critical level of importance that we generally ever bother to learn them well. Personally speaking, if I was to learn another language, it would be either Spanish or Mandarin, neither of which would probably help me out too much in European matters...
> The view that the whole institution had to be reinvented has always been a very English idea, based on the fact that some key policies (like agricultural support) benefited other countries over Britain.
Most of the important discussions about EU are not held in English. I think a good part of the negative talk about EU in the English speaking sphere comes from English (who have different needs than continental, or eastern Europe) talking with Americans (who understand the EU even less).
A lot of the moderate, compromise analyzing discussions will not be perceptible in English, because it will be held in French, German, Italian, Spanish, etc...
Half of Wales and Scotland was rebuilt with European money that Westminster would not have dispensed otherwise, preferring people in decaying cities to "get on yer bike". If that's a "rounding error", think what the UK government could have achieved before and since, and never bothered to.
> It's not realism to believe the EU can't exist within or facilitate your idealised frame of reference (assuming it makes sense and is something people should want), it's just negativity.
As a citizen of the EU, I am arguing for the debureaucratization of institutions, for capital unlocking in proper ventures, nuclear energy, and the appropriate handling of countries from which human capital is departing faster than some war-torn ones. Frankly, I don't give a damn that some people might perceive this as 'negativity' on a forum when I have (hopefully) an entire life to live under this construct.
> Quite frankly nationalistic resurgence is the #1 indicator for "euro realism", so this is a very reasonable stance to take.
Quite frankly, if you're going to shove me, against evidence, in the nationalist insurgence "euro realism" and then claim it as a reasonable stance to take, I'm not sure where that leaves me in this debate. Argue with your constructed image of me all you want.
> I wish people would stop attributing our attitude to nationalistic resurgences.
Why should we stop? Where I live (NW Europe) this sentiment is almost exclusively echoed by members of the refreshed "neoconservative/nationalistic" right wing parties.
Other parties also have their qualms about government institutions, of course, but for different reasons and expressed with different attitudes.
We should stop because it bothers them that the "clever" ways they try to undermine democracies and the EU aren't that clever at all and easily observable.
It would not be headline news because it doesn't benefit any big capital player.
Continuous support of Germany to autocrats is so widely known it even has a name, stabilocracy meaning that a country is ruled by an autocrat that is favourable to German and by extension EU business.
Most blatant support to that kind of leadership happens to be when the German PM and EU commissioners congratulated Serbia on its EU path often just days after some protest or antidemocratic measures done by the Serbian dictator. Or the support that Quinta gave to constitutional amendments which reinforced the control of the current regime over the judicial branch.
Why would it be headline news? It doesn't benefit any big capital.
Most significant incident was definitely in 2012 when Serbia had tight elections on all levels including parliamentary and presidential elections. The problematic part was that German PM at the time congratulated the new president even before the polls were officially closed. I'm not saying that Germany is the EU but various EU commissioners were not much better over the years, praising Serbian EU path days after controversial anti-democratic actions by the government. Lately this has begun to change but it's a little bit late, Serbian president consolidated power not unlike Orbán or Putin.
All this has contributed to lowest support for EU ascension among Serbian population in a generation.
The EU is probably not at ease adding a lot of "recent democratic" countries.
As shown in Hungary for example, that democracy is still very fragile.
The goal of the EU is to remain a partner for now and see that democracy mature and stabilize. As can be seen that the main economic partners are from Europe.
But they are still very dependent on Russia (more than average) for gas, for example.
Two quick examples would be the left party consider the secret mass surveillance by government entities to be wrong on multiple levels and is continuously criticising the government for it. Another would be that the same group of parties consider the government being too slow to implement carbon taxation and other measures to prevent further damages due to climate change.
Those two words are verbatim what our right-wing parties use to describe the EU as a whole, especially when arguing why we should do our own Brexit and leave the union because we are better on our own.
But that's the phraseology. You specifically mentioned reasons / attitudes.
If this is another "dog whistle" argument, I think you need far more evidence before you smear another user with what you assume their motivations are; it's possible to use terminology borrowed from right-wing parties, language is free to use - and ThalesX has explicitly stated their position.
In Eastern Europe before joining the EU, the most anti EU parties were the "ex"-communist and neomarxist and the conservative parties couldn't wait to get in. There can be 2 explanations why this has changed today.
1. The "ex"-communist and neomarxist parties became enlightened democrats and the conservatives changed to nationalistic anti democrats.
2. Something changed within the EU, which made it a suitable environment for "ex"-communist and neomarxist to thrive in and reminded the conservatives what it was like to live under old communist regimes.
I think the number 2 is the right explanation. The news about undemocratic Poland, Hungary and occasional other eastern-southern countries is mostly spreading through leftist western media by activist reporters who take for granted what their leftist activist colleagues from eastern countries are feeding them. For a person who reads newspapers in both parts of Europe, that fact is painfully obvious. Throw in some leftist activist MPs (like Sophie in 't Veld) and good old geopolitical power struggles and the world quickly becomes black and white (us vs them).
You should also note that across much of Eastern Europe, the "ex"-"communist" and "neomarxist" parties were always either nationalistic and populist (e.g. the PDSR/PSD in Romania) or subservient to Russia. This means that there was a very easy pivot from "communist" parties to far-right ultranationalism, usually with a good dash of oligarchy, authoritarianism, and/or kleptocracy which also characterized the old regimes. There are very few, if any, leftist ideals held by any remnants of the Cold War-era government parties.
Yes, communists never had troubles with nationalism. And communism is by definition a populist ideology. The legendary elusive communist who shapeshifts the moment one points a finger at one (no true communism), is more of an idea of western leftists.
Unfortunately the communist ideals are very much alive and well, especially in those countries where communism arose from within, without an external force.
Well, "communism" in the Eastern Bloc is more appropriately called State Capitalism, it has nothing really to do with the left, socialism or communism.
Maybe you'll get it right next time. Then you'll have true communism, at least until it fails again. Then the kids from the last round of red nobility will call it "capitalism something" and agitate for new true communism again.
If you believe that the USSR (or China, etc.) were actual attempts at socialism or communism, do you also believe they were democracies?
Socialism, by definition, is democratic workers' control of the means of production. A socialist dictatorial state is therefore an oxymoron.
If the state itself is controlled by a violent maniac (Stalin, Mao, etc.), and the state owns and controls every aspect of society, including the means of production of course, then there is simply no logical connection to socialism.
The USSR and China claim(ed) they are democratic and socialist states. The "democratic" part is obviously a lie, and was ever since the beginning, since Lenin stole the revolution - and everyone of course knows this. Why then do people believe the "socialist" part?
I know, every time it fails, it's not true communism.
There was a running joke in communist countries on this subject too:
There was once an important communist dignitary who was treating a sick cow. After the cow died, he said: "What a shame, I had so many more ideas to try!".
If you honestly believe that the workers in a factory under Stalin could decide how much of a good they wanted to produce, or decide if they wanted to increase automation, or even decide if they were allowed to go to the toilet, then you really don't understand how the USSR worked.
The Soviets (factory committees) at best held some sway during the early days of the revolution, before Lenin seized power. By the time Stalin replaced Lenin they were long since just a propaganda tool, hollowed out of any democratic control whatsoever and turned to a simple bureaucratic management unit entirely controlled by the party hierarchy.
It is still socialism, even if it doesn't work as theoreticized. Flat-earthers are still flat-earthers even though their theory doesn't hold up to reality.
> Why should we stop? Where I live (NW Europe) this sentiment is almost exclusively echoed by members of the refreshed "neoconservative/nationalistic" right wing parties.
This is the 2nd post ignoring the fact that I have declared I am, in fact, not a member of such a group. Assuming that I'm lying, you'd be correct in holding your stance. Considering I am not lying, you are basically closing in the door to communication and possible expansions of subject matter from someone that's really not an extremist in any sense of the word.
You might not be formally a member of such groups, but if you are spreading their values and repeating their propaganda, you're working for them.
That would make you a de facto member even if you're not a de iure member.
e: and based on Paradox of Tolerance, shutting down communication with anti-system efforts might be the only way. You can't be tolerant to intolerance, you can't be democratic to anti-democracy, etc.
Mind underlying where I am spreading the values and propaganda of 'refreshed "neoconservative/nationalistic" right wing parties'? I would like to not do such a thing if possible.
I'm quite surprised that so many don't realize that there exists an entire category of people that are not radical, but do hold opinions on some reforms that should be taken, including the quote that started this conversation "our ineffectual administration".
I'm not saying you are. I'm saying that if someone says X and there are groups saying X then expecting that person to be part of that group is kinda normal and not some kind of character assassination.
Speaking of ineffectual administration - I think it might be hard for some people to grasp that any bureaucracy is going to look inefficient. The point of bureaucracy is to replace ad-hoc decision making with a repeatable, documented, audited and justifiable process. Ad-hoc "the dictator decides" is always going to be faster.
> Most often such comments come from eastern parts of Europe, where nationalistic movements have a nice resurgence in past few years.
That kind of gas-lighting should not have a place on HN. That's an unfair and dismissive generalization.
We, Europeans from west and east, center, north and south walked blind into privacy abuse. If awareness coincides with increase of nationalist movement in Europe and US, that is not a correlation.
As if England didn't broadcast its share of fact-free euro-skeptical gaslighting all over Europe. As if their voice wasn't echoed by both PVV and FVD in The Netherlands, FN in France, AFD in Germany or M5S in Italy.
I must echo the other comments in this thread and point out the fact that this sort of generalisation does more harm than good by helping to cement one of the negative stereotypes concerning Eastern Europe (EE) (that somehow they lack the ability or the drive to work towards a more democratic society), which is also not backed by data. According to this 2019 BBC article [0] that looks at where in Europe's political landscape the right-wing nationalists hold sway, 8 out of top 10 countries are in Western Europe (WE). The UK is not on that list (nor other EE countries like Croatia for that matter), but I think it should be.
There's also a noticeable increase in right wing terrorism, which appears to take place more in WE than EE ("measured by overall volume of right-wing terrorism, Germany and Italy, the two former World War II Axis powers, lead the way"), where most targets show that the substantial majority of right-wing terrorist attacks have been aimed at immigrants and Muslims [1]. Possible explanations include the displacement of people from conflict zones like Syria and Afghanistan, but also the fact that most migrants in Europe are economic migrants, which means that they go from less economically developed countries to more developed ones, thus from EE to WE, which is why the rise of nationalism is higher in WE than EE. This, of course, is but speculation on my part, especially since countries like Hungary, Poland and Czechia have behaved rather poorly in this respect, on par with Austria, Italy and the UK.
Plenty to discuss here and there's a lot of information available, but I doubt we can simply point to EE and consider the matter closed, since this seems to be a global phenomenon.
> such comments come from eastern parts of Europe, where nationalistic movements have a nice resurgence
Speaking as an American (and a Swissman), the country that has done the most to undermine the EU has been Germany. First with austerity. Next by hyperventilating over nuclear. Then by implementing the results of said hyperventilation by vacillating over Russia. Almost pathologically, it has been Berlin putting its interests ahead of Europe that has caused Brussels’ stumbles.
If these issues weren’t blocked (nor the common defence and deposit insurance schemes) nationalism in Eastern Europe wouldn’t be as pressing.
True. If you compare Hungary / Poland and for example Ireland and Portugal, the difference couldn't be greater in terms of effectiveness of government.
In fact, I think especially when you look at digital privacy and curbing ever more intrusive tracking practices, the EU has been THE most engaged international body by far. Of course it's a game of cat and mouse, but advertisers will do what advertisers do and when the practice is exposed don't think it'll go unnoticed.
A huge net positive for business, that's for sure. There are currently over 25,000 lobbyists in Brussels and Berlin [1]. As for the citizens, that is up to debate, and highly individual.
Truckers in Sweden, for example, that currently find themselves competing with truckers from all over Europe who also fill the tank in countries with far cheaper gas, can't really be said to enjoy positive gain from the EU [2].
> who also fill the tank in countries with far cheaper gas
So we are talking here about inter-country transport, right? Because I don't think it's very economical to fill up your gas tank in Poland if you're driving deliveries locally inside Sweden? That will probably not be a net-win.
If you are a Swedish company importing from for example Poland you could always let a Polish transport company handle the transport. The EU didn't change much about that. A Swedish trucker driving to Poland could also fill up its truck in Poland with cheap gas.
So what did the EU do that made cheaper gas more of a competitive advantage than it was before?
BTW gas prices are something that Sweden's government themselves handle...
I'm not a trucker, so you would have to ask them about the gas they complain about. But there are other more obvious issues mentioned by the unions by international trucking - they have to compete with companies utilizing slave labour and sometimes even cases of trafficking. Hence my point that benefits of the EU are highly individual. Many have surely won, such as large companies, and many have lost.
>So what did the EU do that made cheaper gas more of a competitive advantage than it was before?
Enable all European truckers to work anywhere.
>BTW gas prices are something that Sweden's government themselves handle...
I don't see how this is relevant to anything said previously, and yes, that is quite obvious.
> I'm not a trucker, so you would have to ask them about the gas they complain about.
You presented it as a (I presume good) example of your point. So I'm asking you because it definitely does not sound logical.
> Enable all european truckers to work anywhere.
That's not an answer to the question what the EU has to do with cheap gas prices in countries like Poland being an issue for a Swedish truck driver. A Polish truck driver working in Sweden is going to bring his own cheap gas from Poland and undercut Swedish transport companies? It just doesn't make sense how that is related to allowing to work everywhere.
The wages could be a problem, sure, but that gap has also been largely plugged [1]. But gas prices...?
> I don't see how this is relevant to anything said previously, and yes, that is quite obvious.
It's relevant because if it's a real problem Sweden can lower taxes on the gas prices in order to remain competitive. That's not something the EU needs to do.
My point is that local politicians are quick to point to the EU. However it wasn't local politicians that managed to for example get the mobile roaming fees gone for good. If you want to have a laugh just look at the UK. Vodafone et al said the roaming costs wouldn't return after Brexit. Yet somehow the roaming costs are back for UK citizens...
I think the underlying problem is that Sweden taxes gas very high, for very good reasons. Poland, being a regressive climate denying conservative place, relatively speaking, lets gas be at a natural price.
In the US trucking companies would just relocate to a state with cheaper gas, but maybe Swedish people don't want to move to Poland, and they also want fossil fuels taxed across the entire EU, so they feel aggrieved.
>You presented it as a (I presume good) example of your point. So I'm asking you because it definitely does not sound logical.
It doesn't sound logical to you that companies based in Sweden who endure some of the highest gas prices in the world do not want to compete with companies based out of Eastern European companies with far cheaper gas - because they could just fill the tank outside of Sweden themselves?
As I said previously, I'm not a trucker myself, so I don't wanna go into the specifics, but that is one reason their union cites among others. And I don't find it THAT hard to imagine that no, it is not as simple as to just fill your tank outside of the country where the competition does.
> but that gap has also been largely plugged [1].
Your source is a proposal, criticized by western unions as mentioned by your own posts. The proposal went through a compromise but is still being challenged in court by Eastern European nations [1]. Anyway it's too late, considering the EU is currently in a trucking crisis, that's what happens when you undercut a workforce for decades and suddenly demand increases rapidly.
>It's relevant because if it's a real problem Sweden can lower taxes on the gas prices in order to remain competitive. That's not something the EU needs to do.
And Sweden has high gas prices to try combat climate change, but it can lower those measures to be able to be competitive with the EU? How does this lead to an overall 'net benefit' through the EU, generally and individually, when the ecosystem collapses?
>My point is that local politicians are quick to point to the EU. However it wasn't local politicians that managed to for example get the mobile roaming fees gone for good. If you want to have a laugh just look at the UK. Vodafone et al said the roaming costs wouldn't return after Brexit. Yet somehow the roaming costs are back for UK citizens...
I was in UK when Brexit came through and I still remember all the headlines about how severe and devastating the consequences were gonna be, yet I've still to see them realize. My question is, in the case of Vodafone, why wouldn't one company just not use roaming costs and undercut the competitors?
I'm not sure this is a convincing example of policy that results in a net negative? It seems to be a positive for truck drivers from other parts of Europe. Maybe for most EU citizens too if it leads to lower transport prices?
Hence the word 'individually'. Great for truckers from poorer countries with weak or no unions sure, and great for companies that get cheaper trucking.
I am not denying that there are problems for truckers in Sweden caused by open borders to other EU-countries and that those problems should be fixed. However, without EU there would probably be a lot less stuff to truck around.
> we accepted two non-democratic countries in EU, Poland and Hungary, and these are the results.
I can't speak for Poland, but the political landscape of Hungary was different when it joined the EU, and the country was by no means considered non-democratic or EU-skeptic.
> They infected all the other countries
The EU was infected by rising inequality and the degradation of purchasing power by the middle class, which is a global issue that gives an opportunity for populists to gain power, and for the population to find scapegoats, like pointing fingers at a foreign country.
Poland's political landscape has also changed since they joined the EU, perhaps in a less spectacular way than in Hungary.
Both countries are democracies, current leaders were elected in democratic elections.
It's the adherence to the rule of law that's an issue in both cases.
I don't think it's fair to put Poland and Hungary in that basket. It's not like they were like this when they joined the EU. They slowly drifted towards anti-EU sentiment over the years thanks to populist politicians. The same can happen to any country. The same happened to Britain.
> Or they slowly drifted towards anti-EU sentiment due to the EU.
Poland, through 7 national and 17 regional programmes, benefitted from EU funding of EUR 91.3 billion under the 2014-2020 ESIF programmes (as of January 2022). This represented an average of 2 400 euro per person in the 2014 population
they didn't drift
they already had it in their belly, they simply hid it to take EU money and build their anti-democratic platforms.
Don't get fooled by appearances.
People of Hungary and Poland are not responsible for what's happening to them and to their countries and they do not deserve it.
One can argue that the EU itself is rather undemocratic, as the Parliament does not hold much power, and there isn't a clear separation between executive and legislative, as the Commission and the Council of Ministers both participate in the process.
I agree that it's not ineffectual. It's very effective at imposing austerity, privatisation and deregulation, especially on the periphery countries. It's also effective at encouraging foreign ownership of industry and exploitation of migrants.
On occasion, the EU does something that is accidentally useful to most people. But in general, it's bad for all workers and even businesses of the periphery countries.
That's true, but EU governance is byzantine to say the least. I realise that this is a political necessity, but at some point people have to understand that we're losing a majority of the benefits while increasing costs in having such a cumbersome arrangement.
Maybe with Russia being so aggressive people will realise unity and cooperation should be a priority.
> That's true, but EU governance is byzantine to say the least.
That's largely because the fight for primacy between continental authorities and national ones is still ongoing. Unlike the US, where (beyond the occasional tactical posture) Congress, Presidency, and Supreme Court, have long been established as fundamentally supreme to their equivalent in local states, for the EU this has not yet been the case in many areas. Even the courts of one of the pillars of the union, Germany, recently refused to certify such primacy, and are currently in the process of being sanctioned.
For all its faults Google was great. Now it isn't.
Why wouldn't we think the EU is just the same, but on a longer timespan? Maybe if we had been more critical of google in the beginning, despite its initial comparative goodness, it would have found it harder becoming rooted.
Are you charging me with hypocrisy? Ok here’s the difference:
- “Ineffectual EU”: this could be a well-informed or badly informed opinion. Or it could be a lazy stereotype. The OP did not elaborate so we have no way of knowing that at this point.
- “EU stereotypes → aids populists”: the reasoning or association being drawn is right there in the post—You said A (or rather my interpretation of A) and that causes B.
My own point was simply that one can make a counter-argument instead of complaining about how a certain assertion aids populists.
Could my point have been made without the EU fan stereotype charge? Sure. But taking the high road at all costs is not my personal policy and responding tit-for-tat is OK in my book.
Firstly, the "ineffectual EU" stereotype is a well-known trope of anti-EU populist politicians, so I'm not sure what more should be proven to you?
Secondly, you say yourself, that OP does not in any way support their "ineffectual EU" statement, which is according to you not a problem. Not once did you see it as a problem. In fact, you go out of your way to hide away the implied associations in zwaps comment.
But when dxdm points out that it's a populist opinion, then you become the debate police.
A problem? It’s neither here nor there—people spout off all sorts of opinions on HN or any fora. So no—it’s not a problem. It’s just an opinion, not some vigorously well-researched argument.
People can say that the EU is the best thing since sliced bread—also not a problem.
I’m not a fan of the EU but I’m not going to accuse people who like the EU that they are “aiding the technocrats of Brussels” (or some similar over-the-top rhetoric).
Yes. I do take issue with jumping to the “aid populists” conclusion from merely two words. Saying that some off-hand Internet comment is aiding authoritarians—because that’s surely the implication of “the other kind [of governance] that we see all over the world”—is hysterical.
Here is an overview of all GDPR related fines. I often show it to clients to help them understand what could happen. https://www.enforcementtracker.com/
The EU had some great time not long ago but it lost its way. Now apart from GPDR what was the last good news you heard from this EU? Was it about automatic censorship filter? About Frontex turning into a military organization designed to help people die at sea?
From some perspective, the EU is much better than my local corrupt/authoritarian government (France) and effectively serves to keep french abuses of power in check (though it always takes 5+ years of litigation to reach the European Court of Human Rights or the ECJ). But in even worse-off countries like Hungary the EU is essentially powerless against human rights abuses.
Also in France the EU had zero negative impact because the EU is more or less controlled by France (and a handful of other countries) so the neoliberal anti-social policies are usually already in place before they became mandatory on a european level, but in some EU countries the EU is the reason your kids can't study, your cousin lives on the street, and your grandma can't afford healthcare. I'm thinking about Greece among others here, where EU has put enormous pressure on an entire country to pay for banking shenanigans and created enormous suffering for the entire population just to pay off a few french/german banks who can well do without (and without whom we could do well, as well).
So it's not exactly one-sided. And in fact, we could make the argument corruption and anti-democratic policies in the EU (anti-social regulations, proposals ignored by the parliament which has very little power compared to the commission) is part of what's led to the new rise of fascism across Europe. To keep Greece as an example, people massively voted for Tsipras a few years back, but under Troika pressure he took away all his campaign promises and sent the riot cops against the local population just like the previous government. So now they have a right-wing authoritarian government who's cracking down even harder on social services and launched a military assault on the only free commune of the capital (Exarchia) where life was a little less worse than elsewhere around the country.
Is it supposed to be that hard to keep only the good stuff and say fuck you to bankers and other suit-and-tie people?
How is this crazy? Server administrators could have done, and have done anything on their side of the code. Nothing changed on this front since the invention of the HTTP request.
It shouldn’t be on the todo list of the average user to be knowledgeable on this subject, just like the average consumer should not have to be an expert in airbags to expect the ones installed in their car to work.
I think there's a huge assumption implied in an analogy between airbags and user tracking. Airbags save lives. Anti-tracking guards against some hand-wavey philosophical concerns regarding privacy (in an inconsistent fashion, even... It's hard for me to buy that we need to make user-behavior tracking for ad targeting illegal in a world where user-purchase tracking for credit reporting is legal).
My point is that an average consumer does not and should not need to understand some complex embedded technology in the products they buy and use, and that their lack of interest and understanding of such technologies can’t be used to infer their intent on a broader subject (privacy, safety, health, etc).
Absolutely. People don't care about this stuff and honestly, I'm not expecting them to, because I don't care about much of the world either. But I do care about this issue and so, I'd like better regulation so that the individuals' privacy is better protected, with the same level of them not caring.
Previously GA and GTM would share private data with Google but we could at least see requests going out to google, so if you had rejected data being shared with 3rd parties or hadn't been asked at all (think GDPR) you could see that the website was breaking the law. This clever solution from Google hides it from us, consumers, so that we will just have to trust that if a website doesn't ask if it may share our details with Google, or when we tell them not to share data with Google, they actually won't do that.
Just to emphasise: for GDPR it really doesn't matter where your data is shared with a third party, from the browser or server. It's your data so they have to ask your permission to share it and otherwise they can't.
No we couldn't see the requests, and that's because we couldn't see what the backend does, which was always the case since the inception of remote procedure calls.
> Since this runs entirely on the domain of the website, it can easily ignore your privacy rights.
This is not exactly correct; unless the user consents, they still can't transmit this data to any 3rd party. I mean they can, but they're not allowed to. I mean they're not allowed to, but IF they investigate and IF they find evidence that data is shared with third parties and IF they can be arsed to proceed with legal action, the company using this technology MIGHT be in trouble.
It does work to circumvent ad- and tracking blockers though, if they can hide the endpoint and scripts well enough.
Any website can ingest data and then pass it off to another 3rd party. This has been possible since the dawn of the internet and very common. There is absolutely nothing new here.
The technical workings of how data is collected on websites is completely orthogonal to legal doctrine that protects user privacy.
I was thinking about something. There is a belief that Old Boeing died when they 'bought' McDonnell Douglas, with the result that MD's cancerous bloated failed defense contractor management then injected itself into Boeing.
Hear me out. Google bought Doubleclick in 2007. And Doubleclick's sleazy amoral management culture injected itself into Google.
From the outside, Eric Schmidt basically put them on the current track and he long predates the acquisition. Most likely when the company was in its infancy and growing at high rates relied on cranking out products loved by all, it was easy to do the right thing/humor the founders (assuming they cared at least). At this stage though there is not much utility (as far as increasing ad revenue) in improving products, so it's harder to hide what really mattered all along if they want to meet the growth expectations that the market/themselves have set.
Technically none. But google helps circumvent protections that would prevent illegal cases where website owners are breaking the law. Now we can't defend ourselves any more. Would be fun to see if any lawmakers would consider this abetment (?) or even go directly after google for this kind of thing.
Is it safe to assume you've never had to deal with those downright malevolent dark patterns and button labyrinths, designed to make it extremely unlikely for anyone in the general population to actually reject tracking?
Don't blame the lawmaker for the bad behaviour of people who are trying to bypass it...
If you're on such website, you know that the website itself shouldn't be trusted.
Yes, absolutely blame the lawmaker for making laws which are completely detached from how people operate. Yes, absolutely, blame lawmakers for making laws that don't actually fit reality.
the laws are toothless if they are not enforced, and playing hot potato with responsibilities like is the case with Max Schrems makes it all laughable.
don't blame the lawmaker for participants' bad behaviour?
well, ok. all right.
but i DO blame the responsible authorities for licking the misbehaving participants' boots
Ok, but they are enforced. So this entire line of reasoning makes absolutely zero sense. If your demand is that every infraction is enforced immediately, then you will be disappointed. Such things take time.
> i DO blame the responsible authorities for licking the misbehaving participants' boots
There's a single European country that does this (Ireland) and it is definitely a stain on an otherwise healthy situation in terms of enforcement. It is not fair to attribute their willful ignorance in the face of plain bribing to the rest of the enforcement agencies.
Enforcing requires court cases and time. That's how law works, unfortunately.
Fortunately organizations like NOYB (with Max Schrems) are doing exactly this: https://noyb.eu/en/noyb-files-422-formal-gdpr-complaints-ner... Once there are a few high-profile cases with high fines to set a precedent, this hopefully changes the way companies handle cookie banners.
Those are (nice) solutions to a problem that shouldn't be allowed to (legally) exist. The industry shouldn't be allowed to play clever with the ways to coerce their users into giving up their information just because they know that most of those users are not interested in navigating difficult dialogs.
They shouldn't be allowed, and they aren't allowed. Actually the new digital services act [0] is shaping up to clarify these, but IIRC there have also been first cases decided in courts.
This particular behavior is actually illegal.
GDPR [Recital 32] clearly states that "Consent should be given by a clear affirmative act <...> Silence, pre-ticked boxes or inactivity should not therefore constitute consent."
The decision to force service providers collect consent from their own users is a political decision.
And a fundamentally bad one: providers' incentive is to make it easy to get consent and hard to refuse.
I don't know what policy is better than this, but right now, we only get more annoyance without any benefits in privacy. Pretty much every page I've visited issues 3rd party requests before I consent to data sharing.
In some cases the "people do illegal things regardless" argument can hold some water, but that's not the case for the GDPR, which is worded very clearly and hence it's really obvious that this kind of thing violates it.
Most of these banners violate the GDPR even before they're showing up, because the GDPR actually restricts your ability to embed non-first-party content without consent. That's why Google Fonts violates the GDPR, for example. Arguably every vanilla Wordpress install violates the GDPR because Wordpress embeds something from s.w.org on every page (presumably for install count / analytics reasons).
This kinda sounds like a bad thing but it's not. It's actually a huge boon, because it's an excellent legal excuse to get rid of embedding stuff from 213789 origins and CDNs, which only has negative performance effects since caches have been origin-segregated for years, meaning that even if another page uses the same jQuery version from cdnjs, it will be downloaded again anyway.
Hard disagree. I've been racking my brain as of late trying to decide if default apache access logs violate the GDPR, and stackexchange searches on the topic seem to confirm the confusion.
If the legality of data collection hinges on what is considered necessary for service maintenance in the eye of a judge, the law is not clear.
You can keep such logs under article 6.1.f if the retention period is 30 days or less (causing self-fulfillment of article 17) or indefinitely if you remove/anonymize PII from them. Of course article 17.3 gives you an exemption for various purposes, e.g. if you had a breach you don't need to delete the logs from that period while investigating it.
I fail to see how a 30-day or fewer retention policy impinges on article 17 one way or the other, nor do I see how article 6.1 gives any protection on the topic of the default Apache HTTP access logs (which include IP addresses).
Those patterns are more and more being punished by GDPR enforcement. Companies may try playing around the letter of the law, but Europe runs pretty solidly on the spirit of the law. See events like these: https://www.iccl.ie/news/gdpr-enforcer-rules-that-iab-europe...
And American companies are absolutely dumbfounded when they try to play the “misplaced comma” card in the EU and they still get slapped down. It is a very American attitude — I always wondered what ST:TNG would have been like if Picard wasn’t always able to save the day by invoking some obscure sub paragraph of some obscure treaty. Note to Elon that if he launches lawyers into space it doesn’t kill them, he just ends up with a lot of lawyers in space.
The other aspect of EU law that always gets US companies is that penalties are large enough to actually be penalizing. In the US companies can basically ignore the law until they get caught, pay a token $100,000 or $1,000,000 fine (which sounds impressive in all the papers), then invent a new interpretation of the law and go do it again. In the EU the regulators start looking at percentages of income during the entire time the illegal activity occurred, so again the US companies are caught completely off guard when they get asked to forfeit billions of dollars.
So what do you propose: "People are working around it so we should just give up"? I don't think it's time to admit defeat like that.
This can change, but enforcement and courts by nature are slow. With EU courts striking down asymptotic consent banners as illegal, sites are spooked, and you now see sites adding a "reject all" button next to the "accept all". I still have hope we get there.
In my experience, almost all of those consent popups work the same way. On the first popup, press the button that doesn't say they can just use all cookies. On the second popup, press the button that says it saves your preferences.
Did it really make the world a better place? Most sites collect as much data as ever, but now we need many more clicks, and can't have nice things like photos from kindergarten parties anymore.
I'm less likely to use a site that offers obnoxious cookie consent forms, and I think I'm better off without them. so yeah, it made the world better for me.
My anger is directed towards the criminal websites that seek to circumvent the spirit of the law (most of the web today)
To my observation, there are no sites with more than a dram of content on them that haven't been compelled by GDPR compliance to put an obnoxious cookie banner up.
... but "correct operation of your site" is in the eye of a judge and can't be evaluated before someone brings suit, so "better safe than sorry" behavior (at the cost of user time) is completely predictable.
... It's not even clear that it's safe to log IP addresses in the style of a default Apache configuration on a static website without user consent.
It's completely predictable that there are people who don't want to comply. Collecting personal information is a lucrative business.
Re. Website logs: in fact it's perfectly clear that a website log retained for the purposes of site management is fine. It's on the face of the regulation.
Right, collection for the purpose of running the site and all that. But does that mean "I run my site without having ever configured apache's HTTP access logs off the default, but I never read the logs" is fine? Because that sounds like collecting more PII (in the form of stored IP addresses) than is strictly needed to run the site. https://law.stackexchange.com/questions/42438/do-default-apa...
... and that's the problem and the reason that it's probably wise for even site administrators who aren't doing advertising-related data collection to pop the banner. Because the answer to that question is on the other side of a judge's ruling after a very expensive lawsuit. Better safe than sorry.
The law, as written, has entirely too many "The resolution of that ambiguity is on the other side of a judge's ruling after a very expensive lawsuit" for people to have not predicted a million banners. The defaults of the most ancient tools we use to host websites are, under the GDPR, ambiguously compliant.
Fair, but I'd wager that's the average case for small blogs and personal sites... That most administrators of such sites don't read their access logs until there's a problem.
At least, every small blog and personal site that hasn't just given their content to one of the FAANGs already to do those jobs for them (which will, of course, "solve" these problems by throwing a cookie-consent banner and hooking the content up to their view-tracker of choice).
> probably wise for even site administrators who aren't doing advertising-related data collection to pop the banner.
I disagree.
As far as I can see, GDPR enforcement is not heavy-handed. You get a warning before any attempt at enforcement; then you get a modest "warning" fine.
Also, I'm not aware that the silly cookie banners provide any protection against GDPR enforcement; it's how you handle the data that matters, not a two-liner banner offering [OK] [Later] buttons.
If you want to "be on the safe side", handling data correctly will help; cookie banners won't.
The point is: the regulator simply can't prosecute every website, even if he wanted to. The regulator's goal is to achieve compliance. Accordingly, the regulator will first warn you that your site appears to be non-compliant. He will advise you on steps to be taken to come into compliance.
Regarding Apache logs, a default install of logrotate will probably bring you into compliance (not sure, haven't looked into it lately). Scrubbing IP addresses from Apache logs defeats the purpose of the logs; you need to know what IP addresses are attacking your server.
To reach the stage of a modest fine, you will have to ignore that warning and advice, effectively saying "So fine me, regulator!" And if your violation isn't egregious, you'll be a long way down the list of forthcoming legal actions.
Basically, making a reasonable effort to understand GDPR and come into compliance is probably both a protection against action, and a defence against conviction.
It's not hard to comply with the GDPR, unless you are running a business that depends on violating GDPR.
Yes, hence the issue with photographs of events of our children.
I'm not convinced yet it is a net positive. For sure it increased senseless bureaucracy by a huge margin (not just the clicks on web sites, it creates more work in other places, too).
The real players collect just as much data as before, but private people can't do most basic things anymore.
I'm not convinced yet that it isn't a net positive, given that a lot of what you described is illegal according to it, and said illegal behavior is being punished
"a lot of what I describe" - you mean big players collecting even more data? Not really illegal, you just have to get the users to consent somehow. Which most do anyway.
Do we really need more or new legislation if there is still ample room for improvement on the enforcement side of GDPR? Just a not so far stretch: all or most of the GDPR supervisors now think Google Analytics is a no-go. Publish this and an intention to fine say 2% of revenue, set an expiration date six months ahead and do an EU-tender for a scraping facility finding all users of Google Analytics. Then in six months, re-scrape and send out the fines. Rinse and repeat.
Google Tag Manager could be declared illegal on the outset, with a 5 to 10% fine for Google if they continue to offer it in the EU. Do a top-down assessment of the usage of Google Tag Manager in the largest e-commerce users in Europe. Fine them as well. At the end of the day privacy enforcement could easily pay for itself.
(Edit: After typing this I think you were writing from a US perspective. I think GDPR is a big win as well, but enforcement is feeble ;)
are you certain? would be certainly nice, but i don't believe there is a majority in the US that would support such a change. I mean there are probably more individual people interested in doing that than not, but I bet in comparison there are more individual $$$ being invested in keeping data privacy laws as lax as possible
You think the GDPR is a good idea? Wow, mate, that's quite the detachment from reality.
In reality, GDPR is pure nonsense. It's a serious burden for anyone putting up a site. Any site. They all have cookies. All of them. It is so bad, there are now services taking care of this, because it's so much of a bullshit that people need to rely on others to get it right.
You'll probably spin this as a net win, right? Because more businesses, right? Right??
The odds of 99% of the people not simply clicking "accept all" are slim to none and anyone insisting otherwise would make himself look like a moron. It's like you're assuming the masses out there are actually thinking about things.
They don't! It's not how people work! They just click it away and are done with it, because it's super fucking annoying to constantly click that bullshit away and it does literally nothing for us people, no matter how much anyone would want to insist that it does, theoretically, benefit us.
The GDPR is pure nonsense. It is not made for the people. It in fact completely ignores how people operate.
It seems you're not fully clear on what GDPR is. You could check this page for more info: https://gdpr.eu/what-is-gdpr/
Just as a very brief note: it's not really about cookies, it's more about how companies should store data about people and what kind of rights people have concerning that data.
AND NOBODY FUCKING CARES! THAT'S THE FUCKING POINT!
ALL IT IS
IS AN ANNOYING WINDOW
WHICH HAS TO BE CLICKED AWAY!
That's what I mean by "detached from reality." For you it's something glorified, but the vast majority of humanity do not give a flying fuck and just think it's annoying.
You think this is good!
It's not!
You're just so deep in that bubble, you don't fucking recognize that your bubble isn't actual reality!
Again, go ahead and read the link I posted. You're talking about cookie consent pop-ups, those are not what the GDPR is about at all. Putting a cookie consent pop-up on your website does not make you compliant with the GDPR.
The GDPR is about protecting personal information of EU citizens, giving them rights to demand access to data that is held about them, and giving them rights to request deletion of any personal data that is held about them.
To be super clear, I'm not saying that cookie consent pop-ups are good - I also think they're not really serving any real purpose. But this fact has very little to do with the GDPR!
Well, it‘s not the only possible reason (but probably the core one).
It will theoretically also improve website performance. I‘ve personally seen some bad things injected by GTM. For now, this doesn‘t actually work for the thousands of trackers by flimsy adtech companies, so I guess that benefit won‘t materialise.
I don‘t think this is really different from what usually happens with Segment and pretty much exactly what happens with (Cloudflare aquired) Zaraz. I guess the problem is that google is doing it and why.
In terms of blocking, isn‘t it good for you when a website uses segment? One script and you‘re done. For now, this looks like the same thing.
What is their means to correlate users between sites, though? On IPv6, the IP itself is often enough (or IP+Browser/OS version).
Currently, at home, I’m behind a CG/NAT (and with a somewhat fingerprint resistant setup - rotating user agent, blocked canvas, a few other things). What would they use to correlate my identity across sites, when there’s no common “google.com” cookie to anchor against?
The main benefits are performance and security (performance because the tagging can be online with other resource requests, so user agents aren't pausing on additional requests to third-party resources).
This system is giving site owners a fancy way to do analytics they could build into their own server. Hardly evil as long as it's disclosed and managed in a GDPR-compliant fashion.
I'll probably get roasted hard for saying this on HN. Maybe not the tracker part, but I am excited by server side ads. I hate that I can't either make the ~30% of my audience that block ads stop using my site or see the ads anyway because they continue costing me resources. Especially since my ads aren't awful or invasive or slow.
> It seems the only possible option to retain privacy rights given to us by law (eg in the EU) is to disable JavaScript and cycle IPs or other fingerprinting features. None of that is realistic.
As a last resort, using a VPN and automatically scrambling your fingerprint seems doable
- No 3rd party cookies or equivalents, fully compartmentalized browsing, no automated cross-domain GETs/POSTs, no domain can leak data to another domain without manual intervention
- No User-Agent leak, just a standards compliance level ex. HTML/5.0
- No JavaScript leaks, fonts or any other way to do client fingerprinting
- Cycle your IPv6 addresses or even use persistent IP-domains binding, with OS support, in a Tor-like manner.
- & Many more
It will break the current web yes, but the web needs a do-over, it has become a toxic soup of massive surveillance.
Hum. Do you care to explain how any of them could stop the attack on the article? Because they are all aimed at stopping cross domain leaks that have nothing to do with it and fingerprinting that is moot once you share cookies.
I'd say when it comes to privacy laws, the EU is actually doing better than almost any other countries. Yes, they could be faster, but the GDPR is still a big win for users everywhere. And a pita for Facebook / Google, which is intentional.
Laws are meaningless if they are not enforced. It has been more than 3 years and all kind of illegal cookie banners, unauthorized processing of the data and data leaks without any discourse to the public are still there.
Things have changed indeed. Modern economy (I mean the one that has started somewhere deep in the Middle-ages) which finally led to the appearance of capitalism, was built on several foundations, one of them was ethics - in the olden days, in the times of lack of communication, invoices, the state authority that could enforce any law quickly, people had to count on the honesty of the others. One merchant had to trust another, otherwise no trade would be possible, there were no courts that could block dishonest party bank account or take any action to prevent fraud.
There were dishonest merchants, sure, but when finally message was spread, nobody would trade with them (if they managed to stay alive).
In the western world this ethics comes from Christianity, those who were stealing, cheating, were going to hell - people really believed that and were afraid of this. Today for a lot of people, and for sure for Google management, this sounds like some fairy tale of the Princess Mononoke or Little Red Riding Hood type. Nobody (including a lot of Christians) is scared by the devil, hell and all that stuff any more.
Unfortunately, as we see, ethics is still needed. Whatever EU does, Google will find the way to circumvent any regulation as it happens with GDPR, which is easily bypassed by the maze of buttons, 6pt light grey text, etc. And even if Google will be forced at some point to close its service officially in Europe (escalation that probably will never happen, but I also thought that probably there will be no war in Europe during my lifetime), people will use VPNs, etc. to keep using it, as there is no viable alternative (the issue in itself).
It all can stop only if some people in Google would just decide that doing X is nasty and that they are abandoning the idea, even if income will be smaller next year.
This would be ethical behavior, but nowadays being an ethical company is cheap - it is sufficient to add to your company management board a "person of color", a person from an "oppressed minority" (luckily there are so many such minorities to choose from so this is not a problem) which costs somewhere around $500K per year plus change your company logo to LGBT+ rainbow once a year ($100 for an HTML expert to handle this).
Once this is covered, company is ethical in the eyes of the public and can use all possible tax avoidance schemes, exploit its workers as Amazon does in its warehouses, steal their data and use them to create conflicts between people and manipulate them like Facebook does. And so on.
As a result Google can do what it wants and nobody will stop them. More, people would not even know about this outside tech/privacy oriented circles as mass media are living from the ads, so this change is actually what they dream of.
The benefits and ethics of diversity are unrelated to this topic or anything else touched upon by your post
It seems like you're using this topic as a pretext to complain about the chip on your shoulder that is opposition to any conscious embracing of diversity
Also, you don't have to put "people of color" in quotes, they're actually people
I don't think Google or any other tech company is doing something new here. If you look on Enron scandal or shady things tobacco companies did or car manufacturing not doing recalls etc etc. This isn't that different.
Nevertheless it could be strictly better: the new version gives the OPTION to share less data, whereas the old version does not really give you the option. If you include third party scripts, they can just send the information to third parties directly.
Google could also be audited and would then have to prove that they really didn't share any data, or whatever.
That's definitely not trolling, that's just correct. We have nice laws and stuff, but it's not widely enforced and almost all websites do not implement these laws correctly. So why is it trolling? You also need to enforce it and make it hurt.
That's the thing here, morals are flexible for most people if there's a decent paycheck on the other side. It's another reason why politics are so corrupt these days. There's plenty of ways to avoid direct corruption, via "campaign funds", board of director seats, and lucrative corporate positions after a political career - most recently there's Nick Clegg, a former UK politician who will now be paid $15 million a year and probably bonuses and stocks as well to represent Facebook.
> I really hate to even say this, but "Crazy Vlad" nearby is what true evil is about.
I would say that systematic evil, evil that is a consequence of technology or reality, will always surpass individual evil. It's like comparing the horrors of slavery as an instituted system compared to one really evil, sadistic slave-owner. Or how the native Americans were to the 90% killed by viruses, rather than the evil of greedy conquerors. Perhaps you could argue that Putin is a manifestation of an evil system as well, but I'd think that if he was replaced by a good person tomorrow, the world would be a radically better place.
Google is clearly working hard, as a powerful institution, to perpetuate the system.
There is nothing new about this at all. Websites can collect data and forward it on the backend since the dawn of the internet. Google Analytics has an HTTP API [1] for sending events that's used by plenty of large sites. Consolidating event collection and forwarding to various sources is a large SaaS category with several billion-dollar companies, and one of the biggest success stories is Segment from YC [2].
In past adblocking discussions, many users mentioned that they were fine with ads if they were served by the 1st party without data leakage, but the entire issue is that 1st-party on a technical basis has no bearing on the custody and access of the data itself. The only serious way to protect privacy is through legal doctrine that regulates collection and sharing. Browser-based adblockers were always a short-term technical bandaid to a much broader surveillance problem, but the real solutions take much more work.
There is nothing new for the few experts out there (yes Segment has been doing it, yes others also, yes you can do it yourself). But Google proposes it, well, the adoption is not the same...
Actually this article strengthens my belief that adblockers will even become more essential.
I mean, even if the server decides to send some ads, the client doesn't have to show them.
Or am I missing something?
As long as the countermeasures are public, the advertisers can also automatically react to them, if they put enough effort in it e.g. in the form of preparing alternatives ahead of time.
> Automatically detect these "1st party" calls to the "proxy" server via the URL parameters sent. Except that these URL parameters will change from one site to another, depending on the library used, the page viewed, etc
> Detect the javascript library responsible for calls to the "proxy" server to block its execution. Except that you should not simply detect the javascript library provided by Google, but potentially all the javascript tracking libraries, even home libraries.
Seems like this would be a great case for AI/ML. I say that in half jest.
> Block the IP addresses of these proxy servers.
This seems doable, even with the caveats included in it.
Even if these measures work on some sites and not others, they would be valuable.
Meanwhile, please get your non-tech circle to use ad blockers and/or browsers that support ad blockers on desktops, laptops and mobile. And instruct them that browsers that don’t support ad blockers are from a “be evil corporation”.
The only reasonable way to interact with the modern web is to disable everything by default including images, cookies, CSS, JavaScript, video, frames etc and then develop strategies for interacting with each website. Either in the browser or in reimplemented frontends like nitter/bibliogram or externally using things like yt-dlp, gallery-dl, woob etc.
Edit: oh and only contact the web via Apple private relay or Tor etc.
I completely agree, most of the Major Websites (TM) are as user-hostile as it gets. But, the "bypasses" (to try to encircle all approaches with a single term) would require constant vigilance and updates, the ever-lasting game of cat & mouse, not to mention possibility of lawsuits or other shenanigans by the said Websites.
Honestly, I'd donate certain amount every month and support the effort, if it was a very wide-service/website encompassing, and would give logical end-user easily/very customizable behaviours within options, easy for the everyday Joes, and that it wouldn't treat its power users as garbage.
And here's an idea for a starting recipe for every website: a library of set of actions that would run on the first visit and would result in decline/block for each and every cookie category and "partner" (and no, there is no such thing as "legitimate uses", GTFO), since most websites either roll their own or customize some existing solutions (from what I see), but usually invert/dark pattern options and choices to a certain degree (usually "to hell").
This looks like an opportunity for antivirus developers. Now as antivirus software has become less relevant the talents can be reallocated to apply heuristic and signature-based code analysis to protecting web users against tracking. I would gladly pay money to a trustworthy company to sanitize my traffic blocking every bit except what I really need to be there.
Wouldn't it be possible for a potential client-side blocker for this to intercept the gtag() method invoked on the client side ("Tag Manager web container"), even if that function is provided by a script hosted on the website owner's domain, as Google recommends[1]?
Highly doubtful the method would continue to be called "gtag"; any js bundling / minification would replace that with a randomly generated string, and it's just as easy to randomize the server-side api endpoint url, making this virtually impossible to block (maybe a pattern analysis on the data being transmitted, but that can also be encrypted with random algorithms and keys, beyond recognition).
Yes, it can surely be obfuscated, but ultimately there will be a client-side function with near-identical functionality prevalent all over the web. It's harder, but seems possible to build an extension to identify this function.
This is literally the same game virus scanners played against mutation engines. Ultimately, the halting problem won.
There are two places this can end:
* Redesign the runtime environment so it doesn’t matter if you download trackers. The execution environment doesn’t offer the I/O facilities that it requires to actually produce harm. This is what Apple Private Relay and Tor Browser try to give you. By analogy, this is why Web Apps became so popular in the first place — web publishers who do not intentionally collude are protected from each other by the SOP, so opening a web page should be less risky than running an EXE. It’s “just”[1] extending the existing sandbox to prevent differing origins from being able to collude.
* Instead of blocking bad scripts, allow only known-good ones. To match the convenience of current-day ad blocking, it needs to be a collaboratively-produced list. In other words, a gatekeeper. By analogy, this is why installing “unrecognized” applications on Windows and macOS is behind a scare screen, and why doing it on iOS is prevented entirely.
The former seems less dystopian, but much more difficult.
I was going to suggest introducing the kind of heuristic analysis found in antivirus engines. Kind of like your item #2 - don’t run scripts that behave badly (for some heuristically recognizable “bad behavior”.) Basically a browser built-in AV scanner. Maybe give a user the option to permit the script once per session, or forever. Something like this would definitely introduce a UX speed bump, it sounds terrible.
You can use CTPH algorithms to fingerprint the function, so you'd need an extension that fingerprints each function before the browser runs it. Or you could man-in-the-middle yourself and patch the malicious code before it gets to your browser.
Better still would be to fingerprint the syntax tree, so obfuscators need to change more than just the names of things (Unison does this, Javascript would probably be less friendly).
I'd love an app where I could crowd-fund the inevitable game of cat/mouse that would ensue. Like maybe I put $5 in at the beginning of each month and as I browse I curate a list of sites that I'd like tampered with. Better developers than I could then publish patches for the malicious functions, which are applied as I browse. At the end of the month, my $5 gets distributed to the people who fixed the parts of the web that I browsed that month.
I'm working on a tool that facilitates collaboration on CTPH-identified blobs of data, but it's more of a `curl shadysite.com | mytool` kind of thing. I'm not sure what would go into integrating it into a browser.
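The name-insensitive fingerprinting idea from the comments above (fuzzy-hash a function by its syntax shape, so that renaming alone does not evade a match), as an added example that is not part of any comment in this thread. It assumes a normalized token stream as a stand-in for the syntax tree and shingle-set Jaccard similarity as a stand-in for a real CTPH algorithm; the sample scripts and every function name are constructed for illustration.

```javascript
// Added example: name-insensitive fuzzy fingerprint for JavaScript source.
// Assumptions: a token stream approximates the syntax tree, and Jaccard
// similarity over token shingles approximates a CTPH-style fuzzy match.
// Limitations: regex literals and template-literal ${} bodies are not parsed.

const KEYWORDS = new Set(('function var let const return if else for while do new this ' +
  'typeof instanceof in of try catch finally throw class extends async await ' +
  'switch case default break continue delete void yield null true false').split(' '));

// Alternatives: comment | comment | whitespace (all skipped) |
// (1) string | (2) number | (3) identifier | (4) operator or punctuation
const TOKEN = /\/\/[^\n]*|\/\*[\s\S]*?\*\/|\s+|("(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|`(?:\\.|[^`\\])*`)|(\d[\w.]*)|([A-Za-z_$][\w$]*)|(===|!==|=>|==|!=|<=|>=|&&|\|\||\+\+|--|\+=|-=|[^\s\w])/y;

// Turn source into a token list where names and literal values are erased:
// identifiers -> ID, strings -> STR, numbers -> NUM; keywords and operators stay.
function normalizedTokens(src) {
  const out = [];
  TOKEN.lastIndex = 0;
  while (TOKEN.lastIndex < src.length) {
    const m = TOKEN.exec(src);
    if (!m) break; // cannot happen with this grammar, but never loop forever
    if (m[1] !== undefined) out.push('STR');
    else if (m[2] !== undefined) out.push('NUM');
    else if (m[3] !== undefined) out.push(KEYWORDS.has(m[3]) ? m[3] : 'ID');
    else if (m[4] !== undefined) out.push(m[4]);
  }
  return out;
}

// 32-bit FNV-1a, used only to keep each shingle compact.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193);
  }
  return h >>> 0;
}

// Fingerprint = set of hashes of every run of k consecutive normalized tokens.
function fingerprint(src, k = 5) {
  const toks = normalizedTokens(src);
  const fp = new Set();
  if (toks.length === 0) return fp;
  if (toks.length < k) { fp.add(fnv1a(toks.join(' '))); return fp; }
  for (let i = 0; i + k <= toks.length; i++) {
    fp.add(fnv1a(toks.slice(i, i + k).join(' ')));
  }
  return fp;
}

// Jaccard similarity of two fingerprints: 1 = same shape, 0 = nothing shared.
function similarity(a, b) {
  let shared = 0;
  for (const h of a) if (b.has(h)) shared++;
  const union = a.size + b.size - shared;
  return union === 0 ? 0 : shared / union;
}

// Decide whether a script resembles a known fingerprint (threshold is a guess
// that would need tuning against real false-positive data).
function matchesKnown(knownFp, src, threshold = 0.6) {
  return similarity(knownFp, fingerprint(src)) >= threshold;
}

// Constructed sample: a small event-reporting function.
const SAMPLE_ORIGINAL = `
function track(name, params) {
  var payload = { event: name, data: params, ts: Date.now() };
  navigator.sendBeacon("/collect", JSON.stringify(payload));
}`;

// Constructed sample: same code after renaming and an endpoint change.
const SAMPLE_RENAMED = `
function a(b, c) { // minified build
  var d = { event: b, data: c, ts: Date.now() };
  navigator.sendBeacon("/x9f2", JSON.stringify(d));
}`;

// Constructed sample: renamed code with one extra statement inserted.
const SAMPLE_PATCHED = `
function a(b, c) {
  if (!b) return;
  var d = { event: b, data: c, ts: Date.now() };
  navigator.sendBeacon("/x9f2", JSON.stringify(d));
}`;

// Constructed sample: unrelated code.
const SAMPLE_UNRELATED = `
function sum(list) {
  let total = 0;
  for (const x of list) { total += x; }
  return total;
}`;
```

Renaming leaves the fingerprint unchanged, while an inserted statement only lowers the score, which is why the match is a threshold rather than an equality check. As the replies note, a generator that changes the statement structure itself on each build would still defeat it.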
Exactly. And the end result might be as bad as antivirus: horrendously slow software with a huge database of heuristics that cause false positives and at the same time let malware through. It's going to suck.
To be clear, this is not new - many of the comments suggest this is some new front by ads/marketeers against privacy. It's not, it's just being used more.
Server-side analytics has been available as an option for decades. You can do server-side GA for a long, long time now.
It's generally a bit more of a pain to set up and can be a bit more costly (depending on your cache/cdn/hosting setup).
Forgive me if this is ignorant. Wouldn't an adblock simply need to inject an impersonation payload into the page, so the report would send incorrect attribution to the proxy server?
In case of Google it could be (initially) quite simple. Randomly change utm-Parameters, gclid-Param and the like. This would at least make marketing tracking more "interesting".
Years ago there was an extension that did that for GA and Adobe Analytics at least.
But that would only be an arms race. We (analysts and marketing agencies) would obfuscate the params we use and switch that in the server side container.
Having spent a good amount of time looking at potential JavaScript malware that ended up being repackaged GTM, I'm pretty confident anyone who says they're "blocking Google Tag Manager" has their head in the sand.
Ok. MotherFuckers be pirates. Does this affect me?
I have a dozen or so websites for clients running the normal google analytics script on those pages. This article is hard for me to parse, but, it just sounds like the idea of keeping some session alive and serving it off the same backend (if the same backend is calling google...?)
I'm probably not understanding what's going on here or how it would affect independent web devs or privacy towards users of our sites (even if we use analytics). Someone explain how this leaks my users info if I don't integrate with any google apis on the back...(?)
I’m actually in this industry! So Server Side GTM (SS-GTM) is still relatively new and a bit limited in the number of integrated partners.
GTM in itself doesn’t do any tracking, not even Google tracking, it’s just a manager. So hypothetically you could use GTM or SS-GTM to listen for clicks on a purchase button and then send a hit to your own URL with your own user identifier (or none at all). Google wouldn’t record this anywhere. If you add Google Analytics or Google Marketing tags into your GTM container, then Google would store that data in their platforms.
The real concern with privacy advocates is that you lose transparency with SS-GTM. When you run client side GTM, you can see hits going off to Google Marketing, Facebook, etc when a site has implemented those tags, and you could use ad block to prevent those network requests.
SS-GTM would only show a request going to client.com/track (or wherever GTM has been set). The privacy benefit is that Facebook and the like cannot set their own 3rd party cookies to track you across the web, however Facebook allows advertisers to pass in hashed PII (like email addresses) to match with users in their database, so if you’re logged in via email, hypothetically Facebook could be linking interactions to you. I have seen very few companies do that yet though, as it’s more complicated to set up than most things and marketing teams aren’t usually made up of engineers.
Thanks! I'm still not sure what the privacy danger is, though.
When a customer clicks a checkout form on a site that's usually via a Stripe or Square form, but we do capture a receipt on the backend. If I wanted to, I could send that data to Google now through the tracking API. I don't need to since we log it all locally on the server.
Aren't we just talking about another way to inform Google if a page is hit, with some session variable, which would be totally optional to the webmaster?
Stupid question: What value, if any, does "Google Tag Manager" offer the end user? By "end user" I do not mean website operator or advertiser.
I never ran this stuff. There is no Javascript engine available, there is no DNS and the local forwarding proxy does not forward traffic to Google domains. I am not asleep at the wheel and probably not the target end user. But I always wondered why any end user would want to allow this garbage, assuming they exercised a conscious choice.
Google Tag Manager data can be used to optimize your recommendation engine. It can help with Google Ads as well. It is a 3rd party handling some precious and maybe private data, but it has a low barrier of entry.
They shouldn't. Perhaps it's time to stop treating a behavioural problem as a technological one.
Perhaps instead a movement needs to start where if a website uses these technologies there's a way to inform them they've just lost a customer. Technology can help by automatically detecting these evils, aborting loading the page, then informing the webmaster of their offence, and the community of the offending page.
Increasingly, the only solution I see to this is Apple's Private Relay [1].
"When Private Relay is in use, the user’s device opens up a connection to the first internet relay (also known as the “ingress proxy”).
As the user browses, their original IP address is visible to the first internet relay and to the network they are connected to. However, the website names requested by the user are encrypted and cannot be seen by either party.
The second internet relay (also known as the “egress proxy”) has the role of assigning the Relay IP address they’ll use for the session, decrypting the website name the user has requested and completing the connection.
The second internet relay has no knowledge of the user’s original IP address and receives only enough location information to assign them a Relay IP address that maps to the region they are connecting from, conforming to the IP Address Location preference they selected in Private Relay settings."
I don't trust Apple; they are shady AF and I'm convinced they are hard at work building an AD empire to rival Google and Facebook behind the scenes. Their so-called "privacy" moves are very clearly designed to limit Facebook's and Google's ability to profit off their platform giving themselves an advantage: https://www.forbes.com/sites/johnkoetsier/2020/08/07/apple-a...
That said, Private Relay has some interesting ideas, maybe a few trustworthy VPN providers adopt some of them.
"Private Relay uses both the CONNECT and CONNECT-UDP methods in HTTP/3 to set up connections quickly. For connections to websites that support TLS or QUIC, the initial TLS handshake messages are sent in the same set of data as the proxy request"
Would this not hinder the proposed mechanism discussed in the article?
Edit: forgive me, for my knowledge of networking is limited and I'd like to learn more if I am incorrect.
I fail to see how this is any different (for the purposes of getting around google) than any other VPN or proxy service out there. The proposed mechanism is just using a script that comes from the same server as the main website with perhaps slightly changed up code and a different file name to trick up adblockers. It can still fingerprint you without your actual ip address, as it collects data clientside.
Folks, this stuff only works because of browser fingerprinting.
Google couldn't do this before, because letting the ad-displaying website sit between them and the user meant the websites could defraud google like crazy.
This idea isn't new. What's new is that browser fingerprinting got good enough that google can catch fraudful customers by sending fingerprinting scripts through their proxy and watching what comes back.
Firefox still has profiles, so you could use a profile that's not locked down instead. Although you'd probably wanna use a different theme on both to distinguish them.
Fortunately, as bad as this is, I don't believe many companies will implement the worst version of it. (Server side + subdomain + different name scripts)
The reason is that we had server-side analytics available for years and virtually every big website still implements the clientside part. If they can't be bothered with that, I don't expect they'll move the whole tag manager any time soon.
I have to agree. Working as consultant/data analyst none of the clients I know (most of them on the paid 360 version) are anywhere near to switching.
Complexity as well as the price tag for the proxy (even if it would be just a fraction of the 360 bill) keep them from jumping. But mostly the complexity and effort for the migration.
If they were to start from scratch they would probably go for it.
Additionally most data privacy departments actually have some influence nowadays. They would not stand by if marketing were to implement this and not honoring consent.
With PlatformStorage on Android 12, which lets apps share key/values and things like this, it really looks like two steps back, one step forward for privacy if Topics/FLEDGE ever make it to browsers. The cat and mouse games need to stop.
A strong privacy law that cracks down on fingerprinting and lets users opt-out of tracking and delete their data really seems necessary. Even ephemeral data collection online needs to be checked. The user should be in control, and be served context-based or random ads, unless they approve interest based ads. The LiveRamps of the world will still be able to collect 3rd party data offline, but it's not anonymous, and can be deleted, at least if you're in CA for now through the CCPA.
Most users would likely be fine with consented context-based or interest-based ads, but an option for no analytics tracking or other tracking should be respected.
Well, I am blocking google tag manager and everything else from google, also forever caching CDNs and disabling caching for everything, for more than a day.
Also blocking every domain found on any blocklist including CNAME resolving.
And injecting my scripts through mitm proxy that effectively disable any fingerprinting for my whole home network and all the mobile devices (they are all configured to use the proxy through ssh tunnel).
Some sites don't work. Do you think I care? Do you think I will ssh home and change the settings for your site as it is so special, that I "need" to have its content? Every content is quadrupled on internet and if one site doesn't work, I go to next, I couldn't care less.
Someone doesn't want me to be his visitor? I will cry a river (not really), close the tab and find someone else while the site will have one visitor less.
I think it's going to be important to recognize and block javascript/wasm by the bytecode it compiles down to. As far as I know we don't have this ability to "jump into" the process. ublock or umatrix can't be extended to do this currently. You could send the scripts the browser downloads to an outside service for fingerprinting, but doing this in the same browser isn't possible right now.
This wouldn't completely stop a server from generating code that compiles to slightly different bytecode. Then the move would be to identify side effects of the execution?
It's likely that we can still block this. My thought is: either the link between the frontend and the proxy is completely up to the developer, which means that developers can write whatever they want between the proxy and google. Possibly opening the doors to the proxy sending fake data to google - which I assume Google wants to avoid. Or the data that is being transmitted is encrypted somehow in the browser so that the proxy can't fiddle with it.
A smart browser extension could be able to figure out that some encrypted data is being transmitted, no?
it occasionally gets in the way, but does make things a bit more enjoyable (i can now happily click 'allow all tracking' on all the popups not blocked by ublock -- all that lasts until i close the tab).
ideally i should also use something to resist fingerprinting (i.e. randomising fingerprintable features).
I always wondered how much negative revenue the adblock extension is generating for Google. It must be in the billions. Crazy to think a simple extension can be involved with that much money.
What if blockers did not allow any js loaded from any cname except the currently loaded one? This would surely break a lot of websites that load their js from something like static.example.com but at least would help against server side tracking, perhaps it could be an optional feature that is off by default. Setting up a proxy for the same cname as the current page is loaded on is several times more difficult so I think Google wouldn't consider that as an alternative anytime soon.
I've been using Google Tag Manager on this website https://transcendrecoverycommunity.com/, so far it's great. Tag Manager gives you the ability to add and update your own tags for conversion tracking, site analytics, remarketing, and more. There are nearly endless ways to track activity across your sites and apps, and the intuitive design lets you change tags whenever you want.
I always wondered why they didn't just do this in the first place. Despite having that much power Google always seemed oddly tolerant towards content blockers even when they were directly a slap on the face of their main offerings. Spoofing ads to act as first-party content through proxies was something I thought they were perfectly capable of making websites do with their existing behemoth network infrastructure. Surprising it actually took so long.
Do you believe ad-blockers could checksum these scripts or do some sort of pattern recognition - like some anti-viruses do - match and deny these scripts?
So, where I work. I actually manage our Google Tag Manager infrastructure. Our marketing department make change requests that we review and implement. They do not get to do whatever they want. We actually consider it to be a backdoor.
It's a useful tool but it should be managed by the people building the product and we have to clean up and remove tracking code when it has served its purpose.
If the standard deployment will be a separate IP in the same range (Google cloud) which is also bound to a subdomain of the site I’m viewing, isn’t that an easily identifiable situation? Couldn’t blockers like uBlock just block the subdomain.site.com for every site.com? Or even block all subdomain calls to Google hosts?
It's a good point, those endpoints can't change forever. Ultimately there will be solutions to detect and prevent this tracking just like whatever exists today.
> How has Google been able to impose itself again? As with Google Analytics, the standard version of Google Tag Manager is free (market solutions are generally paid), it is very well integrated with other Google solutions and it is well done.
Not sure what they mean by 'market solutions' here?
So if the script comes from the owners site instead of Google. And all the rest requests are proxied via the owners site. Would this not result in people forking a browser that looks at http requests before they are packaged and issued to remove tracking data or block the request?
And how do you differentiate between a request that is sending over tracking data and a request that is sending over data required to fetch the page you requested?
So, this means that they can do server-side analytics with just one JS call from the browser. But doesn't adblock still stop them serving any ads to me as a result, as those presumably still come from the ad server's CDN?
It doesn't sound like this technology interferes with the main purpose of adblockers: blocking ads. As long as I don't see any ads, I don't see why I should care how the website tracks my behavior.
Basically it's time to treat ad trackers and everything involved as viruses. Adblock software needs to start fingerprinting and monitor mutations in privacy-harmful javascript packages
UK local newspapers have been bought up by a company called Reach. Most of their sites look the same. On my laptop visiting their home page is burdensome on my laptop.
Looking at Firefox's network tabs, it mostly completed after 41 seconds and almost 9MB. In the article pages there are adverts dynamically loaded every couple of lines of text.
At the end of the day the data is still coming from the client so perhaps the best approach in future would be to find ways to make the data less useful or useless.
Any organization still running Google Tag Manager and allowing random marketing people to insert whatever someone told them to in a webinar must be having a death wish when the GDPR exists. You would think security teams would have put an end to that madness years ago but here we are.
So now Adblockers need to become like anti-virus software, heuristically determining a piece of Javascript as undesirable. The arms race will continue.
Can someone explain how they claim that TMS is running on 31.9% of top 10 million Alexa websites if Google Cloud itself only has 7% market share[1] (compared to AWS at 32% and Azure at 19%), if the TMS relies on the site being hosted on Google Cloud?
Apple and Firefox brought this on by killing 3rd party cookies.
The reason why clients send requests to the 3rd party domain directly is that the cookies attached to that domain are sent, which can track you better! With a server-side request there's no way to use that cookie info.
But browsers increasingly limit 3rd party cookies. With 3rd party cookies becoming useless for tracking there's far less to lose by moving all these analytics calls to the server side.
There is one positive here: if this is widely adopted it means less third-party JS libraries run on your browser. That's better for speed and security. Frankly, Google is probably better at avoiding and fixing vulnerabilities than [insert third party ad network here] is.
Plus, as noted, Google will restrict what data is transmitted to third parties like IP address. That's a positive. Fear of regulators is more likely to keep Google in line than it is to some basement operation in Serbia.
I actually wonder if third party ad networks want to give up their power to Google in this way. It wouldn't surprise me if they don't.
As for the negative... I think the reality is it won't be as negative as people make it out to be. Why? Imagine if this is widely deployed. It creates a single call for all tracking so the adblockers just have to focus on finding and blocking that call. The article claims this will be difficult. It will be harder but there'll be more incentive.
Next, a question: I don't know the ins and outs of GDPR and similar legislation well enough, but doesn't this put Google on the hook for data collection and transmission of that data to third party sites by virtue of them running these "proxies"?
Lastly, in general I don't really care if websites run A/B tests. They do this anyway and it's done serverside all the time as is. So that part of this isn't really a big deal.
Ad blocking is and will continue to be an arms race with advertisers. This feels like business as usual, honestly.
The proxy is by default running in App Engine under the responsibility and control of the website owner, so I'd presume it would be handled the same as any other PaaS or IaaS service a company uses. The data sent to Google products, like Analytics, via the proxy would still be subject to GDPR as it would if sent directly from the client.
Note that they do give website operators the option of running the proxy in their own environment, it's made available as a Docker image.
TLDR
I'm fine without JavaScript? I've the impression that JavaScript is worse than ever assumed during early 2000s. I don't criticize the language it is the actual usage scenario which was bad for people and got even worse. Web 3.0 should be server side again with interactive code at all in browser. No interpreter on your computer should ever execute foreign code.
For a pretty long time I believed that many of the privacy and security issues in current tech could have (at least partial) technical solutions.
This convinces me more than ever that regulation is necessary and, in the long run, unavoidable.
Yes, GDPR rules suck for somebody who has to write software that deals with personal data, but we can no longer act as if good ad blockers would solve the problem for us.
That's why we need generic legislation without consideration of specific technologies, restricting the general goals, not just one particular way to achieve them. GDPR would forbid this tracking without opt-in consent - the fact that you have the technical ability to effectively handle tracking information server-side without support from the user/browser (as for cookies) does not imply that you have the right to do so.
We don't have to win a technical fight, we have to ensure that privacy-invasive tracking is not profitable because all the major legitimate megacorp advertisers throwing billions at internet ads are prohibited from using that.
Wait, Google wants to proxy the entire internet through Google servers? Just so ad tracking will work? This lets Google spy on the entire session in both directions, right?
And also makes it harder for any alternative - you can’t use two different systems to proxy the same content at the same time, and you can’t expect one company to not “protect user privacy” by filtering competitors.
Honestly the only reason this is even an option for google is because a bunch of web admins said “I want to know who is browsing my site, and who cares if that lets google spy on every person who uses my site”, and now they’re just offering this “improvement” to spying.
It’s just another mechanism to maintain their existing spyware systems. What google absolutely depends on is having as much of the web as possible including their code.
Essentially: if every website includes some amount of their code it becomes increasingly difficult to block every tentacle. Presumably the goal is that it doesn’t matter if 90% of their crap is blocked by browsers: as long as a single tentacle leaks enough info on any given page they can track you.
How true this is in the face of privacy preserving vpns like Apple’s private relay I don’t know.
Yes, you misunderstand it. Google isn't getting any more information / power than they previously did. What server side tagging does it separates the creation of tags outside of a user's browsers and into a server that is a part of your infrastructure. You can host this tagging server on Google Cloud, but you can also self host it if you choose to.
To restate what happens, a website's users send events to a first party tagging server and then that tagging server can communicate with 3rd parties.
Which is fine, but will it be enforced? So far GDPR rules haven't done a whole lot of damage except make sure everyone knows what a cookie might be. Until the EU is willing to better enforce the GDPR rules, Google will keep doing what they're doing.
I run a B2C e-commerce business, and want to offer a little insight into this from the other side.
Advertising online has changed a lot over the last ten years, I don’t believe advertisers are particularly happy about it.
On Google we almost exclusively just do search result page advertising, very little display network and re-marketing. My comment here is about search result page adverts, which is where Google started and why they are so successful.
As an advertiser search result page advertising is amazing, you are paying to get your product in front of people you're pretty sure are already looking for it or something like it. When it works it’s magic.
Ten years ago when we started it was super simple, you would bid individually on keywords that people are searching for, and the tracking on your site was only about attributing advert clicks to conversions for reporting. There was no (or very little) data mining and profile building, at least from my perspective as an advertiser.
Then came the “shopping ads”, you upload a list of your products and google decided when to show them with their magical ML/AI. As an advertiser you could only use “negative keywords” . Gone was the ability to control properly when your ad was shown.
The latest is “smart shopping ads”, it’s a great big magic black box, and all advertisers are being agreeably pushed towards it, all calls with google advisors are basically sales calls pushing it on you. Advertisers have basically no control of when their ad is shown, it’s all down to AI/ML. They have also folded the display network and re-marketing into this, you can’t turn that bit off.
I am pretty sure the old keyword bidding is on its way out and will not be available in a few years.
In order for all these new ML based advertising to work we have to send google a lot of data, there is no option. They know everything about your business, all revenue numbers, they know exactly how much every business that uses their advertising is making. The level of “spying” on advertisers is frankly amazing, I wish it wasn’t necessary, just as I wish I wasn’t being spied on as a user.
Google have made a rod for their own back, they need this data for the ads to work and advertisers have no choice. I believe part of the problem is that the old style keyword bidding relied on advertisers being able to see what people’s search terms were, due to GDPR I think this is no longer possible and so they have to go the ML route.
I long for going back to super simple search ads with just simple attribution.
I've been running NoScript for the past year. It's pretty nice once you get to a stable set of policies. I load mainstream media sites in incognito tabs with JavaScript enabled for the tab.
It provides a modicum of social and legal enforcement. A website with any sort of brand risks legal and PR costs if they violate DNT. I'm happy for them to take that risk.
Legal risks? I'm unaware that it's ever been enforceable anywhere, and I don't think there's ever been enough awareness of its existence to cause reputational damage.
Personally I think the whole thing fell through the moment it was conceived in 2009. We're going to ask nicely that people who are tracking us, who know that we don't want to be tracked anyway, kindly refrain? The whole idea was laughable.
Its advocates got annoyed when Microsoft enabled it by default on a version of IE several years ago, as then it wouldn't be perceived as a reliable indicator of intent. This really just exposed the problem with the whole thing, that it was going to be hidden away in settings where few people would go, and rely on the good will of effectively known-bad actors to respect it, and just maybe they would respect it if we keep it more-or-less a secret that only techy people bother with.
(Sorry, this rant is not aimed at you, it's just a bit of a pet hate)
This is all valid. But like I said, it was always about social and PR pressure (edit with reputable sites). (I was mistaken earlier when I thought it also had the force of law behind it.) That still has some, depreciating, value. To repeat my question, what else is there?
They can identify a device. Without JavaScript, you don't have nasty client-side hints telling sites exactly what OS, CPUs, Graphics Cards, etc. With a VPN and changing your UA, no JavaScript does a pretty good job at preventing sites from tracking you.
So it's essentially a keylogger snippet and API with a backend for analytics? Plus some how-to's on how to best hide it? Intentionally acting as a middleman between the publisher and all the shady advertisers? Seems like a slam-dunk GDPR violation to me.
What's the next step? Obfuscation of the keylogger and unique snippets for every visitor? That's pretty much malware deployment technology.
An obvious GDPR violation. So obvious, that you could think they are getting desperate due to the latest developments around Google Analytics and Google Fonts.
Tag Manager gives you the ability to add and update your own tags for conversion tracking, site analytics, remarketing, and more. There are nearly endless ways to track activity across your sites and apps, and the intuitive design lets you change tags whenever you want. I've been using Google Tag Manager on this website Transcend Recovery Community (https://transcendrecoverycommunity.com/).