This is what we get for letting companies like Google decide what technologies win and reshape the landscape. We have become so dependent on javascript blobs and server side rendering that blocking ads will be an uphill battle. Honestly I think Google could shove ads down our throats if they wanted to, but they are holding back, for now.
The bulwark against this encroachment was Mozilla Firefox, and the OSS community. Firefox was supposed to provide a legitimate alternative vision for the web. But Mozilla decided to let Google define what was normal, and what features a web browser should and should not have.
Can't people see that Google's vision is box canyon?
I'm speechless, I just want to put some emphasis on this.
I wonder what other kinds of evil practice they push to this demographic. Perhaps more malware, because they are "less likely to understand them" too?
You're implying the creator of the website is okay letting you receive the service or content on your terms. They are not. Ads and tracking are there because they earn the creators some amount of money.
One day when our tech will limit you to a binary choice of ads+tracking versus paying money, which way are you going to swing once your hand is forced?
What I don't understand is why they insist in fighting against people who hate excessive ads. Adblockers don't install themselves, users install them, which sends the message they're resistant to advertising, so why embarking in this endless war costing them even more money to show an ad to people who wouldn't buy the service or product anyway? If a company screws with my adblocker and manage to show me an ad for something I need at 100€, I swear all divinities in the Universe I'll go buy that thing elsewhere for €150 rather than them. Been there, done that.
I would rather go for a much nicer alternative: "You using an adblocker? Fine, you get the content anyway but your traffic get the least priority so that users seeing ads will get some precedence over you". To me that would be nicer to all users while giving some advantage to those without adblockers, and to the company as well since adblocking users would never be able to clog the network. Would it be so hard to implement?
I’m actually happy to pay for the media I consume, I actually do pay for some things, but nobody gets their advertising/trackers let through because the whole industry is patently untrustworthy. If publishers want ad revenue from me, they can remove pervasive tracking, it until then, they get nothing.
> One day when our tech will limit you to a binary choice of ads+tracking versus paying money, which way are you going to swing once your hand is forced?
Easy, paying money. I already do where it's an option.
Fine, but this cuts both ways. They're wrongly assuming I'm okay accepting arbitrary content on their terms.
The no-blocker system holds that by navigating to a URL, I accept whatever the domain owner cares to serve me. We had one attempt to embed user conditions in the request, that was Do Not Track, and the most common outcome was that sites neither honored it nor put up walls against users; they simply disregarded it and kept tracking. In fact, they started to fingerprint users based on their request to not be tracked.
If, prior to using a site, I want to see what it asks me to give up in terms of privacy and security, I don't know an alternative to visiting the site with blocking in place. The creator can put up a wall and tell me to turn it off, in which case I'll make a site-specific decision to leave or disable blockers just like I do for cookies. This isn't hypothetical, I do it regularly.
If I bypass a wall or ignore clear notice that I don't have permission to browse with blockers, then sure, we're both lying to each other about our usage conditions and it's just an arms race. But I reject the idea that an initial visit to a site constitutes consent to accept some unknown pile of privacy intrusions and security risks; the moral burden there really is on the site owner who's circumventing a clear refusal to accept those things.
Well companies should aks themselves what they did to users in first place that everyone hates these ads so much now! How they pushed too far!
They have to look into the root cause of it.
But instead, most of them are making it even more annoying.
Nevertheless, the content quality is dropping as well. everyone is making unnecessary long content and a lot of click-baits.
What do you expect? It is called consequences and humans are really bad to understand it.
An ad blocker is no different except being automated. And the analytic spying it fights is automated too.
> If we're going to use ad blockers, at least let's admit to what we're doing and not claim a moral high ground.
If we are going to use psychological warfare to part people from the fruits of their labour in exchange for cheap crap they don't need by exploiting human weaknesses and insecurities, just so we can keep an unsustainable and highly damaging model of growth going; and also serve malicious software to those people, then let's not pretend we have any moral standing at all.
Adblocking is has a hell of a lot more moral substance to it than advertsing does.
They are not allowed to simply track me and serve me ads regardless, though. I pay for an email provider specifically to avoid this, and I pay for magazines and books as well.
And also it will probably be ads+tracking+various levels of paying money.
The creator is sending the content to my machine for free. Whether my machine displays the ads (aka cancer) attached to that content is my decision.
Also regarding paying money, don't forget in pretty much any case you still end up tracked. If anything, you get tracked less by the ad-supported version because at least you're not giving them any billing information and are not consistently logging into the same account (which you'd have to do for your subscriber benefits to kick in).
> One day when our tech will limit you to a binary choice of ads+tracking versus paying money, which way are you going to swing once your hand is forced?
I'd love such a choice as it will allow me to say no to cancer & stalking once and for all. However it will have to be implemented in such a way that it's technically impossible for anyone to track me through the subscription system.
I think the noscript solution offers less data collection but can still be reverse proxied (try for yourself on the page).
If you're using GA to prove your site's worth, e.g. in some M&A deal, this is useless - your proxying means that you can fudge numbers and thus is no better than anything else you say. (This is a significant use case among looking-for-exit startups).
If you're using GA to get insight about your website, it would be somewhat useful, but not really - because GA would not be able to correlate the cookies to figure out the demographics, etc (and I don't know how much it would trust Via / Proxy-for headers, so other statistics it gives you are also limited).
Also, if you have non trivial traction, you're going to get flagged by their fraud filters.
You're probably better off running a local Piwik or whatever it's called these days.
A proxy can send whatever cookie it wants to the server (a proxy can actually hide the fact it's a proxy and make itself look like a normal client).
However a lot of GA's stalking behaviour relies on having cookies on a specific Google-controlled domain. The proxy using a different domain means it won't be able to neither access nor set those cookies. Good for privacy but obviously (and thankfully) bad for the author's nefarious goal.
Looking at my dashboard now I can see data on language, browser, mobile model, referral, etc. I think some are just not present in the mobile version of analytics, but I can't see what data this would not be collecting.
> However a lot of GA's stalking behaviour relies on having cookies on a specific Google-controlled domain
This also reminds me that this simple technique can bypass 3rd party cookies rules.
> author's nefarious goal.
You clearly misunderstood my goal.
It's my understanding that GA cookies do not actually do this.
When a site operator turns on demographic reporting in GA (which is optional), it adds Doubleclick cookies in order to provide that information to the site operator. I know because I did this and I had to update my privacy policy to reflect the Doubleclick cookie (GA prompts the site operator to do this).
It seems like people have come to take it on faith that GA, in its default installation, tracks users across all GA and Google properties in order to improve their ad targeting profile. If there is documentation of that, could someone link it for me?
Maybe I'm just out of date, but I don't think GA does that out of the box. In fact GA expressly forbids site operators from pushing any data into GA (via custom variables etc) that would help them identify users.
Now, they might not provide it to the site owner unless they opt in (to also share it with DoubleClick or whatnot), and they might pinky swear not to use it (though I have never seen that promise myself).
But using GA, a site makes your naive browser send all that data to google. Why would you assume it is not being used? Does it matter if for now it is only directly visible to google?
The original question that I was trying to answer was if the numbers that I was seeing for mobile users were skewed by how much more difficult it is to get an ad blocker for mobile.
Putting google into the mix, through a proxy or not, will definitely skew your results.
Yes, there is an Israeli company offering to publishers to configure nginx as a reverse-proxy ( https://vip.wordpress.com/plugins/yavli/ ) and they serve the ads as small chunks of images (to not match the usual 300x250 or 468x60).
It made Easylist quite angry at the time: https://easylist.to/2015/08/19/issues-with-yavli-advertising...
To go further on the proxy idea, I think that the best strategy could be to actually do server-side calls to GA: https://ga-dev-tools.appspot.com/hit-builder/ (yes there is an API for server-side hits).
The minus of the proxy idea, is that since you don't have access to *.doubleclick.net (which should be blacklisted by any decent track/adblocker) you don't get demographics info back into GA.
But after all, like other comments said, aren't you simply a first party tracker ? GA is just a more evolved storage point than, let's say using goaccess on raw logs.
What are you trying to achieve here? Your entire domain will just end up blocked if you do this at scale, not to mention Google themselves would ban your reverse proxy’s IP because of too many queries (since you’ll be proxying all your visitors’ requests from a single IP).
However this example is a bit different, the site in question is going out of their way to being a reverse-proxy for a spyware command & control server, and the entire domain should be considered & blocked as such.
The problem is that creating reverse proxies on random domains is too easy, by distributing this to different domains it wouldn't be possible to block this effectively!
It is kind of unfortunate that third-party tracking can 'hide' this way but in this case there's not really much you can do if the content author is going out of their way to pull a fast one...
I think you (probably unintentionally if I understand you correctly) actually just pointed out a good reason why those who really really care should block analytics even from the same domain as the site they are visiting : )
Not that it will help against a determined web site owner trying to track though: Very much of the tracking can be done one the server side (and even proxied from the server side to another third party).
I get why people would want or expect tracking blockers to work on reverse proxying but it seems silly to try. On the bright side, if the tracking is being done first-party it makes it much clearer who's taking your data and who's responsible for where it goes - it's going through them even if they're just bouncing it to another server.
But the entitlement of ad-blockers is astounding sometimes: https://github.com/easylist/easylist/pull/900, in which the easylist maintainer defended blocking OpenStreetMap advertising OpenStreetMap events on openstreetmap.org, still makes my jaw drop.
In that case, would you also say it's entitlement to be installing antimalware or security updates so malware authors are no longer able to run malware on your computer?
One should note that this inclusion, without an opt-in consent banner for instance, is not GDPR compliant. The URL https://analytics-bypassing-adblockers.netlify.com/proxy/htt.... sends personal data to a third party (Google) without my explicit consent. See Article 7 and Recital 32 of the GDPR:
> Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.
IANAL but as I understand GDPR, this is incorrect. The paragraph you cite discusses personal data. Google's FAQ on GA is instructive (emphasis mine) [0]:
> When using Google Analytics Advertising Features, you must also comply with the European Union User Consent Policy.
They admittedly keep things as vague as they can, but to me it kind of reads like: using GA to collect site usage analytics is actually fine and requires no explicit consent as long as you've configured it to anonymize the IP addresses (toggle this in GA) and you're not tracking e.g. user IDs and such.
Similarly, using GTM to deliver a paragraph like OP did is also fine.
In both cases the spirit and the letter of the law would seem to be respected if you add some notice about tracking going on in your footer. No explicit consent is needed here, because no personal data is getting tracked.
Edit: clarity.
Here, the first party (analytics-bypassing-adblockers.netlify.com) has to obtain consent before collecting personal data. And IP addresses are not the only personal data that GA can collect.
/rant off
I feel that your point, even if valid, doesn't quite apply to what I'm describing, which is to go around ad blockers.
I'm not an expert of Analytics but I'm also assuming that since the cookies are different (because the HTTP call to analytics happens on a different domain than usual) it shouldn't be able to track you just as well: G Analytics don't know your IP and have no trace of your previous anonymous IDs set in your cookies!
The cookies will be different because the host is different, but I think that Netlify does a good job at keeping the connection like for like.
Taking this further, you could have your server send an event to GA when /index.html is requested, this can even be from tail -f access_log. No one will know GA was requested.
It's malicious software, circumventing the protections afforded to me by my ad/tracker blocking software.
I'll contribute in any way I can to adblocking tech, and to any impotency of this kind of technology.
Having said that, I must add, I don't think this is malicious software. Beside the legalities and the GDPRities which I may have overlooked, when you ask a website for its content that comes with analytics, but you want to block analytics. I don't think you can complain about the content provider bypassing your attempt at blocking it. Don't get me wrong, when I come across websites that stop me from browsing them because I use uBlock I usually bypass their block, or close the tab, but I can hardly complain at their attempt, or deem it as malicious, IMHO.
lol... pages look better if you send the actual document instead of assuming you have permission to run software in my browser.
It's not a bug, it's a feature!
Personally, I've found that JS off and all the GA/GTM domains (along with many others) blacklisted is sufficient in daily use; no JS gets rid of most of the crap, and the blocked domains clean up the rest. My goal is not to become completely untrackable (I believe that's next to impossible), but just to stop slow-loading pages full of junk I don't care about (which is what I suspect most people using ad-blockers are aiming for.)
I saw a boost of about 7-8%. Remember, most adblockers (like Adblock Plus) don't block Google Analytics. uBlock and Ghostery are probably the 2 main GA adblockers, but as a % of adblockers as a whole they're not that large.
It's probably not worth it.
- Block entire domains - Prevent javascript from running - Use the internet less, read books, use your local library.
Happily, I was able to get my browser from the default message: Hello from Google Tag Manager. This text is being added by a tag running from GTM.
To the blocked message: This content should be overridden by GTM.
But, how far will this game of cat and mouse go?
