Incapacitating Google Tag Manager (2022)

Original Article ↗ Hacker News Discussion ↗

Blocking JS and Third‑Party Trackers

  • Several commenters say browsing with most JavaScript blocked is practical: allow first‑party scripts, selectively enable per site, and many pages work fine or even better.
  • Others find it burdensome, especially when visiting many new or vendor sites for work, where constant tuning of per‑site rules is tedious.
  • Mobile support for fine‑grained blocking is seen as weaker and less usable than on desktop.

Tools and Techniques

  • Common stacks: uBlock Origin (often in “advanced”/hard mode), uMatrix, NoScript, Privacy Badger, Cookie AutoDelete, DNS‑level blocking (Pi‑hole, NextDNS), and hosts file lists.
  • Strategy patterns: block all third‑party by default; allow only what’s needed; sometimes keep a separate “clean” browser with minimal extensions for testing or problem sites.
  • DNS/hosts‑based blocking is limited when GTM/analytics are proxied or served first‑party, including server‑side GTM and Cloudflare Insights.

What Google Tag Manager Actually Does

  • Multiple explanations clarify GTM beyond the article:
    • It’s a central container for injecting scripts (“tags”) without redeploying site code.
    • Primarily used by marketing to add/modify analytics pixels and ad trackers (Google Analytics, Facebook Pixel, etc.) and to attach triggers (URL, page state, events).
    • Offers versioning, preview, and permissions so non‑engineers can iterate quickly on campaigns.

Security, Performance, and Governance Concerns

  • Characterized by many as “XSS‑as‑a‑service”: non‑technical teams can inject arbitrary JS into production without code review, staging, or performance evaluation.
  • Reported problems: site breakage from bad third‑party scripts, large performance hits from dozens of tags, privacy‑policy drift as tags accumulate and are never cleaned up.
  • Some consider GTM among the worst software they’ve worked with; others note it can be “a good tool if you insist on doing those things.”

Ethics of Tracking and Advertising

  • One side: tracking via GTM is “racketeering”/spyware; advertisers historically measured performance without invasive surveillance and should do so again.
  • Other side: measuring ad effectiveness is framed as a legitimate business need; GTM is just the current mechanism.
  • Debate over whether widespread blocking would meaningfully degrade UX: some fear loss of behavioral insight; others argue good UX doesn’t require intensive analytics.

Data Poisoning and Active Resistance

  • Some propose polluting trackers’ data (e.g., fake events, AdNauseam, TrackMeNot) to degrade profiling.
  • Counterpoints: this mainly wastes advertisers’ budgets and may push Google to improve bot filtering; impact on the ad ecosystem is contested but viewed by some as worthwhile pressure.

Alternatives and Scope

  • For basic, privacy‑friendlier analytics (e.g., on static/GitHub Pages sites), commenters suggest many GA alternatives such as lightweight, non‑tracking services and server‑side, event‑level logging.
  • Several note that if you block GTM, you likely also want to consider blocking other analytics platforms like Yandex Metrica and Cloudflare Insights.