This was one of my favorite examples of how there was much more to NoScript than most people assumed, and it had a depth of features that could not be matched by "alternatives" like uMatrix. But that feature was killed by the mass extension breakage in Firefox 57: https://github.com/hackademix/noscript/issues/133#issuecomme...
So in a way, this feature can be seen as more than three years overdue.
I'm happy with this. Some extensions are so important they should be integrated into the browsers themselves. NoScript, uBlock Origin, uMatrix and Privacy Badger should just be standard browser features.
That would give the browser owners control over ad blocking behaviours, while they rely on funding from companies which sell ads. That's not a great situation for the users. The authors providing an unopinionated API for plugins is much safer.
You're absolutely right. Though the problem is the conflict of interest, not the idea that these things should be browser features.
The truth is everyone trusta these particular extensions and so they should have more privileges and deeper integration. For example, Google's new extension APIs actually make a lot of sense: they allow extensions to do useful things without actually looking at user data. This is a big improvement and it should be imposed on all extensions on their store. It's just that uBlock Origin is so important that it shouldn't be subjected to these limitations. That's why I say it might as well become a browser feature.
Indeed, it also raises the question: Why do we pay for something like MS Office but not for a browser?
I think I'd pay 50/year or so for Firefox.. Even if Chrome is free. In fact I already donate about half that. But the point of course is getting a lot of people to do that so they can achieve independence from Google.
I wouldn't pay for a browser, they all track me, or try to, and experiment on me, and extract personally identifiable information which I am told is "anonymized" but you'd have to be a complete moron to believe that.
I'm already paying with all the data Mozilla and Google extract from me. In fact, they should pay me. I haven't asked for or wanted any of the new browser features which have appeared since, say, 2001. They all serve somebody else, not me.
Yeah, what's up with these experiements? Sometimes I run htop and notice lots of Chromium processes with field-trial-id parameters. Don't think I ever signed up for this!
I am also actively looking for a way to fund Firefox.
I have donated to the servo project under the Linux Foundation and I'll possibly pay for Firefox VPN when it becomes available if I know the money goes into the corporation and not the foundation (yep, weird, but the corporation is where the browser gets developed. And money only goes from the corporation to the foundation, so if I want to support the development of the browser I guess that's how it has to be.)
but if they are already taking money from Google, why should I donate to Firefox?
IMO companies that aren't getting direct money from ad businesses deserve my donations more.
There's no guarantee that reaching independence from Google will stop Firefox from getting Google money, disabling features that made Firefox different or cutting jobs.
Most of their revenue comes from Google (for providing it as the default search engine in the browser) because they can't get enough revenue from donations to pay for their work. If they got enough money from donations, they wouldn't need to rely on Google's spare change.
Do you realize that 0 donations go to Firefox development?
Firefox development is done by Mozilla Corporation (that doesn't accept any donations, AFAIK). A part of their earnings are given to their owner, Mozilla Foundation, that you are suggested to donate to, and it may not be a bad idea, but it does not finance Firefox development in any way.
Or they can just cripple the APIs so extensions don’t work as effectively anymore. Kind of what happened in practice with Safari (although this was not malicious).
I'm not because without extensions that now you think they should be standard browser features actually existing you may not even have imagined about those features in the first place.
Or to put it in another way: browser developers cannot imagine every possible use case that may come out of browsers nor are always the best judges of what is important and what not. It is just a matter of limited human imagination. The combined imagination of all potential extension authors is much greater than the combined imagination of whoever makes decisions about the features in a single browser - and extension authors do not have to convince anyone about adding those features in the browser, they can just throw them at the wall (users) and see what sticks.
For a similar see X11 vs Wayland and how the latter has to make application-specific extensions for functionality provided by programs written using functionality the former provided since practically forever.
> I'm not because without extensions that now you think they should be standard browser features actually existing you may not even have imagined about those features in the first place.
I agree. I'm not saying we shouldn't have extensions. The entire ecosystem should be healthy, varied and with a low barrier to entry. I'm saying some extensions turned out to be so incredibly important that they really ought to be installed by default for every user. The only thing that stops uBlock Origin from being a browser feature is the fact it is an extension.
I installed uBlock Origin not only in my own browsers but also in the browsers of every single computer I have ever used. Sometimes people even comment on how much nicer the whole web browsing experience has become and they can't explain why when I ask them. People also seem to magically become immune to malware since malicious ads are no longer being shown and malware domains are being blocked.
When an extension has such an immensely positive impact on your users, browser developers need to recognize that fact and integrate it into the browser. At the very least they should ship the extension with the default browser package.
There isn't a very wide gap between builtin and "we bundle this extension by default" - which was always an option. The difference would have been marginal if Mozilla wanted to make it so.
Open source has an advantage when it sets itself up as basic infrastructure that can be tailored to many roles. It is notable that Brave, being started by a CTO from Mozilla with extensive experience in Mozilla, went with Chromium as the browser base for whatever reason.
Maybe if Firefox hadn't damaged its extension ecosystem instead Brave's niche could maybe have been done with extensions. Who knows. The former userbase has been delivering powerful votes of no confidence against Firefox for a decade now.
> There isn't a very wide gap between builtin and "we bundle this extension by default" - which was always an option. The difference would have been marginal if Mozilla wanted to make it so.
I was just warning people. Depending on something like umatrix that also uses "lists" that aren't being updated should at least be known about. I wouldn't recommend using it without combining it with something like noscript or ublock (depending on how aggressive you are).
I'm very worried about this, to be honest. There doesn't appear to be anything even remotely close to a proper replacement for uMatrix. The thought of going back to the relentless spyware that is the web today (without uMatrix) is literally scary.
Someone here (long-ago thread) suggested uBlock Origin but it doesn't come anywhere near the functionality of uMatrix.
I'll continue using uMatrix and it continues to work perfectly but if Mozilla ever breaks it with incompatible changes, I'm at a loss what to do. Keeping fingers crossed it works for a long time.
I'd be happy to pay substantial money for something like uMatrix.
uBO static filters work fine as a replacement for most uM rules, except that you have to write them by hand instead of the convenient table UI that uM had.
The first three lines disable a whole bunch of things on all websites, then the fourth selectively re-enables some of them (@@ are exception rules) in 1p cases. Then for each web property I have a section that selectively re-enables more things for that web property's domains (exception rules with a domain= filter).
Eg the first rule in the GH section says that github.com is allowed to make websocket and XHR requests to s3.amazonaws.com. If that line wasn't there, the very first line's rule would've blocked it.
Notice that 1p JS appears to be enabled by the fourth line, but I actually have dynamic rules to prevent JS by default, unless enabled per site:
The reason I do this with dynamic rules instead of static filters is that uBO has the ability to simulate noscript tags on websites where it disabled JS, but it only does that when JS is disabled via the `no-scripting` dynamic rule, not when it's disabled via static filters.
The only thing that uM does and uBO doesn't is cookies, so I still use uM for that.
I thought NoScript was a single-purpose extension for disabling scripts. Naming and messaging matters, I guess. "JSControl" would've been a better name.
The full name as shown on addons.mozilla.org is "NoScript Security Suite", which more accurately conveys its purpose. Some of the features it provided really had nothing to do with JavaScript, such as NoScript's implementation of Strict Transport Security about 1.5 years before Firefox itself implemented that feature.
Still sounds like a JavaScript blocker, that doesn't clarify anything for me. I've never even looked at it as I've somehow associated it with "block all Javascript", seems like I missed out.
"Block all JavaScript" never required an extension. All the browsers have an option to turn JavaScript off entirely. NoScript started out as a way to provide an easy UI for selective blocking of scripts.
But it experienced the best kind of scope creep: it gained the ability to block other dangerous web features (eg. Flash and other plugin objects, web fonts, etc.), gained features to make life easier when blocking scripts (ie. the surrogate scripts feature), gained other security features for blocking evil actions by the scripts that are permitted (XSS blocking, clickjacking protection), and helped pioneer some security measures that weren't related to scripting (HSTS, ABE as a precursor to and superset of CORS).
IIRC if you turn JS off in the browser, the "noscript" blocks on sites get executed. But if you turn NoScript on, the "noscript" blocks aren't executed.
Thanks for the correction. My point remains that the "NoScript" extension doesn't do anything with those "noscript" blocks, so they're not shown to the user despite the user not executing JS on the site.
This is a bit of a PITA when one tries to make the site "work well" with JS both enabled and disabled; or provide _alternatives_ for when the user-agent isn't running JS.
Those work really well when the user-agent is blocking JS globally, but not for NoScript: broken behaviour everywhere.
No script blocks all scripts though so it's a tad bit extreme. They had bigger fish to fry but they finally got around to this. I'm happy they're doing it and I'm not going to complain about water under the bridge.
NoScript selectively blocks scripts on a per-domain basis, which is almost always sufficient to block the bad scripts but allow the necessary scripts on a site. The exceptions where a surrogate script (or blocking scripts by URL regex) is required are relatively rare.
It requires a lot of work from the user unlike something like ublock. It's fine for power users and hardcore privacy adherents but I would never recommend it for your general internet user as they'll just get confused.
Well, you should be able to remake it by now, since that was in 2016, so Firefox should have replaced all the functionality the previous extensions had, right?
Too little too late for me personally. I couldn't keep my two versions of Firefox from interfering with each other so these days it's Chrome for all my casual browsing and Firefox 56 for the functions I can't do without.
It's whack-a-mole, but better whack-a-mole to learn-to-love-the-mole.
Another way to think of it besides the futility of whack-a-mole is, it's pushback, resistance, sand in the gears. It's making an undesired behavior less valuable. Yes you didn't stop sites from including analytics, yes tomorrow google will have some counter move, but that doesn't mean the effort was pointless. If you can exert a 5% pressure on some system and maybe only get a 5% reaction, that's perfectly fine.
They already have a counter move, to an extent. One of the deployment models for GA is via Google Tag Manager. One of the deployment models for GTM is this[1] server-side mode deployed to an App Engine container in Google Cloud. The only browser-visible communication happens between your browser and the App Engine instance, and then you send server side calls from that to the downstream systems based on those events (GA, Facebook Conversion API, etc).
It can also be used like the traditional GTM model, where it loads the primary GTM script browser-side, then that loads additional browser-side scripts based on the tags you implement (GA, Facebook, chat systems, map widgets, whatever). But the default GA support built into it avoids loading anything from Google's domains directly by the browser. And it's not even subject to the CNAME cloaking protections[2] that ITP have implemented, since it's not using the "CNAME to third party" technique that's typically common for these sorts of things to get first party access/privileges and is instead actually running on your infrastructure.
Integrating with Google Analytics on the server-side as opposed to the client-side has always been available. Developers just rarely do it because it is easier to add a JavaScript snippet to the page.
It gives much more detailed data like how long a user keeps a page open, and browser fingerprinting data that's not available server-side like querying fonts or viewport size.
Not familiar with the particulars, but server-side GA, has the same theoretical ability as the current Javascript-based GA. The only difference is that the client code is served by the first party, and not the Google servers.
What's really clever is that at the scale that GA is deployed, it's really really hard for Google to willy-nilly break API just to get around this because a lot of webmasters will simply not bother updating their scripts, and if Google forcefully pushes a breaking change, people might stop using GA, or worse, they get an avalanche of bad PR for breaking half the web.
My understanding is they are veeery careful around rolling out changes and deprecations. The cleverness is that there's a huge asymmetry in how fast Firefox can globally deploy updated shims vs how fast Google can change GA API.
People use analytics to decide where to focus there efforts. For example, if most of your users are on mobile, invest more in the mobile experience. The unintended consequence of this change is people looking at which browsers are hitting their website, finding that it’s mostly Chrome and therefore testing only with Chrome. This would degrade the experience for Firefox users as subtle breakages start appearing.
Folks advocating for the use of hosted analytics instead of GA are correct ... but that’s not what most people will do. It’s just simpler to add a one line GA tracker to your code and call it a day. And these people will see Firefox usage drop to 0.
We have already seen “this site works best/only on Chrome”, especially on Google products like Inbox. Expect to see more of that as the web becomes a Chromium/Safari duopoly, according to analytics.
You don't need Google Analytics to figure out what browser your audience is using. That information is literally embedded in every single request to your website. There's no need to siphon requests over to Google for something so trivial.
I get that people would like you know as much as possible about who visits their website. Sometimes even for legitimate reasons and not just out of an obsession with collection as much data as possible. But this analytics madness has gone too far. Pretty much every website you visit ships a bunch of data about you to multiple third parties. Often without consent. Just stop doing that. It's not a hard thing to do.
This is hardly new, people have been using ad blockers and various other scripts for years to block GA et el. In my experience it's something which PMs and other key decision makers are already well aware of. If there are still companies out there basing all of their decisions on GA metrics that's really their problem.
The unintended consequence of this change is people looking at which browsers are hitting their website, finding that it’s mostly Chrome and therefore testing only with Chrome.
Bad developers already only test in Chrome regardless of what GA is telling them. This won't have much impact there.
Sarcasm aside, sites breaking or not working when analytics scripts are blocked is nuts. Is there a Wall of Shame for such sites (it may probably be the size of a search engine index)?
FWIW it's usually not malicious. What usually happens is that the analytics script provides some API for the developers to add additional logging functionality[1]. The developer then sprinkles calls to those APIs throughout their code, assuming that those functions will be available. If the scripts are blocked then you get an error like "ga is not defined" and the rest of the code doesn't execute, causing the page to be broken.
To be honest the web is a pretty hostile environment to program in.
Imagine if calling into a library randomly failed in Python. Or random apps directly inserted data into your SQLite database. Or users regularly injected code into your iOS at runtime to remove or change views.
One classic example we ran into was DOM that we'd just rendered suddenly had a different structure because Google Translate would insert new DOM nodes. So after a.appendChild(b); b.parentNode would be some random value instead of a. As a coder that's hard, you need some certainty to build on top of.
Experienced devs can develop intuition about stuff that breaks. But it's hard to be exhaustive. And there isn't a great deal of tooling available for fuzz testing this kind of stuff.
> One classic example we ran into was DOM that we'd just rendered suddenly had a different structure because Google Translate would insert new DOM nodes.
Gosh, this continues to be one of the problems I have with all of the major frameworks. Rather than assuming the DOM is a mutable, shared resource like it actually is, they treat unexpected DOM changes as undefined behavior, and will usually break at the slightest attempts by browsers or extensions to help the user. The Google Translate issue is still largely unsolved, and I’m always frustrated whenever I attempt to translate a blog post on development from Chinese and find out that it’s not working because they’ve decided to render in client-side with React.
React does make this worse, but even with vanilla JavaScript, having a third party make arbitrary changes to the DOM means that there may be no way to safetly perform certain operations.
Expecting every website developer to code defensively for every single operation is unsustainable. A better solution might be to just build APIs for common cases; like creating new nodes that are anchored to existing DOM nodes.
> Or users regularly injected code into your iOS at runtime to remove or change views
That used to be more of a thing. A big iOS app I was indirectly involved in eventually added jailbreak detection. Not because they wanted to block it, but to log it so they could track down some fun bugs caused by random tweaks that changed the UI in impressively hacky ways.
Well, that's just what you get for abusing a document viewing platform into being a programming environment. The Web was never supposed to be an application platform; it did well what it was designed for, which somewhat implies the ability of the user to have the final say over how the content should be displayed.
It's not even sloppy. When people write code with dependency X, they don't check if X is available before every call. The website works as designed. The user decided to change the environment behaviour in an unexpected way.
If you load jQuery as part of your first party bundle, sure. But if you load it from a 3rd party CDN, you can assume it will independently fail at some point. If you’re making something important, the proper resiliency practise would be to gracefully handle it.
Obviously if jQuery is critical to your site working at all there’s not much you can do, but for any dependencies that are not critical or only critical to a small portion of features, it’s a much better UX to degrade only those features.
It's actually reasonable for sites to be able to estimate the proportion of their population who block their analytics by looking at say, the proportion of signups or conversions or sales or whatever that come from 'untracked' sessions. But that is confounded by the fact that the population who uses ad and script blockers is not necessarily similar in behavior to the population who don't.
If 2% of signups to my newsletter come from sessions that don't show up in google analytics, does that mean 2% of my site traffic is using an ad blocker, or are they actually 10% of my site traffic - but those users are just 5 times less likely to give me their email address?
You'd be astounded how many sites break when you turn off cookies.
I'm not just talking "can't log in"/"add to cart" break (obvs), but like, fail-to-catch-the-exception-thrown-by-localStorage-in-render()-so-completely-blank-white-page break.
As a Russian, I sometimes encounter sites that break when Yandex.Metrica is blocked. It's basically the same thing as GA, just from Yandex. And uBO didn't have a shim for it. Not sure if it does now.
I have mixed feelings about this. From the privacy angle I am pleased (I've been blocking GA ever since I knew it existed, via HOSTS), but from the "neutral browser" angle, not so much. Then again, FF is already not neutral with things like "safe browsing" and extension blacklists...
They must be neutral in the sense that they should not make specific rules for specific services. We have seen in a previous hn post that webkit has specific rules for quite some websites, now firefox has these replacements for some javascript codes.
This is wrong and will break things: if there are bad behaviors, like the cookie usage, the rules should be changed to prevent it, that's great, but having ifs and replacing selected scripts is a horrible way to go.
First reason for this is that obviously Google will try to go around that rule and change it's script. Or some nasty tricks like using script proxies, ...
Second is that if Google Analytics is blocked by name, then other tracking services will take the space, and users will loose anyway.
Exactly this, web-browsers should look after the user, and should protect the user against webbrowser-exploits e.g. 1px png tracking images and cookies.
If Chrome didn't allow the user to configure that same performance boost to work on other websites, then Chrome would be failing to operate as a user agent.
That's not how tag managers work. Tag managers are managed by the website who pays them (it's yet another SaaS), and the website can put whatever it wants there. Various site functionality could break if parts of the site logic is missing.
You can argue it is bad engineering, but it isn't exactly the tag manager's fault any more than it is the CDN's fault.
People use tag manager for tracking scripts, but it's also used for anything that you can put into a JS script (tracking or not). Not every script is a tracking script.
A) Here is a computer communication protocol that can be used for many things. One of those things is infringing copyright.
B) Here is another computer communication protocol that can be used for many things. One of those things is infringing copyright.
The internet, being the IP protocol and the bit torrent protocol built on top of IP each are described above.
Differentiate A from B identifying which is IP and which is Bit torrent.
This demonstrates the silliness of the argument made. You either have principles and rules applied equally or you don't. I'm very, very much for the former. Being a an utterly essential foundation of functioning democracy, the rule of law and opposition to the tyranny of government by whim.
Yep, that's exactly what a tag manager is. It lets the marketing department make changes, without the IT department getting involved and slowing things down with non-money-generating activities like code reviews or testing.
It's used to add tracking and advertising. But I've also seen it used for chat bots and chat agents. I've even seen it used for bug fixes that designers wanted to get out the door quickly.
The problem that he seems to be alluding to is that general problem of WYSIWYG cp. bespoke software - in particular, when tools like GTM are used in a way that adds to requirements cruft and detracts from software reliability.
You should post a blog post about this to HN. It's not related to tracking and it's still really interesting, so it deserves more than just a tangential comment here.
The best solution is to self-host your analytics platform, to avoid any data being stored by 3rd parties and it gives you the best chance to not use the next platform that will be blocked like Google Analytics.
If you want to try one, I am building https://userTrack.net, you can PM me on Twitter if you need a discount.
Of course, ~every GA alternative is going to be a paid service.
My meta-recommendation is actually to opt for zoho's "one" suite, which gives you basically everything they offer for $30/mo/full-time employee: https://www.zoho.com/one/pricing/
Firefox should really double down on this. All this strict privacy protection could be branded as Firefox Pro and they could charge for it. This would make for a nice revenue stream as more and more people begin to see the value of this. If Hey can do it for email, Firefox Pro Can do it for browsers!
Counterpoint: this would destroy Firefox' credibility.
I use Firefox because of their strong pro-privacy stance. If they started charging for "real" privacy, it would damage that image - "privacy for those who can afford it" would be a bad slogan.
Also, Firefox has made it clear that they don't want our money, as seen in their continuous refusal to accept donations.
I've been using Firefox since the Phoenix/Firebird days, and I fear the day that Google ends their search funding to the project.
They are absolutely on the right track with Mozilla improving the actual -browser- with all of these new privacy features and core improvements. This could put them in a position to create a revenue stream independent of Google, where people would actually be willing to pay to have a browser wholly decoupled from these ad companies.
There's some risk there indeed, but there would be also big anti-monopoly scrutiny risk from Google's side doing that if they indirectly kill alternative browsers.
Right now there's some kind of equilibrium by having alternative browsers/engines, on Windows especially, plus Google still gets traffic from millions of Firefox users by being default search engine, which makes them $$$.
I don't mind blocking ads, but analytics? That seems like the taking the desire for privacy too far.
Why shouldn't site owner know you've visited their site? How will they do their job if they don't know where people come from, what content they enjoy, what devices they should optimized for, general demographic of their audience, etc.
These are all the things a restourant owner would know about their customers, for example. But no one seems to have a problem with that.
The problem is with the centralisation and aggregation of that knowledge. It’s not (necessarily) bad that the site owner knows you’ve visited their site, it’s bad that Google knows all of the sites you’ve visited.
While I am not as concerned about big tech's data siloing as some, I can see why it's worrying.
Unfortunately, not only is GA the best totally free analytics solution that any marketeer will know how to use, many ad blockers nuke ALL analytics scripts, even if they have nothing to do with google.
> many ad blockers nuke ALL analytics scripts, even if they have nothing to do with google
That's because you don't need analytics scripts to see if people visiit your site - you have the original page request for that. Analytics script collect additional information beyond that, which users that block them have deemed to be not acceptable.
Less about stopping analytics and more about stopping privacy-malicious analytics (which google analytics could arguably be defined as). Install a privacy friendly analytics package and I suspect it won’t be much blocked.
That'd be a reasonable counter-point if extensions like uBlock Origin weren't also blocking self-hosted analytics packages, like Matomo.
I think people in general have gotten so sick of ad powered big tech they are having a bit of an over-reaction against analytics in general, not just google's product.
> These are all the things a restourant owner would know about their customers, for example
The restaurant I visit most often "knows" only my first name (only) plus my mobile phone number, I suppose if they really tried they could probably collect data on my approximate height, build, eye and hair colour, and that I have multiple kids. That's it (since I pay them in cash).
Oddly enough they don't worrying about tracking their customers and instead focus on delivering an excellent product with excellent service. They're known in the region for that, they're usually busy, so one might think their strategy seems to be working(?)
You could do all that without involving the world's largest advertising corporation. Use the data you already receive with each request. You know, count how many pages you've served, use a GeoIP database on visitors' IP addresses, parse their user agents, all that kind of stuff.
A lot of relevant interactions in modern apps are client based. You'd have to send those data points via ajax, but then you've just recreated google analytics.
They know I visited the page by their servers serving me the page. Why the hell does Google need to be involved for that?
And why should a random page I visit get to know my demography, interests and where I come from? How can you portray avoiding that as taking privacy too far??
I don't care if that makes it harder to optimize your business. Find another way or perish.
How do the real life businesses know that? If I explicitly tell them, that's fine. If they know it through some nefarious collection I would have a problem with that.
Would it be reasonable for a restaurant to know about every other restaurant you visit? And every store you look at, and every newspaper article you read?
Fair point. I am not a heavy GA user, I just use the basic functionality.
Nevertheless, I don't feel iffy about my Interests profile participating in aggregate data available to the sites I visit. Since virtually all sites are free of charge, giving some of that insight back seems like a fair trade.
That said, having ALL that data available to Google without anonymization is a bit more worrying, although I haven't seen many examples where it hurt someone in real world.
Web site owners can analyze their web server's log, which has at least client's IP address, user agent, timestamp and the URL. Already too much if you ask me.
I’m mostly interested in what moves like this will mean for e-commerce. Not the sites themself, but all the shady and honestly unprofessionel retargetting, ad-agencies and online marketing in general. Most of those business rely on questionable JavaScript based tracking. I don’t see the majority of those business have the resources or knowledge to survive without JavaScript tracking.
Most of those things are easily analysed in-house or with much less invasive solutions than GA.
> general demographic of their audience
This is not useful to improve a product unless combined with proper research into the demo, which most people don't do. They just apply their own biases and make their product _worse_.
So many people are making all their decisions based on shallow data like this and never do a simple usability test that yields massively more impact.
Put differently, people use this data to try to focus in on specific traits of their audience before even testing that their software works for "humans".
You can, as the owner of a site, check that someone has visited your site, but you cannot give that information to Google (without consent). That's illegal under the GDPR.
Also, you have zero control of what code any client executes on their machine. Zero say, whatsoever.
So what about sites that claim that certain cookies are necessary for operation of the site, when that's at best bending the truth and at worst an outright falsehood?
Many sites work perfectly well and - amusingly - become blazingly fast once you block all scripting and cookies. No annoying GDPR notices, no annoying ads, no (client-side) tracking. So much for "necessary" cookies :/
I am not deep into analytics space, but I know from experience that the most popular ad blocker (ublock origin) will block the most popular self hosted analytics package (matomo).
The thing about blocking self-hosted analytics is that it's very easy to avoid being blocked if you want. You can just change the included tracker name, or request parameter names.
Lots of moles to whack. You can try using a non-chromium browser, decked out with privacy addons like uBo, Decentraleyes, Temporary Containers, Privacy Settings. If you'd like a chromium browser, Iridium Browser could work.
Also if you have an Android phone, you could try to install LineageOS without gapps, or go with /e/.
If you use Drive, Sheets etc, you could try ONLYOFFICE. They use GA, but your decked out Firefox should already block that.
This feature only applies if you are already blocking GA with Firefox.
The change is that now the GA JS API will stay available for the website so that it can keep calling GA functions. The stub won't actually send any info to Google though.
This perfect. I don't have all the storess following me around and where I came from, what my tendencies are etc. They also forget about me, generally when I leave the store. This tracking is not okay and nobody, absolutely nobody, gets to decide for me. Google doesn't own the internet
Maybe a dumb question: Why isn't it enough to simply block the Analytics JS, why is it necessary to substitute it with a "fake no-op" script? Does blocking GA regularly break sites?
One use case I noticed: Don't render the site until Google Tag Manager is loaded. Because of this, when using an adblocker that blocks GTM, the site will never load.
I guess the reason to block GTM until load it use it show some personalized ads/pricing/buttons.
Yes. Many sites assume that GA is there, and for example clicks on buttons may fail to work if the GA click call fails. It isn't great engineering from the site but Firefox wants its users to still be able to browse the web.
I don't understand the hate for this trick. It still breaks cross-site user tracking. It's just sort of a hack around installing a hypothetical Google Analytics app on-prem or pumping in data via a server-to-server integration.
Google Analytics can't cross-reference data from other sites on the browser, b/c it's not a third party cookie now... what's the problem?
I like ads tracking as much as the next guy. However, I am not comfortable with a browser modifying content in any way. I am fine to have extensions that do that, but the browser itself shouldn’t do it “by default” without user explicitly enabling it.
If Google don't pay for Firefox's continued existence, they'll have to deal with anti-trust lawsuits over their Chrome market share. That's essentially why they keep paying.
They could have, if they focused on their core mission the whole time and invested the excess in an endowment that made them independent of corporate donations.
I thought Google Analytics tracked you within a site, and that it's fundamentally not really any different from analyzing server logs except the logs are simply hosted in Google's cloud and visualized using Google's tools. I realize it uses cookies but that's to build analytics around sequences of user actions, since many users can be collapsed into a single IP. Privately hosted analytics software needs to use cookies to achieve the same thing as well.
Google Analytics doesn't have anything to do with building an advertising profile around users, correct?
I know it's popular to hate on Google but does this achieve anything against tracking users across sites in order to build advertising profiles? I was under the impression all the profile-building people object to was done via the pages with ads themselves.
Is Google Analytics actually an evil tool? Or is just "evil by association" because Google ads track users across sites, and Google Analytics also does "tracking" albeit a different kind? I'm just wondering if this is actually anything substantive, or if it's more symbolic.
Edit: wow those were some FAST downvotes. I'm just asking some basic questions to understand how meaningful this is, folks. Hopefully nobody's taking offense.
Google Analytics tracks you across different sites AFAIK. Mozilla supposedly has a special option in GA to not correlate data gathered on their sites with what GA gathers on others.
Even if it didn't, it still tells Google what you're visiting: with so many sites using it, they can get a pretty much complete view of your browsing history, just like Google Fonts.
> Google Analytics tracks you across different sites AFAIK.
See that's the thing, I keep seeing this asserted but when I search for any evidence, I can't find a single article that demonstrates this to be true.
If you own multiple sites you can enable analytics across them, but that's all.
And if Google wants to know what you're visiting to build advertising profiles, they have so many options -- not just Fonts, but DNS, Chrome, ads... it's not like GA by itself is making any substantive difference. But again, just because it could be used for this doesn't mean it is.
So I don't get how this is actually helping. I worry it's a distraction from actual achievements.
Nope, nothing will break. I am blocking GA in the following ways: NoScript, PrivacyBadger, Windows HOSTS file. I see the thing being called, and nothing gets through, and websites work properly.
Edit: the bugzilla article mentions both GA and googletagmanager.com, which (both) I have been successfully blocking in the above ways for many years. I never had any website not working because of those two pieces.
Edit: "we are scum. We want to ** your privacy any way we can. We just got hit with a multi-million fine, so we will continue. You want to unsubscribe? Sure, be tracked a bit more while at it." /end-rant
Only anecdotal, and no longer happening: The top menu on https://www.easyjet.com/en/ used to break if you disabled Google Analytics, the submenu just wouldn't appear.
This was one of my favorite examples of how there was much more to NoScript than most people assumed, and it had a depth of features that could not be matched by "alternatives" like uMatrix. But that feature was killed by the mass extension breakage in Firefox 57: https://github.com/hackademix/noscript/issues/133#issuecomme...
So in a way, this feature can be seen as more than three years overdue.