Google Tag Manager. It's a product which, by design, cloaks a range of the Internet's most invasive and unethical scripts in an opaque closet, then springs them out in disguise. Combining immense power with obfuscation and vast scale of use, Google Tag Manager is the WWW's single most destructive tool to public privacy and online ethicism.
And it's getting worse. Google is now driving Tag Manager into the first-party domain, switching from third-party to first-party cookie usage, for example. Whilst this may look like a warm-hearted bid to increase privacy protection for the public, it's really just part of Google's relentless string of attempts to circumvent third-party content-blocking by shifting surveillanceware into a first-party container.
This probably also explains why Google has not sought to prevent site admins from running Tag Manager on the server-side, despite such practices technically breaching this line in the Tag Manager ToS...
"You agree not to... interfere with or circumvent any aspect of the Service;"
I'll come to the burning issue of server-side GTM usage in due course, but don't worry, there are solutions...
Whilst Google would love the general public to believe that Tag Manager covers a wide range of general purpose duties, it's almost exclusively used for one thing: surveillance. Tag Manager's close link with Google Analytics has ballooned the level of intrusion we now face across the bulk of the Web, as well as making Google Analytics more covert and more resistant to blocking.
Making Google Analytics harder to block was fairly evidently not part of Tag Manager's original brief upon launch, circa 1st October 2012. The goal back then was probably just to put Google's finger on the pulse of third-party people-profiling strategies and maintain the giant's ad-tech dominance on a classic knowledge-is-power basis.
"Using this blocking method, GTM will run if it's on the server-side, but none of the scripts it launches will work."
Conversely, Tag Manager's now inseparable companion, Google Analytics 4, was born at a time when content-blocking (as opposed to just ad-blocking) was going mainstream. With the proportion of people blocking at least some form of third-party surveillanceware estimated to be heading for 40%, Google Analytics was under existential threat. In this light, GA4's orientation towards Tag Manager definitely did appear to be an attempt to sidestep content-blocking, and hide Google Analytics in a more general container which most of the public would not identify as a harbour for surveillanceware.
A general container which content-blockers with weak algorithms notably do not block. And which can evade blocking altogether if relocated to the first-party domain.
But thinking positively, our takeaway should be: Google recognises that we, the great, content-blocking public, have successfully rendered the old, Universal Google Analytics unfit for purpose. UGA is being deprecated next year. That's right - we won a battle against Google! Our next challenge is to kill off UGA's replacement - Google Analytics 4 + Tag Manager - in the same way.
That will be harder, because the new system can punish those who incapacitate it. So is it worth the bother?...
Definitely! And here's why...
Once upon a time, Google Analytics existed as a simple means to record website traffic volume and generalised user behaviour, so as to determine which content performed the best, and offer pointers on improving the appeal of future content.
Not anymore. Used in conjunction with Tag Manager, Google Analytics now offers scope for much more detailed behaviour-monitoring. As a result, it's commonly used to uniquely identify individual people, engage them in experiments, build dossiers on them, analyse those dossiers for psychological vulnerabilities, and then exploit those vulnerabilities unethically, for profit. Let's be clear. That's what Google Analytics is now about.
In times past, there was a barrier to entry into this field, since only the site admins serious enough to hire cutting-edge developers could turn a website into a hardcore surveillance machine. But Google Tag Manager now makes the integration of powerful spyware such a straightforward DIY task that any random half-ass who decides to open a website can build, exploit and/or sell detailed dossiers on real people. Tag Manager has not reduced the barrier to entry. It's completely removed it.
The GA4 + Tag Manager combo records page scrolling, mouse clicks, mouse movements, screen touches, key taps, media engagements - any movement you make on the page, basically. It also times visits and attention spans a lot more accurately than the old Google Analytics. Coupled with your identity - also monitored by Google Analytics - this type of lab-ratting is obviously a licence to exploit psychological traits. Mental health issues, even.
Meanwhile, Google Tag Manager is regularly popping up on Government sites. This means not only that governments can study you in more depth - but also that Google gets to follow you into much more private spaces.
The more of us who incapacitate Google's analytics products and their support mechanism, the better. Not just for the good of each individual person implementing the blocks - but in a wider sense, because if enough people block Google Analytics 4, it will go the same way as Universal Google Analytics. These products rely on gaining access to the majority of Web users. If too many people block them, they become useless and have to be withdrawn.
This has become a burning question of the moment.
Used as supplied, Google Tag Manager can be blocked by third-party content-blocker extensions. uBlock Origin blocks GTM by default, and some browsers with native content-blocking based on uBO - such as Brave - will block it too.
Some preds, however, full-on will not take no for an answer, and they use a workaround to circumvent these blocking mechanisms. What they do is transfer Google Tag Manager and its connected analytics to the server side of the Web connection. This trick turns a third-party resource into a first-party resource. Tag Manager itself becomes unblockable. But running GTM on the server does not lay the site admin a golden egg...
True: technically, we cannot block something in the browser if it doesn't run in the browser. If it's running on a remote server we can't reach it.
But equally, we have a switch that the surveillance-crazed website cannot reach. If we essentially cut off the power at our end of the connection, the tentacles of the surveillance system will fail to extract their detailed information. The tracker can thus only gather limited data. Tag Manager itself is only a launcher. Without the tentacles it fires up, it's useless.
Let's now look at some different methods for incapacitating Google Tag Manager...
Tracking is not only getting more aggressive - it's also getting more sneaky. We don't know where the tracking utility will be located, so we can't rely on URL-based block-lists. And we don't know what Tag Manager will fire, because the whole point of it is to allow a site admin complete flexibility.
So here are the options...
Pre-requisite... Block cookies. All of them. Third-party and first. Some third-party cookies are now masquerading as first-party cookies, which means they'll still function if you only block third-party. If you need cookies for specific sites, clear the domains as exceptions. You can do this in Firefox or Chromium-based browsers. Better still, use separate browsers for the sites that need cookies, and keep cookies fully disabled when randomly browsing. If you need to log into Google services (or multiple services from another tech giant), group all of the services into one browser, allow it to accept first-party cookies, and don't use that browser for anything else.
Blocking cookies while randomly browsing won't just block the actual text file drops. Most browsers interpret numerous "other technologies" as cookies too. Chromium and its derivatives, for example, will not accept service workers or local data dumps for a site whose first-party cookies are blocked.
Method 5... Use the Lynx browser in conjunction with Frogfind. This will only show you the text on a given page, but if the page is loadable, you should get a readable layout, and you don't have to think about anything as regards blocking. Lynx will just block every piece of surveillanceware if used with cookies disabled, as described in the post I linked to.
If you're using Method 1, you can feasibly tighten your privacy further by loading a blacklist into your hosts file to block third-party content. There are quite a few of these blacklists on GitHub - just search for hosts file blacklist on a search engine. This will, however, slow down your system, and it's not as watertight as Method 3.
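The limit of hostname blacklists, as an added example that is not part of the original post: a hosts file matches exact hostnames only, so it stops the third-party loader but not the same loader served from the site's own domain. The blacklist lines and URLs are constructed samples, and the `GTM-…` container-id check is an assumed heuristic that a site can defeat by changing its request format.

```javascript
// Added example: hostname-only blocking (hosts file) versus a check on the
// request URL itself. All sample data below is constructed.

// Parse hosts-file text into the set of sink-holed hostnames.
function parseHostsBlacklist(text) {
  const blocked = new Set();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/#.*/, '').trim(); // drop comments
    if (!line) continue;
    const [addr, ...names] = line.split(/\s+/);
    if (addr !== '0.0.0.0' && addr !== '127.0.0.1') continue;
    for (const name of names) {
      if (name !== 'localhost') blocked.add(name.toLowerCase());
    }
  }
  return blocked;
}

// A hosts file has no wildcards and never sees paths or query strings.
function blockedByHosts(url, blocked) {
  return blocked.has(new URL(url).hostname.toLowerCase());
}

// Assumption: the loader request still carries a container id (GTM-XXXX)
// in its "id" parameter. A miss here is inconclusive, not a clean result.
const CONTAINER_ID = /^GTM-[A-Z0-9]+$/;
function looksLikeTagManagerLoader(url) {
  return CONTAINER_ID.test(new URL(url).searchParams.get('id') || '');
}

function audit(urls, hostsText) {
  const blocked = parseHostsBlacklist(hostsText);
  return urls.map((url) => ({
    url,
    hostsBlocks: blockedByHosts(url, blocked),
    loaderPattern: looksLikeTagManagerLoader(url),
  }));
}

const SAMPLE_HOSTS = `
# constructed blacklist excerpt
0.0.0.0 www.googletagmanager.com
0.0.0.0 www.google-analytics.com
`;
const SAMPLE_REQUESTS = [
  'https://www.googletagmanager.com/gtm.js?id=GTM-ABC1234', // third-party
  'https://metrics.example.com/gtm.js?id=GTM-ABC1234', // first-party copy
  'https://example.com/static/app.js', // ordinary site script
];
console.table(audit(SAMPLE_REQUESTS, SAMPLE_HOSTS));
```
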
If you decide to block images (which stops tracking pixels from loading), blocking them in the browser is much more reliable than blocking them with an extension.
Comprehensively incapacitating Google Tag Manager, and indeed maintaining online privacy in general, does not come without sacrifice. We're long past the days when it was possible to simply say "no" to corporate stalking without consequence. Today, when we say "no", we get punished for it. But that only goes to show WHY, more than ever, we should be saying "no". Do you really want to be dealing with people who punish you when you ask not to be exploited?