How to Incapacitate Google Tag Manager and Why You Should (2022)

BurnerBotje

I have an idea that another way of preventing being tracked is just massively spamming trash in the data layer object, pushing thousands of dollars worth of purchase events and such, pushing randomly generated user details and other such events. Perhaps by doing this your real data will be hard to filter out. A side effect is also that data becomes unreliable overall, helping less privacy aware people in the process.

chamomeal

Now there’s a fun idea!! I wonder how difficult it would be to spoof events.

Edit: looks like this might exist already: https://addons.mozilla.org/en-US/firefox/addon/adnauseam/

genewitch

Since installing it on firefox on this computer (18 months ago or so) Ad Nauseam has clicked ~$38,000 worth of ads, that I never saw.

Between this and "track me not" I've been fighting back against ads and connecting my "profile" with any habits since 2016 or so. I should also note I have pihole and my own DNS server upstream, so that's thirty-eight grand in ad clicks that got through blacklists.

https://www.trackmenot.io/faq

cj

[Preface: I hate ads, I love uBlock origin, I use pihole, I'm a proponent of ad blockers]

I manage a Google Ads account with a $500,000 budget. That budget is spent on a mix of display ads, google search, and youtube ads.

If I knew that 10% of our budget was wasted on bot clicks, there's nothing I can do as an advertiser. We can't stop advertising... we want to grow our business and advertising is how you get your name out there. We also can't stop using Google Ads - where else would we go?

$38,000 in clicks boosts Google's revenue by $38k (Google ain't complaining). The only entity you're hurting are the advertisers using Google. Advertisers might see their campaigns performing less well, but that's not going to stop them from advertising. If anything, they'll increase budgets to counteract the fake bot clicks.

I really don't understand what Ad Nauseam is trying to achieve. It honestly seems like it benefits Google more than it hurts them. It directly hurts advertisers, but not enough that it would stop anyone from advertising.

Google has a system for refunding advertisers for invalid clicks. The $500k account that I manage gets refunded about $50/month in invalid clicks. I'm guessing if bot clicks started making a real dent in advertiser performance, Google would counter that by improving their bot detection so they can refund advertisers in higher volumes. If there's ever an advertiser-led boycott of Google Ads, Google would almost certainly respond by refunding advertisers for bot clicks at much higher rates.

Wowfunhappy

I would worry about being labeled a bot and denied access to websites at all.

aerzen

Am I dumb or does this article fail to explain what the tag manager actually does? And not just with a loaded word, such as surveillance or spying, but actually technically explain what they are selling for and why it is bad.

mlinsey

Google Tag Manager is a single place for you to drop in and manage all the tracking snippets you might want to add to your site. When I've worked on B2C sites that run a lot of paid advertising campaigns, the marketing team would frequently ask me to add this tracking pixel or another, usually when we were testing a new ad channel. Want to start running ads on Snapchat? Gotta add the Snapchat tracker to your site to know when users convert. Now doing TikTok? That's another snippet. Sometimes there would be additional business logic for which pages to fire or not fire, and this would change more often. Sometimes it was so they could use a different analytics tool.

While these were almost always very easy tickets to do, they were just one more interruption for us and a blocker for the stakeholders, who liked to have an extremely rapid iteration cycle themselves.

GTM was a way to make this self-service, instead of the eng team having to keep this updated, and also it was clear to everyone what all the different trackers were.

a2800276

I was tasked with auditing third party scripts at a client a couple of years ago, the marketing people were unable to explain wtf tag manager does concretely without resorting to 'it tracks campaign engagement' mumbo jumbo, but were adamant that they can’t live without it.

sandspar

Google Tag Manager lets you add tracking stuff on your website without needing to touch the code every time. So if you want to track things like link clicks, PDF downloads, or people adding stuff to their cart.

It doesn't track things by itself. It just links your data to other tools like Google Analytics or Facebook Pixel to do the tracking.

This kind of data lets businesses do stuff like send coupon emails to people who left something in their cart.

There are lots of other uses. Basically, any time you want to add code or track behavior without dealing with a developer.

xiande04

There's a section in the article titled, "WHAT DOES GOOGLE TAG MANAGER DO?":

> Whilst Google would love the general public to believe that Tag Manager covers a wide range of general purpose duties, it's almost exclusively used for one thing: surveillance.

munchler

That’s a single word, not much of an actual explanation.

Finnucane

The "general public" probably has no idea that Tag Manager is a thing that exists.

fguerraz

Maybe you’re being misled by the cryptic name. It’s got nothing to do with managing tags, it’s a behaviour tracker and fingerprint machine.

9dev

I mean technically you can use it to manage HTML tags to inject into a site.

snowwrestler

This is in fact what it is primarily used for.

slow_typist

Well I can inject HTML tags (or elements) with native JavaScript. Or manage them. Why would I want a bloated third party piece of software doing that?

gleenn

I'm all for blocking surveillance but how tiring is it to block JavaScript as suggested and then watch the majority of the internet not work?

pluc

It really isn't. I've been blocking all JavaScript for years now, selectively allowing what is essential for sites to run or using a private session to allow more/investigate/discover. Most sites work fine without their 30 JS sources, just allowing what is hosted on their own domain. It takes a little effort, but it's a fair price to pay to have a sane Internet.

The thing is - with everything - it's never easy to have strong principles. If it were, everyone would do it.

roywiggins

It's certainly not that bad if you have uMatrix to do it with, but I haven't found a reasonable way to do it on mobile. uMatrix does work on Firefox Mobile but the UI is only semi functional.

bornfreddy

Not quite the same (I love uMatrix UI), but advanced mode in uBO is similar. It lacks filtering by data type (css, js, images, fonts,...) per domain, but it does resolve domains to their primary domain, revealing where they are hosted. A huge kudos to gorhill for both of these!

1vuio0pswjnm7

uMatrix is fully-functional on Nightly.

Using Firefox Add-Ons on a "smartphone" sucks because one has to access every Add-On interface via an Extensions menu.

In that sense _all_ Add-Ons are only semi-functional.

I use multiple layers: uMatrix + NetGuard + Nebulo "DNS Rules", at the least. Thus I have at least three opportunities where I can block lookups for and requests to Google domains.

baobun

NoScript + uBO is all right.

1vuio0pswjnm7

Impossible to know because when I disable Javascript "the majority of the internet" works fine. As does a majority of the web.

I read HN and every site submitted to HN using TCP clients and a text-only browser, that has no Javascript engine, to convert HTML to text.

The keyword is "read". Javascript is not necessary for requesting or reading documents. Web developers may use it but that doesn't mean it is necessary for sending HTTP requests or reading HTML or JSON.

If the web user is trying to do something else other than requesting and reading, then perhaps it might not "work".

heavyset_go

Whitelisting JS has worked on my end for a while.

I won't browse the Internet on my phone without it, everything loads instantly and any site that actually matters was whitelisted years ago.

sureglymop

It's easier than I thought. I just use uBlock Origin with everything blocked by default and then allow selectively.

kevin_thibedeau

StackOverflow switched over from spying with ajax.google.com to GTM in the past year or so. All for some pointless out of date jQuery code they could self-host. I wonder how much they're being paid to let Google collect user stats from their site.

goopypoop

People who want you to run their scripts aren't really your friends

anothernewdude

The sites that don't work are usually the worst websites around - you end up not missing much. And if it's a store or whatever, you can unblock all js when you actually want to buy.

Rapzid

About as tiring as hearing about it all the time. Thank god it's a fringe topic these days but this article snuck it in. Probably the constant use of the word "surveillance" was an early tell haha.

adamiscool8

I don't think this article makes a good case for why you should.

> The more of us who incapacitate Google's analytics products and their support mechanism, the better. Not just for the good of each individual person implementing the blocks - but in a wider sense, because if enough people block Google Analytics 4, it will go the same way as Universal Google Analytics. These products rely on gaining access to the majority of Web users. If too many people block them, they become useless and have to be withdrawn.

OK - but then also in the wider sense, if site owners can't easily assess the performance of their site relative to user behavior to make improvements, now the overall UX of the web declines. Should we go back to static pages and mining Urchin extracts, and guessing what people care about?

card_zero

But I like it better when they have to guess. If it's something we care about enough, we'll let them know.

bredren

Belt and suspenders approach is to attach analytics to the most important events on the server side and combine with the session.

If the frontend automatic js is blocked, it doesn’t matter.

throw123xz

Analytics can have good uses, but these days it's mostly used to improve things for the operator (more sales, conversions, etc) and what's best for the website isn't always the best for the user. And so I block all that.

slow_typist

Effective and accessible UX design is a solved problem. It’s a matter of education of front end developers, not of A/B testing your users to death.

add-sub-mul-div

If the analytics brought us to this, of what use are the analytics?

fvgvkujdfbllo

> surveillanceware

I thought the term was spyware.

Surveillanceware almost sounds like something necessary to prevent bad stuff. Is this corporate rebranding to make spyware software sound less bad?

Eggs-n-Jakey

I don't know, the memetics of Surveillanceware or spyware mostly leads me to the belief that everything is weaponized to drain your money thru ads/marketing instead of the direct approach of stealing my money.

Animats

Blocking Google Tag Manager script injection seems to have few side effects. Blocking third party cookies also seems to have few side effects. Turning off Javascript breaks too much.

alganet

Use a whitelist-based extension such as NoScript:

https://noscript.net

You can then enable just enough JS to make sites work, slowly building a list of just what is necessary. It can also block fonts, webgl, prefetch, ping and all those other supercookie-enabling techniques.

The same with traditional cookies. I use Cookie AutoDelete to remove _all_ cookies as soon as I close the tab. I can then whitelist the ones I notice impact on authentication.

Also, you should disable JavaScript JIT, so the scripts that eventually load are less effective at exploiting potential vulnerabilities that could expose your data.

rurban

Just add the domain to your /etc/hosts as 0.0.0.0

Doing that for years

future10se

As mentioned on the blog post:

> Used as supplied, Google Tag Manager can be blocked by third-party content-blocker extensions. uBlock Origin blocks GTM by default, and some browsers with native content-blocking based on uBO - such as Brave - will block it too.

> Some preds, however, full-on will not take no for an answer, and they use a workaround to circumvent these blocking mechanisms. What they do is transfer Google Tag Manager and its connected analytics to the server side of the Web connection. This trick turns a third-party resource into a first-party resource. Tag Manager itself becomes unblockable. But running GTM on the server does not lay the site admin a golden egg...

By serving the Google Analytics JS from the site's own domain, this makes it harder to block using only DNS. (e.g. Pi-Hole, hosts file, etc.)

One might think "yeah but the google js still has to talk to google domains", but apparently, Google lets you do "server-side" tagging now (e.g. running a google tag manager docker container). This means more (sub)domains to track and block. That said, how many site operators choose to go this far, I don't know.

https://developers.google.com/tag-platform/tag-manager/serve...
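
The point made in the comment above, that a tag loader served from the site's own (sub)domain escapes hosts-file and DNS blocking, can be checked against a saved copy of a page. The following is an added example, not code from the thread or the linked article: it lists a page's script references and separates Google-hosted loaders from loaders on any other host. It assumes the default `/gtm.js?` and `/gtag/js?` loader paths are kept; `audit`, `ScriptAudit`, and the hostnames and IDs in the sample are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

GOOGLE_HOSTS = ("googletagmanager.com", "google-analytics.com")
LOADER_RE = re.compile(r"/(?:gtm\.js|gtag/js)\?")  # default paths (assumed kept when self-hosted)
URL_RE = re.compile(r"""(?:https?:)?//[^\s'"]+""")

class ScriptAudit(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.findings, self._inline = page_host, [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            self._inline = src is None
            if src:
                self._classify(src)
    def handle_endtag(self, tag):
        self._inline = self._inline and tag != "script"
    def handle_data(self, data):
        if self._inline:  # the stock GTM snippet builds its URL in inline JS
            for url in URL_RE.findall(data):
                self._classify(url)
    def _classify(self, url):
        try:
            host = (urlsplit(url).hostname or self.page_host).lower()
        except ValueError:  # malformed URL text inside a script
            return
        if any(host == g or host.endswith("." + g) for g in GOOGLE_HOSTS):
            self.findings.append(("third-party", host))  # a hosts/DNS block covers this
        elif LOADER_RE.search(url):
            self.findings.append(("self-hosted", host))  # a hosts/DNS block misses this

def audit(html, page_host):
    parser = ScriptAudit(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; hosts and IDs are placeholders.
SAMPLE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>j.src='https://www.googletagmanager.com/gtm.js?id='+i;</script>
<script src="https://metrics.shop.example/gtm.js?id=GTM-EXAMPLE"></script>
<script src="/static/app.js"></script>
</head></html>"""

if __name__ == "__main__":
    print(audit(SAMPLE, "shop.example"))
```

A "self-hosted" finding marks a host that a Google-domain blocklist does not cover; a container configured with non-default paths would not be matched by this check.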

1oooqooq

iknownothow

I just did a wget of the site and noticed the following line at the end.

> <script async src="https://www.googletagmanager.com/gtag/js?xxxxxxx"></script>

I am going to use this for sure, but it is a little ironic.

drcongo

Google Tag Manager and the whole consent management platform certification business is nothing more than a shakedown. It's racketeering.