Firefox replaces Google Analytics with fake no-op in strict tracking protection

5 years ago (twitter.com)

NoScript implemented this over a decade ago, as part of its surrogate scripts feature: https://hackademix.net/2009/01/25/surrogate-scripts-vs-googl...

This was one of my favorite examples of how there was much more to NoScript than most people assumed, and it had a depth of features that could not be matched by "alternatives" like uMatrix. But that feature was killed by the mass extension breakage in Firefox 57: https://github.com/hackademix/noscript/issues/133#issuecomme...

So in a way, this feature can be seen as more than three years overdue.

  • I'm happy with this. Some extensions are so important they should be integrated into the browsers themselves. NoScript, uBlock Origin, uMatrix and Privacy Badger should just be standard browser features.

    • That would give the browser owners control over ad blocking behaviours, while they rely on funding from companies which sell ads. That's not a great situation for the users. The authors providing an unopinionated API for plugins is much safer.

    • I'm not, because without the extensions that you now think should be standard browser features actually existing, you may not even have imagined those features in the first place.

      Or to put it in another way: browser developers cannot imagine every possible use case that may come out of browsers nor are always the best judges of what is important and what not. It is just a matter of limited human imagination. The combined imagination of all potential extension authors is much greater than the combined imagination of whoever makes decisions about the features in a single browser - and extension authors do not have to convince anyone about adding those features in the browser, they can just throw them at the wall (users) and see what sticks.

      For a similar case, see X11 vs Wayland and how the latter has to make application-specific extensions for functionality provided by programs written using functionality the former provided since practically forever.

    • There isn't a very wide gap between builtin and "we bundle this extension by default" - which was always an option. The difference would have been marginal if Mozilla wanted to make it so.

      Open source has an advantage when it sets itself up as basic infrastructure that can be tailored to many roles. It is notable that Brave, being started by a CTO from Mozilla with extensive experience in Mozilla, went with Chromium as the browser base for whatever reason.

      Maybe if Firefox hadn't damaged its extension ecosystem, Brave's niche could instead have been done with extensions. Who knows. The former userbase has been delivering powerful votes of no confidence against Firefox for a decade now.

  • uBlock Origin exposes this via https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-ru... . In particular, https://github.com/uBlockOrigin/uAssets/blob/master/filters/... will translate requesting google-analytics.com/analytics.js into this stub: https://github.com/gorhill/uBlock/blob/master/src/web_access...

    Not sure if you can easily substitute arbitrary scripts (would probably be placing too much trust into filter lists) but the resource library seems to be quite extensive: https://github.com/gorhill/uBlock/wiki/Resources-Library#url...

    • Does this imply NoScript just hasn't migrated to newer APIs, or does uBlock do something extreme to achieve it?

  • I thought NoScript was a single-purpose extension for disabling scripts. Naming and messaging matters, I guess. "JSControl" would've been a better name.

    • The full name as shown on addons.mozilla.org is "NoScript Security Suite", which more accurately conveys its purpose. Some of the features it provided really had nothing to do with JavaScript, such as NoScript's implementation of Strict Transport Security about 1.5 years before Firefox itself implemented that feature.

    • NoScript evolved over time.

      It's not like you downloaded a Mozilla executable one day and expected to see a Flaming Canine instead of a web browser.

  • NoScript blocks all scripts though so it's a tad bit extreme. They had bigger fish to fry but they finally got around to this. I'm happy they're doing it and I'm not going to complain about water under the bridge.

    • NoScript selectively blocks scripts on a per-domain basis, which is almost always sufficient to block the bad scripts but allow the necessary scripts on a site. The exceptions where a surrogate script (or blocking scripts by URL regex) is required are relatively rare.

  • Well, you should be able to remake it by now, since that was in 2016, so Firefox should have replaced all the functionality the previous extensions had, right?

    Edit: Not you specifically, but someone.

  • Too little too late for me personally. I couldn't keep my two versions of Firefox from interfering with each other so these days it's Chrome for all my casual browsing and Firefox 56 for the functions I can't do without.

I love this.

It's whack-a-mole, but better whack-a-mole than learn-to-love-the-mole.

Another way to think of it besides the futility of whack-a-mole is, it's pushback, resistance, sand in the gears. It's making an undesired behavior less valuable. Yes you didn't stop sites from including analytics, yes tomorrow Google will have some counter move, but that doesn't mean the effort was pointless. If you can exert a 5% pressure on some system and maybe only get a 5% reaction, that's perfectly fine.

  • They already have a counter move, to an extent. One of the deployment models for GA is via Google Tag Manager. One of the deployment models for GTM is this[1] server-side mode deployed to an App Engine container in Google Cloud. The only browser-visible communication happens between your browser and the App Engine instance, and then you send server side calls from that to the downstream systems based on those events (GA, Facebook Conversion API, etc).

    It can also be used like the traditional GTM model, where it loads the primary GTM script browser-side, then that loads additional browser-side scripts based on the tags you implement (GA, Facebook, chat systems, map widgets, whatever). But the default GA support built into it avoids loading anything from Google's domains directly by the browser. And it's not even subject to the CNAME cloaking protections[2] that ITP has implemented, since it's not using the "CNAME to third party" technique that's typically common for these sorts of things to get first party access/privileges and is instead actually running on your infrastructure.

    [1] https://developers.google.com/tag-manager/serverside

    [2] https://webkit.org/blog/11338/cname-cloaking-and-bounce-trac...

    • Integrating with Google Analytics on the server-side as opposed to the client-side has always been available. Developers just rarely do it because it is easier to add a JavaScript snippet to the page.

  • What's really clever is that at the scale that GA is deployed, it's really really hard for Google to willy-nilly break API just to get around this because a lot of webmasters will simply not bother updating their scripts, and if Google forcefully pushes a breaking change, people might stop using GA, or worse, they get an avalanche of bad PR for breaking half the web.

    • I don’t think this is true. GA has at least 2 versions it doesn't support in the past decade.

      I imagine the opposite is true, in that they hold so much power they can do as they please.

People use analytics to decide where to focus their efforts. For example, if most of your users are on mobile, invest more in the mobile experience. The unintended consequence of this change is people looking at which browsers are hitting their website, finding that it’s mostly Chrome and therefore testing only with Chrome. This would degrade the experience for Firefox users as subtle breakages start appearing.

Folks advocating for the use of hosted analytics instead of GA are correct ... but that’s not what most people will do. It’s just simpler to add a one line GA tracker to your code and call it a day. And these people will see Firefox usage drop to 0.

We have already seen “this site works best/only on Chrome”, especially on Google products like Inbox. Expect to see more of that as the web becomes a Chromium/Safari duopoly, according to analytics.

  • You don't need Google Analytics to figure out what browser your audience is using. That information is literally embedded in every single request to your website. There's no need to siphon requests over to Google for something so trivial.

    I get that people would like to know as much as possible about who visits their website. Sometimes even for legitimate reasons and not just out of an obsession with collecting as much data as possible. But this analytics madness has gone too far. Pretty much every website you visit ships a bunch of data about you to multiple third parties. Often without consent. Just stop doing that. It's not a hard thing to do.

  • This is hardly new, people have been using ad blockers and various other scripts for years to block GA et al. In my experience it's something which PMs and other key decision makers are already well aware of. If there are still companies out there basing all of their decisions on GA metrics that's really their problem.

  • > The unintended consequence of this change is people looking at which browsers are hitting their website, finding that it’s mostly Chrome and therefore testing only with Chrome.

    Bad developers already only test in Chrome regardless of what GA is telling them. This won't have much impact there.

    • It’s harder for good developers to justify effort if it seems like that effort has no impact.

If only Google Chrome would adopt this too!

Sarcasm aside, sites breaking or not working when analytics scripts are blocked is nuts. Is there a Wall of Shame for such sites (it may probably be the size of a search engine index)?

  • FWIW it's usually not malicious. What usually happens is that the analytics script provides some API for the developers to add additional logging functionality[1]. The developer then sprinkles calls to those APIs throughout their code, assuming that those functions will be available. If the scripts are blocked then you get an error like "ga is not defined" and the rest of the code doesn't execute, causing the page to be broken.

    [1] https://developers.google.com/analytics/devguides/collection...

  • You'd be astounded how many sites break when you turn off cookies.

    I'm not just talking "can't log in"/"add to cart" break (obvs), but like, fail-to-catch-the-exception-thrown-by-localStorage-in-render()-so-completely-blank-white-page break.

    https://sneak.berlin/20200211/your-website/

    Now I work around the terrible exception-throwing behavior of localStorage by leaving cookies on, but using the Cookie Autodelete extension.

  • As a Russian, I sometimes encounter sites that break when Yandex.Metrica is blocked. It's basically the same thing as GA, just from Yandex. And uBO didn't have a shim for it. Not sure if it does now.

I have mixed feelings about this. From the privacy angle I am pleased (I've been blocking GA ever since I knew it existed, via HOSTS), but from the "neutral browser" angle, not so much. Then again, FF is already not neutral with things like "safe browsing" and extension blacklists...

  • Browsers aren't supposed to be neutral. Browsers are the user's agent; they're supposed to serve the user and nothing else.

    • They must be neutral in the sense that they should not make specific rules for specific services. We have seen in a previous HN post that WebKit has specific rules for quite a few websites; now Firefox has these replacements for some JavaScript code.

      This is wrong and will break things: if there are bad behaviors, like the cookie usage, the rules should be changed to prevent it, that's great, but having ifs and replacing selected scripts is a horrible way to go.

      First reason for this is that obviously Google will try to go around that rule and change its script. Or some nasty tricks like using script proxies, ... Second is that if Google Analytics is blocked by name, then other tracking services will take the space, and users will lose anyway.

    • Exactly this, web-browsers should look after the user, and should protect the user against webbrowser-exploits e.g. 1px png tracking images and cookies.

  • Agreed. Also there are already extensions that already do this! This looks unnecessary, and hostile. To the extensions community, and the web.

    Or maybe just a publicity sham since Firefox by default already sends all the links we visit to Google.

They need to do the same for tag manager. That's the real poison pill.

What should I use in place of Google Analytics for basic web traffic analytics?

Firefox should really double down on this. All this strict privacy protection could be branded as Firefox Pro and they could charge for it. This would make for a nice revenue stream as more and more people begin to see the value of this. If Hey can do it for email, Firefox Pro can do it for browsers!

  • Counterpoint: this would destroy Firefox' credibility.

    I use Firefox because of their strong pro-privacy stance. If they started charging for "real" privacy, it would damage that image - "privacy for those who can afford it" would be a bad slogan.

    Also, Firefox has made it clear that they don't want our money, as seen in their continuous refusal to accept donations.

I've been using Firefox since the Phoenix/Firebird days, and I fear the day that Google ends their search funding to the project.

They are absolutely on the right track with Mozilla improving the actual -browser- with all of these new privacy features and core improvements. This could put them in a position to create a revenue stream independent of Google, where people would actually be willing to pay to have a browser wholly decoupled from these ad companies.

  • There's some risk there indeed, but there would be also big anti-monopoly scrutiny risk from Google's side doing that if they indirectly kill alternative browsers.

    Right now there's some kind of equilibrium by having alternative browsers/engines, on Windows especially, plus Google still gets traffic from millions of Firefox users by being default search engine, which makes them $$$.

  • > I fear the day that Google ends their search funding to the project

    I look forward to that day - until then, all decisions Mozilla makes are impacted by that fear.

I don't mind blocking ads, but analytics? That seems like taking the desire for privacy too far.

Why shouldn't a site owner know you've visited their site? How will they do their job if they don't know where people come from, what content they enjoy, what devices they should optimize for, the general demographic of their audience, etc.

These are all the things a restaurant owner would know about their customers, for example. But no one seems to have a problem with that.

  • The problem is with the centralisation and aggregation of that knowledge. It’s not (necessarily) bad that the site owner knows you’ve visited their site, it’s bad that Google knows all of the sites you’ve visited.

    • That's a fair point.

      While I am not as concerned about big tech's data siloing as some, I can see why it's worrying.

      Unfortunately, not only is GA the best totally free analytics solution that any marketeer will know how to use, many ad blockers nuke ALL analytics scripts, even if they have nothing to do with Google.

  • Less about stopping analytics and more about stopping privacy-malicious analytics (which google analytics could arguably be defined as). Install a privacy friendly analytics package and I suspect it won’t be much blocked.

    • That'd be a reasonable counter-point if extensions like uBlock Origin weren't also blocking self-hosted analytics packages, like Matomo.

      I think people in general have gotten so sick of ad powered big tech they are having a bit of an over-reaction against analytics in general, not just Google's product.

  • Perhaps I'm old fashioned but I would not expect a restaurant owner to track where I come from, my demographics etc?

    • They wouldn’t have to “track” it scientifically in a database.

      They would just know implicitly by observing their customers who are right in front of their eyes. (At least pre-covid)

  • > These are all the things a restaurant owner would know about their customers, for example

    The restaurant I visit most often "knows" only my first name (only) plus my mobile phone number, I suppose if they really tried they could probably collect data on my approximate height, build, eye and hair colour, and that I have multiple kids. That's it (since I pay them in cash).

    Oddly enough they don't worry about tracking their customers and instead focus on delivering an excellent product with excellent service. They're known in the region for that, they're usually busy, so one might think their strategy seems to be working(?)

    • They also know when you like to visit, what you like to order, how long you stay, who are you with...

      All together, that's more data than a Google Analytics user knows about any of their visitors.

  • You could do all that without involving the world's largest advertising corporation. Use the data you already receive with each request. You know, count how many pages you've served, use a GeoIP database on visitors' IP addresses, parse their user agents, all that kind of stuff.

    • A lot of relevant interactions in modern apps are client based. You'd have to send those data points via ajax, but then you've just recreated google analytics.

      Also, feels like a bit of an arbitrary boundary.

  • They know I visited the page by their servers serving me the page. Why the hell does Google need to be involved for that?

    And why should a random page I visit get to know my demography, interests and where I come from? How can you portray avoiding that as taking privacy too far??

    I don't care if that makes it harder to optimize your business. Find another way or perish.

    • But these are all things that real world business can learn as well about you, more or less.

      You don't have a problem with them knowing that.

  • JS analytics gives away too much.

    Web site owners can analyze their web server's log, which has at least client's IP address, user agent, timestamp and the URL. Already too much if you ask me.

  • I’m mostly interested in what moves like this will mean for e-commerce. Not the sites themselves, but all the shady and honestly unprofessional retargeting, ad agencies and online marketing in general. Most of those businesses rely on questionable JavaScript-based tracking. I don’t see the majority of those businesses having the resources or knowledge to survive without JavaScript tracking.

  • Most of those things are easily analysed in-house or with much less invasive solutions than GA.

    > general demographic of their audience

    This is not useful to improve a product unless combined with proper research into the demo, which most people don't do. They just apply their own biases and make their product _worse_.

    So many people are making all their decisions based on shallow data like this and never do a simple usability test that yields massively more impact.

    Put differently, people use this data to try to focus in on specific traits of their audience before even testing that their software works for "humans".

  • You can, as the owner of a site, check that someone has visited your site, but you cannot give that information to Google (without consent). That's illegal under the GDPR.

    Also, you have zero control of what code any client executes on their machine. Zero say, whatsoever.

    • > That's illegal under the GDPR [..]

      So what about sites that claim that certain cookies are necessary for operation of the site, when that's at best bending the truth and at worst an outright falsehood?

      Many sites work perfectly well and - amusingly - become blazingly fast once you block all scripting and cookies. No annoying GDPR notices, no annoying ads, no (client-side) tracking. So much for "necessary" cookies :/

  • You can still self-host your web analytics and they won't be blocked, plus it's 100x better than using a "free" service that centralizes data.

    • I am not deep into the analytics space, but I know from experience that the most popular ad blocker (uBlock Origin) will block the most popular self-hosted analytics package (Matomo).

  • Best to ask. Do you generally advertise your ethnicity/country when you go to a restaurant?

How do I effectively opt out of google tracking me?

  • I don't know that you can, entirely, but installing uBlock Origin and adding a DNS-level adblocker is a good start.

  • Lots of moles to whack. You can try using a non-chromium browser, decked out with privacy addons like uBo, Decentraleyes, Temporary Containers, Privacy Settings. If you'd like a chromium browser, Iridium Browser could work.

    Also if you have an Android phone, you could try to install LineageOS without gapps, or go with /e/.

    If you use Drive, Sheets etc, you could try ONLYOFFICE. They use GA, but your decked out Firefox should already block that.

    For more alternatives, there are different resources that try to be helpful, like this one: https://degooglisons-internet.org/en/

  • The current state of evasion is somewhat precarious and requires a lot of knowledge and continuous manual work to reduce the tracking from big tech.

    You have to keep a safe distance from computers/smartphones in order to effectively avoid it.

Won't Firefox shoot themselves in the foot here?

I mean devs will see that Firefox market share is way lower due to this than it is actually true. And will stop bothering about FF?

Or am I misunderstanding what this feature does?

  • This feature only applies if you are already blocking GA with Firefox. The change is that now the GA JS API will stay available for the website so that it can keep calling GA functions. The stub won't actually send any info to Google though.

This is perfect. I don't have all the stores following me around and where I came from, what my tendencies are etc. They also forget about me, generally when I leave the store. This tracking is not okay and nobody, absolutely nobody, gets to decide for me. Google doesn't own the internet.

Maybe a dumb question: Why isn't it enough to simply block the Analytics JS, why is it necessary to substitute it with a "fake no-op" script? Does blocking GA regularly break sites?

  • One use case I noticed: Don't render the site until Google Tag Manager is loaded. Because of this, when using an adblocker that blocks GTM, the site will never load.

    I guess the reason to block until GTM loads is to use it to show some personalized ads/pricing/buttons.

  • Yes. Many sites assume that GA is there, and for example clicks on buttons may fail to work if the GA click call fails. It isn't great engineering from the site but Firefox wants its users to still be able to browse the web.
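
Added example, not part of the thread and not Firefox's or uBlock Origin's code: the failure modes described in the comments above (a missing `ga` that throws, and a click whose GA call never completes) next to a no-op surrogate that avoids both. All helper names, and the plain object standing in for `window`, are assumptions for illustration.

```javascript
// What the standard inline analytics.js snippet leaves behind when the library
// itself is blocked: a `ga` function that only queues its arguments.
function makeWindowWithSnippet() {
  const win = { GoogleAnalyticsObject: 'ga' };
  win.ga = function () { (win.ga.q = win.ga.q || []).push(arguments); };
  win.ga.l = Date.now();
  return win;
}

// Typical site code (constructed): track an outbound click and only
// "navigate" from hitCallback, i.e. once GA reports the hit as sent.
function siteClickHandler(win) {
  const result = { threw: false, navigated: false };
  try {
    win.ga('send', 'event', 'outbound', 'click', {
      hitCallback: () => { result.navigated = true; },
    });
  } catch (e) {
    result.threw = true; // no `ga` at all: the handler dies here
  }
  return result;
}

// The surrogate: same call surface, no network I/O, callbacks still honoured.
function installGaSurrogate(win) {
  const tracker = { get: () => undefined, set: () => {}, send: () => {} };

  function ga(...args) {
    if (args.length === 0) return;
    if (typeof args[0] === 'function') { // ga(readyCallback) form
      args[0](tracker);
      return;
    }
    // Commands may end with a fields object; hitCallback lives there.
    const fields = args[args.length - 1];
    if (fields && typeof fields === 'object' &&
        typeof fields.hitCallback === 'function') {
      try { fields.hitCallback(); } catch (e) { /* a site bug stays the site's */ }
    }
  }
  ga.create = () => tracker;
  ga.getByName = () => tracker;
  ga.getAll = () => [tracker];
  ga.remove = () => {};
  ga.loaded = true;

  const name = win.GoogleAnalyticsObject || 'ga';
  const queued = (win[name] && win[name].q) || [];
  win[name] = ga;
  // Replay calls made before the surrogate loaded so their callbacks fire too.
  for (const args of queued) ga(...Array.from(args));
  return ga;
}

function demo() {
  const blocked = siteClickHandler({});    // script blocked, no inline snippet
  const win = makeWindowWithSnippet();     // snippet present, library blocked
  const early = siteClickHandler(win);
  const queuedBefore = { ...early };       // snapshot before the surrogate loads
  installGaSurrogate(win);
  return {
    blocked,
    queuedBefore,
    replayedAfterInstall: early.navigated, // the queued click has now completed
    live: siteClickHandler(win),           // later clicks complete immediately
  };
}

console.log(demo());
```

The middle case is the quiet one: nothing throws, but the click never navigates because the queued `hitCallback` is never run.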

And then every website starts doing the CNAME nonsense.

  • I didn’t know what you meant, so for others equally confused, this is a decent article:

    https://www.theregister.com/2021/02/24/dns_cname_tracking/

    • I don't understand the hate for this trick. It still breaks cross-site user tracking. It's just sort of a hack around installing a hypothetical Google Analytics app on-prem or pumping in data via a server-to-server integration.

      Google Analytics can't cross-reference data from other sites on the browser, b/c it's not a third party cookie now... what's the problem?

    • Work is ongoing on that front too: https://webkit.org/blog/8146/protecting-against-hsts-abuse/

  • If it’s only a CNAME, you’re one DNS lookup away from continuing to block it.

    One DNS lookup you’re doing anyways.
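
Added example, not from the thread or from any blocker's code base: the lookup this comment describes, following a hostname's CNAME chain and testing every name in it against a tracker list. The zone data, blocklist and function names are constructed for illustration; the `sst.shop.example` entry models the server-side deployment mentioned earlier in the thread, which resolves straight to first-party infrastructure and leaves nothing for a DNS check to match.

```javascript
// Constructed zone data standing in for real resolver answers.
const SAMPLE_RECORDS = {
  'www.shop.example':            { type: 'A',     target: '198.51.100.7' },
  'metrics.shop.example':        { type: 'CNAME', target: 'shop.tracker-vendor.example' },
  'shop.tracker-vendor.example': { type: 'CNAME', target: 'edge.cdn.example' },
  'edge.cdn.example':            { type: 'A',     target: '192.0.2.10' },
  'sst.shop.example':            { type: 'A',     target: '198.51.100.8' },
  'loop-a.example':              { type: 'CNAME', target: 'loop-b.example' },
  'loop-b.example':              { type: 'CNAME', target: 'loop-a.example' },
};
const SAMPLE_BLOCKLIST = ['tracker-vendor.example']; // constructed entry

function normalise(name) {
  return name.toLowerCase().replace(/\.$/, ''); // case-fold, drop root dot
}

// Match on label boundaries so "nottracker-vendor.example" does not match.
function matchBlocklist(host, blocklist) {
  return blocklist.find((e) => host === e || host.endsWith('.' + e)) || null;
}

// Walk the chain; every name seen on the way is checked, not just the first.
function classifyHost(hostname, records, blocklist, maxHops = 8) {
  const chain = [];
  const seen = new Set();
  let current = normalise(hostname);
  for (let hop = 0; hop <= maxHops; hop++) {
    if (seen.has(current)) {
      return { verdict: 'error', reason: 'cname-loop', chain };
    }
    seen.add(current);
    chain.push(current);

    const matched = matchBlocklist(current, blocklist);
    if (matched) {
      const reason = hop === 0 ? 'direct' : 'cname-cloaked';
      return { verdict: 'block', reason, matched, chain };
    }

    const rec = records[current];
    if (!rec) return { verdict: 'error', reason: 'nxdomain', chain };
    if (rec.type !== 'CNAME') {
      return { verdict: 'allow', reason: 'no-tracker-in-chain', chain };
    }
    current = normalise(rec.target);
  }
  // Whether an error fails open or closed is the caller's policy decision.
  return { verdict: 'error', reason: 'too-many-hops', chain };
}

for (const host of ['www.shop.example', 'metrics.shop.example',
                    'sst.shop.example', 'loop-a.example']) {
  const r = classifyHost(host, SAMPLE_RECORDS, SAMPLE_BLOCKLIST);
  console.log(host, '->', r.verdict, '(' + r.reason + ')', r.chain.join(' > '));
}
```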

Why isn't there more effort to subvert tracking vs trying to block it. Ruin the data and they can collect as much as they want

  • There is a Chrome extension named Ad Nauseam. Was arguably but ultimately blocked by Google extension store. I still manually install and use it.

I like ads tracking as much as the next guy. However, I am not comfortable with a browser modifying content in any way. I am fine to have extensions that do that, but the browser itself shouldn’t do it “by default” without user explicitly enabling it.

  • It's not on by default, you have to turn it off by going from "standard" to "strict" settings so there's not really anything to complain about.

I'm confused.

I thought Google Analytics tracked you within a site, and that it's fundamentally not really any different from analyzing server logs except the logs are simply hosted in Google's cloud and visualized using Google's tools. I realize it uses cookies but that's to build analytics around sequences of user actions, since many users can be collapsed into a single IP. Privately hosted analytics software needs to use cookies to achieve the same thing as well.

Google Analytics doesn't have anything to do with building an advertising profile around users, correct?

I know it's popular to hate on Google but does this achieve anything against tracking users across sites in order to build advertising profiles? I was under the impression all the profile-building people object to was done via the pages with ads themselves.

Is Google Analytics actually an evil tool? Or is just "evil by association" because Google ads track users across sites, and Google Analytics also does "tracking" albeit a different kind? I'm just wondering if this is actually anything substantive, or if it's more symbolic.

Edit: wow those were some FAST downvotes. I'm just asking some basic questions to understand how meaningful this is, folks. Hopefully nobody's taking offense.

  • Google Analytics tracks you across different sites AFAIK. Mozilla supposedly has a special option in GA to not correlate data gathered on their sites with what GA gathers on others.

    Even if it didn't, it still tells Google what you're visiting: with so many sites using it, they can get a pretty much complete view of your browsing history, just like Google Fonts.

    • > Google Analytics tracks you across different sites AFAIK.

      See that's the thing, I keep seeing this asserted but when I search for any evidence, I can't find a single article that demonstrates this to be true.

      If you own multiple sites you can enable analytics across them, but that's all.

      And if Google wants to know what you're visiting to build advertising profiles, they have so many options -- not just Fonts, but DNS, Chrome, ads... it's not like GA by itself is making any substantive difference. But again, just because it could be used for this doesn't mean it is.

      So I don't get how this is actually helping. I worry it's a distraction from actual achievements.

> to prevent websites from breaking

Nope, nothing will break. I am blocking GA in the following ways: NoScript, PrivacyBadger, Windows HOSTS file. I see the thing being called, and nothing gets through, and websites work properly.

Edit: the bugzilla article mentions both GA and googletagmanager.com, which (both) I have been successfully blocking in the above ways for many years. I never had any website not working because of those two pieces.