disconnectme / disconnect-tracking-protection

Canonical repository for the Disconnect services file

Unblock Google Tag Manager #31

Closed pschneider87 closed 6 years ago

pschneider87 commented 6 years ago

In your Blocking List, you also block Google Tag Manager. Since Google Tag Manager is not collecting any data, you should remove it from your list.

If someone opts out of tracking, you disable Google Analytics or other Trackers already. But Google Tag Manager can also be used for essential features without any tracking of users.

vibhorj commented 6 years ago

AGREED! GTM should be off the list

lukemulks commented 6 years ago

I'd strongly advise not removing GTM, without clear session captures establishing that cookies are not set and custom parameters are not included from the GTM request and response that would be used for tracking user behavior.

No one on this thread has shown this not to be the case. GTM can load many different tracking events aside from page-level tracking. Please consider GTM container tracking data passed back to Google.

GTM: Google Tag Manager... its whole job is to manage/proxy on behalf of tags that would typically be hard-coded on the page.

No examples of functional use cases were provided, and parameters can be set into the GTM request that can be used for tracking users.

Someone should identify these functional use cases that would warrant removal, provide a session capture and verifiable, reproducible test.

Addt'l info on GTM:

https://support.google.com/tagmanager/answer/6163796?hl=en&ref_topic=6163649

https://developers.google.com/tag-manager/devguide#events

(check the IDs here - GTM is a container for these events, intended to replace calls made from the page)

https://support.google.com/tagmanager/answer/6164470

Also note other "approximation" tracking can be leveraged via GTM, to track users and get a rough read on what GA would track from client-side GA tags

https://support.google.com/tagmanager/forum/AAAAnP_FwdI7i40enhIMIs?hl=en

Removing GTM from the list would require maintaining/monitoring for these additional cases on a go-forward basis, and keeping up to date with GTM updates that may provide additional tracking params not covered by the disconnect.me list.

Even if I'm proven wrong, it should be something proven, given Google Tag Management is primarily used as a container for ads and tracking. This type of removal should not be based on claims without reproducible proof. I'm very experienced with this field, and there are some red flags here.

Users aren't opting out of tracking, they are opting into privacy protection. It's not worth damaging the reputation of this list, as many of us use and trust it for privacy protection for other repos.

Source check:

1. OP

OP was made as the first post from a user that is employed by an agency that messages "track, think, make", with user tracking as a service.

2. Response to OP encouraging GTM removal

The supportive reply to the OP was made by a user that has a GH repo for using Facebook to track user sleeping habits, and is testing conversion tracking and tracking with GTM in other

(test using GTM - corresponding tracking event: https://github.com/vibhorj/ProgrammingAssignment2/blob/master/Desktop/D/Documents/index.html#L35 )

Please keep GTM on the list, or at least investigate prior to any removal. Thanks.

On Fri, Dec 15, 2017 at 1:59 PM, vibhorj wrote:

> AGREED! GTM should be off the list


googleanalyticsresoneo commented 6 years ago

@lukemulks, a few points of interest if you are likely to embrace the whole case

Forget about suspicion regarding usages and people. Internet professionals really care about what they do and the value they bring to the ecosystem. Better look at spam / phishing / malware / adware / and all sorts of extortion that happen on the net. Guys running those don't have github repos nor public articles, but they hurt a lot of people.

Take your part of the job, and make it smart, clever, without breaking the stuff built by others

Cheers

googleanalyticsresoneo commented 6 years ago

Another example: you don't block JS CDNs because some of the scripts they may host can be used to track site usage, do you?

Would you block jQuery because people could load a tracking script with jQuery? You could afford doing this. Then why would you block Google Tag Manager? Because it's made by Google? Do you know why Google did build GTM? Have you taken the time to look at the GTM client side code?

I'll be happy to see comments on this.

lukemulks commented 6 years ago

We're not talking about jquery, or CDN scripts that may do something - we're talking about Google Tag Manager - and yes, I know why Google created GTM, and am familiar with the client side and server side implementations (I used to help Google resell, implement and support it, fwiw).

Disregard what I may or may not know, and look directly at how Google describes the purpose of the product:


> Use Google Tag Manager to manage tags (such as tracking and marketing optimization JavaScript tags) on your site.
> Without editing your site code, you use GTM user interface to add and update AdWords, Google Analytics, Floodlight, and non-Google tags.
> This reduces errors and allows you to deploy tags on your site quickly.

From: https://developers.google.com/tag-manager/

This isn't about what people believe will fail or succeed, it is about not allowing a client side script used for tracking, passing data params back to a larger server side tracking profile.

This is not about trying to pull a fast one - the client side script works in conjunction with what Google uses server side, similar to how Google has a server side exchange layer for ad bidding that used to typically be handled client side through separate requests. Data params passed in GTM requests can be used server side to track users.

I'm going through the effort here because it's not a simple black and white "google bad" type of thing - this product is designed for the purpose of optimizing tracking and data collection for marketers, who unfortunately currently heavily rely on user data collection for their offerings.

A lot of questions for me here - but no one is showing an example where GTM being blocked is actually harming anything.

pschneider87 commented 6 years ago

Although my daily job is to help companies to better understand their users, I'm quite aware of users' privacy and respect it. That's why we do not implement trackings which will undergo a user's choice not to be tracked.

It's totally right, that the main purpose of GTM is to better include marketing tags of all kinds.

Your list is aiming to be complete, so you probably already block all of the marketing tags one can insert in GTM anyway. No matter if implemented via GTM or directly in the page, they are just blocked.

You were asking for examples, where GTM is not used for Tracking:

  1. you could use the GTM e.g. to enrich your page with schema.org (https://www.simoahava.com/analytics/enrich-serp-results-using-gtm/). This has nothing to do with tracking the user.

  2. you implement a cookie notice banner via GTM (https://www.analyticsmania.com/post/google-tag-manager-cookie-consent/)

Take the example of Ghostery: they are grouping Google Tag Manager not into Analytics or Advertisement, but Essential Tools.

groovecoder commented 6 years ago

I'm a fan of analytics and I understand why people like using GTM to help manage it. THANK YOU to the analytics professionals (@pschneider87) who care about user privacy and take the time to participate in the conversation in process.

Having said that, GTM is a cross-site "black box" for JS code. A less-respectful tracker can absolutely use GTM to track users across many sites.

pschneider87 commented 6 years ago

But it doesn't matter if it is a blackbox or not. Take this example. Your list blocks the analytics.js by Google Analytics.

I implement the native Google Analytics code on the Website, your list will block it. I could also implement this js-Library via GTM, and your list will block it too. So no need to block GTM.

To take it metaphorically: you do not have to block the whole train, if you prevent the passenger from exiting it.

groovecoder commented 6 years ago

It does matter.

If the GTM "black box" only adds a GA tag, it's fine.

If the GTM "black box" sets a cookie, that cookie effectively replaces a GA cookie as a cross-site tracking identifier.

Since the list only blocks connections at the domain level, allowing GTM connections opens users back up to cross-site tracking by GTM.

carbureted commented 6 years ago

Not going to unblock GTM at this time - in addition to commonly being used to serve other trackers, I believe it's a tracker as per our policy.

googleanalyticsresoneo commented 6 years ago

Thus decisions are being taken based on personal belief, not on demonstrable & reproducible evidence?

Thus you are preventing end users from selecting which tags they accept and which they block by blocking the container itself?

Looks like a victory from fake news and rumors. Happening now @Mozilla ??! very bad news

andronocean commented 6 years ago

I'm late to the party, but I wanted to note that I think this is a poor decision and should be reconsidered. While there's no argument that one of GTM's core functionalities (as advertised) is to serve trackers and make it easier to set up tracking, regarding GTM itself as a tracker and therefore blocking it is unjustifiable IMHO.

It's a trivial matter to create an empty GTM container and install it on a simple webpage. If you do so, you'll see that GTM itself creates no cookies (either on the installed domain or on googletagmanager.com), does not save anything to LocalStorage or SessionStorage, and does not generate any network traffic beyond the initial gtm.js request. Going further, this does not change even if you enable all of GTM's built-in variables and create a custom HTML tag (empty or not) loaded on pageview.

In fact, after browsing through several sites that I know use GTM, I cannot see any instance where any cookies are being passed with the gtm.js request. The only exception is when I am logged into my Google Tag Manager account (which is obviously necessary to authenticate me to the debugging tools). The only potentially identifying information passed with the request is the IP address and user-agent and referer headers... all of which are pretty standard for web browsing, I think you'll agree.

So unless you count a single standard request to a Google-controlled domain as hard evidence of tracking*, that argument is suspect.

The other contention is that there are no functional use cases for GTM beyond tracking. This is false. I'm aware of several organizations (including my own) that use GTM to load customer support or live chat widgets. My org has also used it to broadcast notices to our users across multiple sites at once. (One example of when this proved useful: when Amazon S3 had outages last year, we were able to quickly alert our users that a number of resources were unavailable, why, and ultimately when they'd be available again. Without GTM this would have required manually editing and deploying code across over half a dozen systems.)

Generally, the flexibility and ease of use of GTM is a boon to small organizations that don't have the development resources to build their own systems, or the financial resources to invest in purpose-built SaaS offerings. Is it ideal to rely on GTM for all this? Obviously not. But for a growing business it's a hell of a lot better than not providing our users with these features and information.

Conclusion: there's no real added benefit to protecting Disconnect users from tracking by blocking GTM, and any tracking it loads can be blocked by other means as they desire. There is a potential to break non-tracking features on sites that also benefit users, however. That's my position. Hopefully, it will invite some reconsideration.

*_If so, I think you must assume that every HTTP request is "tracking" ... protecting against that would require an extremely literal interpretation of "Disconnect Me"._
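An added example, not part of any comment in this thread and not Disconnect's own code: one way to make the "session capture" asked for earlier repeatable is to export a HAR file from the browser's developer tools and audit every request to googletagmanager.com for cookies sent, cookies set, and query parameters beyond the container `id`. The sample capture below is constructed, and treating `id` as the only expected parameter is an assumption.

```python
from urllib.parse import urlsplit, parse_qsl

AUDIT_DOMAINS = ("googletagmanager.com",)  # the domain discussed in this thread
EXPECTED_PARAMS = {"id"}                   # assumption: container ID only

def host_matches(host, domains=AUDIT_DOMAINS):
    """Domain-level match: the domain itself or any subdomain, nothing else."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def has_header(message, name):
    return any(h["name"].lower() == name for h in message.get("headers", []))

def audit_har(har):
    """Return one finding per request in the capture that hits an audited domain."""
    findings = []
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        parts = urlsplit(req["url"])
        if not host_matches(parts.hostname):
            continue
        params = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
        findings.append({
            "url": req["url"],
            "cookie_sent": bool(req.get("cookies")) or has_header(req, "cookie"),
            "cookie_set": bool(resp.get("cookies")) or has_header(resp, "set-cookie"),
            "extra_params": sorted(params - EXPECTED_PARAMS),
        })
    return findings

def _entry(url, req_headers=(), resp_headers=()):
    """Build a minimal HAR entry (constructed sample data, not a real capture)."""
    hdrs = lambda pairs: [{"name": n, "value": v} for n, v in pairs]
    return {"request": {"url": url, "headers": hdrs(req_headers)},
            "response": {"headers": hdrs(resp_headers)}}

# Constructed capture: a clean load, a load that would count as a finding,
# a look-alike host, and an unrelated first-party request.
SAMPLE_HAR = {"log": {"entries": [
    _entry("https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"),
    _entry("https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE&uid=abc123",
           req_headers=[("Cookie", "sid=constructed")],
           resp_headers=[("Set-Cookie", "sid=constructed; Path=/")]),
    _entry("https://notgoogletagmanager.com/gtm.js?id=GTM-EXAMPLE&uid=abc123"),
    _entry("https://example.com/index.html"),
]}}

if __name__ == "__main__":
    for finding in audit_har(SAMPLE_HAR):
        print(finding)
```

A capture only shows what the browser sent and received; IP address and User-Agent reach the server on every request and do not appear as findings here.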

Jul-ehr commented 5 years ago

Please unblock GTM. We use GTM for many more reasons than Marketing. It helps us to get far more flexible in doing changes on the website. As a small company not using the GTM means far higher costs in programmers and far longer cycles for changes on the website. Greetings

Jul-ehr commented 5 years ago

Hi,

Why did the Tealium Tag Manager get off the List and not the Google Tag Manager? Is Tealium doing better things than Google?

disconnectus commented 5 years ago

Tealium made the following public binding commitment: "Tealium iQ Tag Management System does not process any personal data. The static content delivered from Tealium’s mCDN solution, including the domain tiqcdn.com, does not collect or store any visitor data, device identifiers or IP address. This service exists to serve static content files and does not collect or process user-specific data."

googleanalyticsresoneo commented 5 years ago

@disconnectus, interesting. You already have this statement from GTM at the bottom of this page: https://www.google.com/analytics/tag-manager/use-policy/

> Our use of Google Tag Manager data
>
> We may collect information such as how the Service is used, and how and what tags are deployed. We may use this data to improve, maintain, protect and develop the Service as described in our privacy policy, but we will not share this data with any other Google product without Your consent.

disconnectus commented 5 years ago

Not sure how that applies to Google collecting and retaining user IPs / unique device id's?

Jul-ehr commented 5 years ago

IP and device IDs is a thing that is connected to Google Analytics or any other tracking Tool. But by the Google Tag Manager we are able to switch this part off (this was a necessity to be done after GDPR). We got the whole thing approved by the data protection office.

googleanalyticsresoneo commented 5 years ago

@disconnectus, can you elaborate on the points that you would like to see addressed by Google GTM in terms of privacy? I'm pretty sure we can get those out as a public and legal statement since they don't process any data indeed.

Jul-ehr commented 5 years ago

@disconnectus : is there a way to proceed now? I still think that the rules should be the same for all Tag Manager (if they come from Tealium or from Google) as long as they comply to the rule set for the Blockade List.

BDUG commented 5 years ago

Hi, I am also new to this topic. Is it just a black list or will the blacklist be checked in dependency to technical behaviour e.g. using cookies?

disconnectus commented 5 years ago

@bdug You can find our policy here: https://disconnect.me/trackerprotection.

@Jul-ehr As stated previously, just above, Tealium made the following public binding commitment: "Tealium iQ Tag Management System does not process any personal data. The static content delivered from Tealium’s mCDN solution, including the domain tiqcdn.com, does not collect or store any visitor data, device identifiers or IP address. This service exists to serve static content files and does not collect or process user-specific data." Google has made no such written commitment. GTM is capable of collecting user IP and UUIDs on third-party domains and retaining this data, thus meeting our definition of tracking.

BDUG commented 5 years ago

@disconnectus Many thanks for your feedback. This implies you are assuming/knowing that Google Tag Manager does tracking on its own? I can understand that/if a postloaded tag may do tracking.

BDUG commented 5 years ago

@disconnectus At least as a Google 360 User I can enable IP anonymization, disable product improvements,...

disconnectus commented 5 years ago

Google Tag Manager updated its public policy to make clear it does not engage in tracking as defined by Disconnect. Specifically they state: "In order to monitor system stability and performance, Google Tag Manager may collect some aggregated data about tag firing. This data does not include user IP addresses or any user-specific identifiers that could be associated with a particular individual. Other than data in standard HTTP request logs, all of which is deleted within 14 days of being received, Google Tag Manager does not collect, retain, or share any information about visitors to our customers’ properties, including page URLs visited." https://support.google.com/tagmanager/answer/9323295#data