How to Fully Incapacitate Google Tag Manager and Why You Should

amarok · June 3, 2025, 4:13pm

After reading this latest infuriating revelation: Meta and Yandex are de-anonymizing Android users’ web browsing identifiers - Ars Technica today…

I looked into Google Tag Manager further, and found this deep dive: How to Fully Incapacitate Google Tag Manager and Why You Should

Sharon · June 3, 2025, 6:08pm

Wow. Very slimy bunch of tricks.

I wonder how all this, the content of both links, will impact the Purism products, especially the L5.

Too bad governments don’t just past a law stating that no company or persons are allowed to use any tracking tools that reach outside their own web sites.
Except governments of course - - and the police and… Google.

amarok · June 3, 2025, 7:29pm

This kind of tracking occurs in the browser (and in commercial apps), and Purism’s products have mostly the same browsers as other systems, with, as far as I know, no additional privacy adjustments other than those normally available in the browsers’ settings, or via the browser’s standard privacy extensions (NoScript, uBlockOrigin, Privacy Badger, etc.).

Unfortunately.

At least the operating system in Purism devices and other reputable GNU/Linux distros (distributions, aka OS) don’t enable additional surveillance of the user, compared to commercial operating systems.

This is why it’s important to put a lot of thought into your choice of operating system, your browsers, your search engines, your other applications, and your privacy/anti-surveillance measures.

amarok · June 3, 2025, 8:15pm

No doubt endemic to most over-the-top streaming boxes, smart TVs, gaming platforms, Virtual Reality devices, late-model automobile electronics, IoThings, etc.

And of course, smartphone operating systems that haven’t been decontaminated.

amarok · June 3, 2025, 11:29pm

Well, it seems being publicly shamed by researchers sometimes gets results…! Meta Pixel halts Android localhost tracking after disclosure • The Register

Lol!

irvinewade · June 4, 2025, 12:59am

I only reviewed the first link (so far) but it really shouldn’t ever be a problem on the Librem 5.

Here’s how app security works on Android¹:

you run random untrusted blackbox app code (so there’s your actual problem right there!)
in an attempt to make that secure and private, Android runs that app code in a so-called “sandbox”, where Android does its best to check every function that the app performs where the function attempts to do something outside the sandbox for authorisation against what the app is allowed to do, where the user has been asked by Android and then Android remembers this for the specific app (so the only privacy violations that should happen, over and above what the user authorises, are the ones that Google authorises)
for reasons beyond the technical scope here, there are some specific functions that an app is allowed to perform outside the sandbox but which are not controlled or blocked by Android - and apps are able to exploit that weakness and apps are actually doing so (in other words, there’s a loophole and various app developers have become aware of the loophole and are exploiting it).

This is embarrassing for Google. (See the parenthetical comment in bullet point 2 above.) So I expect Google will eventually lock this down better.

However, as directly stated above, you, the user, cause the underlying problem by running untrusted blackbox code - and you can easily avoid doing that - and that is basically the open source model. There is no such thing as blackbox code in the open source world. So the underlying problem doesn’t really apply on the Librem 5 (unless you run Waydroid).

Also noting, as it stands today,

this is only targeting Android, and
this is only being done by the “three” listed apps (Facebook, Instagram, Yandex) - so even if you choose to use Android, if you don’t use those apps then it isn’t a problem - and it is difficult see how you would be using these kind of social media apps / social media web sites at all if you want to maximise your privacy. (The problem in this thinking is of course that now that this weakness has been exposed, other apps can rush in to use it, until such time as Google locks it down better - and also that there may already be other apps exploiting this but the apps have not yet been discovered as doing so.)

Now all that said, the same kind of sandbox model is used by web browsers to run Javascript code, which is also untrusted often obfuscated code - and it is much much harder to avoid doing this, even as a privacy-conscious user and even in a fully open source device. (Sure, you can disable Javascript, but then a zillion web sites will just break - even web sites that do not in fact represent any privacy risk.)

The small good part of it is that in the specific described exploit, the weakness is being used to allow unauthorised communication between Javascript running in the browser (and communicating with web sites) and the app running in its own sandbox (communicating with the origin of the app) - so if you avoid the app, the Javascript is still running out of control as always but the Javascript has no app to talk to anyway.

¹ … with the disclaimer that I have not ever owned or been a user of an Android phone. So don’t take my word for it as to how Android works.

amarok · June 4, 2025, 4:41am

Of course, the fact that Google Tag Manager exists in the first place is also a problem.

Privacy2 · June 4, 2025, 4:13pm

… and Palantir which will, shortly, be so tightly intertwined with the US government they will have the full combination of Government + Private Industry spying. They will be the black-ops mercenary for digital tracking in the US.

[Edit: And who names their company after an evil orb connected to the power of the ultimate embodiment of evil (Sauron) ???]

adamk · June 4, 2025, 4:42pm

well, switch off javascript and watch this site!

i followed advice to default to javascript disabled.

amarok · June 4, 2025, 4:45pm

Yeah, I know. The author did mention that lots of websites wouldn’t work without it. It’s unfortunate.

adamk · June 4, 2025, 4:50pm

yes, that’s what i am doing right now!

not much left right?

amarok · June 4, 2025, 5:19pm

Reminder that there’s always the nuclear solution (AS number blocking) against digital surveillance companies: A guide on how to completely block Fb and other companies

It’s one of my favorites, along with Pi-hole, NoScript, uBO, Privacy Badger, and Blokada5 on degoogled Android. [EDIT: and my VPN provider’s filter lists.]

Google, unfortunately, has so many different AS numbers, that it would be difficult to find the right one(s) to block and still be able to get through gatekeeping at millions of sites.

adamk · June 4, 2025, 5:53pm

I have just sent the case to my local data protection authority.

antonis · June 4, 2025, 6:06pm

So currently there is no solution for Google?

adamk · June 4, 2025, 6:13pm

against 1st party there no protection. no pi-hole, no pfDNSBlocker.

tell your data protection officer.

amarok · June 4, 2025, 6:24pm

Unless you want to run numerous blocking services for the whole list at https://bgp.he.net/search?search%5Bsearch%5D=google&commit=Search

Or try each one to find the ones that are worth blocking.

Personally, I just block Google Tag Manager in browsers, Pi-hole, my VPN’s blocklist, and Blokada5 (on degoogled Android), as well as other Google nastiness I come across, and which doesn’t interfere with various websites’ functioning/access.

amarok · June 4, 2025, 6:29pm

NoScript.

adamk · June 4, 2025, 6:38pm

the HTML tag or the AddOn?

first, plain HTML, yes (less surveillance).
second, the Addon, no!

amarok · June 4, 2025, 6:50pm

I was referring to the Add-on. Start with all scripts disabled, then allow only the ones you want. Is that ineffective?

adamk · June 4, 2025, 6:54pm

GTM is injecting
<script src="https://3rdparty-server/3rd_party_myscripts.js"></script>
can be blocked!

or GTM is injecting the content of “3rd_party_myscripts.js”
than its coming from 1st party server.

its impossible to block this!