Ad blockers and browser privacy protections are circumvented by a Google Tag Manager feature



The blog "Tracking pixel", which covers monitoring technology, warns that the "server-side tag" feature of Google Tag Manager, which appeared in 2020, can bypass the defenses of browsers and ad blockers and track users.

Google Tag Manager, the new anti-adblock weapon | Tracking pixels
https://chromium.woolyss.com/f/HTML-Google-Tag-Manager-the-new-anti-adblock-weapon.html


Google Tag Manager is a system that allows you to manage tags embedded in websites without changing the code. According to a survey by W3Techs, it is used on 42.8% of websites and has a 99.6% share among tag managers.



Traditionally, on pages where Google Tag Manager was embedded, Tag Manager loaded the code of various services and sent data directly from the browser to Google Analytics, Google Ads, and third parties.



In this case, depending on the site's settings, similar data could be sent separately to each service registered in the tag manager, which slowed the site's loading speed and increased traffic volume.

Also, if the tracking code is loaded directly into the browser, there is a risk that it collects more data than necessary, enables user identification through fingerprinting, and infringes on privacy. In addition, it was possible for personal information to leak from URL parameters and for cookies to be edited.

The "server-side tag" announced in August 2020 is a feature that can solve these problems at once. By setting up a server that first receives all the data and entrusting that server with distributing the data to each service, the browser's separate communications with individual services can be combined into a single communication.



When server-side tags are used, the site only needs to be able to communicate with Google, so there is also a secondary effect: defenses against XSS and site tampering can be strengthened by setting the Content Security Policy appropriately.
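The effect on the Content Security Policy can be seen by comparing two `connect-src` allowlists. This is an added example, not code from the Tracking pixel blog or from Google; the site `www.shop.example`, the tagging subdomain `metrics.shop.example` (following the subdomain setup described in the next paragraph) and the vendor hosts are assumptions, and the matcher is a simplified stand-in for the browser's own CSP logic.

```javascript
// Added example. Hostnames ending in .example and all paths are constructed.
const PAGE = "https://www.shop.example";

// Client-side tagging: every vendor endpoint the tags call must be allowlisted.
const CLIENT_SIDE_CSP = "default-src 'self'; connect-src 'self' " +
  "https://www.google-analytics.com https://ads.vendor-a.example https://*.vendor-b.example";

// Server-side tagging: the browser only needs to reach one tagging endpoint.
const SERVER_SIDE_CSP = "default-src 'self'; connect-src 'self' https://metrics.shop.example";

const REQUESTS = [
  "https://www.shop.example/api/cart",        // the site itself
  "https://metrics.shop.example/collect",     // tagging server (assumed name)
  "https://www.google-analytics.com/collect",
  "https://ads.vendor-a.example/pixel",
  "https://uploads.vendor-b.example/put",     // any subdomain matches the wildcard
  "https://unlisted.example/beacon",          // host in neither policy
];

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Simplified matcher: 'self' and scheme://host sources only (no ports or paths).
function connectAllowed(policy, pageOrigin, requestUrl) {
  const d = parseCsp(policy);
  const sources = d.get("connect-src") ?? d.get("default-src");
  if (!sources) return true; // no governing directive means no restriction
  const target = new URL(requestUrl);
  return sources.some((src) => {
    if (src === "'self'") return target.origin === new URL(pageOrigin).origin;
    const m = src.match(/^(https?):\/\/([^/:]+)$/);
    if (!m || target.protocol !== m[1] + ":") return false;
    // "*.a.example" matches "x.a.example" but not "a.example" itself.
    return m[2].startsWith("*.") ? target.hostname.endsWith(m[2].slice(1))
                                 : target.hostname === m[2];
  });
}

function allowedUnder(policy) {
  return REQUESTS.filter((url) => connectAllowed(policy, PAGE, url));
}

console.log("client-side policy allows:", allowedUnder(CLIENT_SIDE_CSP));
console.log("server-side policy allows:", allowedUnder(SERVER_SIDE_CSP));
```

The tightened policy limits where the browser may send data, but it says nothing about what the tagging server forwards afterwards.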

On the other hand, following Google's recommended procedure places the intermediate server on a subdomain of your website. As a result, Google Tag Manager is treated as "first party" rather than "third party", and it can bypass various privacy protection mechanisms set by the browser.

In addition, when requests were made directly from the browser, trackers that violated privacy could be blocked with an ad blocker, but when the server-side tag feature is used, the user cannot confirm what kind of data is flowing from the intermediate server to third parties. Even if personal data is leaked, it can be said that it is impossible for users to recognize it.

For users to defend themselves against server-side tags, there are only measures that are difficult in practice, such as analyzing all JavaScript before executing it, blocking all Google servers, or not executing JavaScript. Tracking pixel concludes the blog post by saying that, while acknowledging the benefits in terms of convenience and security, users need a means to protect themselves.

in Web Service,   Web Application,   Security, Posted by log1d_ts