No, Safari 14 does not block Google Analytics (simoahava.com)
250 points by TomAnthony on June 24, 2020 | 68 comments


> I'm disappointed that the Privacy Report has such clumsy wording. To use terms like block, prevent, and tracker can lead to confusion, as the aftermath of WWDC showed, unless they are clearly defined in the report itself.

Yeah, this part really needs some cleaning up. It's hard to explain exactly how ITP works, but it is important to note that Safari is not trying to block the tracker from loading but instead detect its ability to track you and take appropriate action.


This (the reports this article is answering to) is really a good example for the state of information and information spread on the Web. It does not just start with "fake news" and manipulative messages, it's really about this kind of reporting, which is setting the standards – and it's mostly down-hill beyond those outlets. (This isn't specific to any domain or topic. Journalistic standards are mostly down to where they have been in the 1920s, with most of the lessons learned forgotten.)


To be fair, I'd blame Apple more than people spreading it here. When I watched the keynote I also immediately thought they block GA.


The two articles that are discussed in this post have both been featured on HN in the last 24 hours [1][2].

[1] https://news.ycombinator.com/item?id=23629918

[2] https://news.ycombinator.com/item?id=23612140


We've merged those. https://news.ycombinator.com/item?id=23612140 is the thread.


It should block sensitive data, but obviously not full service. If they start blocking services who said yours won't be next? It's like google and blocking websites when they want. You just can't do that because it's wrong in so many ways.

You can't make a great product without analytics (in vast majority of cases). It just should collect only required data for improving product, not marketing purposes.

If you start blocking all analytics then expect that you will have to use garbage products.


> If you start blocking all analytics then expect that you will have to use garbage products.

The whole analytics/spyware era properly started in the last decade, and the last decade is surprisingly also when most software started going to shit, like Windows 10, iOS or even macOS.

I'm not convinced that analytics leads to better software in any way, and all the information I've got so far leads me to believe the opposite.


The fact they went to shit has nothing to do with analytics. Analytics is just a tool. Like any other it can be used for bad or for good. Just like a hammer.


> The fact they went to shit has nothing to do with analytics.

Perhaps, perhaps not. Analytics can definitely guide developers along the wrong path. A typical example is that it leads to simplification to cater to 80% of their userbase at the expense of the power users. After all, analytics tells us all these extensive options are only used by 20% of the people, why offer them at all?

But then the power users become frustrated and leave, and the remaining 80% who were mostly beginners on their way to becoming power users now find that the software lacks the in-depth options they needed later on. Then they don't stick around either because you just gutted your own product.

I agree with you that analytics is a tool; it can be useful, but often it is not and often it hurts more than it helps. I also claim that it is definitely not essential to modern software development.


Analytics can also allow anyone to misrepresent the data in any way they want in order to push their narrative, either deliberately or accidentally because analytics don't show everything and you might be making a worse decision in the long-run based on those misguided insights.

"If you torture the data enough, it will confess to anything".


My favorite analytics trick is to prove that every time a bug or complaint crops up, it only has a 1% chance of happening in any given month, and then slack off on fixing it

.. Whoopsies, if there are 200 bugs that happen once a month, that means that there's only a 13% chance of making it through a month without experiencing at least one of those bugs..


I don't really know, but I can assure you we had great products before Google Analytics existed and, fwiw, an advertising industry existed before tracking.


ITP blocks analytics that have cross-domain tracking abilities, not "all analytics".


Not much to contribute to the conversation (other than I would be happy if something like Pi Hole were built into my computer directly), but I find it interesting how frequently the top 5-10 stories on HN are basically top level responses or refutations to stories that were in the top 5-10 earlier in the day.

I have to admit that I ended up in this situation with one of my posts earlier this year—I just find it interesting that it seems to be happening more frequently lately.


We truly are living in an area where the lines between truth and marketing are very slim.


No problem, just use unbound and a blocklist:

https://www.tumfatig.net/20190405/blocking-ads-using-unbound...


Is there an integration with firewall that would block outgoing IPs not resolved by unbound DNS?


Just a question, why do you want something like that?

And what do you mean by "SSL without proper hostname"?


Extra credits for blocking SSL without proper hostname.


Or integrate them with little snitch. :D


It may have been happening more frequently but the overwhelming reason for such things is randomness. It's just also the most boring reason.


NextDNS does basically the same thing and is pretty easy to use.


This. Someone else is hosting it which to some is a pro while others is a con, but it's been great at replacing my finicky pihole instance, and supports DoH and DoT natively.


there is SO much stuff that safari doesn't block.

Get firefox + umatrix and just see how much stuff goes on.


I recently had to give up on uMatrix. Not only is it a bit of a hassle, but things break in very bad ways. Where this is particularly problematic is with CAPTCHA (not a fan). I've been detected as a bot many times and it takes a bit to enable each little bit per domain (XHR, script, images, etc.), and by the time you enable all the right stuff, you may be locked out. The last straw was failing the CAPTCHA at Bill.com where I failed the CAPTCHA and was using a VPN and got my account banned and couldn't get paid for a contract. I'm also going to encourage people to not use their service as well, but this kinda thing happens far too often with uMatrix.


I just remembered I got banned from Gumtree for posting multiple times in a row because a script was blocked and wasn't giving me feedback about whether or not it was posted. As I enabled each script and tried resubmitting to get it to work, I was incrementing a counter to get banned. When I asked about it, they, like Bill.com, just pointed to the ToS saying they could terminate anyone for any reason and have no requirement to explain why or undo.


Using uBlock Origin in ‘medium’ mode (dynamic filtering turned on, static 3rd party resources like images and css allowed) achieves much of the same safety & privacy gains of uMatrix without sacrificing a ton of usability.


I think you might take the opposite viewpoint that you can relax the settings for umatrix, then fine-tune a particular site.


I don't remember reCAPTCHA needing more care than enabling everything minus cookies for gstatic.com.


Right, but until you know this, you'll run into issues if you try to enable each little box as needed. There's also some at google.com to enable. And this doesn't change the callbacks the site consuming reCAPTCHA might be using.


Firefox on Windows has the same problem with its Enhanced Tracking Protection. I've just decided to disable it altogether* and just use uBlock Origin and Privacy Badger.

* Actually, you can't just disable it. You have to select the "custom" preset and then disable all the "protections".


I use uBlock Origin, Privacy Badger and Firefox's tracking protections. I don't see why not all three.

There's actually a lot that Firefox blocks in strict mode. On iOS for example it works like a poor man's ad blocker as it breaks ad exchanges. And it blocks Google Analytics too.


What's the problem with enhanced tracking protection?


It's a fraud. It's got an explicit whitelist of domains to allow, and those include both Google and Facebook.


Not quite. ETP blocks access to third-party storage from .doubleclick.net, .google.com, and any other source in the Disconnect.me list. You can easily verify this by visiting a site that runs Google's remarketing tags, and see the console messages and the missing "Cookie" headers from cross-site requests to these domains.

ETP doesn't block resource loads by default, unless they are known fingerprinting libraries or cryptomining sources. Only in Strict / Private Windows ETP mode is content actually being blocked, and in those cases most Google services won't work at all (as the domains have been blocklisted).

Facebook doesn't generally leverage third-party cookies anymore, as it uses the &fbclid parameter to enable first-party cross-site tracking. Thus ETP is somewhat weaponless against this behavior (except in Strict / Private Windows mode) because, as stated above, ETP doesn't block resource loads in default mode.



> But for now, Google Analytics users don't need to worry about Safari

That’s too bad. Wish apple had the guts to stand up and do the right thing for end-users.


I believe Google Analytics without enhanced tracking is a net benefit. The information on how many users visit and how they use the site is incredibly helpful. The problem with Google Analytics is that Google tracks a lot more than they need to and uses it for their own benefit as well. Safari seems to mostly prevent that now.


> Safari seems to mostly prevent that now.

[citation needed]

The IP address & user-agent combination alone is enough to track a home user (whose IP doesn't change that often) with a high degree of accuracy, and even more so if you happen to be logged into a Google account in another tab/browser which will allow them to attribute any new IPs to you.


The happened to be logged into google use case is blocked by safari since third party cookies aren’t sent to google.


I was saying that being logged-in in one tab would let Google know of any new IP that you would be using, which would in turn allow them to attribute non-logged-in traffic from other tabs because they now know your new IP.


The author is very naive on what Google Analytics does:

> That doesn't mean there might not be cookies set on google-analytics.com. I would imagine there are some that are used for debugging and monitoring purposes, for example.

Google links GA data to their DoubleClick and Adwords cookies. So it's not just "debugging", they're collecting data and using it to create audiences in Adwords and the DoubleClick products. As a user it's only available if you pay for Analytics 360, but Google gets the data either way even if you don't get to use it.


As someone who has wrestled with GA and GTM regularly, I think it's fair to say that the author (Simo Ahava[1]) is the preeminent authority on how they work, and his blog is generally more useful than the official documentation Google provides.

1: https://www.simoahava.com/about-simo-ahava/


Yeah, parent comment probably doesn't realize who Simo is. It's like calling out John Carmack for being naive about OpenGL.


As someone who has set up and managed countless GA accounts for his career, it at least gave me a good chuckle.

As others have noted, Simo is the go-to resource for anything technical and nuanced with GA and GTM.

When I'm troubleshooting some issue with them, I know if I see his site pop up at the top that he's either solved the problem, or confirmed it is a much bigger issue that is going to ruin my day.


In that case it's not naivety and sounds more like deliberately muddying the water on Google's practices while he knows about the audience features. That's worse in my opinion.


I think you have misunderstood what he is saying with that sentence.

He is not speaking about "GA data", but is discussing the very precise issue of whether HTTP 3rd party cookies, set on cross-domain requests to google-analytics.com, being blocked has an impact on the functionality of GA.

Those cookies being in contrast to 1st party cookies set by GA's javascript code.


No, he is using this example; "I would imagine there are some that are used for debugging and monitoring purposes, for example."

While he knows full well that GA uses third party cookies to support their audience creation features, not "debugging and monitoring". And from the other comments it sounds like he did that on purpose because he has a vested interest in GA.


And because I want to be constructive, here's how the DoubleClick redirect works.

If the site has advertising features enabled, a task in analytics.js named "displayFeaturesTask" fires after the /collect hit to Google Analytics has been sent.

This task compiles a small payload of information and ships it to https://stats.g.doubleclick.net/.

This payload includes, among other things, the UA ID of the Google Analytics property, and the Client ID of the user (same UA ID and Client ID that's sent with the GA hits).

When you go into Analytics 360 and build those audiences, you are essentially building a dataset of Client IDs that should be included in the audience. When that data set is passed to DoubleClick, DC can then link those Client IDs to the third-party cookie written on doubleclick.net and assigned to the same Client IDs. That's how it can leverage both your GA data and its cross-site tracking network to target the audiences.

As I wrote, any possible 3P cookies written on google-analytics.com are not used in this process. The request to google-analytics.com only leverages the GET/POST payload sent with the request itself.
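Added example, not part of the comment above and not Google's code: a small audit of a network log that shows which per-site Client IDs a third-party host can tie together through its own cookie, and how that linkage disappears once cookies are withheld on cross-site requests (the "missing Cookie headers" another comment in this thread describes). The hosts are the ones named in the thread and `tid`/`cid` are the Measurement Protocol parameter names; the request paths, property IDs, Client IDs and the cookie value are constructed for illustration.

```javascript
// Constructed network-log sample. Hosts are the ones named in the thread;
// paths, property IDs, Client IDs and cookie values are made up.
const sampleRequests = [
  { page: "https://shop.example/", cookie: null,
    url: "https://www.google-analytics.com/collect?v=1&tid=UA-000000-1&cid=111.222" },
  { page: "https://shop.example/", cookie: "id=constructed-A",
    url: "https://stats.g.doubleclick.net/collect?tid=UA-000000-1&cid=111.222" },
  { page: "https://news.example/", cookie: null,
    url: "https://www.google-analytics.com/collect?v=1&tid=UA-000000-2&cid=333.444" },
  { page: "https://news.example/", cookie: "id=constructed-A",
    url: "https://stats.g.doubleclick.net/collect?tid=UA-000000-2&cid=333.444" },
];

// Crude "site" = last two host labels. Browsers use the Public Suffix List.
const siteOf = (u) => new URL(u).hostname.split(".").slice(-2).join(".");

// Pull out what each request reveals and to whom.
function describe(req) {
  const q = new URL(req.url).searchParams;
  return {
    pageSite: siteOf(req.page),
    destSite: siteOf(req.url),
    tid: q.get("tid"),   // property ID (the "UA ID")
    cid: q.get("cid"),   // Client ID taken from the site's first-party cookie
    crossSite: siteOf(req.page) !== siteOf(req.url),
    cookie: req.cookie,  // Cookie header sent with the request, if any
  };
}

// Client IDs a destination can tie together: same destination, same cookie,
// more than one embedding site.
function linkableGroups(requests) {
  const groups = new Map();
  for (const d of requests.map(describe)) {
    if (!d.crossSite || !d.cookie || !d.cid) continue;
    const key = `${d.destSite}|${d.cookie}`;
    if (!groups.has(key)) groups.set(key, new Map());
    groups.get(key).set(d.pageSite, d.cid);
  }
  return [...groups]
    .filter(([, sites]) => sites.size > 1)
    .map(([key, sites]) => ({ dest: key.split("|")[0], clientIds: Object.fromEntries(sites) }));
}

// Model of a browser that withholds cookies on cross-site requests.
function withoutThirdPartyCookies(requests) {
  return requests.map((r) =>
    siteOf(r.page) !== siteOf(r.url) ? { ...r, cookie: null } : r);
}

console.log(linkableGroups(sampleRequests));
console.log(linkableGroups(withoutThirdPartyCookies(sampleRequests)));
```

In the sample the hits to google-analytics.com carry no cookie, so only the doubleclick.net requests form a linkable group; the resources still load in both cases, only the join key is gone.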


Yes, Google uses third-party cookies to support building cross-site profiles of users. This is an opt-in feature via GA admin, where the settings for the property require "Advertising Features" to be enabled.

This can also be controlled on tracker- and tag-level on the site itself.

What you're misunderstanding is that google-analytics.com doesn't leverage this behavior. The third-party cookies are written on doubleclick.net, to which GA's analytics.js library sends a payload of data if advertising features have been enabled.

So everything I wrote in the article stands. google-analytics.com is not being used for cross-site tracking. Any third-party cookies written on that domain are not involved in either first-party tracking by analytics.js, or the audience building efforts by doubleclick.net.

Your insults are completely unnecessary, especially when they're based on a complete misunderstanding of how Google's advertising and analytics stack works.


This is not correct; you can see in Google’s documentation and legal documents that the GA service is distinct from DoubleClick and Tag Manager, although these three services are often implemented together (in fact Google recommends this).

GA places both first and third party cookies but only needs first party cookies to do basic reporting.


The service is distinct, but go and log in to a GA 360 account and see for yourself that you can select users based on the pages they have seen and send that group to DoubleClick. That's done through a third party cookie that the author conveniently forgot about.


That's irrelevant. If a cookie isn't shared between websites then the analytics software can't easily track you between websites, which is what ITP helps with.

Also the publisher has to willingly share that data for use by Adwords. And in Europe at least sharing that data is illegal without user consent due to GDPR.

Create a new Google account, go to Google Analytics, register a new domain and you'll see those options off.


This sounds similar to the EFF's Privacy Badger, though someone who knows more of the details could give a better comparison than I could.


I think privacy badger actually does block google analytics though


Ah. When I first started using PB it didn't block Google Analytics, apparently that changed about a year ago according to

https://www.eff.org/deeplinks/2019/07/sharpening-our-claws-t...


Bummer. It looks like I won't be giving up Brave for a while, since it blocks GA and every other tracker.


Brave isn't particularly trustworthy. Here's one example [1].

I've been using firefox with Privacy Badger and NoScript.

[1] https://decrypt.co/31522/crypto-brave-browser-redirect


Not entirely correct, Brave allows its own (and others') first party trackers. I'd suggest using ublock origin for greater control.

https://twitter.com/BraveSampson/status/1266034313142861824?...


The whole Brave thing reeks of shadiness.


Realistically, it probably should.


"uses on-device machine learning to identify trackers"


Why not?


Not brave enough


Not sure what to make of this article, but I've become very distrustful of articles with titles that take the form:

"No, <thing being said by a group I want to smear> is not <doing thing>"

At best it's patronizing, at worst it's used as cover for outright lying.


I take your point, but the phrasing makes sense here as it is refuting two recent articles that were making a strong (and verifiably incorrect) claim.


I'm so glad I'm not the only one.


Sad if what this article says is true. I want all tracking (including analytics things) to be disabled.



