https://www.googletagmanager.com injected in all WHM Installations by cPanel Inc?

lorio

It looks like cPanel Inc. is delivering the Google Tag Manager script inside WHM.

I see that as a security risk and data privacy issue, when a third-party script is injected in the WHM console of every server.

Code:
    (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
            new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
            j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
            'https://www.googletagmanager.com/gtm.j

The dataLayer contains an ID and certain license data.

Code:
DNSOnly:
window.COMMON.licenseType = 'standard';
window.COMMON.resellerType = 'reseller';
window.COMMON.resellerType = 'root';
window.mandatoryDataLayer = [{
                cpSessionId: window.COMMON.securityToken.substring(1),
                hasRootPrivileges: window.COMMON.hasRootPrivileges,
                resellerType: window.COMMON.resellerType,
                id: <SNIP ID>,
                licenseType: window.COMMON.licenseType,
                isDnsOnly: window.COMMON.isDnsOnly,
                serverProfile: "DNSONLY",
            }];
            

VPS:
        window.COMMON.licenseType = 'standard';
        window.COMMON.resellerType = 'reseller';
        window.COMMON.resellerType = 'root';


            window.mandatoryDataLayer = [{
                cpSessionId: window.COMMON.securityToken.substring(1),
                hasRootPrivileges: window.COMMON.hasRootPrivileges,
                resellerType: window.COMMON.resellerType,
                id: <SNIP ID>,
                licenseType: window.COMMON.licenseType,
                isDnsOnly: window.COMMON.isDnsOnly,
                serverProfile: "STANDARD",
 
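An administrator can check a saved copy of a WHM page for the two things the post above points at: scripts loaded from hosts other than the server itself, and data-layer fields populated from the session security token. The following is an added example, not code from the thread or from cPanel; the page sample is constructed, and the host `whm.example.test`, the path `/static/app.js` and the container id `GTM-EXAMPLE` are placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the snippets quoted in the post; the host
# whm.example.test and container id GTM-EXAMPLE are placeholders.
SAMPLE_PAGE = """<html><head><script src="/static/app.js"></script>
<script>
window.mandatoryDataLayer = [{
    cpSessionId: window.COMMON.securityToken.substring(1),
    hasRootPrivileges: window.COMMON.hasRootPrivileges,
}];
(function(w,d,s,l,i){var j=d.createElement(s);j.async=true;j.src=
'https://www.googletagmanager.com/gtm.js?id='+i;})(window,document,'script','dataLayer','GTM-EXAMPLE');
</script></head><body></body></html>"""

URL_RE = re.compile(r"""https?://[^\s'"<>)]+""")
TOKEN_FIELD_RE = re.compile(r"(\w+)\s*:\s*[^,\n]*securityToken")

class ScriptAudit(HTMLParser):
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party = first_party_host
        self.third_party = set()    # external hosts that scripts load from
        self.token_fields = set()   # data-layer keys derived from the token
        self.in_script = False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.note(dict(attrs).get("src"))
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:      # inline code: dynamic loaders and data layer
            for url in URL_RE.findall(data):
                self.note(url)
            self.token_fields.update(TOKEN_FIELD_RE.findall(data))
    def note(self, url):
        host = urlparse(url).hostname if url else None
        if host and host != self.first_party:
            self.third_party.add(host)

def audit(html, first_party_host):
    """Return (third-party script hosts, data-layer keys fed by the token)."""
    parser = ScriptAudit(first_party_host)
    parser.feed(html)
    parser.close()
    return sorted(parser.third_party), sorted(parser.token_fields)
```

Run `audit()` on the HTML of a logged-in WHM page before and after changing the analytics setting to see whether the external host is still referenced.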

cPanelAdamF

cPanel Product Owner
Staff member
We, like many other organizations, deploy a tag management system. We use the information gleaned to make important business and product decisions in an effort to make your experience using our offerings better. These systems use the injection mechanism that you point out in order to operate. We designed our use of this technology to respect your privacy as well as assist us in discovering vital business intelligence. It's always a fine line to walk; therefore, we take security and operations seriously when implementing and configuring the tag management system. We restrict access to it carefully and strictly control any publication through it. As always, you can review our Privacy Policy and other amendments here.
 

lorio

Thanks for your answer. The perception of what marketing wants and security suggests seems to be a bit distorted.
You are injecting a third-party script (a JavaScript from a Google server not under the control of your company) into every WHM console.
The differentiation between your website and server and the panel software installed and hosted by your customers is not clear.
What scripts are next when I log in tomorrow? Script blocks on self-hosted panel software seem to be the new normal.

Examples of compromised JavaScripts are nothing new.
 

cPanelAnthony

Administrator
Staff member
Hello! While you can disable interface analytics, configuration analytics cannot be disabled.


Warning:
In cPanel & WHM version 78 and later, we always collect Configuration Analytics for the server. We have classed this data as operational data that cPanel, L.L.C. requires in order to make vital business decisions.

This does not enable Interface Analytics or alter your participation (or choice not to participate) in that program.

For more information on what exact information we grab for analytics, please see the following article.

 

Duplika

Thanks for the update Anthony!
It's a pity we can't disable Google Analytics inserted at our WHM. Makes me want to disable Analytics altogether instead of sharing useful information with cPanel.

Are we able to submit a feature request for this? Maybe reconsidering this makes more people interested in enabling Analytics at their servers.
 

cPanelAdamF

cPanel Product Owner
Staff member
Our use of Google Tag Manager is to deliver the in-product survey found in the bottom right of WHM (2087) thus why you observed no effect to it when trying to disable Google Analytics.

You can disable participation in Google Analytics using the WHM » Configure cPanel Analytics feature in WHM (for server-wide) or from the slide-out to the right if you only want to operate on a user account. When either of those two options is set to NO, the analytics embeds are removed entirely from the UI. The uninstall script you cite will totally do it too, but we assume simply disabling the server setting is easier for most.

Starting with v98, we do distribute analytics tags in cPanel (2083) only for Jupiter users. This happens via a separate container embed, different from the one delivering the in-product survey, and is beholden to the same participation settings I described. The entire container tag is removed if you or your server owner chooses not to participate.
 

Duplika

Our use of Google Tag Manager is to deliver the in-product survey found in the bottom right of WHM
Oh that seems like a small feature!
There are probably many people thinking you are forcing user tracking, and it's probably something accidental.

Hopefully it's integrated into your "cPanel Analytics" package, so it's either added or disabled as a whole.
 

lorio

Our use of Google Tag Manager is to deliver the in-product survey found in the bottom right of WHM (2087) thus why you observed no effect to it when trying to disable Google Analytics.
Transmitting an IP to a third party can be seen as a GDPR incident. E.g. in Germany there are currently a lot of issues around embedded Google Fonts transmitting the IP of website visitors.

Embedding a survey icon via Google Tag Manager should be made optional and part of the cPanel Analytics control.
It's not your server and not your users you are injecting your Google Tag account tools into.

Even without a GDPR in place, I don't get the mindset to enforce third-party surveys into a control panel paid for by customers towards users which you have no direct customer relationship to. You have to explain your "legitimate interest" in forcing a tool onto my customers.

When a bogus script is implemented via that Google Tag embedding, what is your stance?
 