• In the Adalytics report, Colossus SSP is accused of distorting user identifiers, which may indicate fraud.
• For its part, Colossus SSP denies responsibility for the forgery of identifiers, citing the complexities of technology and interactions with partners.
• The situation is complicated by technical aspects and differences in data interpretation and requires further investigation.

In ad technology, nothing is simple. What seemed to be a clear case of fraud may in fact be more complex and multi-layered. In this article, Digiday publication attempts to delve deeper into the details of the scandal with Colossus SSP.

According to Adalytics, a startup focused on advertising transparency, Colossus SSP has repeatedly been observed distorting user identifiers. Moreover, the altered identification information mimicked cookie identifiers that attracted high bids from The Trade Desk DSP.

This behavior resembles fraud.

This is where the complexities begin: Colossus SSP first released a press release addressing the industry, and then sued Adalytics for defamation, false statements, and unfair advertising.

To understand why Colossus SSP, which at first glance was engaged in fraud, is so vigorously defending its reputation, it is necessary to understand exactly what happened.

At the beginning of May, Adalytics discovered that when purchasing advertising, The Trade Desk DSP received distorted identifiers from Colossus SSP (oRTB specification). These identifiers, supposedly belonging to premium audiences, were in fact not such — significant discrepancies were observed between the characteristics of the audience stated at the time of purchase and those actually present in the browser at the time the ad was displayed.

In its defense, Colossus SSP did not deny the findings of the study, but disputed the accusation that it was responsible for the substitution of identifiers. CEO Mark Walker shifted the blame to the complexity of the AdTech industry — something that Adalytics also recognized in its report.

Here is what Walker told Digiday in his email statement:

«The claims made in the Adalytics report are clearly false and demonstrate a troubling misunderstanding of the complexities of programmatic advertising. Due to the technical peculiarities of integrating multiple different providers, our system is subject to various discrepancies. Our task is to correct them. Even the largest and most reputable AdTech companies must tirelessly work to ensure everything is done correctly. Colossus SSP has experience in successfully cooperating with partners on any issues that arise and working together to promptly resolve them.»

This really could be the case, but Walker's arguments are not ironclad — they leave enough room for doubt and speculation. Notably, he does not even entertain the thought that these identifiers could have been incorrectly matched intentionally.

The theory becomes plausible only when you understand how these identifiers are processed. Digiday examined the documentation of BidSwitch, the traffic and demand management company used by Colossus SSP to sell inventory to The Trade Desk DSP, to get a clearer picture of this process.

BidSwitch inserts its user identifier into the synchronization pixel URL (i.e., Colossus SSP), which is then loaded into the user's browser. When it loads, the provider automatically extracts its cookie from the browser, creating a direct link between the BidSwitch cookie identifier and the provider's cookie identifier. This happens instantaneously, and here both identifiers are visible.

This process is standard for cookie synchronization across all AdTech companies.

Thus, Colossus SSP does not directly handle user identifiers, but it potentially could substitute the cookie identifier when sending bid requests to BidSwitch. Then, when BidSwitch forwards these requests to The Trade Desk DSP, it uses the already substituted identifier.

If everything were so, it is easy to see why the Adalytics report caused such a resonance. And why Colossus is now defending itself.

According to the owner of Colossus, the company Direct Digital Holdings, Digiday misunderstood the documentation. He confuses EID with Buyeruid. These are two different things. All data must be synchronized according to specific rules. But if that were the case, then Adalytics would not have found cases of substitution.

However, let's consider the possibility that Colossus SSP did not commit any fraud. Perhaps everything in the Adalytics report was just the result of a technical glitch. Such mishaps occur, they happen quite often and for various reasons. Among them are revenue optimization methods that include bid enrichment, probabilistic matching methods, data integration issues, device fragmentation, and identification failures.

But usually, when such failures occur, their impact on identifier mismatches is minimal. In the case of Colossus SSP, this does not seem to be the case. The Trade Desk DSP, Google, and other companies reported similar problems to Adalytics, and such reports paint an unpleasant picture. Moreover, identifiers continue to be substituted even when BidSwitch is not involved.

«Yes, there are other platforms besides Colossus SSP that have been noticed in such a practice, but this does not make such practice normal», — commented the head of one of the AdTech companies anonymously. «It is still fraud when information is substituted in a bid request.»

And this is not just rhetoric. This anonymous executive personally observed tests from February to May, and the results were analyzed by Digiday.

The test results showed that although most SSPs, where he purchases inventory, indeed encounter such cases of identifier mismatches, these cases usually occur at the level of a specific publisher. In the case of Colossus SSP, this was not observed. According to the expert, identifiers never matched, indicating a systemic problem in the operation of Colossus SSP.

It is understandable that this expert stopped purchasing inventory from Colossus SSP. The fact that user identifiers constantly do not match is concerning. If an SSP knows that a user is using browser "123", it should not distort the bid request with altered information. The only possible explanation for this is either deliberate deception or absolute incompetence. Either of these explanations is extremely bad for Colossus SSP.

However, not everything is so straightforward.

Dr. Augustine Fou from FouAnalytics, an independent researcher in cybersecurity and ad fraud, asserts that there is nothing malicious in this.

Here's his explanation: «Colossus SSP passes the identifier to BidSwitch, BidSwitch matches it with its existing identifier from The Trade Desk and sends that identifier in the bid request. Neither Colossus SSP nor BidSwitch can read The Trade Desk identifier from the browser storage because it was set by adsrvr.org (a domain owned by The Trade Desk). None of these parties intentionally substituted data. The fact that The Trade Desk DSP sent a different user identifier in its response indicates that The Trade Desk served the ad to a different user, not the one that was specified in the browser storage. That's how the technology works».

For Publishers

It's important to regularly verify the correctness of advertising to avoid potential fraud issues. Work with reliable partners and use understandable technologies. Read my blog to stay updated :)

Forecast

Companies will be forced to implement stricter data control and transparency measures.

Other Materials on This Topic:

• MRC Guide Update on Identifying Low-Quality Traffic
• DSP Accuses SSP and Publishers of Manipulating User Data