How to trick the advertiser? ID spoofing!

  • ID spoofing — substituting the user identifier to increase the value of the impression.
  • Surprise, surprise — you can't do that!
  • DSPs and verifiers fight against such actions.

Earlier this month, one of the players in the American AdTech industry, Colossus SSP, was accused by the company Adalytics of deceiving advertisers by altering audience data of their impressions in such a way to get the maximum amount of money. But it’s not so straightforward.

Note that in this article, Digiday will use the term ID spoofing specifically in the context of deliberate fraud. Keep in mind that in other places on the Internet, you may encounter a different interpretation.

Terminology

Cookie stuffing — when clicks or impressions are incorrectly attributed to inappropriate users to gain unwarranted revenue. For example, a user visits a site, and the attacker loads several additional cookies from different advertisers onto them. As a result, when the user makes a purchase, commissions are wrongly credited to the attacker's account.

ID Mis-matching — when a user's identifier is mistakenly matched to another device, leading to incorrect data attribution. For example, an advertising platform mistakenly matches a user's identifier with another user's device. As a result, an ad intended for one person is shown to another.

ID spoofing — when an ad inventory seller intentionally substitutes a user's or device's identifier with another identifier that has greater value to the buyer. This is only possible in environments operating with cookies, such as Google Chrome.

ID stuffing — when extra user or device identifiers are added to increase the number of ad impressions or clicks. For example, when an attacker adds numerous fake user identifiers to real ad impressions, increasing the number of clicks and impressions, creating the illusion of greater traffic.

Are user identifier data completely forged?

According to Chris Kane, co-founder of Jounce Media, in the worst-case scenario, the identifier information is completely fabricated. However, it can also happen that a new identifier is taken by finding the identifier of the same user but on another device or another person living in the same place. Thus, fake identifiers can be entirely made up or borrowed from real data but not belonging to the same device or user.

How can linked identifiers be used for substitution?

Suppose a user with a certain identifier previously searched for car insurance information from their home computer, but is now using their work computer. The SSP knows that the home computer identifier of this user will be extremely valuable to an insurance services advertiser, but the user is currently on another device. Nonetheless, the SSP decides to substitute the work computer identifier with the home computer identifier to increase CPM, knowing that the advertiser will pay more for a user with a higher propensity to buy insurance.

In reality, it is still unknown if this user is the same person who used the personal computer and searched for car insurance. Even if the CPM remains the same as the original work computer identifier, you are still buying ads targeted not at the user you think you are targeting.

Is this fraud?

It seems that it depends on the motives. Although spoofing or stuffing identifiers is not explicitly named in the Media Rating Council's guide for detecting invalid traffic, however, cookie stuffing is mentioned and described as “insertion, deletion, or incorrect attribution of cookies to manipulate or falsify previous user actions.”

Moreover, this action aims to increase the value of a user who is not who the seller claims them to be. Especially if the altered user identifier contains falsified data or even represents a completely fake user.

When an SSP interacts with a DSP to show ads, they synchronize data to determine the unique identifier of the user's browser, for example, '123'. If the SSP knows for sure that the identifier '123' is used for a given user, it should send bid requests with this value.

If the SSP intentionally uses another identifier instead of '123', it is considered fraud and a violation of the standards established by the MRC (Media Rating Council). So, to not violate the rules and not deceive advertisers, the SSP must always use the correct and synchronized user identifiers.

Mike O'Sullivan, co-founder of Sincera, a company specializing in ad data, says that, in his opinion, spoofing/stuffing identifiers falls into a gray area, especially if the identifiers actually come from another source.

In Mike's opinion, forging user identifiers is a complex and not always clear-cut story. There's no apparent harm, like with bot traffic, but it is still a dishonest action. Systems need to be developed that can recognize and document such cases.

Who should catch ID spoofing?

According to industry experts, either verifiers or the DSPs themselves should handle this task. There is no consensus on this.

Given that "manipulating or falsifying previous user actions" is included in the MRC's SIVT guidelines, some experts argue that any organization accredited by the MRC to detect fraudulent activity in the programmatic products market should be responsible for detecting it.

Other experts argue that since the DSP should be able to detect a user identifier different from the original one sent during the auction, it is the DSP that should detect and report the discrepancy to its clients.

Mike O'Sullivan emphasizes the importance of trust in the bid request process. He says that each bid is a kind of declaration of who will see the ad. It is possible to verify the data in these bids, but he doubts that verification companies can always keep up with what is happening in the vast Internet and what will be reflected in a bid request.

How is this different from ID bridging?

ID bridging — a legal method of tracking a user without cookies by linking their identifiers across different devices and browsers, helping advertisers target ads more accurately and continuously. This method is widely used in environments where third-party cookies are already disabled, such as Apple Safari.

According to Mike O'Sullivan: “The difference between ID spoofing and ID bridging is that ID bridging has a plausible explanation of what is happening, and sellers and buyers have an agreement on how it should be done correctly.

Will the problem be solved with the disabling of third-party cookies?

Theoretically, ID spoofing should disappear along with third-party cookies. However, it is impossible to predict whether this technology will be adapted to new conditions. There will always be those who want to bypass the system.

For Publishers

Always remember, free cheese is only in a mousetrap. However, this situation does not pose any threat to publishers. It is unlikely that SSPs share or have ever shared the revenue obtained unfairly with any publisher. Moreover, publishers are not involved in this process.

Forecast

Pressure and distrust towards SSPs will increase. New technologies (and ways to bypass them) will emerge to check traffic. Trust in the Open Internet will decrease.

Other materials on this topic: