“Data-Driven Thinking" is written by members of the media community and contains fresh ideas on the digital revolution in media.
Today’s column is written by James Avery, CEO at Adzerk.
Fraud is the ad industry’s not-so-secret problem. It impacts publishers just as much as advertisers. Advertisers have finite budgets to spend filling placements each year, and the amount that gets wasted on fraud hurts the payouts of legitimate publishers.
It’s not as simple as blocking unwanted domains from accessing a site or demand-side platform because fraudsters adapt faster than publishers and advertisers can detect their exploits. But a century-old solution using a secure sockets layer (SSL) may hold the key to stopping fraudsters in their tracks. Since it creates a boundary between those who serve and display advertisements, I call it the secure ads layer.
We are all familiar with fraudsters’ ploys. They can repeatedly make ad requests to a site, not only refreshing a page but also mimicking valid user agents to avoid detection. They can build sites that look legitimate but are filled with stolen content, with ad units stacked on top of each other. Fraudsters can even make ad requests from inside a 1x1 pixel.
And they’re probably using new techniques now that the industry doesn’t even know about.
Fraudsters also use countless adware and malware plugins that insert or replace ads on legitimate publisher sites. Often, these toolbars are presented as Trojan horses to end users, promising to donate revenue to charities of their choice or deliver some marginal benefit to their web browsing experience. Of course, the revenue is directed to the plugin creator while the publisher loses the value of its inventory.
This is not just a short-term loss of revenue – the overall value of a publisher’s inventory will diminished through fraud. It contributes to ever-shrinking CPMs, and it’s only getting worse.
Ultimately, trying to solve ad fraud through various “patches” that detect fraudulent activity and block users or patterns is like trying to put out a forest fire with a cup. You might see some short-term successes, but you’re guaranteed to lose the war
The core issue is that ad platforms use domain as the main identifier when identifying traffic. This can be easily spoofed on nearly all major platforms, and in many platforms it can just be passed in as a query string on the request. As long as a fraudster can masquerade as a different domain, there will always be ad fraud.
Better Than A Domain
There is, however, a potential solution based on technology that goes back to 1874. It uses the same basic principle as SSL.
SSL is a fairly well-known technology, although the average user probably doesn’t know that it works because of a technique called public key cryptography. A browser can use a public key to confirm that a certificate was signed with the corresponding private key, without having access to the private key.
One use of public key cryptography is the ability to sign a message and then verify that the message wasn’t tampered with. What I envision is for publishers to host a set number of valid public keys, perhaps stored at a central repository or just exposed through a simple endpoint, such as a /_keys folder off their main domain. The publishers would give the corresponding private keys to vendors, such as their ad server and SSP, who they’ve already vetted.
Say The New York Times adopts a secure ads layer. Whenever impressions are served on nytimes.com, their private key is used to sign the full URL, a time stamp and the ad request’s user ID (cookie). The buyers, including the exchanges, DSPs or networks, would then use the Times’ public key to verify that the URL was indeed certified by the publisher.
Not only does this secure ad requests for publishers, it’s a huge opportunity for DSPs because they could enable buyers to purchase verified traffic and choose publishers based on their verified keys, as opposed to domain.
This technology could be a game-changer for programmatic advertising, but to get this done, we need the support of the major ad servers, exchanges and DSPs.
Secure ad traffic is better for advertisers and publishers. The secure ads layer is something everyone could implement without any proprietary technology or extra cost.