Google's Ad Security Push Spurs Industry To Batten Down Hatches

HTTPS photoWhen Google announced last month its ad networks would move to HTTPS by June 30, it marked another Internet giant adding security features that benefit the user – but that also inconvenience publishers and advertisers.

HTTPS makes websites more secure by authenticating websites and web servers and by encrypting client-server communications. In the past, adapting this protocol had been left to individual sites. In recent years, Facebook, Twitter and YouTube have all embraced it.

But for advertisers, the change creates an extra burden. In March, Google sent emails to buyers using DoubleClick and AdX instructing them how to make sites secure in advance of the switch. Every element on a web page, including ads, needed to be secure. Buyers were warned that if their creative didn’t add encrypted SSL protocol to make ads secure, they wouldn’t be able to buy on secure sites.

Serving secure creative requires checking all tags – including viewability tags – pixels and creative to make sure they are running using an encrypted script, SSL.

Most vendors have secure versions of their tags. In 2014, the IAB found 80% of member ad-delivery systems support HTTPS.

“I don’t know of any vendors that don’t support HTTPS,” noted Yahoo Chief Information Security Officer Alex Stamos. “You just have to make sure that the script is asking for it over HTTPS.”

The real issue is the human factor.

Troubleshooting problems can be a logistical headache, requiring a publisher or advertiser to sort through complex redirect chains to find out which partner isn’t running secure.

“Since human error will lead to some components (ad creative, tracking pixels, conversion beacons and so on) being delivered over HTTP, time and resources will need to be spent tracking these errors down,” said Scott Cunningham, SVP of technology and ad operations for the IAB.

Going secure used to be associated with higher data loads and slower loading times, but that’s no longer the case.

“That’s honestly an outdated view of SSL,” Stamos said of the secure script that makes sites like Yahoo Mail secure. “It generally increases the amount of data only by a tiny amount. If you set it up correctly, you only have to do the handshake once, and for hours or days you have a secure connection.”

Google said it will encrypt its ad calls and its RTB callouts independently of each other. It expects its shift to HTTPS to have little impact on the time it takes to read the callout and package a response. Bidding will be unchanged by HTTPS.

While HTTPS helps with man-in-the-middle attacks and eavesdropping on a user session, it doesn’t help the ad fraud issue. It will not protect the ecosystem from common forms of ad injection or ad fraud, according to fraud researcher Augustine Fou.

The Publisher Side Of HTTPS

Publishers are in a different position. Though Google is doing the bulk of the communication with advertisers, publishers still need to make sure their advertisers understand the change.

And although secure ads can usually be shown on both secure and insecure sites, Google is working to incent publishers to transition their sites to HTTPS. Last fall, Google announced that secure sites would be increasingly nudged up the search results – as long as the publisher sticks with Google-supplied inventory.

It’s also trying to make a common problem on secure sites – a browser warning that a user is on a site with secure and insecure elements – less likely to make the user leave the page.

“Regular consumers get totally freaked out by those warnings, and it causes drops in conversions,” said Scott Meyer, CEO of Ghostery.

Those warnings lead to revenue loss. The Ponemon Institute and Ghostery found in a joint study that 57% of ecommerce customers would stop their purchase session if they saw this message. The top 100 retailers lose $310 million per year simply from glitches causing this message to load.

Even publishers without an ecommerce component risk seeing users bail from their sites when the warning appears.

In the new version of Chrome, Google makes these mixed-content warnings less prominent. It addresses the fact that some parts of pages are tough to migrate to HTTPS, like older parts of a site that might have hard-coded URLs, which are difficult and time-consuming to change to HTTPS.

The IAB is encouraging publishers to go secure, since it provides a more private experience for users, Cunningham noted. Plus, going secure improves Google PageRank.

“Our guidance at this time is that all systems in the advertising industry should support HTTPS, with the understanding that HTTP delivery remains necessary to serve some difficult-to-update sites, like static news archives and hard-coded URLs,” Cunningham said.

It also protects publishers. “HTTPS makes it more difficult for intermediaries to use advertising cookies as a way of passively tracking users,” Cunningham said.

Google As Leader, Google As…

So is Google leading the charge to make the Internet more secure? After all, its move brings instant scale to secure ads, theoretically creating a snowball effect that will likely require other players to follow its lead.

Not everyone, however, is convinced.

“My sense is that this is more marketing,” said Tom Shields, SVP of AppNexus’ publisher product. “There’s no real security issue here. Advertising doesn’t include sensitive information in the ad or the ad call that would need SSL encryption.”

AppNexus supports secure and nonsecure ad creative, but leaves the choice up to the advertiser and publisher. “Most advertisers that I’ve talked to have run into this one way or the other,” Shields said. “It’s a pain, but it’s part of the creative process.”

Going secure increases the cost of doing business.

One executive, who didn’t want to publicly critique Google, offered a positive and cynical interpretation of Google’s actions: Either the company is setting the bar high, leading to a better Internet, or it’s setting the bar high because it’s easier for Google than anyone else, tilting the playing field in its favor.

By requiring all buyers to make creative secure, Google will affect all the vendors placing tags in digital creative, requiring them to incur costs that for Google barely register. For the betterment of the Internet – and itself – it will tip the entire advertising world toward an entirely secure delivery system.

2 Comments

  1. This seems like a natural reaction to NSA snooping programs. The PBS documentary "The United States of Secrets" showed that the NSA are essentially piggybacking off the behavioral tracking mechanisms of the ad tech industry, specifically Google, for their own collection purposes.

    Reply
  2. Anton

    Also, Secure creative's are creating 10% - 20% discrepancy for third party creatives, which means buyers are losing 10% of the media spend due to the latency issues.

    Reply

Add a comment

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>