Q&A: AppNexus CEO Brian O'Kelley On Fraud And Certifying Digital Ad Supply

BrianOKelleyAn AdExchanger story published Wednesday describes the persistent problem of fraudulent ad impressions in the AppNexus inventory supply, and the company's plans to fix it.

Its plan of attack includes a new certified supply program that will clearly label inventory AppNexus has deemed "valid." Buyers can choose to purchase only the good stuff, while ignoring the uncertified inventory that could be harboring botnet-generated, toolbar-injected, nonviewable or otherwise undesirable ad impressions.

Much of the material in the story came from a direct interview with AppNexus CEO Brian O'Kelley. Since the interview has substantial material that didn't make the story, we're publishing it in full here.

AdExchanger: How do you respond to concerns about fraudulent impressions trafficked through the AppNexus platform?

BRIAN O'KELLEY: AppNexus is a different kind of platform than almost anything else in the industry in that we are usually indirect in how we access supply. We have plugged into every supply source on the planet: every SSP, every exchange, every ad network, everything else. There's a very broad range of traffic we see. Some of it is fantastic, it's the best inventory in the world. Some of it is mediocre at best.

A key thing we talk about is "valid" vs. "invalid," not good vs bad. Valid traffic to us is, to the best of our knowledge, a human being on a web page or app. It looks to us like some source of inventory that is not hateful, pornographic, that is not a site supporting piracy. We have a whole list of criteria. The vast majority of our work goes into trying to delineate between invalid and valid. It's been in our policies for a long time. There's a ton of effort in the line between invalid and valid.

Inside the question of "valid," one challenge we face is that we don't physically see every user, meaning that we allow both from major players like a Google and from small regional players. Meaning they tell us who the user is, and we never touch the user directly. We don't get browser characteristics directly. We don't know what URL the page is. We don't know if it's viewable. We implicitly trust our suppliers to tell us who the user is and whether they're human. And since we don't ever deliver an ad to that person we don't know what we're buying.

That's where people upstream of us would say, "Hey, we're getting a lot of traffic from AppNexus that we can't validate."

Where we're seeing explicit fraud in the ecosystem is from mislabeling of sites. We're seeing a spike in people saying, "This is from ESPN.com." But when we drop Javascript and look at the site, what we actually see is a sketchy ad farm in some faraway land. We were lied to in that case. But in a sense we're part of the lie because we're passing it along to an upstream partner.

What are you doing to solve the issue?

We are in the process of rolling out tools to demand truth in advertising from our upstream partners. Some of those partners are small sites you've never heard of, or networks. Some are the biggest players in the industry. We're going to move to a "verify first, then trust" mentality, away from a "trust then verify."

That's never been our approach. Our approach has always been if someone says it's ESPN, it's probably ESPN. You can call us naïve, but in the early days, it was ESPN. What's happening now is, there's so much money out there in the ecosystem that people are flipping it and saying, "Well, let's just tell these guys it's ESPN."

We now have an automated detection system that's looking for this, and we're blocking something like 600 million impressions a day of mislabeled impression volume. I know we can do better. There's a lot more we're working to do to root this out. Over the next couple of months, you'll see some significant policy changes that make it "trust second, verify first." It's how we'll work with new inventory. And not just directly listed inventory, but indirectly. When people give us inventory directly it's very easy to tell who it is. When they don't it's difficult. That's why our ecosystem is very different than, for instance, an OpenX. To clean up all they have to do is work with legit publishers. For us, we have to go check that all of our partners are doing the same.

In fact we've had to go out and help them clean up their business rules and practices. In one case one of our partners had to fire their BD guy because their BD guy was lying to them. The CEO said, "I thought this really was ESPN, I couldn't understand why we could buy ESPN for a $0.03. I thought my BD guy was a genius." Their BD guy was lying to him and lying to us. Because I trust this guy, and I do trust him, I sent that traffic on to upstream buyers, effectively lying to them.

How do you respond to a situation like that?

We do our best when we find this to rip out those impressions and credit everybody and do the right thing. But we're doing this at a scale that I don't think has ever been seen before. I'm not making excuses. We're going to fix some of the trust gaps that we've got in our ecosystem. But because we're operating at such a large scale, and because we have so many partners in so many different parts of the world, there are more openings for folks to tell us things than we previously thought.

You seem very receptive to concerns. I might have expected you to push back with arguments that AppNexus is a pure technology company, and that technology should be applied to solve the problem. Does part of you still feel that way?

Fifteen months ago I would've said yes. In about August of last year we had this spidey sense that people were using our system in ways that we didn't feel good about. We pulled the team together and looked at what our partners were doing, and we thought to ourselves, on one level it's great we're enabling people to do whatever they want. But if what they're doing ruins people's trust in the Internet and in marketing in general, why do we want to work here? I want to work at a company that makes online advertising better. I feel like we have an obligation, even as a SaaS provider, to help clean up the Internet.

What's been the reaction?

When we talked to our largest customers, we expected some backlash. The opposite was true. "We know that we'll lose a bit of money here or there," they said. "But we don't make that much money from the fraudulent stuff." They have upstream partners too. We're trusting people too. "If you guys could root out the trust issue, it'll help our businesses grow" was the message.

That gave us the courage to start a process internally, which will culminate in us rolling out a certified supply program, where we put an AppNexus brand on supply. Not all the supply we roll out will have that logo. But you can buy supply that we believe is not just valid, but valid-plus. We can use viewability techniques and other methods, we can be better than our policy.

[As an aside], we feel really good that if you apply best practices, you can absolutely buy great inventory from us and not have any problems. And if you talk to some of our biggest buyers, they'll say, "Hey, we know what's good and bad and we don't buy the bad stuff."

If you talk to our biggest customers worldwide, if they were being intellectually honest they'd say, "Yeah, if you buy the stuff that's actually good you'll be fine. If you go out into the gray areas, it gets… gray."

So it's a dumb money issue.

I don't think that's true. I think it's a greed issue. I think a lot of companies in the space intentionally buy gray-area inventory, and then if anything happens they point the finger. There's a willful aspect of this across the board. All I can tell you is that we do not ever allow anything that looks suspicious to get past us. I'm not saying we catch everything that's suspicious. But, just to be clear, there's no grin and wink on our part.

Why do you plan to let the noncertified stuff live on in the auction environment? Why not block it?

This is where the moral question comes in. We get supply in where we can't detect the source domain. It's not invalid technically, because it's not lying about the domain. But it's also not valid, because we can't comfortably auction it with a domain. If we dump it, we're penalizing somebody for something.

If it's obviously not valid, we will not serve it. If it's obviously valid, we can tell you that. We find about a third of the inventory sits in a gray area where we can't tell. If we don't mark it valid, the CPM, based on our experiments, will go down by half to three quarters. As a seller, if you've got valid inventory there's a strong incentive to [label accurately].

The right answer is to inform buyers that it's not certified. If you're a bidder, we can just turn off noncertified and you'll never see it. And for our customers, you'll never buy it.

 

Add a comment

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>