Retargeting platform Criteo has been smashed in two new reports. The first was written by an ad fraud consultancy called Method Media Intelligence and the second by financial analysts Gotham City Research (GCR), which sought to validate the MMI study based on its own analysis.

As a result of that analysis, Gotham City Research last week released an assessment where it said it believes 50 per cent of Criteo’s revenues originate from suspect sources.

See also:

That wasn’t the only bad news for the French-based Nasdaq-listed company. It was also revealed that as much as 20 per cent of its revenue could be adversely affected by Apple’s Intelligent Tracking Prevention — much worse than the figure the market expected, which was closer to eight per cent.

Gotham City Research turned its focus to the performance marketing company after getting hold of a report written by Shailin Dhar of Method Media Intelligence. Which-50 also has a copy of that report, and we discussed some of the findings with Dhar in May, but agreed to withhold them from publication while he completed his work.

With regard to Criteo, the GCR analysis offers four fairly critical opinions of the company’s business. (At this stage it is also worth filtering GCR’s opinions through the prism of its vested interest — as a short-selling investor, it wins if the share price falls.)

Its opinions include:

Over 50 per cent of Criteo’s revenues originate from suspect sources (e.g. clickbots, fake/low quality web sites, etc);

Criteo takes credit for clients’ sales it did not contribute to and, in some cases, that never actually occurred;

Clients will leave or demand reimbursements from Criteo, out of brand safety and revenue misattribution concerns;

Criteo’s sales and profits will decline as a result of increased client scrutiny, leading to a 67 to 77 per cent decline in its share price.

In preparing its analysis, GCR reviewed the work by Method Media Intelligence, which analysed Criteo’s engagement by retailer Ivory Ella. It then did its own analysis.

According to the GCR report, “After three months of due diligence, which included an analysis of Criteo and its peers’ web sites, we have concluded that the evidence overwhelmingly supports MMI’s thesis; over 50 per cent of sites where Criteo ads are displayed — and therefore clicks and revenue — seem to be of suspect quality.”

The analysts say they believe Criteo’s stock price could drop dramatically once investors and consumers develop a better understanding of its exposure to ad fraud.

GCR is promising more disclosures in a second report shortly.

The MMI study

Method Media Intelligence analysed the performance of Criteo with regard to an online retailer named Ivory Ella. In describing the purpose of its research it notes, “From August 2015 to May 2017, Ivory Ella had paid $1,063,167.35 to Criteo for clicks generated, attributed to $1,007,280.13 in sales. Ivory Ella agreed to allow MMI to investigate on its behalf, to assess whether Criteo was delivering legitimate traffic and to decide if it should continue spending money with Criteo.”

Criteo, unlike many of its competitors, gets paid when an ad is clicked, rather than on the cost per thousand ads served.

As Dhar writes in his report, “It is fairly easy to understand that within advertising technology, any company whose business model relies on selling clicks as performance is prone to fraudulent traffic activity because industry-wide CTRs are at 0.05 per cent (five clicks for every 10,000 ads). This CTR includes the estimated 51.8 per cent of all web traffic being robots.

“While we could make theoretically logical claims of why Criteo’s traffic sources and billing activities are opaque and suspicious, we will instead use evidence to prove systematically and methodically that Criteo and its clients have a massive exposure to fraudulent web traffic that results in massive advertising fraud.”

What follows from MMI is a 34-page technical analysis of the Ivory Ella campaign. You can read the report on the Gotham Research site.

However, some of the key findings with regard to the investigation of the Ella Ivory data include:

Criteo operates with no transparency as to where the clicks it charges advertisers for are being generated;

Criteo displays and pays for ads delivered to even simple bots;

Criteo claims attribution credit to its ads for transactions that were falsely triggered by a bot. It is able to do this despite having a window of up to 24 hours to verify or scrutinise the transaction occurring and reporting it in their console with attribution one way or the other;

Criteo reported 42 per cent higher clicks than our own tracking code on the same web page;

Visits from Criteo-attributed clicks have an approximately 40 per cent frequency of unregistered referrers;

Criteo’s average CPC rises from $0.31 to $0.50 with the adjustment of unregistered and unattributable clicks. Criteo charged Ivory Ella advertising costs at least 61 per cent higher than what was truly delivered. and it over-reported $10,312.52 in the amount of attributed sales to its advertised users over a 30-day period;

Criteo’s transaction timestamps are dated after Shopify’s transaction timestamps, which allows extra clicks to be billed to those user IDs even after a purchase is made.

When we initially discussed his work with Ivory Ella earlier this year, Dhar told Which-50 that one of the early red flags from the analysis was that his client spent more on clicks with Criteo than it generated in revenue. That first number was substantial — approaching seven figures.



That punctures a typical Criteo response when claims such as this are raised. Responding to criticism late last year the company argued “We make money only when our clients do, because our business model is fully aligned to driving their sales.”

Other problems quickly became apparent.

Criteo told the company its ads would only appear in brand-safe environments — described by Criteo in emails to the client’s agency as “Disney safe”.

However, Dhar told Which-50, “We have screenshots of ads on all types of salacious content. Obviously, things that cannot be justified as PG-13.”

Criteo also refused to provide the client’s agency with a list of sites on which it buys ads, claiming confidentiality agreements with publishers, the report said. This is despite the fact that the Criteo tags can be scraped from the public source code of sites where they are present. Criteo also buys inventory on open exchanges, where such privacy considerations are not relevant, Dhar said.



As the researchers dug more deeply into the data, their findings echoed many of the criticisms of Criteo that emerged in the SteelHouse dispute, and which were later publicised in an article in Seeking Alpha and subsequently investigated by Which-50.

Working with Ella Ivory, the researchers were able to see every visit to the site and where it came from. This threw out another disturbing discrepancy. “We found that Criteo was over-reporting the number of clicks that we could detect as coming from them.”

In the period tested, Criteo reported 3500 clicks. Yet the researchers could only reconcile 2100 clicks to the dedicated url IvoryElla.com/product1234/UTMsource=Criteo

This is a significant discrepancy — about 40 per cent.

After initially planning a seven- to ten-day analysis, the test was extended to a month. “Now, we’re looking at all visits coming in. We are seeing lots of headless browsers, which are just phantom browsers. We were also seeing referrers. If you just rely on Criteo or Google Analytics, you only see the first referrer.”

However, Method Media Intelligence was able to look a few further steps back in the chain, and that also set alarm bells ringing. “We started seeing a frequency of referrers like r.search.yahoo. That’s associated with a well-known piece of malware from a company called Spigot.”

While not a 100 per cent confirmation, says Dhar, the frequency of this referrer strongly hinted that traffic is being purchased from adware companies. This was one of the few allegations Criteo specifically denied after the Seeking Alpha story was published earlier this year. In responding to the Seeking Alpha and Which-50 stories, most of the rest of its denials were general in nature.

“If there is no connection, there is no reason for that to happen,” Dhar told Which-50.

Nothing to see here, move along

In June this year, after being briefed on the MMI research, Which-50 wrote to Criteo with a set of detailed questions raised by the report. Criteo declined to answer the questions and instead sent us the following statement which we are now free to publish.

“Whilst Criteo does not comment on individual cases, we would like to reaffirm that Criteo’s goal has always been to serve as a trusted partner and ensure a high quality, brand-safe environment for our community of more than 15,000 advertising clients. When advertising with Criteo, brand safety covers both the appropriateness of the site content and the integrity of the traffic the site generates. We are committed to detecting and combating fraud in digital marketing through numerous internal and external prevention methods.

Our proprietary targeting and bidding engine has built-in detection of signals that indicate non-human activity. We have a dedicated operations team who constantly monitors the extensive reporting from our systems to pick up suspicious click activity which could indicate fraud. When such activity is uncovered we immediately reimburse affected clients. Criteo also employs a robust blacklist process to enforce our brand safety guidelines. Our publisher account teams regularly review advertiser performance metrics on publisher sites to spot suspicious trends, and terminate any sites that may be generating invalid traffic. Criteo continuously enhances its protection by adding any new fraudulent agents or suspect behaviour types to our detection tools. In addition, we are a member of TAG (Trustworthy Accountability Group) and work with leading third-party vendors to assess any additional protection they can offer to our own tools and processes to prevent fraud and non-human traffic.”

You can read our questions to Criteo here.

Why is this trouble for Criteo?

Criteo’s business model and practices were already under scrutiny following its legal dispute with Steelhouse last year. The research by MMI raises some significant questions but as a single piece of research it would have been easy for Criteo to ignore it and perhaps settle any concerns directly with its client Ivory Ella.

Many of MMI’s findings have now apparently been validated independently by a third party — Gotham City Research — which says it will release more information shortly.

Already, however, its initial assessment raises important questions that Criteo’s management should address.

Among them: GCR says that based on an analysis of over half a million web sites, the majority of Criteo’s ads seem to be displayed on suspect web sites and as many as a third of its disclosed business partners and suppliers have proven ties to click fraud adware, malware and viruses. They also say they found that almost a thousand “… malicious files/urls have been detected/associated with Criteo domains.IP addresses.”

The GCR analysts also looked at the hit the company would take if its revenues were to decline by just five to ten per cent. Under such circumstances, net earnings would decline by 29 to 44 per cent.

So who is Gotham City Research? According to the Financial Times in London, the company has a solid track record in its assessments. In 2014, for instance, the FT wrote, “Over the medium term, the group’s record has been good.” That FT article followed a Gotham City Research report that wiped 900 million pounds off the value of claims-processing company Quindell.

As of Sunday evening, September 17, Criteo has not formally responded to the Gotham City Research report.