The Programmatic Principle:

Despite its many acronyms, the founding premise of the programmatic buying model was relatively straightforward; automate the interaction between publishers and advertisers to reach audiences at scale. Data pathed the way for more accurate audience valuations and promised to deliver advertising’s holy grail; right message, right time. The technology has been so successful that its come to define the industry. According to Zenith’s programmatic marketing statistics, In 2019, programmatic buys will account for 67% of digital display spend, a 59% increase on 2017 (Zenith, 2017).

Trouble in Paradise:

Its no secret though, that in many respects, the reality has parted ways with the principle and with ever larger sums of money reliant on the infrastructure, its more important than ever to address the underlying problems head on. Its estimated by the ANA that $7 billion will be lost to ad fraud this year, a large proportion of which will be enabled by two relatively straightforward supply-side vulnerabilities; non-human traffic and domain spoofing.

Bot networks vary in configuration but broadly, they are a horde of computers that have been infected and programmed to perform specific tasks without the owners knowledge. Bot networks have been around for some time but their recent notoriety stems from the discovery of HyphBot (Adform, 2017), and MethBot (WhiteOps, 2016). Bot networks are used to increase the volume of impressions on a site and therefore extract more money from buyers who think they are buying human viewers.

Coupled with this, deficiencies in the way supply chain partners authenticate themselves to each other makes it possible for demand partners to buy miss-labelled inventory. For example, it’s been possible for a Publisher to falsely declare their domain name (or some other parameter of a bid request) to an exchange, thereby inviting heightened demand for their ad inventory by imitating that of a reputable publisher. Using this spoofed domain in conjunction with a bot network can generate a lot of revenue for an immoral individual.

Part of the problem lies in the incentive model of the current system. Supply chain entities are generally compensated on a CPM basis which means that those with the most scale receive the biggest rewards. A system where incentives are inexorably aligned with scale and where measurement issues abound encourages unscrupulous actors to defraud the system for their own gain.

The Industry Fights Back:

In response to the growing distrust between buyers and suppliers, the initial solution for agencies and their advertisers was to increase the volume of inventory bought through private marketplace deals and to exercise stringent safety controls on anything outside of these. The IAB’s release of the ads.txt (Authorised Digital Sellers) protocol has now ushered in a more sustainable solution. In essence, publishers host a text file listing in full the partners they’ve certified to sell their inventory. The files are publicly available and crawlable by buyers, third party vendors and exchanges. The beauty of ads.txt is in its simplicity; buyer spend can flow freely to those that adopt it whilst those that don’t will invite questions over the veracity of their supply chain. However, whilst adoption is recommended, it isn’t mandatory and of the four pieces of information that constitute each line of the ads.txt file, perhaps the most valuable, the certification authority ID, is not enforced (Doubleclick, 2017). This ID is important as it gives unequivocal credence on behalf of the publisher to the prior three pieces of information.

To compound this, the initial launch of ads.txt hasn’t been without its issues. Reports of resellers asking to be listed on publisher ads.txt files and the fact that files do not specify the inventory format a given reseller is authorised to sell allow arbitrage opportunities to remain.

Introducing AdChain:

Programmatic problems have also attracted the attention of a number of companies in the blockchain space. MetaX’s AdChain is one such company. Built on top of the ethereum blockchain, AdChain’s primary goal is to eradicate the ad fraud associated with domain spoofing by creating an authenticated registry of accredited supply partners. To be included in the registry, a publisher supplies a domain name and a small amount of the networks native currency; adToken. If the network agrees unanimously that the publisher is credible then they are admitted into the registry. However, each network participant can dispute the legitimacy of prospective participants by initiating a challenge and staking an amount of adToken. Once a challenge is opened, the network as a whole votes on the legitimacy of the publisher and the staked adTokens are distributed based on the outcome of the vote. Maintaining the authenticity of the network is therefore the onus of those that participate within it and in theory, the system works effectively to remove deceitful players by gamifying inclusion. As long as the registry is considered a clean pool of authenticated inventory then advertisers will want to buy from it.

With a high quality, zero-cost whitelist in place, advertisers can choose whether or not to service in-bound bid requests. Fundamentally though, the registry is just a list of approved domains and therefore still vulnerable to rudimentary attacks in which origin headers are falsely declared. For the registry to be valuable the industry must settle on a standardised way for exchange partners to authenticate themselves. One solution lies in the highly substantiated Transport Layer Security (TLS) protocol which pushes authentication out of the application layer and into the transport layer. In the simplest example the publisher serving a bid request must be able to authenticate themselves to the SSP using the certificate signing key of the domain they solicit bid requests for, therefore authenticating themselves as legitimate supply.

The Solution Lies Somewhere In-between:

Cognisant of the limitations of ads.txt, the IAB has already proposed its follow up solution, ads.cert. Where ads.txt sought to solve the issue of authorisation, ads.cert tackles authentication. You can think of authorisation as a guest-list for a party, it gives the door staff a list of who is permitted to enter. Ads.cert is the drivers license or passport you show them to prove who you are who you say you are. The roll out of ads.cert relies on the full release of RTB 3.0, an upgrade that sees the largest overhaul of the protocol since 2010 (iabtechlab, 2017).

It proposes the introduction of cryptographically signed bid requests that will verify that inventory is not only from a trusted publisher but is also un-modified in its entirety. To do so, ads.cert utilises the same cryptographic methods as blockchains like Bitcoin. In the case of Bitcoin, when one person sends bitcoin to another, the sender encrypts the transfer using the public key of the recipient. The recipient can then use their private key to decrypt the inbound transfer and receive the funds. The public key is like a mailbox, people are able to post letters to you if they know your address but only you, the holder of the (private) key can open the box to access those letters.

Applied to programmatic, the parameters that constitute a bid request are canonically serialised into a standardised sequence and used to generate a digital fingerprint of the transaction. This produces a numerical signature which can only be produced by the party in possession of the unique private key, in this case, the publisher. The exchange receiving the bid request only sees the publisher’s public key but with this and the signature they can verify the request as legitimate. Combined with ads.txt this delivers a solution on par with AdChain’s and most importantly; a key blow to fraud.

So Where does leave us?

So where does this leave us? No doubt, the AdChain registry is a novel solution for tackling the problem of AdFraud and its mechanics have the added bonus of promoting cooperation between publishers. It also grants them greater control over the programmatic ad space in the process and puts pressure on existing SSP design. However, through the combined action of ads.txt, ads.cert and RTB 3.0, the industry has taken solid steps in curing its own ills, at least in so far as domain spoofing is concerned. All of a sudden, the long fought game of cat and mouse is more like a game of chess with one key move stifling a now tired attack.

Perhaps AdChain has already had an impact on the landscape; but by putting pressure on existing companies to adopt smarter systems, rather than via the AdChain registry. What makes the industry’s own solution slightly more tenable is that it fits into the existing architecture without necessitating too comprehensive a re-design. Of course, there is an argument to be had that storing a shared digital record of verifiable publishers is more favourable than each publisher compiling their own ads.txt file and having bidders crawl through them. But with behemoths like Google controlling much of the supply chain there will likely be significant pushback against new entrants looking to dislodge their hegemony.

It’s time for the industry to stop patching up the holes with new technology and address the problems beneath head on. Once we are able to buy through trusted supply chains and offer reliable measurement we’ll be able to squeeze out the companies who monetise a void in trust and prosper off inefficiency, and get back to delivering our ad campaigns.