Nothing in ad tech is ever easy, even the years of mayhem. What seemed like a clear cut case of a dodgy ad tech vendor is actually a lot more hierarchical. The ad tech vendor in question is Colossus supply-side platform, owned by Digital Holdings Group.
Ad transparency startup Adalytics says its programmatic marketplace has repeatedly seen user IDs misrepresented. Additionally, the altered ID information consistently mimicked the cookie ID that was attracting high bids from The Trade Desk, his DSP that Adalytics used for analysis.
This means that this pattern of behavior closely resembles a scam.
This is where things start to get complicated. Colossus sued Addalytics for defamation, harmful falsehoods, and false advertising.
To understand why ad tech companies with seemingly questionable practices are so eager to protect their reputations, it's important to dig deeper into what happened.
Earlier this month, Adalytics revealed that The Trade Desk was frequently presented with false identities whenever it bought ads through Colossus. These identities, which were purportedly targeting premium audiences, did not match up. There were significant discrepancies between the audience characteristics claimed at the time of purchase and the audience characteristics that were actually present in the browser when the ad was served.
In its defense, Colossus did not deny the findings, but disputed accusations that it was responsible for identity spoofing. CEO Mark Walker shifted the blame to the broader complexities of the ad tech ecosystem. Adalytics also acknowledged this in their report.
Here's what Walker told Digiday in an emailed statement:
“The assertions made in the Adalytics report are patently false and demonstrate a troubling misunderstanding of the complexities of the programmatic environment. Technology integrations across numerous vendors make it easy for discrepancies to arise in the ecosystem. Our job as an industry is to resolve them. Even the largest and most reputable ad tech companies must continually work with their advertising partners to ensure programmatic campaigns execute correctly. Colossus SSP has a track record of working with our partners to collaborate on any issues that may arise and to immediately resolve them.”
While this may be true, Walker's rebuttal is not complete and leaves the door open to doubt and speculation. Remarkably, it does not even acknowledge the idea that these IDs may have been intentionally mismatched.
This theory becomes reliable only when we understand how these identities are processed. Digiday examined documents from BidSwitch, the traffic and demand management company Colossus used to sell ads to The Trade Desk, to get a clearer picture of the process.
BidSwitch embeds the user ID within the URL of the supplier's (i.e. Colossus) sync pixel and loads it in the user's browser. Once loaded, the supplier automatically retrieves her cookie from the browser, creating a direct one-to-one link between her cookie ID in BidSwitch and the supplier's cookie ID. This occurs in a single event where both IDs are displayed.
This process is standard for cookie syncing across all ad tech companies.
So, while it's technically true that Colossus doesn't directly handle The Trade Desk's cookie user IDs, it doesn't need to since the ad tech vendor receives Colossus' data via BidSwitch. Colossus may incorrectly report the BidSwitch cookie ID when sending bid requests to his BidSwitch. Then, when BidSwitch forwards these requests to The Trade Desk, he needs to look up the DSP Cookie ID based on the information provided about the BidSwitch Cookie ID in Colossus' bid request.
If this were to happen, it's easy to see why the Adalytics report caused such a stir. And why is Colossus now on the defensive?
Direct Digital Holdings, Colossus' owner, said Digiday misread the document. You are confusing EID and Buyeruid. Two different things. All data synchronization must be coordinated across technologies, the company said. However, if that's the case, even if there is a cookie, it's not very likely that Adlaytics will monitor the different IDs for the correct cookie.
However, let's consider the possibility that Colossus is not cheating. Perhaps everything flagged by Adalytics is simply the result of a technical glitch in the ad tech intermediary they used. These types of incidents do happen, and as this video shows, they happen frequently at many ad tech vendors for a variety of reasons. These include revenue optimization practices involving bid enrichment, probabilistic matching techniques, data integration challenges, device fragmentation, and identity resolution failures.
However, when these failures occur, they typically have minimal impact on identity mismatches and are considered isolated incidents. That doesn't seem to be the case with Colossus. The Trade Desk, Google, and other ad tech vendors have all reported similar issues to Adalytics, but the collective feedback doesn't paint a positive picture. Even if BidSwitch is not involved and the ad tech vendor is working directly with Colossus, not only will the IDs change, but in most cases the IDs may not match.
“Yes, there are other supply-side platforms besides Colossus that are doing this, but that doesn't make it OK,” said one ad tech executive, who asked not to be named due to commercial considerations. “It's still fraudulent to misrepresent this fact in a bid request.”
This is not just rhetoric. The ad technology executive personally oversaw the test from February through May, analyzing data from the first week of each month and reviewing the results with Digiday.
Their findings show that while most of the exchanges they purchase from have experienced some instances of identity mismatch, these typically occur at a publisher-specific level and are unexpected events for the exchange itself. It was often the case. This pattern was not observed in Colossus. His ID in the bid request and the ID observed during ad delivery never match, the ad tech executive said, suggesting a more systemic problem in the ad tech vendor's operations.
Not surprisingly, the ad technology executive stopped buying ads from Colossus. The fact that the user IDs do not always match is very worrying to them. If the SSP knows definitively that your browser is currently calling “123” based on a cookie sync with his DSP, such as The Trade Desk, then bid on a value other than that specified value. The request should not be issued. When that happens, as in the case of this advertising technology executive, alarm bells ring. The only possible explanations are either some kind of deliberate deception or sheer incompetence, but both scenarios are concerning.
However, not everyone sees it that way.
For example, Dr. Augustine Fou claims that nothing evil was done.
Fou, an independent cybersecurity and ad fraud researcher, explains: “Colossus passes the ID to his BidSwitch, which matches it against The Trade Desk's ID on file and sends the ID to The Trade Desk in a bid request.” Neither Colossus nor his BidSwitch can read The Trade Desk's ID from the browser store because it is set by adsrvr.org (a domain owned by The Trade Desk). None of these parties intentionally tampered with The Trade Desk for any malicious purpose. The fact that The Trade Desk sent back a different ID in the win notification passback pixel indicates that The Trade Desk served the ad to a different user than the ID that was in the browser store. Again, that's how technology works. ”
