Nothing in ad tech is ever easy, even the years of mayhem. What seemed like a clear cut case of a dodgy ad tech vendor is actually a lot more hierarchical. The ad tech vendor in question is Colossus supply-side platform, owned by Digital Holdings Group.
Ad transparency startup Adalytics says its programmatic marketplace has repeatedly seen user IDs misrepresented. Additionally, the altered ID information consistently mimicked the cookie ID that was attracting high bids from The Trade Desk, his DSP that Adalytics used for analysis.
This means that this pattern of behavior closely resembles a scam.
This is where things start to get complicated. Colossus sued Addalytics for defamation, harmful falsehoods, and false advertising.
To understand why ad tech companies with seemingly questionable practices are so eager to protect their reputations, it's important to dig deeper into what happened.
Earlier this month, Adalytics revealed that The Trade Desk was frequently presented with a false ID each time it bought ads through Colossus. These IDs purportedly targeting premium audiences were not matched. There was a significant discrepancy between the audience characteristics claimed at the time of purchase and the audience characteristics actually present in the browser when the ad was served.
In its defense, Colossus did not deny the findings, but disputed accusations that it was responsible for identity spoofing. CEO Mark Walker shifted the blame to the broader complexities of the ad tech ecosystem. Adalytics also acknowledged this in their report.
Here's what Walker told Digiday in an emailed statement:
“The claims made in the Adalytics report are demonstrably false and demonstrate a troubling misunderstanding of the complexity of programmatic environments. Technology integration across numerous vendors makes it easy for ecosystems to be mismatched. Our job as an industry is to solve them. Even the largest and most reputable ad tech companies need to continually work with their advertising partners to ensure programmatic campaigns are executed correctly. “Colossus SSP has a proven track record of working with our partners to resolve any issues that may arise.”
While this may be true, Walker's rebuttal is not complete and leaves the door open to doubt and speculation. Remarkably, it does not even acknowledge the idea that these IDs may have been intentionally mismatched.
This theory becomes reliable only when we understand how these identities are processed. Digiday examined documents from BidSwitch, the traffic and demand management company Colossus used to sell ads to The Trade Desk, to get a clearer picture of the process.
BidSwitch embeds the user ID within the URL of the supplier's (i.e. Colossus) sync pixel and loads it in the user's browser. Once loaded, the supplier automatically retrieves her cookie from the browser, creating a direct one-to-one link between her cookie ID in BidSwitch and the supplier's cookie ID. This occurs in a single event where both IDs are displayed.
This process is standard for cookie synchronization for all ad tech companies.
So, while it's technically true that Colossus doesn't directly handle The Trade Desk's cookie user IDs, it doesn't need to since the ad tech vendor receives Colossus' data via BidSwitch. Colossus may incorrectly report the BidSwitch cookie ID when sending bid requests to his BidSwitch. Then, when BidSwitch forwards these requests to The Trade Desk, he needs to look up the DSP Cookie ID based on the information provided about the BidSwitch Cookie ID in Colossus' bid request.
If this were to happen, it's easy to see why the Adalytics report caused such a stir. And why is Colossus now on the defensive?
Direct Digital Holdings, Colossus' owner, said Digiday misread the document. You are confusing EID and Buyeruid. Two different things. All data synchronization must be coordinated across technologies, the company said. However, if that's the case, even if there is a cookie, it's not very likely that Adlaytics will monitor the different IDs for the correct cookie.
However, let's consider the possibility that Colossus is not cheating. Perhaps everything flagged by Adalytics is simply the result of a technical glitch in the ad tech intermediary they used. These types of incidents do happen, and as this video shows, they happen frequently at many ad tech vendors for a variety of reasons. These include revenue optimization practices involving bid enrichment, probabilistic matching techniques, data integration challenges, device fragmentation, and identity resolution failures.
However, when these failures occur, they typically have minimal impact on identity mismatches and are considered isolated incidents. That doesn't seem to be the case with Colossus. The Trade Desk, Google, and other ad tech vendors have all reported similar issues to Adalytics, but the collective feedback doesn't paint a positive picture. Even if BidSwitch is not involved and the ad tech vendor is working directly with Colossus, not only will the IDs change, but in most cases the IDs may not match.
“Yes, there are other supply-side platforms besides Colossus that do this, but that doesn’t mean it’s OK,” said one ad tech executive, who requested anonymity for commercial reasons. “Misrepresenting these facts in a bid request remains fraudulent.”
This is not just rhetoric either. The ad tech executive personally oversaw the test from February to May, analyzing the first week of each month's data and reviewing the results for Digiday.
Their findings show that while most of the exchanges they purchase from have experienced some instances of identity mismatch, these typically occur at a publisher-specific level and are unexpected events for the exchange itself. It was often the case. This pattern was not observed in Colossus. His ID in the bid request and the ID observed during ad delivery never match, the ad tech executive said, suggesting a more systemic problem in the ad tech vendor's operations.
Not surprisingly, this ad tech exec has stopped buying ads from Colossus. The fact that the user IDs don't always match is a real pain point for them. If an SSP knows conclusively that the browser is currently called “123” based on cookie syncs with DSPs like The Trade Desk, then they shouldn't be issuing bid requests with any value other than the one specified. If that were to happen, it would raise alarm bells just as it did for this ad tech exec. The only explanation they can think of is either some kind of deliberate deception or total incompetence, both scenarios of concern.
However, not everyone sees it that way.
For example, Dr. Augustine Fou claims that nothing evil was done.
Fou, an independent cybersecurity and ad fraud researcher, explains: “Colossus passes the ID to his BidSwitch, which matches it against The Trade Desk's ID on file and sends the ID to The Trade Desk in a bid request.” Neither Colossus nor his BidSwitch can read The Trade Desk's ID from the browser store because it is set by adsrvr.org (a domain owned by The Trade Desk). None of these parties intentionally tampered with The Trade Desk for any malicious purpose. The fact that The Trade Desk sent back a different ID in the win notification passback pixel indicates that The Trade Desk served the ad to a different user than the ID that was in the browser store. Again, that's how technology works. ”