Hear what The Media Trust’s Alex Calic, Chief Revenue Officer, has to say about how GDPR will drive transparency into publisher digital ecosystems. He shared his thoughts with Joost Schipperijn, Index Exchange, during DMEXCO.
Hear what The Media Trust’s Alex Calic, Chief Revenue Officer, has to say about how GDPR will drive transparency into publisher digital ecosystems. He shared his thoughts with Joost Schipperijn, Index Exchange, during DMEXCO.
Authored by Alex Calic, Chief Revenue Officer, The Media Trust
Malware is a serious problem in the digital advertising ecosystem. Not only is it a contributing factor to ad blocking adoption, but also a significant driver of ad fraud. The World Federation of Advertisers estimates that the total cost of ad fraud could exceed $50B by 2025. Clearly, something must be done.
Various groups have attempted to address this malware problem with little success, but one group is taking decisive action. The Trustworthy and Accountability Group (TAG)—supported by the IAB—recently launched a malware certification program. As an inaugural certification recipient, The Media Trust is fully behind this initiative—just ask for program details.
The certification program is open to any entity that touches creative as it moves through the digital advertising ecosystem, from buyer to intermediary to seller. Even malware scanners like The Media Trust have the option to participate and commit to industry efforts for creating a healthier advertising supply chain.
TAG’s “Certified Against Malware” seal is awarded to enterprises that can demonstrate adherence to rigorous anti-malware standards, especially those delineated in TAG’s Best Practices for Scanning Creative for Malware.
The program yields a host of benefits for publishers and their upstream partners. Specifically, participating companies can:
Anti-malware certification program participants promise to adhere to malware scanning best practices, make best efforts to identify and terminate malicious activity, and submit to a TAG-directed audit.
You, too, can join industry efforts by following these steps:
Upstream partners should be identified and points of contact for security violations documented. Appraise each partner according to their history of addressing malware incidents, industry reputation and general relationship experience. Especially if a direct contract is not involved, discuss respective malware scanning responsibilities.
NOTE: Watch this quick overview of TAG’s recommended scanning cadence.
The future of the digital ecosystem rests on everyone’s shoulder—advertiser, agency, ad tech and publisher. Let’s make it a better place. Verify your inventory is malware-free. The Media Trust can show you how—Just ask.
In October The Guardian’s Chief Revenue Officer revealed that numerous ad tech providers in the ad supply chain were extracting up to 70% of advertisers’ money without quantifying the value to the brand. Yes, this revenue loss situation is eye opening, but it’s not the only activity affecting your bottom line. Protecting your data assets is critical for maintaining and maximizing revenue. Inability to control digital audience data within the supply chain is a catalyst for revenue loss. The looming General Data Protection Regulation (GDPR) regulations, that take effect in May 2018, makes the case for data protection that much stronger.
Every digital publisher intrinsically knows that one of their most valuable assets is their audience data – it drives a publisher’s stickiness with lucrative advertisers, their inventory value, and ultimately their brand image.
Data leakage is the unauthorised transfer of information from one entity to another. In the digital ad ecosystem, data loss traditionally occurred when a brand or marketing agency collected publishers’ audience data and reused it without authorisation. Today, this scenario is much more convoluted due to the volume of players in the digital advertising landscape, causing data loss to steadily permeate the entire digital ad industry.
Publishers lose when they can’t control their valuable consumer data:
1. Depleted market share: With your audience data in their hands, advertisers and ad tech providers can always go to other publications and target the exact audiences, thereby devaluing your brand.
2. Reduced ad pricing: When advertisers or ad tech providers can purchase your audience at a fraction of the cost it decreases the demand for your ads, thus devaluing your ad prices.
3. Exposure to regulatory penalties & risk mitigation: Collection and use of consumer data is a publisher’s prerogative, but protection of this data is a weighty responsibility. Inability to safeguard data gathered from your website leaves a publisher vulnerable to running afoul of government regulations. Saying the penalties under GDPR are severe is an understatement. The repercussion of noncompliance is losing up to 4% of your total global turnover or €20 million, whichever is greater.
4. Reputation loss: Ultimately, data loss and any news of noncompliance could negatively affect consumer trust and brand reputation.
On average, The Media Trust detects at least 10 parties contributing to the execution or delivery of a single digital ad, and this is a conservative figure considering that frequently this number is as high as 30, and at times more than 100, depending on the size of the campaign, type of ad, and so forth. The contributing parties are typically DSPs, SSPs, Ad Exchanges, Trading Desks, DMPs, CDNs and other middlemen who actively participate in the delivery of the ad as it traverses from advertiser to publisher. Any upstream player, including the advertiser or original buyer, has access to a publisher’s proprietary audience data if not monitored for compliance.
The advertising ecosystem isn’t the only offender. The bulk of third-party vendor code that executes on the publisher’s website goes unmonitored, exposing the publisher to excessive and unauthorised data collection. In these cases, a publisher’s own website acts as a sieve leaking audience data into the digital ecosystem.
Resolving revenue lost from data leakage isn’t an unsolvable conundrum, but one that can be addressed by applying the following:
Ultimately, every publisher needs to monitor and govern third-party partners on their website to close loopholes that facilitate data leakage before pointing fingers at others.
If your job is even remotely connected to the digital advertising ecosystem, you are probably aware that data leakage has plagued publishers for many years. But you are most likely still in the dark about the scope and gravity of this issue. Simply put, data leakage is the unauthorized transfer of information from one entity to another. In the digital ad ecosystem, this data loss traditionally occurred when a brand or marketing agency collected publishers’ audience data and reused it without authorization. Today, this scenario is much more complicated due to the sheer number of players across the digital advertising landscape, which causes data loss to steadily permeate the entire digital ad industry, and leading to a “whodunit” pandemonium.
On average, at The Media Trust we detect at least 10 parties contributing to the execution or delivery of a single digital ad, and this is a conservative figure considering that frequently this number is as high as 30, and in some cases more than 100, depending on the size of the campaign, type of ad, and so forth. The other contributing parties are typically DSPs, SSPs, Ad Exchanges, Trading Desks, CDNs and other middlemen that actively participate in the delivery of the ad as it moves from advertiser to publisher. Just imagine the cacophony of “not me!” that breaks out when unauthorized data collection is detected. To make matters worse: few understand how data leakage impacts their business and ultimately, the consumer. As a result, an unwieldy game of whodunit is afoot.
To unravel this data leakage mystery, let’s get down to brass tacks and build a basic story around just four actors: Bill the Luxury Traveler (Consumer), Brooke the Brand Marketer (Brand), Blair the Audience Researcher (Agency), and Ben the Ad Operations Director (Publisher).
Case File: As a typical consumer, Bill researched vacation package for his favorite Aspen resort on a popular travel website. He found a great bargain but wasn’t ready to make the final booking. As he spent the next few days thinking about his decision, he noticed ads for completely different resorts on almost every website he visited. How did “they” know he wants to travel?
Prime Suspects: Bill blames his favorite resort and the leading travel website for not protecting or, even worse, selling his personal data.
Case File: Brooke is the marketer for a popular Aspen luxury resort. She invested a sizeable percentage of her marketing budget on an agency that specialized in audience research and paid a premium to advertise on a website frequented by consumers like Bill. To her dismay, she realized that this exact target audience is being served ads for competitive resorts on several other websites. How did her competitors know to target the same audience?
Prime Suspects: Brooke questions her ad agency leaking her valuable audience information to the ad ecosystem and also fears the leading travel website does not adequately safeguard audience data. What Brooke does not suspect is her own brand website, which could by itself be a sieve that filters audience data into the hands of competitors and bad actors alike.
Case File: With a decade of experience serving hospitality clients, Blair’s agency specializes in market research to understand the target audience and recommend digital placements for advertising campaigns. However, one of Blair’s prestigious clients questioned her about the potential use of the brand’s proprietary audience data by competitors. How does she prove the client-specific value of her research and justify the premium spend?
Prime Suspects: Blair is concerned about the backlash from her clients and the impact on the agency’s reputation. She now has to discuss the issue with her trading desk partner to understand what happened, but she is unaware that she is about to go down a rabbit hole that could lead right back to her client or the client’s brand website as the main culprit.
Case File: Ben is the Director of Ad Operations for a premium travel website. As a digital publisher, the sanctity of his visitor/audience data directly translates to revenue. In this scenario, he suffered when his valuable audience data floated around the digital ecosystem without proper compensation Almost every upstream partner had access to his audience data and could collect it without permission. When his data leaked it devalued ad pricing, reduced market share and customer trust, and also raised data privacy concerns. How does he detect data leakage and catch the offending party?
Prime Suspects: Everyone. Publishers like Ben are tired of this whodunit scenario and the resulting finger-pointing. While ad exchanges and networks receive a bulk of the blame for data collection, he is aware that many agencies, brand marketers and their brand websites play a role in this caper, too.
And at the end of the day, consumers, people like Bill whose personal data is stolen, are ultimate the victims of this mysterious game.
While the whole data leakage mystery is complex, it can be cracked. The first step is accepting that the entire display industry is riddled with mistrust and every participant is guilty until proven innocent. Several publishers, responsible DSPs, trading desks, exchanges, marketing agencies and brands have already taken it upon themselves to solve this endless whodunit. To bolster their innocence, these participants need to carefully review:
Ultimately, every participant in the digital advertising ecosystem first needs to monitor and govern their own website in an attempt to close loopholes that facilitate data leakage before pointing fingers at others.
Note: View webinar at https://www.themediatrust.com/videos.php
The advertising industry’s crackdown on malvertising has begun. TAG’s recently-released malware scanning guidelines clearly state that every player in the digital advertising ecosystem has a role in deterring, detecting and removing malware.
However, these guidelines need to be translated into action plans. As with many cross-industry initiatives, the TAG guidelines serve several different groups across the digital ecosystem while also introducing security concepts to advertising/marketing professionals. The use of words such as: interdict, cloaking, checksum, and eval(), may baffle many ad ops professionals just like defining “creative” as a payload may baffle security teams.
The good news is that The Media Trust’s existing malware clients are already 100% compliant with the guidelines. Other ad ops teams at agencies, ad tech providers, and publishers, will need to translate the best practices into tactical actions in order to bring their operations into compliance.
Every entity that touches or contributes code to the serving of an ad plays a role in malware deterrence – this much is clear. Agencies, ad tech providers and publishers alike are, therefore, expected to proactively and repeatedly review their ads for malware.
Specifically, the guidelines state that:
The complexities of the digital ecosystem make it almost impossible to explicitly state what each player in the advertising ecosystem should do. Typically, the amount of scanning required is directly proportional to the risk of serving a malware-infected ad or directing to a malware-infected landing page. While there are some directional tips, the guidelines also present a few abstract recommendations:
Ad formats, demand types, consumer reach and access to an ad as it traverses from advertiser to publisher, affect the frequency of recommended scanning.
For instance, a publisher with a campaign using hosted, static ads, targeting a small number of impressions does not have as robust a scanning requirement as a publisher running campaigns with rich media served programmatically. And, an ad contaminated by malware needs to be scanned more frequently than one that doesn’t set off alarm bells during the initial scan. And, an ad that changes mid-flight—modifying targeting, increasing number of impressions, introducing rich media—requires additional scanning.
Claiming an ad is scanned is not sufficient. As a best practice, all parties should document proof of scanning and this proof should contain creative id, tag specifications, date of initial and subsequent scans and scanning results. In addition, each party in the advertising value chain should establish a point of contact for reporting malware and communicate it to their upstream and downstream partners.
A critical factor that informs rescanning cadence is the provider’s confidence in their upstream partner(s). Long-standing relationships with reputable, responsive partner(s) infers a reduced likelihood of malicious activity, as opposed to a newly-formed partnership with a one-man shop based in a foreign country. And, the provider should also track and document if their partner adheres to the scanning guidelines, too.
The guidelines clearly set the stage for optimizing ad quality and its resulting effect on the user experience, with an emphasis on security. A 100% malware-free advertising experience can’t be guaranteed, but everyone agrees it can be greatly improved. Future steps will undoubtedly address data privacy, ad behavior and more.
While these guidelines provide the impetus to tackle malvertising, it’s a safe bet that industry leaders will push to make them standard a la TAG Certified Against Fraud and Certified Against Piracy programs. And, in order to standardize, a certification and evaluation or audit process will be needed.
In October 2015, the Interactive Advertising Bureau (IAB) announced L.E.A.N. Ads (LEAN), an initiative to overhaul and update standard advertising principles. In response to the steady rise in ad blocking capabilities, Flash furor, surge in HTML5 creative and a corresponding battery drain on mobile devices, the IAB proposed these principles to guide the development of the next phase of advertising technical standards. These principles aim to address consumer concerns regarding the affect advertisements have on site performance, security and data privacy.
What exactly is LEAN? That’s what The Media Trust clients want to know.
In a nutshell, LEAN aims to tighten the guidelines associated with the delivery of advertising content across desktop, mobile and tablet devices. As clients have discovered, The Media Trust’s Media Scanner service already supports the proposed LEAN elements, and more.
This is easier said than done. The actual size of an ad’s creative design can be weighty, and the larger it is the longer it takes to load on a browser. For example, a 10MB design file loading on a 10k page destroys the user experience, especially if viewed on a mobile device.
But, the creative file size is not the only contributor to an ad’s disruption to the user experience. Once the initial creative is inserted into an ad tag, it moves through the advertising ecosystem accumulating additional components not critical to the actual rendering of the ad. For the most part, well-intentioned parties append tags to evaluate and optimize the ad’s overall performance and provide a more positive customer experience so that, in the future, the user is served a relevant ad when and how he wants to see it.
Managing the total ad file size is critical to the user experience—if it takes too long to load then the entire experience is at risk, negatively impacting both the advertiser and publisher. Hundreds of publishers and advertisers already use features in Media Scanner to set policies to alert on ads that exceed client-determined policies spanning total creative file size, total download size, number of calls/connections and CPU utilization, among others.
Site security initiatives took the world by storm earlier this summer when Google ad networks moved to HTTPS and the White House directed federal sites to be HTTPS compliant. As outlined in a previous post, to have a truly encrypted site EACH and EVERY connection made must communicate through HTTPS, including all third-party code, not just advertising. This means other site vendors—content delivery networks, data management platforms, hosting services, analytic tools, product reviews, video platforms, etc.—need to ensure all of their connections are made via HTTPS. Just one break in any call chain will cause the entire site to be unencrypted.
However, encryption is just one element of providing a secure consumer experience. Publishers and ad tech partners need to continuously be on the lookout for compromised ads exposing site visitors to malware. The only way these will be found is through continuously scanning sites and ads for malware, vulnerable ads and all encryption call failures.
Launched in 2011, AdChoices is an industry self-regulation program outlining how advertisers and publishers collect consumer data used for re-targeting and giving consumers control over the process by allowing them to opt out of data collection activity. While created with good intentions, the program is not well understood by most consumers with the net effect that many who are against data collection do not actually opt out.
Determining an ad’s compliance with AdChoices is relatively straightforward. The tricky part is ensuring compliance with the myriad of state and federal regulations covering healthcare and children. In these instances, compliance isn’t a consumer choice, it is the law.
Data privacy is a serious concern among the general public who want to know the “who,” “what” and “how” of data collection—who is collecting, what is collected and how is it going to be used. Publishers want to know the answers to these basic questions and use Media Scanner to identify, analyze and report on all vendors executing on their digital properties with particular attention paid to the players involved in serving an ad. What publishers frequently discover is that their vendors—and external parties called to help the vendor render a service—perform actions that are not germane to the contracted relationship, such as dropping customer-tracking cookies. Besides giving up valuable customer data, publishers know that these unauthorized actions are contrary to many privacy policies posted on their sites and use Media Scanner to track this violating behavior.
This vague statement can be broken down into two categories that affect the consumer experience: technical performance and visual quality of an ad. Technical aspects of an ad, such as download size and CPU utilization, are represented in the “L” of LEAN described earlier. Visual ad quality refers to how an ad looks and behaves to the user. There’s nothing quite as startling as visiting a page to be greeted with ads automatically blaring audio or playing a video. And almost everyone is annoyed at ads that shake, blink, expand and push content around, or take over the page.
Reputable publishers have policies regarding the presence of these irritating ads on their sites. They use Media Scanner to enforce the policies by alerting on any ad in violation. In addition, publisher clients set policies regarding appropriate content of ads for their audience. While many clients ban adult, alcohol and gambling, some categorize ads by company, industry and brand to ensure the ads don’t conflict with the content. For example, an airline would not want their ads appearing on pages featuring a plane crash; nor would an automotive company appreciate their ads appearing on pages chronicling a safety recall for their vehicle brand.
The mounting backlash from consumers regarding slow site performance, malware exposure and data collection activities generated from digital advertisements must be addressed. Publishers that truly understand the value of a positive customer experience already closely protect it and avoid serving resource-draining, unsecure and intrusive ads. They use The Media Trust to preview ads (and third-party code) before being served and to continuously monitor and detect any policy-breaking activity.
In the end, the best way to protect the consumer experience is for advertisers and publishers to work together, adopt LEAN and enforce compliance with the proposed technical standards.
The continuous threat of malware in the advertising ecosystem keeps many advertising operations professionals awake at night. The speed at which ads are bought and served and the number of players involved comes at a steep price—vulnerability to malware. For years, The Media Trust has tackled this vulnerability head on by detecting malware in our clients’ digital ecosystems and providing the critical details that allow the malware to be located and shut down. Impacted clients then communicated these details with the specific partner serving the infected ad. This daisy-chain process involves a series of communications with upstream partners, a process that can take up to 72 hours while the malicious ad continues to circulate.
To minimize the daisy-chain effect, The Media Trust introduced Media Scanner’s Resolution Services, an information sharing service that provides for simultaneous communication of malware alert details among partners. Announced in April, Media Scanner’s Resolution Services has proven to be a resounding success with 20 digital publishers and more than 20 ad tech partners enrolled in just under six months.
Media Scanner’s Resolution Services is a SaaS-based service that provides real-time information sharing with upstream and downstream business partners about malicious ads detected in a client’s advertising operation. As part of the Media Scanner product family, this solution is available as a complimentary add-on to existing clients with significant ad tag volume.
Designed for publishers, ad networks, ad exchanges, demand platforms and paid-content engines, the service’s continuous, real-time information sharing compresses cycle times for malware detection, notification and remediation from several days to mere seconds, drastically reducing infected tags’ ability to harm site visitors and the site’s brand reputation. By compressing this cycle time, companies can speed incident remediation, protect revenue by ensuring ad tags stay active and strengthen business relationships.
Real-time, actionable malvertising intelligence delivers a host of benefits to the entire digital ecosystem.
In the past few months, this solution simultaneously communicated hundreds of malware incidents to impacted publishers and their authorized ad tech partners, greatly accelerating the termination of malware, removing hours—sometimes days—from the cycle. This increased speed of malware incident resolution exponentially improves the level of protection across the greater online and mobile advertising ecosystem. But more can be done.
Ad tech providers want to get into the game and initiate this program with their buying partners, attesting to the true value of Media Scanner’s Resolution Services. The Media Trust is now working with ad tech clients to share incidents with authorized agency media buyers and trading desks—a critical step to tackling malware as it enters the advertising environment. Malvertising will never be eradicated, but, limiting its ability to rapidly propagate throughout the digital ecosystem helps everyone rest a bit easier.