Chasing the Revenue Dragon

While chasing the smoky revenue dragon, publishers miss a different monster: Data Leakage.dragon-fotolia_34730412_s

In October The Guardian’s Chief Revenue Officer revealed[1] that numerous ad tech providers in the ad supply chain were extracting up to 70% of advertisers’ money without quantifying the value to the brand. Yes, this revenue loss situation is eye opening, but it’s not the only activity affecting your bottom line. Protecting your data assets is critical for maintaining and maximizing revenue. Inability to control digital audience data within the supply chain is a catalyst for revenue loss. The looming General Data Protection Regulation (GDPR) regulations, that take effect in May 2018, makes the case for data protection that much stronger.

Data: a Publisher’s lifeblood

Every digital publisher intrinsically knows that one of their most valuable assets is their audience data – it drives a publisher’s stickiness with lucrative advertisers, their inventory value, and ultimately their brand image.

Data leakage is the unauthorised transfer of information from one entity to another. In the digital ad ecosystem, data loss traditionally occurred when a brand or marketing agency collected publishers’ audience data and reused it without authorisation. Today, this scenario is much more convoluted due to the volume of players in the digital advertising landscape, causing data loss to steadily permeate the entire digital ad industry.

Publishers lose when they can’t control their valuable consumer data:

1. Depleted market share: With your audience data in their hands, advertisers and ad tech providers can always go to other publications and target the exact audiences, thereby devaluing your brand.

2. Reduced ad pricing:  When advertisers or ad tech providers can purchase your audience at a fraction of the cost it decreases the demand for your ads, thus devaluing your ad prices.

3. Exposure to regulatory penalties & risk mitigation: Collection and use of consumer data is a publisher’s prerogative, but protection of this data is a weighty responsibility. Inability to safeguard data gathered from your website leaves a publisher vulnerable to running afoul of government regulations. Saying the penalties under GDPR are severe is an understatement. The repercussion of noncompliance is losing up to 4% of your total global turnover or €20 million, whichever is greater.

4. Reputation loss: Ultimately, data loss and any news of noncompliance could negatively affect consumer trust and brand reputation.

The hands behind data loss

On average, The Media Trust detects at least 10 parties contributing to the execution or delivery of a single digital ad, and this is a conservative figure considering that frequently this number is as high as 30, and at times more than 100, depending on the size of the campaign, type of ad, and so forth. The contributing parties are typically DSPs, SSPs, Ad Exchanges, Trading Desks, DMPs, CDNs and other middlemen who actively participate in the delivery of the ad as it traverses from advertiser to publisher. Any upstream player, including the advertiser or original buyer, has access to a publisher’s proprietary audience data if not monitored for compliance.

The advertising ecosystem isn’t the only offender. The bulk of third-party vendor code that executes on the publisher’s website goes unmonitored, exposing the publisher to excessive and unauthorised data collection. In these cases, a publisher’s own website acts as a sieve leaking audience data into the digital ecosystem.

Ending the chase

Resolving revenue lost from data leakage isn’t an unsolvable conundrum, but one that can be addressed by applying the following:

  1. Data Collection: Get smart about the tools used for assuring clean ads and content. Your solution provider for ad quality should check for ad security, quality, performance and help with data protection. Reducing excessive data collection is the first step in addressing data leakage.
  1. Data Access: With GDPR, EU-US Privacy Shield, and many more such timely regulations and programs, the onus is on the publisher to understand what data activity their upstream partners engage in via advertising. Instead of today’s rampant mistrust, the supply chain must move to accountability for non-compliant behavior.
  1. Governance: Publishers absolutely need to start adopting and enforcing stricter terms and conditions around data collection and data use.

Ultimately, every publisher needs to monitor and govern third-party partners on their website to close loopholes that facilitate data leakage before pointing fingers at others.

The Great Data Leakage Whodunit

Safeguarding valuable, first-party data isn’t as easy as you think

If your job is even remotely connected to the digital advertising ecosystem, you are probably aware that data leakage has plagued publishers for many years. But you are most likely still in the dark about the scope and gravity of this issue. Simply put, data leakage is the unauthorized transfer of information from one entity to another. In the digital ad ecosystem, this data loss traditionally occurred when a brand or marketing agency collected publishers’ audience data and reused it without authorization. Today, this scenario is much more complicated due to the sheer number of players across the digital advertising landscape, which causes data loss to steadily permeate the entire digital ad industry, and leading to a “whodunit” pandemonium.

Surveying the Scene

On average, at The Media Trust we detect at least 10 parties contributing to the execution or delivery of a single digital ad, and this is a conservative figure considering that frequently this number is as high as 30, and in some cases more than 100, depending on the size of the campaign, type of ad, and so forth. The other contributing parties are typically DSPs, SSPs, Ad Exchanges, Trading Desks, CDNs and other middlemen that actively participate in the delivery of the ad as it moves from advertiser to publisher. Just imagine the cacophony of “not me!” that breaks out when unauthorized data collection is detected. To make matters worse: few understand how data leakage impacts their business and ultimately, the consumer. As a result, an unwieldy game of whodunit is afoot.

Sniffing out the culprit(s)

To unravel this data leakage mystery, let’s get down to brass tacks and build a basic story around just four actors: Bill the Luxury Traveler (Consumer), Brooke the Brand Marketer (Brand), Blair the Audience Researcher (Agency), and Ben the Ad Operations Director (Publisher).

data-leakage-who-dunnit

Bill the Luxury Traveler

Case File: As a typical consumer, Bill researched vacation package for his favorite Aspen resort on a popular travel website. He found a great bargain but wasn’t ready to make the final booking. As he spent the next few days thinking about his decision, he noticed ads for completely different resorts on almost every website he visited. How did “they” know he wants to travel?

Prime Suspects: Bill blames his favorite resort and the leading travel website for not protecting or, even worse, selling his personal data.

Brooke the Brand Marketer

Case File: Brooke is the marketer for a popular Aspen luxury resort. She invested a sizeable percentage of her marketing budget on an agency that specialized in audience research and paid a premium to advertise on a website frequented by consumers like Bill. To her dismay, she realized that this exact target audience is being served ads for competitive resorts on several other websites. How did her competitors know to target the same audience?

Prime Suspects: Brooke questions her ad agency leaking her valuable audience information to the ad ecosystem and also fears the leading travel website does not adequately safeguard audience data. What Brooke does not suspect is her own brand website, which could by itself be a sieve that filters audience data into the hands of competitors and bad actors alike.

Blair the Audience Researcher

Case File: With a decade of experience serving hospitality clients, Blair’s agency specializes in market research to understand the target audience and recommend digital placements for advertising campaigns. However, one of Blair’s prestigious clients questioned her about the potential use of the brand’s proprietary audience data by competitors. How does she prove the client-specific value of her research and justify the premium spend?

Prime Suspects: Blair is concerned about the backlash from her clients and the impact on the agency’s reputation. She now has to discuss the issue with her trading desk partner to understand what happened, but she is unaware that she is about to go down a rabbit hole that could lead right back to her client or the client’s brand website as the main culprit.

Ben the Director of Ad Operations:

Case File: Ben is the Director of Ad Operations for a premium travel website. As a digital publisher, the sanctity of his visitor/audience data directly translates to revenue. In this scenario, he suffered when his valuable audience data floated around the digital ecosystem without proper compensation Almost every upstream partner had access to his audience data and could collect it without permission. When his data leaked it devalued ad pricing, reduced market share and customer trust, and also raised data privacy concerns. How does he detect data leakage and catch the offending party?

Prime Suspects: Everyone. Publishers like Ben are tired of this whodunit scenario and the resulting finger-pointing. While ad exchanges and networks receive a bulk of the blame for data collection, he is aware that many agencies, brand marketers and their brand websites play a role in this caper, too.

And at the end of the day, consumers, people like Bill whose personal data is stolen, are ultimate the victims of this mysterious game.

Guilty until proven innocent

While the whole data leakage mystery is complex, it can be cracked. The first step is accepting that the entire display industry is riddled with mistrust and every participant is guilty until proven innocent. Several publishers, responsible DSPs, trading desks, exchanges, marketing agencies and brands have already taken it upon themselves to solve this endless whodunit. To bolster their innocence, these participants need to carefully review:

  1. Data Collection: Get smart about the tools used for assuring clean ads and content. Your solution provider should check for ad security, quality, performance and help with data protection. Reducing excessive data collection is the first step in addressing data leakage.
  1. Data Access: With the General Data Protection Regulation (GDPR), EU-US Privacy Shield, and many more such timely regulations, the onus is on every player in the digital ad ecosystem to understand what data their upstream and downstream partners can access and collect via ads. Instead of today’s blame game, the industry should slowly see accountability for non-compliant behavior.
  1. Governance: Every entity across the ad ecosystem should adopt and enforce stricter terms and conditions around data collection and data use. This is especially crucial for publishers and brands – the two endpoints of the digital ad landscape.

Ultimately, every participant in the digital advertising ecosystem first needs to monitor and govern their own website in an attempt to close loopholes that facilitate data leakage before pointing fingers at others.

Malvertising: Is this the beginning of the end?

TAG Malware Scanning Guidelines

Decoding TAG malware scanning guidelines for tactical use 

Note: View webinar at https://www.themediatrust.com/videos.php 

The advertising industry’s crackdown on malvertising has begun. TAG’s recently-released malware scanning guidelines clearly state that every player in the digital advertising ecosystem has a role in deterring, detecting and removing malware.

However, these guidelines need to be translated into action plans. As with many cross-industry initiatives, the TAG guidelines serve several different groups across the digital ecosystem while also introducing security concepts to advertising/marketing professionals. The use of words such as: interdict, cloaking, checksum, and eval(), may baffle many ad ops professionals just like defining “creative” as a payload may baffle security teams.

The good news is that The Media Trust’s existing malware clients are already 100% compliant with the guidelines. Other ad ops teams at agencies, ad tech providers, and publishers, will need to translate the best practices into tactical actions in order to bring their operations into compliance.

What is clear: Scanning is in your future

Every entity that touches or contributes code to the serving of an ad plays a role in malware deterrence – this much is clear. Agencies, ad tech providers and publishers alike are, therefore, expected to proactively and repeatedly review their ads for malware.

Specifically, the guidelines state that:

  1.    Ads and their associated landing pages must be scanned for malware
  2.    Scanning should be performed before an ad is viewed by the end consumer
  3.    If initial scanning detects malware, then the ad must be rescanned until malware-free

Read between the lines: Reap what you sow

The complexities of the digital ecosystem make it almost impossible to explicitly state what each player in the advertising ecosystem should do. Typically, the amount of scanning required is directly proportional to the risk of serving a malware-infected ad or directing to a malware-infected landing page. While there are some directional tips, the guidelines also present a few abstract recommendations:

  • Scanning frequency

Ad formats, demand types, consumer reach and access to an ad as it traverses from advertiser to publisher, affect the frequency of recommended scanning.

For instance, a publisher with a campaign using hosted, static ads, targeting a small number of impressions does not have as robust a scanning requirement as a publisher running campaigns with rich media served programmatically. And, an ad contaminated by malware needs to be scanned more frequently than one that doesn’t set off alarm bells during the initial scan. And, an ad that changes mid-flight—modifying targeting, increasing number of impressions, introducing rich media—requires additional scanning.

  • Proof of scanning

Claiming an ad is scanned is not sufficient. As a best practice, all parties should document proof of scanning and this proof should contain creative id, tag specifications, date of initial and subsequent scans and scanning results. In addition, each party in the advertising value chain should establish a point of contact for reporting malware and communicate it to their upstream and downstream partners. 

  • Know your partner

A critical factor that informs rescanning cadence is the provider’s confidence in their upstream partner(s). Long-standing relationships with reputable, responsive partner(s) infers a reduced likelihood of malicious activity, as opposed to a newly-formed partnership with a one-man shop based in a foreign country. And, the provider should also track and document if their partner adheres to the scanning guidelines, too.

Look ahead: This is just the beginning

The guidelines clearly set the stage for optimizing ad quality and its resulting effect on the user experience, with an emphasis on security. A 100% malware-free advertising experience can’t be guaranteed, but everyone agrees it can be greatly improved. Future steps will undoubtedly address data privacy, ad behavior and more.

While these guidelines provide the impetus to tackle malvertising, it’s a safe bet that industry leaders will push to make them standard a la TAG Certified Against Fraud and Certified Against Piracy programs. And, in order to standardize, a certification and evaluation or audit process will be needed.  

Stay tuned.

Learn more
The Media Trust hosted three informative webinars presenting specific direction to publishers, ad tech providers and agency/buyers. To view, visit https://www.themediatrust.com/videos.php

To mock or not to mock?

Avoiding fraudulent advertising campaign verification is critical for publishers

ad-mockup

That is the question frequently asked by media publishers trying to meet advertiser demands related to digital campaign success. The industry’s intense focus on viewability and transparency issues associated with ad fraud hijacks the limelight from another vital area of interest for advertisers: Are campaigns actually running as contracted?

What the advertiser wants, the advertiser gets

To justify the millions (and millions!) of dollars spent promoting products, advertisers rightfully demand proof that their campaigns execute as promised.

From expected ad rendering on the page to accurate targeting by geography and behavior profiles, advertisers want to know that the right ad has been served in the right way in the right location on the right page to the right demographic. In fact, when considering the average spend of a large-scale national campaign flight, many advertisers will assert they deserve to know their campaign is performing as promised.

Authenticated ad inventory yields benefits

The advertising ecosystem is a dynamic environment processing millions of ads covering billions in spend at any one time. Considering that 5% of display and mobile ads are served incorrectly at launch and countless more break during flight, publishers need to actively monitor and protect their ad-generated revenue channels.[i]

Authenticated ad inventory helps publishers secure ad revenue by avoiding pre-planned delivery overages to compensate for anticipated discrepancies. In addition, it also reduces the frequency of misfiring campaigns, thus minimizing instances of “make good” campaigns.

Ad verification is more than good looks

Reputable publishers recognize the value of their high-quality inventory and demonstrate it by providing proof of ad delivery according to established terms. This is a complicated prospect in an age of large-scale campaigns incorporating ads of varying formats (i.e., HTML5, pre/mid/post-roll video, native, etc.) through multiple platforms (i.e., display, tablet, smartphone, gaming consoles, etc.) across increasingly granular targeting segments.

A Photoshopped “mock-up” or full-page capture of the ad on a screen is a start, but it isn’t enough. Presenting a “mock-up” of how an ad should look could be considered fraudulent as it’s not a true representation of how an ad performs across all formats, devices and geographies. In fact, several industries (Tier 2 automotive, pharmaceutical, etc.) and countries (especially those in Latin America) regulate advertising-based billing processes and require third-party verified screenshots upon invoice presentation.

Beyond the visual of “how” an ad looks on a device, publishers must prove that each ad is delivered as contracted with the advertiser. Continuous monitoring of campaigns at launch and throughout flight will quickly detect errors associated with targeting, creative and device-specific issues that impede optimal campaign execution.

Authentication of possibly hundreds of ad combinations—by size, format, device and geography—is used by publishers to substantiate inventory value and by advertisers to audit and measure campaign ROI.

Consider this

To verify accurate ad placement, execution and targeting, a publisher must consider these five factors:

1.    Legitimacy: Screenshots of ads in a live environment truthfully demonstrate that an ad is delivered to the right target. A “mock-up” or “test page” may display how an ad appears on a site, but in reality it provides a false sense of security for how the ad is actually executing. It also infers that the ad will render the same across all devices, OS, formats and geographies.

2.    Accuracy: Mock-ups can’t prove ad placement as many ad units only occur behind paywalls or require an IP address in order to serve the correct messaging to the individual user.

3.    Automation: Imagine scaling the manual process of verifying ads across the overwhelming number of devices, browsers, user profiles, formats, sizes and geo-locations. Without automation, the task is almost impossible. Leverage technology to streamline the process.

4.    Costs: Carefully consider the total cost of ownership when deciding between an in-house or outsourced process. While in-house resources are easier to control, it is difficult to secure funding and keep the staff engaged. On the flip side, outsourcing requires integration, training, probable coordination with targeting vendors, and continuous oversight which could ultimately be more costly than anticipated—not to mention the complications of managing a remote team, in a case of choosing a non-local entity if a non-native entity is selected.

5.    Quality Assurance: Reliance on mock-up designs to certify campaign execution will not catch errors that occur at launch or throughout the campaign flight.

Ad verification is a complex, yet critical endeavor for publishers looking to highlight inventory value. Don’t mock it.

 

[i] The Media Trust analysis of millions of ad campaigns verified over the course of 10 years.

Malvertising: The story behind the story

Security firms make mountains out of molehills

Malware alert! Malware alert! It seems every time you turn around there’s a news story or report exposing the presence of malware in the online and mobile advertising ecosystem. The vector, exploit kit or function may change, but the story is the same—some industry expert uncovers new ad-based malware or malvertising and the media sounds the alarm. Preying on cyber-related anxieties, these stories typically present an exaggerated synopsis of the situation and focus on a single instance, spotlight one industry provider, and don’t offer actionable information for the reader. As a result, these provocative articles often make mountains out of molehills and end up missing the real story: Why does the industry expert believe this particular malware incident is news?

 

Malware Alert

Keeping it real

Malware serves as an umbrella term for any intrusive software program with malicious or hostile intent, and covers a variety of forms including viruses, Trojans, and worms. Diagnosing malware provides critical insight into identifying current system vulnerabilities and mitigating future compromises and the classic approach used by traditional security researchers requires the collection of malware samples and days of analysis by experts.

Ad-related malware behaves differently from other forms of malware and requires a distinct approach. Anyone that truly understands the advertising ecosystem recognizes that ad-based malware delivers through a publisher website for a very brief time period, typically for an hour or less, before it terminates and moves on in a mutated form to infect hundreds of other sites. In addition, the infected ad must first render on a browser before it deploys—automatically or through site visitor action—and there’s no guarantee that it will impact every browser or deploy every time rendered.

For these reasons, it’s misleading to report on one malvertising incident captured on one site. In addition, it’s irresponsible to call out a publisher for something that cannot be replicated, and these reports cause unnecessary panic among advertisers, ad networks, exchanges and publishers who spend countless resources addressing a malware event that no longer exists.

Diagnosing the motivation

Publishing incident-specific ad-based malware reports provides very little useful information and does very little to eliminate malvertising from the advertising ecosystem. Yet, this reporting persists for two primary reasons—extortion or publicity.

Known as “White Hat Ransomware”, disreputable security analysts mine websites for malvertising incidents and present the findings to the site/publisher hosting the bad ad. They offer to sell the vector information so the publisher can shut down the infection, with the understanding that the malware incident could be publicly released should the publisher choose to not pay. Usually perpetrated by obscure individuals or groups, this type of extortion proves very lucrative as many publishers purchase the information in order to avoid the time-consuming fallout of negative publicity.

The more reputable network, endpoint and intelligence security firms try to extend their traditional malware analysis skill set to malvertising and digital content. However, it doesn’t work. Effective analyses requires continuous, real-time monitoring of the advertising environment from the browser or consumer point of view which requires scanning active ad placements using simulated users set up with the exact geographic and behavioral profiles that the ad is targeting—something that can’t be accurately replicated after the fact. In addition, the ever-shifting nature of malvertising means that capturing a screen shot of an incident found on a single site is misguided—if it exists on one site, it exists on hundreds or thousands of other publisher sites and ad networks—and the post-incident analysis offers no valuable benefit to the consumers already exposed. By publishing malvertising-related reports about something that happened days, weeks or months ago, these firms unleash chaos in the ad tech industry as the publisher and its partners attempt to locate a vector that no longer exists.

Protecting the advertising ecosystem

Malware in the ad tech industry is not news. Admittedly, the ad tech industry plays a central role in the propagation of malware in the online and mobile advertising ecosystem, however, this fact is not ignored by responsible industry players who fiercely combat it every day. From establishing working groups to creating “good ad” certifications to performing extensive due diligence on buyer clients, the industry works hard to tackle the presence of malware. In fact, many of largest, most-visited websites actively scan their advertisements to identify and remove anomalous vectors before they morph and become overt malware drops. Unfortunately, a few ad-based malware vectors get through, but that number is minuscule in comparison to the billions of ads successfully rendered every day.

In effect, malvertising isn’t a new trend. In fact, it emerged shortly after the birth of banner ads 20+ years ago. What’s new is that traditional security companies are finally realizing that digital properties—websites and mobile apps—can be compromised. If you want to know how malvertising really works, ask The Media Trust. We’ve been detecting malware in the online and mobile environment for close to a decade, not the past few months.

Eyeota announces partnership with The Media Trust

Bringing world-class protection solutions to online publishers in Asia Pacific and Europe.

Eyeota The Media Trust partnership

SINGAPORE, July 7, 2014 – Eyeota, the world’s largest international audience data marketplace, today announced a partnership with The Media Trust, a global leader in monitoring and protecting the online and mobile advertising ecosystems, to provide world-class transparency, verification and protection tools to Eyeota’s publishers and data providers across the globe.

With a physical presence in 500 global cities located across six continents, The Media Trust’s proprietary website and ad tag scanning technology provides continuous, non-stop protection against malware, web and mobile anomalies, site performance issues and data leakage, which can lead to lost revenue and privacy violations. Both collectively and individually these can and do harm the customer experience, negate a publisher’s ability to monetize its own audience data, lead to possible privacy violations and damage the publisher’s and data provider’s reputation and, ultimately, revenue. More than 400 publishers, ad networks, exchanges, agencies and corporate enterprises from across the online and mobile ad ecosystems use The Media Trust’s suite of continuous, non-stop detecting, inspecting, alerting and verification services to protect their website.

“As audience-based ad targeting is becoming the norm, publishers have realized their data is their number one asset. Publishers are exposed daily to data theft, data skimming and data leakage. Eyeota has partnered with The Media Trust to bring the best protection, transparency and verification tools to publishers across the globe. The Media Trust is the world leader in data and malware protection for publishers. More than 75% of the top publishers in the United States use their solutions to monitor, protect and shield their data.” Said Kevin Tan, CEO, Eyeota.

He added, “Given the inherent complexity of online ad serving, publishers need continuous, 24/7 monitoring of all ad tags and tools running on their sites, as well as real-time alerts on any unauthorized tracking of website visitors. This partnership not only brings a comprehensive suite of services to our publishers, but it also demonstrates the importance Eyeota continues to place on publishers and the job of protecting their online assets. The Media Trust offers best-in-class solutions, and we are very pleased to announce this partnership.”

Chris Olson, chief executive officer and co-founder of The Media Trust said, “Partnering with Eyeota in international markets was a natural decision. Not only is Eyeota the trusted leader in third-party monetization and management solutions for publishers worldwide, but their publisher-centric focus demonstrates they understand publishers’ challenges and needs as well as the value of their data.”

The Media Trust monitoring and protection solutions will be available worldwide on the Eyeota platform beginning immediately.

For more information please contact:

Eyeota: Laura Keeling – lkeeling@eyeota.com, Telephone: +65 9117.3718

The Media Trust: Ellen Donovan – ellen@themediatrust.com, Telephone +1 404.374.7822