Home Online Advertising Adalytics Claims Colossus SSP Is Misdeclaring IDs In Its Bid Requests

Adalytics Claims Colossus SSP Is Misdeclaring IDs In Its Bid Requests

SHARE:

Call it another colossal error in the long history of ad tech spoofing.

Colossus SSP, a DEI-focused supply-side platform owned by Direct Digital Holdings (DDH), is the subject of Adalytics’ latest report released Friday. Through matching data logs and the Chrome developer toolkit, it documented the SSP repeatedly misrepresenting IDs in openRTB fields. What’s more, the altered ID info consistently replicated cookie IDs that were recently bid on highly by The Trade Desk, the DSP used by Adalytics in the report.

Essentially, the best cookie IDs generated by sites in the Colossus network were being duplicated to impersonate particularly desirable audience targets.

According to the Adalytics, an outright majority of impressions bought through Colossus on The Trade Desk over the course of several months didn’t match the ID identified with data from the browser when the ad was served.

For the 15 other SSPS evaluated for the report, the IDs matched every time.

The buck stops elsewhere

The scandal at hand involves one vendor, but it’s representative of how the programmatic ecosystem has shielded obvious bad practices in the past, and is now grappling with basic questions like, “What constitutes fraud?”

Colossus CEO Mark Walker, in a call with AdExchanger, attributed the issue to BidSwitch, a vendor it uses to manage traffic and demand, and to Colossus’s status as an indirect seller.

“Because Colossus SSP is not directly connected to The Trade Desk, but rather through a publicly traded intermediary [by which they mean BidSwitch, owned by Criteo], Colossus SSP does not add or pass any Trade Desk user IDs in the bid request in accordance with Open RTB protocols and The Trade Desk requirements,” according to DDH’s public statement.

In its statement, DDH also levied a common compliant with Adalytics reports: “Adalytics refused to allow us to review the report prior to its publication, which we believe falls in line with a prior record of Adalytics seeking attention instead of accuracy.”

The Adalytics report also looked at other supply-side vendors, such as TrustX and MediaGrid, which use BidSwitch for the same purpose, and found no ID injection.

Subscribe

AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

However, something or someone is injecting false IDs into the bidstream. And BidSwitch says it’s not the one making those changes to openRTB fields.

“Any claims or implications by Colossus SSP that BidSwitch is to blame for Colossus SSP’s manipulation of the content of bid requests are untrue and we encourage all parties to investigate further into the merits of any such statements before publishing untrue statements,” according to statement by Criteo’s general counsel, Ryan Damon.

BidSwitch operates a “passthrough” platform, Damon said in the same comment. It doesn’t alter bid requests by SSPs or bid responses from advertisers.

Who knew?

For anyone asking themselves why The Trade Desk didn’t detect this problem; the company wants you to know it’s on it.

“The Trade Desk Marketplace Quality team has been aware of issues with the SSP mentioned in the Adalytics report for more than a year,” according to comment from a spokesperson.

When The Trade Desk DSP makes the calls on ad buys, it never buys Colossus inventory. The team identified Colossus last year when it saw aberrations in results for high-value targets, and put the puzzle pieces together, according to a source at the company on background. When an ID has been altered or injected to represent a different audience, it’s deemed sophisticated invalid traffic (SIVT).

“The only exception has come if an advertiser makes a specific request to knowingly transact through this SSP,” according to the statement.

In other words, if an advertiser bought a programmatic direct deal with Colossus, The Trade Desk will act as the pipes.

The Trade Desk is also not the only DSP to have raised an issue with Colossus.  According to a source at Google speaking on background, Display & Video 360 flagged this problem last year. But the issue was rectified and Colossus was reinstated by Google’s DSP.

Colossus is an unusual case, since it deals with minority-owned sites and makes much of its money via direct deals. Many large brands and agency holding companies have created requirements and marketing budgets for minority-owned media.

Sequential liability in this case is another complicating factor. The Trade Desk and other DSPs might have the right to withhold payments to Colossus for impressions deemed SIVT. But they were budgets meant for minority-owned sites as part of a DEI initiative. And the minority-owned publishers selling their inventory through Colossus would be the ones to take the hit. These publishers are generating real traffic and their own cookies. The injection of false information is happening at the tech level.

The F word

What Colossus is documented doing by Adalytics is plainly fraud, says Jay Friedman, CEO of the agency Goodway Group. But the agency head said the ID injection falls along a spectrum of misrepresentation issues in programmatic. All the issues involve ad tech companies extracting money from advertisers by deliberately or cynically failing to deliver on what’s been sold.

Just last month, Adalytics also made headlines when it caught Forbes selling inventory on a shady subdomain – “www3.forbes.com” – to advertisers who obviously expected the actual Forbes site.

Or take bid caching, when an SSP holds on to an ad bid and applies that same price to a later impression, which remains a commonplace tactic to this day, Friedman says, despite being an obvious case of the publisher failing to deliver on their purported deal.

Does anyone remember the word “centroid”? That was an early mobile tactic when publishers realized advertisers paid more for impressions with location data attached, and so simply attached generic location info made up from whole cloth.

A big part of the issue, Friedman said, is that vendors rarely face repercussions from other ad tech companies.

After all, even The Trade Desk, which saw what Colossus was up to plainly, continued to buy the inventory and carry the SSP. The fact is, it’s a vendor to agencies and advertiser; not their nanny.

Where are the verifiers?

Adalytics noticed the mismatched IDs coming from Colossus in the bidstream by looking at publicly available Chrome developer info. Any general Chrome user could (in theory) look up the cookie ID associated with that device and browsing session.

And just like with the recent case of a Forbes subdomain for executing made-for-arbitrage ads, there was a mismatch that wasn’t called out by anyone, even verification vendors. Instead, these cases are breaking as public scandals.

“We [at Goodway Group] changed our position in 2024, to the point that we now recommend advertisers not use verification providers,” Friedman said.

The typical verification partners – IAS, DoubleVerify, HUMAN and Oracle’s Moat – are no longer fit for the purpose, he said. Instead of using a pre-bid technology provider, companies should adopt analytics businesses that evaluate post-campaign data for incongruities. Adalytics is one such option, he said, alongside FouAnalytics and many other pure-play ad analytics vendors.

“We’ve learned that stuff really doesn’t work,” Friedman said of the Big Four verification vendors, who predominantly use pre-bid tech to determine what media and ad placements are served. “We’ve been able to root out waste at orders of magnitude greater rates than when we were using verification providers.”

What happens next?

For DDH and Colossus SSP, this scandal comes at the worst possible time.

A month ago, the company was forced to delay its earnings report, and also announced that its accounting firm had resigned. Two weeks ago, Nasdaq gave notice that DDH has 60 days to submit a plan to regain compliance or it will be delisted.

Individually, these are normal and surmountable problems. Taken as a whole, with a compelling claim of repeated fraud in their SSP business, it’s a lot of red flags.

Friedman said he had no knowledge of what was going on at Colossus in particular. But he added that, although this particular issue is specific to Colossus and likely doesn’t exist with other SSPs, it does reflect systemic problems within programmatic.

“Was I surprised?” he mused of this Adalytics report. “There are 40 SSPs out there where if you told me tomorrow that they’re mostly fraud and are going out of business, I wouldn’t be surprised.”

Must Read

Inside The Fall Of Oracle’s Advertising Business

By now, the industry is well aware that Oracle, once the most prominent advertising data seller in market, will shut down its advertising division. What’s behind the ignominious end of Oracle Advertising?

Forget about asking for permission to collect cookies. Google will have to ask for permission to not collect them.

Criteo: The Privacy Sandbox Is NOT Ready Yet, But Could Be If Google Makes Certain Changes Soon

If Google were to shut off third-party cookies today and implement the current version of the Privacy Sandbox, publishers would see their ad revenue on Chrome tank by around 60% on average.

Platforms Are Autogenerating Creative – And It’s Going To Be Terrible

This week, we’re diving into the most important thing in advertising – the actual creative – and how major ad platforms are well on their way to an era of creative innovation. Actually, strike that. I meant creative desolation.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters
Comic: TFW Disney+ Goes AVOD

Disney Expands Its Audience Graph And Clean Room Tech Beyond The US

Disney expands its audience graph and clean room tech to Latin America, marking the first time it will be available outside the US. The announcement precedes this week’s launch of Disney+ with ads in Latin America.

Advertible Makes Its Case To SSPs For Running Native Channel Extensions

Companies like TripleLift that created the programmatic native category are now in their awkward tween years. Cue Advertible, a “native-as-a-service” programmatic vendor, as put by co-founder and CEO Tom Anderson.

Mozilla acquires Anonym

Mozilla Acquires Anonym, A Privacy Tech Startup Founded By Two Top Former Meta Execs

Two years after leaving Meta to launch their own privacy-focused ad measurement startup in 2022, Graham Mudd and Brad Smallwood have sold their company to Mozilla.