Secure Ads Layer: The Ad Fraud Solution You’ve Never Heard Of

jamesaveryddtData-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by James Avery, CEO at Adzerk.

Fraud is the ad industry’s not-so-secret problem. It impacts publishers just as much as advertisers. Advertisers have finite budgets to spend filling placements each year, and the amount that gets wasted on fraud hurts the payouts of legitimate publishers.

It’s not as simple as blocking unwanted domains from accessing a site or demand-side platform because fraudsters adapt faster than publishers and advertisers can detect their exploits. But a century-old solution using a secure sockets layer (SSL) may hold the key to stopping fraudsters in their tracks. Since it creates a boundary between those who serve and display advertisements, I call it the secure ads layer.

We are all familiar with fraudsters’ ploys. They can repeatedly make ad requests to a site, not only refreshing a page but also mimicking valid user agents to avoid detection. They can build sites that look legitimate but are filled with stolen content, with ad units stacked on top of each other. Fraudsters can even make ad requests from inside a 1×1 pixel.

And they’re probably using new techniques now that the industry doesn’t even know about.

Impact On Publishers’ Bottom Lines

Fraudsters also use countless adware and malware plugins that insert or replace ads on legitimate publisher sites. Often, these toolbars are presented as Trojan horses to end users, promising to donate revenue to charities of their choice or deliver some marginal benefit to their web browsing experience. Of course, the revenue is directed to the plugin creator while the publisher loses the value of its inventory.

This is not just a short-term loss of revenue – the overall value of a publisher’s inventory will diminished through fraud. It contributes to ever-shrinking CPMs, and it’s only getting worse.

Ultimately, trying to solve ad fraud through various “patches” that detect fraudulent activity and block users or patterns is like trying to put out a forest fire with a cup. You might see some short-term successes, but you’re guaranteed to lose the war

The core issue is that ad platforms use domain as the main identifier when identifying traffic. This can be easily spoofed on nearly all major platforms, and in many platforms it can just be passed in as a query string on the request. As long as a fraudster can masquerade as a different domain, there will always be ad fraud.

Better Than A Domain

There is, however, a potential solution based on technology that goes back to 1874. It uses the same basic principle as SSL.

SSL is a fairly well-known technology, although the average user probably doesn’t know that it works because of a technique called public key cryptography. A browser can use a public key to confirm that a certificate was signed with the corresponding private key, without having access to the private key.

One use of public key cryptography is the ability to sign a message and then verify that the message wasn’t tampered with. What I envision is for publishers to host a set number of valid public keys, perhaps stored at a central repository or just exposed through a simple endpoint, such as a  /_keys folder off their main domain. The publishers would give the corresponding private keys to vendors, such as their ad server and SSP, who they’ve already vetted.

Say The New York Times adopts a secure ads layer. Whenever impressions are served on, their private key is used to sign the full URL, a time stamp and the ad request’s user ID (cookie). The buyers, including the exchanges, DSPs or networks, would then use the Times’ public key to verify that the URL was indeed certified by the publisher.

Not only does this secure ad requests for publishers, it’s a huge opportunity for DSPs because they could enable buyers to purchase verified traffic and choose publishers based on their verified keys, as opposed to domain.

This technology could be a game-changer for programmatic advertising, but to get this done, we need the support of the major ad servers, exchanges and DSPs.

Secure ad traffic is better for advertisers and publishers. The secure ads layer is something everyone could implement without any proprietary technology or extra cost.

Follow Adzerk (@adzerk) and AdExchanger (@adexchanger) on Twitter.

Enjoying this content?

Sign up to be an AdExchanger Member today and get unlimited access to articles like this, plus proprietary data and research, conference discounts, on-demand access to event content, and more!

Join Today!


  1. Interesting view point. Could you elaborate on the reference you made to SSL being based on technology from 1874? Am really curious. Thanks!

  2. Keith,
    Shot you an email! If anyone else want to connect directly please feel free to email me at James at

  3. Hi,
    I’m not entirely sure this would work as you propose. How do you imagine signing requests that are on syndicated domains? For this to be possible that you would only have to serve adverts on domains that are directly controlled or there would be multiple levels of signing as the request filtered through all layers of ad servers. This multi level approach would provide ample opportunity for fraud to still take place, no?

    Very intrigued, but not sure it’s a catch-all solution.

  4. This is a fine idea for legacy Display where the publisher owns the domain, but in a modern video world where content is syndicated and socially embedded & shared around the web, and by extension the ad opportunities with them it is unworkable.

    What’s really needed is whole array of data points pre-bid, things that the Buyside already gets post impression. This is should be a handshake based on commonly validated tech methods, not ‘black box solutions’.
    That is the only way for the Buyside to regain trust in the Sell.