Another industry research report is raising the alarm about invalid traffic (IVT), exposing glaring vulnerabilities in the programmatic CTV supply chain.
A report released Wednesday by curation startup CleanTap claims to have proof that CTV and programmatic ad tech platforms served ads to spoofed devices pretending to be connected TV sets.
CleanTap jury-rigged a Raspberry Pi computer and equipped it with a dummy HDMI connection to make it seem as if the device had a display surface like any smart TV.
Over the course of 10 days in July, CleanTap tracked thousands of bid requests from two distinct IP addresses associated with the device. The result? CleanTap claims that 100% of the invalid traffic it spoofed was accepted into live auctions run by programmatic platforms and was successfully bid on by advertisers.
A total of 54 different brands purchased ads that were served to CleanTap’s spoofed CTV device. Meanwhile, a who’s who of publishers and ad tech platforms – including major streaming services, DSPs, SSPs, verification vendors and ad servers – allegedly participated in the auctions.
AdExchanger decided not to name any of these companies because the IVT was manufactured rather than uncovered by CleanTap.
The problem of spoofed devices
The report claims CleanTap was able to track events and web request logs associated with auctioning and serving ads to its spoofed device. But it’s unclear from the report whether advertisers were ultimately charged for the impressions.
According to the report, CleanTap saw evidence that although third-party verification and analytics vendors flagged the impressions as invalid, programmatic platforms still allowed ads to be delivered and transacted. It’s unclear from the report whether the invalid impressions were caught by pre-bid or post-bid verification solutions.
It’s hard to say for sure what other platforms caught or didn’t catch based on the evidence CleanTap initially examined, Will Rand, co-founder of CleanTap, told AdExchanger. “All we know is that ad space ran.”
Still, the report comes at a time when savvy buyers are increasingly questioning how much non-human traffic is being transacted on in the CTV channel, said Wayne Blodwell, global SVP of programmatic at ad agency Assembly Global.
These findings suggest that fooling programmatic CTV tech isn’t all that hard to do, he said.
Unlike digital advertisers that have come to expect some degree of IVT on the web – programmatic deals for online display ads can include as much as 10% to 20% IVT – CTV buyers are unsurprisingly loathe to accept IVT as a cost of doing business, said Blodwell, who saw the CleanTap report before it was published.
CTV inventory is more expensive on average than display ad CPMs, he said, and so buyers have far less tolerance for spending on impressions that aren’t seen by humans and have no chance of leading to any meaningful action.
This is an issue buyers are concerned about, Blodwell added, and there is currently a lack of information as to how big of a problem spoofed devices really are. CleanTap’s methodology doesn’t shed light on the scale, he said, but it does illustrate how lax the protections are for preventing ads from being served to non-humans and screenless devices.
The most surprising takeaway from CleanTap’s report, Blodwell said, is the ease with which the company was apparently able to fool programmatic platforms into bidding on IVT.
CleanTap claims to have put together its spoofed CTV device using less than $100 worth of hardware and freely available code to simulate virtualized versions of TV operating systems and FAST channels. The company used proxy configurations to generate geolocation data for the device.
User agent & IP address
The report serves as more evidence that the methods advertisers expect to protect them from bot traffic don’t always work in practice.
An Adalytics report published in March posited that certain types of non-malicious IVT should be easily caught pre-bid by examining the user agent and IP address associated with an ad impression. Several bot-detection experts who spoke with AdExchanger agreed with that thesis.
And yet, as that report demonstrated, ads were still served to bots even when they declared as bot user agents or when they used IP addresses associated with data server farms.
For its experiment, CleanTap took pains to make its IVT easily recognizable, Rand said.
Its methods included listing a user agent that should appear suspicious to any system familiar with typical CTV device types, he said. A user agent string describing a Raspberry Pi running Android 15, for example, should be considered “completely out of left field” for a CTV ad impression, he said.
CleanTap also had its spoofed devices use IP addresses and location data associated with Ashburn, Va.’s “Data Center Alley,” home to the largest concentration of data centers in the US.
In some cases, CleanTap even included a message in the user agent string that literally read, “I’m a bot, don’t buy or sell ad space that I’m seeing!” The report includes an example of this user agent being served an ad.
According to Blodwell, CleanTap’s clear use of suspicious user agent and IP address signals suggests that ad tech companies aren’t paying enough attention to either signal when attempting to weed out bots on a pre-bid basis.
Method to the madness
Still, the CleanTap report comes at a contentious time for this type of research. For example, ad verification platform DoubleVerify sued Adalytics for defamation after the release of its March report.
Given such tensions, CleanTap told AdExchanger that it prioritized sharing its findings before publication with the tech companies it calls out.
AdExchanger also asked CleanTap to address some potential criticisms of its methodology.
A consistent knock against research of this nature is that it’s done to promote the company behind the research. And, sure enough, CleanTap claims its tech – which helps ensure that only CTV devices that meet its strict criteria are included in programmatic buys – can screen out spoofed devices.
But according to CleanTap’s Rand, by publishing this report, the company isn’t doing anything “dramatically different than any other company that wants to make things better in the space.”
Assembly’s Blodwell likewise hand-waved any concerns of self-promotion on CleanTap’s part, saying that such criticisms are an easy charge to level against any company pointing out a problem. He added that the report “stands up on its own merit.”
Also, Rand said, CleanTap isn’t hiding that it manufactured IVT for this experiment. And it deliberately made sure that any IVT it created would be a “minuscule” portion of the potentially millions of invalid CTV impressions created every day, he said.
“It’s not like we generated millions and millions of bid requests and took serious money out of the pockets of advertisers,” Rand said.
Speaking of which, he said, it’s also a fair criticism that the traffic covered in the report – less than 10,000 impressions over 10 days – is just a fraction of a percentage of the overall traffic seen over the same time period by programmatic platforms, which handle hundreds of billions of impressions daily.
However, even if CleanTap had created thousands of spoofed devices and millions more invalid impressions, Rand said, those impressions likely wouldn’t have been successfully prevented from being shown ads “based on the evidence we have here.”
Action items
So what outcome does CleanTap want to see from its research?
“The intention of our work is to not point blame at a company or platform type,” said CleanTap Co-Founder Jenna Martinez. “It’s a failure of detection at multiple points, because almost all systems are still operating on an exclusion basis for traffic quality.”
Rather than programmatic systems assuming an ad impression is valid unless it sees signs to the contrary, Martinez said, they should “assume counterfeit until verified.”
The report also illustrates that real-time scrutiny of the user agent alone doesn’t go far enough to root out IVT, Rand said, because user agent data is provided in multiple places in bid requests and different user agent strings in the same bid request often contain conflicting data.
Plus, he said, third-party verification systems that filter out IVT pre-bid are fighting an uphill battle because “the MRC has publicly stated that platforms can ignore third-party verification signals.”
“Upstream verification needs to be intrinsic to the system,” Rand added. “We want all platforms to work towards this.”
But there are things buyers can do to protect themselves from spoofed devices and other kinds of IVT, Blodwell said.
For one, they can prioritize direct buying from trusted publishers and curators over pure programmatic auctions, he said, because any kind of automated buying at scale is subject to some degree of risk.
And buyers can also do more to hold their programmatic partners accountable. Blodwell suggested that they talk to their tech providers about how they filter IVT, whether they offer make-goods for ads unintentionally served to IVT and how the make-good process works.
But it would also be great to see the platforms offer more help to protect buyers from IVT.
“There should be more default always-on settings,” Blodwell said, “as opposed to needing someone to understand the DSP setup and where to find the [setting] you need to turn on to remove IVT.”
