Call it another colossal error in the long history of ad tech spoofing.
Colossus SSP, a DEI-focused supply-side platform owned by Direct Digital Holdings (DDH), is the subject of Adalytics’ latest report released Friday. Through matching data logs and the Chrome developer toolkit, it documented the SSP repeatedly misrepresenting IDs in openRTB fields. What’s more, the altered ID info consistently replicated cookie IDs that were recently bid on highly by The Trade Desk, the DSP used by Adalytics in the report.
Essentially, the best cookie IDs generated by sites in the Colossus network were being duplicated to impersonate particularly desirable audience targets.
According to the Adalytics, an outright majority of impressions bought through Colossus on The Trade Desk over the course of several months didn’t match the ID identified with data from the browser when the ad was served.
For the 15 other SSPS evaluated for the report, the IDs matched every time.
The buck stops elsewhere
The scandal at hand involves one vendor, but it’s representative of how the programmatic ecosystem has shielded obvious bad practices in the past, and is now grappling with basic questions like, “What constitutes fraud?”
Colossus CEO Mark Walker, in a call with AdExchanger, attributed the issue to BidSwitch, a vendor it uses to manage traffic and demand, and to Colossus’s status as an indirect seller.
“Because Colossus SSP is not directly connected to The Trade Desk, but rather through a publicly traded intermediary [by which they mean BidSwitch, owned by Criteo], Colossus SSP does not add or pass any Trade Desk user IDs in the bid request in accordance with Open RTB protocols and The Trade Desk requirements,” according to DDH’s public statement.
In its statement, DDH also levied a common compliant with Adalytics reports: “Adalytics refused to allow us to review the report prior to its publication, which we believe falls in line with a prior record of Adalytics seeking attention instead of accuracy.”
The Adalytics report also looked at other supply-side vendors, such as TrustX and MediaGrid, which use BidSwitch for the same purpose, and found no ID injection.
However, something or someone is injecting false IDs into the bidstream. And BidSwitch says it’s not the one making those changes to openRTB fields.
“Any claims or implications by Colossus SSP that BidSwitch is to blame for Colossus SSP’s manipulation of the content of bid requests are untrue and we encourage all parties to investigate further into the merits of any such statements before publishing untrue statements,” according to statement by Criteo’s general counsel, Ryan Damon.
BidSwitch operates a “passthrough” platform, Damon said in the same comment. It doesn’t alter bid requests by SSPs or bid responses from advertisers.
Who knew?
For anyone asking themselves why The Trade Desk didn’t detect this problem; the company wants you to know it’s on it.
“The Trade Desk Marketplace Quality team has been aware of issues with the SSP mentioned in the Adalytics report for more than a year,” according to comment from a spokesperson.
When The Trade Desk DSP makes the calls on ad buys, it never buys Colossus inventory. The team identified Colossus last year when it saw aberrations in results for high-value targets, and put the puzzle pieces together, according to a source at the company on background. When an ID has been altered or injected to represent a different audience, it’s deemed sophisticated invalid traffic (SIVT).
“The only exception has come if an advertiser makes a specific request to knowingly transact through this SSP,” according to the statement.
In other words, if an advertiser bought a programmatic direct deal with Colossus, The Trade Desk will act as the pipes.
The Trade Desk is also not the only DSP to have raised an issue with Colossus. According to a source at Google speaking on background, Display & Video 360 flagged this problem last year. But the issue was rectified and Colossus was reinstated by Google’s DSP.
Colossus is an unusual case, since it deals with minority-owned sites and makes much of its money via direct deals. Many large brands and agency holding companies have created requirements and marketing budgets for minority-owned media.
Sequential liability in this case is another complicating factor. The Trade Desk and other DSPs might have the right to withhold payments to Colossus for impressions deemed SIVT. But they were budgets meant for minority-owned sites as part of a DEI initiative. And the minority-owned publishers selling their inventory through Colossus would be the ones to take the hit. These publishers are generating real traffic and their own cookies. The injection of false information is happening at the tech level.
The F word
What Colossus is documented doing by Adalytics is plainly fraud, says Jay Friedman, CEO of the agency Goodway Group. But the agency head said the ID injection falls along a spectrum of misrepresentation issues in programmatic. All the issues involve ad tech companies extracting money from advertisers by deliberately or cynically failing to deliver on what’s been sold.
Just last month, Adalytics also made headlines when it caught Forbes selling inventory on a shady subdomain – “www3.forbes.com” – to advertisers who obviously expected the actual Forbes site.
Or take bid caching, when an SSP holds on to an ad bid and applies that same price to a later impression, which remains a commonplace tactic to this day, Friedman says, despite being an obvious case of the publisher failing to deliver on their purported deal.
Does anyone remember the word “centroid”? That was an early mobile tactic when publishers realized advertisers paid more for impressions with location data attached, and so simply attached generic location info made up from whole cloth.
A big part of the issue, Friedman said, is that vendors rarely face repercussions from other ad tech companies.
After all, even The Trade Desk, which saw what Colossus was up to plainly, continued to buy the inventory and carry the SSP. The fact is, it’s a vendor to agencies and advertiser; not their nanny.
Where are the verifiers?
Adalytics noticed the mismatched IDs coming from Colossus in the bidstream by looking at publicly available Chrome developer info. Any general Chrome user could (in theory) look up the cookie ID associated with that device and browsing session.
And just like with the recent case of a Forbes subdomain for executing made-for-arbitrage ads, there was a mismatch that wasn’t called out by anyone, even verification vendors. Instead, these cases are breaking as public scandals.
“We [at Goodway Group] changed our position in 2024, to the point that we now recommend advertisers not use verification providers,” Friedman said.
The typical verification partners – IAS, DoubleVerify, HUMAN and Oracle’s Moat – are no longer fit for the purpose, he said. Instead of using a pre-bid technology provider, companies should adopt analytics businesses that evaluate post-campaign data for incongruities. Adalytics is one such option, he said, alongside FouAnalytics and many other pure-play ad analytics vendors.
“We’ve learned that stuff really doesn’t work,” Friedman said of the Big Four verification vendors, who predominantly use pre-bid tech to determine what media and ad placements are served. “We’ve been able to root out waste at orders of magnitude greater rates than when we were using verification providers.”
What happens next?
For DDH and Colossus SSP, this scandal comes at the worst possible time.
A month ago, the company was forced to delay its earnings report, and also announced that its accounting firm had resigned. Two weeks ago, Nasdaq gave notice that DDH has 60 days to submit a plan to regain compliance or it will be delisted.
Individually, these are normal and surmountable problems. Taken as a whole, with a compelling claim of repeated fraud in their SSP business, it’s a lot of red flags.
Friedman said he had no knowledge of what was going on at Colossus in particular. But he added that, although this particular issue is specific to Colossus and likely doesn’t exist with other SSPs, it does reflect systemic problems within programmatic.
“Was I surprised?” he mused of this Adalytics report. “There are 40 SSPs out there where if you told me tomorrow that they’re mostly fraud and are going out of business, I wouldn’t be surprised.”
