Home Publishers PubMatic Code Didn’t Wait For User Consent: Why Publishers Need To ‘Be Distrustful By Design’

PubMatic Code Didn’t Wait For User Consent: Why Publishers Need To ‘Be Distrustful By Design’

The Rube Goldberg machine of ad tech

Ad tech companies manage billions of advertising bids across thousands of publishers in a matter of milliseconds.

So, when a privacy error slips through cracks, it can metastasize into a potential GDPR concern in the blink of an eye.

First, in simple language: Technology developed by PubMatic and deployed on nearly 2,500 websites, including Barstool Sports, Maxim and Time.com, was as recently as this week configured in a way that put sellers and publishers at risk of GDPR violations.

AdExchanger was first alerted to this activity by Sincera, a startup that specializes in gathering and supplying media telemetry data to the ad tech ecosystem. Although Sincera declined to name the SSP, AdExchanger was able to confirm that PubMatic is the company in question by examining code that was shared with us.

PubMatic claims that the issue is due at least in part to a bug within Prebid’s code.

So, what’s happening here, exactly?

Time out

For those who speak ad tech, this is what Sincera observed:

A default setting within Identity Hub, PubMatic’s Prebid-based identity management tool, was set so low as to effectively ignore user consent strings. Separately, the tool was seen to be pushing IDs from Identity Hub into the bid requests of other SSPs within a publisher’s primary wrapper (which is typically a Prebid-based wrapper). More on that later.

timer going offA PubMatic spokesperson said that the company “never ignores the consent of the user,” adheres to any consent signals it receives and only “passes unaltered signals to its partners in every transaction in which we engage.”

But the issue isn’t that Identity Hub is purposely ignoring user consent. Rather, it was not giving consent management platforms enough time to load or users enough time to interact with the mechanism.


AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

Prebid’s timeout default for calling a CMP to obtain a GDPR consent string is 10,000 milliseconds (or 10 seconds). The timeout in Identity Hub was regularly set to either 1 millisecond or 50 milliseconds, which is just 0.001 or 0.005 seconds.

Although there is a consent module in place, Identity Hub wasn’t waiting long enough to log the interaction. Sincera Co-Founder Ian Meyers described this as akin to inviting someone to a party by calling them on the phone but then hanging up before they answer. (In short: That person won’t be showing up to your party.)

The purpose of Identity Hub is to make it easier for publishers to work with whichever identity providers they choose within a managed service wrapper, which means it’s likely that many publishers never bother to change the default settings.

PubMatic told AdExchanger that, “out of an abundance of caution” for its publisher customers, “it’s taking the proactive step of resetting the default consent timeout” so consent queries have more time to get a response.

It’s since force reset the consent timer within Identity Hub to between 497 and 500 milliseconds (roughly half of one second), which is still far less than the Prebid default.

The average consent timeout across the top 1,600 publishers by traffic in the Prebid ecosystem, excluding Identity Hub, is roughly 7.7 seconds.

Why was this a problem?

When a webpage loads in Europe, publishers need to check for consent before calling an identity provider’s API with consent signals.

But such a low consent timeout threshold makes that impossible.

Identity Hub would therefore frequently mark its enrichment requests to identity providers as “GDPR = 0,” presumably meaning that it didn’t believe the law applies in that instance.

programmatic pipesIf an identity provider takes this at face value, they would end up generating unconsented IDs, Meyers said.

Fortunately, most identity providers don’t just take a wrapper’s word for it, he said. They also check for an opt in before enriching a bid request as a matter of course.

Still, it’s not always possible to do that. A server-side wrapper, for example, would show an SSP’s server address rather than a user’s true IP address, making it difficult or impossible to verify that person’s location.

“This is a good wakeup call for ad tech vendors,” Meyers said. “You need to know who’s upstream of you and you also can’t assume that you have consent without verifying.”

Risky business

It’s easy for publishers and even SSPs to be unaware that any of this is happening.

There are numerous handoffs that occur in milliseconds up and down the supply chain to support addressable advertising. If the internet is a series of tubes, then ad tech is a vastly interconnected series of partnerships across a warren of codependent programmatic pipes.

And regulators are getting savvier about how those pipes function and how data flows within and between them. That’s the case even in jurisdictions where consent typically isn’t required, like the US.

But in regions like Europe where it’s illegal not to honor consent-related requests, publishers that don’t have a clear grasp of what their ad tech vendors are doing put themselves at high risk of an enforcement action.

“Understand what you’re deploying and ask questions – lots of questions – about how something works,” Meyers said. “If there’s one takeaway from all this, it’s that there can be a big difference between thinking a solution is privacy safe and actually knowing what it’s doing on your website.”


Speaking of, it’s time to get back in the weeds, because there’s a little more weirdness to unpack.

Many publishers use a header bidding wrapper to host multiple Prebid modules, such as real-time bidding, user identity and consent management. Some also deploy so-called “secondary wrappers” to outsource specific functions to third parties, like to Identity Hub for identity management.

Sincera, however, observed Identity Hub monitoring Prebid API activity and then replacing identifiers sent to all SSPs within a publisher’s main Prebid wrapper with IDs retrieved by Identity Hub.

balled up paperThis is a practice known as identity stuffing, said Sincera Co-Founder Mike O’Sullivan, and it’s problematic for multiple reasons, including data leakage risk and poor identity performance due to conflicts between the wrappers.

Stuff gets … funky

Overwriting a publisher’s existing identifiers also disregards Prebid’s code of conduct, which states that “the auction layer must not modify bids from demand partners unless specifically instructed to do so.”

A PubMatic company spokesperson told AdExchanger that Identity Hub “does not substitute, overwrite or manipulate identifiers provided by other wrappers unless the identifier is expired.” The spokesperson also said that the tool is only used by publishers to “supplement the bid requests created by other wrappers” and that this is fully the publisher’s choice.

The company later said that it had found a bug in “an outdated version” of Prebid from last year whereby Prebid’s user ID module wasn’t waiting long enough to get the consent signal. This issue was fixed months ago for anyone using the latest version of Prebid.

PubMatic is now “encouraging impacted publishers to update their Identity Hub and Prebid instances so that they are using Prebid 7.0 or above to prevent this issue from occurring,” said Nishant Khatri, PubMatic’s SVP of product management.

Although this is a valid recommendation, the bug that PubMatic points to is unrelated to the consent timeout default in its own Identity Hub product and also doesn’t address the identifier overwriting issue.

Prebid’s code is open source and it’s up to any company that forks one of its GitHub repos, as PubMatic does, to be responsible for their own practices.

PubMatic also emphasized that it would get no financial benefit from altering bid requests, because all parties have access to the same IDs – and that is true.

Which is why the most important takeaway from all of this is that suppliers and their partners should keep regular tabs on themselves, on their vendors and on every tool they deploy.

“I’m partial to the phrase, ‘Be distrustful by design,” O’Sullivan said. “That means, do your own checks – on everything.”

AdExchanger reached out to Prebid about the identity stuffing issue on Tuesday, which was before being alerted to the bug by PubMatic on Thursday afternoon. A Prebid spokesperson said on Tuesday that the organization was unable to comment, but it’s looking into the issue.

Must Read

Nope, We Haven’t Hit Peak Retail Media Yet

The move from in-store to digital shopper marketing continues, as United Airlines, Costco, PayPal, Chase and Expedia make new retail media plays. Plus: what the DSP Madhive saw in advertising sales software company Frequence.

Comic: Ad-ception

The New York Times And Instacart Integrate For Shoppable Recipes

The New York Times and Instacart are partnering for shoppable recipe videos.

Experian Enters The Third-Party Data Onboarding Business

Experian entered the third-party data onboarder market on Tuesday with a new product based on its Tapad acquisition.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters

Albertsons Takes Its First Steps Into Non-Endemic Advertising, Retail Media’s Next Frontier

Albertsons is taking that first step into non-endemic advertising next week via a partnership with Rokt to serve ads to people who have already purchased groceries.

Marketecture Buys AdTechGod (No, Really)

Marketecture has acquired AdTechGod – an anonymous ad tech Twitter poster turned one-man content studio – and the AdTech Forum, an information resource hosted by AdTechGod and Jeremy Bloom.

Why The False Advertising Lawsuit Against Poppi Is Bad News For RMNs

This week’s dispatch explores the new trend of false advertising class-action suits in the food and CPG industry and how the evolution of online, data-driven retail media could exacerbate the problem.