Making sense of the allegations and defenses in the Colossus ad tech controversy

The implication being that this pattern of behavior looks a lot like fraud. 

Here’s where things start to get complicated: Colossus has sued Adalytics for defamation, injurious falsehood and false advertising.

To grasp why an ad tech company – which seemingly engaged in dubious actions – is so vehemently defending its reputation, it’s crucial to delve into what exactly transpired. 

Earlier this month Adalytics revealed that The Trade Desk was frequently presented with misrepresented IDs whenever it purchased ads through Colossus. These IDs, purportedly targeting premium audiences, failed to match up — there were significant discrepancies between the audience characteristics claimed at the time of purchase and those actually present in the browser when the ad was served.

In its defense, Colossus hasn’t denied the findings, but contested the accusation that it was responsible for the ID spoofing. CEO Mark Walker shifted the blame to the broader complexities of the ad tech ecosystem –something Adalytics also acknowledged in the report. 

Here’s what Walker told Digiday in an email statement: 

“The assertions made in Adalytics’ report are patently false and demonstrate a troubling misunderstanding of the complexities of the programmatic landscape. Technical integrations across a multitude of vendors open up our ecosystem to discrepancies. Our job as an industry is to resolve them. Even the largest, most reputable ad tech firms must continuously work back-and-forth with ad partners to ensure that programmatic campaigns are executed correctly. Colossus SSP has a track record of successfully working with partners on any issues that might arise, working together to fix them immediately.”

This could indeed be the case, but Walker’s rebuttal isn’t watertight – it leaves the door open for doubt and speculation. Notably, it doesn’t even acknowledge the idea that those IDs could have been mismatched intentionally. 

The theory only becomes credible when you understand how these IDs are handled. Digiday examined documentation from BidSwitch, the traffic and demand management company that Colossus used to sell ads to The Trade Desk, to get a clearer picture of the process.

BidSwitch embeds its user ID within the URL of the supplier’s (i.e Colossus) sync pixel, which then loads in the user’s browser. When it loads, the supplier automatically retrieves their cookie from the browser, creating a direct 1 to 1 link between BidSwitch’s cookie ID and the supplier’s cookie ID. This occurs in a single event where both IDs are visible.

This process is standard for cookie syncing across all ad tech companies.

So, while it’s technically true that Colossus doesn’t directly handle The Trade Desk’s cookie user IDs, since the ad tech vendor receives Colossus’s data via BidSwitch, it doesn’t need to. Colossus could potentially misreport the BidSwitch cookie ID when sending bid requests to BidSwitch. Then, when BidSwitch forwards these requests to The Trade Desk, it must look up the DSP cookie ID based on the information provided about the BidSwitch cookie ID in Colossus’s bid request.

If this were to happen, it’s easy to see why the Adalytics report has caused such a stir. And why Colossus is now on the defensive. 

According to Colossus owner Direct Digital Holdings, Digiday has misread the documentation. It is confusing the EID with the Buyeruid. Two different things. All data syncs have to be in alignment across the tech, it said. If they were, though, there would not be so many instances where there was a different ID being observed by Adlaytics to the correct cookie, even though there is a cookie. 

However, let’s consider the possibility that Colossus wasn’t engaged in any wrongdoing; maybe everything flagged by Adalytics was just a result of a technical glitch with the ad tech intermediary they used. These kinds of mishaps do occur, and as this video demonstrates, they happen quite often across many ad tech vendors and for various reasons. These include yield optimization practices that involve bid enrichment, probabilistic matching methods, data integration challenges, device fragmentation and failures in identity resolution.

But normally, when these glitches occur, the impact on ID mismatches is minimal and considered isolated incidents. That doesn’t seem to be the case with Colossus. The Trade Desk, Google and other ad tech vendors have all reported similar issues to Adalytics, and the collective feedback doesn’t paint a favorable picture. Not only are IDs still being altered when BidSwitch isn’t involved and ad tech vendors are working with Colossus directly , they’re also almost always mismatched at times. 

“Yes, there are supply-side platforms other than Colossus doing this, but that doesn’t make it ok,” said an ad tech executive, who asked to remain anonymous due to commercial sensitivities. “It’s still fraud to misrepresent facts like this in a bid request.”

This isn’t just rhetoric either. This ad tech exec personally oversaw tests from February to May, analyzing data from the first week of each month, with the results reviewed by Digiday.

Their findings indicated that while the majority of exchanges it buys from do experience some instances of ID mismatches, these typically occur at a publisher-specific level and often came as a surprise to the exchanges themselves. This pattern was not observed with Colossus. There is never a match between the IDs in the bid requests and what is observed when ads are served, said the ad tech exec, suggesting a more systemic issue within the ad tech vendor’s operations.

Understandably, the ad tech exec has stopped buying ads from Colossus. The fact that user IDs consistently fail to match is deeply troubling to them. If an SSP knows deterministically based on its cookie sync with a DSP like The Trade Desk that it currently calls browser “123”’ it should not issue a bid request with any value other than that specified value. If it does, then that will set off alarm bells like it did for this ad tech exec. The only explanations they see possible are either some form of deliberate deception or sheer incompetence – either scenario is concerning.

Not everyone sees it this way, though. 

Dr. Augustine Fou, for instance, argues that there’s nothing nefarious at play whatsoever. 

Here’s how Fou, an independent cybersecurity and ad fraud researcher, explained it: “Colossus passes an ID to BidSwitch, BidSwitch matches it to an ID from The Trade Desk it has on file, and sends that ID in the bid request to The Trade Desk. Neither Colossus not BidSwitch can read The Trade Desk’s ID from the browser store because that was set by adsrvr.org (The Trade Desk owned domain). Neither of these parties deliberately falsified The Trade Desk for nefarious purposes. The fact that The Trade Desk sent back a different ID in the win notification pass back pixel tells you that The Trade Desk served the ad to a different user than the ID that was in the browser store. Again, that is how the tech works.”