Making sense of the allegations and defenses in the Colossus ad tech controversy

As a Digiday+ member, you were able to access this article early through the Digiday+ Story Preview email. See other exclusives or manage your account.This article was provided as an exclusive preview for Digiday+ members, who were able to access it early. Check out the other features included with Digiday+ to help you stay ahead

In ad tech, nothing is ever straightforward – not even the perennial snafus. What seemed like a clear case of an ad tech vendor being shady is actually a lot more layered. The ad tech vendor in question is the Colossus supply-side platform owned by Digital Holdings Group. 

According to ad transparency startup Adalytics, there were repeated instances of user IDs being misrepresented in its programmatic marketplace. Moreover, the altered ID information consistently mimicked cookie IDs that had attracted high bids from The Trade Desk, the DSP utilized by Adalytics in their analysis.

The implication being that this pattern of behavior looks a lot like fraud. 

Here’s where things start to get complicated: Colossus has sued Adalytics for defamation, injurious falsehood and false advertising.

To grasp why an ad tech company – which seemingly engaged in dubious actions – is so vehemently defending its reputation, it’s crucial to delve into what exactly transpired. 

Earlier this month Adalytics revealed that The Trade Desk was frequently presented with misrepresented IDs whenever it purchased ads through Colossus. These IDs, purportedly targeting premium audiences, failed to match up — there were significant discrepancies between the audience characteristics claimed at the time of purchase and those actually present in the browser when the ad was served.

In its defense, Colossus hasn’t denied the findings, but contested the accusation that it was responsible for the ID spoofing. CEO Mark Walker shifted the blame to the broader complexities of the ad tech ecosystem –something Adalytics also acknowledged in the report. 

Here’s what Walker told Digiday in an email statement: 

“The assertions made in Adalytics’ report are patently false and demonstrate a troubling misunderstanding of the complexities of the programmatic landscape. Technical integrations across a multitude of vendors open up our ecosystem to discrepancies. Our job as an industry is to resolve them. Even the largest, most reputable ad tech firms must continuously work back-and-forth with ad partners to ensure that programmatic campaigns are executed correctly. Colossus SSP has a track record of successfully working with partners on any issues that might arise, working together to fix them immediately.”

This could indeed be the case, but Walker’s rebuttal isn’t watertight – it leaves the door open for doubt and speculation. Notably, it doesn’t even acknowledge the idea that those IDs could have been mismatched intentionally. 

The theory only becomes credible when you understand how these IDs are handled. Digiday examined documentation from BidSwitch, the traffic and demand management company that Colossus used to sell ads to The Trade Desk, to get a clearer picture of the process.

BidSwitch embeds its user ID within the URL of the supplier’s (i.e Colossus) sync pixel, which then loads in the user’s browser. When it loads, the supplier automatically retrieves their cookie from the browser, creating a direct 1 to 1 link between BidSwitch’s cookie ID and the supplier’s cookie ID. This occurs in a single event where both IDs are visible.

This process is standard for cookie syncing across all ad tech companies.

So, while it’s technically true that Colossus doesn’t directly handle The Trade Desk’s cookie user IDs, since the ad tech vendor receives Colossus’s data via BidSwitch, it doesn’t need to. Colossus could potentially misreport the BidSwitch cookie ID when sending bid requests to BidSwitch. Then, when BidSwitch forwards these requests to The Trade Desk, it must look up the DSP cookie ID based on the information provided about the BidSwitch cookie ID in Colossus’s bid request.

If this were to happen, it’s easy to see why the Adalytics report has caused such a stir. And why Colossus is now on the defensive. 

According to Colossus owner Direct Digital Holdings, Digiday has misread the documentation. It is confusing the EID with the Buyeruid. Two different things. All data syncs have to be in alignment across the tech, it said. If they were, though, there would not be so many instances where there was a different ID being observed by Adlaytics to the correct cookie, even though there is a cookie. 

However, let’s consider the possibility that Colossus wasn’t engaged in any wrongdoing; maybe everything flagged by Adalytics was just a result of a technical glitch with the ad tech intermediary they used. These kinds of mishaps do occur, and as this video demonstrates, they happen quite often across many ad tech vendors and for various reasons. These include yield optimization practices that involve bid enrichment, probabilistic matching methods, data integration challenges, device fragmentation and failures in identity resolution.

But normally, when these glitches occur, the impact on ID mismatches is minimal and considered isolated incidents. That doesn’t seem to be the case with Colossus. The Trade Desk, Google and other ad tech vendors have all reported similar issues to Adalytics, and the collective feedback doesn’t paint a favorable picture. Not only are IDs still being altered when BidSwitch isn’t involved and ad tech vendors are working with Colossus directly , they’re also almost always mismatched at times. 

“Yes, there are supply-side platforms other than Colossus doing this, but that doesn’t make it ok,” said an ad tech executive, who asked to remain anonymous due to commercial sensitivities. “It’s still fraud to misrepresent facts like this in a bid request.”

This isn’t just rhetoric either. This ad tech exec personally oversaw tests from February to May, analyzing data from the first week of each month, with the results reviewed by Digiday.

Their findings indicated that while the majority of exchanges it buys from do experience some instances of ID mismatches, these typically occur at a publisher-specific level and often came as a surprise to the exchanges themselves. This pattern was not observed with Colossus. There is never a match between the IDs in the bid requests and what is observed when ads are served, said the ad tech exec, suggesting a more systemic issue within the ad tech vendor’s operations.

Understandably, the ad tech exec has stopped buying ads from Colossus. The fact that user IDs consistently fail to match is deeply troubling to them. If an SSP knows deterministically based on its cookie sync with a DSP like The Trade Desk that it currently calls browser “123”’ it should not issue a bid request with any value other than that specified value. If it does, then that will set off alarm bells like it did for this ad tech exec. The only explanations they see possible are either some form of deliberate deception or sheer incompetence – either scenario is concerning.

Not everyone sees it this way, though. 

Dr. Augustine Fou, for instance, argues that there’s nothing nefarious at play whatsoever. 

Here’s how Fou, an independent cybersecurity and ad fraud researcher, explained it: “Colossus passes an ID to BidSwitch, BidSwitch matches it to an ID from The Trade Desk it has on file, and sends that ID in the bid request to The Trade Desk. Neither Colossus not BidSwitch can read The Trade Desk’s ID from the browser store because that was set by adsrvr.org (The Trade Desk owned domain). Neither of these parties deliberately falsified The Trade Desk for nefarious purposes. The fact that The Trade Desk sent back a different ID in the win notification pass back pixel tells you that The Trade Desk served the ad to a different user than the ID that was in the browser store. Again, that is how the tech works.”

https://digiday.com/?p=545383

More in Marketing

Marketing Briefing: Understanding CMOs’ top priorities ahead of the next Trump presidency

CMOs and agency execs say brands need to listen to voter feedback to understand if they know what resonates with consumers. 

AppLovin stands out in the latest round of quarterly earnings calls

Oracle’s exit from the ad business proves a boon for some as ad tech’s leading publicly listed companies continue to post gains (even if modest) as pundits moot consolidation.

As programmatic rises on Roblox, in-game studios are feeling the competition

Roblox’s programmatic video ad business, which launched in May of this year, represents a much more direct advertising revenue stream for the company, so it’s no surprise that Roblox has encouraged marketers to explore the opportunity over the past year.