The latest trend in ad tech fraud: Faking GDPR consent strings
The digital ad industry has been on tenterhooks since the Information Commissioner’s Office released its warning report to ad tech in June, which stated the current way data is used for real-time bidding isn’t legal under the General Data Protection Regulation.
Since then, publishers and vendors have been going back over their compliance strategies, and more audits are being undertaken to check if all is as it should be. Some of these audits are highlighting dodgy practices, like fraudulent consent strings.
Given GDPR is relatively new, so is consent-string fraud. It first began bubbling to the surface as an issue last August just after the arrival of the law. It’s also been a bone of contention with ad tech vendors who have witnessed other vendors injecting fraudulent consent strings into the digital ad ecosystem.
But what exactly is it, and what problems does it cause? Here’s a primer.
Remind me what a consent string is.
It’s what’s used by all ad tech vendors to identify whether or not they have a user’s consent to use their data in order to send them GDPR-compliant targeted ads. A publisher’s consent management platform (CMP) stores whether a user has said yes or no to allowing their data to be used. The CMP then passes the information through to the publisher’s programmatic ad partners so everyone is on the same page. Consent strings have been assigned by the Interactive Advertising Bureau Europe, and every vendor that is part of its Transparency and Consent Framework uses one. The string itself is a string of ones and zeros: “1” signals there is consent, “0” signals there is no consent. The positions of the numbers identify which vendors have consent and for what purposes (like sending targeted ads).
So that’s now being manipulated?
This is ad tech, so of course. Dummy strings are being created in some instances. Currently, it is easy to manipulate a consent string, and some vendors are doing so in order to appear as though they have more user consent than they do, so they’re not blocked from buying and selling inventory. “There’s some very odd stuff going on,” said Chloe Grutchfield, co-founder of RedBud, which has developed a tool to audit compliance on behalf of publisher clients. “Completely fake consent strings are being hardcoded and shared with the ad ecosystem when the user has actually revoked consent across all purposes and vendors.”
How easy is that to do?
Surprisingly easy. You can create a dummy consent string that looks very similar to a legitimate one, but which uses a different CMP ID to the one it should. That’s only visible once it has been decoded.
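The audit check this implies, decoding the string and comparing its CMP ID with the one the publisher actually uses, is sketched below as an added example (not code from the article or from RedBud). It assumes the TCF v1.1 header layout; `expected_cmp_id`, `user_revoked_all` and the sample string are illustrative assumptions.

```python
import string

# base64url alphabet: each character carries 6 bits of the consent string
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "-_"

# Header fields of a TCF v1.1 consent string, in order, with bit widths (assumed layout)
HEADER = [("version", 6), ("created", 36), ("last_updated", 36),
          ("cmp_id", 12), ("cmp_version", 12), ("consent_screen", 6),
          ("consent_language", 12), ("vendor_list_version", 12),
          ("purposes_allowed", 24), ("max_vendor_id", 16)]


def decode_header(consent_string):
    """Decode the fixed-width header fields of a consent string."""
    # str.index raises ValueError on any character outside the alphabet
    bits = "".join(format(ALPHABET.index(c), "06b")
                   for c in consent_string.rstrip("="))
    if len(bits) < sum(width for _, width in HEADER):
        raise ValueError("consent string too short")
    fields, pos = {}, 0
    for name, width in HEADER:
        fields[name] = int(bits[pos:pos + width], 2)
        pos += width
    # Bit i (1-based, left to right) set to 1 means purpose i is consented
    mask = format(fields["purposes_allowed"], "024b")
    fields["purposes_allowed"] = [i + 1 for i, b in enumerate(mask) if b == "1"]
    return fields


def audit(consent_string, expected_cmp_id, user_revoked_all=False):
    """Return a list of findings; an empty list means the header looks consistent."""
    try:
        f = decode_header(consent_string)
    except ValueError as exc:
        return [f"undecodable: {exc}"]
    findings = []
    if f["cmp_id"] != expected_cmp_id:
        findings.append(f"cmp_id {f['cmp_id']} != expected {expected_cmp_id}")
    if user_revoked_all and f["purposes_allowed"]:
        findings.append(
            f"purposes {f['purposes_allowed']} granted after full revocation")
    return findings


# Sample value for illustration only; its header decodes to cmp_id 7
SAMPLE = "BOEFEAyOEFEAyAHABDENAI4AAAB9vABAASA"
```

An auditor would run `audit()` on strings captured downstream of the publisher's CMP and compare them with what the CMP itself recorded for that user.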
Who is responsible for this?
The cases that have been detected by RedBud involve so-called “tier-two” vendors: those that don’t work directly with the publisher, but rather with the bigger vendors that do and which have been granted permission by that publisher to use data for certain purposes that help those publishers monetize their inventory. It’s at that secondary stage in the passing of data that there are instances of fraudulent consent strings popping up.
How common is this?
Like much of programmatic, that’s unclear. Businesses that are starting to track it haven’t yet accrued enough data to show the scale of it.
Why is this happening when there are GDPR fines at stake?
Like with any kind of fraud: There’s money to be made and low risk of getting caught.
What is being done to address it?
Currently, not much. Consent-string fraud is not yet a problem widespread enough to warrant focusing on finding ways to throttle it entirely. But as in any non-policed area, nefarious tactics can grow, so it is better to be in front of it than to be playing catch-up. There are two main options that have been discussed. The first is for it to be audited and policed, preferably by a neutral body. The second is to encrypt the string, something that’s not currently feasible.
“If there was a cop — whether the IAB or someone was appointed to that role — they could randomly check consent signals in the chain,” said Mathieu Roche, co-founder of ID5. “The other option is to have a by-design enforcement, so encryption around the string. It’s something potentially blockchain technology could help with, so nothing can be tampered with.”