WTF is the difference between ID bridging and ID spoofing?

Illustration of a disguised user.

This article is a WTF explainer, in which we break down media and marketing’s most confusing terms. More from the series →

If ID spoofing is the latest villain of the open programmatic market, nefariously trying to siphon ad revenue from advertisers’ pockets, ID bridging is the hero trying to play peacemaker amid cookie deprecation.

But the twist in this story is that the hero and the villain are twins separated at birth, operating on the same genetics, but raised on different moral codes. While ID bridging champions transparency, ID spoofing masquerades behind a lack of reporting, hoping to not get caught.

“It’s a disservice to call it ID bridging and separate that from ID spoofing,” said Justin Wohl, CRO of Snopes and TV Tropes. “[That] might suggest that these are differentiated technologies, but it’s one and the same.”

But before we declare what’s “good or evil” in the grand scheme, let’s first answer the question:  

WTF is ID bridging? 

It’s a way of identifying someone by piecing together different bits of information about them. In programmatic advertising, it’s used to stitch together user signals — including email, IP addresses, device ID, etc. — to confidently infer that it is the same individual accessing a publisher’s site or sites from various devices or browsers, said Lee Lewis, director of platform adoption at Epsilon. 

“The method can vary, either anchoring it in deterministic [identifiers] and layering on probabilistic connections, or solely relying on inferential signals to simulate that cross-device effect,” said Lewis. And while Lewis said Epsilon always favors the incorporation of deterministic signals when ID bridging, other ad tech vendors might only rely on probabilistic indicators.  

At its core, though, ID bridging enables sellers to extend user identification beyond the scope of one browser or device. 

Is ID spoofing different from ID bridging? 

Yes, but again, you should think of them as an evil twin and a good twin. ID spoofing is taking the tactics of ID bridging — piecing together information to infer someone’s identity — and co-opting them to falsify their identity instead.

Both ID bridging and ID spoofing are forms of bid enrichment, which is the act of making a bid request more valuable by adding information, identification and other data not initially provided by the browser, Wohl said. 

When classified as ID bridging, that implies that the sell-side has fully disclosed all of the information added to a bid request to make it more valuable. Then, the buy-side can review all of the identifiers and where they originated from to decide whether to send a bid.

“If you are doing ID bridging … as long as the buy side knows and has agreed [to it], it’s fine,” said Hillary Slattery, senior director of programmatic products at IAB Tech Lab. “If there’s agreement, Bob’s your uncle.”

ID spoofing does not disclose all of that information, providing cover for companies to swap in different IDs and creating an opening for mismatches to occur. 

Why would that information be hidden?  

There’s a stigma around probabilistic and inferred IDs, and advertisers may devalue ad inventory associated with non-deterministic IDs. That could lead publishers and programmatic ad sellers to cover up the amount of probabilistic identifiers used to enrich bid requests, according to Lewis. 

So publishers would be to blame for ID spoofing?

Not necessarily. Publishers rely on data providers to do the ID bridging, which can make the whole process automated and relatively hands off for the publisher, said Wohl. But it can also eliminate the publisher’s ability to examine the IDs being used in real time.

Publishers may be told which IDs their data provider will use at the time of signing the agreement, but there’s a risk of the data provider feeding different IDs into the equation later on without disclosing the change to the publisher.

“If that vendor were to suddenly add new IDs into the process, the publisher would have no knowledge of that happening … and would not become aware of it until an SSP partner said to them, ‘Hey, we noticed that you’ve been sending this strange buyer ID,’” Wohl said.

Why would this happen? 

ID bridging agreements are often structured as revenue shares: The publisher pays the data provider a portion of the revenue generated from ads sold using the IDs, which incentivizes the data provider to add as many IDs as possible to enrich the bid request and secure a high-priced sale, said Wohl. 

He argued that this ultimately diminishes the importance of supply quality in favor of short term profit, which could lead to advertisers eventually pulling away from the publisher’s supply. That’s why he’s trying to move to a software-as-a-service model. 

What’s the software-as-a-service model for ID bridging?

A SaaS model is a set fee in exchange for a consistent service, which ensures that the IDs used in bid enrichment are standard and nothing is added later on in the bid enrichment process that the publisher is unaware of. 

Are there limitations to ID bridging when it comes to how much data can be added to an ID graph? 

Ultimately, it will come down to each individual party’s comfort level. 

Wohl said that he would only entertain ID bridging if the IDs used in bid enrichment were UID 2.0 or RampID, but it requires specific agreements with data providers to make those terms happen. 

“I believe so much in supply quality and the publisher’s role in ensuring supply quality, and so plugging in these vendors and allowing them to foundationally change the nature of your supply by adding all these IDs and things to it that you didn’t generate yourself, it could be detrimental to the long-term view of the supply quality,” said Wohl.

Do publishers stand to benefit from ID bridging?

Yes and no. 

ID bridging can improve the volume of authenticated traffic a publisher would be able to sell to advertisers, increasing that share from 5% to upwards of 20%, said Wohl. “It is a force multiplier, and it’s probably more effective at quickly scaling up the ability to add UID 2.0s or RampIDs to your bid requests. It just has to be done in a responsible way.”

However, if not done responsibly and publishers allow data providers to load up bid requests with any and all identifiers they see fit, ID bridging could be overrun by ID spoofing and have ripple effects on the perception of the publisher’s supply in the open market. 

Are there standards for ID bridging yet? 

No, not yet. Some members of the industry are discussing how to attach ID bridging labels to bid requests, said Lewis. Meanwhile, IAB Tech Lab has created working groups to define the terms governing ID bridging. That would include declaring in the bidstream:

  • Which party added an ID in the bidstream?
  • Which party created the ID?
  • Does it pertain to multiple applications or websites?
  • What was the method used to create the identifier — authenticated user or inferred? 

The guidelines for ID bridging were published as part of the Tech Lab’s OpenRTB Updates in May, which are wrapping up their public comment feedback phase on July 8, Slattery said. 

“I think the lesson out of all of this is everybody needs to do their due diligence and really understand the origin stories of how attributes that are really important to decision algorithms are being created and generated,” said Slattery. “Not all uses of this are untoward. You just need to tell people what you’re doing.”

More in Media

Immediate deepens CMP strategy, slashes ad tech partnerships for sharper data governance

Consent management platforms at Immediate aren’t just about ticking boxes for data laws.

Teads’ M&A rumors are firming up with a deal to merge with Outbrain

The latest installment of ad tech M&A activity is leaving some industry folks surprised.