Welcome back to BRANDED, the newsletter exploring how marketers broke society (and how we can fix it).
Here’s what’s new with us (we’ve been BUSY!):
Last BRANDED, we revealed an undercover(ish) scheme that enables unrelated groups of publishers to quietly share account IDs meant for only one of them, pool the collective ad revenues and then split it up amongst themselves.
We’ve always understood Breitbart’s business model as a classic programmatic play: they publish hateful content and earn $$ through impressions and clicks. The logic behind the Sleeping Giants campaign was: block their website and they won’t get your money.
And yes, that shut them out of earning ad revenue the normal way. But we’ve now identified another lucrative way for them to continue collecting within the same ad tech ecosystem: by sharing DIRECT account IDs and cashing out through unknown entities called dark pool sales houses.
(This is roughly equivalent to one restaurant sharing its liquor license and card reader with a bunch of other bars in your city and then splitting the cash at the end of the night — it’s both a zany potential episode of It’s Always Sunny In Philadelphia and illegal.)
One company — the world’s biggest ad exchange — could help us end this practice overnight. But they’re holding out on us.
Today, we’re going to explore how unknown entities around the world are extracting unlimited sums of money from unsuspecting advertisers because Google is holding onto key data like it’s a state secret, in order to maintain its own competitive advantage.
This goes beyond a standard brand safety issue. It’s a privacy issue, an antitrust issue, and because of the international money laundering implications, an issue of national security.
The following companies issued responses to our last issue:
33Across (the SSP we highlighted in our last issue) issued a response saying:
“We have reached out to our supply partners and the sites who list the 33Across Ads.txt line on either Breitbart.com and RT.com to have them removed.”
Since publication, the 33Across records have been removed from Breitbart’s ads.txt file.
Saambaa (a self-described ‘event discovery platform’) reached out to us to point the finger at a ‘3rd party ad management company’:
“The Breitbart ad inventory is managed by a 3rd party ad management company. We work with them on other sites and they have grouped our ads.txt as part of their larger assembly of ad buyers on Breitbart.”
The company that Saambaa is talking about here is Granite Cubed, the exclusive advertising broker for Drudge Report, which has been extensively covered by Craig Silverman at Buzzfeed. Drudge Report and Breitbart have numerous overlapping ads.txt records, a potentially telltale sign of dark pool sales houses at work.
Microsoft updated nearly 100% of their ads.txt files on Bing and MSN using their own schema. All their sales houses (and any dark pool sales houses) are now labeled, and even include schema that identifies business names and countries. See for yourself!
The IAB (the ad industry association) defended ads.txt (which they created) in a blog post titled “Don’t blame the tools; Learn how to use them”. Here’s Zach’s response to that letter. We thank the IAB for their attention, and look forward to seeing how they help marketers protect their ad budgets.
We’re also thrilled that our research inspired a handful of new products to help advertisers cross-check their ads.txt records. Like this one, which found “a handful of sellers misclassify nearly all their sources as a direct relationship (publisher), when the sources are, in fact, intermediaries.”
When Breitbart was shut out of 90% of its ad revenues, it was because thousands of advertisers blocked their domain (www.breitbart[.]com). That closed up one revenue stream — we’ll call it “the front door.”
But there would still be another way for Breitbart to cash out: they could enter into partnership agreements with other publishers, use those publishers’ DIRECT IDs, direct the ad dollars to dark pool sales houses — a name we came up with because they can operate as untraceable shell corps — and split the cash from there.
We call this “the back door.”
When Breitbart became the subject of the Sleeping Giants campaign, they only lost “front door” access. But the back door is still open: there’s nothing stopping them from using other account IDs or partnering with other publishers who agree to mislabel DIRECT inventory with them.
What does it mean to go through the back door? It means you can cash out from the other end:
Advertisers would never know who the money actually ends up with, because there is no publicly available directory of sales houses for them to check on.
If you were, say, part of a global fascist propaganda effort, you might partner up with alt-right organizations around the world, set up a common shell corp and use this back door to fund your activities. The added bonus? You can use all that user data you’re collecting together to target citizens more efficiently ahead of important elections. ¯\_(ツ)_/¯
Let’s work backwards together to look at how the adtech ecosystem makes high-stakes fraud possible.
After our last issue, a lot of folks asked us why it matters if publishers are sharing DIRECT IDs. You can technically make up anything you want on an ads.txt file. Maybe they just copy/pasted more records in so it looks like they’re popular with vendors?
That surface-level understanding of mislabeling is why it has not generally been policed by DSPs and why marketers aren’t aware of what’s going on.
There are actually two financially sound reasons the bad guys would share DIRECT IDs:
Whether a publisher like Breitbart partners with their friends around the world or just buys up a bunch of websites on their own, sharing DIRECT IDs is a fast track to racking up high value impressions and clicks.
That would give Breitbart a new lease on life as a data broker.
Now, once you have the money, you need to get it out, right? So where do those ad revenues actually go? To the sales house. Lucky for Breitbart, anyone can form their own dark pool sales house — easy to do because you can legally link it to an anonymous LLC — and serve themselves and their friends.
This structure is how most SSPs operate, except without the sketchiness and anonymity. That’s why you can think of a dark pool sales house as a “pseudo-SSP.” It works like any other SSP, but you don’t know who owns it.
Sure, that’s one way to put it. You could also call it “rampant money laundering.” If you’re able to be a data broker (which you can) and control a sales house (also very simple), you can effectively control your own secret supply chain.
The IAB (the Interactive Advertising Bureau) says they’ve built the tools and architecture to check on these things. Together, the following two standards are meant to bring a level of transparency to ad buying:
But there are some glaring holes:
And then there’s this dealbreaker:
In other words, there is no process that documents bad actors for advertisers. There’s really no one in the ecosystem holding anyone accountable for anything.
Google has God’s dashboard to ads. But even their records contain hundreds of mislabeled domains. (And we only looked at a tiny fraction of Google’s total inventory).
So how is anyone in the industry supposed to properly conduct their ads.txt-sellers.json checks when not buying through Google?
We tried to find out for you. Before we released the last issue, we reached out to Google with a list of account IDs from the Breitbart dark pool sales houses, which were from Google’s own advertising system. We still haven’t heard back. Most of those records are still active.
As of now, Google’s policy still allows for shell corporations to create seller accounts, get approved as both publisher and intermediary (aka DIRECT vs. RESELLER), and then label those account IDs as DIRECT across hundreds of unique websites.
Google does offer more information if you use their ad exchange instead of their competitors. In other words, you can reduce fraud only if you advertise through Google, because they haven’t made those tools available to anyone else.
If Google is the only safe place to buy ads because they own all the data, that seems like an antitrust issue to us.
The seller.json directory they released a couple months ago has two problems:
What can we do with this information? Two things. First, check out Nandini’s Twitter thread about how to ask your ad exchanges to fix ads.txt labels.
Then, send Google an email — here’s a handy template:
I’m writing today to understand how you plan to address ad fraud taking place across the ecosystem.
That’s it for us. Thanks for reading, we’ll be back next time with more!
Claire & Nandini
Did you like this issue? Then why not share! Please send tips, compliments and complaints to @nandoodles and @catthekin. Big thanks to Zach Edwards (@thezedwards) for making this story possible.
Check My Ads Institute is a non-profit 501(c)3 organization.