Dr Augustine Fou, from Marketing Science Consulting Group, Inc. and creator of FouAnalytics, emphasises the importance of advertisers using fraud-detection technology and requiring details from every vendor they pay when buying digital ads.  

Why are we talking about the Gannett mess-up one month after the story broke on Wall Street Journal –  “USA Today Owner Gannett Co. Gave Advertisers Inaccurate Information for Nine Months”? Because that’s how little time it took for the whole thing to blow over; everyone’s already forgotten about it and everything is back to business as usual. And that’s NOT OK, especially if you are an advertiser paying millions of dollars for digital ads.

A mistake, and not malicious

The Gannett mess-up was a mistake, rather than malicious, because the national news site – usatoday.com – was also mis-declared to be small hometown newspaper domains like Seacoastonline, Detroit Free Press, Indystar, etc. If it were malicious, the local news sites would always have been declared to be the national news site to get higher CPMs, not the other way around. In all cases, the domain was still incorrect – i.e., “mis-declared” – and the buyers of those digital ads were not getting what they paid for. This mistake continued for at least nine months. Billions of ads were transacted and no one in digital advertising noticed. But two independent researchers entirely outside of ad tech did “notice”. Researchers from Well-Known.dev and Adalytics.io analyzed header bidding code, plainly visible and unencrypted on the webpages, and documented for nine months that the domain passed in the bid request did not match the domain from which it originated.

The elephant in the room, the cover up

The “elephant in the room” is now the “cat’s out of the bag” as the saying goes. Such a simple mistake, euphemistically called “mis-declared domains,” was apparently missed by all the advertisers who paid for the ads, all the ad exchanges (a dozen), the media-buying agencies, and the fraud detection tech companies. Or was it that they noticed, but ignored it anyway? We’ll never know that for sure.

But what we do know now, in the month since this went public, is that every single fraud-detection vendor has sent out press releases, written blog posts, and sent emails to clients saying that this was not a problem, that this problem was so small they didn’t alert their clients, or that they caught all of it and none of their customers were affected by it. Those claims seem to run counter to the facts.

Data shows that every month nearly 31 billion bid requests with the domain usatoday.com flow through two dozen ad exchanges for buyers to bid on and every single exchange has paid for fraud detection tech. But after nine months and an estimated 279 billion bid requests, no one thought to alert buyers about the “mis-declared” domains or do anything about it, before the WSJ article? And this was from one single publisher. Hundreds of trillions of bid requests pass through dozens of exchanges every month. Unlike the mainstream newspaper publisher who “mis-declared” the domains accidentally, fraudsters falsify the domains purposefully, all the time.

To be more specific, a bid request originating from fakesite123.com has to pass a falsified domain; otherwise, no one would bid on it. Clever fraudsters can even commit ad fraud with no websites or web pages. They simply fabricate bid requests with algorithms and lie – i.e., “mis-declare” – everything from the domain to the page URL. Will the fraud-detection tech that failed to catch the Gannett mess-up actually catch the fraudulent bid requests with purposefully “mis-declared” domains? Or will they just re-assure customers that fraud is so small they didn’t alert them or that “they caught all of it” and “none of their customers were affected”? Oh, they’ve been doing that for years – sending out press releases and quarterly media quality reports showing single-digit IVT (“invalid traffic”).

The real problem, and what buyers should do next

Advertisers and their agencies have also been paying for fraud detection for years. Let’s assume the tech from those vendors does catch some of the fraud; but we should also assume that the tech doesn’t catch all of it. The point of this real-world lesson is that buyers should ask for more details from every vendor they pay, when buying digital ads.

The best next steps

  1. Ask the exchange for detailed placement reports and look at the domains listed. If there are domains that are missing, N/A, or “not set” ask why. How would you know where your ads went, or if your ads were served at all, if the report lists no data?
  2. Ask your media agency to show you detailed reports and give you logins to dashboards so you can spot check during the campaign and not wait till the campaign is over – only to find out that half your ads went to “N/A.”
  3. Ask your fraud-detection vendor to send you detailed reports that show both the domain where the ad ran and the domain passed in the bid request, so you can spot check if there are any obvious mis-matches – like the independent researchers did. It’ll be obvious when you see it.

Advertisers, brands, and ad buyers – don’t let the learning opportunity from the Gannet mess-up go to waste and go back to business as usual. The cat’s out of the bag, now. Or was it the elephant?