The latest trend in ad tech fraud: Faking GDPR consent strings

The digital ad industry has been on tenterhooks since the Information Commissioner’s Office released its warning report to ad tech in June, which stated the current way data is used for real-time bidding isn’t legal under the General Data Protection Regulation.

Since then, publishers and vendors have been going back over their compliance strategies, and more audits are being undertaken to check if all is as it should be. Some of these audits are highlighting dodgy practices, like fraudulent consent strings.

Given GDPR is relatively new, so is consent-string fraud. It first began bubbling to the surface as an issue last August just after the arrival of the law. It’s also been a bone of contention with ad tech vendors who have witnessed other vendors injecting fraudulent consent strings into the digital ad ecosystem.

But what exactly is it, and what problems does it cause? Here’s a primer.

Remind me what a consent string is.

It’s what’s used by all ad tech vendors to identify whether or not they have a user’s consent to use their data in order to send them GDPR-compliant targeted ads. A publisher’s consent management platform stores whether a user has said yes or no to allowing their data to be used. The CMP then passes the information through to the publisher’s programmatic ad partners so everyone is on the same page. Consent strings have been assigned by the Interactive Advertising Bureau Europe, and every vendor that is part of its Transparency and Consent Framework uses one. The string itself is a string of ones and zeros: “1” signals there is consent, “0” signals there is no consent. The positions of the numbers identify which vendors have consent and for what purposes (like sending targeted ads).

So that’s now being manipulated?

This is ad tech, so of course. Dummy strings are being created in some instances. Currently, it is easy to manipulate a consent string, and some vendors are doing so in order to appear to have more user consent than they do, so they’re not blocked from buying and selling inventory.

“There’s some very odd stuff going on,” said Chloe Grutchfield, co-founder of RedBud, which has developed a tool to audit compliance on behalf of publisher clients. “Completely fake consent strings are being hardcoded and shared with the ad ecosystem when the user has actually revoked consent across all purposes and vendors.”

How easy is that to do?

Surprisingly easy. You can create a dummy consent string that looks very similar to a legitimate one, but which uses a different CMP ID to the one it should. That’s only visible once it has been decoded.

Who is responsible for this?

The cases that have been detected by RedBud are so-called “tier-two” level vendors, which means those that don’t work directly with the publisher, but rather with the bigger vendors that do and which have been granted permission by that publisher to use data for certain purposes that help those publishers monetize their inventory. It’s at that secondary stage in the passing of data that there are instances of fraudulent consent strings popping up.

How common is this?

Like much of programmatic, that’s unclear. Businesses that are starting to track it haven’t yet accrued enough data to show the scale of it.

Why is this happening when there are GDPR fines at stake?

Like with any kind of fraud: There’s money to be made and low risk of getting caught.

What is being done to address it?

Currently, not much. Consent-string fraud is not yet a problem widespread enough to warrant focusing on finding ways to throttle it entirely. But like any non-policed area, nefarious tactics can grow, so it is better to be in front of it than to be playing catch-up. There are two main options that have been discussed. The first is for it to be audited and policed, preferably by a neutral body. The second is to encrypt the string, something that’s not currently feasible.

“If there was a cop — whether the IAB or someone was appointed to that role — they could randomly check consent signals in the chain,” said Mathieu Roche, co-founder of ID5. “The other option is to have a by-design enforcement, so encryption around the string. It’s something potentially blockchain technology could help with, so nothing can be tampered with.”

https://digiday.com/?p=348922
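
The audit described above, where a wrong CMP ID "is only visible once it has been decoded," can be run mechanically on strings observed downstream of the publisher. The following is an added example, not code from the article or from any vendor's tool; it assumes the IAB TCF v1.1 bit layout with bitfield vendor encoding, and the function names, the CMP IDs and the sample strings are constructed for illustration.

```python
import base64

# Header fields of an IAB TCF v1.1 consent string, in order: (name, width in bits).
HEADER = [("version", 6), ("created", 36), ("last_updated", 36), ("cmp_id", 12),
          ("cmp_version", 12), ("consent_screen", 6), ("consent_language", 12),
          ("vendor_list_version", 12), ("purposes", 24), ("max_vendor_id", 16),
          ("encoding_type", 1)]

def decode(consent_string):
    """Decode the header and the bitfield vendor section of a v1.1 string."""
    raw = base64.urlsafe_b64decode(consent_string + "=" * (-len(consent_string) % 4))
    bits = "".join(f"{byte:08b}" for byte in raw)
    out, pos = {}, 0
    for name, width in HEADER:
        if pos + width > len(bits):
            raise ValueError("consent string is truncated")
        out[name] = int(bits[pos:pos + width], 2)
        pos += width
    if out["version"] != 1 or out["encoding_type"] != 0:
        raise ValueError("only v1.1 bitfield-encoded strings are handled here")
    vendor_bits = bits[pos:pos + out["max_vendor_id"]]
    if len(vendor_bits) < out["max_vendor_id"]:
        raise ValueError("vendor bitfield is truncated")
    # Position i (1-based) set to "1" means purpose i / vendor i has consent.
    out["purposes"] = [i + 1 for i, b in enumerate(f"{out['purposes']:024b}") if b == "1"]
    out["vendors"] = [i + 1 for i, b in enumerate(vendor_bits) if b == "1"]
    return out

def audit(consent_string, expected_cmp_id, user_revoked_all):
    """Return findings for one consent string seen downstream of the publisher."""
    c, findings = decode(consent_string), []
    if c["cmp_id"] != expected_cmp_id:
        findings.append(f"CMP ID {c['cmp_id']} does not match publisher CMP {expected_cmp_id}")
    if user_revoked_all and (c["purposes"] or c["vendors"]):
        findings.append("string signals consent although the user revoked everything")
    return findings

def build_sample(cmp_id, purposes, vendors, max_vendor_id=16):
    """Encode a constructed sample string (test data, not captured traffic)."""
    v = {"version": 1, "created": 15600000000, "last_updated": 15600000000,
         "cmp_id": cmp_id, "cmp_version": 1, "consent_screen": 0,
         "consent_language": (4 << 6) | 13, "vendor_list_version": 100,
         "purposes": sum(1 << (24 - p) for p in purposes),
         "max_vendor_id": max_vendor_id, "encoding_type": 0}
    bits = "".join(f"{v[n]:0{w}b}" for n, w in HEADER)
    bits += "".join("1" if i in vendors else "0" for i in range(1, max_vendor_id + 1))
    bits += "0" * (-len(bits) % 8)  # pad to a whole number of bytes
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")
```

Calling `audit(build_sample(99, [1, 2, 3, 4, 5], range(1, 17)), expected_cmp_id=7, user_revoked_all=True)` returns both findings, while a string built with CMP ID 7 and no consent bits returns none.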