Supply-side provider Colossus accused of misrepresenting user IDs in ad auctions

A report released today by Adalytics, an advertising quality and transparency platform, alleges that a supply-side provider (SSP), Colossus SSP, systematically misrepresented user IDs in ad exchanges.

The report – which analyzed publicly-available data via ad source code and bid responses served by demand-side provider (DSP) The Trade Desk on behalf of various advertisers and across a range of publishers – found that, out of 16 common SSPs, 15 accurately matched declared user IDs with those stored in user browsers. Colossus, however, stood out as an outlier, frequently presenting mismatched IDs.

So why does this matter? Programmatic advertising relies heavily on user IDs to deliver targeted ads to specific audiences. These IDs, like digital fingerprints, hold valuable information about user demographics and browsing habits. For advertisers, accurately targeting these IDs can significantly impact the effectiveness of their campaigns. Thus, a mismatch between the IDs stored on user browsers and the IDs presented to media buyers could result in ads being served to the wrong audiences.

“The information and evidence we saw suggests … that Colossus, in this case, was misrepresenting IDs in a way that is inconsistent with what advertisers believe they are buying,” says Jay Friedman, chief executive officer at Goodway Group, a digital marketing agency.

Outside of advertisers’ interests, misrepresenting user IDs could have significant implications for users’ data privacy. Inaccurate user IDs might, in theory, prevent users from exercising their rights under key privacy legislation like the EU’s General Data Protection Regulation or the US’ 15 state privacy laws, as users may be unable to verify the information being collected about them.

A spokesperson for Colossus’ parent company Direct Digital Holdings (DDH), said in a statement shared with The Drum it was not given the opportunity to see the report before its publication, in spite of “repeated requests.”

Nonetheless, the company spokesperson said: “We believe that there has been a concerted effort to seek financial gain by attempting to discredit the performance and operations of DDH … We have learned that there is a so-called research report from Adalytics, a for-profit entity, making intentionally false, misleading and inaccurate statements…”

The blame game gets muddled

Colossus feels Adalytics’ statements “do not accurately represent the connections within the programmatic value chain and the role of Colossus SSP through The Trade Desk,” the spokesperson said.

Specifically, they said that Colossus doesn’t directly share any user IDs from The Trade Desk when participating in ad auctions, but through “a publicly traded intermediary” – something the company does, according to the spokesperson, in order to comply with both The Trade Desk’s rules and OpenRTB, a standardized framework governing how media is traded in the programmatic ecosystem.

That intermediary is BidSwitch, a ‘middleware’ that connects players within the programmatic ecosystem.

Though it would appear that Colossus is pointing the finger at BidSwitch, Criteo defends the integrity of BidSwitch’s role. “BidSwitch operates as a neutral ‘passthrough’ platform, sending traffic from SSPs to DSPs without manipulating the content of bid requests from SSPs or bid responses from DSPs,” Criteo’s general counsel, Ryan Damon, said in a statement. “Bidswitch has been doing this for over 11 years with hundreds of partners throughout the industry, including the very largest. Any claims or implications by Colossus SSP that BidSwitch is to blame for Colossus SSP’s manipulation of the content of bid requests are untrue and we encourage all parties to investigate further into the merits of any such statements before publishing untrue statements.”

The Adalytics report also explains that, in comparing Colossus with another SSP that transacts via BidSwitch, TrustX, discrepancies between declared and actual user IDs were only observed with Colossus, not TrustX.

So, what could be going on?

Adalytics does not allege that Colossus has misrepresented user IDs knowingly, nor does it speculate on the company’s motivations. However, one source tells The Drum that the findings insinuate that Colossus could have been purposefully misrepresenting user IDs – a practice that could potentially trick media buyers into thinking they are buying higher quality audiences than they actually are.

“This research shows us that it's possible the millions of dollars spent identifying target audiences, and aligning creative to said audience could be wasted,” a Fortune 500 brand executive said in the report. “This also creates a worse experience for the consumer, as the advertising being shown could be completely irrelevant.”

An executive at a media publishing network, who spoke with The Drum on the condition of anonymity, said that, upon reviewing data from their own properties, they initially thought that Colossus may simply be practicing user ID bridging.

User ID bridging is a technique that links user identities across different platforms or environments, particularly in scenarios where traditional tracking methods like cookies are not available or effective. It involves correlating user IDs from one environment, such as a browser with third-party cookies, to another environment with limited third-party cookies or different kinds of data signals, such as mobile apps or a cookieless browser like Safari, ultimately helping adtech players to make an educated guess at a user’s identity.

The practice aims to maintain continuity in user targeting and tracking across touchpoints, enabling advertisers to deliver more personalized, consistent experiences. In lieu of deterministic signals, it’s generally thought to be acceptable so long as it’s done transparently and ethically, in a privacy-preserving way.

While there are legitimate reasons for ID bridging, it’s not always necessary, especially when long-term deterministic identifiers like third-party cookies are available. In fact, misrepresenting user IDs (via ID bridging) in cases where accurate, deterministic identifiers are readily available, might fall into the Media Rating Council’s definition of ‘Sophisticated Invalid Traffic,’ and may therefore be considered fraudulent.

However, it’s possible that Colossus is up to something more complicated and potentially nefarious.

If an SSP like Colossus wanted to con media buyers into paying higher sums, it’s possible that it could routinely swap out the ID associated with a user’s unique profile or device, misrepresenting the user ID during ad auctions. The SSP might do so to trick a media buyer into believing they are reaching a more high-value user or to bypass frequency caps and thereby get a bigger paycheck by bombarding one user with the same ad over and over.

This behavior, known as ID rotation, can of course lead to inaccuracies in ad targeting and measurement. ID rotation is generally considered to be an unethical practice in the industry.

“ID rotation helps SSPs – in the very short-term – increase revenue for themselves and their publishers on a given ad call,” says Goodway Group’s Friedman. But it’s a dangerous game, he warns. “Of course, once it’s been discovered, it’s more likely to lose significant revenue for them as advertisers lose trust.”

The media publishing executive we spoke to said that their team, which uses Colossus, found some anomalies in its source code. The team set up a variety of devices to test what kind of IDs popped up and won bids on its site. Among the 33 SSPs used by the company, all but Colossus presented IDs that matched the IDs of the devices they’d set up. Colossus sometimes presented IDs that did not match the device IDs. The source caveats that their team’s in-house experiment was limited in scale and that a third-party evaluation by a group like Adalytics is likely to present a more comprehensive picture.

The source says that a number of demand-side providers (DSPs) have flagged their own concerns about Colossus. On Tuesday of this week, the source’s company paused all business with Colossus.

A failure on the part of ad verification partners?

Colossus partners with at least three ad verification and anti-malware partners – Human, Oracle Moat and Confiant. While these partnerships suggest a commitment to combating ad fraud, the observed discrepancies in user IDs raise questions about the effectiveness of these measures.

The spokesperson for Direct Digital Holdings said: “Colossus SSP has always been diligent when it comes to quality and transparency, working with Human, Confiant, Moat and other trusted industry partners to ensure we meet the highest standards in supply.” The spokesperson also emphasized that “integrity, accountability and transparency” are “core values” at the company.

The company’s website indicates that Human works with the SSP on both the pre- and post-bid sides to mitigate fraud, while Oracle Moat provides Colossus with viewability and invalid traffic metrics. Both Human and Oracle Moat are Media Rating Council-accredited for ’Sophisticated Invalid Traffic Detection/Filtration,’ as well as Trustworthy Accountability Group-certified.

Confiant, meanwhile, offers creative scanning and security measures to the SSP to prevent malware or ad hijacking.

However, not all industry players are confident in verification providers’ ability to spot inaccuracies, misrepresentations or bad behavior in the ecosystem. Goodway Group, for its part, “has advised its clients to use analytics platforms – like Fou or Adalytics – in lieu of, and not in addition to, verifications vendors,” says Friedman. “In side-by-side tests we saw analytics platforms reveal significantly more, and more useful information about how we could minimize ad waste than we were exposed to with verification vendors.”

A spokesperson for Confiant told The Drum: “Confiant is not an ad verification or fraud prevention vendor. Creative verification – anti-malvertising, our expertise – is often confused with ad verification.“

At the time of publishing, neither Human nor Oracle have responded to The Drum’s requests for comment.

A financial incentive at play?

Though the extent of Colossus’ knowledge about its ID misrepresentation issues is unclear, the company appears to be facing some degree of financial pressure. Direct Digital Holdings revealed in mid-April that its independent accountant, Marcum, resigned in the wake of a late SEC filing. (An extension was needed, the company said in early April, because it needed additional time to finish the audit of its financial statements).

The company, however, denies that it’s facing financial trouble. “DDH remains operationally well-positioned and financially strong with estimated 2023 [financial year] earnings of $157 million and is experiencing continued growth into 2024,” the company spokesperson said in a statement. “We maintain a solid financial relationship with our partners and are committed to continuous improvement and strengthening our products and services.”

The spokesperson said: “We will vigorously defend our company’s reputation and will pursue all appropriate legal actions and remedies to address these intentionally false statements and fundamental misrepresentations.”

The need for media buyers to audit their own investments

Adalytics’ handling of this report, the spokesperson suggested, indicated that the ad quality firm is “seeking attention instead of accuracy.”

It’s certainly not the first time Adalytics has stirred the pot with allegations of bad behavior in the adtech world. Just last month, the company accused Forbes of operating a secretive, spammy, ‘made for advertising’ subdomain that misled major brands like Microsoft and Disney into believing they were buying media on the publisher’s flagship news site. Last summer, Adalytics took over headlines when it shined a spotlight on some of Google’s unsavory ad practices.

Adalytics’ report on Colossus concludes with a call-to-action urging media buyers to be scrupulous in assessing SSP and DSP partners – and ultimately to take the health of their media investments into their own hands.

“Brands and ad tech entities are encouraged to audit their own media buys,” the study reads, “to analyze how much each entity transacted with any given vendor and whether the ad delivery via that vendor was consistent with their expectations.”

For more, sign up for The Drum’s daily newsletter here.