WTF is ID spoofing?


This article is a WTF explainer, in which we break down media and marketing’s most confusing terms. More from the series →

In light of the discovery, ad tech execs accused Colossus of tricking advertisers into buying audiences they weren’t trying to target. The claim was that the sell-side platform was changing the user ID attached to an ad impression to make it more appealing to advertisers. Thus, the SSP could charge a higher CPM.

A few terms were thrown around in the report — as well as by digital ad execs debating the impropriety — to describe the alleged misbehavior, including “cookie stuffing,” “ID mis-matching,” “ID spoofing” and “ID stuffing.”

At its purest, cookie stuffing is the misattribution of a click or impression to an unintended user or company. Digiday covered cookie stuffing a few years back as it pertains to affiliate marketing, but turns out it can be done in programmatic advertising as well. The latter three terms, however, seemed to be used interchangeably, all insinuating that an ID was changed without knowledge or agreement by the buyer to yield a better result for the seller.

For the purposes of this article, we’ll use “ID spoofing,” given the nefarious connotation of “spoofing,” and the fact that trickery is involved in the action, versus an accidental mis-match. Just know, you may encounter the other terms in your readings.

WTF is ID spoofing? 

ID spoofing is when an ad exchange or an ad inventory seller swaps the user ID targeted by the buy side in the DSP to a different ID that is either of higher value or offers more appealing data to an advertiser. It primarily occurs in a third-party cookie friendly environment, like the Chrome browser, and relies on cookie IDs. 

Are these spoofed IDs completely made up?

The most nefarious version would be the fabrication of a user ID, but it can also happen by finding another user ID associated with a different device the user owns or perhaps one for someone else in that user’s household, according to Chris Kane, co-founder of Jounce Media. 

Here’s a visualization exercise that Kane shared: 

Imagine the user you’re trying to target is the bullseye on a dartboard and the dart closest to the bullseye is the user ID that’s the most accurate identifier for said user. That ID is pulled from the cookie in the user’s current browser or IP address, so you are close to certain you know who that user is. 

However, there are other darts on the board that are in the further out circles. They represent other IDs known to be adjacent to the user, or perhaps to someone in that user’s household, but they’re not guaranteed to be that exact same person. The darts are appealing, though, because they have different information about that person from what was collected by the bullseye’s ID. 

Can you give me an example of how associated IDs can be used for spoofing?

Sure. Let’s say the ID from a user’s personal computer could have collected search inquiries for car insurance, but they’re currently on their separate work computer. The SSP knows that the ID from the personal computer would be extremely valuable to you as an insurance advertiser, but that’s not the device that the targeted user is currently on. Regardless, the SSP decides to swap out the ID associated with the work computer — the bullseye ID — and swap in the personal computer ID because it can increase the CPM, knowing full well that you’d pay more for a user that has a higher propensity to buy your insurance. 

You still don’t know if that’s the same person who used the personal computer, though. And even if the CPM remained the same price as the work computer’s original user ID, you’re still not actually buying an ad targeted at the person you think you’re targeting.

Is this fraud? 

It seems to depend on intent. While “ID spoofing” or “ID stuffing” is not explicitly named in the Media Rating Council’s definition of Invalid Traffic Detection (subhead “Sophisticated Invalid Traffic” or SIVT), cookie stuffing is, and it is described parenthetically as the “inserting, deleting or misattributing cookies thereby manipulating or falsifying prior activity of users.”

What’s more, the action is intended to upsell an advertiser on a user that’s not who the seller claims it is. Especially if the user ID being swapped has falsified data — or is even representing a completely fake user — versus actually belonging to a real human being. 

“There is no question at all that if an SSP knows deterministically based on its cookie sync with a DSP, the DSP currently calls browser ‘123,’ you should not issue a bid request with any value other than ‘123.’ And if you do, that is fraudulent and clearly in violation of MRC standards,” said Kane.

Mike O’Sullivan, co-founder of ad data firm Sincera, said he thinks ID spoofing/stuffing is wrong.

“I think this is potentially a new frontier for ad verification, but also, to a certain degree, it’s a little bit of a KYC [Know Your Customer] issue more than anything else,” said O’Sullivan. “It is fairly esoteric,” as it’s not considered brand unsafe, nor is it dealing with bot traffic, but he added “it’s mischievous or malicious intent. And I do think there should be a system that captures that.” 

Who is supposed to catch ID spoofing? 

Either verification firms or DSPs, according to industry executives, though there’s not really a consensus.

Some of the agency and publishing execs who spoke to Digiday about the Colossus snafu said that ID spoofing should be caught by verification firms, but not all agree that this is within the firms’ remit. 

Given the act of “manipulating or falsifying prior activity of users” is included in the MRC’s guidelines for SIVT, several execs argued that any entity accredited by the MRC to detect fraudulent activity in the programmatic market should be held accountable for capturing this. 

Other execs argued that because the DSP should be able to detect a different user ID from the original one it sent during the auction, it’s on the DSP to catch and report the discrepancy to their clients. 

“It just underscores the importance of trust, because the bid request is a declaration. Opportunity exists to verify what’s in that declaration, but I don’t know if verification [firms] can always keep pace with the level of innovation, and thus new data, that’s in the bid request,” said O’Sullivan.

How is this different from ID bridging? 

Again, intent. The short answer is that ID bridging is a cookieless solution to scale the user’s alternative ID across windows and devices. It would only take place in browsers like Safari where the third-party cookie has already been deprecated.

O’Sullivan, meanwhile, considers current ID bridging as falling into a gray area in its current form, because it’s often not disclosed. “The difference is, you have a plausible excuse for when you do it for bridging and in many cases with bridging, buyers and sellers have arrangements to allow for that,” he said.

Will this be an issue once Google deprecates the third-party cookie?

In theory, once third-party cookies are gone, the problem of ID spoofing will go as well. However, there’s no way to know if a new iteration of ID spoofing will crop up in a cookieless environment. While ID bridging and other bid enrichment tactics are done credibly, if we’ve learned anything about the digital advertising industry over the past couple of decades it’s that there will always be someone trying to game the system.

This article has been updated to reflect that, while Adalytics discovered Colossus was mislabeling IDs, it did not accuse the company of tricking advertisers. O’Sullivan also clarified his comments about there not being a gray area in ID spoofing, but there is a gray area in ID bridging.


Please enter your comment!
Please enter your name here

Share post:



More like this