Cleaning up the ecosystem means taking a hard look at the damage done by the rise of programmatic. Domain spoofing, click farms, bot networks, traffic trading and attribution are negatively impacting brand safety and user experience. All the players in ad tech are now well aware that the resulting lack of transparency surrounding ad and inventory quality is taking its toll on the industry, and the creation of ads.txt and ads.cert prove that the everyone has finally come together to take a stand against fraud.
United in the fight against fraud
Unlike the fight to strengthen data privacy (through GDPR), this united front against fraud was born from within the industry, which means it's the result of a true awakening. And the mother organization of ad tech - the IAB - is leading the charge. The IAB has realized that the best way to hit the culprits hard is to go after the money flow.
Ads.txt was the first step
The IAB decided to hit domain spoofing first, creating a standard, ads.txt, to crack down on the sale of unauthorized inventory. Ads.txt allows publishers to indicate to buyers who has the right to sell their inventory. But ads.txt is more than just an opportunity for premium publishers to secure their traffic. As the first real step towards a healthier ecosystem, ads.txt is on track to becoming one of the fasted adopted IAB standards ever.
According to Pixalate, publishers incorporating ads.txt jumped from 3,523 in September to 136,001 (as of 19 February). DSPs have been a bit slower to embrace it, but, as Dr. Niel Richter of Rakuten Marketing explains, many will change their buying mechanisms after Q4 2017, so we'll have to wait until the end of January to have a better picture of the buy-side adoption rate.
One of the most important outcomes of ads.txt, though, is the IAB's recognition that the standard is just the beginning of the fight against domain spoofing. The proof? They've already started working on the follow up, ads.cert.
What is ads.cert?
Ads.cert is a digital signature on a piece of ad inventory, that can be verified against a shared key. It validates the information that passes between the buyer and seller at each stage of the digital ad supply chain and stops fraudsters from tampering with a publisher's inventory.
Neil Richter has been using a great analogy to describe ads.txt vs. ads.cert: Imagine you want to buy a Rolex. You'll naturally want to verify the store you purchase the watch from is an authorized dealer. But you'll want to make sure the goods they sell are authentic as well. For our purposes, ads.txt authenticates our Rolex dealer, while ads.cert tells us the Rolex and all its parts are real, and haven't been tampered during its trip from the factory to the dealer's outlet.
Why publishers should implement ads.cert ASAP, and with the same enthusiasm as ads.txt
As many in the industry now know, companies are trying to trick publishers into adding them to their ads.txt files. That's because once they're in, they have "carte blanche" and can potentially spoof that domain. If the fraudster does get in, the SSP they're running through will send a bid request from a fake or non-existant domain. This SSP may be part of the fraud scheme, but it could also just have a weak fraud detection system that makes it susceptible to receiving fake domains.
Whatever the case, publishers should adopt ads.cert because it aims to put a stop to these companies trying to slip into ads.txt files. This newest standard will require all bid requests to be signed by the real domain with a 64-bit visual signature. These cryptographically signed bid requests authenticate the inventory in question and show its path. Bidders can check adst.txt to see if the bid request was authorized, then verify the authenticity by testing the certificate with the public key. If the inventory passes the test, they know that it has come from a certain server and that the information (name of domain, publisher ID, inventory format) has not been tampered with. Fraudsters will have a very hard time getting through this because only the legitimate publisher and tech providers will have the "fingerprint".
When will ads.cert be available?
The IAB is currently working on the ads.cert specs and it should be available with Open RTB 3.0. Not soon enough for you? Well, as Niel Richter explains, most security approaches are done in layers. Ads.txt was first, but ads.cert will take longer. We may have to wait a few months, but it will surely bring us one step closer to ensuring authentic inventory and cleaning up the ecosystem.
What's next?
Companies are already beginning to explore how blockchain tech (payment terms, measurement, safety and transparency) will look when applied to ad tech. For the buy side, a block chain quality check would mean less discrepancies - advertisers will know where their money is going and they'll better choose their intermediaries. For the sell side, it would mean more direct, quicker, certified payments. A blockchain certification pushed by the biggest players on the buy side is clearly the next step.
https://iabtechlab.com/ads-txt/
https://iabtechlab.com/~iabtec5/wp-content/uploads/2017/09/OpenRTB-3.0-Draft-Signed-Requests-RFC.pdf
https://adexchanger-com.cdn.ampproject.org/c/s/adexchanger.com/online-advertising/will-ads-cert-iabs-next-big-inventory-clean-play/amp/
https://digiday.com/media/what-is-ads-cert/
https://www.youtube.com/watch?v=5pAUHrSE8j4&feature=youtu.be&list=UUC41Wkvj5FyelFirGe4Q8uA
https://www.admonsters.com/ad-ops-decoder-ads-cert/
