A (cookie) bridge too far

When we said we wanted a cookie replacement, we didn't mean THAT!


This article appeared in the Marketecture Newsletter. If you like this kind of coverage, please subscribe.


On the Marketecture podcast we’ve mentioned a couple of times the trouble brewing in the bid stream around unreliable and undocumented identifiers being used to replace the declining third-party cookies. This week Catherine Perloff at AdWeek broke this story with a lot of detail. I’ll do my best to add to it, but her article is a must read.

No ID, no service

First, we all know that auctions without IDs monetize far worse than those with IDs. The benchmark/conventional wisdom for Safari is 30% of the monetization of Chrome. There’s a pretty big incentive to have IDs in the auctions if you’re selling media as a publisher or an SSP.

Second, while we’re all getting excited about moving to the cookieless future (woo hoo!), some of us are moving a little slower than others. Most DSPs were built primarily for the purpose of buying audiences, using cookies. As an unexpected result, when the ID is not present in the bid request the DSP may do strange things, like not bid at all.

Third, and most perniciously, advertisers and agencies may put undue faith in the veracity of deterministic IDs and may not readily be able to test or verify that those IDs are, in fact, deterministic. After all, isn’t a hashed email a real, verifiable data point? Yes, but it might not match the auction you just bid on.

The mechanics

The AdWeek article goes into some depth on how this works. Here are some bullets to make you seem smart:

  • ID Bridging (new term for me, too!). If you don’t have an ID for a user, you use the IP address to see if you have an ID on a different browser or OS, then send that;
  • ID Bridging for deterministic IDs: Basically the same as above, but you are resolving to what is supposed to be a reliable and persistent ID such as RampID or UID2;
  • Fake cookies / SSP cookies. Some SSPs are putting IDs that they know are unreliable or transitory (i.e. will be deleted almost instantly) into the bid stream to game the DSPs into bidding outside of frequency caps.

You set a cookie on Safari the first time, they grab that ID in the sync request and then probabilistically reinsert it on future bid requests —Anonymous DSP exec


A quick primer on ID taxonomies

Wow, that might be the most dry title I’ve ever penned. Please don’t unsubscribe, this newsletter feeds my family.

A lot of the controversy over these IDs is about declaration and disclosure. Just as in dating, it is fine to be 5-foot-2 and 300 pounds, as long as you say that in your profile. Yes, I am fat shaming SSPs.

The OpenRTB spec (oRTB) has a lot of flexibility in how it lets the user’s identity be represented to the buyer.

user.id - SSP ID. If the DSP is hosting the match (not commonly used)

user.buyeruid - DSP ID or mobile identifier. If the SSP is hosting the match and passes the DSP’s cookie, or if the device provides a persistent identifier

eid (object) - Any other IDs, along with their sources. This is where you would put extended IDs, like ID5, Lotame, RampID, UID2


So if you want to boil down all this controversy into something very simple, it is SSPs using the user.buyeruid parameter for an identifier that should more rightfully be in the eid object.

What is deterministic, exactly?

This fascinating discussion on X, embedded below, needs some parsing. Keith offers a service to manage IDs for publishers, while Jud is an executive at The Trade Desk. Keith is asking about the case when a publisher probabilistically “bridges” a UID2, and Jud seems to say that’s fine, as long as it is declared as such. Not sure if that’s TTD’s policy or if he’s just making the point that I was making above about proper taxonomies, but the accuracy of deterministic data is definitely a trend to watch.

Impact on advertisers

To start with, this is a form of ad fraud. I don’t see a meaningful difference between spoofing the URL an ad is coming from (which we all agree is fraud) versus spoofing the ID of the user the ad will be served to. You can make the argument that it is an approximation, not a deception, but there are clear ways to execute that in the oRTB spec, so failure to do so is fraud.

The impact of these shenanigans varies by what’s being done.

Fake cookies:

  • Ads serve above frequency targets with no obvious way to detect
  • Ads serve to no-cookie environments when cookies are expected
  • Click-through and view-through attribution show zero results (since the cookies never match)

ID bridging:

  • Mis-targeting of individuals within the same household (same as pure IP targeting)
  • Highly improper media targeting when IP bridging is used on Wi-Fi, data center, or cell tower traffic

Moving forward

On the one hand, the incentive to play loose with IDs will be increasing as signal loss continues. On the other, this sort of thing is pretty easy to detect for DSPs, so I think companies will be told to clean up their acts or risk losing demand. As a result, we’re likely to see a lot more stuff get shoved into the eid object moving forward.
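A sketch of the DSP-side check this implies, as an added example (not code from the article or from any vendor): it classifies each bid request by whether user.buyeruid is an ID the DSP actually issued and whether it arrives on the browser it was set on. The issued-ID table, the "ssp" label, the rough user-agent bucketing and all sample values are constructed assumptions; user.buyeruid and user.eids (user.ext.eids in OpenRTB 2.5) are the spec's field names.

```python
from collections import Counter

# Constructed data: cookie IDs this hypothetical DSP issued, and the browser each was set on.
ISSUED = {"dsp-7f3a": "chrome", "dsp-91bc": "chrome", "dsp-c044": "safari"}

CHROME_UA = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"
SAFARI_UA = "Mozilla/5.0 (Macintosh) AppleWebKit/605.1.15 Version/17.4 Safari/605.1.15"

# Constructed bid requests, cut down to the fields discussed above. The "ssp" key is the
# DSP's own label for the sending connection, not an OpenRTB field.
REQUESTS = [
    {"ssp": "ssp-a", "device": {"ua": CHROME_UA}, "user": {"buyeruid": "dsp-7f3a"}},
    {"ssp": "ssp-a", "device": {"ua": SAFARI_UA},
     "user": {"eids": [{"source": "eid-provider.example", "uids": [{"id": "X1"}]}]}},
    {"ssp": "ssp-b", "device": {"ua": SAFARI_UA}, "user": {"buyeruid": "dsp-91bc"}},
    {"ssp": "ssp-b", "device": {"ua": SAFARI_UA}, "user": {"buyeruid": "tmp-000123"}},
    {"ssp": "ssp-b", "device": {"ua": SAFARI_UA}, "user": {}},
]

def browser_family(ua):
    """Rough UA bucketing; Chrome UAs also contain 'Safari/', so test Chrome first."""
    if "Chrome/" in ua:
        return "chrome"
    return "safari" if "Safari/" in ua else "other"

def has_declared_eids(user):
    """True if IDs are declared in user.eids (OpenRTB 2.6) or user.ext.eids (2.5)."""
    eids = user.get("eids") or user.get("ext", {}).get("eids") or []
    return any(e.get("source") and e.get("uids") for e in eids)

def classify(req, issued=ISSUED):
    user = req.get("user", {})
    buyeruid = user.get("buyeruid")
    if not buyeruid:
        # Nothing claimed in the DSP-ID field; extended IDs, if any, carry their source.
        return "declared_eids" if has_declared_eids(user) else "no_id"
    if buyeruid not in issued:
        return "unknown_buyeruid"   # not an ID we set: fake / SSP cookie candidate
    if issued[buyeruid] != browser_family(req.get("device", {}).get("ua", "")):
        return "browser_mismatch"   # our ID on a different browser: bridging candidate
    return "matched"

def report(requests):
    """Per-SSP counts of each classification."""
    out = {}
    for req in requests:
        out.setdefault(req["ssp"], Counter())[classify(req)] += 1
    return out
```

A per-SSP share of unknown_buyeruid or browser_mismatch well above the other sellers is the signal to raise with that SSP; the browser comparison only catches bridging across browser families, not across devices running the same browser.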



Ari Paparo - neat read. I've written $100B question byline nearly 2 years ago, what are your thoughts on the relevance? https://www.dhirubhai.net/pulse/future-addressability-100b-evgeny-popov/

Mahesh Narayanan

President at Affinity Answers

8 months

Thanks for this write up Ari Paparo. Definitely made me smart, once I read the Mechanics section :). Jokes apart, this is good learning, thanks.

Shelley Stone

Pharmacy Technician Certified: State of WV Board of Pharmacy (Still love AdTech)

8 months

First read through I felt like Blutarski. Second time I paid attention and took notes. These maneuvers will not only cause inaccuracies in frequency but won’t other problems arise like inability to calculate reach and cross device vendors … why pay additional CPMs when you can’t truly know if it’s a person or household. I see TapAd and other vendors also putting the kibosh to this subterfuge. Great article. Thanks Ari.

David Kohl

Co-Founder & CEO, Symitri | Safeguarding privacy | Driving transparency | Building the sustainable future for trusted advertising

8 months

This is an excellent "explainer," Ari. Not a week goes by where some alternative ID company asks TRUSTX to try out their solution, and I've seen many ID bridgeware solutions that make cookie stuffing seem innocuous. In fairness, though, there have been a few of my SSP colleagues that have gotten burned from inadvertently sending through alternative IDs without proper declaration. I think we're in an early stage where some of us don't exactly know how and where to declare the IDs, and guidance from experts like Jud Spencer (who you reference in your blog) will be appreciated. But for those perpetrating ID fraud, all bets are off. You're playing with fire!

Steve Pinto

Senior Business Development and Go To Market Leader (Meta & Visa alum)

8 months

This is similar to the URL or player size spoofing that used to happen with VPAID tags. We're in the gap period where various solutions exist that are easy for grey/black actors to co-opt while we collectively figure out how to best parse out what is valuable for making ads relevant and impactful. Thanks Ari!
