TAG, you're s*!t: Internet advertising industry bods admit self-policing approach is a sham
Meanwhile: Trustworthy Accountability Group CEO dismisses ax-grinding critics
Special report The Trustworthy Accountability Group, or TAG, was formed in 2015 to "eradicate digital advertising fraud, malware, ad-supported piracy, and to increase transparency across the digital advertising supply chain."
As Mike Zaneis, CEO of TAG, explained to The Register in a phone interview, "We're like the Good Housekeeping seal of approval for digital advertising."
TAG, which counts companies like Amazon, Disney, Facebook, and Google among its leadership council, offers various certification programs for digital advertising and publishing companies – the buyers and sellers of online ads and their intermediaries.
One of these is the Certified Against Fraud program. It allows companies to obtain the TAG Certified Against Fraud seal by complying with a set of guidelines tailored to the role a business plays in the digital ad ecosystem.
To become certified, a company simply has to say that it's certified, and pay a sizable fee. And that, some claim, is a problem.
"It's all a sham," said one individual who works at an online ad agency and spoke to The Register on condition of anonymity. "I have worked for companies that are TAG Certified and are not fraud free."
An individual affiliated with a large publisher expressed a more tempered view, allowing that some of what TAG does has value, like its anti-piracy program. "When it comes to anything related to invalid traffic, it's not really as useful, mainly because it doesn't require an independent audit, enforcement, or anything beyond saying you don't do certain things."
In a phone interview with The Register, Shailin Dhar, CEO and co-founder of Method Media Intelligence, a marketing analytics business, said, "The issue that TAG was meant to address was making sure legitimate businesses operate in the supply chain."
But a self-declared certification doesn't keep bad ads out of the system, Dhar says. "They do have companies that will do third-party audit, but the fact that self-certification is allowed at all is a problem," he said.
The Register also spoke with an individual involved in an ad industry group outside the US who expressed skepticism of TAG's Certified Against Fraud program. This person too saw little value in self-attestation – simply declaring compliance with TAG's guidelines. "We don't see any evidence there's been a state change [in the amount of ad fraud]," this person said.
There is quite a bit of ad fraud. WhiteOps, a vendor several sources spoke well of, put the overall attempted fraud rate at 20 per cent to 35 per cent of all ad impressions in its 2018-2019 Bot Baseline report, with actual monetary losses less than that because some fraud attempts get caught. The firm projected $5.8bn lost to fraud in 2019 and said losses would have been at least $14bn annually without preventive measures and clawbacks (refunds).
However, these figures depend on what gets measured and how, so undetected fraud by definition doesn't show up in such figures. And those involved in ad tech auditing argue there's a significant amount of ad fraud in some parts of the ecosystem that gets missed.
"I've managed campaigns where 100 per cent of the clients were fake and no fraud was detected," our agency source said.
Part of the problem can be blamed on auditing, which Dhar says is done by sampling and extrapolation, a technique that misses the bulk of what's actually happening.
Our publishing source said that even companies with well-regarded anti-fraud tech like WhiteOps, Moat Analytics, IAS, and DoubleVerify tend to miss 40 per cent to 50 per cent of invalid traffic.
"The only thing that will really solve invalid traffic is for agencies and advertisers to say we won't buy shitty sites anymore," our publishing source said.
Nothing to see here
And that doesn't seem to be in the cards at the moment. While reputable sites don't need to do this, the dirty little secret of ad agencies, this person said, is that they will buy tons of invalid traffic on open exchanges to fulfill ad campaigns on clients' sites when those sites underdeliver on legitimate traffic.
This is known as traffic sourcing and it remains an unsolved issue. Our trade group source explained that if you have a website that has no traffic "because it sucks," you can buy a source of traffic to inflate its numbers and make it look like real people visit the site. Then you can sell ad inventory to advertisers who think their ads are reaching real people. "As long as I pay less for traffic than I make in advertising, I'm making money," this person said.
The industry has made some progress with initiatives like ads.txt, designed to prevent unauthorized parties from selling publisher ad inventory.
But ad fraud has persisted for years and appears likely to continue. There's a disincentive among the less scrupulous participants of the digital ad ecosystem to clean things up because fraud generates revenue. "It's a party and no one wants to be the end of it," said our agency source, adding that there's almost no penalty for cheating.
Augustine Fou, a cybersecurity and ad fraud researcher who advises companies about online marketing, was among the few industry participants to speak on the record about TAG.
"TAG Certification is a 'double whammy' that is harming the digital advertising industry, not helping it," he said in an email to The Register.
"First, it enables fraudulent companies to operate in broad daylight by paying the fee and waving their TAG seal around. And second, it is a racket that extorts fees from good companies that didn't need to be certified in the first place, but get painted with the same brush as fraudsters."
Companies didn't really need to be TAG certified until 2017. That was when Marc Pritchard, chief brand officer at Procter & Gamble, said P&G would require digital media partners to be TAG certified. And because P&G tends to spend about $7bn a year on advertising, companies have a strong incentive to get with the program.
And it's not an insignificant expense. According to Zaneis, the price varies by business model, with small and medium-sized businesses allowed to join TAG's basic level of membership for free. AdAge put the price for an ad tech company at $20,000. The Register spoke with an individual who cited a figure of $75,000, which Zaneis said is what an agency or ad tech company would pay if invited to participate in TAG's Leadership Council.
"It’s worth noting that just because a company pays for a TAG Membership and is thusly eligible for participation in our certification programs, that doesn’t mean they automatically receive a certification," said Zaneis in an email. "Fewer than half of our members have achieved the certifications that they’re eligible to apply for. That’s because the bar is set very high."
Zaneis, it should be said, isn't on the best of terms with Fou. The two have sparred on social media and Zaneis made clear that he considers Fou a source with an agenda.
"You have to be very careful about listening to one or two people who have an axe to grind," he said.
And some are okay with it. The Register asked Google whether it cared to comment on the value of TAG to the ad industry.
"Google is supportive of industry efforts to combat fraud and has partnered closely with TAG since its inception," a company spokesperson said in an email to The Register. "TAG provides a framework for industry collaboration and sharing of information related to common fraud challenges like malvertising and invalid traffic."
Google's spokesperson continued, "TAG has been instrumental in raising the bar for fighting fraud through their certification programs, which for example require the adoption of important standards like ads.txt. Making progress on industry-wide security and fraud challenges requires focused and sustained effort over time, and we fully expect some level of 'trial and error' as there is no silver bullet. As challenges continue to evolve, industry efforts like TAG will also need to adapt to stay ahead of emerging threats."
Zaneis insists the TAG Certified Against Fraud program is worthwhile. "We know that our self-attestation process is very strong," he said, adding that 40 per cent to 50 per cent of companies participate in independent verification.
About 130 companies have bothered to get certified. TAG claims its program reduces ad fraud, citing a 614 Group study that "found that the use of TAG Certified distribution channels for digital advertising cut the IVT rate to 1.48 percent across more than 6.5 billion display and video impressions, reducing the level of fraud by more than 83 per cent compared to the broader industry average."
Fou argues that TAG's research is flawed and contends TAG and 614 Group deliberately made an invalid comparison to support its assertion that TAG's fraud certification affects the incidence of ad fraud. And he doesn't think much of self-certification.
"This is why the USDA doesn't allow pig slaughterhouses to 'self-attest' they are clean and why the FAA shouldn't have allowed Boeing to self-certify the 737 Max as safe," he said. ®