In a post calling out a recent study that showed huge percentages of online activity coming from suspicious sources as hyperbolic at best, detrimental at worst, Douglas de Jager, head of the traffic analysis firm spider.io, makes several suggestions for the IAB’s Traffic of Good Intent Task Force to address the “systemic failures” afflicting the of display advertising industry.
What Does “Suspicious Traffic” Even Mean?
Prompted by my request to get his take on that particular study, reported on here, the spider.io post calls for a stop to “disingenuous scaremongering” by self-interested parties who stand to benefit from online security fears. De Jager writes, “If the industry continues to be fed these sorts of untruths, the true facts will almost certainly be lost. We will collectively be like The Boy Who Cried Wolf.”
The industry should stop talking about “suspicious traffic” altogether, according to de Jager, because the definition of what is constitutes as suspicious varies widely by source and context.
“Our contention is that if inventory quality is to improve to the extent that it can and should, then it is imperative that the whole industry adopts more fine-grained terminology”
Establish A Common Taxonomy for Illegitimate Ad Requests
De Jager calls for coordination between demand side and supply side of the online advertising ecosystem to be sure both sides are talking about the same thing by establishing a common taxonomy for illegitimate ad requests.
“Ambiguous language/terminology is being used widely to describe the industry’s problems with illegitimate ad impressions—both by the demand side and by the supply side—and this makes solving these problems difficult,” he writes.
To that end, spider.io suggests the industry adopt a fine-grained taxonomy — used by both demand side and supply side. Following is the list of labels the company currently applies to illegitimate ad requests:
- Hijacked device* with a fully automated browser — the Chameleon Botnet, first discovered by spider.io, is an example
- Hijacked device* where the browsing session of the unwitting device owner is hijacked through a redirect/pop-up/pop-under
- Hijacked device* where ads are injected into pages visited by the unwitting device owner — such as Sambreel AdWare injecting ads on YouTube
- Fraudulent ad hiding
- Crawler masquerading as a legitimate user
- Non-browser User-Agent header
- Cloud IP Address
- Browser prerendering
The company calls for additional suggestions and acknowledges the list may not be complete or even granular enough, noting, for example, that brand-safety specialists might have their own site-categorization labels to add to the list.
Establish An Advertising Security Mailing List
Instead of limiting input to the industry leaders on the IAB’s Task Force, spider.io suggests opening the channels of communication to everyone in the industry. A mailing list modeled on the general security mailing list, Bugtraq, on which information security vulnerabilities are often first announced, for example, would allow everyone in the ecosystem to review and debate how best to secure the legitimacy of the ad inventory being traded.
Here again, spider.io calls for specificity when disclosing vulnerability details if such a system is developed: “The credibility of our collective efforts to improve inventory quality is at stake. So as an industry we need to be vigilant for sweeping, unsubstantiated generalisations.”
So, what do you think? Are these proposals worthy of further consideration?