Understanding ID Spoofing in SSP and DSP Mismatch

ID spoofing in digital advertising is a deceptive practice where an ad exchange or ad inventory seller swaps the user ID targeted by the buy side in the Demand Side Platform (DSP) with a different ID. This swapped ID could be of higher value or offer more appealing data to an advertiser, often without the knowledge or agreement of the buyer. It typically happens in environments that are third-party cookie friendly, such as the Chrome browser, and relies on cookie IDs to execute the spoofing.

While these terms are sometimes used interchangeably, they refer to different but related deceptive practices in digital advertising:

• Cookie stuffing: The misattribution of a click or impression to an unintended user or company.
• ID mis-matching: This term isn't clearly defined in the text, but it implies that there is a mismatch between the intended user ID and the one being used, which may or may not be intentional.
• ID spoofing: Intentionally changing a user ID to another ID that is more valuable or appealing to advertisers, often without their knowledge.
• ID stuffing: Similar to ID spoofing, it involves changing the user ID, but the exact definition is not provided in the text.

For the purposes of the article, 'ID spoofing' is used to describe the practice due to the trickery involved.

Associated IDs can be used for ID spoofing by taking advantage of the different pieces of information they hold about a user or their household. For example, an SSP might know that the ID from a user's personal computer has valuable data for an insurance advertiser, such as search inquiries for car insurance. If the user is currently on a different device, like a work computer, the SSP might swap out the work computer's ID (the 'bullseye ID') for the personal computer's ID to increase the CPM. This is done even though the advertiser believes they are targeting the user on the work computer, leading to a misrepresentation of the targeted audience.

Whether ID spoofing is considered fraud in digital advertising seems to depend on intent. While it's not explicitly named in the Media Rating Council's definition of Invalid Traffic Detection (specifically 'Sophisticated Invalid Traffic' or SIVT), practices like cookie stuffing are included, which involves manipulating or falsifying user activity. If an SSP knowingly swaps a user ID with the intent to misrepresent the user to an advertiser, especially if the data is falsified or represents a fake user, it could be considered fraudulent and in violation of MRC standards.

The responsibility for detecting and preventing ID spoofing falls into a gray area, with no clear consensus in the industry. Some believe that verification firms should catch it, as manipulating or falsifying user activity is included in the MRC's guidelines for detecting fraudulent activity. Others argue that DSPs should be able to detect a swapped user ID during the auction process and therefore should report any discrepancies. The importance of trust is underscored in this context, as the bid request is a declaration of the user's identity, and verification firms may not always keep pace with the level of innovation in bid requests.