Unraveling the Complexities of the Colossus Ad Tech Controversy

Colossus SSP, owned by Digital Holdings Group, is at the center of a controversy involving Adalytics, an ad transparency startup. Adalytics claims that there were repeated instances of user IDs being misrepresented in Colossus's programmatic marketplace, mimicking cookie IDs that attracted high bids from The Trade Desk. This behavior suggests potential fraud. Colossus has responded by suing Adalytics for defamation, injurious falsehood, and false advertising, while also blaming the complexities of the ad tech ecosystem for the discrepancies.

Cookie syncing is a standard process in ad tech where a user ID is embedded within the URL of a supplier's sync pixel, which loads in the user's browser. The supplier retrieves their cookie from the browser, creating a direct link between the traffic management company's cookie ID (e.g., BidSwitch) and the supplier's cookie ID (e.g., Colossus). Although Colossus doesn't directly handle The Trade Desk's cookie IDs, it could potentially misreport the BidSwitch cookie ID when sending bid requests to BidSwitch, which then forwards these requests to The Trade Desk. This could lead to mismatches in IDs and raise concerns about intentional misrepresentation.

Colossus SSP's defense, as stated by CEO Mark Walker, suggests that the ID mismatches are due to technical integrations and discrepancies within the programmatic landscape, which the industry works to resolve. However, this rebuttal is not considered watertight because it does not address the possibility that the mismatches could have been done intentionally. The lack of acknowledgment of this potential leads to doubt and speculation about the company's practices.

An anonymous ad tech executive conducted tests from February to May, analyzing data from the first week of each month. The results, reviewed by Digiday, indicated that while ID mismatches do occur across various exchanges, they are usually publisher-specific and often come as a surprise to the exchanges themselves. However, with Colossus, there was never a match between the IDs in the bid requests and those observed when ads were served, suggesting a more systemic issue within Colossus's operations. This led the ad tech executive to stop buying ads from Colossus due to the consistent ID mismatches.

Dr. Augustine Fou, an independent cybersecurity and ad fraud researcher, offers an alternative explanation, suggesting that there's nothing nefarious at play. He explains that Colossus passes an ID to BidSwitch, which matches it to an ID from The Trade Desk it has on file, and sends that ID in the bid request to The Trade Desk. Neither Colossus nor BidSwitch can read The Trade Desk's ID from the browser store because it is set by a different domain (adsrvr.org). The fact that The Trade Desk sends back a different ID in the win notification pass back pixel indicates that The Trade Desk served the ad to a different user than the ID in the browser store, which Fou argues is simply how the technology works.