The role of regulation in the fight against ad fraud

Everywhere you look, ad fraud seems to be making the headlines. Only this month, a couple significant fraudulent operations were uncovered: mobile malware Agent Smith, which is thought to have infected 25 million Android phones in a bid to hack popular apps and push pop-up ads, and a newly-discovered malicious framework, which focuses on bumping up ad impressions. And they’re just the tip of the iceberg. Once again, this brings into question whether the industry and regulatory bodies are doing enough to build a safer digital ecosystem.

To date, much of the answer has relied on self-regulation. For example, industry bodies have launched a number of initiatives such as ads.txt from the Interactive Advertising Bureau (IAB), which enables companies to identify those who are authorised to sell their inventory, and the Trustworthy Accountability Group’s (TAG) 'Certified Against Fraud' guidelines. However, alone, it’s clear these measures are not enough—ad fraud losses are still due to amount to a hefty US$42 billion by the end of 2019, according to the latest figures from Juniper Research.

There’s a long way to go before ad fraud is eliminated from the picture. Indeed, for some, the question is whether the advertising industry can even hope to do it alone. Calls for increased regulatory intervention are growing louder, and with good reason.

The complexity of the digital advertising ecosystem works against transparency. So despite being able to detect fraud, it is very hard to pin-point the origins. Regulations would likely help to address some of this opacity by enforcing standardisation and eliminating weaker links.

It’s also likely that regulation will involve some form of industry consolidation, stripping back layers from the currently convoluted supply chain to reduce the number of places fraud is able to enter the ecosystem.

For example, consider the variations in pricing models, arbitration, attribution models, and differing levels of control advertisers and publishers can exert over advertisements. Each click passing through 10 to 20 adtech platforms and nonsensical numbers of ad engagements every single second makes it easy for bad actors to hide in the noise. Thinning the herd would make it far harder for parties providing or soliciting invalid transactions to enter the ecosystem.

However, regulation is not without its thorns.

Losing efficiencies and value

While reducing the number of intermediaries involved in a transaction would make it harder for fraud to enter the supply chain, it could also mean losing out on much of the functionality the ecosystem relies on to deliver value.

For example, many of the features that are appealing about digital advertising—being able to target specific audiences, buy traffic programmatically, scale ad campaigns quickly and so forth—are enabled by different layers in the supply chain.

If these were to get stripped away, we may well see a period of regression where we go back to traditional media-buying mechanisms like submitting insertion orders (IOs) and managing lots of direct publisher relationships, as opposed to the more efficient means of running and scaling campaigns we have become accustomed to.

Data privacy versus data transparency

The creation and the enforcement of regulations may require parties in the supply chain to prove the legitimacy of their traffic. This presents significant privacy challenges, where the need to demonstrate that ad engagements were generated by real people and not bots may mean vendors need to be able to identify said people. According to The Harris Poll, 83% of internet users globally are concerned about privacy. At a time when privacy is so high on the agenda, regulations to the adtech landscape could open a whole new can of worms.

Indeed, the transparency needed by regulations to prevent ad fraud could act in direct conflict with privacy laws worldwide, such as the General Data Protection Regulation (GDPR), Privacy Shield Framework and California Consumer Privacy Act (CCPA) among others.

Even if, in a hypothetical scenario, the collection of such data didn’t violate data privacy regulations, this would leave intermediaries tasked with the immense responsibility of safeguarding a hoard of user data.

Is regulation truly needed?

This brings us back full circle to whether the industry really needs new regulations that target ad fraud.

Let’s consider the eight perpetrators of ad-fraud operation 3ve, who faced 13 charges after investigations into paper and money trails. These included money laundering, computer intrusion, wire fraud, and aggravated identity theft, but none of the charges specifically mentioned ad fraud.

Indeed, the charges brought against these ad fraud perpetrators were extensive and, despite the absence of a law targeting ad fraud specifically, will ensure they are prosecuted.

Meanwhile, it’s worth noting that a lack of regulation does not mean a lack of recourse. Remedies do currently exist for businesses that have lost out to ad fraudsters. For example, provided their pockets are deep enough, advertisers can enter contractual disputes if they believe they were deliberately sold invalid inventory, as demonstrated by Uber. The ride-sharing company is pursuing up to 100 ad networks and their supply sources over ad inventory that was “nonexistent, non-viewable or fraudulent” in US$70 million worth of ad campaigns.

Don’t lose sight of the root of the problem

However, the Uber case highlights an interesting debate: in adland, we spend a lot of time debating who is responsible for fraud. No advertiser or ad network wants to be liable for it, nor do they want to be embroiled in a legal dispute over fraudulent inventory, so fingers are pointed left, right and centre.

Wouldn’t it be better if the fraud wasn’t there to be debated in the first place?

Regulation could very well assist in the fight against ad fraud, particularly if created in a way that ensures it doesn’t stifle industry innovation, or erode the benefits of digital advertising. The challenge is to find the balance between regulations that are comprehensive, yet not restrictive. That are built for today’s adtech landscape and not immediately rendered useless by the industry’s pace of evolution, all the while staying on the right side of existing privacy regulations.

But to devise regulation that fits all those criteria will take time. As APAC continues to lose US$17 million to ad fraud every day, can we afford to wait for regulation?

---

Luke Taylor is the founder and chief operating officer of TrafficGuard.