Combatting Malvertising with Buyers.json and DemandChain

Four computer screens displaying graphs

The IAB Tech Lab and a group of sell-side, buy-side, and anti-fraud partners recently released two new technical specifications for comment: Buyers.json and DemandChain. Index Exchange has been vocally supportive of buyer transparency for a long time, and we’re proud to contribute to these two proposals. Buyers.json and DemandChain mirror the existing sellers.json and SupplyChain specifications, with the intent to enable the buy-side to share important information with ad tech and publisher partners in order to combat malvertising.

The Many-Headed Malware Hydra

At some point, all players involved in the delivery of an ad to a page have engaged in the following goose chase: first, a publisher urgently flags a bad creative – malware, false advertising, or an ad that does not meet exchange quality guidelines – to their SSP partners, along with the question “where did this ad come from?”

Next begins the forensic effort to trace the origin of the bad ad back through one of the dozens of DSPs and thousands of advertisers. It might take hours for the right source to be found, and in severe cases, the publisher blocks the entire DSP through that SSP in the meantime. Once the source is identified, the seat is blocked and business resumes.

If the fraudster is particularly advanced, the same ad might appear once again the next day, this time through a different seat on a different DSP. The bad actor moves along, taking advantage of the agility offered by DSPs and the lack of transparency currently available to publishers about the identity of the buyer behind the seat and the relationship between them. If the fraudulent buyer’s identity was clear from the start and consistently labeled across DSPs, this problem could be fixed in minutes.

How can we as an industry further uplevel our protections against malvertising, ending these goose chases along with the drain of resources and reputational damage they cause for publishers, SSPs, and DSPs alike? 

Put simply: by advocating for equal transparency provided by the buy-side.

An Opportunity for Transparency on the Buy-Side

There have been several blockers to this kind of transparency coming to fruition: 1) It’s incredibly difficult to organize publishers and the millions of consumers whose interests they represent into a collaborative unit in order to apply pressure; 2) there has historically been lukewarm interest from the buy-side in providing such transparency; and 3) pragmatically, our industry has lacked specifications for a solution.

These newly announced designs allow for advertising systems to efficiently and elegantly disclose information about buyers, such as name and seat ID, through the hosted buyer.json declaration file. They can then create a chain of information on every impression to trace where it came from and whose hands it has passed through via the bidstream demandChain object. Buyers.json and DemandChain can be cross-referenced just the same way that sellers.json and SupplyChain are today.

Buyers.json and DemandChain will help publishers combat malvertising in two ways. First, when implemented by buy-side partners, malware incidents will be rapidly and easily resolved. Second, when partners choose not to implement it, publishers can correlate information about non-support and malware incidents through those buyers, and make decisions to deprioritize their demand or even disable it entirely. 

Publishers aren’t the only ones who benefit: everyone in the supply chain wins when there is traceable information about buyers. It can be used by partners to enhance reporting data, analyze demand trends, and aid demand path optimization to make sure that more of every working media dollar makes it to the publisher. Buyers benefit from increased protections for their brand. Now, they can declare exactly which seats are allowed to advertise on their behalf so that any other actors are instantly recognized as fake. They’re also protected from reputational damage caused by malware operators, who often impersonate legitimate brands to trick consumers into engaging.

Supporting Buyers.json and DemandChain

Index Exchange is proud to announce that we will support both buyers.json and demandChain. We collaborated with industry partners in the IAB’s Tech Lab working group to design these new specifications, and we believe that adoption of them can make a real difference in the fight against fraud, supporting publishers, protecting brands, and increasing transparency in programmatic advertising. 

Learn More