Equifax, Malware, and the Untrustworthy Supply Chain

As if Equifax hasn’t lost enough trust from the first hack, last week it had to disclose that it suffered a second breach, which most reporters called a second hack. But apparently last week’s incident wasn’t a second hack at all, but a different problem. Ars Technica wrote:

 A key part of Equifax’s website has been redirecting users to malware for an unknown period of time, a security researcher discovered this week. A video posted by independent security analyst Randy Abrams  showed an Equifax webpage redirecting to a fake Adobe Flash download prompt that installs adware. The infected Equifax page, which the company took offline after discovering the problem, is used to access and update one’s credit report, meaning that many people have likely visited it in the weeks since Equifax disclosed a data breach affecting more than 145 million Americans.

But the new incident was not a second hack – Equifax told MC that the malicious redirect came from a vendor’s faulty code. “The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content,” a spokeswoman said. “Since we learned of the issue, the vendor’s code was removed from the webpage and we have taken the webpage offline to conduct further analysis.” Equifax appears to use a disreputable third-party ad provider, Iron Source, which is known for facilitating “malvertising,” the process of implanting malware on victims’ machines through the ads they visit.

So a third party vendor did it? Iron Source, which has a reputation for allowing malvertising? Not according to a person from Malwarebytes, a service used to detect malware. This person said it’s incorrect to call this a hack or attribute it to ads. In fact, the third party script was a web analytics component, and not ad code. But the third-party script itself was leveraged to load a domain serving as an “ad rotator.”

Apparently, that is an issue with third-party scripts: any site that was using that particular one was at risk. The ad rotator delivered very low quality redirects, suggesting that these were not even targeted ads.

While malvertising remains quite common, compromised analytics tags are less so. What could the takeaways be from this incident?

Our biggest takeaway is that you have to know every single step in your supply chain, and every partner must be certified and trusted. There are far too many unknown intermediaries in digital transactions for us to feel comfortable about our visitors’ data, and we have to limit the number of those for safety’s sake.

That’s why we have a private platform where this cannot happen. We have weeded out low quality sites, we have only quality inventory, only high quality partners, and no one else enters the supply chain once we set up a buy. This must be the way the entire industry operates in the future. If we don’t let the bad apples in, they can’t corrupt our supply chain or compromise the data of any of our partners.
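
As an added illustration of what knowing every step means for the scripts on a web page (this is not code from Equifax, Malwarebytes or ZEDO; the page, host names and vendor list are constructed), the Python below inventories the external scripts a page loads, flags tags that come from unapproved hosts or lack Subresource Integrity, and derives a Content-Security-Policy allowlist from the approved vendors.

```python
"""Inventory the external scripts a page loads and flag supply-chain gaps.

Added illustration: the HTML, host names and vendor list are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page: a first-party script, a pinned vendor script,
# an unpinned analytics tag, and a tag from a host nobody approved.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.vendor-a.example/lib.js"
        integrity="sha384-EXAMPLEDIGESTPLACEHOLDER" crossorigin="anonymous"></script>
<script src="//metrics.vendor-b.example/tag.js" async></script>
<script src="https://rotator.unknown.example/r.js"></script>
<script>console.log("inline code is not fetched from anywhere");</script>
</head><body></body></html>
"""

PAGE_URL = "https://www.site.example/account/"  # hypothetical page address
APPROVED_VENDORS = {"cdn.vendor-a.example", "metrics.vendor-b.example"}


class ScriptCollector(HTMLParser):
    """Collects the attributes of every <script> tag that has a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            attr_map = dict(attrs)  # valueless attributes map to None
            if attr_map.get("src"):
                self.scripts.append(attr_map)


def audit_scripts(html, page_url, approved):
    """Return one finding per third-party script, in document order."""
    collector = ScriptCollector()
    collector.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for attrs in collector.scripts:
        # Resolve relative and protocol-relative URLs against the page.
        url = urljoin(page_url, attrs["src"])
        host = urlparse(url).hostname
        if host == page_host:
            continue  # first-party code is outside this audit
        issues = []
        if host not in approved:
            issues.append("unapproved-host")
        if not attrs.get("integrity"):
            # Without a pinned hash, the vendor (or whoever controls the
            # vendor's server) can change the code the page runs at any time.
            issues.append("no-sri")
        elif "crossorigin" not in attrs:
            # Browsers need a CORS fetch to verify a cross-origin hash.
            issues.append("sri-without-crossorigin")
        findings.append({"url": url, "host": host, "issues": issues})
    return findings


def script_src_policy(approved):
    """Build a CSP directive limiting script fetches to approved hosts."""
    hosts = " ".join(f"https://{h}" for h in sorted(approved))
    return f"script-src 'self' {hosts}"


if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_HTML, PAGE_URL, APPROVED_VENDORS):
        print(finding["host"], finding["issues"] or "ok")
    print("Content-Security-Policy:", script_src_policy(APPROVED_VENDORS))
```

A pinned hash covers only the file named in the tag; scripts that the vendor's code fetches afterwards are limited by the `script-src` allowlist, not by the hash.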

 

2018: The Year of Data Security

It doesn’t take much to predict that 2018 will be the year of enhanced online security. We were headed toward more emphasis on consumer privacy anyway, but the massive Equifax data breach forced every consumer to face what geeks have known for ages: that left to their own devices, the companies that collect, handle and sell our data do not care about keeping us safe. We have to be in charge of our own data security. This event will change the thinking of just about every American on the internet, and since the Europeans already relish their privacy and have begun to take steps to enhance it, we can look forward to a real difference in how marketers, developers, and publishers operate online.

Here’s what we think will happen in 2018:

  1. Apple, which has made security a differentiator in its products for a long time, will block cookies automatically in Safari 11. All the major marketing trade groups are fighting this, saying they are “deeply concerned” with Apple’s plan to override and replace user cookie preferences with a set of Apple’s own standards. This feature, called “Intelligent Tracking Prevention,” will provide consumers the gift of a 24-hour limit on ad retargeting. So that pair of shoes can only follow you around on the internet for 24 hours.
  2. A new browser, Brave, developed by the inventor of JavaScript and the former CEO of Mozilla, loads news sites two to eight times faster than Chrome or Firefox by blocking ads and trackers by default. Through Brave’s use of blockchain technology, it pays content creators viewed through its browser in micro payments. The blockchain is coming to advertising in other use cases as well, mostly to make the digital media supply chain more transparent. We predict Brave will catch on with the geeks who favor ad blocking and security, although the general public probably won’t know it exists.
  3. The big Kahuna of changes is the launch of the Global Data Privacy Regulation in May 2018.  The GDPR, as it is lovingly referred to, affects how marketers can interact with European consumers: they can only market to a consumer who gives permission. Because this regulation was passed by the European Commission, it carries the force of law and if you violate its terms you can be liable for a hefty fine.

Although the UK is in the process of Brexiting the EU, because its companies handle so much data from EU members it will follow the conventions of the GDPR. America will be dragged along kicking and screaming: because most online businesses do not have a convenient window into where every data point comes from, it will be easiest simply to comply.

4. There will be a major business opportunity here as small businesses who haven’t paid much attention to these issues in the past re-examine how they handle customer data or who they partner with.

5. And then there’s the obvious windfall for companies that sell data security solutions, which will now be far more appealing.

There may also be a change in advertising from an emphasis on performance ads based on data to brand ads, which do not involve having to violate privacy by tracking consumers around the web.

 

 

 

 

Publishers Speak Out at Advertising Week

It seems as if the biggest takeaway from Advertising Week is that the Financial Times announced it has been ripped off by ad fraud, even though it doesn’t sell its own video ads programmatically. And it was a big loss.  The fraud happened entirely outside the magazine’s control,  which only served to underline the lack of trust in the supply chain surfacing again this year. Although a couple of new organizations have formed to solve the problem of fraud in the media supply chain, not much appears to have changed.

Here’s what happened:

The Financial Times found display ads against inventory masquerading as FT.com on 10 separate ad exchanges and video ads on 15 exchanges — the publisher doesn’t even sell video ads programmatically — with 300 accounts selling inventory purporting to be the FT’s. The equivalent of a month’s supply of bona fide FT.com video inventory was fraudulently appearing in a single day. The FT estimates the value of the fraudulent inventory to be $1.3 million (£1 million) a month.

This is called domain spoofing, and it’s the main problem of using open exchanges. The Financial Times had to write to the exchanges involved and ask them to remove the fraudulent inventory. Then it had to write to agencies and their clients telling them not to source inventory from anywhere but Google AdX or TrustX, through which FT sells its display.

“The scale of the fraud we found is jaw-dropping,” said Anthony Hitchings, the FT’s digital advertising operations director. “The industry continues to waste marketing budgets on what is essentially organized crime.”

This is why we developed a totally secure private exchange a couple of years ago.  When we handle transactions end to end, we know where every ad is at any given time, and we can also track its response. We have never understood why the industry tolerates wasting marketing budgets as it has in the past, although we hope this is (slowly) changing.

How can we tell it is changing? Agency holding companies are reporting poor financial results. That’s because brands are now far more careful about entrusting their budgets to trading desks that engage in arbitrage. Who knew that one of the biggest ways agencies made money was by buying media in bulk and not passing on the savings to their clients? We thought that only happened in the world of late night TV and infomercial companies.

The other important media announcement out of Advertising Week was the re-branding of Advertising Age Magazine as AdAge, and the promise to guide this industry through a disruption the publisher admits is under way. We’re a bit suspicious of the publisher’s new recognition that

Everything is a brand. Everything is an ad for itself. So our coverage needs to reflect the broader culture beyond the weeds of our industry. We’ll still get into those weeds, but we’ll also explore the flowers. And we’ll do it with a tone that’s inviting, accessible, wry, witty and sharp.

This leads us to believe that Ad Age is going to be less an industry publication than a cultural publication, and we wonder how its core audience, advertising and brand professionals, will respond to that.

 

iOS 11 Forces Ad Industry Innovation

Last week Apple announced iOS 11 and with it the new version of its Safari browser. Now Safari is not at all the most popular browser, because most of the world uses Android, but it is the browser behind almost half of all web traffic in North America and a quarter of all the traffic in Europe. And that traffic is highly desirable to advertisers.

Apple, however, does not care about advertisers. Advertising isn’t its business model, because it sells hardware and software.  And to illuminate the cause of its unconcern:  Apple’s differentiator is security and privacy.

Remember when the F.B.I. asked the company to break into the iPhone of Syed Rizwan Farook, who perpetrated the mass shooting in San Bernardino, Calif., a year ago, and the company refused?

Bureau officials [said] that encrypted data in Mr. Farook’s phone and its GPS system may hold vital clues about where he and his wife, Tashfeen Malik, traveled in the 18 minutes after the shootings, and about whom they might have contacted beforehand.

Apple went to court and fought the government rather than write new software to compromise the iPhone’s security.

It only stands to reason that Apple would try to protect its users further by incorporating anti-tracking software into Safari; that’s right in line with its brand strategy.

Safari 11… intelligent tracking-prevention technology makes it harder for ads to follow you around from one site to another and for advertisers to keep track of your browsing habits over the longer term. One part of the approach is deleting even first-party cookies if it’s been more than 30 days since you interacted with the website that set the cookie.

This drove the advertising industry wild, with a coalition of industry groups publishing a letter last week telling Apple that Safari’s new settings would endanger internet economics.

“Apple’s Safari move breaks [cookie-setting] standards and replaces them with an amorphous set of shifting rules that will hurt the user experience and sabotage the economic model for the internet.”

But the ad industry shouldn’t worry. We remember when pop-up ads were blocked, and the industry squirmed. We also remember when third party cookies began to be blocked in browsers, and the industry wrung its hands again. Now the blocking of first party cookies will be used as an incentive to innovate, because consumers have already sent the message that they hate retargeting and don’t want to be followed around the web by a pair of shoes they just bought.

And besides, not all first party cookies are blocked, and that’s because some of them are actually desirable for users. Those are the ones that make it possible for you to log into a site without re-registering each time. Safari uses a machine learning model, so if a user visits a site and logs in with Facebook or Twitter, a cookie will still be set to allow that user to log in again.

We are gradually moving toward an era of brand advertising, in which users will be shown content and incentivized to interact with ads for a reward. This gives users a choice,  and does not put all the power in the hands of advertisers and their ad tech to force an ad in front of an unwilling user, where it has rested for the past two decades.

 

 

Native and Mobile Ads Draw High CPMs

The advertising landscape continues to shift. This time the news appears to be good for the publishers. MediaRadar’s newest study on advertising trends in 2016 and Q1 2017, which came out at the beginning of the summer, revealed that high CPM ad placements are on the rise (whew!), especially if they’re mobile or native; niche and enthusiast sites still flourish in print (along with regional titles); and native ad placements have grown 74% in Q1 year over year.

Native ad formats have grown the most and command the highest CPMs. While many forms of native advertising are still frowned on, the demand for native has nearly tripled since 2015. That’s partly because native ad formats typically escape ad blockers, but also because consumers don’t mind reading or viewing something that’s truly informational and isn’t interruptive. Native ads are predominantly brand ads, and the further good news is that digital advertising has finally arrived at a point where it’s not all remnant inventory, performance ads, and low CPMs. This will allow digital advertising to be effective at points nearer the top of the funnel (if there is still a funnel at all). For now, native seems to outperform more traditional ad units.

As for print advertising, it still hasn’t gone away, although spend did decline 8% year over year. While general interest titles are languishing, niche and regional publications appear to be on the rise. And many advertisers have begun to target smaller volumes of engaged users over sheer reach.

This seems counterintuitive to us, but we’ve observed it ourselves: programmatic buying has declined. In fact it’s down 12%, and we think it’s because media planners are tired of not knowing where their ads are going to be seen. Brand safety is one of the problems, and the other is viewability.  Viewability is the new currency for advertisers and it’s tough to track viewability accurately with programmatic buying. Brands really need to buy programmatically, however, because it’s far less effortful, especially for large buys. We think the market will settle somewhere around programmatic direct, which allows far more control than simple programmatic.

If the current market trends continue, publishers should see increases in revenues, brands should see growing effectiveness of ad spend, and consumers should be less annoyed by formats that offer little else than interruption.

 

 

 

 

 

European Privacy Rules Should Not Kill Free Media

Randall Rothenberg, CEO of the Interactive Advertising Bureau, one of our largest digital media industry groups, is on the warpath again. This time he is afraid that a new proposed rule in the GDPR (General Data Privacy Regulation), which takes effect in May of next year, will eventually kill  the ad supported free media ecosystem that has been in place for the entire existence of newspapers.

Buried in pages of amendments to the European Union’s latest privacy proposal, the ePrivacy Regulation, members of the European Parliament recently recommended language that would strip European publishers of the right to monetize their content through advertising, eviscerating the basic business model that has supported journalism for more than 200 years. The new directive would require publishers to grant everyone access to their digital sites, even to users who block their ads, effectively creating a shoplifting entitlement for consumers of news, social media, email services, or entertainment.

The language specifically says

“No user shall be denied access to any [online service] or functionality, regardless of whether this service is remunerated or not, on grounds that he or she has not given his or her consent […] to the processing of personal information and/or the use of storage capabilities of his or her [device].”

In practice, it means this: The basic functionality of the internet, which is built on data exchanges between a user’s computer and publishers’ servers, can no longer be used for the delivery of advertising unless the consumer agrees to receive the ads – but the publisher must deliver content to that consumer regardless.

Rothenberg refers to this proposed regulation as about to enable behavior akin to shoplifting or turnstile-jumping. Moreover, he says that since 76% of internet media is supported by advertising, much of the world’s free media would inevitably disappear, leaving us essentially without all the freedom of the press that the internet enabled for the past twenty years.

Rothenberg is paid to advocate on behalf of the internet advertising business model, and we all realize that, but here is an exceptionally good point that he makes about mobile advertising and how its demise would affect democratic values:

The impact in the mobile environment, where the majority of mobile applications depend on advertising revenue to survive, would be just as devastating. With few consumers willing and able to pay the additional taxes, the majority of the online content they enjoy today could disappear forever – at exactly the time authoritarian governments around the world are attempting to seize more control of the news and entertainment media.

While some might argue that Rothenberg’s latest rant is overstated, we think this is a very unusual period in the history of the world’s democracies, and it makes sense to advocate strongly for free, ad-supported media – as long as it is not overly intrusive and provides value to consumers. That’s the key point that Rothenberg forgets to make, but is never far from our minds. To earn consumers’ attention, we have to provide fundamentally better advertising. And that, paired with free media, can preserve the array of voices in the digital media landscape that contribute to the preservation of both human rights and democratic values.

 

Fixing the News Business (For Now)

Jeff Jarvis, former founding editor of Entertainment Weekly and creator of Buzz Machine, and now professor of Journalism at CUNY,  has written a very profound article on how to save newspapers. The article is relevant not only to newspapers, but also to any publication that seeks to maintain its life in the current digital environment. In this environment, there is competition for attention, and an almost infinite supply of news, both fake and real, and entertainment.

As an experienced partner to publishers (since 1999), we would like to recommend that they think about some of the points Jarvis makes in his article. He begins by setting the stage:

The burning house sits on the foundation of media’s old business model, which is built on volume: reach and frequency in mass media terms, unique users and clicks online. This house is doomed to commoditization as the abundance and competition the internet spawns drive the price of the scarcity we once controlled — media time and space — toward zero. Yet this is the model that still makes us our money and so, just to survive and perchance to invest in an alternative future and home, we must still feed that fire with cats, Kardashians, and every new trick we can find, from programmatic ads and so-called content-recommendation engines (which commoditize media yet further) to native advertising (which, when it fools our readers, only depletes the seed corn that is our trust and brand). We know where this ends: in ashes.

Well, we all know that. Now what do we do about it? Jarvis says we have to build our businesses on value over volume, and we must develop relationships that go deep into communities. And by communities he means not just localities, but affinity groups and other self-identifying niches and segments — perhaps parents, perhaps transgender young adults, perhaps cancer patients. The key here is self-identifying.

This means not buying data, but developing our own — first party data that comes from talking to our current customers, subscribers, visitors, and finding out more of what they want. For some publishers, this is more difficult than it would seem. As publishers, we’re used to putting out content and assuming we can target the audience from outside. We can target, for instance, Hispanics. But Hispanics don’t necessarily define themselves as Hispanics; they have characteristics that cut across the obvious label.

Note well that in each of these situations, we must shift from media-centric products — our newspaper, our content, our home page, our comments — to public-centric services: a place for people to come together with residents of their town; a place where seniors can find the right adult development for them; continuing alerts about developments in an issue a high-school parent cares about; a means of connecting with others who are concerned about filthy park to get it fixed; and so on. I am not talking about personalizing the serving of the content we already have (though that would be a good and necessary start). I am talking instead about building new products to serve specific constituencies in new ways.

And what do we do to solve this?

Start with advertising. At the most basic level, if you are making products and services that are more useful, engaging, relevant, and valuable to people, then you will get greater loyalty, engagement, and usage, and even under the old, CPM-based advertising business, you will have more ad inventory. More important, knowing about people’s interests and needs — at an individual level — will enable you to sell higher-value and highly targeted advertising.

The only way we can fight media’s commoditization at the hands of programmatic and retargeting advertising and the large platforms is by gathering our own first-party data. And the best way to gather that data is not by forcing our users to give it to us through registration, by inferring it through demographics, or by sneakily compiling data from privacy-pillaging services such as Acxiom.

This is your decision, publishers. What kind of publication do you want to be?

How to Make User Experience Better on Digital Sites

Ad blocking is not the end of the world for ad-supported digital content. In fact, it’s just forcing all of us to do better. It’s as if we received an industry-wide wakeup call while there was smoke but not yet an outright fire.

A combination of better ad formats and different KPIs for advertisers can save the current situation from getting worse, and can even repair the damage already done. ZEDO is always working on behalf of publisher partners to find ways to monetize and protect the viability of free digital content. We have representatives at the major industry groups, and a constant stream of input into industry developments.

For example, a recent Digiday webinar we attended on publishers and ad blockers shared the emerging best practices of premium publishers, which are really all over the place as they struggle to keep ahead of industry changes.  These publishers make frequent changes and perform lots of A/B testing to find out how to respond to consumer demand.

There is general agreement that asking consumers to turn off ad blockers only works a small percentage of the time. And charging for content only works in the case of very high value financial information.

But here is the good news: several publishers have simply used a technology to turn ads on for consumers who have installed ad blockers, and their page views have not gone down. They only turn on a small number of ads, they’re careful how they place the ads, and they try to serve ads that are truly engaging. This has told them that consumers often install ad blockers and forget they’ve done it, and don’t mind when the ads return, as long as the ads are not overwhelming. Further research has demonstrated that when people install ad blockers they do it to avoid tracking and slow page load times rather than to avoid ads per se.

We think that programmatic came in too quickly, making it too easy for publishers to stuff their sites with ads that cheapened the user experience. And users, who couldn’t get through a slow-loading site loaded with ads, bailed in droves, either by not visiting the site again or by installing ad blockers or both.

This is easy to fix. Don’t measure the old outdated stuff: how many ads served, how many ads seen. Measure engagement, which may be more difficult, but will ultimately produce the right rewards. We know we’ve ruined display advertising, so let’s not overuse video either. And let’s not think that all digital advertising is for direct sales; let’s make sure our sites are places where advertisers can place a brand ad and receive value. A smaller number of ads in engaging formats,  strategically placed and served to the right customers, can co-exist quite nicely with ad blockers.

 

 

 

 

Brand Safe Outstream Video for Publishers

We have been offering what the market now calls “outstream video” ads for almost three years.  As one of the earliest experimenters with the format as we knew it — as a video ad placed on a text site — we found the ads well-received. Indeed, when we began offering this format, we called it “instream,” because it was a  mobile video that showed in a stream of text content. It was a way for publishers to get the higher CPMs for video advertising without having to produce their own video content.

We have no idea why the industry re-named this format “outstream,” which has caused confusion about what the format really is and whether it has advantages for publishers. Now eMarketer has done a study showing that this format has a future, if certain obstacles can be overcome. These obstacles do not apply to the way we sell outstream, because we are not an open exchange; we use our ZEDO secure premium platform.

Here are eMarketer’s reservations about the future of outstream  along with our responses:

Concerns over potential ad fraud

When we sell an ad format to a brand, we do not put the ad on an open exchange. Instead, we go after publishers in our network who we think will want the ad, and fill from our internal publisher partnerships. We have been measured as 97% fraud free, and we have purged our network of suspicious “publishers.” We will only do business with premium publishers, which is why we are smaller than some of the open exchanges. Most of those open exchanges will eventually have to change their business models to accommodate new IAB and Trustworthy Accountability Group certifications coming next year.

A relative lack of measurement data to corroborate its value

On a private platform, it is easier to see where and when an ad appears. We have partnerships with measurement tools so we can provide information on completion rates.

A perceived disconnect between text-based content and video-based ads

Again, in our case we use a partner to scan all our publisher pages for appropriateness of content and brand safety. Truthfully, it’s possible to track many of the things that have given digital advertising a bad name if people will just try a bit harder. All the brand safety tools are out there, and have been out there for the past five years. In the past, we partnered with a company called Proximic, which was eventually sold to comScore, and now we are partnering with AmplifyReach.

The possibility that out-stream ads could be detrimental to media brands in the long term.

This has more to do with design thinking on the part of media brands and the way they present ads on their own sites than about outstream itself.  Fewer ads at higher CPMs appearing within a stream would naturally upset visitors less than obtrusive takeover ads that appear before a visitor even begins to interact with a site. A big reason for us to develop outstream was our desire to get away from takeovers and interstitials, which brands loved and publishers hated.

 

Highly Differentiated Offerings Survive

We recently listened to Terence Kawaja, founder and CEO of Luma Partners, our industry’s investment bankers. Kawaja participates in many of the mergers and acquisitions now occurring in the industry, and he had some interesting information that made us believe ZEDO and ZINC are moving in the right direction — toward highly differentiated offerings.

We are no longer defining ourselves as an ad tech company, because we are no longer simply a middle man in transactions. We are a private platform that services a premium publisher network on the one hand, and major brands who want innovative formats that generate high engagement on the other. Our latest innovation is “Watch and Engage,” designed for affinity groups and fans on mobile devices and made to run within apps.

Kawaja says that the dark night of ad tech is occurring in the pullback of undifferentiated companies, many funded during the ad tech heyday by venture capital. Some of those companies, which he declined to name, “are zombies, under siege but hard to kill.”

There are currently 4000 companies in the Lumascape. (We remember when there were fewer than 2000.) In the current environment, you can have a company with $20, $50, or even $100 million in revenue and not be safe, because most ad tech companies are not SaaS and they do not have continuing revenue. To succeed, a company today needs scale, growth and profitability.

One company Kawaja mentioned favorably is The Trade Desk, whose IPO was highly successful even in what has been called the dark hours for ad tech.

When questioned about the “duopoly” of Facebook and Google, and its effects on the future of the sector, Kawaja was surprisingly optimistic. There will still be market opportunities, he said, even when everyone is perceived to be fighting about scraps, because the industry is now so large that a good company can take market share from another, less technically astute and customer-focused company and grab a slice of  the $34 billion market remaining after the duopoly has soaked up 75% of the ad spend. Behind Google and Facebook,  Amazon has the best shot at being a credible #3, because with its Alexa devices, Amazon has made every house into a Trojan horse for information.

Another cause for Luma’s  optimism is Kawaja’s belief that ad tech will see multiple exits next year over $100 million each. He says ad tech is like any other tech sector, although it has more “false positives,” by which he means companies that appear to be innovative and successful, but are actually not differentiated enough in their product offerings to compete in the marketplace. Those will continue to be acquired next year.

In the media industry itself, Kawaja sees the beginnings of a big migration from I/O to programmatic that we have been seeing and participating in for four years. When he spoke of the beginnings, we thought he must be referring to the video end of the business, convergent TV, or streaming over the top, because display went to programmatic years ago. But the convergence of TV and video, happening as we speak, disintermediates a market that consists of $75 billion in cable and network TV spend, and another $75b in paid TV.

So there’s plenty of money for companies that can truly add value, as we believe we can.  Get in touch with us at adsales@zedo.com to find out.