The latest trend of ad tech fraud

The way companies are receiving GDPR fines for non-compliance, we can say that soon the tech world will face the worst phase of all times.

Lately, in June, the Information Commissioner Officer (ICO) released a warning report to ad tech. Now the digital industry is on tenterhooks and trying its best to get out of this red zone.
According to the ICO, the way data is used for real-time bidding isn’t legitimate under the General Data Protection Regulation.

Ever since the ICO issued a warning report, the publishers and vendors are re-analyzing their compliance level and strategies. Moreover, the ratio of audits they are undertaking to examine their current compliance condition has increased.

A few audits highlighted dodgy practices such as fraudulent consent strings.

In the era of GDPR fines, the latest tricks were found to hack data and money every day. It is paradoxical, anyway, fraud of consent string is a new buzz. The issue boiled-up a little in last August, right after the advent of the law.
It assumed to be a core reason behind vendors injecting fake consent strings in the digital ad ecosystem, according to the ad tech vendors.

Let us dig a little more to find the root of this problem. Like, what exactly it is?

What is a consent string?

Consent string is used by ad tech vendors to verify whether or not they contain user consent to use their personal data to send them GDPR-complaint targeted ads.

A publisher’s consent management platform gathers the information that either user has allowed them to use his data or not. The CMP then transfers the information to the publisher’s programmatic ad partners to let everyone know.

Consent strings are assigned by the Interactive Advertising Bureau Europe, and every vendor who is a part of this Transparency and Consent Framework uses one.

The string itself is a string of ones and zeros: “1” = yes there is consent, “0” means no consent. Numbers’ position identifies which vendor got consent and for what purpose.

So that’s now being manipulated?

In ad tech, dummy strings are created in some situations. But, consent string can easily be manipulated. Similarly, some vendors, just to appear to have user consent, are doing so. In this way, they don’t get blocked from buying and selling inventory.

Chloe Grutchfield, the co-founder of RedBud, who developed a specific tool to audit compliance on behalf of publisher clients, said, “There’s some very odd stuff going on. Completely fake consent strings are being hardcoded and shared with the ad ecosystem when the user has actually revoked consent across all purposes and vendors.”

Is it an easy job to do?

Yes, it is quite easy. A fake dummy consent string can be created, which will look like the legitimate one. But, it uses a different CMP ID, which can be visible when it has decoded.

How common is this?

Like much of programmatic, that’s nebulous. Besides, businesses that are instigating to track it haven’t accumulated enough data to show the scale of it. Through this fraud, money can be made in bulks with a low risk of getting caught.

Are there any defensive measures to address it

Well, no such means are built for this. The Consent string is not a widely spread problem, which needs enough focus to find ways to throttle it. It is not wise to neglect these nefarious tactics, and we must halt them to grow, then to complying with some regulation later on.

There are two options for us to deal with this. First, the procedure must be audited and policed by a neutral body. Second, the string should be encrypted.

Mathieu Roche, the co-founder of ID5, said, “If there was a cop whether the IAB or someone was appointed to that role they could randomly check consent signals in the chain. The other option is to have a by-design enforcement, so encryption around the string. It’s something potentially blockchain technology could help with, so nothing can be tampered with.”