The secret way they collect ad revenues

Google’s secrecy around sales houses is the gift that keeps on giving — to global propaganda rings.

Welcome back to BRANDED, the newsletter exploring how marketers broke society (and how we can fix it).

Here’s what’s new with us (we’ve been BUSY!):


Last BRANDED, we revealed an undercover(ish) scheme that enables unrelated groups of publishers to quietly share account IDs meant for only one of them, pool the collective ad revenues and then split it up amongst themselves. 

We’ve always understood Breitbart’s business model as a classic programmatic play: they publish hateful content and earn $$ through impressions and clicks. The logic behind the Sleeping Giants campaign was: block their website and they won’t get your money.

And yes, that shut them out of earning ad revenue the normal way. But we’ve now identified another lucrative way for them to continue collecting within the same ad tech ecosystem: by sharing DIRECT account IDs and cashing out through unknown entities called dark pool sales houses.

(This is roughly equivalent to one restaurant sharing its liquor license and card reader with a bunch of other bars in your city and then splitting the cash at the end of the night — it’s both a zany potential episode of It’s Always Sunny In Philadelphia and illegal.)

One company — the world’s biggest ad exchange — could help us end this practice overnight. But they’re holding out on us. 

Today, we’re going to explore how unknown entities around the world are extracting unlimited sums of money from unsuspecting advertisers because Google is holding onto key data like it’s a state secret, in order to maintain its own competitive advantage.

This goes beyond a standard brand safety issue. It’s a privacy issue, an antitrust issue, and because of the international money laundering implications, an issue of national security. 

A few updates about what happened after the last issue

The following companies issued responses to our last issue

33Across (the SSP we highlighted in our last issue) issued a response saying: 

“We have reached out to our supply partners and the sites who list the 33Across Ads.txt line on either Breitbart.com and RT.com to have them removed.” 

Since publication, the 33Across records have been removed from Breitbart’s ads.txt file.

Saambaa (a self-described ‘event discovery platform’) reached out to us to point the finger at a ‘3rd party ad management company’:

“The Breitbart ad inventory is managed by a 3rd party ad management company. We work with them on other sites and they have grouped our ads.txt as part of their larger assembly of ad buyers on Breitbart.”

The company that Saambaa is talking about here is Granite Cubed, the exclusive advertising broker for Drudge Report, which has been extensively covered by Craig Silverman at Buzzfeed. Drudge Report and Breitbart have numerous overlapping ads.txt records, a potentially telltale sign of dark pool sales houses at work.

Microsoft updated nearly 100% of their ads.txt files on Bing and MSN using their own schema. All their sales houses (and any dark pool sales houses) are now labeled, and even include schema that identifies business names and countries. See for yourself!

The IAB (the ad industry association) defended ads.txt (which they created) in a blog post titled “Don’t blame the tools; Learn how to use them”. Here’s Zach’s response to that letter. We thank the IAB for their attention, and look forward to seeing how they help marketers protect their ad budgets. 

We’re also thrilled that our research inspired a handful of new products to help advertisers cross-check their ads.txt records. Like this one, which found “a handful of sellers misclassify nearly all their sources as a direct relationship (publisher), when the sources are, in fact, intermediaries.”

Could this be Breitbart’s “back door” business model?

When Breitbart was shut out of 90% of its ad revenues, it was because thousands of advertisers blocked their domain (www.breitbart[.]com). That closed up one revenue stream — we’ll call it “the front door.” 

But there would still be another way for Breitbart to cash out: they could enter into partnership agreements with other publishers, use those publishers’ DIRECT IDs, direct the ad dollars to dark pool sales houses — a name we came up with because they can operate as untraceable shell corps — and split the cash from there. 

We call this “the back door.”

When Breitbart became the subject of the Sleeping Giants campaign, they only lost “front door” access. But the back door is still open: there’s nothing stopping them from using other account IDs or partnering with other publishers who agree to mislabel DIRECT inventory with them. 

What does it mean to go through the back door? It means you can cash out from the other end: 

  1. Set up revenue-share agreements with your friends 

  2. Buy up tons of websites together (even random ones — it doesn’t matter)

  3. Place the same DIRECT account IDs on all of them 

  4. Link them to the same sales house

  5. Divvy up the cash 

Advertisers would never know who the money actually ends up with, because there is no publicly available directory of sales houses for them to check on.

If you were, say, part of a global fascist propaganda effort, you might partner up with alt-right organizations around the world, set up a common shell corp and use this back door to fund your activities. The added bonus? You can use all that user data you’re collecting together to target citizens more efficiently ahead of important elections. ¯\_(ツ)_/¯

Let’s work backwards together to look at how the adtech ecosystem makes high-stakes fraud possible.

Breitbart as a data broker

After our last issue, a lot of folks asked us why it matters if publishers are sharing DIRECT IDs. You can technically make up anything you want on an ads.txt file. Maybe they just copy/pasted more records in so it looks like they’re popular with vendors? 

That surface-level understanding of mislabeling is why it has not generally been policed by DSPs and why marketers aren’t aware of what’s going on.

There are actually two financially sound reasons the bad guys would share DIRECT IDs:

  1. They can spin up new sites with higher CPMs quickly — DIRECT IDs generate more revenue than RESELLER labels because RESELLER IDs are more often blocked by buyers. This makes it easier to pool user data across partner sites, allowing them to offer more targeted audience profiles on newly minted websites. . 

  2. More targeted ads (which are worth more $$) — Advertisers are obviously willing to pay more for better targeting, so these impressions are worth more. Pooling user data means they can offer more targeted audience profiles across all their partner sites. A rising tide of audience profiles lifts all publisher boats.

Whether a publisher like Breitbart partners with their friends around the world or just buys up a bunch of websites on their own, sharing DIRECT IDs is a fast track to racking up high value impressions and clicks.

That would give Breitbart a new lease on life as a data broker. 

Breitbart as a sales house

Now, once you have the money, you need to get it out, right? So where do those ad revenues actually go? To the sales house. Lucky for Breitbart, anyone can form their own dark pool sales house — easy to do because you can legally link it to an anonymous LLC — and serve themselves and their friends.

This structure is how most SSPs operate, except without the sketchiness and anonymity. That’s why you can think of a dark pool sales house as a “pseudo-SSP.” It works like any other SSP, but you don’t know who owns it. 

Breitbart as a vertical integration scheme???

Sure, that’s one way to put it. You could also call it “rampant money laundering.” If you’re able to be a data broker (which you can) and control a sales house (also very simple), you can effectively control your own secret supply chain.

Where the hell are the ad tech cops?

The IAB (the Interactive Advertising Bureau) says they’ve built the tools and architecture to check on these things. Together, the following two standards are meant to bring a level of transparency to ad buying: 

  • Ads.txt = a directory of account IDs

  • Sellers.json= a directory of sellers (incl. company name, address, location, etc.)

But there are some glaring holes: 

  • There’s no way to know when bad actors are removed from sellers.json. There is no “sellers removed” schema or standard to alert us to trouble.

  • Organizations have permission in sellers.json to use both DIRECT and RESELLER labels in ads.txt. They don’t get in trouble when they use DIRECT across more than one website.

  • Sellers.json is applied inconsistently. Sellers.json has been largely ignored by Google and haphazardly applied by other ad tech vendors. 

  • Google only just released a“beta” version of a sellers.json. In June 2020, 2+ years after pushing the ads.txt standard, they’ve released an extremely limited sellers.json directory. It’s still not enough to do a basic fraud check.

And then there’s this dealbreaker:

  • There’s no official global ads.txt directory. You can’t cross check for mislabeled DIRECT inventory across multiple domains because the IAB hasn’t made it publicly available!

In other words, there is no process that documents bad actors for advertisers. There’s really no one in the ecosystem holding anyone accountable for anything.

This is a major antitrust issue for Google

Google has God’s dashboard to ads. But even their records contain hundreds of mislabeled domains. (And we only looked at a tiny fraction of Google’s total inventory).

So how is anyone in the industry supposed to properly conduct their ads.txt-sellers.json checks when not buying through Google?

We tried to find out for you. Before we released the last issue, we reached out to Google with a list of account IDs from the Breitbart dark pool sales houses, which were from Google’s own advertising system. We still haven’t heard back. Most of those records are still active. 

As of now, Google’s policy still allows for shell corporations to create seller accounts, get approved as both publisher and intermediary (aka DIRECT vs. RESELLER), and then label those account IDs as DIRECT across hundreds of unique websites. 

Google does offer more information if you use their ad exchange instead of their competitors. In other words, you can reduce fraud only if you advertise through Google, because they haven’t made those tools available to anyone else.  

If Google is the only safe place to buy ads because they own all the data, that seems like an antitrust issue to us. 

The seller.json directory they released a couple months ago has two problems:

  1. It was just 5% of the records. Google has only released about 5% of their sellers.json records. They’ve kept the other 95% for themselves. You can see the records here

  2. You can completely hide the ownership of an accountID. Google has an optional “make my business confidential” toggle for the Google sellers.json listing, which if you squint, does help maintain privacy. But mostly it just helps dark pool sales houses proliferate.

Bottom line: We should be able to check our ads

What can we do with this information? Two things. First, check out Nandini’s Twitter thread about how to ask your ad exchanges to fix ads.txt labels

Then, send Google an email — here’s a handy template: 

Dear Google, 

I’m writing today to understand how you plan to address ad fraud taking place across the ecosystem. 

  • Why have you allowed clients to hide their ownership through a confidentiality flag? What efforts are you undertaking to stop money laundering through this loophole?

  • Why are you giving organizations permission to append both SELLERS and DIRECT labels without any apparent punishments against organizations who label DIRECT across hundreds of unrelated sites?

  • Does Google have any process to help the industry identify bad actors? 

A suggestion: Seller accounts that are removed from the sellers.json for malicious activity or TOS violations should be listed under a “sellers-removed.json” file instead of just being quietly removed from sellers.json files without notice to other ad tech vendors or buyers.

Google and all DSPs should also ban the use of shared accounts by shell corporations (SSPs/pseudo-SSPs) who are not registered as data brokers in both Vermont and California.

If a seller is found to be cloning DIRECT labels across publisher websites, the seller should get one warning that pauses all their bids and access to the bid stream, and a complete suspension upon a second violation.

I look forward to hearing from you. 

Best,

[Your name]

That’s it for us. Thanks for reading, we’ll be back next time with more!

Claire & Nandini


Did you like this issue? Then why not share! Please send tips, compliments and complaints to @nandoodles and @catthekin. Big thanks to Zach Edwards (@thezedwards) for making this story possible.