Secure 2024: Forrester Wave™ Q2 2022 Showcases Leading Bot Management Solutions
HUMAN Blog

State of the Union: IAB Tech Lab Supply Chain Standards Adoption

In the six years since the IAB Tech Lab debuted its ads.txt standard for fraud prevention, several other (often more complex) standards have been added to build on the protections ads.txt offers. App-ads.txt, sellers.json, and SupplyChain Object all surface different aspects of the digital advertising supply chain for verification and investigation. These standards are powerful tools for rooting out fraud in programmatic advertising. Used together, they can provide buyers valuable insight into who they’re buying from, what path the inventory took from the publisher to them, and whether all the parties involved are actually authorized by the publisher.

The below slide helps illustrate how these standards coexist and cooperate to protect the ecosystem:

IAB Supply Chain Transparency GraphicBuyers can validate inventory by cross-checking data from the bid request (domain/app, final seller account, SupplyChain Object) against data from the publisher (ads.txt, app-ads.txt) and the ad systems involved (sellers.json). However, any missing, incorrect, or inconsistent data can cause legitimate inventory to fail these validations.

If buyers can’t trust validation results due to that missing or inaccurate data, actual fraud can hide in the noise. The effectiveness of these standards is contingent on widespread and precise adoption.

Unfortunately, the current state of adoption isn’t stellar. The following findings reflect bid requests protected by HUMAN’s MediaGuard:

Issue

% of web bid requests affected

% of CTV and app bid requests affected

Ads.txt/App-Ads.txt Missing

3.0%

25%

Seller Unauthorized

8.1%

5.0%

Sellers.json Entry Missing

8.2%

9.1%

Seller Domain Missing

1.2%

14%

OWNERDOMAIN Missing

40%

58%

As the oldest and simplest standard, ads.txt unsurprisingly has the widest adoption - 3% of web bid requests are for websites without a known ads.txt file. Achieving 97% compliance with anything is impressive, but given the comparatively low barrier to entry for ads.txt compliance and its importance in preventing domain spoofing, getting even closer to 100% is both possible and necessary.

App-ads.txt, in contrast, has significantly lower adoption - a full 25% of app bid requests are for apps without a known app-ads.txt file. That represents hundreds of billions of bid requests a day without the barest of spoofing protection. There are a number of reasons why app-ads.txt compliance may be harder for publishers to achieve—including the use of non-standard app IDs and limited adoption of developer domain metadata in app stores—but it’s critical that this is improved.

Sellers.json data — particularly seller domains — is key to validating the integrity of SupplyChain objects. Here, 8.2% of web bid requests and 9.1% of app bid requests come from sellers without a known sellers.json entry. An additional 1.2% of web bid requests and 14% of app bid requests come from sellers with a sellers.json record, but without a declared seller domain. Note that this is after taking dozens of known ad system aliases into account.

The OWNERDOMAIN variable was introduced relatively recently, but is required to validate completeness of SupplyChain objects for publishers with multiple sites or apps. 40% of web bid requests are for sites that don’t declare an OWNERDOMAIN in their ads.txt. For app bid requests, it’s 58%.

These gaps are only a small subset of a wide array of issues that can cause a bid request to fail validation, but they hint at the scale of the problem buyers face when trying to use these standards. Their fraud-tackling potential won’t be realized until these issues are addressed and the vast majority of legitimate inventory is fully compliant, freeing buyers to use them to their fullest.

This type of change isn’t going to happen overnight, and will require a collaborative effort across the programmatic ecosystem. HUMAN is committed to working with our partners to tackle these issues, so we can all benefit from the collective protection these standards can provide.

We’ll have more to say on this in the coming months, but in the meantime, we recommend publishers and SSPs start with the basics by reviewing their supply to ensure that:

  • All sites have an ads.txt file, and all apps have a developer domain with an app-ads.txt file linked in their app store page,
  • The files are up to date, authorizing all owned publisher accounts and any intermediaries used, and have the correct OWNERDOMAIN variable set,
  • The files are accessible by all crawlers, e.g. not behind a CAPTCHA wall.