TAG, You’re It: Beyond TAG Malware Scanning Guidelines
When the Trustworthy Accountability Group (TAG) released its best practices for malware scanning in October, anyone seeking a more secure advertising supply chain would have been eager to read through the first-of-its-kind, 16-page document. In a quest to outline basic malware scanning processes, TAG delivered plenty of suggestions about when to scan, noting that in some environments publishers and their providers might want to scan more or less often—but it didn’t offer hard numbers or strict parameters.
Instead TAG lays out a number of scenarios and circumstances, and weighs them more or less relative to each other. As a publisher, where your own baseline falls depends on factors like the scale of your digital properties and served impressions, and the sources of your ad creative.
Ad tech people love talking about how digital media is a “self-regulating industry,” but in order for that to be true, it needs to actively keep itself in check. And this is now more important than ever as the ever-present threat of full-on government regulation begins to take shape. In September, FTC Chairwoman Edith Ramirez addressed the ongoing consumer-targeting ransomware epidemic and confirmed 60-plus enforcement actions against companies that didn’t offer reasonable consumer security controls. Rumor has it that several ad tech companies and publishers have been and continue to be on the hit list.
While there’s more to the TAG guidelines than simply saying, “Use your best judgment,” the document does frequently ask everyone along the ad supply chain—not just publishers, but exchanges, DSPs and SSPs, trading desks, and various tech solution providers—to use their best judgment.
Digital publishers, as the point of contact with consumers, often end up getting shamed when malware appears. So when something like the TAG guidelines comes along, it’s natural for publishers to ask whether this is one more thing for which they’re going to be held accountable, or whether the guidelines can help them share the “malware prevention” burden with other players from one end of the ad supply chain to the other.
Don’t Kick the Scan Down the Road
TAG does indeed address the whole supply chain, explicitly stating that its guidelines are meant to be put into action by everyone involved in distributing digital ads. In short, the guidelines call for scanning all ads and landing pages, either using in-house or third-party solutions, prior to any ad’s first exposure to the user.
As a best practice, ads (creative and ad tags) require frequent scanning and re-scanning. TAG points out scanning once is “likely insufficient” and that the number of scans should be “mathematically appropriate” to the factors involved in a particular environment or user experience. (As TAG suggested, ads with 100 impressions per day might require, say, weekly scanning, but ads with millions of impressions per day might require hourly scanning. Those scan frequencies per size are just suggestions, by the way, not across-the-board prescriptions.) All players along the chain should employ “commercially reasonable and best efforts.”
To determine suitable frequency of scanning, look at the total number of impressions, mid-campaign changes in impressions or spend, changes in targeting, or changes in tech. To know when to re-scan previously scanned ads, consider data from initial results, errors, physical domain location, domain and IP ownership, and confidence in partnerships. Proof of scanning is generally recommended, and ads that have already been contaminated need to be rescanned more frequently.
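The cadence rules above can be turned into a small scheduling policy. The code below is an added illustration, not TAG’s or any vendor’s implementation; the two anchor points (roughly 100 impressions/day → weekly, millions/day → hourly) come from the text, while the log-linear interpolation between them, the risk multipliers for active/remote-hosted/previously contaminated creative, and the config-fingerprint change trigger are assumptions chosen for the example.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

WEEK = timedelta(days=7)
HOUR = timedelta(hours=1)

@dataclass
class AdRecord:
    ad_id: str
    impressions_per_day: int
    active_creative: bool = False      # scripted/dynamic creative (higher risk)
    remote_hosted: bool = False        # creative served from a third-party host
    previously_flagged: bool = False   # already found contaminated once
    last_scan: Optional[datetime] = None
    last_scanned_config: str = ""      # fingerprint of targeting/tech/spend at last scan
    current_config: str = ""           # fingerprint of the live configuration

def base_interval(impressions_per_day: int) -> timedelta:
    """Assumed mapping: ~100/day -> weekly, >=1M/day -> hourly, log-linear between."""
    if impressions_per_day <= 100:
        return WEEK
    if impressions_per_day >= 1_000_000:
        return HOUR
    frac = (math.log10(impressions_per_day) - 2) / 4   # 0.0 at 100, 1.0 at 1e6
    ratio = HOUR.total_seconds() / WEEK.total_seconds()
    return timedelta(seconds=WEEK.total_seconds() * ratio ** frac)

def scan_interval(ad: AdRecord) -> timedelta:
    """Tighten the base cadence for the risk factors the guidelines call out."""
    interval = base_interval(ad.impressions_per_day)
    if ad.active_creative:
        interval /= 2
    if ad.remote_hosted:
        interval /= 2
    if ad.previously_flagged:      # contaminated ads get rescanned more often
        interval /= 4
    return max(interval, HOUR)     # assumed floor: never tighter than hourly

def rescan_due(ad: AdRecord, now: datetime) -> Tuple[bool, str]:
    """Decide whether an ad must be (re)scanned before its next exposure."""
    if ad.last_scan is None:
        return True, "never scanned: scan before first exposure"
    if ad.current_config != ad.last_scanned_config:
        return True, "targeting/tech/spend changed since last scan"
    if now - ad.last_scan >= scan_interval(ad):
        return True, "scan interval elapsed"
    return False, "up to date"
```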
Getting Buyers to Play Ball
Ideally, these guidelines offer publishers the incentive to put the heat on demand partners and other vendors: Monitor your goods, send us uncompromised ads whenever possible, show us documentation of your efforts, or we’ll cut you off and you won’t reach the audience you want. Adding teeth to the effort, TAG announced a “Certified Against Malware” program, which will certify a company’s compliance with industry-driven malware best practices.
The question is whether that gambit will work. Plenty of publishers will look at the TAG guidelines and say they’re already following these recommendations on their end. In many instances, some will say their scanning processes are currently more stringent. However, being particularly stringent won’t keep your nose entirely clean in programmatic: TAG believes the most risk-prone ads are those that have active creative and are hosted remotely, unavoidable factors when you’re transacting at scale. Alex Calic, The Media Trust’s Chief Revenue Officer, calls TAG’s best practices and ensuing certification program “a starting point,” and says they at least set the stage for ensuring all key players involved in an ad’s execution understand scanning is essential.
“The final buy-in has to be at the agency side of things, which for the longest time has said, ‘Not my problem,’” he says. “Once an agency understands their role, their downstream partners can start tightening the acceptable parameters.”
That said, advertising is only worth something when it reaches an audience, and publishers ultimately deliver the audience. Publishers have a strong incentive to influence what happens with vendors and platforms that have a lower profile to the public.
“If you’re adopting TAG’s best practices, you’re going to get preferential treatment from the entire digital ecosystem,” Calic says. “As an advertiser, I’m going to do everything I can to comply, so users start seeing my ads. If every player supports the standards, no single provider or entity has to maximize the scanning on their end and bear the full brunt of the cost.”
Best Practices Make Perfect… Or at Least They Make Better
At the most basic level, a publisher’s business relies on earning revenue by monetizing ad inventory. One of the problems with preventing malware—and otherwise upholding user security—is that a lot of the time, resources are limited, and it’s prohibitive to look very far past the complexity involved in managing the expectations of demand partners. Malware prevention is its own set of issues. Scanning isn’t free.
But publishers now have more robust strategies than ever for driving yield, and Calic is hopeful that ostensibly democratizing developments such as header bidding can buy them some time to re-evaluate relationships with demand sources.
“Publishers are going to be more savvy and say, ‘It’s fine that my revenue is going up, but quality can mean many different things,’” he says. “It can mean malware; it can mean the creative is too big and freezes the site. As revenue starts increasing, publishers can be a bit more picky when it comes to how they treat different partners.”
Ideally, premium publishers can use context as a bargaining chip for driving partner compliance. But that assumes everyone on either the buy side or sell side will be motivated by best practices, which is too much to take for granted.
Quality publishers typically don’t need to be reminded to work with partners who exhibit good behaviors. But it’s much harder on the pub side to ensure agencies engage only with publishers that exhibit good behaviors themselves.
When agencies are motivated to go forth into the marketplace and buy the cheapest inventory they can—even when they know that inventory isn’t in a quality environment—they’re putting their business at risk. And they’re potentially encouraging bad actors who might already be present in those low-quality environments.
One publisher we spoke with told us about a situation a publisher peer recently experienced with a buyer. The publisher in question had gone through the arduous process of scrubbing bots off their site. The buyer reached out and said there was a problem with their campaigns—clicks through to the advertiser’s site had dropped precipitously. The pub explained how the site was, in reality, delivering more value with a fully human audience at the same CPM. The buyer didn’t care: His compensation was based on per-site visits, and it didn’t make a difference to him whether the click-through traffic was human or bot.
This story underlines the critical need to change industry attitudes. Correcting this thinking means key players can’t look at the TAG guidelines and ignore them because their bottom line is more important.
“How do you build the right incentive structure?” asks Calic. “It starts at the top. If you need more people to visit your website and you’re going to pay for it, that’s not a problem for you. The ad tech industry is awesome at solving for exactly what you want and not worrying how you get there.
“The goals of TAG’s best practices are twofold: clean up the issues that can be fixed because they’re unintentional and make it harder for bad guys to enter the ecosystem who are trying to do things intentionally.”
Who Are the Deciders?
The TAG malware guide may not be the be-all and end-all for malware prevention, but it is a statement of purpose with room for case-by-case interpretation. And it’s worth it to nudge all parties along the ad supply chain toward compliance, which will also demonstrate to government regulators that the industry is taking tangible steps to keep its house clean.
If TAG doesn’t go far enough, it reminds us we’re not just preaching to the choir when we talk about best practices for malware prevention—malware is an ongoing problem in part because some decision-makers are still making decisions that open the door to malware.
Frequent scanning can help prevent malware for parties who care about it. For the rest, the industry will need to maintain a longer conversation about priorities.