Is the Colossus SSP Pile On Deserved?

“If cookie mismatches indicate fraud, then all SSPs are committing fraud. All SSPs are NOT committing fraud, and all SSPs HAVE cookie mismatches.” — Dr. Augustine Fou

There’s been a lot of name-calling when it comes to Colossus SSP lately, they’ve been called a witch practicing black magic, and a big man strutting around on campus, among other names. A recent Adalytics report prompted the name-calling, but as the dust settles, some ask: Is the pile-on deserved?

Adalytics claimed that Colossus mis-declares user IDs in the bid requests it sends to The Trade Desk to make its inventory appear more valuable than it actually is. Stung by the accusation of fraud, Colossus’s parent company, Direct Digital Holdings (DDH) filed a defamation lawsuit against Adalytics (ergo the “big man strutting” comment).

Many pundits took Adalytics at its word. For them, the smoking gun was the fact that of the 16 SSPs that send bid requests to The Trade Desk only Colossus’s are problematic per the Adalytics report.

But new testing and analysis by independent cybersecurity and ad fraud researcher, Dr. Augustine Fou, suggests that Adalytics may have been too quick in asserting Colossus intentionally mis-declares user IDs. According to his data, Colossus is not the only SSP experiencing user ID mismatches.

Been There Done That

In a LinkedIn post titled, Can Intent Be Deduced? Yes and No. Read On, Dr. Fou describes tests he conducted between multiple SSPs and The Trade Desk to assess the degree to which ID mismatches occur.

Interestingly, the first sections of his article are a trip down memory lane, reminiscing about previous instances where Adalytics accused companies of foul play when in reality they may have been experiencing the type of technical snafus that arise when multiple players are involved in a transaction.

First up, Dr. Fou refers to a 2022 Adalytics blog post that said, “Gannett Media, the largest U.S. newspaper publisher as measured by total daily circulation and purveyor of USA Today, the Detroit Free Press, The Indianapolis Star, and several hundred other local news sites, was observed using custom Javascript that appeared to mis-declare what pages and domains are submitted into header bidding ad auctions.” The Adalytics’ post highlighted that domain spoofing is a serious issue and implies that Gannett media was pulling a fast one to boost revenues.

But in tests Dr. Fou found that the mis-declarations went both ways, noting that bid requests from national newspapers, including USA Today, were classified as local publications and likely to earn lower CPMs in the market.

Dr. Fou concludes: “The fact that misdeclarations occurred in both directions suggests this may indeed have been an error, rather than malicious, intentional fraud.”

Intentional Fraud or Synching Stale Cookies?

This brings us to his analysis of Adalytics’ accusation that Colossus has been acting in bad faith.  Dr. Fou takes issue with several aspects of the Adalytics’ report, beginning with the data sample it used to make its claims. He writes, “The data used by the [Adalytics] report was disclosed to be a ‘convenience sample’ of approximately 25 human volunteers that installed the Adalytics browser extension in their Chrome browser.” So not exactly a robust testing scenario.

Dr. Fou also points out that Colossus doesn’t have a direct connection to The Trade Desk so the SSP connects through BidSwitch. That means Colossus matches its ID to the BidSwitch ID, which then matches to The Trade Desk ID (TDID). It’s kind of a game of telephone.

“BidSwitch does get direct cookie syncs from Trade Desk. But it is unclear how soon they update their match tables with the new TDID,” Dr. Fou explains. He continues: “NO SSP can read the TDID in browser store, so it is impossible for an SSP to read a TDID/cookie and replace it with a higher value one in the 50 milliseconds between the bid request and the bid response.” In other words, it’s simply impossible, Dr. Fou suggests, for Colossus to do the bait-and-switch implied in Adalytic’s report.

Dr. Fou also directly challenges the claim that Colossus is the only SSP to exhibit ID mismatches with TDID. He writes, “Mismatches were observed in ALL cases, and ALL SSPs. Experimental results showed that the accuracy of the match tables depend on how aggressively the SSP syncs cookies and updates the match tables.”

He reiterated that point in a follow-up LinkedIn article posted on Sunday, “If cookie mismatches indicate fraud, then all SSPs are committing fraud. All SSPs are NOT committing fraud, and all SSPs HAVE cookie mismatches.”  

Now let’s return to the small sample size of the Adalytics’ report. Had Adalytics used data from 50 or 100 human volunteers, they may have observed mismatches among the other SSPs.

Dr. Fou vs. Other Pundits

Okay, so now it’s Dr. Fou’s word against other pundits, some, such as Pesach Lattin and Ari Paparo, have been quite vocal. Lattin has penned at least five articles on the Colossus scandal, and Paparo wrote a lengthy piece titled A Colossal Mess. Who should one believe?

In one of Pesach Lattin’s articles, he says that when it comes to ad tech data, Dr. Fou has some serious creds, way more than Paparo. Paparo, he says, is better at selling ideas, writing, “But let’s not forget, while Paparo is a fantastic guy with a knack for selling ice to an Eskimo, he’s not exactly the Sherlock Holmes of ad tech intricacies.”

(While we’re on the topic of not forgetting, let’s also not forget the word “Eskimo” is a colonial term imposed on the Inuit and Yupik peoples, one that Native Alaskans find offensive.)

For his part, Paparo says in a comment to Dr. Fou’s LinkedIn article that he was the first to say that this whole debacle could be the result of a technical issue. And in truth, his article offers seven distinct scenarios that could explain the ID mismatches, only one of which is intentional fraud.

So in the end it may turn out that Colossus’ mis-declarations result from one of its partners synching with user IDs that are a tad bit stale.  And here’s the thing: Issues happen all the time in campaigns, and they’re resolved the most efficiently when they’re raised directly with the parties involved so that they can understand what happened and why. That kind of cooperative troubleshooting actually benefits the entire industry. For instance, if ID mismatches occur when match tables aren’t updated frequently enough, that’s a learning that benefits everyone. 

Israel Mirsky, Chief Strategy & Marketing Officer of Wesana said in a LinkedIn post that in this instance, it’s worth soliciting input from other players in the ecosystem, as Dr. Fou’s research indicates “some pretty serious allegations being made about the overall quality and integrity of cookie matching across the programmatic ecosystem.”

Edit Update: An earlier version of this story stated that Dr. Fou concluded that Adalytics has no real proof of intentionality that Forbes was committing fraud by transacting mis-declared inventory on a subdomain – www3.forbes. Dr. Fou states: “So while the 2022 Gannett case seemed to be unintentional, the 2024 Forbes case seemed to be intentional, due to the 3 additional observations.”