Ad tech companies manage billions of advertising bids across thousands of publishers in a matter of milliseconds.
So, when a privacy error slips through cracks, it can metastasize into a potential GDPR concern in the blink of an eye.
First, in simple language: Technology developed by PubMatic and deployed on nearly 2,500 websites, including Barstool Sports, Maxim and Time.com, was as recently as this week configured in a way that put sellers and publishers at risk of GDPR violations.
AdExchanger was first alerted to this activity by Sincera, a startup that specializes in gathering and supplying media telemetry data to the ad tech ecosystem. Although Sincera declined to name the SSP, AdExchanger was able to confirm that PubMatic is the company in question by examining code that was shared with us.
PubMatic claims that the issue is due at least in part to a bug within Prebid’s code.
So, what’s happening here, exactly?
Time out
For those who speak ad tech, this is what Sincera observed:
A default setting within Identity Hub, PubMatic’s Prebid-based identity management tool, was set so low as to effectively ignore user consent strings. Separately, the tool was seen to be pushing IDs from Identity Hub into the bid requests of other SSPs within a publisher’s primary wrapper (which is typically a Prebid-based wrapper). More on that later.
A PubMatic spokesperson said that the company “never ignores the consent of the user,” adheres to any consent signals it receives and only “passes unaltered signals to its partners in every transaction in which we engage.”
But the issue isn’t that Identity Hub is purposely ignoring user consent. Rather, it was not giving consent management platforms enough time to load or users enough time to interact with the mechanism.
Prebid’s timeout default for calling a CMP to obtain a GDPR consent string is 10,000 milliseconds (or 10 seconds). The timeout in Identity Hub was regularly set to either 1 millisecond or 50 milliseconds, which is just 0.001 or 0.005 seconds.
Although there is a consent module in place, Identity Hub wasn’t waiting long enough to log the interaction. Sincera Co-Founder Ian Meyers described this as akin to inviting someone to a party by calling them on the phone but then hanging up before they answer. (In short: That person won’t be showing up to your party.)
The purpose of Identity Hub is to make it easier for publishers to work with whichever identity providers they choose within a managed service wrapper, which means it’s likely that many publishers never bother to change the default settings.
PubMatic told AdExchanger that, “out of an abundance of caution” for its publisher customers, “it’s taking the proactive step of resetting the default consent timeout” so consent queries have more time to get a response.
It’s since force reset the consent timer within Identity Hub to between 497 and 500 milliseconds (roughly half of one second), which is still far less than the Prebid default.
The average consent timeout across the top 1,600 publishers by traffic in the Prebid ecosystem, excluding Identity Hub, is roughly 7.7 seconds.
Why was this a problem?
When a webpage loads in Europe, publishers need to check for consent before calling an identity provider’s API with consent signals.
But such a low consent timeout threshold makes that impossible.
Identity Hub would therefore frequently mark its enrichment requests to identity providers as “GDPR = 0,” presumably meaning that it didn’t believe the law applies in that instance.
If an identity provider takes this at face value, they would end up generating unconsented IDs, Meyers said.
Fortunately, most identity providers don’t just take a wrapper’s word for it, he said. They also check for an opt in before enriching a bid request as a matter of course.
Still, it’s not always possible to do that. A server-side wrapper, for example, would show an SSP’s server address rather than a user’s true IP address, making it difficult or impossible to verify that person’s location.
“This is a good wakeup call for ad tech vendors,” Meyers said. “You need to know who’s upstream of you and you also can’t assume that you have consent without verifying.”
Risky business
It’s easy for publishers and even SSPs to be unaware that any of this is happening.
There are numerous handoffs that occur in milliseconds up and down the supply chain to support addressable advertising. If the internet is a series of tubes, then ad tech is a vastly interconnected series of partnerships across a warren of codependent programmatic pipes.
And regulators are getting savvier about how those pipes function and how data flows within and between them. That’s the case even in jurisdictions where consent typically isn’t required, like the US.
But in regions like Europe where it’s illegal not to honor consent-related requests, publishers that don’t have a clear grasp of what their ad tech vendors are doing put themselves at high risk of an enforcement action.
“Understand what you’re deploying and ask questions – lots of questions – about how something works,” Meyers said. “If there’s one takeaway from all this, it’s that there can be a big difference between thinking a solution is privacy safe and actually knowing what it’s doing on your website.”
Unwrapped
Speaking of, it’s time to get back in the weeds, because there’s a little more weirdness to unpack.
Many publishers use a header bidding wrapper to host multiple Prebid modules, such as real-time bidding, user identity and consent management. Some also deploy so-called “secondary wrappers” to outsource specific functions to third parties, like to Identity Hub for identity management.
Sincera, however, observed Identity Hub monitoring Prebid API activity and then replacing identifiers sent to all SSPs within a publisher’s main Prebid wrapper with IDs retrieved by Identity Hub.
This is a practice known as identity stuffing, said Sincera Co-Founder Mike O’Sullivan, and it’s problematic for multiple reasons, including data leakage risk and poor identity performance due to conflicts between the wrappers.
Stuff gets … funky
Overwriting a publisher’s existing identifiers also disregards Prebid’s code of conduct, which states that “the auction layer must not modify bids from demand partners unless specifically instructed to do so.”
A PubMatic company spokesperson told AdExchanger that Identity Hub “does not substitute, overwrite or manipulate identifiers provided by other wrappers unless the identifier is expired.” The spokesperson also said that the tool is only used by publishers to “supplement the bid requests created by other wrappers” and that this is fully the publisher’s choice.
The company later said that it had found a bug in “an outdated version” of Prebid from last year whereby Prebid’s user ID module wasn’t waiting long enough to get the consent signal. This issue was fixed months ago for anyone using the latest version of Prebid.
PubMatic is now “encouraging impacted publishers to update their Identity Hub and Prebid instances so that they are using Prebid 7.0 or above to prevent this issue from occurring,” said Nishant Khatri, PubMatic’s SVP of product management.
Although this is a valid recommendation, the bug that PubMatic points to is unrelated to the consent timeout default in its own Identity Hub product and also doesn’t address the identifier overwriting issue.
Prebid’s code is open source and it’s up to any company that forks one of its GitHub repos, as PubMatic does, to be responsible for their own practices.
PubMatic also emphasized that it would get no financial benefit from altering bid requests, because all parties have access to the same IDs – and that is true.
Which is why the most important takeaway from all of this is that suppliers and their partners should keep regular tabs on themselves, on their vendors and on every tool they deploy.
“I’m partial to the phrase, ‘Be distrustful by design,” O’Sullivan said. “That means, do your own checks – on everything.”
AdExchanger reached out to Prebid about the identity stuffing issue on Tuesday, which was before being alerted to the bug by PubMatic on Thursday afternoon. A Prebid spokesperson said on Tuesday that the organization was unable to comment, but it’s looking into the issue.
