Ad tech companies manage billions of advertising bids across thousands of publishers in a matter of milliseconds.
So, when a privacy error slips through the cracks, it can metastasize into a potential GDPR concern in the blink of an eye.
First, in simple language: Technology developed by PubMatic and deployed on nearly 2,500 websites, including Barstool Sports, Maxim and Time.com, was as recently as this week configured in a way that put sellers and publishers at risk of GDPR violations.
AdExchanger was first alerted to this activity by Sincera, a startup that specializes in gathering and supplying media telemetry data to the ad tech ecosystem. Although Sincera declined to name the SSP, AdExchanger was able to confirm that PubMatic is the company in question by examining code that was shared with us.
PubMatic claims that the issue is due at least in part to a bug within Prebid’s code.
So, what’s happening here, exactly?
Time out
For those who speak ad tech, this is what Sincera observed:
A default setting within Identity Hub, PubMatic’s Prebid-based identity management tool, was set so low as to effectively ignore user consent strings. Separately, the tool was seen to be pushing IDs from Identity Hub into the bid requests of other SSPs within a publisher’s primary wrapper (which is typically a Prebid-based wrapper). More on that later.
When a webpage loads in Europe, publishers need to wait for the user's consent signal before calling an identity provider's API, and to pass that signal along with the call.
But a consent timeout threshold this low makes that impossible: the timeout fires before the consent management platform has answered.
Identity Hub would therefore frequently mark its enrichment requests to identity providers as “GDPR = 0,” presumably meaning that it didn’t believe the law applies in that instance.
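To make the race concrete, here is an added, simplified model (not PubMatic's or Prebid's code) of a consent timeout that is shorter than the CMP's response time, together with the check a publisher could run on the resulting identity call. The CMP latency, timeout values and TC string are constructed; `consentTimeoutMs` stands in for whatever the wrapper's consent-timeout setting is.

```javascript
// Added illustration (not PubMatic's or Prebid's code): a simplified model of
// the race between a consent-management platform (CMP) answering and a
// wrapper's consent timeout firing, plus a check that flags the bad outcome.

// Constructed inputs: how long the CMP takes to return a TC string for an EU
// visitor, and the wrapper's consent timeout (assumed values, in ms).
const SLOW_CMP_MS = 800;
const LOW_TIMEOUT_MS = 50;      // stands in for the too-low default
const SANE_TIMEOUT_MS = 5000;
const SAMPLE_TC = 'TC-STRING-CONSTRUCTED';

// Returns the consent fields an identity enrichment call would carry.
// If the timeout fires before the CMP answers, the module has nothing to
// send and the call leaves with gdpr=0, as the article describes.
function buildIdentityRequest(cmpLatencyMs, consentTimeoutMs, tcString) {
  if (cmpLatencyMs > consentTimeoutMs) {
    return { gdpr: 0, consentString: null, waitedMs: consentTimeoutMs };
  }
  return { gdpr: 1, consentString: tcString, waitedMs: cmpLatencyMs };
}

// Publisher-side check: for a visitor in GDPR scope, an identity call that
// leaves with gdpr=0 or without a consent string is a finding to escalate.
function auditIdentityRequest(req, visitorInGdprScope) {
  const findings = [];
  if (!visitorInGdprScope) return findings;
  if (req.gdpr !== 1) findings.push('gdpr flag is 0 for a visitor in scope');
  if (!req.consentString) findings.push('no consent string on identity call');
  return findings;
}

// Compare the two timeout settings for the same slow CMP and EU visitor.
function compareTimeouts() {
  const low = buildIdentityRequest(SLOW_CMP_MS, LOW_TIMEOUT_MS, SAMPLE_TC);
  const sane = buildIdentityRequest(SLOW_CMP_MS, SANE_TIMEOUT_MS, SAMPLE_TC);
  return {
    lowTimeoutFindings: auditIdentityRequest(low, true),
    saneTimeoutFindings: auditIdentityRequest(sane, true),
  };
}

console.log(JSON.stringify(compareTimeouts(), null, 2));
```

The same check can be run against real outbound identity calls captured in the browser's network log, which is how a publisher would notice the gdpr=0 pattern without relying on the vendor's description of its tool.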
It’s easy for publishers and even SSPs to be unaware that any of this is happening.
There are numerous handoffs that occur in milliseconds up and down the supply chain to support addressable advertising. If the internet is a series of tubes, then ad tech is a vastly interconnected series of partnerships across a warren of codependent programmatic pipes.
And regulators are getting savvier about how those pipes function and how data flows within and between them. That’s the case even in jurisdictions where consent typically isn’t required, like the US.
But in regions like Europe where it’s illegal not to honor consent-related requests, publishers that don’t have a clear grasp of what their ad tech vendors are doing put themselves at high risk of an enforcement action.
“Understand what you’re deploying and ask questions – lots of questions – about how something works,” Meyers said. “If there’s one takeaway from all this, it’s that there can be a big difference between thinking a solution is privacy safe and actually knowing what it’s doing on your website.”
Unwrapped
Speaking of, it’s time to get back in the weeds, because there’s a little more weirdness to unpack.
Many publishers use a header bidding wrapper to host multiple Prebid modules, such as real-time bidding, user identity and consent management. Some also deploy so-called “secondary wrappers” to outsource specific functions to third parties, like to Identity Hub for identity management.
Sincera, however, observed Identity Hub monitoring Prebid API activity and then replacing identifiers sent to all SSPs within a publisher’s main Prebid wrapper with IDs retrieved by Identity Hub.
Overwriting a publisher’s existing identifiers also disregards Prebid’s code of conduct, which states that “the auction layer must not modify bids from demand partners unless specifically instructed to do so.”
A PubMatic company spokesperson told AdExchanger that Identity Hub “does not substitute, overwrite or manipulate identifiers provided by other wrappers unless the identifier is expired.” The spokesperson also said that the tool is only used by publishers to “supplement the bid requests created by other wrappers” and that this is fully the publisher’s choice.
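To show the difference between the two behaviours described above, here is an added publisher-side check (not Identity Hub's or Prebid's code) that merges a secondary tool's IDs under the "supplement, refresh only if expired" policy, contrasts it with wholesale replacement, and reports which live publisher IDs were overwritten. All ID names, values and timestamps are constructed.

```javascript
// Added illustration (not Identity Hub's or Prebid's code): a publisher-side
// check that a secondary identity tool only supplements the IDs the primary
// wrapper attached to a bid request, and never replaces a live one.

const NOW = 1700000000; // constructed clock, unix seconds

// Constructed sample: the primary wrapper's own user IDs with expiry times.
const publisherIds = {
  idA: { value: 'pub-idA-001', expires: NOW + 3600 }, // still valid
  idB: { value: 'pub-idB-002', expires: NOW - 60 },   // already expired
};

// Constructed IDs a secondary identity tool wants to add.
const hubIds = { idA: 'hub-idA-111', idB: 'hub-idB-222', idC: 'hub-idC-333' };

// The policy PubMatic describes: fill gaps and refresh expired IDs only.
function mergeIds(existing, incoming, now) {
  const out = {};
  for (const [name, id] of Object.entries(existing)) out[name] = id.value;
  for (const [name, value] of Object.entries(incoming)) {
    const current = existing[name];
    if (!current || current.expires <= now) out[name] = value;
  }
  return out;
}

// The behaviour the article says Sincera observed: every ID replaced.
function overwriteIds(existing, incoming) {
  const out = {};
  for (const [name, id] of Object.entries(existing)) out[name] = id.value;
  return Object.assign(out, incoming);
}

// Audit: names of live publisher IDs that were changed or dropped in the
// outgoing request. Expired IDs are ignored, since refreshing them is allowed.
function detectOverwrites(existing, outgoing, now) {
  return Object.entries(existing)
    .filter(([name, id]) => id.expires > now && outgoing[name] !== id.value)
    .map(([name]) => name);
}

console.log('supplement policy:', detectOverwrites(publisherIds, mergeIds(publisherIds, hubIds, NOW), NOW));
console.log('overwrite policy:', detectOverwrites(publisherIds, overwriteIds(publisherIds, hubIds), NOW));
```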
The company later said that it had found a bug in “an outdated version” of Prebid from last year whereby Prebid’s user ID module wasn’t waiting long enough to get the consent signal. This issue was fixed months ago for anyone using the latest version of Prebid.
PubMatic is now “encouraging impacted publishers to update their Identity Hub and Prebid instances so that they are using Prebid 7.0 or above to prevent this issue from occurring,” said Nishant Khatri, PubMatic’s SVP of product management.
Although this is a valid recommendation, the bug that PubMatic points to is unrelated to the consent timeout default in its own Identity Hub product and also doesn’t address the identifier overwriting issue.
Prebid’s code is open source and it’s up to any company that forks one of its GitHub repos, as PubMatic does, to be responsible for their own practices.
PubMatic also emphasized that it would get no financial benefit from altering bid requests, because all parties have access to the same IDs – and that is true.
Which is why the most important takeaway from all of this is that suppliers and their partners should keep regular tabs on themselves, on their vendors and on every tool they deploy.
“I’m partial to the phrase, ‘Be distrustful by design,’” O’Sullivan said. “That means, do your own checks – on everything.”
AdExchanger reached out to Prebid about the identity stuffing issue on Tuesday, which was before being alerted to the bug by PubMatic on Thursday afternoon. A Prebid spokesperson said on Tuesday that the organization was unable to comment, but it’s looking into the issue.