Cybersecurity Firm DEVCON Says It Can Knock Out ‘Bad Ads’ Costing Publishers Billions
Just about everyone knows ad fraud is big. The latest estimate is that it will hit $19 billion by the end of 2018, and publishers bear most of that cost through loss of revenue. But though it’s been happening for years, since programmatic advertising started, ad fraud keeps getting worse, and there have been no good answers why.
Now, the cybersecurity company DEVCON, which says its executive team has “30 years of combined commitment to journalism,” claims it has foolproof solutions to end ad fraud and stop publishers from losing millions of dollars daily to fraudsters. To help prove itself, DEVCON is offering a basic free service, called “FREEDOM for MEDIA,” to every publisher.
In this Q&A, DEVCON co-founder and CEO Maggie Louie details how she says her company halts “bad ads” before they victimize publishers and their readers.
To begin with, whose problem is ad fraud?
It’s not a network problem, it is not a publisher problem, a consumer problem—it’s an industry problem. But, the threats are not from bad actors within the industry—they’re coming from criminal attackers outside the industry who are exploiting the ad-tech ecosystem and deploying a wide variety of attacks to steal money, consumer data, computing power, traffic and much, much more.
Ad fraud has been around for years, and it keeps growing, but the industry’s solutions have been piecemeal. What’s different about “FREEDOM for MEDIA”?
The benchmark has always been, “How much of your traffic is fraudulent, Mr. Naughty Publisher? You better pay someone to audit that traffic!” But publishers are saying, “We’re not trying to inflate our traffic or game the system, and now we’re being penalized and being told that 10% to 15% of our traffic is fraudulent.”
But our research is showing that publishers are the real victims, not only in the revenue criminals have been stealing but also in how they can game publisher sites and steal the data, the targeting, and also being able to deploy an attack against their audience.
We’ve been able to say to publishers for the first time, “Hey, when you’re blocking, we can not only show you who the bad actors are and how they are getting into your programmatic pipe, but we also can actually quantify the ROI of blocking it.
Finally, publishers can finally validate that it’s not them doing this, and we can show who is doing this. This is a major change in how we model out the reconcile for the payment of ads. To penalize publishers for any kind of perceived fraud that’s not coming from them doesn’t make sense.
What would publishers get with your “FREEDOM for MEDIA” free access to DEVCON software?
From our four major products, we’ve opened up free access for news publishers, some of whom don’t have the resources to pay for the service. With the free tier, publishers will be able to see every bad ad that is hitting their sites, the campaign ID, the type of bad ad, the severity of the exploit, and the network it came from. They’ll also get a daily email summary of all alerts of all attacks, unverified tags and revenue dips. By granting publishers free access to the DEVCON yield manager, we are able to quantify the attacks and develop industry-wide research on the revenue impact of these bad ads and the effects of blocking them.
The data is shocking. So far, just in the first 90 days, we can see on average a 26% increase in network revenue when sites are blocking bad ads. We also see a dramatic drop off of attacks after 60 days. That’s really driven by hacker ROI. After 60 days of spending money to attack sites that are blocking attacks, they just move on to sites that are more easily exploited. Think of it like an ADT sign in the yard.
We heard a lot about ad.text and ad.cert as verification tools to fight fraud. Are they effective?
The reality today is that trying to do real-time verification before the programmatic buy is made is challenging. In the world of RTB (Real-Time-Bidding) and programmatic revenue, speed is everything. Trying to use blockchain or really any type of real-time verification carries with it not only latency issues, but scale issues, to the magnitude of billions of immutable records a day. While I think we all agree that real-time verification is needed, I don’t think that post-audit reconciliation is a true solution. i.e., hackers don’t publish their tags, and they use ad accounts, tags, and domains like burner phones.
So, are ad.text and ad.cert obsolete?
By all means, no! These are great initiatives and demonstrate how focused the industry is at solving the problems and closing the loops. We’re integrating with ads.txt so we can make value of the data that’s put out there by publishers. We provide a one-touch, automated process that validates all tags on a site and alerts publishers whenever a non-verified tags show up. They can then whitelist or blacklist that tag and ether block it from their site or add it to their ads.txt file with a new txt file our platform generates.
How will DEVCON make money?
With our paid tier, we filter out/block all the bad ads. You continue to make money from the good ads. Without blocking, if you’re a publisher and you see a mobile pop-up coming and your consumers are calling and complaining, you’re going to try and figure out which network it’s coming from. During this process, you will lose all the money you would have made from that network.
We look for the actual exploit code that we have signatures for, and we’re filtering just that bad code and letting all the good ads continue to run.
On the free tier, we’re showing you which ad networks and which ad creative IDs are infected. It even links to your exact creative in the campaign within DFP [an intermediary ad server between publishers’ ad inventory and ad networks], so you’re still saving a lot of time. Obviously our real-time blocking removes the need to do anything, but for publishers who honestly just can’t afford anything, this option is great.
How much can a publisher lose who doesn’t have blocking?
When a publisher turns off a network, that can cost $3,000 a day in lost revenue. Our pricing is not even half that amount per month. Publishers who are really being hit by ad fraud and want to monetize their inventory can see a really huge lift from our premium service.
What about the small, independent local news publisher who has one site? Will he or she be able to afford your premium services?
Yes, the cost of the lowest tier is $20 a month. If you’re only doing a million impressions a month, you can protect yourself with our services that will cost as little as $1,000 a month. If you’re a bigger publisher, your cost will still be reasonable. Our lower-tier Enterprise tool is available to Local Media Association members for $1,500 a month. It provides unlimited blocking for up to 25 million impressions a month.
Would you quantify what a publisher could expect to save in lost ad revenue with your premium service?
Publishers will see a 20% to 26% increase in their normal revenue.
What are examples of the kind of ad fraud that bedevil publishers and which you say you can stop cold?
How would you characterize the effectiveness of your system to fight ad fraud?
It’s like the Norton anti-virus. It will eliminate the problem, and it will provide you with the tools and data you need to understand the problem at scale and how it affects your revenue and how you can manage it.
By creating the data that’s needed, you’re going to see more and more announcements like the recent one from the U.S. Department of Justice. With consequence comes barrier to entry.
The more evidence we get at scale and the impact on publishers, that should really get the DOJ and the FBI engaged. We’ve brought to DEVCON the former head of the FBI’s cyber-threats investigations. He’s now our head of global cyber.
Summing up what you’re doing, can ad fraud, instead of continuing to grow, be reduced to a minor problem in a reasonable period of time?
I hope so, but there isn’t a silver bullet. It will take collaboration, with government, private software companies with information specific to industries and discrete domain expertise, as well as industry leaders from all sides: publishers, ad tech companies, advertisers and agencies. With that we can put up strong walls of defense, real consequences and higher standards that will safeguard the industry and consumers.