Malicious publisher group could influence auctions for other publishers #4
Comments
The PUFFIN value is only affected by impressions that actually happen, which means that for each price entering into the calculation, some advertiser was willing to pay that amount and the user was willing to visit the page that had that ad on it. A publisher, or group of colluding publishers, can't move the PUFFIN just from the publisher side. If they tried setting their own floor higher than the market would bear, they wouldn't get the contextual ad.
There's no need for having a market if you are a colluding set of publishers that is malicious; the point is for them to set a bad (too high) series of values for purchased impressions. Money doesn't need to be exchanged with anyone.
The PUFFIN for a user is independent of any floor set by the publisher (or by a group of publishers colluding). It can't go too high, because it only moves up if a bidder agrees to buy a contextual impression at a value higher than that user's existing PUFFIN. (If all the winning impressions to a user were interest group impressions, the PUFFIN would remain at 0.)
So this is from the spec:
This means that if I as a publisher, together with a buyer, decide to show in the browser that we're paying $200 for contextual ads, then for this browser to be shown any interest based ads, someone needs to pay at least $200 no matter what publisher they are on. Am I reading it wrong? Now that I've built such a mechanism I can arbitrarily raise that value to $40000. There's no real need for the buyer and publisher later to actually exchange that money because it's not legally mandated.
You are reading it right. If the user really only visits sites that are part of the colluding group, then yes, the PUFFIN would only reflect the high contextual bids that the colluding group agreed to make. For a normal user who visits the sites of multiple publishers the PUFFIN would move depending on all the contextual ads they end up seeing. The PUFFIN is a rolling average for the prices of all winning contextual ads for that user. The colluding group can't prevent non-members' contextual ads from winning auctions and being seen, since PUFFIN only applies to interest group ads. The user's visits to non-member publisher sites would pull the PUFFIN back down. Could an advertiser and a publisher collude to place fake $40,000 impressions to raise the PUFFIN for the publisher's audience? It seems like it would not be worth it just to move the PUFFIN up, because they would end up incurring fees based on a percentage of the $40,000.
I'm not sure I think you can really dismiss a threat like that by saying it isn't worth it. And the fact that they visit other sites seems a bit irrelevant; one can place a fake huge price that simply will never really average to anything meaningful. And interest based ads are a revenue stream for other sites, maybe not yours, so influencing those from a third party site should indeed qualify as a threat to their business revenue.
Does this problem go away if (because of some other security and/or anti-fraud fix) an advertiser and publisher can no longer report a fake price to the browser? Or if a fake price can be sent but it is disregarded for calculating PUFFIN?
I think without looking at a geometric mean for the floor setting, or at least siloing the floor on a per-publisher basis, the behavior explained in the spec could lend itself to a set of malicious publishers setting very high contextual prices with the purpose of making bids more difficult for other do-good publishers.
As mentioned somewhat already, I think siloing the floor setting on a per-pub basis would alleviate this issue.
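To make the disagreement in this thread concrete, here is an added toy simulation (not code from the PUFFIN spec, the project, or any commenter). It models the per-user floor as the rolling arithmetic mean of winning contextual prices, as the thread describes, then injects one constructed $40,000 price from a colluding publisher and compares three ways of computing the floor: the plain arithmetic mean, the geometric mean suggested above, and per-publisher siloing. It also includes a simple outlier check of the kind the "disregarded for calculating PUFFIN" question alludes to. The class and function names, the sample impression log, and the ten-times-median threshold are all assumptions made for this illustration.

```python
"""Toy simulation of a per-user price floor ("PUFFIN") computed from winning
contextual ad prices, and of how a single injected fake price affects it.

Added example, not code from the PUFFIN spec or the project: the class and
function names, the sample impressions and the mitigations shown (geometric
mean, per-publisher siloing, median-based outlier check) are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from math import exp, log
from typing import Dict, List


@dataclass(frozen=True)
class Impression:
    """One winning contextual impression seen by a single user (constructed)."""
    publisher: str   # site the ad was shown on
    price: float     # clearing price reported to the browser, in dollars


def arithmetic_mean_floor(imps: List[Impression]) -> float:
    """Rolling arithmetic mean of all winning contextual prices for the user."""
    if not imps:
        return 0.0
    return sum(i.price for i in imps) / len(imps)


def geometric_mean_floor(imps: List[Impression]) -> float:
    """Geometric mean: a single huge outlier moves it far less than the arithmetic mean."""
    prices = [i.price for i in imps if i.price > 0]
    if not prices:
        return 0.0
    return exp(sum(log(p) for p in prices) / len(prices))


def siloed_floors(imps: List[Impression]) -> Dict[str, float]:
    """Per-publisher floors: a publisher's reported prices affect only its own floor."""
    by_pub: Dict[str, List[Impression]] = defaultdict(list)
    for i in imps:
        by_pub[i.publisher].append(i)
    return {pub: arithmetic_mean_floor(lst) for pub, lst in by_pub.items()}


def flag_outliers(imps: List[Impression], factor: float = 10.0) -> List[Impression]:
    """Anti-fraud check (assumed): flag prices more than `factor` times the median.

    A reported price far above everything else this user has been shown is a
    candidate for being disregarded when the floor is computed.
    """
    prices = sorted(i.price for i in imps)
    if not prices:
        return []
    median = prices[len(prices) // 2]
    return [i for i in imps if i.price > factor * median]


# Constructed sample: the user visits four honest publishers, then one
# colluding publisher reports a single fake $40,000 contextual price.
HONEST = [
    Impression("news.example", 2.00),
    Impression("sports.example", 1.50),
    Impression("recipes.example", 2.50),
    Impression("weather.example", 1.00),
]
FAKE = Impression("collude.example", 40000.00)
ALL = HONEST + [FAKE]


def floors_with_and_without_fake() -> Dict[str, float]:
    """Compare the floor each method produces before and after the fake price."""
    return {
        "arith_honest": arithmetic_mean_floor(HONEST),
        "arith_poisoned": arithmetic_mean_floor(ALL),
        "geo_honest": geometric_mean_floor(HONEST),
        "geo_poisoned": geometric_mean_floor(ALL),
        # the honest publisher's own floor is untouched when floors are siloed
        "silo_news_poisoned": siloed_floors(ALL)["news.example"],
    }


if __name__ == "__main__":
    for name, value in floors_with_and_without_fake().items():
        print(f"{name:>20}: ${value:,.2f}")
    print("flagged as outliers:", flag_outliers(ALL))
```

Running it shows the point both sides are circling: the arithmetic mean jumps from $1.75 to roughly $8,001 on a single fake report, the geometric mean rises only to about $12, and the siloed floor for the honest publisher stays at $2.00. None of these is free of trade-offs (the geometric mean is still moved, and siloing changes what the floor means), but the simulation makes it easy to reason about which mitigation the thread is actually asking for.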