Server-side ad insertion is common in CTV environments, but a few high profile fraud schemes like ICEBUCKET have exposed its vulnerabilities. In this piece Daniel Elad, chief strategy officer at TheViewPoint, a CTV monetisation platform, explains why SSAI has risks attached to it, and why the industry needs stop allowlisting SSAI servers by default.
The growth of CTV viewing during the pandemic is drawing more attention to the role of SSAI – server-side ad insertion. SSAI is very common in CTV environments, with a recent Pixalate report finding that in Q1 this year, 40 percent of all programmatic OTT/CTV impressions were delivered via SSAI.
But there are still many within the industry who view SSAI technology with caution. It has been crucial in helping to grow ad-supported OTT, but at the same time SSAI is fraught with the risk of ad fraud.
What SSAI brings to the table
Unlike traditional video ad serving, where ad requests originate on the client-side and ad content is delivered separately via a third-party ad server, SSAI allows the delivery of ads and the video content in a single stitched stream. This helps to eliminate video latency, which significantly improves the viewer experience.
SSAI was originally created to help publishers bypass ad-blocking measures and provide users with a better viewer experience, eliminating any latency issues and buffering. But SSAI has a number of other benefits too, including:
- Transparency: SSAI provides publishers with metrics and insights into the supply chain, and ensures transparency.
- Measurement: SSAI can take care of most of the data management and measurement attribution across OTT and CTV environments, which is essential for platforms like Roku or PlayStation. And with SSAI, publishers don’t need to get too sophisticated with client-side code.
- Fraud analysis: So far, there’s still no one-size-fits-all solution, but progress has been made on identifying untrustworthy servers, and blocking/allowing their activities more efficiently.
The dark side of SSAI
But on the other hand, SSAI integrations are extremely vulnerable to ad fraud schemes. And as ad spends shift to OTT and CTV channels, SSAI is ripe for exploitation on a large scale. This is due in part to the tendency in the industry to allowlist all SSAI servers. This security gap in SSAI allows fraudsters to spoof user requests by faking all the associated HTTP header fields, and other actions and interactions with ads.
There are also broader risk factors across the CTV and OTT landscape in general, not specifically related to SSAI. We saw two big examples of this recently: Monarch and DiCaprio.
Put briefly, the DiCaprio scheme spoofed ad requests, imitating real users interaction with an app (accessing it via real users devices). This resulted in a violation of 114 unique Roku store URLs, 98 unique app Bundle IDs, and at least 134 unique app names.
While the DiCaprio scheme was implemented mainly through users’ mobile devices, the more recent case, Monarch, performed spoofing on actual OTT/CTV devices and apps.
These cases have different mechanisms behind them, but both show how easily scammers can abuse security loopholes within OTT and CTV, with the help of SSAI. And big name brands like Lexus, Uber, Chipotle, have tended to be the main target of fraudsters.
Combatting Invalid SSAI Transactions
For every action, there is a reaction, and we’ve seen a number of efforts develop within the industry to tackle these problems.
For instance, IAB Tech Lab is working closely with the Advanced TV committee to craft guidelines for improving measurement in SSAI, and more broadly across OTT/CTV advertising.
And there is work under way towards accreditation of SSAI measurement metrics. These metrics include the OTT and CTV environment where an ad was shop, display tracked ads and impressions, and SIVT (sophisticated invalid traffic) detection and filtration across display and video within desktop and mobile environments.
And Pixalate has developed solutions to help evaluate both individual IP addresses and the overall reputation of a proxy server without going “all-in” (allowlist) or “all-out” (blocklist) on proxy servers.
By working together on standards, guidelines, and metrics, as well as pushing for faster adoption of all these things, the industry can maintain the benefits of SSAI within CTV while cutting out its risks.
