Sellers.json and SupplyChain Object Ready for Industry Adoption

The Problems Solved by sellers.json and SupplyChain, and all the Clickbait Titles You Will (hopefully) not Have to Read this Year

throw out this vegetable!

By Sam Tingleff and Jennifer Derke

What’s new?

After a thorough public comment period with OpenRTB Working Group feedback and review, the sellers.json and SupplyChain object specifications are now finalized and ready for full industry adoption. Access the specs here: sellers.json, SupplyChain object.

With the finalization of these specs, and supporting resources in the FAQ, we expect to see industry adoption throughout 2019. Any early adopters should update their implementations to comply with these final specifications. Learn more in the FAQ/Implementation guidelines document.

The Problem

sellers.json and SupplyChain together are intended to solve for one simple problem: providing buying platforms (DSPs) and intermediaries with transparency into the origins, paths, and legitimacy of ad inventory as it arrives on their front doors.

With this data, platforms are empowered to make impression-level business decisions, for example:

  • Validating the complete financial path through corresponding ads.txt entries;
  • Blocking impressions traveling through particularly untrustworthy intermediaries, where “untrustworthiness” comes from out-of-band data such as a (lack of) TAG certification or a poor previous experience;
  • Blocking impressions passing through more than n intermediaries, where the value of n could be at the discretion of the buyer or platform-wide;
  • SPO (supply path optimization) to prioritize spend through shorter or preferred paths relative to longer or less preferred paths.

If you have not yet read both of these specifications, please go do so. They work together, and without some understanding of both of them, none of the following will make any sense.

So, what gut-doctor-vegetable clickbait headlines might you read later this year when sellers.json “fails” to solve every problem in advertising?

This SupplyChain Exploit is Driving up Ad Fraud!

This article would describe an “exploit” in which an intermediary erases any previous SupplyChain object and sends bid requests with a new chain and a “complete” value of 1.

{
 ...
 "schain": {
   "complete": 1,
   "ver": "1.0",
   "nodes": [
    "asi": "directseller.com",
    "pid": "2849234",
    "rid": "EB383F1F-0881-4650-8480-E50DBC80BE7D"
   ]
 }
}

Suppose this intermediary is listed in ads.txt only as an authorized RESELLER. The supposed exploit here is that the reseller claims to have a direct relationship and relies on downstream ignorance around ads.txt enforcement (ignoring the distinction between RESELLER and DIRECT).

We can debunk this attack on the SupplyChain object twofold;

  1. Until SupplyChain, DSPs had little reason to differentiate DIRECT and RESELLER. Now they do, and they will! A platform which is only authorized by the publisher as a reseller is unlikely to be considered authorized when claiming to be direct.
  2. The same activity could have occurred all the time prior to sellers.json/SupplyChain; now buying platforms have the tools to confirm the legitimacy.

The #1 sellers.json Hack Doctors Hate!

In this “exploit”, an attacker attempts to reuse an anonymous sellers.json entry in a quest for legitimacy. First, a confidential sellers.json record is found on exchange.example.com:

{
  "seller_id": "9BB83CA0",
  "is_confidential": 1,
  "seller_type": "PUBLISHER"
}

Next, the attacker adds this entry to their own ads.txt record on some malicious domain:

 

placeholder.example.com, 9BB83CA0, DIRECT

 

Oh no! Now this domain is authorized!!!

Sorry, no. For one thing, attempting to monetize traffic on this domain using the provided seller id (“9BB83CA0”) would (if allowed by the exchange at all, which is unlikely) result in payment to the original, legitimate publisher. Which defeats the point of the fraud entirely.

The Three SupplyChain Problems Your Platform Won’t Tell You About!

To be clear, sellers.json and the SupplyChain won’t solve everything. Here are at least three problems they can’t solve:

  1. The complete elimination of fraud from digital advertising. Sorry.
  2. Cryptographic verification of a declared SupplyChain path. We think this is important, and we’ll get there eventually with ads.cert or a derivative.
  3. Discrepancies. Ask any ad tech engineer: the three hardest problems in computer science are cache invalidation, naming things, and campaign discrepancies (original credit to Martin Fowler).

Thanks for tuning in to this blog post. We hope you’ll implement sellers.json and SupplyChain object. The FAQ/Implementation guidelines are extensive, and most of your questions should be answered within the documentation. The path to supply chain transparency has many steps, and with these specs now published, we encourage you to take this step with the industry.

Leave a Reply