• by Laurie Sullivan  @lauriesullivan, March 9, 2022

Gannett, publisher of USA Today and many other news media sites, provided inaccurate information to advertisers for nine months, misrepresenting where billions of ads were placed, according to researchers.

Sears, Nike, Adidas, Ford, State Farm, Starbucks, Ford, Semrush, Kia, General Motors, Facebook, Marriott, and many others were among the major brands that purchased ad space labeled incorrectly in auctions.

Advertisers thought they bought an ad on one Gannett site, but actually purchased space on another, according to the research. The Wall Street Journal broke the news late Wednesday, but the researchers have detailed explanations for what occurred.

A spokesperson for Gannett told The Wall Street Journal that Gannett “provided the wrong information and that it regrets the error,” which was unintentional. The publisher said “its auctions still had some information, such as page URLs, that would enable advertisers and ad-tech companies to detect the true identity of the website where an ad was being placed.”

The error occurred in May 2021, and was detected and corrected by the company on March 4. It’s not clear how and when the company will issue refunds to advertisers.

Braedon Vickers, an independent ad industry researcher, called the error “domain spoofing” -- when ad inventory is misrepresented as being from a different site.

“USA Today and hundreds of local newspapers owned by Gannett were sending spoofed bid requests to multiple ad exchanges for over 9 months,” Vickers wrote in a post.  

Vickers found the spoofing through header bidding. Scripts running in a browser make the requests that trigger the auctions, so it’s possible to inspect the requests the browser sends to see how Gannett represents the ad inventory, he wrote.

“In September 2021 I noticed that the domains and page URLs included in some of those requests didn’t seem to match the actual page being loaded,” Vickers wrote.

It wasn’t only the domain and page being spoofed. Data about the article section and subsection, keywords, and brand safety was also being provided based on the spoofed page, not the actual page. This spoofed data served up in requests to affected exchanges.

The research was done in collaboration with Krzysztof Franaszek, founder of Adalytics, a crowdsourced social experiment. He examined the ads served in response to header-bidding requests that included spoofed data, and after Vickers discovered the discrepancy, found evidence suggesting advertisers were bidding on spoofed ad inventory via multiple exchanges.

Many companies were involved during the nine months that the spoofing was observed, according to Franaszek.

Several major SSPs, including Magnite, Pubmatic, and TripleLift were observed serving ads when a mis-labeled ad-bid request was submitted.

Human, Pixalate, Oracle Moat, and Integral Ad Science received data about the bid URL mislabeled on Gannett Media websites.

Google’s DV360, Xandr, Adobe, Conversant, The Trade Desk and MediaMath and others were observed serving impressions with inaccurate bid URLs.

Many of the ad-tech vendors involved with the spoofing were “Certified Against Fraud” by third parties, such as the Trustworthy Accountability Group (TAG), according to Franaszek.

This file has been updated to reflect the impact of the human error.