Viewability Measurements Are Lying to You, Here's How

Cross-domain (XSS) security restrictions built into all browsers

Fundamental browser security (built into the very first browsers ever made) prevents cross-domain communications. That means contents in one iframe cannot read the contents or actions taking place in another iframe if the contents are not from the same origin (same domain). This is necessary because if one iframe could read the content and actions of another iframe then ads served on a banking website could easily steal logins and passwords. (But this is moot if the javascript is installed on the page - see: Covert Collection of Logins, Passwords, and Mass Surveillance.)

Javascript in foreign ad iframes cannot see outside of itself

The javascript ad tags that advertisers use to measure viewability and fraud ride along with the display ad when it is served. The display ad creative and the javascript tag are served inside a "foreign" iframe (not from the same domain) on a publisher's website. Because of the cross-domain security restrictions mentioned above, the javascript inside the foreign iframe cannot read any content or see any actions (e.g. mouse movements, page scrolling, or clicks) on the publisher's page. It therefore cannot see itself -- that is, where the iframe itself is on the page. That means it won't know if it is above the fold or below the fold. Furthermore, because it cannot read any characteristics of the parent page, it cannot tell if the parent page itself is inside another iframe, e.g. a 1x1 or 0x0 pixel iframe.

The only reliable measurement of viewability is if the JS tag is installed on the publishers' pages directly, as first party javascript -- like Moat. 
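
An added illustration of the restriction described above (not the author's code or any vendor's tag): a probe that records what a script can learn about the page embedding it. `probeFrameContext` and the two stand-in factories are hypothetical names, and the stand-ins are constructed objects that mimic a cross-origin and a same-origin frame so the block runs outside a browser.

```javascript
// Added example. probeFrameContext and the stand-in factories are hypothetical
// names; the stand-ins are constructed objects that mimic browser behaviour.
function probeFrameContext(win) {
  const result = {
    framed: win.self !== win.top,   // comparing window references is always allowed
    parentReadable: false,          // can the script read the embedding page?
    framePosition: null,            // where its own iframe sits in that page
    ownViewport: { width: win.innerWidth, height: win.innerHeight },
  };
  if (!result.framed) {             // script runs in the top-level page itself
    result.parentReadable = true;
    return result;
  }
  try {
    void win.top.location.href;     // throws SecurityError across origins
    result.parentReadable = true;
    if (win.frameElement) {         // null when the embedder is cross-origin
      const r = win.frameElement.getBoundingClientRect();
      result.framePosition = { top: r.top, left: r.left };
    }
  } catch (err) {
    if (err.name !== "SecurityError") throw err;
  }
  return result;
}

// Tag inside a cross-origin ad iframe: any read of the top page throws.
function makeForeignFrame(width, height) {
  const topPage = {
    get location() {
      const e = new Error("Blocked a frame from accessing a cross-origin frame.");
      e.name = "SecurityError";
      throw e;
    },
  };
  const win = { top: topPage, frameElement: null, innerWidth: width, innerHeight: height };
  win.self = win;
  return win;
}

// Script in a same-origin iframe: the embedding page and frame rect are readable.
function makeSameOriginFrame(width, height, rect) {
  const topPage = { location: { href: "https://publisher.example/" } };
  const frameElement = { getBoundingClientRect: () => rect };
  const win = { top: topPage, frameElement, innerWidth: width, innerHeight: height };
  win.self = win;
  return win;
}
```

For the foreign frame the probe returns the ad slot's own 300x250 viewport and nothing about the embedding page, which is the same result whether or not that page is itself hidden in a tiny frame.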

Cash-out sites are massively scalable and 100% viewable

Since bad guys cheat, why stop at sticking 131 ads on a page? Why not stick that entire page inside a 1x1 iframe and put 100 of these iframes on a page? With a single bot hitting a single page, it can generate 13,100 ad impressions, all of which are measured as viewable. Viewability is not a good measure of quality or usefulness in driving business impact; it cannot even be measured accurately given the cross-domain restrictions of all browsers.

We looked in our data for visits to webpages where the window was 0x0, to see how prevalent this form of fraud was. And look at what we found: between 5 and 10% of the time, depending on the campaign or website. Clearly window 0x0 and window 1x1 visits were very strongly correlated with bots (dark red). And the 0x0 pixel phenomenon is strongly associated with mobile (the 94% green vertical bar), while the 1x1 pixel case is associated with desktop.
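
A sketch of the kind of check described above, run over visit records to find the share of 0x0 and 1x1 windows per campaign and their device split. This is an added example, not the author's analytics code; the record fields (`campaign`, `device`, `winW`, `winH`) are an assumed schema and the sample records are constructed.

```javascript
// Added example, not the author's code. Field names (campaign, device, winW,
// winH) are an assumed schema for first-party analytics records.
const SAMPLE_VISITS = [ // constructed sample data
  { campaign: "cmp-1", device: "mobile",  winW: 0,    winH: 0 },
  { campaign: "cmp-1", device: "desktop", winW: 1,    winH: 1 },
  { campaign: "cmp-1", device: "desktop", winW: 1440, winH: 900 },
  { campaign: "cmp-1", device: "mobile",  winW: 390,  winH: 844 },
  { campaign: "cmp-2", device: "desktop", winW: 1920, winH: 1080 },
  { campaign: "cmp-2", device: "mobile",  winW: 412,  winH: 915 },
  { campaign: "cmp-2", device: "desktop", winW: undefined, winH: undefined },
];

// Label a visit by its reported window size; missing values are kept apart
// rather than being counted as normal.
function classifyWindow(v) {
  if (!Number.isInteger(v.winW) || !Number.isInteger(v.winH)) return "unknown";
  if (v.winW === 0 && v.winH === 0) return "0x0";
  if (v.winW === 1 && v.winH === 1) return "1x1";
  return "normal";
}

// Per campaign: counts per label, device split of the suspect labels, and
// the share of visits with a 0x0 or 1x1 window.
function summarize(visits) {
  const out = Object.create(null);
  for (const v of visits) {
    if (!out[v.campaign]) {
      out[v.campaign] = { total: 0, counts: {}, suspectByDevice: {} };
    }
    const row = out[v.campaign];
    const kind = classifyWindow(v);
    row.total += 1;
    row.counts[kind] = (row.counts[kind] || 0) + 1;
    if (kind === "0x0" || kind === "1x1") {
      const key = `${kind}/${v.device}`;
      row.suspectByDevice[key] = (row.suspectByDevice[key] || 0) + 1;
    }
  }
  for (const row of Object.values(out)) {
    const suspect = (row.counts["0x0"] || 0) + (row.counts["1x1"] || 0);
    row.suspectShare = suspect / row.total;
  }
  return out;
}

// Campaigns whose suspect share meets a threshold the analyst chooses.
function flagCampaigns(summary, threshold) {
  return Object.keys(summary).filter((c) => summary[c].suspectShare >= threshold);
}
```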

So the ads that are reported as "viewable" by standard javascript based measurement platforms are lying to you -- because they are reporting impressions as viewable when they are not. 

See also: On-Site Javascript Trackers Open Gaping Security Holes

About the Author:  “I advise advertisers, publishers, and agencies on the technical aspects of fighting digital ad fraud and improving the effectiveness of digital advertising. Using forensic technologies and techniques I help to assess the threat and recommend countermeasures to combat fraud and improve ROI.”  

Follow me here on LinkedIn and on Twitter @acfou

Further reading:  http://www.slideshare.net/augustinefou/presentations

Anh-Tuan GAI

CEO, co-founder @ Adagio

6y

Could you update your post based on browser optimisation (Flash based) and new solutions throttle rendering pipeline and Intersection observers?

Chris Liberti

Head of Web Data and Infrastructure

7y

How about vendors who use browser optimization signals to bypass the hostile iframe condition?

Dr. Augustine Fou

FouAnalytics - better analytics for your media - "see Fou yourself"

7y

Or if you really really wanted to place ads on long tail sites, take a few minutes to manually check a few of them. Let me know what you find (not you Ken). You might wonder if any human would ever go to those sites. And you'd be right to wonder -- those sites were never created to provide good, useful content for human readers anyway, just to carry lots of ads and be visited by bots. The bots don't care about the quality of the content; they are there just to load the pages to cause the fake ad impressions, for which they get paid.

Dr. Augustine Fou

FouAnalytics - better analytics for your media - "see Fou yourself"

7y

Or go with premium publishers who already have directly measured viewability with on-site javascript. (i.e. skip the long tail sites that belong to ad exchanges, where the viewability has to be estimated by 3rd party JS in a foreign iframe).

Kenneth Zinn

Chief Marketing Officer @ American Bar Association | MBA, CEAE, OMCP

7y

Brilliant job explaining the issue! Now who fixes it!? Auditors have no means, browsers can't breach security, media buyers don't care. DSPs? Ad Servers? Meanwhile the advertiser continues to lose.
