A Colossal Mess

No one could avoid the mess of allegations and lawsuits relating to the SSP Colossus, so we go deep on everything you need to know. And the pod this week focuses on attribution and MMM.


RainBarrel is a cookieless, consented audience graph that helps advertisers interact with their best-fit customers. Digital advertising shouldn’t be a black box — which is why RainBarrel was created by media buyers, for media buyers. Get started with RainBarrel audiences on DV360, The Trade Desk, LiveRamp, and more, or try out RainBarrel for free at rbarrel.com.

IAB Tech Lab: Open RTB

For the tenth anniversary of the IAB Tech Lab we have a special series of interviews with the people responsible for the most impactful standards to come out of that organization.

Arguably the spec with he greatest economic impact has to be OpenRTB, or oRTB. Before oRTB every connection between buyer and seller was custom and cumbersome. Bill Simmons of the Trade Desk joins us to tell us how this was fixed.

Due to the generosity of the IAB Tech Lab, these interviews will remain outside the paywall for all users.

Podcast: Ron Jacobson on attribution, MMM, and MTA

Ron is the CEO of Rockerbox, an independent attribution company. He tells us about how modern attribution is working without cookies, and what that means for Media Mix Models (MMM) and Multi-Touch Attribution (MTA).

Also this week we discuss Colossus (see below) and Israeli fake content farms.

Listen to the pod now:

A Colossal mess


The big ad tech news this week was about the SSP Colossus and allegations they were defrauding buyers by replacing low quality user IDs with high value ones. We discuss this at length in this week’s pod, and are covering the facts below.

Who is Colossus?

This, honestly, was my first reaction.

Turns out they do exist. Colossus is an SSP focused on reaching multicultural audiences (their words, from their S1) which was acquired by Direct Digital Holdings, a public company under the ticker $DRCT. The company has both a buy-side and sell-side business, but most of the growth is coming from the SSP. According to their most recent financial filing in 2023 the SSP more than doubled in revenue to $112 million with a take rate of 13.5%.

Interestingly, DRCT is in jeopardy of being delisted after their auditor resigned and the company was unable to file timely financial statements (SEC docs). There is no indication as to why their auditor resigned or whether that is relevant in any way to this discussion.

Adalytics report accuses of fraud

Adalytics is an independent auditor of programmatic advertising, and has been in the news over the past year for pointing out various problems, such as the well-covered existence of the “www3” version of the Forbes website (see previous newsletter).

The Adalytics report claims that the IDs being sent from Colossus to The Trade Desk (“TTD”) were consistently not matching the IDs present when TTD responded to the bid request, and that this phenomenon was not present in other pre-bid integrations. The implication of the report is that this behavior is a form of fraud. The report also indicates that they used TTD for convenience, and the same behavior could be present on other buyers.

It can be a little hard to get your head around what is being alleged here, so let me break it down step-by-step.

Step 1: Prebid loads and allows SSPs to collect data and send that data to their servers for auction. In this step, the identity of the user is the SSP’s identity, not the DSP’s identity. Even if the browser has a set cookie from TTD or another buyer, the SSP cannot read that cookie since cookies are domain specific.

Step 2: Colossus uses BidSwitch to manage auctions. Colossus looks up the BidSwitch ID that corresponds to the Colossus ID in a match table Colossus hosts, and sends a requests to BidSwitch with this matched ID. This is the step that could have shenanigans, since the SSP could send BidSwitch the wrong ID, either on purpose or by accident.

Step 3: BidSwitch looks up the IDs of all of Colossus’ trading partners and sends auction requests to them with the buyers’ IDs in the uid field. TTD at this point should be getting their own ID in the bid request, and it should, most of the time, match the ID that’s actually on the user’s browser.

Step 4: TTD’s bid response is sent through and appears in the browser. In this response, TTD repeats back the uid they were sent. Here is where Adalytics is noticing the discrepancy. TTD can also detect the discrepancy because when they run the ad’s code on the browser they can natively read their own ID from the browser, and see that it doesn’t match.

AdExchanger gets more context

Here’s where it starts going off the rails. James Hercher of AdExchanger covers the Adalytics report and gets a lot of interesting background. The whole article is worth reading, but the highlights include:

  • Colossus throws BidSwitch under the bus, says it’s their fault. BidSwitch (owned by Criteo) denies this.

  • Google’s DV360 had previously turned off Colossus for quality issues, then turned them back on.

  • TTD says they don’t include Colossus in buys by default because of known quality issues but that they allow individual buyers to target. Curious.

“The Trade Desk Marketplace Quality team has been aware of issues with the SSP mentioned in the Adalytics report for more than a year,”

—TTD statement regarding Colossus

Colossus strikes back

Living up to their brand name, Colossus wasn’t going down easy. A couple of days later they filed suit against Adalytics.

Colossus also published an explainer video showing how the browser’s cookie can sometimes not match the cookie returned by the bid response.

You can make your own judgement, but I spoke with several industry experts who made the case that this video is unpersuasive in multiple ways. Foremost, the video does not show any real-world context in which the browser’s cookie was set in a seemingly incorrect way, nor how the server-side match tables may have been involved. Sincera CEO Mike O’Sullivan whipped up his own video showing a similar set of actions.

Meanwhile, everyone’s favorite anti-fraud crusader, Dr. Fou, chimed in on Reddit saying that everything was working as expected. The masses told him he was wrong, as did I on the podcast. I also mentioned that Colossus is a client of Fou, and he corrected me to assert that they are not a client, they just get unlimited usage of his tech for free.

Ari does some journalism

Power brokerage firm Medialink then slid into my DMs with an offer to interview the executives of Colossus. That counts as journalism in my book, so I got on the phone with Geoff Schmidt, the VP of Technology and Anu Pillai, the CTO of the holding group. Geoff indicated that he was the creator of the video in question.

I learned two interesting nuggets that had not been reported previously. First, I asked Geoff about the Google DV360 issue alluded to in the AdExchanger article. He confirmed that it happened and that they had a hard time getting a meeting with Google since they had an indirect connection through BidSwitch. He said they didn’t know how to fix the issues being described by Google, so they took the drastic step of nuking their entire cookie pool and starting over. Apparently, that did the trick and DV360 starting buying again. This is the ad tech version of “have you tried unplugging it and then plugging it back in?”

Second, based on some chatter I had heard I asked if the company used TapAd for any “ID Bridging” type activity. (Note, throughout this whole episode we’ve been dealing with stable cookies on Chrome, so we aren’t in a situation where we have a lot of no-cookie users.) Geoff and Anu confirmed they had experimented with TapAd, but no longer used them but instead they are currently using LiveIntent. I was unable to get any more details about how, exactly, LiveIntent is being used.

Time to MECE this baby

MECE = Mutually Exclusive, Collectively Exhaustive.

Here are your options for what actually happened:

Option 1: Nothing happened, IDs sometimes don’t match. Given this was found by Adalytics, Google and TTD, we can rule this out.

Option 2: There’s a bug in the way Colossus reads and writes cookies from the browser. Imagine if Colossus occasionally (or regularly) writes the wrong cookie ID to the browser. This would cause their match table to mismatch to older, more valuable IDs.

Option 3: There’s a bug in the Colossus match table. Same net effect as Option 2, and very possible. Note, the evidence for options 2 and 3 include the anecdote about how nuking the cookie database temporarily solved the DV360 problem.

Option 4: Fraud. Colossus is intentionally mismatching IDs in their match tables to make more money. This would be intentional fraud and is essentially what people are assuming they are doing.

Option 5: LiveIntent. They have an ID bridging solution in place, it could be causing ID mismatches to happen, presumably by accident.

Option 6: BidSwitch. The company accused BidSwitch of being the problem, but this seems extremely unlikely given the company’s history and reputation.

Option 7: TTD. In the Reddit thread Dr. Fou seems to point the finger at TTD for buying the wrong users, but that doesn’t hold water given they are operating properly in other SSPs, and given the Google problems.

After speaking with the technical leadership of the company, I did not get the impression that they were RTB masterminds. Having seen what tricky people can do to make money in this ecosystem, I just didn’t get that I-worked-at-Appnexus-I-can-make-money-at-will vibe at all. As such, if I was a betting man, I would say options 2, 3, or 5 are the most likely and that this whole shit show is the result of bugs or misconfigurations.

Why are we still talking about this?

Mike O’Sullivan coined the phrase “ad tech Rashomon” to describe this mess since there’s so much going on. The biggest story-within-a-story is why we’re giving so much ink and attention to what is frankly a third-tier SSP.

According to multiple sources, the reason why Colossus remains relevant and in business is because major blue chip brands have commitments to buy from minority-owned media. These sources say that is the reason why DSPs like TTD leave them integrated for PMPs even though the quality is not up to the standards to be part of default buys. It’s worth noting that you can find Colossus in the ads.txt file of major media companies like USA Today (Gannett), the NY Post (News Corp), etc. so read into the “minority owned media“ thing however you’d like.

BidSwitch, meanwhile, quite reasonably turned them off. Meaning that unless they get a direct integration with TTD and others there will be a major interruption in buying and revenue for the company. I understand there is a lot of backroom discussions for the pipes to be turned on, but it isn’t clear what’s going to happen.

And, finally, we have the lawsuit against Adalytics, which presumably will have a discovery process that will answer all of our questions once and for all.

Reading list

  • Sincera found publishers are partnering with 3P vendors that generate programmatic ad revenue via paid traffic and point it to subdomains that the 3P vendors own. The vendor ContentIQ, owned by Israeli company Perion, makes it super easy to create MFA sites. MFA-as-a-Service. The other company is also an Israeli public company, Samyo News owned by Viewbix. (link)

  • OpenAI releases multi-modal GPT-4o with “Her” mode and big price cuts the day before Google’s IO. (link)

  • Google I/O - Publishers freaking out about SGE — Search Generated Results. (link)

  • Netflix plans to launch its own ad tech platform “by next year” + partner with programmatic (TTD, DV360 and Magnite named) and measurement companies (iSpot, TVIsion). (link)

  • Netflix also breaks into sports rights with 3 year deal w/ NFL for Christmas Day games. (link)

Join the conversation

or to participate.