IAB Tech Lab's Trusted Server Kerfuffle

I’m Alan Chapell. I’ve been working at the intersection of privacy, competition, advertising and music for decades and I’m now writing for The Monopoly Report. If you have a tip to share in confidence, find me on Twitter or Bluesky.

Our latest Monopoly Report podcast is out with Rick Bruner - ad research and measurement guru, CEO at Central Control and OG in the ads space. We talk about the state of measurement - and Rick shares a few ideas to ensure more effective measurement if/when we move into the post-UID era.

IAB Tech Lab is Taking Charge

Last week, the IAB tech lab announced the Trusted Server - an “open-source server-side ad management framework” designed to circumvent certain browser functionality by moving key ad data flows into the publisher-operated infrastructure.

I’m not typically into amplifying the press releases of our industry trade bodies - regardless of whether I think they are worth amplifying. We’ve got the trade press for that (btw, LOVE the Howard Beals reference by Allison Schiff in AdExchanger). However, the release, the problem(s) Trusted Server is designed to solve, and the criticism it has received touch on so many of the issues we cover here in TMR, I couldn’t help myself.

What problem(s) is Trusted Server intended to solve?

The tl;dr is that Trusted Server is an attempt to put more of the processing decisions currently being made within the digital ads space into the hands of publishers and the entities publisher’s trust enough to allow them to put their code on page. To state that this is a laudable goal would be an understatement. Big kudos to Tony and the IAB TL for the attempt.

But at what cost?

But Trusted Server is ALSO an escalation in the decades long battle between browsers and the ads space. I’ve covered the history of that arms race in some detail here.

Historically, browsers’ primary role has been to serve and protect their Users - sometimes protecting them from the shadier elements in the ads space. For example, going back twenty-some years to the era of adware/spyware, browsers stepped in to protect Users from being carpet bombed by those super annoying X-10 camera and punch-the-monkey ads. Browsers have also sought to protect users from tracking. And as you probably know all too well, some browsers are now blocking third-party cookies by default.

Thing is, browsers’ “serve and protect” role is running head-long into a conflict of interest as they increasingly look to enter the ads space. Yeah, Mozilla and others have dabbled in ads over the years, but two recent trends have escalated things:

1. Traditional browser monetization options (e.g.,sending user search queries to Google) are in serious jeopardy as per the DOJ proposed remedies in the Google search antitrust trial.

2. The Privacy Sandbox has normalized the concept of browser as an ad platform.

Protecting users from ad call X & ad call Y feels different if that protection only serves to insert the browser’s ad call Z into the mix - particular if that ad pulls data from the User’s browsing preferences in one way or another. I should also mention that all three ad calls probably constitute a sale or share of data under CCPA, but that may cause many of you to doze off…

Criticism of the IAB Tech Lab Trusted Server Specification

Mike O’Sullivan, co-founder at Sincera shared his thoughts on the spec. Mike had the courage to stand up and ask questions - something that is in short supply around here. Even if I disagree with some of Mike’s points, I applaud the fact that he’s willing to do what many in this space are not. We need MORE - not less - of this in the ads space. (On a related note, big props to Erez Levin for his recent thoughts).

A few thoughts specific to some of the criticism from Mike and others follows.

Is the juice worth the squeeze?

As a starting point, here’s some feedback I received based on initial discussions with a few colleagues who have a wee bit more tech acumen than me:

• The spec is a bit undercooked - one wonders whether it was worth the coverage it has received (sorry about that, btw).

• It only works in display, (no video or rich media) which undercuts its value,

• It will likely create additional complexities, expenses and latency issues.

• The CDN component is interesting, but as of now, it’s only Fastly involved.

The spec condones the creation of a fingerprint!

This is a common refrain to imply that a particular ad tech data flow is “bad”. Personally, I find it frustrating that if you put 10 ad tech people in a room, you'll get at least 7 different definitions of the term fingerprint. This wouldn’t be such a big deal except that within our cultural lexicon, fingerprinting = bad.

And that’s a problem - particularly given that the distinctions being drawn between what counts as fingerprinting are often razor thin. I’m just thinking out loud here, but a few things come to mind:

• I’m a bit uncomfortable with a definition that implicates a good chuck of both the CTV and mobile attribution space. (Which is one of the reasons Google has softened it’s approach to fingerprinting).

• I believe its more helpful to focus less on the specific technology used and more on ensuring that there are reasonable controls in place. (Although defining what’s “reasonable” here can devolve quickly.)

• Pointing to the W3C definition of fingerprinting as gospel ignores a long historical back story with all kinds of political undertones.

There are smart, thoughtful people in and outside the ads space who believe a cookie or similar type of tracking technology should never be placed without full-on opt-in user consent. If that’s your position - more power to you.

But calling out a particular practice as “bad” in the face of evidence that browsers have taken everything else off the table might not be productive. Even more so when browsers are taking these steps in order to push a competing ad product - or (in the case of Apple) to push users towards subscription models where the browser’s parent company obtains a cut.

The IAB spec doesn’t focus enough on user trust

I’m probably going to tick people off by writing this, but I think User trust is one of those concepts that becomes sort of a catchall for a bunch of different issues - at least some of which have very little to do with the ads space. It’s much easier to say “we need to focus on increasing user trust” - but much more difficult to quantify how trust (or lack thereof) really works in the context of the ads space. Is it really all about ad blocking?

Don’t get me wrong, I’m all for creating a list of ways the ads space has reduced trust both with Users and amongst ourselves. Anyone who wants to be part of that discussion should ping me. Maybe together we can get somewhere… (you’re welcome).

As of today, if Tech Lab’s Trusted Server does nothing other than force publishers to re-evaluate the number of entities they work with - that’s a win.

But browsers are at least using privacy enhancing technologies (PETs)?

Despite what I’ve written above, I believe that there’s something to the notion of pervasive tracking as eroding consumer trust. Anyone that is investing in PETs should be applauded - and that includes browser ad platforms. Although in fairness, that’s really a separate question from the one being answered by the Tech Lab under this spec. Publishers need to monetize their content. And setting up entirely separate ad platforms that leverage publisher data but don’t necessarily contribute to publisher bottom lines isn’t workable.

But you can’t audit the darn thing!

I’m sympathetic to the idea that you’ve gotta start somewhere. That said, it’s disappointing that brand safety, ad fraud prevention and auditability (not to mention privacy) are left to the future given how quickly the ads space tends to go sideways into a scene from Lord of the Flies without those things in place.

So maybe we can collectively stay on the tech lab to ensure that this spec ultimately includes privacy-by-design and all that other stuff.

My View: This is about control - privacy & trust are often red herrings

All the great privacy and security work that’s taken place in connection with the Privacy Sandbox (and other browser ad platforms) does not negate the fact that many of these efforts serve as window dressing to a concerted attempt to exercise control over the ads space.

I will continue to level criticism at the ad tech space for its failure to invest more heavily into measurement, ad fraud and privacy-by-design solutions. And I’ll also try to be sympathetic to the revenue concerns most browsers are facing.

But equally - I don’t think privacy should be used as a pretext for browsers, mobile o/s providers, or others to take over the digital media marketplace.

Alan’s Hot Takes…

Here are a few stories that hit me over the past week:

• A modest proposal to help improve the ads space – Rob Leathern shared his thoughts on how our industry could address many of the underlying reasons that consumers are flocking to block ads online. Ari Paparo and others built on it via LinkedIn comments. I’m sharing here because I suspect that it’s related to the User trust issue. But also, because I’ll have Rob on TMR pod over the next few weeks.

• Another proposal to fix measurement - This article was written by Rick Bruner last fall - about a solution to improve measurement. Rick references an idea from this article in this week’s TMR podcast so I thought I’d share.