A Longitudinal Analysis of the ads.txt Standard

“…To identify resource inclusion from third-party A&A domains, we apply two heuristics to the HTTP requests in our inclusion trees. First, we match each requested URL against the EasyList and EasyPrivacy 10 block lists [10,11,13]. Second, we apply the methods developed by Fouad et al to identify inclusions of tracking pixels [35].…”

“…To estimate the number of unique Californians visiting websites in our corpus, we use data from the marketing research company Semrush. 11 In September 2020 we purchased a "custom report" from Semrush for $750 that contained the unique monthly US visitors to 203,365 of the 497,870 domains in our corpus in August 2020 (Semrush did not have visitor estimates for the remaining domains). These visitor counts are based on Semrush's proprietary measurement and estimation methods.…”

“…We scaled the unique visitor counts down by 88%, since California accounts for 12% of the internetenabled US population. 12 Thus, we assume that unique visitors to websites are uniformly distributed throughout the US. We revisit this limitation in § 6.1.…”

Setting the Bar Low: Are Websites Complying With the Minimum Requirements of the CCPA?

“…To identify resource inclusion from third-party A&A domains, we apply two heuristics to the HTTP requests in our inclusion trees. First, we match each requested URL against the EasyList and EasyPrivacy 10 block lists [10,11,13]. Second, we apply the methods developed by Fouad et al to identify inclusions of tracking pixels [35].…”

“…To estimate the number of unique Californians visiting websites in our corpus, we use data from the marketing research company Semrush. 11 In September 2020 we purchased a "custom report" from Semrush for $750 that contained the unique monthly US visitors to 203,365 of the 497,870 domains in our corpus in August 2020 (Semrush did not have visitor estimates for the remaining domains). These visitor counts are based on Semrush's proprietary measurement and estimation methods.…”

“…We scaled the unique visitor counts down by 88%, since California accounts for 12% of the internetenabled US population. 12 Thus, we assume that unique visitors to websites are uniformly distributed throughout the US. We revisit this limitation in § 6.1.…”

Setting the Bar Low: Are Websites Complying With the Minimum Requirements of the CCPA?

“…In this type of attack, fraudsters take advantage of the impossibility to validate the veracity of the information included in ad-tags or OpenRTB messages. Domain spoofing is a wellknown attack to introduce counterfeit inventory in the programmatic ecosystem [16]. In particular, fraudsters launch fraudulent ad requests from instrumented browsers claiming to come from popular domains, referred to as premium sites, where ad spaces are more expensive.…”

“…There is a not negligible portion of publishers not adopting it. Moreover, Ads.txt imposes to blindly trust authorized sellers [20] and authorized resellers that could have received the requests through an unauthorized source [16]. Given the limitations of Ads.txt, the IAB launched the Ads.cert specification, whose beta version is included in OpenRTB 3.0.…”

Establishing Trust in Online Advertising With Signed Transactions

A Study of the Partnership Between Advertisers and Publishers