Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Turning the Tide on Dark Pools? Towards Multi-Stakeholder Vulnerability Notifications in the Ad-Tech Supply Chain

Yash Vekaria, Rishab Nithyanand, Zubair Shafiq

TL;DR

This paper investigates dark pooling in the online advertising supply chain and tests vulnerability notifications as a remediation strategy across publishers, ad-networks, and advertisers. It introduces an automated pipeline to identify dark pools using static and dynamic analyses and executes a nine-month, multi-round notification campaign with treatments delivered by academics and an activist organization, CheckMyAds. Using propensity-matched difference-in-differences, it finds that notifications reduce dark pooling vulnerabilities across all stakeholder groups, with ad-networks showing the strongest remediation and activists performing comparably to academics, while publishers are comparatively less responsive. The work demonstrates the feasibility and value of multi-stakeholder vulnerability notifications in ad-tech, providing a template for interventions in other complex supply chains.

Abstract

Online advertising relies on a complex and opaque supply chain that involves multiple stakeholders, including advertisers, publishers, and ad-networks, each with distinct and sometimes conflicting incentives. Recent research has demonstrated the existence of ad-tech supply chain vulnerabilities such as dark pooling, where low-quality publishers bundle their ad inventory with higher-quality ones to mislead advertisers. We investigate the effectiveness of vulnerability notification campaigns aimed at mitigating dark pooling. Prior research on vulnerability notifications has primarily focused on single-stakeholder scenarios, and it is unclear whether vulnerability notifications can be effective in the multi-stakeholder ad-tech supply chain. We implement an automated vulnerability notification pipeline to systematically evaluate the responsiveness of various stakeholders, including publishers, ad-networks, and advertisers to vulnerability notifications by academics and activists. Our nine-month long multi-stakeholder notification study shows that notifications are an effective method for reducing dark pooling vulnerabilities in the online advertising ecosystem, especially when targeted towards ad-networks. Further, the sender reputation does not impact responses to notifications from activists and academics in a statistically different way. In addition to being the first notification study targeting the online advertising ecosystem, we are also the first to study multi-stakeholder context in vulnerability notifications.

Turning the Tide on Dark Pools? Towards Multi-Stakeholder Vulnerability Notifications in the Ad-Tech Supply Chain

TL;DR

This paper investigates dark pooling in the online advertising supply chain and tests vulnerability notifications as a remediation strategy across publishers, ad-networks, and advertisers. It introduces an automated pipeline to identify dark pools using static and dynamic analyses and executes a nine-month, multi-round notification campaign with treatments delivered by academics and an activist organization, CheckMyAds. Using propensity-matched difference-in-differences, it finds that notifications reduce dark pooling vulnerabilities across all stakeholder groups, with ad-networks showing the strongest remediation and activists performing comparably to academics, while publishers are comparatively less responsive. The work demonstrates the feasibility and value of multi-stakeholder vulnerability notifications in ad-tech, providing a template for interventions in other complex supply chains.

Abstract

Online advertising relies on a complex and opaque supply chain that involves multiple stakeholders, including advertisers, publishers, and ad-networks, each with distinct and sometimes conflicting incentives. Recent research has demonstrated the existence of ad-tech supply chain vulnerabilities such as dark pooling, where low-quality publishers bundle their ad inventory with higher-quality ones to mislead advertisers. We investigate the effectiveness of vulnerability notification campaigns aimed at mitigating dark pooling. Prior research on vulnerability notifications has primarily focused on single-stakeholder scenarios, and it is unclear whether vulnerability notifications can be effective in the multi-stakeholder ad-tech supply chain. We implement an automated vulnerability notification pipeline to systematically evaluate the responsiveness of various stakeholders, including publishers, ad-networks, and advertisers to vulnerability notifications by academics and activists. Our nine-month long multi-stakeholder notification study shows that notifications are an effective method for reducing dark pooling vulnerabilities in the online advertising ecosystem, especially when targeted towards ad-networks. Further, the sender reputation does not impact responses to notifications from activists and academics in a statistically different way. In addition to being the first notification study targeting the online advertising ecosystem, we are also the first to study multi-stakeholder context in vulnerability notifications.
Paper Structure (20 sections, 13 figures, 4 tables)

This paper contains 20 sections, 13 figures, 4 tables.

Table of Contents

  1. Introduction
  2. Background
  3. The online advertising supply chain
  4. Dark pooling vulnerabilities
  5. Vulnerability notification campaigns
  6. Research Methods
  7. Identifying dark pooling vulnerabilities
  8. Designing multi-stakeholder notifications
  9. Recipient Engagement with Notifications
  10. Rate of engagement with notifications
  11. Nature of engagement with notifications
  12. Notification Impact on Dark Pooling
  13. Assessing the impact of notifications
  14. Effect of notification recipient
  15. Effect of notification source
  16. ...and 5 more sections

Figures (13)

  • Figure 1: Stakeholders in the ad-tech supply chain
  • Figure 2: Our threat model representing ad-tech supply chain vulnerability of dark pooling.
  • Figure 3: An overview of the timeline of the the notification campaign.
  • Figure 4: An illustration of the measured remediation metrics before and after notifications in different rounds to different stakeholders. The difference-in-differences is computed from these metrics as $\Delta_{(t,c)} = (t_{post} - c_{post}) - (t_{pre} - c_{pre})$ for each ad-tech entity.
  • Figure 5: Approaches to resolution
  • ...and 8 more figures