How Publishers Are Getting “Data-Fleeced” by Ad Networks
Melody Kramer’s recent piece, “When newsrooms don’t own their data, other companies profit” on Poynter should be a hard and fast wake-up call for publishers. Kramer, a former digital strategist at NPR and former visiting Nieman Fellow at Harvard University, offers several insights from publishers about how newsrooms collect then give away data programmatically without fair compensation. Most of the examples she provides are related to behavioral data, however “data fleecing” publishers stretches way beyond link tracking and location check-ins.
The Value of Hashed Data: Myth Vs. Fact
Precise individual targeting has become the holy grail of digital marketing as evident in Facebook’s stratospheric valuation. Facebook’s ability to create custom audiences based on unique identifiers, such as email addresses, cookies, and phone numbers, is a dream come true for marketers as other social media and ad networks have quickly followed. Unlike Facebook, since many ad networks don’t own the audience they serve ads to, they require the cooperation of the publisher to help target individuals on desktop and mobile devices. One such method of identification is using a subscriber’s encrypted email address (MD5#, Sha1), alone, or coupled with a cookie or DeviceID to target advertising within an email or across multiple devices. In a hasty effort to monetize digital properties with ad exchanges, many publishers sometimes unknowingly relinquish their rights to valuable data, particularly hashed email addresses. The publishers who are in the know usually rationalize that their subscribers’ encrypted email addresses are secure and or have little value. This sentiment couldn’t be further from the truth.
Despite its nascent size compared to other marketing and advertising channels, email continues to deliver one of highest ROIs. And since there has been wide adoption of using an email address as a universal unique identifier both inside and outside the email channel, its value to advertisers has significantly increased over the past few years. With the rise of programmatic advertising, the demand for non-personally identifiable data, such as cookies and hashed email addresses for targeting via demand service providers (DSPs), is on an upward trajectory.
Publishers are unaware that many ad networks have joint rights to not only use their hashed email addresses to target advertising on other publishers’ properties, but to also sell or lease this coveted piece of data at their discretion. Depending on the quantity, demographics, and history of the hashed email addresses and cookie combos, it’s not unheard of to receive anywhere from a couple thousand dollars a month for small publishers to tens of thousands of dollars of month for larger publishers from data brokers. By simply giving this data away, it represents a lot of missed revenue for publishers as many scramble to find new revenue streams and business models.
In addition to the in-house agencies publishers are erecting, they need to give careful consideration to what role data monetization will play either within these agencies or via a separate practice. Fortunately, for publishers wanting fair compensation for their hashed email addresses, there’s been a fresh crop of businesses waiting to help them. New companies such as Traverse are helping publishers monetize these assets in new and creative ways. Craig Swerdloff, CEO of Traverse says:
“The ad tech industry, in their desire to chase unnecessary growth and extraordinary company valuations, has chased advertiser dollars at the expense of publishers. The result has been catastrophic for traditional publishers. It’s time for publishers to take back control, and get their fair share of the ad dollars generated from their user data.”
MD5 Security: Myth Vs. Fact.
Originally development by the National Security Agency, The Secure Hash Algorithm (SHA) at least a 160 bit encryption methodology of 40+ hexadecimal characters (depending on the SHA version) used to secure and non personalize email addresses. According to many security pundits, hashed email addresses are not as secure as publishers might think for the simple reason that both the encryption methodology (Secure Hash Algorithm - SHA) and large pools of email addresses are widely available to the public. It’s possible that the unscrupulous can buy hundreds of millions of email addresses cheap, encrypt them using the same SHA methodology, match the large pool against a stolen hashed list, then decrypt the matched list from the pool, which results in an email list that can be sent to.
While this process is theoretically possible it shouldn’t sway publishers from working with ad networks that ask for the email hash to target or to monetize them using a third party. Aside from working with reputable companies, publishers should insist in their agreements that hashed email addresses are used for targeting purposes only and then destroyed by the ad network once the targeting process is over. Additionally, to source possible leaks, publishers and data brokers will need to find ways to seed lists per transaction, hash, and monitor accordingly.
As programmatic trading continues to be the preferred vehicle for purchasing advertising, hashed email data will continue to play a major role in expanding advertisers’ targeting capabilities. Publishers should be wary about how their agreements with ad networks are structured for hashed email sharing and insist on fair compensation for this type of data.