20% of ad clicks on average are frauds

Cookie stuffing is a popular form of fraud mainly used in campaigns available on affiliate networks. In Poland, this subject was particularly popular in 2018 when the 4finance capital group (then the owner of such brands as Vivus and Zaplo) discovered the so-called „cookie scandal”. Frauds of this type are inextricably linked with cookies, which are slowly becoming a technology that is not only obsolete, but also undesirable (due to the need to protect user privacy) and in the near future were to be eliminated from most known web browsers (including, in particular, Google Chrome). Does this mean that cookie stuffing is a thing of the past?

What exactly is cookie stuffing?

Cookie stuffing is a marketing fraud related mainly to affiliate marketing and consisting in placing additional third-party cookies (not related to the visited website) to the user visiting a given website. Cookies, i.e., small pieces of code that a given website leaves in the user’s browser, collect information about logins and preferences and are intended to make the user’s life easier - they remember their logins and passwords, display personalized ads or content. Usually, internet users are informed when and for what purpose cookies of a given website are saved on their devices (for example in the message that a given website uses cookies or thanks to the information contained in the cookie policy), but if this type of fraud has occurred, the internet user is unlikely to be aware, that bonus files were saved in his web browser.

What is cookie stuffing scam for?

Affiliate marketing, implies that an advertiser is looking for external partners (so-called publishers) to bring him new leads or generate sales. Affiliate networks, i.e., platforms on which publishers can establish cooperation with selected advertisers, also mediate in this process. It is the affiliate networks that inform the advertiser from which of the publishers a given customer or sale came - and they determine it thanks to cookies, because they contain data about the conversion path (i.e., the path that the internet user has traveled from seeing a given advertisement to clicking, buying or filling in the contact form on the website). Cookie stuffing occurs when a person visits a website of a given publisher devoted to, for example, automotive, and instead of leaving cookies for that website in that person’s browser, scammer also places there cookies containing code fragments of other campaigns in which he participates - for example, exclusive coffee machines. As a result, if a given internet user in a week sees an advertisement for these expensive coffee machines and makes a purchase - the sale may be wrongly attributed to the fraudster, even though he has never tried to persuade this particular internet user to buy a coffee machine. This will happen because the cookies with the code of the fraudster coffee machine advertising campaign will precede those installed by the publisher that actually generated the sale. Consequently, the fraudster will steal the commission owed to someone else.

Of course, over time, affiliate networks tried to counteract cookie stuffing, for example by thoroughly analyzing the conversion path and precisely determining which publisher contributed the most to it. There were also concepts of awarding partial commissions to various publishers who, at different points in the conversion path, persuaded the internet user to buy a given product. However, the fraudsters used more and more complex codes in the files they placed - they could, for example, wait in sleep mode and then activate only when an internet user visited a given page.

End of cookies?

The need to eliminate cookies has been recognized by internet giants for years. For example, Apple, which included a new privacy tool in the iOS 14.5 update - App Tracking Transparency. Its main idea is to give control of the data collected about them to users who have to approve or reject the IDFA for each downloaded application. The result of this action is that each app that wants to be available on devices with this update must explain what it intends to use the downloaded data for and obtain consent from the user to track his activity in the indicated scope.

The Trade Desk has been working on its unified identifier (Unified ID 2.0.) from several years to replace cookies. It uses identity tokens created from encrypted e-mail addresses or telephone numbers that are voluntarily provided by the user when logging into a website or application. Then the provided data is encrypted and an identifier is created. Unified ID 2.0 technology. will be made available to all interested parties free of charge, but websites using it will have to declare compliance with the code of conduct and agree to regular audits.

In January 2020, Google announced that it intends to remove third-party cookies from its Chrome browser by January 2022, and work on the Privacy Sandbox project began even earlier, in August 2019. This is a huge change for advertisers - so far, cookies allowed to track the behavior of Internet users, which was an invaluable help in their profiling. But that doesn’t mean there will be an end of personalized ads. Instead of collecting data on individuals, Google will „track” entire groups of users with similar interests and only such anonymized data will be made available to advertisers. All this will be possible thanks to the use of FLoC technology - Federated Learning of Cohorts, i.e., a machine learning technique that allows you to group Internet users based on their browsing history. Simply put, it assumes that the browser will create a multidimensional, mathematical representation of all potential browsing histories called interest cohorts, and then, based on the FLoC algorithm, it will calculate and choose the most relevant one for it. There is no single FLoC model - each browser will have to choose how to create cohorts. For example, Chrome has its own FLoC service, but FireFox may opt for FLoC with completely different algorithms.

Although the changes were to enter into force at the latest in early 2022, in June this year, Google announced that it was extending this deadline until the end of 2023. The reason for this decision is that while significant progress has been made in the Privacy Sandbox, the giant needs more time to make the entire ecosystem function properly. It is worth emphasizing that the so-called „First party” cookies will not be blocked or withdrawn by Google.

Does withdrawing cookies end the cookie stuffing scam?

Probably yes, if only because the name itself indicates the use of the cookies’ mechanism. However, let’s not be fooled - certainly the place of stuffing cookies will soon be taken (or already is taken) by another form of scam - probably much more modern and more difficult to detect. Additionally, the postponement of the decommissioning of third-party cookies in Google Chrome gives fraudsters time to develop a new method that will replace cookie stuffing.