Review of IAB SafeFrame 1.0

This review of the IAB SafeFrame 1.0 proposal has been prepared by Dr Simon Overell and Dr Douglas de Jager.

What are SafeFrames?
Currently there are two ways for a publisher to include display ads on a web page: inline or within iframes. This provides publishers with a stark choice.

By including an ad inline a publisher is including an ad in the same way that a publisher would typically include, say, an image. This type of inclusion provides advertisers with full transparency into where ads are placed and it also allows rich ad interactions—in particular, it allows expansion and contraction of ads. However, this type of inclusion also allows negligent or malicious advertisers to break site functionality; to steal data from the host page or from the user; to rewrite any content on the host page; or even to redirect a user to a page on an entirely different domain.

For the security-conscious publisher, iframes provide an impassable barrier between the host page and the ad. This protects both publishers and users from ad scripts. Unfortunately, iframes also prevent rich interactions. More troublingly, iframes limit what the ad can find out about the host page: for example, the geometric position of the ad, whether the ad is viewable within the browser viewport, site metadata, site name, etc.

SafeFrames are an attempt to provide advertisers both with transparency and rich interactions whilst at the same time ensuring publisher and user security (and, indeed, advertiser security). External content is isolated on a trusted third party domain, thereby providing publishers the same protection as provided by traditional iframes. Communication between the host page and the external content is available via a defined API. This allows for rich ad interaction and it allows for certain information to be made available from the host page to the advertiser.

SafeFrames are of limited use across exchange inventory
The key advantage of SafeFrames is that they protect the publisher.

SafeFrames purport also to provide advertisers with increased transparency over standard iframes: including, for example, providing support for viewability classifications as per the 3MS standard and access to the cookies set under the host’s domain. However, it’s important for advertisers to realise that the data they are passed via SafeFrames is trustworthy only to the extent that the publishers are trustworthy. And across exchange inventory—across the long tail, in particular—advertisers would be advised to tread with caution. This is unfortunate as it’s across the long tail of exchange inventory where transparency is most wanted.

As the SafeFrame code is necessarily client-side, authenticating the validity of the messages passed from host page to an ad, via whichever API, is impossible. By modifying the SafeFrame JavaScript on the host site one can return false data to the advertiser.

This is illustrated below. It would be easy for a malicious site to feed fake viewability data into a modified host page. This would then be exposed in the iframe via the $sf.ext API. Any advertiser scripts pulling viewability data would receive fake rather than legitimate viewability classifications. If advertisers optimise their ad buying for viewability, they would be ripe for abuse by unscrupulous publishers who can grossly manipulate their figures. Similarly if publishers are paid only for viewable ads, this too is open to manipulation.
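
The geometric comparison a viewability script performs on host-supplied numbers, together with a consistency check an advertiser can run on them. This is an added example, not code from this review or from the SafeFrame project; the report fields win, self and claimedPercent are assumed names, and the sample reports are constructed.

```javascript
// Added example. The report shape (win, self, claimedPercent) and the
// {t, l, b, r} edge names are assumptions for this sketch.

// Overlap area of two rectangles, each {t, l, b, r} in host-page pixels.
function overlapArea(a, b) {
  const w = Math.min(a.r, b.r) - Math.max(a.l, b.l);
  const h = Math.min(a.b, b.b) - Math.max(a.t, b.t);
  return w > 0 && h > 0 ? w * h : 0;
}

// Geometric approach: percentage (0-100) of the ad that lies inside the viewport.
function inViewPercent(ad, viewport) {
  if (!(ad.r > ad.l && ad.b > ad.t)) return 0; // empty or inverted ad rectangle
  const adArea = (ad.r - ad.l) * (ad.b - ad.t);
  return Math.round((100 * overlapArea(ad, viewport)) / adArea);
}

// Returns a description of what is wrong with a rectangle, or null if usable.
function rectProblem(rect) {
  const edges = ["t", "l", "b", "r"];
  if (!rect || !edges.every((k) => Number.isFinite(rect[k]))) {
    return "missing or non-numeric edge";
  }
  if (rect.r <= rect.l || rect.b <= rect.t) return "empty or inverted rectangle";
  return null;
}

// Checks a host-supplied report against itself. An empty result means the
// report is not self-contradictory; it does not mean the report is true.
function checkReport(report, tolerance = 2) {
  const findings = [];
  for (const name of ["win", "self"]) {
    const problem = rectProblem(report[name]);
    if (problem) findings.push(`${name}: ${problem}`);
  }
  const claimed = report.claimedPercent;
  if (!Number.isFinite(claimed) || claimed < 0 || claimed > 100) {
    findings.push("claimedPercent: not a number in 0-100");
  }
  if (findings.length > 0) return findings;

  // Recompute the percentage from the report's own rectangles.
  const computed = inViewPercent(report.self, report.win);
  if (Math.abs(computed - claimed) > tolerance) {
    findings.push(`claimedPercent ${claimed} disagrees with geometry (${computed})`);
  }
  return findings;
}

// Constructed sample reports: a 300x250 ad straddling the bottom of a
// 1200x800 viewport, so 100 of its 250 pixel rows are in view.
const VIEWPORT = { t: 0, l: 0, b: 800, r: 1200 };
const AD = { t: 700, l: 100, b: 950, r: 400 };
const SAMPLE_REPORTS = {
  consistent: { win: VIEWPORT, self: AD, claimedPercent: 40 },
  contradictory: { win: VIEWPORT, self: AD, claimedPercent: 100 },
  malformed: { win: VIEWPORT, self: { t: 0, l: 0, b: 0, r: 300 }, claimedPercent: 0 },
};

for (const [name, report] of Object.entries(SAMPLE_REPORTS)) {
  console.log(name, checkReport(report));
}
```

An empty findings list means only that the report does not contradict itself. It cannot show that the numbers describe the real page, which is the limitation described above.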

Frame nesting difficulties
Beyond trust, there are two other concerns which are perhaps worth highlighting. The first of these centres on frame nesting.

The SafeFrame Version 1.0 documentation states: “SafeFrame containers are always rendered in the top-level HTML document”. There are, however, legitimate reasons beyond the publisher’s control which make this impractical. For example, the LinkedIn and StumbleUpon toolbars place publisher web pages within iframes.

One might wonder whether the LinkedIn and StumbleUpon toolbars might switch to SafeFrames rather than iframes. Unfortunately, according to the SafeFrame Version 1.0 documentation: “Nested SafeFrame tags are not supported. Any SafeFrame tags that are included in tags from exchanges, intermediaries, proxies, or any other secondary publishing partner or vendor are ignored. If a SafeFrame tag is rendered within a SafeFrame container that has already been created, the rendering process assumes that the container has already been created and skips over to rendering the external content.” This would mean that if the StumbleUpon toolbar embedded the Yahoo! homepage in a SafeFrame, then any SafeFrames intended for ads on the Yahoo! homepage would be ignored and advertiser scripts would be able to rewrite the contents of the Yahoo! homepage.

This nesting difficulty significantly limits the applicability of SafeFrames. For example, a platform provider such as Facebook cannot encase their apps in SafeFrames and have their apps further include ads in SafeFrames.

Open-source but not necessarily free
A final point worth considering regarding SafeFrames is that even if an open-source implementation is released, the use of SafeFrames will not necessarily be free. comScore own a set of patents for measuring the viewability of display ads and comScore have recently shown a willingness to assert these patents in court. These patents specifically cover using geometric location of the ad to determine viewability—the method specified in the SafeFrames external API.

Concluding thoughts
The motivation behind SafeFrames is clear. Protection is needed by both publishers and advertisers from malicious or negligent parties. This is why iframes have come to be the predominant way to serve display ads. At the same time, advertisers require transparency and control on where and how their ads are displayed.

If all the different parties were diligent and their interests were aligned, SafeFrames would be a viable solution. In reality, however, SafeFrames protect only the publisher and they give the advertiser the illusion of transparency. SafeFrames are least likely to help advertisers down the long tail of exchange inventory, which is where advertisers most need transparency.

Compounding this intrinsic SafeFrame problem for advertisers are two structural difficulties. In today’s world, frame nesting is commonplace, and often required, and SafeFrames make no allowance for this nesting. Furthermore, unless comScore dramatically changes its policy on IP enforcement, users of SafeFrames for viewability measurement face the unwanted risk of being taken to court.

 

Q&A about Ad Viewability

This interview with our CEO was conducted by Otilia Otlacan of Ad Operations Online.

Otilia: Why has ad viewability become such a hot topic recently?

Douglas: There have been whisperings about ad viewability for a very long time, but without much action. The flurry of recent activity, I’d suggest, is largely down to Google.

On April 18th of this year Google announced to the industry that it would be rolling viewability measurement out across Google AdX. The implications for the industry are profound.

If other networks and exchanges don’t provide similar viewability measurement, then the publishers with the highest viewability rates will migrate to AdX — where they will be rewarded for their higher viewability rates. Leading advertisers will similarly migrate. Given that typical CTRs are only 0.08% (and typical mouse-movement rates are only 3%), information about ad viewability allows advertisers to optimise their buying across the long tail in a way that they have never been able to before. The publisher and advertiser migrations will lead to further migrations. Through this vicious circle of migrations the importance of the other networks and exchanges will quickly erode. And without a healthy ecosystem of competing exchanges and networks, the DSPs and SSPs become markedly less important. The ancillary service providers, similarly, will tend to irrelevance.

The talk in the industry is about how to defend against Google’s push for total dominance.

Otilia: There are now several viewability measurement companies, all making competing claims about their accuracy across different browsers, particularly in unfriendly iframes. How different are the offerings of the different companies?

Douglas: As things stand, there appear to be only two ways to measure ad viewability.

The first way to measure ad viewability is by the geometric approach, an approach used by almost everyone in the industry. This approach typically involves comparing the position of the four corners of the ad relative to the host webpage and then comparing the position of the four corners of the browser’s viewport relative to the host webpage. With these two comparisons one may say whether an ad is within the viewport. A variant of this approach involves comparison with the screen rather than the host page. Comparison is also sometimes made between the ad and the mouse cursor, and then the mouse cursor and the viewport.

comScore controls a key set of patents which govern the geometric approach to measuring ad viewability.

Because of a browser security policy — termed the same origin policy — the geometric approach is limited in its effectiveness when ads are embedded in unfriendly (cross-domain) iframes. When ads are served in unfriendly iframes then any viewability script will typically be unable to communicate with the host page, meaning that the relative position of the ad to the host page cannot be retrieved. In particular, the position of the ad relative to the host page cannot be determined across Internet Explorer, Chrome and Safari. This difficulty has compelled several companies to exploit a notable security hole in Internet Explorer in order to provide viewability measurement. When ads are embedded in unfriendly iframes there is currently no geometric solution for WebKit-based browsers, like Chrome and Safari.

The second way to measure ad viewability is to monitor browser optimisations. With the rise in rich internet applications and mobile browsing, browsers have been under increasing pressure to do more with less processing power. By monitoring how a browser allocates resources to render an ad, one can determine what proportion of the ad is in view.

Because no appeal is made to precise geometric position, the browser-optimisations approach does not suffer the limitations of the geometric approach. The browser-optimisations approach may be used to measure the viewability of ad impressions across all major browsers even when the ads are embedded in (nested) unfriendly iframes.

spider.io developed the browser-optimisation approach and has an international pending patent for this approach dating from June, 2011.

Otilia: What is your opinion on the IAB’s Safe Frame Initiative? How will it impact on the way ad viewability is measured?

Douglas: The IAB’s Safe Frame Initiative is aiming to produce an open-source code base that will allow information to be passed from the host webpage to scripts embedded in unfriendly iframes.

If safe frames come to be adopted throughout the industry, then the information passed from the host webpage should allow advertisers to use the geometric approach to measure ad viewability across iframes in all browsers — to achieve the same level of coverage that the browser-optimisations approach provides. It is important to note: whilst the safe frame code-base is intended to be open-source, any use of the geometric approach via safe frames would still probably be subject to comScore’s patents.

Are safe frames likely to be adopted at the necessary scale? There is reason to think not. Consider Google’s AdX, for example. Google has unfettered access to the host webpages across which AdX ads are included. However, Google locks AdX ads up in DoubleClick iframes. This means that Google can determine ad viewability using the geometric method, as Google can see out from its own iframes, but advertisers who advertise through AdX cannot use their own independent scripts to measure ad viewability via the geometric method. It would be very surprising if Google chose to change DoubleClick iframes to safe frames, thereby giving up control of viewability measurement across AdX.

Finally, there is the small matter of misaligned incentives. The SafeFrame Initiative requires advertisers to trust publishers not to try to skew the information passed to scripts, and thereby the viewability classifications. Advertisers are essentially trusting publishers to tell them whether their ads are in view. It is difficult to see how this might happen without creating advertiser demand for a new class of service provider which polices deviant publishers.

Otilia: Do you have any recommendations on best practices for publishers who are looking to minimize the impact of ad viewability issues upon their ad revenue?

Douglas: Independent of any publisher efforts, advertisers are already starting to measure the viewability of their ad impressions. Advertisers are then using these measurements to optimise their ad buying. My advice to publishers would be that they try to perform internal viewability audits, and they try to increase viewability rates. This is how publishers will retain existing ad spend, and it’s how publishers will win more spend.

A further point worth noting: Google’s efforts will soon make advertisers come to treat ad viewability as a requirement. This is going to mean that publishers are ultimately going to have to provide their direct-sales advertisers with viewability reporting — either directly or through a trusted third party. The more proactive publishers may want to push this sooner rather than later.

The First Technology to Measure the Viewability of Iframed Ads across All Major Browsers [press release]

spider.io provides the first service that demonstrably measures ad viewability across all major browsers, ad exchanges, ad networks and ad servers, even when the ad impressions are served in unfriendly (cross-domain) iframes. In particular, spider.io’s technology is the first to be able to measure the viewability of iframed ads across Chrome and Safari browsers.

According to Dr Douglas de Jager, CEO of spider.io: “In an industry of smoke and mirrors, we aim to be transparent. We have built the industry’s first comprehensive viewability measurement technology and we encourage all prospective partners to confirm our bold claim for themselves. Testing can typically be wrapped up within the day.” [1]

It has been suggested that 40–70% of display ad impressions are typically delivered in cross-domain iframes. [2,3] An unfriendly or cross-domain iframe is an iframe served from a different domain to the host website. Due to a browser security policy, termed the same origin policy, [4] web browsers do not allow communication between webpages and iframes served from different domains. This means that any script which is included to measure the viewability of an ad impression from within a cross-domain iframe cannot ordinarily access either the position of the iframe relative to the host webpage or the scroll offset of the browser window relative to the host webpage. This poses a significant challenge for those attempting to measure viewability from within cross-domain iframes.

spider.io is currently engaged in the MRC’s accreditation process for the company’s comprehensive ad viewability technology.

[1] A demonstration of the testing process can be seen at http://www.spider.io/vSta98h
[2] http://bit.ly/JiD0rd
[3] http://bit.ly/JwMCwe
[4] http://mzl.la/1xN67L

 


Notes for Editors
Background Information:
On April 18th, 2012, Google announced to the industry that it would be rolling out its own implementation of the 3MS viewability standard for online display ads, namely Active View. Google’s stated aim is both to make display marketing more appealing to brand advertisers and also to reduce uncertainty for direct-response marketers.

spider.io is currently working with several of the leading exchanges, ad networks, DSPs and retargeters to provide analogous viewability measurement across their display ad inventory.

Dr Douglas de Jager and Dr Simon Overell, both of spider.io, wrote the seminal white paper, “Verifying the Visibility of Display Ads Served within Cross-Domain Iframes.” This white paper surveys the approaches taken within the industry to the problem of cross-domain iframes—providing a survey of patent applications, press releases and publicity material together with a deconstruction of visibility-verification code where available. [5]

[5] This white paper is available upon request.

 

Press Kit
http://spider.io/press/

Join us for a tipple at Spider Towers

We have filled, filed and painted, we have two ales on tap, and the bar is now open. A cheery wassail to you all!

Startups Acquiring Startups for Equity

Preamble: As a member of any startup with options or equity, it is important to know how the capital proceeds of the company will be distributed in different circumstances. Whilst preference schedules, bridge-loan agreements and investor veto clauses appear rather abstract at the outset, these could all make a material difference to the capital proceeds you receive upon exit. This is something we discuss internally. As other startup teams will also be discussing this, we would like to open the discussion. In this post our CEO considers a common type of exit, and the distribution uncertainty typically associated with this type of exit. He proposes standardising the approach to capital distribution.

Hello, Startup World.

In this post I would like to kick off a discussion about best practice for when startups are acquired by other startups for equity.

Having been pottering about in London’s tech startup community since 2006, I have seen several of my peers selling their startups to other tech startups for equity. Sometimes the investors feel as though they have received a bad deal. Sometimes the founders feel mistreated. Sometimes both parties walk away after acquisition feeling as though they have been wronged.

In this post I would like to make a proposal. Our team very much look forward to your thoughts on the matter.

Suppose that company A is to be acquired by company B for equity. Suppose also that there is a preference schedule associated with company A’s equity.

Without loss of generality, let’s suppose that the investors have put $500k into company A for 25% of the company’s equity and investors have a 1-times non-participating preference whilst founders have the remaining 75% of the company’s equity and they have no preference. The 1-times non-participating preference means that if the company sells for an amount up to $500k, investors will receive all the proceeds. If the company sells for an amount between $500k and $2 million, then investors will receive $500k and founders will receive the rest. If the company sells for more than $2 million, then all shareholders—investors and founders—will receive proceeds pro-rata according to their shareholdings.

Typically three possible deal structures are discussed during the acquisition process of company A by company B.

Possibility 1:

Company A’s preference schedule is ignored, and all company A’s shareholders get shares pro-rata according to their shareholdings in acquiring company B. This is unlikely to please investors.

Possibility 2:

Company A’s preference schedule comes into force and investors potentially get all (or most) of the newly issued shares in acquiring company B. This is unlikely to please founders.

Possibility 3:

Company A’s preference schedule doesn’t come into force, but investors get compensated by getting a higher percentage of company B’s shares than they would have done had distribution been pro-rata. Neither investors nor founders are likely to walk away from this negotiation feeling particularly pleased.

Proposed Best Practice:

I am of the view that none of the above are ever appropriate. Rather, I contend that acquired company A should simply roll the preference schedule forward. And I don’t see this as being just another possibility. I believe this to be the only reasonable way to structure this type of deal.

Let me explain.

No cash is changing hands, and without cash changing hands the preference schedule is ill-defined. It is ill-defined because the preference schedule is determined by absolute valuations, whilst this type of deal is only ever about relative valuations.

Anyone who has ever been involved in a startup will know that early valuations—say, during fundraising—are largely plucked from the air. Dubious appeals are made to comparables. Fantastical hockey-stick curves are considered. Most importantly, people talk about competitive tension (without shopping term sheets). The difference between a $1 million valuation and a $10 million valuation is often more than a little arbitrary. During discussions about one startup buying another for equity, some absolute figures will almost certainly also be plucked out of the air. “We are worth X million, because of Y.” However, what the conversation ultimately reduces to is relative valuation. “We are three times as valuable as you, because of Z.”

Suppose acquired company A is bought by buying company B for newly issued stock in company B equal to 25% of company B (after the acquisition). In the share purchase agreement, a valuation will be ascribed to company A and also to company B.

Let’s suppose that company A is written as having a valuation of $500k and company B, before the acquisition, is written as having a valuation of $1.5 million. Because company A’s investors have 1-times preferred stock, this $500k valuation of company A would mean that investors are entitled to all the new equity issued by company B.

Let’s suppose instead that company A is written as having a valuation of $1 million and company B is written as having a valuation of $3 million. Then there would be no change to the deal structure. Company A’s shareholders would still get 25% of company B. However, company A’s investors would now get 12.5% of company B’s shares and company A’s founders would get 12.5% of company B’s shares.

Now let’s suppose that company A is written as having a valuation of $2 million and company B is written as having a valuation of $6 million. Again, there would be no change to the deal structure. In this case, however, company A’s investors would only get 6.25% of company B’s shares and company A’s founders would get 18.75% of company B’s shares—and the investor preference would not come into play.

With the same deal structure—with company A being bought for 25% of company B—it seems nonsensical to distribute proceeds to company A’s shareholders in the purely arbitrary ways illustrated above.

What ought really to happen, I propose, is that company A’s preference schedule should simply be carried over to the post-acquisition company B.

But does this not mean the buying company B would need to incur unnecessary costs to introduce preference details just for acquired company A’s shareholders? Not so. There is a very simple strategy, which I advocate. Company B buys all company A’s IP, assets, goodwill, team, etc. and in return company B issues shares to company A. At this point company A will now simply be a holding company for founder and investor interests in company B—to the extent that company A’s shareholders still own their shares in company A and company A now owns shares in company B. If company B exits in the future, company B will distribute proceeds to company A according to company B’s agreements, and company A will then distribute its received proceeds to company A’s shareholders according to company A’s preference schedule.

As an added benefit company B will not have to deal with the overhead associated with many new voting shareholders. By having a holding company look after the interests of company A’s shareholders in company B, company B needs only to manage one new shareholder after the acquisition.

Please tweet us your thoughts.

Thanks.

D