UID2 oversight gaps: CTV publisher’s broken tokens went undetected for months

A serious nationwide related tv writer spent three months sending improperly encrypted Unified ID 2.0 tokens via programmatic bid requests. The Commerce Desk, which serves as the only real administrator of the UID2 protocol, by no means detected an issue. The writer mounted the error by itself – after which seen one thing equally troubling: adopting UID2 had made no measurable distinction to its advert income anyway.

The story, reported on Might 7, 2026 by AdExchanger journalist Anthony Vargas, places recent scrutiny on each the sensible mechanics of UID2 integration and the governance construction of an identification protocol that The Commerce Desk controls whereas concurrently utilizing to energy its personal demand-side platform.

The encryption error and the way it stayed hidden

The CTV writer supply, who contacted AdExchanger anonymously, defined that their organisation had resisted UID2 adoption for years. Tv and CTV platforms have historically relied on one-to-many focusing on strategies – family IDs and IP addresses – relatively than the email-address-based, one-to-one method that UID2 allows. After sustained strain from The Commerce Desk to incorporate different IDs in bid requests, the writer moved ahead with UID2, selecting to develop into a non-public operator relatively than delegating encryption to a public operator equivalent to The Commerce Desk itself or one other authorised third celebration.

Personal operators are chargeable for hashing and encrypting viewers knowledge – sometimes electronic mail addresses – to generate UID2 tokens themselves. A whole lot of publishers have taken on this function. The method entails particular cryptographic necessities, and the CTV writer’s crew made inadvertent errors throughout implementation.

Based on Waseem Basheer, SVP of engineering at The Commerce Desk, these errors would have produced UID2 tokens that have been irreconcilable for advert focusing on. “If one celebration is messing up the sign by mistake,” Basheer instructed AdExchanger, “then matching can be very tough to attain, lots of info can be misplaced in these indicators and you’ll not get the proper valuation of the [bid requests].”

Three months handed. The writer’s account representatives at The Commerce Desk offered optimistic suggestions for the writer starting to move the indicators. When the writer’s inside crew ultimately recognized the flaw and corrected the encryption, the account reps didn’t seem to note any distinction within the knowledge high quality both. Neither the damaged tokens nor their substitute prompted any remark from the DSP.

No income elevate – optimistic or adverse

What adopted the correction was arguably extra telling than the error itself. The writer reported no noticeable impression on advert income – no uplift from the mounted tokens, and no degradation in the course of the three months when unhealthy tokens have been flowing. That final result led the writer to conclude that advertisers have been merely not decisioning on UID2 in any respect, and have been as an alternative defaulting to legacy indicators already current in bid requests.

This creates a measurement drawback with structural roots. Based on the supply, The Commerce Desk doesn’t present publishers with reporting on which knowledge indicators patrons are literally transacting in opposition to. The corporate has instructed publishers it’s unable to supply such reporting due to the sheer variety of totally different indicators contained inside every particular person bid request. With out that transparency, publishers don’t have any mechanism to confirm whether or not investing in UID2 infrastructure is producing any business return.

The absence of a income sign is exactly what prevented TTD from detecting the error within the first place, based on Basheer. The Commerce Desk’s post-approval monitoring depends on detecting anomalies – uncommon fluctuations in demand that will recommend one thing had gone incorrect with a writer’s setup. “If there isn’t any anomaly, it is rather tough to establish the issue,” he mentioned.

How TTD describes its oversight function

Throughout the preliminary approval course of for personal operators, Samantha Jacobson, chief technique officer and EVP at The Commerce Desk, instructed AdExchanger that TTD conducts intensive vetting to verify a writer has the correct contracts and protocols in place to create UID2 tokens. The corporate additionally gives testing instruments for operators to examine their setups. Past that preliminary stage, nonetheless, oversight shifts to anomaly detection relatively than energetic monitoring.

Jacobson drew a agency distinction between TTD’s function as a DSP and its function as UID2 administrator. Publishers and advertisers, she mentioned, mustn’t count on TTD to catch errors in UID2 setups throughout its abnormal DSP operations, as a result of these two features are separate. Even when performing as UID2 administrator, she added, it will be impractical to decrypt each UID2 token in each bid request to confirm right implementation. “There may be nothing that requires any third celebration to sit down within the center and have a look at each single impression,” Jacobson mentioned, “as a result of that simply wouldn’t make sense given the amount of impressions which might be thought-about.”

The writer discovered these explanations inadequate. “Even when ‘administrator’ and ‘DSP’ are separate roles, they’re each roles owned by TTD’s enterprise,” the supply instructed AdExchanger.

A former Commerce Desk worker, who additionally spoke to AdExchanger anonymously, provided a extra pointed interpretation. As a DSP, they argued, TTD ought to have recognised that the writer’s UID2s weren’t driving the anticipated enhance in demand. If account representatives had examined the information behind advert transactions relatively than merely confirming that UID2 indicators have been being handed, they mentioned, the representatives would have seen that one thing was off. Moreover, within the administrator function, TTD holds the cryptographic key for reconciling encrypted UID2s between buy-side and sell-side programs with out exposing underlying personally identifiable info. If TTD have been truly making use of decryption on each relevant bid request – as would possibly moderately be anticipated of the protocol’s administrator – it will have recognised that the improperly encrypted tokens couldn’t be reconciled.

The governance drawback behind UID2

The twin function on the centre of this dispute – DSP and protocol administrator – has attracted criticism since UID2’s preliminary rollout in 2020. Some within the trade view the association as a structural battle of curiosity.

The Commerce Desk has tried to deal with this earlier than. The IAB Tech Lab was as soon as thought-about as a candidate for the UID2 administrator function however declined. Right this moment, based on Shailley Singh, COO and EVP of product at IAB Tech Lab, the organisation’s function is proscribed to making sure the UID2 protocol stays open supply. It workouts no oversight authority past that.

Prebid.org was additionally at one level thought-about as a possible UID2 operator – a job distinct from administrator. Based on Garett McGrath, chair of Prebid.org, the organisation would solely have accepted that function on the situation that TTD didn’t function administrator. When no third celebration agreed to tackle the administrator perform, Prebid declined to develop into an operator. McGrath was direct in regards to the reasoning. “Grading your individual homework, being answerable for that, appears slightly funky,” he instructed AdExchanger.

Jacobson acknowledged the priority however argued the non-public operator mannequin has helped tackle perceived conflicts of curiosity. She added that TTD would doubtless nonetheless be open to a third-party administrator if the proper candidate introduced itself.

The governance query has sensible implications that transcend this single writer’s integration error. The OpenTTD portal launched in March 2026 consolidates UID2 alongside EUID, OpenPass, OpenAds, and OpenPath below a single developer entry level – deepening TTD’s structural place as each infrastructure operator and market participant. Jeff Green’s $150 million bet on The Trade Desk features a thesis that corporations with deep knowledge infrastructure will accumulate essentially the most worth in an agentic promoting atmosphere. UID2 adoption figures are a part of that narrative.

Incentives and the bidstream

A number of sources who spoke to AdExchanger raised questions in regards to the incentives surrounding UID2 adoption knowledge. One buy-side supply speculated that bid requests containing UID2 tokens would possibly entice greater CPMs from patrons, which might in flip generate extra income for TTD’s DSP. Jacobson pushed again. Consumers sometimes come to TTD with mounted marketing campaign budgets relatively than goal impression volumes, she defined, which means greater CPMs on UID2-enriched impressions would cut back the variety of impressions purchased relatively than enhance TTD’s complete income from these campaigns.

The identical buy-side supply raised a second concern: that UID2s embedded in bid requests would possibly give TTD’s DSP a extra full image of bidding behaviour throughout the programmatic ecosystem, which could possibly be used to its benefit in auctions. Basheer acknowledged that UID2 is “a robust sign for us to base our decisioning on,” notably for cross-device identification decision. Jacobson famous that TTD derives related insights from different different IDs that the corporate doesn’t administer.

The previous Commerce Desk worker provided the sharpest framing. Based on this supply, UID2 adoption figures serve a company storytelling perform relatively than a business measurement perform. “The corporate is just not evaluating the precise impression of UID2 within the bidstream,” they instructed AdExchanger. Adoption progress, on this studying, exists to validate TTD CEO Jeff Inexperienced’s funding within the protocol and to keep up a public narrative across the ID’s momentum.

The Commerce Desk rejected that characterisation. “We’ve got had endorsement from the entire main broadcasters,” Jacobson mentioned. “The a whole bunch of contributors that not solely are utilizing it however have been public about their endorsement of it speaks to that.”

Broader issues about knowledge high quality in CTV

Everybody interviewed for the AdExchanger story – the writer, The Commerce Desk, and a number of outdoors sources – agreed that neither the writer nor its advertisers seem to have been materially harmed by the three-month interval of damaged tokens. Demand continued to movement. The advert market didn’t penalise the error.

However the episode pointed towards a wider concern. A number of sources raised the probability that some CTV publishers – notably these working FAST channels, which generally lack direct first-party entry to electronic mail logins – could possibly be producing UID2 tokens utilizing knowledge from third-party knowledge brokers or in any other case unreliable sources. These issues, the sources famous, lengthen past UID2 to the alt ID ecosystem throughout the CTV market extra broadly.

The CTV writer supply was direct about their general evaluation: “UID2s are giving a false sense of confidence in identification in an atmosphere the place there may be lots of rubbish knowledge going out and in, with a big quantity of opacity within the center that The Commerce Desk has purposely constructed to get rid of accountability. There is perhaps official knowledge there as nicely, however no person ever is aware of, since you can’t audit and you can’t observe it.”

Prebid’s McGrath provided a extra measured view. He didn’t see something essentially incorrect with TTD not decrypting each UID2 token it processes, and prompt three months is an inadequate window to attract agency conclusions. He agreed, nonetheless, that extra could possibly be completed to shore up oversight of the protocol.

The CTV writer, for his or her half, mentioned their motivation for elevating the difficulty was to not undermine UID2 or advocate for a competitor identification resolution. “I’m a official writer, so I hope they might construct a greater UID2, after which discover some scammers and eliminate them. [That way], there can be extra money within the market for my stock to be offered.” Their account of TTD’s response was much less encouraging. “At a senior stage, they’re like, ‘We’ve got our technique, and it’s important to get on board.'”

For the advertising neighborhood, the case illustrates a structural rigidity that runs via the present part of programmatic CTV promoting. As The Trade Desk’s growth has decelerated – 18% full-year in 2025, Q1 2026 steerage of $678 million implying roughly 10% progress – the corporate continues to quote UID2 adoption as a core indicator of platform well being. The Galileo first-party knowledge matching platform, launched in January 2023, was designed to work in live performance with UID2 to supply omnichannel identification throughout all publishers, platforms, and gadgets. All the business structure will depend on the premise that UID2 tokens within the bidstream are legitimate, consented, and matched in opposition to actual person indicators.

The CTV writer’s case suggests the structure has gaps – and that the mechanisms for detecting these gaps are much less sturdy than the market could have assumed.

IAB Europe’s programmatic CTV guide published in April 2026 documented that 466 distributors have registered to the Transparency and Consent Framework supporting the CTV atmosphere, and that 18 consent administration platforms are validated for CTV. The query this case raises is just not whether or not frameworks exist, however whether or not the information flowing via them is definitely being verified.

Timeline

• 2019: The Commerce Desk’s unique Unified ID resolution positive factors early SSP adoption, with BidSwitch and SpotX among first partners
• 2020: UID2 protocol launches; The Commerce Desk’s twin function as DSP and sole administrator attracts early criticism; Prebid.org declines to develop into a UID2 operator with out a third-party administrator
• January 2023: The Trade Desk launches Galileo, a first-party knowledge matching platform designed to work alongside UID2 for omnichannel identification decision
• 2024 (approx. early): The foremost nationwide CTV writer begins passing UID2 tokens in bid requests after years of strain from The Commerce Desk; encryption errors go undetected by TTD
• 2024 (approx. Q2): Writer identifies and corrects its personal encryption errors after roughly three months; stories no income impression from both the damaged or corrected tokens; TTD account reps make no touch upon the change
• February 12, 2025: The Trade Desk reports its first earnings miss in 33 quarters, triggering a 27% inventory decline and inside reorganisation
• August 27, 2025: Prebid.org disables cross-exchange transaction ID performance; The Commerce Desk responds with OpenAds, a forked version of Prebid
• February 25, 2026: The Trade Desk reports full-year 2025 revenue of $2.896 billion, with 18% progress decelerating from 26% in 2024; Q1 2026 steerage of $678 million implies roughly 10% progress
• February 28, 2026: FreeWheel publishes analysis warning IP-based CTV focusing on can miss 87% of households, highlighting broader identification reliability issues throughout programmatic CTV
• March 4, 2026: The Trade Desk launches OpenTTD, consolidating UID2, EUID, OpenPass, OpenAds, and OpenPath below a single developer portal
• April 2026: IAB Europe publishes its most detailed programmatic CTV guide to date, documenting 466 TCF-registered distributors and 18 validated CMPs for CTV environments
• Might 7, 2026: AdExchanger publishes investigation by Anthony Vargas detailing the CTV writer’s damaged UID2 integration and TTD’s failure to detect it; TTD confirms the errors would have made UID2 tokens ineffective for focusing on

Abstract

Who: A serious nationwide related tv writer (nameless), The Commerce Desk (DSP and sole UID2 administrator), represented by Waseem Basheer (SVP of engineering) and Samantha Jacobson (chief technique officer and EVP), together with Garett McGrath (chair of Prebid.org) and Shailley Singh (COO of IAB Tech Lab)

What: The writer made inadvertent encryption errors when producing UID2 tokens as a non-public operator, passing invalid tokens for roughly three months. The Commerce Desk, regardless of its twin function as DSP and UID2 administrator, didn’t detect the errors. After the writer self-corrected, it reported no measurable income impression from UID2 adoption both earlier than or after the repair – elevating questions in regards to the protocol’s business worth in CTV environments and the robustness of TTD’s oversight mechanisms

When: The mixing errors occurred in roughly early 2024 and ran for roughly three months earlier than the writer corrected them independently; the AdExchanger investigation was revealed on Might 7, 2026

The place: The CTV programmatic promoting ecosystem, particularly inside bid requests passing via The Commerce Desk’s DSP; The Commerce Desk is headquartered in Ventura, California and administers the UID2 protocol globally

Why: The case issues as a result of UID2 is the trade’s most generally adopted different identification resolution following third-party cookie deprecation, and The Commerce Desk is its sole administrator whereas concurrently working the DSP that transacts on it. If errors in non-public operator implementations can persist undetected for months with out business consequence – and with none reporting mechanism for publishers to confirm efficiency – the trade’s confidence in UID2 as a sturdy identification layer for CTV promoting could relaxation on assumptions which might be much less well-supported than its adoption figures recommend