Google search ads spotted in compromising placements

Research delving into a less visible component of Google's search ads business -- a network of third-party sites called Google Search Partners (also known as the GSP network or SPN) -- has documented scores of instances of Google search ads being served on non-Google websites that the media buyers paying for the marketing campaigns probably weren't bargaining for. Such as hardcore pornography websites; sites hosting large amounts of pirated content; and websites of companies located in countries such as Iran and Russia that may be under sanctions by the U.S. government.

The report -- whose title poses the question: "Does a lack of transparency create brand safety concerns for search advertisers?" -- also found instances of search ads bought from Google being served on Breitbart.com, a news website that espouses far-right views, despite brands in question having taken steps to avoid their ads appearing on the site, such as adding it to an ad blacklist.

Screengrab from the report apparently showing BMW ads displayed on Breitbart. Image Credits: Adalytics

"This raises the possibility that ads were served on websites and publishers despite the brand’s deliberate efforts to ensure brand safety and control over their media investments," writes Adalytics, an ad analytics firm that is behind the study of the GSP network, discussing an example involving "a major Fortune 500 brand" client whose Google search ads not only appeared on Breitbart (despite it having the site on a blocklist) -- but, per the report, were also being served on "pirated content sites, hardcore pornographic sites, and hundreds of putatative Iranian websites, which may potentially be under US Treasury Office of Foreign Assets (OFAC) sanctions."

Advertisers running search ads on Google (i.e., that appear on Google's own search engine results pages in response to user inputted keywords) are, by default, opted into this additional ad display network that Google monetizes -- which is composed of third-party websites, including those that have embedded Google's custom search widget and not opted out of displaying its search ads (such as by paying a fee to use the custom search widget ad-free). This means ads running on the GSP network can appear on all sorts of sites around the web.

The GSP network is by no means a new feature of Google's ad business. It appears to be around two decades old at this point -- with references dating back a couple of decades (e.g., here's one from April 2003 that discusses how Google's search ads, then called AdWords, can also be displayed on "a growing network of partner sites").

But at some point over the last several years, Google appears to have flipped a switch that started defaulting advertisers into the GSP network -- whereas, previously, it may have required an active opt in. (See, for example, this Search Engine Land post from 2016 -- which describes an active step being required at that time: "To target users searching on these partner sites, advertisers need only check a box in campaign settings to 'include search partners.'")

This means advertisers buying a Search or Shopping campaign within Google Ads must actively opt out of the Search Partner Network or else their ads might be served to non-Google sites.

Down the adtech rabbit hole . . .

Google does not publish -- and apparently never has -- a comprehensive list of third-party sites participating in its search partners ad network. But using publicly available information and "open source methodologies," including searching for a piece of JavaScript code that websites can use to embed Google's custom search widget, Adalytics says it was able to identify thousands of sites that are (or have been) in the GSP network.

It used additional technical analysis and manual verification to confirm a subset of the sites were running Google search ads -- and its report focuses on sites that appear to fall outside Google's T&Cs for participating as a GSP. Such as the aforementioned hardcore porn sites; sites hosting substantial amounts of copyright-violating material; and websites whose operators are located in countries such as Iran where U.S. sanctions may apply.

Google's Publisher Policies, which its search partners are required to adhere to, do not permit ads being served alongside content that infringes copyright or is graphically sexual. The T&Cs also stress Google must comply with "sanctions and export controls maintained by the United States Treasury Department’s Office of Foreign Assets Control” -- going on to stipulate its ad products are therefore not available to publishers in sanctioned countries or territories, including Iran.

Google's publisher terms also bar GSPs from using deceptive tactics like redirects and pre-scripted searches in a bid try to manipulate the display of search ads.

Yet Adalytics was able to document scores of instances of GSPs that appear to be in breach of one or more of these rules being able to serve Google search ads -- raising questions about the adtech giant's enforcement of its own publisher policies on this third party network it monetizes.

Adalytics also contends it was able to identify examples of controversial sites featured in its report that had been set up to run Google's adtech in a way that potentially allowed them to earn a revenue share from Google on any search ad clicks.

Image Credits: Adalytics

Since Google does not provide advertisers with a list of the entities that participate in the GSP, nor does it appear to allow ad customers to use techniques such as independent third-party verification pixels or JavaScript tags to independently monitor where their ads are being served, it is not obvious how Google's ad customers could take proactive steps to verify that their marketing is not being shown in places where it shouldn't. (Although Google claims its customers can request an SPN report from their account manager to get visibility on where on this third-party network their ads ran after the fact.)

Hence why Adalytics' report poses the question of whether greater transparency is needed on this less visible corner of the mainstream search ad market.

One caveat to note: Adalytics' motivations to undertake the research are not free of self-interest, given it's a for-profit company whose own business is centered on selling analytics services to media buyers -- via a self-styled "ad quality and transparency platform." So it might stand to profit from negative publicity about Google, including any hike in concern around use of its ad tools. (And Google's response to the findings -- see below for its statement -- takes the form of just such an attack on Adalytics' motives.)

Digging into the report a bit more, out of 51,280 different websites that Adalytics found had embedded the Google Custom Search engine JavaScript on their pages at some point in time, it said 46,773 were associated with Google's custom search engine loading -- 36,612 of which appeared to have "some evidence" of search ads being served on them currently or at some point in the past. It also found a subset "of at least 6,414" sites that appeared to have linked publisher AdSense IDs.

Detailing more of its findings, it writes:

The GSP data-set Adalytics has amassed and analyzed for this study is clearly just a snapshot in time -- or "sample" as the report puts it -- of the ad network; and of ads that might appear via partner third-party sites. This is why it characterizes the study as "exploratory" in nature. (The embargoed version of the report TechCrunch reviewed also did not attempt to calculate how much revenue might have been generated by identified GSPs -- which looks to be beyond the scope of the external study, not least given Google search partners would be paid per (ad) click, not simply for displaying Google search ads.)

It's also clear that just because an ad could be observed in response to a keyword typed into a Google search widget embedded on a GSP site does not mean such ads were necessarily served there outside of Adalytics' tests (i.e., via the usual flow of site usage). Whether visitors to any of the GSP-participating porn sites cited in the report, for instance, would be likely to use the search function to look for "FBI careers," say, or even input a paid-for search ad keyword like "buy diapers" seems rather improbable. (Then again, who knows what some of the visitors to porn sites might be searching for!) But the research at least demonstrates the possibility of paid marketing being shown in places that fall explicitly outside Google's publisher T&Cs.

One of Adalytics' findings -- that Google search ads paid for by public bodies like the U.S. Treasury appeared on the websites of companies located in Iran and Russia, including on sites of some companies from these countries that, per the report, are under direct OFAC sanctions -- such as the Tehran-based Iranian Allow Steel Company, or IASCO -- looks particularly uncomfortable for the adtech giant. Although Google claims no ad revenue was shared with any identified sanction entity.

Image Credits: Adalytics

Responding to Adalytics' report, U.S. senator Mark Warner dubbed it the "final straw" for action on long-standing ad fraud and safety concerns. “For over eight years now I have raised grave concerns with the FTC and the Department of Justice over the extent to which digital advertising intermediaries maintain a concentrated ecosystem rife with fraud. The monetization of sanctioned entities' websites should be the final straw for the government to take action to clean up this market,” he told TechCrunch via email.

Examples of official funding ads for politicians being shown served alongside hardcore porn (see our sample screengrab below, featuring fundraising ads for Republican Congressman Mike Johnson in a compromising placement on a Russian porn site) are also likely to cause policymakers to sit up and take notice.

Compromising placements

Adalytics' report contains a long list of the advertisers whose Google search ads it reports being able to observe displayed on U.S. Treasury OFAC SDN sanctioned, Iranian, and/or pornographic websites -- including the following public bodies, companies, organizations and politicians:

The United States Treasury; the European Commission; political fundraising search ad campaigns for Senator Ted Cruz, Senator Amy Klobuchar, Congressman David Trone, Congresswoman Lauren Boebert, House Minority Speaker Hakeem Jeffries, the National Republican Senatorial Committee (NRSC), Republican National Committee (RNC), the Democratic Legislative Campaign Committee (DLCC), and the Democratic Congressional Campaign Committee (DCCC); the U.S. Department of Homeland Security, Federal Bureau of Investigation (FBI), U.S. Secret Service, Department of Defense (Military OneSource), U.S. Intelligence Community, National Security Agency (NSA), General Services Administration (GSA), and U.S. Centers for Medicare & Medicaid Services (healthcare.gov); U.S. Army, Air Force, Coast Guard, National Guard, Space Force, the British Royal Air Force, the Dutch Ministry of Defense, and the Belgian Ministry of Defense; hundreds of major and Fortune 500 brands, including Apple, Lego, Deloitte, Accenture, KPMG, Microsoft, Amazon, BMW, Home Depot, Uber, Google, Meta, Samsung, Paramount+, TikTok, Pinterest, Snap Chat, and Snowflake; adtech vendors such as Human Security & DoubleVerify; nonprofits such as United Jewish Appeal, International Fellowship of Christians and Jews, One for Israel, American Cancer Society, St. Jude Children's Research Hospital, Save the Children, and the British Heart Foundation; several major media publishers, such as the Wall Street Journal, New York Times, Washington Post, The Guardian, The Financial Times, The Globe & Mail, The Economist, Business Insider, USA Today, Axios, Hearst Magazines, and Morning Brew.

If you read that list closely, you'll have noticed that Google's own search ads were even spotted by Adalytics in compromising placements -- which begs the question whether Google's ad buyers even know how Google's adtech works?

On reviewing the report, Laura Edelson, an assistant professor of computer science at Northeastern University whose research interests include algorithmic auditing and transparency, agrees it appears as if Google may not even have a full view of what's going on inside its ads black box. "I don't think that anyone at Google thinks, you know, 'aha, what a great place to run our ads -- an Iranian-state owned enterprise!' That is not true. So, clearly, they do not have visibility into how their own systems work," she suggested.

"I don't know if that lack of visibility is intentional or not. But, one way or another, they have lost the ability to verify their own compliance with U.S. law. And so I think that's where if they cannot do this -- and they've demonstrated they can't -- they certainly need to give advertisers, at a minimum, the ability to verify that advertisers are not violating U.S. law."

Google's third-party ad network may be less well known (and visible) than search ads running on Google.com and other Google-owned domains but the GSP has been criticized as a black box risk before. "The biggest downside is the lack of transparency and control," wrote Search Engine Journal in an article published last year that proposed to bust some "misconceptions" about the GSP (such as advertisers mistakenly assuming the network would only serve their ads on smaller search engines using Google's index). "There is limited data about where your ads are displayed and you can’t prevent ads from displaying in placements with poor performance or controversial content," the author, marketing consultant Amy Bishop, also warned at the time.

Adalytics' research goes further than informed concerns over potential risks for advertisers -- by highlighting multiple, concrete instances where it was able to trigger the display of ads in places where buyers of these campaigns are unlikely to have wanted them to appear. (And, certainly, where Google's own publisher T&Cs clearly seem to prohibit display.)

TechCrunch was able to re-create some of Adalytics' findings. For example we observed Google Search Partner ads for consumers goods (diaper brand Charlie Banana); luxury brands (Prada, Burberry); political campaign funding campaigns (Mike Johnson, see screengrab below; Amy Klobuchar); and entertainment and media companies (Disney, the FT, the WSJ) being served through a Google search widget embedded on a number of adult content websites -- with obvious reputational risk for associated advertisers. (And, as noted above, per Adalytics the list of brands and advertisers exposed to this risk is a lot longer than the handful of examples we directly observed.)

An ad for Congressman Mike Johnson showing on a Russian porn website alongside a NSFW pop-over that the site displayed next to Johnson's ads which we've pixelated for viewer safety. Screengrab: TechCrunch

During testing, we were also repeatedly served pre-scripted search queries on (random) topics on pop-unders triggered when we clicked on the Google-powered search widget embedded on a number of adult content websites. (Note we did not have to type anything in the search box for this to happen -- a simple click on the embedded widget triggered a pre-filled search query that was opened in a separate, concealed [pop-under] browser tab.)

Examples of pre-filled search queries we were served in this way included "seo audit services," "companion pet insurance" (see below screengrab) and "dmp program" -- topics that are entirely unrelated to the contents of the porn site serving them but appear to be popular keyword terms for buyers of Google's search ads.

The latter two pre-filled search queries returned links to Google search ads for insurance firms Fannie Mae and Felix Cat Insurance (see below), among others.

Example of a pop-under, pre-filled with the search term "companion pet insurance," which was served by an Iranian porn website (visible in the browser tab to the left) after we clicked on an embedded Google search widget. Screengrab: TechCrunch

These pre-filled pop-unders look like naked instances of attempted ad fraud by a GSP -- where users of the porn site in question would not even have typed a relevant query to trigger the display of search ads. (Presumably the intent is that the user will subsequently, either accidentally and/or out of curiosity, click on one of the ad links and, in so doing, generate ad revenue for the publisher.)

The automatic redirect being deployed in the above instance was to the following URL: “search.howtolosebellyfat.shop/search/” -- the choice of term used in the link presumably also selected for its potential to lure attention -- a web property that Adalytics' report confirms uses the Google Custom Search Engine.

It's worth noting that we were unable to reproduce (nor did we attempt) all of Adalytics' findings -- for example, searches we tried on some of the flagged GSP websites for a number of major consumers goods brands (including Apple) did not yield display of their Google search ads. Whereas Adalytics says it was able to trigger Apple ads in problematic spots.

Image Credits: Adalytics

Its report, which runs to 219 pages, contains scores of screenshot examples featuring major brands -- including an instance of Apple search ads being served on gpsm.ru, a Russian website Adalytics notes is explicitly mentioned on the OFAC SDN sanctions list; and another of Apple search ads being served on iasco.ir, the aforementioned Iranian steel company's website it says is also explicitly on the OFAC SDN sanctions list. It also recorded several instances of Apple iPhone search ads being served on adult content websites.

Adalytics suggests discrepancies between the search ads it was able to observe and document in the report vs what we could verify subsequently, via our own testing, could be related to the fact of its research bringing the brand safety issues to light. It posits that the report, which was shared under embargo ahead of publication with a number of its industry contacts, as well as with journalists, may have been passed to affected advertisers and/or to Google -- which could have led to implicated actors doing damage limitation by curbing display of their search ads to problematic sites (such as by opting out of the GSP) ahead of the report going live.

"We already see sites being taken down/de-monitized," Adalytics founder Krzysztof Franaszek told us last week.

Once Google was informed of Adalytics' upcoming research Franaszek also reported further instances of sites identified in the report having their search ads (and, indeed, their embedded search functionality via Google's widget) blocked server side -- including adult content sites pornobaza24.top, Forum Porn and comixxx.pro. (Google subsequently confirmed to us it had taken action to remove sites violating its publisher T&Cs against adult content once it was made aware of them.)

Ad campaigns can (and do) also change. So it's possible some of the ad campaigns that were running on GSP when Adalytics carried out its tests were no longer live when we checked -- such as, for example, if an advertiser's campaign budget had already been maxed out.

For the record, in our tests last week, we were unable to reproduce Adalytics' findings related to ads being shown on the website of the sanctioned Iranian alloy steel company mentioned in the report -- such as FBI and U.S. Army jobs ads. We also couldn't reproduce its finding of U.S. Treasury (aka U.S. Mint) ads being shown on the website of a Russian company that's under U.S. Treasury OFAC sanctions under U.S. Presidential Executive Order 13685.

But we were able to observe FBI jobs ads being served on a Iranian website called Arshad Sara (see screengrab below). We also observed FBI careers ads being served on the far right news website, Breitbart.com.

An ad for FBI career opportunities being served on an Iranian website. Screengrab: TechCrunch

Reached for a response to problematic placements of its ads documented in the report, a spokesperson for the FBI declined comment -- saying we should direct questions to Google "regarding its platform and systems."

"High-level vetting failure"

"When I look at this report, the first question I ask is why is this happening? And what it really looks like is that whatever due diligence process that Google has for the program to run these ads, clearly, the vetting is not working," Edelson continued in a phone call with TechCrunch to discuss Adalytics' findings. "There are websites on here that are the websites of directly sanctioned entities -- and, here, I'm thinking particularly of the Iranian state-owned enterprises -- so that is just incredibly clear cut. There's no way maybe someone misunderstood what that website was. It's not really borderline. That's just a matter of U.S. law. There's actually no getting around it.

"There are other websites where Google has made representations to advertisers about where their ads will and will not appeal. And, clearly, the process to verify that is not working either. And this is why it really appears to me to be a very high-level failure of vetting on Google's part."

"Google makes a lot of representations that advertisers and users should trust us," she added. "But I think this is where you really see the problem of the lack of transparency of their systems. Because they're asking people to trust them and clearly, clearly, that trust is not warranted.

"Not again, when entities which are on a U.S. sanctions list are able to run Google search ads. So I think that's where something in their processes has clearly gone very wrong. And if Google wants to start rebuilding trust with the U.S. government, with the public, with advertisers, they need to be a heck of a lot more transparent around where their ads are running, who their partners are, and who they're doing business with. Because whatever vetting they're doing has clearly broken down on a very deep level."

The findings could force regulators to rethink their hands-off approach to the adtech sector, suggests Edelson -- who previously served as chief technologist in the U.S. Department of Justice Antitrust Division. "The credulity that regulators have given tech companies -- it's no longer sustainable," she argued. "We're not talking about a niche player making a very obvious mistake, as this is; we're talking about the largest distributor of ads in the world.

"If Google can't get this right, if Google is not getting this right -- and let me say that: Google could get this right, they're just not -- that's where Google has decided, somewhere along the line, they didn't invest the money they should have invested in compliance. And these very obvious kinds of mistakes are happening."

"The black box of adtech has meant that companies just haven't had to invest a lot of time and money in regulatory compliance. I know they talk about how much they do . . . but whatever they're doing it's not working. And they've been able to hide that because of a lack of transparency of all kinds of adtech systems and that's where we need to start demanding transparency.

"Regulators need to demand transparency, advertisers need to demand transparency. Of course advertisers have very little power in this equation. So that's where, I think very clearly, regulators need to step in."

"This is where you really start to see the power that Google as a dominant firm, can exact on the ad market," Edelson also told us. "Because if you talk to advertisers, and say, hey, are you happy with the lack of transparency that Google provides? Are you happy not knowing where your ads run? I challenge you to find someone who says yes. . . . This is not something that customers want. This is something that Google has the power to decree -- because advertisers don't really have a choice."

Asked whether the findings suggest there's been a failure by antitrust regulators to tackle the scale of the power imbalance in the adtech market Google has dominated for decades, she responded by describing it as "certainly a consequence of when antitrust enforcement is not brought to bear on a market that has clearly gone wrong."

"I think it gives weight, at least, to antitrust enforcement, that is currently in progress," she also said.

"If you want to say what is the cost to advertisers, what is the cost to consumers of Google's very dominant position in this market, it is not only measurable in prices," she added, referencing the standard of harm competition authorities have traditionally focused on. "It's measurable in things like this -- that [could] lead to us sending dollars to the Iranian government. I think that that's a cost beyond, you know, fractions of a penny to advertisers -- a cost that all of society bears and we should think very carefully about."

For its part, as well as claiming it can find no evidence of ad revenue being shared with sanction entities identified in the report, Google says it's committed to complying with all applicable sanctions. Although it also suggests it's been challenging to keep up with the rate at which Russian parties specifically have been added to sanctions lists since the invasion of Ukraine in February 2022. (On ads, Google also says it has paused ads serving in Russia since the Ukraine invasion -- including for Programmable Search Engine [ProSE] with Adsense for Search, which implies it's not currently possible for Russian entities to generate ad revenue via Google's partner programs.)

The adtech giant also told us it maintains a variety of measures to prevent, detect, and remediate unauthorized abuses of its services that violate its policies, including sanctions policies -- without providing any detail on the types of measures it applies. 

Google's publisher terms, meanwhile, are written in such as way as to imply an outsourcing of compliance responsibilities by requiring advertisers and publishers to affirm compliance with applicable sanctions and export regulations -- and to agree to not cause Google to violate these regulations. If it finds an account that violates its policies Google adds that it takes action to revoke access to its tools.

Brand safety and bot fraud in the frame

Also discussing Adalytics' findings in a call with TechCrunch, Jamie Barnard, CEO of Compliant, a SaaS pitching brands and digital media buyers on tools to support compliance across the media supply chain, predicts the report will trigger a wave of advertisers (at least temporarily) turning off Google search ads as a contingency measure -- to shrink their immediate risk of exposure to reputational concerns while they assess next steps.

"Ordinarily, I think, brands would have assumed a degree of brand safety -- because, essentially, Google is running that. But, if Adalytics' research is right, then there are clearly sites -- and not just one or two but scores of sites -- within the Google Search Partner Network which advertisers would not want to buy media on," he told us. "When the report is published brands' first question is going to be have we switched off the Google Search Partner Network? If we haven't, then we need to switch it off immediately while we investigate the potential safety risks."

"This is a brand safety issue fundamentally," Barnard added. "An issue of transparency and brand safety -- and quite a serious issue. There are unintended consequences of buying on Google search."

There's a further risk for Google's media buyers to consider, which he also highlights -- related to an automated ad campaign type Google offers that utilizes its AI technologies to design, target and serve out customers' marketing across its suite of online properties. This product, which is called Performance Max (or PMax), lets customers run a single ad campaign across all Google's ad inventory -- including search ads. And including the GSP.

Currently, there appears to be no way for media buyers of PMax campaigns to opt out of the GSP.  So the report raises an apparently unavoidable reputational risk for customers of Google's fully automated ad offering.

"There are implications for brands using Performance Max ads. Or at least considerations," suggested Barnard. "It's an alarming situation for an advertiser. So I would imagine they will seriously have to rethink their next move. . . . The fundamental issue here is it's black box media. . . . Because you don't know who's in the [GSP] network, and you can't verify who's in the network after your ads run, then you're compromised. You have no idea where your ads are going to go."

The research could force Google to -- at least -- provide more transparency for advertisers over where their ads are running in order to assuage brand safety concerns, Barnard went on to suggest. "Otherwise, advertisers will simply opt out," he predicted.

He raises additional concerns about how Google designs the choices it offers advertisers -- saying he already knows of a number of advertisers who have opted out of Google search ads over brand safety concerns only to be opted back, inadvertently, via PMax. While, even for more vanilla Google search ad campaigns (i.e., that aren't submitting to Google's fully automated solution), he describes the process of opting out of the GSP as "still quite hard."

"I imagine there will be scores of advertisers out there who didn't know that they were opted in [to the GSP]; don't understand the Search Partner network; have no idea who's in it; think that they're buying media on Google websites," he suggested. "In fact, a lot of their media will be appearing on non-Google sites. And not just non-Google websites -- evidently non-Google websites that you wouldn't want to be buying media on. And this is not just global multinationals; any local sole trader who's buying Google Search [ads] to promote their local businesses was probably expecting to appear [only] on Google's websites."

How Google designs these choices for ad buyers could attract attention from regulators in the European Union, he posits -- noting: "The European Commission is getting deeply concerned about dark patterns in general."

"I think the most likely place that action will happen next is Europe," Edelson also predicted on the likelihood of regulators stepping in.

The Commission oversees Google's compliance with two recently implemented updates to the bloc's rulebook for web firms: Namely the Digital Services Act (DSA), where Google Search has been designated a very large online search engine (VLOSE), meaning it's subject to rules, including algorithmic transparency and accountability provisions; and measures combating the use of unfair dark patterns; and the Digital Markets Act (DMA), where Google is designed as a gatekeeper and regulated core platform services include its ads delivery system and search engine.

The EU has extensive powers to sanction violators of these regimes, including the ability to levy fines of up to 6% or 10% (or even more) of global annual turnover, respectively. Although the deadline for gatekeepers to comply with the DMA doesn't kick in until early March. But the DSA has been in force on VLOSE since late August.

The bloc's lawmakers are also in the process of hammering out agreement on a risk-based framework for applications of AI, which the Commission proposed back in April 2021. Where adtech uses of AI should fall on the planned high risk (i.e., triggering some legal obligations) or low risk (just self regulation) axis is one question Adalytics' findings might help to reframe. As it stands, the draft EU AI Act doesn't look like it would do much to put guardrails on ad placement algorithms.

Responding to concerns highlighted by Adalytics' research, EU lawmaker Paul Tang, a member of the European Parliament, urged the bloc's regulators to bust out powers they already have as a result of their new oversight role on Big Tech -- calling for them to audit Google's ad algorithms. "Google's advertising algorithms demand scrutiny," he told TechCrunch. "The EU Commission must wield its audit powers to demand transparency and accountability about the secret $10.5BN* in ad spend every year through PMax and other ad bidding algorithms."

Offering an industry perspective, Giovanni Sollazzo, CEO of demand side platform Aidem -- which bills itself as a "privacy-first," safety-focused DSP (and also claims to differentiate its offering by delivering "radical transparency" for its ad-buying customers) -- describes Google’s push into "fully automated AI" (aka PMax) "without any oversight capabilities" as "a nightmare."

"It should be impossible to place ads on websites affiliated with nations and entities under US sanctions, such as Russia and Iran," said Sollazzo, responding to questions via email. "The fact that this is happening without advertisers’ knowledge point to a deficit in monitoring and reporting capabilities provided by Google."

"If I were the FTC/DOJ, I would investigate how Google's defaults are enabling this whole mess; and Google’s market dominance allow Google to push it to unwilling advertisers," he added.

Aidem was already not running GSP ads due to the lack of reporting transparency clashing with company policy, per Sollazzo. "We never run ads without placement level reporting, and GSP provided no domains report," he noted, adding: "As additional step, we have advised all our clients to stop all PMax campaigns due to the concern of having GSP hidden in the PMax mix."

Steps he suggests Google could take to clean up shrink brand safety risks with the GSP include reverting it to opt-in, instead of opt-out across all Google Ads -- including PMax. It could also require publisher KYC (Know Your Customer) before placing ads on GSP when there's no linked AdSense account to the publisher GSP account. Additionally Sollazzo calls for "full transparency with advertisers about domains where their ads are placed; and providing domain blocklists capabilities"; as well as: "A comprehensive audit of the GSP network to identify and remove any publishers that violate the brand safety guidelines or are on sanction lists."

Media buyer Robert Kadar, a senior director of marketing at Yeshiva University, also didn't sound surprised after reviewing Adalytics' findings. But he points out that Google is not alone in offering a third-party ad network in a bid to extend the reach and revenue generating potential of its ad business.

"I turn off all 'network' and 'partner' placements across all ad platforms. Google, Meta, and LinkedIn all provide the option of placing your ads outside their ecosystems so the advertiser can reach larger audiences. The problem, as these platforms must be aware of, is that bad actors game the system using websites combined with bots and click farms to gain ad revenue," he told TechCrunch via email.

"Bots not only click ads, they also fill lead forms. The deeper problem is that the advertiser gets fake phenomenal results -- meaning huge amount of cheap clicks, leads and great click through rates that never convert to customers -- creating a negative feedback loop between bad actors where everyone is incentivized to continue the chain of fraud."

"The people hurt by this are the business owners who want to build an authentic brand and grow sales from ads," Kadar suggested, adding: "Google entices the advertiser to use networks because according to them it will deliver better results. Not giving the advertiser transparency on where your ads appear is wrong. Google should provide brand and bot safety, and eliminate the opportunities for ads to be gamed. I doubt that there is an incentive for Google and other platforms to eliminate 'network' placements because it is extremely lucrative for them.

"The more people that realize the problem, the ad platforms will be less incentivized to do the wrong thing."

Google responds

Google was contacted for a response to Adalytics' findings. We also sent it a long list of questions regarding the GSP -- such as whether it manually vets partners and its approach to enforcing its publisher policies on these third parties. We also asked how much revenue the GSP generates and requested data on how many partners it has removed from the network for violating its policies in recent years.

The adtech giant did not directly engage with any of our questions. Instead it responded with the following statement, attributed to Dan Taylor, its VP of global ads:

In further attributable background remarks briefed to TechCrunch, Google confirmed that AdSense publishers which use ProSE may apply to it to claim a revenue share -- meaning there could be instances of ProSE users earning ad revenue. But, of the examples shared with it ahead of the report's publication, it claimed virtually none of the sites identified by Adalytics had the ability to earn a revenue share for clicks on ads displayed on their sites. (So some of the sites in the report presumably could earn ad revenue.)

As well as attacking the credibility of Adalytics, Google sought to play down the significance of its research by contending that ProSE represents a tiny piece of the SPN. The majority of impressions on the SPN come from popular sites like YouTube, according to Google. It further claimed that for an average ad campaign which includes SPN in its reach the spend lands overwhelmingly on Google Search, not on the third party network.

Google did not respond to questions about how much revenue it generates from the SPN.

Its spokespeople were unable to confirm whether or not the use of its ad-supported search widget by sanctioned Iranian entities would, in itself, constitute a breach of its publisher T&Cs -- that is, regardless of Google's contention that no ad revenue generation was shared with the sanctioned entities as these Iranian sites were using ProSE without AdSense.

*Adalytics briefed contacts with a guesstimate figure of $10.5 billion for the amount of revenue Google might generate through the GSP, which is what Tang is referring to here. It said it extrapolated this figure based on a large set of search ad campaign data it received from brands it audited -- which allowed it to determine what percentage of their ad spend went to the GSP network when they ran a search campaign. It then says it applied that as a multiple to Google's annual search ads revenue for 2022 ($162.45 billion) -- which was disclosed in a public SEC filing -- doing a multiplication of the percentage spent on the GSP x Google's total annual search revenue to arrive at an estimate of how much revenue might be going to the GSP

This report was updated with a correction to a job title: We originally cited Robert Kadar as director of marketing for the City University of New York; he's since moved on to become senior director of marketing at Yeshiva University