Explaining SIMID – The Standard for Today’s Video Advertising Reality

In 2020, the IAB replaced the VPAID (Video Player Ad Interface Definition) standard for video advertising with two new standards. The first standard, which manages interactivity in a video ad, is SIMID (Secure Interactive Media Interface Definition). The second, for measurement and verification, is OMID (Open Measurement Interface Definition).

Why Did VPAID Need to Be Replaced with SIMID?

For a long time, verification companies had used VPAID as a shortcut to measure viewability in video ads. But VPAID wasn’t actually built for verification. VPAID was built to tell the player how to behave when a video ad is delivered to it. Its verification use cases offered a convenient option, but not the best solution for the task at hand.

VPAID also created a video ad security loophole that malvertisers exploited in order to deploy auto-redirects. In that loophole, the iframe where the video ad is delivered opens up a path to easily access the DOM (Document Object Model). The malicious code basically “jumps out” of the iframe, and then takes over the DOM and forces a redirect to an unsafe website — for example, a page that hosts a phishing scam, a prompt to download malware, an ecommerce store full of fraudulent or non-existent products, or fake news.

Auto-redirects create massive headaches for publishers, abruptly ending the user session, damaging the publisher site’s reputation among users, and preventing the publisher from fully monetizing the user’s session or overall lifetime value. For years, auto-redirects were the top ad security and quality issue for publishers, in the traditional display, video, and mobile ads, as well as other formats. A number of ad security and quality companies were founded specifically to detect and stop redirect code before it could reach the user.

Many publishers were less than happy with VPAID’s functionality and the way it was put into action, so the prospect of SIMID and OMID sounded promising.

What Does SIMID Do Differently?

By the IAB’s explanation, the industry needed to do better than VPAID. So, SIMID was developed to support interactivity with video ads in a secure environment, to support SSAI (server-side ad insertion, a/k/a ad stitching) and OTT environments, and to reduce latency. SIMID is an asset in the VAST document. It separates video ad creative itself from the interactive layer. That separation allows the publisher’s video player to control the video ad. Then SIMID allows the creative and the interactive layer to communicate.

Giving the player control is a key differentiator between SIMID and VPAID. For example, with SIMID, the player will not play a video ad creative file when it doesn’t recognize a video file it can play. That means it will prevent the player from mistaking a malicious payload embedded in code written to resemble real ad creative.

Meanwhile, the measurement side (which VPAID used to handle as well) is separated out into OMID and Open Measurement SDK. Initially, VAST 4.0 was supposed to handle measurement with VPAID. But after VAST 4.0 came out in 2016, the industry at large ended up being slow to adopt it.

Why SIMID Does Not Solve All Ad Security Problems

To enhance security in the video ad player, SIMID is built with sandboxing in mind. The creative is served inside a cross-origin iframe, with the understanding the publisher will sandbox the iframe for added security. SIMID communicates through postMessage protocol only — so it can’t access the DOM directly. There goes the security loophole malvertisers had exploited to hijack the user’s session with a redirect.

The problem is, SIMID does not “solve” redirects in total. The degree to which it prevents bad code from jumping out of the iframe still depends on which sandboxing measures the publisher has implemented. It’s still possible for a bad actor in the ad ecosystem to deploy a file that appears to be a real video file but still contains unverified JavaScript. Unverified JavaScript is a security risk, and can still access the DOM and force a redirect when the iframe is not sandboxed in just the right way.

Why wouldn’t publishers just sandbox all their video iframes “the right way” and allow SIMD to work the way it’s intended? Well, sandboxing, for all of its security-related benefits, may limit the user’s ability to interact with the video ad creative. In fact, sandboxing may disable click-throughs on the ad entirely, or interfere with the performance of other ad units on the page. Many publishers are wary about locking down their iframes as firmly as sandboxing can allow, because they don’t want to negatively affect the creative’s performance and interactivity.

So, SIMID does not stop redirects on its own, nor does SIMID alone keep out IBV (in-banner video, which is popular among arbitrageurs in the video ad space). Publishers are advised to implement ad security and quality tools along with SIMID, so they can have the best ad performance and security. Publishers using SIMID should look to ad security and quality partners that can offer real-time protection against unsafe and undesirable video ads, including redirects, IBV, and cloaked attacks.