For anyone in any aspect of the programmatic video business—and if you’re reading this, this probably means you—understanding SIMID should be at the top of your To Do list right now.
We’re talking about the Secure Interactive Media Interface Definition, up for public comment until May 24. The IAB is aiming for this new standard to replace VPAID, at least for the ways VPAID is commonly used to deliver video advertising.
In short, the aim of SIMID is to provide the interactivity VPAID could, but without the security risks, with less latency, and without the loss of publisher control over the video player itself.
Whether SIMID delivers on those promises, at least in its current form, is less cut and dry. But before we get to that, let’s summarize what’s changing with this new standard.
Regarding Publishers
For many publishers, getting rid of VPAID has been a recurring dream the past few years.
Verification vendors had long used it as a quick way to measure viewability, which it wasn’t built for and which caused latency in the player.
It was built, in short, to be the boss of the player, which opened up security weak points. VAST 4.0 was supposed to take care of measurement, but broad industry adoption of VAST has been relatively slow.
Unpopular as VPAID may be, convenience overrides popularity—something has to handle interactivity.
The Goal
SIMID aims to become that “something.”
It allows for interactivity in video and audio ads—it separates the creative from the interactive layer, and it facilitates communication between the player and the interactive layer.
That separation allows publishers to implement server-side ad insertion and live streaming.
Also, it’s built for all environments including mobile and OTT.
The IAB has described it as “one of the assets listed in a VAST document.” (Meanwhile, the verification piece has been spun off into the Open Measurement Interface Definition, or OMID, and Open Measurement SDK.)
So how is SIMID positioned to be more secure than VPAID?
SIMID is built with sandboxing in mind, serving the creative inside a cross-origin iframe.
This would hand the publisher some important controls: Because SIMID can communicate only through the postMessage protocol, it does not have direct access to the DOM—and redirects have long exploited an easy path from the iframe to the DOM, which it can then take over and hijack the user’s session.
Unlike VPAID, SIMID is not the player’s boss—the player gets the upper hand.
If there is no recognized video file to play in the frame, the “creative” in that frame (which could simply be hazardous code) would not play.
It might sound as though SIMID is poised to end the scourge of redirects. But it’s not that simple.
The creative, which appears to be a real video file, could still contain untrusted, unverified and potentially harmful third-party JavaScript.
If the creative loads in a player that isn’t properly sandboxed, the bad script could still come through and redirect the user anyway.
Sandboxing, after all, is a highly customizable practice that can limit user interactivity with the creative in some cases—which is why some publishers have approached it cautiously.
Moving Forward
While SIMID is a step forward from the industry’s old ways, it doesn’t provide the air-tight across-the-board security publishers need for their inventory—at least not yet.
It still leaves the door open for security and user experience problems like auto-redirects and in-banner video.
Talk to your GeoEdge account rep today about how real-time blocking of security and quality risks can close the gaps SIMID leaves. Security is a difficult and risky game to play alone. Don’t leave everything to a new standard—leave it to an expert.
