The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Senate ‘Malvertising’ Hearing

The Permanent Subcommittee of the Senate Committee on Homeland Security & Governmental Affairs held a hearing last week on the findings of its ‘Online Advertising and Hidden Hazards to Consumer Security and Data Privacy’ report.
In his introductory remarks, Senator John McCain (R-AZ) noted that online advertising is now more profitable than broadcast television advertising. Indeed, online advertising revenue was $42.8 billion in 2013, almost $3 billion more than television advertising.

At the same time, ‘malvertising’ increased over 200% in 2013 to over 209,000 incidents, generating over 12.4 billion malicious ad impressions (Testimony of Craig D. Spiezle, Executive Director & Founder of Online Trust Alliance).

Online advertisements may be used as a vehicle to install malicious software on users’ computers. The software then steals personal information or attacks other computers, most of the time without the user even knowing that his computer has been infected.

Online advertisements are a serious security threat for consumers, yet most consumers are not aware of this issue. During the question session, Mr. Spiezle noted that the issue has been kept quiet for several years. Senator McCaskill (D-MI) reminded panelists that online advertising is the backbone of the Internet economy, yet consumers have not been sufficiently informed that their data is what fuels this economy. Maneesha Mithal, Associate Director, Division of Privacy and Identity Protection at the FTC, stated that the FTC informs consumers about online privacy on its OnGuard online site.

Who is Responsible?

What should be the responsibility of online advertising companies such as Google and Yahoo!? Senator McCain believes that they “have a responsibility to help protect consumers from the potentially harmful effects of the advertisements they deliver.” However, they do not directly control the advertisements, and as many as five or six companies can be involved in the process of publishing an ad, which makes it quite difficult to find which companies are responsible for having let the malware be installed.

Also, Senator McCain noted that “commercial actors have limited incentives to develop and institute security measures for fear of becoming the liable party if something goes wrong.” However, the representatives of Google and Yahoo! emphasized that their companies have an incentive to fight malvertising in order to retain their customers’ trust.
Senator McCain asked Alex Stamos, Chief Information Security Officer at Yahoo!, if the site was responsible for malware, to which Mr. Stamos answered that Yahoo! takes responsibility for its users’ safety. Pushing further, Senator McCain then asked Mr. Stamos if Yahoo! would reimburse a user whose bank account has been depleted through malware encountered on a Yahoo! site, but Mr. Stamos did not believe that Yahoo! has such responsibility.

Possible Solutions

George F. Salem, Senior Product Manager at Google, testified that his company has a two-pronged approach to fighting malware: preventing users from even visiting sites infested with malware and disabling ads which have malware. He also noted that consumers should be careful about downloads, always use the latest version of their browser and also install up-to-date antivirus software, a view shared by Ms. Mithal.

Senator McCain also noted that “another problem in the current online advertising industry is the lack of meaningful standards for security” and expressed frustration that Google and Yahoo!, similar companies as they are, could not have the same best practice standards and implement them the same way, as they face the same problems.

Senator McCain asked Ms. Mithal what could be the solutions to malvertising. She answered that increasing consumer education, having more robust industry self-regulation and also more enforcement would be key. Indeed, the FTC has already brought some enforcement actions against companies involved in online advertising for deceptive practices. Ms. Mithal stressed that there should be enforcement against the purveyor of malware but also against third parties which let the purveyor go by.

What’s Next?

Several online advertising companies, including Google and Yahoo, announced a new initiative called Trust in Ads that has as its goal the protection of consumers from malicious online advertisements and deceptive practices.

New legislation may be ahead. Senator McCain asked Ms. Mithal if the FTC would need additional tools to protect consumers’ online privacy, and Ms. Mithal mentioned that the FTC has advocated in the past to be given the authority to fine companies that do not maintain reasonable security practices. In her written testimony, Ms. Mithal wrote that the FTC “continues to reiterate its longstanding, bipartisan call for enactment of a strong federal data security and breach notification law.”

Author: marieandreeweiss

Marie-Andrée was educated in France and in the United States, and holds law degrees from both countries. She is fully bilingual English-French, and writes articles regularly in these two languages on various privacy-related topics. Marie-Andrée is a member of the Bar of the State of New York. As an attorney in solo practice, she focuses on intellectual property, First Amendment, privacy, and Internet-related issues. Before becoming an attorney, she worked several years in the fashion retail industry, as a buyer then a director of marketing. She is a member of the New York State Bar Association (Intellectual Property Section and International Section), and of the American Bar Association (Business Law Section, Section of Antitrust Law, and Section of Intellectual Property Law)