The Hidden Hazards of Online Ads

Senate panel focuses on malware

Google, Facebook, Twitter and other Internet ad companies no doubt saw Congress coming when they reinvigorated industry efforts to combat malvertising and protect consumers. 

A new report released Wednesday by the Senate Homeland Security Committee’s permanent subcommittee on investigations concluded that the online advertising industry contains “significant vulnerabilities” that cyber criminals exploit to initiate malware attacks against consumers. The report was initiated about a year ago by ranking member Sen. John McCain (R-Ariz.).

The report, “Online advertising and hidden hazards to consumer security and data privacy,” was released just ahead of the subcommittee’s hearing where you could find representatives from Yahoo, Google, the Online Trust Alliance, the Federal Trade Commission, as well as Lou Mastria of the Digital Advertising Alliance.

In some instances, clicking the play button would initiate a pre-roll ad on YouTube or Yahoo that could deliver malware to consumers’ computers, the report found. Sites that consumers would expect to be safe, including The New York Times, Major League Baseball and the San Francisco Chronicle, were found to host ads with malware, many delivered by third-party ad networks.

“Simply displaying ads that consumers see as they browse the Internet can trigger interactions with a chain of other companies, and each link in that chain is a potential weak point that can be used to invade privacy or inflict damage,” said Sen. Carl Levin (D-Mich.), chairman of the subcommittee.

Though the report acknowledges efforts like and the Digital Advertising Alliance’s self-regulatory program to protect consumer privacy, the report claimed that it wasn’t enough, noting that there is a conflict of interest between protecting consumers and making money.

“The self-regulatory efforts in online security to date have been dependent upon online ad networks for their funding and viability, creating a potential conflict of interest in their dual roles as industry advocates and standards-setting bodies. The self-regulatory bodies prioritize industry representatives over consumer advocates in the standard-setting process,” the report said.

Taking issue with the report, Mike Zaneis, the evp and general counsel of the Interactive Advertising Bureau, criticized the 43-page report as a "missed opportunity" to collaborate with the industry on how to fight cyber criminals. "Instead the report conflates security and consumer privacy, and we get in a decades-old debate about cookies of all things," he said.

The panel recommended that companies be legally allowed to share information about security hazards and that self-regulatory bodies develop comprehensive security guidelines for preventing online advertising malware attacks. In the absence of self-regulation, the report urged the FTC to issue regulations to prohibit deceptive and unfair online ad practices. The report also recommended that the industry incorporate “circuit breakers” into the online advertising system, check points that ensure malicious ads are caught at an early stage before they reach consumers.