Permanent Subcommittee on Investigations Releases Report: “Online Advertising and Hidden Hazards to Consumer Security and Data Privacy”

Washington, D.C – The Permanent Subcommittee on Investigations (PSI) today released a report titled “Online Advertising and Hidden Hazards to Consumer Security and Data Privacy” and will hold a hearing on the topic TOMORROW, Thursday, May 15, 2014, at 9:30 a.m., in 342 Dirksen Senate Office Building. U.S. Senators Carl Levin (D-MI) and John McCain (R-AZ), the Chairman and Ranking Member of the Subcommittee, released the following statements:

 “American consumers and the digital economy in general depend on a safe, secure Internet,” said Senator John McCain. “We must understand the security and privacy hazards consumers face in online advertising and make sure standards and rules exist to ensure consumers do not have to be more tech savvy than cyber criminals to stay safe online.”

 “Simply displaying ads that consumers see as they browse the internet can trigger interactions with a chain of other companies, and each link in that chain is a potential weak point that can be used to invade privacy or inflict damage,” said Senator Carl Levin

The full report, Online Advertising and Hidden Hazards to Consumer Security and Data Privacy is attached HERE [PDF]

The witness list for the May 15th hearing is attached HERE [PDF] .  

 Summary of the Report

 In 2013, the online advertising industry surpassed broadcast television as the largest advertising medium in the United States, with $42.8 billion spent last year alone. Unfortunately, the industry contains significant vulnerabilities that cyber criminals have used to initiate malware attacks against consumers, often without the consumers even having clicked on an advertisement, according to the findings of a nearly year-long bipartisan investigation by the U.S. Senate Permanent Subcommittee on Investigations.

For example, in February 2014, an engineer at a security firm discovered that advertisements on YouTube served by Google’s ad network delivered malware to visitors’ computers.  In that case, the user didn’t need to click on any ads; just going to YouTube and watching a video was enough to infect the user’s computer with a virus.  A similar attack on Yahoo in December 2013 also delivered malware to consumers’ computers without the need for user interaction.

 The Subcommittee learned that cyber criminals have found ways to circumvent malware scanning processes, target vulnerable consumers, and place malware on consumers’ devices through online ads.  A single online advertisement for an individual consumer routinely goes through five or six companies before finally reaching the consumer’s computer – providing cyber criminals with many entry points along the way to inject malware.

Over the past few years, many websites, including those belonging to the New York Times, Major League Baseball, and the San Francisco Chronicle have inadvertently hosted advertisements with malware.

The Subcommittee’s investigation also uncovered that the advertisements themselves are often not under the direct control of online advertising companies like Google and Yahoo, but are rather delivered to users’ computers by third-parties.

 The Subcommittee investigation reaches several findings of fact:

 1. Consumers risk exposure to malware through everyday activity.  Consumers can incur malware attacks without having taken any action other than visiting a mainstream website.  The complexity of the online advertising ecosystem makes it impossible for an ordinary consumer to avoid advertising malware attacks, identify the source of the malware exposure, and determine whether the ad network or host website could have prevented the attack.

 2. The complexity of current online advertising practices impedes industry accountability for malware attacks.  The online advertising industry has grown in complexity to such an extent that each party can conceivably claim it is not responsible when malware is delivered to a user’s computer through an advertisement.  An ordinary online advertisement typically goes through five or six intermediaries before being delivered to a user’s browser, and the ad networks themselves rarely deliver the actual advertisement from their own servers.  In most cases, the owners of the host website visited by a user do not know what advertisements will be shown on their site. 

 3. Self-regulatory bodies alone have not been adequate to ensure consumer security online.  Self-regulatory codes of conduct in the online advertising field do not comprehensively address consumer security from malware.  In addition, the self-regulatory efforts in online security to date have been dependent upon online ad networks for their funding and viability, creating a potential conflict of interest in their dual roles as industry advocates and standard-setting bodies.  The self-regulatory bodies prioritize industry representatives over consumer advocates in the standard-setting process.   

 4. Visits to mainstream websites can expose consumers to hundreds of unknown, or potentially dangerous, third parties. Subcommittee analysis of several popular websites found that visiting even a mainstream website exposes consumers to hundreds of third parties.  Each of those third parties may be capable of collecting information on the consumer and, in extreme scenarios, is a potential source of malware. 

 5.  Consumer safeguards are currently inadequate to protect against online advertising abuses, including malware, invasive cookies, and inappropriate data collection.  Cybercriminals are constantly finding new ways to evade existing security methods.  Self-regulatory codes do not significantly address online advertising security, and data collection protections are often limited in scope, and underutilized.  Current FTC safeguards are insufficient to comprehensively protect consumers from online advertising abuses.

 6.  Current systems may not create sufficient incentives for online advertising participants to prevent consumer abuses.  Because responsibility for malware attacks and inappropriate data collection through online advertisements is undefined, online advertising participants may not be fully incentivized to establish effective consumer safeguards against abuses.

Based on those findings, the report makes the following recommendations:

 1.  Establish better practices and clearer rules to prevent online advertising abuses.  Under the current regulatory and legislative framework, legal responsibility for damages caused through malvertising usually rests only with the fraudulent actor in question.  Since such actors are rarely caught and even less frequently able to pay damages, the harm caused by malicious advertisements is ultimately born by consumers who in many cases have done nothing more than visit a mainstream website.  While consumers should be careful to keep their operating systems and programs updated to avoid vulnerability, sophisticated commercial entities, large and small, should take steps to reduce systemic vulnerabilities in their advertising networks. If sophisticated commercial entities do not take steps to further protect consumers, regulatory or legislative change may be needed so that such entities are incentivized to increase security for advertisements run through their systems.

 2.         Strengthen security information exchanges within the online advertising industry to prevent abuses.  Some online advertising companies claim they do not share information about security hazards with other companies, because of fears they will be accused of violating antitrust laws by cooperating with competitors.  The Department of Justice and the Federal Trade Commission recently issued joint guidance suggesting that the sharing of cyber threat-related information would not trigger antitrust liability.  Those agencies should clarify the extent to which online advertising participants may exchange information about security hazards without incurring antitrust or other liability.  If necessary, Congress should pass legislation that removes legal impediments to the sharing of actionable cyber-threat related information and creates incentives for the voluntary sharing of information.

 3.  Clarify specific prohibited practices in online advertising to prevent abuses and protect consumers.  Self-regulatory bodies should endeavor to develop comprehensive security guidelines for preventing online advertising malware attacks.  In the absence of effective self-regulation, the FTC should consider issuing comprehensive regulations to prohibit deceptive and unfair online advertising practices that facilitate or fail to take reasonable steps to prevent malware, invasive cookies, and inappropriate data collection delivered to Internet consumers through online advertisements.  Greater specificity in prohibited or discouraged practices is needed before the overall security situation in the online advertising industry can improve. 

 4.  Develop additional “circuit breakers” to protect consumers.  Given the complexity of the online advertising ecosystem, more “circuit breakers” should be incorporated into the online advertising system, systems that introduce check-points that ensure malicious advertisements are caught at an earlier stage before transmission to consumers.  Online advertising industry participants should thoroughly vet new advertisers and perform rigorous and ongoing checks as often as feasible to ensure that advertisements that appear legitimate upon initial submission remain so.

# # #