Tempers Flare in Hearing on Malicious Online Ads21 May, 2014 By: Doug McPherson
WASHINGTON – During a Senate hearing on malicious online advertising last week, Sen. John McCain (R-AZ) said Google and Yahoo are responsible for protecting consumers from the potential harmful effects of the ads they deliver and that he’s pushing harder for laws protecting consumers against malicious ads.
A Senate report dubbed “Online Advertising and Hidden Hazards to Consumer Security and Data Privacy” suggests the ad industry self-regulatory efforts to prevent ads that disseminate viruses and enable cyber attacks aren’t working. The report recommends tighter regulation of the online advertising industry by the Federal Trade Commission (FTC) and closer scrutiny of who’s placing ads by networks such as Google and Yahoo.
“The consumer is the one party involved in online advertising who is both simultaneously least capable of taking security precautions and forced to bear the vast majority of the cost when security fails. For the future, such a model is untenable,” McCain said in the hearing.
The hearing got testier: “Suppose some individuals on Yahoo became victims of malware that accessed their bank accounts and took their money. Will Yahoo reimburse them?” McCain asked Yahoo Chief Information Security Officer Alex Stamos.
“We believe that criminals are liable for their actions,” Stamos replied.
“So you, as the vehicle, have no liability?” McCain countered.
“We work very vigorously to protect our users,” Stamos said.
“But you have no liability,” McCain pressed.
Stamos and Google Senior Product Manager George Salem told McCain specific data about so-called “malvertising” was spotty and that it’s often impossible to determine which individuals are infected with viruses.
Salem said Google verifies all of its advertisers and that most malvertising comes from criminal elements that masquerade as reputable private companies. When Stamos noted that malware attacks are so widespread that it’s difficult to have accurate data, McCain shot back, “Oh, so you have no accurate data. That’s good!”
Sen. Ron Johnson (R-WI), on the other hand, worked to shield Google and Yahoo: “Say that someone gets in a cab that has safeguards, but a criminal forces his way in and the passenger gets robbed. Is the cab company liable for that criminal activity?” asked Johnson. He also said companies, such as Yahoo and Google, that survive on advertising have a huge incentive to police online data fraud. “What can government do better than what these private companies can do?” Johnson asked. “My concern is that we’ll enact some legislation with the best of intentions that takes [Yahoo’s and Google’s] eye off the ball by making them comply with regulations.”
A nonprofit called Online Trust Alliance testified its research showed malvertising increased more than 200 percent in 2013, reaching more than 209,000 incidents which generated around 12 billion malware ad impressions. Google and Yahoo research indicated malicious ads were less pervasive.
The FTC endorsed enactment of a federal data-security and breach-notification law, in addition to calling yet again for congress to give the commission authority to slap civil penalties in response to data-security breaches. Sen. Carl Levin (D-MI) is among lawmakers supporting the FTC in its request for stronger authority.