Yesterday, the U.S. Senate Permanent Subcommittee on Investigations held a hearing on “Online Advertising and Hidden Hazards to Consumer Security and Data Privacy.”  The hearing was based on a year-long investigation into a broader set of consumer privacy and security issues on the Internet, which narrowed over time to focus specifically on the online advertising industry and the problem of “malvertising,” the delivery of malware to consumers through online advertisements.

The hearing was accompanied by a report jointly authored by Subcommittee Chairman Carl Levin and Ranking Member John McCain.  The report, which focused on the problem of malvertising, highlighted recent malware attacks channeled through well-known websites such as YouTube (owned by Google) and Yahoo!.  The report presented four major recommendations for limiting the risk to consumers posed by malvertising: (1) establishing better practices and clearer rules to prevent online advertising abuses; (2) strengthening security information exchanges within the online advertising industry to prevent abuses; (3) clarifying specific prohibited practices in online advertising to prevent abuses and protect consumers; and (4) developing additional “circuit breakers” to protect consumers once malvertising attacks are discovered.


In his opening statement at the hearing, Senator McCain suggested that consumers bear a heavy burden as a result of these malware attacks, to which he claimed even the most technologically savvy consumers are vulnerable.  He also suggested that website publishers that unwittingly host these ads face challenges in protecting the visitors to their sites, because online advertising is typically placed through complex advertising networks over which the publishers lack direct control.  Senator Levin echoed these difficulties in his opening remarks, noting that weak links in the complex chain of actors in the online ecosystem “can be exploited although consumers have done nothing other than visit a mainstream website.”

The hearing consisted of two witness panels.  The first panel consisted of Alex Stamos, Chief Information Security Officer at Yahoo! Inc.; George Salem, Senior Product Manager at Google Inc.; and Craig Spiezle, Executive Director, Founder, and President of the Online Trust Alliance.  Many of the questions addressed to this panel involved the late-2013 and early-2014 malvertising attacks channeled through the Yahoo! and Google websites.  The second panel consisted of Maneesha Mithal, Associate Director, Division of Privacy and Identity Protection of the Federal Trade Commission, and Lou Mastria, the Managing Director of the Digital Advertising Alliance, who focused on potential government-regulatory and industry self-regulatory responses to the challenge posed by malvertising.

A variety of potential approaches to the security problems posed by online advertising arose during the two-hour hearing.  Senator McCain repeatedly mentioned the Commercial Privacy Bill of Rights Act of 2011, a bill he introduced with then-Senator John Kerry during the 112th Congress that would have created a regulatory framework under the Federal Trade Commission to establish comprehensive protection of individuals’ personal data.  The “safe harbor” provision in that proposed bill, which would have shielded companies that chose to take effective steps to protect consumer security and privacy, was also referenced in Senator McCain’s opening statement.  Senator Levin suggested an alternative approach, which would require website publishers to notify government regulators when malware attacks or other similar breaches occurred.  Others, including Senators Ron Johnson and Claire McCaskill, touched on the need for voluntary information sharing among website publishers to assist each other in identifying and preventing malvertising attacks, a recommendation also made in the joint report by Senators Levin and McCain.