Yesterday, the U.S. Senate Permanent Subcommittee on Investigations held a hearing on “Online Advertising and Hidden Hazards to Consumer Security and Data Privacy.”  The hearing was based on a year-long investigation into a broader set of issues related to consumer privacy and security on the Internet, which narrowed over time to focus specifically on the online advertising industry and the problem posed by “malvertising,” or advertisement-based malware, which cybercriminals can use to target consumers through online advertising.

The hearing was accompanied by a report jointly authored by Subcommittee Chairman Carl Levin and Ranking Member John McCain.  The report, which focused on the problem of malvertising, highlighted recent malware attacks channeled through well-known websites such as YouTube (owned by Google) and Yahoo!.  The report presented four major recommendations for limiting the risk to consumers posed by malvertising: (1) establishing better practices and clearer rules to prevent online advertising abuses; (2) strengthening security information exchanges within the online advertising industry to prevent abuses; (3) clarifying specific prohibited practices in online advertising to prevent abuses and protect consumers; and (4) developing additional “circuit breakers” to protect consumers once malvertising attacks are discovered.


In his opening statement at the hearing, Senator McCain suggested that consumers bear a heavy burden as a result of these malware attacks, to which he claimed even the most technologically savvy consumers are vulnerable.  He also suggested that website publishers that unwittingly host these ads face challenges in protecting the visitors to their sites, because online advertising is typically placed through complex advertising networks over which the publishers lack direct control.  Senator Levin echoed these difficulties in his opening remarks, noting that weak links in the complex chain of actors in the online ecosystem “can be exploited although consumers have done nothing other than visit a mainstream website.”

The hearing consisted of two witness panels.  The first panel consisted of Alex Stamos, Chief Information Security Officer at Yahoo! Inc.; George Salem, Senior Product Manager at Google Inc.; and Craig Spiezle, Executive Director, Founder, and President of the Online Trust Alliance.  Many of the questions addressed to this panel involved the late-2013 and early-2014 malvertising attacks channeled through the Yahoo! and Google websites.  The second panel consisted of Maneesha Mithal, Associate Director, Division of Privacy and Identity Protection of the Federal Trade Commission, and Lou Mastria, the Managing Director of the Digital Advertising Alliance, who focused on potential government-regulatory and industry self-regulatory responses to the challenge posed by malvertising.

A variety of potential approaches to the problem of security with regard to online advertising arose during the course of the two-hour hearing.  Senator McCain repeatedly mentioned the Commercial Privacy Bill of Rights Act of 2011, a bill he introduced in conjunction with then-Senator John Kerry during the 112th Congress that would have developed a regulatory framework under the Federal Trade Commission to establish comprehensive protection of personal data for individuals.  The “safe harbor” provision in that proposed bill, which would shield companies that chose to take effective steps to protect consumer security and privacy, was also referenced in Senator McCain’s opening statement.  Senator Levin suggested an alternative approach, which would require website publishers to notify government regulators when malware attacks or other similar breaches occurred.  Others, including Senators Ron Johnson and Claire McCaskill, touched on the need for voluntary information sharing among website publishers to assist each other in identifying and preventing malvertising attacks, a recommendation also made in the joint report by Senators Levin and McCain. 

Yaron Dori

Yaron Dori has over 20 years of experience in telecommunications, privacy, and consumer protection law, advising telecom, technology, life sciences, media and other types of companies on their most pressing business challenges. He is a former chair of the Communications and Media practice group and currently serves as a member of the firm’s eight-person Management Committee.

Yaron’s practice focuses on strategic planning, policy development, transactions, investigations and enforcement, and regulatory compliance.

He represents clients before federal regulatory agencies—including the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC)—and the U.S. Congress in connection with a range of policy issues under the Communications Act, the Federal Trade Commission Act, and similar statutes. He also represents clients on state regulatory and enforcement matters, including those that pertain to telecommunications and data privacy regulation. His unique experience in telecommunications, privacy, and consumer protection enables him to advise clients on key business issues in which these areas intersect.

With respect to telecommunications matters, Yaron advises clients on a broad range of business, policy and consumer-facing issues, including:

  • Broadband deployment and regulation;
  • IP-enabled applications, services and content;
  • Equipment and device authorization procedures;
  • The Communications Assistance for Law Enforcement Act (CALEA);
  • Customer Proprietary Network Information (CPNI) requirements;
  • The Cable Privacy Act;
  • Net Neutrality; and
  • Local competition, universal service, and intercarrier compensation.

Yaron also has extensive experience in structuring transactions and securing regulatory approvals at both the federal and state levels for mergers, asset acquisitions and similar transactions involving large and small FCC and state licensees.

With respect to privacy and consumer protection matters, Yaron advises clients on a range of business, strategic, policy and compliance issues, including those that pertain to:

  • The California Consumer Privacy Act (CCPA);
  • The Electronic Communications Privacy Act (ECPA);
  • Location-based services that use WiFi, beacons or similar technologies;
  • Online Behavioral Advertising;
  • Online advertising practices, including native advertising and endorsements and testimonials; and
  • The application of federal and state telemarketing, commercial fax, and other consumer protection laws, such as the Telephone Consumer Protection Act (TCPA), to voice, text, and video transmissions.

Yaron also has experience advising companies on FCC (Enforcement Bureau), FTC and state attorney general investigations into various consumer protection and communications matters, including those pertaining to social media influencers, digital disclosures, product discontinuance, and advertising claims.