[Senate Hearing 113-407]
[From the U.S. Government Publishing Office]
S. Hrg. 113-407
ONLINE ADVERTISING AND HIDDEN HAZARDS
TO CONSUMER SECURITY AND DATA PRIVACY
=======================================================================
HEARING
before the
PERMANENT SUBCOMMITTEE ON INVESTIGATIONS
of the
COMMITTEE ON
HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
ONE HUNDRED THIRTEENTH CONGRESS
SECOND SESSION
__________
MAY 15, 2014
__________
Available via the World Wide Web: http://www.fdsys.gov
Printed for the use of the
Committee on Homeland Security and Governmental Affairs
U.S. GOVERNMENT PRINTING OFFICE
89-686 PDF WASHINGTON : 2014
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
THOMAS R. CARPER, Delaware, Chairman
CARL LEVIN, Michigan TOM COBURN, Oklahoma
MARK L. PRYOR, Arkansas JOHN McCAIN, Arizona
MARY L. LANDRIEU, Louisiana RON JOHNSON, Wisconsin
CLAIRE McCASKILL, Missouri ROB PORTMAN, Ohio
JON TESTER, Montana RAND PAUL, Kentucky
MARK BEGICH, Alaska MICHAEL B. ENZI, Wyoming
TAMMY BALDWIN, Wisconsin KELLY AYOTTE, New Hampshire
HEIDI HEITKAMP, North Dakota
Richard J. Kessler, Staff Director
Keith B. Ashdown, Minority Staff Director
Laura W. Kilbride, Chief Clerk
Lauren M. Corcoran, Hearing Clerk
PERMANENT SUBCOMMITTEE ON INVESTIGATIONS
CARL LEVIN, Michigan, Chairman
MARK L. PRYOR, Arkansas JOHN McCAIN, Arizona
MARY L. LANDRIEU, Louisiana RON JOHNSON, Wisconsin
CLAIRE McCASKILL, Missouri ROB PORTMAN, Ohio
JON TESTER, Montana RAND PAUL, Kentucky
TAMMY BALDWIN, Wisconsin KELLY AYOTTE, New Hampshire
HEIDI HEITKAMP, North Dakota
Elise J. Bean, Staff Director and Chief Counsel
Daniel J. Goshorn, Counsel
Henry J. Kerner, Minority Staff Director and Chief Counsel
Jack Thorlin, Counsel to the Minority
Brad M. Patout, Senior Advisor to the Minority
Scott Wittmann, Research Assistant to the Minority
Mary D. Robertson, Chief Clerk
CONTENTS
------
Opening statements:
Page
Senator Levin................................................ 1
Senator McCain............................................... 1
Senator Johnson.............................................. 22
Senator McCaskill............................................ 26
Senator Portman.............................................. 30
Prepared statements:
Senator Levin................................................ 47
Senator McCain............................................... 49
WITNESSES
Thursday, May 15, 2014
Alex Stamos, Vice President of Information Security, and Chief
Information Security Officer, Yahoo! Inc., Sunnyvale,
California..................................................... 7
George F. Salem, Senior Product Manager, Google Inc., Mountain
View, California............................................... 10
Craig D. Spiezle, Executive Director, Founder, and President,
Online Trust Alliance, Washington, DC.......................... 12
Maneesha Mithal, Associate Director, Division of Privacy and
Identity Protection, Federal Trade Commission, Washington, DC.. 35
Luigi ``Lou'' Mastria, Executive Director, Digital Advertising
Alliance, New York, New York................................... 37
Alphabetical List of Witnesses
Mastria, Luigi ``Lou'':
Testimony.................................................... 37
Prepared statement........................................... 94
Mithal, Maneesha:
Testimony.................................................... 35
Prepared statement........................................... 79
Salem, George F.:
Testimony.................................................... 10
Prepared statement........................................... 59
Spiezle, Craig D.:
Testimony.................................................... 12
Prepared statement with attachments.......................... 67
Stamos, Alex:
Testimony.................................................... 7
Prepared statement........................................... 55
APPENDIX
Report by the Permanent Subcommittee entitled ``Online
Advertising and Hidden Hazards to Consumer Security and Data
Privacy.''..................................................... 106
EXHIBIT LIST
1. Increase Display Malvertising, chart prepared by RiskIQ...... 162
2. Proliferation & Impact, chart prepared by Online Trust
Alliance....................................................... 163
3. Third-Party Website Calls on TDBank.com, chart prepared by
the Permanent Subcommittee on Investigations' Minority Staff,
Source: TDBank.com, Disconnect Private Browsing................ 164
4. Third-Party Website Calls on TMZ.com, chart prepared by the
Permanent Subcommittee on Investigations' Minority Staff,
Source: TMZ.com, Disconnect Private Browsing................... 165
5. Comparison of Third-Party Website Calls, chart prepared by
the Permanent Subcommittee on Investigations' Minority Staff,
Source: TDBank.com, TMZ.com, Disconnect Private Browsing....... 166
6. Good Money Gone Bad, Digital Thieves and the Hijacking of
the Online Ad Business, A Report on the Profitability of Ad-
Supported Content Theft, February 2014, report prepared by the
Digital Citizens Alliance...................................... 167
7. a. Responses of Maneesha Mithal, Federal Trade Commission,
to supplemental questions for the record from Senator Carl
Levin.......................................................... 196
b. Responses of Maneesha Mithal, Federal Trade Commission,
to supplemental questions for the record from Senator John
McCain......................................................... 198
c. Responses of Maneesha Mithal, Federal Trade Commission,
to supplemental questions for the record from Senator Ron
Johnson........................................................ 201
d. Responses of Maneesha Mithal, Federal Trade Commission,
to supplemental questions for the record from Senator Kelly
Ayotte......................................................... 202
8. Responses of George Salem, Google, Inc., to supplemental
questions for the record from Senator Ron Johnson.............. 207
9. Responses of Alex Stamos, Yahoo! Inc., to supplemental
questions for the record from Senator Ron Johnson.............. 208
10. Responses of Craig Spiezle, Online Trust Alliance, to
supplemental questions for the record from Senator Ron Johnson. 210
ONLINE ADVERTISING AND HIDDEN HAZARDS TO CONSUMER SECURITY AND DATA PRIVACY
----------
THURSDAY, MAY 15, 2014
U.S. Senate,
Permanent Subcommittee on Investigations,
of the Committee on Homeland Security
and Governmental Affairs,
Washington, DC.
The Subcommittee met, pursuant to notice, at 9:32 a.m., in
room SD-342, Dirksen Senate Office Building, Hon. Carl Levin,
Chairman of the Subcommittee, presiding.
Present: Senators Levin, McCaskill, McCain, Johnson, and
Portman.
Staff present: Daniel J. Goshorn, Counsel; Mary D.
Robertson, Chief Clerk; Henry J. Kerner, Staff Director and
Chief Counsel to the Minority; Jack Thorlin, Counsel to the
Minority; Brad M. Patout, Senior Advisor to the Minority; Scott
Wittmann, Research Assistant to the Minority; Samira Ahmed, Law
Clerk; Rebecca Pskowski, Law Clerk; Kyle Brosnan, Law Clerk to
the Minority; Nick Choate (Sen. McCaskill); Brooke Erickson and
Mike Howell (Sen. Johnson); and Derek Lyons (Sen. Portman).
OPENING STATEMENT OF SENATOR LEVIN
Senator Levin. Good morning, everybody. For almost a year,
the Permanent Subcommittee on Investigations has been
investigating hidden hazards to consumers' data privacy and
security that result from online advertising. Our Subcommittee
operates in a very bipartisan way, and our practices and our
rules provide that the Ranking Minority Member may initiate an
inquiry, and our tradition is for both sides of the aisle to
work on investigations together, and our staffs work very
closely together.
This investigation was initiated and led by Senator McCain,
so I would like to call on him to give his opening statement
first, after which I will add a few additional remarks. But
first I would like to commend Senator McCain for his leadership
and his staff for their very hard work in addressing the facts
and issues that are the subject of today's hearing. Senator
McCain.
OPENING STATEMENT OF SENATOR McCAIN
Senator McCain. Thank you, Mr. Chairman. I appreciate you
and your staff's cooperation in conducting this important
bipartisan investigation, which has been the hallmark of our
relationship together for many years. I believe that consumer
privacy and safety in the online advertising industry is a
serious issue and warrants this Subcommittee's examination.
With the emergence of the Internet and e-commerce, more and
more commonplace activities are taking place on the Internet,
which has led to major advances in convenience, consumer
choice, and economic growth. These advances have also presented
novel questions concerning whether consumer security and
privacy can be maintained in the new technology-based world. We
will examine these issues today specifically in the context of
online advertising, where vast data is collected and cyber
criminals exploit vulnerabilities in the system and use malware
to harm consumers.
As we discuss this complex subject, it is important to keep
in mind the following simple idea that I think everyone will
agree on: Consumers who venture into the online world should
not have to know more than cyber criminals about technology and
the Internet in order to stay safe. Instead, sophisticated
online advertising companies like Google and Yahoo!, whose
representatives are here with us today, have a responsibility
to help protect consumers from the potentially harmful effects
of the advertisements they deliver. Deciding who should bear
responsibility when an advertisement harms a consumer can be a
technical and difficult question. But it cannot continue to be
the case that the consumer alone pays the price when he visits
a mainstream website, does not even click on anything, but
still has his computer infected with malware delivered through
an advertisement.
At the same time, online advertising has become an
instrumental part of how companies reach consumers. In 2013,
online advertising revenue reached a record high of $42.8
billion, surpassing for the first time revenue from broadcast
television advertising, which was almost $3 billion less. With
the continuing boom in mobile devices, online advertising will
become even more lucrative in years to come.
With this hearing, we will outline the hazards consumers
face through online advertisements, how cyber criminals have
defeated the security efforts of the online advertising
industry, and what improvements could be made to ensure that
consumers are protected online and the Internet remains a safe,
flourishing engine for economic growth.
Make no mistake. The hazards to consumers from malware in
online advertising are something even a tech-savvy consumer
cannot avoid. It is not a matter of simply avoiding shady
websites or not clicking on advertisements that look
suspicious. For example, in February of this year, an engineer
at a security firm discovered that advertisements on YouTube
served by Google's ad network delivered malware to visitors'
computers. In that case, the user did not need to click on any
ads; just going to YouTube and watching a video was enough to
infect the user's computer with a virus. That virus was
designed to break into consumers' online bank accounts and
transfer funds to cyber criminals. A similar attack on Yahoo!
in December 2013 also did not require a user to click an
advertisement to have his computer compromised.
A consumer whose bank account was compromised by the
YouTube ad attack has little recourse under the law as it
currently stands. Of course, if an affected consumer managed to
track down the cyber criminal who placed the virus, he--or
relevant law enforcement agencies--could take legal action
against that wrongdoer. But cyber criminals today are normally
part of sophisticated professional criminal enterprises, often
overseas. Tracking them down is exceedingly difficult--even for
professional security specialists. A consumer has essentially
no chance whatsoever of recovering funds from cyber criminals.
How can it be that cyber criminals can sneak malware into
advertisements under the noses of the most technologically
advanced companies in the world? Cyber criminals employ clever
tricks to evade the current security procedures used by the
online advertising industry. One of these key security
procedures is scanning, essentially having a tester visit a
website to see if a virus downloads to the test computer. Just
as normal online advertisers can target their advertisements to
run only in specific locations, cyber criminals can also target
by location to avoid scanning. For example, if a cyber criminal
knows that the facilities responsible for scanning ads are
clustered around certain cities, they can target the malicious
advertisement to run in other areas so that the scanners will
not see it.
Cyber criminals have used even simpler techniques to bypass
security. When law enforcement raided the hideout of a Russian
cyber criminal network, they found calendars marked extensively
with U.S. Federal holidays and 3-day weekends. These cyber
criminals were not planning Fourth of July picnics, of course;
they were planning to initiate malware attacks at times when
the security staffing at the ad networks and websites would be
at their lowest ebb. Just this past holiday season, on Friday,
December 27, 2013--2 days after Christmas and 4 days before New
Year's Eve--cyber criminals hacked into Yahoo!'s ad network and
began delivering malware-infected advertisements to consumers'
computers. The malware seized control of the user's computer
and used it to generate ``bitcoins,'' a digital currency that
requires a large amount of computer power to create.
Independent security firms estimate that around 27,000
computers were infected through this one malware-laden
advertisement.
The result of these cyber criminal tactics has been
countless attacks against consumers online. One major
vulnerability in online advertising is that the advertisements
themselves are not under the direct control of online
advertising companies like Yahoo! and Google. These companies
choose not to directly control the advertisements themselves
because sending out all of those image or video files would be
more expensive. Instead, online advertising companies have the
advertiser himself deliver the ad directly to the consumer.
While it is cheaper for the companies in the online advertising
industry to operate in this way, it can lead to greater hazards
for consumers. Malicious advertisers can use their control over
advertisements to switch out legitimate ads and put in malware
instead. The tech companies who run the online advertising
industry frequently do not know when such a switch occurs until
after the ad is served. Because those companies do not control
the advertisement, their quality control processes are
frequently purely reactive, often finding problems after they
arise instead of before.
As the online advertising industry grows more and more
complicated, a single online advertisement for an individual
consumer routinely goes through five or six companies before
ultimately reaching the consumer's computer. That fact makes it
easier for the various companies in the chain to disclaim
responsibility when things go awry.
One instance where that issue was apparent was the attack
on Major League Baseball's website in June 2012. In that case,
the malicious ad appeared to be for luxury watches and was
displayed as a banner at the top of the MLB Web page. The ad
was shown to 300,000 consumers before being taken down. In the
aftermath of that attack, it was still unclear what entity was
responsible for delivery of the malware. One security analyst
noted at the time that ``the lack of transparency and multiple
indirect relationships'' in online advertising made assigning
responsibility for the attack virtually impossible.
One way to get an idea of how complicated the online
advertising world and online data collection can be is to take
a look at what happens when a consumer actually visits a
website where advertisements are served by third-party ad
companies.
When a user visits a website, that website instantaneously
contacts an online advertising company to provide an
advertisement. That ad company in turn contacts other Internet
companies who help collect and analyze data on the user for
purposes of targeting advertisements to him. Each company can,
in turn, contact other companies that profit from identifying
users and analyzing those users' online activities. Ultimately,
hundreds of third parties can be contacted resulting from a
consumer visiting just a single website.
Using special software called ``Disconnect,'' the
Subcommittee was able to detect how many third-party sites were
contacted when a user visits particular websites. These
contacts are represented in a chart. In this first example--we
will go to a video. \1\ We see what happens when a user visits
the website of an ordinary business that does not depend
heavily on advertising revenues. In this case, our example is
TDBank, a company whose website provides online banking
services for its existing customers and, more importantly, not
to generate income from people visiting the site. For that
reason, it does not need to derive a large amount of revenue
from online traffic and advertisements.
---------------------------------------------------------------------------
\1\ See Exhibit No. 3, which appears in the Appendix on page 164.
---------------------------------------------------------------------------
You can see there--it is very difficult to see, but what
it--a few third parties were contacted. By contrast, when a
consumer visits a website that depends much more heavily on
revenue from advertising--based on the number of people who
visit their website--the number of third parties can be
enormously higher. For example, this video shows what happens
when a consumer visits TMZ.com, a celebrity gossip website. \2\
---------------------------------------------------------------------------
\2\ See Exhibit No. 4, which appears in the Appendix on page 165.
---------------------------------------------------------------------------
And just to make that point even more clear, here are
TDBank and TMZ side by side. \3\
---------------------------------------------------------------------------
\3\ See Exhibit No. 5, which appears in the Appendix on page 166.
---------------------------------------------------------------------------
Finally, another problem in the current online advertising
industry is the lack of meaningful standards for security. The
two primary regulators of online advertising are the Federal
Trade Commission and self-regulatory groups like the Digital
Advertising Alliance and Network Advertising Initiative. The
self-regulatory groups have not been active in generating
effective guidance or clear standards for online advertising
security.
On the government side, the FTC has brought a number of
enforcement actions against companies involved in online
advertising for ``deceptive'' practices pursuant to their
authority under Section 5 of the FTC Act. These cases all
involve some specific misrepresentation made by a company
rather than a failure to adhere to any general standards.
I will just summarize by saying that on the question of
consumer privacy, there are some guidelines on how much data
can be generated on Internet users and how that data can be
used, but these approaches--including verbose privacy notices,
``do not track'' efforts, and ``notice and choice''
procedures--have only been partially effective.
A new approach to preventing abuses of consumer data and
privacy may be necessary. A few years ago, Senator Kerry and I
introduced ``The Commercial Privacy Bill of Rights.'' While
updates will be necessary, it provides a framework for how to
think about these issues moving forward--one that includes
basic rights and expectations consumers should have when it
comes to the collection, use, and dissemination of their
personal, private information online, and specifically in
prohibited practices; a clarified role for the FTC in
enforcement; and a safe harbor for those companies that choose
to take effective steps to further consumer security and
privacy. That legislation also envisions a role for industry,
self-regulators, and stakeholders to engage with the FTC to
come up with best practices and effective solutions.
Consumers deserve to be equipped with the information
necessary to understand the risks and to make informed
decisions in connection with their online activities. Today one
thing is clear. As things currently stand, the consumer is the
one party involved in online advertising who is simultaneously
both least capable of taking effective security precautions and
forced to bear the vast majority of the cost when security
fails. For the future, such a model is not tenable. There can
be no doubt that online advertising has played an indispensable
role in making innovation profitable on the Internet. But the
value that online advertising adds to the Internet should not
come at the expense of the consumer.
I want to thank the Chairman for working with me on this
important hearing and the witnesses for appearing before the
Subcommittee. I thank you, Mr. Chairman.
Senator Levin. Thank you so much, Senator McCain.
Today's hearing is about the third parties that operate
behind the scenes as consumers use the Internet. In particular,
the Subcommittee's report outlines the enormous complexity of
the online advertising ecosystem. Simply displaying ads that
consumers see as they browse the Internet can trigger
interactions with a chain of other companies, and each link in
that chain is a potential weak point that can be used to invade
privacy or host malware that can inflict damage. And we have
seen a very dramatic example of this risk in the visuals that
Senator McCain presented to us, as well as in the example
outlined in the report. \1\ Those weak links can be exploited
although consumers have done nothing other than visit a
mainstream website.
---------------------------------------------------------------------------
\1\ See Exhibit Nos. 3-5, which appear in the Appendix on pages
164-166.
---------------------------------------------------------------------------
The Subcommittee's report and Senator McCain's opening
statement also highlight the hundreds of third parties that may
have access to a consumer's browser information with every Web
page that they visit. According to a recent White House report,
more than 500 million photos are uploaded by consumers to the
Internet each day, along with more than 200 hours of video
every minute. However, the volume of information that people
create about themselves pales in comparison to the amount of
digital information continually created about them. According
to some estimates, nearly a zettabyte, or 1 trillion gigabytes,
are transferred on the Internet annually. That is a billion
trillion bytes of data.
Against that backdrop, today's hearing will explore what we
should be doing to protect people against the emerging threats
to their security and their privacy as consumers. The report
finds that the industry's self-regulatory efforts are not doing
enough to protect consumer privacy and safety. Furthermore, we
need to give the Federal Trade Commission the tools that it
needs to protect consumers who are using the Internet.
Finally, as consumers use the Internet, profiles are being
created based on what they read, what movies they watch, what
music they listen to, on and on and on. Consumers need more
effective choices as to what information generated by their
activities on the Internet is shared and sold to others.
I want to thank all of today's witnesses for their
cooperation with the investigation. And I do not know, Senator
Johnson, do you have an opening statement?
Senator Johnson. No. Thank you.
Senator Levin. I will now call our first panel of witnesses
for this morning's hearing: Alex Stamos, Chief Information
Security Officer of Yahoo! Inc., Sunnyvale, California; George
Salem, the Senior Product Manager of Google Inc., Mountain
View, California; and Craig Spiezle, the Executive Director,
Founder, and President of Online Trust Alliance, Washington,
DC. We appreciate all of you being with us this morning, and we
look forward to your testimony.
Pursuant to our Rule 6, all witnesses who testify before
this Subcommittee are required to be sworn, so I would ask each
of you to please stand and raise your right hand. Do you swear
that the testimony that you will give to this Subcommittee will
be the truth, the whole truth, and nothing but the truth, so
help you, God?
Mr. Stamos. I do.
Mr. Salem. I do.
Mr. Spiezle. I do.
Senator Levin. We will be using a timing system. About a
minute before the red light comes on, you are going to see
lights change from green to yellow, giving you an opportunity
to conclude your remarks. Your written testimony will be
printed in the record in its entirety. We would appreciate your
limiting your oral testimony to no more than 10 minutes. And,
Mr. Stamos, we will have you go first, followed by Mr. Salem,
and then Mr. Spiezle. And then after we have heard all of the
testimony, we will turn to questions.
Mr. Stamos, please proceed. Again, our thanks.
STATEMENT OF ALEX STAMOS,\1\ VICE PRESIDENT OF INFORMATION
SECURITY AND CHIEF INFORMATION SECURITY OFFICER, YAHOO! INC.,
SUNNYVALE, CALIFORNIA
Mr. Stamos. Good morning.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Stamos appears in the Appendix on
page 55.
---------------------------------------------------------------------------
Senator Levin. Good morning.
Mr. Stamos. Chairman Levin, Ranking Member McCain, and
distinguished Members of the Subcommittee, thank you for
convening this hearing and for inviting me to testify today
about security issues relating to online advertising. I
appreciate the opportunity to share my thoughts and to discuss
the user-first approach to security we take at Yahoo!. I
respectfully request that my full written testimony be
submitted for the record, Mr. Chairman.
Senator Levin. It will be.
Mr. Stamos. Thank you, sir.
My name is Alex Stamos. I am Yahoo!'s Vice President of
Information Security and Chief Information Security Officer. I
joined Yahoo! in March. Prior to that I served as Chief
Technology Officer of Artemis Internet, and I was a co-founder
of iSEC Partners. I have spent my career building and improving
secure, trustworthy systems, and I am very proud to be working
on security at Yahoo!.
Yahoo! is a global technology company that provides
personalized products and services, including search,
advertising, content, and communications, in more than 45
languages in 60 countries. As a pioneer of the World Wide Web,
we enjoy some of the longest lasting customer relationships on
the Web. It is because we never take these relationships for
granted that 800 million users each month trust Yahoo! to
provide them with Internet services across mobile and the Web.
There are a few key areas I would like to emphasize today.
First, our users matter to us. Building and maintaining
user trust through secure products is a critical focus, and by
default, all of our products need to be secure for all of our
users around the globe.
Second, achieving security online is not an end state. It
is a constantly evolving challenge that we tackle head on.
Third, malware is an important issue that is a top priority
for Yahoo!. While preventing the distribution of malware
through advertising is one part of the equation, it is
important to address the entire malware ecosystem and to fight
it at each phase of its lifecycle.
Fourth, Yahoo! fights for user security on many fronts. We
partner with other companies to detect and prevent the spread
of malware via advertising and pioneered the SafeFrame standard
to assure user privacy in ad serving. We have led the industry
in combating spam and phishing. We continuously improve our
product security with the help of the wider research and
security communities. And we are the largest media publisher to
enable encryption for our users across the world.
I would like to thank the Subcommittee for your focus on
malware and the threat it poses to consumers. Internet
advertising security and the fight against malware is a top
priority for Yahoo!. We have built a highly sophisticated ad
quality pipeline to weed out advertising that does not meet our
content, privacy, or security standards.
This January, we became aware of malware distributed on
Yahoo! sites. We immediately took action to remove the malware,
investigated how malicious creative copy bypassed our controls,
and fixed the vulnerabilities we found. The malware impacted
users on Microsoft Windows with out-of-date versions of Oracle
Java, a browser plug-in with a history of security issues, and
was mostly targeted at European IP addresses. Users on Macs,
mobile devices, and users with up-to-date versions of Java were
not affected.
As I mentioned earlier, the malware ecosystem is expansive
and complex. A large part of the malware problem is all the
vulnerabilities that allow an attacker to take control of user
devices through popular Web browsers such as Internet Explorer,
plug-ins like Java, office software, and operating systems.
Malware is also spread by tricking users into installing
software they believe to be harmless but is, in fact,
malicious.
We successfully block the vast majority of malicious and
deceptive advertisements with which bad actors attack our
network, and we always strive to defeat those who would
compromise our customers' security. This means we regularly
improve our systems, including continuously diversifying the
set of technologies and testing systems to better emulate
different user behaviors. Every ad running on Yahoo!'s sites
and on our ad network is inspected using this system, both when
they are created and regularly afterwards.
Yahoo! also strives to keep deceptive advertisements from
ever reaching users. For example, our systems prohibit
advertisements that look like operating system messages because
these ads often tout false offers or try to trick users into
downloading and installing malicious or unnecessary software.
Preventing deceptive advertising once required extensive human
intervention, which meant slower response times and
inconsistent enforcement. Although no system is perfect, we now
use sophisticated machine learning and image recognition
algorithms to catch deceptive advertisements. This lets us
train our systems about the characteristics of deceptive
creatives, advertisers, and landing sites so that we can detect
and respond to them immediately.
We are also the driving force behind the SafeFrame
standard. The SafeFrame mechanism allows ads to properly
display on a Web page without exposing a user's private
information to the advertiser or network. Thanks to growing
adoption, SafeFrame enhances user privacy and security not only
in the thriving marketplace of thousands of publishers on
Yahoo! but around the Internet.
We also actively work with other companies to create a
higher level of trust, transparency, quality, and safety in
interactive advertising. We are members of the Interactive
Advertising Bureau's Ads Integrity Task Force, and we have
proudly joined TrustInAds.org.
We also participate in groups dedicated to preventing the
spread of malware and disrupting the economic lifecycle of
cyber criminals, including the Global Forum for Incident
Response and Security Teams, the Anti-Phishing Working Group,
the Underground Economy Forum, the Operations Security Trust
Forum, and the Bay Area Council CSO Forum.
While preventing the placement of malicious advertisements
is essential, it is only one part of a larger battle. We fight
the monetization phase of the malware life cycle by improving
ways to validate the authenticity of email and by reducing the
financial incentives to spread malware. Spam is one of the most
effective ways malicious actors make money, and Yahoo! is
leading the fight to eradicate that source of income. For
example, one way spammers act is through ``email spoofing.''
The original Internet mail standards did not require that a
sender use an accurate ``From:'' line in an email. Spammers
exploit this to send billions of messages a day that pretend to
be from a friend, family member, or business associate. These
emails are much more likely to bypass spam filters, as they
appear to be from trusted correspondents.
Spoofed e-mails can also be used to trick users into giving
up user names and passwords, a technique that is generally
known as ``phishing.'' Here is how Yahoo! is helping the
Internet industry tackle these issues.
Yahoo! was the original author of DomainKeys Identified
Mail, or DKIM, a mechanism that lets mail recipients
cryptographically verify the real origin of email. Yahoo!
freely contributed the intellectual property behind DKIM to the
world, and now the standard protects billions of emails between
thousands of domains.
Building upon the success of DKIM, Yahoo! led a coalition
of Internet companies, financial institutions, and anti-spam
groups in creating the Domain-based Message Authentication,
Reporting, and Conformance, or DMARC, standard. DMARC provides
domains a way to tell the rest of the Internet what security
mechanisms to expect on email they receive and what actions the
sender would like to be taken on spoofed messages.
This April, Yahoo! became the first major email provider to
publish a strict DMARC reject policy. In essence, we asked the
rest of the Internet to drop messages that inaccurately claim
to be from yahoo.com users. Since Yahoo! made this change,
another major provider has also enabled DMARC to reject. We
hope that every major email provider will follow our lead and
implement this commonsense protection against spoofed email.
DMARC has reduced the spam purported to come from yahoo.com
accounts by over 90 percent. If used broadly, it would target
spammers' financial incentives with crippling effectiveness.
Yahoo! also incentivizes sharing to ensure our products are
trustworthy and our users' data is secure. To this end, Yahoo!
operates one of the most progressive bug bounty programs on the
Internet. Our bug bounty program encourages security
researchers to report possible flaws in our systems to us via a
secure Web portal.
In this portal we engage researchers and discuss their
findings. If their bug turns out to be real, we swiftly fix it
and we reward the reporter with up to $15,000. In an age where
security bugs are often auctioned off and then used
maliciously, we believe it is critical that we and other
companies create an ecosystem where both burgeoning and
established security experts are rewarded for reporting, and
not exploiting, vulnerabilities.
Yahoo! invests heavily to ensure the security of our users
and their data across all of our products. In January, we made
encrypted browsing the default for Yahoo! Mail. And as of
March, domestic and international traffic moving between
Yahoo!'s data centers has been fully encrypted. Our ongoing
goal is to enable a secure encrypted experience for all of our
users, no matter what device they use or from what country they
use Yahoo!.
In conclusion, I want to restate that security online is
not and never will be an end state. It is a constantly
evolving, global challenge that our industry is tackling head
on. Threats that stem from the ad pipeline, or elsewhere, are
not unique to any one online company or ad network. And while
criminals pose real threats, we are strongly dedicated to
staying ahead of them.
Yahoo! fights for user security on multiple fronts. We
partner with multiple companies to detect and prevent the
spread of malware via advertising. We pioneered the SafeFrame
standard to assure user privacy in ad serving. We have led the
industry in combating spam and phishing. We continuously improve
our product security with the help of the wider research and
security communities. And, finally, we are the largest media
publisher to enable encryption for our users across the world.
Yahoo! will continue to innovate in how we protect our
users. We will continue to fight cyber criminals who target us
and our users. And we will continue to view user trust and
security as our top priorities.
Thank you very much for the opportunity to testify. I look
forward to answering any questions you may have. Thank you,
sir.
Senator Levin. Thank you very much, Mr. Stamos.
Mr. Salem.
STATEMENT OF GEORGE F. SALEM,\1\ SENIOR PRODUCT MANAGER, GOOGLE
INC., MOUNTAIN VIEW, CALIFORNIA
Mr. Salem. Chairman Levin, Ranking Member McCain, and
Members of the Subcommittee, thank you for the opportunity to
testify on Google's efforts to combat malware on the Web. My
name is George Salem, and I am a senior product manager. I lead
the engineering team that fights the delivery of malware
through advertising, a practice known as ``malvertising.''
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Salem appears in the Appendix on
page 59.
---------------------------------------------------------------------------
Ensuring our users' safety and security is one of Google's
main priorities. We have a team of over 400 full-time security
experts working around the clock to keep our users safe. One of
the biggest threats consumers face on the Web is malicious
software, known as ``malware,'' that can control computers or
software programs. Malware allows malicious actors to make
money off of innocent victims in various ways. It may even lead
to identity theft, which has now topped the list of consumer
complaints reported to the FTC for 14 years in a row.
Advertising has had a tremendous role in the evolution of
the Web, bringing more products, tools, and information to
consumers, often free of charge. It has allowed the Web economy
to flourish. In the last quarter, Internet ad revenues surged
to a landmark $20.1 billion, and the ad-supported Internet
ecosystem employs a total of 5.1 million Americans.
Even though only a tiny portion of ads carry malware,
malvertising undermines users' faith in this ecosystem. Bad ads
are bad for everyone, including Google and our users. Our
incentive is to keep our online performance safe for everyone,
or customers will not continue to use our products. This is why
we believe in providing the strongest protections against
harmful or malicious content online.
Our approach to fighting malware is two-pronged: prevent
and disable. The first piece is prevention. One of the best
ways to protect users from malware is by preventing them from
accessing infected sites altogether. This is why we developed a
tool called ``safe browsing.'' It checks any page a user visits
against a list of known bad sites. Malicious sites are then
clearly identified as dangerous in Google Search results. We
were the first major search engine to provide such a warning
for search results back in 2006. Today over a billion people
use safe browsing.
Safe browsing is also the default for users on Google
Chrome, Mozilla Firefox, and Apple Safari browsers, which helps
to protect tens of millions of users. When a user attempts to
navigate to one of these malicious sites, they get a clear
warning advising them to click away.
We are constantly looking at ways to further disseminate
safe browsing technology, including by providing a public
interface for anyone to plug in and review identified malware.
We also provide alerts to Web masters who may not be aware that
malicious software is hosted on the Web properties.
A second piece of our effort is disabling bad ads. We have
always prohibited malware in our ads, and we have a strict
suspension policy for advertisers that spread malware. We
proactively scan billions of ads each day across platforms and
browsers, disabling any we find that have malware.
Our Internet systems have proven to have a very big
track record. In 2013, we disabled more than 350 million ads.
Again, this is only a tiny portion of all advertisements in our
platforms, but our systems are constantly evolving to keep up
with those bad actors.
While we may be proactive, we are relatively quiet about
our technology. Malvertisers are constantly seeking new ways to
avoid our detection and enforcement systems, and we want to
stay ahead of them and not tip them off to our efforts.
We are not the only ones involved in these efforts. These
efforts are a team endeavor. We collaborate closely with others
in the Internet community.
Ten years ago, we issued a set of Software Principles, a
broad, evolving set of guidelines available online around
software installation, disclosure to users, and advertiser
behavior. We are a member of StopBadware.org, a nonprofit that
offers resources for website owners, security experts, and
ordinary users. We own and support free websites like
VirusTotal.com and Anti-Malvertising.com to share best
practices and investigative resources and to provide checks for
malicious content on this topic.
We are in constant communication with other industry
players, notifying each of us about new malware attacks and new
trends. Just this month, we, along with Facebook, Twitter, AOL,
and Yahoo!, co-founded TrustInAds.org, a group that offers
guidance to consumers on how to avoid online scams.
Another huge piece is consumer education. A great first
place to visit are websites like Google's Online Safety Center
or Anti-Malvertising.org to learn more.
Of course, users should always use up-to-date anti-virus
software, make sure their operating system and browsers are
also up to date, and be careful about downloads. If they
suspect their computer may be infected, they should use a
reputable product to rid it of malware.
We can always use more help in generating awareness among
consumers. Malware is a complex problem, but we are tackling it
head-on with tools, consumer education, and community
partnerships. We believe if we all work together to identify
threats and stamp them out, we can make the Web a safer place.
Thank you again for your time and consideration.
Senator Levin. Thank you very much, Mr. Salem.
Mr. Spiezle.
STATEMENT OF CRAIG D. SPIEZLE,\1\ EXECUTIVE DIRECTOR, FOUNDER,
AND PRESIDENT, ONLINE TRUST ALLIANCE, WASHINGTON, DC
Mr. Spiezle. Good morning, Chairman Levin, Ranking Member
McCain, and Members of the Committee. Good morning and thank
you for the opportunity to testify before you today. My name is
Craig Spiezle. I am the Executive Director and President of the
Online Trust Alliance. OTA is a 501(c)(3) nonprofit with the
mission to enhance online trust, empowering users to control
their data and privacy, while promoting innovation and the
vitality of the Internet.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Spiezle with attachments appears
in the Appendix on page 67.
---------------------------------------------------------------------------
I am testifying here today to provide context to the
escalating privacy and security threats to consumers which
result from malicious and fraudulent advertising known as
``malvertising.''
As outlined in Exhibit A,\2\ malvertising incidents
increased over 200 percent in this last year to 209,000
incidents which generated over 12.4 billion malicious ad
impressions. The impact on consumers is significant.
---------------------------------------------------------------------------
\2\ See Exhibit A or Exhibit No. 1, which appears in the Appendix
on pages 75 and 162.
---------------------------------------------------------------------------
As referenced, Yahoo! experienced an incident resulting in
over 300,000 malicious impressions, of which 9 percent or
27,000 unsuspecting users were compromised. For them, the
infection rate was 100 percent.
As noted, this is not an isolated case. Cyber criminals
have successfully inserted malicious ads on a range of sites
including Google, Microsoft, Facebook, the Wall Street Journal,
New York Times, Major League Baseball, and others. The threats
are significant. As referenced, the majority and an increasing
number are ``drive-by downloads,'' which have increased 190
percent this past year. A drive-by incident is one that when a
user simply visits a website, with no interactions or clicking
required, is infected.
This threat is not new. Malvertising was first identified
over 7 years ago, yet little progress has been made to attack
this threat.
The impact ranges from capturing personal information to
turning a device into a bot where a cyber criminal can take
over a device and use it in many cases to execute a distributed
denial-of-service attack, known as a ``DDOS,'' against a bank,
government agency, or other organization.
Just as damaging is the deployment of ransomware which
encrypts a user's hard drive, demanding payment to be unlocked.
Users' personal data, photos, and health records can be
destroyed and stolen in just seconds.
In the absence of secure online advertising, the integrity
of the entire Internet is at risk. Not unlike pollution in the
industrial age, in the absence of regulatory oversight and
meaningful self-regulation, these threats continue to grow.
For reference, the development of coal mining and the use
of steam power generated from coal is without doubt the most
central, binding narrative of the 19th Century. Jobs were
created and profit soared, but the environment soon felt the
full impact of industrialization in the form of air and water
pollution. Today we are at a similar crossroads which is
undermining the integrity and trust of the Internet.
So how does malvertising occur? Actually if you would go to
Exhibit B,\1\ thank you. The most common tactic to run a
malicious ad is the cyber criminal going directly to an ad
network, selecting a target audience, and paying for an ad
campaign. In the absence of any reputational checks or threat
reporting among the industry, once detected and shut down by
one ad network, the cyber criminal simply ``water falls'' or
goes over to another unsuspecting network to repeat the exploit
over and over.
---------------------------------------------------------------------------
\1\ See Exhibit B, which appears in the Appendix on page 76.
---------------------------------------------------------------------------
Now on the left there, you see the different tactics of how
the malvertising is inserted, and, again, I think it is
important to note here in this diagram that consumers are
clearly bearing the brunt of it, but also quality, brands, and
websites, their image is being tarnished as well.
The impacts of these threats are increasing significantly.
Criminals are becoming experts in targeting and timing, taking
advantage of the powerful tools and data available to Internet
advertisers. They have become what is known as ``data-driven
marketers'' with precision to reach vulnerable segments of
society as well as high-net-worth target audiences. They have
been able to choose the day and time of the exploits as well as
the type of device they choose to exploit.
In the absence of any meaningful policy and traffic quality
controls, organized crime has recognized malvertising as the
``exploit of choice'' offering the ability to remain anonymous
and remain undetected for days.
Recognizing the threats, in 2007, DoubleClick, which was
later acquired by Google, established a mailing list which
today remains one of the primary methods of data sharing. In
2010, OTA established what is now the Advertising and Content
Integrity Group, focusing on security and fraud prevention best
practices. This group of diverse stakeholders leverages a
proven model of threat mitigation and has since published
several white papers including a risk evaluation framework and
remediation guidelines.
These efforts are a small but first step to combat
malvertising, reflecting input from leaders including Google,
Microsoft, PayPal, Symantec, Twitter, and others.
As you heard before, last June, StopBadware, a nonprofit
funded by Google and others, launched a parallel effort known
as the ``Ads Integrity Alliance.'' This past January, this
initiative disbanded due to its members' ``desire to refocus
their resources on aggressively defending industry practices to
policymakers and regulatory bodies.''
In the wake of this group's demise, recently TrustInAds was
formed last week. According to the site, its ``focus is public
policy and raising consumer awareness of the threats and how to
report them.''
It is important to note that, unfortunately, no amount of
consumer education can help when a user visits a trusted
website that is infected with malvertising. Consumers cannot
discern good versus malicious ads or how their device was
compromised. Focusing on education after the fact is like the
auto industry telling accident victims who to call after an
accident from a previously known manufacturing defect, instead
of building security features in the cars they sell and profit
from.
Other industry efforts have been focused on click fraud,
which are fraudulent activities that attempt to generate
revenue by manipulating ad impressions. Click fraud is focused
on the monetization and operational issues facing the industry.
While these efforts are important, please do not be confused:
Click fraud is not related to malvertising or any impact that
is harmful to consumers.
So what is needed? OTA proposes a holistic framework
addressing five important areas: prevention, detection,
notification, data sharing, and remediation. Such a framework
must be the foundation for an enforceable code of conduct or
possible legislation.
In parallel, operational and technical solutions must be
explored. I envision a day when publishers would only allow ads
from networks that vouch for the authenticity of the ads they
serve, and Web browsers would only render such ads that have
been signed and verified from trusted sources. It is recognized
that such a model would require systemic changes; yet it would
increase accountability, and it would protect the long-term
vitality of online advertising and, most importantly,
consumers.
In summary, as a wired society and economy, we are
increasingly dependent on trustworthy, secure, and resilient
online services. As observed in almost every area of our
Nation's critical infrastructure, we need to recognize that
fraudulent businesses, cyber criminals, and State-sponsored
actors will continue to exploit our systems.
For some, malvertising remains a ``Black Swan Event,''
rarely seen but known to exist. For others it still remains as
the elephant in the room that no one wants to acknowledge or
report on. Today companies have no obligation or incentive to
disclose their role or knowledge of such an event, leaving
consumers vulnerable and unprotected for potentially months or
years, during which time untold amounts of damage can occur.
Failure to address these threats suggests the need for
legislation not unlike State data breach laws, requiring
mandatory notification, data sharing, and remediation to those
consumers that have been harmed.
As learned from the Target breach, it is the responsibility
of a company and its executives to implement safeguards and to
heed the warnings of the community. I suggest that the same
standards should apply for the ad industry. We must work
together, openly disclose and mediate such vulnerabilities,
even at the expense of short-term profits.
It is important to recognize that there is no absolute
defense against a determined cyber criminal. In parallel, OTA
proposes incentives to companies who have demonstrated that
they have adopted such best practices and comply with codes of
conduct. They should be afforded protection from regulatory
oversight as well as frivolous lawsuits. Perceived antitrust
and privacy issues which continue to be raised as the reason
why not sharing data must be resolved to aid in the real-time
fraud detection and forensics that is required.
Trust is the foundation of every communication we receive,
every website we visit, every transaction we make, and every ad
we respond to. Now is the time for collaboration, moving from
protective silos of information to multi-stakeholder solutions
combating cyber crime.
Thank you, and I look forward to your questions.
Senator Levin. Thank you very much, Mr. Spiezle.
Senator McCain.
Senator McCain. Thank you, Mr. Chairman. I thank the
witnesses.
If you put that chart back up about the increase in
malvertising, \1\ would the witnesses agree that the problem is
getting worse rather than better? Would you agree, Mr. Salem?
---------------------------------------------------------------------------
\1\ See Exhibit No. 1, which appears in the Appendix on page 162.
---------------------------------------------------------------------------
Mr. Salem. I do not agree that the problem is getting
better. One thing that----
Senator McCain. Is it getting worse?
Mr. Salem. I am sorry. It is not--I do not believe that it
is getting worse.
Senator McCain. You do not believe that chart then?
Mr. Salem. I have not seen that chart. I saw that from the
report. Our indication where we actually----
Senator McCain. So you are saying that chart is not
accurate?
Mr. Salem. That is not the chart--that is not the
information that I have, sir.
Senator McCain. I see. Maybe you can provide the
Subcommittee with the information that you have, Mr. Stamos?
Mr. Stamos. Sir, our data has been pretty much steady on
the kinds of attempts that we have seen coming inbound.
Senator McCain. Would you agree that probably the worst
attacks come from overseas, specifically Russia?
Mr. Stamos. We see attacks from all around. It is usually
very difficult to have accurate--to accurately figure out----
Senator McCain. Oh, so you have no accurate data as to
where it comes from. That is good.
Mr. Stamos. We have accurate data as to where the IP
address----
Senator McCain. Well, then, where does it come from?
Mr. Stamos. We see these kinds of attempts from all around
the world. You are right, we do see a lot from Eastern Europe
and the former Russian Republics.
Senator McCain. Well, thank you for that.
How about you, Mr. Salem?
Mr. Salem. Yes, we also see a lot of the malware itself
will come from servers that are also in Russia and also----
Senator McCain. So this is really an international issue as
well as a domestic issue, I would argue.
Suppose that some individual is the victim of malware, Mr.
Stamos, does Yahoo! have any responsibility for that?
Mr. Stamos. We absolutely take responsibility for our
users' safety, which is why we do all the work we do to
protect----
Senator McCain. So if someone loses their bank account, you
reimburse them?
Mr. Stamos. Senator, I have always believed that the person
who is responsible for committing the crime is the criminal who
does it, and it is our responsibility to----
Senator McCain. Even though it is using you as a vehicle to
commit that crime?
Mr. Stamos. Senator, we work very hard to fight these
criminals, and----
Senator McCain. Is that person liable--are you liable for
reimbursement for loss of that individual who used--that your
services were responsible--were the vehicle for that?
Mr. Stamos. Senator, we believe that the criminals are
liable for their actions.
Senator McCain. I see. And you being the vehicle for it,
you have no liability, sort of like the automobile that has a
problem with it, the maker of the automobile is not responsible
because they are just the person who sold it. Is that right?
Mr. Stamos. No, Senator. I do not think that is a correct
analogy.
Senator McCain. I see.
Mr. Stamos. We work very vigorously to protect our users.
Every single user is important to us. If a criminal commits a
crime, we do everything we can to investigate, figure out how
they were able to do that, and then to defeat them the next
time.
Senator McCain. And you have no liability whatsoever?
Mr. Stamos. Senator, that is a legal question. I am not a
lawyer. I am here to talk about the security side.
Senator McCain. I am asking common sense. I am not asking
for----
Mr. Stamos. I think we have a responsibility to our users,
and we take that responsibility extremely seriously.
Senator McCain. Thank you.
Mr. Spiezle, you have the five recommendations that you
make in your testimony. In prevention, you say, ``Stakeholders
who fail to adopt reasonable best practices and controls should
bear the liability and publishers should reject their ads.''
Are stakeholders adopting reasonable best practices and
controls in your view?
Mr. Spiezle. Today that information does not suggest they
are doing that. One of the challenges is the reluctance to
share information among each other, and it is very isolated
right now. Again, recognizing that there is no perfect
security, in the absence of taking reasonable steps to protect
the infrastructure and consumers from harm, they should be
responsible.
Senator McCain. How many Americans do you think know that
this problem exists?
Mr. Spiezle. This information has been kept very quiet. It
has been suppressed over years. The executives of some of the
trade organizations have actually denied it even exists
publicly. So that is a major challenge.
Senator McCain. We just saw an example of that, disputing
the malvertising facts. Where did you get those facts, by the
way, since they do not share your view?
Mr. Spiezle. Well, actually, we are very fortunate. There
are many players in the industry that see this as a major
issue. In fact, just this past week, we had about a dozen
companies come to us asking for legislation that are actually
in the ecosystem saying they recognize that the absence of this
that their businesses are being marginalized and they need
help.
Our data comes from multiple sources. It comes from the
threat intelligence community. It comes from some of the ad
networks themselves who are willing to share this information
anonymously. They do not want to be public because of the
pressure from the industries and the trade organizations. And
we try to normalize it.
I would suggest that this data probably underreports it by
at least 100 percent. We do not know and, again, the lack of
willingness to share data is impeding the problem today.
Senator McCain. Mr. Stamos and Mr. Salem, do you both have
the same best practices standard between your two
organizations?
Mr. Stamos. Senator, I believe we use about the same types
of technologies and tests.
Senator McCain. Do you have the same best standards
practices?
Mr. Stamos. I believe so, yes.
Senator McCain. You would not know?
Mr. Stamos. We work actually very closely with our ad
partners to trade notes, and we share a lot of the same
technologies.
Mr. Salem. And I would have to also add that we actually do
communicate. We actually do discuss different issues that come
up, different malvertising trends.
Senator McCain. Do you need liability protection to work
more closely together?
Mr. Salem. We work very closely together. I do not see
any----
Senator McCain. Then why don't you have the same best
practices standards?
Mr. Salem. We are different organizations, we are different
corporations. We basically----
Senator McCain. But you are facing the same problem, Mr.
Salem.
Mr. Salem. Yes, and we communicate about the threats.
Senator McCain. I am glad you communicate. I am asking if
you will adopt the same best practices standards.
Mr. Stamos. Senator, I believe we already do adopt the same
practices, but we have diverse implementations. An important
part of security is to have a diversity of different ways to
combat a single threat.
Mr. Spiezle. Senator, if I might add, the OTA has convened
several multi-stakeholder workshops offering Chatham House
Rules to facilitate the data sharing. And, unfortunately, the
response has been--it is being addressed internally. And so,
again, we have asked Google multiple times, we have asked
Yahoo!, we have asked the other companies to come to the table.
And, again, the answer has been, ``It is not a problem. It is
not one that we really see we need to address.''
I will go a step further. The chairman and president of
IAB, Interactive Advertising Bureau, in September 2010 publicly
stood up and said malvertising is not a problem, it only exists
because security vendors want it to be a problem.
Senator McCain. Well, then, I guess we get back to the--Mr.
Stamos, do you agree that it is a problem?
Mr. Stamos. I absolutely agree that this is a problem, but
we need to keep in context--when you look at a graph like that,
we need to put it next to the overall malware problem, which is
honestly the numbers are much, much larger, and there are three
parts to that. There are the authors who create malware, which
is about creating safe software. There is distribution of which
advertising is the part that we are responsible for, but it is
honestly a tiny sliver of the distribution problem of malware.
And then there is the financial side. And from our perspective,
we focus a lot on preventing ourselves from being part of the
distribution problem, but then we also fight the entire life
cycle, because in the end there is going to be no perfect
protection at each of those places. What we need to do is decrease
the financial incentives for the criminals to attempt to do
this in the first place.
Senator McCain. And how do you do that?
Mr. Stamos. On the software side, the companies that make
that software try to make it harder for malware to be created.
On the distribution side, we build our analysis systems to make
it harder and harder for them to----
Senator McCain. Well, I will look forward to your data on
the malvertising since clearly that indicates you have got a
lot of work to do. And even though it may be a ``tiny sliver,''
I am not sure that is of some comfort to someone who has their
bank account wiped out. Maybe to you, but it is not to them.
Mr. Stamos. Excuse me, Senator, but every single user is
important to us.
Senator McCain. Well, obviously you are downgrading the
importance of this issue when you say it is only a tiny sliver.
If there are two hundred and some thousand, if I read that
right \1\--what is it, Mr. Spiezle?
---------------------------------------------------------------------------
\1\ See Exhibit No. 1, which appears in the Appendix on page 162.
---------------------------------------------------------------------------
Mr. Spiezle. That is correct, 209,000 identified unique
incidents that occurred, that were documented.
Senator McCain. I would say that sliver is a pretty big
sliver, Mr. Stamos.
I thank you, Mr. Chairman.
Senator Levin. Thank you very much, Senator McCain.
Let me ask you, Mr. Stamos, we have testimony here from Mr.
Spiezle on behalf of the Online Trust Alliance that says that,
``Ideally we will have solutions where publishers would only
allow ads only from networks who vouch for the authenticity of
all of the ads they serve, and Web browsers will render only
such ads that have been signed and verified from trusted
sources. It is recognized that such a model would require
systemic changes; yet they would increase accountability,
protecting the long-term vitality of online advertising and
most importantly the consumers.''
Would you support those kind of systemic changes, Mr.
Stamos?
Mr. Stamos. Thank you, Senator. So as to the authenticity
issue for ad networks, I can only speak to how Yahoo! does
this----
Senator Levin. No, not how they do it, but would you
support what Mr. Spiezle is recommending?
Mr. Stamos. So we definitely support the cryptography side.
Currently, technology does not exist to sign an ad all the way
through, but through our efforts to move to HTTPS encryption,
we have moved a great deal of the ad networks in the world to
supporting encrypting, and which is really what is supported in
browsers right now.
Senator Levin. Is there any reason why we cannot require
that ads first, before they are put on, be verified that they
come from trusted sources? Is there any reason you cannot do
that?
Mr. Stamos. Well, I think right now, Senator, the browser
technology does not exist.
Senator Levin. Does it exist, Mr. Spiezle?
Mr. Spiezle. The browser technology does not exist. I think
we are talking about a combination of operational best
practices and technical. It is a very complex ecosystem, as
Senator McCain stated in his opening comments, with multiple
intermediaries. This is a desired state. Again, if we cannot
vouch for who the advertiser is, we should not accept the ads in
the first place, and that is the first part, and that is in the
preventative side. But that is operational.
Senator Levin. Can that be done now?
Mr. Spiezle. I believe it can be done now.
Senator Levin. Is it done now?
Mr. Stamos. Yes, we have agreements with the ad networks we
work with to have them pass information through, and if we find
that they are problematic, then we get rid of those networks
from our----
Senator Levin. Do they verify before they put on the ad
that it comes from a----
Mr. Stamos. Senator, I am not sure exactly what each ad
network does.
Senator Levin. Mr. Salem, do you do that?
Mr. Salem. Our ad networks are verified, but they basically
can have advertisers that they have direct relationships with,
and we do not know what those relationships are.
Senator Levin. But do the people that you do have
relationships with verify the credibility of their advertisers?
Mr. Salem. They have a vetting process themselves. I am not
exactly sure. I will say, however, that many of the
malvertising that we have seen has come from companies or
criminals that basically pretend to be legitimate companies. So
even if you said that, we are going to vet them. We have seen
problems like with Sears.com, with Crosspen.com, they actually
may introduce ads with companies that actually appear, create--
they appear to be real. Their vetting process appears to be
perfect. Yet, again, these criminals have come and made
specific companies that look real and----
Senator Levin. OK. So let me ask Mr. Spiezle a question.
What can be done now practically that is not yet being done by
companies like Google and Yahoo!?
Mr. Spiezle. Well, I should note, to help address this very
specific threat, we held full-day workshops, and in October, we
published what we call our ``risk evaluation framework,'' which
I have here and it is referenced in my written testimony. It
provides a checklist on the onboarding of verifying the
reputation. So this was an example of an operational step. We
received a lot of----
Senator Levin. Has that step been taken by Google and
Yahoo!, for instance?
Mr. Spiezle. Again, we make them available to anyone----
Senator Levin. Do you know whether they have been taken?
Mr. Spiezle. I do not know.
Senator Levin. Have they been taken, those specific steps?
Mr. Salem. I do not know.
Senator Levin. Do you know, Mr. Stamos?
Mr. Stamos. I am not sure what exact steps he is talking
about.
Senator Levin. OK. Well, if you had gone to that meeting,
you would have known. How come you did not go to that meeting?
Mr. Stamos. We are part of a lot of groups that are working
on this problem.
Senator Levin. Well, let me change to a different part of
the testimony here then. ``Companies today have little
incentive,'' Mr. Spiezle's testimony, ``to disclose their role
or knowledge of a security event, leaving consumers vulnerable
and unprotected for potentially months or years, during which
time untold amounts of damage can occur.'' And then the
suggestion is that there be legislation adopted similar to
State data breach laws that require mandatory notification,
data sharing, and remediation to those who have been harmed.
Do you support a mandatory notification requirement, Mr.
Stamos?
Mr. Stamos. Mr. Chairman, this is a more complicated issue
than breach notification. In the situation you are talking
about, malvertising, there is often not a direct relationship
with the user, and so there would be no information to know how
to notify them.
Also, in a situation where malvertising is caught early
before it has an impact, we have to be careful----
Senator Levin. Let me get Mr. Spiezle's response to that.
Mr. Stamos. OK.
Mr. Spiezle. So in the context of notification, I agree, it
is more--notification to regulatory authorities of an incident
occurring, and then obviously depending upon that, in most
State data breach----
Senator Levin. Let us talk about regulatory authorities. Is
there any reason why you should not be required to notify
regulatory authorities?
Mr. Stamos. Mr. Chairman, every day we stop malvertising.
So I think it really comes down to the details of whether you
talk about an incident. We are talking about two or three
incidents today over a multi-year period when every--as Google
pointed out, we are talking about finding 10,000 sites a day.
They are finding 10,000 sites a day with malware on it.
Senator Levin. You are talking about where there are
breaches or attempted breaches?
Mr. Stamos. The 10,000 a day I believe he was talking about
are sites that are set up that host malware, and so----
Senator Levin. How many breaches a day?
Mr. Stamos. Mr. Chairman, it is really important for us to
use the right terminology here. When you say ``breach''----
Senator Levin. So let me ask Mr. Spiezle, please use the
right terminology.
Mr. Spiezle. So I think the breach is not perhaps the
context that I was thinking about. It is more of a confirmed
malvertising incident where a network or a site has actually
observed and documented malicious ads going through their site
and properties and infrastructure. That is what we are
referring to.
Senator Levin. OK. There you want mandatory notification to
the regulator.
Mr. Spiezle. And in the absence of that, quite frankly,
that is why there is no good data, and that makes it that much
harder to go back and find out who is the actual perpetrator.
Senator Levin. OK. Putting aside the argument for it, which
sounds sensible to me, is there any reason that you cannot do
that?
Mr. Stamos. I would have to get back to you on that,
Senator. We would have to see the details of what you call a
``malvertising incident'' and what the reporting looks like.
Senator Levin. Mr. Salem.
Mr. Salem. I personally would be very careful about making
a commitment like that. One of the things that we try to do is
within a community, discuss what the issues are and make sure
that it is not public. As soon as you make things public, you
are basically talking about people that have----
Senator Levin. I am talking about to the regulator.
Mr. Salem. But, again, that would be a public document. We
would rather not make some of this information public so that
the criminals find out how we are detecting them and how we are
basically----
Senator Levin. Everything you tell a regulator is not
necessarily public, by the way. You can have proprietary
information, you can have other information that is not made
public. Putting aside that problem, any reason why you cannot
notify the regulator?
Mr. Salem. There is no reason.
Senator Levin. OK. Would you, Mr. Stamos, get back to us
after you study what that recommendation is?
Yahoo!'s privacy policy indicates that you do provide
information to partners of certain personal information so that
Yahoo! can communicate with consumers about offers from Yahoo!
and the marketing partners. Then you say the companies that you
deal with, however, those partners, do not have any independent
right to share this information.
Is the sharing of that information prohibited?
Mr. Stamos. Mr. Chairman, while privacy and security are
intertwined, we have a dedicated privacy team. So if you want
to get into those kinds of details, I will have to take those----
Senator Levin. Do you know offhand?
Mr. Stamos. I do not, sir.
Senator Levin. OK. There is a great emphasis here on
education, but here is the problem. The business partners, for
instance, of Yahoo!--and you provide a list on your website--of
these third-party partners, there are over 150 companies that
do advertising work alone. You note in your privacy policy that
these companies may be placing cookies or Web bugs on our
computers as we browse.
How can consumers possibly educate themselves about each of
these third parties? There are 150 of them with names like Data
Zoo, Daltran, Diligent, companies totally unknown to people
outside of this room probably. Do you think it is feasible--and
I am going to ask you, Mr. Stamos, and this will be my last
question--for consumers to evaluate the security policies and
the privacy policies of each of 150 entities? Is that a
practical suggestion?
Mr. Stamos. That is an excellent question, Senator. We are
not expecting consumers to go and make the decisions one on
one. That is why we provide privacy options for users, and we
work with folks like the DAA to provide decisionmaking
authority for consumers across multiple partners. And I believe
that is where we have to go, is to have the choices up in one
place.
Senator Levin. Well, but you are suggesting that they
educate themselves about each of those partners of yours.
Mr. Stamos. I am not suggesting that. I am sorry, Mr.
Chairman. I am not familiar with the language you are referring
to.
Senator Levin. OK. Thank you.
Senator Johnson.
Senator Johnson. Thank you, Mr. Chairman. I would kind of
like to start out just quoting a couple little phrases here to
certainly underscore my feeling on this. I think as the
Chairman said this has enormous complexity, and I think the
Ranking Member said that online Internet advertising plays an
indispensable role. I think those are pretty powerful
statements in terms of what we are trying to do here. The
Internet has been a marvel. It has created all kinds of
economic activity, certainly improved people's lives. So we
need to understand how enormously complex this situation is,
and it is not easy. And the analogy I would use in terms of
crime--because we are talking about criminal activity and who
is going to be held liable for it.
The analogy I would use would be let us say you have a
criminal, that even though you have safeguards in a taxicab,
that criminal defeats those safeguards, takes over the cab, and
kills somebody. Is the cab company to be held liable for that
criminal activity? I think that is probably a more accurate
analogy that we are talking about here.
So I think the purpose of this hearing is what can
government potentially do to help it, and I think I know who
Yahoo! is, I think I know who Google is, I think I know how you
guys obtain revenue and make money. I am not too sure about
OTA, and there are a couple things that have surprised me in
terms of the comments you have made.
So let me first ask you, Mr. Spiezle, who are you? Where do
you get your funding? How do you obtain revenue?
Mr. Spiezle. Well, thank you for the opportunity to provide
clarity. So the OTA, the Online Trust Alliance, got founded in
2004, as a working group to address and bring forward the anti-
spam standards that Yahoo! referenced in their original
testimony there through a collaborative effort. And it was
recognizing----
Senator Johnson. Who funded that effort? I mean, it takes
money to do that.
Mr. Spiezle. That effort was through companies like
Symantec, Microsoft, PayPal, lots of companies that came
together--Cisco.
Senator Johnson. So do you continue to get funding that way
or do you get funding in other ways?
Mr. Spiezle. Our funding actually comes from multiple--
again, we are a 501(c)(3). We are not a trade organization. We
look across the ecosystem. We have a diverse group of sponsors
and contributors as well as we receive grants from DHS and
others.
So, again, our mission is very clear. We support
advertising, but, again, our most important part is improving
consumer trust in the vitality of the Internet.
Senator Johnson. OK, because here is what sent bells and
whistles going off in my head, and I am not sure I heard you
say it, but the Chairman said that you talked about the fact
that Yahoo! and Google have little incentive--to do what? First
of all, is that an accurate statement? So what do they have
little incentive to do?
Mr. Spiezle. So I think in the context of the question, if
I can clarify that incentive, it is an incentive of data
sharing, and it is really an industry issue that we have been
trying to get people to work on together. And the incentive is
data sharing----
Senator Johnson. Do you deny the fact that Google and
Yahoo! have an enormous free market incentive to make sure that
this criminal activity does not occur on the networks?
Mr. Spiezle. I think as dominant market players, there is a
responsibility in how the lack of data sharing and how it is
marginalizing the ecosystem and----
Senator Johnson. No, but answer the question. Doesn't
Yahoo! and Google, don't they have enormous financial
incentives to try and police this and prevent malvertising and
malware?
Mr. Spiezle. As they have suggested, malvertising is a
small percent of the overall ad industry, and so to add the
operational friction and to change it is a major change in how
they operate today.
Senator Johnson. You are still not answering the question.
Mr. Spiezle. I do not think there is----
Senator Johnson. You really do not think Yahoo! or Google
have an enormous financial incentive to try and police this
stuff and prevent it from happening?
Mr. Spiezle. I think they do. Whether they are----
Senator Johnson. OK. Good. That is what I wanted to--
because here is the point: What can government do better than
what these private companies can do to prevent this? I have sat
through hearing after hearing--for example, just this week, we
talked about the Defense Department who has been unable to get
audit ready in 15 to 20 years.
So my point is: Is there a role the government can play
that does not actually do more harm than good?
Now, as I have been investigating this and been involved in
Commerce Committee hearings, the first step that we need to
take in terms of cybersecurity is information sharing. And the
only way we are going to get information sharing is we have to
provide some liability protection.
I want to ask all three of you: Is that pretty much the
first thing the government has to do, we have to enact some
type of information-sharing piece of legislation that provides
the kind of liability so that you will actually share
information? Let me start with Mr. Stamos.
Mr. Stamos. Thank you, Senator. We are in support of
information sharing as long as there are strong privacy
protections for our users, but we are happy to work on the
details of that, yes.
Senator Johnson. Do you think that is the first step?
Mr. Stamos. I think that is an important step. I also think
something government can do right now is to work on disrupting
the financial side of these cyber criminal networks.
Senator Johnson. So you are actually talking about
enforcement; you are talking about going after criminals and
enforcing and penalizing the criminals.
Mr. Stamos. Yes, penalizing the criminals, but also just
making it hard for them to make money. A lot of these guys are
actually selling products. They are taking credit cards. They
are cashing checks. And so even if we cannot arrest them
because they are in a jurisdiction where that is impossible, we
can make it difficult for them to profit off of targeting
American----
Senator Johnson. So would that require more regulation of
the banking industry, some targeted actions there?
Mr. Stamos. Again, I am not a lawyer, so I do not know the
exact--I think it is all already illegal. It is really just a
focus issue.
Senator Johnson. OK. Mr. Salem, again, what can government
do? What is the first step?
Mr. Salem. Senator, you had mentioned basically looking at
being allowed information. To be quite clear, my team is the
one that does the anti-malvertising, and we are very happy that
we could actually speak to our colleagues, at least in the
industry, very openly about the different threats and what we
can do about it. We actually currently do talk very openly, and
some of the other threats that have come out, like we have
spoken recently about TrustInAds.org where you have scams
basically in the tech support industry. These were terrible for
consumers. Some of them had malware installed on their
computers under the guise of giving a credit card number to
people in India, helping them with their computer.
We are very happy to discuss----
Senator Johnson. OK, but that is between companies. What
about information sharing with the government so that the
government can disseminate some of that information to other
people in the industry that you maybe do not have a partnership
with? And I guess the other thing I want to get to is some sort
of Federal preemption on data breach, so that we have a data
breach standard so you are not having to deal with 50 or more,
potentially hundreds or thousands of jurisdictions. I mean, is
that something pretty important? Is that something the
government can do that would be constructive as opposed to
hampering your activities?
Mr. Salem. Yes, it would.
Senator Johnson. Because here is my concern, is that we
enact some piece of legislation with the best of intentions
that actually makes it more difficult, takes your eye off the
ball of actually solving the problem as opposed to complying
with regulations that are written by people that are not even
close to, as agile, as flexible, and as knowledgeable as what
your companies are.
Mr. Salem. Currently today, we are able to do our scanning,
look for these bad ads, look for sites, and protect consumers,
protect our users, talk to other folks in the industry
currently about malvertising, about the malvertising trends.
Right now we do not feel like we have problems or that there is
anything encumbering us with this communication for the issue
of malvertising.
Senator Johnson. OK. Part of my concern about some of the
answers you are providing in the hearing here is you obviously
do not want to alarm your consumers, and I do not want to put
words in your mouth, but I am a little concerned that that is--
we all know this is a small slice. I mean, this is a big
problem, right? And I want you to kind of answer the question I
asked Mr. Spiezle about the enormous incentives you have. You
mentioned, I think, in your testimony your top priority is
users matter, user trust, and user security is a top priority.
I think that just makes common sense, but I will give you an
opportunity to underscore that point.
Mr. Salem. For Google, user privacy, user security is No.
1. I mean, honestly we are an Internet business. Our users are
one click away from going to our competition, one click away
from doing something else. We have to prove that we take this
seriously, that when they click on any ad that is a safe ad and
that when we deal with our third-party advertisers, that they
are vetted partners as well.
Mr. Stamos. Yes, Senator, we have a huge incentive to
maintain user trust. The biggest sites that Yahoo! ads run on
are Yahoo! sites, and so to maintain those 800 million people
around the world using our sites, we have to maintain the trust
of our users, and we have to live up to our responsibility.
Senator Johnson. I come from a manufacturing background, so
we have gone through ISO certification, which I will have to
admit, when I first got into it, I am going, ``Well, this is a
pretty good deal for the consultants that do ISO
certification.'' But having gone through the process, I became
a real believer that this is extremely helpful in terms of
providing, not only my company the tools to get our process
under control, but to communicate to our customers, to our
suppliers that we had our process under control across a whole
host of different parts of that standard.
From my standpoint, that kind of certification process
would make sense for this particular--and when we are talking
about standards, security standards and advertising, is that
something that Yahoo! and Google would support, some kind of
third-party certification process that would give consumers the
comfort that the standards are in place?
Mr. Stamos. Thank you, Senator. I think we would support
self-regulation to set guidelines. From the actual technical
standards, this is something that we change and innovate on
every single day, so we need to be really careful to not get
too prescriptive to where we are living up to a rule and we are
not doing what we need to do to----
Senator Johnson. Well, that is what I am talking about, a
private sector alternative.
Mr. Stamos. Yes.
Senator Johnson. But I want to make sure it is a
cooperative one, not potentially somebody who is set up in
business and is actually hostile to some of the actors in the
room. You really need to have this very cooperative, very
flexible, very fast moving, because these standards are going
to have to change--what? Daily? I mean, literally what are we
talking about in terms of the level of flexibility we are going
to need if we are going to have any hope? And all we are going
to be able to do is minimize this, right? Probably? I mean, the
criminals are going to be one step ahead of us every time. You
are going to have to continue to change these standards and
what we need to do on an ongoing basis, correct?
Mr. Salem. Correct. We need to evolve, and we need to
basically be as nimble as possible to make sure that we are one
step ahead of those criminals.
Senator Johnson. I am out of time.
Mr. Spiezle. I might add that the standards that were
addressed earlier that industry came together to address spam
and deceptive email, DMARC and DKIM and SPF, they are examples
of similar technologies that could be employed, so I would
actually say that there could be standards that could be
developed that could help increase the trustworthiness in
advertising.
Senator Johnson. Thank you, Mr. Chairman.
Senator Levin. Senator McCaskill.
Senator McCaskill. Mr. Spiezle, do you know what percentage
of all the malware incidents occurred through advertising? I
think this is your chart, \1\ correct?
---------------------------------------------------------------------------
\1\ See Exhibit No. 1, which appears in the Appendix on page 162.
---------------------------------------------------------------------------
Mr. Spiezle. Yes, this is a chart----
Senator McCaskill. And what percentage of malware incidents
are attributable to advertising in the year 2013?
Mr. Spiezle. I do not have that specific data.
Senator McCaskill. Well, how can you not have that data if
you know how many display malvertising there was? Wouldn't you
have to know the context of that number?
Mr. Spiezle. No, this is very specific to documented cases
where malicious ads were documented and observed. So we are not
looking at click fraud, we are not looking at search ad or
fraudulent ad----
Senator McCaskill. And why not?
Mr. Spiezle. Because this is the area, again, that is
coming through the pipeline. The critical infrastructure that
is impacting us today through malicious advertising where
consumers do not have the ability to protect themselves.
Senator McCaskill. Well, if I have malware on my computer,
frankly it does not matter where it came from, and I am trying
to get at the whole problem here. This is obviously one small
piece of it. Do you all know, Mr. Stamos and Mr. Salem, what
percentage of the malware incidents are attributable to
advertising?
Mr. Salem. We do not know that information.
Senator McCaskill. Does anybody know it?
Mr. Salem. We do know that the classic way that a consumer
will get malware is visiting a site, not necessarily the
advertisement on that site. That is the classic way where
criminals----
Senator McCaskill. That is what I am trying to get at. How
much of this is site-specific versus ad-specific?
Mr. Stamos. So the numbers we see, Senator, from other
sources on the number of malware infections are in the tens or
hundreds of millions. So that is the context in which I would
put the hundreds of thousands here.
Senator McCaskill. OK. So we are talking about less than 1
percent.
Mr. Stamos. It is real hard to know, Senator, exactly where
each malware infection comes from. But I do not think that it
is unlikely that it is less than 1 percent.
Senator McCaskill. OK. Some of the people in this room have
heard me say this before--part of the problem here is that
consumers were not brought along early in this process to
understand the importance of being educated and understanding
that what they are getting for free is coming at a price of
advertising. I do not think you would argue, Mr. Spiezle, that
we would have a much different Internet if it were not for--in
fact, the backbone, the foundational backbone of the Internet
as we know it and the explosion of economic activity and jobs
is all around behavioral marketing, correct?
Mr. Spiezle. It is all about advertising, which is great,
and we fully agree that advertising supports the services that
society and businesses get today.
Senator McCaskill. So when consumers hear how unfair it is
that their data is--that they are seeing ads for outdoor
furniture when they have been shopping for outdoor furniture,
when they get creeped out about that, they are not making the
connection that is why their Internet content is free. You all
get that, right? They do not get that connection? And that is
all on you. You have not informed them appropriately about the
bargain they are striking. And perhaps what would be most
helpful in this regard is to figure out what the costs would be
if we were to remove--if we were to clamp down in the
government on the kind of advertising and the prevalence of
advertising on the Internet and the ability to behavioral
market on the Internet by knowing what people are interested in
as opposed to just like we know that somebody who watches Oprah
maybe would--they might want to run an ad for Slim-Fast on
Oprah. I mean, that is what happens in advertising. You try to
target your audience based on what they are looking at.
Does anybody know what this would cost for people to have
an email or to have the search capability they have if it were
not for advertising? Has anyone ever tried to quantify that so
consumers would understand the bargain they are getting?
Mr. Stamos. I just have to say, Senator McCain's number, in
his opening statement he talked about the overall ecosystem
being worth around $43 billion. So I guess that would be the
overall cost.
Senator McCaskill. OK. What is the one thing the government
is supposed to do in this space? I think it is catch criminals,
right?
Mr. Salem. Yes.
Senator McCaskill. OK. Mr. Spiezle, why aren't we catching
more of these criminals? How much time is your organization
spending on the failure of government, both nationally,
domestically, Federal, State, local, and internationally, the
abject failure we have had at going after--and I know it is
really hard because we are talking about IP addresses that
disappear in less than that.
Mr. Spiezle. Thank you for the question. It is clearly a
problem of epidemic proportions, State-sponsored actors and
such international here. One of the biggest challenges--and I
think we have outlined in every area of security best
practices--is data sharing. And it is not just data sharing to
government. We also have to remove the barriers and the
barriers cited by many of the organizations in this room, for
example, antitrust, of sharing this data with each other. That
is the first part. In the absence of that, we cannot peel back
the onion. Working with the FBI and Secret Service, this is a
very difficult problem to go back to and get----
Senator McCaskill. So you are saying that the government's
failure is because Google and Yahoo! and their colleagues are
not sharing information with law enforcement?
Mr. Spiezle. I am saying that in general--it is not a
government failure. It is in general a failure of the industry
sharing data among ourselves and with law enforcement of when
these incidents are occurring. But it is a difficult problem. I
want to underscore, they are also being victimized, their
infrastructure is being victimized as well, and so I certainly
recognize that issue that is hurting their businesses. But we
have to put in place the measures to protect and prevent it and
also to detect it. And when we detect it, then we can notify.
But in the absence of data, we cannot notify the other parties
to bring down the ads as quickly as possible or to look at the
methodology to prevent it from reoccurring.
Senator McCaskill. Well, let us try to drill down on that a
little bit. Mr. Stamos and Mr. Salem, are you all trying to
work in a cooperative and moment-by-moment fashion with law
enforcement?
Mr. Stamos. Yes, Senator, we have a dedicated e-crime team
that we are actually in the process of beefing up, that when we
see an incident where we believe there is enough information,
that we refer that information to law enforcement, that we work
with them throughout the investigation. And we have actually
had some success in the disruption of several cyber criminal
networks.
As Mr. Spiezle said, there is an international component
that sometimes makes an arrest difficult, but you do not need to
arrest them to make it economically infeasible for them to be
committing these crimes.
Senator McCaskill. Well, I would like more information on
that, and I would certainly appreciate anything your
organization could bring to that also. I would like to
understand why we are not having more robust success in the law
enforcement space since your companies are being victimized and
consumers are being victimized by criminals.
Mr. Salem. I can give you a few anecdotes, if you would
like, that might help. Google constantly is being asked for
information by law enforcement to give information about cyber
criminals, and we do that. The few times that we have actually
approached law enforcement and said, we have exact IP
addresses, we know exactly where these servers are, they are in
the United States, one of the things we are asked to give is,
``Well, show us the fraud, show who was fraudulent, the amount
of damages.'' We do not have that information.
So that is something where, overall, we have actually had
problems approaching law enforcement to actually take action.
Senator McCaskill. Do you all feel----
Senator McCain. For the record, would you provide an
example of that for us.
Mr. Salem. I can do that offline, yes.
Senator McCaskill. One of the things I think there is a
stress for you all, and that is informing consumers as clearly
and boldly as many of us believe you should inform them--
because a lot of this can be prevented by consumers, as you
well know, Mr. Spiezle. If you understand the ecosystem of the
Internet and if you understand the concept of cookies and if
you understand what your browser is actually doing, if you
understand the power of a click, you can avoid a great deal of
the danger.
But I am sure some of the stress for your companies is that
the more you warn consumers, the more they are going to be
afraid to robustly participate in the Internet in terms of
accessing ads and doing the things that generate a lot of the
income for the overall eco-structure.
So how can you balance this better? I know it is better
than it was when I started harping on this several years ago
about informing consumers. But the secret about their power,
about the individual user's power--I have a great deal of power
on this thing. But I have to be honest with you. The only
reason I know it is because I have an amazing staff that helps
me understand how I can access that power. The average consumer
does not have a clue.
It seems to me that is what the organizations that fund
you, Mr. Spiezle, ought to be more worried about, is how the
consumer becomes more empowered in this environment, because it
is the only real way.
Mr. Spiezle. If I can respond, I clearly agree that
consumers have a shared responsibility here to make sure that
they are updating their computers, patching their systems, and
practicing safe computing practices, absolutely. But, again,
getting back to--I remain that, again, going to a trusted site
they know of, they type it in, they do not click on a link, all
the things that we tell them not to do, and they go to a
trusted site that unsuspectingly deploys a zero-day exploit, an
exploit that has never been disclosed to them before, there is
no amount of consumer education that can solve that problem.
So we have a shared responsibility across all the
stakeholders here--consumers, ad networks, publishers alike
here--and that is why I think we are having this discussion
today.
Senator McCaskill. My final question, Mr. Spiezle, is your
organization--I know that probably a lot of the security--I am
guessing if I was a company that was selling security projects,
I would want to invest in you. I would want to make
contributions to you. So I am assuming a lot of your
contributors are, in fact, the people who make security
products for the Internet.
Mr. Spiezle. Actually, to the contrary. Over 50 percent of
our funding comes from companies like WebMD, American Greetings,
comScore, Publishers Clearing House, Twitter, eBay websites and
Web properties that are depending on consumers to trust their
services. They also include interactive markets including
Innouyx, VivaKi, Simpli.fi, Epsilon, and others.
Senator McCaskill. And do you provide the services to
these--the workshops you provide, are they free of cost to
people who come? Or is part of your income that you actually
need the revenues----
Mr. Spiezle. Our training workshops are basically at a cost
recovery basis, and we hold some throughout the U.S. and Europe
as well on a range of subjects.
Senator McCaskill. So you do not get any revenue stream
from your----
Mr. Spiezle. Like I said, they are designed to cover our
operating costs of the programs.
Senator McCaskill. Thank you.
Senator Levin. Thank you, Senator McCaskill.
Senator Portman.
Senator Portman. Thank you, Mr. Chairman, and thanks for
holding this hearing.
The chart tells it all. \1\ We have seen this dramatic
increase in malvertising, so it is appropriate we are talking
about it.
---------------------------------------------------------------------------
\1\ See Exhibit No. 1, which appears in the Appendix on page 162.
---------------------------------------------------------------------------
I also agree with what Senator Johnson said earlier about
how the Internet has really thrived without the heavy hand of
government. We want to make sure that continues, critical to
our economy.
Earlier we talked about a lot of solutions. And I do not
understand enough about the problem to know what the right
solutions are, to be frank with you. But verification standards
certainly seem to make sense. In your testimony, you talk about
information-sharing protocols. Senator McCain rightly talked
about the liability protections that are needed to make that
work well. I know you guys are not lawyers, but we would like
some more information on that, if you could give it to us for
the record.
The accountability measures for the ad networks themselves
seem to make a lot of sense. We talked about enforcement, and I
want to ask you about that in a second. But enforcement
requires the information, which is important to get at what,
Mr. Stamos, you talked about in terms of the financial
incentives that are in the system now.
I have a question just to kind of back up so I maybe
understand this problem better. Mr. Salem, you are with Google,
kind of a big company. And I understand that you scan 100
percent of the ads that enter into your advertising network. Is
that true?
Mr. Salem. We scan 100 percent of the ads eventually. Not
every ad is necessarily scanned unless it is hosted by Google.
So many of the ads----
Senator Portman. Unless it is what?
Mr. Salem. Hosted by Google. So we have third parties, and
we have Google ads as well. So all of the ads that are Google
are scanned immediately before served. A few of the third
parties----
Senator Portman. OK. Let us focus on the ads that are
Google-hosted. If you are scanning all of those ads, then how
did the malvertising that ended up on YouTube earlier this year
circumvent that scanning process? I mean, it was a major issue.
Everybody was aware of it. How did that happen?
Mr. Salem. It happened because ads can go bad. So there are
a lot of third-party components to ads. There are a lot of
JavaScript calls. There are potentially, tracking or analytics that
happens along with an ad.
When we scan an ad, we scan an ad and the ad looks great.
We continually scan ads based on the risk, how often they are
shown. These ads went bad before we had a chance to rescan
them.
Senator Portman. So the vulnerability was that you did not
have a continuous ability to analyze that ad, and it went bad.
So what are you doing to address that vulnerability?
Mr. Salem. So what we have done is we have looked at our
risk profile on these ads. We have basically lowered it for
many of them, and we are scanning more often for all of these.
Senator Portman. And are you scanning often enough to avoid
what happened with the YouTube malware happening again?
Mr. Salem. We believe so. We scan all of the ads that we
host, and we rescan them quite a bit. We have hundreds of
thousands of ads we take down continuously. Some of those are
based on the websites that they go to that are bad, and some of
them are based on the ads themselves that are going bad.
Senator Portman. Your prepared testimony focuses a lot on
preventing, which is what this is, and disabling malware. Of
course, both are necessary. I get that.
When prevention fails, as it did with this huge incident,
what can consumers do to protect themselves from harm inflicted
by ads on Google's ad network or any other entity's ad network?
Mr. Salem. Sure. So just on this incident itself, I would
not necessarily call it huge because the website itself was on
our safe browsing list. So users that use Chrome, Mozilla, and
Safari, they were already covered by this. Also, the specifics
were for an unpatched version of Internet Explorer, so this is
actually telling you these are the users that actually got the
malware or were exposed to the malware. We do not even know how
many of them actually downloaded the malware.
Senator Portman. So you do not know what the damage was,
but it was not huge?
Mr. Salem. We know the potential, and when we look at our
numbers, we look at what is the potential when an ad goes bad,
and we look at our last scan. That is when we consider all that
potentially bad advertising.
But that basically shows us that what could protect a user
is knowledge that they need to use anti-virus software, that
they need to update their browsers, they need to update their
operating systems. That in general is best practices, not even
just for malvertising but just for malware in general.
Senator Portman. Let me ask a question, if I could, to both
of you, Mr. Stamos and Mr. Salem, about consumers, because you
talk about how consumers need more information. What can be
done to inform people that they have been infected so that they
know it without tipping off the cyber criminals involved? Isn't
that one area where Senator Johnson was talking about,
consumers are going to be key to this. It is impossible for
people to know how to react if they do not know that they have
been infected. How are you going to let consumers know that?
Mr. Stamos. Thank you, Senator. As the gentleman from
Google said, the cyber criminals are choosing users to attack
based on criteria that are not ours and based upon servers that
are not ours. So we do not have the exact list of users or even
IP addresses for which we are attacked, nor do we have a direct
relationship with those users. So direct notification is a
difficult issue. That is why we do general notification that we
post on our blog, that we have discussion through the press of
what happened, and then we have a safety and security website
that we refer users back to that gives tips on how they can
patch their system and free anti-virus tools to check whether
or not that piece of malware was installed.
Senator Portman. Mr. Spiezle, any thoughts on that?
Mr. Spiezle. I agree, it is very hard, again, knowing where
that ad ran and who it was. There are, obviously, the anti-
virus softwares, I agree, that get data on consumers who get
notifications from them.
There has been a related effort that actually has been led
through the FCC in the CSRIC process with ISP best practices
where they detect abnormal behavior coming from an IP address
of a residential computer. So there is progress in that front,
not related to the ad-specific, but when a device appears to
have been compromised and how do you notify. The framework that
I identified today and outlined is built on that framework of
prevention, detection, notification. So there are parallel
efforts, and I raise that because this is an issue that needs
us to move out of a silo of one industry and look at what other
segments of the industry are doing to solve the problems,
similar problems.
Senator Portman. In the Subcommittee's report, it seems to
me that Senator Levin's team is saying that you guys do not
have the incentive that you would otherwise have because
consumers do not know that the malvertising came from you. How
do you respond to that? I think if you do not know to attribute
to a particular attack, a particular ad network, there might be
a disincentive to address it. There would be a much greater
incentive if they knew this came from their Yahoo! account, the
advertisement that they get on Yahoo!. What is your response to
that?
Mr. Salem. I can actually say something and clear up the
misconception. Just because you visited a site and you
potentially got an ad from Google, because of the anonymity, we
do not necessarily know who you are. So as far as, even being
able to let people know, an ad was served to you that
potentially had malware, we do not know who you are. It is all
anonymous, or pseudo-anonymous, and it is done on purpose that
way. That is one of the reasons why someone cannot target you
specifically with an ad. They can target, potentially, your
gender or your age group based on, you know, some profiling,
but that is about it. We do not necessarily know who you are.
So that is not even possible.
Senator Portman. Mr. Stamos.
Mr. Stamos. As to the motivation, obviously if this kind of
incident happens, it has an impact on our reputation; it has an
impact on the trust our users have in us, and that trust is
absolutely the bedrock of our business. And so maintaining user
trust is essential, which is why we have a security team, a
trust and safety team, an anti-malvertising team, and we are
working on this issue 24/7.
Senator Portman. But you cannot tell your customers that
they got attacked?
Mr. Stamos. We cannot tell advertising customers. As Mr.
Salem said, we do not have that information. We cannot directly
tie Bob Smith to look at this specific advertisement.
Senator Portman. If they could have that connection to a
particular ad, wouldn't that make for a more effective
enforcement regime? They would know where it came from, and you
or the ad networks would then be in a position to respond.
Mr. Stamos. I believe, Senator, that would be a significant
privacy issue that we are also talking about here for us to
track individuals looking at----
Senator Portman. Let me ask you about something that I
found really interesting in some of the material that was sent
to us in advance. It says that some cyber criminals carry out
these attacks on weekends and holidays because they figure your
guard is down. Is your guard down on weekends and holidays?
Mr. Stamos. Absolutely not, Senator. Thank you for the
question. The systems that do this are automated systems, and
you are guilty until proven innocent. So we scan immediately on
upload. We scan before an ad is seen. We scan repeatedly
afterwards. And if anything is strange, that ad gets
immediately pulled, and then our people get paged, and our
security team works 24/7, 365 days----
Senator Portman. So consumers should not be worried on
weekends or on holidays?
Mr. Stamos. No, absolutely not.
Senator Portman. OK. I am glad to hear that.
I also had a question about this TrustInAds.com group that
I think you all support. Mr. Spiezle, I do not know if your
group supports that. But maybe, Mr. Spiezle, you can tell us
what to expect from TrustInAds.com in the near future to
address this malware problem? How can consumers get
information?
Mr. Spiezle. Well, I cannot really speak to the
organization. We have reached out to them. I can only respond
to what is on their website, and it is about educating
policymakers and notifying consumers what to do when they have
been harmed. So the site speaks for itself. I look forward to
finding more information from them as well.
Senator Portman. Mr. Salem, do you think it is going to be
effective?
Mr. Salem. Yes, it actually has been effective. We recently
just released our study on the tech support vertical, and
basically one of the things we were noticing was when Google
started clamping down on this terrible scam, the scammers
started going to other sites. And what we did was we reached
out to our colleagues to make sure that we basically stopped
this from happening for everybody.
Senator Portman. Mr. Stamos.
Mr. Stamos. I totally agree. I think TrustInAds is really
focused on the deceptive advertising and the fraud, and one of
the reasons it has been put together is it is a single place
where you can report those advertisements to make all the
companies that are involved are aware so that we can go take
them down and ban those advertisers.
Senator Portman. Thank you. Thank you, Mr. Chairman.
Senator Levin. Thank you very much, Senator Portman. We
thank our participants in this panel very much for your
testimony. It has been extremely helpful, and we will now move
on to our second panel.
Senator McCain. Mr. Chairman, before you do that--it is a
little disturbing when Mr. Salem and Mr. Stamos dispute facts.
Ronald Reagan used to say that facts are stubborn things.
I am a bit disturbed by sort of it is somebody else's
problem in the testimony today, and it heightens my motivation
to both reinvigorate legislation that we had tried before, but
also try to make Google and Yahoo! understand that this is a
much bigger problem than their testimony indicates they think
it is today. And it is a bit disappointing.
Thank you, Mr. Chairman.
Senator Levin. Thank you very much.
Senator Johnson. Mr. Chairman, just two quick questions?
Senator Levin. We have three or four votes in 5 minutes.
Senator Johnson. These are actually pretty basic questions.
Senator Levin. OK.
Senator Johnson. I just want to ask Yahoo! and Google, the
technical indications scanning, how many scans are you doing?
What percentage of that, if you wanted complete coverage, what
are we talking about? Are you able to scan 1 percent, 100
percent?
Mr. Salem. We scan all ads, so it is 100 percent.
Senator Johnson. But you are doing it all, but you are
rescanning and rescanning. I mean, what would be complete
coverage versus what percent are you--do you understand? Is it
an impossible question to answer?
Mr. Salem. I think that one of the----
Senator Levin. Could you give it a try for the record?
Would that be all right?
Senator Johnson. The other thing I just want to know is how
many people in your organization are devoted to cybersecurity,
number of people, because I want to ask the government how many
they have available.
Mr. Stamos. As to the last question, we scan every single
ad, 100 percent of the ads, and we scan them multiple times,
dozens, hundreds of times based upon different risk metrics.
And as for the number of people, I would say across the
different teams we have over 100 people working on security and
trust and safety.
Senator Johnson. Thank you. Sorry about that.
Senator Levin. That is OK. Mr. Salem, did you want to give
an answer to number of people, quickly.
Mr. Salem. Sure. So Google has over 400 people working
specifically on security. We have over 1,000 when it comes down
to all of our ad policies and basically making sure that our
ads are compliant.
Senator Levin. Very good. Thank you. We again thank this
panel. You all were very helpful to us, and we appreciate it.
Again, I want to thank Senator McCain for bringing us to
this point. I happen to very much agree with his comments and
with the thrust of this report.
Let me now call our second panel. Maneesha Mithal,
Associate Director of the Division of Privacy and Identity
Protection of the Federal Trade Commission in Washington; and
Lou Mastria, Managing Director of the Digital Advertising
Alliance in New York.
We appreciate both of you being here this morning, and we look
forward to your testimony. I think you know the rules of the
Subcommittee that all who testify here need to be sworn, so we
would ask that you both please stand and raise your right hand.
Do you swear that the testimony you are about to give to this
Subcommittee will be the truth, the whole truth, and nothing
but the truth, so help you, God?
Ms. Mithal. I do.
Mr. Mastria. I do.
Senator Levin. We are going to get as far as we can into
your testimony before these votes start, and then we are going
to just have to work around the testimony and the questions, I
am afraid. Let us try to do this in 8 minutes each, if you
could, and we will put your statements in the record.
So, Ms. Mithal, please start.
STATEMENT OF MANEESHA MITHAL,\1\ ASSOCIATE DIRECTOR, DIVISION
OF PRIVACY AND IDENTITY PROTECTION, FEDERAL TRADE COMMISSION,
WASHINGTON, DC
Ms. Mithal. Thank you, Chairman Levin, Ranking Member
McCain, and Members of the Subcommittee. I am Maneesha Mithal
from the Federal Trade Commission. I appreciate the opportunity
to present the Commission's testimony on consumer protection
issues related to online advertising.
---------------------------------------------------------------------------
\1\ The prepared statement of Ms. Mithal appears in the Appendix on
page 79.
---------------------------------------------------------------------------
I also thank the Subcommittee for its report that it issued
yesterday which highlights online threats to consumers. We look
forward to working with you on these important issues.
The Commission is primarily a civil law enforcement agency,
charged with enforcing Section 5 of the FTC Act, which
prohibits unfair or deceptive practices. We are committed to
using this authority to protect consumers in the online
marketplace. For example, we have used Section 5 to take
several actions against online ad networks. We also educate
consumers and businesses about the online environment and
encourage industry self-regulation. In my oral statement, I
will discuss our enforcement and education efforts in three
areas: privacy, malware, and data security.
First, with respect to privacy, we have brought many
enforcement cases against online ad networks. For example,
Chitika is an online ad network that offered consumers the
ability to opt out of receiving targeted ads. According to our
complaint, what they did not tell consumers is that the opt-out
lasted only 10 days. We allege this was deceptive under Section
5. Our order requires Chitika to tell the truth in the future,
provide consumers with an effective opt-out, and destroy the
data they collected while their opt-out was ineffective.
As a more recent example, we obtained a record $22.5
million civil penalty against Google for allegedly making
misrepresentations to consumers using Safari browsers. Google
placed tracking cookies on consumers' computers and gave them a
choice to opt out of these cookies. Google's opt-out
instructions said that Safari users did not need to do anything
because Safari's default setting would automatically ensure
that consumers would be opted out. Despite these instructions,
in many cases we allege that Google circumvented Safari's
default settings and placed cookies on consumers' computers.
Although we generally cannot get civil penalties for violations
of Section 5, we were able to get civil penalties in this case
because we allege that Google violated a prior FTC order.
The second area I would like to highlight is malware. As
you know, malware can cause a range of problems for computer
users, from unwanted pop-up ads to slow performance to
keystroke loggers that can capture consumers' sensitive
information. This is why the Commission has brought several
Section 5 cases against entities that unfairly downloaded
malware onto consumers' computers without their knowledge. One
of these cases, against Innovation Marketing, alleged that the
malware was placed on consumers' computers through online ads.
We have also made consumer education a priority. The
Commission sponsors OnGuard Online, a website designed to
educate consumers about basic computer security. We have
created a number of articles, videos, and games that describe
the threats associated with malware and explain how to avoid
and detect it.
Finally, while going after the purveyors of malware is
important, it is also critical that ad networks and other
companies take reasonable steps to ensure that they are not
inadvertently enabling third parties to place malware on
consumers' computers. To this end, online ad networks should
maintain reasonable safeguards to ensure that they are not
showing ads containing malware.
The Commission has undertaken substantial efforts for over
a decade to promote strong data security practices in the
private sector in order to prevent hackers and purveyors of
malware from harming consumers. We have entered into 53
settlements with online and offline businesses that we charged
with failing to reasonably protect consumers' personal
information. Our data security cases include actions against
Microsoft, Twitter, and more recently Fandango and Snapchat.
In each of our cases, we have made clear that reasonable
security is a continuous process of addressing risks, that
there is no one-size-fits-all data security program, that the
Commission does not require perfect security, and the mere fact
that a breach has occurred does not mean that a company has
violated the law. These principles apply equally to ad
networks. Just because malware has been installed does not mean
that the ad network has violated Section 5. Rather, the
Commission would look to whether the ad network took reasonable
steps to prevent third parties from using online ads to deliver
malware.
In closing, the Commission shares this Subcommittee's
concerns about the use of online ads to deliver malware onto
consumers' computers, which implicates each of the areas
discussed in the Commission's testimony: consumer privacy,
malware, and data security. We encourage several additional
steps to protect consumers in this area, including more
widespread consumer education, continued industry self-
regulation, and the enactment of a strong Federal data security
and breach notification law that would give the Commission the
authority to seek civil penalties for violation.
Thank you, and I would be happy to answer any questions.
Senator Levin. Thank you very much.
Mr. Mastria.
STATEMENT OF LUIGI ``LOU'' MASTRIA,\1\ EXECUTIVE DIRECTOR,
DIGITAL ADVERTISING ALLIANCE, NEW YORK, NEW YORK
Mr. Mastria. Chairman Levin, Ranking Member McCain, and
Members of the Subcommittee, good morning, and thank you for
the opportunity to speak at this important hearing. My name is
Lou Mastria. I am Executive Director of the Digital Advertising
Alliance.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Mastria appears in the Appendix
on page 94.
---------------------------------------------------------------------------
Companies have every interest to protect the privacy of
consumers' data, and I am pleased to report to the Subcommittee
on the continued success of the DAA's Self-Regulatory Program
which provides consumers with privacy-friendly tools for
transparency and control of Web viewing data, all of this
backed by a growing code of enforceable conduct.
The DAA is a cross-industry nonprofit organization founded
by the leading advertising and marketing trade associations.
These include the Association of National Advertisers, the
American Association of Advertising Agencies, the Direct
Marketing Association, the Interactive Advertising Bureau, the
American Advertising Federation, and the Network Advertising
Initiative. These organizations came together in 2008 to
develop the Self-Regulatory Principles for Online Behavioral
Advertising, which were then extended in 2011 to cover the
collection and use of Web viewing data for purposes beyond
advertising. More recently, the DAA provided guidance for the
collection of data in and around mobile environments.
In 2012, the Obama Administration publicly praised the DAA
as a model of success for enforceable codes of conduct,
recognizing the program as ``an example of the value of
industry leadership as a critical part of privacy protection
going forward.'' More recently, Commissioner Ohlhausen of the
Federal Trade Commission was quoted as calling the DAA ``one of
the great success stories in the [privacy] space.''
The DAA administers and promotes these responsible and
comprehensive self-regulatory principles for online data
collection and use. To provide independent accountability for
the DAA, the Council of Better Business Bureaus and the Direct
Marketing Association operate collaborative accountability
mechanisms independent of the DAA.
To date, there have been more than 30 publicly announced
compliance actions through the DAA program. We believe that DAA
is a model example of how interested stakeholders can
collaborate across an ecosystem to provide meaningful and
pragmatic solutions to complex privacy issues, especially in
areas as highly dynamic and evolving as online advertising.
The Internet is a tremendous engine of economic growth, as
was mentioned earlier, supporting the employment of more than 5
million Americans and contributing more than $500 billion, or 3
percent of GDP. A major part of that includes the data-driven
marketing economy which touches every State and contributes
nearly 700,000 jobs as of 2012.
Advertising fuels this powerful economic engine. In 2013,
Internet advertising revenues reached $43 billion. Because of
advertising, consumers access a wealth of online resources at
low or no cost. Revenue from online advertising subsidizes
content and services that consumers value, such as online
newspapers, blogs, social networking sites, mobile
applications, email, and phone services. These advertising-
supported resources truly have transformed all of our daily
lives.
Interest-based advertising is essential to the online
advertising model. Interest-based advertising is delivered
based on consumers' preferences or interests inferred from data
about online activities. Research shows that advertisers pay
several times more for relevant ads, and as a result, this
generates greater revenue to support free content. Consumers
also engage more actively with relevant ads.
Interest-based ads are vital for small businesses as well.
They can stretch their marketing budget to reach likely
consumers. Third-party ad technologies allow small content
providers to sell advertising space to large advertisers,
thereby increasing their revenue.
Preserving an advertising ecosystem that meets the needs of
both small and large businesses and at the same time provides
consumers ways to address their privacy expectations is a
reason why so many companies have publicly committed to the DAA
principles. The DAA provides consumers choice with respect to
collection and use of their Web viewing data, preserving the
ability of companies to responsibly deliver services and
continue to innovate.
Among other things, the DAA principles call for enhanced
notice outside of the privacy policy so that consumers can be
made aware of the companies with which they interact while on
the net; provision of a choice mechanism giving consumers
choice, not companies; education; and strong enforcement
mechanisms.
Together these principles increase consumers' trust and
confidence in how information is gathered online and how it is
used to deliver advertisements based on their interests.
The DAA's Multi-Site Principles, which are one of our three
codes of conduct, set forth clear prohibitions against certain
practices, including the use of Web viewing data for
eligibility purposes, such as employment, credit, health care
treatment, and insurance.
The DAA has developed a universal icon to give consumers
transparency and control with respect to intra-space data. The
icon provides consumers with notice that information about
their online interests is being gathered to customize the Web
ads they see. Clicking on the icon takes consumers to a
centralized choice tool that enables consumers to opt out of
this advertising by participating companies. The icon is
currently served more than a trillion times each month globally
on or next to ads, websites, digital properties, and tools
covered by the program. This achievement represents an
unprecedented level of industry cooperation and adoption.
Currently, on the desktop version of the DAA Choice
Program, more than 115 third-party platforms participate. The
choice mechanism offers consumers a one-click option to opt out
of interest-based advertising from all participating platforms.
Consumers are directed to the DAA choice page not only from
the DAA icon in and around ads, but also from other forms of
website disclosures. Over 3 million unique visitors have
exercised choice via our choice page.
We are also committed to consumer education. The DAA
launched an educational website at YourAdChoices.com to provide
easy-to-understand messaging and informative videos explaining
the choices available to consumers, the meaning of the icon,
and the benefits derived from online advertising. More than 15
million unique users have visited this site, and to prepare for
the introduction of a DAA mobile choice app for mobile
environments, which we will release later this year, we have
also recently released guidance on how the icons should appear
in mobile environments to ensure a consistent user experience
in that environment as well.
A key feature of the DAA's Self-Regulatory Program is
independent accountability. All of the DAA's self-regulatory
principles are backed by robust enforcements administered by
the Council of Better Business Bureaus and the Direct Marketing
Association. Thirty-three public compliance actions have been
announced in the past 2 1/2 years and have included both DAA
participants and non-participants alike. We have an obligation
to report noncompliance when it happens and cannot be remedied.
The DAA has championed consumer control that both
accommodates consumers' privacy preferences and supports the
ability of companies to responsibly deliver services desired by
consumers. We appreciate the opportunity to be here today. We
believe that we have a successful model and can continue to
evolve in this area of privacy.
Thank you very much.
Senator Levin. Thank you very much, Mr. Mastria.
Senator McCain.
Senator McCain. I thank the witnesses. I just have a couple
of questions because obviously we have an important vote going
on.
Ms. Mithal, you saw the previous chart? \1\
---------------------------------------------------------------------------
\1\ See Exhibit No. 1, which appears in the Appendix on page 162.
---------------------------------------------------------------------------
Ms. Mithal. Yes.
Senator McCain. Do you believe that that is an accurate
depiction of malvertising?
Ms. Mithal. I do, and frankly, no matter what the number
is, I believe that it is a problem. It is a serious problem,
and we are committed to using all of our tools at our disposal
to----
Senator McCain. Why do you think that the Google and Yahoo!
guys would say that it is not accurate?
Ms. Mithal. I do not know, Senator.
Senator McCain. But in your view, this is certainly----
Ms. Mithal. Well, we have not done our own independent
research, but I have no reason to doubt the statistics. And,
regardless, even if it happens to one person, it is a
significant problem for consumers.
Senator McCain. The only other question I have, or comment,
it seems to me that consumers are being harmed, whether it be a
``sliver,'' as the other witnesses testified, or whether it is
more widespread and on the increase. Would you agree that it is
on the increase?
Ms. Mithal. I do not know, but according to the slide, it
looks like it is.
Senator McCain. OK. The person, the consumer that is
harmed, has no place to go for help or compensation, it
appears. Do you agree with that?
Ms. Mithal. I do.
Senator McCain. And so what do we do?
Ms. Mithal. So I think this is a very serious problem, and
it is going to require a multi-pronged solution. I think that,
off the top of my head, I would say three things:
First, increase consumer education, things like updating
browsers, patching software, having anti-virus, anti-malware
software on their computers.
Second, more robust industry self-regulation. I was
heartened to see the Trust-in-Ads announcement last month, and
I think that needs to continue.
And third is enforcement, both against the purveyors of
malware and against any third parties that are letting these
purveyors of malware get through.
Senator McCain. Well, it seems to me there should be
standards of enforcement, standards of behavior, standards of
scanning, standards to do everything they can to prevent the
consumer being harmed. And then if they do not employ those
practices, they should be held responsible. Does that make
sense?
Ms. Mithal. It does, Senator. Currently, we have the
authority to take action against unfair practices, so the
standard is that if a practice causes consumer injury that is
not outweighed by the benefits of competition and not
reasonably avoidable by consumers, that can be considered a
Section 5 violation. And we have brought over 50 cases against
companies that have failed to maintain reasonable protections
to protect consumers' information. And so that is a tool that
we can use, and if Congress chose to give us further tools, we
would use them.
Senator McCain. Are you familiar with the legislation that
Senator Kerry and I introduced back in 2011?
Ms. Mithal. I am familiar with it, and I appreciate your
leadership.
Senator McCain. Would you do me a favor and look at that
again, and if you believe that we need additional legislative
tools for you, to look at it, review it, and give us
recommendations as to how you think it could be best shaped to
protect the consumer and address this issue? And do you believe
that it would be helpful if you did have legislation?
Ms. Mithal. Absolutely, and in particular in the data
security area, currently we do not have fining authority. So we
have advocated for data security legislation that would give us
the authority to seek civil penalties against companies that do
not maintain reasonable data security practices.
Senator McCain. All right. I would appreciate it if you
would review what we had proposed. It obviously has to be
updated, and I will do everything in my power to see if I can
get Senator Levin to get engaged as well. He is pretty
important in some areas--not others, but some. [Laughter.]
Senator McCain. Thank you.
Senator Levin. I am not a tough sell in this area, I want
you to know.
Ms. Mithal. Thank you.
Senator Levin. And I am glad that you made reference to the
question about whether we need additional strong Federal
policy. Your written testimony says that ``the Commission
continues to reiterate its longstanding, bipartisan call for
enactment of a strong Federal data security and breach
notification law.'' And is that still the position of the
Commission?
Ms. Mithal. Absolutely.
Senator Levin. Mr. Mastria, do you want to comment? Have
you taken a look at the possible--the legislation, for
instance, that Senator McCain made reference to?
Mr. Mastria. I am generally familiar with it, but as a
self-regulatory body, we do not weigh in on legislation. We
leave that to our founding trade associations to do that.
Senator Levin. All right. Are you done? I am going to try
to finish. If not, I will be right back.
Mr. Mastria, the association requires its members to
publish the names of parties that do data collection on or for
their website and to link to their privacy disclosures. Is that
correct? Do you require that of your members?
Mr. Mastria. We do require notice and transparency.
Senator Levin. No. Do you require your members to publish
the names of the parties that do data collection on their
website, publish on their website.
Mr. Mastria. No. We do require disclosure via a website.
Senator Levin. A website.
Mr. Mastria. Yes, that is right.
Senator Levin. OK. Do they identify on that website which
of the parties are not members of your association?
Mr. Mastria. So if you go to our choice tool, all of those
folks participate with the DAA either directly or indirectly,
and so all 115 or 117 that are on there certainly are
affiliated with us.
Senator Levin. But not necessarily members.
Mr. Mastria. We are not a membership organization.
Companies have to certify that they abide by our standards.
Senator Levin. Everybody on that website that is listed is
affiliated.
Mr. Mastria. Yes.
Senator Levin. OK. There is a provision in there, as I
understand it, you have a website called ``AboutAds.info,'' and
consumers can visit the page. Again, with a few clicks, they
can see a list of every participating company that is tracking
their browser. Is that correct?
Mr. Mastria. It is a list of all participants that are
affiliated with the DAA as you characterized that do work to be
intermediaries in the advertising space, yes.
Senator Levin. All right. And they can opt out of receiving
advertisements. Is that correct?
Mr. Mastria. There is an opt-out button down at the bottom
there that effectively opts out of everybody.
Senator Levin. OK. Now, the opting out, as I understand it,
prevents consumers from receiving targeted ads based on
existing cookies. Is that correct?
Mr. Mastria. It is based on cookie technology, yes.
Senator Levin. No, but does it prevent consumers from
receiving targeted ads?
Mr. Mastria. Yes.
Senator Levin. Now, when you opt out with one of the
participating companies, the companies still, however, is it
not correct, have the ability to collect future data about you
as you travel the Internet?
Mr. Mastria. So the collection----
Senator Levin. Is that a yes?
Mr. Mastria. So in some cases, yes. But there are
prohibitions against the collection of certain data for
interest-based advertising.
Senator Levin. Well, that is generally true, is it not?
Mr. Mastria. Yes.
Senator Levin. I am not talking about that. In terms of
what is allowed for collection for interest-based advertising,
they can continue to collect future information. Is that
correct?
Mr. Mastria. Yes. I can only speak to what our program
covers.
Senator Levin. Your program does not prohibit the
collection of future information. Is that correct?
Mr. Mastria. It does prohibit the collection of future
information for interest-based advertising but not necessarily
if there is something else going on.
Senator Levin. In other words, if you opt out, those
companies can no longer collect information for interest-based
advertising for you?
Mr. Mastria. That is right.
Senator Levin. All right. Now, do they have to delete the
data that they have already collected on you?
Mr. Mastria. Based on the opt-out--the retention policy
that we have is tied to--they are allowed to keep it as long as
there is a business need, and then that----
Senator Levin. That means they are allowed to keep it.
Mr. Mastria. Until there is no longer a business need.
Senator Levin. Obviously.
Mr. Mastria. Yes.
Senator Levin. But they are not required to eliminate the
data they have already collected----
Mr. Mastria. That is right.
Senator Levin. Is that correct?
Mr. Mastria. But they cannot use it for interest-based ads.
Senator Levin. Now, as I understand it, if a consumer
clears out all the cookies on his browser, then because this is
a cookie-based opt-out, unless an interest-based advertiser
technology sees that cookie on the person's computer, they can
then send an interest-based ad. Am I stating it correctly?
Mr. Mastria. Yes. So the clearing of cookies is an issue,
and in 2012 we actually enabled a suite of browser plug-ins
which actually solved that issue. It effectively----
Senator Levin. So then if you eliminate all your cookies,
nonetheless the opt-out will still function.
Mr. Mastria. That is right.
Senator Levin. All right. So the consumer does not have to
continually worry about opting out. Once they have opted out,
that will continue to be effective.
Mr. Mastria. Using the browser plug-ins effectively creates
a hardened cookie the way we sort of jargonly talk about it.
Yes.
Senator Levin. That is helpful. Thank you.
Have you considered an opt-in approach instead of an opt-
out approach?
Mr. Mastria. So, Senator, there are certain categories of
data for which our codes actually do require opt-in.
Senator Levin. How about the interest-based ads?
Mr. Mastria. So, generally speaking, if you think about
interest-based ads, they work on--as described earlier, there
may be an audience that is more interested in outdoor furniture
versus----
Senator Levin. No, I understand that.
Mr. Mastria [continuing]. Indoor furniture.
Senator Levin. Have you considered an opt-in approach for
interest-based ads?
Mr. Mastria. No. The opt-out model seems to work,
especially when you are putting consumers in control. The opt-
in----
Senator Levin. How about asking consumers, ``Would you
prefer an opt-in or opt-out model?''
Mr. Mastria. We do not ask those questions. What we do is
we do ask consumers whether they----
Senator Levin. Your members, your associates ask a whole
lot of questions.
Mr. Mastria. I am sorry. Who?
Senator Levin. The people associated with your association,
people who you say are not members, they are associated with
you. They ask a lot of questions.
Mr. Mastria. I am not familiar with those, but I can tell
you that----
Senator Levin. Is there any reason why you cannot ask
consumers whether or not they prefer an opt-in or an opt-out
approach to interest-based ads, or why your members could not
do that?
Mr. Mastria. Well, I think that the reality is that what we
give consumers is an ability to opt-out for data that is
generally anonymous. For other categories of data, take, for
instance, health or financial, there are opt-in procedures----
Senator Levin. I am not talking about that other kind of
data. I am talking about the kind of data that there is only an
opt-out provision for. Is there any reason for why that kind of
data could not be subject to a choice, we either want to opt in
or opt out? Why couldn't consumers be given that choice? That
is my question.
Mr. Mastria. Well, it is based on a choice, so----
Senator Levin. The choice is opt out of everything or opt
out of individual approaches to you. I am saying, Why not give
the consumer an opportunity to either opt in or what they
currently have, which is to opt out period or opt out
specifically?
Mr. Mastria. Consumers can, as you noted earlier, decide to
clear their cookies and reset all the opt-outs, but that is not
the program that we run.
Senator Levin. I know that. I guess you are not going to
answer my question.
Mr. Mastria. I apologize, Senator, but as I said earlier----
Senator Levin. You do not think the question is clear?
Mr. Mastria. No, no, no. We do not take a position on
policy. We simply run the program as it is effectuated.
Senator Levin. Don't you have a code?
Mr. Mastria. Yes, we have actually three.
Senator Levin. Then why not part of the code, make it part
of the code to give consumers that option?
Mr. Mastria. We do.
Senator Levin. No. The option I have just described.
Mr. Mastria. That is not part of the code. The code is
based on----
Senator Levin. Why not change the code to give people that
option, give people more choices? Everyone says we want to give
consumers choices. I am just adding an important choice.
Mr. Mastria. I think----
Senator Levin. So you are not bombarded, you are not put in
the position you got to go and try to understand what the
privacy policy is of 150 different companies, none of which
privacy policies are even comprehensible, they are so
technical. We are not going to put you in that position. You
can opt out on everything. We are giving you that option. You
can opt out individually on those advertising companies if you
can figure out their advertising policy. Why not give them a
third option, an opt-in option to opt in on the type of special
interest advertising that you might be interested in? Why not
give them that option?
Mr. Mastria. So, Senator, the reality is that we do not
force people to go look at privacy policies.
Senator Levin. OK.
Mr. Mastria. One of the key benefits of the DAA program----
Senator Levin. Why not urge your members to give people
that option in their policy? That is all I am saying.
Mr. Mastria. That is not part of the DAA program.
Senator Levin. OK. Thank you.
Ms. Mithal, would you for the record give us any
suggestions relative to the additional authority which you
would like? In addition to commenting on the legislation that
Senator McCain made reference to, would you give us any
recommendation--we are soliciting recommendations from you as
to any legislation that you would recommend to promote greater
privacy, greater choice in terms of the Internet and
advertising on the Internet? Would you do that?
Ms. Mithal. Sure, Senator. So I would say that, first and
foremost, a Federal----
Senator Levin. No, I do not mean right now. I mean for the
record.
Ms. Mithal. Oh, sure. Yes.
Senator Levin. Because I have to go vote. I think I have
probably missed the first vote already. Thank you both.
Ms. Mithal. Thank you.
Mr. Mastria. Thank you, Senator.
Senator Levin. It has been a very useful hearing, and we
really appreciate it. Thanks for coming.
We will stand adjourned.
[Whereupon, at 11:41 a.m., the Subcommittee was adjourned.]
A P P E N D I X
----------