[Senate Hearing 113-407]
[From the U.S. Government Publishing Office]







                                                        S. Hrg. 113-407

                 ONLINE ADVERTISING AND HIDDEN HAZARDS
                 TO CONSUMER SECURITY AND DATA PRIVACY

=======================================================================

                                HEARING

                               before the

                PERMANENT SUBCOMMITTEE ON INVESTIGATIONS

                                 of the

                              COMMITTEE ON
               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                    ONE HUNDRED THIRTEENTH CONGRESS


                             SECOND SESSION

                               __________

                              MAY 15, 2014

                               __________

         Available via the World Wide Web: http://www.fdsys.gov

                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs








                         U.S. GOVERNMENT PRINTING OFFICE 

89-686 PDF                     WASHINGTON : 2014 
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Printing 
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800 
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
                          Washington, DC 20402-0001



        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                  THOMAS R. CARPER, Delaware Chairman
CARL LEVIN, Michigan                 TOM COBURN, Oklahoma
MARK L. PRYOR, Arkansas              JOHN McCAIN, Arizona
MARY L. LANDRIEU, Louisiana          RON JOHNSON, Wisconsin
CLAIRE McCASKILL, Missouri           ROB PORTMAN, Ohio
JON TESTER, Montana                  RAND PAUL, Kentucky
MARK BEGICH, Alaska                  MICHAEL B. ENZI, Wyoming
TAMMY BALDWIN, Wisconsin             KELLY AYOTTE, New Hampshire
HEIDI HEITKAMP, North Dakota

                   Richard J. Kessler, Staff Director
               Keith B. Ashdown, Minority Staff Director
                     Laura W. Kilbride, Chief Clerk
                   Lauren M. Corcoran, Hearing Clerk


                PERMANENT SUBCOMMITTEE ON INVESTIGATIONS

                     CARL LEVIN, Michigan Chairman
MARK L. PRYOR, Arkansas              JOHN McCAIN, Arizona
MARY L. LANDRIEU, Louisiana          RON JOHNSON, Wisconsin
CLAIRE McCASKILL, Missouri           ROB PORTMAN, Ohio
JON TESTER, Montana                  RAND PAUL, Kentucky
TAMMY BALDWIN, Wisconsin             KELLY AYOTTE, New Hampshire
HEIDI HEITKAMP, North Dakota

            Elise J. Bean, Staff Director and Chief Counsel
                      Daniel J. Goshorn,  Counsel
       Henry J. Kerner, Minority Staff Director and Chief Counsel
                 Jack Thorlin, Counsel to the Minority
             Brad M. Patout, Senior Advisor to the Minority
           Scott Wittmann, Research Assistant to the Minority
                     Mary D. Robertson, Chief Clerk

                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Levin................................................     1
    Senator McCain...............................................     1
    Senator Johnson..............................................    22
    Senator McCaskill............................................    26
    Senator Portman..............................................    30
Prepared statements:
    Senator Levin................................................    47
    Senator McCain...............................................    49

                               WITNESSES
                         Thursday, May 15, 2014

Alex Stamos, Vice President of Information Security, and Chief 
  Information Security Officer, Yahoo! Inc., Sunnyvale, 
  California.....................................................     7
George F. Salem, Senior Product Manager, Google Inc., Mountain 
  View, California...............................................    10
Craig D. Spiezle, Executive Director, Founder, and President, 
  Online Trust Alliance, Washington, DC..........................    12
Maneesha Mithal, Associate Director, Division of Privacy and 
  Identity Protection, Federal Trade Commission, Washington, DC..    35
Luigi ``Lou'' Mastria, Executive Director, Digital Advertising 
  Alliance, New York, New York...................................    37

                     Alphabetical List of Witnesses

Mastria, Luigi ``Lou'':
    Testimony....................................................    37
    Prepared statement...........................................    94
Mithal, Maneesha:
    Testimony....................................................    35
    Prepared statement...........................................    79
Salem, George F.:
    Testimony....................................................    10
    Prepared statement...........................................    59
Spiezle, Craig D.:
    Testimony....................................................    12
    Prepared statement with attachments..........................    67
Stamos, Alex:
    Testimony....................................................     7
    Prepared statement...........................................    55

                                APPENDIX

Report by the Permanent Subcommittee entitled ``Online 
  Advertising and Hidden Hazards to Consumer Security and Data 
  Privacy.''.....................................................   106

                              EXHIBIT LIST

 1. Increase Display Malvertising, chart prepared by RiskIQ......   162
 2. Proliferation & Impact, chart prepared by Online Trust 
   Alliance.......................................................   163
 3. Third-Party Website Calls on TDBank.com, chart prepared by 
   the Permanent Subcommittee on Investigations' Minority Staff, 
   Source: TDBank.com, Disconnect Private Browsing................   164
 4. Third-Party Website Calls on TMZ.com, chart prepared by the 
   Permanent Subcommittee on Investigations' Minority Staff, 
   Source: TMZ.com, Disconnect Private Browsing...................   165
 5. Comparison of Third-Party Website Calls, chart prepared by 
   the Permanent Subcommittee on Investigations' Minority Staff, 
   Source: TDBank.com, TMZ.com, Disconnect Private Browsing.......   166
 6. Good Money Gone Bad, Digital Thieves and the Hijacking of 
   the Online Ad Business, A Report on the Profitability of Ad-
   Support Content Theft, February 2014, report prepared by the 
   Digital Citizens Alliance......................................   167
 7.  a. Responses of Maneesha Mithal, Federal Trade Commission, 
   to supplemental questions for the record from Senator Carl 
   Levin..........................................................   196
     b. Responses of Maneesha Mithal, Federal Trade Commission, 
   to supplemental questions for the record from Senator John 
   McCain.........................................................   198
     c. Responses of Maneesha Mithal, Federal Trade Commission, 
   to supplemental questions for the record from Senator Ron 
   Johnson........................................................   201
     d. Responses of Maneesha Mithal, Federal Trade Commission, 
   to supplemental questions for the record from Senator Kelly 
   Ayotte.........................................................   202
 8. Responses of George Salem, Google, Inc., to supplemental 
   questions for the record from Senator Ron Johnson..............   207
 9. Responses of Alex Stamos, Yahoo! Inc., to supplemental 
   questions for the record from Senator Ron Johnson..............   208
10. Responses of Craig Spiezle, Online Trust Alliance, to 
   supplemental questions for the record from Senator Ron Johnson.   210

 
                     ONLINE ADVERTISING AND HIDDEN
                      HAZARDS TO CONSUMER SECURITY
                            AND DATA PRIVACY

                              ----------                              


                         THURSDAY, MAY 15, 2014

                                   U.S. Senate,    
              Permanent Subcommittee on Investigations,    
                    of the Committee on Homeland Security  
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 9:32 a.m., in 
room SD-342, Dirksen Senate Office Building, Hon. Carl Levin, 
Chairman of the Subcommittee, presiding.
    Present: Senators Levin, McCaskill, McCain, Johnson, and 
Portman.
    Staff present: Daniel J. Goshorn, Counsel; Mary D. 
Robertson, Chief Clerk; Henry J. Kerner, Staff Director and 
Chief Counsel to the Minority; Jack Thorlin, Counsel to the 
Minority; Brad M. Patout, Senior Advisor to the Minority; Scott 
Wittmann, Research Assistant to the Minority; Samira Ahmed, Law 
Clerk; Rebecca Pskowski, Law Clerk; Kyle Brosnan, Law Clerk to 
the Minority; Nick Choate (Sen. McCaskill); Brooke Erickson and 
Mike Howell (Sen. Johnson); and Derek Lyons (Sen. Portman).

               OPENING STATEMENT OF SENATOR LEVIN

    Senator Levin. Good morning, everybody. For almost a year, 
the Permanent Subcommittee on Investigations has been 
investigating hidden hazards to consumers' data privacy and 
security that result from online advertising. Our Subcommittee 
operates in a very bipartisan way, and our practices and our 
rules provide that the Ranking Minority Member may initiate an 
inquiry, and our tradition is for both sides of the aisle to 
work on investigations together, and our staffs work very 
closely together.
    This investigation was initiated and led by Senator McCain, 
so I would like to call on him to give his opening statement 
first, after which I will add a few additional remarks. But 
first I would like to commend Senator McCain for his leadership 
and his staff for their very hard work in addressing the facts 
and issues that are the subject of today's hearing. Senator 
McCain.

              OPENING STATEMENT OF SENATOR McCAIN

    Senator McCain. Thank you, Mr. Chairman. I appreciate you 
and your staff's cooperation in conducting this important 
bipartisan investigation, which has been the hallmark of our 
relationship together for many years. I believe that consumer 
privacy and safety in the online advertising industry is a 
serious issue and warrants this Subcommittee's examination.
    With the emergence of the Internet and e-commerce, more and 
more commonplace activities are taking place on the Internet, 
which has led to major advances in convenience, consumer 
choice, and economic growth. These advances have also presented 
novel questions concerning whether consumer security and 
privacy can be maintained in the new technology-based world. We 
will examine these issues today specifically in the context of 
online advertising, where vast data is collected and cyber 
criminals exploit vulnerabilities in the system and use malware 
to harm consumers.
    As we discuss this complex subject, it is important to keep 
in mind the following simple idea that I think everyone will 
agree on: Consumers who venture into the online world should 
not have to know more than cyber criminals about technology and 
the Internet in order to stay safe. Instead, sophisticated 
online advertising companies like Google and Yahoo!, whose 
representatives are here with us today, have a responsibility 
to help protect consumers from the potentially harmful effects 
of the advertisements they deliver. Deciding who should bear 
responsibility when an advertisement harms a consumer can be a 
technical and difficult question. But it cannot continue to be 
the case that the consumer alone pays the price when he visits 
a mainstream website, does not even click on anything, but 
still has his computer infected with malware delivered through 
an advertisement.
    At the same time, online advertising has become an 
instrumental part of how companies reach consumers. In 2013, 
online advertising revenue reached a record high of $42.8 
billion, surpassing for the first time revenue from broadcast 
television advertising, which was almost $3 billion less. With 
the continuing boom in mobile devices, online advertising will 
become even more lucrative in years to come.
    With this hearing, we will outline the hazards consumers 
face through online advertisements, how cyber criminals have 
defeated the security efforts of the online advertising 
industry, and what improvements could be made to ensure that 
consumers are protected online and the Internet remains a safe, 
flourishing engine for economic growth.
    Make no mistake. The hazards to consumers from malware in 
online advertising are something even a tech-savvy consumer 
cannot avoid. It is not a matter of simply avoiding shady 
websites or not clicking on advertisements that look 
suspicious. For example, in February of this year, an engineer 
at a security firm discovered that advertisements on YouTube 
served by Google's ad network delivered malware to visitors' 
computers. In that case, the user did not need to click on any 
ads; just going to YouTube and watching a video was enough to 
infect the user's computer with a virus. That virus was 
designed to break into consumers' online bank accounts and 
transfer funds to cyber criminals. A similar attack on Yahoo! 
in December 2013 also did not require a user to click an 
advertisement to have his computer compromised.
    A consumer whose bank account was compromised by the 
YouTube ad attack has little recourse under the law as it 
currently stands. Of course, if an affected consumer managed to 
track down the cyber criminal who placed the virus, he--or 
relevant law enforcement agencies--could take legal action 
against that wrongdoer. But cyber criminals today are normally 
part of sophisticated professional criminal enterprises, often 
overseas. Tracking them down is exceedingly difficult--even for 
professional security specialists. A consumer has essentially 
no chance whatsoever of recovering funds from cyber criminals.
    How can it be that cyber criminals can sneak malware into 
advertisements under the noses of the most technologically 
advanced companies in the world? Cyber criminals employ clever 
tricks to evade the current security procedures used by the 
online advertising industry. One of these key security 
procedures is scanning, essentially having a tester visit a 
website to see if a virus downloads to the test computer. Just 
as normal online advertisers can target their advertisements to 
run only in specific locations, cyber criminals can also target 
by location to avoid scanning. For example, if a cyber criminal 
knows that the facilities responsible for scanning ads are 
clustered around certain cities, they can target the malicious 
advertisement to run in other areas so that the scanners will 
not see it.
    Cyber criminals have used even simpler techniques to bypass 
security. When law enforcement raided the hideout of a Russian 
cyber criminal network, they found calendars marked extensively 
with U.S. Federal holidays and 3-day weekends. These cyber 
criminals were not planning Fourth of July picnics, of course; 
they were planning to initiate malware attacks at times when 
the security staffing at the ad networks and websites would be 
at their lowest ebb. Just this past holiday season, on Friday, 
December 27, 2013--2 days after Christmas and 4 days before New 
Year's Eve--cyber criminals hacked into Yahoo!'s ad network and 
began delivering malware-infected advertisements to consumers' 
computers. The malware seized control of the user's computer 
and used it to generate ``bitcoins,'' a digital currency that 
requires a large amount of computer power to create. 
Independent security firms estimate that around 27,000 
computers were infected through this one malware-laden 
advertisement.
    The result of these cyber criminal tactics has been 
countless attacks against consumers online. One major 
vulnerability in online advertising is that the advertisements 
themselves are not under the direct control of online 
advertising companies like Yahoo! and Google. These companies 
choose not to directly control the advertisements themselves 
because sending out all of those image or video files would be 
more expensive. Instead, online advertising companies have the 
advertiser himself deliver the ad directly to the consumer. 
While it is cheaper for the companies in the online advertising 
industry to operate in this way, it can lead to greater hazards 
for consumers. Malicious advertisers can use their control over 
advertisements to switch out legitimate ads and put in malware 
instead. The tech companies who run the online advertising 
industry frequently do not know when such a switch occurs until 
after the ad is served. Because those companies do not control 
the advertisement, their quality control processes are 
frequently purely reactive, often finding problems after they 
arise instead of before.
    As the online advertising industry grows more and more 
complicated, a single online advertisement for an individual 
consumer routinely goes through five or six companies before 
ultimately reaching the consumer's computer. That fact makes it 
easier for the various companies in the chain to disclaim 
responsibility when things go awry.
    One instance where that issue was apparent was the attack 
on Major League Baseball's website in June 2012. In that case, 
the malicious ad appeared to be for luxury watches and was 
displayed as a banner at the top of the MLB Web page. The ad 
was shown to 300,000 consumers before being taken down. In the 
aftermath of that attack, it was still unclear what entity was 
responsible for delivery of the malware. One security analyst 
noted at the time that ``the lack of transparency and multiple 
indirect relationships'' in online advertising made assigning 
responsibility for the attack virtually impossible.
    One way to get an idea of how complicated the online 
advertising world and online data collection can be is to take 
a look at what happens when a consumer actually visits a 
website where advertisements are served by third-party ad 
companies.
    When a user visits a website, that website instantaneously 
contacts an online advertising company to provide an 
advertisement. That ad company in turn contacts other Internet 
companies who help collect and analyze data on the user for 
purposes of targeting advertisements to him. Each company can, 
in turn, contact other companies that profit from identifying 
users and analyzing those users' online activities. Ultimately, 
hundreds of third parties can be contacted resulting from a 
consumer visiting just a single website.
    Using special software called ``Disconnect,'' the 
Subcommittee was able to detect how many third-party sites were 
contacted when a user visits particular websites. These 
contacts are represented in a chart. In this first example--we 
will go to a video. \1\ We see what happens when a user visits 
the website of an ordinary business that does not depend 
heavily on advertising revenues. In this case, our example is 
TDBank, a company whose website provides online banking 
services for its existing customers and, more importantly, is 
not intended to generate income from people visiting the site. 
For that reason, it does not need to derive a large amount of 
revenue from online traffic and advertisements.
---------------------------------------------------------------------------
    \1\ See Exhibit No. 3, which appears in the Appendix on page 164.
---------------------------------------------------------------------------
    You can see there--it is very difficult to see, but what 
it--a few third parties were contacted. By contrast, when a 
consumer visits a website that depends much more heavily on 
revenue from advertising--based on the number of people who 
visit their website--the number of third parties can be 
enormously higher. For example, this video shows what happens 
when a consumer visits TMZ.com, a celebrity gossip website. \2\
---------------------------------------------------------------------------
    \2\ See Exhibit No. 4, which appears in the Appendix on page 165.
---------------------------------------------------------------------------
    And just to make that point even more clear, here are 
TDBank and TMZ side by side. \3\
---------------------------------------------------------------------------
    \3\ See Exhibit No. 5, which appears in the Appendix on page 166.
---------------------------------------------------------------------------
    Finally, another problem in the current online advertising 
industry is the lack of meaningful standards for security. The 
two primary regulators of online advertising are the Federal 
Trade Commission and self-regulatory groups like the Digital 
Advertising Alliance and Network Advertising Initiative. The 
self-regulatory groups have not been active in generating 
effective guidance or clear standards for online advertising 
security.
    On the government side, the FTC has brought a number of 
enforcement actions against companies involved in online 
advertising for ``deceptive'' practices pursuant to their 
authority under Section 5 of the FTC Act. These cases all 
involve some specific misrepresentation made by a company 
rather than a failure to adhere to any general standards.
    I will just summarize by saying that on the question of 
consumer privacy, there are some guidelines on how much data 
can be generated on Internet users and how that data can be 
used, but these approaches--including verbose privacy notices, 
``do not track'' efforts, and ``notice and choice'' 
procedures--have only been partially effective.
    A new approach to preventing abuses of consumer data and 
privacy may be necessary. A few years ago, Senator Kerry and I 
introduced ``The Commercial Privacy Bill of Rights.'' While 
updates will be necessary, it provides a framework for how to 
think about these issues moving forward--one that includes 
basic rights and expectations consumers should have when it 
comes to the collection, use, and dissemination of their 
personal, private information online, and specifically in 
prohibited practices; a clarified role for the FTC in 
enforcement; and a safe harbor for those companies that choose 
to take effective steps to further consumer security and 
privacy. That legislation also envisions a role for industry, 
self-regulators, and stakeholders to engage with the FTC to 
come up with best practices and effective solutions.
    Consumers deserve to be equipped with the information 
necessary to understand the risks and to make informed 
decisions in connection with their online activities. Today one 
thing is clear. As things currently stand, the consumer is the 
one party involved in online advertising who is simultaneously 
both least capable of taking effective security precautions and 
forced to bear the vast majority of the cost when security 
fails. For the future, such a model is not tenable. There can 
be no doubt that online advertising has played an indispensable 
role in making innovation profitable on the Internet. But the 
value that online advertising adds to the Internet should not 
come at the expense of the consumer.
    I want to thank the Chairman for working with me on this 
important hearing and the witnesses for appearing before the 
Subcommittee. I thank you, Mr. Chairman.
    Senator Levin. Thank you so much, Senator McCain.
    Today's hearing is about the third parties that operate 
behind the scenes as consumers use the Internet. In particular, 
the Subcommittee's report outlines the enormous complexity of 
the online advertising ecosystem. Simply displaying ads that 
consumers see as they browse the Internet can trigger 
interactions with a chain of other companies, and each link in 
that chain is a potential weak point that can be used to invade 
privacy or host malware that can inflict damage. And we have 
seen a very dramatic example of this risk in the visuals that 
Senator McCain presented to us, as well as in the example 
outlined in the report. \1\ Those weak links can be exploited 
although consumers have done nothing other than visit a 
mainstream website.
---------------------------------------------------------------------------
    \1\ See Exhibit Nos. 3-5, which appear in the Appendix on pages 
164-166.
---------------------------------------------------------------------------
    The Subcommittee's report and Senator McCain's opening 
statement also highlight the hundreds of third parties that may 
have access to a consumer's browser information with every Web 
page that they visit. According to a recent White House report, 
more than 500 million photos are uploaded by consumers to the 
Internet each day, along with more than 200 hours of video 
every minute. However, the volume of information that people 
create about themselves pales in comparison to the amount of 
digital information continually created about them. According 
to some estimates, nearly a zettabyte, or 1 trillion gigabytes, 
are transferred on the Internet annually. That is a billion 
trillion bytes of data.
    Against that backdrop, today's hearing will explore what we 
should be doing to protect people against the emerging threats 
to their security and their privacy as consumers. The report 
finds that the industry's self-regulatory efforts are not doing 
enough to protect consumer privacy and safety. Furthermore, we 
need to give the Federal Trade Commission the tools that it 
needs to protect consumers who are using the Internet.
    Finally, as consumers use the Internet, profiles are being 
created based on what they read, what movies they watch, what 
music they listen to, on and on and on. Consumers need more 
effective choices as to what information generated by their 
activities on the Internet is shared and sold to others.
    I want to thank all of today's witnesses for their 
cooperation with the investigation. And I do not know, Senator 
Johnson, do you have an opening statement?
    Senator Johnson. No. Thank you.
    Senator Levin. I will now call our first panel of witnesses 
for this morning's hearing: Alex Stamos, Chief Information 
Security Officer of Yahoo! Inc., Sunnyvale, California; George 
Salem, the Senior Product Manager of Google Inc., Mountain 
View, California; and Craig Spiezle, the Executive Director, 
Founder, and President of Online Trust Alliance, Washington, 
DC. We appreciate all of you being with us this morning, and we 
look forward to your testimony.
    Pursuant to our Rule 6, all witnesses who testify before 
this Subcommittee are required to be sworn, so I would ask each 
of you to please stand and raise your right hand. Do you swear 
that the testimony that you will give to this Subcommittee will 
be the truth, the whole truth, and nothing but the truth, so 
help you, God?
    Mr. Stamos. I do.
    Mr. Salem. I do.
    Mr. Spiezle. I do.
    Senator Levin. We will be using a timing system. About a 
minute before the red light comes on, you are going to see 
lights change from green to yellow, giving you an opportunity 
to conclude your remarks. Your written testimony will be 
printed in the record in its entirety. We would appreciate your 
limiting your oral testimony to no more than 10 minutes. And, 
Mr. Stamos, we will have you go first, followed by Mr. Salem, 
and then Mr. Spiezle. And then after we have heard all of the 
testimony, we will turn to questions.
    Mr. Stamos, please proceed. Again, our thanks.

  STATEMENT OF ALEX STAMOS,\1\ VICE PRESIDENT OF INFORMATION 
 SECURITY AND CHIEF INFORMATION SECURITY OFFICER, YAHOO! INC., 
                     SUNNYVALE, CALIFORNIA

    Mr. Stamos. Good morning.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Stamos appears in the Appendix on 
page 55.
---------------------------------------------------------------------------
    Senator Levin. Good morning.
    Mr. Stamos. Chairman Levin, Ranking Member McCain, and 
distinguished Members of the Subcommittee, thank you for 
convening this hearing and for inviting me to testify today 
about security issues relating to online advertising. I 
appreciate the opportunity to share my thoughts and to discuss 
the user-first approach to security we take at Yahoo!. I 
respectfully request that my full written testimony be 
submitted for the record, Mr. Chairman.
    Senator Levin. It will be.
    Mr. Stamos. Thank you, sir.
    My name is Alex Stamos. I am Yahoo!'s Vice President of 
Information Security and Chief Information Security Officer. I 
joined Yahoo! in March. Prior to that I served as Chief 
Technology Officer of Artemis Internet, and I was a co-founder 
of iSEC Partners. I have spent my career building and improving 
secure, trustworthy systems, and I am very proud to be working 
on security at Yahoo!.
    Yahoo! is a global technology company that provides 
personalized products and services, including search, 
advertising, content, and communications, in more than 45 
languages in 60 countries. As a pioneer of the World Wide Web, 
we enjoy some of the longest lasting customer relationships on 
the Web. It is because we never take these relationships for 
granted that 800 million users each month trust Yahoo! to 
provide them with Internet services across mobile and the Web.
    There are a few key areas I would like to emphasize today.
    First, our users matter to us. Building and maintaining 
user trust through secure products is a critical focus, and by 
default, all of our products need to be secure for all of our 
users around the globe.
    Second, achieving security online is not an end state. It 
is a constantly evolving challenge that we tackle head on.
    Third, malware is an important issue that is a top priority 
for Yahoo!. While preventing the distribution of malware 
through advertising is one part of the equation, it is 
important to address the entire malware ecosystem and to fight 
it at each phase of its lifecycle.
    Fourth, Yahoo! fights for user security on many fronts. We 
partner with other companies to detect and prevent the spread 
of malware via advertising and pioneered the SafeFrame standard 
to assure user privacy in ad serving. We have led the industry 
in combating spam and phishing. We continuously improve our 
product security with the help of the wider research and 
security communities. And we are the largest media publisher to 
enable encryption for our users across the world.
    I would like to thank the Subcommittee for your focus on 
malware and the threat it poses to consumers. Internet 
advertising security and the fight against malware is a top 
priority for Yahoo!. We have built a highly sophisticated ad 
quality pipeline to weed out advertising that does not meet our 
content, privacy, or security standards.
    This January, we became aware of malware distributed on 
Yahoo! sites. We immediately took action to remove the malware, 
investigated how malicious creative copy bypassed our controls, 
and fixed the vulnerabilities we found. The malware impacted 
users on Microsoft Windows with out-of-date versions of Oracle 
Java, a browser plug-in with a history of security issues, and 
was mostly targeted at European IP addresses. Users on Macs, 
mobile devices, and users with up-to-date versions of Java were 
not affected.
    As I mentioned earlier, the malware ecosystem is expansive 
and complex. A large part of the malware problem is all the 
vulnerabilities that allow an attacker to take control of user 
devices through popular Web browsers such as Internet Explorer, 
plug-ins like Java, office software, and operating systems. 
Malware is also spread by tricking users into installing 
software they believe to be harmless but is, in fact, 
malicious.
    We successfully block the vast majority of malicious and 
deceptive advertisements with which bad actors attack our 
network, and we always strive to defeat those who would 
compromise our customers' security. This means we regularly 
improve our systems, including continuously diversifying the 
set of technologies and testing systems to better emulate 
different user behaviors. Every ad running on Yahoo!'s sites 
and on our ad network is inspected using this system, both when 
they are created and regularly afterwards.
    Yahoo! also strives to keep deceptive advertisements from 
ever reaching users. For example, our systems prohibit 
advertisements that look like operating system messages because 
these ads often tout false offers or try to trick users into 
downloading and installing malicious or unnecessary software. 
Preventing deceptive advertising once required extensive human 
intervention, which meant slower response times and 
inconsistent enforcement. Although no system is perfect, we now 
use sophisticated machine learning and image recognition 
algorithms to catch deceptive advertisements. This lets us 
train our systems about the characteristics of deceptive 
creatives, advertisers, and landing sites so that we can detect 
and respond to them immediately.
    We are also the driving force behind the SafeFrame 
standard. The SafeFrame mechanism allows ads to properly 
display on a Web page without exposing a user's private 
information to the advertiser or network. Thanks to growing 
adoption, SafeFrame enhances user privacy and security not only 
in the thriving marketplace of thousands of publishers on 
Yahoo! but around the Internet.
    We also actively work with other companies to create a 
higher level of trust, transparency, quality, and safety in 
interactive advertising. We are members of the Interactive 
Advertising Bureau's Ads Integrity Task Force, and we have 
proudly joined TrustInAds.org.
    We also participate in groups dedicated to preventing the 
spread of malware and disrupting the economic lifecycle of 
cyber criminals, including the Global Forum for Incident 
Response and Security Teams, the Anti-Phishing Working Group, 
the Underground Economy Forum, the Operations Security Trust 
Forum, and the Bay Area Council CSO Forum.
    While preventing the placement of malicious advertisements 
is essential, it is only one part of a larger battle. We fight 
the monetization phase of the malware life cycle by improving 
ways to validate the authenticity of email and by reducing the 
financial incentives to spread malware. Spam is one of the most 
effective ways malicious actors make money, and Yahoo! is 
leading the fight to eradicate that source of income. For 
example, one way spammers act is through ``email spoofing.'' 
The original Internet mail standards did not require that a 
sender use an accurate ``From:'' line in an email. Spammers 
exploit this to send billions of messages a day that pretend to 
be from a friend, family member, or business associate. These 
emails are much more likely to bypass spam filters, as they 
appear to be from trusted correspondents.
    Spoofed e-mails can also be used to trick users into giving 
up user names and passwords, a technique that is generally 
known as ``phishing.'' Here is how Yahoo! is helping the 
Internet industry tackle these issues.
    Yahoo! was the original author of DomainKeys Identified 
Mail, or DKIM, a mechanism that lets mail recipients 
cryptographically verify the real origin of email. Yahoo! 
freely contributed the intellectual property behind DKIM to the 
world, and now the standard protects billions of emails between 
thousands of domains.
    Building upon the success of DKIM, Yahoo! led a coalition 
of Internet companies, financial institutions, and anti-spam 
groups in creating the Domain-based Message Authentication, 
Reporting, and Conformance, or DMARC, standard. DMARC provides 
domains a way to tell the rest of the Internet what security 
mechanisms to expect on email they receive and what actions the 
sender would like to be taken on spoofed messages.
    This April, Yahoo! became the first major email provider to 
publish a strict DMARC reject policy. In essence, we asked the 
rest of the Internet to drop messages that inaccurately claim 
to be from yahoo.com users. Since Yahoo! made this change, 
another major provider has also enabled DMARC to reject. We 
hope that every major email provider will follow our lead and 
implement this commonsense protection against spoofed email.
    DMARC has reduced the spam purported to come from yahoo.com 
accounts by over 90 percent. If used broadly, it would target 
spammers' financial incentives with crippling effectiveness.
    Yahoo! also incentivizes sharing to ensure our products are 
trustworthy and our users' data is secure. To this end, Yahoo! 
operates one of the most progressive bug bounty programs on the 
Internet. Our bug bounty program encourages security 
researchers to report possible flaws in our systems to us via a 
secure Web portal.
    In this portal we engage researchers and discuss their 
findings. If their bug turns out to be real, we swiftly fix it 
and we reward the reporter with up to $15,000. In an age where 
security bugs are often auctioned off and then used 
maliciously, we believe it is critical that we and other 
companies create an ecosystem where both burgeoning and 
established security experts are rewarded for reporting, and 
not exploiting, vulnerabilities.
    Yahoo! invests heavily to ensure the security of our users 
and their data across all of our products. In January, we made 
encrypted browsing the default for Yahoo! Mail. And as of 
March, domestic and international traffic moving between 
Yahoo!'s data centers has been fully encrypted. Our ongoing 
goal is to enable a secure encrypted experience for all of our 
users, no matter what device they use or from what country they 
use Yahoo!.
    In conclusion, I want to restate that security online is 
not and never will be an end state. It is a constantly 
evolving, global challenge that our industry is tackling head 
on. Threats that stem from the ad pipeline, or elsewhere, are 
not unique to any one online company or ad network. And while 
criminals pose real threats, we are strongly dedicated to 
staying ahead of them.
    Yahoo! fights for user security on multiple fronts. We 
partner with multiple companies to detect and prevent the 
spread of malware via advertising. We pioneered the SafeFrame 
standard to assure user privacy in ad serving. We have led the 
industry in combating spam and phishing. We continuously improve 
our product security with the help of the wider research and 
security communities. And, finally, we are the largest media 
publisher to enable encryption for our users across the world.
    Yahoo! will continue to innovate in how we protect our 
users. We will continue to fight cyber criminals who target us 
and our users. And we will continue to view user trust and 
security as our top priorities.
    Thank you very much for the opportunity to testify. I look 
forward to answering any questions you may have. Thank you, 
sir.
    Senator Levin. Thank you very much, Mr. Stamos.
    Mr. Salem.

STATEMENT OF GEORGE F. SALEM,\1\ SENIOR PRODUCT MANAGER, GOOGLE 
                INC., MOUNTAIN VIEW, CALIFORNIA

    Mr. Salem. Chairman Levin, Ranking Member McCain, and 
Members of the Subcommittee, thank you for the opportunity to 
testify on Google's efforts to combat malware on the Web. My 
name is George Salem, and I am a senior product manager. I lead 
the engineering team that fights the delivery of malware 
through advertising, a practice known as ``malvertising.''
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Salem appears in the Appendix on 
page 59.
---------------------------------------------------------------------------
    Ensuring our users' safety and security is one of Google's 
main priorities. We have a team of over 400 full-time security 
experts working around the clock to keep our users safe. One of 
the biggest threats consumers face on the Web is malicious 
software, known as ``malware,'' that can control computers or 
software programs. Malware allows malicious actors to make 
money off of innocent victims in various ways. It may even lead 
to identity theft, which has now topped the list of consumer 
complaints reported to the FTC for 14 years in a row.
    Advertising has had a tremendous role in the evolution of 
the Web, bringing more products, tools, and information to 
consumers, often free of charge. It has allowed the Web economy 
to flourish. In the last quarter, Internet ad revenues surged 
to a landmark $20.1 billion, and the ad-supported Internet 
ecosystem employs a total of 5.1 million Americans.
    Even though only a tiny portion of ads carry malware, 
malvertising undermines users' faith in this ecosystem. Bad ads 
are bad for everyone, including Google and our users. Our 
incentive is to keep our online performance safe for everyone, 
or customers will not continue to use our products. This is why 
we believe in providing the strongest protections against 
harmful or malicious content online.
    Our approach to fighting malware is two-pronged: prevent 
and disable. The first piece is prevention. One of the best 
ways to protect users from malware is by preventing them from 
accessing infected sites altogether. This is why we developed a 
tool called ``safe browsing.'' It checks any page a user visits 
against a list of known bad sites. Malicious sites are then 
clearly identified as dangerous in Google Search results. We 
were the first major search engine to provide such a warning 
for search results back in 2006. Today over a billion people 
use safe browsing.
    Safe browsing is also the default for users on Google 
Chrome, Mozilla Firefox, and Apple Safari browsers, which helps 
to protect tens of millions of users. When a user attempts to 
navigate to one of these malicious sites, they get a clear 
warning advising them to click away.
    We are constantly looking at ways to further disseminate 
safe browsing technology, including by providing public 
interface for anyone to plug in and review identified malware. 
We also provide alerts to Web masters who may not be aware that 
malicious software is hosted on the Web properties.
    A second piece of our effort is disabling bad ads. We have 
always prohibited malware in our ads, and we have a strict 
suspension policy for advertisers that spread malware. We 
proactively scan billions of ads each day across platforms and 
browsers, disabling any we find that have malware.
    Our Internet systems have proven to have a very big track 
record. In 2013, we disabled more than 350 million ads. 
Again, this is only a tiny portion of all advertisements in our 
platforms, but our systems are constantly evolving to keep up 
with those bad actors.
    While we may be proactive, we are relatively quiet about 
our technology. Malvertisers are constantly seeking new ways to 
avoid our detection and enforcement systems, and we want to 
stay ahead of them and not tip them off to our efforts.
    We are not the only ones involved in these efforts. These 
efforts are a team endeavor. We collaborate closely with others 
in the Internet community.
    Ten years ago, we issued a set of Software Principles, a 
broad, evolving set of guidelines available online around 
software installation, disclosure to users, and advertiser 
behavior. We are a member of StopBadware.org, a nonprofit that 
offers resources for website owners, security experts, and 
ordinary users. We own and support free websites like 
VirusTotal.com and Anti-Malvertising.com to share best 
practices and investigative resources and to provide checks for 
malicious content on this topic.
    We are in constant communication with other industry 
players, notifying each of us about new malware attacks and new 
trends. Just this month, we, along with Facebook, Twitter, AOL, 
and Yahoo!, co-founded TrustInAds.org, a group that offers 
guidance to consumers on how to avoid online scams.
    Another huge piece is consumer education. A great first 
place to visit are websites like Google's Online Safety Center 
or Anti-Malvertising.org to learn more.
    Of course, users should always use up-to-date anti-virus 
software, make sure their operating system and browsers are 
also up to date, and be careful about downloads. If they 
suspect their computer may be infected, they should use a 
reputable product to rid it of malware.
    We can always use more help in generating awareness among 
consumers. Malware is a complex problem, but we are tackling it 
head-on with tools, consumer education, and community 
partnerships. We believe if we all work together to identify 
threats and stamp them out, we can make the Web a safer place.
    Thank you again for your time and consideration.
    Senator Levin. Thank you very much, Mr. Salem.
    Mr. Spiezle.

STATEMENT OF CRAIG D. SPIEZLE,\1\ EXECUTIVE DIRECTOR, FOUNDER, 
      AND PRESIDENT, ONLINE TRUST ALLIANCE, WASHINGTON, DC

    Mr. Spiezle. Good morning, Chairman Levin, Ranking Member 
McCain, and Members of the Committee. Good morning and thank 
you for the opportunity to testify before you today. My name is 
Craig Spiezle. I am the Executive Director and President of the 
Online Trust Alliance. OTA is a 501(c)(3) nonprofit with the 
mission to enhance online trust, empowering users to control 
their data and privacy, while promoting innovation and the 
vitality of the Internet.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Spiezle with attachments appear 
in the Appendix on page 67.
---------------------------------------------------------------------------
    I am testifying here today to provide context to the 
escalating privacy and security threats to consumers which 
result from malicious and fraudulent advertising known as 
``malvertising.''
    As outlined in Exhibit A,\2\ malvertising incidents 
increased over 200 percent in this last year to 209,000 
incidents which generated over 12.4 billion malicious ad 
impressions. The impact on consumers is significant.
---------------------------------------------------------------------------
    \2\ See Exhibit A or Exhibit No. 1, which appears in the Appendix 
on pages 75 and 162.
---------------------------------------------------------------------------
    As referenced, Yahoo! experienced an incident resulting in 
over 300,000 malicious impressions, of which 9 percent or 
27,000 unsuspecting users were compromised. For them, the 
infection rate was 100 percent.
    As noted, this is not an isolated case. Cyber criminals 
have successfully inserted malicious ads on a range of sites 
including Google, Microsoft, Facebook, the Wall Street Journal, 
New York Times, Major League Baseball, and others. The threats 
are significant. As referenced, the majority and an increasing 
number are ``drive-by downloads,'' which have increased 190 
percent this past year. A drive-by incident is one in which a 
user who simply visits a website, with no interactions or clicking 
required, is infected.
    This threat is not new. Malvertising was first identified 
over 7 years ago, yet little progress has been made to attack 
this threat.
    The impact ranges from capturing personal information to 
turning a device into a bot where a cyber criminal can take 
over a device and use it in many cases to execute a distributed 
denial-of-service attack, known as a ``DDOS,'' against a bank, 
government agency, or other organization.
    Just as damaging is the deployment of ransomware which 
encrypts a user's hard drive, demanding payment to be unlocked. 
Users' personal data, photos, and health records can be 
destroyed and stolen in just seconds.
    In the absence of secure online advertising, the integrity 
of the entire Internet is at risk. Not unlike pollution in the 
industrial age, in the absence of regulatory oversight and 
meaningful self-regulation, these threats continue to grow.
    For reference, the development of coal mining and the use 
of steam power generated from coal is without doubt the most 
central, binding narrative of the 19th Century. Jobs were 
created and profit soared, but the environment soon felt the 
full impact of industrialization in the form of air and water 
pollution. Today we are at a similar crossroads, which is 
undermining the integrity and trust of the Internet.
    So how does malvertising occur? Actually if you would go to 
Exhibit B,\1\ thank you. The most common tactic to run a 
malicious ad is the cyber criminal going directly to an ad 
network, selecting a target audience, and paying for an ad 
campaign. In the absence of any reputational checks or threat 
reporting among the industry, once detected and shut down by 
one ad network, the cyber criminal simply ``water falls'' or 
goes over to another unsuspecting network to repeat the exploit 
over and over.
---------------------------------------------------------------------------
    \1\ See Exhibit B, which appears in the Appendix on page 76.
---------------------------------------------------------------------------
    Now on the left there, you see the different tactics of how 
the malvertising is inserted, and, again, I think it is 
important to note here in this diagram that consumers are 
clearly bearing the brunt of it, but also quality, brands, and 
websites, their image is being tarnished as well.
    The impacts of these threats are increasing significantly. 
Criminals are becoming experts in targeting and timing, taking 
advantage of the powerful tools and data available to Internet 
advertisers. They have become what is known as ``data-driven 
marketers'' with precision to reach vulnerable segments of 
society as well as high-net-worth target audiences. They have 
been able to choose the day and time of the exploits as well as 
the type of device they choose to exploit.
    In the absence of any meaningful policy and traffic quality 
controls, organized crime has recognized malvertising as the 
``exploit of choice'' offering the ability to remain anonymous 
and remain undetected for days.
    Recognizing the threats, in 2007, DoubleClick, which was 
later acquired by Google, established a mailing list which 
today remains one of the primary methods of data sharing. In 
2010, OTA established what is now the Advertising and Content 
Integrity Group, focusing on security and fraud prevention best 
practices. This group of diverse stakeholders leverages a 
proven model of threat mitigation and has since published 
several white papers including a risk evaluation framework and 
remediation guidelines.
    These efforts are a small but first step to combat 
malvertising, reflecting input from leaders including Google, 
Microsoft, PayPal, Symantec, Twitter, and others.
    As you heard before, last June, StopBadware, a nonprofit 
funded by Google and others, launched a parallel effort known 
as the ``Ads Integrity Alliance.'' This past January, this 
initiative disbanded due to its members' ``desire to refocus 
their resources on aggressively defending industry practices to 
policymakers and regulatory bodies.''
    In the wake of this group's demise, recently TrustInAds was 
formed last week. According to the site, its ``focus is public 
policy and raising consumer awareness of the threats and how to 
report them.''
    It is important to note that, unfortunately, no amount of 
consumer education can help when a user visits a trusted 
website that is infected with malvertising. Consumers cannot 
discern good versus malicious ads or how their device was 
compromised. Focusing on education after the fact is like the 
auto industry telling accident victims who to call after an 
accident from a previously known manufacturing defect, instead 
of building security features in the cars they sell and profit 
from.
    Other industry efforts have been focused on click fraud, 
which are fraudulent activities that attempt to generate 
revenue by manipulating ad impressions. Click fraud is focused 
on the monetization and operational issues facing the industry. 
While these efforts are important, please do not be confused: 
Click fraud is not related to malvertising or any impact that 
is harmful to consumers.
    So what is needed? OTA proposes a holistic framework 
addressing five important areas: prevention, detection, 
notification, data sharing, and remediation. Such a framework 
must be the foundation for an enforceable code of conduct or 
possible legislation.
    In parallel, operational and technical solutions must be 
explored. I envision a day when publishers would only allow ads 
from networks that vouch for the authenticity of the ads they 
serve, and Web browsers would only render such ads that have 
been signed and verified from trusted sources. It is recognized 
that such a model would require systemic changes; yet it would 
increase accountability, and it would protect the long-term 
vitality of online advertising and, most importantly, 
consumers.
    In summary, as a wired society and economy, we are 
increasingly dependent on trustworthy, secure, and resilient 
online services. As observed in almost every area of our 
Nation's critical infrastructure, we need to recognize that 
fraudulent businesses, cyber criminals, and State-sponsored 
actors will continue to exploit our systems.
    For some, malvertising remains a ``Black Swan Event,'' 
rarely seen but known to exist. For others it still remains as 
the elephant in the room that no one wants to acknowledge or 
report on. Today companies have no obligation or incentive to 
disclose their role or knowledge of such an event, leaving 
consumers vulnerable and unprotected for potentially months or 
years, during which time untold amounts of damage can occur. 
Failure to address these threats suggests the need for 
legislation not unlike State data breach laws, requiring 
mandatory notification, data sharing, and remediation to those 
consumers that have been harmed.
    As learned from the Target breach, it is the responsibility 
of a company and its executives to implement safeguards and to 
heed the warnings of the community. I suggest that the same 
standards should apply for the ad industry. We must work 
together, openly disclose and mediate such vulnerabilities, 
even at the expense of short-term profits.
    It is important to recognize that there is no absolute 
defense against a determined cyber criminal. In parallel, OTA 
proposes incentives to companies who have demonstrated that 
they have adopted such best practices and comply with codes of 
conduct. They should be afforded protection from regulatory 
oversight as well as frivolous lawsuits. Perceived antitrust 
and privacy issues, which continue to be raised as the reason 
for not sharing data, must be resolved to aid in the real-time 
fraud detection and forensics that is required.
    Trust is the foundation of every communication we receive, 
every website we visit, every transaction we make, and every ad 
we respond to. Now is the time for collaboration, moving from 
protective silos of information to multi-stakeholder solutions 
combating cyber crime.
    Thank you, and I look forward to your questions.
    Senator Levin. Thank you very much, Mr. Spiezle.
    Senator McCain.
    Senator McCain. Thank you, Mr. Chairman. I thank the 
witnesses.
    If you put that chart back up about the increase in 
malvertising,\1\ would the witnesses agree that the problem is 
getting worse rather than better? Would you agree, Mr. Salem?
---------------------------------------------------------------------------
    \1\ See Exhibit No. 1, which appears in the Appendix on page 162.
---------------------------------------------------------------------------
    Mr. Salem. I do not agree that the problem is getting 
better. One thing that----
    Senator McCain. Is it getting worse?
    Mr. Salem. I am sorry. It is not--I do not believe that it 
is getting worse.
    Senator McCain. You do not believe that chart then?
    Mr. Salem. I have not seen that chart. I saw that from the 
report. Our indication where we actually----
    Senator McCain. So you are saying that chart is not 
accurate?
    Mr. Salem. That is not the chart--that is not the 
information that I have, sir.
    Senator McCain. I see. Maybe you can provide the 
Subcommittee with the information that you have, Mr. Stamos?
    Mr. Stamos. Sir, our data has been pretty much steady on 
the kinds of attempts that we have seen coming inbound.
    Senator McCain. Would you agree that probably the worst 
attacks come from overseas, specifically Russia?
    Mr. Stamos. We see attacks from all around. It is usually 
very difficult to have accurate--to accurately figure out----
    Senator McCain. Oh, so you have no accurate data as to 
where it comes from. That is good.
    Mr. Stamos. We have accurate data as to where the IP 
address----
    Senator McCain. Well, then, where does it come from?
    Mr. Stamos. We see these kinds of attempts from all around 
the world. You are right, we do see a lot from Eastern Europe 
and the former Russian Republics.
    Senator McCain. Well, thank you for that.
    How about you, Mr. Salem?
    Mr. Salem. Yes, we also see a lot of the malware itself 
will come from servers that are also in Russia and also----
    Senator McCain. So this is really an international issue as 
well as a domestic issue, I would argue.
    Suppose that some individual is the victim of malware, Mr. 
Stamos, does Yahoo! have any responsibility for that?
    Mr. Stamos. We absolutely take responsibility for our 
users' safety, which is why we do all the work we do to 
protect----
    Senator McCain. So if someone loses their bank account, you 
reimburse them?
    Mr. Stamos. Senator, I have always believed that the person 
who is responsible for committing the crime is the criminal who 
does it, and it is our responsibility to----
    Senator McCain. Even though it is using you as a vehicle to 
commit that crime?
    Mr. Stamos. Senator, we work very hard to fight these 
criminals, and----
    Senator McCain. Is that person liable--are you liable for 
reimbursement for loss of that individual who used--that your 
services were responsible--were the vehicle for that?
    Mr. Stamos. Senator, we believe that the criminals are 
liable for their actions.
    Senator McCain. I see. And you being the vehicle for it, 
you have no liability, sort of like the automobile that has a 
problem with it, the maker of the automobile is not responsible 
because they are just the person who sold it. Is that right?
    Mr. Stamos. No, Senator. I do not think that is a correct 
analogy.
    Senator McCain. I see.
    Mr. Stamos. We work very vigorously to protect our users. 
Every single user is important to us. If a criminal commits a 
crime, we do everything we can to investigate, figure out how 
they were able to do that, and then to defeat them the next 
time.
    Senator McCain. And you have no liability whatsoever?
    Mr. Stamos. Senator, that is a legal question. I am not a 
lawyer. I am here to talk about the security side.
    Senator McCain. I am asking common sense. I am not asking 
for----
    Mr. Stamos. I think we have a responsibility to our users, 
and we take that responsibility extremely seriously.
    Senator McCain. Thank you.
    Mr. Spiezle, you have the five recommendations that you 
make in your testimony. In prevention, you say, ``Stakeholders 
who fail to adopt reasonable best practices and controls should 
bear the liability and publishers should reject their ads.''
    Are stakeholders adopting reasonable best practices and 
controls in your view?
    Mr. Spiezle. Today that information does not suggest they 
are doing that. One of the challenges is the reluctance to 
share information among each other, and it is very isolated 
right now. Again, recognizing that there is no perfect 
security, in the absence of taking reasonable steps to protect 
the infrastructure and consumers from harm, they should be 
responsible.
    Senator McCain. How many Americans do you think know that 
this problem exists?
    Mr. Spiezle. This information has been kept very quiet. It 
has been suppressed over years. The executives of some of the 
trade organizations have actually denied it even exists 
publicly. So that is a major challenge.
    Senator McCain. We just saw an example of that, disputing 
the malvertising facts. Where did you get those facts, by the 
way, since they do not share your view?
    Mr. Spiezle. Well, actually, we are very fortunate. There 
are many players in the industry that see this as a major 
issue. In fact, just this past week, we had about a dozen 
companies that are actually in the ecosystem come to us asking 
for legislation, saying they recognize that, in the absence of 
this, their businesses are being marginalized and they need 
help.
    Our data comes from multiple sources. It comes from the 
threat intelligence community. It comes from some of the ad 
networks themselves who are willing to share this information 
anonymously. They do not want to be public because of the 
pressure from the industries and the trade organizations. And 
we try to normalize it.
    I would suggest that this data probably underreports it by 
at least 100 percent. We do not know and, again, the lack of 
willingness to share data is impeding the problem today.
    Senator McCain. Mr. Stamos and Mr. Salem, do you both have 
the same best practices standard between your two 
organizations?
    Mr. Stamos. Senator, I believe we use about the same types 
of technologies and tests.
    Senator McCain. Do you have the same best standards 
practices?
    Mr. Stamos. I believe so, yes.
    Senator McCain. You would not know?
    Mr. Stamos. We work actually very closely with our ad 
partners to trade notes, and we share a lot of the same 
technologies.
    Mr. Salem. And I would have to also add that we actually do 
communicate. We actually do discuss different issues that come 
up, different malvertising trends.
    Senator McCain. Do you need liability protection to work 
more closely together?
    Mr. Salem. We work very closely together. I do not see 
any----
    Senator McCain. Then why don't you have the same best 
practices standards?
    Mr. Salem. We are different organizations, we are different 
corporations. We basically----
    Senator McCain. But you are facing the same problem, Mr. 
Salem.
    Mr. Salem. Yes, and we communicate about the threats.
    Senator McCain. I am glad you communicate. I am asking if 
you will adopt the same best practices standards.
    Mr. Stamos. Senator, I believe we already do adopt the same 
practices, but we have diverse implementations. An important 
part of security is to have a diversity of different ways to 
combat a single threat.
    Mr. Spiezle. Senator, if I might add, the OTA has convened 
several multi-stakeholder workshops offering Chatham House 
Rules to facilitate the data sharing. And, unfortunately, the 
response has been--it is being addressed internally. And so, 
again, we have asked Google multiple times, we have asked 
Yahoo!, we have asked the other companies to come to the table. 
And, again, the answer has been, ``It is not a problem. It is 
not one that we really see we need to address.''
    I will go a step further. The chairman and president of 
IAB, Interactive Advertising Bureau, in September 2010 publicly 
stood up and said malvertising is not a problem, it only exists 
because security vendors want it to be a problem.
    Senator McCain. Well, then, I guess we get back to the--Mr. 
Stamos, do you agree that it is a problem?
    Mr. Stamos. I absolutely agree that this is a problem, but 
we need to keep in context--when you look at a graph like that, 
we need to put it next to the overall malware problem, which is 
honestly the numbers are much, much larger, and there are three 
parts to that. There are the authors who create malware, which 
is about creating safe software. There is distribution of which 
advertising is the part that we are responsible for, but it is 
honestly a tiny sliver of the distribution problem of malware. 
And then there is the financial side. And from our perspective, 
we focus a lot on preventing ourselves from being part of the 
distribution problem, but then we also fight the entire life 
cycle, because in the end there is going to be no perfect 
protection each of those places. What we need to do is decrease 
the financial incentives for the criminals to attempt to do 
this in the first place.
    Senator McCain. And how do you do that?
    Mr. Stamos. On the software side, the companies that make 
that software try to make it harder for malware to be created. 
On the distribution side, we build our analysis systems to make 
it harder and harder for them to----
    Senator McCain. Well, I will look forward to your data on 
the malvertising since clearly that indicates you have got a 
lot of work to do. And even though it may be a ``tiny sliver,'' 
I am not sure that is of some comfort to someone who has their 
bank account wiped out. Maybe to you, but it is not to them.
    Mr. Stamos. Excuse me, Senator, but every single user is 
important to us.
    Senator McCain. Well, obviously you are downgrading the 
importance of this issue when you say it is only a tiny sliver. 
If there are two hundred and some thousand, if I read that 
right \1\--what is it, Mr. Spiezle?
---------------------------------------------------------------------------
    \1\ See Exhibit No. 1, which appears in the Appendix on page 162.
---------------------------------------------------------------------------
    Mr. Spiezle. That is correct, 209,000 identified unique 
incidents that occurred, that were documented.
    Senator McCain. I would say that sliver is a pretty big 
sliver, Mr. Stamos.
    I thank you, Mr. Chairman.
    Senator Levin. Thank you very much, Senator McCain.
    Let me ask you, Mr. Stamos, we have testimony here from Mr. 
Spiezle on behalf of the Online Trust Alliance that says that, 
``Ideally we will have solutions where publishers would only 
allow ads from networks who vouch for the authenticity of 
all of the ads they serve, and Web browsers will render only 
such ads that have been signed and verified from trusted 
sources. It is recognized that such a model would require 
systemic changes; yet they would increase accountability, 
protecting the long-term vitality of online advertising and 
most importantly the consumers.''
    Would you support those kind of systemic changes, Mr. 
Stamos?
    Mr. Stamos. Thank you, Senator. So as to the authenticity 
issue for ad networks, I can only speak to how Yahoo! does 
this----
    Senator Levin. No, not how they do it, but would you 
support what Mr. Spiezle is recommending?
    Mr. Stamos. So we definitely support the cryptography side. 
Currently, technology does not exist to sign an ad all the way 
through, but through our efforts to move to HTTPS encryption, 
we have moved a great deal of the ad networks in the world to 
supporting encryption, which is really what is supported in 
browsers right now.
    Senator Levin. Is there any reason why we cannot require 
that ads first, before they are put on, be verified that they 
come from trusted sources? Is there any reason you cannot do 
that?
    Mr. Stamos. Well, I think right now, Senator, the browser 
technology does not exist.
    Senator Levin. Does it exist, Mr. Spiezle?
    Mr. Spiezle. The browser technology does not exist. I think 
we are talking about a combination of operational best 
practices and technical. It is a very complex ecosystem, as 
Senator McCain stated in his opening comments, with multiple 
intermediaries. This is a desired state. Again, if we cannot 
vouch for who the advertiser is, we should not accept the ads in 
the first place, and that is the first part, and that is in the 
preventative side. But that is operational.
    Senator Levin. Can that be done now?
    Mr. Spiezle. I believe it can be done now.
    Senator Levin. Is it done now?
    Mr. Stamos. Yes, we have agreements with the ad networks we 
work with to have them pass information through, and if we find 
that they are problematic, then we get rid of those networks 
from our----
    Senator Levin. Do they verify before they put on the ad 
that it comes from a----
    Mr. Stamos. Senator, I am not sure exactly what each ad 
network does.
    Senator Levin. Mr. Salem, do you do that?
    Mr. Salem. Our ad networks are verified, but they basically 
can have advertisers that they have direct relationships with, 
and we do not know what those relationships are.
    Senator Levin. But do the people that you do have 
relationships with verify the credibility of their advertisers?
    Mr. Salem. They have a vetting process themselves. I am not 
exactly sure. I will say, however, that much of the 
malvertising that we have seen has come from companies or 
criminals that basically pretend to be legitimate companies. So 
even if you said that, we are going to vet them. We have seen 
problems like with Sears.com, with Crosspen.com, they actually 
may introduce ads with companies that actually appear, create--
they appear to be real. Their vetting process appears to be 
perfect. Yet, again, these criminals have come and made 
specific companies that look real and----
    Senator Levin. OK. So let me ask Mr. Spiezle a question. 
What can be done now practically that is not yet being done by 
companies like Google and Yahoo!?
    Mr. Spiezle. Well, I should note, to help address this very 
specific threat, we held full-day workshops, and in October, we 
published what we call our ``risk evaluation framework,'' which 
I have here and it is referenced in my written testimony. It 
provides a checklist on the onboarding of verifying the 
reputation. So this was an example of an operational step. We 
received a lot of----
    Senator Levin. Has that step been taken by Google and 
Yahoo!, for instance?
    Mr. Spiezle. Again, we make them available to anyone----
    Senator Levin. Do you know whether they have been taken?
    Mr. Spiezle. I do not know.
    Senator Levin. Have they been taken, those specific steps?
    Mr. Salem. I do not know.
    Senator Levin. Do you know, Mr. Stamos?
    Mr. Stamos. I am not sure what exact steps he is talking 
about.
    Senator Levin. OK. Well, if you had gone to that meeting, 
you would have known. How come you did not go to that meeting?
    Mr. Stamos. We are part of a lot of groups that are working 
on this problem.
    Senator Levin. Well, let me change to a different part of 
the testimony here then. ``Companies today have little 
incentive,'' Mr. Spiezle's testimony, ``to disclose their role 
or knowledge of a security event, leaving consumers vulnerable 
and unprotected for potentially months or years, during which 
time untold amounts of damage can occur.'' And then the 
suggestion is that there be legislation adopted similar to 
State data breach laws that require mandatory notification, 
data sharing, and remediation to those who have been harmed.
    Do you support a mandatory notification requirement, Mr. 
Stamos?
    Mr. Stamos. Mr. Chairman, this is a more complicated issue 
than breach notification. In the situation you are talking 
about, malvertising, there is often not a direct relationship 
with the user, and so there would be no information to know how 
to notify them.
    Also, in a situation where malvertising is caught early 
before it has an impact, we have to be careful----
    Senator Levin. Let me get Mr. Spiezle's response to that.
    Mr. Stamos. OK.
    Mr. Spiezle. So in the context of notification, I agree, it 
is more--notification to regulatory authorities of an incident 
occurring, and then obviously depending upon that, in most 
State data breach----
    Senator Levin. Let us talk about regulatory authorities. Is 
there any reason why you should not be required to notify 
regulatory authorities?
    Mr. Stamos. Mr. Chairman, every day we stop malvertising. 
So I think it really comes down to the details of whether you 
talk about an incident. We are talking about two or three 
incidents today over a multi-year period when every--as Google 
pointed out, we are talking about finding 10,000 sites a day. 
They are finding 10,000 sites a day with malware on it.
    Senator Levin. You are talking about where there are 
breaches or attempted breaches?
    Mr. Stamos. The 10,000 a day I believe he was talking about 
are sites that are set up that host malware, and so----
    Senator Levin. How many breaches a day?
    Mr. Stamos. Mr. Chairman, it is really important for us to 
use the right terminology here. When you say ``breach''----
    Senator Levin. So let me ask Mr. Spiezle, please use the 
right terminology.
    Mr. Spiezle. So I think the breach is not perhaps the 
context that I was thinking about. It is more of a confirmed 
malvertising incident where a network or a site has actually 
observed and documented malicious ads going through their site 
and properties and infrastructure. That is what we are 
referring to.
    Senator Levin. OK. There you want mandatory notification to 
the regulator.
    Mr. Spiezle. And in the absence of that, quite frankly, 
that is why there is no good data, and that makes it that much 
harder to go back and find out who is the actual perpetrator.
    Senator Levin. OK. Putting aside the argument for it, which 
sounds sensible to me, is there any reason that you cannot do 
that?
    Mr. Stamos. I would have to get back to you on that, 
Senator. We would have to see the details of what you call a 
``malvertising incident'' and what the reporting looks like.
    Senator Levin. Mr. Salem.
    Mr. Salem. I personally would be very careful about making 
a commitment like that. One of the things that we try to do is 
within a community, discuss what the issues are and make sure 
that it is not public. As soon as you make things public, you 
are basically talking about people that have----
    Senator Levin. I am talking about to the regulator.
    Mr. Salem. But, again, that would be a public document. We 
would rather not make some of this information public so that 
the criminals find out how we are detecting them and how we are 
basically----
    Senator Levin. Everything you tell a regulator is not 
necessarily public, by the way. You can have proprietary 
information, you can have other information that is not made 
public. Putting aside that problem, any reason why you cannot 
notify the regulator?
    Mr. Salem. There is no reason.
    Senator Levin. OK. Would you, Mr. Stamos, get back to us 
after you study what that recommendation is?
    Yahoo!'s privacy policy indicates that you do provide 
information to partners of certain personal information so that 
Yahoo! can communicate with consumers about offers from Yahoo! 
and the marketing partners. Then you say the companies that you 
deal with, however, those partners, do not have any independent 
right to share this information.
    Is the sharing of that information prohibited?
    Mr. Stamos. Mr. Chairman, while privacy and security are 
intertwined, we have a dedicated privacy team. So if you want 
to get into those kinds of details, I will have to take those----
    Senator Levin. Do you know offhand?
    Mr. Stamos. I do not, sir.
    Senator Levin. OK. There is a great emphasis here on 
education, but here is the problem. The business partners, for 
instance, of Yahoo!--and you provide a list on your website--of 
these third-party partners, there are over 150 companies that 
do advertising work alone. You note in your privacy policy that 
these companies may be placing cookies or Web bugs on our 
computers as we browse.
    How can consumers possibly educate themselves about each of 
these third parties? There are 150 of them with names like Data 
Zoo, Daltran, Diligent, companies totally unknown to people 
outside of this room probably. Do you think it is feasible--and 
I am going to ask you, Mr. Stamos, and this will be my last 
question--for consumers to evaluate the security policies and 
the privacy policies of each of 150 entities? Is that a 
practical suggestion?
    Mr. Stamos. That is an excellent question, Senator. We are 
not expecting consumers to go and make the decisions one on 
one. That is why we provide privacy options for users, and we 
work with folks like the DAA to provide decisionmaking 
authority for consumers across multiple partners. And I believe 
that is where we have to go, is to have the choices up in one 
place.
    Senator Levin. Well, but you are suggesting that they 
educate themselves about each of those partners of yours.
    Mr. Stamos. I am not suggesting that. I am sorry, Mr. 
Chairman. I am not familiar with the language you are referring 
to.
    Senator Levin. OK. Thank you.
    Senator Johnson.
    Senator Johnson. Thank you, Mr. Chairman. I would kind of 
like to start out just quoting a couple little phrases here to 
certainly underscore my feeling on this. I think as the 
Chairman said this has enormous complexity, and I think the 
Ranking Member said that online Internet advertising plays an 
indispensable role. I think those are pretty powerful 
statements in terms of what we are trying to do here. The 
Internet has been a marvel. It has created all kinds of 
economic activity, certainly improved people's lives. So we 
need to understand how enormously complex this situation is, 
and it is not easy. And the analogy I would use in terms of 
crime--because we are talking about criminal activity and who 
is going to be held liable for it.
    The analogy I would use would be let us say you have a 
criminal, that even though you have safeguards in a taxicab, 
that criminal defeats those safeguards, takes over the cab, and 
kills somebody. Is the cab company to be held liable for that 
criminal activity? I think that is probably a more accurate 
analogy that we are talking about here.
    So I think the purpose of this hearing is what can 
government potentially do to help it, and I think I know who 
Yahoo! is, I think I know who Google is, I think I know how you 
guys obtain revenue and make money. I am not too sure about 
OTA, and there are a couple things that have surprised me in 
terms of the comments you have made.
    So let me first ask you, Mr. Spiezle, who are you? Where do 
you get your funding? How do you obtain revenue?
    Mr. Spiezle. Well, thank you for the opportunity to provide 
clarity. So the OTA, the Online Trust Alliance, got founded, in 
2004, as a working group to address and bring forward the anti-
spam standards that Yahoo! referenced in their original 
testimony there through a collaborative effort. And it was 
recognizing----
    Senator Johnson. Who funded that effort? I mean, it takes 
money to do that.
    Mr. Spiezle. That effort was through companies like 
Symantec, Microsoft, PayPal, lots of companies that came 
together--Cisco.
    Senator Johnson. So do you continue to get funding that way 
or do you get funding in other ways?
    Mr. Spiezle. Our funding actually comes from multiple--
again, we are a 501(c)(3). We are not a trade organization. We 
look across the ecosystem. We have a diverse group of sponsors 
and contributors as well as we receive grants from DHS and 
others.
    So, again, our mission is very clear. We support 
advertising, but, again, our most important part is improving 
consumer trust in the vitality of the Internet.
    Senator Johnson. OK, because here is what sent bells and 
whistles going off in my head, and I am not sure I heard you 
say it, but the Chairman said that you talked about the fact 
that Yahoo! and Google have little incentive--to do what? First 
of all, is that an accurate statement? So what do they have 
little incentive to do?
    Mr. Spiezle. So I think in the context of the question, if 
I can clarify that incentive, it is an incentive of data 
sharing, and it is really an industry issue that we have been 
trying to get people to work on together. And the incentive is 
data sharing----
    Senator Johnson. Do you deny the fact that Google and 
Yahoo! have an enormous free market incentive to make sure that 
this criminal activity does not occur on the networks?
    Mr. Spiezle. I think as dominant market players, there is a 
responsibility in how the lack of data sharing and how it is 
marginalizing the ecosystem and----
    Senator Johnson. No, but answer the question. Doesn't 
Yahoo! and Google, don't they have enormous financial 
incentives to try and police this and prevent malvertising and 
malware?
    Mr. Spiezle. As they have suggested, malvertising is a 
small percent of the overall ad industry, and so to add the 
operational friction and to change it is a major change in how 
they operate today.
    Senator Johnson. You are still not answering the question.
    Mr. Spiezle. I do not think there is----
    Senator Johnson. You really do not think Yahoo! or Google 
have an enormous financial incentive to try and police this 
stuff and prevent it from happening?
    Mr. Spiezle. I think they do. Whether they are----
    Senator Johnson. OK. Good. That is what I wanted to--
because here is the point: What can government do better than 
what these private companies can do to prevent this? I have sat 
through hearing after hearing--for example, just this week, we 
talked about the Defense Department who has been unable to get 
audit ready in 15 to 20 years.
    So my point is: Is there a role the government can play 
that does not actually do more harm than good?
    Now, as I have been investigating this and been involved in 
Commerce Committee hearings, the first step that we need to 
take in terms of cybersecurity is information sharing. And the 
only way we are going to get information sharing is we have to 
provide some liability protection.
    I want to ask all three of you: Is that pretty much the 
first thing the government has to do, we have to enact some 
type of information-sharing piece of legislation that provides 
the kind of liability so that you will actually share 
information? Let me start with Mr. Stamos.
    Mr. Stamos. Thank you, Senator. We are in support of 
information sharing as long as there are strong privacy 
protections for our users, but we are happy to work on the 
details of that, yes.
    Senator Johnson. Do you think that is the first step?
    Mr. Stamos. I think that is an important step. I also think 
something government can do right now is to work on disrupting 
the financial side of these cyber criminal networks.
    Senator Johnson. So you are actually talking about 
enforcement; you are talking about going after criminals and 
enforcing and penalizing the criminals.
    Mr. Stamos. Yes, penalizing the criminals, but also just 
making it hard for them to make money. A lot of these guys are 
actually selling products. They are taking credit cards. They 
are cashing checks. And so even if we cannot arrest them 
because they are in a jurisdiction where that is impossible, we 
can make it difficult for them to profit off of targeting 
American----
    Senator Johnson. So would that require more regulation of 
the banking industry, some targeted actions there?
    Mr. Stamos. Again, I am not a lawyer, so I do not know the 
exact--I think it is all already illegal. It is really just a 
focus issue.
    Senator Johnson. OK. Mr. Salem, again, what can government 
do? What is the first step?
    Mr. Salem. Senator, you had mentioned basically looking at 
being allowed information. To be quite clear, my team is the 
one that does the anti-malvertising, and we are very happy that 
we could actually speak to our colleagues, at least in the 
industry, very openly about the different threats and what we 
can do about it. We actually currently do talk very openly, and 
some of the other threats that have come out, like we have 
spoken recently about TrustInAds.org where you have scams 
basically in the tech support industry. These were terrible for 
consumers. Some of them had malware installed on their 
computers under the guise of giving a credit card number to 
people in India, helping them with their computer.
    We are very happy to discuss----
    Senator Johnson. OK, but that is between companies. What 
about information sharing with the government so that the 
government can disseminate some of that information to other 
people in the industry that you maybe do not have a partnership 
with? And I guess the other thing I want to get to is some sort 
of Federal preemption on data breach, so that we have a data 
breach standard so you are not having to deal with 50 or more, 
potentially hundreds or thousands of jurisdictions. I mean, is 
that something pretty important? Is that something the 
government can do that would be constructive as opposed to 
hampering your activities?
    Mr. Salem. Yes, it would.
    Senator Johnson. Because here is my concern, is that we 
enact some piece of legislation with the best of intentions 
that actually makes it more difficult, takes your eye off the 
ball of actually solving the problem as opposed to complying 
with regulations that are written by people that are not even 
close to, as agile, as flexible, and as knowledgeable as what 
your companies are.
    Mr. Salem. Currently today, we are able to do our scanning, 
look for these bad ads, look for sites, and protect consumers, 
protect our users, talk to other folks in the industry 
currently about malvertising, about the malvertising trends. 
Right now we do not feel like we have problems or that there is 
anything encumbering us with this communication for the issue 
of malvertising.
    Senator Johnson. OK. Part of my concern about some of the 
answers you are providing in the hearing here is you obviously 
do not want to alarm your consumers, and I do not want to put 
words in your mouth, but I am a little concerned that that is--
we all know this is a small slice. I mean, this is a big 
problem, right? And I want you to kind of answer the question I 
asked Mr. Spiezle about the enormous incentives you have. You 
mentioned, I think, in your testimony your top priority is 
users matter, user trust, and user security is a top priority. 
I think that just makes common sense, but I will give you an 
opportunity to underscore that point.
    Mr. Salem. For Google, user privacy, user security is No. 
1. I mean, honestly we are an Internet business. Our users are 
one click away from going to our competition, one click away 
from doing something else. We have to prove that we take this 
seriously, that when they click on any ad that is a safe ad and 
that when we deal with our third-party advertisers, that they 
are vetted partners as well.
    Mr. Stamos. Yes, Senator, we have a huge incentive to 
maintain user trust. The biggest sites that Yahoo! ads run on 
are Yahoo! sites, and so to maintain those 800 million people 
around the world using our sites, we have to maintain the trust 
of our users, and we have to live up to our responsibility.
    Senator Johnson. I come from a manufacturing background, so 
we have gone through ISO certification, which I will have to 
admit, when I first got into it, I am going, ``Well, this is a 
pretty good deal for the consultants that do ISO 
certification.'' But having gone through the process, I became 
a real believer that this is extremely helpful in terms of 
providing, not only my company the tools to get our process 
under control, but to communicate to our customers, to our 
suppliers that we had our process under control across a whole 
host of different parts of that standard.
    From my standpoint, that kind of certification process 
would make sense for this particular--and when we are talking 
about standards, security standards and advertising, is that 
something that Yahoo! and Google would support, some kind of 
third-party certification process that would give consumers the 
comfort that the standards are in place?
    Mr. Stamos. Thank you, Senator. I think we would support 
self-regulation to set guidelines. From the actual technical 
standards, this is something that we change and innovate on 
every single day, so we need to be really careful to not get 
too prescriptive to where we are living up to a rule and we are 
not doing what we need to do to----
    Senator Johnson. Well, that is what I am talking about, a 
private sector alternative.
    Mr. Stamos. Yes.
    Senator Johnson. But I want to make sure it is a 
cooperative one, not potentially somebody who is set up in 
business and is actually hostile to some of the actors in the 
room. You really need to have this very cooperative, very 
flexible, very fast moving, because these standards are going 
to have to change--what? Daily? I mean, literally what are we 
talking about in terms of the level of flexibility we are going 
to need if we are going to have any hope? And all we are going 
to be able to do is minimize this, right? Probably? I mean, the 
criminals are going to be one step ahead of us every time. You 
are going to have to continue to change these standards and 
what we need to do on an ongoing basis, correct?
    Mr. Salem. Correct. We need to evolve, and we need to 
basically be as nimble as possible to make sure that we are one 
step ahead of those criminals.
    Senator Johnson. I am out of time.
    Mr. Spiezle. I might add that the standards that were 
addressed earlier that industry came together to address spam 
and deceptive email, DMARC and DKIM and SPF, they are examples 
of similar technologies that could be employed, so I would 
actually say that there could be standards that could be 
developed that could help increase the trustworthiness in 
advertising.
    Senator Johnson. Thank you, Mr. Chairman.
    Senator Levin. Senator McCaskill.
    Senator McCaskill. Mr. Spiezle, do you know what percentage 
of all the malware incidents occurred through advertising? I 
think this is your chart, \1\ correct?
---------------------------------------------------------------------------
    \1\ See Exhibit No. 1, which appears in the Appendix on page 162.
---------------------------------------------------------------------------
    Mr. Spiezle. Yes, this is a chart----
    Senator McCaskill. And what percentage of malware incidents 
are attributable to advertising in the year 2013?
    Mr. Spiezle. I do not have that specific data.
    Senator McCaskill. Well, how can you not have that data if 
you know how much display malvertising there was? Wouldn't you 
have to know the context of that number?
    Mr. Spiezle. No, this is very specific to documented cases 
where malicious ads were documented and observed. So we are not 
looking at click fraud, we are not looking at search ad or 
fraudulent ad----
    Senator McCaskill. And why not?
    Mr. Spiezle. Because this is the area, again, that is 
coming through the pipeline. The critical infrastructure that 
is impacting us today through malicious advertising where 
consumers do not have the ability to protect themselves.
    Senator McCaskill. Well, if I have malware on my computer, 
frankly it does not matter where it came from, and I am trying 
to get at the whole problem here. This is obviously one small 
piece of it. Do you all know, Mr. Stamos and Mr. Salem, what 
percentage of the malware incidents are attributable to 
advertising?
    Mr. Salem. We do not know that information.
    Senator McCaskill. Does anybody know it?
    Mr. Salem. We do know that the classic way that a consumer 
will get malware is visiting a site, not necessarily the 
advertisement on that site. That is the classic way where 
criminals----
    Senator McCaskill. That is what I am trying to get at. How 
much of this is site-specific versus ad-specific?
    Mr. Stamos. So the numbers we see, Senator, from other 
sources on the number of malware infections are in the tens or 
hundreds of millions. So that is the context in which I would 
put the hundreds of thousands here.
    Senator McCaskill. OK. So we are talking about less than 1 
percent.
    Mr. Stamos. It is real hard to know, Senator, exactly where 
each malware infection comes from. But I do not think that it 
is unlikely that it is less than 1 percent.
    Senator McCaskill. OK. Some of the people in this room have 
heard me say this before--part of the problem here is that 
consumers were not brought along early in this process to 
understand the importance of being educated and understanding 
that what they are getting for free is coming at a price of 
advertising. I do not think you would argue, Mr. Spiezle, that 
we would have a much different Internet if it were not for--in 
fact, the backbone, the foundational backbone of the Internet 
as we know it and the explosion of economic activity and jobs 
is all around behavioral marketing, correct?
    Mr. Spiezle. It is all about advertising, which is great, 
and we fully agree that advertising supports the services that 
society and businesses get today.
    Senator McCaskill. So when consumers hear how unfair it is 
that their data is--that they are seeing ads for outdoor 
furniture when they have been shopping for outdoor furniture, 
when they get creeped out about that, they are not making the 
connection that is why their Internet content is free. You all 
get that, right? They do not get that connection? And that is 
all on you. You have not informed them appropriately about the 
bargain they are striking. And perhaps what would be most 
helpful in this regard is to figure out what the costs would be 
if we were to remove--if we were to clamp down in the 
government on the kind of advertising and the prevalence of 
advertising on the Internet and the ability to behavioral 
market on the Internet by knowing what people are interested in 
as opposed to just like we know that somebody who watches Oprah 
maybe would--they might want to run an ad for Slim-Fast on 
Oprah. I mean, that is what happens in advertising. You try to 
target your audience based on what they are looking at.
    Does anybody know what this would cost for people to have 
an email or to have the search capability they have if it were 
not for advertising? Has anyone ever tried to quantify that so 
consumers would understand the bargain they are getting?
    Mr. Stamos. I just have to say, Senator McCain's number, in 
his opening statement he talked about the overall ecosystem 
being worth around $43 billion. So I guess that would be the 
overall cost.
    Senator McCaskill. OK. What is the one thing the government 
is supposed to do in this space? I think it is catch criminals, 
right?
    Mr. Salem. Yes.
    Senator McCaskill. OK. Mr. Spiezle, why aren't we catching 
more of these criminals? How much time is your organization 
spending on the failure of government, both nationally, 
domestically, Federal, State, local, and internationally, the 
abject failure we have had at going after--and I know it is 
really hard because we are talking about IP addresses that 
disappear in less than that.
    Mr. Spiezle. Thank you for the question. It is clearly a 
problem of epidemic proportions, State-sponsored actors and 
such international here. One of the biggest challenges--and I 
think we have outlined in every area of security best 
practices--is data sharing. And it is not just data sharing to 
government. We also have to remove the barriers and the 
barriers cited by many of the organizations in this room, for 
example, antitrust, of sharing this data with each other. That 
is the first part. In the absence of that, we cannot peel back 
the onion. Working with the FBI and Secret Service, this is a 
very difficult problem to go back to and get----
    Senator McCaskill. So you are saying that the government's 
failure is because Google and Yahoo! and their colleagues are 
not sharing information with law enforcement?
    Mr. Spiezle. I am saying that in general--it is not a 
government failure. It is in general a failure of the industry 
sharing data among ourselves and with law enforcement of when 
these incidents are occurring. But it is a difficult problem. I 
want to underscore, they are also being victimized, their 
infrastructure is being victimized as well, and so I certainly 
recognize that issue that is hurting their businesses. But we 
have to put in place the measures to protect and prevent it and 
also to detect it. And when we detect it, then we can notify. 
But in the absence of data, we cannot notify the other parties 
to bring down the ads as quickly as possible or to look at the 
methodology to prevent it from reoccurring.
    Senator McCaskill. Well, let us try to drill down on that a 
little bit. Mr. Stamos and Mr. Salem, are you all trying to 
work in a cooperative and moment-by-moment fashion with law 
enforcement?
    Mr. Stamos. Yes, Senator, we have a dedicated e-crime team 
that we are actually in the process of beefing up, that when we 
see an incident where we believe there is enough information, 
that we refer that information to law enforcement, that we work 
with them throughout the investigation. And we have actually 
had some success in the disruption of several cyber criminal 
networks.
    As Mr. Spiezle said, there is an international component 
that sometimes makes an arrest difficult, but you do not need to 
arrest them to make it economically infeasible for them to be 
committing these crimes.
    Senator McCaskill. Well, I would like more information on 
that, and I would certainly appreciate anything your 
organization could bring to that also. I would like to 
understand why we are not having more robust success in the law 
enforcement space since your companies are being victimized and 
consumers are being victimized by criminals.
    Mr. Salem. I can give you a few anecdotes, if you would 
like, that might help. Google constantly is being asked for 
information by law enforcement to give information about cyber 
criminals, and we do that. The few times that we have actually 
approached law enforcement and said, we have exact IP 
addresses, we know exactly where these servers are, they are in 
the United States, one of the things we are asked to give is, 
``Well, show us the fraud, show who was fraudulent, the amount 
of damages.'' We do not have that information.
    So that is something where, overall, we have actually had 
problems approaching law enforcement to actually take action.
    Senator McCaskill. Do you all feel----
    Senator McCain. For the record, would you provide an 
example of that for us.
    Mr. Salem. I can do that offline, yes.
    Senator McCaskill. One of the things I think there is a 
stress for you all, and that is informing consumers as clearly 
and boldly as many of us believe you should inform them--
because a lot of this can be prevented by consumers, as you 
well know, Mr. Spiezle. If you understand the ecosystem of the 
Internet and if you understand the concept of cookies and if 
you understand what your browser is actually doing, if you 
understand the power of a click, you can avoid a great deal of 
the danger.
    But I am sure some of the stress for your companies is that 
the more you warn consumers, the more they are going to be 
afraid to robustly participate in the Internet in terms of 
accessing ads and doing the things that generate a lot of the 
income for the overall eco-structure.
    So how can you balance this better? I know it is better 
than it was when I started harping on this several years ago 
about informing consumers. But the secret about their power, 
about the individual user's power--I have a great deal of power 
on this thing. But I have to be honest with you. The only 
reason I know it is because I have an amazing staff that helps 
me understand how I can access that power. The average consumer 
does not have a clue.
    It seems to me that is what the organizations that fund 
you, Mr. Spiezle, ought to be more worried about, is how the 
consumer becomes more empowered in this environment, because it 
is the only real way.
    Mr. Spiezle. If I can respond, I clearly agree that 
consumers have a shared responsibility here to make sure that 
they are updating their computers, patching their systems, and 
practicing safe computing practices, absolutely. But, again, 
getting back to--I remain that, again, going to a trusted site 
they know of, they type it in, they do not click on a link, all 
the things that we tell them not to do, and they go to a 
trusted site that unsuspectingly deploys a zero-day exploit, an 
exploit that has never been disclosed to them before, there is 
no amount of consumer education that can solve that problem.
    So we have a shared responsibility across all the 
stakeholders here--consumers, ad networks, publishers alike 
here--and that is why I think we are having this discussion 
today.
    Senator McCaskill. My final question, Mr. Spiezle, is your 
organization--I know that probably a lot of the security--I am 
guessing if I was a company that was selling security projects, 
I would want to invest in you. I would want to make 
contributions to you. So I am assuming a lot of your 
contributors are, in fact, the people who make security 
products for the Internet.
    Mr. Spiezle. Actually, to the contrary. Over 50 percent of 
our funding comes from companies like WebMD, American Greetings, 
Comscore, Publishers Clearing House, Twitter, eBay, websites and 
Web properties that are depending on consumers to trust their 
services. They also include interactive marketers including 
Innouyx, Vivaki, Simplifi, Epsilon, and others.
    Senator McCaskill. And do you provide the services to 
these--the workshops you provide, are they free of cost to 
people who come? Or is part of your income that you actually 
need the revenues----
    Mr. Spiezle. Our training workshops are basically at a cost 
recovery basis, and we hold some throughout the U.S. and Europe 
as well on a range of subjects.
    Senator McCaskill. So you do not get any revenue stream 
from your----
    Mr. Spiezle. Like I said, they are designed to cover our 
operating costs of the programs.
    Senator McCaskill. Thank you.
    Senator Levin. Thank you, Senator McCaskill.
    Senator Portman.
    Senator Portman. Thank you, Mr. Chairman, and thanks for 
holding this hearing.
    The chart tells it all. \1\ We have seen this dramatic 
increase in malvertising, so it is appropriate we are talking 
about it.
---------------------------------------------------------------------------
    \1\ See Exhibit No. 1, which appears in the Appendix on page 162.
---------------------------------------------------------------------------
    I also agree with what Senator Johnson said earlier about 
how the Internet has really thrived without the heavy hand of 
government. We want to make sure that continues, critical to 
our economy.
    Earlier we talked about a lot of solutions. And I do not 
understand enough about the problem to know what the right 
solutions are, to be frank with you. But verification standards 
certainly seem to make sense. In your testimony, you talk about 
information-sharing protocols. Senator McCain rightly talked 
about the liability protections that are needed to make that 
work well. I know you guys are not lawyers, but we would like 
some more information on that, if you could give it to us for 
the record.
    The accountability measures for the ad networks themselves 
seem to make a lot of sense. We talked about enforcement, and I 
want to ask you about that in a second. But enforcement 
requires the information, which is important to get at what, 
Mr. Stamos, you talked about in terms of the financial 
incentives that are in the system now.
    I have a question just to kind of back up so I maybe 
understand this problem better. Mr. Salem, you are with Google, 
kind of a big company. And I understand that you scan 100 
percent of the ads that enter into your advertising network. Is 
that true?
    Mr. Salem. We scan 100 percent of the ads eventually. Not 
every ad is necessarily scanned unless it is hosted by Google. 
So many of the ads----
    Senator Portman. Unless it is what?
    Mr. Salem. Hosted by Google. So we have third parties, and 
we have Google ads as well. So all of the ads that are Google 
are scanned immediately before served. A few of the third 
parties----
    Senator Portman. OK. Let us focus on the ads that are 
Google-hosted. If you are scanning all of those ads, then how 
did the malvertising that ended up on YouTube earlier this year 
circumvent that scanning process? I mean, it was a major issue. 
Everybody was aware of it. How did that happen?
    Mr. Salem. It happened because ads can go bad. So there are 
a lot of third-party components to ads. There are a lot of 
JavaScript calls. There is potentially tracking or analytics that 
happens along with an ad.
    When we scan an ad, we scan an ad and the ad looks great. 
We continually scan ads based on the risk, how often they are 
shown. These ads went bad before we had a chance to rescan 
them.
    Senator Portman. So the vulnerability was that you did not 
have a continuous ability to analyze that ad, and it went bad. 
So what are you doing to address that vulnerability?
    Mr. Salem. So what we have done is we have looked at our 
risk profile on these ads. We have basically lowered it for 
many of them, and we are scanning more often for all of these.
    Senator Portman. And are you scanning often enough to avoid 
what happened with the YouTube malware happening again?
    Mr. Salem. We believe so. We scan all of the ads that we 
host, and we rescan them quite a bit. We have hundreds of 
thousands of ads we take down continuously. Some of those are 
based on the websites that they go to that are bad, and some of 
them are based on the ads themselves that are going bad.
    Senator Portman. Your prepared testimony focuses a lot on 
preventing, which is what this is, and disabling malware. Of 
course, both are necessary. I get that.
    When prevention fails, as it did with this huge incident, 
what can consumers do to protect themselves from harm inflicted 
by ads on Google's ad network or any other entity's ad network?
    Mr. Salem. Sure. So just on this incident itself, I would 
not necessarily call it huge because the website itself was on 
our safe browsing list. So users that use Chrome, Mozilla, and 
Safari, they were already covered by this. Also, the specifics 
were for an unpatched version of Internet Explorer, so this is 
actually telling you these are the users that actually got the 
malware or were exposed to the malware. We do not even know how 
many of them actually downloaded the malware.
    Senator Portman. So you do not know what the damage was, 
but it was not huge?
    Mr. Salem. We know the potential, and when we look at our 
numbers, we look at what is the potential when an ad goes bad, 
and we look at our last scan. That is when we consider all that 
potentially bad advertising.
    But that basically shows us that what could protect a user 
is knowledge that they need to use anti-virus software, that 
they need to update their browsers, they need to update their 
operating systems. That in general is best practices, not even 
just for malvertising but just for malware in general.
    Senator Portman. Let me ask a question, if I could, to both 
of you, Mr. Stamos and Mr. Salem, about consumers, because you 
talk about how consumers need more information. What can be 
done to inform people that they have been infected so that they 
know it without tipping off the cyber criminals involved? Isn't 
that one area where Senator Johnson was talking about, 
consumers are going to be key to this. It is impossible for 
people to know how to react if they do not know that they have 
been infected. How are you going to let consumers know that?
    Mr. Stamos. Thank you, Senator. As the gentleman from 
Google said, the cyber criminals are choosing users to attack 
based on criteria that are not ours and based upon servers that 
are not ours. So we do not have the exact list of users or even 
IP addresses for which we are attacked, nor do we have a direct 
relationship with those users. So direct notification is a 
difficult issue. That is why we do general notification that we 
post on our blog, that we have discussion through the press of 
what happened, and then we have a safety and security website 
that we refer users back to that gives tips on how they can 
patch their system and free anti-virus tools to check whether 
or not that piece of malware was installed.
    Senator Portman. Mr. Spiezle, any thoughts on that?
    Mr. Spiezle. I agree, it is very hard, again, knowing where 
that ad ran and who it was. There is, obviously, the anti-virus 
software, I agree, that gets data on consumers who get 
notifications from them.
    There has been a related effort that actually has been led 
through the FCC in the CSRIC process with ISP best practices 
where they detect abnormal behavior coming from an IP address 
of a residential computer. So there is progress in that front, 
not related to the ad-specific, but when a device appears to 
have been compromised and how do you notify. The framework that 
I identified today and outlined is built on that framework of 
prevention, detection, notification. So there are parallel 
efforts, and I raise that because this is an issue that needs 
us to move out of a silo of one industry and look at what other 
segments of the industry are doing to solve the problems, 
similar problems.
    Senator Portman. In the Subcommittee's report, it seems to 
me that Senator Levin's team is saying that you guys do not 
have the incentive that you would otherwise have because 
consumers do not know that the malvertising came from you. How 
do you respond to that? I think if you do not know to attribute 
to a particular attack, a particular ad network, there might be 
a disincentive to address it. There would be a much greater 
incentive if they knew this came from their Yahoo! account, the 
advertisement that they get on Yahoo!. What is your response to 
that?
    Mr. Salem. I can actually say something and clear up the 
misconception. Just because you visited a site and you 
potentially got an ad from Google, because of the anonymity, we 
do not necessarily know who you are. So as far as, even being 
able to let people know, an ad was served to you that 
potentially had malware, we do not know who you are. It is all 
anonymous, or pseudo-anonymous, and it is done on purpose that 
way. That is one of the reasons why someone cannot target you 
specifically with an ad. They can target, potentially, your 
gender or your age group based on, you know, some profiling, 
but that is about it. We do not necessarily know who you are. 
So that is not even possible.
    Senator Portman. Mr. Stamos.
    Mr. Stamos. As to the motivation, obviously if this kind of 
incident happens, it has an impact on our reputation; it has an 
impact on the trust our users have in us, and that trust is 
absolutely the bedrock of our business. And so maintaining user 
trust is essential, which is why we have a security team, a 
trust and safety team, an anti-malvertising team, and we are 
working on this issue 24/7.
    Senator Portman. But you cannot tell your customers that 
they got attacked?
    Mr. Stamos. We cannot tell advertising customers. As Mr. 
Salem said, we do not have that information. We cannot directly 
tie Bob Smith to look at this specific advertisement.
    Senator Portman. If they could have that connection to a 
particular ad, wouldn't that make for a more effective 
enforcement regime? They would know where it came from, and you 
or the ad networks would then be in a position to respond.
    Mr. Stamos. I believe, Senator, that would be a significant 
privacy issue that we are also talking about here for us to 
track individuals looking at----
    Senator Portman. Let me ask you about something that I 
found really interesting in some of the material that was sent 
to us in advance. It says that some cyber criminals carry out 
these attacks on weekends and holidays because they figure your 
guard is down. Is your guard down on weekends and holidays?
    Mr. Stamos. Absolutely not, Senator. Thank you for the 
question. The systems that do this are automated systems, and 
you are guilty until proven innocent. So we scan immediately on 
upload. We scan before an ad is seen. We scan repeatedly 
afterwards. And if anything is strange, that ad gets 
immediately pulled, and then our people get paged, and our 
security team works 24/7, 365 days----
    Senator Portman. So consumers should not be worried on 
weekends or on holidays?
    Mr. Stamos. No, absolutely not.
    Senator Portman. OK. I am glad to hear that.
    I also had a question about this TrustInAds.com group that 
I think you all support. Mr. Spiezle, I do not know if your 
group supports that. But maybe, Mr. Spiezle, you can tell us 
what to expect from TrustInAds.com in the near future to 
address this malware problem? How can consumers get 
information?
    Mr. Spiezle. Well, I cannot really speak to the 
organization. We have reached out to them. I can only respond 
to what is on their website, and it is about educating 
policymakers and notifying consumers what to do when they have 
been harmed. So the site speaks for itself. I look forward to 
finding more information from them as well.
    Senator Portman. Mr. Salem, do you think it is going to be 
effective?
    Mr. Salem. Yes, it actually has been effective. We recently 
just released our study on the tech support vertical, and 
basically one of the things we were noticing was when Google 
started clamping down on this terrible scam, the scammers 
started going to other sites. And what we did was we reached 
out to our colleagues to make sure that we basically stopped 
this from happening for everybody.
    Senator Portman. Mr. Stamos.
    Mr. Stamos. I totally agree. I think TrustInAds is really 
focused on the deceptive advertising and the fraud, and one of 
the reasons it has been put together is it is a single place 
where you can report those advertisements to make all the 
companies that are involved aware so that we can go take them 
down and ban those advertisers.
    Senator Portman. Thank you. Thank you, Mr. Chairman.
    Senator Levin. Thank you very much, Senator Portman. We 
thank our participants in this panel very much for your 
testimony. It has been extremely helpful, and we will now move 
on to our second panel.
    Senator McCain. Mr. Chairman, before you do that--it is a 
little disturbing when Mr. Salem and Mr. Stamos dispute facts. 
Ronald Reagan used to say that facts are stubborn things.
    I am a bit disturbed by sort of it is somebody else's 
problem in the testimony today, and it heightens my motivation 
to both reinvigorate legislation that we had tried before, but 
also try to make Google and Yahoo! understand that this is a 
much bigger problem than their testimony indicates they think 
it is today. And it is a bit disappointing.
    Thank you, Mr. Chairman.
    Senator Levin. Thank you very much.
    Senator Johnson. Mr. Chairman, just two quick questions?
    Senator Levin. We have three or four votes in 5 minutes.
    Senator Johnson. These are actually pretty basic questions.
    Senator Levin. OK.
    Senator Johnson. I just want to ask Yahoo! and Google, the 
technical indications scanning, how many scans are you doing? 
What percentage of that, if you wanted complete coverage, what 
are we talking about? Are you able to scan 1 percent, 100 
percent?
    Mr. Salem. We scan all ads, so it is 100 percent.
    Senator Johnson. But you are doing it all, but you are 
rescanning and rescanning. I mean, what would be complete 
coverage versus what percent are you--do you understand? Is it 
an impossible question to answer?
    Mr. Salem. I think that one of the----
    Senator Levin. Could you give it a try for the record? 
Would that be all right?
    Senator Johnson. The other thing I just want to know is how 
many people in your organization are devoted to cybersecurity, 
number of people, because I want to ask the government how many 
they have available.
    Mr. Stamos. As to the last question, we scan every single 
ad, 100 percent of the ads, and we scan them multiple times, 
dozens, hundreds of times based upon different risk metrics. 
And as for the number of people, I would say across the 
different teams we have over 100 people working on security and 
trust and safety.
    Senator Johnson. Thank you. Sorry about that.
    Senator Levin. That is OK. Mr. Salem, did you want to give 
an answer to number of people, quickly.
    Mr. Salem. Sure. So Google has over 400 people working 
specifically on security. We have over 1,000 when it comes down 
to all of our ad policies and basically making sure that our 
ads are compliant.
    Senator Levin. Very good. Thank you. We again thank this 
panel. You all were very helpful to us, and we appreciate it.
    Again, I want to thank Senator McCain for bringing us to 
this point. I happen to very much agree with his comments and 
with the thrust of this report.
    Let me now call our second panel. Maneesha Mithal, 
Associate Director of the Division of Privacy and Identity 
Protection of the Federal Trade Commission in Washington; and 
Lou Mastria, Managing Director of the Digital Advertising 
Alliance in New York.
    We appreciate both you being here this morning, and we look 
forward to your testimony. I think you know the rules of the 
Subcommittee that all who testify here need to be sworn, so we 
would ask that you both please stand and raise your right hand. 
Do you swear that the testimony you are about to give to this 
Subcommittee will be the truth, the whole truth, and nothing 
but the truth, so help you, God?
    Ms. Mithal. I do.
    Mr. Mastria. I do.
    Senator Levin. We are going to get as far as we can into 
your testimony before these votes start, and then we are going 
to just have to work around the testimony and the questions, I 
am afraid. Let us try to do this in 8 minutes each, if you 
could, and we will put your statements in the record.
    So, Ms. Mithal, please start.

 STATEMENT OF MANEESHA MITHAL,\1\ ASSOCIATE DIRECTOR, DIVISION 
 OF PRIVACY AND IDENTITY PROTECTION, FEDERAL TRADE COMMISSION, 
                         WASHINGTON, DC

    Ms. Mithal. Thank you, Chairman Levin, Ranking Member 
McCain, and Members of the Subcommittee. I am Maneesha Mithal 
from the Federal Trade Commission. I appreciate the opportunity 
to present the Commission's testimony on consumer protection 
issues related to online advertising.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Mithal appears in the Appendix on 
page 79.
---------------------------------------------------------------------------
    I also thank the Subcommittee for its report that it issued 
yesterday which highlights online threats to consumers. We look 
forward to working with you on these important issues.
    The Commission is primarily a civil law enforcement agency, 
charged with enforcing Section 5 of the FTC Act, which 
prohibits unfair or deceptive practices. We are committed to 
using this authority to protect consumers in the online 
marketplace. For example, we have used Section 5 to take 
several actions against online ad networks. We also educate 
consumers and businesses about the online environment and 
encourage industry self-regulation. In my oral statement, I 
will discuss our enforcement and education efforts in three 
areas: privacy, malware, and data security.
    First, with respect to privacy, we have brought many 
enforcement cases against online ad networks. For example, 
Chitika is an online ad network that offered consumers the 
ability to opt out of receiving targeted ads. According to our 
complaint, what they did not tell consumers is that the opt-out 
lasted only 10 days. We allege this was deceptive under Section 
5. Our order requires Chitika to tell the truth in the future, 
provide consumers with an effective opt-out, and destroy the 
data they collected while their opt-out was ineffective.
    As a more recent example, we obtained a record $22.5 
million civil penalty against Google for allegedly making 
misrepresentations to consumers using Safari browsers. Google 
placed tracking cookies on consumers' computers and gave them a 
choice to opt out of these cookies. Google's opt-out 
instructions said that Safari users did not need to do anything 
because Safari's default setting would automatically ensure 
that consumers would be opted out. Despite these instructions, 
in many cases we allege that Google circumvented Safari's 
default settings and placed cookies on consumers' computers. 
Although we generally cannot get civil penalties for violations 
of Section 5, we were able to get civil penalties in this case 
because we allege that Google violated a prior FTC order.
    The second area I would like to highlight is malware. As 
you know, malware can cause a range of problems for computer 
users, from unwanted pop-up ads to slow performance to 
keystroke loggers that can capture consumers' sensitive 
information. This is why the Commission has brought several 
Section 5 cases against entities that unfairly downloaded 
malware onto consumers' computers without their knowledge. One 
of these cases, against Innovation Marketing, alleged that the 
malware was placed on consumers' computers through online ads.
    We have also made consumer education a priority. The 
Commission sponsors OnGuard Online, a website designed to 
educate consumers about basic computer security. We have 
created a number of articles, videos, and games that describe 
the threats associated with malware and explain how to avoid 
and detect it.
    Finally, while going after the purveyors of malware is 
important, it is also critical that ad networks and other 
companies take reasonable steps to ensure that they are not 
inadvertently enabling third parties to place malware on 
consumers' computers. To this end, online ad networks should 
maintain reasonable safeguards to ensure that they are not 
showing ads containing malware.
    The Commission has undertaken substantial efforts for over 
a decade to promote strong data security practices in the 
private sector in order to prevent hackers and purveyors of 
malware from harming consumers. We have entered into 53 
settlements with online and offline businesses that we charged 
with failing to reasonably protect consumers' personal 
information. Our data security cases include actions against 
Microsoft, Twitter, and more recently Fandango and Snapchat.
    In each of our cases, we have made clear that reasonable 
security is a continuous process of addressing risks, that 
there is no one-size-fits-all data security program, that the 
Commission does not require perfect security, and the mere fact 
that a breach has occurred does not mean that a company has 
violated the law. These principles apply equally to ad 
networks. Just because malware has been installed does not mean 
that the ad network has violated Section 5. Rather, the 
Commission would look to whether the ad network took reasonable 
steps to prevent third parties from using online ads to deliver 
malware.
    In closing, the Commission shares this Subcommittee's 
concerns about the use of online ads to deliver malware onto 
consumers' computers, which implicates each of the areas 
discussed in the Commission's testimony: consumer privacy, 
malware, and data security. We encourage several additional 
steps to protect consumers in this area, including more 
widespread consumer education, continued industry self-
regulation, and the enactment of a strong Federal data security 
and breach notification law that would give the Commission the 
authority to seek civil penalties for violation.
    Thank you, and I would be happy to answer any questions.
    Senator Levin. Thank you very much.
    Mr. Mastria.

  STATEMENT OF LUIGI ``LOU'' MASTRIA,\1\ EXECUTIVE DIRECTOR, 
        DIGITAL ADVERTISING ALLIANCE, NEW YORK, NEW YORK

    Mr. Mastria. Chairman Levin, Ranking Member McCain, and 
Members of the Subcommittee, good morning, and thank you for 
the opportunity to speak at this important hearing. My name is 
Lou Mastria. I am Executive Director of the Digital Advertising 
Alliance.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Mastria appears in the Appendix 
on page 94.
---------------------------------------------------------------------------
    Companies have every interest to protect the privacy of 
consumers' data, and I am pleased to report to the Subcommittee 
on the continued success of the DAA's Self-Regulatory Program 
which provides consumers with privacy-friendly tools for 
transparency and control of Web viewing data, all of this 
backed by a growing code of enforceable conduct.
    The DAA is a cross-industry nonprofit organization founded 
by the leading advertising and marketing trade associations. 
These include the Association of National Advertisers, the 
American Association of Advertising Agencies, the Direct 
Marketing Association, the Interactive Advertising Bureau, the 
American Advertising Federation, and the Network Advertising 
Initiative. These organizations came together in 2008 to 
develop the Self-Regulatory Principles for Online Behavioral 
Advertising, which were then extended in 2011 to cover the 
collection and use of Web viewing data for purposes beyond 
advertising. More recently, the DAA provided guidance for the 
collection of data in and around mobile environments.
    In 2012, the Obama Administration publicly praised the DAA 
as a model of success for enforceable codes of conduct, 
recognizing the program as ``an example of the value of 
industry leadership as a critical part of privacy protection 
going forward.'' More recently, Commissioner Ohlhausen of the 
Federal Trade Commission was quoted as calling the DAA ``one of 
the great success stories in the [privacy] space.''
    The DAA administers and promotes these responsible and 
comprehensive self-regulatory principles for online data 
collection and use. To provide independent accountability for 
the DAA, the Council of Better Business Bureaus and the Direct 
Marketing Association operate collaborative accountability 
mechanisms independent of the DAA.
    To date, there have been more than 30 publicly announced 
compliance actions through the DAA program. We believe that DAA 
is a model example of how interested stakeholders can 
collaborate across an ecosystem to provide meaningful and 
pragmatic solutions to complex privacy issues, especially in 
areas as highly dynamic and evolving as online advertising.
    The Internet is a tremendous engine of economic growth, as 
was mentioned earlier, supporting the employment of more than 5 
million Americans and contributing more than $500 billion, or 3 
percent of GDP. A major part of that includes the data-driven 
marketing economy which touches every State and contributes 
nearly 700,000 jobs as of 2012.
    Advertising fuels this powerful economic engine. In 2013, 
Internet advertising revenues reached $43 billion. Because of 
advertising, consumers access a wealth of online resources at 
low or no cost. Revenue from online advertising subsidizes 
content and services that consumers value, such as online 
newspapers, blogs, social networking sites, mobile 
applications, email, and phone services. These advertising-
supported resources truly have transformed all of our daily 
lives.
    Interest-based advertising is essential to the online 
advertising model. Interest-based advertising is delivered 
based on consumers' preferences or interests inferred from data 
about online activities. Research shows that advertisers pay 
several times more for relevant ads, and as a result, this 
generates greater revenue to support free content. Consumers 
also engage more actively with relevant ads.
    Interest-based ads are vital for small businesses as well. 
They can stretch their marketing budget to reach likely 
consumers. Third-party ad technologies allow small content 
providers to sell advertising space to large advertisers, 
thereby increasing their revenue.
    Preserving an advertising ecosystem that meets the needs of 
both small and large businesses and at the same time provides 
consumers ways to address their privacy expectations is a 
reason why so many companies have publicly committed to the DAA 
principles. The DAA provides consumers choice with respect to 
collection and use of their Web viewing data, preserving the 
ability of companies to responsibly deliver services and 
continue to innovate.
    Among other things, the DAA principles call for enhanced 
notice outside of the privacy policy so that consumers can be 
made aware of the companies with which they interact while on 
the net; provision of a choice mechanism giving consumers 
choice, not companies; education; and strong enforcement 
mechanisms.
    Together these principles increase consumers' trust and 
confidence in how information is gathered online and how it is 
used to deliver advertisements based on their interests.
    The DAA's multi-site principles, which is one of our three 
codes of conduct, sets forth clear prohibitions against certain 
practices, including the use of Web viewing data for 
eligibility purposes, such as employment, credit, health care 
treatment, and insurance.
    The DAA has developed a universal icon to give consumers 
transparency and control with respect to intra-space data. The 
icon provides consumers with notice that information about 
their online interests is being gathered to customize the Web 
ads they see. Clicking on the icon takes consumers to a 
centralized choice tool that enables consumers to opt out of 
this advertising by participating companies. The icon is 
currently served more than a trillion times each month globally 
on or next to ads, websites, digital properties, and tools 
covered by the program. This achievement represents an 
unprecedented level of industry cooperation and adoption.
    Currently, on the desktop version of the DAA Choice 
Program, more than 115 third-party platforms participate. The 
choice mechanism offers consumers a one-click option to opt out 
of interest-based advertising from all participating platforms.
    Consumers are directed to the DAA choice page not only from 
the DAA icon in and around ads, but also from other forms of 
website disclosures. Over 3 million unique visitors have 
exercised choice via our choice page.
    We are also committed to consumer education. The DAA 
launched an educational website at YourAdChoices.com to provide 
easy-to-understand messaging and informative videos explaining 
the choices available to consumers, the meaning of the icon, 
and the benefits derived from online advertising. More than 15 
million unique users have visited this site, and to prepare for 
the introduction of a DAA mobile choice app for mobile 
environments, which we will release later this year, we have 
also recently released guidance on how the icons should appear 
in mobile environments to ensure a consistent user experience 
in that environment as well.
    A key feature of the DAA's Self-Regulatory Program is 
independent accountability. All of the DAA's self-regulatory 
principles are backed by robust enforcements administered by 
the Council of Better Business Bureaus and the Direct Marketing 
Association. Thirty-three public compliance actions have been 
announced in the past 2 1/2 years and have included both DAA 
participants and non-participants alike. We have an obligation 
to report noncompliance when it happens and cannot be remedied.
    The DAA has championed consumer control that both 
accommodates consumers' privacy preferences and supports the 
ability of companies to responsibly deliver services desired by 
consumers. We appreciate the opportunity to be here today. We 
believe that we have a successful model and can continue to 
evolve in this area of privacy.
    Thank you very much.
    Senator Levin. Thank you very much, Mr. Mastria.
    Senator McCain.
    Senator McCain. I thank the witnesses. I just have a couple 
of questions because obviously we have an important vote going 
on.
    Ms. Mithal, you saw the previous chart? \1\
---------------------------------------------------------------------------
    \1\ See Exhibit No. 1, which appears in the Appendix on page 162.
---------------------------------------------------------------------------
    Ms. Mithal. Yes.
    Senator McCain. Do you believe that that is an accurate 
depiction of malvertising?
    Ms. Mithal. I do, and frankly, no matter what the number 
is, I believe that it is a problem. It is a serious problem, 
and we are committed to using all of our tools at our disposal 
to----
    Senator McCain. Why do you think that the Google and Yahoo! 
guys would say that it is not accurate?
    Ms. Mithal. I do not know, Senator.
    Senator McCain. But in your view, this is certainly----
    Ms. Mithal. Well, we have not done our own independent 
research, but I have no reason to doubt the statistics. And, 
regardless, even if it happens to one person, it is a 
significant problem for consumers.
    Senator McCain. The only other question I have, or comment, 
it seems to me that consumers are being harmed, whether it be a 
``sliver,'' as the other witnesses testified, or whether it is 
more widespread and on the increase. Would you agree that it is 
on the increase?
    Ms. Mithal. I do not know, but according to the slide, it 
looks like it is.
    Senator McCain. OK. The person, the consumer that is 
harmed, has no place to go for help or compensation, it 
appears. Do you agree with that?
    Ms. Mithal. I do.
    Senator McCain. And so what do we do?
    Ms. Mithal. So I think this is a very serious problem, and 
it is going to require a multi-pronged solution. I think that, 
off the top of my head, I would say three things:
    First, increase consumer education, things like updating 
browsers, patching software, having anti-virus, anti-malware 
software on their computers.
    Second, more robust industry self-regulation. I was 
heartened to see the Trust-in-Ads announcement last month, and 
I think that needs to continue.
    And third is enforcement, both against the purveyors of 
malware and against any third parties that are letting these 
purveyors of malware get through.
    Senator McCain. Well, it seems to me there should be 
standards of enforcement, standards of behavior, standards of 
scanning, standards to do everything they can to prevent the 
consumer being harmed. And then if they do not employ those 
practices, they should be held responsible. Does that make 
sense?
    Ms. Mithal. It does, Senator. Currently, we have the 
authority to take action against unfair practices, so the 
standard is that if a practice causes consumer injury that is 
not outweighed by the benefits of competition and not 
reasonably avoidable by consumers, that can be considered a 
Section 5 violation. And we have brought over 50 cases against 
companies that have failed to maintain reasonable protections 
to protect consumers' information. And so that is a tool that 
we can use, and if Congress chose to give us further tools, we 
would use them.
    Senator McCain. Are you familiar with the legislation that 
Senator Kerry and I introduced back in 2011?
    Ms. Mithal. I am familiar with it, and I appreciate your 
leadership.
    Senator McCain. Would you do me a favor and look at that 
again, and if you believe that we need additional legislative 
tools for you, to look at it, review it, and give us 
recommendations as to how you think it could be best shaped to 
protect the consumer and address this issue? And do you believe 
that it would be helpful if you did have legislation?
    Ms. Mithal. Absolutely, and in particular in the data 
security area, currently we do not have fining authority. So we 
have advocated for data security legislation that would give us 
the authority to seek civil penalties against companies that do 
not maintain reasonable data security practices.
    Senator McCain. All right. I would appreciate it if you 
would review what we had proposed. It obviously has to be 
updated, and I will do everything in my power to see if I can 
get Senator Levin to get engaged as well. He is pretty 
important in some areas--not others, but some. [Laughter.]
    Senator McCain. Thank you.
    Senator Levin. I am not a tough sell in this area, I want 
you to know.
    Ms. Mithal. Thank you.
    Senator Levin. And I am glad that you made reference to the 
question about whether we need additional strong Federal 
policy. Your written testimony says that ``the Commission 
continues to reiterate its longstanding, bipartisan call for 
enactment of a strong Federal data security and breach 
notification law.'' And is that still the position of the 
Commission?
    Ms. Mithal. Absolutely.
    Senator Levin. Mr. Mastria, do you want to comment? Have 
you taken a look at the possible--the legislation, for 
instance, that Senator McCain made reference to?
    Mr. Mastria. I am generally familiar with it, but as a 
self-regulatory body, we do not weigh in on legislation. We 
leave that to our founding trade associations to do that.
    Senator Levin. All right. Are you done? I am going to try 
to finish. If not, I will be right back.
    Mr. Mastria, the association requires its members to 
publish the names of parties that do data collection on or for 
their website and to link to their privacy disclosures. Is that 
correct? Do you require that of your members?
    Mr. Mastria. We do require notice and transparency.
    Senator Levin. No. Do you require your members to publish 
the names of the parties that do data collection on their 
website, publish on their website.
    Mr. Mastria. No. We do require disclosure via a website.
    Senator Levin. A website.
    Mr. Mastria. Yes, that is right.
    Senator Levin. OK. Do they identify on that website which 
of the parties are not members of your association?
    Mr. Mastria. So if you go to our choice tool, all of those 
folks participate with the DAA either directly or indirectly, 
and so all 115 or 117 that are on there certainly are 
affiliated with us.
    Senator Levin. But not necessarily members.
    Mr. Mastria. We are not a membership organization. 
Companies have to certify that they abide by our standards.
    Senator Levin. Everybody on that website that is listed is 
affiliated.
    Mr. Mastria. Yes.
    Senator Levin. OK. There is a provision in there, as I 
understand it, you have a website called ``AboutAds.info,'' and 
consumers can visit the page. Again, with a few clicks, they 
can see a list of every participating company that is tracking 
their browser. Is that correct?
    Mr. Mastria. It is a list of all participants that are 
affiliated with the DAA as you characterized that do work to be 
intermediaries in the advertising space, yes.
    Senator Levin. All right. And they can opt out of receiving 
advertisements. Is that correct?
    Mr. Mastria. There is an opt-out button down at the bottom 
there that effectively opts out of everybody.
    Senator Levin. OK. Now, the opting out, as I understand it, 
prevents consumers from receiving targeted ads based on 
existing cookies. Is that correct?
    Mr. Mastria. It is based on cookie technology, yes.
    Senator Levin. No, but does it prevent consumers from 
receiving targeted ads?
    Mr. Mastria. Yes.
    Senator Levin. Now, when you opt out with one of the 
participating companies, the companies still, however, is it 
not correct, have the ability to collect future data about you 
as you travel the Internet?
    Mr. Mastria. So the collection----
    Senator Levin. Is that a yes?
    Mr. Mastria. So in some cases, yes. But there are 
prohibitions against the collection of certain data for 
interest-based advertising.
    Senator Levin. Well, that is generally true, is it not?
    Mr. Mastria. Yes.
    Senator Levin. I am not talking about that. In terms of 
what is allowed for collection for interest-based advertising, 
they can continue to collect future information. Is that 
correct?
    Mr. Mastria. Yes. I can only speak to what our program 
covers.
    Senator Levin. Your program does not prohibit the 
collection of future information. Is that correct?
    Mr. Mastria. It does prohibit the collection of future 
information for interest-based advertising but not necessarily 
if there is something else going on.
    Senator Levin. In other words, if you opt out, those 
companies can no longer collect information for interest-based 
advertising for you?
    Mr. Mastria. That is right.
    Senator Levin. All right. Now, do they have to delete the 
data that they have already collected on you?
    Mr. Mastria. Based on the opt-out--the retention policy 
that we have is tied to--they are allowed to keep it as long as 
there is a business need, and then that----
    Senator Levin. That means they are allowed to keep it.
    Mr. Mastria. Until there is no longer a business need.
    Senator Levin. Obviously.
    Mr. Mastria. Yes.
    Senator Levin. But they are not required to eliminate the 
data they have already collected----
    Mr. Mastria. That is right.
    Senator Levin. Is that correct?
    Mr. Mastria. But they cannot use it for interest-based ads.
    Senator Levin. Now, as I understand it, if a consumer 
clears out all the cookies on his browser, then because this is 
a cookie-based opt-out, unless an interest-based advertiser 
technology sees that cookie on the person's computer, they can 
then send an interest-based ad. Am I stating it correctly?
    Mr. Mastria. Yes. So the clearing of cookies is an issue, 
and in 2012 we actually enabled a suite of browser plug-ins 
which actually solved that issue. It effectively----
    Senator Levin. So then if you eliminate all your cookies, 
nonetheless the opt-out will still function.
    Mr. Mastria. That is right.
    Senator Levin. All right. So the consumer does not have to 
continually worry about opting out. Once they have opted out, 
that will continue to be effective.
    Mr. Mastria. Using the browser plug-ins effectively creates 
a hardened cookie the way we sort of jargonly talk about it. 
Yes.
    Senator Levin. That is helpful. Thank you.
    Have you considered an opt-in approach instead of an opt-
out approach?
    Mr. Mastria. So, Senator, there are certain categories of 
data for which our codes actually do require opt-in.
    Senator Levin. How about the interest-based ads?
    Mr. Mastria. So, generally speaking, if you think about 
interest-based ads, they work on--as described earlier, there 
may be an audience that is more interested in outdoor furniture 
versus----
    Senator Levin. No, I understand that.
    Mr. Mastria [continuing]. Indoor furniture.
    Senator Levin. Have you considered an opt-in approach for 
interest-based ads?
    Mr. Mastria. No. The opt-out model seems to work, 
especially when you are putting consumers in control. The opt-
in----
    Senator Levin. How about asking consumers, ``Would you 
prefer an opt-in or opt-out model?''
    Mr. Mastria. We do not ask those questions. What we do is 
we do ask consumers whether they----
    Senator Levin. Your members, your associates ask a whole 
lot of questions.
    Mr. Mastria. I am sorry. Who?
    Senator Levin. The people associated with your association, 
people who you say are not members, they are associated with 
you. They ask a lot of questions.
    Mr. Mastria. I am not familiar with those, but I can tell 
you that----
    Senator Levin. Is there any reason why you cannot ask 
consumers whether or not they prefer an opt-in or an opt-out 
approach to interest-based ads, or why your members could not 
do that?
    Mr. Mastria. Well, I think that the reality is that what we 
give consumers is an ability to opt-out for data that is 
generally anonymous. For other categories of data, take, for 
instance, health or financial, there are opt-in procedures----
    Senator Levin. I am not talking about that other kind of 
data. I am talking about the kind of data that there is only an 
opt-out provision for. Is there any reason for why that kind of 
data could not be subject to a choice, we either want to opt in 
or opt out? Why couldn't consumers be given that choice? That 
is my question.
    Mr. Mastria. Well, it is based on a choice, so----
    Senator Levin. The choice is opt out of everything or opt 
out of individual approaches to you. I am saying, Why not give 
the consumer an opportunity to either opt in or what they 
currently have, which is to opt out period or opt out 
specifically?
    Mr. Mastria. Consumers can, as you noted earlier, decide to 
clear their cookies and reset all the opt-outs, but that is not 
the program that we run.
    Senator Levin. I know that. I guess you are not going to 
answer my question.
    Mr. Mastria. I apologize, Senator, but as I said earlier----
    Senator Levin. You do not think the question is clear?
    Mr. Mastria. No, no, no. We do not take a position on 
policy. We simply run the program as it is effectuated.
    Senator Levin. Don't you have a code?
    Mr. Mastria. Yes, we have actually three.
    Senator Levin. Then why not part of the code, make it part 
of the code to give consumers that option?
    Mr. Mastria. We do.
    Senator Levin. No. The option I have just described.
    Mr. Mastria. That is not part of the code. The code is 
based on----
    Senator Levin. Why not change the code to give people that 
option, give people more choices? Everyone says we want to give 
consumers choices. I am just adding an important choice.
    Mr. Mastria. I think----
    Senator Levin. So you are not bombarded, you are not put in 
the position you got to go and try to understand what the 
privacy policy is of 150 different companies, none of which 
privacy policies are even comprehensible, they are so 
technical. We are not going to put you in that position. You 
can opt out on everything. We are giving you that option. You 
can opt out individually on those advertising companies if you 
can figure out their advertising policy. Why not give them a 
third option, an opt-in option to opt in on the type of special 
interest advertising that you might be interested in? Why not 
give them that option?
    Mr. Mastria. So, Senator, the reality is that we do not 
force people to go look at privacy policies.
    Senator Levin. OK.
    Mr. Mastria. One of the key benefits of the DAA program----
    Senator Levin. Why not urge your members to give people 
that option in their policy? That is all I am saying.
    Mr. Mastria. That is not part of the DAA program.
    Senator Levin. OK. Thank you.
    Ms. Mithal, would you for the record give us any 
suggestions relative to the additional authority which you 
would like? In addition to commenting on the legislation that 
Senator McCain made reference to, would you give us any 
recommendation--we are soliciting recommendations from you as 
to any legislation that you would recommend to promote greater 
privacy, greater choice in terms of the Internet and 
advertising on the Internet? Would you do that?
    Ms. Mithal. Sure, Senator. So I would say that, first and 
foremost, a Federal----
    Senator Levin. No, I do not mean right now. I mean for the 
record.
    Ms. Mithal. Oh, sure. Yes.
    Senator Levin. Because I have to go vote. I think I have 
probably missed the first vote already. Thank you both.
    Ms. Mithal. Thank you.
    Mr. Mastria. Thank you, Senator.
    Senator Levin. It has been a very useful hearing, and we 
really appreciate it. Thanks for coming.
    We will stand adjourned.
    [Whereupon, at 11:41 a.m., the Subcommittee was adjourned.]




                            A P P E N D I X

                              ----------                              








