The $US43 billion online-advertising industry built by companies such as Yahoo and Google is jeopardizing consumer privacy and giving hackers an easy path to infect computers, a US congressional investigation has found.
Now, armed with a better understanding of the opaque mechanics of web ads, Senator Carl Levin and other lawmakers are asking whether stricter rules are needed to protect consumers, setting up a battle with companies that shaped the internet.
The tensions played out at a Senate subcommittee hearing in Washington on Thursday when executives from Yahoo and Google testified before lawmakers leading the investigation.
“Self regulation alone has not been enough,” Levin, a Michigan Democrat and chairman of the investigations subcommittee of the Senate Committee on Homeland Security and Governmental Affairs, told reporters in Washington.
Yahoo’s advertising network was compromised in December by hackers, resulting in a virus being installed on computers of users when they visited ads on legitimate websites, according to a report released by Levin’s panel. In February, cybercriminals carried out a similar attack on Google’s YouTube video service through an ad delivered by the company, the report found.
The US Federal Trade Commission “should consider issuing comprehensive regulations to prohibit deceptive and unfair online advertising practices” if companies fail to abide by their own data-use and privacy policies, according to the Senate subcommittee staff report.
Software is used to collect, store and analyse data about visitors to websites, which could help advertisers know better if someone has a health condition, is pregnant or looking for sporting goods, according to the report. The entire process can play out in less than one second as a web page loads without the consumer’s knowledge or consent.
“Consumers are largely unaware about of the enormous amount of data today being collected about them, how it’s used and where it goes,” Levin said. “Consumers can be exposed to malware through advertisements and this malware can be transmitted directly to a consumer’s computer without additional clicks.”
The staff report found that one visit to TMZ.com, a tabloid news website, triggered interaction with 352 other servers belonging to other companies.
“The sheer volume of such activity makes it difficult for even the most vigilant consumer to control the data being collected or protect against its malicious use,” the staff wrote.
While new regulations generally aren’t favored by conservative politicians, that may be the only way to protect consumers when it comes to internet advertising practices, McCain told reporters. Legislation also may be necessary to give agencies like the Federal Trade Commission the power to enforce new rules and punish companies for violations in using data collected online, he said.
The growth of online advertising also has fueled a rise in online crime, the report found.
Criminals use online advertisements to deliver malicious code to the computers of innocent users, McCain said. There was a 200 per cent increase in advertising with malicious code between 2012 and 2013, he said.
The attack on Yahoo’s advertising network lasted from December 27, to January 3. Yahoo briefed Senate staff on the attack, which was possible because a hacker gained access to an employee’s account and was able to approve a malicious ad.
“The malware in question spread without the need for user interaction,” according to the report. “When a user visited a website with Yahoo ads delivered, the user’s browser, at Yahoo’s direction, contacted the advertiser’s server, which delivered malware to the user’s browser instead of the image of an advertisement.” The malware took control of computers to create bitcoins, a digital currency.
The report found no evidence to suggest Google or Yahoo’s ad network was any more vulnerable to malware attacks than any other major online ad network.
“Yahoo and Google appear to follow standard industry practice,” according to the report. “However, the industry as a whole remains vulnerable to these forms of attack.”
Users didn’t need to click on any ads on YouTube during the February attack on Google’s network. Just watching a video was enough to get infected, according to the report.
The malware was designed to break into online bank accounts and transfer funds to the criminals.
“An unwitting consumer who visited YouTube and encountered this malware would have no opportunity to protect herself from potential financial ruin,” according to the report. “If she suffered an attack, she would have little recourse unless she managed to track down the cybercriminal who launched the attack, an almost impossible task for security professionals and completely beyond the capabilities of an ordinary consumer.”
When law enforcement agents raided a hideout used by Russian cybercriminals, they found a calendar with US holidays and three-day weekends highlighted, McCain said. The criminals highlighted those days because security would be weak for websites they wanted to digitally attack, McCain said. He didn’t provide more details.