Senators want rules to protect consumers from ‘malvertising’

Leaders of a Senate subcommittee on Thursday called for new rules to protect people from malicious software disguised as Internet advertising.

The “malvertising” can infect thousands of computers without users’ knowledge, even if people are being smart online, members of the Homeland Security and Governmental Affairs subcommittee on Investigations said.

“As things currently stand, the consumer is the one party involved in online advertising who is simultaneously both least capable of taking effective security precautions and forced to pay the bulk majority of the cost when such security fails,” said Sen. John McCain (R-Ariz.), who led the subcommittee's effort. 

“For the future, such a result is not tenable,” he added. “The value that online advertising has to the Internet should not come at the expense of the consumer.”

On Wednesday, the subcommittee released a report claiming that “hidden hazards” in online ads were “a real and growing problem.”

The Internet surpassed broadcast TV last year as the largest medium for advertisers.

That’s led to new threats from hackers, as websites from Major League Baseball to The New York Times have hosted bad ads that infect people’s computers.  

Every day, companies like Yahoo come across 10,000 websites hosting bad ads, said Alex Stamos, the site’s chief information security officer.

In some cases, called “drive-by downloads,” people don’t even need to click on the ads for the bad code to be inserted into their computers. Merely browsing a webpage is enough to infect a computer.

Online ads are often run by third-party companies and aren’t directly overseen by companies like Google and Yahoo.

While that may make it less expensive for those companies, “it can lead to greater hazards for consumers,” said McCain.

Executives from Yahoo and Google said they supported efforts to allow companies to share threats with each other but rejected the idea that they should be held liable for malware channeled through their networks.   

“We believe that the criminals are liable for their actions,” Stamos said.

That claim is “sort of like the automobile that has a problem, but the maker of the automobile is not responsible because they’re just the person who sold it,” McCain retorted.

In previous years, McCain has backed the Consumer Privacy Bill of Rights Act, which would require companies to be up front about what information they are collecting and how it would be used. The White House has also pushed for similar protections for people's data and searches online.

McCain said on Thursday that he was eyeing the chance to “reinvigorate” that bill or a similar measure to protect Web users.

“It seems to me there should be standards of enforcement, standards of behavior, standards of skin, standards [for companies] to do everything they can to prevent the consumer being harmed,” McCain said. “And then, if they don’t employ those practices, they should be held responsible.”

The Federal Trade Commission can go after companies with “deceptive” ads, but critics said that has not been enough to stop online criminals.

Craig Spiezle, the executive director of the information security working group Online Trust Alliance, said companies have “little incentive” to share information. He said Congress should pass a law requiring companies to notify federal regulators if they come across a case of malvertising.  

Not all members of the subcommittee supported new legislation.

Major Web firms “have enormous financial incentives to try and police this and prevent malvertising and malware,” said Sen. Ron Johnson (R-Wis.).

He said he would support an effort to make it easier for the companies to share information, but opposed other efforts that would further empower regulators.

“Here’s my concern, is if we enact some piece of legislation with the best of intentions, it actually makes it more difficult, takes your eye off the ball of actually solving the problem as opposed to complying with regulations that, I’m sorry, are written by people that aren’t even close to as agile and as flexible and as knowledgeable as your companies are,” he told the Web company executives.