U.S. Senate Paying Attention to Malware Matters: Tighter Regulations May Be Coming

Jun 20, 2014

Article ImageThe government is sitting up and taking notice of what it calls a growing threat to online safety and security: malware attacks. And if the industry isn't more careful, it may be forced to abide by stricter rules and oversight governing online advertisements that could come down the pike.

The U.S. Senate held a hearing and published a report in May that warns of the perils of malicious advertising (malvertising). The report suggests that industry self-regulation and consumer safeguards have been inadequate at curbing these practices and shielding online consumers from exposure to malware and data collection activity. The report further recommends that the Federal Trade Commission push the online advertising industry to implement strict safeguards via regulation to better protect the privacy and security of online users from online ad threats.

According to Ross Buntrock, attorney and head of the Communication, Technology and Mobile Practice Group at Arent Fox LLP, the Senate's findings highlight an incentive problem within the online advertising industry. "As there are no clear regulatory standards governing the security of advertising networks and industry accountability is currently low, companies have less of an incentive to take steps to protect consumers from malware and to monitor for inappropriate data collection practices," Buntrock says. "But if online advertisers, digital publishers and electronic content providers do not take steps to better protect consumers, they run the risk of losing the flexibility to self-regulate in favor of standards set by the FTC."

Laura Moy, staff attorney with the consumer advocacy group Public Knowledge, agrees.

"I think we will see the FTC issue clear guidance related to online advertising in the near future," says Moy. "In fact, in late May the FTC released a report acknowledging that data brokers amass enormous amounts of information about consumers without consumers' knowledge. The FTC has broad authority to regulate to prevent unfair or deceptive trade practices and will likely use that authority in this space."

The Direct Marketing Association disputes some of the findings of both reports and is hopeful that tighter FTC regulation on this issue isn't necessary.

"I'm confident that self-regulation helps combat [the malware] problem in addition to current law," says Senny Boone, general counsel for the DMA, which is asking Congress to pass a national data breach notification law. "It's always important for a government body with oversight to take a look at potential threats, but you don't want to use a hammer when you need a scalpel, and you don't want to harm legitimate businesses and content providers. We've found, when working with legitimate organizations that are taking the correct security measures, that the actual incidence of what they're calling ‘malware' is extremely rare. [The government] is identifying what they're calling potential harm to consumers from targeted advertising, but we're not seeing those bad things happen on our end. In fact, we're seeing a bit of the reverse-that consumers want to receive segmented, relevant advertising."

Buntrock concurred that the self-regulatory framework in place, including the Network Advertising Initiative Code of Conduct and NAI standards, is more than adequate to protect consumers.

"I'm gravely concerned that a ham-handed approach could kill a nascent industry that is providing a number of benefits to consumers," says Buntrock. "The FTC could begin to pursue action against companies for ‘unfair' practices when it comes to online advertising and data collection, rather than for only ‘deceptive' practices."

Jon Nolz, privacy expert and vice president of product management for Hipcricket, says what the Senate report didn't recognize is that the problem is not just about ads.

"Many websites have security flaws, web browsers are susceptible to attacks, and many consumers use machines without firewalls or antivirus programs. All of these issues need to be addressed to make the web safer," says Nolz, who added that he's encouraged by recent efforts from major tech firms to combat the problem, including the new Trust in Ads initiative by Google, Facebook, Yahoo, and AOL. "But the solution is going to need web browsers, web publishers and those that produce content to collaborate and make sure consumers are protected."

Regardless of what future action the government decides to pursue, providers of online ads need to take regulators' and consumer advocates' concerns seriously, say the experts.

"I agree with the Senate report that online advertising participants must enhance transparency and accountability, reduce vulnerabilities in their networks, strengthen security information exchanges within the industry, clarify specific prohibited practices, and introduce checkpoints to ensure that malicious advertisements are caught before being transmitted to consumers," says Moy. "And these actors must also develop a simple and straightforward way for consumers to opt out of data collection."

(Image courtesy of Shutterstock.)