The $43 billion online-advertising network built by companies like Yahoo! Inc. and Google Inc. is jeopardizing consumer privacy and giving hackers an easy path to infect computers, a U.S. congressional investigation found.
Now, armed with a better understanding of the opaque mechanics of Web ads, Senator Carl Levin and other lawmakers are asking whether stricter rules are needed to protect consumers, setting up a battle with companies that shaped the Internet.
The tensions will play out at a Senate subcommittee hearing in Washington today when executives from Yahoo and Google testify before lawmakers leading the investigation.
"Self regulation alone has not been enough," Levin, a Michigan Democrat and chairman of the investigations subcommittee of the Senate Committee on Homeland Security and Governmental Affairs, told reporters in Washington yesterday.
Yahoo's advertising network was compromised in December by hackers, resulting in a virus being installed on computers of users when they visited ads on legitimate websites, according to a report released by Levin's panel. In February, cybercriminals carried out a similar attack on Google's YouTube video service through an ad delivered by the company, the report found.
The Federal Trade Commission "should consider issuing comprehensive regulations to prohibit deceptive and unfair online advertising practices" if companies fail to abide by their own data-use and privacy policies, according to the Senate subcommittee staff report.
A presidential review of online data-collection practices released earlier this month made six recommendations to ensure greater privacy, including a consumer bill of rights and national standards for data-breach notifications.
Scheduled to testify before Levin's panel today is Alex Stamos, Yahoo's chief information security officer, and George Salem, a Google senior product manager. Online advertisers spent $42.8 billion in 2013, surpassing broadcast television as the largest advertising medium in the U.S., according to the report.
The report revealed the behind-the-scenes mechanics that drive online advertising. The host of a website often has no idea what ads will appear or where they come from. Instead, other companies operating advertising exchanges use automated bidding systems in which clients pay to reach a target audience, the report found.
Software is used to collect, store and analyze data about visitors to websites, which could help advertisers know better if someone has a health condition, is pregnant or looking for sporting goods, according to the report. The entire process can play out in less than one second as a Web page loads without the consumer's knowledge or consent.
"Consumers are largely unaware about of the enormous amount of data today being collected about them, how it's used and where it goes," Levin said. "Consumers can be exposed to malware through advertisements and this malware can be transmitted directly to a consumer's computer without additional clicks."
The staff report found that one visit to TMZ.com, a tabloid news website, triggered interaction with 352 other servers belonging to other companies.
"The sheer volume of such activity makes it difficult for even the most vigilant consumer to control the data being collected or protect against its malicious use," the staff wrote.
Senator John McCain, an Arizona Republican, said Internet companies have failed to police themselves when it comes to informing consumers about their advertising policies and how the data they collect is used.
"We're constantly improving our security systems and collaborating with industry partners to protect against malware and other fast-evolving abuses online," a Google spokeswoman, Samantha Smith, said in an e-mail.
Yahoo, based in Sunnyvale, California, is fighting online criminals and protecting users by weeding out malicious advertisements, stopping e-mail spam, paying users who find flaws in software code and working to encrypt all network traffic, Stamos said in written testimony for today's hearing.
"We successfully block the vast majority of malicious or deceptive advertisements with which bad actors attack our network, and we always strive to defeat those who would compromise our customers' security," he said. "Every ad running on Yahoo's sites or on our ad network is inspected using this system, both when they are created and continuously afterward."
The company acted quickly to remove malware found on websites in January and fixed the vulnerabilities, Stamos said.
While new regulations generally aren't favored by conservative politicians, that may be the only way to protect consumers when it comes to Internet advertising practices, McCain told reporters. Legislation also may be necessary to give agencies like the Federal Trade Commission the power to enforce new rules and punish companies for violations in using data collected online, he said.
The growth of online advertising also has fueled a rise in online crime, the report found.
Criminals use online advertisements to deliver malicious code to the computers of innocent users, McCain said. There was a 200 percent increase in advertising with malicious code between 2012 and 2013, he said.
The attack on Yahoo's advertising network lasted from Dec. 27, to Jan. 3. Yahoo briefed Senate staff on the attack, which was possible because a hacker gained access to an employee's account and was able to approve a malicious ad.
"The malware in question spread without the need for user interaction," according to the report. "When a user visited a website with Yahoo ads delivered, the user's browser, at Yahoo's direction, contacted the advertiser's server, which delivered malware to the user's browser instead of the image of an advertisement." The malware took control of computers to create bitcoins, a digital currency.
The report found no evidence to suggest Google or Yahoo's ad network was any more vulnerable to malware attacks than any other major online ad network.
"Yahoo and Google appear to follow standard industry practice," according to the report. "However, the industry as a whole remains vulnerable to these forms of attack."
Users didn't need to click on any ads on YouTube during the February attack on Google's network. Just watching a video was enough to get infected, according to the report.
The malware was designed to break into online bank accounts and transfer funds to the criminals.
"An unwitting consumer who visited YouTube and encountered this malware would have no opportunity to protect herself from potential financial ruin," according to the report. "If she suffered an attack, she would have little recourse unless she managed to track down the cybercriminal who launched the attack, an almost impossible task for security professionals and completely beyond the capabilities of an ordinary consumer."
When law enforcement agents raided a hideout used by Russian cybercriminals, they found a calendar with U.S. holidays and three-day weekends highlighted, McCain said. The criminals highlighted those days because security would be weak for websites they wanted to digitally attack, McCain said. He didn't provide more details.