Terms like “web security” and “data breach” are now familiar to most Americans in light of recent, significant issues with the websites and databases of some large U.S. companies. But web security encompasses more than just protection of consumer data on corporate systems; it is also critical in preventing the widespread introduction of malware directly onto user computers and networks. Most people know they should not open emails from unknown senders or click on strange links, but they may not know that simply visiting a mainstream website could infect a computer or network with malware without a single click. This “malvertising”—which has already become a problem for many popular sites—can deliver viruses with the ability to steal personal information, usernames and passwords. Worse, it can carry viruses that give criminals the ability to take over an infected computer altogether.
Malvertising is so insidious and effective because it can appear on a website and infect a computer system without any warning, and without any action on the victim’s part. The problem is compounded by the difficulty website owners encounter in policing potential malware. Many popular websites use advertising services managed by other companies. This arrangement means website owners often do not have a direct relationship with their advertisers, and may not even know which ads are appearing on their sites. Hidden malware could impact many users before the website owner ever becomes aware of it.
The Senate’s Committee on Homeland Security, Permanent Subcommittee on Investigations recently released a report on malvertisements, entitled “Online Advertising and Hidden Hazards to Consumer Security and Data Privacy.” The report, which was released in conjunction with a May 15, 2014, hearing, states the Committee’s view that current regulations do not go far enough to address and prevent hidden malware. Although the report trumpets some of the Federal Trade Commission’s enforcement actions under existing consumer protection laws, the report also acknowledges Congress’s unsuccessful attempts to pass a comprehensive data security bill. In the absence of targeted legislation, the FTC may promulgate additional rules regulating malvertisements. Any new rules will likely go beyond providing consumers with formal notice of the risks of malvertising, and may extend to measures such as uniform consumer education programs and the provision of meaningful recourse for victims.
The size of the online advertising industry (exceeding $40 billion in annual revenue according to some estimates) ensures that prevention of malvertising will be a hot topic at the FTC for the foreseeable future.