How can it be OK that 1,000 PCs are lost in the malware wars every time a bad ad is served up in ad networks?

I admit a certain hypersensitivity to all things security when it comes to the Internet. I worked at CA and then Comodo – both heavy players in the online security world. I learned about the scary things that can happen if you go online alone. It is not a pretty picture.

So it’s no wonder that I tend to have zero tolerance for bad online security practices – among my friends, my family, my peers. I have even less tolerance (is that possible?) for online security industry practices that can allow 1,000 PCs to get infected before an ad is checked for malware.

That’s right! I recently learned that all the ad serving platforms check ads in their networks after they have been served. In the case of Right Media I am told an ad is served 1,000 times before it is checked. If the ad is malware – oh well – 1,000 PCs are likely to get infected. I was shocked, to be honest. And I was even more shocked to learn that all the large ad serving platforms (at least the 4 large ones) seemed to consider it perfectly OK to check ads only after they have already been served. I had the chance to press a rep from Right Media for an explanation of why ads are not checked before they are served. It was explained to me that the sheer tonnage of ads would make checking everything before it ran impractical.

That answer seemed pretty lame actually. And one does not have to look hard to see how this causes problems up and down the ad market value chain. Recently, TechCrunch and The Drudge Report were hit with malware on their sites, served up by an ad in the network: http://news.cnet.com/8301-27080_3-20000353-245.html. The backlash was felt by the likes of Michael Arrington, who had to explain the issue to his audience. I felt his pain, all the more keenly because I knew there was little he could do to make it better. It is likely to happen again – the only question is when.

Here we see most blatantly the bad things that happen when consequences are detached from accountability. The ad server networks are the ones who serve up the ads, good or bad, but if there is fall-out, it is largely felt by the site that delivered the ad. That ruptures the basic laws of accountability and consequence, which ultimately leaves at least 1,000 PCs infected with malware every time there is a virus outbreak.

Now I really do not understand the technological limits of checking ads within an ad network – but how can it be OK to permit ads to be served before they are checked? Could it be that 1,000 is too small a number to worry about? And as the number of ads being served grows, will a higher threshold of 10,000 be OK? Then maybe 100,000 will be a tolerable number?

Here is a challenge to the industry. Elinor Mills’ article on this subject mentions Bennie Smith, a vice president of exchange policy at Yahoo’s Right Media, whom I invite to respond here. Maybe I got it wrong. Set the record straight – please – I really want to be wrong.

Better yet – I would love to start a dialogue to solve the problem – between agencies, ad networks, advertisers and the security industry. Sometimes talk is not enough. An alternative is needed – an alternating current. But more on that coming…

Judy Shapiro

2 Responses

  1. Judy, just found your blog, this is the smartest thing I have read today.

    As a content publisher (http://www.LiveChatConcepts.com) I’m at a loss as to what to do. None of the ad networks we use check ads before they serve them to us, and there is no way for our ad server (OpenX) to check them…

    I have no idea, apart from turning off ads, how to make this right.

  2. It is truly maddening. And it gets worse.

    When I was at Paltalk our software was tested to be safe by Truste. The bad news is that when the bad ads started flying around (Paltalk takes banner ads in their chat rooms), we got delisted by them because we were seen as unsafe!!!!

    We explained it was not our fault. We even turned down all direct advertisers and only ran ads coming from the ad serving platforms.

    None of that mattered – they felt that since it was the site that served up the ad, the software was guilty by association. We lost a lot of time and money – all of which was futile in the end.

    What to do is a problem. I have started an organization called Alternating Current, comprising agencies and brands, to figure out some solutions. This requires an industry solution – not a siloed approach as would be typical.

    This nut is tough to crack :( But I am not throwing in the towel yet :)
