How can it be OK that 1,000 PC’s are lost in the malware wars every time a bad ad is served up in ad networks?

I admit a certain hyper sensitivity to all things security when it comes to Internet. I worked at CA and then Comodo – both heavy players in the online security world. I learned about the scary things that can happen if you go online alone. It is not a pretty picture.

So it’s no wonder that I tend to have a zero tolerance to bad online security practices – among my friends, my family, my peers.  I have even less tolerance (is that possible?) for online security industry practices that can allow 1,000 PCs to get infected before an ad is checked for malware.

That’s right! I recently learned that all the ad serving platforms check ads in their networks after it has been served. In the case of Right Media I am told an ad is served 1,000 times before it is checked. If the ad is malware – oh well – 1,000 PCs are likely to get infected. I was shocked TBH. And I was even more shocked to learn that according to all the large ad serving platforms it seemed perfectly OK (at least the 4 large ones) to check ads after they have been served already.  I had the chance to press a rep from Right Media for an explanation about why are ads not checked before they are served. It was explained to me that the sheer tonnage of ads would make checking everything before it ran impractical.

That answer seemed pretty lame actually. And one does not have to look hard to see how this causes problem up and down the ad market value chain. Recently, TechCrunch and The Drudge Report were hit with malware on their sites served up by an ad in the network. http://news.cnet.com/8301-27080_3-20000353-245.html. The backlash was felt by the likes of Michael Arrington who had to explain the issue to his audience. I felt his pain, more keenly felt because I knew there was little he could do to make it better. It is likely to happen again – the only question is when.

Here we see most blatantly the bad things that happen when you detach consequences from accountability as is the case here. The ad server networks are the ones who serve up the ads, good or bad, but if there is fall-out, it is largely felt by the site that delivered the ad. That ruptures the basic laws of accountability and consequence which ultimately leaves at least 1,000 PCs infected with malware every time there is a virus outbreak.

Now I really do not understand the technological limits of checking ads within an ad networks – but how can it be OK to permit ads to be served before they are checked? Could it be that 1,000 is too small a number to worry about? And as the number of ads being served grows, will a higher 10,000 threshold be OK? Then maybe 100,000 will be a tolerable number?

Here is a challenge to the industry. Elinor Mills’ article on this subject mentions Bennie Smith, a vice president of exchange policy at Yahoo’s Right Media who I invite to respond here. Maybe I it got it wrong. Set the record straight – please – I really want to be wrong.

Better yet – I would love to start a dialogue to solve the problem – between agencies, ad networks, advertisers and the security industry. Sometimes talk is not enough. An alternative is needed – an alternating current. But more on that coming…

Judy Shapiro