subcommittee's report and senator mccain's opening statement also highlight the hundreds of third parties that may have access to a consumer browser and affirmation with every web page of the visit. according to a recent white house report more than 500 million photos are uploaded by consumers to the internet each day along with more than 200 hours of video agreement. however, the volume of information that people create about themselves pales in comparison to the amount of digital information continually created about the. according to some estimates nearly has had a bite or 1 trillion gigabytes are transferred on the internet annually. that is a billion trillion bytes of data. against that backdrop today's hearing will explore what we should be doing to protect

people against the emerging threats to the security and privacy as consumers. the report finds that the industry's self-regulatory efforts are not doing enough to protect consumer privacy. furthermore, we need to give the federal trade commission the tools that it needs to protect consumers who are using the internet. finally, as consumers use the internet profiles are being created based on what they've read, and what movies they watched on music to listen to. consumers did more effective choices as to what the information generated by their activities on the internet is shared and sold to others. i want to thank all of today's witnesses for their cooperation with the investigation. now our first panel of witnesses . alex stammers, the chief

information security officer of young who ain't in sunnyvale, california. george salem, the senior project manager of global eight in mountain view, california, and critics bees will with the executive director, founder and president of on-line trust alliance in washington d.c. we appreciate all of you being with us this morning and look forward to your testimony pursuant to our rules. required to be sworn. i would ask for you to please stand and raise your right hand. >> to swear the testimony will be the truth and of all truth and nothing but the truth. >> using a timing system.

>> the red light comes on from the you will see let's change from green to yellow giving you an opportunity to conclude your remarks. your word and testimony will be put in the record in its entirety. we appreciate you're limiting your testimony to no more than ten minutes. after we have heard of the question, all the testimony real turned the questions. mr. samos. again, our thanks. >> good morning. that morning. >> chairman, ranking member, distinguished members of the subcommittee, thank you for convening this hearing and inviting me to testify today. i respectfully request my full written testimony be submitted for the record. my name is alex summers, the abu vice-president of information

security. i have spent my career building and improving secured trust for the systems, and i'm very proud to be working on security. a global technology company that provides personalized products and services including search, advertising, content, communications and more than 45 languages in 60 countries. as a pioneer of the world wide web we enjoy some of the longest lasting customer relationships. it is because we never take these relationships for granted that 800 users each month just as to provide internet services across mobile and web. there are few key areas i would like to emphasize. our users matter to us. building and maintaining user trust for secure products is a critical focus. by the fall all our products need to be secure for all users around the globe. second, achieving security online is not an end state but a

constantly evolving jealous of we tackle head on. now where is an important issue that is a top priority. law preventing the distribution through one it's important to address the entire ecosystem and to fight it at each phase of its life cycle. young who fights for users security on many fronts partner with other companies to detect and prevent the spread of mahler and pioneer this a-frame standard to assure user privacy. we have led the industry in combating spam. we continuously improve our product security without of water research community. the largest media publisher to unable encryption for users across the world. i would like to thank the subcommittee for your focus on our and the threat it poses to consumers. internet advertising security is a top priority. we have built a highly sophisticated at quality pipeline to weed out advertising that does not need our content, privacy, our security standards.

this january we became aware of mao were distributed on our side and immediately took action to remove its, investigate how it bypassed or controls and fix the vulnerabilities we found. the impact is users or on microsoft windows. a browser plug in with the history of security issues and was mostly targeted at european ip addresses. as i mentioned earlier, the ecosystem is expensive and complex. a large part of the problem is vulnerabilities of allowing a tagger to take control of user devices through a popular web browser plug ins like java. it also spurred by tracking users into installing software the believed to be harmless but is in fact malicious. we successfully blocked the vast majority with which bad actors attacker now work and we always try to defeat those who would

compromise customer security. this means we regularly improve systems including continuously diversifying a set of technologies and testing systems to better amulet different user base your. every ad is suspected, when created and regularly afterwards . these as often tout all software or try to trick users and the downloading and installing ... software. preventing deceptive advertising once required intervention. although no system is perfect, we now use sophisticated machine learning and image recognition of rhythms to cuts deceptive advertisements with what says trainer systems so that we can detect and respond immediately. we are also the driving force.

the mechanism allows that to properly display on the web page without exposing the users private information to the advertiser and that would. thanks to growing adoptions a framing has its user privacy and security not only in a thriving market place a round internet. we also actively the good of the companies to create a higher level of trust, transparency, and safety. we are members of the interactive advertising iran and integrity task force and improbably joined. we also participate in groups ticket to preventing the spread of now were and disrupting the economic life cycle of son of criminals including the global forum for security teams, the underground economy form, the operation security trust for and the council veto form. well preventing the placement of malicious advertising is essential, it is only one part of a larger battle. we fight the modernization phase

by improving waste to validate the of the intensity of the note and reducing financial incentives. spam is one of the most effective ways militias actors make money. guy who is leading the fight. for example, one way to act is through the mails moving. the original internet mail standards did not require that ascender use an accurate from line. stammers exploit this. these animals are much more likely to by pass filters. a technique generally known as fishing. here is dahlia who is helping the internet industry tackle these issues. the original author of domain keys, mechanism that lets recipients cryptographic we verify the origin of the mlb rita of really contributed and now the standard protect billions of the mills.

building upon the success of our who led coalition of internet companies, plans on institutions and anti spanish groups in creating the the main base messages authenticating market standard. it provides a way to tell the rest of the internet what security mechanisms to expect on me know. data begin the first major nl provider to in essence as the rest of the internet to drop messages that inaccurately claimed to be from your home users. says john to make this change another major male provider has also enabled the. we hope that every major gang member water will follow our lead and implement this common-sense protection. we have reduced spam purported to come from young to accounts by over 90 percent. effused broadly it would target stammer financial incentives with crippling effectiveness. young also incentivizes sharing to ensure broad a trustworthy in

user data is secure. young operates one of the most progressive down the systems on the internet which encourages security researchers to report possible flaws. we engage the researcher and discuss the findings. if the board turns out to be real we fix it and reward the reporter with up to petite thousand dollars. in a major security bugs are often auction of we believe it is critical that we and other companies create an ecosystem where boat burgeoning and established security experts are rewarded for it -- reporting and not exploiting. i do invests heavily. in january meeting corrective browsing the default. as of march domestic international traffic moving between young data centers has been fully encrypted. on going goal is to enable a secure encrypted experience for all our users. in conclusion, want to restate

the security online is not and never will be in and state. it is a constantly evolving global challenge that our industry is tackling and on. terence the stem from the and pipeline or elsewhere are not unique to anyone online company. while criminals those real threats we are strongly dedicated this thing head. with partner with companies to proven to. we pioneered this safer and standard. we have led the industry in combating spam and fishing and continuously improve product security with helpful water research and finally, we of the largest media publisher to enable and corruption. yet who will continue to innovate and how we protect our users, continue to fight several terminals the target us and our users and will continue to view user trust and security as a top priority. thank you for the opportunity to testify.

>> chairman, ranking member, senators of the subcommittee, thank you for the opportunity to testify. my norm is george salem. and the engineering team that prides the delivery of now with the advertising. insuring the users safety and security is one of the main priorities. we have a team of to keep users safe. one of the biggest threat is malicious software known as now or that can control computers with software programs. now were allows malicious hackers to make money as the victims in various ways. it may even lead to identity theft which is now a top the list of consumer complaints for 14 years in a row. advertising is a tremendous role in the evolution of the weber in products, tools, information to consumers often free of charge and has allowed the economy to flourish. the last quarter internet an ad

revenue surged $21 billion, and adds supported internet ecosystems, total of 5 million americans. even though a tiny portion of ads count as now where it undermines users faith which is bad for everyone including cool under users. our incentive is to keep or on one performance it for everyone. this is why we're providing the strongest protections against harmful, malicious content. the efforts for fighting now where is two-pronged, prevent and disable the read the first piece is prevention. one of the best ways to protect users from our is preventing them from accessing infected site altogether. this is why we have developed a tool called save browsing with checks a list of known bad sides. malicious sides are then clearly identified as dangers. the first major search engine to provide such a warning for search results back in 2006.

today over a billion people use it browsing. also the default for users on google crone, muzzle fire fox and the apples of our browsers which helped to protect tens of millions of users. when a user attempts to navigate to one of the sites they get a clear warning of verizon and nikolai to be real looking at ways to for the disseminates their present technology including the providing public interface for anyone to plug in and review. we also provide alerts to web masters you may not be aware wallace's so far a second piece of our effort is disabling advance. we have prohibited now where an abacus direct suspension policy for advertisements that spread now where disabling any we find. our internet systems have a very big proven track record. in 2013 we disabled more than 350 million ads. only a tiny portion of advertising, but our systems are

constantly evolving to keep up with those bad actors. while we may be proactive, we are relatively quiet. now where advertisers are always seeking new ways, and we want to stay at a. we are not the only ones involved in these efforts. these efforts are a team in denver. collaborate closely with others. ten years ago we issued a set of software principles, broad, evolving set of guidelines around software installation, disclosure to users, and advertiser behavior. a nonprofit that offers resources for website owners, security experts, and ordinary users leone and support web sites to a show best practices and invest resources in checks for malicious content. we are in constant communication with other industry players notifying each other about new

tracks and trends. just this month we co-founded trusted adds to my group that offers guidance to consumers on how to avoid all one scams. consumer education, a great first place to visit a website like global on-line safety center to learn more. of course users should always use up today anti virus software and make sure their operating system and browsers are up-to-date and be careful about down loans. they suspected computer may be infected issues representative will parks. we can always use more help in generating awareness. now where is a complex problem of we are tackling head-on with tools, consumer education, and community partnership. we can make the web a safer place. thank you for your time and inspiration. >> thank you very much. >> good morning, german, ranking north mccain, members of the committee.

good morning and thank you for the average in the to testify before you today. i and the executive director and president of the online trust clients. of bottle once the three nonprofit with a mission to enhance, and trust, and power users with the control of data and privacy will promoting innovation in my town. i'm testifying here today to provide context of the escalating privacy and security threats to consumers which result from militias and fraudulent advertising and is now returns. as outlined in exit with a now wear ties in incidents increase over 200 percent over this last year to 209,000 incidents which generated over 12 and a half billion militias have impressions. the impact on consumers is significant. as referenced to my guy who experienced instant 300 million impressions of which 9% or

27,000 unsuspecting users with compromised. for them the infection rate was 100 percent. as noted, this is not an isolated case. cyber calls have successfully inserted militias have the range of sites. the threats are significant. as referenced come of a majority and increasing number are brought by down loans which have increased 190 percent this past year. dry by code is one that when a user simply visit the site with no interaction or clicking required is infected. this threat is not in. first identified over seven years ago, and of little progress has been made to attack the strike. the impact ranges from a tax on current information to turning a device into a bond or a suburb, and take over the vice and use it to execute a distributed denial of service attack against

a bank and a government agency, or other organization. encryption of a user's hard drive demanding payment to be unlocked. users' personal data, pau, health records can be stored and stolen in seconds. in the absence of secure online advertising the integrity of the entire and that is a risk. not on like pollution and industrial age, and the absence of regulatory oversight and meaningful self regulation these trends continue to grow. for reference to the development of coal mining in the use of steam powered generator from coal is without a doubt the most central bond and narrative on the 19th century. jobs were created and profits soared, but the environs and felt the full industrialization and impact in the form of air and water pollution. today we are at similar crossroads which are undermining the integrity interested in a.

how does this occur? thinking. in the absence of any reputation of threat reporting among the industry once detected and shut down by one and worked as cyber criminal simply waterfalls are goes over to another on suspect in of want to repeat the export of war and no easy the different tactics of how amortizing is inserted. it is important to note in this diagram, consumers are clearly bearing the brunt of it. call 25 quality brands and web sites having their image tarnished. the impact of these threats are increasing significantly. caramels are becoming experts and targeting and time in taking advantage of the powerful tools and data available three internet advertisers becoming what is known as stated durbin

marketers with precision to regional rebel sections of society as well as high net worth target audiences. faugh in the absence of any meaningful policy matt -- the expert of choice. anonymous and remain undetected. recognizing the prints in 2007 double click which was later acquired by good will established a mailing list. in 2010 and ota established what is now the advertising content integrity group focusing on security and proper mention best practices. this group of divers stakeholders leverage a proven model of threat mitigation and has since published several white papers. these efforts are small but

first step to combating now our ties. last june and nonprofit funding by global launched an effort. aggressively defending practices to policymakers and regulatory bodies. in the wake of this group's demise with some interesting and was formed last week. according to the site it and how to report the. it is important to note that unfortunately no amount of consumer education can help when a user visit the troops and website that is infected with now where. consumers cannot discern good verses malicious or how it of mines is compromised.

focusing on education after factors like the auto industry showing accident victims to the, after an accident, previously known manufacturing defect instead of building security features in the cars and some profit on. other industry efforts of focused on fraudulent activities that attempt to generate revenue by manipulating and impressions. focuses on the modernization and operational issues facing the industry. these efforts are important but please do not be confused. not related to now wear ties and our any impact that is harmful to consumers. what is needed? of ga proposes a realistic framework addressing five important issues, areas. prevention, detection, notification, data sharing and remediation. such a framework must be the foundation of unenforceable code of conduct of possible legislation.

in parallel operational technical solutions must be explored. i can't envision a day were was is only allowed eds for networks to vouch for the authenticity of the ads they serve and would only render such ads that have been signed and verify. it is recognized as such a model would require systemic changes, it would increase accountability and protect the long-term fatality of online advertising and most important to consumers. in summary, has all wired economy and society we are increasingly dependent on trustworthy, secure, and a zillion on-line services. as observed in our nation's critical infrastructure, we need to recognize that fraudulent businesses, of criminals by state-sponsored actors will continue to exporters systems. for some now wear ties and remains a black swan of that rarely seen but known to exist. for others it remains as the elephant and the room that no one wants to a knowledge of the port of. today companies have no

obligation or incentive to disclose the rule leaving consumers vulnerable and unprotected for potential in months or years during which a untold amounts of damage can occur. failure to address these threats suggests the need for legislation not on like they did a brief laws requiring mandatory notification, data sharing command remediation to those consumers have been harmed. aslan from the target breached, it is the responsibility of companies and executives to implement safeguards and to heed the warnings of the community. i suggest the same standards should apply for the ad industry. we must work together to disclose such boehner abilities even at the expense of short-term profits. it is important to recognize there is no absolute defense against a determined son of criminal. in parallel ota propose incentives to companies your demonstrated that they have adopted of best practices and comply with codes of conduct. they should be afforded protection from regulatory

oversight as well as rules lawsuits. perceive antitrust issues and privacy issues which can be addressed as a reason why not sharing data must be resolved to aiding a real time fraud detection and forensics that is required. trusting the foundation of every communication we received more so we visit, and transaction we make and and we respond to. now is the time for collaboration moving from protective silos of information to a multi stakeholders solutions combatants are prime. thank you, and i look forward to your questions. >> thank you very much. >> thank you, mr. chairman. i think the witnesses. if you put that track back about the increased advertising, with the witnesses agree the problem is getting worse rather than better? >> are would not.

>> but your microphone a little closer please. thank you. >> i don't agree that the problem is getting better -- >> getting worse where jobs are. thank you. i don't believe that it's getting worse. >> you don't believe that chart in? >> i have not seen that charge. i saw that from a report. our indication -- lectures and a chart is inaccurate. >> that's not the information that i have. >> i see. maybe you can provide the committee with information that you have to read. >> our, our data has been pretty much steady on the kinds of attempts the we have seen coming inbound. >> would you agree that these -- probably the worst attacks come from overseas, specifically russia? >> we see a tax from all around. it is usually very difficult to have accurate -- to accurately -- >> you have no accurate data as to where it goes from.

that's good. >> we have accurate data as far as -- >> will then when it comes from? >> we see these, and the world. we see a lot from eastern europe >> well, thank you for that. how about you? >> we also see a lot of the now where it's of the will come from servers that are also in russia and also -- >> this is really an international issue as well as a domestic issue, would argue. suppose that some individual is the victim of our, mr. samos, does the who have been in response ability for that? >> we absolutely take responsibility for users safety, which is where we do the work we do. >> someone loses their bank account and you reimburse them? >> senator, i have always believed the person is responsible for committing the crime is the criminal. >> even though it is using you as a vehicle to commit that crime?

>> senator, we work hard to fight these criminals -- >> is that person to five aren't liable for reimbursement for a loss of that individual who use that -- your services were the vehicle for that. >> senator, we believe that the criminals are liable for their actions. >> i see. and you being a vehicle for it have no liability, sort of like the automobile that had a problem with it, the maker of the automobile is not responsible because they are just the person who sold it. is that right? >> no, senator. i don't think that is the correct analogy. >> i see. >> to work vigorously to protect our users. every single user is important to us. if a criminal commits a crime we do everything we can to investigate, figure out how they were able to do that and the feet in the next time. >> and you have no liability. >> that is a legal question. i'm not a lawyer.

>> i'm asking at common sense. i'm not asking for -- >> i think we have responsibilities to our users of the texture and serious. >> thank you. you have a the five recommendations that you make. you say stakeholders to fail to adopt reasonable best practices and controls should bear the liability and publishers should reject their hands. adopting reasonable best practices and controls? >> one of the challenges is a reluctance to share information among each other and a very isolated -- again, recognizing that there is no perfect answer, and the absence of taking reasonable steps to protect the

infrastructure, they should be responsible. >> how many americans do you think now that this problem exists? >> this information has been kept very quiet. has been suppressed during the years. the executives of some of the trade organizations have denied it even exists. >> we just saw an example of that disputing the leyna -- now were ties in fact. oryx we are fortunate. there are many players. just this past week we have about a dozen companies asking us for legislation where in the ecosystem. and recognize that the businesses being marginalized and anyhow. our data, from multiple sources they don't want to the public because of the pressure from

investors. in return normalizer. hours to just that it is under reported. we do not know and a lack of willingness to share data is impeding the problem today. >> to you both have same best practices standard between your two organizations? >> senator, i believe we use about the same type of technology and tests which the same standards or practices? >> i believe so. >> you would not know? >> and work very closely with our partners to trade notes and share of the same technologies. >> i have to add that we do community. we actually do discussed different issues that come of all the different trends. liability protection to work more closer together. we work closely begin. i don't see -- have the same

best practice standards. we are different organizations, corporations. >> facing the same problem. >> yes. and we communicate about the threats. >> and let you communicate. and asking if you adopt this in best practices standards. >> senator, i believe we already do adopt the same practices. we have never supplementation's which is an important part of security. >> senator, it here it convened several stickle the workshops. chapman house rules to facilitate the data sharing. unfortunately the response is being addressed internal. we ask who will, yum, the other companies to come to the table. the answer has been it is not a problem that we see we need to address. i will go a step further.

chairman and president of i a be in september of trojan polk we stood up and said it's not a problem. only exists the security vendors wanted to be a problem. >> gallegus we get back -- to you agree it's a problem? >> absolutely agree, but we need to keep in context. we need to put it next to the overall now where problem which is much larger. there are three parts to that. there is -- of this create now where. there is distribution of which advertising is a part we are responsible for but honestly a tiny sliver. then there is the financial side. from our perspective we focus a lot on preventing ourselves from being part of the distribution problem and then by the entire life cycle. in the and there will be no perfect protection. what we need to do is decrease the financial incentives for

criminals to attempt to do this in the first place. >> how do you do that? >> in the software side, the companies that make them suffer tourniquet harder for now were to be created. we build our analysis systems to make it harder and harder. >> i look forward to your data. clearly that indicates you got a lot of work to do. even though it may be a tiny sliver, and not sure that is of any comfort to someone unless the bank account wiped out. maybe see you, but not to them. >> to rescind the user. >> well, obviously you are downgrade the importance of this issue when you say it's only a tiny sliver if there is some 200 some thousand. >> that's correct. 209,000 identified unique incidents that occurred. i would say that's a pretty big

sliver. at thank you, mr. chairman. >> thank you. let me ask you, we have testimony here on behalf of the on line trust alliance the says that ideally you will have solutions for publishers were only allowed fans, now works in vouch for the awesome to the -- authenticity. signed and verify, trust -- recognize the such a model would require systematic changes that increase accountability or protect the long-term vitality and most importantly the consumers. would you support those kinds of system changes? >> as to the authenticity is she , i can only speak to how young does this. >> would you support is being

recommended. >> we definitely support the could start with your side. we have moved a great deal of the ad networks in the world to support encryption. >> is there any reason why we can't require that as the spurs before they are put on and the verify that the jurors from -- come from trusted sources. >> that does not exist. >> this is? >> it does not. i think we're talking about a combination of operational best practices and technical. it is a very complex ecosystem multiple intermediaries. this is the desired state. we can't vouch for who the advertisers. that's the first part. that's in the preventive side.

that's operational. >> cannot be done? >> i believe it can. >> is it? >> we have agreements. pass information through, and if we find that in a problematic we get rid of them. >> to the verify? >> senator, i'm not sure exactly what each had and what does. >> our ad networks are verified, but they basically are advertisers they have direct relationships with. >> the people you do have relationships will verify the credibility of their advertising >> they have a vetting process. on not exactly sure. i will say that many have come from companies or crumb of the basically pretend to be legitimate companies. even if he said that we will get them, some problems, they actually may produce as with

companies that appear to be real the vetting process appears to be perfect. these criminals of, and in specific companies and look real . >> what can be done now practically that is not yet been done. >> to help address the specific, the full day workshops. in october we post will we call our risk evaluation which i have here and is referenced in my testimony that provides a checklist on the on boarding or verifying his reputation. this was an example of an operational step. >> taken by melinda. >> again, we make them available. >> to know whether they have been taken? >> i do not know.

>> we are part of a lot of groups working on this problem. >> let me show you a different part of the testimony. companies that have to disclose their role our knowledge of the security of it did in consumers vulnerable and unprotected for potential in months or years during which time months of damage can occur and then the suggestion is that there be legislation adopted similar to your state dated reached laws that require mandatory of the commission, data sharing and remediation to those who have been on to be the support of mandatory ratification requirement? >> this is a more complicated issue and breach of vacation. in the situation you're talking about, it's often not a direct relationship. it would be no information to

know how about a fire. also in a situation where now works as is currently before it has an impact -- >> a beginner's bonds. >> so i agree, it's more a notification to regulatory authorities of an incident occurring in an obviously dependent upon that -- >> regulatory authority. any reason why you should not be required to notify regulatory authority? >> this is every day we stop. it comes down to the details of what you talk about. were talking about 213 incidents the day when every -- has cool pointed out, were talking about finding 10,000 sites a day. >> bridges or attempted breaches ? >> i believe he was talking about size that are set up that host now or. >> how many today?

>> please use the right terminology. >> eight confirmed now were to rising incident where a network or so it was observed and documented. what was what we are referring to. >> in the absence of that that is why there is not true data. makes it hard big american find added the actual perpetrators. >> putting aside the argument for it, any reason you can't do that? >> i have to get back to you on that, senator. >> i personally would be careful about making a commitment like that.

make sure it is in public. this is to make things public is basically talking about -- >> a regulator. >> again, that would be a public document. putting aside the problem, and reason why you can notify the regulated? >> no. >> would you give it back to as after yesterday that recommendation? indicate that now provide information to partners of certain personal information so that era who can communicate with consumers about offers from

yahoo and the marketing partners. then you say the companies in you deal with, however, those partners do not have any independent right to share this information. is the sharing of that information for and? >> privacy and security are intertwined. if you want to get into this kind of details -- >> to you know of and? with a do not. >> is a great emphasis on education. here's the problem. the business partners -- and you provide a list on their website of these third-party partners. there are over 130 companies that do advertising will allow. you know in your privacy policy that these companies may be poisoned cookies or web bugs on our computers as the brewers.

i don't know, how can consumers possibly educate themselves about each of these third parties. there's a hundred and 50 of them with names like date is it, downtrend, diligent, companies totally unknown to people lost sight of the strong. do you think it's feasible -- about ask you, and this will be my last question, for consumers to evaluate the policy, security policies will privacy policies of each of 150 entities? is that a practical suggestion? >> that's an excellent question. not expecting consumers to go and make these. that is why we provide privacy option than work with folks like the d.a. to provide decisionmaking authority for consumers across multiple partners. i believe that's where we have to go, to have the choice up in one place. >> but you are suggesting that they educate themselves about each of those partners your's.

>> i am not suggesting that. i am not familiar with the language referring to. >> thank you, senator. >> thank you. i would kind of like to start out just "a couple of phrases to certainly my feeling on this. as the chairman said, this has enormous complexity. i think the ranking members of that online internet advertising has placed an indispensable. pretty powerful statements in terms of what we're trying to do the internet has been a marvel reading all kinds of economic activity and certain improve people's lives. many to understand how enormously complex the situation is, and the analogy that i would use in terms of crime because we're talking about criminal activity into will be held liable, the analogy i would use would be nuts to you have a criminal. even though you have safeguards in a taxicab that crumbled

thieves those safeguards, takes over the cannon kills somebody. as the cab company called itself liable? at think that's partly a more accurate knowledge. so i think the purpose of this hearing is, what can government attention to to help? i think i know whom he often and too long, i know how you guys obtain revenue. and not too sure about the mta. there are a couple of things that surprised me. let me first ask you, who are you? ready it on the? >> thank you for the opportunity to provide clarity. the ota, all my trust alliance of founded in 2003-4 as a working group to address and bring forward the entire spam standards that young referenced in the original testimony through a collaborative effort. recognizing -- >> unfunded that effort?

>> that effort was the companies like semantic, microsoft, paypall, wants of companies that came together. cisco. >> to you defunding the way? >> our funding, we are a 501c3, not a trade organization. we work across the ecosystem with the beverage those sponsors and contributors and receive grants from vhs and others. our mission is very clear. we support advertising, but our most important part is improving consumer trust and the vitality of the internet. >> here is what some bells and whistles going off in my head. the chairman said that you talked about the fact that not been and will have little incentive to do what? is that an accurate statement? >> i think in the context of the

question of back and clarify, it is incentive data sharing, really an industry issue that we have been trying to get people to work on the get a. >> do you deny the fact that go and young who have an enormous free-market incentives to make sure that this criminal acts it is not occur in the network? >> dominant market players, there's a responsibility and how lack of data sharing in alloy is marginalized in the ecosystem -- >> but answer the question. don't they have enormous financial incentives to try and police this and prevent mount advertising and now we're? >> as they suggested, it's a small percent of the overall and industry. and the operational friction and a change, a major change in how they operate today. >> is still not answering the question. you really don't think they have an enormous financial incentive

to trample is the stuff? >> i think they do, whether they are to fund. >> good. here's the point. what can government do better than what these private companies can do to prevent this ? >> we talked about the defense department has been unable to get on it ready in 15 to 20 years. my point, is there will the government can play that -- hear me out, that does not actually do more harm than good. as i have been investigating this, step, information sharing. the only where were going to get information sharing, will provide liability. is the premise the first thing the gunman as the document

provides liability so you will actually share information. >> thank you, senator. we are in support of information sharing. >> to you think that's the first step? >> i think that's an important step. >> you're talking about enforcement, going after criminals and enforcing and penalizing the criminals. >> yes, penalizing the criminals and making it hard for them to make money. a lot of these guys were selling products. even if we can't arrest them, we can make it difficult for them to profit. >> on target is actions. >> i think this is new.

>> what can government it? >> mentioned basically looking at allowing information. to be quite clear my team is the one that disney and time our ties in and grab it weakens the some the industry about the threats. we actually do talked very openly. some of the of the price of, you have scams. these are consumers. the guise of giving a credit-card number. we are very happy. >> what about of the nation sharing with the government. you may not have a partnership with some sort of federal

pre-emption on data breached. we have that data breach standard, so you don't have to deal with 50 more, potentially hundreds of thousands of jurisdictions. is that something pretty important that the government can do to be constructed as opposed to hampering your activity? >> is, it would. >> my concern is the in at some piece of legislation with the best of intentions and actually makes it more difficult, texture of the ball of actually solving the problem as opposed to complying with regulations that, i'm sorry, written by people that are not even close to as agile and flexible and knowledgeable as what your companies are. >> currently today we are able to, you know, do or scanning, look for bees that ads, says that protect consumers, talked of the folks in the industry currently. right now we do not feel like we have problems or that there is

anything in cameron's. >> okay. part of my concern about some of the answers you are providing as you obviously don't want to align your consumers. and i don't want to put words in your mouth, but i'm more concerned. this is a big problem. i want you to answer the question i asked about the enormous incentives to have. you mentioned your top priority is users matter. i think that just makes common sense. >> user privacy and security is number one. internet business, and users of one click away from going to our competition. we have to prove to them that we take this seriously. when they click on any and that it's a safe and and then when we

deal with the third-party advertisers that they are even partners as well. >> we have a huge incentive to maintain user trust. sites that young who adds ron on or yum sides, to maintain those 800 million people around the world map to maintain trust and live up to our responsibility. >> beckham from a manufacturing background. we have gone through certification. when i first got into it, this was a pretty good deal. providing not only my company the tools to their process under control but to communicate them we and our process under control across all whole host of different parts of the standard. from my standpoint that kind of vacation process would make sense. for this particular to trouble me talk about standards,

security standards, and advertising. is that something that you would support, some kind of third parties of vacation process that would give consumers the comfort that standards are in place. >> senator, i think we would support self regulation to set guidelines. from the actual technical standards this is something that we change and innovation on every single day. we need to give careful to not get too prescriptive. someone who set up in business and to some of the actors in the room. you need to have this cooperative, flexible, fast-moving. >> what we talking about in terms of the level of flexibility?

>> probably. the criminals will be one step at a bus. will we need to do one ongoing basis. >> they need to will wall. be as nimble as possible to make sure we're one step ahead. >> an industry came together. there examples of consumer technologies that could be employed. they could help increase the trustworthiness in advertising. >> thank you, send german. >> thank you. to you know what percentage of all of now where incidents occur through advertising? i think this is your chart. >> this is a chart. >> what percentage of now where incidents are attributable the advertising in 2013? >> i don't have that specific

data. >> how can you not? when you have to know the context? >> this is specific to documented cases where militias that were documented and observe we're not looking at search and/or fraudulent. the area that's going through. the critical infrastructure that's impacting as the day. consumers do not have the ability to protect themselves. >> if i have now or on my computer does not matter where it came from. trying to get the whole problem. .. pass the

>> and you know in the commerce committee some people in this room have heard me say this before. part of the problem is consumers were not rot along early in this process to understand the importance of being educated and understanding that what they are getting for free is coming at a price of advertising. i don't think you would argue mr. spiezle we would have a much different internet if it were not for him fact the back bone, the foundational but one of the internet as we know it and explosion of economic and

dignity and jobs is all around marketing. >> it's all about advertising which is great. we fully agree that advertising supports the services that society gets that. is speak and simmers here how unfair it is that their data is that they are seeing ads for outdoor furniture when they have been shopping for outdoor furniture when they get creeped out about that they are not making the connection that's why their internet content is free. you all get that, right? and that's all on you. you have not informed them appropriately about the bargain they are striking and perhaps what may be most helpful in this regard is to figure out what the costs would be if we were to remove, if we were to clamp down on the government to kind of advertising in the prevalence of advertising on the internet and the ability to behavioral marketing on the internet by

knowing what people are interested in as opposed to just like we know somebody who watches oprah may be might want to run and added for slim fast on oprah. that's what happens in advertising. you try to target europe audience based on what they are looking at. does anybody know what it costs for people to have an e-mail or to have the search capability they have if it were not for advertising? has anyone ever tried to qualify that so consumers would understand the bargain they are getting? >> senator i just have to say senator mccain in his opening statement talked about the ecosystem being worth around $43 billion. that would be the overall cost. >> okay what is the one thing the government is supposed to do in this space? i think it's catch criminals, right? mr. spiezle why are we catching more of these criminals? how much time as your organization spending on the failure of government both nationally domestically federal

state local and internationally the abject failure we have had in going after and i know it's really hard because were talking about ip addresses that disappear in less than that. >> thank you for the question. it is clearly a problem and epidemic of portions. one of the biggest problems we have is data-sharing not to government but also remove the barriers and the organizations in this room for example anti-trash airings moving each other. that's the first part. we can't peel back the onion work with the fbi and secret service. this is a very difficult problem to go back to it and get it. >> so you are saying that the government's failure because google and yahoo! and their colleagues are not sharing information with law enforcement? >> i'm saying in general. it's not a governmental failure.

it's a general failure with industry data-sharing but it's a difficult problem. i want to underscore they are also being victimized. there were structures being victimized as well so i certainly recognize the issue that's hurting their businesses but we have to put in place the measures to protect and prevent it and also to detect and when we detect it we can notify them but in the absence of data we can't notify the other parties to bring down the ads as quickly as possible or to look at the methodology to prevent it from reoccurring. >> let's try to drill down on that a little bit. mr. subbot and mr. salem are you all trying to work in a cooperative and moment by moment fashion with law enforcement? >> yes senator we have a dedicated crime team that we are in process of beefing up that when we see an incident where we believe we have enough information we were for the information to law enforcement.

we have had some success in disruption of several cybercriminal networks. you don't need to arrest him to make it economically feasible for them to be committing these crimes. >> i would like more information on that and i would certainly appreciate anything organization to bring to that also. i would like to understand why we are not having more robust success in the law enforcement space since your companies are being victimized and consumers have been victimized by criminals. >> i can give you a few anecdotes that might help. google constantly is being asked for information by law enforcement to give information about cybercriminals and we do that. a few times we have approach law enforcement said we have exact ip addresses and we know exactly where the services are there in the united states one of the things we are asked to give is show us the fraud and show us who is fraudulent. we don't have that information.

that is something where overall we have had problems approaching law enforcement. >> for the record we did provide an example of that for us? >> i can do that. >> can you give -- one of the things i think there's a stress for you all and that is informing consumers as clearly and boldly as many of us believe you should inform them because a lot of this can be prevented to consumers as you well know mr. spiezle. you understand the ecosystem of the internet and if you understand the concept of cookies and if you understand what your browser is actually doing and if you understand the power of a you can avoid a great deal of the danger. i'm sure some the stress for your companies is that the more you warn consumers the more they are going to be afraid to robustly participate in the

internet in terms of accessing ads and doing the things that generate a lot of the income for the overall eco-structure. how can you balance this better? i know it's better than it was when i started harping on the several years ago about informing consumers that the sikh rate about their power about the individual user's power i have a great deal of power on this but i've got to be honest with you the only reason i notice because i have an amazing staff that helps me understand how i can access that power. the average consumer does not have a clue. it seems to me that's what the organizations that fund you mr. spiezle have to be more worried about is how the consumer becomes more empowered in this environment read because it's the only real way. >> it's i respond i clearly agree that consumers have a shared responsibility to make sure they are updating their computers and patching their systems and practicing safe computer practices absolutely

but again going to a trusted sites that they know of any type it in. all the things we tell them not to do and they go to a trusted site unexpectedly exploit has never been disclosed to them before. there's no amount of consumer education that can solve that problem so if a shared responsibility as stakeholders consumers networks and publishers alike care. that is why we are having this discussion today. >> my final question is your organization and a lot of i am guessing it as a company selling security projects i would want to invest in you and make contributions to you so i'm assuming a lot of your contributors are backed the people who make security products. >> actually the contrary to that over 50% of our funding comes from publishers clearinghouse twitter web sites and web properties we are depending on consumers to trust services. >> you provide the services the

workshops you provide are they free of cost to people who come, or is part of your income that you actually need? >> are training workshops are cost recovery basis and we hold some throughout the u.s. and europe as well. >> so you don't get any revenue stream. >> they are designed to cover operating costs. >> thank you. >> thank you senator mccaskill. senator portman. >> thank you for holding this hearing. the chart tells at all. we have seen this dramatic increase and so it's appropriate we are talking about it and i agree with mr. johnson said earlier. we want to make sure that continues is critical to our economy. earlier we talked about a lot of solutions and i don't understand enough about the problem to know what the resolutions are frankly but verification standards certainly seem to make sense.

he talked about information-sharing protocols and the protections needed to make that work well. we would like more information on that if you can give it to us for the record. the networks themselves the measures for them seems to make a lot of sense and we talked some about enforcement. i want to ask you about that in a second but enforcement requires the information which is important to get that what mr. subbot he talked about in the financial system now. i've a question to back up so i can understand this problem better. mr. salem you are with google kind of a big company and i understand that you scanned 100% of the ads in your advertising networks. is that true? >> we scan 100% of the ads initially. not every ad is necessarily scanned unless it's hosted by

google so we have third parties and we have google ads as well so all of the ads for google are scanned before sir. a few of the third-party. >> let's focus on the ads that are google hosted. if you are scanning all of this adds an them out for thai scene that ended up on youtube earlier this year circumvent the scanning process. it was a major issue and everybody was aware of it. how did that happen? >> it happened because there were a lot of third party compliance ads and a lot of javascript calls. there are potentially tracking our analytics along with an ad. when we scan in and we scan the ads and it looks great. we continue to scanned ads based on the risk and how often it shown. these ads went back before we had a chance to rescan them. >> the vulnerability was there that you did have a continuous ability to analyze that ad and

it went bad so what are you doing to address that vulnerability? >> what we have done is go to the risk profile in of these ads. we basic we lowered it and are scanning often. >> are you scanning often enough to avoid what happened with the youtube malware again? >> we believe so. we scan all of the ads that we host and we rescan them quite a bit. we have hundreds of thousands of ads taken down continuously. some of those are based on the web sites they go to their bad in some on the -- the go bad. >> you are focused on preventing which is this it is disabling malware are necessary. when prevention fails as it did with this huge incident what can consumers do to protect themselves from harm inflicted by ads on google's ad network or any of the suthers networks? >> the web site itself is on the

safe browsing list so users that use chrome mozilla or safari or our already covered by this. also the specifics were patched version of internet explorer so this is telling you that these are the users that got the malware or we don't know how many downloaded the malware. >> you don't know what the damages. >> when we look at the numbers we look at what is the potential we look at our last scan and that is where we consider all of that potentially bad advertising but that basically shows us the protected user is knowledge that they need to use two use anti-virus software. that in general is not just from melford rising but malware in general. >> let me ask a question of oath of view about consumers that you talked about consumers needing more information. what can be done to inform

people that they have been infected so they know it without tipping off the cybercriminals involved? is the one area as senator john fund -- johnson was talking about this. it's impossible for people to know how to react if they don't know they have been infected and how we going to look at this? >> thank you senator. as the gentleman from google said cybercriminals are choosing users to attack criteria that are not ours and the servers that are not our so we don't have the exact list of users or ip addresses which were attacked nor do we have a direct relationsrelations hip to those users so direct notification is a difficult issue. that's why we do general notification that we post on her blog and had discussion with the

press in the safety and security web site that gives tips on how they can patch your system and free anti-virus tools to check whether or not the malware is --

this seems to be what senator levin is saying is you guys don't have the incentive you would otherwise have because consumers don't know that them out for thai -- malvertising came from you. how do you respond to that? i think if you don't know a particular ad network there might be a disincentive to address it. otherwise there would be a much greater incentive. this came from my yahoo! account the advertising i thought on yahoo!. what's your response to that? >> i can actually say something and clear up the misconception. just because you've visited a site because of the anonymity we don't necessarily know who you are so as far as even being able

to let people know oh this ad could potentially have malware. we don't know who you are. it's all anonymous and it's done on purpose that way. that's one of the reasons why someone can target you specifically that can target potentially your gender or age group based on the filing but that's about it. we don't necessarily know who you are so that's nearly impossible. >> as to the motivation obviously this kind of incident happens. it has an impact on the trust their users have the mess in that trust is absolutely the bedrock of our business so maintaining user trust is essential which is why we have a security team a trust and safety team and anti-malware team and why we are working on this issue 24/7. >> you can't tell your customers that they were attacked. >> is mr. salem said we don't have that information. we can't directly tie bob smith looked at this advertisement.

>> and it's good to have that connection to a bigger ad. would that make her more effective enforcement regime and you would be in a position to respond or the ad networks would? >> i believe senators that would be significant privacy issue to track individuals. >> i fun and interesting looking through some of the in advance this is some cybercriminals carry out attacks on weekends and holidays because they figure your guard is down. is your guard down on weekends and holidays? >> absolutely not senator. thank you for the question. it is you are guilty until proven incident so we scan before an ad repeatedly afterwards and if anything is strange that ad is immediately pulled and our people are paid schneier security team works 24/7. >> so consumer shouldn't be worried about weekends and holidays? >> absolutely not.

acting trust in ads is focused on deceptive advertising and fraud and one of the reasons we put together is single place you can report advertisements to make sure all the companies involved so we can take them down and then those advertisers. >> thank you. >> thank you very much senator portman. we think our participants on this panel for your testimony. it's been extremely helpful and we will now move onto our next next panel. >> you mr. chairman? it's a little disturbing when mr. salem and mr. subbot dispute the facts. ronald reagan used to say that facts are stubborn things. i also am a bit disturbed by it's somebody else's problem in the testimony and heightens my motivation to reinvigorate

legislation that we tried before but also tried to make google and yahoo! understand that this is a much bigger problem than the testimony your testimony indicates they think it is today and it's a bit disappointing. thank you mr. chairman. >> thank you very much. we have three boats, for votes in five minutes. >> i just want to ask yahoo! and google the locations of scanning how many scans of you doing and if you want complete coverage what are we talking about here? 1%, 100%? >> we scan all this was 100%. >> you where we scanning and rescanning. what would be complete coverage versus what%? at is it an impossiblimpossibl e question to answer? >> i think. >> can you give it a try for the record. the other thing i want to know is how many people in your

organization are devoted to cybersecurity the number of people because i want to ask the government they -- how many they have. >> 100 or send it as we scan hundreds of times based on different metrics and as for the number of people i would say we have over 100 people working on security and trust. >> you want to give an answer to the number of people quickly? >> google has 100 people specifically working on security. we have over one thousand one a come store at policies and making sure that our ads are compliant. >> thank you and we can think this panel. you are all very helpful to us. we appreciated and again i want to thank senator mccain for bringing us to this point. i agree with his comments and the thrust of this report.

[inaudible conversations] >> at my pronouncing your name correctly? >> it's mithal. >> thank you. social director of the division of privacy and identity protection of the federal trade commission in washington and mr. mr. lu mastery of the managing director of the digital advertising alliance of new york we appreciate both of you being here this morning and we look toward to your testimony. i think you know the rules of the subheading that you need to be sworn so we ask that you stand and raise your right hand. do you swear that the testimony will be the truth, the whole truth and nothing but the truth so help you god? we will get as far as we can into your testimony before the vote start and we may have to work around the testimony and the questions i'm afraid.

and let's try to do this at eight minutes each and put your statements in the record. ms. mithal please start. >> thank you chairman levin and ranking member mccain and members of the subcommittee. i'm from the federal federal trade commission. appreciate the opportunity to come% the commission's testimony related to on line advertising. i also think the subcommittee for its report it issued yesterday which highlights on line threats to consumers. we look forward to working with you on these important issues. the commission is primarily a civil law enforcement agency charged with enforcing section 5 of the ftc act which prohibits unfair or deceptive practices. we are committed to using this authority to protect consumers on the on line marketplace. for example we use section 5 to take actions against on line ad networks. we also educate consumers and businesses about the on line environment and encourage

industry self-regulation. in my oral statement i will discuss her enforcement and education efforts in three areas privacy malware and data security. first with respect to privacy we brought many enforcement cases against on line ad networks. for example an on line ad network that offers consumers the ability to opt out against receiving targeted ads. what they didn't tell consumers is the opt out lasted only 10 days. we allege this was deceptive the the -- deceptive under section 5. as a more recent example we obtained a record $22.5 million civil penalty against google for allegedly making misrepresentations to consumers using safari browsers. google place tracking cookies on consumers computers. the opt out instructions that safari users didn't need to do

anything because the setting would ensure consumers would be opted out three despite these instructions in many cases we allege that google circumvented safaris default settings in place cookies on consumers computers. although we generally can't get civil penalties for section 5 are able to get civil penalties in this case because the large google violated the prior ftc board. the second area is like to highlight his malware. she no know where can cause a range of problems from unwanted pop-up ads to slow performance to keystroke bloggers that can capture sensitive information. this is why we brought several section 5 cases against entities that unfairly downloaded nowhere and took consumers computers without their knowledge. one of the cases against innovative marketing allege the malware was placed on consumers computers to on line ads. we have also made consumer education a priority. the commission sponsors on brought on line a web site

designed to educate consumers about basic computer security. we have created a number of articles and videos and games that describe the threats associated with malware and explain how to avoid detection. finally while going after the purveyors of malware is important it's also critical that ad networks and other companies take reasonable steps to ensure they are not inadvertently enabling third parties to place malware on consumers. to this end at the network should obtain reasonable and -- the commissions undertaken substantial efforts over a decade to promote strong data security practices in the private sector in order to prevent hackers and repairs of malware from harming consumers. we have entered into 53 settlements on line and off-line businesses that we charged with failing to reasonably protect consumers personal information. our data security cases include actions against microsoft whether the more recently fandango and snapchat. in each of our cases we have

made clear that reasonable security is a continuous process of addressing risks that there is no one-size-fits-all data security program that the commission doesn't require perfect security in the mere fact that a breach has occurred assuming the company has violated the law. these principles apply it let's you add that works there just because malware's been sold because malware's been sold as a minka ad network is section 5 rather become up to where the ad network took reasonable steps to prevent third parties from using on line ads to deliver malware. in closing the commission shares his committee's concerns about the use of on line ads to deliver malware onto consumers computers which implicates each of the areas discussed. consumer privacy malware and data security. we encourage several steps necessary including more widespread consumer education continued industry self-regulation and the enactment of strong federal data security in breach law that would give the commission the authority to seek civil penalties for violation.

thank you and i'd be happy to answer any questions. >> chairman levin ranking member mccain members of the subcommittee good morning and thank you for the opportunity to speak at this important hearing. my name is --. companies have every interest to protect the privacy of consumers data and i am pleased to report to the committee on the continued success of the self-regulatory program which provides consumers with privacy friendly tools for transparency and control of web viewing data. all of this fact by a growing code of enforcement. the daa is across industry nonprofit organization founded by the leading advertising. associations. these include the association of national advertisers the american association of advertising agencies direct marketing associations the

advertising bureau the american advertising federation and the network advertising initiative. these organizations came together in 2008 to develop the self-regulatory principles for on line behavioral advertising which were then extended in 2011 to cover the collection of the use of web viewing data for purposes beyond advertising. more recently the daa provided guidance for collection of data around in and around mobile environments. in 2012 the obama administration publicly praised the daa as a model of success for enforcing codes of conduct recognizing the program is quote an example of the industry leadership has a critical part of travesty protection going forward" meant. the commissioner of the federal trade commission is quoted as calling the daa one of the great success stories in the privacy space.

the daa ministers and promotes these responsible and conferences so predatory principles for on line data collection and use. to provide independent accountability for the daa the console of better business bureaus and drug marketing association operate collaborative we accountability mechanisms independent the daa. to date there've been more than 30 publicly announce compliance actions the daa program. we believe the daa is a model example of how interested stakeholders can collaborate across the system to provide meaningful and pragmatic solutions to such privacy issues. especially in areas highly dynamic and advertising. the internet is a tremendously and generic economic contributed more than $500 billion or 3% of gdp. a major part of that includes the data-driven marketing

economy which touches every state and contributes nearly 700,000 jobs as of 2012. advertising fuels this powerful economic engine. in 2013 of. advertising revenues reached $43 billion. the cause of advertising consumers access a wealth of on line resources at lower cost. revenue from on line advertising subsidizes content services that consumers value such as on line newspapers blog social networking sites mobile applications e-mail and phone services. these advertising supported resources truly have transformed all of our daily lives. interest-based advertising is essential to the on line advertising model. interest-based advertising is delivered based on consumer preferences or interests inferred from data about on line activities. research shows advertisers pay several times more for ads and as a result of this generates

greater revenue to support free content. consumers also engage more actively. interest-based ads are vital for small businesses as well. they can stretch their marketing budget to reach likely consumers. third-party ad technologist allow small content providers to sell advertising space to large advertisers thereby increasing revenue. preserving and advertising ecosystem that meets the needs of small and large businesses and at the same time provides consumers ways to address the privacy expectations a reason why so many companies have publicly committed to daa principles. the daa provides consumers choice with respect to collection and use of the web viewing data preserving the ability of companies to responsibly deliver services and continue to innovate. among other things the daa principles call for enhanced notice outside privacy policy so consumers can be made aware of the companies with which they interact while on the internet

provision of a choice mechanism given consumers choice not companies education and strong enforcement mechanisms. together these principles increase consumer's trust and confidence in how information is gathered on line and how it is used to deliver advertisements based on their interests. the daa multisite principles which is one of our three codes of conduct sets forth clear prohibitions against certain practices including the use of web viewing data for eligibility purposes such as employment credit health care treatment and insurance. the daa has developed a universal icon to give consumers transparency and control with respect to interest-based data. the icon provides consumers with no information about their on line

we are committed to consumer education. daa launch an educational web site at your addresses.com to provide easy-to-understand informative videos explain the choices available to consumers

the meaning of the icon and the benefits derived from on line ever testing. more than 15 million users have visited the site and to prepare for the introduction of the daa mobile choice app for mobile environments which will release later this year we have also recently released guidance on how the icon should appear in mobile environments to ensure a consistent user experience in that environment as well. the key feature of the daa suffered leisure program is independent accountability. all of the self predatory principles are back to robust enforcements administered by the consul of better business bureaus and marketing association. 33 public compliance actions have been announced and have included taa participants and nonparticipants alike. we have an obligation to rip port noncompliance when it happens. the daa has championed consumer control that accommodates consumers privacy and supports

the ability to responsibly deliver services desired by consumers. we appreciate the opportunity to be here today. we believe they have a successful model and can continue to evolve and pricing. >> thank you very much mr. mastria. senator mccain. >> thank you to the witnesses. we have an important going on. we saw this previous -- do you believe that's an accurate depiction of malvertising? >> i do and frankly no matter what the numbers i believe it's a problem. it's a serious problem and we are using all of our tools at our disposal. >> what you think the google and yahoo! guys would say that it's not accurate? >> i don't know senator. >> in my view this is certainly. >> we haven't done our own independent research but i have

no reason to doubt the statistics. regardless it's a significant problem for consumers. >> the only other question i have her, this seems to me consumers are being harmed whether it be a quote sliver as the witnesses testified or whether it's more widespread and on the increase. would you agree that it's on the increase? >> i don't know but according to this light it looks like it is. >> the person -- make the consumer that is harmed has no place to go for help or compensation it appears. do you agree with that? >> i do. >> so what do we do? >> i think this is a very serious problem that will require a multipronged solution. off the top of my head i would say three things. first increase consumer education things like updating browsers patching software having anti-virus anti-malware software and computers and more

robust enforcement against the purveyors of malware and against any third parties that are letting these purveyors malware get through. >> seems to me there should be standards of enforcement standards of behavior and standards of scanning, standards do everything they can to prevent the consumer from being harmed and then if they don't employ those practices that they should be held responsible. does that make sense? >> it does center and currently we have the authority to take action against unfair practices of the standard is if they practice causes consumer injury that's not outweighed by the benefits of competition and that can be considered a section 5 violation we brought over 50 cases against companies that fail to maintain reason the protection to protect consumer information so that's a tool we can use and if congress shows to

give us for the tools we would choose that. >> are you familiar with the legislation that senator kerry and i introduced back in 2011? >> i am familiar with it and i appreciate it. >> would you do me a favor and look at that again and if you believe that we need additional legislative tools for you to look at it review it and give us recommendations as to how you think it can be best shaped to protect this consumer and to address this issue. do you believe it would be helpful if you did have legislation? >> absolutely and particularly in the data security area. currently we don't have defining authority so we have advocated for legislation that would give us the authority to seek civil penalties against companies that don't maintain these practices. >> i would appreciate it if you would review what we have proposed. obviously they has to be updated and i will do everything in my power to see if i can get senator levin to get engaged as well. he's pretty important in some areas.

not others, but some. >> i am not a tough sell in this area i want you to know. i'm glad you made reference to the question about whether we need additional strong federal policy. your written testimony says the commission continues to reiterate its long-standing bipartisan call for enactment of a strong federal data security and breach notification law. is that still the position of the commission? >> absolutely. >> mr. mastria do you want to comment and have you taken a look at the possible legislation for instance that senator mccain made reference to? >> i am generally familiar with it but as a self-regulatory body we do not weigh in on legislation. we leave that to our funding. associations to do that. >> i'm going to try to finish

and if not i will be right back. mr. subfour -- mr. mastria the association requires its members to publish the names of parties that do data collection for their web site and to link to their privacy disclosures. is that correct? do you require that of the member's? >> we do require notice and transparency. >> do you require your members to publish the names of parties that do data collection on their web site? publish on their their web site?

>> no, beat you required disclosure via a web site. >> a web site. okay. do they identify on that web site which of the parties are not members? >> so if you go to our choice tool all of those folks participate with the daa either directly or indirectly so all 115 or 117 that are on there certainly are affiliated with us. >> and not necessarily members? >> we are not a membership organization. we certify that they abide by our standards. >> everyone on the web site is listed as affiliated. >> yes. >> okay. there's a provision in there as i understand it. you have a web site called about ads.in tow and consumers can visit the page and with a few?

see every participating company that is tracking their browser. is that correct? >> it's a list of all participants affiliated with the daa that you characterize that do work to be intermediaries in the advertising space. >> they can opt out of receiving advertising? >> there is an opt out.net the bottom that effectively opts out of that. >> now the opting out as i understand it prevents consumers from receiving targeted ads based on existing cookies. is that correct? >> it is based on technology yes. >> doesn't prevent consumers from receiving targeted ads? >> yes. >> okay and when you opt out with one of the participating companies still however is it not correct you have the ability to collect future data about you as your travel the internet? is that a yes? >> in some cases guess but there are prohibitions against the collection of certain data for

interest space advertising. >> that's generally true is it not? i'm not talking about in terms of what is allowed for collection of interest space advertising. they can continue to collect future information. >> yes. i can only speak to what our program covers. >> your program does not prohibit the collection of future information? is that correct? >> it does prohibit the collection of future information for interest-based advertising but not certainly if not certainly is there something else going on. >> in other words if you opt out those companies can no longer collect information for interest-based advertising for you? >> that's right. >> okay. now do they have to delete the data that they have already collected on you? >> based on the opt out? the retention policy that we

have is tied to it. they are allowed to keep it as long as there's a business need. >> that means they are allowed to keep it. >> until there is no longer business need. >> they are not required to eliminate the data that they have already collected. is that correct? >> they cannot use it for inches-based ads. >> now this as i understand it if a consumer clears out all the cookies on his internet then because this is a cookie-based opt out that unless an interest-based advertiser technology sees that cookie on the persons computer they can then send an interest-based ads. is that correct? mi stating it crackly? >> the clearing of cookies is an issue and in 2012 we enabled a suite of browser plug-ins which

solve that issue. >> so if you eliminate all your cook these the opt out will still function? >> that's right. >> so the consumer does not have to continually worry about opting out. once they have opted out that will contend should be effective? >> using the browser plug-ins effectively creates a hardened cookie the way we talk about it. yes. >> that's helpful. thank you. have you considered an opt-in approach and set up an opt-out approach? >> so senator there are certain categories of data for which our codes actually do require opt in >> how about the interest-based ads?

>> so generally speaking if you think about interest-based ads they work on as described earlier there may be an audience that is more interested in outdoor furniture versus indoor furniture. >> i understand that but have you considered an opt-in approach for interest-based ads? >> no, the opt out model seems to work especially if you're putting consumers in control. >> would you prefer an opt in or an opt out model? >> we don't ask us questions. do as consumers --. >> your associates asked a whole lot of questions. your association, the people that are not members but associated. they ask a lot of questions. >> i'm not familiar with those. >> is there any reason why you can't ask consumers whether or not they prefer an opt in or opt in out approach and

interest-based ads in wired members could not do that? >> i think the reality is that what we give consumers is an ability to opt out for data that is generally anonymous. further categories of data take for instance health or financial there are opt in procedures. >> i'm not talking about the other kind of data. i'm not talking about that. the kind of data that there's only an opt out provision. is there any reason why that kind of data could not be subject to a choice? you either want to opt in or opt out. why couldn't consumers be given that choice choices my question. >> it is a choice. >> the choices opt out of opt-in of individual approaches. i'm saying why not give the consumer an opportunity to either opt-in or what they currently have which is to opt

out period or opt out specifically. >> consumers can as you noted earlier decide to clear their cookies in reset felt the opt-outs -- reset all the opt-outs. >> you are not going to answer my question. >> i apologize senator. >> the question is clear. >> we don't take a position on policy. we simply when bun the program as its effectuated. >> don't you have a code? >> yes, we have three. >> why not make it part of the code to give consumers that option? >> we do. >> the option i just described.

that is not part of the program. >> thank you. ms. mithal bug you for the record give us any suggestions relative to the additional authority that you would like in addition to commenting on the legislation that senator mccain made reference to? would you give us any soliciting

recommendations from you as to any legislation that you would recommend to promote greater policy and greater choice in terms of the internet and advertising on the internet? would you do that? >> sure senator. i would say first and foremost foremost. >> i don't mean right now because i have got to go. i think i probably missed the first vote already. thank you for oath. it's been useful hearing and we appreciated. we thank you for coming and we stand adjourned. [inaudible conversations]

>> the wonderful thing about the gulf coast is its underappreciated and that's good because it gives us a lot to write about. if we were in new york or san francisco or chicago those cities and places are also well-known and course new york is the capital but here on the gulf coast we need to think of that from texas to the florida panhandle.

the release of pan pin golf sensibility. we have a similar environment and similar types of trees live oaks long leaf pines sandy soil salts in the air the gulf of mexico of course nurses and supplies us with wonderful seafood. estuaries and rivers in places like mobile bay that are wonderfully rich in tradition and culture and there have been books and so forth in and around all these things for hundreds of years so it's an extraordinarily rich subject to take and then of course along comes the oil spill in 2010 were all of a sudden we are at center stage and people are beginning to look at the gulf coast and think about wow what's it like there or what moves them or we didn't know we got so much of our oil and gas from them. the nation really became kind of tuned in to how important the gulf is.

>> we are sitting here today in a city designed by frenchman. l'enfant the french engineer and architect. the great symbolic work of the sculpture in the gateway to the country of new york the statue of liberty given to us by france by a french sculptor. countless rivers and towns and universities and colleges all over the country with french names. we don't pronounce them the way they do but the influence of

france on this country is greater than most americans appreciate. >> the president and first lady michele obama toured the national september 11 memorial and museum. the president along with new york governor andrew cuomo former new york mayor michael bloomberg and new jersey governor chris christie spoke at this one-hour event. ♪ ♪

♪ ♪ ♪ ♪

♪ ♪ ♪ ♪

♪ ♪ ♪

♪ ♪ ♪ ♪ ♪ thro' the perilous fight ♪ ♪ o'er the ramparts we watched ♪ ♪ were so gallantly streaming ♪ and the rocket's red glare ♪ ♪ the bombs bursting in air