
Politics Public Policy Today, CSPAN, July 1, 2014 11:00am-1:01pm EDT

11:00 am
finishing up this conversation on syria, iraq and isis, we expect more discussion during today's pentagon briefing. the decision to send additional troops to iraq. admiral john kirby will take questions starting 2:00 p.m. eastern live on c-span. looking at our primetime lineup on cspan3, american history tv and a look at u.s. foreign policy. we'll examine america's response to totalitarianism, being al qaeda and rwanda genocide. on c-span2, booktv with a focus on best sellers.
11:01 am
and consumer drones. author alan huffman shares the tales of two mississippis in jackson. >> isaac hill was founded by isaac ross. when he realized he was going to die and the slaves would be sold or become common slaves, he wrote in his will that at the time of his daughter's death the plantation would be sold and the money used to pave the way for the slaves to immigrate to liberia, where a free slave colony had been established. they call it repatriation and talk about them going back to africa. you have to understand these people, most of them were
11:02 am
americans. they had been here for three, four, five generations. it wasn't like they were just going home. they were going back to the continent their ancestors originally inhabited. it was quite the risk so they took their culture, what they knew here, there. some took the bad aspects, too, the slavery, but that's all they had ever known. they built houses like this one. after all, they are the ones who built this house. there were a lot of basically greek revival houses the free slaves built. across the river was louisiana in liberia. there was a georgia, a virginia, a kentucky, maryland county, and all those people came from those states in the u.s.
11:03 am
>> explore the history and literary life of jackson saturday at noon eastern on c-span2's booktv. representatives from google and yahoo say they are committed to protecting data from malware. the federal trade commission's privacy and associate director testified. senator carl levin chairs this 2:11 hearing. good morning, everybody. for almost a year the permanent subcommittee on investigations has been investigating hidden hazards to consumers' data privacy and security that result from online advertising. our subcommittee operates in a
11:04 am
very bipartisan way, and our practices and our rules provide that the ranking minority member may initiate an inquiry, and our tradition is for both sides of the aisle to work on investigations together and our staffs work very, very closely together. this investigation was initiated and led by senator mccain, so i'd like to call on him to give his opening statement first after which i'll add a few additional remarks, but first i'd like to commend senator mccain for his leadership and his staff for their very hard work in addressing the facts and the issues that are the subject of today's hearing. senator mccain. >> thank you, mr. chairman, i appreciate you and your staff's cooperation in conducting this important bipartisan investigation which has been the hallmark of our relationship together for many years. i believe that consumer privacy
11:05 am
and safety in the online advertising agency is a serious issue and warrants this subcommittee's examination. with the emergence of the internet and e-commerce, more and more commonplace activities are taking place on the internet, which has led to major advances in convenience, consumer choice and economic growth. these advances have also presented novel questions concerning whether consumer security and privacy can be maintained in the new technology-based world. we will examine these issues today specifically in the context of online advertising, where vast data is collected and cyber criminals exploit vulnerabilities in the system and use malware to harm consumers. as we discuss this complex subject, it's important to keep in mind the following simple idea that i think everyone will agree on. consumers who venture into the on-line world should not have to know more than cyber criminals about technology and the internet in order to stay safe.
11:06 am
instead, sophisticated online advertising companies like google and yahoo, whose representatives are here with us today, have a responsibility to help protect consumers from the potentially harmful effects of the advertisements they deliver. deciding who should bear responsibility when an advertisement harms a consumer can be a technical and difficult question, but it can't continue to be the case that the consumer alone pays the price when he visits a mainstream website, doesn't even click on anything but still has his computer infected with malware delivered through an advertisement. at the same time, online advertising has become an instrumental part of how companies reach consumers. in 2003, online advertising revenue reached a record high of $42.8 billion, surpassing for the first time revenue from broadcast television advertising, which was almost $3 billion less. with a continuing boom in mobile devices, on-line advertising will become even more lucrative
11:07 am
in years to come. this hearing will outline the hazards consumers face through online advertisements, how cyber criminals have defeated the security efforts of the online advertising industry, and what improvements could be made to ensure that consumers are protected on line and the internet remains a safe, flourishing engine for economic growth. make no mistake, the hazards of online advertising are something that even a tech-savvy consumer can't avoid. it's more than just avoiding shady web sites or clicking on advertisements that look suspicious. for example, in february of this year, an engineer at a security firm discovered that advertisements on youtube served by google's ad network delivered malware to visitors' computers. in that case the user didn't need to click on any ads. just going to youtube and watching a video was enough to infect the user's computer with a virus.
11:08 am
that virus was designed to break into consumers' online bank accounts and transfer funds to cyber criminals. a similar attack on yahoo in december 2013 also did not require a user to click an advertisement to have his computer compromised. a consumer whose bank account was compromised by the youtube ad attack has little recourse under the laws that currently stand. of course, if an infected consumer managed to track down the cyber criminal who placed the virus, he or relevant law enforcement agencies could take legal action against that wrongdoer. but cyber criminals today are a normal part of sophisticated enterprises, often overseas. tracking them down is exceedingly difficult, even for professional security specialists. a consumer has essentially no chance whatsoever of recovering funds from cyber criminals. how can it be that cyber criminals can sneak malware into advertisements under the noses
11:09 am
of some of the most technologically advanced companies in the world? cyber criminals employ clever tricks to avoid the security procedures used by the online advertising industry. one of these key security procedures is scanning, essentially having a tester visit a website to see if a virus downloads to the test computer. just as normal online advertisers can target their advertisements to run only in specific locations, cyber criminals can also target by location to avoid scanning. for example, if a cyber criminal knows that the facilities responsible for scanning ads are clustered around certain cities, they can target the malicious advertisement to run in other areas so the scanners will not see it. they have used even simpler techniques to block out security. when law enforcement raided the hideout of a russian criminal
11:10 am
network, they found calendars marked extensively with u.s. federal holidays and three-day weekends. these cyber criminals were not planning fourth of july picnics, they were planning to initiate malware attacks when security staffing at the ad networks and website would be at their lowest ebb. just this past holiday season on friday, december 27, 2013, two days after christmas and four days before new year's eve, cyber criminals hacked into yahoo's ad network and began delivering malware-infected advertisements to consumers' computers. the malware seized control of the users' computer and used it to generate bitcoins, a digital currency that requires a large amount of computer power to create. independent security firms estimate that around 27,000 computers were infected with this one malware-laden advertisement. the result of these cyber criminal tactics has been
11:11 am
countless attacks against consumers online. one major vulnerability in online advertising is that the advertisements themselves are not under the direct control of online advertising companies like yahoo and google. these companies choose not to directly control the advertisements themselves, because sending out all those image and video files would be expensive. instead, online advertising companies have the advertiser himself deliver the ad directly to the consumer. while it's cheaper for companies in the online advertising industry to operate this way, it can lead to greater hazards for consumers. malicious advertisers can use their control over advertisements to switch out legitimate ads to put in malware instead. the tech companies who run the online companies do not know until the ad is served. because the companies don't control the advertisement, their quality control processes are purely reactive, only
11:12 am
finding problems after they arise instead of before. as the online advertising industry grows more and more complicated, a single online advertisement for an individual consumer routinely goes through five or six companies before ultimately reaching the consumer's computer. that fact makes it easier for the various companies in the chain to disclaim responsibility when things go awry. one instance where that issue was apparent was the attack on major league baseball's website in june 2012. in that case the malicious ad appeared to be for luxury watches and was displayed as a banner at the top of the mlb web page. that ad was shown to 300,000 consumers before being taken down. in the aftermath of that attack, it was still unclear what entity was responsible for delivery of the malware. one security analyst noted at the time, quote, the lack of transparency and relationships in online advertising made
11:13 am
assigning responsibility for the attack virtually impossible. one way to get an idea how complicated the online advertising world and online data collection can be is to take a look at what happens when a consumer actually visits a website where advertisements are served by third party ad companies. when a person visits that website, it instantaneously contacts an advertisement company to provide an advertisement. they contact other internet companies who analyze data on the user for the purpose of targeting advertisements to him. each company can contact other companies who profit from identifying users and analyzing their online activities. ultimately hundreds of third parties can be contacted resulting from a consumer visiting just a single website. using special software called disconnect, the subcommittee was
11:14 am
able to determine how many sites were contacted when a user uses a particular website. these are represented in a chart. in this first example -- the chart -- we'll go to the video. we see what happens when a user visits the website of an ordinary business that does not depend heavily on advertising revenues. in this case, our company was td bank, a company whose website provides online banking services for its existing customers, and more importantly not to generate income from people visiting the site. for that reason, it does not need to derive a large amount of revenue from online traffic and advertisements. you can see there -- it's very difficult to see, but a few third parties were contacted. by contrast, when a consumer visits a website that depends much more heavily on revenue from advertising based on the number
11:15 am
of people who visit their website, the number of third parties can be enormously higher. for example -- do we have a technical -- okay. this video shows what happens when a consumer visits tmz.com, a celebrity gossip website. just to make that point even more clear, here are td bank and tmz side by side. another failure in the current
11:16 am
online industry is the lack of meaningful standards for security. the two primary self-regulatory groups, the digital advertising alliance and the network advertising initiative, have not been active in generating effective guidance or clear standards for online advertising security. on the government side, the ftc has brought a number of enforcement actions against companies for deceptive online advertising practices pursuant to its authority under section 5 of the ftc act. these cases all involve some specific misrepresentation made by a company rather than failure to adhere to any general standards. i will just summarize by saying on the question of consumer privacy, there are some guidelines how much data can be generated on internet users and
11:17 am
how much that data can be used. but these approaches, do-not-track efforts and notice-and-choice procedures, have only been partially effective. a new approach to preventing abuses of consumer data privacy may be necessary. a few years ago, senator kerry and i introduced a commercial privacy bill of rights. while updates will be necessary, it provides a framework of how to think about these issues moving forward. one that includes basic rights and expectations consumers should have when it comes to the collection, use and dissemination of their personal and private information on line, specifically in prohibited practices, a clarified role for the ftc in enforcement, and a safe harbor where those companies choose to take effective steps to further consumer security and privacy. that also envisions a role for industry, self-regulators and stake holders to engage with the ftc to come up with best practices and effective solutions. consumers deserve to be equipped
11:18 am
with the information necessary to understand the risks and to make informed decisions in connection with their online activities. today one thing is clear. as things currently stand, the consumer is the one party who is involved in online advertising who is scientifically capable of taking security precautions and forced to bear the vast majority of the costs when security fails. for the future, such a model is not tenable. there can be no doubt that online advertising has played an indispensable role in making innovation profitable on the internet. but that should not come at the expense of the consumer. i would like to thank everyone working with me on this and the witnesses coming before the subcommittee. thank you, mr. chairman. >> thank you so much, senator mccain. today's hearing is about the third parties that operate
11:19 am
behind the scenes as consumers use the internet. particularly, the subcommittee's report outlines the complexity of the online advertising ecosystem. simply displaying ads that consumers see while browsing the internet can trigger interactions with a chain of other companies, and each link in that chain is a potential weak point that can be used to invade privacy or host malware that can inflict damage. we've seen a dramatic example in the visuals that senator mccain presented to us, as well as outlined in the report. those weak links can be exploited through -- although consumers have done nothing other than visit a mainstream website. the subcommittee's report and senator mccain's opening statement also highlight the hundreds of third parties that may have access to a consumer's
11:20 am
browser information with every web page that they visit. according to a recent white house report, more than 500 million photos are uploaded by consumers to the internet each day, along with more than 200 hours of video every minute. however, the volume of information that people create about themselves pales in comparison to the amount of digital information created about them. according to some evidence, nearly a zettabyte or 1 trillion gigabytes are transferred on the internet annually. that's a billion trillion bytes of data. against that backdrop, today's hearing will explore what we should be doing to protect people against emerging threats to their security and privacy as consumers. the report finds the industry self-regulatory efforts aren't doing enough to protect consumer privacy and safety.
11:21 am
furthermore, we need to give the federal trade commission the tools it needs to protect consumers who are using the internet. finally, as consumers use the internet, profiles are being created based on what they read, what movies they watch, what music they listen to, on and on. consumers need more effective choices as to what information generated by their activities on the internet is shared and sold to others. i want to thank all of today's witnesses for their cooperation with the investigation. i don't know if senator -- has a statement. i will now call our first panel of witnesses for this morning's hearing. alex stamos, chief security information officer of yahoo! inc. in sunnyvale, california. george salem of google inc. in mountain view, california, and
11:22 am
craig spiezle, the executive director, founder and president of online trust alliance in washington, d.c. we appreciate you being with us. we look forward to your testimony. pursuant to our rules, all witnesses who testify before this subcommittee are required to be sworn. i would ask you each to stand and raise your right hand. do you swear that the testimony that you will give to the subcommittee will be the truth, the whole truth and nothing but the truth, so help you god? >> i do. >> we'll use a timing system today. about a minute before the red light comes on, you are going to see lights change from green to yellow, giving you an opportunity to conclude your remarks. your written testimony will be
11:23 am
printed in the record in its entirety. we would appreciate you limiting your oral testimony to no more than ten minutes. mr. stamos first and then mr. salem and mr. spiezle. then after we have heard all the testimony, we'll turn to questions. please proceed. again, our thanks. >> good morning. >> good morning. >> chairman levin, ranking member mccain and distinguished members of the subcommittee, thank you for convening the hearing and inviting me. i appreciate the opportunity to share my thoughts and discuss the user-first approach to security at yahoo!. i respectfully request my full written testimony be submitted for the record. >> it will be. >> thank you, sir. my name is alex stamos, yahoo's chief information security officer. i joined in march. prior to that i served as the chief technology officer of artemis internet and was a cofounder of isec partners. i have spent my career building
11:24 am
and improving secure, trustworthy systems and i am very proud to be working on security at yahoo. it is a global technology company that provides services including search, content and communications in 60 countries. as a pioneer of the web we enjoy some of the longest lasting consumer relationships on the web. it is because we never take these relationships for granted that 800 million users each month trust yahoo to provide them with internet services across mobile and web. there are a few key areas i would like to emphasize. first, our users matter to us. building and maintaining user trust through secure products is a critical focus. by default, all of our products need to be secure for our users around the globe. second, achieving security online is not an end state; it is a constantly evolving challenge we tackle head on. third, malware is a top priority for yahoo! while preventing malware is
11:25 am
one part of the equation, it is important to fight it at each phase of its lifecycle. fourth, yahoo fights for security on many fronts as well. we partner with other companies to detect and prevent the spread of malware advertising and pioneered the safe frame standard to assure user privacy. we have led the industry in combating spam and phishing. we improve our product security with the help of the wider research communities and we are the largest media publisher to enable encryption for users across the world. i'd like to thank the subcommittee for focusing on malware and the threat to users. it is a top priority for yahoo. we have built a sophisticated ad quality pipeline to weed out advertising that doesn't meet our content, privacy or security standards. this january, we became aware of malware distributed on yahoo sites. we took action to remove it, investigated how the copy bypassed our controls and fixed vulnerabilities we found.
11:26 am
the malware impacted users on microsoft windows with out-of-date versions of oracle java, and was mostly targeted at european ip addresses. users on macs, mobile devices and up-to-date java were not affected. the system is expansive and complex. a large part of the problem is the vulnerabilities that allow an attacker to control user devices through popular web browsers like internet explorer, plug-ins like java, office software and operating systems. malware tricks users into installing software they believe to be harmless but is malicious. we blocked the vast majority with which bad actors attack the network. we always strive to defeat those who would compromise customer security. this means we regularly improve our systems, including continuously diversifying the set of technologies and testing systems to better emulate different user behaviors. every ad running on yahoo! sites
11:27 am
and our ad network is inspected using the system, both when they are created and regularly afterwards. yahoo strives to keep deceptive advertisements from ever reaching users. our systems prohibit advertisements that look like operating system messages because the ads often tout false offers or try to trick users into downloading and installing malicious or unnecessary software. preventing deceptive advertising once required human intervention, which meant slower response times and inconsistent enforcement. though no system is perfect, we use sophisticated machine learning to catch advertisements. this lets us train the systems about advertisers and landing sites to detect and respond to them immediately. we are also the driving force behind the safe frame standard. the safe frame mechanism allows ads to properly display on a web page without exposing private information to the advertiser or network. thanks to growing adoption, safe frame enhances user privacy and
11:28 am
security not only in the thriving marketplace of thousands of publishers on yahoo but around the internet. we actively work with other companies to create a higher level of trust, transparency, quality, safety in advertising. we are members of the interactive advertising bureau ad integrity task force and we have joined trustinads.org. we participate in groups dedicated to preventing the spread of malware and disrupting the economic lifecycle of cyber criminals, including the global forum for teams, the underground economy forum, operations security trust forum and the bay area council forum. while preventing the placement of malicious advertisements is essential, it is only one part of a larger battle. we fight the monetization phase by improving ways to validate authenticity of e-mail and reducing the financial incentives to spread malware. spam is one of the most effective ways malicious actors make money.
11:29 am
yahoo! is leading the fight to eradicate that income. one way spammers act is through e-mail spoofing. the original internet mail standards didn't require an accurate from line in an e-mail. spammers exploit this to send billions of messages a day that pretend to be from a friend, family member or business associate. these e-mails are much more likely to bypass spam folders as they appear to be from trusted correspondents. spoofed e-mails can be used to trick users into giving up user names and passwords, known as phishing. here is how yahoo! is helping the industry tackle the issues. yahoo! was the author of domainkeys identified mail, which lets mail recipients identify the real origin of e-mails. yahoo freely contributed the intellectual property to the free world and now the standard protects billions of e-mails between thousands of domains. building upon the success, yahoo! led internet companies, financial institutions and anti-spam groups in creating the message authentication or dmarc standard
11:30 am
which tells the rest of the internet what security mechanisms are on e-mail they received and what action the sender would like to have taken on spoofed messages. in april yahoo! became the first provider to have a strict reject policy. in essence we asked the rest of the internet to drop messages that inaccurately claimed to be from yahoo!.com users. since yahoo! made the change, other mail providers have also used reject. we hope every major e-mail provider will follow our lead and implement this protection against spoofed e-mail. dmarc reduced the spam purported to reduce this from over 90%. if used broadly it would target financial incentives. yahoo incentivizes sharing for our user data secure. to this end yahoo! has one of the most progressive bug bounty programs, which encourages researchers to report flaws in the system via a secure web portal. we engaged the researchers and
11:31 am
discussed findings. if the bug is real we fix it and reward the reporter with up to $15,000. in an age where security bugs are auctioned off and used maliciously, we believe it is critical that we and other companies create an eco-system where burgeoning and established security experts are rewarded for reporting and not exploiting vulnerabilities. yahoo! invests to ensure security of users and data across products. in january, we made encrypted browsing the default for yahoo! mail. in march, domestic and international traffic moving between yahoo's data centers has been fully encrypted. our goal is to enable a fully encrypted experience for users no matter what device they use or from what country they use yahoo!. in conclusion i want to restate that security online is not and never will be an end state. it is a constantly evolving global challenge that our industry is tackling head on. threats that stem from the ad pipeline or elsewhere are not unique to any one company or ad network.
11:32 am
while criminals pose real threats we are dedicated to staying ahead of them. yahoo! fights on multiple fronts. we partner with multiple companies to detect and prevent the spread of malware. we pioneered the safe frame standard to assure user privacy. we have led the industry in combating spam and phishing. we improve our product security with the help of the wider research and security communities and we are the largest media publisher to enable encryption for users across the world. yahoo! will continue to innovate in protecting users. we will continue to fight criminals who target us and our users and continue to view user trust and security as a top priority. thank you very much for the opportunity to testify. i look forward to answering any questions you may have. >> thank you very much. mr. salem? >> chairman levin, ranking member mccain and senators of the subcommittee, thank you for the opportunity to testify on google's efforts to combat malware on the web.
11:33 am
my name is george salem and i'm senior product manager. ensuring our user safety and security is one of google's main priorities. we have a team of 400 full time security experts working around the clock to keep users safe. one of the big threats faced is malicious software that can control computers or software programs. malware allows them to make money and may lead to identity theft, which is top of the list of consumer complaints at the ftc for four years in a row. we bring more products, tools, information to consumers often free of charge. it allowed the web economy to flourish. in the last quarter internet and ad revenues surged to 21 billion dollars. the ad supported internet eco-system employs 5.1 million americans. only a tiny portion of ads have
11:34 am
malware, but it undermines users' faith in the ecosystem. our incentive is to keep the online performance safe or consumers won't continue to use the products. we'll provide the strongest protections against harmful and malicious content online. our approach to fighting malware is two-pronged: prevent and disable. the first piece is prevention. one of the best ways to protect users from malware is preventing them from accessing infected sites all together. this is why we developed a tool called safe browsing that checks any page against bad sites. malicious sites are identified as dangerous in search results. we were the first major search engine to provide such a warning for search results, back in 2006. today over a billion people use safe browsing. safe browsing is also a default for users on google chrome, firefox and apple safari
11:35 am
browsers, which protects tens of millions of users. when a user attempts to navigate to a malicious site they get a clear warning advising them to click away. we are looking for ways to disseminate safe browsing technology, including providing a public interface for anyone to plug in and identify reviewed malware. we have alerts to web masters who may not be aware malicious software is on the property. a second piece is disabling bad ads. we have prohibited malware in our ads. we have a strict suspension policy for advertisers that spread malware. we proactively scan billions of ads each day across platforms and browsers, disabling any we find that have malware. our systems have a proven track record. in 2013 we disabled more than 350 million ads. it is only a tiny portion of the advertisements on our platforms but the systems are evolving to keep up with bad actors. while we may be proactive we are quiet about our technology. malware advertisers look for any new ways to avoid detection and
11:36 am
enforcement systems and we want to stay ahead of them and not tip them off to our efforts. we are not the only ones involved. these efforts are a team endeavor. we collaborate closely with others in the community. ten years ago we had software principles, a broad set of guidelines available online around software installation, disclosure to users and advertiser behavior. we are a member of stop malware.org, which is for security experts and ordinary users. we own and support free websites to share best practices, investigative resources and provide checks for malicious content on the topic. we are in communication with other industry players, notifying each of us about new malware attacks and new trends. just this month we and facebook, twitter, aol and yahoo co-founded trustinads.org, which offers guidance
11:37 am
to consumers to avoid online scams. another huge piece is consumer education. a great first place to visit is websites like google's online safety center. of course always use up-to-date virus software, make sure the operating system and browser is up to date. they should use a reputable product to rid it of malware. we can always use more help. malware is a complex problem. we are tackling it with tools, consumer education and community partnerships. if we all work to identify threats and stamp them out we can make the web a safer place. thank you again for your time and consideration. >> thank you very much. mr. spiezle? >> good morning, chairman levin, ranking member mccain and members of the committee. good morning and thank you for the opportunity to testify before you today. my name is craig spiezle, executive director of the online trust alliance. it is a 501(c)(3) nonprofit with a
11:38 am
mission to enhance online trust, empower users with control of data and privacy while promoting innovation and vitality of the internet. i'm testifying today to provide context to the escalating privacy and security threats to consumers which result from malicious and fraudulent advertising, known as malvertising. as outlined in exhibit a, these incidents increased over 200% over the last year to 209,000 incidents, which generated over 12.4 billion malicious ad impressions. the impact is significant on consumers. yahoo! experienced over 300,000 malicious impressions, of which 9%, or 27,000, unsuspecting users were compromised. for them the infection rate was 100%. as noted this is not an isolated case. cyber criminals successfully inserted malicious ads on a range of sites including google,
11:39 am
microsoft, facebook, the wall street journal, new york times, major league baseball and others. the threats are significant. the majority, and an increasing number, are from drive-by downloads, which increased 190% this past year. a drive-by download is one where a user who visits a site is infected with no clicking or interaction required. the threat isn't new. it was identified over seven years ago but little progress has been made to attack the threat. the impact ranges from capturing personal information to turning a device into a bot, where a cyber criminal takes over a device to use it, in many cases, to execute a distributed denial of service attack against a bank, government agency or other organization. just as damaging is the deployment of ransomware, which encrypts a hard drive demanding payment to be unlocked.
11:40 am
user's personal data, photos, health records can be destroyed and stolen in seconds. in the absence of secure online advertising the integrity of the internet is at risk. not unlike pollution in the industrial age, in the absence of regulatory oversight and meaningful self-regulation the threats continue to grow. for reference, the development of coal mining and the use of steam power generated from coal is without a doubt the most central bonding narrative of the 19th century. jobs were created and profits soared but the environment felt the impact of industrialization in the form of air and water pollution. today we are at a similar crossroads, which is undermining the integrity and trust of the internet. so how does malvertising occur? the most common tactic is a cyber criminal going directly to an ad network, selecting the target audience and paying for an ad campaign.
11:41 am
in the absence of reputation checks or threat reporting, once detected and shut down by one network the cyber criminal waterfalls, or goes to another network, to repeat the exploit over and over. on the left you see the different tactics of how it is inserted and, again, it is important to note in this diagram the consumers are bearing the brunt of it. also quality brands and websites, their images are being tarnished as well. the impact of the threats is increasing significantly. criminals are becoming experts in targeting and timing, taking advantage of the powerful tools and data available to internet advertisers. they have become what's known as data driven marketers, with precision to reach vulnerable segments of society as well as high net worth target audiences. they have been able to choose the day and time of the exploits and the type of device to exploit. in the absence of meaningful
11:42 am
policy and traffic quality controls, organizers recognize malvertising as the exploit of choice, often remaining undetected for days. recognizing the threats, in 2007 doubleclick established a mailing list which remains one of the primary methods of data sharing. in 2010 ota established the advertising content integrity group, focused on security and fraud prevention best practices. this group, a diverse set of stakeholders, leveraged a proven model of threat mitigation and published several white papers including risk evaluation and remediation guidelines. the efforts are small but a first step to combat malvertising, reflecting input from leaders including google, microsoft, paypal, twitter and others.
11:43 am
as you heard before, last june stopbadware, funded by google and others, launched the ad integrity alliance. this january the initiative disbanded due to the members', quote, desire to focus on aggressively defending practices to policy makers and regulatory bodies. in the wake of the group's demise, trustinads.org was formed last week. according to its site, its focus is public policy and raising awareness of the threats and how to report them. it's important to note that unfortunately no amount of consumer education can help when a user visits a trusted website that is infected with malvertising. consumers cannot discern good versus malicious ads or how the device was compromised. focusing on education after the fact is like the auto industry telling accident victims who to call after an accident presenting a
11:44 am
previously known manufacturing defect instead of building security features into the cars they sell and profit from. other industry efforts have focused on click fraud, fraudulent activities which attempt to generate revenue by manipulating ad impressions. that is focused on operational issues facing the industry. while the efforts are important, please do not be confused. click fraud isn't related to malvertising or any impact that's harmful to consumers. so what is needed? ota proposes addressing five important areas: prevention, detection, notification, data sharing, and remediation. such a framework must be the foundation of an enforceable code of conduct or possible legislation. in parallel, operational technical solutions must be explored. i envision a day where publishers would only allow ads from networks that vouch for their ads and where browsers
11:45 am
would only render such ads signed and verified from trusted sources. it is recognized that such a model would require systemic changes, but it would increase accountability and protect the long-term vitality of online advertising and, most importantly, consumers. in summary, as a wired society we are dependent on trustworthy online services. as observed in almost every area of the nation's infrastructure, we need to recognize that fraudulent businesses, cyber criminals and state sponsored actors will continue to exploit our systems. for some, malvertising is a black swan event, rarely seen but known to exist. for others, it still remains the elephant in the room nobody wants to acknowledge or report on. today companies have no obligation or incentive to disclose their role or knowledge of an event, leaving consumers vulnerable and unprotected for months or years, during which untold amounts of damage can occur. failure to address the threats
11:46 am
suggests the need for legislation not unlike state data breach laws, requiring mandatory notification, data sharing and remediation to consumers that have been harmed. as learned from the target breach, it is the responsibility of companies and executives to implement safeguards and to heed warnings from the community. i suggest the same standards should apply for the ad industry. we must work together to openly disclose immediate vulnerabilities, even at the expense of short-term profits. it is important to recognize there is no absolute defense against a determined cyber criminal. in parallel, ota proposes incentives to companies who demonstrate that they have adopted such best practices and comply with codes of conduct. they should be afforded protection from regulatory oversight and frivolous lawsuits. perceived anti-trust issues and privacy issues, which are continually cited as a reason for not sharing data, must be resolved to
11:47 am
aid in the realtime fraud detection and forensics that are required. trust is the foundation of every communication we receive, every website we visit, every transaction we make and every ad we respond to. now is the time for collaboration, moving from protective silos of information to multistakeholder solutions combatting cyber crime. thank you and i look forward to your questions. >> thank you very much. senator mccain. >> thank you very much, mr. chairman. i thank the witnesses. if you put the chart back up about the increase in malvertising. would the witnesses agree that the problem is getting worse rather than better? would you agree, mr. salem? >> could you put your microphone closer, please? >> thank you. >> i don't agree that the problem is getting better. >> is it getting worse?
11:48 am
>> thank you. i don't believe it is getting worse. >> you don't believe that chart then? >> i have not seen that chart. i saw it from the report. our indication where we -- >> so you're saying the chart is inaccurate? >> that's not the information that i have, sir. >> i see. maybe you can provide the committee with the information you have. mr. stamos. >> sir, our data has been steady on the kinds of attempts we've seen coming inbound. >> would you agree probably the worst attacks come from overseas, specifically russia? >> we see attacks from all around. it's usually very difficult to accurately -- >> so you have no accurate data as to where it comes from? that's good. >> we have accurate data as to -- >> where does it come from? >> we see these kinds of attempts from all around the world. you're right. we see a lot from eastern europe and the former russian republics.
11:49 am
>> well, thank you for that. mr. salem? >> yes. we also see a lot of the malware itself will come from servers also in russia and also -- >> so this is an international issue as well as a domestic issue, i would argue. suppose some individual is the victim of malware. mr. stamos, does yahoo! have any responsibility for that? >> we absolutely take responsibility for user safety, which is why we do the work we do. >> so someone loses their bank account, you reimburse them? >> senator, i have always believed the person who is responsible for committing a crime is the criminal. it's our responsibility -- >> even though it's using you as a vehicle to commit the crime? >> senator, we work hard to fight these criminals. >> is that person liable? are you liable for reimbursement for a loss of that individual who used -- that your services
11:50 am
were the vehicle for that? >> senator, we believe that the criminals are liable for their actions. >> i see. and you being the vehicle for it, you have no liability. has a problem with it. the maker of the automobile is not responsible because they are just the person who sold it. is that right? >> no, senator. i don't think that's a correct analogy. >> i see. >> we work vigorously to protect users. every single user is important to us. if a criminal commits a crime we do everything we can to investigate, figure out how they were able to do it and defeat them next time. >> you have no liability whatsoever? >> senator, that's a legal question. i'm not a lawyer. i'm here to talk about security. >> i'm asking a common sense -- i'm not asking -- >> i think we have a responsibility to users and we take the responsibility extremely seriously. >> thank you.
11:51 am
mr. spiezle, you have the five recommendations that you make. in prevention you say stakeholders who fail to adopt reasonable best practices and controls should bear the liability and publishers should reject their ads. are stakeholders adopting reasonable best practices and controls in your view? >> today the information does not suggest they are doing that. one of the challenges is reluctance to share information among each other. it is isolated now. again, recognizing that there is no perfect security, in the absence of taking reasonable steps to protect the infrastructure and consumers from harm they should be responsible. >> how many americans do you think know that this problem exists? >> this information has been kept very quiet. it's been suppressed over years. the executives of some trade organizations have denied it exists publicly. >> we just saw an example of that disputing the malvertising
11:52 am
facts. where did you get them, since they don't share your view? >> we are fortunate. this week we had a dozen companies come asking for legislation in the ecosystem, saying they recognize that in the absence of this the business is marginalized and they need help. the data comes from multiple sources: the threat intelligence community, ad networks willing to share information anonymously. today they don't want to be public, because of the trade organizations. we try to normalize it. i would suggest this data underreports it by at least 100%. we do not know, and the lack of
11:53 am
willingness to share data is impeding that problem today. >> mr. stamos and mr. salem, do you have the same best practices standard between your two organizations? >> senator, we use about the same technologies and tests. >> do you have the same best standards practices? >> i believe so, yes. >> you wouldn't know. >> we work with our ad partners to trade notes and share a lot of the same technologies. >> we actually do communicate. we do discuss different issues that come up, different malvertising trends. >> do you need liability protection to work more closely together? >> we work very closely together. i don't see -- >> why don't you have the same best practices standards? >> we are different organizations, different corporations. >> but you are facing the same problem, mr. salem.
11:54 am
>> yes. we communicate about the threats. >> i'm glad you communicate. i'm asking if you will adopt the same best practices standards. >> senator, i believe we already do adopt the same practices, but we have diverse implementations, which is an important part of security: to have diversity of ways to combat a single threat. >> senator, if i may add, the ota has held several multi-stakeholder workshops offering chatham house rules to facilitate data sharing. unfortunately the response has been that it is addressed internally. we have asked google multiple times, yahoo!, the other companies to come to the table. again, the answer has been it's not a problem, it's not one we see we need to address. >> i will go a step further. the chairman and president of the interactive advertising bureau in september of 2010 publicly stood up and said malvertising is not a problem. it only exists because security vendors want it to be a problem. >> well, then i guess we get back. mr. stamos, do you agree it is a problem?
11:55 am
>> absolutely. when you look at a graph like that we have to put it next to the malware problem, where the numbers are much larger. there are three parts to it. there are the authors who create malware, which is about creating safe software. there is distribution, of which advertising is the part we are responsible for but is a tiny sliver of the distribution problem of malware. then there is the financial side. from our perspective, we focus a lot on preventing ourselves from being part of the distribution problem, but then we fight the entire lifecycle. in the end there is no perfect protection in each of the places. we need to decrease the financial incentives for criminals to attempt to do this in the first place. >> how do you do that? >> on the software side, the companies that make the software try to make it harder for malware to be created. in distribution we build the
11:56 am
analysis systems to make it harder for them to mix up. >> i will look forward to your data on malvertising, since clearly that indicates you've got a lot of work to do. even though it may be a, quote, tiny sliver, i'm not sure that's of comfort to someone who has their bank account wiped out. maybe to you, but it's not to them. >> excuse me, senator. every user -- >> well, obviously you are downgrading the importance of this issue when you say it is a tiny sliver if there is some 200,000 -- >> that's correct. 209,000 identified unique incidents that occurred that were documented. >> i would say that sliver is a pretty big sliver, mr. stamos. thank you. >> we have testimony here from mr. spiezle from the online trust alliance that says ideally we'll have a solution where publishers would only allow
11:57 am
ads from networks who vouch for the authenticity of the ads they serve and web browsers will render only such ads signed and verified from trusted sources. it is recognized that such a model would require systemic changes, yet they would increase accountability, protect the long-term vitality of online advertising and, most importantly, the consumers. would you support those kinds of systemic changes, mr. stamos? >> thank you, senator. as to the authenticity issue for ad networks, i can only speak to how yahoo! does this. >> would you support what mr. spiezle is recommending? >> we support cryptography. currently technology doesn't exist to sign an ad all the way through, but to move to encryption we have moved a great deal of the ad networks in the world to supporting encryption
11:58 am
end to end, which is what's supported in browsers now. >> is there a reason we can't require that ads, before they are put on, be verified that they come from trusted sources? is there a reason you can't do that? >> right now the browser technology doesn't exist. >> does it exist, mr. spiezle? >> the browser technology doesn't exist. we are talking about a combination of operational best practices and technical. it is a complex ecosystem with, as senator mccain stated, multiple intermediaries. this is a desired state. if we can't vouch for who the advertiser is we shouldn't accept the ads in the first place. that's on the preventative side. it's operational. >> can it be done? >> pardon me? >> can it be done? >> i believe it is.
11:59 am
>> is it done now? >> we have agreements with the ad networks to have them pass information through. if we find they are a problem we work with them. >> do they verify? >> i'm not sure. >> mr. salem, do you? >> our ad networks are verified, but they can have advertisers they have direct relationships with. we don't know what they are. >> do the people you have relationships with verify the credibility of advertisers? >> they have a vetting process themselves. i'm not sure. many of the advertisements come from criminals that pretend to be legitimate companies, even if you vet them. we have seen problems with sears.com, crosspen.com. they produce ads with companies that are real. the vetting process appears to be perfect, but the criminals have made specific companies that look real. >> what can be done now practically that's not yet being done by companies like google and yahoo!? >> to help address the specific threat we held a four-day
12:00 pm
workshop. in october we published what we call a risk evaluation framework. it's referenced in my testimony. it provides a checklist on the onboarding, or verifying the reputation. it was an operational step. >> has that step been taken by yahoo! and google, for instance? >> we make them available. >> have they been taken? those specific steps. >> i don't know. >> i'm not sure what steps mr. spiezle is talking about. >> if you had gone to the meeting, you would have known. how come you didn't go? >> we are part of a lot of groups working on the problem. >> let me change to a different part of the testimony here. companies today have little
12:01 pm
incentive to disclose their knowledge of a security event, leaving consumers vulnerable and unprotected during which damage can occur. the suggestion is there be legislation adopted similar to state data breach laws that require mandatory notification, data sharing and remediation to those who have been harmed. do you support a mandatory notification requirement, mr. stamos? >> this is more complicated than breach notification. you are talking about malvertising. there is often not a direct relationship with the user. there would be no information to know how to notify them. also in a situation where malvertising is caught early before it has an impact --
12:02 pm
>> let me get mr. spiezle's response. >> in the context of notification, i agree it is an incident occurring. then depending upon that -- >> let's talk about regulatory authorities. any reason you shouldn't be required to notify regulatory authorities? >> every day we stop malvertising. we are talking about two or three incidents today over a multi year period when, you know, as google pointed out we are talking about finding 10,000 sites a day. they are finding --
12:03 pm
>> breaches or attempted breaches? >> the 10,000 a day he was talking about, i believe, are sites that host malware. >> how many breaches a day? >> mr. chairman, it's important for us to use the right terminology here. >> mr. spiezle, please use the right terminology. >> breach isn't perhaps the context i was thinking about. it is a confirmed malvertising incident where a network or a site is put away for malicious ads going through the site and properties and infrastructure. that's what we are referring to. >> okay. >> in the absence of that, that's why there is not good data, which makes it harder to go back and find the actual perpetrator. >> any reason you can't do that? >> we have to see what the reporting looks like. >> mr. salem. >> i would be careful about making a commitment like that. one thing we try to do is, within a community, discuss the issues and make sure it isn't public. as soon as you make things public you are talking about -- >> talking about a regulator. >> that would be a public document. we would not make the information public so
12:04 pm
criminals found out how we are detecting them. >> everything you tell a regulator isn't necessarily public. you can have proprietary information and other information not made public. putting aside that, any reason you can't notify the regulator? >> no reason. >> would you get back to us after you study what that recommendation is, mr. stamos? yahoo!'s privacy policy indicates that you do provide information to partners of certain personal information so that yahoo! can communicate with consumers about offers from yahoo! and the marketing partners. then you say the companies you deal with, the partners do not have any independent right to share the information. is the sharing of the information prohibited? >> mr. chairman, while privacy
12:05 pm
and security are intertwined, we have a dedicated privacy team. to get into those details -- >> do you know offhand? >> i do not, sir. >> there is a great emphasis here on education. here's the problem. the business partners of yahoo! -- and you provide a list of the third party partners. over 150 companies do advertising work. you note in the privacy policy that the companies may be placing cookies or web bugs on our computers as we browse. i don't know. how can consumers educate themselves about each of the third parties? there are 150 of them, with names like data zoo, deltran,
12:06 pm
diligent, companies totally unknown to people outside of this room. do you think it's feasible, mr. stamos -- this is my last question -- for consumers to evaluate the security policies and privacy policies of each of 150 entities? is that a practical suggestion? >> that's an excellent question, senator. we are not expecting consumers to make the decisions one on one. we provide privacy options for users and work with folks like the d.a.a. to provide decision-making authority for consumers across multiple partners. i believe that's where we have to go, to have the choices up in one place. >> but you're suggesting they educate themselves about each of the partners of yours? >> i am not suggesting that. i'm sorry, i'm not familiar with the language you are referring to. >> thank you.
12:07 pm
senator johnson? >> thank you, mr. chairman. i would like to start out quoting a couple phrases here to underscore my feeling on this. i think as the chairman said, this has enormous complexity. i think the ranking member said online internet advertising plays an indispensable role. those are powerful statements in terms of what we are trying to do here. the internet is a marvel. it's created economic activity. certainly improved lives. we need to understand how complex the situation is. it's not easy. the analogy i would use, because we are talking about criminal activity and who will be held liable: say you have a criminal that, even though you have safeguards in a taxicab, the criminal defeats that, takes over the cab and kills somebody. is the cab company to be held liable for that activity? i think that's a more accurate analogy here. the purpose of the hearing is what can government potentially do to help.
12:08 pm
i think i know who yahoo! is, who google is, i think i know how you make money. i'm not sure about ota, and a couple of things surprised me in terms of the comments you have made. let me first ask you, mr. spiezle. who are you? where do you get your funding? how do you obtain revenue? >> thank you for the opportunity to provide clarity. the ota, online trust alliance, was founded in 2003-2004 as a working group to address and bring forward the anti-spam standards yahoo! referenced in original testimony through a collaborative effort. in recognizing -- >> who funded that effort? it takes money. who funded it? >> the effort was through companies like symantec, microsoft, paypal, lots of companies that came together, cisco. >> do you get funding that way?
12:09 pm
>> we are a 501(c)(3), not a trade organization. we have a diverse group of sponsors and contributors as well as grants from dhs and others. our mission is clear. we support advertising, but our most important part is improving consumer trust and the vitality of the internet. >> here is what set off bells and whistles in my head. the chairman said you talked about the fact that yahoo! and google have little incentive to do what? >> the point -- >> is that accurate? what do they have little incentive to do? >> in the context of the question, it's incentive for data sharing. it's an industry issue that we have been trying to get people to work on together. the incentive is data sharing. >> do you deny that google and yahoo! have an enormous free
12:10 pm
market incentive to make sure this criminal activity doesn't occur on their networks? >> as dominant market players there is a responsibility in the lack of data sharing and how it is marginalized. >> answer the question. don't yahoo! and google have enormous financial incentives to try and police this and prevent malvertising and malware? >> malvertising is a small percent of the overall ad industry. to add the operational friction and to change it is a major change in how they operate today. >> you're still not answering the question. >> i don't think there is. >> you don't think yahoo! or google have an enormous financial incentive to police this and prevent it? >> i think they do.
12:11 pm
whether they are -- >> okay. here's the point. what can government do better than what these private companies can do? i have sat through hearing after hearing. for example, just this week we talked about the defense department, which has been unable to get audit ready in 15 to 20 years. is there a role the government can play that doesn't actually do more harm than good? as i have been investigating this and been involved in commerce committee hearings, the first step we need to take in terms of cyber security is information sharing. and the only way we'll get information sharing is to provide liability protection. is that pretty much the first thing the government has to do? we have to have information, so you have to have liability protection to share information.
12:12 pm
>> we are in support of information sharing with strong privacy protections for users. we are happy to work on the details, yes. >> do you think it's the first step? >> i think it is an important step. i think something government can do now is work on disrupting the financial side of the cyber criminal networks. >> you are talking about enforcement? going after the criminals and enforcing and penalizing the criminals? >> yes. penalizing criminals and also just making it hard for them to make money. a lot of the guys are selling products, taking credit cards, cashing checks. so even if we can't arrest them because they are under a jurisdiction where it's impossible, we can make it difficult for them to profit off targeting americans. >> does that require more regulation of the banking industry? targeted actions there? >> i'm not a lawyer. i think it's already illegal. it's a focus issue. >> mr. salem, again, what can government do? what's the first step? >> you mentioned -- my company does anti-malware advertising and we are happy to speak to our
12:13 pm
colleagues openly about the different threats and what we can do about it. we talk openly, and some of the other threats that we have spoken about on trustinads.org, where you have scams basically in tech support. these were terrible for consumers. some had malware under the guise of giving a credit card number to people in india helping them on their computer. we are happy to discuss -- >> that's between companies. what about information sharing with the government so the government can disseminate the information to other people in the industry you maybe don't have a partnership with? the other thing i want to get to is some sort of federal preemption on data breach so you don't deal with 50 or more, hundreds of thousands of jurisdictions. is that important? is that something the government can do to be constructive as opposed to hampering activities? >> yes, it would.
12:14 pm
>> here is my concern. we enact legislation with the best of intentions that actually makes it more difficult. takes your eye off the ball of solving the problem as opposed to complying with regulations that, i'm sorry, are written by people that aren't even close to as agile, flexible and knowledgeable as your companies. >> we are able to do our scanning, look for bad ads, sites and protect our users, talk to other folks in the industry currently about the malvertising trends. we do not feel now we have problems or there is anything encumbering us for malvertising. >> part of my concern about the answers you are providing here in the hearing is you don't want to alarm consumers. i don't want to put words in your mouth, but i'm concerned that this is a small slice.
12:15 pm
this is a big problem. i want you to answer the question i asked mr. spiezle about the enormous incentives you have. you mentioned a top priority is users matter, user trust, user security is a top priority. i think that makes common sense. i will give you the opportunity to underscore the point. >> for google, user privacy, user security is number one. we are an internet business. our users are one click away from going to the competition, one click away from doing something else. we have to prove to them that we take this seriously, that when they click on any ad it is a safe ad and when we deal with third party advertisers they are vetted partners as well. >> yes, senator, we have a huge incentive to maintain user trust. the biggest sites are yahoo! sites.
12:16 pm
to maintain those 800 million people around the world we have to maintain the trust of our users and live up to the responsibility. >> i come from a manufacturing background. we have gone through iso certification which when i first got into it i thought it was a good deal for consultants to do iso certification. going through the process i became a believer that this is helpful in terms of providing not only my company the tools to get products under control but to communicate to customers and suppliers that we have the processes under control across a host of different parts of the standard. from my standpoint that makes sense. for this particular -- talking about security standards and advertising. is that something yahoo! google would support? some kind of third party certification process that gives consumers the comfort that standards are in place? >> i think we would support self-regulation to set
12:17 pm
guidelines. from the actual technical standards this is something we innovate on every day. we have to be careful not to get too prescriptive to where we are living up to a rule and not doing what we need to. >> that's why i'm talking about a private sector alternative. i want to make sure it is cooperative, not somebody who is set up in business and is hostile to some of the actors in the room. you need a cooperative, flexible, fast moving. these standards have to change, what, daily? >> yes. >> literally, what are we talking about in terms of the level of flexibility we need to have a hope -- and all we can do is minimize this, right? probably? the criminal will be one step ahead every time. you have to change the standards on an ongoing basis. >> correct. we need to evolve and be as
12:18 pm
nimble as possible to make sure we are a step ahead of the criminals. >> i'm out of time. >> the standards that were addressed earlier that industry came together to address spam and deceptive e-mail, dmarc, dkim and spf, they are technologies that can be employed. i would say there could be standards developed that could help increase a trustworthiness in advertising. >> thank you. >> senator mccaskill. >> thank you. mr. spiezle, do you know what percentage of the malware incidents occurred through advertising? i think this is your chart, correct? >> yes. this is a chart -- >> what percentage of malware incidents are attributable to advertising in the year 2013? >> i don't have that specific data. >> how can you not have the data if you know how many display malvertising there was? wouldn't you know the context of the number? >> no. it is a case where malicious ads were documented and observed.
12:19 pm
we are not looking at click fraud, not looking at search ad or -- >> why not? >> because this is the area that's coming through the pipeline. the critical infrastructure impacting us today through malicious advertising where consumers do not have the ability to protect themselves. >> if i have malware on my computer it doesn't matter where it came from. i'm trying to get at the problem here. this is one small piece of it. do you know mr. stamos and mr. salem? is it salem? >> salem. >> what percentage are attributable to advertising? >> we do not know that information. >> does anybody know it? >> we do know the classic way that a consumer gets malware is visiting a site. not the malware on the site. >> how much is site-specific versus ad-specific? >> the numbers we see from other sources on the number of malware infections are in the tens or hundreds of millions. that's the context in which i put hundreds of thousands here.
12:20 pm
>> okay. we are talking about less than 1%? >> it's hard to know, senator, exactly where each malware infection comes from. i don't think it's unlikely that it is less than 1%. >> okay. you know, in the commerce committee some of the people in this room have heard me say this before. part of the problem here is that consumers were not brought along early in the process to understand the importance of being educated and understanding that what they are getting for free is coming at a price of advertising. >> right. >> i don't think you'd argue that we would have a much different internet if it were not for -- if in fact the foundational backbone and the explosion of economic activity and jobs is all around behavioral marketing, is that correct? >> all about advertising. advertising supports services that society and businesses get today. >> consumers hear how unfair it is that their data is -- that they are seeing ads for outdoor furniture when they get creeped
12:21 pm
out about that, they are not making the connection that's why their internet content is free. they don't get that connection. that's all on you. you have not informed them appropriately about the bargain they are striking. and perhaps what would be most helpful in this regard is to figure out what the cost would be. if we were to remove -- if we were to clamp down on government the kind of advertising and prevalence of advertising on the internet and ability to market on the internet by knowing what people are interested in as opposed to like we know somebody who watches oprah maybe would -- they might want to run an ad for slimfast on oprah. you try to target your audience based on what they are looking at. you know, does anybody know what this would cost for people to have an e-mail or have a search capability they have if this were not for advertising? has anyone tried to quantify that so consumers would understand the bargain they are getting? >> senator mccain's number in his opening statement, he talked about the overall ecosystem being worth $43 billion so that
12:22 pm
would be the overall cost. >> what is the one thing the government is supposed to do in this space? i think it's catch criminals, right? >> yes. >> why aren't we catching more of these criminals? how much time is your organization spending on the failure of government both nationally, domestically, federally and local and internationally, the failure we've had going after -- and i know it's hard because we're talking about ip addresses that disappear in less than that. >> thank you for the question. it is clearly a problem of epidemic proportions, one of the failures is data sharing, not just data sharing to government. we have to remove barriers cited by the organizations in this room, antitrust of sharing this
12:23 pm
data within each other. that's the first part. in the absence of that we can't peel back the onion, working with the fbi and secret service, this is a very difficult problem to go back to and get -- >> you're saying that the government's failure is because google and yahoo! and their colleagues are not sharing information with law enforcement? >> i'm saying it's a general failure of the industry sharing data among ourselves and with law enforcement of when these incidents are occurring. i want to underscore, they are being victimized and infrastructure being victimized as well. i recognize that issue that's hurting their businesses. but we have to put in place the measures to protect and prevent it and also to detect it.
12:24 pm
when we detect it, we can notify. in the absence of data, we can't notify the other parts to bring down the ads as quick as possible or to look at the methodology to prevent it from recurring. >> let's try to drill down on that a little bit. are you all trying to work in a cooperative and moment by moment fashion with law enforcement? >> yes, senator, we have a dedicated e-crime team we're in the process of beefing up. when we see an incident where we believe there's enough information, we work with them throughout the investigation and we've had some success in the disruption of several cyber criminal networks, there's an international component that makes arrest difficult. i would like more information on that. i would like to understand why we are not having more robust success in the law enforcement space since your companies are being victimized and consumers are being victimized by
12:25 pm
criminals. >> i can give you a few anecdotes that might help. google is constantly being asked for information by law enforcement and we do that. the few times we've actually approached law enforcement and said we have exact ip addresses, they are in the united states, one of the things we're asked to give is show us the fraud and show who was fraudulent, the amount of damages, we don't have that information. that is something where overall we've actually had problems approaching law enforcement to take action. >> for the record would you provide an example of that for us? >> i can do that offline, yes.
12:26 pm
>> can you give one of things -- there's a stress for you all and that is that informing consumers as clearly and broadly as you would inform them, a lot of this can be prevented by consumers as you well know. if you understand the ecosystem of the internet and the concept of cookies and what your browser is doing. if you understand the power of a click, you can avoid a great deal of danger. but i'm sure some of the stress for your companies is that the more you warn consumers, the more they are going to be afraid to robustly participate in the internet in terms of accessing ads and doing the things that generate a lot of income for the overall eco structure. how can you balance this better? i know it's better than it was when i started harping on this several years ago about informing consumers but the secret about their power, about the individual user's power, i have a great deal of power on this thing. but i got to be honest with you, the only reason i know it is
12:27 pm
because i have an amazing staff that helps me understand. the average consumer doesn't have a clue. the organizations that fund you ought to be more worried about how the consumer becomes more empowered in this environment. it's the only real way. >> if i can respond, i clearly agree consumers have a shared responsibility to make sure that they are updating their computers and patching their systems and practicing safe computing practices, absolutely. getting back to -- i remain going to a trusted site they know of and type it in, they don't click on a link, all of the things we tell them not to do, and they go to a trusted site that unexpectedly gives an exploit never exposed before, we have shared information across all of
12:28 pm
stakeholders here, consumers and networks and publishers alike here. that's why we're having this discussion today. >> my final question, is your organization, i know that a lot of security i'm guessing if i was a company selling security products, i would want to invest in you. i would want to make contributions to you. i'm assuming a lot of your contributors are in fact the people who make security products for the internet. >> to the contrary, 50% of funding comes from companies like webmd, twitter, websites and web properties depending on consumers to trust services. >> do you provide the services to workshops you provide, are they free of cost or is part of your income that you actually need the revenue -- >> our training workshops are on a cost recovery basis and we hold some throughout the u.s. as well -- >> you don't get any revenue stream -- >> they are designed to cover
12:29 pm
operating costs of the programs. >> thank you. senator portman. >> thank you for holding this hearing. it's appropriate we're talking about it and i agree with what senator johnson has said that the internet has thrived without heavy-handed government and we want to make sure that continues. earlier we talked about a lot of solutions and i don't understand enough to be frank with you, but verification standards seems to make sense. you talk about information sharing protocols and talk about liability protections needed to make that work well. i know you aren't lawyers but
12:30 pm
we'd like more information on that if you can give it to us for the record. the ad networks themselves, makes a lot of sense. we talk some about enforcement and we'll ask about that in a second. enforcement requires the information, which is important to get at what you talked about in terms of the financial systems right now. i have a question to kind of back up so i understand. mr. salem, you're with google, kind of a big company and you scan 100% of the ads that enter into your advertising network? >> we scan 100% of the ads eventually, not every ad is necessarily scanned unless it's hosted by google. >> unless it's what? >> we have third parties and google ads as well. all of the ads that are google are scanned before served. a few of the third party --
12:31 pm
>> let's focus on the ads that are google hosted. if you are scanning all of the ads then how did the malvertising circumvent the scanning process? it was a major issue. everybody was aware of it. how did that happen? >> it happened because ads can go bad. there are a lot of third party components to ads and javascript calls and tracking or analytics that happens with an ad. we scan an ad and it looks great. we continually scan ads based on risk and these ads went bad before we had a chance to rescan them. >> the vulnerability was you didn't have a continuous ability to analyze that ad and it went bad. so what are you doing to address that vulnerability? >> what we have done is looked at the risk profile and lowered it for many of them and scanning often through these. >> and are you scanning often
12:32 pm
enough to avoid what happened with the youtube malware happening again? >> we believe so. we scan all of the ads we host and rescan them quite a bit. we have hundreds and thousands of ads we take down continuously, some are based on websites going bad or the ads themselves. >> your prepared testimony focuses on preventing disabling malware, both are necessary, i get this. when it fails, what can consumers do to protect themselves from harm inflicted through google's ad network? >> on this incident itself, i wouldn't call it huge. the website itself was on our safe browsing list. users that use chrome and safari were covered by this. it was for an unpatched version of internet explorer. we don't even know how many of them actually downloaded the malware. >> you don't know what the damage was --
12:33 pm
>> we know the potential. when we look at what is the potential when the ad goes bad and look at the last scan, we consider all of that potentially bad advertising. but that shows us that what can protect a user is knowledge that they need to use anti-virus software and need to update browsers and operating systems. that in general is best practices not even just for malvertising but malware in general. >> let me ask you a question about consumers because you talk about how they need more information. what can be done to inform people that they have been infected so that they know it, without tipping off the cyber
12:34 pm
criminals involved? isn't that one area where for consumers, as senator johnson was talking about, it's impossible for people to know how to react if they don't know they've been infected. how are you going to let consumers know that? >> thank you, senator. as the gentleman from google said, the cyber criminals are choosing users to attack based on criteria that aren't ours and servers that aren't ours. we don't have the exact list of users or ip addresses which were attacked nor do we have a direct relationship so direct notification is a difficult issue. that's why we do general notification we post on our blog and we had discussion through the press of what happened and then we have a safety and security website we refer users back to, to give tips on how they can patch their system and what free anti-virus tools. >> your thoughts on that?
12:35 pm
>> i agree. it's very hard knowing where that ad ran and who it was. there are obviously the comments of consumers and get notifications from there, there has been a related effort led through the fcc with isp best practices where they detect abnormal behavior coming from an ip address of a residential computer. there's progress in that front, not related to the ad specific but when a device appears to have been compromised and how do you notify. the framework i identify today and outline is built on that framework of prevention, detection, notification. there are parallel efforts and i raise that because this is an issue that needs us to move out of the silo of one industry and look at what other segments are doing to solve the problems, similar problems. >> in the subcommittee's report
12:36 pm
it seems to me what senator levin's team is saying, is that you guys don't have the incentive you would otherwise have because consumers don't know that the malvertising came from you. i think if you don't know to attribute to a particular ad network, there might be a disincentive to address it, otherwise there would be a much greater incentive if they knew this came from my yahoo! account. what's your response to that? >> i can say something and clear up a misconception. just because you visited a site and got an ad from google, we don't necessarily know who you are. as far as even being able to let people know, oh, this ad was served to you and potentially had malware, we don't know who you are, it is all anonymous and done on purpose that way. that's one of the reasons why someone can't target you specifically with an ad. they can target your gender or
12:37 pm
age group based on profiling but that's about it. we don't necessarily know who you are. that's not even possible. >> mr. stamos. >> as to the motivation, this kind of incident happens and it has an impact on our reputation and that trust is absolutely the bedrock of our business. so maintaining user trust is essential which is why we have a security team and trust and safety team and we're working on this issue 24/7. >> but you can't tell your customers that they got attacked. >> we can't tell actual advertising customers, we don't have that information. we can't directly tie bob smith looked at the specific advertisement. >> and if they could have that connection to a particular ad, wouldn't that make for a more effective regime and you would
12:38 pm
be in a position to respond or the ad networks would? >> i believe that would be a significant privacy issue. we're talking about here for us to track individuals looking at. >> something i found really interesting in looking through the material sent in advance, some cyber criminals carry out attacks on weekends and holidays because they figure your guard is down. is your guard down on weekends and holidays? >> absolutely not, senator, thank you for the question. the systems that do this are automated systems and you're guilty until proven innocent. we scan immediately on upload, before an ad is seen and scan repeatedly afterwards. if anything is strange, that ad gets immediately pulled and people get paged and -- >> consumers shouldn't -- if you're worried on weekends and holidays. >> absolutely not. >> glad to hear that. i guess one question i also had was the trust in ads.com group that you all support. mr. spiezle but maybe you can
12:39 pm
tell us, what can we expect from them? how can consumers get information. >> i can't speak to the organization. we have reached out to them. i can only respond to the website, it's about educating policy makers and notifying consumers what to do when they've been harmed. so the site speaks for itself. i look forward to finding more information for them as well. >> you think it's going to be effective? >> yes, it has been effective. we've recently just released our study on the tech support vertical and basically one of things we're noticing was when google started clamping down on this terrible scam, they started to go to other sites. we reached out to colleagues to make sure we stopped this from happening for everybody. >> i totally agree. trust in ads is focused on deceptive advertising and fraud. one of the reasons it's been put together a single place where
12:40 pm
you can report the advertisements to make sure to all of the companies involved to take them down and ban the advertisers. >> thank you, sir. >> thank you very much. we thank our participants in this panel very much for your testimony. it's been extremely helpful. >> mr. chairman, it's a little disturbing when mr. salem and mr. stamos dispute facts. ronald reagan used to say facts are stubborn things. i also am not -- i'm a bit disturbed by sort of it's somebody else's problem in the testimony today and it heightens my motivation to both reinvigorate legislation that we tried before but also try to make google and yahoo! understand that this is a much bigger problem than the testimony -- their testimony indicates they think it is today. and it's a bit disappointing.
12:41 pm
>> thank you very much. >> two quick questions. >> we have three votes, four votes in five minutes. >> i just want to ask yahoo! and google, how many scans are you doing? what percentage of that -- if you want complete coverage, what are we talking about? are you able to scan 1%, 100%? >> we scan all ads, 100%. >> you scan them and rescan them. what would be complete coverage versus what percent -- is it an impossible question to answer? >> i think -- >> give it a try for the record. >> the other thing i want to know, how many people in your organization are devoted to cyber security? number of people. i want to ask the government how many they have available. >> we scan every single ad. multiple times based on different risk metrics. as for the number of people, i would say across the different
12:42 pm
teams we have 100 people working on trust and safety and security. >> mr. salem, do you want to give an answer to number of people, quickly? >> sure. google has over 400 people working specifically on security. we have over 1,000 when it comes to our ad policies and making sure the ads are compliant. >> very good. thank you. we again thank this panel. you all were very, very helpful to us. we appreciate it. i want to thank senator mccain for bringing us to this point. i happen to agree with his comments and with the thrust of this report. miss maneesha mithal. am i pronouncing your name correctly?
12:43 pm
>> it's mithal. >> thank you. miss maneesha mithal, associate director of the division of privacy and identity protection of the federal trade commission in washington and mr. lou mastria, managing director of the digital advertising alliance in new york. we appreciate both of you being here this morning, and we look forward to your testimony. i think you know the rules of the subcommittee, that all who testify here need to be sworn. so we would ask you both please stand and raise your right hand. do you swear the testimony you're about to give to the subcommittee will be the truth, the whole truth, and nothing but the truth so help you god? >> i do. >> i do. >> we'll get as far as we can until the votes start and we'll have to work around the testimony and the questions i'm afraid. and let's try to do this in eight minutes each if you could and we'll put your statements in the record. please start. >> thank you chairman levin and
12:44 pm
ranking member mccain. i'm maneesha mithal, i appreciate the opportunity. i also thank the subcommittee for its report that it issued yesterday which highlights online threats to consumers. we look forward to working with you on these important issues. the commission is primarily a civil law enforcement agency charged with enforcing section 5 of the ftc act, which prohibits unfair or deceptive practices. we're committed to using this authority to protect consumers in the online marketplace. for example, we've used section five to take several actions against online networks and educate consumers and businesses about the online environment and encourage self-regulation. i'll discuss the enforcement in three areas, privacy, malware and data security. first, with respect to privacy, we brought many enforcement cases against online ad networks.
12:45 pm
for example, chitika is an online ad company that offered consumers the ability to opt out of receiving targeted ads. what they didn't say is it only lasted ten days. we alleged this was deceptive and our order requires them to tell the truth in the future and destroy the data collected while it was ineffective. we on -- obtained a civil penalty against google for allegedly making misrepresentations to users with safari browsers. they were told that, with the default setting, they would automatically be opted out. in many cases we allege that google circumvented the default settings and placed cookies on consumers' computers.
12:46 pm
we generally can't get civil penalties for violations of section 5. we were able to get civil penalties because we allege google violated a prior ftc order. the second area is malware, it can cause a range of problems for computer users from unwanted pop-up ads to slow performance to keystroke loggers that can capture consumers' sensitive information. this is why the commission has brought several section five cases against entities that unfairly downloaded malware on to consumers' computers without their knowledge. one of these cases against innovative markets alleged that the malware was placed on consumers' computers through online ads. we've also made consumer education a priority. the commission sponsors onguard online, a website designed to educate consumers about basic computer security. we've created a number of articles, videos, and games that describe the threats associated with malware and explain how to avoid and detect it. finally, while going after the purveyors of malware is
12:47 pm
important, it's also critical that ad networks and other companies take reasonable steps to ensure that they're not inadvertently enabling third parties to place malware on consumers' computers. to this end, online ad networks should maintain reasonable safeguards to ensure they're not showing ads containing malware. the commission has undertaken substantial efforts over a decade to promote strong data security practices in the private sector in order to prevent hackers and purveyors of malware from harming consumers. we've entered into 53 settlements with companies that we charged with failing to reasonably protect consumers' personal information. our data security cases include actions against microsoft, twitter, and more recently fandango and snapchat. we've made clear reasonable security is a continuous process of addressing risks, that there's no one size fits all data security program, that the commission doesn't require perfect security, and the mere fact that a breach has occurred
12:48 pm
doesn't mean the company has violated a law. these principles apply equally to ad networks. rather, the commission would look to whether the ad network took reasonable steps to prevent third parties from using online ads to deliver malware. in closing, the commission shares this committee's concerns about the use of online ads to deliver malware on to consumers' computers, which implicates each of the areas discussed in the commission's testimony: consumer privacy, malware, and data security. we encourage several additional steps to protect consumers in this area, including more widespread consumer education, continued industry self-regulation, and the enactment of a strong federal data security and breach notification law that would give the commission the authority to seek civil penalties. thank you. and i'd be happy to answer any questions. >> chairman levin, ranking member mccain, members of the subcommittee, good morning and thank you for the opportunity to speak at this important hearing.
12:49 pm
my name is lou mastria. i'm the executive director of the digital advertising alliance. companies have every interest to protect the privacy of consumers' data, and i'm pleased to report to the committee on the continued success of the self-regulatory program, which provides consumers with privacy friendly tools for transparency and control of web viewing data. all of this backed by a growing code of enforceable conduct. the daa is a cross industry organization founded by the leading advertising and trade associations, these include the association of national advertisers and american association of advertising act -- agencies and direct marketing association and interactive advertising bureau and american advertising federation and the network advertising initiative. these organizations came together in 2008 to develop the self-regulatory principles for online behavioral advertising,
12:50 pm
which were then extended in 2011 to cover the collection and use of web viewing data for purposes beyond advertising. more recently, the data in and around mobile environments. in 2012, the obama administration publicly praised the daa as a model of success for successful enforcement codes of conduct, recognizing the program as, quote, an example of the value of industry leadership as a critical part of privacy protection going forward. more recently, commissioner was quoted as calling the daa one of the great success stories in the privacy space. the daa administers and promotes these self-regulatory principles for online data collection and use. to provide independent accountability for the daa, the council of better business
12:51 pm
bureaus and direct marketing association operate collaborative accountability mechanisms independent of the daa. to date there have been more than 30 publicly announced compliance actions through the daa program. we believe the daa is a model example of how interested stakeholders can collaborate across an ecosystem to provide meaningful and pragmatic solutions to complex privacy issues, especially in areas as highly dynamic and evolving as online advertising. the internet is a tremendous engine of economic growth as was mentioned earlier supporting the employment of more than 5 million americans and contributing more than $500 billion or 3% of gdp. a major part of that includes the data driven marketing economy which touches every state and contributes nearly 700,000 jobs as of 2012. advertising fuels this powerful economic engine.
12:52 pm
in 2013 internet advertising revenues reached $43 billion. consumers access a wealth of online resources at low or no cost. revenues subsidize content and services that consumers value such as online newspapers and blogs and social networking sites and mobile applications and e-mail and phone services. these advertising supported resources truly have transformed all of our daily lives. >> interest based advertising is essential to the online advertising model. interest based advertising is delivered based on consumers' interests inferred from data about online activities. research shows that advertisers pay several times more for relevant ads and as a result this generates greater revenue to support free content. consumers also engage more actively with relevant ads. interest based ads are vital for small businesses as well.
12:53 pm
they can stretch the marketing budgets to reach likely consumers. third party ad technologies allow small content providers to sell to large advertisers thereby increasing revenue. preserving an advertising ecosystem that meets the needs of small and large businesses and at the same time provides consumers ways to address the privacy expectations is a reason why so many companies have publicly committed to the daa principles. the daa provides consumers choice with respect to collection and use of web viewing data while preserving the ability of companies to responsibly deliver services and continue to innovate. among other things, the daa calls for enhanced notice outside of the privacy policy so consumers can be made aware of the companies with which they interact while on the net, provision of a choice mechanism giving consumers choice, not companies, education and strong enforcement mechanisms. together these principles increase consumers' trust and
12:54 pm
confidence in how it was gathered online and how it was used to deliver advertising based on their interests. the daa multisite principles, one of our three codes of conduct, sets forth clear prohibitions against certain practices including use for eligibility purposes, such as employment, credit, health care treatment and insurance. the daa has developed a universal icon to give consumers transparency and control with respect to interest-based data. the icon provides consumers with notice that information about their online interests is being gathered to customize the web ads they see. clicking on the icon takes consumers to a centralized choice tool that enables consumers to opt out by participating companies. the icon served more than 1 electrical times globally, on ads, websites, digital properties and tools covered by the program. this achievement represents an unprecedented level of industry cooperation and adoption.
12:55 pm
currently on the desktop version of the daa choice program, more than 150 third party platforms participate. the choice mechanism offers consumers a one click option to opt out of advertising from all participating platforms. consumers are directed to the daa choice page not only from the daa icon in and around ads but also from other forms of website disclosures. over 3 million unique visitors exercise choice. also committed to consumer education, the daa launched educational website at daachoices.com to provide easy to understand videos explaining choices available to consumers, the meaning of the icon and benefits derived from online advertising. more than 15 million unique users have visited this site. and to prepare for the introduction of a daa mobile choice app for mobile environments, which we'll release later this year, we've
12:56 pm
also recently released guidance on how the icons should appear in mobile environments to ensure a consistent user experience in that environment as well. a key feature of the self-regulatory program is independent accountability. all of the daa self-regulatory principles are backed by robust enforcements administered by the council of better business bureaus. 33 public compliance actions have been announced in the past three years and included daa participants and nonparticipants alike. we have an obligation to report noncompliance when it happens and cannot be remedied. the daa has championed control that accommodates consumers' privacy preferences and supports the ability of companies to responsibly deliver services desired by consumers. we appreciate the opportunity to be here today. we believe we have a successful model and can continue to evolve in this area of privacy. thank you very much.
12:57 pm
>> thank you very much. senator mccain. >> thank you, the witnesses. i just have a couple of questions because obviously we have an important vote going on. miss mithal, you saw the previous -- do you believe that's an accurate depiction of malware advertising? >> i do. i believe it's a problem, serious problem and we're committed to using all tools -- at our disposal. >> why do you think google and yahoo! guys would say that it's not accurate? >> i don't know, senator. >> in your view, this is certainly -- >> we haven't done our own independent research but i have no reason to doubt the statistics. regardless, even if it happens to one person, it's a significant problem for consumers. >> the only other question i have for comment, it seems to me that consumers are being harmed,
12:58 pm
whether it be a, quote, sliver as are the witnesses testified or whether it's more widespread and on the increase, would you agree it's on the increase? >> i don't know but according to the slide it looks like it is. >> there's no -- the person -- consumer that's harmed has no place to go for help or compensation it appears. do you agree with that? >> i do. >> what do we do? >> so i think this is a very serious problem and it's going to require a multiprong solution. i think that -- off the top of my head say three things. first, increase consumer education, things like updating browsers and patching software and having anti-virus and anti-malware software on their computers. second, more robust industry self-regulation. i was heartened to see the truth in ads announcement, and i think that needs to continue. and third is enforcement, against purveyors of malware and third parties allowing them to
12:59 pm
go through. >> seems to be there should be standards of ffrsment, standards of behavior, standards of scanning, standards to do everything they can to prevent the consumer from being harmed. then if they don't employ those practices, they should be held responsible. does that make sense? >> it does, senator. currently we have the authority to take action against unfair practices so the standard is that if a practice causes consumer injury, that's not outweighed by the benefits to competition and not reasonably avoidable by consumers, that can be considered a section 5 violation. we brought over 50 cases against companies that failed to maintain reasonable protections to protect consumers' information. that's a tool we can use if congress chose to give us other tools -- >> are you familiar with the legislation senator kerry and i >> i am familiar with it, and i appreciate your leadership. >> would you do me a favor and
1:00 pm
look at that again. if you believe we need additional legislative tools for you, to look at it, review it, give us recommendations as to how you think it could be best shaped to protect consumer and address this issue. do you believe that it would be helpful if you did have legislation? >> absolutely. in particular in the data security area, currently we don't have fining authority. we have advocated for data security legislation that would give us the authority to seek civil penalties against companies that don't maintain reasonable data security practices. >> i would appreciate if you review what we had proposed. obviously it has to be updated. i'll do everything in my power to see if i can get senator levin to get engaged as well. he's pretty important in some areas, not others, but some. >> i'm not a tough sell in this area, i want you to know. >> thank you. >> i'm glad you made reference to the question about whether we need additional strong federal policy.