Id like to commend senator mccain for his leadership, and his staff for the very hard work in addressing facts and issues that are the subject of todays hearing. Senator mccain. This has been the hallmark of our relationship together for many years. I believe that Consumer Privacy and safety in the Online Advertising industry is a serious issue and warrants the subcommittees examination. Ecommerceergence of , more activities are taking place on the internet, which is led to major advantages inconvenience, consumer choice, and economic growth. These have also presented questions concerning security and privacy in the new technologybased world. It is important to keep in mind the following idea. Into the who venture online world should not have to know more than cyber criminals about technology and the internet in order to stay safe. Sophisticated Advertising Companies like have aand yahoo responsibility to help protect consumers from the potentially harmful effects of the advertising they deliver. Casent continue to be the that the consumer alone pays the price when he visits a mainstream website, doesnt even hask on anything, but still his computer infected with malware delivered through an advertisement. The same time, Online Advertising has become an instrumental part of how Companies Reach consumers. In 2003, Online Advertising revenue reached a record high of 42. 8 billion, surpassing for the first time revenue from broadcast television advertising, which was almost 3 with theess very at continuing boom in mobile devices, Online Advertising will become even more lucrative. His hearing will outline the hazards consumers face through online advertisements, how cyber criminals have defeated the security efforts of the Online Advertising industry, and what improvements could be made to ensure that consumers are protected online and the internet remains a safe, flourishing engine for economic growth. Make a mistake, the hazards to andumers from malware Online Advertising or something that the tech savvy consumer cannot avoid. It is not enough to avoid shady websites and advertisements that look suspicious. An engineer at a consumer firm discovered that an advertiser on youtube delivered malware to visitors computers. In that case, the user did not need to click on any ads, just going to youtube and watching a video was enough to infect the users computer with a virus. That virus was designed to break into consumers online Bank Accounts and transfer funds to cyber criminals. Alsoilar attack on yahoo did not require a user to click an advertisement to have his computer optimized. A consumer whose bank account was compromised by the youtube ad attack has little recourse under the law as it stands. If an affected consumer managed to track down the cyber criminal who placed the virus, he, or relevant lawenforcement agencies could take steps against the wrongdoer. Tracking these criminals down is security, even for specialists. It be that cyber criminals can sneak malware into advertisements under the noses of the most technologically advanced companies in the world . Cyber criminals enjoy clever tricks to avoid the current security procedures used by the. Nline Advertising Industry one of these procedures is scanning, essentially having a test or visit a website to see if a virus downloads to the test computer, just as normal advertisers can target their advertisements to run only in specific locations, cyber criminals can also target our location to avoid scanning. Knowsample, if a criminal that a facility responsible for scanning an ad is clustered around certain cities, they can target the malicious advertisement to run in other areas so that the scanners will not see it. Cyber criminals have used even simpler techniques to bypass security. When Law Enforcement raided the network,f a russian they found a calendar with u. S. Holidays and federal weekends. Were planning to initiate Malware Attacks at times when the Security Staffing and ad networks would be at their lowest ebb. ,ust this past Holiday Season on friday, december 27, two thousand 13, 2 days after christmas and 40s before new years eve, cyber criminals hacked into yahoos ad network and began delivering malware infected advertisements to consumers computers. The malware seized control of users computers and use it to generate it coins, a Digital Currency that requires a large amount of computer power to create. Independent security firms estimate that around 27,000 computers were infected through this one malware laden advertisement. The results of these tactics has been countless attacks against consumers online. One major vulnerability in Online Advertising is at the advertisements themselves are not under the direct control of Online Advertising companies and google. These Companies Choose not to directly control the advertisements themselves because sending out all of those image or video files would be more expensive. Instead, Online Advertising have the advertiser himself deliver the adjective to the consumer. While it is cheaper for the companies in the Online Advertising industry to operate in this way, it can lead to greater hazards for consumers. Malicious advertisers can use their control over advertisements to switch out legitimate ads and put in malware instead. The Tech Companies who run the Online Advertising industry frequently do not know when such a switch occurs until after the ad is served. Because those companies do not control the advertisement, their Quality Control processes are frequently eerily reactive, often finding problems after they arrive instead of before. As a Online Advertising industry grows more and more complicated, a single advertisement for an individual consumer routinely goes through five or Six Companies before ultimately reaching the consumers computer. That fact makes it easier for oneious companies to issuer that is apparent was in was an attack on the Major League Baseball site on june 12. The ad appeared to be for luxury watches. T was displayed as a banner that ad was shown to 300,000 consumers before being taken down. In the aftermath of that attack, it was till unclear what entity was responsible for delivery of the malware. One analyst noted that the lack of transparency in multiple and direct relationships in online assigningg made responsibility virtually impossible. One way to get an idea of how complicated the Online Advertising world and online data connection can be, is to take a look at what happens when a consumer visits a website where advertisements are served by third artie ad companies. When a user visits a website, that website instantaneously contacts and Online Advertising company to provide an advertisement. That ad company intern contacts other Internet Companies who help collect and analyze that user for purposes of targeting advertisements to him. Each company can in turn contact other companies that profit from identifying users and analyzing those usersonline activities. Ultimately, hundreds of third Artie A Panisse can be contacted resulting from a consumer visiting a single website. Using a special software called disconnect, the subcommittee was able to do to detect how many sites were contacted when a user visits a particular website. These contacts are represented in a chart. We goirst example to video we see what happens when a user visits the website of an ordinary business that does not depend heavily on advertising revenues. In this case, our example is td , a bank that provides Online Banking services for its existing customers. It does not need to derive a large amount of revenue from online traffic and advertisements. It is a very difficult thing to see, but a few third parties were contacted. By contrast, when a consumer visits a website that depends much more heavily on revenue from advertising based on the number of people who visit their website, a number of third parties can be enormously higher. Do we have a technical . This video shows what happens tmz. Com,nsumer visits a celebrity gossip website. Just to make that point even more clear, here are td bank and tmz sidebyside. Finally, another problem in the current Online Advertising industry is a lack of meaningful standards for security. The two riemer regulators of Online Advertising are the federal trade commission and other groups. Selfregulatory groups have not been active in generating effective guidance for clear standards for Online Advertising security. On the government side, the ftc has brought a number of Enforcement Actions against Companies Involved in Online Advertising for deceptive practices. These cases all involve some specific misrepresentation made by a Company Rather than a failure to adhere to any general standards. I will summarize by saying on the question of Consumer Privacy, there are some guidelines on how much data can be generated on Internet Users and how that data can be used. Notice and choice procedures have only been partially affected. A few years ago, senator kerry and i introduced a commercial privacy bill of rights. It provides a framework for how to think about these issues moving forward. Basic rightsudes and expectations consumer should have when it comes to the collection, use, and dissemination of the personal and private information online, and specifically in prohibited practices, a clarified role for the ftc enforcement and a safe harbor for those companies that choose to take effective steps to further Consumer Security and privacy. That legislation also envisions a role for industry, self regulators and stakeholders to engage with the ftc to come up with best practices and effective solutions. Consumers deserve to be equipped with the information necessary to understand the risks and to make informed decisions in connection with their online activities. Today, one thing is clear. As things currently stand, the consumer is the one party involved in Online Advertising who is simultaneously both least capable of taking Effective Security precautions and forced to bear the vast majority of the cost when security fails. A model isure, such not tenable. There can be no doubt that Online Advertising has played an indispensable role in making innovation profitable on the internet. The value that Online Advertising as to the internet should not come at the expense of the consumer. Fornt to thank the chairman working with me on this important hearing and the witnesses appearing before the subcommittee. I thank you, mr. Chairman. Thank you, senator mccain. Theys hearing is about third parties that operate behind the scenes as consumers use the internet. Thearticular, subcommittees report outlines the enormous complexity of the. Nline advertising ecosystem simply displaying at the consumer see as a browse internet can trigger interactions with the chain of other companies and each link in the chain is a potential weak point that can be used to revert privacy or host malware that can inflict damage. Exampleseen a dramatic in the visuals that senator mccain presented to us, as well as his outlined in the report. Is outlined in the report. Report andittees senator mccains Opening Statement highlight the hundreds of third parties that may have access to a consumers browser information with every webpage that they visit. According to a recent white house report, more than 500 million photos are uploaded by consumers to the internet each day, along with over 200 hours of video every minute. The volume if information that people create about themselves pales in comparison to the amount of Digital Information continually created about them. According to some estimates, byteing a nearly a zeta is transferred annually. That is a billion trillion bytes of data. Todays hearing will explore what we should be doing to protect people against emerging threats to their security and privacy as consumers. The report finds that the industries selfregulatory efforts are not doing enough to protect Consumer Privacy and safety. Furthermore, we need to give the federal trade commission the tools it needs to protect consumers who are using the internet. Finally, as consumers use the internet, or files are being created based on what they read, what movies they watch, what music they listen to. Consumers need more effective choices as to what information generated by their activities on the internet is shared and sold to others. I want to thank all of todays witnesses for their cooperation with the investigation. I now call our first panel of witnesses for this mornings mos. Ing, alex stay , and craig spizal. We appreciate all of you being with us this morning. We look forward to your. Estimony pursuant to our rules all witness who testified before the subcommittee are required to be sworn. I would ask each of you to stand and raise your right hand. Do you swear that the testimony you a gift to the subcommittee will be the truth, the whole truth, nothing but the truth, so help you god . We will be using a timing system. About a minute before the red light comes on, you will see lights change from green to yellow, giving you an opportunity to conclude your remarks are your written testimony will be rented in the record in its entirety. We would appreciate you limiting your oral testimony to know more than 10 minutes. Go stamos, we will have you first. After we have heard all the testimony, we will turn to questions. Please proceed. Chairman levin, Ranking Member mccain, and distinguished members. Tonk you for allowing me testify. I appreciate the opportunity to share my thoughts. Respectfully request that my full written testimony be submitted for the record. Yahoo s Vice President of Information Security and chief Information Security officer. I joined yahoo in march. Prior to that is served as a artemis. Im of very proud to be working on security at yahoo . It is a Global Technology company that provides personalized products and Services Including search, advertising, content and communications in more than 45 languages in 60 countries. We enjoy some of the longest lasting customer relationships on the web. It is because we never take these relationships for granted that 800 million users trust yahoo to provide them with Internet Services across mobile and web. There are a few key areas i would like to emphasize. First, our users matter to us. Building and maintaining user. Rust is a critical focus all of products need to be secure for all our users around the globe. Security is a consummate evolving challenge that we tackle headon. Malware is an important issue that is a top priority for yahoo . It is one part of the equation. It is important to address the entire malware ecosystem and to fight it at each phase of its lifecycle. We partner with other companies to detect and prevent the spread of malware via advertising and standards. Improve oursly security with the help of the Wider Research and security committees. Where the largest media publisher to enable encryption for our users around the world. Internet advertising security and the fight against malware is a top priority for yahoo . Securityuilt a top pipeline to weed out malware. This january, we became aware of malware distributed on yahoo sites. We immediately took action to rove malware, investigated users on mac, mobile devices and users with updated versions were not affected. A large part of the malware problem is a vulnerability that allows an attacker to control user devices through popular web browsers such as internet explorer, plugins like job are, Office Software and java systems. Malware is spread by tricking users into installing hardware that users think is harmless. We always strive to defeat those who would compromise our security. we regularly improve our systems. Every ad running on yahoo sites on our network is inspected using this system, both when theyre created, and regularly afterwards. For example, our systems prohibit advertising said look like operating system messages. Preventing deceptive advertising once required extensive human slowerntion, which meant response times and inconsistent enforcement. Although no system is perfect, we now use algorithms to catch deceptive advertisements. We are also the driving force behind the safe frame standard. Allows ads to properly display without exposing user information to the advertiser or network. Is used not only in the thriving marketplace, but around the internet. We actively work with other companies to create a highe