Stegano, Part 2: Who Is Responsible For Malicious Ads?

One of the fun consequences of the current adtech system is the possibility of malicious ads: ads that come with hidden code designed to do nefarious things. Often, these “malvertisements” are user-friendly: they can get to work with literally no action whatsoever by the poor fellow who gets them.

Malvertising is a tough thing to protect against - mostly because advertisers and publishers choose to maintain a system without commercial oversight.

ELI5 version:

A company wants to advertise online.

To do this, the company will need to arrange to distribute its ads through websites where its ads can be inserted next to the normal website content.  

Sometimes the company goes directly to the website (publisher) it wants to advertise on and makes a direct deal.

Other times, the company may go through the massive, multilayer, complicated adtech ecosystem. In this adtech ecosystem, ad networks use fancy tools and formulas to match up all the ads that companies want to show people with all the ad spots that publishers want to fill with ads.

Naturally, the “adtech ecosystem” approach is the more popular option for most companies and publishers. The direct approach, of going directly to the website to place ads, is slow, old-fashioned, and doesn’t give marketers any opportunity to use sexy adtech jargon.  

The ad networks are like the wild west - good luck regulating or monitoring anything.

They're often black-boxy by nature. They generate tens of billions of ad impressions each day, and they'll take ads (money) from anyone. In all of this automated “taking ads and sticking them on a webpage,” there are endless possibilities to slip in something malicious along with an ad.

Ad networks, of course, check for malicious code in ads they serve - they have a strong interest in not letting that through. But that only means that people trying to slip in malicious code have to be extra crafty.

That's exactly what Stegano did - Stegano was expertly designed to slip past these "security checks" and cover its tracks.

When that happens, who's responsible?

Publishers would argue that they're not responsible - "oh, no, it wasn't OUR fault that you got malware from something on our website - we used Blah Blah Blah Corp to deliver those ads."  

ESET, the security firm that reported on Stegano, agrees. It didn't release the names of publishers who served the malicious ads because "the firm didn’t want to inflict reputational harm to the websites given that they had no clue or control over displaying the ads."

The publisher didn't let the malicious ad in; the ad network let the malicious ad in, they claim.

But ad networks don’t just operate wherever they want… they have to be invited to place ads on a website. So who let the ad network in?

If the ad network let in the bad ad, then whoever let in the ad network is ultimately responsible for the bad ad.

No One Takes Malvertising Seriously – They Profit From It

But publishers don't take this seriously - the publisher’s position is that they’re not responsible, it’s those darn ad networks.

The legitimate advertisers don't take this seriously. Their ads don’t contain any malicious code.  It's not their problem if the ad networks get in trouble.

And the ad networks don't really take this seriously - consumers don't even know they exist. Consumers harmed by malvertisements are EXTREMELY unlikely to figure out exactly how they got infected and which ad network was responsible, and even less likely to pursue legal action.

Thus, the very system that creates the malvertising problem also shields its participants from any liability for that problem.

They don't just avoid liability, they profit from malvertising: the ad network gets paid for delivering the malicious ad, and the publisher gets paid for letting them deliver the malicious ad.

That's great - malvertisements are officially no one's problem. Except, of course, the unlucky consumer's problem.

But (they apparently think) the consumer is stupid and poor! A consumer who is harmed by malicious ads won't be able to figure out who's responsible, much less take action to collect damages.

The Problem Of Malicious Ads Should Fall On Anyone BUT The Consumer

The current system effectively requires consumers to bear the costs of the malvertising problem.

This is an excellent way to make sure the problem persists: when the actors who create and perpetuate a problem are allowed to profit from it and not required to pay the costs of it, they have no incentive to fix it. In fact, the profits they make from it and the costs of fixing it may incentivize them to NOT fix it.

Between consumers, publishers, advertisers, and ad networks, consumers are both:

(1) the least able to solve/mitigate the problem of malvertising, and

(2) the least able to afford the damage inflicted by malvertising.

So, for consumers, it doesn't really matter which industry is technically most to blame; they all contribute to creating and perpetuating the problem, and they all profit from it. As far as the consumer is concerned, they're all responsible.

Therefore, it's right for consumers to adopt a position of "I don't care who fixes the problem or how you do it, but you'd better fix it; until you do, I'm not playing ball."

That's literally the only way that consumers can protect themselves from malicious ads - anyone who claims that's unfair or immoral is just plain wrong.

