third-partyy from apps. members were examining how consumers can breach privacy and data. this is two hours and 10 minutes.

>> i'd like to commend senator mccain for his leadership, and his staff for the very hard work in addressing facts and issues that are the subject of today's hearing. senator mccain. >> this has been the hallmark of our relationship together for many years. i believe that consumer privacy and safety in the online advertising industry is a serious issue and warrants the subcommittee's examination. e-commerceergence of , more activities are taking place on the internet, which is led to major advantages inconvenience, consumer choice,

and economic growth. these have also presented questions concerning security and privacy in the new technology-based world. it is important to keep in mind the following idea. into the who venture online world should not have to know more than cyber criminals about technology and the internet in order to stay safe. sophisticated advertising companies like have aand yahoo! responsibility to help protect consumers from the potentially harmful effects of the advertising they deliver.

casen't continue to be the that the consumer alone pays the price when he visits a mainstream website, doesn't even hask on anything, but still his computer infected with malware delivered through an advertisement. the same time, online advertising has become an instrumental part of how companies reach consumers. in 2003, online advertising revenue reached a record high of $42.8 billion, surpassing for the first time revenue from broadcast television advertising, which was almost $3 with theess very at continuing boom in mobile devices, online advertising will become even more lucrative. his hearing will outline the hazards consumers face through online advertisements, how cyber criminals have defeated the security efforts of the online advertising industry, and what

improvements could be made to ensure that consumers are protected online and the internet remains a safe, flourishing engine for economic growth. make a mistake, the hazards to andumers from malware online advertising or something that the tech savvy consumer cannot avoid. it is not enough to avoid shady websites and advertisements that look suspicious. an engineer at a consumer firm discovered that an advertiser on youtube delivered malware to visitors computers. in that case, the user did not need to click on any ads, just going to youtube and watching a video was enough to infect the user's computer with a virus. that virus was designed to break into consumers online bank accounts and transfer funds to cyber criminals. alsoilar attack on yahoo! did not require a user to click

an advertisement to have his computer optimized. a consumer whose bank account was compromised by the youtube ad attack has little recourse under the law as it stands. if an affected consumer managed to track down the cyber criminal who placed the virus, he, or relevant law-enforcement agencies could take steps against the wrongdoer. tracking these criminals down is security, even for specialists. it be that cyber criminals can sneak malware into advertisements under the noses of the most technologically advanced companies in the world? cyber criminals enjoy clever tricks to avoid the current security procedures used by the .nline advertising industry one of these procedures is scanning, essentially having a

test or visit a website to see if a virus downloads to the test computer, just as normal advertisers can target their advertisements to run only in specific locations, cyber criminals can also target our location to avoid scanning. knowsample, if a criminal that a facility responsible for scanning an ad is clustered around certain cities, they can target the malicious advertisement to run in other areas so that the scanners will not see it. cyber criminals have used even simpler techniques to bypass security. when law enforcement raided the network,f a russian they found a calendar with u.s. holidays and federal weekends. were planning to initiate malware attacks at times when the security staffing and ad networks would be at their lowest ebb. ,ust this past holiday season

on friday, december 27, two thousand 13, 2 days after christmas and 40's before new year's eve, cyber criminals hacked into yahoos ad network and began delivering malware infected advertisements to consumers computers. the malware seized control of users computers and use it to generate it coins, a digital currency that requires a large amount of computer power to create. independent security firms estimate that around 27,000 computers were infected through this one malware laden advertisement. the results of these tactics has been countless attacks against consumers online. one major vulnerability in online advertising is at the advertisements themselves are not under the direct control of online advertising companies and google. these companies choose not to directly control the advertisements themselves because sending out all of those image or video files would be

more expensive. instead, online advertising have the advertiser himself deliver the adjective to the consumer. while it is cheaper for the companies in the online advertising industry to operate in this way, it can lead to greater hazards for consumers. malicious advertisers can use their control over advertisements to switch out legitimate ads and put in malware instead. the tech companies who run the online advertising industry frequently do not know when such a switch occurs until after the ad is served. because those companies do not control the advertisement, their quality control processes are frequently eerily reactive, often finding problems after they arrive instead of before. as a online advertising industry grows more and more complicated, a single advertisement for an individual consumer routinely goes through five or six companies before ultimately reaching the consumer's computer

. that fact makes it easier for -- oneious companies to issuer that is apparent was in -- was an attack on the major league baseball site on june 12. the ad appeared to be for luxury watches. .t was displayed as a banner that ad was shown to 300,000 consumers before being taken down. in the aftermath of that attack, it was till unclear what entity was responsible for delivery of the malware. one analyst noted that the lack of transparency in multiple and direct relationships in online assigningg made responsibility virtually impossible. one way to get an idea of how complicated the online advertising world and online data connection can be, is to take a look at what happens when a consumer visits a website where advertisements are served by third artie ad companies.

when a user visits a website, that website instantaneously contacts and online advertising company to provide an advertisement. that ad company intern contacts other internet companies who help collect and analyze that user for purposes of targeting advertisements to him. each company can in turn contact other companies that profit from identifying users and analyzing those users'online activities. ultimately, hundreds of third artie a panisse can be contacted resulting from a consumer visiting a single website. using a special software called disconnect, the subcommittee was able to do -- to detect how many sites were contacted when a user visits a particular website. these contacts are represented in a chart. -- we goirst example to video -- we see what happens when a user visits the website

of an ordinary business that does not depend heavily on advertising revenues. in this case, our example is td , a bank that provides online banking services for its existing customers. it does not need to derive a large amount of revenue from online traffic and advertisements. it is a very difficult thing to see, but a few third parties were contacted. by contrast, when a consumer visits a website that depends much more heavily on revenue from advertising based on the number of people who visit their website, a number of third parties can be enormously higher. -- do we have a technical?

this video shows what happens tmz.com,nsumer visits a celebrity gossip website. just to make that point even more clear, here are td bank and tmz side-by-side. finally, another problem in the current online advertising industry is a lack of meaningful standards for security. the two riemer regulators of online advertising are the federal trade commission and other groups. self-regulatory groups have not

been active in generating effective guidance for clear standards for online advertising security. on the government side, the ftc has brought a number of enforcement actions against companies involved in online advertising for deceptive practices. these cases all involve some specific misrepresentation made by a company rather than a failure to adhere to any general standards. i will summarize by saying on the question of consumer privacy, there are some guidelines on how much data can be generated on internet users and how that data can be used. notice and choice procedures have only been partially affected. a few years ago, senator kerry and i introduced a commercial

privacy bill of rights. it provides a framework for how to think about these issues moving forward. basic rightsudes and expectations consumer should have when it comes to the collection, use, and dissemination of the personal and private information online, and specifically in prohibited practices, a clarified role for the ftc enforcement and a safe harbor for those companies that choose to take effective steps to further consumer security and privacy. that legislation also envisions a role for industry, self regulators and stakeholders to engage with the ftc to come up with best practices and effective solutions. consumers deserve to be equipped with the information necessary to understand the risks and to make informed decisions in connection with their online activities. today, one thing is clear. as things currently stand, the consumer is the one party involved in online advertising

who is simultaneously both least capable of taking effective security precautions and forced to bear the vast majority of the cost when security fails. a model isure, such not tenable. there can be no doubt that online advertising has played an indispensable role in making innovation profitable on the internet. the value that online advertising as to the internet should not come at the expense of the consumer. fornt to thank the chairman working with me on this important hearing and the witnesses appearing before the subcommittee. i thank you, mr. chairman. >> thank you, senator mccain. they's hearing is about third parties that operate behind the scenes as consumers use the internet. thearticular, subcommittee's report outlines the enormous complexity of the .nline advertising ecosystem simply displaying at the

consumer see as a browse internet can trigger interactions with the chain of other companies and each link in the chain is a potential weak point that can be used to revert privacy or host malware that can inflict damage. exampleseen a dramatic in the visuals that senator mccain presented to us, as well as his outlined in the report. is outlined in the report. report andittee's senator mccain's opening statement highlight the hundreds of third parties that may have access to a consumer's browser information with every webpage that they visit. according to a recent white house report, more than 500 million photos are uploaded by consumers to the internet each day, along with over 200 hours of video every minute.

the volume if information that people create about themselves pales in comparison to the amount of digital information continually created about them. according to some estimates, byteing a -- nearly a zeta is transferred annually. that is a billion trillion bytes of data. today's hearing will explore what we should be doing to protect people against emerging threats to their security and privacy as consumers. the report finds that the industries self-regulatory efforts are not doing enough to protect consumer privacy and safety. furthermore, we need to give the federal trade commission the tools it needs to protect consumers who are using the internet. finally, as consumers use the internet, or files are being created based on what they read, what movies they watch, what

music they listen to. consumers need more effective choices as to what information generated by their activities on the internet is shared and sold to others. i want to thank all of today's witnesses for their cooperation with the investigation. i now call our first panel of witnesses for this morning's mos.ing, alex stay , and craig spizal. we appreciate all of you being with us this morning. we look forward to your .estimony pursuant to our rules

all witness who testified before the subcommittee are required to be sworn. i would ask each of you to stand and raise your right hand. do you swear that the testimony you a gift to the subcommittee will be the truth, the whole truth, nothing but the truth, so help you god? we will be using a timing system. about a minute before the red light comes on, you will see lights change from green to yellow, giving you an opportunity to conclude your remarks are your written testimony will be rented in the record in its entirety. we would appreciate you limiting your oral testimony to know more than 10 minutes. go stamos, we will have you first. after we have heard all the testimony, we will turn to questions. please proceed.

>> chairman levin, ranking member mccain, and distinguished members. tonk you for allowing me testify. i appreciate the opportunity to share my thoughts. respectfully request that my full written testimony be submitted for the record. yahoo!'s vice president of information security and chief information security officer. i joined yahoo! in march. prior to that is served as a artemis. i'm of very proud to be working on security at yahoo!. it is a global technology company that provides personalized products and services including search, advertising, content and communications in more than 45 languages in 60 countries.

we enjoy some of the longest lasting customer relationships on the web. it is because we never take these relationships for granted that 800 million users trust yahoo! to provide them with internet services across mobile and web. there are a few key areas i would like to emphasize. first, our users matter to us. building and maintaining user .rust is a critical focus all of products need to be secure for all our users around the globe. security is a consummate evolving challenge that we tackle head-on. malware is an important issue that is a top priority for yahoo!. it is one part of the equation. it is important to address the entire malware ecosystem and to fight it at each phase of its lifecycle. we partner with other companies to detect and prevent the spread of malware via advertising and standards.

improve oursly security with the help of the wider research and security committees. where the largest media publisher to enable encryption for our users around the world. internet advertising security and the fight against malware is a top priority for yahoo!. securityuilt a top pipeline to weed out malware. this january, we became aware of malware distributed on yahoo! sites. we immediately took action to --rove malware, investigated users on mac, mobile devices and users with updated versions were not affected.

a large part of the malware problem is a vulnerability that allows an attacker to control user devices through popular web browsers such as internet explorer, plug-ins like job are, office software and java systems. malware is spread by tricking users into installing hardware that users think is harmless. we always strive to defeat those who would compromise our security.' we regularly improve our systems. every ad running on yahoo! sites on our network is inspected using this system, both when they're created, and regularly afterwards. for example, our systems prohibit advertising said look like operating system messages.

preventing deceptive advertising once required extensive human slowerntion, which meant response times and inconsistent enforcement. although no system is perfect, we now use algorithms to catch deceptive advertisements. we are also the driving force behind the safe frame standard. allows ads to properly display without exposing user information to the advertiser or network. is used not only in the thriving marketplace, but around the internet. we actively work with other companies to create a higher level of trust, transparency, quality and safety. we are members of the interactive advertising bureau's

alsoforce and we participate in groups dedicated to preventing malware. while preventing malicious advertisement, it is only one part of a larger battle area we fight the monetization phase of the lifecycle by improving ways to validate the authenticity of e-mail. spam is one of the most effective ways malicious actors make money. yahoo! is leading the fight to eliminate that source of income. the original internet mail standards did not require that senders use and accurate from line in an e-mail.

these e-mails are much more likely to bypass spam folders as it appeared to be from trusted correspondence. here is how yahoo! is helping the internet tackle these issues. yahoo! is original author of domain key identified male. it is a mechanism that lets recipients crypt of five the origin of e-mail. cryptify the origin of e-mail. d mark provides a way to revive -- this april, yahoo! became the first e-mail provider to publish a strict reject policy. in essence, we asked the rest of

the internet to drop messages than in accurately claim to be from yahoo.com users. since you made this change, another major provider has also enabled the project. we hope that every major provider will follow our lead and implement protection against spoofed e-mail. target broadly, it would spammers financial incentives. yahoo! incentivizes sharing to prove that our products are trustworthy. auerbach on the program encourages security researchers to report flaws in our systems to a secure web portal. we engage researchers and discuss her findings. if it turns out to be real, we fix it and reward the reporter was up to $15,000. -- weage were security that peopletical

are rewarded for reporting and not exploiting. invests have it -- invests heavily. we made encrypted browsing the default for e-mail. our ongoing goal is to enable a secure experience for all our users, no matter what device they use or from what country they use yahoo!. in conclusion, i want to restate that security online is not and never will be an end state. it is a constantly evolving challenge. threats that stem from the ad pipeline or elsewhere are not unique to any online company or ad network. we are strongly dedicated to staying ahead of criminals. we partner with multiple companies to detect and prevent the spread of malware via advertising.

we have led the industry in combating spam and phishing. finally, we are the largest media publisher to enable encryption for our users across the world. yahoo! will continue to innovate in how we protect our users. we will continue to battle tartars who use us. thank you very much for the opportunity to testify. i look forward to answering any questions you may have. mr. stamos. >> >> my name is george salem. i'm a senior product manager. ensuring our user safety and security is one of google's main priorities. over 400 full-time security experts working around the clock.

can control computers or software programs. it allows vicious actors to profit from helpless victims. advertising is a tremendous role in the evolution of the web. it has allowed the web economy to flourish. in the last quarter, internet and ad revenues surged to $21 billion. and ad supported echo system covers a total of 5.1 million americans. bad ads are bad for everyone, including google and our users. is to keep our online site safe or people will not use it.

our approach to fighting malware is two-pronged. the first is prevention. one of the best ways to protect users is by preventing them from accessing suspected sites altogether. this is why we developed a tool. sites are clearly identified as dangerous in google search results. were the first search engine to provide such a warning. billion people use safe browsing. is default for users on google chrome and apple safari browsers, which helps to protect tens of millions of users. users get a clear warning that advises them to click away. we're looking at ways to further improve rousing. we provide alerts to webmasters who may not be aware of

malicious software. the second piece of our effort is disabling bad ads. we have a strict policy for advertisers who spread malware. he proactively scan billions of ads -- millions of ads a day. our systems are proven to have a good track record. this is only a tiny portion of our advertising. we are costly evolving to keep up with those bad actors. we relatively quiet about our technology. malmö titers are costly finding new ways to avoid detection. we want to stay ahead of them and not tipped them off to her efforts. we are not the only ones involved in these efforts. these efforts are a team endeavor. we collaborate closely with others in the internet community. 10 years ago we issues a set of software principles. a broad set of guidelines

available online. we own and support free websites to share best practices investigator resources and supply checks for malicious content. we always use up-to-date antivirus software to make sure that operating systems and browsers are up to date. computer ised

infected, they should use a rip your product to remove malware. we can always use more help in generating support for consumers. we should all work together to identify threats and stamp them out. thank you for your time and consideration. morning, chairman levin, ranking member mccain and numbers of the committee. good morning and thank you for the opportunity to testify before you today. greg -- craig spi ezle. i'm testifying today to provide context to the escalating privacy and security threats to consumers which result from malicious and

fraudulent advertising known as malvern sizing. ertising. the impact on consumers is significant. -- 27,000enced unsuspecting users were compromised. for them, the infection rate was 100%. as noted, this is not an isolated case. cyber criminals have inserted malicious ads on a range of sites, including google, microsoft, facebook, the wall street journal, new york times, major-league is paul and others. thethreats are significant. increase in number are driven by downloads which have increased 190% this past year. one that whene is

a user visits a site with no thataction or clicking and still infects. malmö testing was first identified over seven years ago, yet little progress has been made to attack this threat. the impact ranges from capturing personal information to turning a device into a pot, where cyber criminal can take over device and use it to execute a service attack against the bank, government agency or other organization. users personal data and health records can be stolen or destroyed in seconds. in the absence of secure online advertising, the integrity of the entire internet is at risk. continues toion

grow. for reference, the development of coal mining and the use of steam power generated from coal is without doubt the most biting narrative of the 19th century. the environment soon felt the full industrialization impact in the form of air and water pollution. today, we are at a similar crossroads which are undermining the integrity and trust of the internet. does malvertising occur? audience.d target in the absence of any threat reporting, once detected and shut down by one network, the criminal simply waterfalls, or goes over to another unsuspecting network to repeat the exploit over and over.

on the left, you see the different tactics of how the malvern typing is inserted -- lvertising is inserted. the impact of these threats are increasing significantly. criminals have become experts in targeting and timing. they have become what is known as stated -- as data driven marketers. they have been able to choose the date and time of the exploits. in the absence of any meaningful policy and traffic quality controls, organizers recognize -- of choice. the recognizing the threats in 2007

, in 2010, this group leveraged a proven model. it has since published several white papers. small, but a are first step to combat malv ertising. as you heard before, an effort was launched known as the ad integrity alliance. past january, this initiative disbanded due to its members desire to reform this -- to refocus defensive practices.

in the wake of this group's demise, trust in ads was formed last week. .ts focus is public policy note that nont to amount of consumer education can help when a user visits a trusted website that is infected with malvern ties with -- with tising. instead of building security features and the cars they sell and profit from. other industries efforts focus on click fraud, fraudulent that attempt to generate revenue by manipulating ad impressions.

they focus on operational issues that face industry. while these efforts are important, please do not be confused. what is needed? ota proposes a holistic framework addressing five notification,s -- data sharing, remediation. in parallel, operational solutions must be explored. i envision a day where publishers will only allow ads from networks. what browsers would only render those as set up and verified from trusted sources. it is recognized that such a model would require systemic changes, yet it would increase accountability and protect the long-term vitality of online advertising, and most importantly consumers. in summary, as a wired economy

and society, we're increasingly dependent on online services. need to recognize that fraudulent businesses and cyber criminals and state-sponsored actors will continue to exploit our systems. for some, it remains a black swan event, rarely seen but known to exist. for others, it remains as the elephant in the room that no one wants to knowledge. today, companies have no acknowledge these problems. of damage can occur. failure to address these threats suggests the need for .egislation has learned from the target breach is a responsibility of companies and executives to

implement safeguards and achieve the warnings of the community. these standards must also apply for the ad industry. the expense of short-term profits. it is important to recognize there is no absolute defense. in parallel, ota proposes incentives to companies who have demonstrated that they comply with codes of conduct. perceived antitrust issues and privacy issues which can be addressed as a reason why not sharing data must be resolved to aid in the real-time fraud detection required. every website we visit and every transaction we make in every website we respond to.

thank you. i look forward to your questions. witnesses.the if you put the chart back up about the increase in mouth .dvertising >> i don't think the problem is getting better. i don't believe it is getting worse. >> you don't believe that chart, then? >> i saw that on the report. -- >>dication where you're saying that chart is inaccurate? >> that is not the information i have.

maybe you can provide the committee with information that . would you agree that the worst of which come from overseas, particularly russia? >> we see attacks from all around. it is usually very difficult to -- >> so you have no accurate data about where it comes from. that is good. where does it come from? >> we see these attempts from all around the world. you're right, we do see a lot from eastern europe and the former russian republics. >> well, thank you for that. a lot of thee malware itself will come from .ervers that are in russia >> is really an international issue as well as a domestic issue, i would argue. suppose that some individual is

the victim of malware. have anyo! responsibility for that? >> we absolutely take responsibility for our users' safety. >> of someone who loses her bank account, you reimburse them? >> i believe the person that is responsible is a criminal who does it. >> even if they use you as a vehicle for the crime? >> we work very hard to fight this criminals. >> are you liable for reimbursement for the loss of that individual that your with a vehicle for? >> we believe that the criminals are liable for their actions. >> i see. you being the vehicle, you have no liability? thatof like the automobile

has a problem with the maker of automobile is not responsible to the person who uses it? >> no. every user is important to us. if a criminal commits a crime, we do everything we can to figure out how they were able to do that and then defeat in the next time. >> you have no liability whatsoever? >> senator, that is a legal question. talk about the security side. >> i am asking a commonsense question. that as very seriously. >> thank you. you have the five recommendations that you make in your prevention. you say stakeholders who fail to adopt reasonable best practices and controls should bear the

liability, and publishers should reject the ads. -- arekeholders stakeholders using reasonable controls in your view? >> the information does not suggest they are. it is a very isolated setting right now. recognizing there is no perfect security, and the absence of taking reasonable steps to protect infrastructure and -- froms from arm, harm, they should be held responsible. this information is then kept required. it has been suppressed over the years. executives of some of the trade organizations deny it even exists. >> we decide example of that is giving the mallet advertising. , by the get those facts

way? they do not share your view. click start many players in the industry. this past week we had about a dozen companies come to us asking for legislation that are in the ecosystem. they recognize that the absence of this marginalizes their business and they need help. from the intelligence community and the networks themselves. they don't to be public because of the pressure from the industries and the trade organizations. we try to normalize it hurt i data suggest that this under reports it by at least 100%. we do not know, and their lack of willingness to share data and pizza problem. have the same best practices standard between your two organizations? >> senator, i believe we use about the same types of technologies and tests.

bestu have the same standards practices? >> i believe so, yes. with our adclosely partners to trade notes and we share a lot of the same technologies. >> i have to also add that we do communicate. we do discuss different issues that come up, different now advertising trends. >> you need liability protection to work more closely together? >> we were very closely together. >> why don't you have the same best practices standards? >> we are different organizations, where different corporations. >> but you is facing the same problems -- you are facing the same problems. i'm asking if you adopt the same best practices standards. adopt theve ready to same practices, but we have diverse implementations, which is an important part of security.

the ota have several workshops offering house rules to facilitate a to sharing. isortunately, the response being addressed internally. we have asked google multiple times, we have asked yahoo! and the other companies to come to the table. again, the answer has been that it is not a problem. >> in september of 2010, the publicly stood up and said mal ware is not a problem. tothen i guess we get back s, to your agree that this is a problem? >> absolutely agree. we have to put it in context. the numbers are much larger.

there are three parts to that. ishors create malware, which about creating safe software caters there's just a vision, of which advertising is the part we are responsible form, but is a tiny sliver of the distribution problem. then there's the financial side. from our perspective, we focus a lot on preventing ourselves from becoming part of the distribution problem. we also fight the entire lifecycle. in the end, there will be no perfect reduction in each of those places. what we need to do is decrease the financial incentives for the criminals to attempt to do this in the first place. >> how do you do that? >> from the software side, the companies that make that softer treader make it harder for mauer to be created. in the distribution side, we build our analysis systems to make it harder for them. >> i will look forward to your lvertising. you

have a lot of work to do. >> every single user -- quite obviously, you're downgrading the importance of this issue when you say it is only a tiny there 200,000 if or so -- >> 200-9000 identified unique incidents that occurred that were documented. >> i would say that sliver is a os. ty big sliver, mr. stam >> we have testimony here from iezle that says that ideally, you have solutions where publishers would only allow ads from networks who vouch for the authenticity of all the ads they serve. web browsers would render only

such ads which have been signed and verified from trusted sources. it is recognized that such a model would require systemic increaseyet they would accountability, protect the long-term vitality of online advertising, and most importantly the consumers. would you support those kinds of os? emic changes, mr. stam >> as to the authenticity for ad networks, i can only speak to how yahoo! does this. mr. spd you support what iezle is recommending? >> current technology does not exist to sign in at all the way through. we have moved a great deal of the ad networks in the world to supporting encryption. it is really what is supported the browse for it now. >> is any reason why we can't require that as the verified that they come from trusted sources? is a reason you can't do that?

>> i believe now that browser technology does not exist. >> i think were talking what a combination of operational best practices and technical. with,a conflict ecosystem as senator mccain stated, multiple intermediaries. this is a desired state. if we can't thought from the advertiser is, we should not accept the ads in the first place. that is the first part. that is operational. now?n that be done >> i believe it can. thee have agreements with networks we work with to have them pass information through. if we find it there problematic, we get rid of those networks. >> to the verified before they put on the ad? >> senator, i'm not sure exactly does.ach had >> our ad networks are verified, but they basically can have

genetic relationships. we do not know what those relationships are. would verify the identities of their advertisers. criminalses and pretend to be legitimate companies. some companies use ads that appear to create -- they appear to be real. the vetting process appears to be perfect, yet again, these criminals have come made specific companies that look real. >> what can be done now practically that cannot be done by companies like google and yahoo!? >> to help address this very threeic threat, we held four-day workshops. in october we publish what we call a risk evaluation

framework, which i have here, and is referenced in my testimony. it provides a checklist on the on boarding or verifying. this is an example of an operational step. >> to know whether they been taken? >> i do not know. >> those specific steps? >> i do not know. >> if you got to that meeting, you would know. how do come you did not go to that meeting? >> we are part of a lot of groups working on the problem. >> let me change the testimony here. companies that today have little incentive to disclose their role or knowledge of the security event leave consumers unprotected for months or years during which time untold amounts of damage can occur.

it is suggested that there be legislation adopted similar to state breach laws that require mandatory notification, data sharing, under mediation to those who have been harmed. to support a mandatory notification requirement, mr. mos? >> this is a more complicated issue than breach notification. information to know how to notify them. also, any situation where malvo ties in where mal advertising is agree, there is more notification to regular that advertising occurring. chairman, every day we

stop mal advertising. i think it comes down to the details of an incident very we are talking about two or three incidents today over. about findingking 10,000 sites today. sites that are set up that host malware. >> how many breaches a day? mr. chairman is important for us to use right terminology. i think the breach is not the context are thinking about. it is more than a confirmed a site ishere observed and documented. malicious ads go through the site and properties and infrastructure. that is what we are referring to.

>> in the absence of that, that is why there is not good data. that is what makes us much harder to go back and find the original perpetrator. >> i personally would be careful about making a commitment like that. one of the things we try to do community discuss what the issues are and make sure it isn't public. things as you make public, you're basically talking about -- >> regulator. >> again, that is would be a public document. we would rather not make some of this information public so the criminals find out how we're detecting them. >> everything you tell the regulators is not necessarily public. you can have other information not made public. putting aside that problem, any theon why you can't notify

?egulator yahoo's privacy policy indicates that you provide partners ofto informationonal to -- so that yahoo can abouticate with consumers offers about yahoo and the marketing partners. didn't you say the partners do not have any independent right this information? of thesharing information prohibited? >> mr. chairman, privacy and are intertwined, we have a dedicated pr privacy tea. you know offhand? sir.do not,

great -- there is a emphasis here on education. here's the problem, the business instance of yahoo, you provide a list on your of these third-party partners. there are over 150 companies that do advertising work alone. policye in your privacy that these companies may be placing cookies or web bug on as we browse. how can consumers possibly each ofthemselves about these third parties? of them, companies unknown to people outside of probably. do you think it is feasible, i'm going to ask you and this will my last question, for consumers to evaluate the policy -- the security policy and the privacy policies of each the 150 entities.

suggestion?actical >> we're not expecting consumers this one-on-one. that is why we provide privacy options. work with the d.e.a. to make decision-making authority for multiple across partner's. that is where we have to go to have the choices up in one place. >> well, but you're suggesting they educate themselves about partners of yours? >> i am not suggesting that. familiar with the language you're referring to. >> thank you, senator johnson. you, mr. charm. -- chairman. haschairman said this enormous complexity. i think the ranking member said the online internet advertising indies pinsible role.

improved people's lives. we need to understand how complex this situation is. the analogy i would use, because talking about criminal activity and who is liable for it. let's say you have a criminal safeguards in a overab, the criminal takes the cab and kills someone. the taxicab company liable? i think for the purpose of this can government potentially do to help it? yahoo is.know who i think i know who google is. you obtainnow how revenue and make money. i'm not sure about o.t.a. and about coupleouple

of things that surprised me in terms of comments made. you?re where do you get your funding? revenue?u obtain your >> thank you for the opportunity to provide clarity. founded in 2003-2004 as a for thegroup to address spam standards that yahoo referenced in their original to amony there collaborative effort. >> who funded that effort? take money to do that. >> that was through companies like microsoft, paypal, lots of came together, cisco. >> do you continue to get way or in other ways? >> our funding comes from a ways.le 501c3.a we have contributors and we receive grants. very clear.is

we support advertising but again is most important part improving consumer trust and the vitality of the internet. what sends bells and whistles going off in my head. talkedirman said you about the fact that yahoo and little incentive to do what? anst of all, is that accurate statement? little they have incentive to do? >> it is incentive of data sharing. issue thatdustry we've been trying to get people together. >> you deny the fact that google enormous free an market incentive to make sure this criminal activity does not occur in the networks? >> there is a responsibility and sharing and of data in theis marginalized

system. >> answer the question. doesn't yahoo and google have enormous financial incentives to preventolice this and mal advertising and malware. to add it and change it is a how they operate today. not answeredt have the question. you do not think a yay highway an enormouse incentive? >> i think they are. >> here's the point. what can government do better than what these private companies can do to prevent this? i sat through hearing after hearing. for example, just this week, we talked about the defense department who was unable to get years.it ready in 15-20 my point is there is a role that the government can play that is me out --ve -- hear

that does not do more harm than good? i've been investigating this and involved in commerce committee hearings. first -- the first step we need to take in terms of cyber sharing.is information and the only way we're going to get information sharing is we provide some liability protection. is that the first thing the do?rnment has to we have to enact some type of information sharing piece of provideson that liability so you will share information? you, senator. we're in support of information sharing. we're happy to work on the details of that, yes. >> do you think that is the step? >> i think that is an important step. i also think the government can work on disrupting the financial side. talking about enforcement, going after the criminals and penalizing the

criminals? >> yes, making it hard for them to make money. are sellingse guys products, they are taking credit cards, they are cashing checks. can't arrest them because they are not in our jurisdiction, we can make it to profit.or them >> would that require more regulation in the banking industry? maybe some targeted actions there? i don'tot a lawyer so know the exact. i think it is already illegal, i issue.t is a focus >> what can government do? what is the first step? >> senator, you mentioned, basically, looking at being able to allow information. clear, my team does the anti-malware advertising. to ourappy to speak colleagues openly about the different threats and what we it.do about we do talk openly about some of other threats that come out. trust.poken about

or where you have scams, basically, in the tech support industry. these are terrible consumers. installed onare their computers. they were giving their credit in india.r to people >> that is between companies. what about information sharing the the government so government can send that information to other people in the industry that you don't have with?nership the other thing i want to get to of federalt breach.tion on data so you don't have to deal with 50 or more, hundreds of of jurisdiction. is that something that is pretty important? is that something that the that isnt can do constructive? >> yes, it would. we enacts my concern, some piece of legislation with the best of intentions that more delft, it take -- difficult. your eye off the ball.

>> currently today, we are able scanning,ow, do our look for the bad ads, look for users,es that protect our talk to other folks in the maltising.out the >> part of my concern is some of the answer you're providing in the hearing here is you obviously don't want to alarm your consumers and i don't want in your mouth. we all know it is a small slice. big problem, right? i want you to answer the question that i asked him about the enormous incentives you have. you mentioned it in your

testimony, a top priority, users matter. is atrust, user securities top priority. i think it makes common sense to underscore that point. >> for google, user privacy, security is number one. we're an internet business. users one click away from going to our competition. takeve to prove that we this seriously. when we click on any ad, it is a we deal withhen our third-appeared advertisers, are better as well. >> we have a huge incentive to maintain trust. 800 millionthe people around the world we have to maintain the trust of our users and we have to live up our responsibility. >> i come from manufacturing background. when i first got into it, i was deal fors is a good

consultants but going through became a believer in terms of providing, not only to get ourthe tools price under control but to our customers and supply theirs we had it under host ofacross a whole that standard. from my standpoint, that sort of certification process would make sense for this particular -- when we're talking about standards, standards in advertising. andhat something that yahoo google would support, a process the would give consumers comfort that standards are in place? >> senator, i think we would support self-regulation to set guidelines. from the technical standards, is something that we change and innovate on every single day. have to be careful that we're not being descriptive that went not living up to a rule.

>> that is why i'm talking about a private sector alternative. is at to make sure it cooperative one and not one that and isup in business hostile to the actors in the room. thisave to have cooperative, fast moving because these standards have to change, what, daily? need, if we're going to have any hope, all able to do is be minimize this, right? the criminal will be one step of us all the time we have to continue to change these standards, correct? >> correct, we have to evolve to ahead.re we're one step >> i might add that the standards that were addressed earlier. the spam e-mail, there are examples that similar that could be

employed. there are standards that could increase trust worthiness in advertising. >> thank you. you know what percentage of all of the malware incidents advertising?ugh i think this is your chart, correct? >> yeah, this is a chart. >> what percentage of malware incidents are attributable to advertising in the year 2013? >> i don't have that specific data. >> how can you not have that data? thet you have to know context of that number? >> this is specific to document malicious ads were documented and observed. we're not looking at click at searchre not look ad. >> why not? >> because this is the area, again, that is coming through the pipeline. critical infrastructure is where the consumers don't have the ability to protect

themselves. >> if i have malware on my xrrks it does not matter writ came from. this is one small piece of it. know what percentage of aremalware incidents attributed to advertising? >> we do not know that information. know it?nybody >> we know the classic way that malware isgets visiting a site. that is the classic away. i'm getting at, how much is site specific to ad specific? see numbers from other sources in the tens of hundreds of millions. that is where i put the hundreds of thousands here. >> so we're talking about less 1%? >> it is hard to know, senator, where each malware infection comes from. i don't think that is unlikely 1%. it is less than thisme of the people in

room have heard me say this before. part of the problem is consumers brought along early in this process to understand the importance of being educated and they areding what getting for free is coming at a advertising. i don't think you would argue differentuld have a internet if it were not for the backbone, the foundational backbone as we know it and the of jobs is around behavioral marketing, correct? >> we fully agree that advertising supports services that society and businesses get today. hear how unfair it is that their data -- they are ads for outdoor furniture. out aboutget creeped it, they are not making the theirtion, that is why internet is free. you.is on

you have not informed them bargainately about the they are striking. perhaps what would be most whatul is to figure out, the costs would be if we were to remove, if we were to clamp down the advertising and the of behavior ability on the market by knowing what people are interested in. know that someone who watches oprah may want to ad for slim fast on oprah. you try to target your audience on what they are looking at. does anybody know what this people to have an e-mail or to have the search if itlity they would have were not for advertising? fie thaty to quantity so consumers try to understand getting.in they are

>> senator mccain's number in his opening statement when he ecosystem being around $43 billion. that would be the overall cost. is the one thing the government is supposed to do in this space? criminals,is catch right? >> yes. >> why are we not catching more criminals? how much time is your organization spending on the failure of government, domesticically, federal, state, and internationally. the abject failure we've had i know it is- and hard. the i.p. addresses disappear in that.han >> thanks for your question. it is a problem of epidemic proportion. one of the biggest challenges, i outlined in every areas is data sharing. sharing toust data government. we have to remove the barriers and the barriers site by the room.zations in this

for example, sharing the data within each other. that is the first part. absence of that we can't peel back the onion. working with the f.b.i. and is at service, this difficult problem to go back to and get them. saying there government's failure is because google and yahoo and their sharinges are not information with law enforcement? >> i'm saying in germ it is not failure.ent it is in general failure among ourselves and law enforcement of of these incidents are occurring. it is a difficult problem. also being victimized. their infrastructure is being victimized as well. recognize that issue is businesses.r we have to put measures in it to detect it.and in absence of data, we can't the others to bring it down as fast as possible.

>> let's try to drill down on that. to work in arying cooperative and moment by moment with law enforcement? >> yes, senator, we have a dedicated team that we're in the process of beefing up that when where we incident believe there is enough information, we refer that information to law enforcement. with them throughout the investigation. we had some success in the of several networks. there is a component that makes don'ts difficult but you have to arrest them to make it economically feasible for them commit these crimes. >> i would like more information on that. anything youriate organization could bring to that, also. understand why we're not having more robust success in the law enforcement you're companies are being victimizes and consumers criminals.zed by

is being constantly asked for information by law enforcement. that. the few times we approached law enforcement and said we have i.p. addresses, we know where the servers are, they are in the united states. things worst asked to fraud, thew us the amount of damages. we don't have that information. overall, we have problems approaching law enforcement to take action. record, would you provide an example for that. do that offline, yes. >> can you give -- one of the things i think there is a stress for you all and that is clearlyg consumers as and boldly as many of us belief you should inform them. of this can be prevented know.sumers, as you well

you understand the ecosystem of the internet. you understand the concept of cookies and if you understand and ife browser is doing you understand the power of a a great deal avoid of the danger. consumers, thern more they are going to be afraid robustly participate in the internet in terms of accessing and doing the things that generate a lot of income for the ecostructure. i know it was better than it was harping on this years ago. the secret about their power, individual's users power. i've a great deal of power on this thing but the only reason i know it is because i have an amazing staff that helps me understand how i can access that power.

the average consumer does not have a clue. that is what the organizations fund you ought to be worried about is how the consumer becomes more empowered in this environment. it is the only real way. >> if i can respond. the consumerse on has a shared responsibility to make sure they are updating their computers, patching their practicing safe practice, absolutely. trusted siteg to a they know of, today type it in, link.on't click on an they go to a trusted site that exploitan exploit, an that has never been disclosed to not enough, there is education that can solve this problem. we have a shared reponlt through stakeholders here, networks, publishers here and i think that having this discussion today. >> your organization, i know a of the security -- i guess

selling a company security projects, i would want to sell to you. yourssuming a lot of throughtors make it internet. come from web m.d. and other services. >> do you provide the services -- the workshops that you provide? of cost as part of your income that you actually need the rch? workshops is a cost recovery basis. we hold them throughout the u.s. and europe as well in a range of subjects. revenueu don't get stream? >> they are designed to cover operating costs for the programs. >> thank you, senator. andhank you, mr. chairman thank you for holding this hearing. dramaticeen this

increase. it is appropriate that we're talking about. senatorgree with what johnson said that the internet has thrived and we want to make it continues. it is critical to our economy. we talked about a lot of solutions. i don't understand enough about problem to understand what the solutions are. verification standards, senator mccain talked about the youility procedures, i know are not lawyers but we would like more information on that. accountability measures for them makes sense. we talked about enforcement. to ask you about that in a second. the enforcement requires the information, which is important get at what you talked about in terms of the financial

incentives. i have a question to back up so understand this problem better. you're with google, kind of a company, i understand that enteran 100% of ads that into your advertising network, is that true? 100% of the ads eventually. we have third parts and we have ads as well. all of ads that are google are served.before >> let's focus on the ones that are google hosted. >> yes. you are scanning all of did the malhen how youtube end up? it was a major issue? how did it happen? >> it happened because of there

were third component ads, there calls.a script they are tracking analytics that ad.long with when we scan an ad, ad looks great. on how muchased they are shown. aese went bad before we had chance to rescan them. >> so you don't have a continue to analyze ad so it went bad. what are you doing to address that vulnerability? >> we looked at our risk profile on these ads. themwered it for many of and we're scanning for often for a lot of them. >> are you scanning enough to malwareth the youtube happening again? >> we believe so. we hostall of ads that and we rescan them quite a bit. we take town ads continuously. websitesbased on the

are going bad and some are ads bad.elves are going >> this is disabling malware. when prevention fails as it did with this incident, what can consumers do to protect themselves from harm inflicted google ad network or any other network? >> i wouldn't call it huge. it was on our safe browsing list. mozillao use chrome, mow still were already safe from this. these are the users who got the exposed to malware. we don't know how many downloaded the malware. don't know how much the damage was? >> we look at the potential. ad goes bad and we look at the last scan, that is when badonsider all of that

advertising. that shows us what can protect to user is the knowledge antimalware, they need to update browsers. >> let me ask you a question if you about conh of consumers. what can be done to inform people that they have been infected so they know it without tipping off the cyber criminals involved? area fort one consumers as senator johnson was talking about consumers going to this? to it is impossible for them to they don't react if know they have been infected. how do you let consumers know that? you, senator. as the gentleman from google

said, cyber criminals are basedng users to attack on criteria that aren't ours and aren'tn servers that ours. we don't have the exact list of users or i.p. addresses that attacked nor do we have a direct relationship with the users. direct notification is an issue. do notification on our blog and we have a safety that refery website users back to that gives tips on system. can patch their >> any thoughts on that? >> i agree. again, knowing where that ad ran and who it was. thee are, obviously, antivirus software, i agree the consumers gete notifications. related efforta with i.s.p. best practice where detect abnormal behavior

coming from an i.p. address from a residential computer. there is progress in that front, not related to ads specific but device has been compromised and how do you notify? the framework that i identify today and outline is based on the framework based on prevention, detection efforts. i raise that because this is an us to move outs industry andf one siste look to see what the industry is doing to solve similar problems. the report, it seems to me that what senator levin's team is saying you don't have the incentive you would otherwise don'tecause consumers know that the mal advertising came from you. how do you respond to that? tohink if you don't know contribute it to a particular ad atwork, there might be

disincentive to address it. otherwise, there would be a incentive on the advertising that i got from yahoo. that?s your response to >> i can say something to the misconception. because you visited a site, we don't necessarily know who you are. far as being able to let this adnow, you know, potentially had malware. we don't know who you are. anonymous and it is done on purpose that way. that is why someone can target specifically with an ad. they can target your gender or your age group based phone profile -- based on profiling. we don't know who you are so that is not possible. >> as to the motivation, obviously, this kind of incident happens. it has an impact on our reputation it. impact on the trust that

users have in us. for ourthe bedrock business. we have a security team, a trust team, an antimalware team. >> you can't tell your customers attacked. >> we can't tell advertising customer as mr. salem said we don't have that information. tie that bobctly smith looked at this advertisement. wouldn't thatld, make for more effective enforcement regime then you be in a position to respond? >> i believe, senator, that privacy issue that we're talking about here for us to track. >> what i found interesting look through the material that was sent to us in advance. cyber criminals carry out attacks on weekends and holidays because they figure guard is down. is your guard down on weekends and holidays?

>> absolutely not, senator, thank you for the question. the systems that do this are automated systems. you are guilty until proven innocent. an upload, we scan before ad is seen, we scan afterwards. anything strange ad gets pulled and our people get page. >> so consumers should not be weekends or holidays?s >> absolutely not. >> thank you for that. i don't know if your group supports it but you can tell us, and ads we expect trust address this problem? how can consumers get information? what is only respond to on the website and it is about educating policymakers and notifying consumers on what they can do when they have been

harmed. i look forward to find more information from them. >> do you think it is going to be effective? >> yes, it has been effective. our studyy released on the support vertical. what we noticed is when google clamped down on this scammersscam, the started going to other sites. we reached out to our colleagues stop thisre that we from happening for everybody. >> i totally agree. think we're focused on the deceptive advertising and the fraud. put together was because it is a single way to advertisements so all the companies are involved so we can take them down and ban those advertisers. >> thank you very much. we thank our participants in testimony.for your it has been extremely helpful and we'll move on to the second panel. >> mr. chairman, it is a little when dispute facts.

mr. reagan used to say facts are things. that it is someone else's problem and it heightens motivation to reinvigorate legislation that we tried before but also try to make google and yahoo understand that this is a much bigger problem than the testimony -- their testimony indicates they think it is today. a bit disappointing. thank you, mr. chairman. votes.ave four >> i just want to ask yahoo and scanning.e how many scans are you doing? that you arege

doing if you want complete coverage? scanning 1%, 100%? 100%.scan all ads, >> but you're scanning and rescanning them. coverageomplete versus -- is it an impossible question to answer? >> give it a try for the record. right?hat be all >> the other thing i want to know how many people in your organization are devoted to security? the number of people because i want to ask the government how have available. 100% of ads. as for the number of people, i would say across the different people. have over 100 >> do you want to give an answer to the number of people? has 400 people working on security. over 1,000 when it comes

make sure ours to ads are compliant. >> you all were helpful. i want to thank senator mccain bringing this to us and i agree with his comments and the this report. associate director of the thesion of privacy and federal trade commission in washington and the managing of the digital advertising alliance in new york. we appreciate both of you being here this morning. i think you know the rules of subcommittee. all testifying today need to be sworn so we