For Better User Experience Please Use Portrait Mode.

Worried about GDPR and CCPA? Don’t Overlook the Malvertising Threat.

Posted by John Murphy

December 23, 2019

Are you’re a publisher who’s made major changes in the wake of new regulations and new anxieties about data privacy? Good work, but I have unfortunate news to share. You may not be doing enough.

Why? Because even as publishers have gone full throttle in tackling data privacy, many have ignored another massive threat their visitors face: malvertising.

Malvertising—hijacking digital ads to launch malicious operations—is one of the most pervasive security threats consumers face today. It’s capable of hitting hundreds of millions of browser sessions in two days and impacts close to one out of every 250 programmatic ads. That’s no surprise, given that it’s incredibly lucrative for criminals who master it—and it costs the ad industry upwards of $1 billion annually. It’s a vast threat that’s poised to expand.

Yet as publishers (rightly) put massive efforts behind becoming GDPR and CCPA compliant, many are far less diligent when it comes to protecting visitors against the malvertising threat. That imbalance is shortsighted. Given the similarities between the threats of compromised privacy and malvertising, it’s only a matter of time before the public shifts its attention over to malvertising, and legislators follow suit. Publishers must get ahead of that moment before it happens.

If you’re not convinced, consider three ways data privacy and malvertising are variations on the same theme.

All Digital Abuse is Abuse

Often, malvertising isn’t just like a data privacy concern. It’s a data privacy violation, plain and simple. After all, malvertising delivers malware and phishing campaigns that are specifically designed to steal user’s data. That’s true of trojans that siphon information of machines, illegal geolocation requests that stalk users’ location while offering no value in return, and phishing-focused ad redirects— which bring visitors to pages that trick them into sharing personal information.

Even when malvertising doesn’t steal data, it can still be a close cousin to data abuse. Take one of the more common malvertiser abuses: launching “zombie network” hubs. These programs run in the background of users’ machines, committing online fraud without the users’ knowledge. Like data abuse, their core violation is a user’s digital self. Inevitably the public, legislators, or prosecutors will pick up on the similarity.

Not that the public needs to make such a nuanced connection. At the end of the day, concerns over digital privacy are an acknowledgement that all digital users deserve a safe environment, digital abuse is real abuse, and that companies are responsible for consumers’ digital safety. Malvertising is abuse too, and as a result it’s positioned to be the next subject of outrage.

When the Third Party is the Publisher’s Responsibility

To be clear: publishers aren’t the ones behind malvertising. Rather, malvertisers sneak their ads into the complex supply chain that feeds programmatic ads into publisher’s sites. As a result, publishers can argue that the malvertising problem isn’t really their fault.

If the digital privacy backlash is any precedent, the public won’t buy that argument. GDPR, for instance, holds companies at least partially responsible for problems in their supply chains. That law reflects a common sentiment amongst digital consumers—a sentiment Facebook learned well after users bolted on the heels of the Cambridge Analytica scandal. And as supply chains become more complex, more users will lump front-end providers with back-end suppliers (including legislators who appear to conflate  Google apps with Apple hardware).

Of course, the front end of the business has long been blamed for supply chain failures—sometimes legitimately. If you get food poisoning from a restaurant, you likely won’t care whether the contamination came from the kitchen or from a food distributor. Either way, you’ll likely think twice before going back.

Malvertising is the same. Even if supply chain problems are the real accomplices in bad ads on websites, it’s publishers who get the blame. And when there’s blame, repercussions are soon to follow.

Trust Will Win the Day

In the quest for better consumer data security, privacy-forward brands are emerging as champions. (See, for instance, Apple vs. Google.) 

When it comes to malvertising, the story can be the same. If users are attacked by malvertising on sites they love, they inevitably lose trust in those sites. But the most security-forward publishers can emerge as safe harbors in a dangerous digital world. That’s why protecting visitors from malvertising is a golden opportunity for publishers to reclaim the public trust.

Publishers should seize that opportunity before it becomes a crisis. And to take advantage, publishers must first make sure the malvertising threat doesn’t get lost in data privacy’s shadow. Ultimately, there’s no end to threats that users can face in a digital world. It’s the publishers who step forward to protect consumers – not just from the threat that are top of mind, but from the ones lurking in the shadows too – that emerge as heroes.

Written By: John Murphy
Chief Strategy Officer