Malvertising: How the ad model makes crime pay

In September: Tits and ads: Malware-riddled banners stiff X-rated websites

Revenue and liability

Advertising expenditure has consistently averaged between one and two per cent of GDP in the US over the last century, and it's a figure you'll see in many of the world's wealthiest countries.

The advertising industry is enormously valuable globally, and the number of business parties involved in the online advertising ecology –including publishers, the advertising networks themselves, through to inventory resellers and the customers ultimately purchasing that inventory – means that the liability would be extremely difficult to pursue in a malvertising incident.

Talking to The Register, Mark Taylor, a technology and outsourcing lawyer and partner at Osborne Clarke, said the business chain could throw up difficulties during the civil process of assigning liability.

"There may be some claims of negligence, but this would require showing that the party involved failed to take reasonable care," and whether every party along the chain would be good for it would likely prove an enormous hassle, especially when some of the companies involved were very small.

Taylor noted the EU's Electronic Commerce Directive (ECD) which gives a blanket exemption to those merely hosting or caching (those who are a 'mere conduit') any tortious content. While there have been a few cases n which the ECD's exemption has been used, none have been related to malvertising - "it has mostly featured in defamation and libel cases," stated Taylor.

This may be attributable to the way that the "exemptions of the ECD are crafted" suggested Taylor, who noted that the ECD's "mere conduit" exemption "doesn't really fit with a malvertising scenario. This is not to say it doesn't apply to malvertising incidents, but a closer look at the purpose of Directive would be necessary for anyone looking at liability in malvertising."

"One of the most interesting things in the pipeline, however, is the Network and Information Security Directive. Although it has been 'close to finalisation' for a while, it will place general obligations on adequate security on 'market operators' - although who such market operators would be isn't clear," he added.

Look away, megacorps at work

If the adequate security obligation is extended to those operating within advertising, the Directive could provide some incentive to cut down on the growing attack vector in making inadequate security grounds for a statutory tort. It would, for the first time outside of data protection law, establish that particular security failures may be negligent.

The EU is also currently finalising the General Data Protection Regulation (GDPR), which as a Regulation rather than a Directive will immediately become law in all EU member states (without those states' legislatures needing to pass enabling legislation).

Among the GDPR's more sensational inclusions is a touted liability sanction for data breaches, with certain notoriously extraterritorial megacorps looking set to struggle to escape their fines as such fines will be calculated on the basis of annual turnover to reach as high as five per cent of global turnover or €100m, depending on which is higher. Malvertising and data breaches are quite different issues, however, even if the former may ostensibly lead to the latter.

Taylor told The Register that he doubted it would be through such regulation that malvertising is addressed, though. Rather it would be through market factors, including a reaction to greater user uptake in ad-blockers. The notion of bottom line sovereignty is one Segura agreed with, and considered part of the existing issue.

"Malvertising has often been viewed as a 'manageable' or cost of doing business problem," he explained to The Register. "The reason why I use the term 'manageable' when I talk about malvertising is because this problem has existed for a number of years and very little has been done structurally to address the problem. To put it bluntly, ad networks are still playing the same whack-a-mole game they were doing in 2010."

There are many reasons for this, suggested Segura, but ultimately ad-networks haven't redeveloped their structural models because "it is easier to address an issue when it arises than to rebuild an entire business model/ecosystem from the ground up. In many ways, the industry is afraid to reform itself and finds it easier to apply temporary patches."

Segura stated: "In addition, most malvertising attacks go undetected and attribution remains difficult. The saying 'what you don't know can't hurt you' is actually quite true. If nobody complains about a malvertising incident, then what is the negative impact on publishers, ad networks, and advertisers? This is why it is important to publicly disclose incidents and hold whoever is involved accountable."

"Ignorance is a defence as it protects against liability," added Taylor, as an ignorant party is likely not to be found negligent. Ignorance is an increasingly easy option suggested Segura, as ironically it is the web's security protocols which are best enabling malvertisers to evade detection.