Third Party Risk

Duke Researchers Observe Dramatic Changes in Undesired Third-Party Code on Duke Network

Since the beginning of July, a team of Duke researchers has been collaborating with The Media Trust, a private cybersecurity company, to investigate an under-researched area of cybersecurity risk: the impacts of undesired third-party code on internet users. The study involves analyzing two evolving datasets: one collected by The Media Trust, and the other by a security team at Duke’s Office of Information Technology (OIT). 

A group of Duke researchers at Sanford School of Public Policy and the Duke Office of Information Technology (OIT) is collaborating on a project with The Media Trust (TMT), a private company that scans websites to determine what malicious third-party content those websites deliver to their visitors. This third-party content includes any code delivered by a domain other than the domain the individual expected they were visiting, such as by online advertisers or trackers.

Our digital world is held together by "code" – the software that creates everything from operating systems (OS) that run our computers, mobile devices and virtually every other piece of hardware to smart watches to Amazon's Alexa. But on top of that code is more software, which builds the apps that run on top of it.

Last year, experts expected great things from 2020: thanks to the upcoming Summer Olympics, developments in AdTech, and the election cycle, digital advertising was projected to grow by 6.6% this year, raking in higher revenue and more customers than ever before. But for most people, this has not been a good year, and - four months on from January 1st - we have witnessed an average 10% decline in ad revenue across industries.

Talking about web security with executives is difficult: to many, it's an abstract subject mired in Greek. Cross-Site Scripting, SQL Injection, third-party code – who knows what that is and who cares? But it’s hard to be flippant when you realize how much a modern organization’s revenue depends on the security of its website. After all, more than 80% of consumers research a business online before they’ll pay for a product or service.

Mobile apps have become a ubiquitous feature of the modern lifestyle: whether they’re keeping up with friends and family throughout the day, pausing for a round of Candy Crush, or obsessively tapping social media notifications from dawn till dusk, Americans now spend 90% of their online life within the confines of an app. However, very few users or developers are aware of the dangers that this mobile activity regularly exposes them to.

Every election cycle, a news storm breaks out about the possibility of mass voting fraud. We hear that the poll machines are broken, or sabotaged, or too confusing, or all of these things at once.

malvertising

During the 2016 election, fake news, bots and foreign meddling drew out problems in the digital ecosystem which the Big Five (Facebook, Google, etc.) have rushed to address. But in spite of significant progress, the fundamental issue remains untouched: the Web is specifically designed to deliver information to users using personalization features.

2018 was not a year that inspired confidence in our digital ecosystem. In spite of a worldwide effort to promote Internet safety exemplified by GDPR, we saw a 400% increase in global data breaches, which no doubt testifies to the growing black market for personal information, the increased availability of tools for attackers and an ever-expanding list of potential attack vectors.

Just in time for Easter, a cybercrime gang has gifted iPhone users with a new malware attack: 500 million of them and counting. According to reports, the attack exploits an unpatched and obscure vulnerability in Google's Chrome app, available through the native iOS app store.