Imagine how differently things would have turned out in Europe during the Black Death – a medieval plague that killed two out of every three persons – if people could have been warned ahead of time. If only they had had the tools we have in the 21st century. As we deal with a pandemic in our time, critical information can be disseminated in seconds. That’s thanks, in part, to the World Wide Web.
Because of the Web, legislators are able to communicate directly with the public, businesses can continue functioning in the face of lockdown, and citizens can act on the basis of accurate information. But COVID-19 has also revealed serious flaws with the web that challenge our ability to keep the public safe from malvertising, misinformation, and cybercrime.
Most of us realize that the Internet is now driven by advertising-supported content, which allows media publishers to offer free information in exchange for accepting advertisements. We are exposed to this reality everywhere, from mobile pop-up ads, to paywalls across media websites, to the sale of our data by companies that track us across the Internet. While this is the new status quo, sometimes the status quo must be disrupted.
Early in the COVID-19 crisis, it became clear that these routine monetization strategies could represent a dangerous obstacle to an informed public. To their credit, many digital advertising industry participants adapted: for the duration of public lockdowns, publications like the Los Angeles Times, the Boston Globe and The Atlantic made all their coronavirus-related coverage free, and ad tech providers identified fraudulent and/or scam ads. Initially, advertisers blocked keywords like “coronavirus” to prevent exploitative price-gouging until they were able to adjust their messaging to better reflect the new world we live in.
From an optimistic point of view, these were all noteworthy measures that show humanity during times of crisis. Unfortunately, the problems with our digital ecosystem have become bigger than the digital advertising ecosystem: third-party code (3PC) exploits the delivery mechanism behind digital advertising, and is consistently used to mislead, defraud and harm web users.
Today, most of the Internet is a black box. With increased demand for customizing features like content recommendation algorithms, social widgets, image galleries and subscription and/or shopping cart management, almost every media website or mobile app owner relies on third parties to provide critical functionality to their websites. The consequence? 85 – 90% of the code across consumer-friendly media digital properties is not owned and operated (O&O) by the publisher.
This leaves giant gaps that malicious third parties use to attack web visitors through redirects, pop-ups, forced software downloads and even identity theft. For the most part, publisher technology and operations teams are unaware of the extent of the third-party code presence and how it can be compromised to harm consumers. The tactics of 3PC tend to reflect current events, and – right now – that means fake ads related to coronavirus products, services, and cures.
According to one study, 60% of all coronavirus-related ads over the past few months have sent users to “health sites” selling fake testing kits, overpriced hand sanitizer, face masks and other commodities that users will never receive if they enter their credit card details. The incidence of these attacks has increased 400% since February, proving that phishing threats can originate from the web as often as they originate from email.
Naturally, the work of attackers does not end at fake health products: amid the economic recession, every category of cyberattack and online fraud increases. Malicious 3PC endangers an already fragile economy by leading to mass data breaches and threatens national security through hacked government websites.
To put this risk in perspective: if the CDC’s site were to be compromised in the next 12 months, millions of Americans could suffer as a result of not being able to access credible information. In the midst of a global epidemic, we should be able to guarantee that those who are most at risk of infection won’t be targeted by misinformation – unfortunately we can’t, and the responsibility to change that must begin with those who control the digital asset.
While the Internet can serve as a powerful tool to beat back a real-world disease, it remains in the hands of billion-dollar corporations who shoulder the responsibility for mass media, news and entertainment. Moving forward, they must be the agents of change who regulate what passes through their digital properties. They can see what the government cannot see, and they can respond faster than law enforcement can respond.
By themselves, digital marketing and targeting can be valuable tools: they have generated opportunities for content creators and traditional media companies to find an audience and monetize their work. But in order to keep this valuable industry alive and free from burdensome regulations, the companies that own Advertising/Marketing Technology platforms, as well as websites and mobile apps, must stave off malicious third parties who use this technology to endanger the public. Ultimately, people make the Internet profitable, and protecting people is the only way to keep it that way.
by ROB BEELER
Digital3PC.com is an independent platform that brings together the best minds from tech, government, research, and academia to shape the future of cybersecurity policy and offer best practice solutions when responding to cyber threats. The most common access point for malware spread, data breaches, IP theft, election meddling, disinformation campaigns, and cyberwarfare is malicious third-party code (3PC) that makes its way into our websites, apps, and IoT devices. The compromise of the digital ecosystem erodes user trust and the credibility of media organizations, and undermines the integrity of our democracy, economy, and public safety.