U.S. Senate: Self-regulation of online ad networks isn't working
The U.S. Senate report on the hazards of ads to consumer security and data privacy describes how criminals use ads to deliver malware without requiring any clicking or other action by the viewer. The report states that "a visit to even a reputable website can now result in thousands of dollars in damage to the consumer and the compromise of private information at the hands of actors most consumers don’t know are present."
What the report refers to as "host websites" often don't know anything about the ads that appear alongside their own content, and they certainly can't predict what type of ad will be delivered by the third-party ad network.
The ad networks are often easy to fool. Criminals will appear to be legitimate when they initially apply to the ad network, and once they are accepted to the network they switch to malware delivery, according to the report.
Web services constantly scan for the presence of malware on their servers, but as the Senate report points out, "the ad networks and exchanges do not control the server that ultimately delivers the advertisement to the host website."
The Federal Trade Commission enforces against "deceptive practices." However, this requires that the company break a promise it made previously not to do something. The FTC has statutory authority to enforce under "unfair" practices, although services claim to have no understanding of which specific practices the FTC considers unfair.
The Senate report notes that the FTC's statutory enforcement of deceptive and unfair practices by online ad networks is narrowly focused. The statutes include the Children’s Online Privacy Protection Act (COPPA), the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act of 1996, the Cable Television Consumer Protection and Competition Act, and the Health Information Technology for Economic and Clinical Health Act.
The report concludes that consumers are out of luck:
"[E]ven the most sophisticated advertisers have difficulty guaranteeing consumer security due in part to numerous structural vulnerabilities in the online advertising model. The current state of law and regulation addressing online advertising is sparse, focusing mainly on criminal actors rather than the responsibilities of intermediaries. While still pursuing criminal actors, the responsibility of industry and private stakeholders to implement precautionary measures should be clarified. The current structure leaves consumers with no recourse when they are victim of a malware attack."
 Pub. L. No. 105-277, 112 Stat. 2581-728, codified at 15 U.S.C. § 6501  Pub. L. No. 108-159, 117 Stat. 1953, codified at 15 U.S.C. § 1681  Pub. L. No. 106-102, 113 Stat. 1338, codified at 15 U.S.C. § 6801  Pub. L. No. 104-91, codified at 45 U.S.C. § 1320d  Pub. L. No. 102-385, 106 Stat. 1460, codified at 42 U.S.C. § 551  Pub. L. No. 111-5, 123 Stat 115, codified at 42 U.S.C. § 17921