This article originally appeared in Digital Content Next on July 31, 2019.
It’s hard to remember a time before the Internet. But many would still be surprised to learn that the first online news publication was launched in 1979, on CompuServe’s dial-up service. This September, it will turn 40, and its memory is kept alive by news organizations that took part in CompuServe’s historical experiment on the potential of online papers: The New York Times, Washington Post, San Francisco Chronicler, Atlanta Journal-Constitution, Virginian Pilot, and many others.
All of them are still online, proving that the spirit of innovation—and braving what was then a largely unknown new world—they all shared may be key to their longevity. However, times have changed. At the dawn of digitalization, publishers still owned the code that ran their online platforms. Decades later, a shift to third-party assets has changed the balance of power and introduced risks that the media is still struggling to control.
First in digital, last in security
Thanks to digitalization, publishers now have access to a global audience. Not only is it possible to communicate with readers in real-time, but new revenue models fundamentally change the way that they pay for it. From ad-supported content to metered paywalls, the digital ecosystem boosts a publisher’s reach while offering long-term profitability.
At times, however, the race for revenue and new markets has turned hectic. Bells and whistles like programmatically targeted ads, content recommendation, online chat, and video offer a competitive advantage. They can improve user experience, extend the possibility of content generation and raise profits. But to keep the show going, publishers need code. And today, most of that code comes from third parties.
Unfortunately, third-parties reduce the amount of direct control that media can exercise over its properties. Left unmonitored, they can lead to latency, data breaches, and fake news—all of which can threaten revenue streams. Add to the mix new regulations being introduced across the country, the pressure on publishers to regain control of their digital ecosystem and pressure continues to mount. Now, the industry that pioneered digitalization must also embrace programmatic monitoring, and that begins by understanding where many of these problems come from.
The risks of third-party code
Today, 60-95% of the code across digital platforms is owned and operated by third-party vendors, with online media averaging 90-95%. Given that there are over 7,000 digital vendors to choose from, publishers can make some bad partnership choices—ranging from one with poor controls that open it to compromise to one with explicit nefarious intent. Whatever the case, AdTech is abused to steal or resell user data, spread malware, and redirect users to malicious domains.
The methods used by attackers have also increased in complexity, easily bypassing traditional security measures used by Ad Ops to block them. In recent history, we have witnessed:
- ICEPick-3PC – injected code into Javascript libraries used across thousands of websites
- PayLeak-3PC – infected seemingly secure iOS devices by disguising itself as an update
- JuiceChecker-3PC – evaded detection by conducting checks on user motion, battery level, user agent, and screen size
- CartThief-3PC – injected formjacking scripts to steal payment card details from e-commerce sites
- Stegoware-3PC – hid in seemingly innocuous PNG files and conducted various checks to ID and infect iOS devices
These are not isolated incidents. Over the past three years, the number of malvertising attacks has steadily risen, with major consequences for online publishers. In a span of 24 hours, The Media Trust manages an average of 1,500 active malware incidents. Each month, we detect more than over 6,000 new malicious domains responsible for malvertising and redirect attacks.
Self-regulation threatened
In 2018, billions of consumers around the world were impacted by data scandals. The EU’s General Data Protection Regulation (GDPR) has placed extensive restrictions on how publishers may legally use consumer data, resulting – already – in record penalties and active investigations.
In the United States, the California Consumer Privacy Act (CCPA) threatens to follow in GDPR’s footsteps. Meanwhile, U.S agencies including the FTC and DOJ have begun to levy unprecedented penalties on digital brands accused of data mishandling.
Where governments aren’t trying to contain cybercrime and privacy violations, browsers and hardware manufacturers are filling the gap.
Cookieless world emerging
In an attempt to curb data leakage and malware spread, periodic cookie audits are mandated by the GDPR in Europe and by the Privacy and Electronic Communications Regulations in the United States. But as third-party cookies are projected to become less important to the digital ecosystem, this effort becomes increasingly fruitless.
Attackers now have multiple routes for tracking users from fingerprinting to device IDs and limited browser tracking functions. As time goes by, yesterday’s malware vectors disappear, leaving behind only one common denominator: the attackers themselves. Producing a safer digital ecosystem begins by eliminating them.
Steps to reclaim user experience
After Cambridge Analytica, a global userbasecares what happens to their data, and – whether through regulations or ad blockers – they are holding publishers accountable.
The best way for publishers to respond is by retaking control of the code that operates outside their jurisdiction, and they can do it in five steps:
- Decide the rules. Publishers must know who they want to work with before they enter into any agreements. They must also know what counts as “unacceptable” behavior across their digital properties. These policies should be decided in tandem with all relevant parties, including IT, marketing, and privacy executives.
- Know who is running code on your site. Before allowing digital code and assets onto their domains, publishers must identify and vet the creators. Doing otherwise is sacrificing a basic level of control that accumulates with time.
- Communicate policies. Not all data breaches happen because of malicious third parties. Some vendors are just careless or forgetful. To avoid preventable violations, publishers must clearly and specifically communicate their security rules to their partners.
- Monitor compliance. Aside from communicating the rules, publishers must also enforce them. And to enforce them, they must continually monitor their partners by scanning their domains, so they will be aware when violations occur.
- Terminate and report bad partners. Publishers must take action against the partners who violate their rules and communicate these violations to upstream partners, helping to permanently remove repeat offenders from the digital ecosystem.
By following these rules, online media would experience an immediate, noticeable improvement in ad quality and UX. As data breaches decreased, AdTech Tax and other penalties would become a dwindling threat to revenue, leaving publishers exactly where they belong: as leaders of digital commerce and security.