W3C Workshop on Digital Marketing
Statement of Interest
Brad Hill, Security Engineer <hillbrad[at]fb.com>
Chris Clark, Security Engineer <chriscla[at]fb.com>
Digital advertising with rich content has long been recognized as an
ideal vector for malicious actors to quickly and affordably deliver
code to an audience of victims, either broadly or in a highly targeted
manner. Recent examples (e.g.
1,
2)
of advertising being used to deliver exploits
highlight the need to solve this problem.
Because malvertising destroys the ability to meaningfully distinguish
reputable from non-reputable sites from a threat perspective,
enterprises and end users may begin to regard ad blocking as a necessary
security service if the digital marketing industry cannot credibly
self-remediate this vector.
Given the complexity of the open web platform, attempting to classify
creative content as malicious or benign is a difficult problem - and an
ultimately intractable one without the ability to place constraints on
the capabilities of such content. Without systematic approaches rooted
in capabilities of the platform and tools, we risk falling into the
failed "arms race" paradigm that has characterized the anti-virus
industry's approach to previous generations of malicious code threats.
A variety of approaches to this problem exist, including
AdSafe,
Caja,
HTML5 iframe sandboxing, and the
IAB SafeFrame. Although
promising starting points, none seems to have yet gained widespread
acceptance in the market.
Competition and innovation is a good thing, but in the interconnected
commercial advertising market, fragmentation of the expectations for
secure creative content creates difficulties and
market barriers, and solutions created without the input of all
stakeholders are unlikely to either find broad adoption or adequately
solve the problem.
The needs of relevant stakeholders include:
Advertisers
- Advertisers need to be able to build rich creative content that meets the security requirements
for placement, without further customization, across multiple ad
networks, exchanges and publishers.
- Small-scale advertisers do not have in-house security experts.
They must be able to use tools that understand these security
requirements and allow transparent authoring of compliant
content by non-experts.
- Security sandboxing must not preclude rich and engaging content, including with dynamic
interactivity.
- Advertisers do not inherently trust publishers, so also desire to
include 3rd-party content in placements
to provide utility functions and “sources of truth” for measurement,
analytics, viewability, anti-fraud, etc.
Publishers
- Publishers do not trust advertisers, and desire confidence that the
advertising content they deliver through to their audience is safe
and secure.
- Despite wanting secure advertisements, the extent to which publishers can
and will trade off revenue to enforce security is
limited.
- The long tail of publishers has essentially zero market power to
demand more secure advertising content.
- Solutions must be high performance and ideally can be managed
entirely by the ad networks and exchanges they use, without requiring any changes
to their content.
- Publishers must be able to share selected content and metrics with hosted advertisements and
measurement tools without exposing private site content.
Ad Networks and Exchanges
- Although neither the originators or targets of potentially malicious
advertising, ad networks are in the best position and with the most
incentive to field security solutions.
- Security may be a differentiator in acquiring premium publisher
inventory.
- As a bottleneck in a many-to-many relationship between advertisers
and publishers (both with long-tail distributions), ad networks are
one of the only players with the scale and position to develop or
acquire security solutions and apply them.
- Any solutions must be low-friction for both advertisers and
publishers.
- Solutions must be highly scalable and low latency.
Tool Support is also necessary to meet the goal of
scalable security.
- Authoring Tools should make it simple to transparently
build creative
content that works within well-defined security rules and
restrictions.
- Web Browsers may be able to provide security guarantees
(e.g. with technologies like the HTML5 iframe sandbox and Content
Security Policy) that reduce complex and expensive analysis tasks
to simple configuration tasks.
- Automated Analysis Tools will likely require advertising
to be built with an enforceable, constrained subset of all the
features available to the Open Web Platform to meet their goals of
performance and reliability.
This workshop, and the W3C generally, represents an ideal place to gather
representative stakeholders and collaborate on voluntarily adoptable
solutions that meet these diverse requirements.