W3C Workshop on Digital Marketing

Statement of Interest

Brad Hill, Security Engineer <hillbrad[at]fb.com>
Chris Clark, Security Engineer <chriscla[at]fb.com>

Digital advertising with rich content has long been recognized as an ideal vector for malicious actors to quickly and affordably deliver code to an audience of victims, either broadly or in a highly targeted manner. Recent examples (e.g. 1, 2) of advertising being used to deliver exploits highlight the need to solve this problem. Because malvertising destroys the ability to meaningfully distinguish reputable from non-reputable sites from a threat perspective, enterprises and end users may begin to regard ad blocking as a necessary security service if the digital marketing industry cannot credibly self-remediate this vector.

Given the complexity of the open web platform, attempting to classify creative content as malicious or benign is a difficult problem, and ultimately an intractable one without the ability to place constraints on the capabilities of such content. Without systematic approaches rooted in the capabilities of the platform and tools, we risk falling into the failed "arms race" paradigm that has characterized the anti-virus industry's approach to previous generations of malicious code threats.

A variety of approaches to this problem exist, including AdSafe, Caja, HTML5 iframe sandboxing, and the IAB SafeFrame. Although promising starting points, none seems to have yet gained widespread acceptance in the market.

Competition and innovation are good things, but in the interconnected commercial advertising market, fragmentation of the expectations for secure creative content creates difficulties and market barriers, and solutions created without the input of all stakeholders are unlikely either to find broad adoption or to adequately solve the problem.

The needs of relevant stakeholders include:

Advertisers

Publishers

Ad Networks and Exchanges

Tool Support is also necessary to meet the goal of scalable security.

This workshop, and the W3C generally, represents an ideal place to gather representative stakeholders and collaborate on voluntarily adoptable solutions that meet these diverse requirements.