WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence and a member of the Banking Committee, wrote a letter to the Federal Trade Commission (FTC) Chairman Joseph Simons expressing concern following a report published by Buzzfeed detailing continued prevalence of digital advertising fraud and inaction by Google to curb these efforts. According Buzzfeed, this scheme has generated hundreds of millions of dollars in fraudulent advertising revenues, with operations spanning more than 125 Android apps and websites.
In July 2016, Sen. Warner and Sen. Chuck Schumer (D-NY) wrote to FTC Chairwoman Ramirez calling on the agency to protect consumers from the growing digital ad fraud phenomenon. Since then, reports have estimated that digital ad fraud has only grown to $7.4 billion in 2017 – and projected to rise to $10.9 billion by 2021.
At the center of Buzzfeed’s report is Google, the only tech company absent for the Senate Intelligence Committee’s September hearing on social media’s role in protecting elections from misinformation and disinformation. The extent to which many popular online communications technologies have been exploited – and their providers caught repeatedly flat-footed – has been continuously highlighted in the course of investigating Russia’s unprecedented inference in the 2016 election. In the same way that bots, trolls, click-farms, fake pages and groups, ads, and algorithm-gaming can be used to propagate political disinformation, these same tools can – and have – been used to assist click fraud in digital advertising markets and efforts to convince large numbers of users to download malicious apps on their phones.
The full text of the letter can be found here and below.
The Honorable Joseph J. Simons
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, D.C. 20530
Dear Chairman Simons,
I am writing to express my continued concern with the prevalence of digital advertising fraud, and in particular the inaction of major industry stakeholders in curbing these abuses. In 2016, Senator Schumer and I wrote Chairwoman Ramirez to express frustration with the growing phenomenon of digital ad fraud. Digital ad fraud has only grown since that time, rising to $7.4 billion in 2017 – and projected to rise to $10.9 billion by 2021. I am greatly concerned with recent reporting from Buzzfeed, detailing a massive digital advertising fraud scheme that depends, in large part, on a network of compromised Android apps. As Buzzfeed reports, this scheme generated hundreds of millions of dollars in fraudulent advertising revenues, with operations spanning more than 125 Android apps and websites.
In the course of investigating Russia’s unprecedented interference in the 2016 election, the extent to which many popular online communications technologies have been exploited – and their providers caught repeatedly flat-footed – has been unmistakable. More than illuminating the capacity of these technologies to be exploited by bad actors, the revelations of the last year have revealed the dark underbelly of an entire ecosystem. In the same way that bots, trolls, click-farms, fake pages and groups, ads, and algorithm-gaming can be used to propagate political disinformation, these same tools can – and have – been used to assist financial frauds such as stock-pumping schemes, click fraud in digital advertising markets, schemes to sell counterfeit prescription drugs, and efforts to convince large numbers of users to download malicious apps on their phones.
According to Buzzfeed, a recent ad fraud ring vividly illustrates this problem, with potentially millions of consumers unwittingly downloading and engaging with apps that captured the behavior of app users in order to program a network of bots mimicking user activity to engage in multi-million dollar ad fraud. While these techniques continue to grow more sophisticated, none of this is new for industry stakeholders. Sophisticated, user-mimicking bots have been widely publicized for a number of years now. According to leading researchers, one in five ad-serving websites is visited exclusively by bots engaged in ad fraud. Digital ad fraud thrives because of the opaqueness of the programmatic ad market, where user data is bought and sold in ways users are unwitting to, in order to target advertisements in ever more sophisticated ways.
At the center of this scheme was a strategy of buying moderately popular, legitimate Android apps – seemingly innocuous products like mobile games, a flashlight app, and a healthy eating app – and using the installed user base as both a source of fake traffic and behavioral data to model fraudulent bot behavior. Google’s inattention to misconduct within its app store has been a growing concern. In November of 2017, researchers found that over 1 million users had downloaded a spoofed version of WhatsApp. Researchers also routinely find banking Trojans and other malware in the Google Play store. While Google made an estimated $20 billion last year from the Google Play store, its mobile app ecosystem features considerably more malware and fraudulent activity than that of its mobile operating system competitors.
Google’s inattention to misconduct within its app store also enabled the extensive fraud involved here. In addition to failing to notify users of the change in ownership, Google failed to detect changes in the apps that facilitated extensive user tracking subsequently used for bot behavior. Nor did it detect the myriad indicators of coordinated fraudulent activity between the apps – including overlaps in app content, source code, IP addresses, SDKs, and common traffic patterns. Despite being approached by researchers in June with evidence of part of this scheme, Google failed to dig deeper to reveal the full scope of this fraudulent activity. While there is no evidence Google had direct knowledge, Google’s ad network and ad exchanges were also implicated in these schemes. At the very least, it seems that across a number of its products Google may have engaged in willful blindness, all while profiting from this fraudulent activity.
I encourage you to look closely at these reports, including the extent to which major ecosystem stakeholders engage in willful blindness to fraudulent activity in the online ad market.