Online advertising service providers Sunlight Media and Datablocks have been fined $150,000 and $100,000, respectively, for facilitating the delivery of online ads by malicious actors, who used the ads to upload malware to end-user devices. Specifically, the CRTC claimed the parties allowed ads to be served that used the Angler exploit kit (which used a vulnerability in Adobe Flash to infect devices).
Sunlight Media (as Ad Network) allegedly not only accepted unverified, anonymous clients, but also encouraged a high degree of anonymity by allowing clients to use unverified aliases and accepting cryptocurrency payments. Datablocks (as DSP) provided Sunlight Media’s clients with the necessary infrastructure and software to compete in real-time for the delivery of the aforementioned malware. Since Sunlight Media operated as a pay-per-click service, it got paid (and Datablocks got a percentage) every time a computer was infected (i.e., an ad was clicked).
The CRTC further alleged that neither Sunlight Media nor Datablocks had written contracts in place with their clients, and thus no mechanism to require compliance with CASL (or any other law or industry standard). Additionally, neither had monitoring in place to detect misuse of their services. Moreover, neither had internal policies or procedures in place to ensure compliance with CASL.
Finally, the CRTC stated that both Sunlight Media and Datablocks were alerted in 2015 by the Canadian Cyber-Incident Response Centre (CCIRC) that their services were used to disseminate malware. The CRTC made them further aware of the misuse in 2016, but neither took action.
The companies have 30 days to respond or pay the penalties.
jbho: Fraud is pervasive in the programmatic environment, and service providers are often victims like the rest of us. Pixalate provides great summaries on the state of the industry.
Industry is working to address this. For example, IAB Tech Lab has introduced the Ads.txt initiative, so advertisers can be assured they are buying inventory from legitimate sellers. And the Coalition for Better Ads is working to improve the online advertising experience for consumers – and block the annoying types of ads preferred by malvertisers. In fact, Chrome started blocking “failing status” ads back in February.
If Datablocks and Sunlight weren’t up to speed on these developments, that is unfortunate. If they really were doing business with clients not bound by contract, that’s just stupid.
Also interesting that the CRTC pointed out accepting cryptocurrency payments as a ‘red flag.’ A good indicator that if you are going to accept non-traditional payments, you better have a robust compliance program behind that.
A final thought – I believe this enforcement may be the end result of the warrant issued back in January of 2016, since the summary states the violations occurred between February 8, 2016 and May 31, 2016. So not sure if I should count this as CASL enforcement #17, or add detail to #6 on my CASL Tracker.