TAG,​ ​You’re​ ​It:​ ​Beyond​ ​TAG​ ​Malware​ ​Scanning​ ​Guidelines

Making Malware Prevention Actionable

When​ ​the​​ ​​Trustworthy​ ​Accountability​ ​Group​ ​(TAG)​ ​released​ ​its​ best practices​ ​for​ ​malware scanning​​ ​in​ ​October,​ ​anyone​ ​seeking​ ​a​ ​more secure advertising supply chain would have been eager to read through the first-of-its kind, 16-page document. ​In a quest to outline basic malware scanning processes,​TAG​ ​delivered ​plenty​ ​of​ ​suggestions​ ​about​ ​when​ ​to scan,​ noting that in some ​environments​ publishers and their providers​ ​might​ ​want​ ​to​ ​scan​ ​more​ ​or​ ​less​ ​often—but​ ​it​ ​didn’t​ ​offer hard​ ​numbers​ ​or​ ​strict​ ​parameters.

Instead ​TAG​ ​lays​ ​out​ ​a​ ​number​ ​of​ ​scenarios​ ​and circumstances,​ ​and​ ​weighs​ ​them​ ​more​ ​or​ ​less​ ​relative​ ​to​ ​each​ ​other.​ ​As a publisher, where​ ​your​ ​own​ ​zero point​ ​might​ ​be​ ​depends​ ​on​ ​factors​ ​like​ ​the​ ​scale​ ​of​ ​your​ ​digital​ ​properties​ ​and served​ ​impressions,​ ​and​ ​the​ ​sources​ ​of​ ​your​ ​ad​ ​creative.

Continuous insight and security for the digital ecosystem

Ad​ ​tech​ ​people​ ​love​ ​talking​ ​about​ ​how​ ​digital​ ​media​ ​is​ ​a​ ​“self-regulating​ ​industry,”​ ​but​ ​in​ ​order for​ ​that​ ​to​ ​be​ ​true,​ ​it​ ​needs​ ​to​ ​actively​ ​keep​ ​itself​ ​in​ ​check…​ And this is now more important than ever as the​ ​ever-present threat​ ​of​ ​full-on government​ ​regulation ​begins to take shape.​ ​In​ ​September,​​ ​​FTC​ ​Chairwoman​ ​Edith​ ​Ramirez addressed​ ​the​ ​ongoing consumer-targeting​ ​ransomware​ ​epidemic​​ ​and confirmed ​60-plus​ enforcement actions against companies that​ ​didn’t​ ​offer​ ​reasonable​ ​consumer​ ​security​ ​controls.​ ​Rumor has it that several​ad​ ​tech​ ​companies​ ​and publishers have been and continue to be on the hit​ ​list.

While​ ​there’s​ ​more​ ​to​ ​the​ ​TAG​ ​guidelines​ ​than​ ​simply​ ​saying,​ ​“Use​ ​your​ ​best​ ​judgment,”​ ​the document​ ​does​ ​frequently​ ​ask​ ​everyone​ ​along​ ​the​ ​ad​ ​supply​ ​chain—not​ ​just​ ​publishers,​ ​but  exchanges,​ ​DSPs​ ​and​ ​SSPs,​ ​trading​ ​desks,​ ​and​ ​various​ ​tech​ ​solution​ ​providers—to​ ​use​ ​their best​ ​judgment.​ ​

Digital​ ​publishers,​ ​as​ ​the​ ​point​ ​of​ ​contact​ ​with​ ​consumers,​ ​often​ ​end​ ​up​ ​getting​ ​shamed​ ​when malware​ ​appears.​ ​So​ ​when​ ​something​ ​like​ ​the​ ​TAG​ ​guidelines​ ​comes​ ​along,​ ​it’s​ ​natural​ ​for publishers​ ​to​ ​ask​ ​whether​ ​this​ ​is​ ​one​ ​more​ ​thing​ ​for which they’re​ ​going​ ​to​ ​be​ ​held​ ​accountable,​ ​or whether​ ​the​ ​guidelines​ ​can​ ​help​ ​them​ ​share​ ​​the​ “malware prevention” ​burden​ ​with other​ ​players​ ​from​ ​one​ ​end​ ​of​ ​the​ ​ad​ ​supply​ ​chain​ ​to​ ​the​ ​other.

Don’t​ ​Kick​ ​the​ ​Scan​ ​Down​ ​the​ ​Road    

TAG​ ​does​ ​indeed​ ​address​ ​the​ ​whole​ ​supply​ ​chain,​ ​explicitly​ ​stating​ ​that​ ​its​ ​guidelines​ ​are meant​ ​to​ ​be​ ​put​ ​into​ ​action​ ​by​ ​everyone​ ​involved​ ​in​ ​distributing​ ​digital​ ​ads.​ ​In​ ​short,​ ​the guidelines​ ​call​ ​for​ ​scanning​ ​all​ ​ads​ ​and​ ​landing​ ​pages,​ ​either​ ​using​ ​in-house​ ​or​ ​third-party solutions,​ ​prior​ ​to​ ​any​ ​ad’s​ ​first​ ​exposure​ ​to​ ​the​ ​user.

As a best practice, ads (creative and ad tags) require​ ​frequent​ ​scanning​ ​and​ ​re-scanning. ​TAG points out scanning​ ​once​ ​is​ ​“likely​ ​insufficient” and​ ​that​ ​the​ ​number​ ​of​ ​scans​ ​should​ ​be​ ​“mathematically​ ​appropriate”​ ​to​ ​the​ ​factors​ ​involved​ ​in a​ ​particular​ ​environment​ ​or​ ​user​ ​experience.​ ​(As TAG suggested,​ ​ads​ ​with​ ​100​ ​impressions​ ​per​ ​day might​ ​require​, say, ​ ​weekly​ ​scanning,​ ​but​ ​ads​ ​with​ ​millions​ ​of​ ​impressions​ ​per​ ​day​ ​might​ ​require hourly​ ​scanning. Those scan frequencies per size are just suggestions, by the way, not across-the-board prescriptions.)​ ​All​ ​players​ ​along​ ​the​ ​chain​ ​should​ ​employ​ ​“commercially​ ​reasonable​ ​and best​ ​efforts.”

To​ ​determine​ ​suitable​ ​frequency​ ​of​ ​scanning,​ ​look​ ​at​ ​the​ ​total​ ​number​ ​of​ ​impressions, mid-campaign​ ​changes​ ​in​ ​impressions​ ​or​ ​spend,​ ​changes​ ​in​ ​targeting,​ ​or​ ​changes​ ​in​ ​tech.​ ​To know​ ​when​ ​to​ ​re-scan​ ​previously​ ​scanned​ ​ads,​ ​consider​ ​data​ ​from​ ​initial​ ​results,​ ​errors, physical​ ​domain​ ​location,​ ​domain​ ​and​ ​IP​ ​ownership,​ ​and​ ​confidence​ ​in​ ​partnerships.​ ​Proof​ ​of scanning​ ​is​ ​generally​ ​recommended,​ ​and​ ​ads​ ​that​ ​have​ ​already​ ​been​ ​contaminated​ ​need​ ​to​ ​be rescanned​ ​more​ ​frequently.

Getting​ ​Buyers​ ​to​ ​Play​ ​Ball    

Ideally,​ ​these​ ​guidelines​ ​offer​ ​publishers​ ​the​ ​incentive​ ​to​ ​put​ ​the​ ​heat​ ​on​ ​demand​ ​partners​ ​and other​ ​vendors:​ ​Monitor​ ​your​ ​goods,​ ​send​ ​us​ ​uncompromised​ ​ads​ ​whenever​ ​possible,​ ​show​ ​us documentation​ ​of​ ​your​ ​efforts,​ ​or​ ​we’ll​ ​cut​ ​you​ ​off​ ​and​ ​you​ ​won’t​ ​reach​ ​the​ ​audience​ ​you​ ​want. Adding to teeth to the effort, TAG announced a “Certified Against Malware” program, which will certify a company’s compliance with industry-driven malware best practices.

The​ ​question​ ​is​ ​whether​ ​that​ ​gambit​ ​will​ ​work.​ ​Plenty​ ​of​ ​publishers​ ​will​ ​look​ ​at​ ​the​ ​TAG guidelines​ ​and​ ​say​ ​they’re​ ​already​ ​following​ ​these​ ​recommendations​ ​on​ ​their​ ​end.​ In many instances, some​ ​will say​ ​their scanning processes are​ ​currently​ ​more​ ​stringent.​ However, being​ ​particularly​ ​stringent​ ​won’t​ ​keep​ ​your​ ​nose​ ​entirely clean​ ​in​ ​programmatic:​ ​TAG​ ​believes​ ​the​ ​most​ ​risk-prone​ ​ads​ ​are​ ​those​ ​that​ ​have​ ​active​ ​creative and​ ​are​ ​hosted​ ​remotely,​ ​unavoidable​ ​factors​ ​when​ ​you’re​ ​transacting​ ​at​ ​scale. Alex Calic, The Media Trust’s Chief Revenue Officer, calls TAG’s best practices and ensuing certification program “a starting point,” and says they at least set the stage for ensuring all key players involved in an ad’s execution understand scanning is essential.

“The final buy-in has to be at the agency side of things, which for the longest time has said, ‘Not my problem,’” he says. “Once an agency understands their role, their downstream partners can start tightening the acceptable parameters.”

That said, advertising is only worth something when it reaches an audience, and publishers ultimately deliver the audience. Publishers have a strong incentive to influence what happens with vendors and platforms that have a lower profile to the public.

“If you’re adopting TAG’s best practices, you’re going to get preferential treatment from the entire digital ecosystem,” Calic says. “As an advertiser, I’m going to do everything I can to comply, so users start seeing my ads. If every player supports the standards, no single provider or entity has to maximize the scanning on their end and bear the full brunt of the cost.”

Best Practices Make Perfect… Or at Least They Make Better  

At the most basic level, a publisher’s business relies on earning revenue by monetizing ad inventory. One of the problems with preventing malware—and otherwise upholding user security—is that a lot of the time, resources are limited, and it’s prohibitive to look very far past the complexity involved in managing the expectations of demand partners. Malware prevention is its own set of issues. Scanning isn’t free.

But publishers now have more robust strategies than ever for driving yield, and Calic is hopeful that ostensibly democratizing developments such as header bidding can buy them some time to re-evaluate relationships with demand sources.

“Publishers are going to be more savvy and say, ‘It’s fine that my revenue is going up, but quality can mean many different things.’” he says. “It can mean malware; it can mean the creative is too big and freezes the site. As revenue starts increasing, publishers can be a bit more picky when it comes to how they treat different partners.”

Ideally, premium publishers can use context as a bargaining chip for driving partner compliance. But that assumes everyone on either the buy side or sell side will be motivated by best practices, which is too much to take for granted.

Quality publishers typically don’t need to be reminded to work with partners who exhibit good behaviors. But it’s much harder on the pub side to ensure agencies engage only with publishers that exhibit good behaviors themselves.

When agencies are motivated to go forth into the marketplace and buy the cheapest inventory they can—even when they know that inventory isn’t in a quality environment—they’re putting their business at risk. And they’re potentially encouraging bad actors who might already be present in those low-quality environments.

One publisher we spoke with told us about a situation a publisher peer recently experienced with a buyer. The publisher in question had gone through the arduous process of scrubbing bots off their site. The buyer reached out and said there was a problem with their campaigns—clicks through to the advertiser’s site had dropped precipitously. The pub explained how the site was, in reality, delivering more value with a fully human audience at the same CPM. The buyer didn’t care: His compensation was based on per-site visits, and it didn’t make a difference to him whether the click-through traffic was human or bot.

This story underlines the critical need to change industry attitudes. Correcting this thinking means key players can’t look at the TAG guidelines and ignore them because their bottom line is more important.

“How do you build the right incentive structure?” asks Calic. “It starts at the top. If you need more people to visit your website and you’re going to pay for it, that’s not a problem for you. The ad tech industry is awesome at solving for exactly what you want and not worrying how you get there.

“The goals of TAG’s best practices are twofold: clean up the issues that can be fixed because they’re unintentional and make it harder for bad guys to enter the ecosystem who are trying to do things intentionally.”

Who Are the Deciders?  

The TAG malware guide may not be the be-all and end-all for malware prevention, but it is a statement of purpose with room for case-by-case interpretation. And it’s worth it to nudge all parties along the ad supply chain toward compliance which will also demonstrate to government regulators that the industry is taking tangible steps to keep its house clean.

If TAG doesn’t go far enough, it reminds us we’re not just preaching to the choir when we talk about best practices for malware prevention—malware is an ongoing problem in part because some decision-makers are still making decisions that open the door to malware.

Frequent scanning can help prevent malware for parties who care about it. For the rest, the industry will need to maintain a longer conversation about priorities.