Google network displayed ads on sanctioned websites, report shows


Google served ads for several Fortune 500 companies and U.S. federal agencies on the website of an Iranian company “specially designated” for sanctions, a new report says.

In some cases, ads for these organizations — as well as major political figures and government agencies — also appeared on several hardcore porn websites, according to screenshots included in the report by Adalytics, a company that helps brands track where their ads appear online.

Some of the advertisements also reached the website of a sanctioned Russian company, the report shows.

All the advertisements cited by Adalytics were placed through the Google Search Partners (GSP) network, which collaborates with third-party sites to display ads and free product listings. According to Google, the network extends the reach of Google Search ads to “hundreds of non-Google websites, as well as YouTube and other Google sites.”

The report shows the potentially serious reputational risks advertisers face when trusting their ad dollars to the Search Partners network, experts said. GSP does not divulge where ads run to the companies that use it. Overall, Google earns more revenue from ads than any other online business site worldwide.

Adalytics said the ads it documented on the sanctioned Iranian and Russian sites were removed about two weeks ago.

Google did not deny the ads appeared on the sites in question. However, in a statement, Dan Taylor, Google’s vice president of global ads, said there is no evidence of “revenue being shared with a single sanctioned entity.”

The Iranian business, the Iran Alloy Steel Company, has been sanctioned by the U.S. Treasury’s Office of Foreign Assets Control, which prohibits most trade and transactions with Iran. The Russian site belongs to AO Institute Giprostroymost Saint-Petersburg, a bridge-design company that OFAC said assisted in the occupation of Ukraine’s Crimean peninsula.

According to Adalytics and in some cases Recorded Future News’ own review, ads for government agencies, political groups, major newspapers and Fortune 500 companies were served on hardcore porn websites, sanctioned Russian and Iranian websites, and sometimes all three areas.

The affected advertisers include:

The National Security Agency, the FBI, U.S. Army and Coast Guard and the U.S. Treasury.
The European Commission, the EU’s administrative body.
AT&T, Amazon, Apple, Facebook, Microsoft, Verizon and Samsung, among other major corporations.
Political fundraising committees for House Speaker Mike Johnson (R-LA), Rep. Matt Gaetz (R-FL), House Minority Leader Hakeem Jeffries (D-NY), and Sen. Amy Klobuchar (D-MN), among others.
The Republican National Committee and the Democratic Congressional Campaign Committee.
The New York Times, the Washington Post and the Wall Street Journal.

The advertisers appear to face minimal legal risk. The only sanctions exposure for the organizations involved would be if “listed entities tried to avail themselves of those services and the companies violated sanctions by engaging in transactions with them,” Keith Preble, an assistant professor at Miami University who has done extensive work on sanctions, said via email.

How does Google place ads?

Ads Google said it reviewed for this story were all placed via a GSP product known as Programmable Search Engine (ProSe), Taylor said, calling ProSe a “free search tool we offer to small websites so that they can present a search experience directly on their sites.” He said ProSe ads are a “miniscule” part of the overall Search Partners offering.

ProSe ads may appear based on the user’s specific search query, but are “not targeted to, or based on, the website they appear on,” Taylor said.

Websites that “merely implement” ProSe do not get any “ad revenue from those ads,” he added.

Adalytics has previously published what Taylor called “inaccurate reports that misrepresents our products and make wildly exaggerated claims.” One of those, covered in the New York Times, showed that YouTube’s advertising practices on kids’ channels could allow companies to track children across the internet.

GSP is a go-to distributor for advertisers in part because of the reach and power of the overall Google ad network. However, experts said, it also gets a lot of business because brands must actively choose to opt out — as opposed to opting in — from placing ads via Search Partners’ roster of third-party websites when signing up for a larger Google ad package. Many advertisers don’t know that Google ad packages default to include Search Partners’ placements, they said.

Google’s website discloses that advertisers cannot track ad placements on the GSP network.

Google said it welcomes research on how its products work and swiftly corrects policy violations. However, the company said that Adalytics did not make its report available to it ahead of time or ask for clarifications on its findings.

Public officials weigh in

Most of the advertisers named in this story either failed to respond or declined to comment; however, the FBI and a European Parliament member offered brief statements.

The FBI referred questions to Google “regarding their platform and systems.”

European Parliament Member Paul Tang, who is co-founder of the European Union’s Tracking-free Ads Coalition, emailed a statement condemning Google. Ads for the European Commission appeared on Iranian and Russian websites, according to Adalytics and Tang.

“By having the European Commission’s ads displayed on websites of sanctioned Russian and Iranian companies, the Commission may be defying the very sanctions it has proposed,” Tang said.

He added that the practice is not only “a potential breach of EU law; it may be an act of funding Russia and Iran. The Commission must investigate whether and how much money is changing hands alongside these ad placements.”

Public officials whose ads were not featured on the porn and sanctioned Russian and Iranian websites also expressed concern.

In an emailed statement to Recorded Future News, Senate Intelligence Committee Chairman Mark Warner (D-VA) said he has spent eight years pushing the Federal Trade Commission and Department of Justice to investigate “the extent to which digital advertising intermediaries maintain a concentrated ecosystem rife with fraud.”

Warner added that “the apparent monetization of sanctioned entities’ websites should be the final straw for the government to take action to clean up this market.”

Lou Paskalis, a longtime media buyer and brand safety executive at Bank of America and American Express, described Google distributing ads on sanctioned foreign websites as akin to “driving by a police officer in a car going 100 miles an hour in a 35 mile an hour zone while brandishing a weapon.”

“My hypothesis is that most advertisers who are using GSP don’t know they’re using GSP and don’t know that the terms of service state very clearly that Google will not divulge who they’re doing business with,” said Paskalis, who also previously served as the president and chief operating officer of MMA Global, a marketing trade association made up of 800 companies.

The fact that Google will not tell GSP advertisers where their ads run is a “pretty big indication that they’re aware that some problem exists,” he added.

Distribution for the ads documented by Adalytics suggests that in some cases Google may not know where it places GSP ads. For example, ads for Google itself were included on some of the porn sites identified by Adalytics.

In some instances, ads were placed in direct opposition to advertisers’ prior direction on where Google could distribute them. The automaker BMW had requested Google stop placing its ads on the politically right-wing site Breitbart.com, according to a spokesman responding to screenshots of the company advertising there.

Asked for comment on the Breitbart distribution, BMW provided a statement saying it “does not tolerate racist, discriminatory, or hateful speech of any kind.”

The automaker noted that it does not “directly advertise on the website in question and have previously blocked even third-party advertisements from appearing there.” It said it will investigate what went wrong.

A moral failing?

Arielle Garcia, who recently resigned after 10 years from her role as chief privacy officer at the global media and advertising agency Universal McCann, said Google’s actions are an “ethical failure” and are “potentially funneling money to those sanctioned states.”

“Google is doing all of this in their own commercial interest at the expense of also exposing advertisers not only to useless inventory and wasting their money, but also exposing them to brand risk,” said Garcia, who quit her job in part because she was disillusioned by digital advertising practices.

Google has historically been highly regarded for its advertising due diligence, experts said. But they expressed shock over Adalytics’ findings and other recent developments.

“There’s some kind of enormous hole that all different kinds of websites that shouldn’t be an advertising partner are slipping through,” said Laura Edelson, a computer scientist whose doctorate work focused on large platform advertising campaigns. Edelson is also a former chief technologist for the Justice Department’s antitrust division.

The problem shouldn’t be difficult for a company with Google’s resources to fix, she said.

“It’s something that would take some engineering time to implement, it absolutely would, but this is not a hard computer science problem that we don’t know how to solve,” said Edelson, who is now a computer science professor at Northeastern University.

She said that if Google can track in a “tiny fraction of a second” that someone has loaded a page to see an ad, it should also be able to track what website someone saw that ad on, particularly since they use the information to bill advertisers.

“Clearly, something has gone very wrong because the failures are so broad,” she said. “It’s a problem for Americans if our use of the internet which is subsidized by advertisers is sending money to Iran.”


Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.

 
