Because most of the ad companies are small, independent security researchers have not dedicated much time to analyse the industry and the many companies of the industry. Because the information security practices of the industry are virtually free of any regulation or oversight, bugs and abuse are not too uncommon in the ad industry. This creates a real need to attract more independent researchers to develop interest on the many flaws of the digital media supply-chain. What we cannot do is use various ways to quiet down genuine concerns. This is especially true for referencing to the arm of law to quiet down genuine concerns.
While many more reasons exist, there are six primary points to why an ad company should never use a tool like ‘cease and desist’ order to shut down legit research about malpractices.
- Ad companies do not have bounty programs nor do they understand information security, which is why we have to attract researchers and not try to make them go away
- When an ad platform company does something, it looks like its actions are representative of how large advertisers think and behave, which could not be further from the truth
- It is the opposite of transparency to stop someone from saying a truthful thing, and advertisers, internet users and trade associations want transparency
- It prevents the industry from having conversations about important topics, such as ad fraud or tracking payloads
- It makes your company look like it has something to hide, and neither investors or clients like companies that have something to hide
- The counter measure for companies using litigation against individuals, is for individuals to use government regulators against companies
