Amazon, Google among platforms under fire for ads on child-abuse sites

US Senators have launched a fierce inquiry into Amazon and Google, demanding explanations for why their ad platforms are reportedly funnelling advertising revenue to websites known to host child sexual abuse material (CSAM). The move follows a report by research firm Adalytics that linked ads from major brands, including Sony, Pepsi and the NFL, to image-sharing sites ibb.co and imgbb.com. Both these sites have been flagged by one of child-protection organisation National Center for Missing & Exploited Children (NCMEC) for hosting CSAM.

In letters addressed to Amazon CEO Andy Jassy and Alphabet CEO Sundar Pichai, US senators Marsha Blackburn and Richard Blumenthal demand why their ad businesses fund websites hosting CSAM and allow government ads to appear on sites with illegal imagery.

The letter to Pichai specifically cited research indicating that Google facilitated ad placements on imgbb.com as recently as March 2024. According to NCMEC transparency reports, the site has been flagged for hosting CSAM since at least 2021.

The senators didn't hold back, noting that "just as concerning are reports that the US government’s own advertising has appeared on this website”, highlighting the potential for public funds to inadvertently support illegal activities.

"Recent research indicates that Google, as recently as recently as March 2024, has facilitated the placement of advertising on imgbb.com, a website that has been known to host CSAM since at least 2021, according to transparency reports released by NCMEC," the letter to Pichai says.

In response, Amazon released a statement: “We regret that this occurred and have swiftly taken action to block these websites from showing our ads. We have strict policies in place against serving ads on content of this nature, and we are taking additional steps to help ensure this does not happen in the future.”

The senators have asked Trustworthy Accountability Group (TAG) and the Media Rating Council (MRC) about the oversight of ad verification vendors. The enquiry focuses on whether any vendors have previously reported CSAM content, as well as documentation of past certifications revoked or suspended for noncompliance. TAG and MRC are also asked to detail the specific criteria they will consider in the case of DoubleVerify (DV) and Integral Ad Science (IAS), and to share “what specific audits, monitoring or oversight mechanisms” are used to ensure compliance with their standards.

DV and IAS themselves haven't escaped scrutiny, and have been asked to provide URL-level transparency and to disclose whether they have ever reported instances of CSAM content online.

DV issued a response on its website, saying, “While the impression volume for our customers on this site was very small, we take this issue seriously. The vast majority of these ads appeared alongside neutral content, in large part due to the pre-bid controls used by many of DV’s customers. Concurrently, DV has blocked tens of thousands of ads from serving on imgbb.com, enabling clients who choose to run on this site to avoid unsafe or unsuitable content through our classification and enforcement.”

It further reads, “Importantly, there is no data in the Adalytics report that explicitly indicates DV client ads appeared alongside CSAM.”

The background

Adalytics was working on an unrelated project involving web scans when it uncovered examples of these hurtful programmatic ads on two free file-sharing platforms: imgbb.com and ibb.co.  

These websites allow users to anonymously host photos and videos via user-generated links, offering features that enable users to prevent links from being indexed by search crawlers and to set timers for automatic link deletion. Disturbingly, imgbb.com and ibb.co were already known to the NCMEC, which had, according to Adalytics, sent dozens of notifications to imgbb.com in recent years regarding hosted links containing CSAM.

The CSAM content and related ads documented by Adalytics originated between 2021 and 2023, with some links set to auto-delete and others removed following takedown orders from US and Canadian authorities.

Adalytics’s report titled "Are ad tech vendors facilitating or monitoring ads on a website that hosts Child Sexual Abuse Material?" delivers a scathing indictment of the industry's failures. The report concluded that "many major advertisers appeared to have had their ads placed on a website which has been known—since at least 2021—to host some amounts of CSAM. These advertisers may have inadvertently contributed funding to a website that is known to host and/or distribute CSAM."

The report also talks about a critical lack of transparency, that "multiple major brand advertisers whose ads were served on explicit content on imgbb.com reported that their ad tech vendors, such as Amazon, do not provide the advertisers with page URL-level reporting that would allow the brands to investigate exactly on what page URLs their ads served."

Adalytics also found that "multiple major advertisers reported…that their brand safety vendors had marked 100% of measured ad impressions served on ibb.co and imgbb.com as 'brand safe' and/or 'brand suitable'."

Adalytics' research methodology, which relies on generating ad impressions to study ad placements in real time, has faced scrutiny in the past. Prior reports, such as a 2023 analysis of the Google Search Partner Network, showed ads appearing on unexpected sites like Iranian or pornographic ones through Google, even for normal searches. While Adalytics showed screenshots for proof, it couldn’t really say how often real people actually saw these ads.

Effectiveness of current brand safety measures

The industry's response has been met with scepticism. Ramakrishnan Raja, principal at Resonant, tells Campaign Asia-Pacific that "brand safety today is still more of a reaction than a strategy—problems only get addressed after they blow up."

He minces no words, stating that "the industry relies too much on automated solutions and vendor promises that don’t hold up against bad actors who move faster than the systems meant to stop them." Raja also highlights the uncomfortable truth that brand safety "doesn’t get the same priority as ROI or efficiency," warning that "as long as ad safety remains a secondary concern, these major lapses will keep happening." He urges advertisers to "demand full URL-level transparency from ad tech partners" and calls for "real consequences" for ad tech vendors when brand safety tools fail.

Arielle Garcia, COO of Check My Ads, echoes a similar sentiment, arguing that incidents like this expose one of the key problems with digital advertising: "The systems running these ads are so impenetrably complicated that it's difficult for anyone to figure out what's actually going on, especially from the outside."

On DoubleVerify's claim that imgbb.com has a 'small advertising footprint', Garcia adds, "I would love to understand DV’s position on how much child sexual abuse is enough for them to take action on."

Photo: (left) Arielle Garcia and (right) Ramakrishnan Raja

Garcia further talks about the industry's tendency to "weaponise complexity," explaining that "the opacity of the convoluted adtech supply chain makes this next-to-impossible to discern, and all of the intermediaries between the advertiser and the publisher typically have some vested interest in keeping it that way."

She comes heavily on the industry's failure to self-regulate, stating that "industry bodies have allowed themselves and their standards to largely be co-opted by the very vendors they purport to govern." And calls for radical change, advocating for ‘Know Your Customer rules’ and transparency-related requirements that obligate vendors to supply brands with readily accessible page URL-level data.

How should marketers respond to DV's justification that imgbb.com has a 'small advertising footprint’?

Garcia advises, "Marketers should respond by first acknowledging the sobering realisation that their TAG-certified and MRC-accredited vendors can and will continue to transact their ads on CASM, US treasury sanctioned websites, piracy, animal abuse, and hate speech. As it stands, this is what it means to be TAG certified and MRC accredited today.

“Only once they have accepted that this is not the ‘exception’ or ‘edge case’, they’re told to believe that it was, will they begin to move forward and take back control. Marketers should demand their URL-level data, audit their campaigns, and demand refunds from their agencies, verification partners, and adtech vendors where their ad placements or services rendered did not meet the standards their suppliers committed to.

“They should file complaints with TAG, which can be done by non-members, and demand that KYC requirements and URL-level transparency become part of the standard. Brands that are MRC members—or whose agencies are MRC members—should similarly push for new standards that mandate transparency from verification vendors. They should demand that IAS and DV face investigation and suspension of accreditation pending the completion of a new, transparent, and robust independent audit."