Reston, VA. – October 8, 2019 – The Internet Society’s Online Trust Alliance (OTA), which identifies and promotes security and privacy best practices that build consumer confidence in the Internet, today announced the results of its 2020 U.S. Presidential Campaign Audit, a study analyzing the 23 current presidential campaigns and their commitment to online consumer protection, data security and responsible privacy practices.
An alarming 70% of the campaign websites reviewed in the audit failed to meet OTA’s privacy and security standards – potentially exposing visitors to unnecessary risks. Only seven (30%) of the analyzed campaigns made the Honor Roll, a designation recognizing campaigns that displayed a commitment to using best practices to safeguard visitor information. To qualify for the Honor Roll, campaigns must have an overall score of 80% or higher, with no failure in any of the three categories examined. There was no gray area in the Audit results – either campaigns made the Honor Roll, or they failed in at least one category.
OTA conducted a similar Audit in 2016, reviewing website security and privacy standards for the 2016 presidential election campaigns. Surprisingly, campaign performance this year actually worsened in some areas compared to the 2016 results, despite an increased focus on privacy and security over the last four years.
Overall performance only very slightly improved for 2020 with 70% of the campaigns failing in at least one Audit category, compared to 74% in 2016. All campaigns with a failure had failing scores related to their privacy statements, mainly due to lack of restrictions in sharing data. Surprisingly, email authentication protections have worsened. In 2016, 100 percent of the campaigns employed some type of email authentication, while two failed to employ any email protections in 2020.
Online Trust Audit Results – 2020 U.S. Presidential Campaigns |
||
Honor Roll |
Had a Failure |
|
Pete Buttigieg (D) |
Michael Bennett (D) |
Tim Ryan (D) |
Kamala Harris (D) |
Joe Biden (D) |
Mark Sanford (R) |
Amy Klobuchar (D) |
Cory Booker (D) |
Joe Sestak (D) |
Beto O’Rourke (D) |
Steve Bullock (D) |
Tom Steyer (D) |
Bernie Sanders (I) |
Julian Castro (D) |
Joe Walsh (R) |
Donald Trump (R) |
John Delaney (D) |
Elizabeth Warren (D) |
Marianne Williamson (D) |
Tulsi Gabbard (D) |
Bill Weld (R) |
|
Wayne Messam (D) |
Andrew Yang (D) |
Privacy Failures
The Audit examined three main categories including privacy, which assessed data sharing and retention language in campaign website privacy statements. The Audit also analyzed third-party tracking on the site. While none of the websites showed major issues with third-party tracking, the majority either had a privacy statement that allowed free sharing of data or had no privacy statement at all. This “no limits” sharing policy means that personal data might be shared among “like-minded organizations” (a phrase present in many of the privacy statements), which may be counter to user expectations.
Lack of Consumer Protection
The consumer protection category scored email authentication and associated technologies to help protect consumers from phishing and other security issues. Campaigns actually took a step back from the 2016 Presidential Audit in this sector, with two of the 2020 campaigns employing no email authentication at all (whereas all campaigns had email authentication in 2016).
As for email authentication technology employed, support for Sender Policy Framework (SPF) at top-level domains dropped for 2020 campaigns, at 87%, down from 91% in 2016. Support for Domain Keys Identified Mail (DKIM) grew to 91% from 78%. SPF and DKIM help protect consumers from forged/spoofed emails. One improvement in the findings was adoption of Domain-based Message Authentication, Reporting & Conformance (DMARC), growing from 4% in 2016 to 61% in 2020 and DMARC records with “enforcement” growing from 0% to 30%. DMARC provides instruction on how to handle messages that fail authentication.
Site Security is Bright Spot
Site security results for the campaigns were comparable to the highest scoring sectors in the recent OTA Online Trust Audit. This can be attributed to the relative “newness” of these campaign sites and the fact that they were built recently on secured platforms. Significant growth was seen in support of “always-on SSL” (100 percent adoption) and the use of a web application firewall (58%, up from 35% in 2016).
“The number of campaigns that failed to pass the 2020 Presidential Campaign Trust Audit is alarming given the increased attention to privacy and security issues over the last four years,” said Jeff Wilbur, Technical Director of the Internet Society’s Online Trust Alliance. “The campaigns should make proper handling of their visitors’ information a priority.”
For more information on the methodology used, please see: https://www.internetsociety.org/campaignaudit
Download the full report now here.
About OTA
The Internet Society’s Online Trust Alliance (OTA) identifies and promotes security and privacy best practices that build consumer confidence in the Internet. Leading public and private organizations, vendors, researchers, and policymakers contribute to and follow OTA’s guidance to help make online transactions safer and better protect users’ data. The Internet Society is a global nonprofit dedicated to ensuring an open, globally connected, trustworthy, and secure Internet for everyone.
Contact:
Ashley Mann
Voxus PR (for OTA)
253-444-5955
[email protected]