The 2014 Online Trust Audit includes a composite analysis focusing on three major categories: a company’s data protection, security and privacy practices, covering over two dozen criteria. Sites were eligible to receive 300 total base points, including up to 100 points in each category and up to 30 bonus points. The audit evaluated over 800 websites across multiple sectors, including the Internet Retailer 500, the FDIC Top 100 Banks, the Top 50 Federal Government sites, the Top 50 Social Networking sites, the Top 50 News/Media sites, and OTA Members. (Each sector, including OTA Members, was evaluated on the same criteria.) Each sector was scored in three categories:
- Domain, Brand & Consumer Protection (Data used for the 2014 Email Integrity Report)
- Site, Server & Infrastructure Security
- Data Protection, Privacy & Transparency
The 2014 scoring has been expanded and enhanced with additional weight and granularity given to key practices. To qualify for the Honor Roll, sites had to receive a composite score of 80% or better and a score of at least 55 in each of the three categories.
Data sampling of survey sites, their DNS, email and privacy policies was completed between April 15 and May 15, 2014. In total, more than 500 million emails were examined and approximately 10,000 web pages reviewed. It is important to note that a site’s practices may have changed since the sampling and the data only reflects findings based on this period of time.
Addressing the ever-changing security and privacy landscape as well as regulatory requirements, the criteria continue to evolve, with the bar rising in all areas. This year, as in years past, criteria that were previously considered bonus points are now part of the baseline requirements. Examples include adoption of DMARC, increased SSL granularity, and upgrading to 2048-bit SSL certificates.
With the goal of driving adoption of best practices and allowing all companies to assess their status and optimize their scores, OTA published the 2014 criteria in early January 2014 on the OTA website and in external-facing newsletters. Additionally, webinars were hosted. Since the release of the 2014 criteria, several dozen companies, including leading banks, retailers and OTA members, have contacted OTA asking for guidance. Such support was provided to any party at no charge.
It should be noted that this research is based on a “slice of time” and individual companies may have since adopted or changed their security and privacy practices. We also recognize that the sites examined might be using other technologies (which our tools or research did not detect) to authenticate domains or subdomains, secure their infrastructures, track users on their sites, etc. Due to the sensitivity of this data and the risk of disclosing vulnerabilities, individual organizations’ scores and data are not publicly available. Information will be provided to site owners upon written request and verification. For details, including reporting fees, please send an email to admin @ otalliance.org.
COMPONENTS OF THE COMPOSITE SCORES
DOMAIN, BRAND & CONSUMER PROTECTION
- Email Authentication (SPF & DKIM) – The report analyzed more than 500 million emails and the respective DNS infrastructure of leading sites and subdomains. Email authentication assesses efforts to protect users from domain and email spoofing via the adoption of two industry-leading protocols, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). Sites received maximum scores by implementing both SPF and DKIM authentication at the top-level domain (e.g. yourdomain.com) as well as on their respective delegated subdomains (e.g. email.youremail.com). Verification of DKIM-signed email required review of the email headers of individual emails via sampling provided by Agari and Return Path. Augmenting previous years’ methodology, OTA subscribed to marketing email newsletters and/or submitted inquiries to sites, then reviewed the responses, providing increased granularity of email data. Results were integrated into the composite scoring and factored as a component of the baseline points required to qualify for the Honor Roll. Verification of SPF records was completed using the OTA DNS record lookup tool. (Data used for the 2014 Email Integrity Report)
- Domain-based Message Authentication, Reporting & Conformance (DMARC) – DMARC standardizes how email receivers perform email authentication using the SPF and DKIM mechanisms. Sites that have published DMARC records receive a positive score. This year, publishing a “reject” or “quarantine” policy is part of the baseline scoring for email authentication. Due to growing adoption and success, additional weighting was given to sites publishing a DMARC record this year. Verification was completed using the OTA query tool. (Data used for the 2014 Email Integrity Report)
- Domain Locking – Domain locking is a security enhancement offered by most registrars to help prevent unauthorized transfers of your domain to another registrar or web host by locking your domain name servers. When your domain is locked, you’ll be substantially protected from unauthorized third parties who might try to redirect your name servers or transfer your domain without your permission. Sites receive negative points if their domain is not locked.
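As an added example (not the OTA DNS record lookup or query tool referred to above), the following Python classifies a domain’s SPF and DMARC posture along the lines the email-authentication criteria describe: an SPF record published at the domain, a DMARC record published at _dmarc.<domain>, and whether its policy is “quarantine” or “reject”. The domain names and TXT records are constructed stand-ins for a DNS lookup; DKIM, which the audit verified from message headers rather than DNS, is not covered.

```python
"""Classify SPF and DMARC posture from DNS TXT records (added example)."""
from typing import Dict, List, Optional

# Constructed TXT records for hypothetical domains. A real check would query
# TXT for <domain> and _dmarc.<domain> instead of reading this dictionary.
TXT_RECORDS: Dict[str, List[str]] = {
    "example-bank.test": ["v=spf1 include:_spf.example-bank.test -all"],
    "_dmarc.example-bank.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-bank.test"],
    "example-shop.test": ["v=spf1 a mx ~all", "unrelated-verification=abc123"],
    "_dmarc.example-shop.test": ["v=DMARC1; p=none; sp=quarantine; pct=100"],
    "example-news.test": ["site-verification=xyz"],
}


def lookup_txt(name: str) -> List[str]:
    """Stand-in for a DNS TXT query; returns [] for names with no records."""
    return TXT_RECORDS.get(name.lower(), [])


def find_spf(records: List[str]) -> Optional[str]:
    """Return the SPF record (the TXT record starting with v=spf1), if any."""
    for rec in records:
        if rec.lower().startswith("v=spf1"):
            return rec
    return None


def parse_dmarc(records: List[str]) -> Optional[Dict[str, str]]:
    """Parse the first v=DMARC1 record into a tag dictionary, if present."""
    for rec in records:
        tags = [t.strip() for t in rec.split(";") if t.strip()]
        if not tags or tags[0].replace(" ", "").lower() != "v=dmarc1":
            continue
        parsed: Dict[str, str] = {}
        for tag in tags[1:]:
            if "=" in tag:
                key, value = tag.split("=", 1)
                parsed[key.strip().lower()] = value.strip()
        return parsed
    return None


def assess(domain: str) -> Dict[str, object]:
    """Report SPF presence/strictness and DMARC presence/policy for a domain."""
    spf = find_spf(lookup_txt(domain))
    dmarc = parse_dmarc(lookup_txt(f"_dmarc.{domain}"))
    policy = dmarc.get("p", "").lower() if dmarc is not None else None
    return {
        "spf_published": spf is not None,
        "spf_hard_fail": spf is not None and spf.split()[-1] == "-all",
        "dmarc_published": dmarc is not None,
        "dmarc_policy": policy,
        # sp= covers subdomains; it defaults to the organizational policy p=.
        "dmarc_subdomain_policy": (dmarc.get("sp", policy).lower() if dmarc else None),
        "dmarc_enforcing": policy in ("quarantine", "reject"),
    }
```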
SITE, SERVER & INFRASTRUCTURE SECURITY
- Server and SSL Configuration – Sites were evaluated using a combination of data and tools from DigiCert, GlobalSign, High-Tech Bridge SA, Qualys Labs, RiskIQ, SiteLock and Symantec. These tools provide visibility into the server architecture, configuration and digital certificate. In addition, sites were evaluated for iFrame exploits and cross-site scripting (XSS) as well as for the presence of malware or malicious links. Testing evaluated for weak keys, protocols, algorithms, and server misconfigurations that can enable attackers to exploit system vulnerabilities and compromise SSL communications. The SSL Labs tool increased its security requirements and added new grading options in January 2014.
- Extended Validation SSL Certificates (EV SSL) – EV SSL offers trust mechanisms visibly confirming the identity of the site to the user. The 2014 analysis focused on all sites with SSL connections, not limiting the evaluation to consumer-facing e-commerce or banking sites. Cybercriminals target business-to-business, social networking and government sector sites with non-EV certificates. Acquiring an Extended Validation certificate requires extensive verification by the certificate authority. Sites that have implemented EV SSL certificates received bonus points.
- Always On SSL (AOSSL) – Sites were evaluated for the adoption of AOSSL and/or HTTP Strict Transport Security (HSTS) as best practices to secure sensitive data between a user’s device and a website. With the advent of widely available tools, criminals can “sidejack” cookies and data packets from unsuspecting users. Sidejacking allows hackers to intercept cookies (typically used to retain user-specific information such as username, password and session data) when they are transmitted without the protection of SSL encryption. Sites supporting AOSSL receive additional points, with added weight from previous years. This capability was measured using the Qualys SSL Server Test and other tools to look for Strict Transport Security, and verified by auditors accessing the sites.
- Domain Name System Security Extension (DNSSEC) – Testing for DNSSEC was completed by Internet Identity which queried the DNSSEC records. Sites adopting DNSSEC receive bonus points.
DATA PROTECTION, PRIVACY & TRANSPARENCY
- Privacy Policy & Tracking Score – Using third-party data from PrivacyFix (a service of AVG Technologies), TRUSTe and additional OTA criteria, sites were analyzed for their privacy policy and data collection practices. A privacy score evaluates privacy risk based on a website’s published policies about protection of personal data and the privacy qualifications of third parties seen to be collecting data on the site. Website privacy policies regarding sharing, deletion, disclosure notices and vendor confidentiality were reviewed by analysts. Scoring for third-party tracking companies (reflecting policies on anonymity, boundaries, choice, retention and oversight) was weighted based on their prevalence in site scans. Sites were crawled for a period of over 96 hours to observe data collection and onsite tracking. It is important to note that scores are dynamic and can change based on the mix of third-party tracking and revisions to privacy policies. Results were integrated into the composite scoring and factored as a component of the baseline points required to qualify for the Honor Roll.
- Do Not Track Browser Settings (DNT) – In response to the State of California disclosure requirement regarding a site’s handling of Do Not Track, websites’ privacy policies were evaluated for compliance. In addition, sites which publicly disclose that they are honoring the browser-based DNT setting received bonus points. Such an assertion would be in addition to any notice a user is presented when visiting a site and does not preempt any such notice. A DNT signal asserts a user’s request that their online data not be collected and shared. Composite scores for sites with no assertion to support or ignore the DNT signal will not be impacted. As the standard is evolving with the W3C, it is recognized that many sites are reviewing their position. Currently, support of DNT by a site is voluntary. Sites that honor the DNT signal receive additional bonus points. For additional information see the updated California Guidelines.
- Public vs. Private WHOIS Registration – Sites that are registered by proxy or private registration received a negative score, reflecting a lack of transparency. While it is recognized that sites may choose to opt in to private domain name registration, public-facing sites are discouraged from doing so, and consumers should exercise caution when interacting with sites that have made their domain information private. Results were integrated into the composite scoring as a negative score for sites with private registrations and factored as a component of the baseline points required to qualify for the Honor Roll.
- Tag Management System or Privacy Solution – Sites that implement a tag management system or a standalone privacy solution receive bonus points. A tag management system gives a site operator visibility into data collection practices and a means to proactively manage third-party activities. A standalone privacy solution monitors third-party activity on the site for the site operator. Both enhance the ability to manage analytics tools, marketing tags, and other tag-based technologies that may collect and share data. Websites were scanned using tools from Ensighten and InfoTrust LLC.
- Data Breach & Loss Incidents – Companies that have experienced a data breach or a data loss incident since April 2012 received negative points. See the 2014 OTA Data Protection & Breach Readiness Guide.
- FTC / State Settlements – Companies that have been in violation of the FTC Act, including settlements and judgments since April 2012, receive negative points. The FTC Act focuses on consumer protection, including but not limited to deceptive advertising, privacy and data security practices.
SECTORS EVALUATED
- IR100 & IR500 (Internet Retailer 100 & Internet Retailer 500). Ranking based on revenue as reported by Internet Retailer Magazine, produced by Vertical Web Media. Ranking as of May 1, 2014. http://www.internetretailer.com/top500/.
- FDIC top 100 banks (FDIC 100). Based on net assets as reported by the Federal Deposit Insurance Corporation. Ranking as of December 31, 2013. http://www.managingmoney.com/fdic.php.
- Top 50 Federal Government sites (Fed 50). Based on a combination of consumer traffic and recent cybercriminal targeting of Federal Government sites, including forged email campaigns and phishing sites. Includes Cabinet-level agencies at risk of such exploits.
- Top 50 Social Networking and sharing sites (Social 50). Includes social networking, dating, entertainment, gaming, document storage, photo and collaboration sites.
- Top 50 News and Media sites (News 50). Includes top-ranked news, content and media sites (non-ecommerce, non-social).
- OTA Member Companies (OTA Members). Includes commercial members, including consumer and business-to-business sites. Does not include academia, law enforcement, professional members, public sector, non-profits or member companies that joined since May 1, 2014. https://otalliance.org/about-us/members.
ACKNOWLEDGEMENTS
Data and analysis have been provided in part by: Agari, AVG Technologies, Bounce.IO, comScore, DigiCert, Ensighten, GlobalSign, High-Tech Bridge SA, IID, InfoTrust LLC, Microsoft, Qualys, Return Path, SiteLock, SSLLabs, Symantec and TRUSTe. Special thanks to OTA members and staff for their strategic input, including: David Ader, Tom Bartel, Mark Goldstein, Mike Hammer, Mike Jones, Lauren Millslagle, Ivan Ristic, Liz Shambaugh, Craig Spiezle, Joe St. Sauver, Jeff Wilbur and Ben Wilson.