Privacy 24 September 2019

2019 Online Trust Audit Methodology 

The 2019 Online Trust Audit will represent the 11th independent analysis and benchmark report of the adoption of security standards and responsible privacy practices. This methodology reflects comments received in response to the Internet Society’s Online Trust Alliance methodology feedback meetings, consultations with industry and government experts, commonly accepted best practices and emerging threat vectors. 

The Audit will analyze more than 1,000 consumer-facing websites including top online retailers, banks, consumer service sites, U.S. federal government agencies, news and media companies, ISP/hosters and healthcare organizations. New in 2019 will be an audit of top retailers in three additional regions – Asia, Europe, and Latin America. 

Sites are eligible to receive 300 total base points, including up to 100 points in each of three major categories: 

  • Domain, Brand & Consumer Protection 
  • Site, Server & Infrastructure Security 
  • Privacy, Transparency & Disclosures 

Bonus points are available for implementation of emerging best practices and penalties are assessed for vulnerabilities, breaches, and regulatory settlements. The 2019 scoring has been expanded and enhanced with additional weight and granularity given to key practices. To qualify for Honor Roll status, sites need to receive a composite score of 80% or better and a score of at least 60 in each of the three separate categories.   

Data collection for the Audit is planned to be completed between late October and the end of November 2019. It should be noted that this research is based on a “slice of time” and individual companies may have adopted or change their security and privacy practices after the Audit. OTA recognizes that the sites examined might be using other technologies (which our tools or research did not detect) to authenticate domains or subdomains, secure their infrastructures, track users on their sites, etc. 

Due to the sensitivity of this data and risk of disclosing vulnerabilities, individual organizations scores and data will not be publicly available. Information will be provided to site owners upon written request and verification.  

Domain, Brand, & Consumer Protection

Baseline Scoring 

Email Authentication (SPF, DKIM & DMARC) – The report will analyze emails and the respective DNS infrastructure of leading sites and subdomains. Email authentication assesses efforts to protect users from domain and email spoofing via the adoption of three industry leading protocols – Sender Policy Framework (SPF)Domain-Keys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC).  

Sites receive maximum points by 1) implementing both SPF and DKIM authentication at the toplevel domain (e.g., yourdomain.com) as well as on their respective subdomains (e.g., email.yourdomain.com), and 2) implementing a DMARC record with a “reject” policy at the toplevel domain. Partial credit is given for support of SPF, DKIM and DMARC at the subdomain level.  

Depending on the specifics, SPF and DMARC records containing errors receive either no credit or a scoring reduction. Likewise, ”naked” DMARC records (a policy of “none” with no reporting) do not receive credit. For the 2019 Audit, additional weight will be given to use of DMARC. 

Transport Layer Security (TLS) for Email – After being a bonus point element for many years, “Opportunistic TLS” will shift to baseline scoring in 2019. Just as TLS can be used to secure web communications (HTTPS), it helps prevent eavesdropping on email as it moves between email servers. TLS adoption will be assessed using TLS databases provided by Twitter, Google and others as well as examination of email received from audited entities. 

Bonus and Penalties 

Domain Locking – Domain locking is a security enhancement offered by most registrars to help prevent unauthorized transfers of your domain to another registrar or web host. When your domain is locked, you’ll be substantially protected from unauthorized third parties who might try to redirect your name servers or transfer your domain without your permission. Organizations receive a penalty if their domain is not locked. 

IPv6 & Domain Name System Security Extension (DNSSEC) – Testing will be completed using public tools and browser plug-ins. Sites adopting IPv6 and/or DNSSEC will receive bonus points. 

Site, Server, & Infrastructure Security

Baseline Scoring 

Server and TLS/SSL Configuration – Sites will be evaluated using a combination of data and tools which provide visibility into the server architecture, configuration, and digital certificates. These tools check for weak keys, protocols, algorithms and server misconfigurations that can enable attackers to exploit system vulnerabilities and compromise TLS/SSL communications.  

Web Security Headers – Using public tools, sites are assessed for their implementation of web security headers, which can limit vulnerabilities introduced by cross-site scripting (XSS) or third-party content. 

Additional Security Assessments – Using various tools, sites are also examined for application and network security, IP reputation and updated softwareThese findings are blended into the overall baseline score.  

Always On SSL (AOSSL) – Sites are evaluated for the adoption of AOSSL, “HTTPs everywhere” and/or HTTP Strict Transport Security (HSTS) as best practices to secure sensitive data between a user’s device and a web site. This capability is assessed using the tools listed above and is verified by auditors accessing the sites. AOSSL became part of baseline scoring in 2018 and its weight will be increased in the 2019 Audit. 

Bonus and Penalties 

Extended Validation SSL Certificates (EV SSL) – Acquiring an Extended Validation certificate requires extensive verification by the certificate authority, and EV SSL offers visible confirmation of site identity to the user, though it’s distinction in web and mobile browsers has been deprecated in recent years. Sites with EV SSL Certificates receive bonus points, though the bonus points will be reduced in the 2019 Audit. 

Certificate Authority Authorization (CAA) – CAA is a security measure that allows domain owners to specify in their Domain Name Servers (DNS) which certificate authorities are authorized to issue certificates for that domain. Sites supporting CAA, as determined by the server configuration tools mentioned above, will receive bonus points. 

Malware, Malicious Links & Cross-Site Scripting – Sites will be scanned for malware and malicious links. Cross-site scripting will be assessed via public databases logging reported vulnerabilities. Sites with vulnerabilities receive penalty points. 

Web Application Firewall – Sites which have a web application firewall receive bonus points. Web Application Firewalls monitor HTTP conversations and block common attacks such as cross-site scripting (XSS) and SQL injections. 

Vulnerability Reporting Mechanisms – Recognizing the importance of having a vehicle for responsible reporting of site vulnerabilities, a search using common keywords will be conducted on audited sites and on third-party sites to look for the presence of a vulnerability reporting mechanism. Terms will include but are not limited to “bug reports,” “bug bounty,” “site vulnerabilities” and “vulnerability disclosures.” Sites supporting a vulnerability reporting mechanism will receive bonus points, which will be increased in the 2019 Audit. 

Privacy, Transparency, & Disclosures

Baseline Scoring 

Privacy Statement – Organizations’ privacy statements will be analyzed for language regarding data sharing, deletion, retention policies, disclosure notices and vendor compliance. Up to 100 baseline points will be awarded based on direct review of privacy statements by analysts (in 2018, the privacy statement score accounted for only 55 of the 100 baseline points). Specific components assessed in the privacy statement score include:  

  • Privacy statement link discoverable on home page 
  • Data sharing language (including sharing with “affiliates”) 
  • Data sharing with third parties  
  • Data retention language 
  • Layered notices  
  • Mention of applicability to children 
  • Date stamp at the top of the privacy statement 
  • Access to previous versions  

Third-party Trackers – Points will be deducted from the baseline score for third-party trackers known to freely share data that are seen on a site. In 2018, the third-party tracking score represented 45 of the 100 baseline points.  

Do Not Track Browser Settings (DNT) – After many years as both a baseline scoring element (for disclosing whether DNT is honored) and a bonus item (for actually honoring the DNT signal), DNT is being removed from the scoring for the 2019 Audit. This is due to the fact that the W3C project was shut down in early 2019 and the new California Consumer Privacy Act (CCPA) does not include it as a requirement (prior California law did require disclosure whether a site supported DNT).  

Bonus and Penalties 

Privacy Statements with Icons – Building on layered notices, sites which use consumer friendly icons receive bonus points.  

Multi-Lingual Privacy Statement – Offering the privacy statement in multiple languages provides critical information to a broader audience. Sites offering their privacy statement in multiple languages receive bonus points. 

Cross-device Tracking Disclosure – Cross-device tracking can have benefits, including an enhanced user experience when moving between devices, and security benefits for users logging in from other devices or IP addresses, but it also raises privacy concerns. Privacy statements that include disclosure of tracking across various devices (e.g. desktop, phone, tablet, etc.) receive bonus points.  

Tag Management Systems or Privacy Solutions – Sites supporting multiple trackers often utilize tag management systems or privacy solutions to inventory and manage those trackers, since without such oversight sites often end up with old trackers that are active, but no longer have a business purpose. Sites supporting such systems receive bonus points. 

Private WHOIS – To support transparency and allow consumers to see who owns a domain, WHOIS records of top sites should be public. Sites with a private WHOIS record receive penalty points. 

FTC/FCC/State Settlements & Data Breaches – Organizations which have received a settlement or experienced a data breach since January 1, 2019 will receive penalty points. Breach related penalties are scaled to the size of the breach. 

Alignment with Global Privacy Regulations – Many new privacy regulations have already gone into effect, or will in 2020, in various regions/countries around the world (e.g., the EU and Brazil) as well as in many U.S. states (e.g, the California Consumer Privacy Act – CCPA). In the 2018 Audit, bonus points were awarded if privacy statements addressed various key elements of the General Data Protection Regulation (GDPR). For 2019, this will be broadened to incorporate common concepts present in the new privacy regulations worldwide. Bonus points will be awarded for language that addresses issues such as identification of a Data Protection Officer (DPO), identifying the process for a user to access or delete data an organization has about them, the types of third parties data is shared with, and the readability of the privacy statement. 

Related Resources

Internet of Things (IoT) 19 September 2019

Policy Brief: IoT Privacy for Policymakers

Introduction The Internet of Things, or IoT, is the latest wave of integration of technology into our lives and...

Building Trust 16 September 2019

Are Organizations Ready for New Privacy Regulations?

Based on 1,200 privacy statements, many are not prepared for coming regulations.

Privacy 2 July 2019

Policy Brief: Principles for Responsible Data Handling

Introduction More and more of our activities generate data which is collected and used in ways we don’t see...