Presidential campaign websites fail at privacy, new study shows

Majority of campaign websites get a failing grade despite good scores for security.

Presidential campaign websites get a failing grade for privacy, according to a new study by the non-partisan Online Trust Alliance, an initiative of the Internet Society. The study analyzed campaign websites of 23 presidential campaigns websites, including 19 Democrat and four Republican, for correct Transport Layer Security (TLS) deployment, Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM) for campaign email, domain locking, as well as privacy policies and data sharing practices.

"Overall, we found that campaigns have strong website security, reasonable email and domain protections, and poor privacy scores," the report concludes. "Privacy statements are the biggest concern, causing failure for 70% of the campaigns."

cso 2020 campaign privacy failures online trust audit overall privacy failing grades by sector 1200 Online Trust Alliance

Not all is doom and gloom, however. A few bright spots stand out in the Internet Society report. Here's the rundown on the good, the bad and the ugly.

Web security

Test all candidate campaign websites through SSL Labs and you'll find strong, modern ciphers and solid TLS configuration. "Using public assessment tools from Qualys SSL Labs and ImmuniWeb, all sites earned an “A” or “A+” in this area," the report says, and had trusted certificates as well as certificate transparency. As a nice bonus, 58% of campaign websites support TLS 1.3, significantly higher than any other sector.

With two exceptions, all campaign have enabled domain locking to prevent unauthorized transfer of domain ownership. (That's probably two too many, to be honest.) One fun detail the report uncovered is that 74% of campaign sites are available over IPv6, compared to 12% in other sectors.

Email security

Given that phishing and poor email security played a key role in the 2016 presidential campaign, one would hope that campaigns would take the issue more seriously this time around. Some do, but not all.

Use of SPF and DKIM to prevent email spoofing was a bright spot. Eighty-seven percent of campaign domains have deployed both SPF and DKIM, although two campaigns had no email authentication at all.

Sixty-one percent of campaigns had a Domain-Based Message Authentication, Reporting and Conformance (DMARC) record and 30% use DMARC enforcement, which quarantines or rejects emails that messages that fail authentication. A DMARC policy "allows a sender to indicate that their messages are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as junk or reject the message," the DMARC FAQ explains.

"Given that campaigns are using current email services and the significant concern about phishing in the political realm," the report says, "all should be using DMARC."

Privacy and data use

The collection and use of site visitor data, however, is a Wild West with most campaign sites offering no real data privacy, a cause for concern, the report notes. At a time when enterprise sites are moving toward greater data privacy in compliance with the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), it is striking that presidential campaign sites have largely ignored visitor privacy.

The problem begins with a lack of transparency and gets worse from there. "Five campaigns had no discoverable privacy statement," the report notes. "This yields...an automatic failure. This may be an oversight but is inexcusable since every campaign website is collecting data." The five campaign sites without a privacy statement were Wayne Messam (D), Tim Ryan (D), Mark Sanford (R), Joe Sestak (D), and Joe Walsh (R).

Others had an inadequate privacy statement that failed to disclose data sharing and retention practices, or effectively put no limits on the use of visitor data, permitting unlimited data sharing with "like-minded entities," which is counter to both established norms in the US in other sectors and violates the principles of both the GDPR and the CCPA.

"To remedy the low privacy scores," the report says, "campaigns should implement a privacy statement (if absent), openly state their data sharing practices (if silent), restrict data sharing to only the third parties necessary for the proper operation of their site and services, and require those third parties to adhere to the same restrictions and protections as the campaign itself."

cso 2020 campaign privacy failures online trust audit results 1200x832 Online Trust Alliance

Overall the lack of transparency regarding what campaigns collect and how it is used is troublesome. Not all of that data collection is necessarily bad, but it ought to be disclosed, the report argues. For instance, campaigns must disclose to the Federal Election Commission (FEC) data about campaign donations.

Data retention is also a problem, the report notes. Campaigns are short and data should be disposed of when no longer needed. However, only three of the 23 campaigns examined have any language at all disclosed how long data is kept. Nor did candidate websites offer voters any clear way to contact the campaigns to discover what data is being collected and shared--"Just 8% of campaigns had language about what information users could request about their data, and none had language about users being able to request their data be deleted."

Time for campaign "privacy best practices"?

As industry after industry has discovered to their pain, if you don't do the right thing, eventually the government is going to step in and regulate, sometimes badly. Better to establish strong norms than roll the dice on regulation you might not like.

Presidential campaigns should consider developing privacy best practices and agree to follow them, the report suggests. Campaigning maybe a cutthroat affair, but while candidates may come and go, political parties remain. The onus is on them to push campaigns to stick to better privacy norms or face the consequences.          

Show Comments