Presidential campaign websites fail on privacy, says new study
The Internet Society’s Online Trust Alliance (OTA) has announced the results of its 2020 US Presidential Campaign Audit, revealing that an alarming 70% of the campaign websites reviewed failed to meet the OTA’s privacy and security standards, potentially exposing visitors to unnecessary risks.
The OTA, which identifies and promotes security and privacy best practices to build consumer confidence in the Internet, analyzed the 23 current presidential campaigns and their commitment to online consumer protection, data security and responsible privacy practices. Only seven (30%) of the analyzed campaigns made the ‘Honor Roll’, a designation recognizing campaigns that displayed a commitment to using best practices to safeguard visitor information.
To qualify, campaigns must have an overall score of 80% or higher, with no failure in any of the three categories examined.
The OTA conducted the same audit for the 2016 presidential election campaigns, reviewing website security and privacy standards. Surprisingly, campaign performance this year actually worsened in some areas compared to the 2016 results, despite an increased focus on privacy and security.
Overall performance improved slightly for 2020: 70% of the campaigns failed in at least one audit category, compared with 74% in 2016.
All campaigns with a failure had failing scores related to their privacy statements, mainly due to a lack of restrictions on data sharing. The study also revealed that, perhaps surprisingly, email authentication protections had worsened. In 2016, 100% of the campaigns employed some type of email authentication, while in 2020 two campaigns failed to employ any email protections at all.
Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, the company behind one of the tools used for the study’s research, said: “This research is a great and timely idea to raise web security and privacy awareness. The research thoroughly probes the fundamentals of cybersecurity and IT hygiene; however, one should not underestimate the sophistication of nation-state hacking actors. They will likely leverage a wide spectrum of attack vectors, including getting the data via careless third-party providers and negligent vendors.
“Importantly, the main websites tested within the research are just the tip of the external attack surface iceberg. Skilled attackers will persistently search for abandoned subdomains, forgotten databases and unprotected cloud storage. Probably, the attackers have already implemented continuous monitoring of [these] presidential websites to get instant alerts once a software or its component becomes vulnerable, akin to recent critical vulnerabilities in vBulletin or Drupal. Unfortunately, attackers frequently act faster than security teams and manage to get in within minutes after a security flaw is publicly disclosed or sold on the Dark Web.”