An alarming 70% of the campaign websites reviewed in the OTA 2020 U.S. Presidential Campaign Audit failed to meet OTA’s privacy and security standards – potentially exposing visitors to unnecessary risks.
Only seven (30%) of the analyzed campaigns made the Honor Roll, a designation recognizing campaigns that displayed a commitment to using best practices to safeguard visitor information.
To qualify for the Honor Roll, campaigns must have an overall score of 80% or higher, with no failure in any of the three categories examined. There was no gray area in the Audit results – either campaigns made the Honor Roll, or they failed in at least one category.
OTA conducted a similar Audit in 2016, reviewing website security and privacy standards for the 2016 presidential election campaigns. Surprisingly, campaign performance this year actually worsened in some areas compared to the 2016 results, despite an increased focus on privacy and security over the last four years.
Overall performance only very slightly improved for 2020 with 70% of the campaigns failing in at least one Audit category, compared to 74% in 2016. All campaigns with a failure had failing scores related to their privacy statements, mainly due to lack of restrictions in sharing data.
Surprisingly, email authentication protections have worsened. In 2016, 100% of the campaigns employed some type of email authentication, while two campaigns employed no email protections at all in 2020.
The Audit examined three main categories. The first, privacy, assessed the data sharing and retention language in campaign website privacy statements; the Audit also analyzed third-party tracking on each site.
While none of the websites showed major issues with third-party tracking, the majority either had a privacy statement that allowed free sharing of data or had no privacy statement at all.
This “no limits” sharing policy means that personal data might be shared among “like-minded organizations” (a phrase present in many of the privacy statements), which may be counter to user expectations.
Lack of consumer protection
The consumer protection category scored email authentication and associated technologies to help protect consumers from phishing and other security issues. Campaigns actually took a step back from the 2016 Presidential Audit in this sector, with two of the 2020 campaigns employing no email authentication at all (whereas all campaigns had email authentication in 2016).
As for the email authentication technology employed, support for Sender Policy Framework (SPF) at top-level domains dropped for 2020 campaigns to 87%, down from 91% in 2016. Support for DomainKeys Identified Mail (DKIM) grew to 91% from 78%.
SPF and DKIM help protect consumers from forged/spoofed emails. One improvement in the findings was adoption of Domain-based Message Authentication, Reporting & Conformance (DMARC), growing from 4% in 2016 to 61% in 2020 and DMARC records with “enforcement” growing from 0% to 30%. DMARC provides instruction on how to handle messages that fail authentication.
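The consumer-protection checks described above (SPF present, DKIM present, DMARC present, and whether the DMARC policy is at "enforcement") can be scored from a domain's DNS TXT records. The following is an added example written for this page, not OTA's audit tooling; it assumes the TXT records have already been fetched into a dict (the sample records below are constructed) and that the DKIM selector is known.

```python
"""Score a domain's email-authentication posture from pre-fetched DNS TXT records.
Runs offline: the records are passed in rather than looked up."""
from typing import Dict, List, Optional

# DMARC only enforces when the policy is quarantine or reject; p=none is monitor-only.
ENFORCING_POLICIES = {"quarantine", "reject"}


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' TXT record (DMARC/DKIM style) into a dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(txt: Dict[str, List[str]], domain: str, selector: str) -> Dict[str, object]:
    """txt maps a DNS name to its TXT strings; selector is the DKIM selector to check."""
    spf = any(r.lower().startswith("v=spf1") for r in txt.get(domain, []))
    dkim_name = f"{selector}._domainkey.{domain}"
    dkim = any("v=dkim1" in r.lower() for r in txt.get(dkim_name, []))
    dmarc_recs = [r for r in txt.get(f"_dmarc.{domain}", []) if r.lower().startswith("v=dmarc1")]
    policy: Optional[str] = parse_tags(dmarc_recs[0]).get("p", "").lower() if dmarc_recs else None
    return {
        "spf": spf,
        "dkim": dkim,
        "dmarc": bool(dmarc_recs),
        "dmarc_policy": policy,
        "dmarc_enforced": policy in ENFORCING_POLICIES,
    }


# Constructed sample records for three hypothetical campaign domains.
SAMPLE_TXT: Dict[str, List[str]] = {
    "campaign-a.example": ["v=spf1 include:_spf.example.net -all"],
    "s1._domainkey.campaign-a.example": ["v=DKIM1; k=rsa; p=CONSTRUCTED_PUBLIC_KEY"],
    "_dmarc.campaign-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@campaign-a.example"],
    "campaign-b.example": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.campaign-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@campaign-b.example"],
    "campaign-c.example": [],  # no email authentication published at all
}

if __name__ == "__main__":
    for name in ("campaign-a.example", "campaign-b.example", "campaign-c.example"):
        print(name, assess(SAMPLE_TXT, name, "s1"))
```

Only campaign-a would count as DMARC "enforcement" in the Audit's sense; campaign-b has a DMARC record but a monitoring-only policy, and campaign-c publishes nothing.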
Site security is bright spot
Site security results for the campaigns were comparable to the highest scoring sectors in the recent OTA Online Trust Audit. This can be attributed to the relative “newness” of these campaign sites and the fact that they were built recently on secured platforms.
Significant growth was seen in support of “always-on SSL” (100% adoption) and the use of a web application firewall (58%, up from 35% in 2016).
“The number of campaigns that failed to pass the 2020 Presidential Campaign Trust Audit is alarming given the increased attention to privacy and security issues over the last four years,” said Jeff Wilbur, Technical Director of the Internet Society’s Online Trust Alliance. “The campaigns should make proper handling of their visitors’ information a priority.”