Despite good scores for security, the majority of presidential campaign websites get a failing grade for data privacy, according to a new study by the non-partisan Online Trust Alliance, an initiative of the Internet Society.
The websites of 23 presidential campaigns were analyzed for Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) protection of campaign email, correct Transport Layer Security (TLS) deployment, domain locking, privacy policies, and data sharing practices.
Campaign sites offer no real data privacy
While the Online Trust Audit report found that most campaigns have strong website security and email and domain protections, about 70% were lacking privacy statements. This is striking given that enterprise sites are moving toward greater data privacy in compliance with the EU’s General Data Protection Regulation (GDPR).
The report states that “five campaigns had no discoverable privacy statement” which “yields…an automatic failure.” Other campaigns had an inadequate privacy statement that failed to disclose data sharing and retention practices.
Developing campaign privacy best practices
In order to boost low data privacy scores, the report recommends that “campaigns should implement a privacy statement, openly state their data-sharing practices, restrict data sharing to only the third parties necessary for the proper operation of their site and services, and require third parties to adhere to the same restrictions and protections as the campaign itself.”
The report further suggests that presidential campaigns should consider developing privacy best practices and agree to follow them. As candidates come and go, political parties need to push campaigns to stick to data privacy best practices or deal with the consequences.
Overall, the Online Trust Audit report shows that the collection and use of campaign site visitor data are still a Wild West. Most websites don’t offer real data privacy and effectively put no limits on the use of visitor data.
This runs counter to established norms in the US and the principles of GDPR. After the 2016 presidential campaign, most candidates are taking the issue of security more seriously, but they’re not applying equal effort to data privacy practices.