Building Trust 20 June 2017

2017 Online Trust Audit Released – What Did We Learn?

By Jeff Wilbur, Senior Director, Online Trust

Today the Online Trust Alliance (OTA) released the 9th annual Online Trust Audit and Honor Roll. This year’s Audit is our most comprehensive ever, assessing more than 1000 consumer-facing sites for their adoption of best practices in consumer/brand protection, site security and responsible privacy practices. Each year the audit raises the bar, using criteria that reflect the latest regulatory environment, attack vectors and commonly accepted practices for giving users notice and control regarding their data. The goal is to provide practical advice to organizations to help them move beyond compliance to stewardship, protecting their customers and their brand while improving trust in the Internet itself. The audit also recognizes excellence in adherence to these practices by naming organizations to the Honor Roll, and this year to the “Top of Class” (the top 50 scoring sites).

The results of the 2017 Audit were a mix of the expected and unexpected. Some pleasant surprises:

  • Despite raising the bar in the criteria and scoring, a record 52% of sites assessed made the Honor Roll, led by the Consumer Services sector with 76% Honor Roll achievement.
  • The News/Media sector dramatically improved its Privacy scores (rising an average of 20%), and thus cut its Privacy failure rate to only 19%, less than one quarter of last year’s 58%. This helped lead the sector to an Honor Roll achievement of 48%, its highest ever and a meteoric rise from 4% three years ago.
  • Adoption of several fundamental technology practices doubled since last year. Driven by both security and privacy concerns, use of full-time encryption (also known as “https everywhere”, meaning every page of the site is served over TLS rather than only login or checkout pages) passed the tipping point, reaching 52%. Use of IPv6 grew to 14%, setting the stage for future growth and IoT, and use of DNSSEC grew to 12%, thanks to banks and continued heavy use by government sites.
  • Use of DKIM (an email authentication standard that lets a receiving mail server verify that a message was signed by the sending domain) at the organization’s primary (apex) domain, rather than only on subdomains, grew substantially, from 44% to 56%. This is the second straight year of 12% absolute growth.
  • The audit assessed “cross-device tracking” disclosure for the first time this year (where a site correlates your use of multiple devices to access their site), and found that 44% of sites disclose this practice, most commonly consumer services, retailers and news sites. Such disclosure is good news, though it needs to be backed up by restrictions on data sharing and use by third parties to truly benefit consumers.

However, there were also some unexpected, unpleasant results:

  • 65% of the Top 100 banks failed in one or more categories, halving banks’ Honor Roll achievement from 54% last year to 27% this year. This is less about doing worse and more about not keeping pace. Many of them use a standardized privacy policy that is “compliant” but does not cover the OTA practices aimed at stewardship, which pushed the Privacy failure rate to 34% vs. 5% last year. Consumer Protection also dragged down banks’ achievement, since more emphasis was placed on use of certain email authentication practices. Many banks were close to the failure threshold in previous years, so failing to keep pace tipped them into failing scores.
  • To a lesser extent Federal government sites also dropped this year, with 60% of sites having one or more failures and only 39% reaching Honor Roll status. This can be almost entirely attributed to incomplete email authentication (SPF, DKIM and DMARC) on these sites, leaving many of them open to spoofing.
  • Through the inclusion of additional data providers and better telemetry, many of the criteria got a deeper look this year, resulting in significant negative shifts in results from previous years. Breach incidents more than doubled to nearly 12%, with some sectors (banks and consumer sites) at 24%. Sites with cross-site scripting (XSS) vulnerabilities nearly doubled to 50%. Close examination of SPF and DMARC records revealed that 7-8% of them were actually invalid. Receiving mail servers ignore a malformed record, so such a domain has no effective sender authentication even though a record is published, which likely gives site owners a false sense of security.
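The invalid SPF and DMARC records mentioned above are easy to find on your own domains once you know the failure modes: a second SPF record, a mechanism typo, more than ten DNS-lookup terms, a lowercase `v=dmarc1`, a missing `p=` tag, or a report address that is not a `mailto:` URI. The Python below is an added illustration, not the OTA’s assessment tooling; it applies the record-level rules of RFC 7208 (SPF) and RFC 7489 (DMARC) to record strings. The records in `SAMPLES` are constructed examples for non-existent domains; in practice you would obtain the strings from a DNS resolver (TXT records at the domain for SPF, at `_dmarc.<domain>` for DMARC).

```python
"""Syntactic sanity checks for published SPF and DMARC records.

Added example, not part of the OTA audit tooling. All record strings in
SAMPLES are constructed; they are not records observed at any real domain.
"""

# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 s4.6.4, limit 10).
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
SPF_MECHANISMS = SPF_LOOKUP_MECHANISMS | {"all", "ip4", "ip6"}
DMARC_POLICIES = {"none", "quarantine", "reject"}


def check_spf(txt_records):
    """Return a list of problems for the SPF record(s) among a domain's TXT records.

    An empty list means the record is syntactically sane. Several of these
    conditions are 'permerror' under RFC 7208, which receivers treat as if no
    SPF policy existed, even though a record is visibly published in DNS.
    """
    problems = []
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record (no TXT record starting with v=spf1)"]
    if len(spf) > 1:
        problems.append("multiple SPF records: permerror under RFC 7208 s4.5")
    terms = spf[0].split()[1:]
    lookups = 0
    saw_all = False
    for term in terms:
        if saw_all:
            problems.append(f"term {term!r} after 'all' is never evaluated")
            continue
        if "=" in term:  # modifier, e.g. redirect=... or exp=...
            name, _, _ = term.partition("=")
            if name.lower() == "redirect":
                lookups += 1
            elif name.lower() != "exp":
                problems.append(f"unknown modifier {name!r}")
            continue
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        name = body.split(":", 1)[0].split("/", 1)[0].lower()
        if name not in SPF_MECHANISMS:
            problems.append(f"unknown mechanism {name!r}: permerror")
            continue
        if name in SPF_LOOKUP_MECHANISMS:
            lookups += 1
        if name == "all":
            saw_all = True
            if qualifier == "+":
                problems.append("'+all' authorises every sender; valid but useless")
    if not saw_all and not any(t.lower().startswith("redirect=") for t in terms):
        problems.append("no 'all' or redirect=: unlisted senders get neutral, not fail")
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10: permerror")
    return problems


def check_dmarc(record):
    """Return a list of problems for the TXT record published at _dmarc.<domain>."""
    problems = []
    tags = []
    for chunk in record.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, sep, value = chunk.partition("=")
        if not sep:
            problems.append(f"malformed tag {chunk!r}")
            continue
        tags.append((name.strip(), value.strip()))
    # RFC 7489 s6.3: 'v=DMARC1' must be the first tag and match exactly.
    if not tags or tags[0] != ("v", "DMARC1"):
        problems.append("record must begin with exactly 'v=DMARC1'; receivers ignore it otherwise")
    values = dict(tags)
    policy = values.get("p", "").lower()
    if policy not in DMARC_POLICIES:
        # RFC 7489 s6.6.3: without a valid p=, receivers fall back to p=none
        # only if rua= is present; otherwise they apply no DMARC at all.
        hint = "treated as p=none because rua= is present" if "rua" in values else "no DMARC processing at all"
        problems.append(f"missing or invalid p= tag ({policy!r}): {hint}")
    if "sp" in values and values["sp"].lower() not in DMARC_POLICIES:
        problems.append(f"invalid sp={values['sp']!r}")
    if "pct" in values and not (values["pct"].isdigit() and 0 <= int(values["pct"]) <= 100):
        problems.append(f"pct={values['pct']!r} must be an integer from 0 to 100")
    for tag in ("rua", "ruf"):
        for uri in values.get(tag, "").split(","):
            uri = uri.strip()
            if uri and not uri.lower().startswith("mailto:"):
                problems.append(f"{tag} URI {uri!r} is not a mailto: address")
    for tag in ("adkim", "aspf"):
        if tag in values and values[tag].lower() not in {"r", "s"}:
            problems.append(f"{tag}={values[tag]!r} must be 'r' or 's'")
    return problems


# Constructed sample records (hypothetical domains), each illustrating one failure mode.
SAMPLES = {
    "spf_ok": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
    "spf_duplicate": ["v=spf1 ip4:192.0.2.0/24 -all", "v=spf1 include:_spf.example.net ~all"],
    "spf_typo": ["v=spf1 ip4:192.0.2.0/24 includes:_spf.example.net -all"],
    "spf_too_many_lookups": ["v=spf1 " + " ".join(f"include:spf{i}.example.net" for i in range(11)) + " -all"],
    "dmarc_ok": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100",
    "dmarc_lowercase_version": "v=dmarc1; p=none",
    "dmarc_missing_policy": "v=DMARC1; rua=mailto:dmarc@example.com",
    "dmarc_bad_pct": "v=DMARC1; p=quarantine; pct=150",
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        found = check_spf(rec) if label.startswith("spf") else check_dmarc(rec)
        print(f"{label}: {found or 'OK'}")
```

The checks are deliberately pessimistic about what a receiver will do with a broken record: a duplicate SPF record or an eleventh lookup is not a warning but a permerror, which in practice means the domain is unauthenticated, and a DMARC record with `v=dmarc1` or no `p=` tag is discarded outright. That is the gap between “we published a record” and “we are protected” that the audit’s deeper look surfaced.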

So what can we glean from all this? Security and privacy are not resolved with a one-time action. It takes vigilance to keep pace with the implementation of new technologies, protect against new attacks, and address new privacy issues (think GDPR). That is why the audit includes a checklist of best practices and resources in the Appendix, as well as sample privacy language to address many of the evolving criteria.

The goal is to help all sites achieve “Honor Roll” status, whether they’re part of the OTA Audit or not. By applying these best practices, we can collectively deliver a safer, more trustworthy Internet to our customers, clients and citizens. As we look to 2018, we intend to extend the Audit with additional criteria and examine additional industry segments. Please share your thoughts and recommendations.

Read more about OTA and the Internet Society.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
