Donate
2017 Online Trust Audit Released – What Did We Learn? Thumbnail
‹ Back
Security 20 June 2017

2017 Online Trust Audit Released – What Did We Learn?

By Jeff Wilbur Director, Online Trust Alliance

Today the OTA released the 9th annual Online Trust Audit and Honor Roll. This year’s Audit is our most comprehensive ever, assessing more than 1000 consumer-facing sites for their adoption of best practices in consumer/brand protection, site security and responsible privacy practices. Each year the audit raises the bar, using criteria that reflect the latest regulatory environment, attack vectors and commonly accepted practices providing users with notice and control regarding their data. The goal is to provide practical advice to organizations to help them move beyond compliance to stewardship, thus protecting their customers and their brand while improving trust in the Internet itself. The audit also recognizes excellence in adherence to these practices by naming organizations to the Honor Roll, and this year to the “Top of Class” (top 50 scoring sites).

The results of the 2017 Audit were a mix of the expected and unexpected. Some pleasant surprises:

  • Despite raising the bar in the criteria and scoring, a record 52% of sites assessed made the Honor Roll, led by the Consumer services sector with 76% Honor Roll achievement.
  • The News/Media sector dramatically improved their Privacy scores (rising an average of 20%), and thus cut their Privacy failure rate to only 19%, less than one quarter of last year’s 58%. This helped lead them to an Honor Roll achievement of 48%, their highest ever, and a meteoric rise from 4% three years ago.
  • Adoption of some fundamental technology practices all doubled since last year – as a response to both security and privacy concerns, use of full-time encryption on sites (also known as “https everywhere”) passed the tipping point, reaching 52%. Use of IPv6 grew to 14%, setting the stage for future growth and IoT, and use of DNSSEC grew to 12% thanks to banks and continued heavy use by government sites.
  • Use of DKIM (an email authentication standard) at the top-level (corporate) domain grew substantially, from 44% to 56%. This is the second straight year of 12% absolute growth.
  • The audit assessed “cross device tracking” disclosure for the first time this year (where a site correlates your use of multiple devices to access their site), and found that 44% are disclosing this practice, most commonly for consumer services, retailers and news sites. Such disclosure is good news, though it needs to be backed up by restricted data sharing and use by third parties to truly benefit consumers.

However, there were also some unexpected, unpleasant results:

  • 65% of the Top 100 banks had a failure in one or more categories, dropping banks’ Honor Roll achievement in half – from 54% last year to 27% this year. This is less about doing worse, and more about not keeping pace. Many of them use a standardized privacy policy that’s “compliant”, but doesn’t cover the OTA practices aimed at stewardship. This caused a Privacy failure rate of 34% vs. 5% last year. Consumer Protection also dragged down banks’ achievement since more emphasis was placed on use of certain email authentication practices. Since many banks were on the edge of the failure bar in previous years, failure to keep pace caused failing scores.
  • To a lesser extent Federal government sites also dropped this year, with 60% of sites having one or more failures and only 39% reaching Honor Roll status. This can be almost entirely attributed to lack of thorough email authentication for these sites, leaving many of them open to be spoofed.
  • Through the inclusion of additional data providers and better telemetry, many of the criteria got a deeper look this year, resulting in significant negative shifts in results from previous years. Breach incidents more than doubled to nearly 12%, with some sectors (banks and consumer sites) at 24%. Sites with cross-site scripting (XSS) nearly doubled to 50%. Close examination of SPF and DMARC records revealed that 7-8% of them were actually invalid, likely giving site owners a false sense of security.

So what can we glean from all this? Security and privacy are not resolved with a one-time action. It takes vigilance to keep pace with implementation of new technologies, protect from new attacks, and address new privacy issues (think GDPR). That’s why the audit includes a handy checklist of best practices and resources in the Appendix as well as sample privacy language to address many of the evolving criteria.

The goal is to help all sites achieve “Honor Roll” status, whether they’re part of the OTA Audit or not. By applying these best practices, we can collectively deliver a safer, more trustworthy Internet to our customers, clients and citizens. As we look to 2018, we intend to extend the Audit with additional criteria and examine additional industry segments. Please share your thoughts and recommendations.

Read more about OTA and the Internet Society.

‹ Back

Related articles

Reaching the next level for Online Trust
Reaching the next level for Online Trust
Internet of Things (IoT)4 April 2017

Reaching the next level for Online Trust

Online trust and the fundamental need to collaborate to address its challenges is an issue I care about deeply. Today...

NLnet Labs Releases Helpful DNSSEC Infrastructure Audit Framework
Deploy3604 February 2014

NLnet Labs Releases Helpful DNSSEC Infrastructure Audit Framework

How secure is your DNSSEC infrastructure? If you operate a registry for a top-level domain (TLD) or if you are...

New Study Reveals More Than 200 Mobile Sites/Apps are Exposing Sensitive Consumer Information
New Study Reveals More Than 200 Mobile Sites/Apps are Exposing Sensitive Consumer Information
Privacy21 December 2016

New Study Reveals More Than 200 Mobile Sites/Apps are Exposing Sensitive Consumer Information

The Wandera 2017 Mobile Leak Report, a global analysis of almost 4 billion requests across hundreds of thousands of corporate...

Join the conversation with Internet Society members around the world