Announcing the 2020 U.S. Presidential Campaign Audit Thumbnail
Building Trust 8 October 2019

Announcing the 2020 U.S. Presidential Campaign Audit

By Megan KruseFormer Director, Advocacy and Communications

Today, the Internet Society’s Online Trust Alliance released a new report, the “2020 U.S. Presidential Campaign Audit,” analyzing the 23 top current presidential campaigns and their commitment to email/domain protection, website security, and responsible privacy practices. OTA evaluated the campaigns using the same methodology we used to assess nearly 1,200 organizations in the main Online Trust Audit released in April.

An alarming 70% of the campaign websites reviewed in the audit failed to meet OTA’s privacy and security standards, potentially exposing visitors to unnecessary risks. Only seven (30%) of the analyzed campaigns made the Honor Roll, a designation recognizing campaigns that displayed a commitment to using best practices to safeguard visitor information. The 2020 campaigns, taken together as a sector, lagged behind the Honor Roll average of all other sectors (70%) in the 2018 Online Trust Audit, and were far short of the Honor Roll achievement of 91% by U.S. federal government organizations.

To qualify for the Honor Roll, campaigns must have an overall score of 80% or higher, with no failure in any of the three categories examined. The campaigns who made the Honor Roll are:

  • Pete Buttigieg
  • Kamala Harris
  • Amy Klobuchar
  • Beto O’Rourke
  • Bernie Sanders
  • Donald Trump
  • Marianne Williamson

Website security scores are high. This can be attributed to the relative “newness” of these campaign sites and the fact that they were built recently on secured platforms. The lack of email authentication for two of the campaigns is a surprise, since these are long-established best practices and modern infrastructure should support SPF, DKIM, and DMARC.

Privacy is a major problem for campaigns, causing failure for 70% of them. There were a variety of reasons for failure, including:

  • Lack of Privacy Statement – Four campaigns had no discoverable privacy statement. This yields a statement score of 0 and is an automatic failure. This may be an oversight, but is inexcusable since every campaign website is collecting data. Fortunately, it can be remedied quickly by adding a privacy statement.
  • Inadequate Statement – Many campaign privacy statements were silent on the issue of data sharing, retention, etc. so they did not give clear notice and transparency about their practices. Such disclosures are generally accepted best practice.
  • Freely Sharing Data – Several privacy statements said they could share data with “like-minded entities” or unidentified third parties, effectively putting no limits on the use of personal data.

We encourage all campaigns to remain vigilant regarding security, and to revisit their privacy statements. Disclosing that data may be shared with “like-minded” organizations may be a common practice for campaigns, but is still concerning in light of the depth of demographic and financial information being collected. Since even campaigns who made the Honor Roll had poor privacy scores, OTA calls on all campaigns to consider updating their statement and practices to better reflect consumer concerns pertaining to the collection, use, retention, and sharing of their personal information.

We reached out to each campaign the week of 30 September, prompting some campaigns to make updates, which we re-evaluated on 7 October. We are committed to helping campaigns improve their efforts to keep both people and information safe online by providing tailored best practice recommendations upon request. We will reassess active presidential campaigns in mid-November and provide a short supplement to this report, highlighting any improvements.

We encourage you to read the report, and to make sure your organization (of any kind) is following the best practices outlined in Appendix C – Best Practices Checklist.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Building Trust 21 February 2020

NDSS 2020: The Best in Security Research – For the Good of the Internet

On 23 February, the 27th consecutive Network and Distributed System Security Symposium (NDSS) kicks off in San Diego, CA....

Building Trust 11 February 2020

Every Day Should Be Safer Internet Day

Safer Internet Day is an opportunity for people and organizations around the world to join forces in a series...

Building Trust 28 January 2020

This Data Privacy Day It’s the Little Things That Count

Today we’re celebrating Data Privacy Day, which is all about empowering people and organizations to respect privacy, safeguard data,...