In April 2019 the Internet Society’s Online Trust Alliance (OTA) released its 10th Annual Online Trust Audit & Honor Roll. The Audit looks at the security and privacy practices of over 1,000 of the top sites on the Internet, from retailers to governments. In this post we will take a deeper dive into the ISP/Hosts sector of the Audit. This sector comprises the top ISPs and other hosting organizations in the U.S., covering everything from organizations that provide network access to organizations that host email services.
In the Audit, privacy statements are scored across 30 variables. ISP/Hosts were a decidedly mixed bag compared to other sectors, which tended to do either relatively well or relatively poorly across the board in their statements. (Though to be clear, the vast majority of organizations in the Audit had poor privacy statements; this was the most common reason for failure across privacy and security scoring.)
ISP/Hosts fell somewhat short in the presentation of their statements. OTA advocates several best practices that deal with how the privacy statement is displayed to make it as easy as possible for users to understand.
The simplest practice OTA advocates is a link to the privacy statement on the homepage so users can easily find it. Here ISP/Hosts did not fare well, with just 75% having links on their homepage – the lowest of any sector – compared to 89% of sites overall.
Another simple practice is putting a date stamp at the top indicating when the privacy statement was last updated. Here 43% of ISP/Hosts had a date stamp at the top, compared to 47% overall. That gap is larger than it looks, however: ISP/Hosts were the lowest of any sector on this variable, and their scores pulled the overall average down significantly.
Finally, OTA advocates for the use of “layered” statements. The bar for getting points for a “layered” statement is low. It can be met with something as simple as a table of contents, or with something more complex such as an interactive statement or a summary outlining the longer privacy statement.
Just 25% of ISP/Hosts had a layered privacy statement, the lowest of any sector, compared to almost half (47%) of organizations overall. ISP/Hosts may have lagged behind in how they display their privacy statements, but they did much better in the content of the statement.
Specifically, ISP/Hosts stood out in data sharing and retention language. Fully 82% of ISP/Hosts had language explicitly saying they did not share user data (except to complete a service for a customer), compared to 67% overall. In addition, 5% had data retention language, meaning they explicitly said how long user data is retained and for what purpose. While 5% may seem small, only 2% of organizations overall had this language at all, and ISP/Hosts were the second highest sector, just behind the top 100 Internet retailers at 6%.
ISP/Hosts were right in the middle on one data sharing variable, showing that there is room for improvement in this area. Roughly half of ISP/Hosts (55%) had language stating that they would hold their third-party vendors to the same standards they hold themselves, compared to 57% of organizations overall. OTA advocates this practice because any organization that uses vendors must hold those vendors accountable. If a vendor that has a written agreement with an organization abuses user data, that organization could be held liable for the vendor’s behavior.
ISP/Hosts privacy statements show that OTA standards are generally easy to meet. Small changes in these statements can go a long way to helping users understand the information being conveyed. These changes will also become increasingly important to keep up with the rapidly changing landscape of privacy laws and regulations around the world.
How would your organization do in the Audit? Read the report to see how you’d stack up, and use it to improve your site’s security and privacy. Then view the infographic or watch the recap video to learn more!