Based on the results of the latest Online Trust Audit & Honor Roll conducted by The Internet Society’s Online Trust Alliance (OTA), it finally appears as though companies are getting the message about improved security and privacy for their websites. The OTA found dramatic increases in overall website security across all sectors, as well as a modest improvement in privacy practices by many companies. In an era when data breaches are mainstream, and when consumers are starting to lose faith in the ability of major companies to respect their right to privacy, the OTA findings come as a welcome relief.
Key findings from the Online Trust Alliance report
In this 10th annual audit from the Online Trust Alliance, over 1200 consumer-facing websites were examined for their adherence to best-in-class security and privacy principles. Those that scored the highest were added to the Honor Roll, which is a list of companies that place a premium on security and privacy. This year, 70% of websites qualified for the Honor Roll, up from just 52% in 2018.
The OTA’s Online Trust Audit scored consumer-facing U.S. government websites highest in security and privacy. In fact, 91% of federal government websites qualified for the Honor Roll in 2018, up from just 39% a year ago. Coming in second place was the Consumer Services sector (which is a broad catch-all category for everything from social media to online dating), with 85% of websites examined qualifying for the Honor Roll. Rounding out the Top 5 were News & Media, FDIC 100 Banks, and Internet Retailers. The Healthcare sector came in last place this year.
Thus, as surprising as it might sound, the U.S. federal government is actually leading the charge when it comes to privacy and security. Generally speaking, U.S. federal agencies are doing a better job of protecting your data than Internet retailers or your local hospital. OTA Technical Director Jeff Wilbur commented on the improved showing by the government sector: “Both the government sector and bank sector did have large turnarounds this year. For the government sector, the improvement was directly tied to better email authentication – the failure rate in that area dropped from 55% to 6%, and that corresponds directly to the level of Honor Roll improvement.” As Wilbur points out, “Much of that improvement was driven by Directive 18-01 issued in October 2017 by the Department of Homeland Security, and which mandated adoption of email security technologies.”
Methodology for the Online Trust Alliance report
In order to come up with these findings, the Online Trust Alliance assigned scores based on three primary factors: consumer protection, site security and responsible privacy practices. To make the Honor Roll, a company needed to score 80% or higher overall and have no disqualifying failures in any of these three key areas. Data was collected and examined during the period from December 2018 to January 2019.
This year’s report added several new categories – such as payment services, video streaming, sports and healthcare. Taken together, the audit of 1200+ consumer-facing websites offers a thorough cross-section of what’s currently out there on the Internet.
Privacy trends from the Online Trust Alliance report
While security scores were dramatically on the rise, led primarily by improvement in email authentication and session encryption practices, the same cannot be said for privacy scores. In fact, due to more stringent scoring rules, the average privacy score actually dropped from 73 in 2017 to 70 in 2018. And, when it came to a specific score handed out for privacy statements, the scores fell from 31 in 2017 to 27 in 2018. So it’s clear that this is one area where more work still needs to be done.
The Online Trust Audit report also looked at the date stamps on the privacy statements, in order to determine how often – or if – they had been updated recently. What the Online Trust Audit report found was that nearly one-half (47%) had a date stamp newer than January 1, 2018. Here is one area where the Consumer Services sector (ranked No. 2 overall) really stood out: 71% had a date stamp for the privacy statement newer than January 1, 2018.
In coming up with an overall privacy score, the Online Trust Alliance gave out “bonus points” to companies whose privacy statements adhered to new GDPR-related principles. For example, one key tenet of the GDPR is that privacy statement language should be consumer facing and relatively easy to read (i.e. you shouldn’t have to be a lawyer to figure out what a privacy statement actually says or means). According to the Online Trust Alliance, only 32% of privacy statements were deemed “easy to read.” The Online Trust Alliance also gave out bonus points to companies that provided multilingual support for their privacy statements.
Overall, says the Online Trust Alliance, there were “modest” increases in the transparency and readability of published privacy statements. While many companies were taking care of the basic items – such as providing an easily discoverable link to the privacy statement on the home page, or clearly labeling the revision date at the top of the page – they still were not making their privacy statements truly consumer-friendly.
The potential gap between theory and practice for privacy
Of course, one big caveat about the OTA’s Online Trust Audit report is that it only attempted to assess what the privacy statements actually said, not the organizations’ actual practices. This is a point that the Online Trust Alliance clearly notes within the report. So, while a company like Facebook might have a privacy statement that, on the surface, appears to conform to all GDPR principles, is that really the reality for web users?
OTA Technical Director Jeff Wilbur explains that, while 70% of organizations earned Honor Roll status, there is still much work to be done: “It is true that 2018 was not a good year for privacy and data protection. Overall, nearly 15% of the organizations assessed had a breach of some size, up from 12% in the last Audit. In addition, privacy scores were lower overall this year. The reason so many more organizations made the Honor Roll this time was mainly due to improvements in email authentication and site security, which more than compensated for the increase in breaches and lower privacy scores. One of our main concerns coming out of this Audit is that even with the increased scrutiny on privacy, the practices reflected in the privacy statements have not improved. We expect this to be a key focus area for the next Audit.”
Going forward, then, companies still have a bit of work to do in getting their privacy statements up to standard and ensuring that their day-to-day practices follow these statements. The good news, though, is that companies finally seem to be getting the message. After years of data breaches and privacy scandals, they are realizing that consumers might turn away from them entirely if they do not pay attention to privacy and security issues.