According to a new report (“2020 U.S. Presidential Campaign Audit”) from The Internet Society’s Online Trust Alliance (OTA), a staggering 70% of the 23 U.S. presidential candidates are failing at consumer privacy. For several years, these presidential candidates have heard about privacy violations, data breaches and assorted consumer privacy issues in both the private and public sector. Yet, a clear majority of them don’t seem to have learned any consumer privacy lessons. When the OTA did a routine audit of their online privacy and security protections, only 7 presidential candidates – Pete Buttigieg, Kamala Harris, Amy Klobuchar, Beto O’Rourke, Bernie Sanders, Donald Trump and Marianne Williamson – made the Honor Roll.
Details of the OTA audit of the presidential candidates
In compiling this audit of the 23 U.S. presidential candidates, the Online Trust Alliance used the same methodology that it used to create its April 2019 Honor Roll of top companies in the private sector with best-in-class security and privacy practices. The OTA focused on three main areas – consumer privacy, website security and consumer protection – in order to come up with an overall score for the different presidential campaigns. In order to make the Honor Roll, a presidential campaign needed to score 80% or higher overall, with no failures in any of the three areas assessed. In other words, a failure in a single area – such as consumer privacy – would be enough to disqualify a presidential campaign from the Honor Roll.
It is only when you compare the success/failure rate of the different 2020 presidential campaigns with companies in the private sector that you can begin to grasp just how far from the mark many of the U.S. presidential candidates are. For example, while only 30% of the U.S. presidential candidates made the Honor Roll, 61% of retailers, 73% of banks and 78% of news organizations made the Honor Roll in April 2019. Even the healthcare sector, which the OTA identified as the weakest overall sector in terms of privacy and security, still saw more than half (57%) of its companies make the Honor Roll.
Consumer privacy weaknesses
According to the OTA, the primary reason why so many U.S. presidential campaigns turned in such dubious performances in the audit was deficiencies related to consumer privacy. When it came to their privacy statements, for example, five of the U.S. presidential candidates failed to include any privacy statement whatsoever, automatically giving them a failing grade.
And many more of the top presidential candidates had glaring weaknesses within their consumer privacy statements. For example, many of the candidates had inadequate consumer privacy policies in terms of data sharing and data retention. In some cases, in fact, candidates seemed to embrace the free sharing data with just about any “like-minded entity,” which presumably, might include political consultants, pollsters or political action committees (PACs).
Website security and consumer protections
The good news, if you can call it that, is that the U.S. presidential candidates scored much higher in terms of website security and other consumer protections. For example, many of the recommended best practices – such as using encrypted servers for web sessions – are now being used by the candidates. And, nearly all of the candidates scored highly in terms of protecting email communication via authentication or encryption.
However, the OTA is somewhat dismissive of these efforts, suggesting that most of the campaigns are still very new (less than two years old), and simply deployed current solutions available in the marketplace, where basic protections are now built-in. In other words, it’s not like any of the presidential candidates are going the extra mile to really make their websites and online communication platforms ironclad safe.
Recommendations for boosting consumer privacy protections
Interestingly, the Online Trust Alliance conducted the same type of audit back in 2015, when it looked at the top 2016 U.S. presidential candidates. In 2016, an even higher percentage of candidates (74%) failed the audit. However, that was in an era before the Facebook/Cambridge Analytica scandal, or before data breaches and massive consumer privacy violations began to make front-page news. Four years ago, it might have been possible to excuse any failures or weaknesses, but not any longer.
As Jeff Wilbur, Technical Director of the OTA, points out, “The number of campaigns that failed to pass the 2020 presidential campaign audit is alarming given the increased attention to privacy and security issues over the last four years.”
To help U.S. presidential candidates beef up their privacy and security protections, the OTA has included an entire appendix (“Appendix A”) of best practices. When it comes to the privacy statement, for example, the OTA divides its recommendations for best practices into three different sub-categories. There are six recommendations, for example, for “basic notice and disclosure.” At a very minimum, says the OTA, campaigns should make their privacy notices easily discoverable, preferably by including a link to them on the front page of their campaign website. There are also three recommendations for better privacy compliance policies, and five more recommendations for stronger privacy protections.
Consumer privacy lessons for 2020
If there’s one big takeaway lesson from the OTA report, it’s that political campaigns need to do a lot better job buttoning up their approach to third-party data sharing. The OTA says that there is “significant room for improvement” when it comes to telling website visitors what personal data is being collected, for what purpose, who it will be shared with and why, and how long it will be retained. When a website visitor comes to a 2020 campaign website, for example, this visitor should have a reasonable expectation that he or she won’t be tracked all over the web, and that information about his or her browsing activity won’t be shared with a bunch of shadowy political operators.
If these basic consumer privacy protections are not put into place, we could see Cambridge Analytica Part 2, in which shadowy campaign operatives collect as much data as they can about individuals in order to track them, monitor their behavior and preferences, and then show them targeted ads for a specific candidate. And that scenario would once again have us questioning the very foundations of American democracy and the modern political system.