Presidential campaign websites fail at privacy, new study shows

Presidential campaign websites get a failing grade for privacy, according to a new study by the non-partisan Online Trust Alliance, an initiative of the Internet Society. The study analyzed the websites of 23 presidential campaigns, 19 Democrat and four Republican, for correct Transport Layer Security (TLS) deployment, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) for campaign email, domain locking, as well as privacy policies and data sharing practices.

“Overall, we found that campaigns have strong website security, reasonable email and domain protections, and poor privacy scores,” the report concludes. “Privacy statements are the biggest concern, causing failure for 70% of the campaigns.”

[Figure: Online Trust Audit, overall privacy failing grades by sector. Source: Online Trust Alliance]

Not all is doom and gloom, however. A few bright spots stand out in the Internet Society report. Here’s the rundown on the good, the bad and the ugly.

Web security

Test all candidate campaign websites through SSL Labs and you’ll find strong, modern ciphers and solid TLS configuration. “Using public assessment tools from Qualys SSL Labs and ImmuniWeb, all sites earned an ‘A’ or ‘A+’ in this area,” the report says, and all had trusted certificates as well as certificate transparency. As a nice bonus, 58% of campaign websites support TLS 1.3, significantly higher than any other sector.

With two exceptions, all campaigns have enabled domain locking to prevent unauthorized transfer of domain ownership. (That’s probably two too many, to be honest.) One fun detail the report uncovered is that 74% of campaign sites are available over IPv6, compared to 12% in other sectors.

Email security

Given that phishing and poor email security played a key role in the 2016 presidential campaign, one would hope that campaigns would take the issue more seriously this time around. Some do, but not all.

Use of SPF and DKIM to prevent email spoofing was a bright spot. Eighty-seven percent of campaign domains have deployed both SPF and DKIM, although two campaigns had no email authentication at all.

Sixty-one percent of campaigns had a Domain-based Message Authentication, Reporting and Conformance (DMARC) record, and 30% use DMARC enforcement, which quarantines or rejects messages that fail authentication. A DMARC policy “allows a sender to indicate that their messages are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as junk or reject the message,” the DMARC FAQ explains.
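The gap between “has a DMARC record” and “DMARC enforcement” comes down to the record’s `p=` tag (and its `pct=` modifier), and the SPF story likewise hinges on the qualifier in front of the terminating `all`. The script below is an added illustration, not code from the article or the Online Trust Alliance audit: it classifies SPF and DMARC TXT records into those buckets and reports the two percentages the audit quotes. All domain names and records are constructed samples; a live check would fetch the TXT records at `_dmarc.<domain>` and `<domain>` instead of reading the dictionary.

```python
"""Added example: bucket SPF and DMARC records the way the audit reports them.

Constructed sample data only; the domains below are not real campaign domains.
"""
from collections import Counter

# domain -> (SPF TXT record, _dmarc TXT record); None means nothing is published.
SAMPLE_DOMAINS = {
    "campaign-a.example": ("v=spf1 include:_spf.mailer.example -all",
                           "v=DMARC1; p=reject; rua=mailto:dmarc@campaign-a.example"),
    "campaign-b.example": ("v=spf1 ip4:192.0.2.0/24 ~all",
                           "v=DMARC1; p=quarantine; pct=100; sp=none"),
    "campaign-c.example": ("v=spf1 include:_spf.mailer.example ~all",
                           "v=DMARC1; p=none; rua=mailto:reports@campaign-c.example"),
    "campaign-d.example": (None, None),  # no email authentication at all
    # Both records exist but neither does anything: +all passes every sender,
    # pct=0 applies the reject policy to no messages.
    "campaign-e.example": ("v=spf1 +all", "v=DMARC1; p=reject; pct=0"),
}


def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict keyed by lowercase tag name."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def classify_dmarc(record):
    """Return 'missing', 'invalid', 'monitor', 'partial' or 'enforcing'."""
    if record is None:
        return "missing"
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid"  # v=DMARC1 and p= are mandatory (RFC 7489)
    policy = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    if policy == "none":
        return "monitor"  # a record exists and reports flow, but nothing is blocked
    if policy in ("quarantine", "reject"):
        if pct <= 0:
            return "monitor"  # pct=0: the policy is applied to no messages
        return "enforcing" if pct >= 100 else "partial"
    return "invalid"


def classify_spf(record):
    """Return 'missing', 'invalid', 'no-all', or the effect of the terminating 'all'."""
    if record is None:
        return "missing"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "invalid"
    qualifiers = {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "pass-all"}
    for term in terms[1:]:
        if term.lower().lstrip("+-~?") == "all":
            qualifier = term[0] if term[0] in qualifiers else "+"  # bare 'all' means '+all'
            return qualifiers[qualifier]
    return "no-all"  # unmatched senders get an implicit neutral result


def summarize(domains):
    """Count outcomes and compute the 'has DMARC' and 'DMARC enforcement' shares."""
    spf = Counter(classify_spf(s) for s, _ in domains.values())
    dmarc = Counter(classify_dmarc(d) for _, d in domains.values())
    total = len(domains)
    with_record = total - dmarc["missing"] - dmarc["invalid"]
    return {
        "total": total,
        "spf": dict(spf),
        "dmarc": dict(dmarc),
        "dmarc_record_pct": round(100 * with_record / total),
        "dmarc_enforcing_pct": round(100 * dmarc["enforcing"] / total),
    }


if __name__ == "__main__":
    for domain, (spf_rec, dmarc_rec) in SAMPLE_DOMAINS.items():
        print(f"{domain:22} SPF={classify_spf(spf_rec):9} DMARC={classify_dmarc(dmarc_rec)}")
    print(summarize(SAMPLE_DOMAINS))
```

On the constructed set, four of five domains publish a DMARC record (80%) but only two enforce (40%), which is the same shape as the audit’s 61% versus 30%. The `campaign-e.example` case is why the two numbers differ: a record that looks strong on paper can be neutralized by `pct=0`, and an SPF record ending in `+all` authorizes every sender.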