Categories: Encryption, Strengthening the Internet

Now Is Not the Time to Put Everyone’s Security on the Line

This opinion piece was originally published in SC Magazine.

With social distancing the norm, we’re spending more time on the Internet doing more important things than ever – eg, working, learning, banking, trading, shopping, seeing the doctor and having family time – as well as streaming, gaming and interacting with our connected speakers.

Shouldn’t we be certain, especially now, that no one is eavesdropping, stealing or modifying our data?

Encryption is the primary means of accomplishing that goal. Using encryption, data is scrambled so that only the intended people can see the data. It’s right there under the covers most of the time when you’re on Wi-Fi, Bluetooth, 4G and browsing most websites.

Unfortunately, most online services today still do encryption in a piecemeal manner. Sections along the path are encrypted, but typically there are points along the way where the data is unencrypted and processed in some way before being re-encrypted and sent along.

The good news is that many messaging services – eg, WhatsApp, Telegram and Signal – offer end-to-end encryption, where only the sender and intended recipient can “see” the message. Everyone else along the path – even the company providing the service – can’t see inside. The more this happens, the better our data is protected.

But, consumers’ data protection is nonetheless being threatened, mostly by governments who want access to the data for law enforcement or intelligence purposes, but also by businesses that want to monetise their data. The request goes something like this: “We strongly believe in encryption to safeguard everyone’s data. Hey, we even rely on it in the government. And we don’t want any backdoors that would let criminals break in. We just need to see the data of specific individuals using your service. And we’ll only ask for it when there’s a serious crime involved and we have a warrant.”

Creating a dangerous master password

At first glance, this seems like a reasonable request. It’s only the data of one individual, there’s a good reason to want it, and the request comes with proper authority. And who doesn’t want to stop horrific crimes or to catch their perpetrators? But, this is what goes unsaid – the mechanism to provide access for any one individual’s data on that service puts everyone on that service at risk. It’s like creating a master password for the entire system. Sure, that password will be long and complex and nearly impossible to guess and only a few people will have access to it, and it will only be used in the most extreme circumstances.

But do you want this master password to exist? People at the company could abuse it, and governments could also abuse it; but even if you trust their intentions, look at their data security track record over the last few years – tens of thousands of data breaches involving billions of records (and by the way, why weren’t those databases better encrypted, which would have protected individuals’ personal data from being exposed?). Or even more importantly, do you trust that bad guys across the globe won’t figure out or find or steal that master password? If they do, all bets are off for everyone on the service. If users can’t trust that their communications are adequately protected, they will limit their use of the Internet.

Debates on this topic are happening across the globe.

Most arguments for this so-called “exceptional access” revolve around child exploitation and terrorism or other serious crimes. For instance, in the US the EARN IT Act, which was introduced to the US Congress in March, doesn’t even mention encryption – it just implies that companies providing the services we all count on need to provide access to the pertinent data in an unencrypted form or face fines and prosecution. Yet, these are the same services that protect vulnerable communities like domestic abuse victims, journalists, and activists right alongside our families, military and law enforcement.

What you can do

Curbing criminal activity is an important task, but we can’t do so by weakening the security of virtually everyone online. Make sure your MP protects your right to strong encryption. Be aware of the variety of dangerous approaches governments are taking to get access to the data they want. They range from scanning unencrypted data at the sending or receiving end, forcing decryption somewhere along the path, to even tapping into the flow as a silent third party. All of these approaches represent mechanisms that jeopardise security by breaking the concept of end-to-end protection.

Let’s all join together to protect encryption. Let’s fight for our right to keep our communications secure. While governments may insist that they are sacrificing one person’s security for the greater good, in reality they are forcing the sacrifice of security for us all.

Take these six actions to protect encryption and protect yourself.

Categories: Encryption, Strengthening the Internet

A Backdoor Is a Backdoor Is a Backdoor

Beware of false promises and threats to encryption security online.

It’s easy to understand why United States Federal Bureau of Investigation (FBI) Director Christopher Wray would ask companies to provide a means for law enforcement to access private data and communications.

“We’re all for strong encryption and… we are not advocating for ‘backdoors,’” he said at a recent cyber security conference. “We’ve been asking for providers to make sure that they, themselves, maintain some kind of access to the encrypted data we need, so that they can still provide it in response to a court order.”

We all want to thwart criminals from using the Internet for harm. But here’s the catch: despite Wray’s claims, there is no way to comply with his request without breaking the security we all rely on to keep people, communications, and data safe online.

No matter what you call it, a backdoor is a backdoor. Any method that gives a third-party access to encrypted data creates a major vulnerability that weakens the security of law-abiding citizens and the Internet at large.

Encryption is essential to security online.

Consider how it contributes to the global effort to contain the COVID-19 pandemic. Encryption protects the electricity grids and secures the IT infrastructure of our hospitals. It protects the financial transactions of those forced to do online banking and shopping in self-isolation. It also enables billions of people around the world to work safely from home.

For some people, encryption is always especially critical to personal safety. This includes members of the LGBTQ+ community and active military personnel. End-to-end encryption can help protect them from bodily harm or even death.

Don’t be fooled by false promises. We must be wary when people point to ‘new’ ways to access confidential information online.[1] Threats to encryption – our most effective way to secure private data and communications online – go by many names.

To help you get your facts straight, we’ve developed some fact sheets explaining commonly-used weasel terms for proposed techniques to access private data and communications that threaten our safety online:

We explain what they are, how they threaten encryption, and the potential unintended consequences for digital security and the global Internet.

It’s important to remember that strong encryption is a critical part of keeping people and data safe online, and making sure the Internet can continue to evolve as a force for good.

Part of championing a strong Internet is about understanding its greatest threats and challenges; the other is acting to defend it. Join the global movement working to promote #strongencryption as our strongest digital tool to keep people and information safe online.



[1] https://arstechnica.com/information-technology/2018/04/why-ray-ozzies-plan-for-unlocking-encrypted-phones-wont-solve-the-crypto-wars/; https://www.lawfareblog.com/principles-more-informed-exceptional-access-debate

Categories: Building Trust, Privacy, Security

Online Trust Audit for 2020 Presidential Campaigns Update

On 7 October 2019, the Internet Society’s Online Trust Alliance (OTA) released the Online Trust Audit for 2020 U.S. Presidential Campaigns. Overall, 30% of the campaigns made the Honor Roll, and 70% had a failure, mainly related to scores for their privacy statements. As part of this process, OTA reached out to the campaigns, offering to explain their specific Audit scores and ways to improve them. The campaigns were also told that they would be rescored in mid-November and the updated results would be published in early December. As a result, several campaigns contacted us to understand the methodology and scoring, and several of them made improvements.

Rescoring of all elements of the Audit was completed on 25 November, and the table below shows the updated results since release of the original Audit. Several campaigns have been suspended since early October (Messam, O’Rourke, Ryan, and Sanford, as well as Bullock and Sestak in early December). Campaigns shown in bold in the Honor Roll column made enough improvements to earn passing scores for their privacy statements and thereby achieve Honor Roll status. Campaigns shown in italics at the bottom of the table are new entrants since the Audit was released. Based on this updated list of 20 campaigns, 10 made the Honor Roll while 10 had a failure in one or more areas, creating a 50/50 split.

Figure 1 – 2020 Presidential Campaign Audit Supplement Results

Privacy Practice Updates

Three campaigns updated their privacy statements, and all three made changes that caused them to pass in the privacy area (a score of 60 or more) and achieve Honor Roll status. However, these were minor changes (added a date stamp, addressed children’s use of the site, layered the statement to make it easier to navigate) – none addressed the core data sharing issues highlighted in the original Audit.

For the new entrants, one had no privacy statement (De La Fuente), one had a privacy statement with a score below 60 (Bloomberg), and one had a privacy statement with a passing score that directly addressed the data sharing issues (Patrick).

Site Security Updates

Minor changes were noted in the site security aspects of the Audit, and none were substantial enough to cause a change in Honor Roll status. Two campaigns now have outdated software (lowering their score), and one added support for TLS 1.3.

Site security scores for the new entrants were strong, which is in line with other campaigns, and all of them support “always on SSL” or fully encrypted web sessions.

Consumer Protection Updates

A few changes were noted in the existing campaigns – one added support for DNSSEC, and one added DMARC support with a reject policy (the recommended email security best practice). These improved the campaigns’ scores, but did not affect their Honor Roll status. The two campaigns that originally had failures due to email authentication have been suspended so are no longer on the list.

For the new entrants, one has insufficient email authentication (so fails in Consumer Protection as well as Privacy), and while the other two have strong SPF and DKIM protection, only one uses DMARC with a reject policy. One supports DNSSEC.

Conclusion

The engagement with several of the campaigns was constructive and led to improvements that helped them earn Honor Roll status. We find that for most organizations the issue is more about awareness of best practices and their impact on overall trust than a refusal to follow those best practices. However, the data sharing language in all but one of the privacy statements is concerning. For example, most of the campaigns had language that would allow them to share data with “like minded organizations.” Language along these lines gives the campaigns broad discretion to share user data. We encourage campaigns (and the political parties they work with) to consider improvements to sharing language to increase transparency about how data is shared and give users more control over their data.

Campaign Sites and Privacy Statements

You can find the list of the URLs for the rescored campaign sites and associated privacy statements in the Supplement to Online Trust Audit – 2020 Presidential Campaigns.

This supplement was finalized before Kamala Harris dropped out of the U.S. presidential race on 3 December 2019.

Categories: Building Trust, Privacy

How “Fresh” is That Privacy Statement?

One of the best practices we advocate and measure in our Online Trust Audit is that privacy statements should have a date stamp visible at the top of the page. This is an issue of transparency and lets readers know when the statement was last updated. Combined with another advocated best practice – access to prior versions of the privacy statement, which unfortunately is offered by only 3% of sites – readers get a sense of what changed between versions and when those changes happened.

For the first time this year, we captured the actual date stamps of more than 1,000 privacy statements across the audited sectors, and though we made some high level comments in the Audit, we thought it would be insightful to show another layer of detail. One of the reasons we captured specific dates was the fact that many privacy statements were updated in the months prior to (or shortly after) May 25, 2018, when the General Data Protection Regulation (GDPR) went into effect in the European Union.

The graph below shows the date stamps from most to least recent (ending with those that have no date stamp) across the audited sectors. The green bars represent privacy statements with date stamps since the beginning of 2018, the blue bars represent date stamps prior to 2018, and the gray bar shows those with no date stamp. Note that this data was collected in February 2019, so privacy statements could have been updated since then. Overall, nearly 70% of sites have a privacy statement date stamp – 46% at the top of the page, 22% at the bottom and 2% at both top and bottom.

There is significant variation in the “currency” of privacy statements. Consumer sites led with more than 70% of statements date stamped on or after January 1, 2018. By contrast, less than 20% of healthcare sites had similar date stamps. There is a parallel result in the percentage of sites with no date stamp on the privacy statement – consumer sites are the highest performing with only 10% lacking a date stamp, while more than 50% of healthcare privacy statements lack a date stamp, significantly lagging all other sectors.

It’s important to note that a recent date stamp does not equate to a better privacy statement, and we certainly do not advocate that privacy statements should be updated on a regular basis just to make them look more current. However, changing regulations around the world and in many US states (e.g., GDPR and the California Consumer Privacy Act, which goes into effect January 1, 2020) are forcing changes in most privacy statements, so older date stamps become increasingly conspicuous. Likewise, privacy statements with no date stamp leave the reader wondering whether recent changes in the privacy world have been incorporated into the statement. In either case, you can be certain that regulators are watching.

We urge organizations to take a disciplined approach to their privacy statements – regularly review them for necessary updates, update the date stamp when changes are made, and provide a means for readers to figure out what changed. This transparency keeps everyone – fellow employees, consumers, and regulators – in sync and helps all of us better navigate the rapidly changing world of privacy.

How would your organization do in the Online Trust Audit? Check out the Best Practice Checklist (Appendix E) and use it to improve your site’s security and privacy.

Categories: Building Trust, Internet of Things (IoT), Privacy, Security

Accessible, Clear, and Appropriate: An Open Letter to Amazon on Privacy Policies

With great power comes great responsibility.

Online marketplaces, such as Amazon, are becoming increasingly common. But can consumers count on these marketplaces to help safeguard their privacy? On Monday, coinciding with Amazon Prime Day, the Internet Society partnered with Mozilla and other organizations to publish An Open Letter to Amazon about Privacy.

We call for Amazon to require vendors of connected devices to have “a privacy policy that is easily accessible, written in language that is easily understood, and appropriate for the person using the device or service.”

This is one of the five minimum guidelines we called for in a joint statement with Mozilla and Consumers International during the 2018 holiday buying season: “Minimum Standards for Tackling IoT Security.” The other guidelines cover strong passwords, software upgradability, ability to manage reported vulnerabilities, and encryption of data. However, these five guidelines are just baseline recommendations. A full set of principles addressing security, privacy, and lifecycle issues is outlined in our IoT Trust Framework.

We urge everyone involved in the production and sales of connected products to step up and help protect their customers by ensuring that trust by design – making privacy and security the default – becomes a common practice. An Open Letter to Amazon about Privacy starts with the premise that it’s essential for vendors to have a public privacy policy. As security and privacy levels rise, so will consumer confidence. Which means we all benefit.

Categories: Building Trust, Internet of Things (IoT)

Nest Alert: Protection From Pwned* Passwords

A colleague just received an “Urgent Security Alert – Action Requested” email from Nest. At first glance it looked like either a phishing attempt or one of the way-too-often breach notifications we all receive these days. Instead, it was a real alert notifying him that the password he uses for his Nest account had been compromised in a data breach – not at Nest but somewhere else. Nest encouraged him to update to a unique password and enable two-step verification (additional authentication beyond a password, usually referred to as multi-factor authentication).

While it’s not clear exactly how Nest determined that the password was compromised, it could have come from security researcher Troy Hunt’s recently updated Pwned Passwords service (part of his “have i been pwned?” site). Via this service, you can enter a password to see if it matches more than half a billion passwords that have been compromised in data breaches. A hashed version of the full list of passwords can also be downloaded to do local or batch processing. (“Pwned” is video gamer talk for “utterly defeated,” as in “Last time we played, I pwned him.”)

Hunt created this service in response to the National Institute of Standards and Technology (NIST) Digital Identity Guidelines. Released in June 2017, these guidelines recommend that user passwords be compared against known breached passwords so that users can be encouraged to create unique passwords not already known to bad actors (see section 5.1.1, “Memorized Secrets”).
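The kind of check described above, as an added example that is neither Nest’s nor the Pwned Passwords service’s own code. It assumes the publicly documented download format of that list (one line per entry: upper-case hex SHA-1 of the password, a colon, then the number of times it was seen), and it goes slightly beyond the text by also showing the k-anonymity range lookup the service’s public API uses, where only the first five hex characters of the hash leave the client. The breached list and the counts below are a constructed sample, not real breach data.

```python
"""Compare candidate passwords against a breached-password list, as the
NIST Digital Identity Guidelines (section 5.1.1) recommend."""
import hashlib
from typing import Dict, Tuple

# Constructed sample of a breached-password list in "SHA1:count" line
# format. The hashes are computed here from a few test words so the
# sample stays self-consistent; the counts are made up.
_SAMPLE_WORDS = {"password": 1000, "123456": 2500, "qwerty": 300}
SAMPLE_BREACH_LIST = "\n".join(
    f"{hashlib.sha1(w.encode('utf-8')).hexdigest().upper()}:{n}"
    for w, n in _SAMPLE_WORDS.items()
)


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, matching the list's format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def load_breach_list(text: str) -> Dict[str, int]:
    """Parse 'HASH:COUNT' lines into a dict; blank or malformed lines are skipped."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        digest, sep, count = line.partition(":")
        if sep and len(digest) == 40 and count.strip().isdigit():
            counts[digest.upper()] = int(count)
    return counts


def breach_count(password: str, counts: Dict[str, int]) -> int:
    """How many times the password appeared in breaches (0 = not on the list).
    Only the hash is compared, so the list never needs plaintext passwords."""
    return counts.get(sha1_hex(password), 0)


def range_query(password: str) -> Tuple[str, str]:
    """Split the hash the way the k-anonymity range lookup does: the
    5-character prefix is what gets sent; the 35-character suffix stays local."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response: str) -> int:
    """Match the local suffix against a range response of 'SUFFIX:COUNT' lines,
    i.e. every breached hash that shares the queried 5-character prefix."""
    for line in response.splitlines():
        cand, sep, count = line.strip().partition(":")
        if sep and cand.upper() == suffix.upper() and count.strip().isdigit():
            return int(count)
    return 0


def is_acceptable(password: str, counts: Dict[str, int], min_length: int = 8) -> bool:
    """Policy check in the spirit of the guideline: enforce a length floor
    (8 assumed here) and reject anything already on the breached list."""
    return len(password) >= min_length and breach_count(password, counts) == 0


if __name__ == "__main__":
    table = load_breach_list(SAMPLE_BREACH_LIST)
    for candidate in ("password", "correct horse battery staple"):
        prefix, suffix = range_query(candidate)
        print(f"{candidate!r}: seen {breach_count(candidate, table)} times; "
              f"range prefix {prefix}, local suffix {suffix[:6]}...; "
              f"acceptable={is_acceptable(candidate, table)}")
```

A real deployment would stream the full downloaded list into a lookup structure (or call the range endpoint) rather than keep it in a dict, but the comparison itself is the same hash-and-lookup shown here.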

Nest does the right thing

The Internet Society commends this action by Nest for several reasons. Though Nest is known for its IoT products and its actions track several principles in the Online Trust Alliance initiative’s IoT Trust Framework, this situation highlights best practices that any organization providing online accounts should follow. Last week, Twitter made similar recommendations to its users, though for a different reason (they were concerned that internal un-hashed log files might have exposed users’ passwords).

Some key takeaways for companies offering Internet-based services:

  • Protect your customers. It appears Nest proactively compared their customers’ passwords to a list of known compromised passwords and sent an alert, even going so far as to suggest that the account might be disabled if the password is not changed. This helps stop the spread of illicit access related to compromised passwords while protecting Nest and its customers.
  • Protect the Internet. By limiting the impact of compromised passwords, this action also helps prevent traditional computers, and mobile and IoT devices from being used to spread malware or as part of a botnet to attack Internet sites or infrastructure.
  • Raise the bar. Not only did Nest demand that the password be changed, they also used this “teachable moment” to remind customers about the availability of two-factor authentication, which makes it even harder for bad actors to compromise an account.

And if you’re a user of Internet-based services, here are some recommended actions that the Nest situation surfaced:

  • Check your passwords. Visit the Pwned Passwords site and see if the passwords you use are “on the list.” If so, change them to strong, unique passwords. As always, be careful to make sure you’re on the right site since malicious actors are always trying to create lookalike sites to extract sensitive information.
  • Enable multi-factor authentication. This additional authentication beyond a password comes in a variety of forms but today is most often a code sent by text that must be entered for access to the relevant service. Many services today offer this option and it will help prevent bad guys from infiltrating your accounts even if they acquire your password.
  • Be wary. Phishing is still a real danger and not all alerts will be legitimate, so be careful when responding to them. Nest’s use of “nest-email.com” for the sending domain adds to the suspicion factor (something like “email.nest.com” would be better since many phishers use lookalike domains). Regardless of the domain used for email, a best practice is to visit the known site directly vs clicking a link in the message.

By following Nest’s lead – conducting proactive password hygiene and utilizing multi-factor authentication – we can all limit ongoing damage caused by passwords compromised in breaches.

Read the Online Trust Alliance (OTA) IoT Framework.

Categories: Building Trust, Internet of Things (IoT)

Space Invaders – Consumer Grade IoT in the Enterprise

I used to love the old Space Invaders arcade game – waves of enemy attackers came in faster and faster while you tried to defend your base. With experience you could learn their tactics and get pretty adept at stopping them. For today’s enterprise IT staff, consumer-grade IoT devices must certainly feel like those space invaders of old.

There’s good news and bad news about these new creatures in the enterprise. The good news is that they don’t start with mal-intent and can be profiled well enough to confine their activity. The bad news is that they’re coming in waves, often slipping under the radar, and the consequences can be much bigger than getting blasted and placing a few more quarters in the slot.

To help enterprise IT staff deal with this new wave we released “The Enterprise IoT Security Checklist: Best Practices for Securing Consumer-Grade IoT in the Enterprise” today. The Checklist includes ten actions, ordered roughly chronologically from purchase, through installation, to ongoing support, meant to raise awareness of the common vulnerabilities presented by these devices and how to address them.

Many of these devices show up without much fanfare – smart TVs in conference rooms, smart speakers in conference rooms or at employee’s desks, fitness trackers connected to smartphones that may then access the corporate network, and networked-printers with age-old software vulnerabilities.

The consequences of ignoring these new devices range from annoying to board-level critical. Intruders might be able to access these devices and pull off some mischief like changing channels or flipping things on and off. But they might also be able to monitor audio, video or data generated by these devices. In extreme cases, they may be able to use that access and surveillance to hop over to critical systems on the network, ultimately gaining access to important data – just ask the Las Vegas casino that lost 10 GB of information to a site in Finland via a hacked smart fish tank last year. Finally, these devices can be recruited to form an army to attack others on the network or the Internet a la the Mirai botnet attack.

The checklist walks through practical steps to minimize the attack surface created by these devices and the impact if they were to be compromised, but the high-level approach is to give them their own isolated network, lock down “open doors” such as default passwords, old software, open software ports, automatic connectivity and audio/video inputs, and enable encryption where possible. And the attention doesn’t stop at just the devices themselves – the controlling applications and backend services also need to be well understood to reduce risk.

Ideally, IT staff can set a policy that allows these devices to be reasonably incorporated into the enterprise without restricting use so much that it prompts “shadow IoT” efforts by employees. For more comprehensive guidelines on security, privacy and lifecycle best practices for consumer-grade IoT products, see OTA’s IoT Trust Framework.

Ultimately, it’s good news – with proper attention you can rein in the risks associated with these new invaders and keep your base of operation safe.

Explore The Enterprise IoT Security Checklist: Best Practices for Securing Consumer-Grade IoT in the Enterprise.

Categories: Building Trust

The Cyber Incident Tsunami – Time to Get Ready

In advance of Data Privacy & Protection Day, the Online Trust Alliance, an Internet Society initiative, just released the Cyber Incident & Breach Trends Report (press release here), a look back at the cyber incident trends in 2017 and what can be done to address them. This report marks the tenth year OTA has provided guidance in this area, and while the specifics have certainly changed over time, the core principles have not.

Originally we just looked at the number of reported breaches, but last year we broadened the definition to “cyber incidents,” which includes ransomware infections, business email compromise (BEC), distributed denial-of-service (DDoS) attacks and infiltrations caused by connected devices. This broader definition paints a more realistic picture of the threats and associated impact facing organizations today.

This year we found that the number of cyber incidents nearly doubled to 159,700 globally, and given that most incidents are not reported, this number could easily exceed 350,000. This is more than 30 times the number of breaches alone, so provides a very different perspective on the threat landscape. As in previous years we also assessed the “avoidability” of breaches by analyzing their cause and found that 93% were avoidable, consistent with our previous findings. While the rise in the number of incidents was primarily driven by a doubling in ransomware infections, there was growth in all facets, indicating that organizations must take a comprehensive view of their defenses.

So, what were the major trends seen in 2017 and what can be done about them? The report provides more context and detail, but here is a summary of the key findings:

  • Rise in Ransom-Based Attacks. This attack vector far outweighs the others, at least in terms of numbers. Ransom-based attacks can come in the form of ransomware entering the organization through malvertising and malicious email, but also via the threat of a DDoS attack if ransom is not paid. There are a variety of best practices to help block such attacks, but one new suggestion is to be prepared in case a ransom payment is deemed necessary by setting up a cryptocurrency wallet ahead of time.
  • Patching Pace is Critical. While the Equifax breach was probably the most public example of the impact of slow patching, lack of timely patching is the cause of many breaches and incidents. Recent news about vulnerabilities in some of the most foundational system elements – KRACK, BlueBorne, Spectre and Meltdown – makes timely patching more critical than ever. Organizations need to take a disciplined approach here, including provision for vulnerability reporting, and test and deploy patches as quickly as possible.
  • Closely Monitor Cloud Conversion. The transition to third-party, cloud-based services continues for organizations of all sizes, and while it has advantages in convenience and efficiency, it also introduces new risks since your data is now in someone else’s hands. This risk can be offset via thorough auditing of cloud providers, contractual commitments related to security processes and extra diligence regarding configuration (publicly accessible AWS S3 buckets, anyone?).
  • User-Enabled Attacks. With all the technology, it’s easy to forget that users are the most important gatekeepers to your systems and data. Equipping them to make good decisions and instilling a culture of security (whether via training or technology tools), providing an extra ring of defense (through mechanisms such as multi-factor authentication and limiting access levels appropriate to the role) and monitoring systems for anomalous behavior can go a long way toward securing your systems.
  • Increase in IoT Devices. There’s a lot of buzz in this area, and use of IoT devices is expected to triple in the next several years, but the “shadow” element of this trend – presence of consumer-grade connected devices such as smart TVs or even employees’ wearables – doesn’t get much attention. These devices need to be viewed as a threat vector, and as such, steps need to be taken to reduce their risk. This includes items such as research into the security capabilities of the IoT devices, policies regarding their use in the enterprise, and setting up compartmentalized networks to limit their access.
  • Regulatory Shifts. Led by the EU’s General Data Protection Regulation (GDPR), which goes into effect this May, there have been many recent and significant shifts in data privacy/protection and data breach regulation throughout the world. Even if you are not based in those countries, you are likely subject to these regulations if you have customers there, so a thorough understanding of these new regulations and their impact on your data collection and storage practices as well as on your breach readiness and notification plans is critical.

Though there are a number of key trends that bubbled to the surface in 2017, there are also a number of foundational principles organizations should follow to be good stewards of their data and minimize the impact of attacks or incidents. Broadly defined, these principles fall into two categories:

  1. Implement strong data stewardship (including security, privacy and risk reduction) through all phases of the data lifecycle, recognizing the global regulatory landscape and its impact on breach readiness (e.g., GDPR enforcement beginning in May 2018)
  2. Prepare strong, well-practiced incident response measures (including a well-designed plan, appropriate team, predetermined action steps, regular training and testing)

As OTA has advocated for many years, this is not a “once and done” proposition. By establishing a culture of stewardship (vs just compliance) and implementing policies that take a proactive approach to proper handling and safeguarding of data, organizations can minimize exposure to the cyber incident tsunami and actually thrive by building and maintaining trust with their customers.

Read the Cyber Incident & Breach Trends Report

Categories: Building Trust, Improving Technical Security

2017 Online Trust Audit Released – What Did We Learn?

Today the OTA released the 9th annual Online Trust Audit and Honor Roll. This year’s Audit is our most comprehensive ever, assessing more than 1000 consumer-facing sites for their adoption of best practices in consumer/brand protection, site security and responsible privacy practices. Each year the audit raises the bar, using criteria that reflect the latest regulatory environment, attack vectors and commonly accepted practices providing users with notice and control regarding their data. The goal is to provide practical advice to organizations to help them move beyond compliance to stewardship, thus protecting their customers and their brand while improving trust in the Internet itself. The audit also recognizes excellence in adherence to these practices by naming organizations to the Honor Roll, and this year to the “Top of Class” (top 50 scoring sites).

The results of the 2017 Audit were a mix of the expected and unexpected. Some pleasant surprises:

  • Despite raising the bar in the criteria and scoring, a record 52% of sites assessed made the Honor Roll, led by the Consumer services sector with 76% Honor Roll achievement.
  • The News/Media sector dramatically improved their Privacy scores (rising an average of 20%), and thus cut their Privacy failure rate to only 19%, less than one quarter of last year’s 58%. This helped lead them to an Honor Roll achievement of 48%, their highest ever, and a meteoric rise from 4% three years ago.
  • Adoption of several fundamental technology practices doubled since last year. In response to both security and privacy concerns, use of full-time encryption on sites (also known as “https everywhere”) passed the tipping point, reaching 52%. Use of IPv6 grew to 14%, setting the stage for future growth and IoT, and use of DNSSEC grew to 12%, thanks to banks and continued heavy use by government sites.
  • Use of DKIM (an email authentication standard) at the top-level (corporate) domain grew substantially, from 44% to 56%. This is the second straight year of 12% absolute growth.
  • The audit assessed “cross device tracking” disclosure for the first time this year (where a site correlates your use of multiple devices to access its site), and found that 44% are disclosing this practice, most commonly consumer services, retailers and news sites. Such disclosure is good news, though it needs to be backed up by restricted data sharing and use by third parties to truly benefit consumers.

However, there were also some unexpected, unpleasant results:

  • 65% of the Top 100 banks failed in one or more categories, cutting banks’ Honor Roll achievement in half – from 54% last year to 27% this year. This is less about doing worse and more about not keeping pace. Many of them use a standardized privacy policy that is “compliant” but does not cover the OTA practices aimed at stewardship, which raised their Privacy failure rate to 34% from 5% last year. Consumer Protection also dragged down banks’ achievement, since more emphasis was placed on use of certain email authentication practices. Because many banks were on the edge of the failure bar in previous years, failure to keep pace produced failing scores.
  • To a lesser extent, Federal government sites also dropped this year, with 60% of sites having one or more failures and only 39% reaching Honor Roll status. This can be almost entirely attributed to a lack of thorough email authentication for these sites, leaving many of them open to spoofing.
  • Through the inclusion of additional data providers and better telemetry, many of the criteria got a deeper look this year, resulting in significant negative shifts in results from previous years. Breach incidents more than doubled to nearly 12%, with some sectors (banks and consumer sites) at 24%. Sites with cross-site scripting (XSS) nearly doubled to 50%. Close examination of SPF and DMARC records revealed that 7-8% of them were actually invalid, likely giving site owners a false sense of security.
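The invalid SPF and DMARC records mentioned above are typically syntax mistakes that an offline check catches before they quietly disable enforcement. The validator below is an added example, not OTA’s audit tooling; it applies the basic record rules of RFC 7208 (SPF) and RFC 7489 (DMARC) to a TXT record string and returns the problems found, without performing any DNS queries.

```python
import ipaddress
import re

# Terms that cost a DNS query; RFC 7208 allows at most 10 per SPF evaluation.
SPF_LOOKUPS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_TERMS = SPF_LOOKUPS | {"all", "ip4", "ip6", "exp"}
DMARC_POLICIES = ("none", "quarantine", "reject")

def check_spf(record):
    """Return the syntax problems found in an SPF TXT record ([] = parses cleanly)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    problems, lookups, seen_all = [], 0, False
    for term in terms[1:]:
        if seen_all:  # RFC 7208: terms after 'all' are never evaluated
            problems.append(f"unreachable term after all: {term}")
            continue
        m = re.fullmatch(r"[+\-~?]?([a-z0-9]+)(?:[:=/](.*))?", term, re.I)
        name, arg = (m.group(1).lower(), m.group(2) or "") if m else ("", "")
        if name not in SPF_TERMS:
            problems.append(f"unknown term: {term}")
        elif name in ("ip4", "ip6"):
            try:
                ipaddress.ip_network(arg, strict=False)
            except ValueError:
                problems.append(f"bad address in {term}")
        lookups += name in SPF_LOOKUPS  # bool counts as 0 or 1
        seen_all = name == "all"
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    return problems

def check_dmarc(record):
    """Return the syntax problems found in a DMARC TXT record ([] = parses cleanly)."""
    pairs = []
    for chunk in filter(None, (c.strip() for c in record.split(";"))):
        if "=" not in chunk:
            return [f"malformed tag: {chunk}"]
        key, value = (s.strip() for s in chunk.split("=", 1))
        pairs.append((key.lower(), value))
    if not pairs or pairs[0] != ("v", "DMARC1"):  # version tag must come first, exact value
        return ["record must start with v=DMARC1"]
    tags, problems = dict(pairs), []
    if tags.get("p") not in DMARC_POLICIES:
        problems.append("p= is required and must be none, quarantine or reject")
    for key in ("rua", "ruf"):  # report URIs must be mailto:, or no reports arrive
        uris = tags[key].split(",") if key in tags else []
        if any(not u.strip().startswith("mailto:") for u in uris):
            problems.append(f"{key}= must list mailto: URIs")
    return problems
```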

So what can we glean from all this? Security and privacy are not resolved with a one-time action. It takes vigilance to keep pace with implementation of new technologies, protect from new attacks, and address new privacy issues (think GDPR). That’s why the audit includes a handy checklist of best practices and resources in the Appendix as well as sample privacy language to address many of the evolving criteria.

The goal is to help all sites achieve “Honor Roll” status, whether they’re part of the OTA Audit or not. By applying these best practices, we can collectively deliver a safer, more trustworthy Internet to our customers, clients and citizens. As we look to 2018, we intend to extend the Audit with additional criteria and examine additional industry segments. Please share your thoughts and recommendations.

Read more about OTA and the Internet Society.

Categories
Building Trust

Don’t Be a Tool – Verifying Subscriptions and Honoring Unsubscribes

Author: Jeff Wilbur

This summer the email marketing industry suffered a setback due to “list bomb” attacks in which thousands of targeted users were unknowingly subscribed to tens of thousands of mailings. In these attacks, ESP infrastructure and highly-reputed brands were used as a means to effectively create a “denial of service” against user inboxes, and email originating from many ESPs and brands was blocked by Spamhaus until the situation was better understood. Could this have been prevented?

Investigation into the list bomb attacks pointed to two key findings – the bulk of the subscriptions were automated, and few used “confirmed opt-in” (COI) to verify the subscriptions. This put users on the defensive, forcing them to unsubscribe from each bogus subscription to stop the inbox barrage.

As part of its recently released 3rd annual Email Marketing and Unsubscribe Audit report, OTA looked at the signup and verification practices of the top 200 online retailers. Only 3% of retailers used a CAPTCHA to prevent automated signups and only 6% used COI to confirm subscriptions. While use of such methods does increase signup friction, it also prevents bad actors from using the email marketing infrastructure as an attack tool. OTA encourages marketers to examine their use of CAPTCHA and COI to protect themselves and consumers from attack, and even to offer verbiage on signup pages explaining how these practices help protect all involved.
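The confirmed opt-in step discussed in the two paragraphs above is the control that keeps a forged signup from turning into a mailing. The class below is an added example, not OTA’s or any ESP’s code: it issues an HMAC-signed, time-limited confirmation token at signup, subscribes an address only when its owner presents a valid token, and caps the number of unanswered confirmation mails per address so the confirmation messages themselves cannot be used to flood an inbox. The signing key, the `SubscriptionList` class and its method names are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, unquote

SIGNING_KEY = secrets.token_bytes(32)  # constructed for the example; load from a secret store in practice
TOKEN_TTL = 24 * 3600                  # confirmation links stop working after a day
MAX_PENDING_PER_ADDRESS = 3            # cap on unanswered confirmation mails per address

class SubscriptionList:
    """Confirmed opt-in: an address receives campaigns only after its owner clicks a signed link."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested
        self.confirmed = set()
        self.pending = {}         # address -> confirmation mails sent so far

    def _sign(self, address, expires):
        msg = f"{address}|{expires}".encode()
        return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

    def request_subscription(self, address):
        """Handle a signup form post; return the token to put in the confirmation mail, or None."""
        address = address.strip().lower()
        if address in self.confirmed or self.pending.get(address, 0) >= MAX_PENDING_PER_ADDRESS:
            return None   # already subscribed, or the address is being flooded: send nothing more
        self.pending[address] = self.pending.get(address, 0) + 1
        expires = int(self.now()) + TOKEN_TTL
        return f"{quote(address)}|{expires}|{self._sign(address, expires)}"

    def confirm(self, token):
        """Handle a click on the confirmation link; True once the address is subscribed."""
        try:
            enc_address, expires, sig = token.split("|")
            address, expires = unquote(enc_address), int(expires)
        except ValueError:
            return False
        if expires < self.now() or not hmac.compare_digest(sig, self._sign(address, expires)):
            return False
        self.pending.pop(address, None)
        self.confirmed.add(address)
        return True

    def recipients(self):
        """Only confirmed addresses ever receive a campaign."""
        return sorted(self.confirmed)
```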

Other key findings in the report were mixed – on the whole, retailers are honoring unsubscribes faster than ever (86% stopped sending immediately), yet 6% did not stop sending at all (up from 2% last year), violating CAN-SPAM and CASL. Of the ten best practices scored in the Audit, adoption rose for five – use of the unsubscribe header, ability to opt out of all email, use of a confirmation web page, use of a branded unsubscribe page and immediately stopping the subscription. Adoption dropped for the other five criteria – clear and conspicuous presentation of the unsubscribe link, text that is easy to read, use of commonly understood “unsubscribe” language, use of preference centers or opt-down choices during the unsubscribe process, and solicitation of customer feedback on why they are unsubscribing. Surprisingly, 6% of retailers either never responded to the subscription or sent a confirmation but then never sent a newsletter or promotional email, thereby wasting the opportunity.

OTA encourages marketers to review the Audit results and take a close look at their own practices in light of the recent list bomb attacks, the practices of other retailers, and shifts in the regulatory environment. By making conscious choices about the entire process – from signup to mailing to unsubscribes – marketers can reduce potential attacks and associated disruptions and better engage consumers. The resulting benefits are broad, not only to users and your brand, but also to the integrity of the email channel and the resiliency of the Internet itself.