Categories: Building Trust, Privacy, Security

Deep Dive: Scoring ISPs and Hosts on Privacy and Security

In April 2019 the Internet Society’s Online Trust Alliance (OTA) released its 10th Annual Online Trust Audit & Honor Roll. The Audit looks at the security and privacy practices of over 1,000 of the top sites on the Internet, from retailers to governments. In this post we will take a deeper dive into the ISP/Hosts sector of the Audit. This sector comprises the top ISPs and other hosting organizations in the U.S. It includes everything from organizations that provide network access to organizations that host email services.

In the Audit, privacy statements are scored across 30 variables. ISP/Hosts were a decidedly mixed bag compared to other sectors, which tended to do either relatively well or poorly across the board in their statements. (Though to be clear, the vast majority of organizations in the Audit had poor privacy statements; it was the most common reason for failure across privacy and security scoring.)

ISP/Hosts fell somewhat short in the presentation of their statements. OTA advocates several best practices that deal with how the privacy statement is displayed to make it as easy as possible for users to understand.

The simplest practice OTA advocates is a link to the privacy statement on the homepage so users can easily find it. Here ISP/Hosts did not fare well, with just 75% having links on their homepage – the lowest of any sector – compared to 89% of sites overall.

Another simple practice is putting a date stamp at the top indicating when the privacy statement was last updated. Here 43% of ISP/Hosts had a date stamp at the top, compared to 47% overall. This number is deceptive, however: because ISP/Hosts were the lowest of any sector, they brought the overall average down significantly.

Finally, OTA advocates the use of “layered” statements. The bar for getting points for a “layered” statement is low: it can be met with something as simple as a table of contents, or with something more complex like an interactive statement or a summary outlining the longer privacy statement.

Just 25% of ISP/Hosts had a layered privacy statement, the lowest of any sector, compared to almost half (47%) of organizations overall. ISP/Hosts may have lagged behind in how they display their privacy statements, but they did much better in the content of the statement.

Specifically ISP/Hosts stood out in data sharing and retention language. Fully 82% of ISP/Hosts had language explicitly saying they did not share user data (except to complete a service for a customer), compared to 67% overall. In addition, 5% had data retention language. This means they explicitly said how long user data is retained and for what purpose. While 5% may seem small, only 2% of organizations had this language at all. In addition, ISP/Hosts were the second highest sector just behind the top 100 Internet retailers at 6%.

ISP/Hosts were right in the middle on one data sharing variable, showing that there is room for improvement in this area. Roughly half of ISP/Hosts (55%) had language stating that they would hold their third-party vendors to the same standards they hold themselves, compared to 57% of organizations overall. OTA advocates this practice because any organization that uses vendors must hold those vendors accountable. If a vendor abuses user data, and has a written agreement with an organization, that organization could be held liable for the vendor’s behavior.

ISP/Hosts privacy statements show that OTA standards are generally easy to meet. Small changes in these statements can go a long way to helping users understand the information being conveyed. These changes will also become increasingly important to keep up with the rapidly changing landscape of privacy laws and regulations around the world.

How would your organization do in the Audit? Read the report to see how you’d stack up, and use it to improve your site’s security and privacy. Then view the infographic or watch the recap video to learn more!

Categories: Building Trust, Privacy, Security

Deep Dive: U.S. Federal Government’s Security and Privacy Practices

In April 2019, the Internet Society’s Online Trust Alliance released its 10th Annual Online Trust Audit & Honor Roll. The Audit looks at the security and privacy practices of over 1,000 of the top sites on the Internet, from retailers to government sites. In this post we will take a deeper dive into the U.S. Federal Government sector of the Audit. The Government sector is defined as the top 100 sites in the U.S. Federal Government by traffic (based on Alexa ranking). Given the nature of the U.S. Government compared to companies, this sample has some unique properties, namely site security.

The most obvious place the government excels is encryption. This is largely due to a Department of Homeland Security mandate that all U.S. Government sites be served over HTTPS, but the standard should be the same for any site. Put another way, the other sectors in the Audit have no excuse for lagging in security.

In site security the Government sector fared the best with 100% adoption of “Always-On Secure Sockets Layer” (AOSSL) and/or “HTTP Strict Transport Security” (HSTS), compared to 91% of sites overall. The health sector fared the worst with 82% of sites using these technologies. The two are complementary: AOSSL means every page of the site is served over HTTPS (plain-HTTP requests are redirected to HTTPS), and HSTS is a response header that tells browsers to connect to the site only over HTTPS for a stated period, so a later plain-HTTP link or typed address is never sent in the clear.
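As an added illustration of what the AOSSL/HSTS variable is checking (this is example code, not the Audit's own tooling or anything published by OTA), the following Python classifies a host from two captured responses: the plain-HTTP fetch, which should redirect to https://, and the HTTPS fetch, whose Strict-Transport-Security header is parsed per RFC 6797. The *.example hosts and their responses are constructed for the example; the max-age/includeSubDomains/preload bar is the one hstspreload.org publishes for browser preload lists, not an OTA scoring threshold.

```python
"""Classify a site's always-on HTTPS and HSTS posture from captured responses.

Added example, not the OTA Audit's scoring code. It works on already-captured
responses so it runs offline; the sample responses and the *.example hosts
below are constructed for the example.
"""
from urllib.parse import urlsplit

# hstspreload.org requires max-age of at least one year (31536000 s) plus
# includeSubDomains and preload before a domain can be hard-coded into browsers.
ONE_YEAR = 31_536_000
REDIRECT_CODES = (301, 302, 307, 308)


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797).

    Returns a dict with max_age, include_subdomains and preload, or None when
    the header is unusable (missing or non-numeric max-age). Directive names
    are case-insensitive and unknown directives are ignored.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        name, _, arg = raw.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def assess_site(http_response, https_response):
    """Return findings for one host.

    Each response is (status_code, headers). Only the HTTPS response is
    consulted for HSTS: RFC 6797 tells browsers to ignore the header when it
    arrives over plain HTTP, so a site that sends it only there gets no credit.
    """
    http_status, http_headers = http_response
    _, https_headers = https_response
    findings = {"always_on": False, "hsts": None, "preloadable": False}

    # Always-on SSL: a plain-HTTP request is redirected straight to https://.
    location = http_headers.get("Location", "")
    if http_status in REDIRECT_CODES and urlsplit(location).scheme == "https":
        findings["always_on"] = True

    hsts_value = https_headers.get("Strict-Transport-Security")
    if hsts_value:
        policy = parse_hsts(hsts_value)
        findings["hsts"] = policy
        if (policy and policy["max_age"] >= ONE_YEAR
                and policy["include_subdomains"] and policy["preload"]):
            findings["preloadable"] = True
    return findings


# Constructed sample captures: (http:// response, https:// response) per host.
SAMPLES = {
    "good.example": (
        (301, {"Location": "https://good.example/"}),
        (200, {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}),
    ),
    "partial.example": (
        (302, {"Location": "https://partial.example/"}),
        (200, {"Strict-Transport-Security": "max-age=300"}),
    ),
    "weak.example": (
        (200, {"Content-Type": "text/html",
               "Strict-Transport-Security": "max-age=31536000"}),  # ignored: sent over HTTP
        (200, {}),
    ),
}


def report(samples=SAMPLES):
    """Assess every sampled host and return {host: findings}."""
    return {host: assess_site(*pair) for host, pair in samples.items()}


if __name__ == "__main__":
    for host, findings in report().items():
        print(host, findings)
```

Two caveats are built in: the header is only read from the HTTPS response, because browsers discard HSTS delivered over plain HTTP, and a short max-age (partial.example) still counts as HSTS but leaves the site exposed again as soon as the policy expires.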

Most sites in the Audit fared well in these areas, but the Government sector was the only one to achieve 100% adoption of these technologies. From OTA’s perspective all sites should be adopting these technologies, and while it is encouraging that the U.S. Federal Government (or at least the top 100 sites) has, it is discouraging that all of the other sectors are not reaching the 100% adoption rate.

In addition, the Government sector saw improvement over time. All sectors improved somewhat, but the Federal Government was the only one to cross the finish line. Here again it is important to note that the Federal Government is unique in some ways. Homeland Security can simply mandate encryption and it happens. Companies and other types of organizations may not be as straightforward, but that is not an excuse not to work towards full encryption.

In 2017, 91% of Federal Government sites were encrypted, up to 100% this year as noted above. Other sectors improved as well. ISP/Hosting sites went from 70% in 2017 to 91% in 2018. Banks, a sector where encrypting website traffic is particularly important given the types of data sent over those sites, also saw a marked improvement. In 2017 just 76% of banks encrypted their sites. In 2018 that number jumped to 91%.

Despite improvements across the board in site encryption, banks are a good example of where improvement is not enough. The Government sector sets the standard. The lesson for all organizations from the success of the U.S. Federal Government is simple. It’s possible to encrypt large numbers of sites quickly – and it’s in the interest of any organization to do so.

How would your organization do in the Audit? Read the report to see how you’d stack up, and use it to improve your site’s security and privacy. Then view the infographic or watch the recap video to learn more!

Categories: Building Trust, Privacy, Security

Deep Dive: How Does the Consumer Sector Score on Privacy and Security?

In April 2019 the Internet Society’s Online Trust Alliance released its 10th annual Online Trust Audit & Honor Roll. The Audit looks at the security and privacy practices of over 1,000 of the top sites on the Internet from retailers to government sites. In this post we will take a deeper dive into the Consumer section of the Audit. The Consumer section is a diverse set of sites including travel sites, hotels, and dating sites (see the methodology of the report for the full list).

In 2018 the Consumer section improved its standing, with 85% making the Honor Roll, up from 76% in 2017. This was largely due to improvements in email security. Despite these gains, TLS 1.3 adoption was actually down in 2018 (largely due to a change in the list of retail sites). Even so, OTA advocates the adoption of TLS 1.3.

Where these sites did stand out, compared to other sectors, was in privacy scores. Overall, the Consumer sector scored 43 out of 45 on the privacy tracker score, among the highest of any sector, and 33 out of 55 on the privacy statement, also among the highest.

The Consumer section’s privacy statements were exemplary in a few ways. First, the Consumer section led in the use of archives for privacy statements: 12% of Consumer sites kept an archive of prior versions, the highest of any sector in the Audit.

OTA advocates this practice so users can see what changes were made to the privacy statement over time, without having to compare past statements on their own. This is a transparency issue. Privacy statements change constantly and it helps the organization to give users an easy way to see those changes.

Second, the Consumer section also stood out in data sharing language. 68% of Consumer sites had language stating that they do not share data with third parties, among the highest of any sector. In addition, only 39% had language stating that they share data with “affiliates.”

“Affiliate” language is about sharing data within a corporate family, as opposed to sharing with entirely separate third parties. While this is obviously common practice, OTA advocates that organizations be open about their data sharing practices, even within the corporate family.

Finally, the Consumer section scored among the highest in language explicitly saying that they hold their vendors to the same standards as themselves. In short, this is about holding any vendor that might handle user data to the same data privacy standards the organization applies to itself.

Overall, 74% of Consumer sites had language indicating they held their vendors to their own standards. This compares to 50% overall, well above the average for the entire sample. OTA advocates language like this because often data breaches happen with third party vendors, as opposed to the main organization itself, and therefore it is important that any organization make it clear that they hold all of their partners to the same standards they hold themselves.

How would your organization do in the Audit? Read the report to see how you’d stack up, and use it to improve your site’s security and privacy. Then view the infographic or watch the recap video to learn more!

Categories: Building Trust, Privacy, Security

Deep Dive: How the News and Media Sector Scores on Security and Privacy

In April 2019 the Internet Society’s Online Trust Alliance released its 10th annual Online Trust Audit & Honor Roll. The Audit looks at the security and privacy practices of over 1,000 of the top sites in various sectors. The news and media sector, comprised of the top 100 news and media sites according to U.S. traffic to their websites, improved its privacy practices in 2018. Like most sites, however, there is still room for improvement in privacy statements.

In 2017 less than half (48%) of news and media sites made the Honor Roll. In 2018 that number went up significantly to 78%, largely due to improvements in privacy statements. Privacy is scored in two ways in the Audit: we look at the trackers on each site, and we score the privacy statements across more than 30 criteria.

One area where news sites did not improve was in the use of trackers on their site. Out of all the sectors news and media scored the lowest in trackers with a score of 39 (out of 45). Part of the reason for this is the news and media sector relies on advertising revenue, which often requires the use of trackers to serve ads.

On the positive side, news and media fared well in the use of tag management systems and privacy solutions, with 69% of news and media sites using these technologies. Tag management systems and privacy solutions help manage third-party data collection and data sharing in real time.

News and media sites did, however, improve their privacy statements. On statements, news and media scored near the top with 32 out of 55, second only to the Consumer section.

First, news and media sites improved the readability of their statements, with 71% using layered notices, up from 42% in 2017. A layered notice can be anything from a simple table of contents to a summary version of the longer privacy policy. OTA advocates layered statements to help users understand the statement and find the information they are looking for more easily.

One area for improvement, however, is in the use of icons and multilingual policies. Just 1% of news and media sites used icons to indicate what information is being conveyed in a section of the privacy policy. OTA advocates the use of icons to help users of various reading comprehension levels understand the information in the statement. In addition, only 5% had privacy statements in multiple languages. To be fair this is not unique to news and media. Few sites in the Audit use either icons or have multilingual policies.

Second, news and media sites improved their sharing language. Overall, 60% of news and media sites had language that they do not share user data with third parties, up from 53% in 2017. In addition, most (85%) news and media sites indicated that they hold those they do share data with to the same standards they hold themselves.

Finally, this year’s Audit tracked some aspects of GDPR (which went into effect in spring 2018) in order to gauge adoption of certain GDPR principles. To be clear, at the time of this Audit’s data collection many of the sites were not required to follow GDPR as they are largely U.S.-based organizations.

Since this Audit’s data collection period, more regulations have been put in place around the world, such as the California Consumer Privacy Act (CCPA), that mirror many of the principles OTA measured. Here news and media did not fare as well. For example, one GDPR requirement is that privacy statements be easy for most consumers to read and understand. Here the news and media sector fared the worst with just 8% being easy to read. On the plus side 70% of news and media sites offered a direct contact for users to address their privacy concerns. (In GDPR parlance this is a Data Protection Officer, but in the U.S. one is not required at the moment.)

It is encouraging to see improvement in the news and media sector’s privacy statements. It is also true, however, that given the shifting privacy regulations around the world these improvements will need to continue if news and media sites want to stay ahead of regulatory changes.

How would your organization do in the Audit? Read the report to see how you’d stack up, and use it to improve your site’s security and privacy. Then view the infographic or watch the recap video to learn more!

Categories: Building Trust, Privacy, Security

Online Trust Audit for 2020 Presidential Campaigns Update

On 7 October 2019, the Internet Society’s Online Trust Alliance (OTA) released the Online Trust Audit for 2020 U.S. Presidential Campaigns. Overall, 30% of the campaigns made the Honor Roll, and 70% had a failure, mainly related to scores for their privacy statements. As part of this process, OTA reached out to the campaigns, offering to explain their specific Audit scores and ways to improve them. The campaigns were also told that they would be rescored in mid-November and the updated results would be published in early December. As a result, several campaigns contacted us to understand the methodology and scoring, and several of them made improvements.

Rescoring of all elements of the Audit was completed on 25 November, and the table below shows the updated results since release of the original Audit. Several campaigns have been suspended since early October (Messam, O’Rourke, Ryan, and Sanford, as well as Bullock and Sestak in early December). Campaigns shown in bold in the Honor Roll column made enough improvements to earn passing scores for their privacy statements and thereby achieve Honor Roll status. Campaigns shown in italics at the bottom of the table are new entrants since the Audit was released. Based on this updated list of 20 campaigns, 10 made the Honor Roll while 10 had a failure in one or more areas, creating a 50/50 split.

Figure 1 – 2020 Presidential Campaign Audit Supplement Results
Privacy Practice Updates

Three campaigns updated their privacy statements, and all three made changes that caused them to pass in the privacy area (a score of 60 or more) and achieve Honor Roll status. However, these were minor changes (added a date stamp, addressed children’s use of the site, layered the statement to make it easier to navigate) – none addressed the core data sharing issues highlighted in the original Audit.

For the new entrants, one had no privacy statement (De La Fuente), one had a privacy statement with a score below 60 (Bloomberg), and one had a privacy statement with a passing score that directly addressed the data sharing issues (Patrick).

Site Security Updates

Minor changes were noted in the site security aspects of the Audit, and none were substantial enough to cause a change in Honor Roll status. Two campaigns now have outdated software (lowering their score), and one added support for TLS 1.3.

Site security scores for the new entrants were strong, which is in line with other campaigns, and all of them support “always on SSL” or fully encrypted web sessions.

Consumer Protection Updates

A few changes were noted in the existing campaigns – one added support for DNSSEC, and one added DMARC support with a reject policy (the recommended email security best practice). These improved the campaigns’ scores, but did not affect their Honor Roll status. The two campaigns that originally had failures due to email authentication have been suspended so are no longer on the list.

For the new entrants, one has insufficient email authentication (so fails in Consumer Protection as well as Privacy), and while the other two have strong SPF and DKIM protection, only one uses DMARC with a reject policy. One supports DNSSEC.

Conclusion

The engagement with several of the campaigns was constructive and led to improvements that helped them earn Honor Roll status. We find that for most organizations the issue is more about awareness of best practices and their impact on overall trust than a refusal to follow those best practices. However, the data sharing language in all but one of the privacy statements is concerning. For example, most of the campaigns had language that would allow them to share data with “like minded organizations.” Language along these lines gives the campaigns broad discretion to share user data. We encourage campaigns (and the political parties they work with) to consider improvements to sharing language to increase transparency about how data is shared and give users more control over their data.

Campaign Sites and Privacy Statements

You can find the list of the URLs for the rescored campaign sites and associated privacy statements in the Supplement to Online Trust Audit – 2020 Presidential Campaigns.

This supplement was finalized before Kamala Harris dropped out of the U.S. presidential race on 3 December 2019.

Categories: Building Trust

Deep Dive: A Look at Top Retailers’ Security Practices

In April 2019 the Internet Society’s Online Trust Alliance released its 10th Online Trust Audit & Honor Roll. One of the longest-running sectors covered in the Audit is online retailers. In this blog post we will look at the top 500 online retailers in the U.S. based on online sales and how they fare in the security best practices advocated by OTA.

Overall 65% of online retailers in the top 500 made the honor roll this year, a marked improvement over 2017 when just over half (51%) did. With the upcoming holidays many consumers will be doing much of their shopping online, therefore it is more important than ever that any online retailer practices good email and site security. After all, consumers are sending highly-sensitive data like credit cards and addresses at a much higher rate during the holidays.

In site security retailers fared well, as did most sites. Fully 92% of the top 500 online retailers had AOSSL/HSTS on their sites (virtually the same as the 91% of sites overall). The good news this year is that this is a significant increase over the 38% that had AOSSL/HSTS in 2017. The bad news is that anything short of 100% of these top online retailers is still concerning given the information consumers enter into these sites when they shop.

In email security most retailers also did well. Two technologies, SPF and DKIM, help ensure that users are not receiving forged or spoofed emails purporting to come from a retailer: SPF publishes which servers may send mail for the domain, and DKIM lets the sender sign messages so receivers can verify they were not altered in transit. Fully 86% of retailers implemented SPF (compared to 89% of organizations overall). Here again the trend is positive; in 2017, 75% of online retailers had SPF. DKIM adoption also rose: in 2018 83% had DKIM, up significantly from 53% in 2017. Where retailers did not do well in email security, however, was DMARC.

DMARC builds on SPF and DKIM, telling receiving mail servers what to do with messages that fail authentication (and where to send reports about them). Just 34% of online retailers implemented DMARC, well below the 50% of sites overall. In addition there was little improvement over 2017, when 33% had implemented this technology. This lack of improvement in DMARC is disappointing for online retailers given they have improved in other areas.

It is no longer the case that only tech companies need to be concerned about data security. All companies run on data, retailers more so than ever. Not securing your consumer-facing site with TLS (“SSL”) is unacceptable in 2019, as is not using proper email authentication. No business is immune from breaches, and users need to know their information is safe when making online purchases.

How would your organization do in the Audit? Read the report to see how you’d stack up, and use it to improve your site’s security and privacy. Then view the infographic or watch the recap video to learn more!

Categories: Building Trust, Privacy, Security

Announcing the 2020 U.S. Presidential Campaign Audit

Today, the Internet Society’s Online Trust Alliance released a new report, the “2020 U.S. Presidential Campaign Audit,” analyzing the 23 top current presidential campaigns and their commitment to email/domain protection, website security, and responsible privacy practices. OTA evaluated the campaigns using the same methodology we used to assess nearly 1,200 organizations in the main Online Trust Audit released in April.

An alarming 70% of the campaign websites reviewed in the audit failed to meet OTA’s privacy and security standards, potentially exposing visitors to unnecessary risks. Only seven (30%) of the analyzed campaigns made the Honor Roll, a designation recognizing campaigns that displayed a commitment to using best practices to safeguard visitor information. The 2020 campaigns, taken together as a sector, lagged behind the Honor Roll average of all other sectors (70%) in the 2018 Online Trust Audit, and were far short of the Honor Roll achievement of 91% by U.S. federal government organizations.

To qualify for the Honor Roll, campaigns must have an overall score of 80% or higher, with no failure in any of the three categories examined. The campaigns who made the Honor Roll are:

  • Pete Buttigieg
  • Kamala Harris
  • Amy Klobuchar
  • Beto O’Rourke
  • Bernie Sanders
  • Donald Trump
  • Marianne Williamson

Website security scores are high. This can be attributed to the relative “newness” of these campaign sites and the fact that they were built recently on secured platforms. The lack of email authentication for two of the campaigns is a surprise, since these are long-established best practices and modern infrastructure should support SPF, DKIM, and DMARC.

Privacy is a major problem for campaigns, causing failure for 70% of them. There were a variety of reasons for failure, including:

  • Lack of Privacy Statement – Four campaigns had no discoverable privacy statement. This yields a statement score of 0 and is an automatic failure. This may be an oversight, but is inexcusable since every campaign website is collecting data. Fortunately, it can be remedied quickly by adding a privacy statement.
  • Inadequate Statement – Many campaign privacy statements were silent on the issue of data sharing, retention, etc. so they did not give clear notice and transparency about their practices. Such disclosures are generally accepted best practice.
  • Freely Sharing Data – Several privacy statements said they could share data with “like-minded entities” or unidentified third parties, effectively putting no limits on the use of personal data.

We encourage all campaigns to remain vigilant regarding security, and to revisit their privacy statements. Disclosing that data may be shared with “like-minded” organizations may be a common practice for campaigns, but is still concerning in light of the depth of demographic and financial information being collected. Since even campaigns who made the Honor Roll had poor privacy scores, OTA calls on all campaigns to consider updating their statement and practices to better reflect consumer concerns pertaining to the collection, use, retention, and sharing of their personal information.

We reached out to each campaign the week of 30 September, prompting some campaigns to make updates, which we re-evaluated on 7 October. We are committed to helping campaigns improve their efforts to keep both people and information safe online by providing tailored best practice recommendations upon request. We will reassess active presidential campaigns in mid-November and provide a short supplement to this report, highlighting any improvements.

We encourage you to read the report, and to make sure your organization (of any kind) is following the best practices outlined in Appendix C – Best Practices Checklist.

Categories: Building Trust, Encryption, Improving Technical Security, Internet of Things (IoT), Mutually Agreed Norms for Routing Security (MANRS), Privacy, Security

Celebrating National Cybersecurity Awareness Month

Every October, we mark National Cybersecurity Awareness Month. From the U.S. Department of Homeland Security website, “Held every October, National Cybersecurity Awareness Month (NCSAM) is a collaborative effort between government and industry to raise awareness about the importance of cybersecurity and to ensure that all Americans have the resources they need to be safer and more secure online.”

We believe in an Internet that is open, globally connected, secure, and trustworthy. Our work includes improving the security posture of producers of Internet of Things (IoT) devices, ensuring encryption is available for everyone and is deployed as the default, working on time security, routing security through the MANRS initiative, and fostering collaborative security.

The Online Trust Alliance’s IoT Trust Framework identifies the core requirements manufacturers, service providers, distributors/purchasers, and policymakers need to understand, assess, and embrace for effective security and privacy as part of the Internet of Things. Also check out our Get IoT Smart pages for more consumer-friendly advice on IoT devices.

Much of OTA’s work culminates in the Online Trust Audit & Honor Roll, which recognizes excellence in online consumer protection, data security, and responsible privacy practices. Since that report’s release in April 2019, we’ve done a couple of “deep dives” into specific sectors, including Healthcare and Banks, with more sectors on the way. We’ve also done a deep dive specifically into privacy statements, finding that most organizations do not comply with existing global privacy regulations and are not ready for additional regulations going into effect in 2020.

In addition, our Cyber Incident & Breach Trends Report analyzes events to extract key learnings and provide guidance to help organizations of all sizes raise the bar on trust through enhanced data protection and increased defense against evolving threats.

Check out our Best Practices to learn more, and make October the month you work to improve your organization’s overall cybersecurity stance!

Categories: Building Trust, Privacy, Security

Deep Dive: How Do Banks Score on Privacy and Security?

In April 2019 the Internet Society’s Online Trust Alliance published its 10th annual Online Trust Audit & Honor Roll assessing the security and privacy of 1,200 top organizations. The Banking sector includes the top 100 banks in the U.S., based on assets according to the Federal Deposit Insurance Corporation (FDIC). Banks had a standout year, with a dramatic increase in scores across the board. Let’s take a closer look.

Overall, 73% of banks made the Honor Roll, putting the banking sector 4th behind the News and Media (78%), Consumer Services (85%), and the U.S. Federal Government (91%) sectors. In the previous Audit, only 27% made the grade. This large jump is due to improvements in all three scoring categories: email authentication, site security, and privacy.

Email 

Banks, like most sectors, came close to 100% adoption of the two main email security technologies studied in the Audit: SPF (93%) and DKIM (87%). In addition, banks saw a marked improvement in how many sites implemented both technologies, at 87% in 2018, up from 60% in 2017. This puts banks among the most improved sectors in this area.

DMARC builds on SPF and DKIM results: the domain owner publishes a policy telling receivers how to handle messages that fail authentication (none, quarantine, or reject) and can request feedback reports that show who is sending mail in the domain’s name. Banks also did well in DMARC adoption, with the second highest adoption rate (70%) of any sector, second only to the U.S. Federal Government (93%).
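The retail post above and this paragraph both describe SPF and DMARC in prose. As an added example (not the Audit's scoring tool, and not code published by OTA), the following Python evaluates the two DNS TXT records a receiving mail server consults: it reports the qualifier on SPF's `all` mechanism and the DMARC `p=` policy, treating `p=reject` as the recommended best practice the posts refer to. The records and *.example domains are constructed; DKIM is omitted because checking a signature requires a signed message, not just a DNS record.

```python
"""Evaluate the SPF and DMARC records a domain publishes for outbound mail.
Added example, not the OTA Audit's scoring tool; it works on TXT record strings
so it runs offline. Records and *.example domains are constructed. DKIM is not
checked: verifying it needs a signed message, not just a DNS record.
"""

# SPF terms that each cost one of the 10 DNS lookups RFC 7208 permits.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def evaluate_spf(record):
    """Summarise an SPF record (qualifier on 'all', lookup count); None if not SPF."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    summary = {"all": None, "lookups": 0}
    for term in terms[1:]:
        qualifier = "+"  # RFC 7208: a mechanism with no qualifier means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = term.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            summary["lookups"] += 1
        if name == "all":
            summary["all"] = qualifier
    return summary


def spf_verdict(summary):
    """Plain-language verdict on how much the SPF record actually restricts."""
    if summary is None:
        return "no SPF record"
    if summary["lookups"] > 10:
        return "invalid: more than 10 DNS lookups, receivers return permerror"
    return {
        "-": "hard fail for unlisted senders (strongest)",
        "~": "soft fail for unlisted senders",
        "?": "neutral: does not protect against spoofing",
        "+": "passes every sender: equivalent to no SPF",
        None: "no 'all' mechanism: unlisted senders are treated as neutral",
    }[summary["all"]]


def evaluate_dmarc(record):
    """Parse a DMARC record into tags; None unless it starts with v=DMARC1 and has p=."""
    if not record.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if "p" not in tags:
        return None
    tags.setdefault("pct", "100")     # RFC 7489 default: apply policy to all mail
    tags.setdefault("sp", tags["p"])  # subdomain policy inherits p= when absent
    return tags


def dmarc_verdict(tags):
    """Does the domain tell receivers to reject mail that fails authentication?"""
    if tags is None:
        return "no valid DMARC record"
    policy = tags["p"].lower()
    if policy == "reject" and tags["pct"] == "100":
        verdict = "reject policy: recommended best practice"
    elif policy == "reject":
        verdict = f"reject policy applied to only {tags['pct']}% of failing mail"
    elif policy == "quarantine":
        verdict = "quarantine policy: failing mail is spam-foldered, not rejected"
    else:
        verdict = "p=none: monitoring only, spoofed mail is still delivered"
    if "rua" not in tags:
        verdict += "; no rua= address, so the domain gets no aggregate reports"
    return verdict


# Constructed records (placeholder domains, not real DNS data).
SAMPLE_RECORDS = {
    "bank.example": {
        "spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailvendor.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example; adkim=s; aspf=s",
    },
    "shop.example": {
        "spf": "v=spf1 include:_spf.mailvendor.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@shop.example",
    },
    "campaign.example": {"spf": "v=spf1 a mx +all", "dmarc": None},
}


def audit(records=SAMPLE_RECORDS):
    """Run both checks over every domain and return {domain: {spf, dmarc}}."""
    results = {}
    for domain, rec in records.items():
        spf = evaluate_spf(rec["spf"]) if rec["spf"] else None
        dmarc = evaluate_dmarc(rec["dmarc"]) if rec["dmarc"] else None
        results[domain] = {"spf": spf_verdict(spf), "dmarc": dmarc_verdict(dmarc)}
    return results
```

Edge cases the code handles: an SPF record that exceeds the 10-lookup limit is flagged as invalid rather than counted as protection, `pct=` below 100 dilutes a reject policy, and a missing `rua=` means the domain owner never sees who is spoofing the domain.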

Site Security

Though banks did well in overall site security (and led in areas such as lowest occurrence of cross-site scripting), there were a few areas for improvement. They had by far the highest rate of malware on the sites (10%, vs an overall average of 2%). They also had one of the lowest adoption rates for presence of a vulnerability reporting mechanism (6% vs an overall average of 11%). In light of recent large data breaches, it is especially important to provide a way for security researchers to report vulnerabilities in an efficient way.

Privacy

Like most sectors, banks did not fare well in privacy. The Audit tracks privacy in two ways: by the number of trackers on a site, and by analyzing the site’s privacy statement. In terms of trackers, banks did well. They were among the top scorers with 44 of 45 available points. (The score is derived using publicly available software to count the trackers each site uses; the fewer bad trackers, the higher the score.) Though there was marked improvement from the prior Audit, banks still lagged, like most sites, in their privacy statements. Banks had a privacy statement score of only 25 out of 55, towards the low end of the spectrum.

The primary cause of failures was in sharing and data retention language. Only 22% of banks had language about data sharing, lower than the overall average across sectors. While most sites fared poorly in data retention language, banks were particularly bad. No banks had satisfactory data retention language in their privacy statement. Given the sensitivity of data that banks have, it is important that there be some kind of data retention language.

Learn More

How would your organization do in the Audit? Check out Appendix E – the Best Practice Checklist – to see how you’d stack up, and use it to improve your site’s security and privacy. Then read the report, view the infographic, or watch the recap video to learn more!


Privacy Regulations Are Evolving: Are Organizations Ready?

Privacy statements are both a point of contact to inform users about their data and a way to show governments the organization is committed to following regulations. On September 17, the Internet Society’s Online Trust Alliance (OTA) released Are Organizations Ready for New Privacy Regulations? The report, using data collected from the 2018 Online Trust Audit, analyzes the privacy statements of 1,200 organizations using 29 variables and then maps them to overarching principles from three privacy laws around the world: the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA) in the United States, and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.

In many cases, organizations lack key concepts covering data sharing in their statements. Just 1% of organizations in our Audit disclose the types of third parties they share data with. This is a common requirement across privacy legislation. It is not as onerous as having to list all of the organizations; simply listing broad categories like “payment vendors” would suffice. 

Data retention is another area where many organizations are lacking. Just 2% had language about how long and why they would retain data. Many organizations have statements like, “we retain user data for as long as it is needed.” This type of statement is not specific enough for many regulations. 

Other concepts cover users’ ability to interact with their data. Two relative bright spots are that 70% of organizations did include contact information and 50% included information on how users could get information about their data. However, virtually none included this information to the level of detail often required by laws like GDPR. 

For example, while most did have a point of contact, it was rare that the contact was specifically about privacy or to a Data Protection Officer (DPO). It was usually a generic contact email address. OTA’s standard is lower given that most of the organizations in the Audit are in the U.S. and were not held to this higher standard by U.S. law at the time of data col

Finally, OTA advocates, and many privacy laws require, that statements meet certain standards of readability. One simple practice, advocated by the OTA, that can help users navigate complex privacy statements is “layering.” This can be achieved in many ways, from a table of contents to a summary of the principles in the longer statement. Just under half (47%) of companies used layered statements. 

Many of the practices OTA advocates are relatively simple to implement and would go a long way to helping organizations navigate the changing privacy landscape. Read our full report to see the full range of practices advocated by the OTA and how they map to privacy concepts, or view the infographic for a quick reference to some of the findings. For more detail on the data and the methodology we used to generate the standings, see the Online Trust Audit and Honor Roll.


Deep Dive: How Healthcare Organizations Practice Privacy and Security

In April, the Online Trust Alliance published the 11th annual Online Trust Audit assessing the security and privacy of 1,200 top organizations across several industry sectors. For the first time, this year’s Audit covered 100 of the top healthcare organizations, including lab testing companies, pharmacies, hospital chains, and insurance providers. 

How did they do?

Since this is the first year these organizations were included, we do not have historical comparisons, but we can compare how healthcare sites fared against the other audited sectors. Overall, 57% of healthcare sites made this year’s Honor Roll, the lowest of all the sectors we studied. By far the most common reason for failure in the healthcare sector was weak email security (35%, nearly triple the overall average). Failure due to privacy was better than average, while failure due to site security was slightly worse than average. 

Email Security

SPF and DKIM help protect against forged email. Overall, 87% of healthcare organizations had SPF on their top-level domain and 67% had DKIM (the lowest of any sector, and the main source of healthcare’s failing scores). DMARC builds on SPF and DKIM results, provides a means for feedback reports, and gives receivers guidance on how to process messages that fail authentication. Forty-eight percent of healthcare organizations had a DMARC record, which was slightly below the overall average.
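The email-security paragraphs above (for healthcare, and for banks earlier on this page) describe what the Audit looks for: an SPF record on the top-level domain, a published DKIM key, and a DMARC record whose policy tells receivers what to do with failures and whose rua= tag enables feedback reports. The checker below is an added illustration of those checks, not OTA’s audit tooling. It parses the record formats (SPF per RFC 7208, DKIM and DMARC tag lists per RFC 6376 and RFC 7489) and produces findings a domain owner can act on. The DNS answers come from a constructed in-memory table of hypothetical domains so that it runs offline; in practice the same parsing would be applied to TXT records fetched from a resolver.

```python
"""Offline SPF / DKIM / DMARC presence and policy checker (added example, not OTA's scanner)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

TxtLookup = Callable[[str], List[str]]

# Constructed sample zone data: hypothetical .test domains, not real audit results.
SAMPLE_TXT: Dict[str, List[str]] = {
    "example-bank.test": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.test -all"],
    "_dmarc.example-bank.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-bank.test; pct=100"],
    "s1._domainkey.example-bank.test": ["v=DKIM1; k=rsa; p=PLACEHOLDERBASE64KEY"],
    "example-clinic.test": ["v=spf1 include:_spf.mailer.test ~all"],
    "_dmarc.example-clinic.test": ["v=DMARC1; p=none"],
    # example-clinic.test publishes no DKIM key; example-host.test publishes nothing at all.
    "example-host.test": [],
}


def lookup_sample(name: str) -> List[str]:
    """Stand-in for a DNS TXT query, answered from the constructed table above."""
    return SAMPLE_TXT.get(name.lower(), [])


def parse_tag_list(record: str) -> Dict[str, str]:
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC records."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")  # split on the first '=' only; base64 keys may end in '='
            tags[key.strip().lower()] = value.strip()
    return tags


@dataclass
class SpfPolicy:
    mechanisms: List[str]
    all_qualifier: Optional[str]  # '-', '~', '?', '+' or None when no 'all' mechanism is present


def parse_spf(record: str) -> Optional[SpfPolicy]:
    """Return the mechanisms and the qualifier on the terminal 'all' of an SPF record, or None if not SPF."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms: List[str] = []
    all_qualifier: Optional[str] = None
    for term in terms[1:]:
        qualifier, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if body.lower() == "all":
            all_qualifier = qualifier
        mechanisms.append(body)
    return SpfPolicy(mechanisms, all_qualifier)


@dataclass
class EmailAuthReport:
    domain: str
    spf_present: bool = False
    spf_all_qualifier: Optional[str] = None
    dkim_selectors_found: List[str] = field(default_factory=list)
    dmarc_present: bool = False
    dmarc_policy: Optional[str] = None  # 'none', 'quarantine' or 'reject'
    dmarc_reporting: bool = False       # True when an rua= (aggregate report) address is published
    findings: List[str] = field(default_factory=list)


def assess_domain(domain: str, selectors: List[str], lookup: TxtLookup = lookup_sample) -> EmailAuthReport:
    """Apply the three checks to one domain and record the findings a domain owner should address."""
    report = EmailAuthReport(domain=domain)

    # SPF lives in a TXT record at the domain apex and must start with v=spf1.
    for txt in lookup(domain):
        spf = parse_spf(txt)
        if spf is not None:
            report.spf_present, report.spf_all_qualifier = True, spf.all_qualifier
            break
    if not report.spf_present:
        report.findings.append("no SPF record on top-level domain")
    elif report.spf_all_qualifier in (None, "+", "?"):
        report.findings.append("SPF does not fail unauthorised senders (missing, neutral or '+all' terminal mechanism)")

    # DKIM keys live at <selector>._domainkey.<domain>; selectors are not enumerable, so a list is tried.
    for sel in selectors:
        for txt in lookup(f"{sel}._domainkey.{domain}"):
            tags = parse_tag_list(txt)
            if tags.get("v", "DKIM1").upper() == "DKIM1" and tags.get("p"):  # empty p= means a revoked key
                report.dkim_selectors_found.append(sel)
                break
    if not report.dkim_selectors_found:
        report.findings.append("no DKIM key found for the tried selectors")

    # DMARC lives at _dmarc.<domain>; v=DMARC1 must be the first tag and p= is mandatory.
    for txt in lookup(f"_dmarc.{domain}"):
        if not txt.strip().lower().startswith("v=dmarc1"):
            continue
        tags = parse_tag_list(txt)
        report.dmarc_present = True
        report.dmarc_policy = tags.get("p", "").lower() or None
        report.dmarc_reporting = "rua" in tags
        break
    if not report.dmarc_present:
        report.findings.append("no DMARC record")
    else:
        if report.dmarc_policy == "none":
            report.findings.append("DMARC policy 'none' only monitors; receivers take no action on failures")
        if not report.dmarc_reporting:
            report.findings.append("DMARC has no rua= address, so no aggregate feedback reports are received")
    return report


if __name__ == "__main__":
    for name in ("example-bank.test", "example-clinic.test", "example-host.test"):
        r = assess_domain(name, ["s1", "default"])
        print(name, "OK" if not r.findings else "; ".join(r.findings))
```

The selector list is the one piece that cannot be derived from DNS alone: DKIM keys are only visible if you know (or guess) the selector, which is why the DKIM figures in surveys like this one depend on the selectors the scanner tries.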

To learn more, check out our email authentication and security resources.

Site Security

Here, healthcare sites did better, but still scored the lowest of all sectors. Healthcare sites averaged 86 points on site security (out of a possible 100 points, tied for lowest), with 82% forcing all sessions to be encrypted (the lowest of all sectors). 
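"Forcing all sessions to be encrypted" in the paragraph above is something a scanner can verify from two HTTP responses: the answer to a plaintext request should be a redirect to an https:// URL, and the TLS response should carry a Strict-Transport-Security header so that returning browsers never try plaintext again. The check below is an added illustration of that criterion, not OTA’s scanner. It operates on constructed response objects (status code plus headers) rather than a live connection, so it runs offline; the hostnames are hypothetical.

```python
"""Offline check for the 'all sessions encrypted' criterion (added example, not OTA's scanner)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class HttpResponse:
    """Minimal stand-in for the status line and headers a crawler receives."""
    status: int
    headers: Dict[str, str]

    def header(self, name: str) -> Optional[str]:
        # Header names are case-insensitive, so match without regard to case.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def parse_hsts(value: str) -> Dict[str, str]:
    """Parse Strict-Transport-Security directives, e.g. 'max-age=31536000; includeSubDomains; preload'."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_forced_https(site: str, plain: HttpResponse, tls: HttpResponse) -> Tuple[bool, List[str]]:
    """Return (passes, findings) for the responses to http://site/ and https://site/."""
    findings: List[str] = []

    # 1. A plaintext request must be redirected, never answered with content.
    if plain.status not in (301, 302, 307, 308):
        findings.append(f"http://{site}/ served content (status {plain.status}) instead of redirecting")
    else:
        location = plain.header("Location") or ""
        if urlsplit(location).scheme.lower() != "https":
            findings.append(f"redirect from http://{site}/ does not go to https: {location!r}")

    # 2. The TLS response must set HSTS with a positive max-age so browsers stop trying plaintext.
    hsts = tls.header("Strict-Transport-Security")
    if hsts is None:
        findings.append(f"https://{site}/ sends no Strict-Transport-Security header")
    else:
        try:
            max_age = int(parse_hsts(hsts).get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age <= 0:
            findings.append("Strict-Transport-Security max-age is missing, zero or malformed")

    return (not findings, findings)


# Constructed sample responses for a hypothetical site.
GOOD_PLAIN = HttpResponse(301, {"Location": "https://example-clinic.test/"})
GOOD_TLS = HttpResponse(200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                              "Content-Type": "text/html"})
BAD_PLAIN = HttpResponse(200, {"Content-Type": "text/html"})   # plaintext page served as-is
BAD_TLS = HttpResponse(200, {"Content-Type": "text/html"})     # TLS works but no HSTS

if __name__ == "__main__":
    for label, pair in (("good", (GOOD_PLAIN, GOOD_TLS)), ("bad", (BAD_PLAIN, BAD_TLS))):
        ok, findings = check_forced_https("example-clinic.test", *pair)
        print(label, "PASS" if ok else "FAIL: " + "; ".join(findings))
```

The redirect target host is deliberately not compared with the requested host, because redirecting example.test to https://www.example.test/ is common and still satisfies the criterion; what matters is that the scheme changes to https and that HSTS pins it.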

Some site security highlights for healthcare organizations were their higher-than-average adoption of TLS 1.3, the latest version of the encryption protocol, and the low reported rate of cross-site scripting vulnerabilities (8% versus an overall average of 21%). Lowlights were low use of a web application firewall (the lowest by far at 30% versus an overall average of 71%) and lack of a vulnerability reporting mechanism (3% versus an overall average of 11%).

Privacy Statements

Healthcare sites had an above average score for both their overall privacy assessment (73 points out of 100), and their privacy statements themselves (29 of the available 55). Though these are not impressive scores, they are still better than many other sectors. For the other half of the overall privacy score – trackers – healthcare organizations scored well (44 of the available 45 points), slightly higher than the overall average. Finally, 80% of the sites had tag management systems, which is well above the overall average of 71%. 

The most important aspect of any privacy statement is conveying to users how their data is collected and whether it is shared with other organizations. 95% of healthcare sites had language saying that they do not share data with third parties, among the highest of any sector. In addition, 5% had language explicitly stating that they do not share with affiliates.

Another important aspect of data sharing is ensuring that an enterprise holds its third-party vendors to the same standards it holds itself. This is important because data breaches or unauthorized access to data often begin with a third party – 61% of healthcare sites had language conveying this, which is slightly above the overall average. A related concept to data sharing is data retention. Ideally any enterprise should have language indicating how long and for what purpose it retains any data it collects – 4% of healthcare sites had this statement, which is among the highest across sectors. 

Some of the variables we track ensure that a privacy statement is easily readable by consumers. The first is whether the statement is “layered,” which 44% of healthcare sites had. There are many ways to layer a statement, from a simple table of contents to a fully interactive statement with several layers. Using icons to convey information to consumers in a non-text-based way is another practice we advocate to help all consumers understand what they are reading; only 4% of healthcare sites used some kind of icon in their privacy statements (though only 6% of sites overall did this). Finally, we advocate that sites have the privacy statement available in multiple languages – 6% of healthcare sites had this option, slightly higher than sites overall (4%).

We also encourage some simple practices that can ensure consumers know the information on the privacy statement is up to date, and what has changed. Sites should have a date stamp, ideally at the top of the privacy statement page, which 29% of healthcare sites had. In addition, there should be an archive of previous versions or a change log indicating what has changed in the privacy statement – just 2% of healthcare sites had this, among the lowest of any sector.

Room for Improvement

Healthcare sites did better than average in some areas, but there is room for improvement. Email authentication is one area where healthcare organizations lagged significantly, and adopting more of the Online Trust Alliance’s best practices would help improve this area. Another, though clearly healthcare is not unique in this, is improved privacy statements. Given the sensitivity of the data that healthcare organizations deal with, being both rigorous and open about their privacy practices is strongly encouraged. 


How the Internet Society’s Privacy Statement Stacks Up

For ten years, the Internet Society’s Online Trust Alliance (OTA) has published an annual comprehensive survey of 1,200 sites’ security and privacy practices. The 10th edition of this Audit has now been released. As part of the Audit, we score each site’s privacy statement against 29 criteria, ranging from whether it is linked to on the site’s homepage, to whether it states how the site handles children’s data.

For this blog post, we decided to use the Internet Society’s current privacy statement as an example, to illustrate the criteria used, and to show how a privacy statement fits into the bigger picture of an organization’s privacy practices. A privacy statement is only one piece of an organization’s overall privacy practices – although, as the public-facing piece, it is of course important. Other aspects (which are not included in the OTA survey) include:

  • expressing and committing to a set of overall privacy principles
  • having internal policies and practices that put the public-facing privacy statement into practice
  • internal and external enforcement of the commitments expressed in the privacy statement

There are myriad ways to structure a privacy statement and, to be frank, many privacy statements are written with different goals in mind. As a result, our survey sees a wide range of privacy statements, from single paragraphs to dozens of pages. Where a privacy statement is long, the Audit will score it more favorably if it uses a “layered” approach to improve readability – and this is the approach adopted by the Internet Society’s statement.

A privacy statement can be “layered” in a number of ways, but the usual approach is through something that looks like a table of contents: an introductory section of the statement summarizes its purpose and contents and lists the sections to come. This approach works even better if the list has internal hyperlinks to each corresponding section. In the sites studied, 47% layered their privacy policy in some way. The Internet Society’s statement is relatively unusual in opening with a set of over-arching principles that set out its commitment to respect the privacy of individuals whose personal data it collects.

Other formatting/presentation choices can also make a policy score higher in the survey: for instance, including the date the statement was last updated at the top or bottom of the page and linking clearly to the privacy statement from the organization’s home page. The Internet Society’s statement met both of these criteria (compared with 47% of sites with a date stamp on top and 24% having one at the bottom), and was comparatively rare in its inclusion of links to previous versions of the organization’s privacy statements.

Another presentation-related criterion the Audit checks is the use of icons to tell users about certain functions or kinds of data. For example, some sites use a megaphone icon to indicate that the section is about sharing user data, or a fingerprint symbol to represent biometric data. In general, privacy advocates suggest using icons because they can improve clarity and help with comprehension for users at different reading levels. They can also simplify the policy by making it more visually appealing, as opposed to just pages of text. The icon approach suffers from a lack of standard icons to represent specific functions or data types. The Internet Society’s privacy statement does not currently use icons, and could improve by doing so. Icons are comparatively rare among the sites studied, being used by only 2%.

Some presentation-related criteria in the Audit are more subjective. For example, the EU’s General Data Protection Regulation (GDPR) says that privacy policies should be easy for most users to read. Applying some online analysis tools to the Internet Society’s privacy statement suggests that it has a “fog index” of around 17 – in other words, it can be readily understood by someone educated up to that age. That is probably high for text that is aimed at a general public audience, and therefore an area where some improvement is possible.

We should note, though, that some laws require legal text to be present in the statement, and this can mean including language which is more formal and less easy to read. For example, two parts of the statement are legally required in the United States. The first states whether the site collects data on children under 13 (to comply with the Children’s Online Privacy Protection Act). The Internet Society does fulfill this, along with 67% of sites.

The second relates to Do Not Track. Under current California law the site must notify users of how it responds, technically, to a “Do Not Track” signal from a web browser – though the site is not legally required to honor such a signal (only to say how it responds). The Internet Society’s statement does reference Do Not Track, along with 40% of sites. It does not, however, honor Do Not Track requests. None of the sites in the Audit honor Do Not Track either. We will be publishing a number of blog posts over the coming weeks to explain the steps the Internet Society has taken to minimize the privacy impact of tracking technologies on its sites.

A crucial aspect of any privacy statement is what it says about data sharing, and several of the survey criteria address this concept. In this regard, we look at three main areas.

First, legal obligations to share data. We test against two criteria here. Is the privacy statement clear about cases where the Internet Society may be legally obliged to disclose users’ data? Here, we check whether the statement says that data may be shared with legal authorities if requested. The Internet Society’s statement, along with 90% of sites, does satisfy this test.

The other check is whether the statement says that users will be notified in case of a law enforcement request for data. The Internet Society’s statement does not make this commitment, but that is not unusual. Virtually none of the sites surveyed make such a commitment, and in some jurisdictions there may be cases where the law prevents a data controller from notifying users if a law enforcement access request is made.

Second, data sharing other than as required by law. The Internet Society’s statement does specify the instances where data might be shared with third parties, and it states what purposes such sharing is intended to achieve. Overall, the statement does reflect a clear set of principles and a policy of minimizing data sharing, confining it to stated practical purposes. However, different parts of the statement can be confusing in this area, and there is scope for improvement.

Third, data monetization. The Internet Society’s statement is clear in this regard, stating from the outset that “we will not sell or rent your personal data to others.”

A privacy statement is the main opportunity an organization has to tell all its users, visitors and stakeholders how their data is used, and how that use is governed by their rights. It is also an important part of ensuring that what the organization does with personal data is fair and legal. However, legal requirements and users’ expectations can all evolve over time, so privacy statements are dealing with a moving target and can always be improved. Privacy isn’t a state – it’s a process – and the same goes for privacy statements. They’re never done; they should always be subject to review, refinement, and improvement.

How would your organization do in the Online Trust Audit? Check out the Best Practice Checklist (Appendix E) and use it to improve your site’s security and privacy.