Despite everything that has happened over the last four years, the security posture of the 2020 presidential candidates’ campaign websites is little better and often worse than it was in 2016.
An Online Trust Audit, from the Online Trust Alliance (OTA — part of the Internet Society), examined the visible privacy, website security and consumer protection postures of the current 23 candidates’ campaign sites. Only seven candidates achieved the OTA Honor Roll (that is, with no failures in any of the three areas), but none with flying colors. These seven include Donald Trump and Bernie Sanders, but current Democratic frontrunners Elizabeth Warren and Joe Biden both fail.
Interestingly, the OTA forewarned all the candidates about the publication of this audit, giving them seven days to update their sites. Only one candidate site took up this option — but the update was insufficient to alter its ‘fail’ result.
One worrying aspect of the survey is the extent to which the candidates, treated as a ‘sector’, lag behind a similar 2018 audit of other industry sectors — by a ratio of more than 2:1 in achieving the Honor Roll. For example, 91% of the federal sector and 73% of the financial sector gained the Honor Roll; compared to just 30% of the candidates sector.
The biggest area of failure was in user privacy. Every one of the candidates that did not achieve the Honor Roll failed here. Putting this in context, the average score was 56 with a failure bar set at 60. In the 2018 audit of other sectors, the average score was 70.
The three primary areas of concern over privacy were the lack of a privacy statement (five campaigns had no discoverable statement); an inadequate statement; and too freely sharing user data.
Only one of the sites explicitly said it does not share visitor data with other parties. Many, notes the OTA, said they could share data “…with candidates, organizations, campaigns, groups or causes that we believe have similar political viewpoints, principles or objectives.” This effectively means that the candidates feel able to share visitor data with anyone. This is compounded with a low score on any statement regarding data retention (just 13% of the sites have one) and a zero score on any indication that third parties receiving the data are held to any specific privacy requirement.
The best area was in website security, with no failures. In this area, the candidates outscored (93) all other sectors other than the federal sector (94). The financial sector scored 89. This better posture is likely down to the sites being only recently developed and using providers with the latest technology. So, for example, 100% of the campaigns use AOSSL (always-on SSL), while 58% of the campaigns use the latest TLS 1.3 (more than five times the rate of any other sector).
Nevertheless, despite there being no outright failures in this category, there is still room for improvement. Only 58% of the sites have implemented a web application firewall. “Given that these sites are new, adoption should be higher,” comments the Internet Society. None of the sites provide a means for reporting vulnerabilities, which makes it harder for security researchers to help improve the sites’ security.
Nine percent of the candidates failed in consumer protection. Given the nature and purpose of presidential campaign websites, this really should be none. There is a high adoption of SPF (87%) and DKIM (91%); but two of the websites provide no email authentication at all.
Sixty-one percent of the campaigns have a DMARC record, but only 30% employ ‘enforcement’ (the policy that rejects or quarantines messages that fail authentication). While this compares favorably with other sectors, the simplicity of campaign websites, their recent development, and the nature of their function (collecting funds) means that all should be employing every means possible to protect users from phishing attacks.
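The distinction the audit draws between merely publishing a DMARC record and actually enforcing it (p=quarantine or p=reject) is easy to check from DNS. The following script is an added example, not part of the article or of the OTA's audit tooling: it classifies a domain's email-authentication posture (SPF present, DKIM selector present, DMARC present, DMARC enforcing) from TXT records. The DNS answers, domain names and DKIM selector names are constructed for the example; a real audit would resolve the apex TXT record, `_dmarc.<domain>` and the DKIM selector records instead of reading a dictionary.

```python
"""Classify email-authentication posture (SPF, DKIM, DMARC, DMARC enforcement)
from DNS TXT records.  Added example; DNS data below is constructed."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample answers for hypothetical domains (not real campaign records).
# Keys are DNS names, values are the TXT strings a resolver would return.
SAMPLE_DNS: dict[str, list[str]] = {
    "enforced.example": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.enforced.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example"],
    "s1._domainkey.enforced.example": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB"],
    "monitor.example": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.monitor.example": ["v=DMARC1; p=none; pct=100; rua=mailto:dmarc@monitor.example"],
    "partial.example": ["v=spf1 -all"],
    "_dmarc.partial.example": ["v=DMARC1; p=quarantine; pct=10"],
    "none.example": ["some unrelated txt record"],
}

# The article's definition of enforcement: a policy that quarantines or rejects.
ENFORCING = {"quarantine", "reject"}


@dataclass
class Posture:
    domain: str
    spf: bool = False
    dkim: bool = False
    dmarc: bool = False
    policy: str | None = None
    pct: int = 100            # DMARC default when the pct tag is absent
    enforcement: bool = False
    findings: list[str] = field(default_factory=list)


def parse_dmarc(txt: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into lower-cased tag/value pairs."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain: str, dns: dict[str, list[str]],
           selectors: tuple[str, ...] = ("s1", "default")) -> Posture:
    """Derive the posture of one domain from the (constructed) DNS answers."""
    posture = Posture(domain)

    # SPF lives in the apex TXT record and must start with v=spf1.
    posture.spf = any(t.lower().startswith("v=spf1") for t in dns.get(domain, []))
    if not posture.spf:
        posture.findings.append("no SPF record")

    # DKIM keys are published per selector; the selector names here are assumed.
    # Real tooling would learn selectors from DKIM-Signature headers of received mail.
    posture.dkim = any(
        any(t.lower().startswith("v=dkim1") for t in dns.get(f"{s}._domainkey.{domain}", []))
        for s in selectors
    )
    if not posture.dkim:
        posture.findings.append("no DKIM key found for the checked selectors")

    dmarc_txts = [t for t in dns.get(f"_dmarc.{domain}", []) if t.upper().startswith("V=DMARC1")]
    if not dmarc_txts:
        posture.findings.append("no DMARC record")
        return posture

    posture.dmarc = True
    tags = parse_dmarc(dmarc_txts[0])
    posture.policy = tags.get("p", "").lower() or None
    try:
        posture.pct = int(tags.get("pct", "100"))
    except ValueError:
        posture.pct = 100
    posture.enforcement = posture.policy in ENFORCING

    if not posture.enforcement:
        posture.findings.append(f"DMARC policy '{posture.policy}' is monitoring only")
    elif posture.pct < 100:
        posture.findings.append(f"DMARC enforcement applies to only {posture.pct}% of mail")
    if "rua" not in tags:
        posture.findings.append("no aggregate-report address (rua), so failures go unseen")
    return posture


def summarize(domains: list[str], dns: dict[str, list[str]]) -> dict[str, int]:
    """Count how many domains have each control, like the audit's sector figures."""
    postures = [assess(d, dns) for d in domains]
    return {
        "spf": sum(p.spf for p in postures),
        "dkim": sum(p.dkim for p in postures),
        "dmarc": sum(p.dmarc for p in postures),
        "enforcement": sum(p.enforcement for p in postures),
    }


if __name__ == "__main__":
    for name in ("enforced.example", "monitor.example", "partial.example", "none.example"):
        p = assess(name, SAMPLE_DNS)
        print(f"{name}: dmarc={p.dmarc} policy={p.policy} enforcement={p.enforcement} {p.findings}")
    print(summarize(list({k for k in SAMPLE_DNS if not k.startswith(("_dmarc.", "s1."))}), SAMPLE_DNS))
```

The `monitor.example` case is the one the audit counts as "has a DMARC record but no enforcement": `p=none` only asks receivers to report, so spoofed donation mail is still delivered. The `partial.example` case shows why a reviewer should read `pct` as well as `p`: a quarantine policy applied to 10% of traffic leaves most phishing mail untouched even though the domain technically enforces.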
The results of this survey should concern everyone. “The number of campaigns that failed to pass the 2020 Presidential Campaign Trust Audit is alarming given the increased attention to privacy and security issues over the last four years,” commented Jeff Wilbur, technical director of the Internet Society’s Online Trust Alliance. “The campaigns should make proper handling of their visitors’ information a priority.”
Campaign websites collect personal data from many millions of visitors. Visiting a particular campaign is likely to provide an indication of political affiliation. The combination of personal information and political intentions makes the content of the campaign websites valuable to any party wishing or intending to interfere in the 2020 elections — and that is likely to include a range of nation states.
“One should not underestimate the sophistication of nation-state hacking actors,” said Ilia Kolochenko, CEO of web security firm ImmuniWeb, about the analysis. “They will likely leverage a wide spectrum of attack vectors, including getting the data via careless third-party providers and negligent vendors.” Probably, he added, “attackers have already implemented continuous monitoring of [these] presidential websites to get instant alerts once a software or its component becomes vulnerable… Unfortunately, attackers frequently act faster than security teams and manage to get in within minutes after a security flaw is publicly disclosed or sold on the Dark Web.”
There is another potential concern for the candidates. Many of the sites are likely to be in contravention of the California Consumer Protection Act (CCPA) coming into force in January 2020.