This story is part of CoinDesk’s 2020 election series exploring questions of information integrity, the rights of digital citizens, the power of centralized platforms, and the future of money.
The 2020 campaigns are largely focused on Trump, the progressive versus centrist wing of the Democratic party, and, apparently according to the New York Times, identifying who broke each candidate’s heart.
Meanwhile, foreign states are known to be targeting our election infrastructure, voters are increasingly concerned about the privacy of their data, and talking points about data and big tech have been rallying cries on the campaign trail for everyone from Yang to Sanders and Biden. Whether campaigns are living up to their own talking points is another question entirely. A recent report has found that while the cybersecurity practices of campaign websites hold up to scrutiny, a close reading of privacy policies (or lack thereof) show some campaigns paying the idea of privacy lip service, while simultaneously employing privacy statements that allow for widespread sharing of supporters data.
The Online Trust Audit for 2020 Presidential Campaigns, conducted by the Internet Society’s Online Trust Association (OTA), examined all the presidential candidates’ campaign websites for cybersecurity, consumer protections, and privacy. The report found several campaigns were lacking in key areas, particularly when it came to privacy.
Campaigns either failed, or were placed on the “Honor Roll status.” The latter scored 80 percent or higher on the report’s assessment, with no failure in website security, consumer protections, or privacy. In its initial report, released in October of 2019, the OTA found that 30 percent of the campaigns made the honor roll, while 70 percent did not. That’s worse than nearly every other sector the OTA examined in previous reports, including retailers, banks, and the federal government. The next lowest industry was the health sector, but even there, 57 percent of entities audited made the honor roll.
In that initial report, all the campaigns that failed to make the honor roll had a failure in the privacy category while two of the campaigns also had consumer protection failures.
“Overall, we found that campaigns have strong website security, reasonable email and domain protections, and poor privacy scores,” concluded the report. “Privacy statements are the biggest concern, causing failure for 70 percent of the campaigns.”
The report found that two campaigns had no email authentication at all, which helps recipients verify the sender of a message. But by far the biggest issue was with privacy statements. Four campaigns had no identifiable privacy statement at all, which the report called “inexcusable,” while a number of others included no mention of data sharing (limits or otherwise) or included language that said they’d share data like “like minded entities” or third parties that were not identified (like, say, the Democratic National Committee).
After this initial report, the OTA contacted individual campaigns and offered to explain their scores as well as how to improve it. Several, such as the Warren, Castro, and Delaney campaigns, took them up on this. Others (Biden, Gabbard, Yang) did not.
The result is that when the OTA re-released their scores in December of 2019, the honor roll to failure ratio had shifted from 30-70 to 50-50.
They removed the campaigns that dropped out and bolded the names of those campaigns that had graduated from the failure tier.
“Their data sharing language is either absent or very, very broad,” says Jeff Wilbur, Technical Director of the OTA.
Almost all the privacy statements have a line saying they don’t sell, rent or share your data, he says. And then they go on in several paragraphs to explain all the exceptions to that. In the political realm, this may seem understandable, but Wilbur says it’s still a concern.
“Just because I show an interest in one presidential candidate doesn’t mean that I’m opting in automatically to all the rest of that stuff,” he says. “It seems to be like it’s all or nothing.”
If you were wondering why you randomly started getting urgent emails for fundraising purposes from the RNC or DCCC, it’s likely because you gave money to a campaign, or signed up for email updates from one, and thereby launched your data into a rotating crop of of third party vendors and political organizations who will use it for years to come.
“There is a lot of power and value in the data that’s being collected,” says Maurice Turner, Deputy Director of the Internet Architecture Project at the Center for Democracy and Technology, an advocacy organization ensuring the internet remains open, innovative and free. “Because of the prevalence of opportunities to micro-target, there is a great incentive to collect more data about visitors about donors, and then be able to share those with other networks.”
Multiple campaigns
Turner says voters might just want to support a single candidate, or issue, rather than the Democratic ticket writ large. But by supporting one campaign that has data sharing stipulations in their privacy statements, their information is shared across so many other organizations that they start getting emails and messages from folks they’ve never even heard of before.
Privacy statements like these tend to be boilerplate, according to Turner. Party members are likely to see the same statements over and over again. Campaigns hire a company to run their website, without looking into the details of what the privacy policies entail.
Eftekhari says campaigns need to have a higher level of integrity when it comes to these types of efforts, and people should be given an option to opt out of these information sharing practices.
“I believe these campaigns have an ethical, and in some terms moral obligation to do everything in their power to reasonably defend the privacy and the protection of the data they’re collecting,” says Eftekhari.
There is a tension between achieving the political outcomes people want and maintaining control of personal data and privacy. Putting together a multifaceted political coalition, full of sometimes disparate actors who come from a variety of socioeconomic and demographic, is a big ask. Personal data allows campaigns, PACs, and others effectively to pursue ad campaigns, fundraising, and get out the vote actions. But the lack of clarity or asterisks identified by the OTA in campaigns’ privacy statements show that engaging with even one campaign can open your personal data up to a bevy of other actors, whether you want them to have it or not.
Disclosure Read More
The leader in blockchain news, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups.