Building Trust Privacy Security

Deep Dive: Scoring ISPs and Hosts on Privacy and Security

In April 2019 the Internet Society’s Online Trust Alliance (OTA) released its 10th Annual Online Trust Audit & Honor Roll. The Audit looks at the security and privacy practices of over 1,000 of the top sites on the Internet from retailers to governments. In this post we will take a deeper dive into the ISP/Hosts sector of the Audit. This sector is comprised of the top ISPs and other hosting organizations in the U.S. It includes everything from organizations that provide network access to organizations that host email services.

In the Audit, privacy statements are scored across 30 variables. ISP/Hosts were a decidedly mixed bag compared to other sectors, which tended to do either relatively well or poorly across the board in their statements. (Though to clear, the vast majority of organizations in the Audit had poor privacy statements, it was the most common reason for failure across privacy and security scoring.)

ISP/Hosts fell somewhat short in the presentation of their statements. OTA advocates several best practices that deal with how the privacy statement is displayed to make it as easy as possible for users to understand.

The simplest practice OTA advocates is a link to the privacy statement on the homepage so users can easily find it. Here ISP/Hosts did not fare well, with just 75% having links on their homepage – the lowest of any sector – compared to 89% of sites overall.

Another simple practice is putting a date stamp at the top indicating when the privacy statement was last updated. Here 43% of ISP/Hosts had a date stamp at the top, compared to 47% overall. This number is deceiving, however. Because ISP/Hosts were the lowest of any sector, they brought down the overall average significantly.

Finally, OTA advocates for the use of “layered” statements. The bar for getting points for a “layered” statement is low. This can be achieved with something as simple as a table of contents, to something more complex like an interactive statement or a summary outlining the longer privacy statement.

Just 25% of ISP/Hosts had a layered privacy statement, the lowest of any sector, compared to almost half (47%) of organizations overall. ISP/Hosts may have lagged behind in how they display their privacy statements, but they did much better in the content of the statement.

Specifically ISP/Hosts stood out in data sharing and retention language. Fully 82% of ISP/Hosts had language explicitly saying they did not share user data (except to complete a service for a customer), compared to 67% overall. In addition, 5% had data retention language. This means they explicitly said how long user data is retained and for what purpose. While 5% may seem small, only 2% of organizations had this language at all. In addition, ISP/Hosts were the second highest sector just behind the top 100 Internet retailers at 6%.

ISP/Hosts were right in the middle on one data sharing variable, showing that there is room for improvement in this area. Roughly half of ISP/Hosts (55%) had language stating that they would hold their third-party vendors to the same standards they hold themselves, compared to 57% of organizations overall. OTA advocates this practice because any organization that uses vendors must hold those vendors accountable. If a vendor abuses user data, and has a written agreement with an organization, that organization could be held liable for the vendor’s behavior.

ISP/Hosts privacy statements show that OTA standards are generally easy to meet. Small changes in these statements can go a long way to helping users understand the information being conveyed. These changes will also become increasingly important to keep up with the rapidly changing landscape of privacy laws and regulations around the world.

How would your organization do in the Audit? Read the report to see how you’d stack up, and use it to improve your site’s security and privacy. Then view the infographic or watch the recap video to learn more!

Building Trust Privacy Security

Deep Dive: U.S. Federal Government’s Security and Privacy Practices

In April 2019, the Internet Society’s Online Trust Alliance released its 10th Annual Online Trust Audit & Honor Roll. The Audit looks at the security and privacy practices of over 1,000 of the top sites on the Internet, from retailers to government sites. In this post we will take a deeper dive into the U.S. Federal Government sector of the Audit. The Government sector is defined as the top 100 sites in the U.S. Federal Government by traffic (based on Alexa ranking). Given the nature of the U.S. Government compared to companies, this sample has some unique properties, namely site security.

The most obvious place the government excels is in the area of encryption. The reason for this is largely due to a mandate from the Homeland Security Department that all U.S. Government sites be encrypted, but the standard should still be the same for any site. Put another way, the other sectors in the Audit do not have an excuse for lagging in security.

In site security the Government sector fared the best with 100% adoption of “Always-On Secure Socket Layer” (AOSSL) and/or “HTTP Strict Transport Security” (HSTS), compared to 91% of sites overall. The health sector fared the worst with 82% of sites using these technologies. Both technologies ensure that traffic on the website is encrypted.

Most sites in the Audit fared well in these areas, but the Government sector was the only one to achieve 100% adoption of these technologies. From OTA’s perspective all sites should be adopting these technologies and while it is encouraging that the U.S. Federal Government (or at least the top 100 sites) have, it is discouraging that all of the other sectors are not reaching the 100% adoption rate.

In addition, the Government sector saw improvement over time. All sectors improved somewhat, but the Federal Government was the only one to cross the finish line. Here again it is important to note that the Federal Government is unique in some ways. Homeland Security can simply mandate encryption and it happens. Companies and other types of organizations may not be as straightforward, but that is not an excuse not to work towards full encryption.

In 2017, 91% of Federal Government sites were encrypted, up to 100% this year as noted above. Other sectors improved as well. ISP/Hosting sites went from 70% in 2017 to 91% in 2018. Banks, a sector where encrypting website traffic is particularly important given the types of data sent over those sites, also saw a marked improvement. In 2017 just 76% of banks encrypted their sites. In 2018 that number jumped to 91%.

Despite improvements across the board in site encryption, banks are a good example of where improvement is not enough. The Government sector sets the standard. The lesson for all organizations from the success of the U.S. Federal Government is simple. It’s possible to encrypt large numbers of sites quickly – and it’s in the interest of any organization to do so.

How would your organization do in the Audit? Read the report to see how you’d stack up, and use it to improve your site’s security and privacy. Then view the infographic or watch the recap video to learn more!

Building Trust Privacy Security

Deep Dive: How Does the Consumer Sector Score on Privacy and Security?

In April 2019 the Internet Society’s Online Trust Alliance released its 10th annual Online Trust Audit & Honor Roll. The Audit looks at the security and privacy practices of over 1,000 of the top sites on the Internet from retailers to government sites. In this post we will take a deeper dive into the Consumer section of the Audit. The Consumer section is a diverse set of sites including travel sites, hotels, and dating sites (see the methodology of the report for the full list).

In 2018 the Consumer section improved its standings with 85% making the honor roll, up from 76% in 2017. This was largely due to improvements in email security. Despite these gains in overall email security, TLS 1.3 adoption was actually down in 2018 (largely due to a change in the list of retail sites). Despite this OTA advocates the adoption of TLS 1.3.

Where these sites did stand out, compared to other sectors, was in privacy scores. Overall, the Consumer sector scored 43 out of 55 on their privacy tracker score, among the highest of any sector, and 33 out of 55 on their privacy statement, also among the highest.

The Consumer section privacy statements were exemplary in a few ways. First, the Consumer section had the highest score in the use of archives for their privacy statements, 12% of consumer sites had archives, the highest of any sector in the Audit.

OTA advocates this practice so users can see what changes were made to the privacy statement over time, without having to compare past statements on their own. This is a transparency issue. Privacy statements change constantly and it helps the organization to give users an easy way to see those changes.

Second, the Consumer section also stood out in data sharing language. 68% of Consumer sites had language they do not share data with third parties, among the highest of any sector. In addition, only 39% had language that they share data with “affiliates.”

“Affiliate” language is about sharing data within a corporate family, as opposed to entirely third parties. While obviously common practice, OTA advocates that organizations be more open about their data sharing practices, even among the corporate family.

Finally, the Consumers section scored among the highest with language explicitly saying that they hold their vendors to the same standards as themselves. In short, this is about holding any vendor that might hold data to the same data privacy standards as an organization would hold itself.

Overall, 74% of Consumer sites had language indicating they held their vendors to their own standards. This compares to 50% overall, well above the average for the entire sample. OTA advocates language like this because often data breaches happen with third party vendors, as opposed to the main organization itself, and therefore it is important that any organization make it clear that they hold all of their partners to the same standards they hold themselves.

How would your organization do in the Audit? Read the report to see how you’d stack up, and use it to improve your site’s security and privacy. Then view the infographic or watch the recap video to learn more!

Building Trust Privacy Security

Deep Dive: How the News and Media Sector Scores on Security and Privacy

In April 2019 the Internet Society’s Online Trust Alliance released its 10th annual Online Trust Audit & Honor Roll. The Audit looks at the security and privacy practices of over 1,000 of the top sites in various sectors. The news and and media sector, comprised of the top 100 news and media sites according to US traffic to their websites, improved its privacy practices in 2018. Like most sites, however, there is still room for improvement in privacy statements.

In 2017 less than half (48%) of news and media sites made the Honor Roll. In 2018 that number went up significantly to 78%, largely due to improvements in privacy statements. Privacy is scored in two ways in the Audit, we look at trackers on each site and we score the privacy statements across over 30 criteria.

One area where news sites did not improve was in the use of trackers on their site. Out of all the sectors news and media scored the lowest in trackers with a score of 39 (out of 45). Part of the reason for this is the news and media sector relies on advertising revenue, which often requires the use of trackers to serve ads.

On the positive side, news and media fared well in the use of tag management systems and privacy solutions, with 69% of news and media sites using these technologies. Tag management systems and privacy solutions help manage third-party data collection and data sharing in real time.

On the bright side, however, news and media sites did improve their privacy statements. On statements, news and and media scored near the top with a score of 32 out of 55, second only to the consumer section.

First, news and media sites improved the readability of their statements, with 71% using layered notices up from 42% in 2017. A layered notice can be anything from a simple table of contents to a summary version of the longer privacy policy. OTA advocates the use of layered statements to help users understand the privacy statements and find information they may be looking more for easily.

One area for improvement, however, is in the use of icons and multilingual policies. Just 1% of news and media sites used icons to indicate what information is being conveyed in a section of the privacy policy. OTA advocates the use of icons to help users of various reading comprehension levels understand the information in the statement. In addition, only 5% had privacy statements in multiple languages. To be fair this is not unique to news and media. Few sites in the Audit use either icons or have multilingual policies.

Second, news and media sites improved their sharing language. Overall, 60% of news and media sites had language that they do not share user data with third parties, up from 53% in 2017. In addition, most (85%) news and media sites indicated that they hold those they do share data with to the same standards they hold themselves.

Finally, this year’s Audit tracked some aspects of GDPR (which went into effect in spring 2018) in order to gauge adoption of certain GDPR principles. To be clear, at the time of this Audit’s data collection many of the sites were not required to follow GDPR as they are largely U.S.-based organizations.

Since this Audit’s data collection period, more regulations have been put in place around the world, such as the California Consumer Privacy Act (CCPA), that mirror many of the principles OTA measured. Here news and media did not fare as well. For example, one GDPR requirement is that privacy statements be easy for most consumers to read and understand. Here the news and media sector fared the worst with just 8% being easy to read. On the plus side 70% of news and media sites offered a direct contact for users to address their privacy concerns. (In GDPR parlance this is a Data Protection Officer, but in the U.S. one is not required at the moment.)

It is encouraging to see improvement in the news and media sector’s privacy statements. It is also true, however, that given the shifting privacy regulations around the world these improvements will need to continue if news and media sites want to stay ahead of regulatory changes.

How would your organization do in the Audit? Read the report to see how you’d stack up, and use it to improve your site’s security and privacy. Then view the infographic or watch the recap video to learn more!

Building Trust

Deep Dive: A Look at Top Retailers’ Security Practices

In April 2019 the Internet Society’s Online Trust Audit released its 10th Online Trust Audit and Honor Roll. One of the longest-running sectors covered in the Audit is online retailers. In this blog post we will look at the top 500 online retailers in the US based on online sales and how they fare in security best practices advocated by OTA.

Overall 65% of online retailers in the top 500 made the honor roll this year, a marked improvement over 2017 when just over half (51%) did. With the upcoming holidays many consumers will be doing much of their shopping online, therefore it is more important than ever that any online retailer practices good email and site security. After all, consumers are sending highly-sensitive data like credit cards and addresses at a much higher rate during the holidays.

In site security retailers fared well, as did most sites. Fully 92% of the top 500 online retailers has AOSSL/HSTS on their sites (virtually the same as 91% of sites overall). The good news this year is that this is a significant increase over the the 38% that had AOSSL/HSTS in 2017. The bad news is that the fact that this is not 100% of these top online retailers is still concerning given the information consumers enter into these sites when they shop.

In email-security most retailers also did well. Two technologies, SPF and DKIM, help ensure that users’ are not receiving forged or spoofed emails from a retailer. Fully 86% of retailers implemented SPF (compared to 89% of organizations overall). Here again the trend is positive, in 2018 75% of online retailers had SPF. In another positive trend, DKIM adoption also rose in 2018. In 2018 83% had DKIM, up significantly from 53% in 2017. Where retailers did not do well in email security, however, was DMARC.

DMARC adds on to SPF and DKIM telling email servers what to do when an email fails to be authenticated. Just 34% of online retailers implemented DMARC, well below the 50% of sites overall. In addition there was little improvement over 2017 when 33% had implemented this technology. This lack of improvement in DMARC is disappointing for online retailers given they have improved in other areas.

It is no longer the case that only tech companies need to be concerned about data security. All companies run on data, retailers more so than ever. Not securing your consumer facing site with SSL is unacceptable in 2019, as is not using proper email authentication technology. No business is immune from breaches and users need know their information is safe when making online purchases.

How would your organization do in the Audit? Read the report to see how you’d stack up, and use it to improve your site’s security and privacy. Then view the infographic or watch the recap video to learn more!

Building Trust Privacy Security

Deep Dive: How Do Banks Score on Privacy and Security?

In April 2019 the Internet Society’s Online Trust Alliance published its 10th annual Online Trust Audit & Honor Roll assessing the security and privacy of 1,200 top organizations. The Banking sector includes the top 100 banks in the U.S., based on assets according to the Federal Deposit Insurance Corporation (FDIC). Banks had a standout year, with a dramatic increase in scores across the board. Let’s take a closer look.

Overall, 73% of banks made the Honor Roll, putting the banking sector 4th behind the News and Media (78%), Consumer Services (85%), and the U.S. Federal Government (91%) sectors. In the previous Audit, only 27% made the grade. This large jump is due to improvements in all three scoring categories: email authentication, site security, and privacy.


Banks, like most sectors, came close to 100% adoption in the two main email security technologies studied in the Audit: SPF (93%) and DKIM (87%). In addition, banks saw a marked improvement in how many sites implemented both both technologies at 87% in 2018, up from 60% in 2017. This puts banks among the most improved sectors in this area.

DMARC builds on SPF and DKIM results, provides a means for feedback reports and adds visibility for receivers on how to process messages that fail authentication. Banks also did well in DMARC adoption, with the second highest adoption rate (70%) of any sector, second only to the U.S. Federal Government (93%).

Site Security

Though banks did well in overall site security (and led in areas such as lowest occurrence of cross-site scripting), there were a few areas for improvement. They had by far the highest rate of malware on the sites (10%, vs an overall average of 2%). They also had one of the lowest adoption rates for presence of a vulnerability reporting mechanism (6% vs an overall average of 11%). In light of recent large data breaches, it is especially important to provide a way for security researchers to report vulnerabilities in an efficient way.


Like most sectors, banks did not fare well in privacy. The Audit tracks privacy in two ways: by the number of trackers on a site, and by analyzing the site’s privacy statement. In terms of trackers, banks did well. They were among the top scorers with 44 of 45 available points. (The score is derived using publicly available software to analyze how many trackers each site uses, the fewer bad trackers, the higher the score.) Though there was marked improvement from the prior Audit, banks still lagged, like most sites, in their privacy statements. Banks had a privacy statement score of only 25 out of 55, towards the low end of the spectrum.

The primary cause of failures was in sharing and data retention language. Only 22% of banks had language about data sharing, lower than the overall average across sectors. While most sites fared poorly in data retention language, banks were particularly bad. No banks had satisfactory data retention language in their privacy statement. Given the sensitivity of data that banks have, it is important that there be some kind of data retention language.

Learn More

How would your organization do in the Audit? Check out Appendix E – the Best Practice Checklist – to see how you’d stack up, and use it to improve your site’s security and privacy. Then read the report, view the infographic, or watch the recap video to learn more!

Building Trust Privacy

Privacy Regulations Are Evolving: Are Organizations Ready?

Privacy statements are both a point of contact to inform users about their data and a way to show governments the organization is committed to following regulations. On September 17, the Internet Society’s Online Trust Alliance (OTA) released Are Organizations Ready for New Privacy Regulations? The report, using data collected from the 2018 Online Trust Audit, analyzes the privacy statements of 1,200 organizations using 29 variables and then maps them to overarching principles from three privacy laws around the world: General Data Protection Regulation (GDPR) in the European Union, California Consumer Privacy Act (CCPA) in the United States, and Personal Information Protection and Electronics Document Act (PIPEDA) in Canada. 

In many cases, organizations lack key concepts covering data sharing in their statements. Just 1% of organizations in our Audit disclose the types of third parties they share data with. This is a common requirement across privacy legislation. It is not as onerous as having to list all of the organizations; simply listing broad categories like “payment vendors” would suffice. 

Data retention is another area where many organizations are lacking. Just 2% had language about how long and why they would retain data. Many organizations have statements like, “we retain user data for as long as it is needed.” This type of statement is not specific enough for many regulations. 

Other concepts cover users’ ability to interact with their data. Two relative bright spots are that 70% of organizations did include contact information and 50% included information on how users could get information about their data. However, virtually none included this information to the level of detail often required by laws like GDPR. 

For example, while most did have a point of contact, it was rare that the contact was specifically about privacy or to a Data Protection Officer (DPO). It was usually a generic contact email address. OTA’s standard is lower given that most of the organizations in the Audit are in the U.S. and were not held to this higher standard by U.S. law at the time of data col

Finally, OTA advocates, and many privacy laws require, that statements meet certain standards of readability. One simple practice, advocated by the OTA, that can help users navigate complex privacy statements is “layering.” This can be achieved in many ways, from a table of contents to a summary of the principles in the longer statement. Just under half (47%) of companies used layered statements. 

Many of the practices OTA advocates are relatively simple to implement and would go a long way to helping organizations navigate the changing privacy landscape. Read our full report to see the full range of practices advocated by the OTA and how they map to privacy concepts, or view the infographic for a quick reference to some of the findings. For more detail on the data and the methodology we used to generate the standings, see the Online Trust Audit and Honor Roll.

Building Trust Privacy Security

Deep Dive: How Healthcare Organizations Practice Privacy and Security

In April, the Online Trust Alliance published the 11th annual Online Trust Audit assessing the security and privacy of 1,200 top organizations across several industry sectors. For the first time, this year’s Audit covered 100 of the top healthcare organizations, including lab testing companies, pharmacies, hospital chains, and insurance providers. 

How did they do?

Since this is the first year these organizations were included, we do not have historical comparisons, but we can compare how healthcare sites fared against the other audited sectors. Overall, 57% of healthcare sites made this year’s Honor Roll, the lowest of all the sectors we studied. By far the most common reason for failure in the healthcare sector was weak email security (35%, nearly triple the overall average). Failure due to privacy was better than average, while failure due to site security was slightly worse than average. 

Email Security

SPF and DKIM help protect against forged email. Overall 87% of healthcare organizations had SPF on their top-level domain and 67% had DKIM (the lowest of any sector, and the main source of healthcare’s failing scores).  DMARC builds on SPF and DKIM results, provides a means for feedback reports, and adds visibility for receivers on how to process messages that fail authentication. Forty-eight percent of healthcare organizations had a DMARC record, which was slightly below the overall average.

To learn more, check out our email authentication and security resources

Site Security

Here, healthcare sites did better, but still scored the lowest of all sectors. Healthcare sites averaged 86 points on site security (out of a possible 100 points, tied for lowest), with 82% forcing all sessions to be encrypted (the lowest of all sectors). 

Some site security highlights for healthcare organizations were their higher-than-average adoption of TLS1.3, the latest encryption protocol, and the low reported rate of cross-site scripting vulnerabilities (8% versus an overall average of 21%). Lowlights were use of a web application firewall (the lowest by far at 30% versus an overall average of 71%), and lack of a vulnerability reporting mechanism (3% versus an overall average of 11%).

Privacy Statements

Healthcare sites had an above average score for both their overall privacy assessment (73 points out of 100), and their privacy statements themselves (29 of the available 55). Though these are not impressive scores, they are still better than many other sectors. For the other half of the overall privacy score – trackers – healthcare organizations scored well (44 of the available 45 points), slightly higher than the overall average. Finally, 80% of the sites had tag management systems, which is well above the overall average of 71%. 

The most important aspect of any privacy statement is conveying to users how their data is collected and if it is shared with other organizations. 95% of healthcare sites had language saying that they do not share data with third parties, among the highest of any sector. In addition, 5% had language explicitly stating that they do not share with affiliates. 

Another important aspect of data sharing is ensuring that an enterprise holds its third-party vendors to the same standards it holds itself. This is important because data breaches or unauthorized access to data often begin with a third party – 61% of healthcare sites had language conveying this, which is slightly above the overall average. A related concept to data sharing is data retention. Ideally any enterprise should have language indicating how long and for what purpose it retains any data it collects – 4% of healthcare sites had this statement, which is among the highest across sectors. 

Some of the variables we track ensure that a privacy statement is easily readable by consumers. The first is if the statement is “layered,” which 44% of healthcare sites had. There are many ways to layer a statement, from a simple table of contents to a fully interactive statement with several layers. Using icons to indicate to consumers the information being conveyed in a non-text based way is another practice we advocate to help all consumers understand what they are reading; only 4% of healthcare sites used some kind of icon in their privacy statements (though only 6% of sites overall did this). Finally, we advocate that sites have the privacy statement available in multiple languages – 6% of healthcare sites had this option, slightly higher than sites overall (4%).  

We also encourage some simple practices that can ensure consumers know the information on the privacy statement is up to date, and what has changed. Sites should have a date stamp, ideally at the top of the privacy statement page, which 29% of healthcare sites had. In addition there should be an archive to indicate somehow changes made to the privacy statement – just 2% of healthcare sites had this, among the lowest of any sector. 

Room for Improvement

Healthcare sites did better than average in some areas, but there is room for improvement. Email authentication is one area where healthcare organizations lagged significantly, and adopting more of the Online Trust Alliance’s best practices would help improve this area. Another, though clearly healthcare is not unique in this, is improved privacy statements. Given the sensitivity of the data that healthcare organizations deal with, being both rigorous and open about their privacy practices is strongly encouraged. 

Building Trust

Internet Society’s Online Trust Alliance 2018 Cyber Incidents & Breach Trends Report

On Tuesday July 9, 2019 the Internet Society’s Online Trust Alliance (OTA) released its 11th Cyber Incident & Breach Trends report, which provides an overview of cyber incidents – and offers steps organizations can take to prevent and mitigate the potential damage. This year’s report found a shifting landscape of cyber incidents. As the growth of some attack types levels off, others increase.

Adding it all up, OTA estimates that there were more than 2 million cyber incidents in 2018, and it is likely that even this number significantly underestimates the actual problem. OTA estimates an overall financial impact of at least $45 billion worldwide. The lead categories of attacks are cryptojacking (1.3 million) and ransomware (500,000), followed by breaches (60,000), supply chain (at least 60,000 infected websites), and Business Email Compromise (20,000).

There are many organizations that track data breaches overall. For example, Risk Based Security Reported the highest number at 6,515 breaches and 5 billion exposed records, both down from 2017. These estimates vary depending on their methodologies – see our full report for all of the breach estimates and our methodology.

One well-established attack type, ransomware, saw a decline in 2018. However, the total dollar value of these attacks continues to grow. Another well-known attack is Distributed Denial of Service (DDoS). Examples of successful DDoS attacks in 2018 range from banking (ABN AMRO) to education (Infinite Campus) to email services (ProtonMail) to software services (GitHub).

Business Email Compromise, where employees are deceived into sending funds to attackers posing as employees of a firm, also grew. The FBI’s 2018 Internet Crime Report reported more than 20,000 incidents in the U.S., resulting in nearly $1.3 billion in losses (an increase from approximately 16,000 incidents and $677 million in losses in 2017).

New to this year’s report is cryptojacking, which saw a marked increase in 2018. Trend Micro detected more than 1.3 million instances of cryptojacking code in 2018, a greater than three-fold increase from 2017. Supply chain attacks, also new to the report, grew as well. Symantec’s Internet Security Threat Report reported a 78% growth in supply chain attacks.

Other attack categories are based on the shifting infrastructure of the Internet. Many businesses rely on cloud services for some or all of their operations and as a result have become a target for attacks. One estimate by research firm Digital Shadows found that in 2018 there were 1.5 billion files exposed around the world solely due to misconfigurations in cloud services.

IoT devices are increasingly becoming tools to carry out various types of attacks, from DDoS to cryptojacking. Kaspersky Labs reported that in the first half of 2018 they saw a three-fold increase in the number of malware variations used to attack IoT devices.

But the report offers advice on how organizations can better prevent and mitigate cyber incidents. Organizations can use the OTA IoT Trust Framework to help make the entire IoT ecosystem safer. They can also follow the recommendations in the Cyber Incident & Breach Trends report.

While the landscape of cyber incidents is both vast and shifting – and may include new attack types – the guidance offered in the report remains largely unchanged. Organizations must remain vigilant and assume that at some point they will have to deal with a cyber incident. Following the recommendations in the Cyber Incident & Breach Trends report is a good first step.

About Internet Society Building Trust Privacy

How the Internet Society’s Privacy Statement Stacks Up

For ten years, the Internet Society’s Online Trust Alliance (OTA) has published an annual comprehensive survey of 1,200 sites’ security and privacy practices. The 10th edition of this Audit has been released and can be found here. As part of the Audit, we score each site’s privacy statement against 29 criteria, ranging from whether it is linked to on the site’s homepage, to whether it states how the site handles children’s data.

For this blog post, we decided to use the Internet Society’s current privacy statement as an example, to illustrate the criteria used, and to show how a privacy statement fits into the bigger picture of an organization’s privacy practices. A privacy statement is only one piece of an organization’s overall privacy practices – although, as the public-facing piece, it is of course important. Other aspects (which are not included in the OTA survey) include:

  • expressing and committing to a set of overall privacy principles
  • having internal policies and practices that put the public-facing privacy statement into practice
  • internal and external enforcement of the commitments expressed in the privacy statement

There are myriad ways to structure a privacy statement and, to be frank, many privacy statements are written with different goals in mind. As a result, our survey sees a wide range of privacy statements, from single paragraphs to dozens of pages. Where a privacy statement is long, the Audit will score it more favorably if it uses a “layered” approach to improve readability – and this is the approach adopted by the Internet Society’s statement.

A privacy statement can be “layered” in a number of ways, but the usual approach is through something that looks like a table of contents: an introductory section of the statement summarizes its purpose and contents and lists the sections to come. This approach works even better if the list has internal hyperlinks to each corresponding section. In the sites studied, 47% layered their privacy policy in some way. The Internet Society’s statement is relatively unusual in opening with a set of over-arching principles that set out its commitment to respect the privacy of individuals whose personal data it collects.

Other formatting/presentation choices can also make a policy score higher in the survey: for instance, including the date the statement was last updated at the top or bottom of the page and linking clearly to the privacy statement from the organization’s home page. The Internet Society’s statement met both of these criteria (compared with 47% of sites with a date stamp on top and 24% having one at the bottom), and was comparatively rare in its inclusion of links to previous versions of the organization’s privacy statements.

Another presentation-related criterion the Audit checks is the use of icons to tell users about certain functions or kinds of data. For example, some sites use a megaphone icon to indicate that the section is about sharing user data, or a symbol of a fingerprint to represent biometric data. In general privacy advocates suggest using icons because it can improve clarity and helps with comprehension for users at different reading levels. It can also simplify the policy by making it more visually appealing, as opposed to just pages of text. The icon approach suffers from a lack of standard icons to represent specific functions or data types. The Internet Society’s privacy statement does not currently use icons, and could improve by doing so. Icons are comparatively rare among the sites studied, being used by only 2%.

Some presentation-related criteria in the Audit are more subjective. For example, the EU’s General Data Protection Regulation (GDPR) says that privacy policies should be easy for most users to read. Applying some online analysis tools to the Internet Society’s privacy statement suggests that it has a “fog index” of around 17 – in other words, it can be readily understood by someone educated up to that age. That is probably high for text that is aimed at a general public audience, and therefore an area where some improvement is possible.

We should note, though, that some laws require legal text to be present in the statement, and this can mean including language which is more formal and less easy to read. For example, two parts of the statement are legally required in the United States. The first states whether the site collects data on children under 13 (to comply with the Children Online Privacy Protection Act). The Internet Society does fulfill this, along with 67% of sites.

The second relates to Do Not Track. Under current California law the site must notify users of how it responds, technically, to a “Do Not Track” signal from a web browser – though the site is not legally required to honor such a signal (only to say how it responds).  The Internet Society’s statement does reference Do Not Track, along with 40% of sites. It does not, however, honor Do Not Track requests. None of the sites in the Audit honor Do Not Track either. We will be publishing a number of blog posts over the coming weeks to explain the steps the Internet Society has taken to minimize the privacy impact of tracking technologies on its sites.

A crucial aspect of any privacy statement is what it says about data sharing, and several of the survey criteria address this concept. In this regard, we look at three main areas.

First, legal obligations to share data. We test against two criteria, here. Is the privacy statement clear about cases where the Internet Society may be legally obliged to disclose users’ data? Here, we check whether the statement says that data may be shared with legal authorities if requested. The Internet Society’s statement, along with 90% of sites, does satisfy this test.

The other check is whether the statement says that users will be notified in case of a law enforcement request for data. The Internet Society’s statement does not make this commitment, but that is not unusual. Virtually none of the sites surveyed make such a commitment, and in some jurisdictions there may be cases where the law prevents a data controller from notifying users if a law enforcement access request is made.

Second, data sharing other than as required by law. The Internet Society’s statement does specify the instances where data might be shared with third parties, and it states what purposes such sharing is intended to achieve. Overall, the statement does reflect a clear set of principles and a policy of minimizing data sharing, confining it to stated practical purposes. However, different parts of the statement can be confusing in this area, and there is scope for improvement.

Third, data monetization. The Internet Society’s statement is clear in this regard, stating from the outset that “we will not sell or rent your personal data to others.”

A privacy statement is the main opportunity an organization has to tell all its users, visitors and stakeholders how their data is used, and how that use is governed by their rights. It is also an important part of ensuring that what the organization does with personal data is fair and legal. However, legal requirements and users’ expectations can all evolve over time, so privacy statements are dealing with a moving target and can always be improved. Privacy isn’t a state – it’s a process – and the same goes for privacy statements. They’re never done; they should always be subject to review, refinement, and improvement.

How would your organization do in the Online Trust Audit? Check out the Best Practice Checklist (Appendix E) and use it to improve your site’s security and privacy.

Building Trust Events Privacy

Privacy First for Security Companies

Privacy has become a major issue around the world. Hopeful presidential candidates, such as Elizabeth Warren, have proposed privacy legislation and European countries are beginning to issue their first judgements based on GDPR violations. Given this evolving environment, the Internet Society participated in a panel on data privacy at the ISC-West conference on 11 April 2019.

The conference was sponsored by ADT, one of the largest home security companies and an Internet Society organizational member. The panel included Frank Cona from ADT, Dylan Gilbert from Public Knowledge, Brandon Board from Resideo, and Kenneth Olmstead from the Internet Society.

The discussion focused on two main themes. The first was that in the data-driven economy, user agency is more important than ever. Users must be able to ask companies what data they have about them and be able to update or delete that data. The second was that companies must put privacy at the forefront of their business practices. Privacy cannot be an afterthought, but must be the starting point.

There was not consensus among panelists regarding whether there will be Federal privacy legislation at some point, but it was clear that the security industry should do its best to implement privacy practices, regardless of regulation. All panelists agreed that privacy can be a market differentiator – it is in companies’ interest to protect their users’ data.

Home security companies, like ADT, are in an interesting position given that the data they can collect is unique. Security systems can monitor who is in the home, when they come and go, and even where they are in the home (among many other data points). The panelists from the industry made it clear that their companies are keenly aware of this and that protecting user privacy given the sensitivity of this data is paramount.

An interesting question from the audience was whether there is a company or organization that offers a “trustmark” of sorts to help companies show that their privacy practices are robust. Here again the consensus of the panel was that no such mark exists at the moment, but it would be helpful to both consumers and companies if it did. It would, in effect, give users information about which companies to trust with their data and help companies communicate to their users that their data privacy practices are effective.

The Internet Society’s position on these issues is clear. Data privacy is extremely important to ensuring trust in the Internet itself. The home security industry relies on the Internet to provide  service, and as a result has a vested interest in protecting user data and ensuring that users can be confident their data is safe.

We encourage manufacturers and service providers in the home security industry to follow the principles in our IoT Trust Framework, which outlines security and privacy best practices for devices, mobile apps, and backend services comprising today’s IoT solutions.  Working with Consumers International and Mozilla, we recently called on big retailers in the US like Target, Walmart, Best Buy, and Amazon to publicly endorse and apply our minimum security and privacy guidelines and stop selling insecure connected devices. In addition, tomorrow (16 April), we’re releasing our 10th annual Online Trust Audit & Honor Roll, which assesses 1,200 organizations and recognizes excellence in consumer protection, data security and responsible privacy practices. Read more about it tomorrow.

Building Trust

New Report: Major Online Retailers Increase Email Marketing Trustworthiness and Follow Unsubscribe Best Practices

Author: Kenneth Olmstead

Today, the Internet Society’s Online Trust Alliance released its fifth annual Email Marketing & Unsubscribe Audit. OTA researchers analyzed the email marketing practices of 200 of North America’s top online retailers and, based on this analysis, offered prescriptive advice to help marketers provide consumers with choice and control over when and what messages they receive. The Audit assesses the end-to-end user experience from signing up for emails, to receiving emails, to the unsubscribe process and its results.

In the 2018 Audit, seventy-four percent of the top online retailers received “Best of Class” designation, meaning they scored eighty percent or higher in OTA’s analysis of their email marketing. In addition, ten retailers received perfect scores, meaning they adopted all twelve of OTA’s best practices. They are: Dick’s Sporting Goods, Home Depot, Lands’ End, Musician’s Friend, Office Depot, OpticsPlanet, Sierra Trading Post, Staples, Talbots, and Walgreens.

In the subscribe process there were several positive findings. The percentage of sites that had subscribe forms that were easy for the user to find was 94% in 2018, up from 85% in 2017. In addition, one-quarter of sites offered incentives such as free shipping to entice users to subscribe, down slightly from 28% in 2018.

Another positive note from this year’s audit was email security. The use of Sender Policy Framework (SPF), a technology used to detect forged email addresses and prevent malicious emails such as phishing attempts, was used by 100% of the sites audited. DomainKeys Identified Mail (DKIM), a similar technology used to help authenticate the sender of an email, also reached 100%. Adoption of similar security technologies such as DMARC and TLS also improved significantly in 2018. All of these technologies help protect users when subscribing to retailers’ emails.

An area for concern in the signup process, however, is the low percentage of retailers asking users to provide geographic information (just 14% of sites). Collecting geographic information is important as regulations evolve around the world, such as GDPR in the EU. It is in retailers’ interest to collect geographic information to properly segment their users depending on the regulatory regime where each user resides.

In the unsubscribe process the vast majority of retailers not only adhered to most of OTA’s unsubscribe best practices, but went well beyond the requirements laid out in regulations such as CAN-SPAM or CASL. Fully eighty-four percent of retailers had unsubscribe links in their emails that were clear and easy to find, a significant increase from 76% in 2017. In addition, the vast majority of sites (89%) immediately honor unsubscribe requests, i.e. the user receives no further emails after unsubscribing.

The full report and an infographic are available at We encourage you to read the report and, if you are involved in email marketing or retail, apply the OTA’s unsubscribe best practices for your organization.