Categories
Building Trust Encryption Privacy Security Strengthening the Internet

This Data Privacy Day It’s the Little Things That Count

Today we’re celebrating Data Privacy Day, which is all about empowering people and organizations to respect privacy, safeguard data, and enable trust.

Let’s face it, protecting your privacy can feel overwhelming. It can seem like we conduct our entire lives online and it’s hard not to notice headlines about our privacy being undermined, like law enforcement trying to gain access to encrypted data. But whether you know it or not, you’re making choices about what you share and how you share it each day. These seemingly-small actions can make a big impact.

You might already be doing some of these, but here are six actions you can take to protect your privacy:

  • Use end-to-end encrypted messaging apps. Switch to messaging apps that encrypt end to end, such as WhatsApp, Signal, and Threema. Note that Telegram only encrypts end to end in its optional Secret Chats, not in ordinary or group chats, and that apps differ in how much metadata they keep about who talks to whom, so read the reviews and check the defaults before you trust one.
  • Turn on encryption on your devices or services. Some devices or services offer encryption but do not enable it by default, such as full-disk encryption on a laptop or encrypted backups. Check the settings and make sure it is turned on.
  • Use strong passwords. Do not just use a default password, a simple guessable password, or a password that uses personal information, such as your pet’s name. No matter how strongly your device or application is encrypted, if someone can figure out your password – they can access your data.
  • Keep up with updates. No system is perfectly secure. Security vulnerabilities are always being discovered and fixed with updates. That’s why it is so important to keep up with updates to your applications, devices and services. The update could be fixing a vulnerability and making you safer!
  • Turn on two-factor log-in (2FA). Two-factor log-in adds another factor (a code from an authenticator app, a hardware security key, or a bank-style security fob) to your usual log-in process (e.g. a username and password). Adding another factor makes it much harder for criminals to access your data even if they learn your password. Where you have a choice, prefer an authenticator app or a security key over codes sent by SMS, which can be intercepted by taking over your phone number.
  • Turn on erase-data options. Some smartphones and services have an option that will erase your data after a set number of failed unlock attempts (ten is a common setting). Turn this on to protect yourself from thieves or if you lose your phone, and keep a backup so that a wipe costs you nothing.

This Data Privacy Day, join the global community of people who are taking steps to secure our data. Your small actions can make a big difference!



Categories
Building Trust Privacy Security

Deep Dive: Scoring ISPs and Hosts on Privacy and Security

In April 2019 the Internet Society’s Online Trust Alliance (OTA) released its 10th Annual Online Trust Audit & Honor Roll. The Audit looks at the security and privacy practices of over 1,000 of the top sites on the Internet from retailers to governments. In this post we will take a deeper dive into the ISP/Hosts sector of the Audit. This sector is comprised of the top ISPs and other hosting organizations in the U.S. It includes everything from organizations that provide network access to organizations that host email services.

In the Audit, privacy statements are scored across 30 variables. ISP/Hosts were a decidedly mixed bag compared to other sectors, which tended to do either relatively well or poorly across the board in their statements. (Though to be clear, the vast majority of organizations in the Audit had poor privacy statements; it was the most common reason for failure across privacy and security scoring.)

ISP/Hosts fell somewhat short in the presentation of their statements. OTA advocates several best practices that deal with how the privacy statement is displayed to make it as easy as possible for users to understand.

The simplest practice OTA advocates is a link to the privacy statement on the homepage so users can easily find it. Here ISP/Hosts did not fare well, with just 75% having links on their homepage – the lowest of any sector – compared to 89% of sites overall.

Another simple practice is putting a date stamp at the top indicating when the privacy statement was last updated. Here 43% of ISP/Hosts had a date stamp at the top, compared to 47% overall. This number is deceiving, however: because ISP/Hosts were the lowest of any sector, they pulled the overall average down, so the gap to the other sectors is wider than the four-point difference suggests.

Finally, OTA advocates for the use of “layered” statements. The bar for getting points for a “layered” statement is low. This can be achieved with something as simple as a table of contents, to something more complex like an interactive statement or a summary outlining the longer privacy statement.

Just 25% of ISP/Hosts had a layered privacy statement, the lowest of any sector, compared to almost half (47%) of organizations overall. ISP/Hosts may have lagged behind in how they display their privacy statements, but they did much better in the content of the statement.

Specifically ISP/Hosts stood out in data sharing and retention language. Fully 82% of ISP/Hosts had language explicitly saying they did not share user data (except to complete a service for a customer), compared to 67% overall. In addition, 5% had data retention language. This means they explicitly said how long user data is retained and for what purpose. While 5% may seem small, only 2% of organizations had this language at all. In addition, ISP/Hosts were the second highest sector just behind the top 100 Internet retailers at 6%.

ISP/Hosts were right in the middle on one data sharing variable, showing that there is room for improvement in this area. Just over half of ISP/Hosts (55%) had language stating that they would hold their third-party vendors to the same standards they hold themselves, compared to 57% of organizations overall. OTA advocates this practice because any organization that uses vendors must hold those vendors accountable. If a vendor abuses user data, and has a written agreement with an organization, that organization could be held liable for the vendor’s behavior.

ISP/Hosts privacy statements show that OTA standards are generally easy to meet. Small changes in these statements can go a long way to helping users understand the information being conveyed. These changes will also become increasingly important to keep up with the rapidly changing landscape of privacy laws and regulations around the world.

How would your organization do in the Audit? Read the report to see how you’d stack up, and use it to improve your site’s security and privacy. Then view the infographic or watch the recap video to learn more!

Categories
Building Trust Privacy Security

Deep Dive: U.S. Federal Government’s Security and Privacy Practices

In April 2019, the Internet Society’s Online Trust Alliance released its 10th Annual Online Trust Audit & Honor Roll. The Audit looks at the security and privacy practices of over 1,000 of the top sites on the Internet, from retailers to government sites. In this post we will take a deeper dive into the U.S. Federal Government sector of the Audit. The Government sector is defined as the top 100 sites in the U.S. Federal Government by traffic (based on Alexa ranking). Given the nature of the U.S. Government compared to companies, this sample has some unique properties, most visibly in site security.

The most obvious place the government excels is in the area of encryption. This is largely due to a Department of Homeland Security mandate that all U.S. Government sites be served over HTTPS, but the standard should still be the same for any site. Put another way, the other sectors in the Audit do not have an excuse for lagging in security.

In site security the Government sector fared the best, with 100% adoption of “Always-On Secure Sockets Layer” (AOSSL) and/or “HTTP Strict Transport Security” (HSTS), compared to 91% of sites overall. The health sector fared the worst, with 82% of sites using these technologies. The two are complementary rather than interchangeable. AOSSL means every page of the site is served over HTTPS, with plaintext HTTP requests redirected to it. HSTS is a response header that tells a browser to refuse plain HTTP to that host for a stated period, so that neither a later visit nor an attacker on the path can downgrade the connection back to the unencrypted version. HSTS only takes effect once the whole site already works over HTTPS, which is why the Audit scores the two together.
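To make those two criteria concrete, here is an added Python example, written for this post rather than taken from OTA’s audit tooling. It scores a site the way the paragraph describes: the plaintext http:// response must redirect to https://, and the HTTPS response must carry a valid Strict-Transport-Security header with a usable max-age. The responses are constructed rather than fetched, example.gov is a placeholder host name, and the 180-day max-age floor is an assumed threshold (a year is the value most guidance recommends).

```python
"""Check whether a site enforces always-on TLS (AOSSL) and sets a sound HSTS policy.

Added example, not OTA's scoring code. It runs offline against constructed
HTTP responses so the logic can be followed without touching the network.
"""
from dataclasses import dataclass, field

# Assumed threshold for this example: policies shorter than 180 days give
# little protection; a year is what most guidance recommends.
MIN_MAX_AGE = 15552000  # 180 days, in seconds


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed, not fetched)."""
    status: int
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # HTTP header names are case-insensitive.
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797 syntax).

    Returns a dict with max_age (int or None), include_subdomains, preload.
    Directive names are case-insensitive; max-age is mandatory for the
    policy to be honoured by browsers.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def audit_site(http_resp, https_resp):
    """Score a site against the two encryption criteria.

    http_resp  : response to GET http://host/
    https_resp : response to GET https://host/
    Returns (aossl, hsts, findings).
    """
    findings = []

    # AOSSL: plaintext HTTP must redirect to the HTTPS origin, never serve content.
    location = http_resp.header("Location") or ""
    aossl = http_resp.status in (301, 302, 307, 308) and location.startswith("https://")
    if not aossl:
        findings.append("http:// serves content or redirects somewhere other than https://")

    # HSTS only counts when sent over HTTPS; browsers ignore it on plaintext responses.
    raw = https_resp.header("Strict-Transport-Security")
    hsts = False
    if raw is None:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
    else:
        policy = parse_hsts(raw)
        if policy["max_age"] is None:
            findings.append("HSTS header lacks a max-age directive, so browsers ignore it")
        elif policy["max_age"] == 0:
            findings.append("max-age=0 removes the policy rather than enforcing it")
        elif policy["max_age"] < MIN_MAX_AGE:
            findings.append(f"max-age={policy['max_age']} is below {MIN_MAX_AGE}")
        else:
            hsts = True
        if hsts and not policy["include_subdomains"]:
            findings.append("consider includeSubDomains so subdomains cannot be downgraded")
    return aossl, hsts, findings


# Constructed sample responses (not captured from any real site).
GOOD_HTTP = Response(301, {"Location": "https://example.gov/"})
GOOD_HTTPS = Response(200, {"strict-transport-security":
                             "max-age=31536000; includeSubDomains; preload"})
WEAK_HTTP = Response(200, {"Content-Type": "text/html"})            # serves plaintext
WEAK_HTTPS = Response(200, {"Strict-Transport-Security": "max-age=0"})

if __name__ == "__main__":
    for label, pair in (("good", (GOOD_HTTP, GOOD_HTTPS)), ("weak", (WEAK_HTTP, WEAK_HTTPS))):
        aossl, hsts, findings = audit_site(*pair)
        print(f"{label}: AOSSL={aossl} HSTS={hsts} {findings}")
```

Point the same logic at real responses from a client library and it becomes a one-line site check; the part worth keeping is that the HSTS header is only read from the HTTPS response, because browsers discard it on plaintext ones.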

Most sites in the Audit fared well in these areas, but the Government sector was the only one to achieve 100% adoption of these technologies. From OTA’s perspective all sites should be adopting these technologies and while it is encouraging that the U.S. Federal Government (or at least the top 100 sites) have, it is discouraging that all of the other sectors are not reaching the 100% adoption rate.

In addition, the Government sector saw improvement over time. All sectors improved somewhat, but the Federal Government was the only one to cross the finish line. Here again it is important to note that the Federal Government is unique in some ways. Homeland Security can simply mandate encryption and it happens. Companies and other types of organizations may not be as straightforward, but that is not an excuse not to work towards full encryption.

In 2017, 91% of Federal Government sites were encrypted, up to 100% this year as noted above. Other sectors improved as well. ISP/Hosting sites went from 70% in 2017 to 91% in 2018. Banks, a sector where encrypting website traffic is particularly important given the types of data sent over those sites, also saw a marked improvement. In 2017 just 76% of banks encrypted their sites. In 2018 that number jumped to 91%.

Despite improvements across the board in site encryption, banks are a good example of where improvement is not enough. The Government sector sets the standard. The lesson for all organizations from the success of the U.S. Federal Government is simple. It’s possible to encrypt large numbers of sites quickly – and it’s in the interest of any organization to do so.

How would your organization do in the Audit? Read the report to see how you’d stack up, and use it to improve your site’s security and privacy. Then view the infographic or watch the recap video to learn more!

Categories
Building Trust Privacy Security

Deep Dive: How Does the Consumer Sector Score on Privacy and Security?

In April 2019 the Internet Society’s Online Trust Alliance released its 10th annual Online Trust Audit & Honor Roll. The Audit looks at the security and privacy practices of over 1,000 of the top sites on the Internet from retailers to government sites. In this post we will take a deeper dive into the Consumer section of the Audit. The Consumer section is a diverse set of sites including travel sites, hotels, and dating sites (see the methodology of the report for the full list).

In 2018 the Consumer section improved its standings with 85% making the honor roll, up from 76% in 2017. This was largely due to improvements in email security. TLS 1.3 adoption, however, was actually down in 2018 (largely due to a change in the list of retail sites), even though OTA advocates the adoption of TLS 1.3.

Where these sites did stand out, compared to other sectors, was in privacy scores. Overall, the Consumer sector scored 43 out of 55 on their privacy tracker score, among the highest of any sector, and 33 out of 55 on their privacy statement, also among the highest.

The Consumer section privacy statements were exemplary in a few ways. First, the Consumer section led in the use of archives for privacy statements: 12% of consumer sites kept an archive of past versions, the highest of any sector in the Audit.

OTA advocates this practice so users can see what changes were made to the privacy statement over time, without having to compare past statements on their own. This is a transparency issue. Privacy statements change constantly and it helps the organization to give users an easy way to see those changes.

Second, the Consumer section also stood out in data sharing language. 68% of Consumer sites had language stating that they do not share data with third parties, among the highest of any sector. In addition, only 39% had language that they share data with “affiliates.”

“Affiliate” language is about sharing data within a corporate family, as opposed to sharing with unrelated third parties. While obviously common practice, OTA advocates that organizations be more open about their data sharing practices, even among the corporate family.

Finally, the Consumer section scored among the highest with language explicitly saying that they hold their vendors to the same standards as themselves. In short, this is about holding any vendor that might hold data to the same data privacy standards as an organization would hold itself.

Overall, 74% of Consumer sites had language indicating they held their vendors to their own standards. This compares to 50% overall, well above the average for the entire sample. OTA advocates language like this because often data breaches happen with third party vendors, as opposed to the main organization itself, and therefore it is important that any organization make it clear that they hold all of their partners to the same standards they hold themselves.

How would your organization do in the Audit? Read the report to see how you’d stack up, and use it to improve your site’s security and privacy. Then view the infographic or watch the recap video to learn more!

Categories
Building Trust Privacy Security

Deep Dive: How the News and Media Sector Scores on Security and Privacy

In April 2019 the Internet Society’s Online Trust Alliance released its 10th annual Online Trust Audit & Honor Roll. The Audit looks at the security and privacy practices of over 1,000 of the top sites in various sectors. The news and media sector, made up of the top 100 news and media sites according to US traffic to their websites, improved its privacy practices in 2018. Like most sites, however, there is still room for improvement in privacy statements.

In 2017 less than half (48%) of news and media sites made the Honor Roll. In 2018 that number went up significantly to 78%, largely due to improvements in privacy statements. Privacy is scored in two ways in the Audit: we look at trackers on each site, and we score the privacy statements across over 30 criteria.

One area where news sites did not improve was in the use of trackers on their site. Out of all the sectors news and media scored the lowest in trackers with a score of 39 (out of 45). Part of the reason for this is the news and media sector relies on advertising revenue, which often requires the use of trackers to serve ads.

On the positive side, news and media fared well in the use of tag management systems and privacy solutions, with 69% of news and media sites using these technologies. Tag management systems and privacy solutions help manage third-party data collection and data sharing in real time.

On the bright side, however, news and media sites did improve their privacy statements. On statements, news and media scored near the top with a score of 32 out of 55, second only to the consumer section.

First, news and media sites improved the readability of their statements, with 71% using layered notices, up from 42% in 2017. A layered notice can be anything from a simple table of contents to a summary version of the longer privacy policy. OTA advocates the use of layered statements to help users understand the privacy statements and find the information they are looking for more easily.

One area for improvement, however, is in the use of icons and multilingual policies. Just 1% of news and media sites used icons to indicate what information is being conveyed in a section of the privacy policy. OTA advocates the use of icons to help users of various reading comprehension levels understand the information in the statement. In addition, only 5% had privacy statements in multiple languages. To be fair this is not unique to news and media. Few sites in the Audit use either icons or have multilingual policies.

Second, news and media sites improved their sharing language. Overall, 60% of news and media sites had language that they do not share user data with third parties, up from 53% in 2017. In addition, most (85%) news and media sites indicated that they hold those they do share data with to the same standards they hold themselves.

Finally, this year’s Audit tracked some aspects of GDPR (which went into effect in spring 2018) in order to gauge adoption of certain GDPR principles. To be clear, at the time of this Audit’s data collection many of the sites were not required to follow GDPR as they are largely U.S.-based organizations.

Since this Audit’s data collection period, more regulations have been put in place around the world, such as the California Consumer Privacy Act (CCPA), that mirror many of the principles OTA measured. Here news and media did not fare as well. For example, one GDPR requirement is that privacy statements be easy for most consumers to read and understand. Here the news and media sector fared the worst with just 8% being easy to read. On the plus side 70% of news and media sites offered a direct contact for users to address their privacy concerns. (In GDPR parlance this is a Data Protection Officer, but in the U.S. one is not required at the moment.)

It is encouraging to see improvement in the news and media sector’s privacy statements. It is also true, however, that given the shifting privacy regulations around the world these improvements will need to continue if news and media sites want to stay ahead of regulatory changes.

How would your organization do in the Audit? Read the report to see how you’d stack up, and use it to improve your site’s security and privacy. Then view the infographic or watch the recap video to learn more!

Categories
Building Trust Privacy Security

Online Trust Audit for 2020 Presidential Campaigns Update

On 7 October 2019, the Internet Society’s Online Trust Alliance (OTA) released the Online Trust Audit for 2020 U.S. Presidential Campaigns. Overall, 30% of the campaigns made the Honor Roll, and 70% had a failure, mainly related to scores for their privacy statements. As part of this process, OTA reached out to the campaigns, offering to explain their specific Audit scores and ways to improve them. The campaigns were also told that they would be rescored in mid-November and the updated results would be published in early December. As a result, several campaigns contacted us to understand the methodology and scoring, and several of them made improvements.

Rescoring of all elements of the Audit was completed on 25 November, and the table below shows the updated results since release of the original Audit. Several campaigns have been suspended since early October (Messam, O’Rourke, Ryan, and Sanford, as well as Bullock and Sestak in early December). Campaigns shown in bold in the Honor Roll column made enough improvements to earn passing scores for their privacy statements and thereby achieve Honor Roll status. Campaigns shown in italics at the bottom of the table are new entrants since the Audit was released. Based on this updated list of 20 campaigns, 10 made the Honor Roll while 10 had a failure in one or more areas, creating a 50/50 split.

Figure 1 – 2020 Presidential Campaign Audit Supplement Results
Privacy Practice Updates

Three campaigns updated their privacy statements, and all three made changes that caused them to pass in the privacy area (a score of 60 or more) and achieve Honor Roll status. However, these were minor changes (added a date stamp, addressed children’s use of the site, layered the statement to make it easier to navigate) – none addressed the core data sharing issues highlighted in the original Audit.

For the new entrants, one had no privacy statement (De La Fuente), one had a privacy statement with a score below 60 (Bloomberg), and one had a privacy statement with a passing score that directly addressed the data sharing issues (Patrick).

Site Security Updates

Minor changes were noted in the site security aspects of the Audit, and none were substantial enough to cause a change in Honor Roll status. Two campaigns now have outdated software (lowering their score), and one added support for TLS 1.3.

Site security scores for the new entrants were strong, which is in line with other campaigns, and all of them support “always on SSL” or fully encrypted web sessions.

Consumer Protection Updates

A few changes were noted in the existing campaigns – one added support for DNSSEC, and one added DMARC support with a reject policy (the recommended email security best practice). These improved the campaigns’ scores, but did not affect their Honor Roll status. The two campaigns that originally had failures due to email authentication have been suspended so are no longer on the list.

For the new entrants, one has insufficient email authentication (so fails in Consumer Protection as well as Privacy), and while the other two have strong SPF and DKIM protection, only one uses DMARC with a reject policy. One supports DNSSEC.
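The three tiers the supplement reports (insufficient email authentication, SPF and DKIM without an enforcing DMARC policy, and DMARC with a reject policy) can be read straight off a domain’s DNS TXT records. The Python below is an added example written for this post, not OTA’s audit tooling: the records are constructed for fictional campaign-a.example through campaign-d.example domains, the DKIM public-key values are placeholders, and the selector name s1 is assumed. The classifier reasons only over the records it is handed, so a real check would perform the DNS TXT lookups first.

```python
"""Classify a domain's email-authentication posture from its SPF, DKIM and DMARC records.

Added example (not OTA's scoring code). Records below are constructed samples;
in practice you would fetch them with DNS TXT lookups first.
"""

DKIM_PLACEHOLDER = "p=PLACEHOLDERKEY"  # stands in for a real base64 public key


def spf_assessment(txt):
    """Return (valid, enforcing).

    Enforcing means the final `all` mechanism is -all (fail) or ~all (softfail).
    +all (or a bare `all`) authorises every sender and ?all is neutral, so
    neither gives a receiver anything to act on.
    """
    if txt is None or not txt.lower().startswith("v=spf1"):
        return False, False
    all_terms = [t for t in txt.split()[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        return True, False  # valid syntax, but never says who is NOT allowed
    last = all_terms[-1]
    qualifier = last[0] if last[0] in "+-~?" else "+"
    return True, qualifier in "-~"


def dkim_present(domain, records, selectors):
    """True if any known selector publishes a DKIM key for the domain.

    Selector names are not discoverable from DNS, so the caller supplies the
    ones it knows about (for example from received mail headers).
    """
    for selector in selectors:
        txt = records.get(f"{selector}._domainkey.{domain}")
        if txt and "p=" in txt:
            return True
    return False


def parse_dmarc(txt):
    """Parse a _dmarc TXT record into tags, or return None if it is not valid DMARC."""
    if txt is None:
        return None
    tags = {}
    for part in txt.split(";"):
        k, _, v = part.partition("=")
        if k.strip():
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def classify(domain, records, selectors):
    """Map a domain onto the posture tiers the supplement reports."""
    spf_valid, spf_enforcing = spf_assessment(records.get(domain))
    authenticated = (spf_valid and spf_enforcing) or dkim_present(domain, records, selectors)
    if not authenticated:
        return "insufficient"            # nothing a receiver can verify or act on
    dmarc = parse_dmarc(records.get(f"_dmarc.{domain}"))
    if dmarc is None:
        return "spf_dkim_no_dmarc"       # authenticated, but spoofed mail is not rejected
    policy = dmarc["p"].lower()
    pct = int(dmarc["pct"]) if dmarc.get("pct", "").isdigit() else 100  # pct defaults to 100
    if policy == "reject" and pct == 100:
        return "dmarc_reject"            # the recommended end state
    if policy == "reject":
        return "dmarc_reject_partial"    # only pct% of failing mail is rejected
    if policy == "quarantine":
        return "dmarc_quarantine"
    return "dmarc_monitor_only"          # p=none: reports only, no enforcement


# Constructed sample zone data for four fictional campaigns.
SAMPLE_DNS = {
    "campaign-a.example": "v=spf1 include:_spf.mailer.example -all",
    "s1._domainkey.campaign-a.example": f"v=DKIM1; k=rsa; {DKIM_PLACEHOLDER}",
    "_dmarc.campaign-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@campaign-a.example",
    "campaign-b.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "s1._domainkey.campaign-b.example": f"v=DKIM1; {DKIM_PLACEHOLDER}",
    "_dmarc.campaign-b.example": "v=DMARC1; p=none; rua=mailto:reports@campaign-b.example",
    # campaign-c.example publishes nothing at all.
    "campaign-d.example": "v=spf1 -all",
    "s1._domainkey.campaign-d.example": f"v=DKIM1; {DKIM_PLACEHOLDER}",
    "_dmarc.campaign-d.example": "v=DMARC1; p=reject; pct=50",
}

if __name__ == "__main__":
    for name in ("campaign-a", "campaign-b", "campaign-c", "campaign-d"):
        print(name, classify(f"{name}.example", SAMPLE_DNS, ["s1"]))
```

The pct check matters in practice: a record that reads p=reject but carries pct=50 only rejects half of the mail that fails alignment, which is a staging step rather than the enforcing policy the supplement credits.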

Conclusion

The engagement with several of the campaigns was constructive and led to improvements that helped them earn Honor Roll status. We find that for most organizations the issue is more about awareness of best practices and their impact on overall trust than a refusal to follow those best practices. However, the data sharing language in all but one of the privacy statements is concerning. For example, most of the campaigns had language that would allow them to share data with “like minded organizations.” Language along these lines gives the campaigns broad discretion to share user data. We encourage campaigns (and the political parties they work with) to consider improvements to sharing language to increase transparency about how data is shared and give users more control over their data.

Campaign Sites and Privacy Statements

You can find the list of the URLs for the rescored campaign sites and associated privacy statements in the Supplement to Online Trust Audit – 2020 Presidential Campaigns.

This supplement was finalized before Kamala Harris dropped out of the U.S. presidential race on 3 December 2019.

Categories
Building Trust Encryption Privacy Security

What Scary Movies Can Teach Us About Internet Trust

Mad geniuses. Evil dolls. Slow zombies. This Halloween, we’ll see all of these horror film clichés come to life. Sure they’re fun, but are there lessons we can learn from them? What if they could teach us what not to do? We looked at seven scary tropes and what they might teach us about Internet trust.

The call is coming from inside the house.

The phone calls keep coming, each one scarier than the last. Ring. “Are you home alone?” Ring. “Have you locked the doors?” Ring. “Look in the basement.” It’s only then you realize the stalker has been in the house all along.

We lock our doors to make our homes more secure, but we don’t always think about the security of the things we connect to our home networks. An insecure connected device can put your whole network and the devices on it at risk. Meaning, yes, the cybersecurity threat could be coming from inside the house. By protecting your home network, you limit your devices’ exposure to online threats and help mitigate the risk they may pose to others. You can make your network more secure by enabling WPA2 or WPA3 encryption on your home WiFi, choosing a strong, unique network password (and changing the router’s default administrator password), and keeping the router’s firewall turned on.

Sometimes your car won’t start when you really, really need it to.

You’ve escaped the abandoned hospital, you’ve made it to your car, and now you’re hunched over the steering wheel, hand shaking as you turn the ignition. There’s just one problem. The car won’t start. That’s when you spot the sticker in the window. The last maintenance call was over a year ago.

Maintain your devices and apps so you’re not stuck in a sticky situation. If a device or app has an auto-update feature, turn it on! No system is perfectly secure, and security vulnerabilities are always being discovered and fixed with updates. Anything that’s Internet connected, from your light bulbs to your thermostat, should be updated.

Build a strong barricade.

The zombies are coming. They’ve chased you into the last room of the house. You push the chair against the door, hoping it will buy you enough time to get away. But when you hear the splinter of particle board and see the door slam open, you curse your decision to buy from the IKEA clearance rack.

You wouldn’t try to secure a door with flimsy furniture, so why would you trust a weak password, such as “letme1n,” to secure your email, devices, and everything else you rely upon? No matter how strongly your device or application is encrypted, if someone can figure out your password, they can access your data. Make sure to use strong passwords, stop reusing passwords, and turn on two factor authentication (2FA) for your applications and services. Taking these steps makes it harder for the bad guys to access your data.

There are clues in that old book that might help you.

The book looks out of place with the others. It’s heavy, covered in dust, and written in arcane language. At first you ignore it. But when you start to see ghostly apparitions, you realize you should have paid attention to it from the start.

We often ignore the fine print, mindlessly scrolling through user agreements and privacy policies before clicking “Accept.” But they often contain information about what data is being collected and how that data is shared. When we are armed with this information, we can make smarter choices about which apps and devices we use, how much information we share with them, and how we set our permissions and privacy settings.

Seemingly ordinary objects can hide secrets.

It’s just a mirror, right? Certainly not a portal to a sinister underworld. Chanting a nursery rhyme in front of one won’t invoke haunted demons. And when you glance in it to check your hair, you won’t see a ghost standing behind you searching for her lost betrothed.

From credit cards to smart TVs, we use lots of everyday objects without thinking they might bring us harm by putting our privacy and security at risk. But we can protect ourselves from these ordinary objects by using encryption. Some devices and services have the capability to use encryption, but don’t turn it on by default. Take a few minutes to see if your devices or services are already using encryption or if you need to turn it on. You can also switch to messaging apps that offer end-to-end encryption.

Denial is a good way to get yourself in trouble.

That character who refuses to believe there’s any danger? The one who ignores the tapping on the window? They usually don’t make it past the first scene.

You don’t have to be that person. By taking steps to protect security and privacy, you can become the hero of your own film.

Finally, never go off on your own.

You’re camping with five of your closest, most photogenic friends, when mysterious things start to happen. Funny, you don’t remember leaving your car’s headlights on. And what is that shrieking coming from the woods? You decide to investigate. You’re about ten feet into the abandoned trail when you realize you should have stayed with your friends.

Whether it’s making Internet routing stronger, helping close the global digital divide, or shaping its future, we make the Internet a better place when we work together.

Join us! Let’s work together to help build an open, globally-connected, secure, and trustworthy Internet for everyone.

Categories
Privacy Security Technology

What to Look for When Choosing a VPN

We welcome this guest post from Top10VPN.com, an Organization Member of the Internet Society.

The search for online privacy has driven a quarter of the world’s Internet users to download a Virtual Private Network (VPN). VPN services are now an important tool for anyone concerned about security and privacy on public networks.

There’s a world of difference between VPNs, though. Without clear and unbiased information many users are forced to navigate their choice of VPN without much clarity.

Why is choosing the right VPN provider so important?

Whenever you switch on a VPN you are entrusting its provider with your personal data, browsing activity, and sometimes even your security. For this reason, VPN providers must be held to a higher standard than most products. It’s important you do your due diligence when making a decision.

What should I look out for? 

A good VPN ensures that no one between you and the VPN server can see what you are doing online, and that the provider itself, which necessarily handles your traffic, records as little about it as possible. Consider the following qualities:

Technical Security

The most secure VPN services will be transparent about the measures they have in place to safeguard their users and their business.

Any VPN worth its salt will offer the latest and most secure levels of encryption, a wide selection of strong protocols, and a range of additional security features including kill-switches (which block all traffic if the tunnel drops, rather than silently falling back to the plain connection), split-tunneling, and Tor compatibility.

Look for features like AES-256 encryption, OpenVPN functionality, and products that are independently audited by a respected third party. You should also look for VPNs that accept anonymous payments, incorporate open source software where appropriate, and have a clear policy for disclosing vulnerabilities.

Some VPNs can suffer from IP and DNS leaks. A DNS leak happens when the operating system keeps sending name lookups to the ISP’s resolver outside the tunnel, so every site you visit is still visible to the ISP even though the page traffic itself is encrypted. An IP leak happens when some traffic bypasses the tunnel and carries your real address, for instance IPv6 traffic on a tunnel that only handles IPv4, or a WebRTC request from the browser. Either can be seen and collected by your ISP or any other entity able to observe your network. Needless to say, this renders the VPN effectively useless in terms of protecting your privacy.

Ultimately, a secure service will have several measures in place to protect user data and will actively offer the most sophisticated security standards available. Be sure to test your provider for leaks and ensure that respected third-parties have validated your provider’s claims of security.
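The DNS leak described above can be reasoned about from two things the host already has: its resolver list and its routing table. The Python below is an added example written for this post (it is not Top10VPN’s tooling or any VPN client’s code) that does exactly that with constructed resolv.conf and routing-table samples. The interface names tun0 and eth0, the addresses, and the assumption that a resolver routed outside the tunnel interface is a leak are all example inputs. It generalises slightly beyond the text by also catching the IPv6 case, where the tunnel carries IPv4 only and the IPv6 resolver is reached over the underlying connection.

```python
"""Route-based DNS leak check: through which interface is each resolver reached?

Added example, not code from Top10VPN or any VPN client. It parses constructed
resolv.conf text and a constructed routing table in the shape `ip route`
prints on Linux, then applies longest-prefix matching the way the kernel
would. A resolver whose route does not go via the tunnel interface receives
your queries in the clear, which is exactly what a DNS leak is.
"""
import ipaddress


def parse_resolv_conf(text):
    """Return the resolver addresses named by `nameserver` lines; comments are skipped."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(ipaddress.ip_address(parts[1]))
    return servers


def parse_routes(text):
    """Parse lines such as `10.8.0.0/24 dev tun0` or `default via 192.168.1.1 dev eth0`.

    Returns (network, interface) pairs. Only the destination and the `dev`
    token matter for this check; next hops and metrics are ignored.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = parts[0]
        if dest == "default":
            # `ip route` prints one address family at a time; an IPv6 next hop
            # (it contains ':') marks the IPv6 default route.
            dest = "::/0" if ":" in line else "0.0.0.0/0"
        network = ipaddress.ip_network(dest, strict=False)
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((network, dev))
    return routes


def route_for(ip, routes):
    """Longest-prefix match: the most specific route of the same address family wins."""
    best = None
    for network, dev in routes:
        if network.version == ip.version and ip in network:
            if best is None or network.prefixlen > best[0].prefixlen:
                best = (network, dev)
    return best[1] if best else None


def interface_for(ip, routes_text):
    """Which interface would traffic to `ip` (given as a string) leave through?"""
    return route_for(ipaddress.ip_address(ip), parse_routes(routes_text))


def find_dns_leaks(resolv_conf, routes_text, tunnel_dev="tun0"):
    """Return (resolver, interface) pairs for resolvers not reached via the tunnel."""
    routes = parse_routes(routes_text)
    leaks = []
    for server in parse_resolv_conf(resolv_conf):
        dev = route_for(server, routes)
        if dev != tunnel_dev:
            leaks.append((str(server), dev))
    return leaks


# Constructed sample state, not captured from a real host. The tunnel pushed
# 10.8.0.1 as resolver, but DHCP's router entry and an ISP IPv6 resolver remain,
# and the VPN client installed the usual 0.0.0.0/1 + 128.0.0.0/1 pair that
# overrides the default route without deleting it.
RESOLV_CONF = """\
nameserver 10.8.0.1      # pushed by the VPN
nameserver 192.168.1.1   # home router, left behind by DHCP
nameserver 2001:db8::53  # ISP IPv6 resolver; the tunnel carries IPv4 only
"""

ROUTES = """\
0.0.0.0/1 dev tun0
128.0.0.0/1 dev tun0
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0
10.8.0.0/24 dev tun0
198.51.100.7 via 192.168.1.1 dev eth0
default via fe80::1 dev eth0
"""

if __name__ == "__main__":
    for resolver, dev in find_dns_leaks(RESOLV_CONF, ROUTES):
        print(f"LEAK: queries to {resolver} leave via {dev}, not the tunnel")
```

On a live system, feed it the contents of /etc/resolv.conf and the output of `ip route` plus `ip -6 route`; the check is static, so it complements rather than replaces an online leak test, which also catches browser-side leaks such as WebRTC.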

Privacy Policy

Evaluating the privacy policy is one of the most important stages in assessing a VPN. Unfortunately, there are some products on the market with policies that leave room for improvement.

The best VPNs have ‘zero logs’ policies which, if implemented properly, will not store any identifying data. However, many providers use this term with very little substantiating evidence, and it can be difficult to know with complete certainty whether a provider is logging or not.

Secure VPNs will only log a minimal amount of basic connection data like bandwidth usage, server load, or server location. This is used to optimize provision of the service, and can’t be used to identify a user. Some VPNs, by contrast, have been found to log activity data including the originating IP address, DNS requests, and even a user’s entire online history – websites visited, files downloaded, and message contents included.

To make matters worse, the logging policies of some providers are often vague or unnecessarily complicated. It’s not uncommon for some VPN services to avoid directly stating whether their policy applies to connection logs, activity logs, or both. A provider might advertise ‘zero-logs’ or ‘minimal logs’ for one type of data, but continue to record the other.

It should be clear exactly what type of data your VPN creates and stores during or after a session. Look for VPNs that explain their logging policy plainly, and ideally ones with a demonstrated history of having nothing to hand over when served with a legal data request, because no logs were kept.

Make sure you read your provider’s privacy policy in full, or consult a third party who can do this research for you. 

Location and Jurisdiction

Jurisdiction is an important issue that’s often overlooked. Every VPN provider is bound to local laws and regulations. It’s crucial that you are aware of these laws and how they might affect your privacy.

In theory, if a provider’s logging policy is watertight, its jurisdiction shouldn’t matter. That being said, any legitimate VPN provider will have clear procedures for responding to requests from law enforcement regardless of its logging policy. These procedures, including a warrant canary, should be publicly available along with any measures in place to protect user data if a third party were to gain access to their servers.

It’s wise to check the country your VPN is based in, the laws of that country, and the company’s history in terms of cooperation with law enforcement.

Ownership and Business Model

VPN services can monetize your data in unexpected ways. It’s expensive to develop and operate a reliable VPN, and many services choose to subsidize these costs with income from other channels.

It’s possible that some form of data collection, sharing, or sale is occurring in order to cover the cost of the product. Many services also rely heavily on advertising, which is less than ideal for privacy.

Providers should clearly explain how they make money and how your financial details are processed. You should be able to easily tell whether a service runs on user subscriptions alone or if it also profits from the processing of personal data.

Before buying a subscription or reading a review, make sure you understand who ultimately owns the VPN service and whether or not it can be trusted.

You should be able to find the company’s legal name if it differs from its brand name, along with information on any other entities that control or invest in the provider’s services. Be sure to find out if these groups have financial stakes in other VPN products, and if so, whether they share information between them.

Determining your standards 

People use VPNs for many different reasons. Whether you’re picking a service for streaming, torrenting, censorship circumvention, or strictly for privacy purposes, it’s important to confirm that your chosen provider offers the features you actually need.

Once you have an idea of how your VPN stands up in terms of technical security, privacy, and business model, it’s worth considering broader qualities like customer support, speed, and device compatibility.

Some VPNs offer dedicated servers for specific streaming platforms, while others can give you a connection specifically optimized for torrenting. Check the company’s website and third-party reviews to see if your provider will work with the platforms you need and provide speeds that are sufficient for your purposes. You can also find out whether its servers will work in heavily-censored countries.

Check to see if your provider has dedicated apps for each of your devices. Without native support for your tablet, smartphone, or streaming device, you risk only partial protection (traffic from that device may bypass the tunnel entirely) and a worse user experience.

Can you trust your VPN?

At the most basic level, a trustworthy VPN will never collect, share, or sell user data beyond what it is legally compelled to hand over. Consider its business model, location, technical security, and privacy policy. If it can’t provide clear answers to all of these questions, it’s probably not worth your time.

Common sense can save you a lot of trouble. Review your provider’s reputation and never use a VPN you’re not fully comfortable with. Just like you wouldn’t give a stranger unrestricted access to your home, you shouldn’t give unfamiliar applications access to your personal data.

Ultimately, if you’re really concerned about security and performance, you should be using a VPN that’s independently tested and well-reviewed by unbiased experts.

A good VPN can be seen as an investment in your security, privacy, and freedom – to prevent costly data loss, open up your browsing capabilities, and protect your right to privacy.

Ready to do more? Read The Lazy Person’s Guide to Better Online Privacy.

Categories
Building Trust Privacy Security

Announcing the 2020 U.S. Presidential Campaign Audit

Today, the Internet Society’s Online Trust Alliance released a new report, the “2020 U.S. Presidential Campaign Audit,” analyzing the 23 top current presidential campaigns and their commitment to email/domain protection, website security, and responsible privacy practices. OTA evaluated the campaigns using the same methodology we used to assess nearly 1,200 organizations in the main Online Trust Audit released in April.

An alarming 70% of the campaign websites reviewed in the audit failed to meet OTA’s privacy and security standards, potentially exposing visitors to unnecessary risks. Only seven (30%) of the analyzed campaigns made the Honor Roll, a designation recognizing campaigns that displayed a commitment to using best practices to safeguard visitor information. The 2020 campaigns, taken together as a sector, lagged behind the Honor Roll average of all other sectors (70%) in the 2018 Online Trust Audit, and were far short of the Honor Roll achievement of 91% by U.S. federal government organizations.

To qualify for the Honor Roll, campaigns must have an overall score of 80% or higher, with no failure in any of the three categories examined. The campaigns who made the Honor Roll are:

  • Pete Buttigieg
  • Kamala Harris
  • Amy Klobuchar
  • Beto O’Rourke
  • Bernie Sanders
  • Donald Trump
  • Marianne Williamson

Website security scores are high. This can be attributed to the relative “newness” of these campaign sites and the fact that they were built recently on secured platforms. The lack of email authentication for two of the campaigns is a surprise, since these are long-established best practices and modern infrastructure should support SPF, DKIM, and DMARC.

Privacy is a major problem for campaigns, causing failure for 70% of them. There were a variety of reasons for failure, including:

  • Lack of Privacy Statement – Four campaigns had no discoverable privacy statement. This yields a statement score of 0 and is an automatic failure. This may be an oversight, but is inexcusable since every campaign website is collecting data. Fortunately, it can be remedied quickly by adding a privacy statement.
  • Inadequate Statement – Many campaign privacy statements were silent on data sharing, retention, and similar practices, so they did not give clear notice and transparency about what the campaign does with visitor data. Such disclosures are generally accepted best practice.
  • Freely Sharing Data – Several privacy statements said they could share data with “like-minded entities” or unidentified third parties, effectively putting no limits on the use of personal data.

We encourage all campaigns to remain vigilant regarding security, and to revisit their privacy statements. Disclosing that data may be shared with “like-minded” organizations may be a common practice for campaigns, but is still concerning in light of the depth of demographic and financial information being collected. Since even campaigns who made the Honor Roll had poor privacy scores, OTA calls on all campaigns to consider updating their statement and practices to better reflect consumer concerns pertaining to the collection, use, retention, and sharing of their personal information.

We reached out to each campaign the week of 30 September, prompting some campaigns to make updates, which we re-evaluated on 7 October. We are committed to helping campaigns improve their efforts to keep both people and information safe online by providing tailored best practice recommendations upon request. We will reassess active presidential campaigns in mid-November and provide a short supplement to this report, highlighting any improvements.

We encourage you to read the report, and to make sure your organization (of any kind) is following the best practices outlined in Appendix C – Best Practices Checklist.

Categories
Building Trust Encryption Improving Technical Security Internet of Things (IoT) Mutually Agreed Norms for Routing Security (MANRS) Privacy Security

Celebrating National Cybersecurity Awareness Month

Every October, we mark National Cybersecurity Awareness Month. From the U.S. Department of Homeland Security website, “Held every October, National Cybersecurity Awareness Month (NCSAM) is a collaborative effort between government and industry to raise awareness about the importance of cybersecurity and to ensure that all Americans have the resources they need to be safer and more secure online.”

We believe in an Internet that is open, globally connected, secure, and trustworthy. Our work includes improving the security posture of producers of Internet of Things (IoT) devices, ensuring encryption is available for everyone and is deployed as the default, working on time security, routing security through the MANRS initiative, and fostering collaborative security.

The Online Trust Alliance’s IoT Trust Framework identifies the core requirements manufacturers, service providers, distributors/purchasers, and policymakers need to understand, assess, and embrace for effective security and privacy as part of the Internet of Things. Also check out our Get IoT Smart pages to get more consumer-friendly advice on IoT devices.

Much of OTA’s work culminates in the Online Trust Audit & Honor Roll, which recognizes excellence in online consumer protection, data security, and responsible privacy practices. Since that report’s release in April 2019, we’ve done a couple of “deep dives” into specific sectors, including Healthcare and Banks, with more sectors on the way. We’ve also done a deep dive specifically into privacy statements, finding that most organizations do not comply with existing global privacy regulations and are not ready for additional regulations going into effect in 2020.

In addition, our Cyber Incident & Breach Trends Report analyzes events to extract key learnings and provide guidance to help organizations of all sizes raise the bar on trust through enhanced data protection and increased defense against evolving threats.

Check out our Best Practices to learn more, and make October the month you work to improve your organization’s overall cybersecurity stance!

Categories
Building Trust Privacy Security

Deep Dive: How Do Banks Score on Privacy and Security?

In April 2019 the Internet Society’s Online Trust Alliance published its 10th annual Online Trust Audit & Honor Roll assessing the security and privacy of 1,200 top organizations. The Banking sector includes the top 100 banks in the U.S., based on assets according to the Federal Deposit Insurance Corporation (FDIC). Banks had a standout year, with a dramatic increase in scores across the board. Let’s take a closer look.

Overall, 73% of banks made the Honor Roll, putting the banking sector 4th behind the News and Media (78%), Consumer Services (85%), and the U.S. Federal Government (91%) sectors. In the previous Audit, only 27% made the grade. This large jump is due to improvements in all three scoring categories: email authentication, site security, and privacy.

Email 

Banks, like most sectors, showed high adoption of the two main email authentication technologies studied in the Audit: SPF (93%) and DKIM (87%). In addition, banks saw a marked improvement in the share of domains implementing both technologies, 87% in 2018 up from 60% in 2017, which puts them among the most improved sectors in this area.

DMARC builds on SPF and DKIM: it lets a domain owner publish a policy telling receivers how to handle messages that fail authentication (monitor only, quarantine, or reject), and it provides a feedback channel through which receivers send aggregate reports back to the domain owner. Banks also did well in DMARC adoption, with the second highest rate (70%) of any sector, behind only the U.S. Federal Government (93%).
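To make the three mechanisms concrete, here is an added example (not code from the Audit or from OTA) that parses SPF and DMARC TXT records and grades a domain roughly the way an auditor would: present or absent, and if present, whether the policy actually enforces anything. The DNS answers are constructed and embedded so the example runs offline; the domain names, the grading tiers, and the problem messages are assumptions of this example. DKIM is deliberately not assessed, because checking it requires knowing the sender’s selector names, which a DNS query cannot discover.

```python
"""Parse SPF (RFC 7208) and DMARC (RFC 7489) TXT records and grade email authentication.

Added example; not code from the Online Trust Audit. DNS answers below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample answers keyed by DNS name. A real check would query a resolver
# for TXT records at <domain> (SPF) and _dmarc.<domain> (DMARC). All names are hypothetical.
SAMPLE_DNS: Dict[str, List[str]] = {
    "strongbank.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailvendor.example -all"],
    "_dmarc.strongbank.example": ["v=DMARC1; p=reject; rua=mailto:dmarc-rua@strongbank.example; pct=100"],
    "monitorbank.example": ["v=spf1 include:_spf.mailvendor.example ~all"],
    "_dmarc.monitorbank.example": ["v=DMARC1; p=none; rua=mailto:reports@monitorbank.example"],
    "campaign.example": ["v=spf1 +all", "google-site-verification=abc123"],
    # campaign.example publishes no _dmarc record at all
}


def lookup_txt(name: str) -> List[str]:
    """Stand-in for a DNS TXT lookup; returns [] when the name has no records."""
    return SAMPLE_DNS.get(name, [])


@dataclass
class EmailAuthReport:
    domain: str
    has_spf: bool = False
    spf_all: Optional[str] = None        # qualifier of the trailing "all" mechanism, e.g. "-all"
    has_dmarc: bool = False
    dmarc_policy: Optional[str] = None   # none | quarantine | reject
    dmarc_pct: int = 100                 # RFC 7489 default when pct= is absent
    dmarc_rua: List[str] = field(default_factory=list)
    problems: List[str] = field(default_factory=list)
    level: str = ""                      # none | spf-only | monitoring | enforcing (example's own tiers)


def parse_spf(records: List[str], report: EmailAuthReport) -> None:
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        report.problems.append("no SPF record")
        return
    if len(spf) > 1:
        report.problems.append("multiple SPF records (RFC 7208 requires exactly one)")
    report.has_spf = True
    for term in spf[0].split()[1:]:
        # "all" is the catch-all mechanism; its qualifier decides the fate of unlisted senders:
        # -all fail, ~all softfail, ?all neutral, +all (or bare "all") pass.
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            report.spf_all = (m.group(1) or "+") + "all"
    if report.spf_all is None:
        report.problems.append("SPF record has no 'all' mechanism")
    elif report.spf_all == "+all":
        report.problems.append("SPF '+all' authorizes every sender on the Internet")


def parse_dmarc(records: List[str], report: EmailAuthReport) -> None:
    recs = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not recs:
        report.problems.append("no DMARC record at _dmarc.<domain>")
        return
    report.has_dmarc = True
    tags: Dict[str, str] = {}
    for part in recs[0].split(";"):           # DMARC is a ';'-separated tag=value list
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        report.problems.append("DMARC record missing the required 'p' tag")
        return
    report.dmarc_policy = policy
    try:
        report.dmarc_pct = int(tags.get("pct", "100"))
    except ValueError:
        report.problems.append("DMARC pct= is not a number; treating as 100")
    report.dmarc_rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if policy == "none":
        report.problems.append("DMARC p=none only monitors; failing mail is still delivered")
    if report.dmarc_pct < 100:
        report.problems.append("DMARC pct<100 applies the policy to only part of the mail stream")
    if not report.dmarc_rua:
        report.problems.append("no rua= address, so the owner receives no aggregate reports")


def grade(report: EmailAuthReport) -> str:
    """Example tiers: enforcing needs a restrictive SPF 'all' plus full-strength DMARC."""
    if not report.has_spf and not report.has_dmarc:
        return "none"
    if not report.has_dmarc:
        return "spf-only"
    if (report.dmarc_policy in ("quarantine", "reject") and report.dmarc_pct == 100
            and report.spf_all in ("-all", "~all")):
        return "enforcing"
    return "monitoring"


def assess(domain: str, resolve=lookup_txt) -> EmailAuthReport:
    report = EmailAuthReport(domain=domain)
    parse_spf(resolve(domain), report)
    parse_dmarc(resolve("_dmarc." + domain), report)
    report.level = grade(report)
    return report


if __name__ == "__main__":
    for d in ("strongbank.example", "monitorbank.example", "campaign.example"):
        r = assess(d)
        print(f"{d}: {r.level}; SPF {r.spf_all}; DMARC p={r.dmarc_policy}; problems={r.problems}")
```

Pointing `assess()` at a real resolver (pass a `resolve` callable that returns the TXT strings for a name) reproduces the presence checks the Audit reports; the `problems` list is where the gap between “has a record” and “record actually protects recipients” becomes visible.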

Site Security

Though banks did well in overall site security (and led in areas such as lowest occurrence of cross-site scripting), there were a few areas for improvement. They had by far the highest rate of malware on the sites (10%, vs an overall average of 2%). They also had one of the lowest adoption rates for presence of a vulnerability reporting mechanism (6% vs an overall average of 11%). In light of recent large data breaches, it is especially important to provide a way for security researchers to report vulnerabilities in an efficient way.

Privacy

Like most sectors, banks did not fare well in privacy. The Audit tracks privacy in two ways: by the number of trackers on a site, and by analyzing the site’s privacy statement. In terms of trackers, banks did well. They were among the top scorers with 44 of 45 available points. (The score is derived using publicly available software to count the trackers each site uses; the fewer bad trackers, the higher the score.) Though there was marked improvement from the prior Audit, banks still lagged, like most sites, in their privacy statements. Banks had a privacy statement score of only 25 out of 55, towards the low end of the spectrum.

The primary cause of failures was in sharing and data retention language. Only 22% of banks had language about data sharing, lower than the overall average across sectors. While most sites fared poorly in data retention language, banks were particularly bad. No banks had satisfactory data retention language in their privacy statement. Given the sensitivity of data that banks have, it is important that there be some kind of data retention language.

Learn More

How would your organization do in the Audit? Check out Appendix E – the Best Practice Checklist – to see how you’d stack up, and use it to improve your site’s security and privacy. Then read the report, view the infographic, or watch the recap video to learn more!

Categories
Building Trust Privacy

Privacy Regulations Are Evolving: Are Organizations Ready?

Privacy statements are both a point of contact to inform users about their data and a way to show governments the organization is committed to following regulations. On September 17, the Internet Society’s Online Trust Alliance (OTA) released Are Organizations Ready for New Privacy Regulations? The report, using data collected from the 2018 Online Trust Audit, analyzes the privacy statements of 1,200 organizations using 29 variables and then maps them to overarching principles from three privacy laws around the world: the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA) in the United States, and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.

In many cases, organizations lack key concepts covering data sharing in their statements. Just 1% of organizations in our Audit disclose the types of third parties they share data with. This is a common requirement across privacy legislation. It is not as onerous as having to list all of the organizations; simply listing broad categories like “payment vendors” would suffice. 

Data retention is another area where many organizations are lacking. Just 2% had language about how long and why they would retain data. Many organizations have statements like, “we retain user data for as long as it is needed.” This type of statement is not specific enough for many regulations. 

Other concepts cover users’ ability to interact with their data. Two relative bright spots are that 70% of organizations did include contact information and 50% included information on how users could get information about their data. However, virtually none included this information to the level of detail often required by laws like GDPR. 

For example, while most did have a point of contact, it was rare that the contact was specifically about privacy or to a Data Protection Officer (DPO). It was usually a generic contact email address. OTA’s standard is lower given that most of the organizations in the Audit are in the U.S. and were not held to this higher standard by U.S. law at the time of data col

Finally, OTA advocates, and many privacy laws require, that statements meet certain standards of readability. One simple practice, advocated by the OTA, that can help users navigate complex privacy statements is “layering.” This can be achieved in many ways, from a table of contents to a summary of the principles in the longer statement. Just under half (47%) of companies used layered statements. 

Many of the practices OTA advocates are relatively simple to implement and would go a long way to helping organizations navigate the changing privacy landscape. Read our full report to see the full range of practices advocated by the OTA and how they map to privacy concepts, or view the infographic for a quick reference to some of the findings. For more detail on the data and the methodology we used to generate the standings, see the Online Trust Audit and Honor Roll.