Political campaign websites are designed to raise money and collect personal information, such as email addresses, for future solicitations. The sites may also ask for your age, sex, education and ethnicity in order to better target this follow-up marketing.
Ever wonder how well these campaign sites protect that information or if they share it?
The nonprofit, nonpartisan Online Trust Alliance (OTA) recently audited the websites for 23 presidential candidates (including those of so-called third-party White House wannabes) to examine their security, consumer protection and privacy practices. This was done anonymously and without the sites’ participation.
The OTA report (2016 Presidential Candidates Online Trust Audit) noted that since the infrastructure for these websites is new and for limited purposes, "the adoption of security and privacy best practices should be relatively straightforward."
"We naively felt that they would have been more in tune with privacy principles, but based on the results, we were wrong," said Craig Spiezle, OTA’s executive director. "The vast majority of these sites fail to adhere to fair information privacy practices (FIPPS), which ironically one of the candidates will have to uphold if they become president."
The six sites making OTA’s Honor Roll are those of Republicans Jeb Bush, Chris Christie, Rick Santorum and Scott Walker, who has ended his campaign, and Democrats Lincoln Chafee and Martin O’Malley.
Christie had the only site that made it possible for supporters to opt out of having their personal information sold or shared, the report noted.
Spiezle told NBC News that OTA contacted all 23 presidential campaigns to ask for a comment and offer its help. Only one responded: the campaign of Republican candidate Bobby Jindahl — with a threat to take legal action, according to Spiezle.
NBC News emailed all of the major candidates whose sites received failing grade but did not receive any responses.
Security is good, but…
The report found that on the whole, the sites audited have "excellent security configurations," but it advised the campaigns not to be complacent.
It warned the campaign sites that they are "breaches waiting to happen" as they are "prime targets for people motivated by the commercial value of the data, politics or hactivism."
One area singled out for improvement: campaign email. The majority of the candidates’ email systems "are still exposed to the possibility of email being spoofed or forged," the report concluded. This could result in scams or malware being delivered to their supporters.
Privacy experts compare presidential primary campaigns to start-ups. Everyone is in a rush to get it done now and they may cut corners because they know they may not be around in a few months.
"This is an incredibly temporary infrastructure for most, being thrown together as quickly as possible," said Chris Babel, CEO of TRUSTe, an online privacy management service. "When you reach out to 20 venders to assemble a campaign and you want it up and running in a matter of months, some of these things get dropped."
"On the Site, you may wish to participate in contests and other promotions that we may offer from time to time," it says. "Through these promotions, you may choose to participate in activities such as sharing information found on the Site with others and sending e-mail invitations. In connection with any contests and other promotions that we may offer from time to time via the Site, we use the information you provide to administer the contests and other promotions."
"If this were any major site, it would be quite a cause for alarm," he said.
Information sharing is routine
The OTA audit found that most campaigns stated in their privacy policies that they might share any personal information collected from supporters with any "like-minded" organizations.
"With vendors, consultants and other service providers or volunteers who need access to such information to carry out work on our behalf," it says. "With candidates, organizations, campaigns, groups or causes that we believe have similar goals and with organizations that facilitate communications and information sharing among such groups."
So, if you share your personal information with a candidate, you should expect to receive solicitations from other candidates in that party, and maybe from the party itself.
"It shouldn’t be a surprise that candidates share information," said Jules Polonetsky, executive director of the Future of Privacy Forum.
But would they ever sell this information?
"Carly for President may provide or sell your email address or other personal information to third parties for fundraising or other purposes," it says. "Additionally, we may share your personal information with select third parties who offer goods or services we think may be of interest to you."
The Clinton website also says it might sell personal information collected, but only in certain situations, such as reorganization or formation of a new or successor organization. It does not explain who it could sell the data to in those circumstances.
Very few people read privacy policies. So it's best to assume that if you provide your personal information to a political candidate or party it's going to be shared. If this concerns you and you still want to help the campaign, you might consider using a disposable email address when you sign up on the website and limit the information you provide.
Privacy experts would like to see the candidates take this issue more seriously. In an "Open Letter to the Presidential Candidates" OTA’s Craig Spiezle calls on the parties and the candidates to make respect for privacy a part of their political platforms.
It's a candidate's "duty to protect and be a steward of the data and personally identifiable information voters entrust to them," he wrote.