Campaign Privacy Statements Open Voters to Data Sharing

This story is part of CoinDesk’s 2020 election series exploring questions of information integrity, the rights of digital citizens, the power of centralized platforms, and the future of money.

The 2020 presidential campaign is largely focused on President Trump, the progressive versus centrist wing of the Democratic party and, apparently, according to the New York Times, identifying who broke each candidate’s heart.

Meanwhile, foreign states are known to be targeting our election infrastructure, voters are increasingly concerned about the privacy of their data, and talking points about data and big tech have been rallying cries on the campaign trail for everyone from Andrew Yang to Bernie Sanders and Joe Biden. Whether campaigns are living up to their own talking points is another question entirely. A recent report has found that while the cybersecurity practices of campaign websites hold up to scrutiny, a close reading of privacy policies (or lack thereof) shows some campaigns paying the idea of privacy lip service while simultaneously employing privacy statements that allow for widespread sharing of supporters' data.

The Online Trust Audit for 2020 Presidential Campaigns, conducted by the Internet Society’s Online Trust Association (OTA), examined all the presidential candidates’ campaign websites for cybersecurity, consumer protections and privacy. The report found several campaigns were lacking in key areas, particularly when it came to privacy.

Campaigns either failed or were placed on “Honor Roll status.” The latter scored 80 percent or higher in the report’s assessment, with no failure in website security, consumer protections or privacy. In its initial report, released in October 2019, the OTA found 30 percent of the campaigns made the honor roll, while 70 percent did not. That’s worse than nearly every other sector the OTA examined in previous reports, including retailers, banks and the federal government. The next-lowest industry was the health sector, but even there, 57 percent of entities audited made the honor roll.

That’s worse than nearly every other sector the OTA examined in previous reports.

In the initial version of the report, all the campaigns that didn't make the honor roll failed in the privacy category while two campaigns also had consumer protection failures.

“Overall, we found that campaigns have strong website security, reasonable email and domain protections and poor privacy scores,” concluded the report. “Privacy statements are the biggest concern, causing failure for 70 percent of the campaigns.”

The report found two campaigns had no email authentication, the process that helps recipients verify the sender of a message. But by far the biggest issue was with privacy statements. Four campaigns had no identifiable privacy statement, which the report called “inexcusable;” others included no mention of data sharing (limits or otherwise) or included language that said they’d share data with “like minded entities” or third parties that were not identified (such as the Democratic National Committee).

After this initial report, the OTA contacted individual campaigns and offered to explain their scores as well as how to improve them. Several, including the campaigns of Elizabeth Warren, Julian Castro and John Kevin Delaney, took OTA up on this. Others, including Biden, Tulsi Gabbard and Yang, did not.

The result is that when the OTA re-released the scores in December, the honor roll to failure ratio had shifted from 30-70 to 50-50.

OTA removed the campaigns that dropped out from the data and bolded the names of those campaigns that had graduated from the failure tier. However, improvement was limited.

“Their data-sharing language is either absent or very, very broad,” says Jeff Wilbur, OTA technical director.

Almost all the privacy statements have a line saying the campaigns don't sell, rent or share your data, he says. Then they go on in several paragraphs to explain all the exceptions . In the political realm this may seem understandable, but Wilbur says it's still a concern.

“Just because I show an interest in one presidential candidate doesn't mean that I'm opting in automatically to all the rest of that stuff,” he says. “It seems to be like it's all or nothing.”

If you were wondering why you randomly started getting urgent emails for fundraising purposes from the Republican or Democratic national committees, it’s likely because you gave money to a campaign or signed up for email updates, thereby launching your data into a rotating crop of third-party vendors and political organizations that will use your information for years to come.

“There is a lot of power and value in the data that's being collected,” says Maurice Turner, deputy director of the Internet Architecture Project at the Center for Democracy and Technology, an advocacy organization ensuring the internet remains open, innovative and free. “Because of the prevalence of opportunities to micro-target, there is a great incentive to collect more data about visitors about donors, and then be able to share those with other networks.”

Multiple campaigns

Turner says voters might just want to support a single candidate or issue rather than the Democratic ticket writ large. But by supporting one campaign that has data-sharing stipulations in its privacy statements, voters' information is shared across so many other organizations that they start getting emails and messages from folks they've never heard of before.

Campaign privacy statements tend to be boilerplate, according to Turner. Party members are likely to see the same statements over and over again. Campaigns hire a company to run their websites without looking into the details of what the privacy policies entail.

Parham Eftekhari, executive director for the Institute for Critical Infrastructure Technology, a cyber security think tank based in Washington, D.C., says campaigns need to have a higher level of integrity when it comes to these types of efforts, and people should be given an option to opt out of these information sharing practices.

“I believe these campaigns have an ethical, and in some terms moral obligation to do everything in their power to reasonably defend the privacy and the protection of the data they're collecting,” says Eftekhari.

There is a tension between achieving the political outcomes people want and maintaining control of personal data and privacy. Putting together a multifaceted political coalition, full of sometimes disparate actors who come from a variety of socioeconomic and demographic backgrounds, is a big ask. Personal data allows campaigns, PACs, and others effectively to pursue ad campaigns, fundraising, and get out the vote actions. But the lack of clarity or asterisks identified by the OTA in campaigns’ privacy statements show that engaging with even one campaign can open your personal data up to a bevy of other actors, whether you want them to have it or not.