Hiawatha Bray | Tech Lab

Most presidential candidates’ websites don’t do enough to protect visitors’ privacy, report says

Supporters of Elizabeth Warren waited for her to appear during a town hall in Austin, Texas, last month. Nick Wagner/Austin American-Statesman via AP

Even as political operatives prepare for the most tech-focused presidential campaign yet, an online watchdog group is warning that most candidates’ websites don’t do nearly enough to protect the privacy of visitors.

The Online Trust Alliance, which develops privacy and security standards for Internet sites, tested the sites of 23 presidential candidates and found major problems with the privacy policies of six campaign sites, including that of Massachusetts Senator Elizabeth Warren and former vice president Joe Biden.

Only seven campaigns made it to the organization’s “honor roll” of sites with adequate privacy policies. These include the Internet sites of President Trump and Vermont Senator Bernie Sanders. Candidates Pete Buttigieg, Senator Kamala Harris, Senator Amy Klobuchar, Beto O’Rourke, and Marianne Williamson also made the cut. But “even those that passed, barely passed,” said Jeff Wilbur, the OTA’s technical director.


Few people read the privacy policies that are part of most major websites. But they amount to a contract, promising visitors that the site will set reasonable limits on how it will use personal data.

In a survey of 1,200 commercial and government sites, the OTA found that 70 percent of them had privacy policies that met alliance standards, compared with just 30 percent of the politicians’ websites. Four candidates for president — Wayne Messam, Tim Ryan, Mark Sanford, and Joe Walsh — didn’t even have a privacy statement on their websites.

Even sites with passing grades had plenty of room for improvement, said Wilbur. For instance, many commercial sites promise to share data only with other organizations that also have strong privacy policies. There’s no such promise on the Trump website, Wilbur said, so even if the campaign does not abuse visitor data, it might share the information with less trustworthy organizations.

On the other hand, the Trump site explicitly promises to comply with a federal law that forbids the collection of personal information from anyone under age 13. Wilbur said that more than half of the candidate sites don’t include such a pledge. The Warren website, for instance, doesn’t mention the child privacy law.


The Warren campaign declined to comment.

Wilbur said that political operatives aren’t used to thinking about data privacy. “I believe it has to do with the traditional way data is shared within political parties,” he said. “I would hope that they could re-evaluate how that’s done.”

But there also was some more encouraging news in the OTA report. All of the campaigns scored high on website security. For instance, they all use SSL encryption at all times, to ensure communications aren’t intercepted. In addition, all but two use e-mail services with “antispoofing” technology, to prevent cybercriminals from issuing fake e-mail messages using a candidate’s e-mail address. But there was some backsliding — in 2016, all the candidates used spoof-proof e-mail.

The OTA report arrives in the midst of a political campaign in which GOP and Democratic officials are gearing up to apply the most advanced techniques of data science in an effort to seize control of the White House and Congress.

Civis Analytics, a company run by veterans of the Barack Obama campaigns, is providing digital support to Democratic candidates in 30 Senate races, 100 House races, and thousands of state legislative contests.

“We’re doing pretty advanced stuff around deep learning and neural networks,” said David Shor, head of Civis’s political data science business. “We’re now trying to predict a very large number of things at once.”


Companies such as Civis begin with publicly available lists of registered voters, and combine them with census data, as well as information purchased from giant data brokers like Equifax and Acxiom. These companies collect sensitive information about nearly everyone in the US, including our shopping habits, auto ownership, and places we’ve lived or worked.

Such data science techniques have been around for years. But during this election cycle, candidates are using them to aggressively hone their messages. For instance, Shor said, until recently data science wasn’t used to test the effectiveness of political ads.

This time, Civis is assembling groups of voters selected by its data scientists and showing them ads for Democratic candidates. A week later, those participants are asked who they will vote for. The results are often surprising.

“Amazingly, 20 percent of the ads we tested make people want to vote for Republicans,” Shor said.

On the GOP side, Mike Shields, former chief of staff of the Republican National Committee, said that the next big thing is a more efficient fund-raising platform.

In 2004, a company called ActBlue offered an easier way for Democratic candidates to raise huge sums of money online by collecting millions of small donations. “Last cycle, it helped process more than $1.6 billion that was put into Democratic campaigns,” said Shields, who credits ActBlue with a major role in winning a Democratic majority in the 2018 House elections.


“It’s the one advantage they have over us,” said Shields. “We had no answer for that.”

Now they think they do — it’s called WinRed, and, like ActBlue, it’s supposed to provide a one-stop online fund-raising center where citizens can easily make small donations to GOP candidates. Launched three months ago, WinRed has already raised more than $30 million for Republican candidates, from 639,000 donors. Shields credits WinRed for the GOP’s success in last month’s special congressional election in North Carolina’s Ninth District.

WinRed has also been embroiled in controversy. On Monday, the Republican National Committee sought to quash rumors that WinRed officials may seek to personally profit from the service, and that they might use the money and the sensitive personal data collected by WinRed to undermine critics of President Trump.

Hiawatha Bray can be reached at hiawatha.bray@globe.com.