OTA: Most Top Websites Don’t Follow Best Security, Privacy Practices

Craig Spiezle, executive director of the Online Trust Alliance, sees online data breeches and privacy fumbles in much the same way an environmentalist might view chemical leaks or oil spills.

There are the headline-grabbing catastrophes: last year’s theft of credit and debit card information from Target; this year’s Heartbleed vulnerability, for example. Then there are the smaller breaches that don’t get much attention, but which still cause cumulative harm.

“It’s this aggregate effect that may be kind of like pollution,” Spiezle says. “You have a little bit of it and it’s acceptable or people look the other way. [But] at what point does the Internet become like another Love Canal or another Lake Erie that’s so polluted that it can’t be used? I really believe that the business community needs to look at the long-term impact here.”

The latest ratings from the Online Trust Alliance (OTA) found that 70 percent of the 800 leading consumer Websites evaluated were not following the best practices for privacy, data protection, and domain protection.

Spiezle’s organization has for nine years been helping businesses understand and adapt to the constantly evolving landscape of online threats. Those range from the annoying—OTA originally focused on combating spam, back when anti-spam capabilities were a competitive differentiator—to the dangerous: This year’s audit criteria includes a website’s susceptibility to the Heartbleed vulnerability. The alliance is turning its attention to mobile apps next, an area that other online data privacy watchers—such as San Francisco-based for-profit company Truste—also focus on.

The Bellevue, WA,-based, member-funded nonprofit group—which emerged from efforts Spiezle initiated to unite competitors on these issues while working at Microsoft and now has members including Symantec, Constant Contact, PwC, Twitter and many more—helps develop best practices for online data privacy and security. One of its primary tools for disseminating these practices is an annual Online Trust Audit and honor roll, both of which are being released today.

Spiezle
Spiezle

The alliance evaluates almost 800 of the largest websites in retail, financial services, government, social media and gaming, and, new this year, news and media—which fared poorly. More on why in a minute.

The audit scrutinizes the sites in three broad categories: domain and brand protection, privacy, and security. It evaluates more than 50 criteria, from e-mail authentication practices to privacy policy language to use of encryption technology like Secure Sockets Layer (SSL). The criteria are weighted and adjusted each year to keep up with changing threats and new government regulations, adhering to the most stringent of these, such as California’s new disclosure requirements for handling of “do not track” signals from Web browsers.  The Online Trust Alliance develops and publicizes the criteria and methodology in an effort to get companies to adopt best practices.

“Our goal is to provide that prescriptive advice,” Spiezle says, adding: “We want companies to make the honor roll.”

This year, just over 30 percent of companies across all sectors evaluated made the honor roll, meaning they had a composite score of at least 80 percent of available points, and no less than 55 percent in any of the three broad categories.

Twitter stood out in the social media group, which had the highest percentage of companies make the honor roll, but also the highest rate of data breaches over the last year.

Among Internet retailers, American Greetings was deemed most trustworthy, followed by Netflix, Christian Book Distributors, Sony Electronics, Ancestry.com, Big Fish, Walmart, Newegg, Books-A-Million, and JackThreads and Zulily, which tied. (Spiezle proudly notes the presence of two Seattle-area companies—Big Fish and Zulily—among the top 10.) The OTA does not name and shame the least trustworthy companies.

I asked Spiezle for his read on consumer engagement with online security and privacy issues today.

“On one hand you have people that are very tuned in and they’ve gone to the no-script mentality, Adblock Plus. They don’t trust anything,” he says. “There are others who say, ‘I’m just immune to it at this point. It’s the breach of the day.’ Either one of those I think are really bad.”

It’s up to businesses to protect users, even those who may be lackadaisical about their online security, and to earn back the trust—or at least stop losing it—of those who block everything, he says.

For the first time, the audit looked at the top news and media sites. Only two of the 50 evaluated—Google News and The New York Times—made the honor roll. Spiezle says many of these sites were not built on secure platforms, since they ask for little information from consumers beyond registering with a user name and password.

“They haven’t felt the need of encryption, because it was only a user name and a password for access to the site,” he says. But today, that qualifies as personally identifiable information (PII), which California requires businesses to take reasonable steps to protect, and for good reason.

“The challenge is all too often [consumers] use that same user name and password on other sites, and if it gets compromised on the [media site], where else can it be compromised?,” Spiezle says. “I think that’s another call to action. We need to think about how we encrypt that data and that secure transaction.”

The Online Trust Alliance is now turning its attention to mobile apps, an area rife with security and privacy concerns.

“Consumers, somewhat naively, are downloading apps willy-nilly today,” he says. “They’re going to the [app] stores, and not recognizing how these apps may be collecting their data from their mobile lifestyle….There’s a tremendous amount of innovation and ease of getting a product in a marketplace or in a store, but today there’s little security vetting of those apps or verification of how they’re collecting data on you as a user.”

As an initial step, the alliance plans a report in September comparing Internet retailers’ apps on iOS versus Android. “Our belief is a consumer should have consistent security and privacy experience independent of the way they interact with a commerce site,” Spiezle says, acknowledging the inherent challenge in testing this.

He says app developers need to be clear about what data they’re collecting from users, and that it’s consistent with the function of their application.

“There was a solitaire game—I play solitaire—and it wanted my physical location,” Spiezle says. “Really? That’s not consistent with playing a game by yourself. They’re doing it for data mining purposes and there’s nothing wrong, as long as the consumer has full and clear disclosure and understands that tradeoff.”

Here, too, the industry risks alienating consumers if it doesn’t take steps to improve.

“In the absence of self-regulation, in the absence of these best practices, we can run into this breakdown, a tragedy-of-the-commons type scenario where consumer trust becomes diminished,” Spiezle says.

The Online Trust Audit report can be downloaded here.

Author: Benjamin Romano

Benjamin is the former Editor of Xconomy Seattle. He has covered the intersections of business, technology and the environment in the Pacific Northwest and beyond for more than a decade. At The Seattle Times he was the lead beat reporter covering Microsoft during Bill Gates’ transition from business to philanthropy. He also covered Seattle venture capital and biotech. Most recently, Benjamin followed the technology, finance and policies driving renewable energy development in the Western US for Recharge, a global trade publication. He has a bachelor’s degree from the University of Oregon School of Journalism and Communication.