Evaluating the security and data protection risks candidate websites present to consumers
The fallout of the 2016 U.S. Presidential election raised questions regarding voting fraud and distribution of misinformation. From fake accounts and digital platforms to bots and foreign influence, today’s election process is riddled with vulnerabilities. The 2020 federal election promises more of the same.
Instead of looking at digital advertising spend, physical voting issues, website spoofing or general security posture, The Media Trust wanted to understand the extent to which candidates’ digital properties (websites) provide a safe and secure user experience to consumers.
Candidate websites rely on unmanaged, third-party code
In September and December 2019, The Media Trust scanned the primary campaign websites of the incumbent U.S. President and 10 leading Presidential candidates to capture and analyze the code involved in rendering the consumer experience. Using The Media Trust’s extensive insights into digital risk management, the goal was to discover how well the candidates’ campaign websites met industry best practices for security and data privacy with an emphasis on the presence of unmanaged third-party digital code.
- 81% of executing code is from digital third-party vendors, which are entities unmanaged by the website operator, i.e., candidate teams
- 6% of all executing domains, on average, present an unmitigated risk to consumers due to malicious and/or suspect activity
- 1 website directed consumers to media websites that served adware
- 11 candidate websites (all) allow tracking of consumers for at least 2 years; 8 candidates track consumers for at least 10 years
- 71% of executing code on a payment page has zero relevance to the purchase transaction, leaving the door open for compromise. 95% of executing code on Booker’s donation page is not relevant to payment processing.
- Campaign websites continue to collect consumer information even after the candidate dropped out of the race.
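The third-party share and cookie-lifetime figures above can be measured for any single page capture. The sketch below is an added example, not The Media Trust's tooling: the hosts, cookie names and function names are constructed, and the registrable domain is approximated by the last two labels of the hostname.

```javascript
// Added example: constructed data, hypothetical names throughout.
const YEAR_MS = 365 * 24 * 60 * 60 * 1000;

// Assumption: registrable domain = last two labels. A real audit should use
// the Public Suffix List so that hosts under e.g. co.uk are grouped correctly.
function registrableDomain(host) {
  return host.toLowerCase().replace(/^\./, "").split(".").slice(-2).join(".");
}

function auditCapture(siteHost, scriptUrls, cookies, capturedAt) {
  const firstParty = registrableDomain(siteHost);
  const domains = new Set(scriptUrls.map((u) => registrableDomain(new URL(u).hostname)));
  const thirdParty = [...domains].filter((d) => d !== firstParty).sort();
  const lifetimes = cookies
    .filter((c) => c.expires) // session cookies have no expiry and are skipped
    .map((c) => ({ name: c.name, domain: registrableDomain(c.domain),
                   years: (Date.parse(c.expires) - capturedAt) / YEAR_MS }));
  return {
    executingDomains: domains.size,
    thirdPartyDomains: thirdParty,
    thirdPartyShare: Math.round((100 * thirdParty.length) / domains.size),
    cookiesAtLeast2y: lifetimes.filter((c) => c.years >= 2).map((c) => c.name),
    cookiesAtLeast10y: lifetimes.filter((c) => c.years >= 10).map((c) => c.name),
  };
}

// Constructed sample capture of a donation page (not real scan data).
const CAPTURED_AT = Date.parse("2019-12-01T00:00:00Z");
const SCRIPT_URLS = [
  "https://www.candidate.example/js/donate.js",
  "https://static.candidate.example/js/form.js",
  "https://js.payments.example/v3/checkout.js",
  "https://cdn.analytics.example/tag.js",
  "https://pixel.adnetwork.example/p.js",
];
const COOKIES = [
  { name: "session", domain: "www.candidate.example", expires: null },
  { name: "uid", domain: ".adnetwork.example", expires: "2029-12-15T00:00:00Z" },
  { name: "_track", domain: ".analytics.example", expires: "2021-12-05T00:00:00Z" },
  { name: "csrf", domain: "www.candidate.example", expires: "2019-12-02T00:00:00Z" },
];

const REPORT = auditCapture("www.candidate.example", SCRIPT_URLS, COOKIES, CAPTURED_AT);
console.log(REPORT);
```

A site operator can feed the same function the script URLs and cookies exported from a browser capture of the donation page, then review each listed third-party domain for whether it is needed for payment processing.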
Remaining contenders: Consumer data is being harvested
The Presidential candidate field has sharply narrowed in the past few weeks. Let’s focus on the three remaining candidates–Donald Trump, Joe Biden and Bernie Sanders–and compare their websites to the broader candidate slate.
Donald Trump: A more controlled digital environment
The campaign website of Donald Trump, the incumbent candidate, uses a range of cookies and domains to render the user experience. Approximately 69% of the executing code is from third parties, lower than the 81% average used by other campaign websites. However, 5 of the domains do not disclose their provenance and can’t be verified as legitimate.
In general, cookies noticeably declined 23% from September to December. During the donation process, 79% of executing domains on the payment page had no relevance to the transaction, but only 6 cookies were detected. Compared to the other candidates, the Trump campaign website is more controlled, with less reliance on third-party code and minimal tracking of users.
Joe Biden: Consumer tracking on the rise
The campaign website of Joe Biden, a centrist Democratic candidate, paints a different picture. Third parties supply 78% of the code this website relies on, closer to the 81% average.
Reflecting a need to expand consumer reach, this website experienced a large, 1142% increase in cookies, from 24 cookies detected in September to 298 in December. The donation page continues this variability. On the payment page, 71% of the executing domains are third parties and 15 cookies are dropped, more than double the Trump website. Overall, the Biden website presents more risk to consumers in the form of unauthorized data collection.
Bernie Sanders: Moderate consumer tracking
The campaign website of Bernie Sanders, a candidate from the populist left of the Democratic party, falls in between the other two candidate websites. Approximately 73% of the executing code is from third parties, of which 5 domains are suspect.
Cookie tracking activity on Sanders’ campaign website did increase 45% from September to December, but nowhere near as steeply as Biden’s. The donation process recorded 72% of executing domains from third parties with 15 cookie drops. In comparison to the other two candidate websites, the Sanders website exhibits more moderate risk to the average visitor.
The Conclusion: A political minefield no one is navigating
Regardless of political affiliations, candidate websites present a host of risks to consumers, from unwanted code execution to unauthorized data tracking. The primary culprit is the amount of code unmanaged—and frequently unknown—by the candidates and their teams. Uncontrolled third-party code can be used to surreptitiously collect consumer information to target individuals with misinformation or distribute malware and bots for future attacks. The large-scale use of third-party code at the heart of our elections and its ability to influence voter intentions and harvest payment information signals a threat to the overall democratic process. Candidates must act fast to bring their digital assets under full control.