
2017 Online Trust Audit Released - What Did We Learn?

Today we released the 9th annual Online Trust Audit and Honor Roll. This year’s Audit is our most comprehensive ever, assessing more than 1000 consumer-facing sites for their adoption of best practices in consumer/brand protection, site security and responsible privacy practices. Each year we raise the bar, using criteria that reflect the latest regulatory environment, attack vectors and commonly accepted practices providing users with notice and control regarding their data. Our goal is to provide practical advice to organizations to help them move beyond compliance to stewardship, thus protecting their customers and their brand while improving trust in the Internet itself. We also recognize excellence in adherence to these practices by naming organizations to the Honor Roll, and this year to the “Top of Class” (top 50 scoring sites).

The results of the 2017 Audit were a mix of the expected and unexpected. Some pleasant surprises:

  • Despite raising the bar in the criteria and scoring, a record 52% of sites assessed made the Honor Roll, led by the Consumer services sector with 76% Honor Roll achievement.
  • The News/Media sector dramatically improved their Privacy scores (rising an average of 20%), and thus cut their Privacy failure rate to only 19%, less than one quarter of last year’s 58%. This helped lead them to an Honor Roll achievement of 48%, their highest ever, and a meteoric rise from 4% three years ago.
  • Adoption of several fundamental technology practices doubled since last year. In response to both security and privacy concerns, use of full-time encryption on sites (also known as “https everywhere”) passed the tipping point, reaching 52%. Use of IPv6 grew to 14%, setting the stage for future growth and IoT, and use of DNSSEC grew to 12% thanks to banks and continued heavy use by government sites.
  • Use of DKIM (an email authentication standard) at the top-level (corporate) domain grew substantially, from 44% to 56%. This is the second straight year of 12% absolute growth.
  • We assessed “cross device tracking” disclosure for the first time this year (where a site correlates your use of multiple devices to access their site), and found that 44% are disclosing this practice, most commonly for consumer services, retailers and news sites. Such disclosure is good news, though it needs to be backed up by restricted data sharing and use by third parties to truly benefit consumers.

However, there were also some unexpected, unpleasant results:

  • 65% of the Top 100 banks had a failure in one or more categories, cutting banks’ Honor Roll achievement in half, from 54% last year to 27% this year. This is less about doing worse, and more about not keeping pace. Many of them use a standardized privacy policy that’s “compliant”, but doesn’t cover the OTA practices aimed at stewardship. This caused a Privacy failure rate of 34% vs. 5% last year. Consumer Protection also dragged down banks’ achievement since more emphasis was placed on use of certain email authentication practices. Since many banks were on the edge of the failure bar in previous years, failure to keep pace caused failing scores.
  • To a lesser extent, Federal government sites also dropped this year, with 60% of sites having one or more failures and only 39% reaching Honor Roll status. This can be almost entirely attributed to lack of thorough email authentication for these sites, leaving many of them open to being spoofed.
  • Through the inclusion of additional data providers and better telemetry, many of the criteria got a deeper look this year, resulting in significant negative shifts in results from previous years. Breach incidents more than doubled to nearly 12%, with some sectors (banks and consumer sites) at 24%. Sites with cross-site scripting (XSS) nearly doubled to 50%. Close examination of SPF and DMARC records revealed that 7-8% of them were actually invalid, likely giving site owners a false sense of security.

So what can we glean from all this? Security and privacy are not resolved with a one-time action. It takes vigilance to keep pace with implementation of new technologies, protect from new attacks, and address new privacy issues (think GDPR). That’s why we included a handy checklist of best practices and resources in the Appendix of this year’s report as well as sample privacy language to address many of the evolving criteria.

Our goal is to help all sites achieve “Honor Roll” status, whether they’re part of the OTA Audit or not. By applying these best practices, we can collectively deliver a safer, more trustworthy Internet to our customers, clients and citizens. As we look to 2018, we intend to extend the Audit with additional criteria and examine additional industry segments. Please share your thoughts and recommendations.