Deep Dive: U.S. Federal Government’s Security and Privacy Practices

In April 2019, the Internet Society’s Online Trust Alliance released its 10th Annual Online Trust Audit & Honor Roll. The Audit looks at the security and privacy practices of over 1,000 of the top sites on the Internet, from retailers to government sites. In this post we take a deeper dive into the U.S. Federal Government sector of the Audit. The Government sector is defined as the top 100 sites in the U.S. Federal Government by traffic (based on Alexa ranking). Because the U.S. Government can mandate practices in a way companies cannot, this sample has some unique properties, most visibly in site security.

The most obvious place the government excels is encryption. This is largely because the Department of Homeland Security has mandated that all U.S. Government websites be served over HTTPS (Binding Operational Directive 18-01, which also requires HSTS), but the standard should be the same for any site. Put another way, the other sectors in the Audit have no excuse for lagging in security.

In site security the Government sector fared the best with 100% adoption of “Always On SSL” (AOSSL) and/or “HTTP Strict Transport Security” (HSTS), compared to 91% of sites overall. The health sector fared the worst with 82% of sites using these technologies. The two are complementary. AOSSL means every page of the site, not just the login or checkout pages, is served over HTTPS, with requests for http:// URLs redirected to the https:// equivalent. HSTS is a response header (Strict-Transport-Security) that tells the browser to use only HTTPS for that host for a stated period, so after the first secure visit the browser never sends a plaintext request to the site again; sites on the browsers’ HSTS preload list get that protection from the very first visit. Together they keep traffic to the site encrypted end to end rather than encrypting only the pages a developer remembered to protect.
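The Audit scored sites on whether they redirect plaintext requests to HTTPS and whether the HTTPS response carries a valid HSTS header. The script below is an added illustration of what such a check looks like; it is not the Online Trust Alliance’s own test harness, and its one-year minimum for max-age is an assumed hardening threshold (the value the browser preload list requires), not the Audit’s published methodology. The sample responses at the bottom are constructed, not captured from any real site.

```python
"""Audit-style check for Always On SSL (AOSSL) and HTTP Strict Transport Security.

Added example, not the Online Trust Alliance's code. The pass thresholds are
assumptions; the sample responses are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # assumed minimum max-age; matches the HSTS preload list requirement


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: request URL, status, lowercased header map."""
    url: str
    status: int
    headers: Dict[str, str]


def parse_hsts(value: str) -> Optional[Dict[str, object]]:
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.

    Returns None for a header a browser must ignore: max-age missing or
    non-numeric, or any directive repeated. Unknown directives are skipped.
    """
    seen: Dict[str, str] = {}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None  # directives must appear only once
        seen[name] = val.strip().strip('"')  # value may be a quoted-string
    max_age = seen.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in seen,
        "preload": "preload" in seen,
    }


@dataclass
class AuditResult:
    aossl: bool
    hsts: bool
    findings: List[str] = field(default_factory=list)

    @property
    def passed(self) -> bool:
        """The Audit counted AOSSL and/or HSTS, so either one passes."""
        return self.aossl or self.hsts


def evaluate(http_resp: Response, https_resp: Response, min_max_age: int = ONE_YEAR) -> AuditResult:
    """Judge one site from its plaintext response and its HTTPS response."""
    findings: List[str] = []

    # AOSSL: the http:// request must redirect to an https:// URL on the same host.
    aossl = False
    target = http_resp.headers.get("location", "")
    if http_resp.status in (301, 302, 307, 308) and target:
        t = urlsplit(target)
        aossl = t.scheme == "https" and t.hostname == urlsplit(http_resp.url).hostname
        if not aossl:
            findings.append(f"http:// redirects to {target!r}, not to HTTPS on the same host")
    else:
        findings.append("http:// served content directly instead of redirecting to HTTPS")

    # HSTS: only a header received over TLS counts (RFC 6797 section 8.1).
    if "strict-transport-security" in http_resp.headers:
        findings.append("HSTS header sent over plain HTTP is ignored by browsers")
    hsts = False
    raw = https_resp.headers.get("strict-transport-security")
    if raw is None:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
    else:
        policy = parse_hsts(raw)
        if policy is None:
            findings.append(f"malformed HSTS header: {raw!r}")
        elif policy["max_age"] < min_max_age:
            findings.append(f"HSTS max-age {policy['max_age']} is below the assumed minimum {min_max_age}")
        else:
            hsts = True
            if not policy["include_subdomains"]:
                findings.append("HSTS lacks includeSubDomains; subdomains stay reachable over HTTP")
    return AuditResult(aossl=aossl, hsts=hsts, findings=findings)


# Constructed sample responses (hostnames and headers are made up for this example).
GOOD_HTTP = Response("http://agency.example/", 301, {"location": "https://agency.example/"})
GOOD_HTTPS = Response("https://agency.example/", 200,
                      {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"})
WEAK_HTTP = Response("http://shop.example/", 200, {"strict-transport-security": "max-age=31536000"})
WEAK_HTTPS = Response("https://shop.example/", 200, {})

if __name__ == "__main__":
    for label, pair in (("agency.example", (GOOD_HTTP, GOOD_HTTPS)), ("shop.example", (WEAK_HTTP, WEAK_HTTPS))):
        result = evaluate(*pair)
        print(f"{label}: AOSSL={result.aossl} HSTS={result.hsts} passed={result.passed}")
        for finding in result.findings:
            print("  -", finding)
```

The second sample shows the caveat that trips up real deployments: an HSTS header is only honoured when it arrives over TLS, so sending it on the plaintext response while omitting it from the HTTPS response gives no protection at all.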

Most sites in the Audit fared well here, but the Government sector was the only one to reach 100% adoption. From OTA’s perspective all sites should be adopting these technologies, and while it is encouraging that the U.S. Federal Government (or at least its top 100 sites) has, it is discouraging that none of the other sectors reached 100%.

In addition, the Government sector improved over time. All sectors improved somewhat, but the Federal Government was the only one to cross the finish line. Here again it is important to note that the Federal Government is unique in some ways: Homeland Security can simply mandate encryption and it happens. For companies and other kinds of organizations the path may not be as straightforward, but that is no excuse not to work towards full encryption.

In 2017, 91% of Federal Government sites were encrypted, rising to 100% in 2018 as noted above. Other sectors improved as well. ISP/Hosting sites went from 70% in 2017 to 91% in 2018. Banks, a sector where encrypting website traffic is particularly important given the types of data sent over those sites, also saw a marked improvement: in 2017 just 76% of banks encrypted their sites, and in 2018 that number jumped to 91%.

Despite improvements across the board in site encryption, banks are a good example of where improvement is not enough. The Government sector sets the standard. The lesson for all organizations from the success of the U.S. Federal Government is simple. It’s possible to encrypt large numbers of sites quickly – and it’s in the interest of any organization to do so.

How would your organization do in the Audit? Read the report to see how you’d stack up, and use it to improve your site’s security and privacy. Then view the infographic or watch the recap video to learn more!
The post Deep Dive: U.S. Federal Government’s Security and Privacy Practices appeared first on Internet Society.