Online Trust Audit Finds Better Email Authentication and Encryption; Worse Privacy Statement Scores

Do you know how – or even if – your favorite retailer, or your bank, or your ISP is working to protect you? The Online Trust Alliance recognizes excellence in consumer protection, data security and responsible privacy practices. Today, we released the 10th annual Online Trust Audit & Honor Roll, covering more than 1,200 predominantly consumer-facing websites, and found that 70% of the websites we analyzed qualified for the Honor Roll. That’s the highest proportion ever, driven primarily by improvements in email authentication and session encryption.

Highlights

Overall, we found a strong move toward encryption, with 93% of sites encrypting all web sessions. Email authentication is also at record highs: 76% publish both SPF and DKIM records (which let receiving mail servers verify that a message came from an authorized server and was not altered in transit, the basis for rejecting spoofed or forged mail), and 50% have a DMARC record (which tells receivers how to handle messages that fail authentication and where to send reports).

It’s not all good news, though. We also found that only 11% of organizations offer a mechanism for vulnerability reporting, which lets users report bugs and security problems. Only 6% use Certificate Authority Authorization (CAA), a DNS record that restricts which certificate authorities may issue certificates for the domain. And overall privacy scores dropped compared to last year, primarily due to more stringent scoring in light of the E.U.’s General Data Protection Regulation and the California Consumer Privacy Act. In addition, 15% of organizations had at least one data loss or cyber breach incident.
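As an added, illustrative example (not code from the OTA report or the Internet Society), the following Python script classifies a domain’s SPF, DKIM, DMARC and CAA records the way a checklist like the Audit’s would: is there an SPF record and does it end in -all, is a DKIM key published, what DMARC policy is set, and is CAA present. It parses record text rather than querying DNS; the two zones below are constructed samples, and the domain names, DKIM selector and mail address in them are assumptions.

```python
"""Classify a domain's email-authentication and CAA DNS records.

Added example, not from the OTA report. Input is a dict mapping a DNS
name to (type, rdata) tuples, so it runs offline on constructed data.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Posture:
    spf: Optional[str] = None           # hard_fail / soft_fail / neutral / pass_all / no_all
    dkim: bool = False                  # a selector._domainkey TXT record with a key
    dmarc_policy: Optional[str] = None  # none / quarantine / reject
    caa: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


# How the qualifier on SPF's "all" mechanism treats senders not listed in the record.
_ALL_QUALIFIER = {"-": "hard_fail", "~": "soft_fail", "?": "neutral", "+": "pass_all", "": "pass_all"}


def _records(zone, name, rtype):
    return [rdata for (t, rdata) in zone.get(name, []) if t == rtype]


def assess(domain, zone):
    p = Posture()

    # SPF: a TXT record at the domain apex starting with v=spf1.
    spf = [r for r in _records(zone, domain, "TXT") if r.lower().startswith("v=spf1")]
    if not spf:
        p.warnings.append("no SPF record")
    else:
        if len(spf) > 1:
            p.warnings.append("multiple SPF records (receivers treat this as a permanent error)")
        p.spf = "no_all"
        for term in spf[0].split()[1:]:
            m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
            if m:
                p.spf = _ALL_QUALIFIER[m.group(1)]
                break
        if p.spf != "hard_fail":
            p.warnings.append(f"SPF ends with {p.spf}; only -all rejects unlisted senders")

    # DKIM: any <selector>._domainkey.<domain> TXT record that carries a public key (p=).
    suffix = "._domainkey." + domain
    for name, rrs in zone.items():
        if name.endswith(suffix) and any(t == "TXT" and "p=" in r for t, r in rrs):
            p.dkim = True
    if not p.dkim:
        p.warnings.append("no DKIM key published")

    # DMARC: a TXT record at _dmarc.<domain>; p= is the policy receivers apply on failure.
    dmarc = [r for r in _records(zone, "_dmarc." + domain, "TXT") if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        p.warnings.append("no DMARC record")
    else:
        tags = {}
        for part in dmarc[0].split(";"):
            if "=" in part:
                k, v = part.split("=", 1)
                tags[k.strip().lower()] = v.strip()
        p.dmarc_policy = tags.get("p", "").lower() or None
        if p.dmarc_policy == "none":
            p.warnings.append("DMARC p=none: failures are reported but not acted on")
        if tags.get("pct", "100") != "100":
            p.warnings.append(f"DMARC pct={tags['pct']}: policy applied to only part of the mail")
        if "rua" not in tags:
            p.warnings.append("DMARC has no rua= address, so no aggregate reports")

    # CAA: "<flags> <tag> "<value>"" records; without any, every public CA may issue.
    for rdata in _records(zone, domain, "CAA"):
        m = re.fullmatch(r'(\d+)\s+(\w+)\s+"([^"]*)"', rdata)
        if m:
            p.caa.append(f"{m.group(2)} {m.group(3)}")
    if not p.caa:
        p.warnings.append("no CAA record: any public CA may issue for this domain")
    return p


# Constructed sample zones (hypothetical names, selector and address).
SAMPLE_ZONE = {
    "example.com": [
        ("TXT", "v=spf1 include:_spf.example.net -all"),
        ("CAA", '0 issue "letsencrypt.org"'),
        ("CAA", '0 issuewild ";"'),
    ],
    "_dmarc.example.com": [("TXT", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com")],
    "s1._domainkey.example.com": [("TXT", "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC")],
}
WEAK_ZONE = {
    "weak.example": [("TXT", "v=spf1 ip4:203.0.113.0/24 ~all")],
    "_dmarc.weak.example": [("TXT", "v=DMARC1; p=none")],
}

if __name__ == "__main__":
    for domain, zone in (("example.com", SAMPLE_ZONE), ("weak.example", WEAK_ZONE)):
        print(domain, assess(domain, zone))
```

The checks mirror what a receiver actually does with these records, so a domain that passes them here is one whose mail can be rejected when forged and whose certificates can only come from the CAs it names. Running it against real DNS only requires swapping the dict for the TXT and CAA answers of a resolver.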

The U.S. Federal government sector surged to the front with 91% of sites placing on the honor roll, a dramatic turnaround from 2017 when they had bottomed out at 39%. Consumer services (including social media, payment services, video streaming, file sharing, and dating) finished second this year at 85%. News & Media and then Banks came in at 78% and 73%, respectively. Internet Retailers came in at 65%, barely edging out ISPs, carriers, hosters and email providers at 63%. Healthcare, a new sector this year, had the lowest overall honor roll placement at 57%.

Top Scorers

The Top 50 (Appendix C) shine bright with the best overall scores across all 1,200 sites we analyzed. They are:

  • Top Overall: Google Play
  • Top Bank: First National Bank of Omaha
  • Top Consumer: Paypal
  • Top Healthcare: 23andMe
  • Top ISP/Host: Google Cloud Platform
  • Top News: Google News
  • Top Retailer: Google Play
  • Top U.S. Federal: Federal Emergency Management Agency (FEMA)

Audit Resources

Too many numbers in here? We have some resources to help distill down the highlights, including:

Webinar

We’re hosting an ISOC community webinar to discuss the Audit results on 24 April, 1PM-2PM EDT (17:00 UTC). See https://www.internetsociety.org/events/ota-honor-roll-webinar/ for more information.

Improve Your Security & Privacy

How would your organization do in the Audit? Check out Appendix E – the Best Practice Checklist – to see how you’d stack up, and use it to improve your site’s security and privacy.

We hope you’ll read the report, view the infographic, watch the video, share the news, and/or join us on the webinar. And be sure to watch OTA on Twitter, Facebook, and LinkedIn and share using #OTATrustAuditHonorRoll!

The post Online Trust Audit Finds Better Email Authentication and Encryption; Worse Privacy Statement Scores appeared first on Internet Society.