
Presidential campaign websites fail at privacy, new study shows

Presidential campaign websites get a failing grade for privacy, according to a new study by the non-partisan Online Trust Alliance, an initiative of the Internet Society. The study analyzed the websites of 23 presidential campaigns, including 19 Democrat and four Republican, for correct Transport Layer Security (TLS) deployment, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) for campaign email, domain locking, as well as privacy policies and data sharing practices.

"Overall, we found that campaigns have strong website security, reasonable email and domain protections, and poor privacy scores," the report concludes. "Privacy statements are the biggest concern, causing failure for 70% of the campaigns."

Not all is doom and gloom, however. A few bright spots stand out in the Internet Society report. Here's the rundown on the good, the bad and the ugly.

Web security

Test all candidate campaign websites through SSL Labs and you'll find strong, modern ciphers and solid TLS configuration. "Using public assessment tools from Qualys SSL Labs and ImmuniWeb, all sites earned an "A" or "A+" in this area," the report says, and had trusted certificates as well as certificate transparency. As a nice bonus, 58% of campaign websites support TLS 1.3, significantly higher than any other sector.

With two exceptions, all campaigns have enabled domain locking to prevent unauthorized transfer of domain ownership. (That's probably two too many, to be honest.) One fun detail the report uncovered is that 74% of campaign sites are available over IPv6, compared to 12% in other sectors.

Email security

Given that phishing and poor email security played a key role in the 2016 presidential campaign, one would hope that campaigns would take the issue more seriously this time around. Some do, but not all.

Use of SPF and DKIM to prevent email spoofing was a bright spot. Eighty-seven percent of campaign domains have deployed both SPF and DKIM, although two campaigns had no email authentication at all.

Sixty-one percent of campaigns had a Domain-Based Message Authentication, Reporting and Conformance (DMARC) record and 30% use DMARC enforcement, which quarantines or rejects messages that fail authentication. A DMARC policy "allows a sender to indicate that their messages are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes - such as junk or reject the message," the DMARC FAQ explains.
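
The difference between having a DMARC record and enforcing one comes down to the record's `p=` tag. The following added example, which is not from the report or the original article, parses DMARC TXT records and separates monitor-only policies from enforcing ones; the domains and records are constructed sample data, and validation is simplified relative to RFC 7489.

```python
# Added example (not from the report): classify DMARC TXT records by policy.
# Domains and records are constructed; validation is simplified vs. RFC 7489.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not usable DMARC."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for i, part in enumerate(parts):
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        # Every tag is name=value, and v=DMARC1 must be the first tag.
        if not sep or (i == 0 and (name, value) != ("v", "DMARC1")):
            return None
        tags.setdefault(name, value)
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return None
    tags["p"] = policy
    return tags

def classify(txt_records):
    """Classify the TXT records published at _dmarc.<domain>."""
    parsed = [t for t in map(parse_dmarc, txt_records) if t]
    if len(parsed) != 1:  # none, or ambiguous duplicates: no policy applies
        return "no-record"
    return "enforced" if parsed[0]["p"] in ("quarantine", "reject") else "monitor-only"

def summarize(domains):
    counts = {"enforced": 0, "monitor-only": 0, "no-record": 0}
    for records in domains.values():
        counts[classify(records)] += 1
    total = len(domains)
    return {"counts": counts,
            "has_record_pct": round(100 * (total - counts["no-record"]) / total),
            "enforced_pct": round(100 * counts["enforced"] / total)}

SAMPLE = {  # constructed records, keyed by hypothetical domain
    "campaign-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@campaign-a.example"],
    "campaign-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@campaign-b.example"],
    "campaign-c.example": ["v=spf1 include:_spf.example -all"],  # SPF, not DMARC
    "campaign-d.example": ["v=DMARC1; p=quarantine; pct=50"],
    "campaign-e.example": [],
    "campaign-f.example": ["p=reject; v=DMARC1"],  # version tag not first
}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A record with `p=none` still counts as "has DMARC" but tells receivers to take no action on failing mail, which is why the two percentages diverge.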

"Given that campaigns are using current email services and the significant concern about phishing in the political realm," the report says, "all should be using DMARC."

Privacy and data use

The collection and use of site visitor data, however, is a Wild West with most campaign sites offering no real data privacy, a cause for concern, the report notes. At a time when enterprise sites are moving toward greater data privacy in compliance with the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), it is striking that presidential campaign sites have largely ignored visitor privacy.

The problem begins with a lack of transparency and gets worse from there. "Five campaigns had no discoverable privacy statement," the report notes. "This yields...an automatic failure. This may be an oversight but is inexcusable since every campaign website is collecting data." The five campaign sites without a privacy statement were Wayne Messam (D), Tim Ryan (D), Mark Sanford (R), Joe Sestak (D), and Joe Walsh (R).

Others had an inadequate privacy statement that failed to disclose data sharing and retention practices, or effectively put no limits on the use of visitor data, permitting unlimited data sharing with "like-minded entities," which runs counter to established norms in other sectors in the US and violates the principles of both the GDPR and the CCPA.

"To remedy the low privacy scores," the report says, "campaigns should implement a privacy statement (if absent), openly state their data sharing practices (if silent), restrict data sharing to only the third parties necessary for the proper operation of their site and services, and require those third parties to adhere to the same restrictions and protections as the campaign itself."

Overall the lack of transparency regarding what campaigns collect and how it is used is troublesome. Not all of that data collection is necessarily bad, but it ought to be disclosed, the report argues. For instance, campaigns must disclose to the Federal Election Commission (FEC) data about campaign donations.

Data retention is also a problem, the report notes. Campaigns are short and data should be disposed of when no longer needed. However, only three of the 23 campaigns examined have any language at all disclosing how long data is kept. Nor did candidate websites offer voters any clear way to contact the campaigns to discover what data is being collected and shared: "Just 8% of campaigns had language about what information users could request about their data, and none had language about users being able to request their data be deleted."

Time for campaign "privacy best practices"?

As industry after industry has discovered to their pain, if you don't do the right thing, eventually the government is going to step in and regulate, sometimes badly. Better to establish strong norms than roll the dice on regulation you might not like.

Presidential campaigns should consider developing privacy best practices and agree to follow them, the report suggests. Campaigning may be a cutthroat affair, but while candidates may come and go, political parties remain. The onus is on them to push campaigns to stick to better privacy norms or face the consequences.

This story, "Presidential campaign websites fail at privacy, new study shows" was originally published by CSO.