Federal agencies led all other sectors in the Online Trust Alliance’s annual audit of websites for consumer protection, data security and privacy practices.
A subsidiary of the global nonprofit Internet Society, OTA analyzed more than 1,200 mostly consumer-facing websites and found federal agencies most improved, with 91 percent making its honor roll. The average for all sectors was 70 percent qualification, the highest proportion in the audit’s 10-year history, driven by improvements in email authentication and session encryption.
On the flip side, privacy statements improved little with most organizations scoring below 50 percent — often due to undefined data sharing with third parties.
“Looking forward, there are many opportunities for organizations to limit the impact of massive data breaches and stop questionable data collection and tracking practices,” reads OTA’s report. “Many site owners now prevent users from using known breached username/password pairs and are implementing multi-factor authentication to limit the impact of breached passwords. Similar capabilities are also being incorporated into browsers.”
Most browsers also now incorporate ad and tracker blocking of some kind, filling a void left by many sites, according to the report.
Among federal agencies, the Federal Emergency Management Agency’s website received the top score for the sector and was among 11 other agencies whose sites placed in OTA’s top 50: the Department of Agriculture’s Food Safety and Inspection Service site; the Department of Health and Human Services’ Medicare and Healthcare.gov sites; the Department of Treasury; Federal Communications Commission; Federal Trade Commission; General Services Administration; National Oceanic and Atmospheric Administration; Office of Personnel Management; Securities and Exchange Commission; and U.S. Coast Guard.
For the third year running, federal sites’ security scores led all other sectors. The federal sector also led in Internet Protocol version 6 adoption, at 46 percent of sites.
But federal agencies and internet service providers were least likely to articulate what data they collect on their sites and why, at 90 percent, and only 38 percent of federal sites included a way to contact the agencies’ data protection officers.