William & Mary researchers find flaws in privacy practices of political campaign websites

WILLIAMSBURG, VA – If your inbox has ever been flooded with unwanted emails from a political campaign, you may have suspected that your personal information was somehow compromised.
Such scenarios are all too common, according to William & Mary researchers who recently conducted an investigation into campaign website privacy concerns.
Now, as Americans gear up to cast their ballots in the highly anticipated 2024 General Election, information technology experts are sounding the alarm about flaws in the security practices of some political campaign websites.
According to a recent study published in the IEEE Symposium on Security and Privacy (S&P) by a team of researchers from William & Mary, Google and IBM, campaign websites routinely fail to protect the privacy of their users.
Among the report’s co-authors are two William & Mary doctoral students in computer science, Kaushal Kafle and Prianka Mandal, along with Associate Professor of Computer Science and Secure Platforms Lab Adwait Nadkarni.
The underlying research had previously been presented at last year’s Commonwealth Cyber Initiative.
A total of 2,060 House, Senate and presidential campaigns from the 2020 United States election cycle were examined for the study. It represents the first-ever large-scale analysis of the privacy practices of political campaign websites.
The findings showed that campaigns on both sides of the aisle frequently retained extensive private data for an unknown amount of time and usually provided no or incomplete privacy disclosures.
Campaigns were also likely to share data with other political organizations or even sell user information following the election.
“The only thing users can really do to keep their data safe is to not provide it in the first place,” Nadkarni explained.

Particularly concerning is that campaign websites often not only collected contact information but also highly private data, allowing them to secretly build user profiles without the person’s consent.
By using trackers, often without disclosures, campaigns gained access to users’ browsing habits, which exposed them to microtargeted political ads that were frequently manipulative.
Political campaigns are subjected to less scrutiny than commercial enterprises because they are classified as nonprofit, Nadkarni explained. Even though they collect important data, they are not bound to the same regulations that apply to businesses.
Among the more than 2,000 campaigns analyzed, over two-thirds had collected personal information through their website. Email addresses were collected from 99% of those campaigns, and phone numbers from 62%.
Some of the websites also gained access to details about users’ political opinions and social media use. In rare cases, data defined as “highly sensitive” was collected, including union status and race.
Two additional studies conducted by the researchers found that nearly a third of the campaigns shared users’ email information with other political groups, even though some of them failed to mention data sharing as part of their privacy policy.
Over sixty percent of campaigns that used fundraising platforms did not disclose a privacy policy at all.
Additionally, none of the websites that were analyzed revealed how long they would retain user data. According to Kafle, that means users should accept that after the campaign ends, their data “is going to remain there in perpetuity.”
The researchers stressed that the problem is not confined to any one party or affiliation.
“Privacy really is a bipartisan issue,” said Nadkarni. “We didn’t want the message to become ‘this particular party isn’t doing privacy right,’ but rather ‘there needs to be a legislation to actually make everybody follow best-practice guidelines.’”
The lack of data privacy was not always intentional. Among the campaigns the researchers reached out to, many said they did not have the technical expertise to protect the data because they are grassroots-run.
Still, Nadkarni stressed that when it comes to political campaign websites, users are not in control. The best course of action, he said, is to share the bare minimum of data required when donating to them.
“What users can do in the long term is ask their lawmakers to make regulations to prevent campaigns from misusing data,” Nadkarni said. “Just like there have been movements to rein in for-profits and their use of information, there needs to be a similar push for regulating political campaigns.”
One recent example of an effort in that direction is the Voter Privacy Act, which was introduced in the Senate in 2019. The bill would establish protections “regarding the use of personal information for political purposes.”
So far, however, it has not advanced.
The William & Mary researchers say their work is not done yet. They have already analyzed campaigns from the 2023 Virginia elections and plan to review campaigns from the 2024 federal elections, as well.
Further research will involve identifying examples of “good” campaign websites to provide a blueprint for safeguarding privacy in the political campaign space, they say.
“We intend to increase public attention and awareness on this topic as one of the key outcomes of this study,” Kafle said.
