Report: Most Government Sites Fail Security Audit

About 60 percent of federal sites failed the Online Trust Alliance's trustworthiness test.

Most federal websites failed a security and privacy assessment by the Online Trust Alliance, a nonprofit advocacy group.

Consumer sites including Airbnb, Pinterest, Twitter and YouTube made the OTA’s Honor Roll, a benchmark score incorporating a company’s data security and privacy practices, such as email authentication and web app firewalls. While about 76 percent of the 100 consumer sites analyzed passed OTA’s assessment—identity protection site LifeLock was the top performer—about 60 percent of government sites failed it, according to OTA.

Many federal sites didn’t have adequate email authentication processes for users, a major factor in the failure of about 55 percent of the 100 federal sites OTA benchmarked. Within those sites, Healthcare.gov was the top performer and Census Bureau, the Grants & Aids part of the Education Department, and the Postal Service also passed the assessment. Sites making the Honor Roll had a composite score of 80 percent overall.

OTA’s audit involved a complex analysis of a site’s consumer protection elements, site, server and infrastructure security, and privacy and transparency disclosures. The alliance also dinged sites for past data breaches and vulnerabilities. It analyzed the sites anonymously without their active knowledge or participation.

Consumer services constituted the most trustworthy online industry, OTA concluded, while banking was the least. Federal sites constituted the second least trustworthy sector.

Across industries, OTA found that adoption of web security protocols that protect online interactions from redirection—HTTP Strict Transport Security, Always on SSL or HTTPS Everywhere—jumped from 29.8 percent of sites to 52.2 percent.

The operators of several sites attributed that growth to “increased concerns of third party and government spying on web activities,” the report said.

About 11.7 percent of sites adopted IPv6, the protocol that can accommodate more addresses than the older IPv4, compared to 7.4 percent last year.

Adoption of web app firewalls jumped to about 68.1 percent of sites OTA analyzed, compared to 35.8 percent last year.