Internet Society’s Online Trust Alliance (OTA)
2018 Online Trust Audit & Honor Roll
CC BY-NC-SA 4.0

TABLE OF CONTENTS

Overview & Background
Executive Summary & Highlights
Best Practices Highlights
Consumer Protection
Site Security
Privacy Trends
Domain, Brand & Consumer Protection
Email Authentication
Domain-based Message Authentication, Reporting & Conformance (DMARC)
Opportunistic Transport Layer Security (TLS) for Email
Domain Locking
Domain Name System Security Extensions (DNSSEC)
Internet Protocol Version 6 (IPv6)
Multi-Factor Authentication (MFA)
Site, Server & Infrastructure Security
Server Implementation & Vulnerability Analysis
SSL/TLS Certificate Types
DDoS Mitigation
Vulnerability Reporting Mechanisms
Malvertising
Privacy, Transparency & Disclosures
Transparency
Readability & Disclosures
Data Handling
GDPR Compliance
Cross-Device Tracking
WHOIS Registrations
Data Loss Incidents & Regulatory Settlements
Conclusion
Appendix A – Audit Results Infographic
Appendix B – Methodology & Scoring
Appendix C – 2018 Top 50 Honor Roll
Appendix D – 2018 Honor Roll Recipients
Appendix E – Best Practice Checklist
Appendix F – Implementation Resources
Acknowledgements

Endnotes

Overview & Background

This 2018 Online Trust Audit and Honor Roll, which takes a snapshot of best practice adoption as of the end of 2018, represents the 10th year the Online Trust Alliance (OTA) has conducted benchmark research to promote security best practices, data stewardship and responsible privacy practices. The primary goals of this work include raising the level of data security and privacy, and recognizing organizations that have demonstrated security and privacy excellence. In addition to the Honor Roll status (Appendix D), this Audit includes a “Top of Class” list representing the top 50 organizations based on their total score (Appendix C).

Recent headline news regarding business email compromise ($123M extracted from Facebook and Google), large breaches (383 million records from Marriott) and questionable handling of users’ data (series of revelations regarding Facebook), as well as the commencement of the EU’s General Data Protection Regulation (GDPR), reinforce the need for organizations to embrace best practices in all areas – email security, site security and privacy practices. The 2018 CIGI-Ipsos Global Survey on Internet Security and Trust continues to paint a bleak picture of the state of online trust. More than half of those surveyed are more concerned about privacy than the year before, and the majority have a high level of distrust of social media platforms, search engines and Internet technology companies. [1] [2] [3] [4] [5]

In many areas, business practices are moving out of alignment with consumer expectations. Left unchecked, mistrust in the privacy and security offered by organizations may have chilling effects. For the Internet economy to prosper, users need to be able to trust that their personal information will be secure, their preferences respected and their privacy protected.

The OTA recommendations and best practices evaluated in this Audit apply not only to email, websites and mobile applications, but increasingly to the expanded universe of Internet of Things (IoT) offerings. In addition to this Audit, IoT manufacturers should review OTA’s IoT Trust Framework for recommendations specific to IoT offerings. [6] The 2018 Audit has been enhanced in several areas – additional subsectors, one major new sector (healthcare), and expanded criteria in each major category, which now totals more than 100 data attributes (Appendix B) – thus providing a more comprehensive view of online trust across a wider range of relevant organizations. New criteria have been added and weighting has been updated to reflect the evolving threat landscape, regulatory environment and globally accepted practices. In addition, high-level GDPR-related principles were captured to create a baseline for future Audits. To assist organizations, this report includes a Best Practices Checklist (Appendix E) and Implementation Resources (Appendix F).

It is important to note that the Audit is limited to a slice of time. Based on the dynamic nature of website and application configurations, organizations’ scores may have changed since the Audit was completed. All analysis was done without the active participation of the sites being analyzed. Sites were selected based on their ranking within their individual sectors or public lists (or organizational membership in the Internet Society). In instances where a significant vulnerability was identified, OTA abided by coordinated disclosure practices and attempted to contact the “at-risk” entity providing them a chance to remedy the observed issue and be rescored before publication of this report.

Executive Summary & Highlights

The 2018 Online Trust Audit & Honor Roll assesses nearly 1,200 organizations, examining consumer protection, security and privacy protection practices. [7] Enhancements to the Audit include additions of new subsectors in the News/Media and Consumer sectors (sports news, video streaming and payment services) as well as a new sector – Healthcare. This sector includes top medical insurance companies, pharmacies, medical testing labs and hospital chains. The sectors examined and the associated top-ranked organizations include:

- 2018 Internet Retailer Top 500 (IR 100 & IR 500) [8]
- Top 100 Federal Reserve Banks (Bank 100) [9]
- Top 100 U.S. Federal government organizations (Federal 100)
- Top 100 Consumer Services companies (Consumer 100) [10]
- Top 100 News and Media organizations (News 100)
- Top 100 ISPs, Carriers & Hosters (ISP/Hosts 100)
- Top 100 Healthcare organizations (Health 100)
- OTA (Internet Society) Member organizations (OTA) [11]

“We are pleased to see more and more organizations satisfy the criteria for the Online Trust Alliance Honor Roll over time as they rise to meet society’s growing demand for a safer Internet.” – Neil Daswani, Senior Vice President, Consumer Chief Information Security Officer, Norton LifeLock

While the majority of segments remain the same, the actual list of organizations audited each year changes based on revenue/traffic ranking and market consolidation. This year, with the addition of the Healthcare sector and additions or shifts in organizations on the ranked lists, approximately 30% of organizations are new to the Audit.

As in previous years, 100 baseline points can be earned in each of the three major assessment categories (consumer protection, site security and privacy). Bonus points are applied for emerging best practices and penalty points are applied for breaches, legal settlements and observed vulnerabilities. A minimum score of 60 is required in each of the three categories. Bonus points are limited to a maximum of 20% of the baseline score. Sites qualify for the Honor Roll by achieving a score of 80% or higher overall with no failures in any one of the three core categories.

2018 has seen record achievement, with 70% of organizations earning Honor Roll status (the previous high was 52% in the 2017 Audit). Given that the methodology was updated to “raise the bar” in all three scoring categories, this is impressive. Scores of former OTA members are not incorporated in the results (except the overall top scores) since they would skew the results (98% achieved Honor Roll status).

[Figure 1 – Overall Honor Roll Achievement by Year, 2015-2018: 44% (2015), 50% (2016), 52% (2017), 70% (2018)]

As illustrated in Figure 2, Honor Roll achievement grew in all sectors despite more stringent criteria in this year’s Audit. [12] The Federal 100 outscored all sectors with 91% achievement, overtaking the Consumer 100, which has been the top sector for six consecutive years. U.S. federal government entities were also most improved, followed closely by the Bank 100 and News 100. The newly added Healthcare sector had 57% Honor Roll achievement, lagging all other sectors.

[Figure 2 – Percent Achieving Honor Roll Status by Sector, 2015-2018. Sectors shown: IR 100, IR 500, Banks, Consumer, News, Fed, ISP/Hosts, Health]

As in previous years, results were nearly bi-modal, with a majority of sites either qualifying for the Honor Roll or failing in one or more areas. As illustrated in Figure 3, only 3% overall neither failed nor qualified for the Honor Roll, ranging from 0% to 7% for individual sectors.

[Figure 3 – Distribution of Honor Roll vs. Failures by Sector]

In the 2017 Audit a “Top of Class” category was created, representing the top 50 (Top 50) overall scores. This year all sectors are represented in the Top 50, as shown in the table below (note that because several organizations are in multiple sectors, the total exceeds 100%). The biggest shift in the Top 50 was the Federal sector, which doubled from 12% in 2017 to 26% this year. The Bank sector, which had no presence in 2017, had three organizations in the Top 50 this year. A full listing of the Top 50 scoring organizations can be found in Appendix C.

TOP 50 SECTOR PERFORMANCE

Code  Sector                           % of Top 50
C     Consumer Services                40%
F     US Federal Government            26%
R     Internet Retailers               14%
O     OTA (Internet Society) Members   12%
B     Banks                            6%
H     Healthcare                       4%
I     ISPs, Carriers & Hosters         4%
N     News/Media                       4%

Figure 4 – Top 50 Performance by Sector

The top overall score in the Audit was earned by Google News,