Only 12% of federal sites make online safety honor roll

Craig Spiezle

A safety analysis of Internet domains performed by a privacy advocacy group found that only 12 percent of federal websites have adopted key technologies to help protect their visitors' privacy and identity from abuse.

Moreover, 74 percent of all sites analyzed by the Online Trust Alliance for its third annual Online Safety Honor Roll failed to meet the criteria to make the list and remain vulnerable to increased levels of cyber crime and online fraud.

The criteria for making the Honor Roll are acknowledged as industry best practices and support the Obama Administration's National Strategy for Trusted Identities in Cyberspace (NSTIC), according to the alliance. Those criteria include implementation of email authentication, Extended Validation SSL Certificates and testing for malware and known site vulnerabilities.

An additional criterion for federal websites was support of DNSSEC. DNSSEC, or Domain Name System Security, is a standard designed to protect Internet users from getting misdirected to unintended Net destinations by ensuring domain names remain unchanged in transit. It's in its early adoption stages and still misunderstood by many IT professionals.

The Honor Roll was based on an examination of 1112 domains, their published DNS records and more than 500 million outbound email messages attributed to them. It includes an evaluation of best practices to help protect visitors from forged email, phishing sites and malware.

Although only 26 percent of all the sites analyzed made the distinguished list, that's more than a 200 percent increase over last year, when only eight percent of websites made the list.

The top sector in this year's survey was the FDIC, with 27 percent of its websites making the Honor Roll; followed by the Fortune 500, with 24 percent; and the Internet Retail 500, with 22 percent.

A key principle in the report, email authentication, is recognized as a best practice by the Federal Trade Commission, Federal Communications Commission, Department of Homeland Security, U.S. Postal Inspection Service, U.S. Senate, and leading industry trade organizations including the Email Sender & Provider Coalition (ESPC), Direct Marketing Association, Anti-Phishing Working Group (APWG), BITS (a division of the Financial Services Roundtable), and the Messaging Anti-Abuse Working Group (MAAWG).

"Domain level email authentication is a potent weapon in the fight against spam and phishing attacks," David Vladeck, director of the FTC's Bureau of Consumer Protection, said in a statement. "But, for it to work, legitimate emailers must authenticate the messages they send and receiving domains must refuse delivery of unauthenticated messages."

Across all surveyed sectors, more than 56 percent have adopted either Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM), two proven standards to help identify and block deceptive email.

Reflecting the business value of email authentication, adoption has been led by the top social media sites at 92 percent, followed by the Internet Retail 100 at 84 percent and the largest FDIC banks at nearly 59 percent. By comparison, only 38 percent of leading government sites have adopted email authentication, although that's an 18.8 percent increase over 2010.

"While the level of adoption is failing to adequately protect consumers, the commitment and growth within the public and private sectors is encouraging," stated the alliance's executive director Craig Spiezle. "Government and business leaders need to commit to these guidelines to help prevent a consumer trust meltdown and protect the vitality of the U.S. economy."

For their demonstrated commitment to best practices, industry collaboration and consumer education, the alliance gave special recognition to a number of organizations. They include the Internal Revenue Service, the Social Security Administration, Apple Computer, Citibank, Bank of America, PayPal, Publishers Clearing House, Microsoft, and the White House (whitehouse.gov).

 
