Throughout the 2020 election, campaign apps and websites transmitted extensive amounts of personal information about users to third parties, sometimes without disclosure, according to a new report released today by a nonprofit Internet watchdog.
The International Digital Accountability Council (IDAC) conducted a two-month investigation during the 2020 general election in the United States to evaluate the data collection and third-party data-sharing practices of election apps and websites, including the apps and websites of President Trump, President-Elect Biden, and more than a hundred other leading 2020 senatorial, gubernatorial, and U.S. House of Representatives campaigns.
“Our report showed that some campaigns collect sensitive information from users of campaign apps and websites, and in some cases share that information with undisclosed third parties,” said IDAC President Quentin Palfrey. “Based on the results of this investigation, we have developed a series of recommendations for how campaigns can improve their practices in collecting and sharing user information.”
“In many cases, even users who comb through the fine print of app and website privacy policies have no way of knowing what personal data campaigns collect from them, what they share with third parties, and how that data is later used,” Palfrey said. “Despite the scrutiny around how campaigns use data that arose in the wake of the Cambridge Analytica matter, our investigation reveals that there is much more work to be done to ensure that the data practices of campaigns align with reasonable user expectations.”
The IDAC investigation found that the Official 2020 Trump App, with 1.4 million combined installs on Apple/iOS and Android, collected users’ geolocation and persistent identifiers and shared this information without disclosure with a third party called Phunware. The report also found campaign apps engaging in a practice known as ID-bridging, a violation of both Google and Apple’s Developer policies that facilitates circumvention of privacy-preserving measures within the device. Additionally, the report raises concerns about campaign apps requesting potentially invasive permissions including location, read contacts, access microphone, and read content of USB storage.
Overall, the investigation revealed five main areas for suggested improvement in campaign app and website practices.
- Privacy Policies: Campaign apps should be explicit and forthcoming in their privacy policies so that users have clear information about which third parties, if any, may get access to their data. In addition to identifying third parties, campaigns should explain what those third parties do with user data. For example, our report shows the Trump App sharing geolocation data and persistent identifiers with a third party called Phunware. In our view, this kind of data-sharing should be disclosed explicitly if it is occurring.
- ID Bridging: Campaign apps should not engage in “ID bridging.” Our research suggests that the current version of the Trump App transmits a resettable advertising identifier and a persistent identifier simultaneously, raising concerns about possible circumvention of privacy protocols and platform terms and conditions. Our research also showed that an earlier version of the Biden App previously may have engaged in this practice as well.
- Permissions: Campaign apps should refrain from requesting permissions characterized in the relevant terms of service as “dangerous,” or should do so in ways that have rigorous privacy protections. In particular, apps’ requests for access to a user’s phone’s address book generally should be avoided, particularly in light of previous concerns about “contact-mapping” that emerged in recent elections.
- Geolocation Data: Campaign apps should not collect geolocation data and persistent identifiers beyond what is absolutely necessary for user functionality. The Trump App seems to be collecting more geolocation data and persistent identifiers than is necessary to accomplish the purposes articulated in their privacy policy, which states that user location is collected “in order to provide certain location-based services, such as DJTFP promotional offers, merchandise offers, or event information or other DJTFP-related content that may be of interest to you.”
- Third Party Sharing: The overall number of third parties to which user data is sent should be kept to a minimum in the spirit of privacy by design and data minimization. For example, our research shows that Lindsey Graham’s official campaign website shares user data with 64 third parties, a much higher number than peer websites (more than double the number of third parties receiving data from the Biden and Trump websites, for instance).
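As an added illustration of the ID-bridging recommendation above (not code from the IDAC report), here is a Python check an auditor could run over decrypted traffic captured from a test device. It flags any request that carries the resettable advertising ID together with a persistent identifier. The identifiers, hostnames and flows are constructed, and matching on hashed forms is an assumption about how an SDK might encode the values.

```python
import hashlib
from urllib.parse import unquote_plus

# Constructed identifiers for a hypothetical test device (not from the report).
AD_ID = "3f2b8c1e-9a47-4d2e-b6a1-0c5d7e8f9a10"    # resettable advertising ID
PERSISTENT = {"android_id": "a1b2c3d4e5f60718"}   # survives an ad-ID reset

def encodings(value):
    """Plain and commonly hashed forms in which an SDK might send a value."""
    forms = {value.lower(), value.lower().replace("-", "")}
    for algo in ("md5", "sha1", "sha256"):
        for variant in (value.lower(), value.upper()):
            forms.add(hashlib.new(algo, variant.encode()).hexdigest())
    return forms

def find_id_bridging(flows, ad_id=AD_ID, persistent=PERSISTENT):
    """Return (host, [persistent id names]) for each request that carries the
    resettable ad ID together with at least one persistent identifier."""
    ad_forms = encodings(ad_id)
    findings = []
    for flow in flows:
        haystack = unquote_plus(flow["url"] + " " + flow["body"]).lower()
        if not any(form in haystack for form in ad_forms):
            continue  # no advertising ID in this request, nothing to bridge
        bridged = sorted(name for name, value in persistent.items()
                         if any(form in haystack for form in encodings(value)))
        if bridged:
            findings.append((flow["host"], bridged))
    return findings

# Constructed sample flows; the hosts are placeholders, not real recipients.
SAMPLE_FLOWS = [
    {"host": "sdk.tracker.example", "url": "https://sdk.tracker.example/v1/event",
     "body": '{"adid":"3F2B8C1E-9A47-4D2E-B6A1-0C5D7E8F9A10",'
             '"device":"a1b2c3d4e5f60718"}'},
    {"host": "ads.network.example", "body": "",
     "url": "https://ads.network.example/i?ifa=" + AD_ID},
    {"host": "metrics.vendor.example", "url": "https://metrics.vendor.example/c",
     "body": "aid=" + AD_ID + "&h="
             + hashlib.sha256(b"a1b2c3d4e5f60718").hexdigest()},
]

if __name__ == "__main__":
    for host, names in find_id_bridging(SAMPLE_FLOWS):
        print(f"{host}: ad ID sent together with {', '.join(names)}")
```

The second flow sends only the advertising ID and is not flagged; the third is flagged because hashing the persistent identifier does not stop the recipient from linking it to the advertising ID.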
You can read the full investigation here or download the report below.