Net Election

The Personal Is Political

Slate and the Industry Standard join forces to examine the effect of the Internet on Campaign 2000. 

The Bush and Gore campaigns will absolutely, definitely protect your privacy when you visit their Web sites.

How do you know? Because they say so.

Privacy has become a burning issue on the Internet, forcing consumer and commerce sites to refine privacy policies and requiring major Internet advertising firms such as DoubleClick to retool their entire strategies. For political Web sites, however, privacy is trickier, and their definitions of privacy are by no means uniform. In September, the Center for Democracy & Technology, an advocacy group, graded the Web sites of 11 candidates on whether they had clearly accessible privacy policies. Sen. John McCain, R-Ariz., and Vice President Al Gore received “A” grades. Texas Gov. George W. Bush’s site “flunked”—it had no privacy policy. Former New Jersey Sen. Bill Bradley received a “C+.”

Ari Schwartz, a CDT policy analyst, says that after those initial ratings, all four of the major candidates “were very receptive” about posting privacy statements, and the Bush site now prominently posts a privacy policy that closely resembles Gore’s.

Still, there is enough information exchanged on these sites to raise doubts about whether “private” means private. The availability of data that, from a political transparency perspective, might seem like a virtue can also seem like an invasion of privacy. For example, if you make an online donation of $200 or more, the Gore campaign, by law, will transfer that data to the Federal Election Commission, where your donation becomes a matter of public record.

Because Bush does not abide by voluntary federal election limits and therefore isn’t required to reveal donations, his campaign says it bends over backward to disclose donations online. Hence, every contribution also is theoretically available on the Bush site. By searching through the database, you can find the names and home addresses of donors who have given Bush as little as a dollar. That is information that many donors might prefer to keep confidential.

Both Gore and Bush also collect information online about campaign volunteers (home address, phone number, etc.) and later allow those who sign up to remove their names from volunteer lists. Both sites say they don’t reveal such lists. (It’s impossible to verify those claims because neither side submits to a third-party audit.)

Bush uses “cookies,” text files stored by the visitor’s Web browser that reveal a great deal about an individual’s Internet use. Gore doesn’t use cookies but will soon. Both “may” share contributor lists with other organizations unless the visitor “opts out.”

And what happens to information collected by defunct campaigns? “Any Web site that collects identifiable data from visitors does so voluntarily,” says Tim Kane of Enonymous.com, which rated candidate sites for privacy in March. “The key issue for us is if the data collected is then sold or shared outside the campaign.”

“The Internet has raised the privacy issue far beyond where it has ever been,” says Michael Cornfield, Democracy Online Project professor at George Washington University in Washington, D.C. “It’s one celebrity scandal away from making it to the top tier. … It has to happen to somebody everyone is familiar with so they can imagine it happening to them.”

Even if the candidates’ sites have the best intentions, they are also theoretically susceptible to hackers. Marc Maiffret of eEye Digital Security, a division of eCompany, visited the Bush and Gore sites and noted that the credit-card information the candidates collect from donors could be vulnerable to theft.

“Both sites were broken into,” Maiffret says. “On Oct. 19, Bush’s was broken into and linked to the International Communist site. In April 1999, it happened to Gore—whoever broke into it replaced it with a joke page.”

Both those attacks were harmless pranks, but Maiffret warns, “A more malicious person could change the Web site without letting anyone know. They could have stolen information.”

Greg Sedberry, Bush’s e-campaign manager, downplays the Bush site’s vulnerability. “An FTP on one of the machines in our cluster was left open, which allowed something to be uploaded. In no way were the other machines vulnerable. Since then, we’ve employed a firewall and a 24/7 monitoring service.”

Todd Webster, Gore’s deputy communications director, denies that Gore’s site has ever been hacked since it debuted on April 6, 1999. “We’ve got extremely good security measures,” he says, declining to discuss them in detail. The campaign’s privacy policy, however, touts the use of Secure Sockets Layer (SSL), which protects data transmission. “Our server is located in a locked, secure environment, with a guard posted 24 hours a day.”

“SSL is a buzzword,” Maiffret scoffs. “That doesn’t mean the information is secure. It may be encrypted en route, but once it’s there, it sits there. Being in a locked room doesn’t make it any more secure at all.”

Tim Dick of Grassroots.com, a political-action Web site, says sites should be audited by third parties such as TRUSTe, an Internet oversight organization that uses its symbol as a kind of Good Housekeeping seal of approved privacy practices.

Dave Speer of TRUSTe adds, “In my experience, the No. 1 reason why some Web sites might say they don’t use third-party oversight, because they do it themselves, is that they made a business decision to avoid third-party oversight.”

Can political consumers protect their privacy? “I’d say they should read the privacy policy,” says Kane of Enonymous.com. “But I can’t with a straight face. We all know privacy policies are god-awful, legalistic documents.” He recommends free software from PrivacyRatings.org, which rates Web sites’ privacy as you surf.

Speer doesn’t expect this issue to die. “Privacy is going to be an issue in this campaign, and in four years, it’s going to be the No. 1 issue,” he says.