Comparing the Privacy Policies of the Presidential Campaign Websites

Romney Word Cloud

Many elected officials are in favor of more online privacy…except when it comes to how they use data to target voters and raise money. While neither presidential candidate has made online privacy issues a part of his campaign, the debate over privacy is certainly a hot topic in Washington. In addition, both the Obama and Romney campaigns have released mobile apps, and transparency of mobile apps have been the focus of the initial multistakeholder processes for privacy initiated by the NTIA. With that in mind, I decided to investigate the privacy practices of the two presidential campaign websites.

There are some clear differences between the privacy policies on the campaign websites. For example, the Obama for America website has much more detailed disclosure of its practices and uses of information. Perhaps this is not surprising since transparency is one of the key principles in the Obama Administration’s proposed Consumer Privacy Bill of Rights. The Obama for America campaign also appears to be using more services that collect and use data on its website.

In contrast, the Romney for President campaign website has fewer cookies and a shorter, less-detailed privacy policy. However, it is not entirely clear that the privacy policy on the Romney for President website is accurate or up-to-date. Notably, how data are collected and used in the recently announced Romney for President mobile app does not appear to be described in the privacy policy. In addition, there appears to be a contradictory statement in its policy about what data are collected.

The principle shortcoming of both privacy policies is in how they deal with PII shared by a third-party, such as a friend or family member. Both privacy policies are largely silent on this issue, and I would like to see more detailed information from both campaigns on how this information is handled.

Below is a summary of what I found, along with a few notes. All of this is based on the privacy policies available on the respective campaign websites as of August 1, 2012. The Obama for America privacy policy can be found here; the Romney for President privacy policy can be found here. Corrections, comments and feedback are welcome.

Length

The first major difference between the two campaigns is obvious: the privacy policy for the Obama for America website is approximately three times the size of the Romney for President website.

Romney: 821 words

Word cloud of Romney privacy policy
Obama: 2,569 words

Word cloud of Obama privacy policy

Readability

Both privacy policies score about the same on the Flesch Reading Ease test. The higher the score, the easier a document is to read, and neither privacy policy does particularly well on this metric. (A high score, e.g., above 60, would indicate that the policy is easily understood by a 13-year-old student.) Both websites seem to make some effort to use plain language to make their policies understandable to a non-technical audience. Neither are particularly good models of how to write a privacy policy, although the privacy policy for Obama for America is better organized with headings and sub-headings to make it a bit easier to understand.

Romney: 35.5
Obama: 34.9

Date of Privacy Policy

The privacy policy for the Obama for America website was last updated in February 2012. The Romney for President website does not provide any date for its current privacy policy or state when it was last revised. Not including the date of last revision is a bad practice because users cannot tell when the policy has been updated.

Romney: No information available
Obama: Last revised February 3, 2012

Information Collected

Both campaign websites encourage users to share similar types of information, including their names and addresses. However, the Romney for President website appears to have a misleading statement in its privacy policy about the type of information it collects. Of note, both sites encourage visitors to use tools on their websites to reach out to friends and family to raise money and awareness. The Romney for President privacy policy has an extremely broad policy on how it can use this information. The policy states, “We reserve the right to store any information about the people you contact through our website.” The Obama for America privacy policy does not address how, or if, this data is stored and used.

Romney: The Romney for President website privacy policy does not clearly state what kind of personally identifiable information (PII) is collected by the site. The privacy policy also includes a statement which seems to claim that no PII is collected. The policy states: “Information collected by Romney for President is Non-Personally Identifiable (“Non-PII”) which includes IP host address, browser type, computer operation system, date and time of an ad request, and Internet Service Provider details.”  This statement appears to be false. The website collects PII for various activities, such as when a user registers on the site, donates to the campaign, or volunteers to contact other voters. The collection and use of this information is not addressed in the privacy policy.

Obama: The Obama for America privacy policy clear indicates that both PII and non-PII is collected by the campaign including when individuals create a profile on the site, donate to the campaign, participate in surveys, or use the voter registration tool. The policy states that non-PII, such as IP addresses, operating system, browser type, and referrer, are treated as PII when it is linked to other identifying information.

Methods of Tracking

Organizations routinely use information to track how users interact with a website or other digital media. The Romney for President privacy policy only references the use of cookies to track users. The Obama for America privacy policy notes that it users both browser cookies and local shared objects (i.e., flash cookies) on its site.  It also uses web beacons (e.g. clear graphic files) to track usage of the website and campaign emails.  I find it unusual that the Romney for President campaign is not using web beacons or similar technology to track the effectiveness of campaign emails. This suggests to me that either it is running a less sophisticated social media operation than the Obama for America campaign or that its privacy policy is inaccurate.

Cookies

The Obama for America website has 16 third-party cookies compared to 11 on the Romney for President website. More (or less) use of cookies should not be interpreted positively or negatively. Four of these third-party cookies are used on both campaign websites. The cookies are for the following domain names: adnxs.com, atdmt.com, beacon-1.newrelic.com, and doubleclick.net.  Adnxs.com is for AppNexus, an online advertising platform; atdmt.com is Atlas Solutions, part of Microsoft Advertising; newrelic.com is for New Relic, a website performance tool; and doubleclick.net is for the Google AdSense network.

Romney: 11 third-party cookies, 12 cookies total

  • adap.tv
  • adnxs.com
  • atdmt.com
  • beacon-1.newrelic.com
  • cn.clickable.net
  • crwdcntrl.net
  • doubleclick.net
  • gigya.com
  • log3.optimizely.com
  • mittromney.com
  • scorecardresearch.com
  • sharethis.com

Obama: 16 third-party cookies, 20 cookies total

  • ad.yieldmanager.com
  • adnxs.com
  • adsonar.com
  • atdmt.com
  • barackobama.com
  • beacon-1.newrelic.com
  • d.adroll.com
  • donate.barackobama.com
  • doubleclick.net
  • fastclick.net
  • interclick.net
  • invitemedia.com
  • login.barackobama.com
  • lucidmedia.com
  • my.barackobama.com
  • netmng.com
  • s.thebrighttag.com
  • tribalfusion.com
  • twitter.com
  • youtube.com

Information Sharing

Neither campaign imposes much of a restriction in its privacy policy on how data are shared with third parties. Both campaigns disclose certain information sharing, such as that campaign donations are reported to the Federal Election Commission.

Romney: The Romney for President privacy policy states, “Information may be shared with our third-party service providers, as well as with unaffiliated third parties including, but not limited to, instances where the information is not personally identifiable, or if the host site feels reasonable obligation by law.” That seems like a convoluted way of saying that the campaign may share any information it has with any third-party.

Obama: The Obama for America privacy is not much different. While the policy states “It is our policy not to share the personal information we collect from you through our Sites with third parties, except as described in this Policy or as otherwise disclosed on the Sites,” the policy then lists exceptions such as “with candidates, organizations, groups or causes that we believe have similar political viewpoints, principles or objectives.”  Such broad exemptions in its policy basically make any form of data sharing permissible under this policy.

Mobile Apps

Romney for President has a mobile app for iOS (i.e., iPhones and iPads) and Android. Obama for America only has a mobile app for iOS. The Obama for America website has details about how data from mobile devices is used in its apps and on its site. Similar information is not included in the privacy policy on the Romney for President website. Neither does the privacy policy explain why the Android app has the capability to collect location data. If this data is being collected and used by the campaign, it should be mentioned in the privacy policy. The privacy policy for the iOS app should also be indicated on the iTunes App Store.

One interesting note is that the Romney for President app (“Mitt’s VP”) is a whopping 25 megabytes compared to 4.1 megabytes for the Obama for America app. It is unclear why the Romney for President app is so large, given its relatively limited functionality.

Romney: There is no privacy policy or additional terms or conditions for the campaign’s iOS app in the iTunes store. The privacy policy for the Android app in the Google Play store links to the main privacy policy on the campaign website; however, the privacy policy on the campaign website makes no mention of the app, mobile devices, or data collected by the app. Also, the Google Play store indicates that the app has access to geo-location data, however, the collection and use of this information is not mentioned in the privacy policy.

Obama: The privacy policy on the Obama for America websites covers both the website and the mobile app. The privacy policy on the campaign website specifies that the mobile app collects geo-location data from mobile devices. The iTunes App Store includes also includes a link to a license agreement for the Obama for America app that includes additional privacy details.

 

Print Friendly

About the author

Daniel Castro is a Senior Analyst with ITIF specializing in information technology (IT) policy. His research interests include health IT, data privacy, e-commerce, e-government, electronic voting, information security and accessibility. Before joining ITIF, Mr. Castro worked as an IT analyst at the Government Accountability Office (GAO) where he audited IT security and management controls at various government agencies. He contributed to GAO reports on the state of information security at a variety of federal agencies. He has a B.S. in Foreign Service from Georgetown University and an M.S. in Information Security Technology and Management from Carnegie Mellon University.