Senators Booker, Harris, and Warren’s presidential campaign websites’ privacy policies say that they will only “share aggregated or de-identified information that cannot reasonably be used by those third parties to identify you.”
However, that’s not necessarily true.
In fact, the presidential campaigns of Senators Booker, Harris, and Warren are failing to meet data security best practices and are exposing the personally identifiable data of their email subscribers to all of their digital partners—not to mention anyone who purchases web browsing data from those partners or collects it through other means.
How is this happening? These Senators’ campaigns are including the personally identifiable information of their email list subscribers and campaign contributors in the website URLs that the links in their emails drive to.
Each of these presidential candidates have partnered with digital marketing and social media companies for various services, such as Facebook, Twitter, Snapchat, and Google, as well as lesser-known companies like AddThis, AB Tasty, Appnexus, and Heap. When you reach their campaign or fundraising websites, each of those partners has little lines of code called pixels or tags that retrieve and store information about your visit—from the type of device that you’re using, to the exact time you visited the website, to your location.
Ideally, all this information would be de-identified, encrypted and securely stored. But, one piece of information that every one of the companies will receive through their code is the full URL of the webpage.
Most of the companies receiving your name or email address aren’t going to sell the raw URL data they collect. Rather, they will aggregate the information they have to provide insights and high-level analytics to their clients. But that doesn’t mean that the practice of putting your information into a URL is inconsequential. When you surf the web, you produce a browsing history of every webpage (or URL) you visit, also called “clickstream data.” Clickstream data is highly valuable to some marketers, so even though it may seem like an invasion of privacy, companies keep finding ways to collect and sell it.
For instance, a company called Nacho Analytics used Google Chrome extensions to collect and sell clickstream data to its clients. While the company thought they were selling anonymized data, personally identifiable and other sensitive information was included in the URLs, just as it is included by these campaign websites. The sensitive data collected by Nacho Analytics included patients’ lab results as well as issues in Tesla’s project management. The company is no longer selling data, thanks to Arstechnica’s coverage of their practices. However, this instance is not unique. Healthcare.gov also shared user information in URL queries. In 2017, German researchers purchased clickstream data and found it disturbingly easy to identify individual users from the URLs and learn more information about their personal habits.
When it comes to data privacy online, US citizens don’t have much. Since we lack comprehensive federal data privacy protections, what few rules there are to secure our data are primarily governed by the terms and conditions and published privacy policies of the companies whose services we use. The Federal Trade Commission has cracked down on companies that don’t comply with their own policies (PDF), but data breaches and problematic practices still abound. If anyone would act against these presidential campaigns, it would likely be the platforms whose privacy policies they are violating rather than any government administration.
Campaigns following website development and digital marketing best practices won’t solve larger online data privacy concerns, and significant research shows that even without your name or email, your clickstream and social media data still make you easily identified. But failure to follow these basic standards can only exacerbate the problem. Each of these candidates are looking to be the next President of the United States of America —their campaigns should at least be expected to follow their own privacy policies.
Editor’s note: As of the publishing of this article, we had not received a response from any of the 3 campaigns. If/When we do, we will update the article below.