Why the security of the 2016 presidential candidates' websites matters

If you want to run a secure country, you should know how to run a secure website.

After analyzing the technology powering the 2016 presidential candidates’ websites, Paul Schreiber, a web developer for FiveThirtyEight, compared the approaches taken by the teams behind HillaryClinton.com, RandPaul.com, MarcoRubio.com and TedCruz.org. Here’s how they fared on web security:

Hillary Clinton and Republican candidate Marco Rubio scored points with the security crowd for using HTTPS by default. That means that those sites’ traffic is encrypted—so that when you go to check out Clinton’s bio page, for example, a network observer (like your Internet service provider, or a hacker at the same coffee shop as you) can’t see what you’re doing, and can’t easily intercept information you send through the site (such as your email address).

Clinton’s website developers went the extra geeky mile and put in an Easter Egg in the site’s source code: her campaign logo.

Republican ticket seeker Rand Paul has professed to care about preventing Internet spying—even going so far as to sell campaign-branded “NSA spy cam blockers“—but he’s not taking the technical measures he should to protect supporters who visit his website. He has the HTTPS lock on his donations page and campaign store by default, but not on the rest of his website. So if you’re at work and you head over to his volunteer page and click the issues you’re interested in—such as “Sanctity of Life” or “Second Amendment”—the fact that you are anti-abortion and pro-gun could be visible to your IT department.

Rand Paul is great at throwing shade—he’s got a “Hillary hard drive” for sale in his campaign store which has been “wiped clean” in reference to the personal server Clinton was using for her State Department emails—but when it comes to walking the tech-privacy walk, he’s got some work to do.

On Paul’s site, you can at least put a “https” into the url and protect yourself from prying eyes. Not so on Republican Ted Cruz’s .org site. His site only switches to https on the “Donate” page. All of the candidates know they shouldn’t send your credit card numbers in the clear, but Cruz give you no other option than to send all of your contact information (for volunteering purposes) unencrypted, meaning that any malicious attacker observing your web activity—say if you’re cruising Cruz in a coffee shop on a shared Wi-Fi network—could nab your name, address, email, phone number and Twitter handle while it’s in transit.

When it comes to making their sites load quickly and protecting themselves from denial-of-service attacks, Cloudflare has three out of four presidential candidates’ votes. Democratic nomination seeker Hillary Clinton alone went with Fastly.

While Hillary Clinton’s site has a great security profile, it’s got lots of third-party trackers collecting information about visitors. According to tracker-detector Ghostery, only Ted Cruz’s website does more tracking of visitors.

Fusion reached out to the Clinton, Cruz and Paul campaigns for comment and will update if they respond. Meanwhile, privacy-focused site PogoWasRight took a look at the Clinton, Paul and Cruz’s permissive policies when it comes to passing visitors’ information along to third parties. In PogoWasRight’s analysis, Clinton and Paul’s sites “passively collect a lot of information on site visitors—and their mobile devices—from numerous sources… [and] share your information widely with third parties,” including, according to their policies, “vendors, consultants, and other service providers or volunteers.” Cruz’s site also collects this type of information, but its privacy policy isn’t explicit about what will be done with it.

The tech-savvy commenters on HackerNews were a little skeptical of using the candidates’ websites to judge how they’d do in office: “I think it’s a stretch to assume that the way a presidential candidate’s campaign webmaster chooses to configure a website will be any indication of how the candidate would lead the executive branch of government,” wrote one. “Ah, but their sites are using encryption,” wrote another who went on to refer to government debate over consumer encryption. “What’s more important is what they think about everyone else using encryption—and whether they should be using ‘golden split key front doors’ or not. Do a chart for that next.”