Would you trust a random political canvasser to do whatever they wanted with your resume, your friends' email addresses—and perhaps your profile pictures?

That's precisely what you may be doing when interacting with political campaign websites, according to a new study published in the IEEE Symposium on Security and Privacy (SP) by researchers from William & Mary, Google, and IBM. Two W&M doctoral students in computer science—Kaushal Kafle and Prianka Mandal—respectively served as first and second authors.

The underlying research has already been presented at many events—including the 2023 Commonwealth Cyber Initiative Symposium, where it won the Best Poster Award.

"The only thing users can really do to keep their data safe is to not provide it in the first place," said co-author Adwait Nadkarni, Class of 1953 Associate Professor of Computer Science and Secure Platforms Lab lead at William & Mary.

The study examined 2,060 House, Senate, and presidential campaigns from the 2020 United States election cycle, representing the first large-scale analysis of the privacy practices of political campaign websites. Those campaigns, the study revealed, often retained extensive private data for an unspecified amount of time, generally provided incomplete or no privacy disclosures, and were likely to share data with other campaigns or sell them post-election.

Highly private data was often collected alongside contact information, the study found, allowing campaigns to build user profiles without their explicit consent. The often undisclosed use of trackers gave campaigns access to user browsing habits, exposing them to microtargeted political ads that have often been defined as manipulative and as a potential danger to democracy.

Nadkarni remarked that this work "just happened to fit" with the data and democracy initiatives from the university's Vision 2026 strategic plan, as well as the proposed new school in Computer Science, Data Science, Applied Science, and Physics. The research process also highlights another Vision 2026 pillar—careers.

"This paper came out of an existing collaboration with IBM Research," said Nadkarni. "The way these collaborations usually work is having students intern with collaborators, working on collaborative research as part of their internship project."

What data are we surrendering?

Political campaigns, Nadkarni explained, are classed as nonprofit, receiving less scrutiny than commercial enterprises. They collect data of significant value but still aren't subject to the same regulations applying to businesses.

Over two-thirds of the 2,060 campaigns examined were found to collect personal information through their websites, with the most collected data being email addresses (99%) and phone numbers (62%). Other data types ranged from political opinions to social media information and, in rare cases, data such as union status and race, defined as "highly sensitive" by the researchers.

A few campaigns also obtained information about people other than the user—thus without consent.

The researchers performed two additional studies to understand data-sharing implications. Thirty-one percent of campaigns shared email information with other political entities, but over one-third of these didn't mention data sharing in their privacy policy. Sixty-one percent of campaigns using fundraising platforms did not have a privacy policy at all.

None of the campaigns disclosed how long they would retain user data. "So, what happens to that data after the campaign ends? You should accept that it is going to remain there in perpetuity," said Kafle.

Researchers also conducted a security risk analysis and found out that campaign websites were generally secure, although a small number included malicious outbound links that weren't adequately vetted. Seventy-three percent of campaigns used trackers. Of these, almost two-thirds didn't have a privacy policy; among those that did, one in four did not mention trackers.