We monitored candidate websites in the lead-up to the primaries and recorded all third-party cookies set by each site, along with any server requests to third-party domains. We also observed browser activity when visitors left each candidate site and browsed other sites.
We analyzed tens of thousands of HTTP requests, focusing on those made to third parties, to allow us to identify to which advertising and marketing companies the election candidates are passing data from their campaign sites.
We also reviewed every third-party cookie set to identify which were used to track users for advertising and marketing purposes.
We also sifted through the request headers to see whether personally identifiable information (PII) was being shared.
We found that the websites of the Democrat candidates set an average of 23 third-party tracking cookies from advertising and marketing companies.
This is almost four times as many as the six such cookies set on average by the sites of the Republican candidates, including President Donald Trump’s campaign website.
Why did we use Trump’s site as the benchmark for comparison?
Given the president’s poor record on digital privacy since taking office, it feels reasonable to expect the Democrat hopeful’s sites to perform better, especially given how high-profile candidates, such as front-runner Bernie Sanders position themselves on consumer privacy issues.
The Democrat sites passed data to an average of 16 advertising and marketing companies, many of whom trumpet their ability to target people based on their interests and behavior. This was three times as many as the Republican candidate sites.
Former Vice-President Joe Biden has the most aggressive implementation of advertising technology on his campaign website. Biden’s site sets over 10 times as many third-party ad tracking cookies as Trump’s for example.
What’s perhaps most surprising given Bernie Sanders’ progressive platform and combative public stance against Facebook’s privacy incursions is that his website passes more personal data points to Facebook (email, ZIP Code, phone and first name) than any other candidate’s site.
After Biden, Sanders also has the site that most aggressively tracks its users for marketing purposes.
Facebook’s public reputation may well be in tatters on Capitol Hill but that hasn’t prompted even a single candidate to remove Facebook integrations from their campaign sites. We found 100% of sites we tested passed data to Facebook, and to Google also.
All but three candidates shared personal information submitted on their sites with Facebook. While this personal data was hashed, a one-way encryption process that can’t be directly decrypted, it was shared in such a way that it would be simple for Facebook to match the hashed data with its own user data to indirectly identify individuals.
During our investigation, the field of candidates thinned from 16 to 10. An interesting trend to observe was that the drop-outs had campaign websites that were very much at the lower end of the scale in terms of how they tracked users.
This suggests an uncomfortable reality, that candidates who avoid intruding on user privacy simply fail to get their message across to potential supporters. However if, as privacy advocates, we accept this trade-off, an important question remains:
Where do we the draw the line in terms of how much intrusion by political hopefuls is acceptable?
Unless we have an informed public debate on this issue, we can expect the candidates for 2024 and beyond to continue to sacrifice our privacy in their pursuit of office.