For example, I'd be more than happy to pentest some govt websites here in Germany, if the very act of visiting them with a non-standard browser couldn't somehow already be misconstrued as breaking various hacking laws. No thanks! Keep your security vulnerabilities.
And I do think that security research should have some regulation about it, but it should be more about responsible handling of the privileged access you gained, or a responsibility to disclose found vulnerabilities in private and/or to a government entity. You know, "If you have gained access to a system, and you saw a button <Turn off cooling pump 2> and you pressed it, you are on the hook for the damages". That is common practice with paid pentesters already.
But we're at a point where a court had do decide if discovering an endpoint on an API without authorization is a "circumvention of a security boundary" or not. Luckily, we now have a ruling that accessing API endpoints without authorization logic is no circumvention of a security boundary, due to a lack of a security boundary like authorization.
That's the level we are at. I don't want to know what happens if foreign nation state actors start acting on this seriously.
I once ran a vulnerability scan at an industrial company that completely disabled their employees ability to clock in and out. I didnt believe it had anything to do with my scanner at first, but it ran on a schedule and the scanners schedule matched their outages eaxctly.
Eventually it turned out the timecard system had these IOT badge readers with a poorly written tcp stack. It would ACK every SYN, and worse the half open connections never closed, so during a port scan every port was left open until it exhausted the memory on the little buggers.
My point is... you cant know in advance what damage you'll do with this sort of testing. That's kind of the entire reason we have to actually perform the real world tests instead of assuming or emulating them.
It's also the reason that real world scanning without authorization is probably already a crime in most jurisdictions, whether it's enforced or not.
This laws, while i wanne say have a good intention, just do the opposite...
I myself, residing in germany, developed a recon/vuln/scanning tool that im legally forbidden to publish cuz of the laws you just mentioned.
And while URL obscurity alone is weak evidence of "special protection" of a resource, I'm sure some legal team would love to try to argue otherwise.
It seems weird that a system would eventually settle on just full stops and commas, yet not settle on where to put them. If your system is going to converge strongly on two symbols, finish the job!
Headlines: 3.000 governmental sites use tracking cookies illegally, over 1.000 database management interfaces are publicly reachable, 99% of governmental email is poorly encrypted.
(Only noticed because I have a tiny indie search engine that can only index English right now, and the "nl-NL" is causing the page to be misclassified.)
Weird niche bug report aside though - love to see this project, congratulations for working on this. I think it's a great idea.
I'd personally love to see a closer look on government sites that drop cookies before the consent banner has asked permission to do so. I'm not worried about cookies, but if we're going to ignore the consent banner anyway, why waste everyone's time with asking in the first place.
In the USA the government often excludes itself from privacy and other similar laws, did the EU fail to make that distinction?
there are quite a few like this, that on close inspection, are just fine
The data was removed, and tomorrow's reports will reflect that.
A nice addition would be to add who is hosting their email. First handful I've looked at are all outlook.com, which seems a much bigger privacy & security risk than not using DNSSEC.
Something like this? https://livenson.github.io/mxmap/
A few countries have those, here's a Github repo of the Swiss one (has a list of forks in there too): https://github.com/davidhuser/mxmap
We already have some privacy metrics in addition to tracking cookies, and there will be more. All are important at the same time.
When the GDPR became active eight or so years ago, we got a few GDPR related requests to our service. Basically strongly worded requests to remove their data and account, which we of course honored. All of these came from Germany. Nobody else really cared. But it was kind of curious quickly that happened. What was interesting is that we had zero such requests before that law came into power. And it's not like we were misbehaving or would have denied such a request. This was more a matter of principle: "I now finally have the right to ask this, so I'm going to."
Germany is a big reason GDPR got so complicated and why, hopefully soon, it will be updated to not be fixated on just cookies so much. It never really was about the cookies but about data handling and sharing.
Any mobile app you install might track you without setting cookies and you can't install an ad blocker in those either. That's why Google loves apps so much. You don't actually need cookies for those. There usually is no cookie screen when you install one usually (unless it's a web app packaged up as an app). But sharing personal data with a third party provider is still problematic under GDPR. If you read the actual law, it barely mention cookies at all. The "must have consent screen for cookies" is just the common (mis)-interpretation for laymen; because it's the most visible impact that this has had on them. When it comes to date removal and other requests, it's less about features you have and more about processes you use for complying with legal requests. That can be a person answering emails and doing things manually. Doesn't scale if you get a lot of requests but it would be fine legally.
In what way is GDPR focused on cookies?
In my experience, developers in online discussions make it seem all about cookies, pretending other ways of tracking don't exist, while the law does not. But it has been a while since I looked into it and I might remember that wrong.
> There usually is no cookie screen when you install one usually (unless it's a web app packaged up as an app).
A lot of games provide opt-in screens, as they heavily rely on ad networks.
> If you read the actual law, it barely mention cookies at all
Now I am confused, didn't you just say it was focused on cookies?
Because these requests would be 100% ignored. And the law gave people the power they wanted.
I'm mentally and legally far from Germany and I'm not a big supporter of GDPR, but this law is indeed a step in the right direction.
> Germany is pretty hopelessly behind on everything except GDPR enforcement.
https[:]//erasmus-plus.ec.europa.eu/sites/default/files/2026-05/mortal-kombat-2-cs.pdf
VirusTotal claims the PDF file is clean, but I don't think I'd fully trust it anyway. If you do find malicious content, could be worth submitting the URLs to VirusTotal so that the domain is flagged by browsers (eg Google SafeBrowsing) and people can't accidentally visit ec.europa.eu domains until it has been cleaned.
Just to be safe, couldn't we globally disable BGP and internet transit in general in the meantime? In case someone tries to visit it by other means?
But for real, Italian public administration digitalization isn’t as bad as people think when compared to other big countries. SPID (an electronic identity system, now deprecated) was years ahead of many other European countries (and easily, the US), and PEC (a certified email standard for official communications established in 2005, that can be used with standard email clients) is still more advanced than the often more complicated and closed systems used in many other places. The Italian standard also deeply influenced the EU standard: https://dl.acm.org/doi/fullHtml/10.1145/3560107.3560256
I have been working on similar project, focusing on lithuanian-only "goverment" sites, but it's not perfectly obvious how to recognise public vs private websites, as at least half of those are managed privatelly, used publically. (Mostly due that was cheaper and/or because lack of requirements and/or other weird situations.)
But yeah, I can confirm that stats are same-ish in Lithuanian web too. I just havent finished gathering data yet, it will take a while.
Perhaps a freedom of information request might also work, but that will take a lot of time to write correctly and does not scale across all governments.
Given the fact lots of sites like that have Wordpress 'databases' of form submissions full of people's personal data, absolutely definitely emphatically yes.
1. Countries with strong e-government and HIGH understanding of its requirements rank LOW (good!)
2. Countries with evolving e-government practices and LOW understanding of the implications rank HIGH (bad!)
3. Countries FAR BEHIND in e-government practices rank LOW (...good?)
Goes to show that globally we need more tech-literate people on the forefront of politics, so that the proper priorities are also set in execution...
I don't see how such thing could go out in the public calling out government security when they didn't do the bare minimum of checking if the sites they "monitor" are truly governmental sites.
It has 3 HIGH RISK issues because
- DNSSEC is not configured
- Few cookies are send and (ALERT!) Google marketing cookie
- Missing ROA
I get it, it's aggregator but showing red maps is at leals sensationalists
Seems that results are taken from internet.nl, which has WAY better UI than page posted.
GDPR was adopted more than a decade ago and our governments still can't do it right, yet they expect everyone else to get it right. Amazing regulation.