SecurityBaseline.eu
A new initiative, SecurityBaseline.eu, has launched to publicly shame European governments into better cybersecurity, revealing that 99% of their email is poorly encrypted and thousands of sites use illegal tracking cookies. This transparency effort sparked a lively Hacker News debate on data accuracy, legal hurdles for security research, and the inherent challenges of government IT. Commenters are alternately shocked by the findings and critical of the methodology, while also pondering deeper issues of state-level tech literacy and accountability.
The Lowdown
SecurityBaseline.eu, a spin-off from a decade-old Dutch government security monitoring program, has gone live to publicly report on the cybersecurity posture of European government websites. The platform aims to foster transparency and improvement by revealing widespread vulnerabilities and non-compliance across 32 countries, including EU and EEA members.
Key findings highlighted by the report include:
- Illegal Tracking Cookies: Over 3,000 governmental sites are using tracking cookies without informed consent, violating GDPR. Major culprits include YouTube and Google Ads, suggesting a lack of privacy-by-design in government web development.
- Exposed Admin Panels: More than 1,000 database management interfaces, primarily phpMyAdmin, are reachable from the public internet, including instances belonging to two Computer Security Incident Response Teams (CSIRTs). A reachable login page is not a breach in itself, but it exposes database credentials to password guessing and the interface to any unpatched phpMyAdmin vulnerability; such panels are normally confined to an internal network or VPN. The exposure significantly increases the attack surface of critical government systems.
- Poor Email Encryption: A staggering 99% of governmental email systems fail to meet modern security standards for encryption, leaving mail susceptible to eavesdropping and tampering. This summary does not list the criteria behind the figure, but the usual gap is that server-to-server mail relies on opportunistic STARTTLS, which an on-path attacker can strip; unless the receiving domain publishes a policy that obliges senders to require TLS, the sending server cannot tell that encryption was expected. Only the Netherlands and Denmark show slightly better, though still suboptimal, performance.
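The following is an added example, not code from SecurityBaseline.eu or the Internet Cleanup Foundation, and the page does not say which criteria its email metric applies. It shows the distinction a sending MTA makes between opportunistic STARTTLS and TLS that is enforced through DANE (TLSA records, RFC 7672) or MTA-STS (RFC 8461), including the MTA-STS policy parsing and MX wildcard matching a scanner has to get right. All domains, MX hosts, DNS records and policy bodies are constructed for the example; nothing is looked up on the network, and the DANE branch assumes the constructed TLSA records would validate under DNSSEC.

```python
"""Classify a mail domain's transport security as a sending MTA would see it.

Added example; not code from SecurityBaseline.eu. Domain data is constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class MailDomain:
    name: str
    mx_hosts: list[str]
    starttls: dict[str, bool]                 # constructed: which MX advertise STARTTLS
    tlsa: set[str] = field(default_factory=set)   # MX hosts with a TLSA record at _25._tcp.<mx>
    mta_sts_txt: str | None = None            # TXT value of _mta-sts.<domain>
    mta_sts_policy: str | None = None         # body of https://mta-sts.<domain>/.well-known/mta-sts.txt


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 mx matching: exact name, or '*.' wildcard covering one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                  # ".mail.example" keeps the leading dot
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return pattern == host


def parse_mta_sts_policy(text: str) -> dict:
    """Parse the key: value policy file; reject anything a sender would refuse to enforce."""
    policy: dict = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value)        # mx may repeat; every other key is single-valued
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("missing or unsupported MTA-STS version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid MTA-STS mode")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policy must list at least one mx")
    if not policy.get("max_age", "").isdigit():
        raise ValueError("max_age must be a non-negative integer")
    return policy


def classify(d: MailDomain) -> str:
    """Return the strongest transport guarantee a sender can actually rely on."""
    if not any(d.starttls.get(mx, False) for mx in d.mx_hosts):
        return "plaintext"                     # no MX offers STARTTLS (or no MX at all)
    # DANE only helps when every MX is covered; an uncovered MX is a downgrade path.
    if d.mx_hosts and all(mx in d.tlsa for mx in d.mx_hosts):
        return "enforced-dane"
    if d.mta_sts_txt and d.mta_sts_txt.startswith("v=STSv1"):
        try:
            policy = parse_mta_sts_policy(d.mta_sts_policy or "")
        except ValueError:
            return "opportunistic"             # unparseable policy: senders fall back to opportunistic TLS
        if policy["mode"] == "enforce":
            if all(any(mx_matches(p, mx) for p in policy["mx"]) for mx in d.mx_hosts):
                return "enforced-mta-sts"
            return "misconfigured-mta-sts"     # enforce mode, but an MX the policy does not name
        if policy["mode"] == "testing":
            return "opportunistic-testing"     # failures are only reported, never enforced
    return "opportunistic"                     # STARTTLS offered, but strippable on path


# Constructed sample data covering each outcome.
SAMPLE_DOMAINS = [
    MailDomain("plain.example", ["mx.plain.example"], {"mx.plain.example": False}),
    MailDomain("opportunistic.example", ["mx.opportunistic.example"], {"mx.opportunistic.example": True}),
    MailDomain("dane.example", ["mx1.dane.example", "mx2.dane.example"],
               {"mx1.dane.example": True, "mx2.dane.example": True},
               tlsa={"mx1.dane.example", "mx2.dane.example"}),
    MailDomain("sts.example", ["mx1.mail.sts.example"], {"mx1.mail.sts.example": True},
               mta_sts_txt="v=STSv1; id=20240101T000000Z",
               mta_sts_policy="version: STSv1\nmode: enforce\nmx: *.mail.sts.example\nmax_age: 604800\n"),
    MailDomain("testing.example", ["mx.testing.example"], {"mx.testing.example": True},
               mta_sts_txt="v=STSv1; id=1",
               mta_sts_policy="version: STSv1\nmode: testing\nmx: mx.testing.example\nmax_age: 86400\n"),
    MailDomain("broken.example", ["mx.broken.example"], {"mx.broken.example": True},
               mta_sts_txt="v=STSv1; id=2",
               mta_sts_policy="version: STSv1\nmode: enforce\nmx: mx.other.example\nmax_age: 86400\n"),
]


def report(domains: list[MailDomain]) -> dict[str, str]:
    return {d.name: classify(d) for d in domains}


if __name__ == "__main__":
    for name, verdict in report(SAMPLE_DOMAINS).items():
        print(f"{name:24} {verdict}")
```

Only the two "enforced-*" verdicts stop a downgrade; "opportunistic" and "opportunistic-testing" both leave mail readable to anyone who can sit between the two servers, which is the failure mode the email finding describes.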
The project monitors 67,000 government entities and 200,000 sites, visualizing risks with daily updated 'traffic light' maps across 21 metrics. The Internet Cleanup Foundation, behind SecurityBaseline.eu, stresses that these issues require continuous process improvements and investment, rather than one-off fixes, and encourages governments to engage with their public data to enhance online security for citizens.
The Gossip
Data Doubt & Domain Discrepancies
Commenters quickly scrutinized the project's data, with some claiming that many sites flagged as governmental were not, or that critical issues were assigned to defunct informational pages. There was also debate over the relative severity of different findings, for instance whether a missing DNSSEC signature should weigh as heavily as government email being hosted by foreign corporations. The project's author engaged to clarify the methodology for identifying government domains and acknowledged ongoing improvements.
Legal Barriers to Security Scrutiny
A prominent theme revolved around the legal and practical challenges of conducting independent security research on government systems, particularly in Germany. Commenters highlighted strict laws that could criminalize even passive observation or testing, creating a chilling effect. This suggests that such laws inadvertently shield government systems from external assessment, leaving them dependent on internal processes that may be less effective or slower to react.
Governmental Gaffes & Growth Gaps
Many participants viewed the findings as symptomatic of broader issues in government IT, including a perceived lack of accountability, insufficient funding, and a resistance to adopting modern practices. Observers noted patterns correlating countries' e-government maturity with their security scores, and questioned the justification for not hardening less critical 'project' websites, which can still handle sensitive personal data. This suggests a systemic issue rather than isolated technical failures.
GDPR Grievances & Cookie Complexity
The discussion delved into the effectiveness and often frustrating implementation of GDPR, particularly concerning cookie consent. While some were astonished by government non-compliance over a decade after the regulation's adoption, others expressed disdain for intrusive cookie banners and argued that the law's focus has been misdirected from core data handling principles to superficial cookie notices. There was a general sentiment that the spirit of GDPR is being undermined by its practical application.