Internet Cleanup Foundation launches SecurityBaseline.eu, mapping 21 security metrics across 67,000 European governments and 200,000 domains daily.
Key Takeaways
3,081 EU government sites place tracking cookies without consent, violating GDPR; YouTube (2,077), Google Ads (842), and Facebook (293) are top sources.
1,070 publicly reachable phpMyAdmin portals were found across 3,529 government domains, including two on CSIRT addresses. No EU government contributes financially to the project.
99% of governmental email is poorly encrypted; the platform measures STARTTLS, DMARC, SPF, and related standards.
1,827 traffic-light maps rebuild nightly across 32 countries and 87 regional breakdowns; France leads phpMyAdmin exposure with 513 instances, Slovakia leads tracking cookies at ~10%.
The site pre-notified tens of thousands of EU government addresses three months before launch, giving time to remediate before public disclosure.
Hacker News Comment Review
Commenters questioned dataset accuracy, with one noting Hungarian entries included decommissioned sites and local news outlets with no actual government connection.
Legal barriers to voluntary security research came up, particularly Germany’s §202c/§202a StGB, which can criminalize even passive probing and deters independent pentesting of government infrastructure.
A commenter flagged that measuring email security while ignoring that most domains route their email through outlook.com may obscure a sovereignty risk larger than DNSSEC gaps.
Notable Comments
@nodar86: Flags that at least the Hungarian entries mix decommissioned archives and private local news sites, raising data-quality concerns before governments act on findings.
@elric: Argues red-flagging missing DNSSEC is excessive and that widespread outlook.com email hosting is a bigger unmeasured privacy risk.