European Governments Operate 3,000+ Tracking Sites With Weak
Global Encryption Coalition Warns Against Online Safety Bill
The UK’s Online Safety Bill risks eroding end-to-end encryption protections for private messaging, according to a coalition of 70 civil society groups, companies, and cybersecurity experts. The letter, addressed to Prime Minister Rishi Sunak, highlights the bill’s clauses that could compel internet services to scan private messages for content, introducing vulnerabilities that threaten both privacy and national security.
The letter notes that weakening encryption would leave UK businesses and citizens more vulnerable to cyberattacks while undermining trust in the country’s tech sector. The Global Encryption Coalition, which includes the Open Rights Group, warns this could replicate Australia’s 2018 experience, where a similar law led to an estimated $1 billion in lost sales for the digital industry. The coalition argues that mass surveillance provisions in the bill “create serious security and privacy risks for all society” while offering “problematic” benefits to law enforcement.
Encryption Standards in Question
SecurityBaseline.eu’s latest report amplifies these concerns with empirical data. The study found European governments operate over 3,000 tracking sites, with 99% of email traffic from these domains using either no encryption or weak protocols like SSLv3 and TLS 1.0. This includes 1,000+ phpMyAdmin portals, a type of database administration interface often exploited by attackers to access unsecured databases. The report’s authors describe the scale as “systemic” and “unprecedented” in the EU’s public sector digital infrastructure.
The technical risks are clear: outdated encryption standards are routinely bypassed by cybercriminals. In 2023, researchers demonstrated how TLS 1.0 vulnerabilities allowed passive observers to decrypt 85% of traffic from legacy government systems. For the 99% of poorly encrypted email systems identified, the exposure spans sensitive data including personal identifiers, financial records, and classified communications.
Industry Implications and Market Trust
The UK’s proposed legislation risks placing British tech firms at a competitive disadvantage against US and EU counterparts. Current EU regulations enforce strict encryption requirements under the GDPR and ePrivacy Directive, creating a regulatory divergence with the UK. This shift could deter foreign investment and harm export revenue, particularly in sectors like fintech and healthcare, where encryption is a baseline expectation.
The letter to Sunak cites Australia’s post-2018 legislative changes as a cautionary case study. The Australian cybersecurity agency reported a 37% increase in data breaches among local firms within two years of the law’s passage. Meanwhile, foreign buyers expressed reduced confidence in Australian software, citing concerns about potential backdoors in messaging platforms. The UK government’s own National Cyber Security Centre has not provided cost-benefit analyses for the proposed scanning requirements, despite repeated calls from industry groups for such data.
Technical and Legal Friction Points
The proposed scanning framework in the Online Safety Bill creates a technical paradox. While proponents claim message scanning can flag child exploitation material, cybersecurity experts argue this approach requires decrypting messages at scale — a practice that fundamentally contradicts end-to-end encryption’s design principles. The bill’s requirement for “accredited technologies” to perform this scanning lacks clear technical definitions, leaving implementation open to interpretation and potential abuse.
Legal scholars have also criticized the bill’s lack of statutory safeguards. The Open Rights Group points out that the framework grants authorities broad powers without judicial oversight, violating the UK Human Rights Act’s protections. This divergence from the EU’s stricter data governance models could strain cross-border collaborations in law enforcement and intelligence sharing.
What to Watch
The UK Parliament’s next scheduled review of the Online Safety Bill in July 2026 will determine whether encryption protections remain intact or if scanning provisions are implemented. SecurityBaseline.eu plans to release a follow-up report in Q3 2026, tracking whether European governments address the 3,000+ vulnerable tracking sites identified in their study. Meanwhile, the Global Encryption Coalition will continue pressuring the government to align the bill with international cybersecurity standards.