Privacy Flag

Threat Observatory / Early Warning System

The PrivacyFlag Observatory is focused on providing a holistic overview of the privacy landscape in the modern Internet. The basic idea is to inform users, developers, stakeholders and researchers on the level of adoption of best practices as well as how prevalent insecure, obsolete and deprecated technologies are. Furthermore, interested parties can observe the rate of commitment to privacy related technologies for the most important web sites, since PrivacyFlag is based on active and live crowdsourcing.

PrivacyFlag Observatory is organized in three distinct categories, Confidentiality, Security and Privacy of Data. All of them are related to the Privacy of your Data in a direct or indirect way. Find why:


Confidentiality means that unauthorized access to information is not permitted and that accidental disclosure of sensitive information is not possible. Common confidentiality controls are user IDs, passwords and encryption. Data encryption is the basic mechanism to protect the confidentiality of your information to remain private. It is absolutely necessary to encrypt sensitive data such as passwords, credit card numbers etc. but it is even better to encrypt everything. Modern web sites provide various encryption mechanisms. In PrivacyFlag we check whether a website respects a user’s privacy by encrypting his/her data. The following information helps you to be aware of common confidentiality mechanisms next time you visit a website!

Percentage of websites that provide data encryption (SSL/TLS).

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL) are standard security technologies for establishing an encrypted link between a server and a client—typically a web server and a browser. When a website uses either of these mechanisms, you will notice that the "http" in the address line is replaced with "https" and you should see a small padlock in the status bar at the bottom of the browser window. [for more information read How Encryption Works]

Percentage of websites that provide HSTS.

“https” is the standard way of securing web traffic, and providing confidence to users that are on a website through the padlock icon. However, the default for most of the web is still “http”: if you type in a URL without specifying “https” (e.g. ) then the browser will default this to “http”. Being on an “http” channel will make you vulnerable to loss of information by an attacker. For example, in a public wifi and hotel wifi, a hacker can eavesdrop on all of the connections going over this insecure, wireless network. [for more information read What is HSTS and how do I implement it?]

Percentage of websites that use a trustworthy certification chain.

Digital certificates are electronic credentials that are used to assert the online identities of individuals, computers, and other entities on a network. Digital certificates function similarly to identification cards such as passports and driver’s licenses. They are issued by certification authorities (CAs) that are trusted by the connecting client (web browser). The root certificate is generated by a CA and is embedded into browsers. The list of digital (SSL) certificates, from the root certificate to the website certificate, represents the certificate chain. [for more information read Certificates for dummies]

Public Key Pinning: Experimental feature for additional security installations.

HTTP Public Key Pinning (HPKP) is a security mechanism which allows HTTPS websites to resist impersonation by attackers using mis-issued or fraudulent certificates. For example, attackers might compromise a certificate authority (i.e., the entity that issues soft authentication certificates for websites) and then mis-issue certificates for any domain. To combat this risk, the webserver can provide a list of “pinned” public key hashes; on subsequent connections web browsers will expect that server to use one or more of those public keys in its certificate chain.

Privacy Policy