Over the last 4 years, I've onboarded 28 national government CERTs onto Have I Been Pwned (HIBP) and given them free and open access to APIs that enable them to query and monitor their gov domains. This doesn't give them access to any information they can't already access via the free public domain search feature, but it makes their lives easier. Much easier.
As interest from govs has grown, it's caused me to ponder: who am I willing to give access to? Who am I unwilling to give access to? Those questions prompted a tweet earlier today:
If I was to define metrics for which governments I accepted onto @haveibeenpwned, what should they look like? Human rights? Other? And as defined by who? I need something empirical, consistent and repeatable for govs that "feel" uncomfortable. Context: https://t.co/gxwBfdOdBl
— Troy Hunt (@troyhunt) March 10, 2022
There are 2 primary factors that caused me to pose this question and I want to explain my thinking on both clearly here:
The first is the current situation with Russia and Ukraine and more specifically, the sanctions levelled at the former in recent weeks. It's not just sanctions, it's everything from McDonald's closing stores to my tweet this morning about Universal Audio blocking traffic from Russia and Belarus:
Strong stance by @UAudio against the invasion of Ukraine. Which other services are blocking traffic form Russia and Belarus? How does everyone feel about this approach, and should we see more of it? pic.twitter.com/hAWPW1WbW3
— Troy Hunt (@troyhunt) March 10, 2022
You may or may not agree with the stance these organisations have taken, but what this has highlighted is that there is a valid discussion to be had about which countries services are provided to and if there is a threshold beneath which you choose not to do business there.
The second factor is that the requests I've had from some governments simply don't "feel" right. To be clear, these requests are no different to, say, New Zealand's (just to pick the most recent one), but my own subjective view on these countries is that they fall short on many of the values that I (and probably you), hold dear. Democracy. Freedom of press and speech. The ability to choose religion, sexuality and other basic rights I take for granted in a place like Australia. But just a "feel" is insufficient and per my earlier tweet, not at all empirical, consistent or repeatable.
Of all the responses I received, this one really stood out:
There are a number of country rankings that you could consider using. Here's one
— Jeff Barnes (@mani2jeff) March 10, 2022
https://t.co/kA61z7NCn9
Jeff pointed me to the World Population Review website and in particular, the democracy ranking by country. Let me repeat the list here with the 28 governments already onboard HIBP highlighted in green:
Edit: I'll keep updating this table as more governments come on board, so the number will exceed the original 28:
Country | Category | Score | Elec Process | Function of Gov | Polit Partici | Polit Culture | Civil Liberties |
---|---|---|---|---|---|---|---|
Norway | Full Democracy | 9.81 | 10 | 9.64 | 10 | 10 | 9.41 |
Iceland | Full Democracy | 9.37 | 10 | 8.57 | 8 | 10 | 9.41 |
Sweden | Full Democracy | 9.26 | 9 | 9.29 | 8 | 10 | 9.12 |
New Zealand | Full Democracy | 9.25 | 10 | 8.93 | 8 | 8 | 9.71 |
Canada | Full Democracy | 9.24 | 9 | 8.93 | 8 | 9 | 9.41 |
Finland | Full Democracy | 9.2 | 10 | 8.93 | 8 | 8 | 9.41 |
Denmark | Full Democracy | 9.15 | 10 | 8.93 | 8 | 9 | 9.12 |
Ireland | Full Democracy | 9.05 | 10 | 7.86 | 8 | 9 | 9.71 |
Netherlands | Full Democracy | 8.96 | 9 | 9.29 | 8 | 8 | 8.82 |
Australia | Full Democracy | 8.96 | 10 | 8.57 | 7 | 8 | 9.71 |
Taiwan | Full Democracy | 8.94 | 10 | 9.64 | 7 | 8 | 9.71 |
Switzerland | Full Democracy | 8.83 | 9 | 8.57 | 7 | 9 | 8.82 |
Luxembourg | Full Democracy | 8.68 | 10 | 8.57 | 6 | 8 | 9.41 |
Germany | Full Democracy | 8.67 | 9 | 8.21 | 8 | 8 | 9.12 |
Uruguay | Full Democracy | 8.61 | 10 | 8.57 | 6 | 8 | 9.71 |
United Kingdom | Full Democracy | 8.54 | 10 | 7.5 | 8 | 7 | 8.82 |
Chile | Full Democracy | 8.28 | 9 | 8.21 | 6 | 8 | 8.82 |
Costa Rica | Full Democracy | 8.16 | 9 | 6.79 | 7 | 7 | 9.71 |
Austria | Full Democracy | 8.16 | 9 | 7.5 | 8 | 6 | 8.53 |
Mauritius | Full Democracy | 8.14 | 9 | 7.86 | 6 | 8 | 8.82 |
Japan | Full Democracy | 8.13 | 8 | 8.57 | 6 | 8 | 8.53 |
Spain | Full Democracy | 8.12 | 9 | 7.14 | 7 | 8 | 8.53 |
South Korea | Full Democracy | 8.01 | 9 | 8.21 | 7 | 7 | 7.94 |
France | Flawed Democracy | 7.99 | 9 | 7.5 | 7 | 6 | 8.24 |
United States | Flawed Democracy | 7.92 | 9 | 6.79 | 8 | 6 | 8.53 |
Portugal | Flawed Democracy | 7.9 | 9 | 7.5 | 6 | 7 | 8.82 |
Estonia | Flawed Democracy | 7.84 | 9 | 7.86 | 6 | 6 | 8.24 |
Israel | Flawed Democracy | 7.84 | 9 | 7.5 | 9 | 7 | 5.59 |
Italy | Flawed Democracy | 7.74 | 9 | 6.43 | 7 | 7 | 7.94 |
Malta | Flawed Democracy | 7.68 | 9 | 6.79 | 6 | 8 | 8.24 |
Czech Republic | Flawed Democracy | 7.67 | 9 | 6.07 | 6 | 7 | 8.53 |
Botswana | Flawed Democracy | 7.62 | 9 | 6.79 | 6 | 7 | 8.53 |
Cyprus | Flawed Democracy | 7.56 | 9 | 5.36 | 7 | 7 | 8.53 |
Slovenia | Flawed Democracy | 7.54 | 9 | 6.43 | 7 | 6 | 8.24 |
Belgium | Flawed Democracy | 7.51 | 9 | 7.86 | 5 | 6 | 8.24 |
Greece | Flawed Democracy | 7.39 | 9 | 5.21 | 6 | 7 | 8.53 |
Latvia | Flawed Democracy | 7.24 | 9 | 6.07 | 6 | 5 | 8.24 |
Malaysia | Flawed Democracy | 7.19 | 9 | 7.86 | 6 | 6 | 5.59 |
Panama | Flawed Democracy | 7.18 | 9 | 6.43 | 7 | 5 | 7.65 |
Trinidad and Tobago | Flawed Democracy | 7.16 | 9 | 7.14 | 6 | 5 | 7.35 |
Lithuania | Flawed Democracy | 7.13 | 9 | 6.07 | 5 | 5 | 8.82 |
Jamaica | Flawed Democracy | 7.13 | 8 | 7.14 | 5 | 6 | 8.53 |
Timor-Leste | Flawed Democracy | 7.06 | 9 | 5.93 | 5 | 6 | 7.35 |
South Africa | Flawed Democracy | 7.05 | 7 | 7.14 | 8 | 5 | 7.35 |
Colombia | Flawed Democracy | 7.04 | 9 | 6.43 | 6 | 5 | 7.94 |
Slovakia | Flawed Democracy | 6.97 | 9 | 6.43 | 5 | 5 | 7.65 |
Argentina | Flawed Democracy | 6.95 | 9 | 5.36 | 6 | 5 | 7.94 |
Brazil | Flawed Democracy | 6.92 | 9 | 5.36 | 6 | 5 | 7.94 |
Poland | Flawed Democracy | 6.85 | 9 | 5.71 | 6 | 5 | 7.06 |
Suriname | Flawed Democracy | 6.82 | 9 | 6.07 | 6 | 5 | 7.35 |
Bulgaria | Flawed Democracy | 6.71 | 9 | 5.71 | 7 | 4 | 7.06 |
India | Flawed Democracy | 6.61 | 8 | 7.14 | 6 | 5 | 5.59 |
Tunisia | Flawed Democracy | 6.59 | 9 | 5.36 | 7 | 5 | 5.59 |
Hungary | Flawed Democracy | 6.56 | 8 | 6.43 | 5 | 6 | 6.76 |
Philippines | Flawed Democracy | 6.56 | 9 | 5 | 7 | 4 | 6.47 |
Peru | Flawed Democracy | 6.53 | 8 | 5.36 | 5 | 5 | 7.35 |
Namibia | Flawed Democracy | 6.52 | 7 | 5.36 | 6 | 5 | 7.94 |
Croatia | Flawed Democracy | 6.5 | 9 | 6.07 | 6 | 4 | 6.76 |
Ghana | Flawed Democracy | 6.5 | 8 | 5.36 | 6 | 6 | 5.88 |
Mongolia | Flawed Democracy | 6.48 | 8 | 5.71 | 5 | 5 | 6.76 |
Romania | Flawed Democracy | 6.4 | 9 | 5.36 | 6 | 3 | 7.06 |
Dominican Republic | Flawed Democracy | 6.32 | 9 | 4.29 | 6 | 5 | 7.06 |
Lesotho | Flawed Democracy | 6.3 | 9 | 4.14 | 6 | 5 | 6.47 |
Indonesia | Flawed Democracy | 6.3 | 7 | 7.5 | 6 | 4 | 5.59 |
Serbia | Flawed Democracy | 6.22 | 8 | 5.36 | 6 | 3 | 7.06 |
Paraguay | Flawed Democracy | 6.18 | 8 | 5.71 | 5 | 4 | 7.06 |
Sri Lanka | Flawed Democracy | 6.14 | 7 | 5.71 | 5 | 6 | 6.18 |
Ecuador | Flawed Democracy | 6.13 | 8 | 5 | 6 | 3 | 6.47 |
Papua New Guinea | Flawed Democracy | 6.1 | 6 | 6.07 | 3 | 6 | 7.94 |
Albania | Flawed Democracy | 6.08 | 7 | 5.36 | 4 | 6 | 7.35 |
Mexico | Flawed Democracy | 6.07 | 7 | 5.71 | 7 | 3 | 5.88 |
Thailand | Flawed Democracy | 6.04 | 7 | 5 | 6 | 6 | 5.29 |
Singapore | Flawed Democracy | 6.03 | 4 | 7.86 | 4 | 6 | 6.76 |
Guyana | Flawed Democracy | 6.01 | 6 | 5.36 | 6 | 5 | 7.06 |
Bangladesh | Hybrid Regime | 5.99 | 7 | 6.07 | 6 | 5 | 4.71 |
El Salvador | Hybrid Regime | 5.9 | 9 | 4.29 | 6 | 3 | 6.18 |
North Macedonia | Hybrid Regime | 5.89 | 7 | 5.71 | 6 | 3 | 7.06 |
Ukraine | Hybrid Regime | 5.81 | 8 | 2.71 | 7 | 5 | 5.88 |
Moldova | Hybrid Regime | 5.78 | 7 | 4.64 | 6 | 4 | 6.76 |
Montenegro | Hybrid Regime | 5.77 | 7 | 5.71 | 6 | 3 | 6.47 |
Malawi | Hybrid Regime | 5.74 | 7 | 4.29 | 5 | 6 | 6.18 |
Fiji | Hybrid Regime | 5.72 | 6 | 5 | 6 | 5 | 5.29 |
Bhutan | Hybrid Regime | 5.71 | 8 | 6.79 | 3 | 5 | 4.71 |
Madagascar | Hybrid Regime | 5.7 | 7 | 3.57 | 6 | 5 | 4.71 |
Senegal | Hybrid Regime | 5.67 | 6 | 5.71 | 4 | 6 | 5.88 |
Hong Kong | Hybrid Regime | 5.57 | 3 | 3.64 | 5 | 7 | 8.53 |
Honduras | Hybrid Regime | 5.36 | 7 | 4.29 | 4 | 4 | 5.88 |
Armenia | Hybrid Regime | 5.35 | 7 | 5 | 6 | 3 | 5 |
Liberia | Hybrid Regime | 5.32 | 7 | 2.71 | 5 | 5 | 5.29 |
Georgia | Hybrid Regime | 5.31 | 7 | 3.57 | 6 | 3 | 5.29 |
Nepal | Hybrid Regime | 5.22 | 4 | 5.36 | 5 | 5 | 5.29 |
Tanzania | Hybrid Regime | 5.1 | 4 | 5 | 5 | 6 | 4.41 |
Bolivia | Hybrid Regime | 5.08 | 6 | 3.57 | 6 | 3 | 5.88 |
Kenya | Hybrid Regime | 5.05 | 3 | 5.36 | 6 | 5 | 4.12 |
Morocco | Hybrid Regime | 5.04 | 5 | 4.64 | 5 | 5 | 4.12 |
Guatemala | Hybrid Regime | 4.97 | 6 | 3.93 | 5 | 3 | 5.88 |
Uganda | Hybrid Regime | 4.94 | 4 | 3.21 | 5 | 6 | 5.29 |
Sierra Leone | Hybrid Regime | 4.86 | 6 | 2.86 | 3 | 6 | 5.29 |
Zambia | Hybrid Regime | 4.86 | 4 | 2.93 | 3 | 6 | 5.88 |
Benin | Hybrid Regime | 4.58 | 3 | 5.36 | 3 | 5 | 4.71 |
Gambia | Hybrid Regime | 4.49 | 4 | 4.29 | 4 | 5 | 4.12 |
Turkey | Hybrid Regime | 4.48 | 3 | 5.36 | 5 | 5 | 2.35 |
Pakistan | Hybrid Regime | 4.31 | 5 | 5.36 | 3 | 2 | 4.71 |
Haiti | Hybrid Regime | 4.22 | 4 | 1.71 | 2 | 6 | 5.59 |
Kyrgyzstan | Hybrid Regime | 4.21 | 4 | 2.93 | 5 | 3 | 4.71 |
Lebanon | Hybrid Regime | 4.16 | 3 | 1.5 | 6 | 5 | 4.12 |
Ivory Coast | Hybrid Regime | 4.11 | 4 | 2.86 | 3 | 5 | 3.82 |
Nigeria | Hybrid Regime | 4.1 | 5 | 3.57 | 3 | 3 | 4.12 |
Mali | Authoritarian Regime | 3.93 | 5 | 0 | 4 | 5 | 4.41 |
Mauritania | Authoritarian Regime | 3.92 | 3 | 3.57 | 5 | 3 | 4.41 |
Palestine | Authoritarian Regime | 3.83 | 3 | 0.14 | 7 | 4 | 3.53 |
Kuwait | Authoritarian Regime | 3.8 | 3 | 3.93 | 3 | 4 | 3.24 |
Algeria | Authoritarian Regime | 3.77 | 3 | 2.5 | 4 | 5 | 3.82 |
Burkina Faso | Authoritarian Regime | 3.73 | 3 | 2.36 | 4 | 5 | 3.82 |
Angola | Authoritarian Regime | 3.66 | 2 | 2.86 | 5 | 5 | 2.65 |
Jordan | Authoritarian Regime | 3.62 | 2 | 3.93 | 3 | 4 | 3.24 |
Iraq | Authoritarian Regime | 3.62 | 5 | 0 | 6 | 5 | 1.18 |
Nicaragua | Authoritarian Regime | 3.6 | 0 | 2.86 | 5 | 5 | 4.12 |
Gabon | Authoritarian Regime | 3.54 | 2 | 1.86 | 4 | 5 | 3.82 |
Mozambique | Authoritarian Regime | 3.51 | 2 | 1.43 | 5 | 5 | 3.53 |
Ethiopia | Authoritarian Regime | 3.38 | 0 | 3.57 | 5 | 5 | 2.35 |
Russia | Authoritarian Regime | 3.31 | 2 | 2.14 | 5 | 3 | 4.12 |
Niger | Authoritarian Regime | 3.29 | 2 | 1.14 | 3 | 4 | 4.71 |
Qatar | Authoritarian Regime | 3.24 | 0 | 4.29 | 2 | 5 | 3.53 |
Zimbabwe | Authoritarian Regime | 3.16 | 0 | 2.5 | 4 | 5 | 3.24 |
Kazakhstan | Authoritarian Regime | 3.14 | 0 | 3.21 | 5 | 3 | 3.24 |
Republic of the Congo | Authoritarian Regime | 3.11 | 2 | 2.5 | 3 | 3 | 3.24 |
Rwanda | Authoritarian Regime | 3.1 | 1 | 4.29 | 2 | 4 | 2.65 |
Cambodia | Authoritarian Regime | 3.1 | 0 | 3.93 | 3 | 5 | 2.06 |
Comoros | Authoritarian Regime | 3.09 | 2 | 2.21 | 3 | 3 | 3.53 |
eSwatini | Authoritarian Regime | 3.08 | 0 | 2.86 | 2 | 5 | 3.24 |
Guinea | Authoritarian Regime | 3.08 | 3 | 0.43 | 4 | 4 | 2.65 |
Myanmar | Authoritarian Regime | 3.04 | 1 | 3.93 | 2 | 4 | 2.35 |
Oman | Authoritarian Regime | 3 | 0 | 3.93 | 2 | 4 | 3.82 |
Vietnam | Authoritarian Regime | 2.94 | 0 | 2.86 | 3 | 5 | 2.35 |
Egypt | Authoritarian Regime | 2.93 | 1 | 3.21 | 3 | 5 | 1.76 |
Afghanistan | Authoritarian Regime | 2.85 | 3 | 0.64 | 3 | 2 | 3.82 |
Cuba | Authoritarian Regime | 2.84 | 0 | 3.57 | 3 | 4 | 2.94 |
Togo | Authoritarian Regime | 2.8 | 0 | 1.79 | 3 | 5 | 2.94 |
Cameroon | Authoritarian Regime | 2.77 | 1 | 2.14 | 3 | 4 | 2.35 |
Venezuela | Authoritarian Regime | 2.76 | 0 | 1.79 | 5 | 4 | 2.65 |
Djibouti | Authoritarian Regime | 2.71 | 0 | 1.29 | 3 | 5 | 2.35 |
United Arab Emirates | Authoritarian Regime | 2.7 | 0 | 3.93 | 2 | 5 | 2.35 |
Azerbaijan | Authoritarian Regime | 2.68 | 0 | 2.86 | 3 | 3 | 2.94 |
Guinea-Bissau | Authoritarian Regime | 2.63 | 4 | 0 | 2 | 3 | 2.35 |
Belarus | Authoritarian Regime | 2.59 | 0 | 2 | 3 | 5 | 2.06 |
Sudan | Authoritarian Regime | 2.54 | 0 | 1.79 | 4 | 5 | 1.47 |
Bahrain | Authoritarian Regime | 2.49 | 0 | 2.71 | 2 | 4 | 1.76 |
China | Authoritarian Regime | 2.27 | 0 | 4.29 | 2 | 3 | 1.18 |
Iran | Authoritarian Regime | 2.2 | 0 | 2.5 | 3 | 3 | 1.47 |
Eritrea | Authoritarian Regime | 2.15 | 0 | 2.14 | 0 | 6 | 1.18 |
Burundi | Authoritarian Regime | 2.14 | 0 | 0 | 3 | 5 | 2.35 |
Uzbekistan | Authoritarian Regime | 2.12 | 0 | 1.86 | 2 | 5 | 0.88 |
Saudi Arabia | Authoritarian Regime | 2.08 | 0 | 3.57 | 2 | 3 | 1.47 |
Libya | Authoritarian Regime | 1.95 | 0 | 0 | 3 | 3 | 2.65 |
Yemen | Authoritarian Regime | 1.95 | 0 | 0 | 3 | 5 | 0.88 |
Tajikistan | Authoritarian Regime | 1.94 | 0 | 2.21 | 2 | 4 | 0.88 |
Equatorial Guinea | Authoritarian Regime | 1.92 | 0 | 0.43 | 3 | 4 | 1.47 |
Laos | Authoritarian Regime | 1.77 | 0 | 2.86 | 1 | 3 | 0.59 |
Turkmenistan | Authoritarian Regime | 1.72 | 0 | 0.79 | 2 | 5 | 0.59 |
Chad | Authoritarian Regime | 1.55 | 0 | 0 | 1 | 3 | 2.35 |
Syria | Authoritarian Regime | 1.43 | 0 | 0 | 2 | 4 | 0 |
Central African Republic | Authoritarian Regime | 1.32 | 1 | 0 | 1 | 1 | 2.35 |
DR Congo | Authoritarian Regime | 1.13 | 0 | 0 | 1 | 3 | 0.88 |
North Korea | Authoritarian Regime | 1.08 | 0 | 2.5 | 1 | 1 | 0 |
Of those 28 govs, all are classified as "Full Democracy" (Norway and Australia), "Flawed Democracy" (the US and Belgium) or "Hybrid Regime" (Ukraine and Turkey). The govs I mentioned as not feeling right are all well below the highlighted ones, with each classified as an "Authoritarian Regime" and as such, I've decided to reject those governments. I won't say where the cut-off is nor will I commit to a single, easily definable threshold, but I will say that they each rated well below every highlighted gov on every measurable metric. My "feel" is amply reflected by the data.
I'm sure there will be those who feel this approach is insufficient, too much, missing appropriate data, using the wrong metrics and all sorts of other reasons. I don't expect it to be perfect nor does it need to be, what's important to me here is to describe the problem, explain my logic and have a resource I can direct both current and future requests to when I feel the gov is not a suitable fit for the offering I've made available.
Time and time again over the last 8 years, I've needed to make ethical decisions on how I alone run this service. This is just one more of those decisions and I hope I've done a good job of explaining my logic here.