I scanned 15 Italian citizenship agencies for basic security. 14 scored F.

Giuseppe Giona

I ran beacon against 15 Italian citizenship agencies. Law firms, document services, full-service shops. The first 15 results Google returned for "jure sanguinis service" and "Italian dual citizenship agency."

14 scored F. One scored D. None scored above D.

These are the companies people trust with their grandparents' birth certificates.

The email problem

87% have no effective DMARC. That means anyone can send an email that looks like it comes from their domain. An invoice, a document request, a payment reminder. The client's email provider has no policy to block it.

7 had no DMARC record at all. 6 had it set to p=none, monitoring mode: the receiver logs the failure and delivers the email anyway. Only 2 out of 15 would actually reject a spoofed message.
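The three postures above (no record, p=none, enforcing) are decided by one DNS TXT record at `_dmarc.<domain>`. The following added example, which is not the beacon tool's own code, parses that record and classifies it the way the post's pass/fail criterion does; it also flags a `pct` below 100, which the post does not discuss but which quietly weakens an otherwise enforcing policy. The 15 sample records are constructed to mirror the post's 7 / 6 / 2 split, and `fetch_dmarc()` (which needs dnspython) is the only function that touches the network.

```python
"""Classify a domain's DMARC posture from the TXT record at _dmarc.<domain>.

Added example, not the beacon tool's own code. The 15 sample records at the
bottom are constructed to mirror the post's split (7 no record, 6 p=none,
2 p=reject); no real domain is looked up unless you call fetch_dmarc().
"""
from typing import Dict, List, Optional

NO_RECORD = "no DMARC record"
MONITOR_ONLY = "p=none (monitoring only, spoofed mail still delivered)"
PARTIAL = "enforcing but pct<100 (a share of failing mail still delivered)"
ENFORCING = "enforcing (quarantine/reject)"


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into {tag: value}.

    Tag names are case-insensitive; values keep their case. Returns {} when
    the record lacks the mandatory, case-sensitive v=DMARC1 tag, because
    receivers ignore such records entirely (RFC 7489, section 6.3).
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return {}
    return tags


def classify_dmarc(record: Optional[str]) -> str:
    """Map a raw TXT record (None = lookup returned nothing) to one of the postures."""
    if record is None:
        return NO_RECORD
    tags = parse_dmarc(record)
    if not tags or "p" not in tags:
        return NO_RECORD          # malformed, or missing the required p= tag
    if tags["p"].lower() not in ("quarantine", "reject"):
        return MONITOR_ONLY
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if pct.isdigit() and int(pct) < 100:
        return PARTIAL
    return ENFORCING


def enforces_rejection(record: Optional[str]) -> bool:
    """The pass criterion used in the post: failing mail is actually blocked."""
    return classify_dmarc(record) == ENFORCING


def summarise(records: List[Optional[str]]) -> Dict[str, int]:
    """Count how many records fall into each posture."""
    counts: Dict[str, int] = {}
    for record in records:
        label = classify_dmarc(record)
        counts[label] = counts.get(label, 0) + 1
    return counts


def fetch_dmarc(domain: str) -> Optional[str]:
    """Live lookup of _dmarc.<domain> TXT. Needs dnspython; not used offline."""
    import dns.resolver  # imported here so the rest of the module runs without it
    try:
        answers = dns.resolver.resolve(f"_dmarc.{domain}", "TXT")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return None
    for rdata in answers:
        text = "".join(chunk.decode() for chunk in rdata.strings)
        if text.startswith("v=DMARC1"):
            return text
    return None


# Constructed sample mirroring the post's 7 / 6 / 2 split (.invalid is a reserved TLD).
SAMPLE_RECORDS: List[Optional[str]] = (
    [None] * 7
    + ["v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"] * 6
    + ["v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid",
       "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s"]
)

if __name__ == "__main__":
    for posture, count in summarise(SAMPLE_RECORDS).items():
        print(f"{count:2d}  {posture}")
    print(f"{sum(map(enforces_rejection, SAMPLE_RECORDS))} of {len(SAMPLE_RECORDS)} enforce rejection")
```

Run as a script it prints the 7 / 6 / 2 breakdown; to check a real domain, call `classify_dmarc(fetch_dmarc("yourdomain"))`. Note that a record with `p=reject` but no `rua=` address still passes this check: enforcement and reporting are separate concerns.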

The FBI's IC3 puts it at $55 billion in BEC losses between 2013 and 2023. $2.7 billion in 2024 alone.

No CSP on 87% of sites

13 out of 15 have no Content-Security-Policy. The browser has zero restrictions on which scripts run.

This is what enabled the British Airways breach. A Magecart script was injected into BA's payment page. 380,000 cards skimmed over 15 days. £20 million ICO fine. Root cause: no CSP.

Same weakness. Different industry. Same risk.

Tracking

12 of the 15 load Google Analytics. Before a visitor submits a single form, Google knows they're looking at Italian citizenship services, from which IP, with which browser.

One runs Hotjar. Session recording. Every mouse movement, every click, every keystroke in a form field. A Princeton study found session replay scripts on 482 sites capturing passwords and credit card numbers in recordings accessible to third-party employees.

The rest

0 out of 15 have a security.txt. If a researcher finds a vulnerability, there's no way to report it. 5 disclose their exact server software version in response headers. 4 expose WordPress admin login pages to the public internet.
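The CSP finding above and the header and path findings in this section all come from the same kind of evidence: the headers on the home page and the status codes of a couple of unauthenticated requests. The added example below, which is not the beacon tool's code, grades one site on four of those checks (CSP present and restrictive enough to stop a Magecart-style injected script, server version hidden, security.txt reachable, WordPress login not served to the public). The two sites are constructed inputs, one resembling the typical agency in the scan and one hardened, so the code runs offline.

```python
"""Grade one site's HTTP surface on four of the post's checks: CSP present and
restrictive, server version hidden, security.txt reachable, WordPress login
not served to the public.

Added example, not the beacon tool's code. Input is constructed: the response
headers of the home page plus the status codes of two unauthenticated GETs,
so the whole thing runs offline. Header names match case-insensitively.
"""
import re
from typing import Dict, List, Optional

Headers = Dict[str, str]


def header(headers: Headers, name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_csp(value: str) -> Dict[str, List[str]]:
    """'default-src 'self'; script-src 'self' cdn.example' -> {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_findings(headers: Headers) -> List[str]:
    """Reasons the CSP check fails; an empty list is a pass."""
    raw = header(headers, "Content-Security-Policy")
    if raw is None:
        return ["no Content-Security-Policy header: any injected script runs"]
    policy = parse_csp(raw)
    # script-src decides which scripts may run; default-src is its fallback.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return ["neither script-src nor default-src set: scripts unrestricted"]
    srcs = [s.lower() for s in sources]
    findings: List[str] = []
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in srcs
    )
    # With a nonce or hash present, CSP Level 2+ browsers ignore 'unsafe-inline'.
    if "'unsafe-inline'" in srcs and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' without nonce/hash: injected inline script runs")
    if any(s in ("*", "http:", "https:") for s in srcs):
        findings.append("script-src allows any origin: an injected external script loads")
    return findings


VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)*")


def disclosed_version(headers: Headers) -> Optional[str]:
    """Return the header that leaks an exact software version, else None."""
    for name in ("Server", "X-Powered-By"):
        value = header(headers, name)
        if value and VERSION_RE.search(value):
            return f"{name}: {value}"
    return None


def grade_site(headers: Headers, status: Dict[str, int]) -> Dict[str, bool]:
    """True means pass. `status` maps a request path to the HTTP status it returned."""
    return {
        "Content-Security-Policy": not csp_findings(headers),
        "server version hidden": disclosed_version(headers) is None,
        "security.txt present": status.get("/.well-known/security.txt") == 200,
        # 200 on /wp-login.php means the admin login form is served to anyone;
        # 403/404 means it is blocked or the site is not WordPress.
        "WP admin not exposed": status.get("/wp-login.php") != 200,
    }


# Constructed samples, not real agencies.
TYPICAL_AGENCY = {
    "headers": {"Server": "Apache/2.4.41 (Ubuntu)", "Content-Type": "text/html"},
    "status": {"/.well-known/security.txt": 404, "/wp-login.php": 200},
}
HARDENED = {
    "headers": {
        "server": "Apache",
        "content-security-policy": (
            "default-src 'self'; script-src 'self' 'nonce-d1ce5' 'unsafe-inline'; "
            "object-src 'none'; base-uri 'self'"
        ),
    },
    "status": {"/.well-known/security.txt": 200, "/wp-login.php": 403},
}

if __name__ == "__main__":
    for name, site in (("typical", TYPICAL_AGENCY), ("hardened", HARDENED)):
        print(name, grade_site(**site))
        for finding in csp_findings(site["headers"]):
            print("   ", finding)
```

The hardened sample keeps `'unsafe-inline'` next to a nonce on purpose: that is the standard way to stay compatible with old browsers while modern ones enforce the nonce, and the grader has to know that rule or it would fail a correct policy. A policy of `default-src *` passes the "header present" test but still fails here, which is why presence alone is a weak signal.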

Grade   Count
F       14
D       1

Figure 1 — Pass / fail per check, N = 15 agencies (March 2026). 14 F · 1 D.

Check                      Note                                   Pass  Fail  Pass rate  95% Wilson CI
DMARC enforces rejection   7 had no record · 6 set p=none            2    13        13%      [4, 38]%
Content-Security-Policy    13 had no CSP header at all               2    13        13%      [4, 38]%
security.txt present       0 of 15 — no disclosure path              0    15         0%      [0, 20]%
no third-party trackers    12 of 15 load Google Analytics            3    12        20%      [7, 45]%
no session-recording       1 of 15 runs Hotjar                      14     1        93%     [70, 99]%
server version hidden      5 of 15 disclose exact version           10     5        67%     [42, 85]%
WP admin not exposed       4 of 15 expose /wp-admin to public       11     4        73%     [48, 89]%

Bars show number of agencies (out of 15), pass vs fail. 95% Wilson CIs reflect the small-N (15) bound.
Pass rate per check, with Wilson 95% intervals to make the small sample size visible — at N=15 the confidence band on most rates is wide (≈ 15–20 points). The structural finding survives anyway: DMARC, CSP, and security.txt cluster at the bottom of the band; only the session-recording check passes for most agencies. Scan run on 23 March 2026 using beacon; sample = first 15 Google results for “jure sanguinis service” / “Italian dual citizenship agency”.
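The intervals in the figure come from the Wilson score formula rather than the textbook normal approximation. The added example below, which is not the beacon tool's code, computes them from the figure's own pass counts and reproduces every printed interval; it also shows why the naive formula was not used, since at 0 of 15 it collapses to [0, 0], which is false certainty about a check nobody passed.

```python
"""Wilson score interval for a pass rate, reproducing the 95% CIs in Figure 1.

Added example, not the beacon tool's code. FIGURE_ROWS holds the figure's own
pass counts (out of N = 15); everything else is standard statistics.
"""
import math
from typing import Dict, Tuple

Z95 = 1.96  # two-sided 95% normal quantile


def wilson(passes: int, n: int, z: float = Z95) -> Tuple[float, float]:
    """Wilson score interval for a binomial proportion, as fractions in [0, 1]."""
    if n <= 0 or not 0 <= passes <= n:
        raise ValueError("need n > 0 and 0 <= passes <= n")
    p = passes / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def wald(passes: int, n: int, z: float = Z95) -> Tuple[float, float]:
    """Textbook normal approximation, included only for contrast:
    at 0 of 15 it collapses to [0, 0], i.e. false certainty."""
    p = passes / n
    half = z * math.sqrt(p * (1 - p) / n)
    return p - half, p + half


def ci_percent(passes: int, n: int) -> Tuple[int, int]:
    """Wilson bounds rounded to whole percentage points, as printed in the figure."""
    lo, hi = wilson(passes, n)
    return round(lo * 100), round(hi * 100)


FIGURE_ROWS = {  # check -> agencies passing, taken from Figure 1
    "DMARC enforces rejection": 2,
    "Content-Security-Policy": 2,
    "security.txt present": 0,
    "no third-party trackers": 3,
    "no session-recording": 14,
    "server version hidden": 10,
    "WP admin not exposed": 11,
}


def tabulate(rows: Dict[str, int], n: int = 15) -> Dict[str, Tuple[int, int, int]]:
    """check -> (pass rate %, CI low %, CI high %)."""
    return {name: (round(100 * k / n),) + ci_percent(k, n) for name, k in rows.items()}


def band_width_points(passes: int, n: int) -> int:
    """Width of the Wilson band in percentage points: the caption's 'wide at N=15'."""
    lo, hi = ci_percent(passes, n)
    return hi - lo


if __name__ == "__main__":
    for name, (rate, lo, hi) in tabulate(FIGURE_ROWS).items():
        print(f"{name:26s} {rate:3d}%  95% CI [{lo}, {hi}]%")
```

Running it prints the seven rows of the figure. The practical reading is the caption's: with 15 samples the bands are tens of points wide, so "13% pass" is better read as "somewhere between 4% and 38%", and only the ordering of the checks, not the exact rates, should be taken from the scan.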

A website's security is a proxy. An agency that hasn't configured DMARC probably hasn't configured anything behind the login either.

The tool is open source. beacon checks TLS, headers, email authentication, exposed files, third-party tracking, forms, and cookies. Run it on any domain.

Passive analysis of public information. No exploitation, no authentication bypass, no payload injection. Each finding is the result of an unauthenticated request a normal browser would make against the same host. The agencies are not named or individually identified in this post. Scans were conducted on 23 March 2026. The full methodology — sample selection, grading thresholds, anonymisation reasoning, and public-interest justification under section 4 of the Defamation Act 2013 — is set out in detail at /writing/immigration-agency-security/methodology.