Italy’s fixed-broadband penetration rate is 27.84 percent,1 while its mobile broadband penetration rate is 88.86 percent,2 according to 2018 data from the European Commission. 2Data for 2018 provided to the ITU gives Italy a slighter higher fixed-broadband penetration rate--28.03 percent--and a much higher mobile broadband penetration rate--94.53 percent.3

Several factors have impacted Italy’s relatively low penetration rates, including infrastructural limitations. According to the EU’s 2019 Digital Economy and Society Index, ultrafast broadband connections are only available to 24 percent of households (compared to the EU average of 60 percent).4 While 4G mobile coverage extends to 97 percent of households, Italy only ranks 13 of 28 member states along this metric.5

Some 77 percent of Italians connected to the internet in 2018, and 72 percent surfed the web on a daily basis.6 The number of households accessing the internet via broadband grew to 73 percent in 2018.7

Italy’s Digital Agenda initiative (based on the Europe 2020 Digital Agenda) intends to expand broadband access and e-government functions.8 The government approved a decree in February 2016 to reduce costs for laying cables and established the Networks Register for Infrastructure (SINFI), a dedicated instrument for implementing its broadband strategy, managed by the Ministry of Economic Development.9 5G testing began in 2017,10 and the first 5G networks were debuted after this report’s coverage period.11

In 2016, a “digital transformation team” was formed to lead the digital transformation process of Italian public administration, among other goals.12 The team, whose mandate ends in 2019, announced a “Three-Year Plan for Information Technology in the Public Administration.”13

Internet connections are relatively affordable in Italy. In 2019, the Economist Intelligence Unit ranked Italy 26 out of 100 country surveyed in terms of the affordability of prices for fixed and mobile connections.14 The 2019 Digital Society and Economic Index noted that “broadband prices in Italy are lower than the EU average.”15

Significant geographical differences in internet penetration persist across the country, with southern regions such as Calabria lagging behind. An ambitious infrastructural plan called Growth 2.0 was launched in 2012 to close Italy’s digital divide between areas that are served by high-speed connections and those that are not, but the plan was plagued by delays.16 In 2017, only around 40 percent of Italians living in rural areas had access to high-speed broadband connections (of 30 Mbps or more).17 As part of its 2015 plan to expand ultrafast broadband (known as SNBUL), the government has assigned tenders to roll out networks in underserved regions.18

The internet is particularly popular among young people, with over 94 percent of people between 15 and 24 surfing the web.19 Unfamiliarity with the internet among older people also contributes to Italy’s relatively low penetration rate.

The government does not impose restrictions on connectivity, nor does it centralize control over ICT infrastructure.

Telecom Italia (TIM), the former state telecommunications monopoly that owns much of Italy’s physical networks, has continued the process of “externalizing” its infrastructure since May 2013, as required by EU legislation, to provide fair access to competitors.20 TIM was privatized in 1997. Cassa Depositi e Prestiti, controlled by the Ministry of Economy and Finance, holds a nine percent stake in TIM.21 However, under a 2012 decree-law, the state enjoys “golden power” over TIM and other companies in strategic sectors of the economy, including telecommunications.22

In 2019, the government has approved a decree-law allowing the state to use its “golden power” to veto the purchase and deployment of Chinese 5G technology.23

Access to the internet for private users is offered by a range of internet service providers (ISPs), all of which must be authorized by the Ministry of Economic Development.24 TIM has the largest share of the fixed broadband market (49.2 percent as of March 2019), followed by Vodafone (14.5 percent), Wind Tre (13.3 percent), Fastweb (13.2 percent), and others.25

TIM, Vodafone, Wind Tre, and Iliad are the major mobile carriers,26 and all of them operate 3G and 4G networks.27 In December 2016, Wind and 3 Italia (Tre) merged under the name of Wind Tre, although they still operate separately. In May 2018, the French operator Iliad entered the mobile market, offering a low-cost option for consumers.28 Later in 2018, Kena Mobile,29 operated by TIM, and Ho. Mobile., managed by Vodafone, entered the low-cost mobile market to compete with Iliad.30

In the spring of 2018, the Italian Antitrust Authority fined TIM EUR 4.8 million ($5.6 million) for misleading advertising regarding its broadband service in underserved areas. According to the authority, TIM omitted relevant information about its plans and their limitations.31 In a statement, the company called the decision “groundless” and stated that it intends to file an appeal with the Regional Administrative Court of Lazio.32

In February 2018, the police and authorities from the Italian Antitrust Agency searched the offices of Telecom Italia, Vodafone, Fastweb, Wind Tre, and industry lobbying firm Asstel, as part of a probe over the pricing of fixed and mobile services.33 Regulators suspect that companies had overcharged their clients by billing them for their services every four weeks instead of once a month. In late 2017, parliament passed a law requiring monthly billing for all telephone operators.34 This law followed a new regulation by AGCOM, the telecommunications regulator, introduced in March 2017 requiring fixed-line operators to move to monthly billing. Several companies, including Vodafone, Fastweb, and Wind Tre, were subsequently fined by AGCOM for noncompliance.35

The main regulatory body for telecommunications is AGCOM, an independent agency that is accountable to parliament. Its responsibilities also include protecting intellectual property rights, regulating advertisements, and overseeing public broadcasting. The majority party in parliament appoints AGCOM’s president.

Another important player governing the ICT sector is the Data Protection Authority (DPA). Established in 1997, the DPA is tasked with supervising compliance with data protection laws by both governmental and nongovernmental entities. It also has the authority to ban or block “processing operations that are liable to cause serious harm to individuals.”36 It is generally viewed as professional and fair in carrying out its duties. The DPA is the supervisory authority responsible for monitoring application of the General Data Protection Regulation (GDPR), and between May 2018 and March 2019 has actively managed more than 7,000 GDPR complaints and reports37

Italy does not typically block or filter content of a political, social, or religious nature; all major websites and platforms are freely available. According to data gathered by Open Observatory of Network Interference (OONI), developed by the Tor Project, Italy’s blocking and filtering of the internet is limited and is primarily implemented by means of DNS tampering.38

Websites are frequently blocked for hosting copyright-violating content. AGCOM has issued 723 blocking orders since 2013, according the latest (August 2019) data.39 These orders are publicly available on AGCOM’s website.40 Illegal gambling websites are also frequently blocked by the Agenzia delle Dogane e dei Monopoli, an administrative body under the Ministry of Finance. Italy’s public blacklist contains over 7,000 such websites.41 Additionally, websites hosting content related to terrorism or child sexual abuse images may be subject to blocking.

Authorities sometimes request the removal of specific content.

According to Facebook, from July to December 2018, 562 pieces of content were reported and removed.42 According to Facebook, the removed items included content related to gambling; hate speech, including Holocaust denial; and private reports of defamation.43 Twitter’s transparency report for 2018 lists six requests for content removal, including one court order, between June and December, but no content was ultimately withheld.44 However, Twitter did remove a single tweet that violated Italy’s Mancino Law after receiving “a report from an Italian NGO … regarding racial hatred toward Romani people” on its platform.45 (The Mancino Law, which penalizes speech and acts motivated by racial, sex/gender, ethnic, national, or religious bias, does not mandate the blocking or removal of such speech online.) According to Google’s transparency report, the government sent 179 content removal requests between January and June 2018, including 87 for defamatory content, 53 for privacy and security reasons, and 17 for hate speech.46

Italian courts have ruled in favor of the so-called right to be forgotten (RBTF) since a Court of Justice of the European Union (CJEU) ruling in May 2014. On December 3, 2015, a civil court in Rome upheld the CJEU’s reasoning on the right to be forgotten but rejected the plaintiff’s request, in a case that sought to balance such a right with the right to information in the public interest.47 In a problematic move in 2016, the Supreme Court upheld a 2013 court decision ordering the removal of an article that damaged a restaurant’s reputation from a website’s archives after two years, deeming that the time elapsed between the publication date and the request for removal “sufficed to satisfy the public interest as far as its right to be informed was concerned.”48 Google reported that, between September 2018 and June 2019, the company removed some 22,000 URLs in Italy (39 percent of the total requested) following RBTF complaints from users.49

Websites related to child sexual abuse images, copyright infringement, illegal gambling, and terrorism may be subject to blocking or targeted by content removal orders. Generally, blocking or takedown orders are issued by the courts. An antiterrorism decree-law passed by parliament in 2015 allows the public prosecutor to order the blocking or removal of websites affiliated with terrorist groups.50 Similar to systems used to block child sexual abuse images and illegal gambling, the Ministry of the Interior compiles a blacklist of terrorist websites for ISPs to block.51

A controversial resolution on online copyright enforcement enacted in March 2014 enables AGCOM to issue administrative blocking orders to ISPs for specific websites that infringe on copyright, even those that only contain links for downloading copyright-protected content. The regulation also gives AGCOM the power to remove content upon review by an internal panel, but without prior judicial approval if a copyright violation is detected.52

The debate about the EU Copyright Directive has been lively in Italy, where political parties have expressed strong and diverging opinions. The former government, led by the Five Star Movement and Lega coalition, expressed opposition to the new directive, while the formerly opposition Democratic Party favored it. Italy was ultimately among the six EU member states that voted against the directive in the Council of the EU after the European Parliament approved it.53 As the directive is now in force, Italy must transpose it into national legislation.54

In May 2017, parliament approved a new cyberbullying law after several high-profile cases of cyberbullying came to light.55 Minors over the age of 14 or their parents can demand content-hosting sites to remove damaging content within 48 hours.56 If no action is taken, victims can refer their case to the DPA, which can order damaging content to be blocked or taken down.57 The bill had raised some concerns among critics who said it gave users too much latitude to force the removal of content from social media sites.58

In the past, Italian lawmakers and regulators have proposed measures allowing for the blocking or removal of “fake news” websites (see C3). These proposals have not, to date, amounted to anything.

ISPs are not generally liability for illegal third-party content, but they must inform authorities of such content should they become aware of it, and they face civil penalties if they do not comply with official requests to restrict access to it.59

Content creators and hosts may exercise some self-censorship regarding content that could prove controversial or create friction with powerful entities or individuals. Online writers also exercise caution to avoid libel suits by public officials, whose litigation—even when unsuccessful—can take a significant financial toll. Individuals writing about the activities of organized crime in some parts of the country may be especially at risk of reprisals.

In March 2018, the magazine Famiglia Cristiana deleted an article about the seizure of a Spanish ship carrying refugees by the Italian Navy, possibly in violation of international law on asylum.60 After 24 hours, an altered version of the article was published online,61 and the original author withdrew his name from it. The mention of the Italian Navy was dropped from the title, and mentions of its involvement were modified.

During the coverage period, political parties in Italy occasionally manipulated online content.

In May 2019, ahead of EU parliamentary elections, Facebook removed 23 accounts with a total of 2.46 million followers, which, according to a spokesperson, “violated [the company’s] authenticity policy” as well as several pages.62 This decision followed an investigation by the activist group Avaaz. According to Avaaz, more than half the accounts taken down supported either the Five Star Movement or the Lega, the two parties that governed the country in coalition from to May 2018 to August 2019.

In November 2018, AGCOM released a report analyzing the quality of information in Italy which found that the volume of disinformation peaked in relation to the March 2018 general election campaign but has since subsided.63 This disinformation took the form of fabricated opinion polls, manipulated pictures, and fake news. Bot activity was also detected in the days running up to the 2018 vote.64 A February 2018 Reuters Institute for the Study of Journalism report observed that fake news websites have a much smaller reach among Italian readers compared to legacy news outlets and that the time readers spent on their pages is limited compared to their mainstream counterparts. On the other hand, interactions on Facebook with fake news content matched or exceeded those produced by legitimate journalism.65

Earlier, in January 2018, then interior minister Marco Minniti announced a new Postal Police initiative to fight the spread of fake news.66 The project, named “Red Button,” offered citizens the opportunity to report “fake news” using a portal on the police’s website. The National Anti-Crime Information Center for Critical Infrastructure Protection (CNAIPIC) was tasked with analyzing the reported content. The police then published fact-checks based on these analyses. David Kaye, the UN special rapporteur on freedom of opinion and expression, expressed concerns about the initiative, citing its vague definition of fake news. In a formal communication, he urged the government to reconsider it.67 The government later confirmed that the initiative concluded within a few days of Italy’s March 4, 2018 vote.68 It is unclear how many reports the police received, how many instances of alleged fake news were assessed, and whether any content was removed.69 According to Wired, published responses to citizens’ reports were generally vague, short, and not published in a timely manner.70

A December 2018 analysis71 of the use of Facebook by Matteo Salvini and Luigi Di Maio, both populist leaders and deputy ministers of Italy's government, showed that the two used Facebook's video and live broadcasting services to bypass the mainstream media and “foment discord” during the March 2018 Italian general election. In April 2019, ahead of the EU elections, the DPA issued guidelines on the use of voter data by parties and other political actors in compliance with the GDPR. According to the DPA website, the guidelines focuses in particular on the use of political and propaganda messages sent to social network users (such as Facebook and Linkedin) or on other messaging platforms (such as Skype, Whatsapp , Messenger), reiterating that such use must comply with data protection rules. As shown by recent cases of massive voter profiling, it is essential to protect the electoral process and avoid risks of external interference and disturbances.”72

The Cambridge Analytica scandal also had an impact on Italy. The DPA conducted an inquiry into the case in order to establish how Italians’ data could have been misused and met with Facebook representatives in April 2018.73 The inquiry was closed in February 2019, when the DPA announced that Italians’ data were processed unlawfully. As a consequence, the DPA “reserved the right to issue administrative fines due to the unlawful processing activities at issue.”74

In practice, Italians do not face special economic or regulatory obstacles to publishing content online.

Italy’s Declaration of Internet Rights (see C1) commits the country to abide by the net neutrality principle. However, the declaration is nonbinding and net neutrality is not enshrined in national law, though a 2015 EU-level regulation empowers AGCOM to supervise and enforce the principle.75

The online information landscape in Italy is diverse, representative, and relatively unrestricted. Blogging is popular in Italy, though television remains a leading medium for obtaining news. Most policymakers, popular journalists, and figures in the entertainment industry have their own blogs, as do many ordinary citizens. In addition, social media platforms are popular fora for online expression. Facebook and YouTube in particular are among the most-visited websites in the country.76

In Italy, social media platforms, especially Facebook, have emerged as crucial tools for organizing protests and other mass gatherings such as parties or political rallies. There are no restrictions on their use.

In 2017, as the #MeToo movement gained momentum, Italy had, to a smaller extent, its own reckoning with pervasive sexism. Italy’s movement used the hashtag #quellavoltache (“That time when”). While the campaign stirred conversation online and in public forums,77 it did not lead to a sustained debate in parliament or the country’s other institutions.

Hashtag activism was also visible in relation to the Aquarius vessel controversy. The boat, carrying 629 migrants rescued in the Mediterranean Sea, was banned from entering Italian harbors in June 2018 when Interior Minister Matteo Salvini announced on Twitter that the harbors were closed via the hashtag #chiudiamoiporti (“Let’s close the harbors”). Users on Twitter reacted using the hashtag #umanitàperta (“Open humanity”), protesting the government’s decision. The campaign was started by the Italian online news outlet Valigia Blu.78

As a signatory to the European Convention on Human Rights and other relevant international treaties, freedoms of speech and the press, as well as the confidentiality of correspondence, are constitutionally guaranteed in Italy79 and supported by an independent judiciary. Italy was the first European country to adopt a crowdsourced Declaration of Internet Rights in July 2015.80 The nonbinding document includes provisions that promote net neutrality and establish internet access as a fundamental right. While generally seen as a positive development, the text has also raised some criticism for failing to outline adequate protections for anonymity, encryption, and data retention.81

Some restrictions on journalism, including online journalism, that are uncommon in other EU Member States remain in place in Italy. Drawing on a 1948 law against the “clandestine press,” a regulation issued in 2001 holds that anyone providing a news service must be a “chartered” journalist with the Communication Workers’ Registry (ROC) and hold membership in the Italian National Press Federation.82 With the exception of one case from the late 2000s, these rules have generally not been applied to bloggers and, in practice, millions of blogs are published in Italy without repercussions. Nonetheless, many people who create content on a range of issues (including scholarly research) still collaborate with registered journalists to protect themselves from potential legal action.

Several laws present a threat to internet freedom in the country. Italy passed an antiterrorism law in April 2015 that broadened language in the criminal code on terrorist recruitment, as well as the endorsement or incitement of terrorism, to include online activities.83 Critics argued that the law could be applied broadly and would sanction legitimate instances of free expression that fall within international norms of protected speech.84

Defamation is a criminal offense in Italy: according to the criminal code, “aggravated defamation” is punishable by prison terms ranging from six months to three years and a minimum fine of €516 (about $580). In cases of libel through the press, television, or other public means, there is no prescribed maximum fine.85 Though these provisions are rarely applied, civil libel suits against journalists, including by public officials and politicians, are a common occurrence, and the financial burden of lengthy legal proceedings may have chilling effects on journalists and their editors. In March 2017, the UN Human Rights Committee expressed renewed concerns that “forms of expression including defamation, libel and blasphemy remain criminalized, including with punishment of imprisonment, and that Article 13 of the Press Law and that Article 595 of the Criminal Code imposes harsher punishment for defaming public officials, including the head of state.”86

In early 2017, a widely criticized bill intended to tackle the spread of fake news and hate speech was presented for parliamentary discussion. According to this bill, online news organizations could be fined up to €5,000 (about $5,820) for publishing "false, exaggerated or biased" news reports and failing to remove them within 24 hours. If fake news is deemed to damage the public interest or to seek to undermine the democratic process, publishers would face heftier fines and prison sentences.87 The bill was officially presented in February 2017 but was not ultimately passed.88

Defamation suits against journalists, including those operating online, are a common occurrence. The financial burden of lengthy legal proceedings may have chilling effects on journalists and their editors. Ossigeno per l’Informazione, an organization that tracks threats to journalists in Italy, has reported 562 “frivolous defamation suits” against media since 2011, which includes cases against online media.89 In a representative incident circa April 2019, the online news outlet Estense was presented with a €100,000 ($111,000) lawsuit by a regional Lega politician after publishing a story in which interviewees accused him of stopping suspected immigrants and asking for their residency papers.90

The government places few restrictions on anonymous communication or encryption. Italian law does require mobile service providers to obtain customers’ personal and identification data in order to register a SIM card, citing counterterrorism purposes.91

In May 2019, lawmaker Andrea Ruggieri advanced a bill to fight anonymous trolling on social media. The proposal would require social media companies to record users’ identification cards and personal tax codes upon registration92 in order to track their identities. The proposal has been harshly criticized by experts of the field, who highlighted the potential for civil rights violations.93

Despite the Snowden revelations, Italy has not engaged in a thorough public debate on surveillance. Authorities are widely perceived to be engaged in regular wiretapping, and the news media regularly publicizes wiretap information that is leaked to them. In 2017, it was revealed that Lorenzo Tondo, an Italian journalist at the Guardian, was secretly wiretapped by prosecutors while investigating Medhanie Yehdego Mered, a human trafficker. Tondo condemned the wiretapping as “a clear violation of my rights as a professional journalist.”94 The case sparked extensive debate.

The use of hacking by Italian law enforcement agencies has also been documented, and in May 2017, the UN Human Rights Committee raised concerns that “intelligence agencies are intercepting personal communications and employing hacking techniques without explicit statutory authorization or clearly defined safeguards from abuse.”95 In July 2016, however, the Supreme Court of Italy had ruled that hacking was constitutional and in accordance with human rights law.96

Italian lawmakers have made several attempts to regulate hacking in recent years.97 Approved in June 2017, a criminal justice reform law mandates that the government regulate hacking for the purpose of criminal investigations.98 Organizations such as Privacy International have contended that the law fails to meet the standard of legality, necessity, and proportionality, and does not establish sufficient minimization procedures, effective oversight, or safeguards from abuse.99 Another proposal known as the “Trojan Bill” sought to establish a more robust system for authorizing remote and covert hacking.100 The bill was ultimately withdrawn in the aftermath of the March 2018 general elections.

A November 2018 ruling by Italy’s Supreme Court is expected to effectively place limits on authorities’ ability to conduct hacking as part of a criminal investigation. The case involved the installation of malware on a suspect’s mobile phone; as a result of the court ruling, a lower court must re-examine whether police practices had been consistent with articles of the European Convention of Human Rights and the Italian Constitution that protect the freedom and confidentiality of correspondence and other forms of communication.101 According to the NGO Privacy International, “It is the latest in a series of judgments addressing government hacking and comes amidst changes to the Italian law regulating the interception of communications, which addresses government hacking in the surveillance context. The ruling points to the need for Italy and other states to thoroughly review their practices of hacking for surveillance purposes and stop these activities until and unless they can be demonstrated to be in full compliance with applicable international human rights law.” 102

Under a variety of circumstances, including in the course of a criminal investigation or “for the purpose of preventing crimes by criminal associations and international terrorism organizations,” service providers are required to comply with law enforcement requests for user data.103

Although the Court of Justice of the European Union struck down the 2006 EU directive on the retention of data, Italy has extended the period in which ISPs must keep users’ traffic records (metadata). In November 2017, Italy’s parliament swiftly approved a regulation on data retention requiring telecommunications operators to store telephone and internet data for up to six years. The provision had been added into a transposition law following a European Council directive on the “safety of lifts” in July 2017. There was virtually no public or parliamentary debate on the bill, despite civil society protests.104 The Italian Data Protection Authority expressed its objection to the bill, citing its incompatibility with EU law and case law.105 European Data Protection Supervisor Giovanni Buttarelli commented that the newly approved regulation does not reflect the European approach to data retention: “The European Court of Justice has said that we can no longer collect anything that concerns us all just to have it ’in case.’ This is a type of approach that is not part of the European legal system.”106

Cases of intimidation or physical violence in response to online activity are reported sporadically, although individuals who expose organized crime activities in some parts of the country may especially be at risk of reprisals. For example, in May 2019, journalist Gaetano Scariolo’s car was set on fire by unknown assailants. Scariolo, who covers criminal justice and whose work appears online, said, “I am sure that intimidation has to do with my professional activity.”107

In 2018, Ossigeno per l’Informazione found that 11 percent of all threats against journalists were issued online.108

The Italian internet continues to grapple with an endemic hate speech problem.109 In particular, women journalists and politicians are often subject to virulent online harassment. In the summer of 2018, journalist Annalisa Camilli received derogatory and threatening anonymous emails after publishing an online story about a migrant rescued at sea by the NGO Open Arms.110 Other female journalists have reported experiencing similar harassment, particularly for their work covering the migration crisis.111 Meanwhile, independent lawmaker Laura Boldrini was harassed throughout the coverage period, including by Salvini, whose posts about her elicited death and rape threats from his online fans.112

Cyberattacks constitute a growing problem in Italy. Defacement or distributed denial-of-service (DDoS) attacks against websites as forms of political protest are commonplace, as are hacks of government and private institutions.

In March 2019, Vice reported113 that hackers working for an Italian surveillance company had infected hundreds of people with several malicious Android apps that were hosted on the official Google Play store for months. Experts told Vice’s Motherboard that the operation may have ensnared innocent victims, as the spyware appears to have been faulty and poorly targeted. The DPA announced an investigation into the matter, with the head of the authority declaring, ''what is emerging with unequivocal evidence is the considerable danger of tools, such as Trojans, which, however useful for investigative purposes they risk, if used without the necessary guarantees even on the technical level only, can determine unacceptable violations of citizens' freedom…It is essential to draw, from this story, the determination necessary to prevent further violations in the future, in the knowledge of how errors in such a sensitive field cannot be tolerated.”114 Soon after, Italian prosecutors launched an investigation115 into eSurv, the company that made the spyware, seizing its computers and shutting down the malware's infrastructure.

In its annual report, the Italian Association on Cybersecurity (CLUSIT) called 2018 the “worst year ever” when it comes to the evolution of cybercrimes and attacks, both quantitatively and qualitatively.116 The 2018 general election campaign in particular was characterized by several “public-interest hacks.” In February 2018, the Florence section of the Democratic Party was hacked, and personal information, including former prime minister Matteo Renzi’s mobile phone number, was posted on Twitter by the hackers.117 In the same week, two of Matteo Salvini’s campaign websites were hacked, and some internal Lega party data was subsequently released on Twitter by the hackers. The AnonPlus collective claimed responsibility for both hacks.118

Earlier, during the summer of 2017, the Five Star Movement was hacked by a black hat hacker named @r0gue_0. The hacker infiltrated Rousseau, the party’s online organizing platform, and leaked internal data, including the password used by the staff to access the platform.119 The same hacker allegedly infiltrated the platform again in 2018, leaking phone numbers of two Five Star Movement ministers.120 In September 2018, the DPA opened an investigation121 on the platform’s security flaws (and on various websites connected to the Five Star Movement), and then on April 4, 2019, fined Rousseau €50,000 ($56,000)122 for various data protection failures.

In May 2019, the hacktivist groups Anonymous and LulzSec Italia breached the database of Rome’s Bar Association, exposing the email accounts of 30,000 registered lawyers. Allegedly, the breach includes the account of the current mayor of Rome, a registered lawyer.123 Earlier, in November 2018, hacktivist groups LulzSec Italia and AntiSec Italia had conducted some attacks, targeting the websites of, the Ministry of Economic Development, the State Police, the Brothers of Italy party, and some local branches of other political parties.124

A major data breach occurred in Italy occurred when 1.4 million users’ data was stolen from Italian email services provider Italiaonline. Popular services Libero Mail and Virgilio Mail were affected. A 24-year-old hacker was arrested and charged for the attack in April 2019, but not before selling the data to an unidentified party. The hacker entered Italiaonline’s network by cracking its Wi-Fi network from a bar near the company’s headquarters.125

Awareness regarding Italian involvement in the cyber-weapons market has grown, and companies have faced growing scrutiny over surveillance software sales to government agencies and repressive regimes. In July 2015, a leak of internal documents from the Milan-based surveillance technology firm Hacking Team revealed details about some of the company’s clients across the world, including countries with poor human rights records.126 The company had been criticized in the past for cooperating with undemocratic regimes and lacking sufficient considerations of users’ privacy.127 In April 2016, the Italian government suspended its “global” authorization to export its software, requiring it to seek approval from Italian authorities to request individual licenses for countries outside of the EU.128

According to a study from the NGO Privacy International in August 2016, three other companies based in Italy market intrusion technology.129 In 2017, the Italian Coalition for Civil Liberties and Rights, Privacy International and the Hermes Center for Transparency and Digital Human Rights wrote a public letter to the Italian Ministry for Economic Development asking to reconsider the export authorization for Italian company, AREA, which had been investigated after selling their products in Syria and Egypt.130 The ministry issued a press release stating that the company’s export authorization to Egypt had been suspended and would be revoked.131 However, civil society organizations have continued to demand greater transparency on export licensing and the countries involved.132