SecurityBaseline.eu Reveals Widespread Government Security Failures
On May 13, 2026, the Internet Cleanup Foundation launched SecurityBaseline.eu, a spin-off of the Dutch "Basisbeveiliging" project that has monitored baseline security for over a decade. The site scans over 200,000 government domains across 32 European countries, covering 67,000 local governments, and updates 1,827 maps daily with 21 security metrics. Three findings stand out: 3,081 sites use tracking cookies without consent (illegal under GDPR), 1,070 phpMyAdmin database panels are publicly reachable, and 99% of government email is poorly encrypted.
3,000+ Sites Use Tracking Cookies Illegally
Tracking cookies without consent violate GDPR Article 7, which requires informed, unambiguous consent. SecurityBaseline found 3,081 sites placing tracking cookies, with a total of 3,232 cookie placements (some sites have multiple). The biggest culprits: YouTube (2,077 cookies), Google Ads (842), Facebook (293), and TikTok (20). These are often side effects of integrating third-party analytics or embedded videos. The researchers note that at least 30% of cookie banners are ineffective and still leak tracking data.
Country breakdown shows Slovakia leading with nearly 10% of its government sites affected, followed by Greece (8%) and Portugal (7.6%). Only Cyprus and Liechtenstein have zero tracking cookies. The report highlights that project sites (tourism, housing, festivals) are especially prone but often missed in scans.
Over 1,000 phpMyAdmin Panels Exposed
The most alarming finding for DevOps: 1,070 phpMyAdmin installations are accessible over the public internet on government domains. phpMyAdmin is a database management tool; exposing it is like leaving the back door to your database wide open. The report notes that many domains share the same panel (e.g., via shared hosting), but two are on CSIRT (Computer Security Incident Response Team) domains, which is a double offense. Example URLs provided:
These panels are prone to vulnerabilities; on April 30, 2026, a similar tool (cPanel) had a severe vulnerability. The report urges governments not to expose admin panels and to contribute financially to open-source tools like phpMyAdmin, as the researchers found no financial contributions from European governments to the project.
99% of Government Email Poorly Encrypted
While the article doesn't dive deep into email metrics, it states that 99% of government email is poorly encrypted, likely referring to missing or weak STARTTLS/DANE configurations. This means email in transit can be intercepted or tampered with.
Methodology and Maps
SecurityBaseline uses traffic-light maps (red=issue, orange=warning, green=ok) for each of the 32 countries, divided into 87 region types (municipalities, provinces, etc.). Maps are updated nightly from scans of 200,000 domains. The tool uses established quality tools like internet.nl and Zonemaster for measurements. The project is open to change requests; users can sign up to submit corrections.
What This Means for Developers
If you work on government or enterprise sites, consider this a wake-up call. Audit your cookie usage: replace third-party tracking with first-party analytics (e.g., Plausible, Matomo). Never expose admin panels like phpMyAdmin to the public internet; use VPNs or SSH tunnels. Enforce email encryption with DANE and MTA-STS. The report emphasizes that security is a continuous process, not a one-time fix.
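One way to audit the MTA-STS part of that advice offline, as an added example that is not code from SecurityBaseline.eu or the report. The sample policies, the example.org hostnames and the one-day minimum for max_age are constructed assumptions; the field rules follow RFC 8461.

```python
# Added example: offline audit of an MTA-STS policy file (RFC 8461).
MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound for max_age (about one year)
MIN_AGE_HINT = 86400      # assumption of this example, not an RFC requirement

# Constructed sample policies (not taken from any real domain).
SAMPLE_WEAK = "version: STSv1\nmode: testing\nmx: *.example.org\nmax_age: 3600\n"
SAMPLE_GOOD = "version: STSv1\r\nmode: enforce\r\nmx: mail.example.org\r\nmax_age: 604800\r\n"

def parse_policy(text):
    """Parse policy text into a dict; 'mx' collects every mx line."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy.setdefault(key, value)  # first occurrence wins, later duplicates ignored
    return policy

def audit_policy(policy):
    """Return a list of findings; an empty list means the policy enforces TLS."""
    findings = []
    if policy.get("version") != "STSv1":
        findings.append("version must be STSv1")
    mode = policy.get("mode")
    if mode not in ("enforce", "testing", "none"):
        findings.append("mode missing or invalid")
    elif mode != "enforce":
        findings.append(f"mode is '{mode}': TLS failures do not block delivery")
    age = policy.get("max_age", "")
    if not age.isdigit() or int(age) > MAX_AGE_LIMIT:
        findings.append("max_age missing, non-numeric or above the RFC limit")
    elif int(age) < MIN_AGE_HINT:
        findings.append("max_age under one day: senders cache the policy too briefly")
    if mode != "none" and not policy["mx"]:
        findings.append("no mx patterns listed")
    return findings

def mx_matches(host, pattern):
    """RFC 8461 matching: a leading '*.' covers exactly one left-most label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.partition(".")[2] == pattern[2:]
    return host == pattern

if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("good", SAMPLE_GOOD)):
        print(name, audit_policy(parse_policy(text)) or "ok")
```

To check a live domain, feed `parse_policy` the body served at `https://mta-sts.<your-domain>/.well-known/mta-sts.txt` and test each of your MX hosts with `mx_matches`.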
Next Steps
Check your own domains against SecurityBaseline.eu. The site allows change requests for corrections. For governments: implement a security baseline policy like the Dutch "Basisbeveiliging" and mandate regular scans. For developers: contribute to open-source tools you depend on; the report found zero contributions from EU governments to phpMyAdmin.



