SecurityBaseline.eu: A Transparency Tool for European Government Security

On May 13, 2026, the Internet Cleanup Foundation launched SecurityBaseline.eu, a spin-off from the Dutch "Basisbeveiliging" that has monitored baseline security for over a decade. The site measures 21 security metrics across 200,000 internet domains belonging to 67,000 local governments in 32 European countries (EU member states plus EEA countries; the UK is excluded). The data is updated nightly, generating 1,827 maps. The project sent tens of thousands of emails to governments three months before launch, giving them time to review results.

Three Worrisome Metrics

The article highlights three metrics of particular concern: illegal tracking cookies, exposed database admin panels, and poor email encryption.

3,000+ Government Sites Use Tracking Cookies Illegally

SecurityBaseline found 3,081 European government sites placing tracking cookies without consent, violating GDPR. The law requires "freely given, specific, informed and unambiguous" consent. The largest source of tracking cookies is YouTube (2,077 cookies), followed by Google Ads (842), Facebook (293), and TikTok (20). Some sites have multiple trackers, totaling 3,232 placements across 3,081 unique sites.

Country-level differences are stark: Slovakia leads with nearly 10% of its government domains tracking, followed by Greece (8%) and Portugal (7.6%). Cyprus and Liechtenstein have zero tracking cookies. The metric ignores cookie banners; prior research shows at least 30% of banners are ineffective. The project also notes that these numbers exclude project websites (tourism, construction, etc.), which are "particularly prone to tracking technologies."
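One way to run a comparable check against your own site, as an added example that is not SecurityBaseline's code: export a HAR capture of a first page load, before touching any cookie banner, and list the cookies scoped to tracker domains. The domain list, the function names and the sample capture are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: registrable domains for the four tracker sources named above.
TRACKER_DOMAINS = {
    "youtube.com": "YouTube",
    "doubleclick.net": "Google Ads",
    "facebook.com": "Facebook",
    "tiktok.com": "TikTok",
}

def tracker_for(host):
    """Return the tracker label when host is a tracker domain or one of its subdomains."""
    host = host.lower().strip(".")
    for domain, label in TRACKER_DOMAINS.items():
        # Match on a label boundary so youtube-nocookie.com is not taken for youtube.com.
        if host == domain or host.endswith("." + domain):
            return label
    return None

def audit_har(har):
    """Return (tracker, cookie name, request URL) for each tracker cookie set in the capture."""
    findings = []
    for entry in har["log"]["entries"]:
        url = entry["request"]["url"]
        request_host = urlsplit(url).hostname or ""
        for cookie in entry["response"].get("cookies", []):
            # A cookie without a Domain attribute is scoped to the responding host.
            label = tracker_for(cookie.get("domain") or request_host)
            if label:
                findings.append((label, cookie["name"], url))
    return findings

def _entry(url, cookies):
    return {"request": {"url": url}, "response": {"cookies": cookies}}

# Constructed sample: HAR excerpt of a first page load, no consent given yet.
SAMPLE_HAR = {"log": {"entries": [
    _entry("https://www.gemeente.example/", [{"name": "session"}]),
    _entry("https://www.youtube.com/embed/abc123",
           [{"name": "VISITOR_INFO1_LIVE", "domain": ".youtube.com"}]),
    _entry("https://www.youtube-nocookie.com/embed/abc123", []),
    _entry("https://ad.doubleclick.net/pixel", [{"name": "IDE"}]),
]}}

if __name__ == "__main__":
    for tracker, name, url in audit_har(SAMPLE_HAR):
        print(f"{tracker}: cookie {name!r} set by {url}")
```

A real capture exported from the browser's developer tools can be loaded with json.load and passed to audit_har unchanged.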

Over 1,000 Publicly Reachable phpMyAdmin Panels

SecurityBaseline detected 1,070 phpMyAdmin portals across 3,529 different government domains (many domains share the same panel, e.g., via a shared hosting provider). phpMyAdmin is a database management tool that should never be exposed to the public internet. The project points out that on April 30, 2026, a similar tool (cPanel) had a severe vulnerability, underscoring the risk. Two of these panels are on Computer Security Incident Response Team (CSIRT) domains:

https://codsustenabilitate.gov.ro:443/phpmyadmin/
https://nkc.nukib.gov.cz:8443/phpMyAdmin/

These are considered a "double offense" — CSIRTs should be exemplars.

99% of Governmental Email is Poorly Encrypted

While the article doesn't dive deep into the email metric, it notes that 99% of government email is poorly encrypted. This likely refers to lack of STARTTLS or weak TLS configurations. The project uses internet.nl for email security measurements.

How the Maps Work

Maps use traffic light coloring: red = security issue, orange = warning, green = no issues, gray = no data found. A single issue is enough to turn a region orange or red. The default map for each country combines all 21 metrics. Examples: Denmark's municipalities are mostly orange (policy in effect), Italy has many green municipalities (their sites are subdomains, shifting security issues upward), EU CSIRTs are all red (the project connects the most important governmental website to each CSIRT, leveling the playing field).

The Bigger Picture

The project emphasizes that these issues require continuous improvement processes, not one-time fixes. "Fixing it once does not lead to resilience" — future challenges include stronger encryption, quantum cryptography, and additional metrics. The Internet Cleanup Foundation already monitors over 80,000 organizations and 500,000 addresses.

Technical Details for Developers

Actionable Takeaways for Developers

  1. If you work on government sites, audit your cookie usage immediately. Replace YouTube embeds with privacy-friendly alternatives (e.g., Invidious).
  2. Never expose phpMyAdmin (or any admin panel) to the public internet. Use VPNs or SSH tunnels.
  3. Implement proper email encryption (STARTTLS, MTA-STS, TLS-RPT) for all government domains.
  4. Contribute financially to open-source projects your organization depends on.
  5. Use SecurityBaseline.eu to check your own government's compliance and pressure them to fix issues.