All but three of the European Union member states' government websites are littered with undisclosed adtech trackers from Google and other firms, with many piggy-backing on third-party scripts, according to an analysis of almost 200,000 webpages.

The report (PDF), published today by Cookiebot in collaboration with civil rights association European Digital Rights (EDRi), scanned 184,683 EU government webpages on 11 and 12 March to assess the cookies on each.

It found that there were 112 companies slurping up information on EU citizens' browsing habits on the webpages of the governments supposedly fighting the good fight against excess stalking of netizens.

Adtech trackers were found on 25 of the 28 member states' sites, with only Spain, Germany and the Netherlands clean of commercial cookies. There were 52 companies identified on France's government sites, 27 on Latvia's and 19 on Belgium's. Twenty cookies were identified on GOV.UK, of which 12 were marketing, and all belonged to one company – Google.

Indeed, the search giant is described as the "kingpin of tracking" within the report, present on 82 per cent of all the sites and accounting for three of the top five trackers: YouTube, DoubleClick and Google.

The report authors said this was of "special concern" because Google can cross-reference trackers with its first-party account details via its widely used consumer services such as Mail, Search and Android apps.

Separately, the work assessed public health service sites, again finding that cookies were widespread, with 52 per cent of those tested having commercial trackers.

And again, Google was right up there, making up two of the top five, with the others being Adobe's everesttech.net, AppNexus' adnxs.com and Mediamath's Mathtag.com.

For this assessment, the researchers chose six EU countries and carried out 15 health-related search queries – such as "How do I know if I have HIV?", "Signs of being an alcoholic" and "I want to terminate my pregnancy" – from IP addresses in each country to identify the relevant landing pages on each nation's health service.

In the UK, some 60 per cent of these landing pages had such ad trackers, less only than Irish sites, where trackers appeared on 73 per cent of landing pages. A single German website about maternity leave was monitored by 63 companies, while a French page about abortion was tracked by 21 firms.

The group said this could be used to "infer sensitive facts about [users'] health condition and life situation" and be resold to target ads. "These citizens have no clear way to prevent this leakage, understand where their data is sent, or to correct or delete the data," it said.

The extent of tracking on these sites is even more alarming, the report argued, because they don't rely on ad revenue. In some cases, governments will want to use companies' services, but in others the firms gained access to these non-commercial sites through "free" third-party JavaScript tech services, like share buttons or plugins.

"These scripts can act as Trojan horses, opening backdoors to the website code through which ad tech companies can silently insert their trackers," the report said.

It urged website owners to be more careful when including third-party components on their sites; to make sure they had a detailed overview of the current trackers; and to remove any unwanted ones from the source code.
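One way a site owner could build that overview is sketched below. It is an added example, not code from the report or from Cookiebot. It reads a HAR capture of a page load and reports which third-party domains were requested and which party caused each request, so trackers pulled in by another third party's script stand out. It assumes a Chrome DevTools HAR export, which carries the non-standard `_initiator` field; the `health.example` and `sharewidget.example` hosts and the sample capture are constructed.

```python
from urllib.parse import urlsplit

# Tracker domains named in the article; not a complete blocklist.
TRACKERS = {"doubleclick.net", "youtube.com", "google.com",
            "everesttech.net", "adnxs.com", "mathtag.com"}

def site(url):
    # Crude "last two labels" grouping (assumption); a real audit needs the
    # Public Suffix List so that hosts under e.g. gov.uk are handled correctly.
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def initiator_url(entry):
    # Chrome stores the requester in the non-standard "_initiator" field:
    # "url" for markup-initiated loads, a call stack for script-initiated ones.
    init = entry.get("_initiator") or {}
    frames = (init.get("stack") or {}).get("callFrames") or []
    return init.get("url") or (frames[0].get("url") if frames else None)

def audit(har, first_party):
    """List third-party requests and which party caused each one."""
    findings = []
    for entry in har["log"]["entries"]:
        domain = site(entry["request"]["url"])
        if domain == first_party:
            continue
        parent = initiator_url(entry)
        loaded_by = site(parent) if parent else "unknown"
        findings.append({
            "domain": domain,
            "loaded_by": loaded_by,
            "tracker": domain in TRACKERS,
            # Piggy-backed: pulled in by another third party, not by our markup.
            "piggybacked": loaded_by not in (first_party, domain, "unknown"),
        })
    return findings

def _req(url, initiator):
    return {"request": {"url": url}, "_initiator": initiator}

PAGE = "https://www.health.example/advice"           # constructed sample
WIDGET = "https://cdn.sharewidget.example/share.js"  # constructed sample
SAMPLE_HAR = {"log": {"entries": [
    _req("https://www.health.example/site.css", {"type": "parser", "url": PAGE}),
    _req(WIDGET, {"type": "parser", "url": PAGE}),
    _req("https://www.youtube.com/embed/abc", {"type": "parser", "url": PAGE}),
    _req("https://t.adnxs.com/pixel",
         {"type": "script", "stack": {"callFrames": [{"url": WIDGET}]}}),
]}}

if __name__ == "__main__":
    for finding in audit(SAMPLE_HAR, "health.example"):
        print(finding)
```

In the sample, the YouTube embed is a tracker the site added itself, while the adnxs.com request is attributed to the share widget, which is the case that reading the page source alone would miss.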

Visitors should also be offered full transparency and control over trackers on the site – but it shouldn't just be up to users to lock down their browsing habits. Stronger regulations need to be in force, and adhered to.

"How can any organisation live up to its [European General Data Protection Regulation] GDPR and ePrivacy obligations if it does not control unauthorised tracking actors accessing their website?" asked Cookiebot founder Daniel Johannsen.

"Public sector bodies now have the opportunity to lead by example – at a minimum by shutting down any digital rights infringements that they are facilitating on their own websites."

Diego Naranjo at EDRi used the opportunity to lament the delay to the long-awaited ePrivacy Regulation, which was initially meant to be enforced as the yin to the GDPR's yang, covering communications data rather than personal data.

However, it has been stuck in discussions between member states for more than a year, and privacy activists fear it is being watered down as a result of lobbying from the adtech industry and concerns among member states.

If it does lose ground, Naranjo warned, it will "open a Pandora's box of more and more sharing, merging and reselling of personal data in huge online commercial surveillance networks, in which citizens are being unwittingly tracked and micro-targeted with commercial and political manipulation."

Their calls for progress echo those made by the European Data Protection Board last week. The group – made up of the bloc's data protection watchdogs and EU data protection supervisor – issued a statement urging legislators to "intensify efforts" to adopt it.

"The future ePrivacy Regulation should under no circumstance lower the level of protection offered by the current ePrivacy Directive and should complement the GDPR by providing additional strong guarantees for all types of electronic communications," it said. ®