Kosovo Journalists Protest After Govt Suspends TV Station’s Permit

Hundreds of journalists and civil society activists marched on Monday to Pristina’s main square to protest against the decision by the Kosovo government to suspend Klan Kosova TV’s business certificate, calling it as an attempt to curb the freedom of media.

Carrying a banner with the slogan “Democracy dies in darkness”, protesters called on the Ministry of Industry, Entrepreneurship and Trade to reconsider the decision.

“We see this decision as political and an interference in freedom of expression and freedom of the media in Kosovo,” said Nain Sadiku, a board member of the Association of Journalists of Kosovo.

“We ask the court to address Klan Kosova’s case in with right way, not being influenced by politics,” Sadiku said.

Klan Kosova has said it will take its case to court after the Ministry of Industry, Entrepreneurship and Trade three days ago rejected its complaint about the suspension of its business certificate last month.

But the ministry said that its commission, which reviewed the case, acted in accordance with the law when it suspended the certificate.

“The commission decision closes this case within the ministry while the complaining entity has the right to take the case to the court,” the ministry said in a statement.

The dispute started in June when news website Kosovanews published an investigation that suggested irregularities in Klan Kosova’s registration in Kosovo’s business registry.

The ministry then suspended Klan Kosova’s business certificate and initiated a criminal complaint against the company, its managers and officials from the Business Registration Agency on suspicion of misuse of office.

According to the decision, which was made public by the Association of Journalists of Kosovo, the ministry suspended Klan Kosova’s business certificate because the owners’ residential address is allegedly registered as “Peje-Serbia and Gjakove-Serbia… [which is] in violation with the basic principles of the constitution of the Republic of Kosovo”. Both towns are in Kosovo, not Serbia.

The Independent Media Commission, the institution responsible for the regulation, management and oversight of broadcasters in Kosovo, gave TV channel a month to correct the documentation, but on the final day, July 28, the ministry said that Klan Kosova failed to comply with the request.

Klan Kosova insisted on Monday however that it has corrected all the data in the business registry and accused the ministry of “fraudulently presenting a situation that does not exist”.

While Klan Kosova remains on air, the issue will be decided by a court after the TV channel announced it will file a legal complaint.

On Sunday, Prime Minister Albin Kurti intervened in the dispute, writing on Twitter that “following registration rules is a legal duty, not a ‘technicality’”.

“Enforcing such rules against a single violator does nothing to threaten media pluralism,” Kurti said.

“Media freedoms are vital: an attack on them is an attack on democracy. But democracy is also assaulted when powerful businesspeople break the law for financial gain. And enforcing the law against such people’s violations does not – in any way – constitute an attack on media freedom,” he added.

However, the Pristina embassies of the US, Germany, Britain, France and Italy in Kosovo – known collectively as the Quint – have expressed “deep concern” about the ministry’s decision.

“We are especially concerned that revoking Klan Kosova’s business licence is a disproportionate decision that will have repercussions on media plurality in Kosovo. The revocation of any media outlet’s license is a significant step requiring rigorous consideration,” the Quint said in a statement on Friday.

Turkey Fines Major Digital Platforms for ‘Challenging’ Family Values

Turkey’s Radio and Television Supreme Council, RTUK, which monitors and sanctions radio and television broadcasts, fined various big digital streaming platforms on Wednesday for productions addressing LGBT issues and “normalising obscenity”.

“Not recognizing the boundaries of gender, sexuality and relationships, constructing an alternative ideal world based on gender, changing the universal family form, showing scenes of intense obscenity in detail, and normalizing all these and even defining them as ‘healthy’ were considered contrary to the principle of protecting the family,” RTUK said in its decision to fine Netflix over its series called “Anne”.

Other digital platforms fined by the RTUK are Amazon Prime, Disney+, MUBI, BluTV and Radio Virgin, again for productions promoting LGBT stories. RTUK has not yet specified the amount of the fines.

In the case of Disney+’s series “Love, Victor,” an administrative fine at the upper limit was applied due to the presence of “disturbing and morally objectionable behaviours” in one of its episodes.

The production “Modern Love,” aired on Amazon Prime, also received an administrative fine at the upper limit for containing scenes contrary to “the moral values of society and the principle of protecting the family”.

In August 2019, RTUK was given authority to oversee digital streaming platforms with a regulation change that increased government control. Following this, several fines were imposed on digital platforms in parallel with the government’s increased pressure and censorship of media and the internet.

RTUK plans an extraordinary meeting with the representative of digital streaming platforms in September. At the meeting, “the values of the Turkish family, national and moral values and the indivisible integrity of Turkey” will be explained to the platforms, RTUK announced.

‘For the Right Price’: Email Credentials from Serbian State Bodies Sold Online

Late last year, reports surfaced in the online forum ‘Bezbedan Balkan’ [Secure Balkan] concerning the black market sale of email account credentials associated with a number of Serbian state institutions and public companies.

“Multiple sources” reported the phenomenon, said Ivan Markovic, a cybersecurity expert and co-founder of the forum.

“This means that someone, for the right price, was able to read through the official communication of the public enterprise Elektroprivreda Srbije [Serbia’s power utility] or [main gas distributor] Srbijagas, or send a message pretending to be from the National Employment Service,” Markovic told BIRN.

When Markovic and his colleagues dug deeper, they found that the email credentials of several public enterprises and state institutions had been compromised for more than a year and offered for sale for $100 or less.

The email accounts contained information on contracts, redundancy notices, bank statements, public procurement, and union meetings. Sale ads included screenshots of open email inboxes as proof for potential buyers.

Yet almost all of the bodies concerned told BIRN the reports were false.

According to Markovic and other cybersecurity experts, their failure to act only makes things worse.

“Black market platforms depend on their credibility and usually don’t sell fake data; those sellers who do quickly get sanctioned,” he said. “What’s more dangerous is that this data is sold multiple times to different malicious groups.”


Inbox of one of the email accounts offered on the market – Anonymous Source (Screenshot)
Ads selling addresses linked to public enterprise Beogradski vodovod i kanalizacija were the first to appear online. Since January 2022, at least four ads were posted, with their total value at $367,5. BIRN inquired about the incidents, but “Beogradski vodovod i kanalizacija” did not respond to our questions.


Ads for email accounts for Elektroprivreda Srbije appeared alongside other compromised addresses – Bezbedan Balkan (Screenshot)
First two ads offering access to email accounts related to Elektroprivreda Srbije, Serbia’s power utility, are posted on an online market. This, along with information on breaches for other public and private companies, was revealed in November on the Bezbedan Balkan forum, which analyses cybersecurity incidents.


Inbox of one of the email accounts offered on the market – Anonymous Source (Screenshot)
Ads continued to pop up throughout the summer. In September, at least seven ads were published, the most of any previous month. Their total value was almost $700. The screenshots of inboxes posted by the sellers indicated the legitimacy of the ads. They contained information on bank statements, public procurement plans, and union meetings.


Cybersecurity site detects malicious activity – Bezbedan Balkan (Screenshot)
Spam messages were sent from an IP address linked to Elektroprivreda Srbije. The same IP address was reportedly abused again several months later, for other malicious activities. At the time,the National CERT, the state body dealing with the prevention of cybersecurity incidents, said it had informed the institutions whose email accounts were suspected of having been compromised


Four new ads appeared between January and March 2023 – Bezbedan Balkan (Screenshot)
Ads selling access to email accounts of Elektroprivreda Srbije continued appearing online. In total, at least fifteen ads were posted since they were first published in March last year, which is more than for any other public company whose email accounts were compromised.


Inbox of one of the email accounts offered on the market – Anonymous Source (Screenshot)
Since December 2022, at least two ads offering accounts connected with state-owned Telekom were posted online. Their total value was $129. Telekom told BIRN it ran internal checks after information appeared online, but determined no accounts were compromised.


Inbox of one of the email accounts offered on the market – Anonymous Source (Screenshot)
One ad, worth $30, selling email address linked to public utility company Infostan appeared. BIRN inquired about the incidents, but Infostan did not respond to our questions.


Inbox of one of the email accounts offered on the market – Anonymous Source (Screenshot)
One ad, worth $30, selling email address related to the National Employment Service, was posted on the internet. The Service told BIRN it was not aware of email accounts being offered online, nor that it identified any incidents related to this. However, they said that email accounts of private citizens, not employees, on their platform did get compromised in the past.


Inbox of one of the email accounts offered on the market – Anonymous Source (Screenshot)
One ad, worth $85, selling accounts related to grid operator Elektromreža Srbije was posted online. Previously, another ad appeared in January 2023, offering data for $14. Elektromreža Srbije told BIRN they identified the incident, which was a result of a phishing campaign. It received information on this from the National CERT.


Inbox of one of the email accounts offered on the market – Anonymous Source (Screenshot)
An ad, worth $10, selling email account linked to public gas company Srbijagas surfaced online. BIRN inquired about the incidents, but Srbijagas did not respond to our questions.


Conclusion in the Commissioner’s report on the oversight – Bezbedan Balkan (Screenshot)
After being informed of the incidents in early April, the Commissioner for Information of Public Importance and Personal Data Protection initiated a review of Elektroprivreda’s information security and safety protocols. Taking into consideration the technical limitations of the review, as well as measures the public enterprise has in place, the Commissioner was not able to identify any harm related to personal data handled by the company. Responding to BIRN, Elektroprivreda Srbije dismissed the claims concerning the breaches as inaccurate.

Reluctant to report

Since January last year, according to Markovic, email accounts related to Elektroprivreda Srbija, EPS, have been compromised at least 15 times.

But EPS told BIRN this was untrue.

State-owned telecoms provider Telekom Srbije also said the email accounts of its employees were secure, as did the National Employment Service. Srbijagas did not respond to a request for comment for this story.

Only grid operator Elektromreza Srbije confirmed an incident involving a compromised corporate email account.

Alerted by the state CERT – the regulatory authority for electronic communications and postal services – to a case of phishing, Elektromreza Srbije said it “blocked the account, examined the activities on the system of the compromised user, changed the passwords and initiated additional training on information security and potential threats”.

CERT, however, has no authority to monitor the implementation of such security measures. That rests with the Ministry of Information and Telecommunications, which has just one inspector dedicated to the task.

Last year, leading cybersecurity firm Kaspersky tracked posts on the dark net offering access to compromised corporate data and found some 260,000 passwords, PIN numbers and other biometric data belonging to users in Serbia, though without identifying specific companies.

According to Kaspersky, the mere appearance of a corporate email address on the dark net, even without a password, already puts the security of the organisation in question at risk.

“The attack surface within its infrastructure increases as the number of potentially vulnerable targets grows,” Kaspersky told BIRN. “The public availability of corporate email addresses can pique the interest of cybercriminals and trigger discussions on dark net resources such as forums, messengers, onion sites, and more, regarding potential attacks on the organisation. Additionally, a corporate email address is more likely to be used for phishing and social engineering purposes.”

Kaspersky’s investigation also revealed a worrying lack of corporate preparedness and a tendency to deny claims that their protections have been breached.

This was also documented by the Serbian State Audit, which reported in xxxx that public enterprises and the state administration are reluctant to report incidents to CERT. A lack of awareness about whom to turn to and a fear of the hit to a company’s reputation are among the reasons why.

This is worrying, said Bojan Perkov, digital policy coordinator at SHARE Foundation, which works to promote and protect digital rights.

“Unauthorised access to email accounts and their abuse can be an entry point for other, far more serious attacks,” Perkov told BIRN.

“If the same combination of credentials – let’s say email, username or password – was used for multiple accounts, of which some contain highly sensitive information such as a large database with the details of private citizens, this can be quite damaging. The attacker can also continue to abuse the email address for phishing schemes and social engineering in order to gain further access to the system.”

Phishing for employees

It’s not only companies that are reluctant to admit to cybersecurity breaches. Employees are also often unwilling to admit they may have unwittingly compromised their employer.

“A member of staff said that she received an email, but did not click on it. But her computer was blinking,” an employee in the IT department of a Serbian public company told BIRN, speaking on condition of anonymity.

The case in question was phishing. A bot introduced itself as an administrator to a staff member, and the email she received contained a link which allegedly led the person to change the password.

“It took us a month to solve the problem,” the IT employee said. “First, the Outlook file, where the emails were stored, started duplicating her emails. Once that was fixed, suddenly she couldn’t receive any emails, then the ports would get mixed up, the configuration I set up would turn off. I thought we could just repair the file, but ended up taking down the entire system of her computer.”

The use of an official email address for private purposes is one of the most common mistakes made by employees in public companies and institutions, CERT told BIRN.

“This leaves them particularly vulnerable to phishing attacks and social engineering. Also, sending sensitive and private data via instant messaging apps, such as Viber and WhatsApp, can have similar undesirable consequences.”

Most email accounts of Serbian public enterprises sold on the black market used Outlook’s Web App.

“The problem with this, or any other webmail app accessed through a browser, arises when the user chooses the option for remembering the password,” said another IT employee at a Serbian public institution, who also spoke on condition of anonymity.

“The browser on the computer or laptop doesn’t have any additional protection when someone accesses their account through remembered credentials,” he said. “Once the computer is infected with a virus, the data will become available. And since most institutions attempt to network all their computers, the virus spreads really fast within the system and can collect their accounts.”

In the case of EPS, Markovic informed authorities about the compromised emails, but only the Commissioner for Information of Public Importance and Personal Data Protection took any action, he said. Limited in the degree it can inspect, the Commissioner also failed to find any issue.

“Given this outcome, we can only say that this problem is being ignored,” Markovic said.

Turkish Journalists’ Detention for Reporting Judicial Couple’s Transfer Condemned

Turkish and international media organisations condemned the arrest of a journalist for reportng the new posting of a married judge and prosecutor couple who had previously jailed dozens of journalists.

Four other journalists were also taken into police custody for retweeting the news report. They have since been released.

“Raids and the detention/arrest of five journalists are unacceptable. This is an assault on media freedom and society’s right to access information. Journalists cannot be subjected to judicial harassment because of their work and become the target of investigations and raids for uncovering something wrong,” said the Coordinator of Media Freedom Rapid Response at the European Centre for Press and Media Freedom, a nonprofit that promotes and defends media freedom.

Evrim Kepenek, the last of five journalists taken into police custody in Istanbul, was released by a court on Wednesday with a judicial review measure and a travel ban, due to her retweet of a news report about the new posting of the married judge and prosecutor couple who had previously jailed dozens of journalists.

“You cannot prosecute Kepenek and other detained journalists. Journalism is not a crime,” the Journalists’ Union of Turkey, TGS, said on Wednesday.

The prosecutors’ office said the five journalists had targeted the couple and pressed charges of “marking counter-terrorism officials as a target”.

The arrested journalist, Fırat Can Arslan, a reporter for Mezopotamya Agency, MA, had covered a separate case involving 18 Kurdish journalists accused of “terrorism.”

He was arrested on Tuesday after he reported on the issue of the married judge and a prosecutor and having their work locations changed.

The other four detained for retweeting Arslan’s report and later released by the courts were: T24 news website reporter Sibel Yukler, MA reporter Delal Akyuz, journalist Evrim Deniz and Bia.net’s editor Kepenek.

Except for Arslan, all the journalists are banned from travelling abroad and have to visit police station on a regular basis.

Ozturan, of the Media Freedom Rapid Response, told BIRN that the detentions and arrests were no surprise.

“This comes as no surprise considering the long-term pressure targeting media freedom in Turkey which has been escalating especially since the beginning of the year. This pressure needs to stop and journalists need to fulfil their duties as witnesses of the time they are living in,” Ozturan said.

Media organisations and rights groups say that Turkey under President Recep Tayyip Erdogan has become one of the world’s worst jailers of journalists, also exerting pressure on the media through court cases, fines and prison sentences.

Turkey ranked 165th out of 180 countries in 2023 in the latest press freedom index issued by the watchdog organisation Reporters Without Borders, RSF.

Turkish Fraudster Seeks to Delete BIRN Investigation Into Citizenship Acquisition

A representative of Turkish businessman Yasam Ayavefe – a convicted fraudster who was revealed in an investigation by BIRN and Greek media partner Solomon to have acquired honorary Greek citizenship via his political ties – has asked BIRN to delete its report.

He also urged BIRN to delete articles about cyberattacks that targeted the Balkan Insight website after the publication of the investigation.

“These kinds of posts affect the business life of my client [Ayavefe]. He has invested in so many countries and posts like this cause my client material and moral damage,” Bener Ljutviovski, who introduced himself as Ayavefe’s representative, told BIRN in an email.

His request for the removal of BIRN’s reports came after Turkish courts, in two separate judgments in Istanbul and Ankara, ruled that Turkish online media articles about based Ayavefe’s activities in gambling, crime and business in Cyprus, Greece and Turkey should be removed.

The Turkish court rulings said that Ayavefe’s rights had been violated by the articles, citing “the presumption of innocence”.

BIRN has confirmed that at least 114 news pieces about Ayavefe have been removed from Turkish websites as a result.

Ljutviovski also said that a case had been launched in Greece to ask websites to remove articles about Ayavefe, but after checking with judicial authorities in Greece, BIRN could not verify this.

Ljutviovski further claimed that Ayavefe won a case in Greece to have arrests removed from his criminal record.

He said that all this proved that Ayavefe “has nothing to do with these accusations” and that he was being accused “without any proof” of being connected to the DDoS attacks on BIRN’s Balkan Insight website and Solomon’s site after the publication of the investigation.

He called on BIRN to take down the articles in line with the Turkish court rulings although one of the judgments clearly stated that domestic courts cannot remove content of “foreign origin”.

“Please help us in this situation and let’s fix this without prolonging… We are open to suggestions from your side,” Ljutviovski wrote.

He appeared to offer BIRN financial incentives in return for compliance: “My client Dr. Yasam Ayavefe has advertising company, if you help us in this case we can provide advertising service to your organisation, so you can grow to bigger organisation. We would love to cooperate with you,” he wrote.

BIRN declined Ljutviovski’s offer and rejected his repeated demands to remove the articles about Ayavefe.

Ljutviovski sent a series of requests to BIRN, initially from an email address under his own name but then from an email address under the name Igor Stefanov.

BIRN and its Greek partner media outlet Solomon’s websites came under DDoS attack by hackers in 2022 following the publication of the investigation into Ayavefe and how he acquired honorary Greek citizenship.

Solomon said on Twitter at the time that honorary citizenship is “a state honour long reserved for those who have significantly promoted Greek culture”, but has been “turned into a golden visa scheme for those with deep pockets”.

The investigative outlet Inside Story first broke the honorary citizenship story in July 2022, triggering a fierce debate over Ayavefe’s suitability for such an honour. Inside Story also came under DDoS attack after publishing its report on Ayavefe.

Chatty Machines: Can AI Language Models Pass the Turing Test?

As artificial intelligence, AI, continues its rapid advancement, language models are becoming increasingly sophisticated, capable of producing text that closely resembles human conversation.

Take the impressive GPT-3.5 architecture, which features models like ChatGPT, developed by OpenAI in San Francisco. However, as these models become more human-like, questions arise about their ability to pass the famed Turing test, proposed by the visionary mathematician Alan Turing, often hailed as the father of modern computer science.

Let us delve into the concept of applying the Turing test to Language Learning Models, LLMs, and explore the potential implications of this endeavor.

The Turing test, conceived in 1950, initially known as the “Imitation Game” serves as the gold standard for estimating a machine’s capacity for intelligent behaviour. In this evaluation, a human judge engages in a natural language conversation with both a machine and another human. If the judge is unable to reliably differentiate between the machine and the human, the machine is deemed to have passed the test.  The emergence of language models like GPT-3.5 has sparked discussions about their potential to pass the Turing test.


Photo: Pexels

On a hot summer day, in the Centre for the Promotion of Science in Belgrade, we applied the Turing test. Guided by Danica Despotovic, a data scientist, and an expert from the Serbian AI Society (SAIS), our experiment involved 14 participants who were tasked to determine whether the answers to specific questions were provided by a human or a machine.

Evaluating LLMs using the Turing test requires careful preparation. Models like ChatGPT are trained on vast amounts of (our) internet data labeled by workers in low-income countries to generate text that mimics human conversation, but they supposedly lack genuine understanding and consciousness. Instead, they rely on patterns and statistical associations. Assessing their performance on the Turing test demands a comprehensive examination of their contextual comprehension, empathetic capabilities, and proficiency in engaging in nuanced, natural conversations. We must evaluate not only the quality of their responses but also their capacity to exhibit authentic human-like understanding.

To put ChatGPT to the test, Danica, our SAIS expert, provided the guidance to participants with selected prompts designed to challenge its capabilities.  The following limitations that surround ChatGPT were considered:

  1. Time-sensitive information: ChatGPT’s knowledge is limited to data available up until September 2021. Therefore, questions concerning events or developments after that time are beyond its reach. For instance, it cannot answer questions about the winner of the 2022 Wimbledon tournament.
  2. Personal and subjective experiences: ChatGPT lacks personal experiences and emotions. It struggles to respond convincingly to questions asking for subjective opinions or personal perspectives. Questions like “How are you?” or “How does vanilla taste” or profound philosophical inquiries about the meaning of life or the nature of consciousness are challenging for ChatGPT.
  3. Highly specialized or technical knowledge: While ChatGPT is well-versed in a wide range of topics, there are specialized domains where its knowledge may be limited. Complex scientific, medical, or technical questions might require expertise beyond its capacity.
  4. Predictions and speculative questions: While ChatGPT can offer plausible outcomes based on available information, questions regarding future transportation dominance, the impact of AI on the job market, interstellar travel possibilities, and the outcome of conflicts and political disputes receive generalized responses. In all honesty, neither can humans provide better answers, but still…
  5. Time-related questions: Queries about future weather forecasts (What will the weather be like next week?) or the specific timing of job application responses are beyond ChatGPT’s abilities..
  6. Context: asking ChatGPT a question that requires it to be aware it is a part of the “imitation game” might lead to the chatbot to “hallucinate” in order to provide some answer.


Photo: Pexels

Armed with these and similar questions, the 14 human participants prepared for a tough battle. Amazingly, humanity emerged victorious –at least in that moment! In over 70 per cent of cases, our observing team members successfully distinguished between human and machine answers. Maybe it was a stroke of luck, but we had indeed equipped ourselves with every possible strategy to outsmart ChatGPT.

Now, let’s imagine a different scenario. What if we had asked less biased questions? Perhaps, in that case, ChatGPT would have passed the Turing test with flying colours. The implications of such an achievement are profound. It would blur the line between human and machine interactions, impacting fields such as customer service, journalism, and even interpersonal relationships. It will give rise to trust issues and ethical dilemmas, necessitating careful regulation and ethical considerations. Moreover, the widespread use of advanced language models will lead to the dissemination of misinformation and deepen societal divisions if not handled responsibly.

The application of the Turing test to language models opens up captivating discussions about the boundaries of machine intelligence and its potential impact on society. However, it is crucial to view the test as one evaluation metric among many, and a passing score should not be seen as an absolute measure of machine (non)intelligence.

As we navigate this technological frontier, we must approach the evaluation of LLMs with care, recognizing the complexities involved and placing ethical considerations at the forefront. By working toward responsible and ethical AI deployment, we can ensure that these powerful tools are developed and employed in ways that truly benefit society as a whole.

Branka Andjelkovic is co-founder and Programme Director of the Public Policy Research Center, a Belgrade-based think tank.

The opinions expressed are those of the author and do not necessarily reflect the views of BIRN.

‘Like Swiss Cheese’: North Macedonia’s Institutions Face Uphill Battle Plugging Online Defences

From targeted DDoS attacks blocking access to key sites and data to the hijacking of entire websites and suspected theft of sensitive data, North Macedonia has experienced it all in the past few years.

The government and the Interior Ministry say they are hard at work strengthening defence mechanisms against such malevolent online players. The US and EU have jumped in to help as well, providing both technical and training assistance.

And, in late June, Interior Minister Oliver Spasovski said they had raised the salaries of employees in the ministry’s department of telecommunications and informatics and in the digital forensics section by 30 per cent.

“These people are really needed,” the minister said, admitting that the country as a whole must invest much more in boosting cyber security.

But while at central level the Interior, Defence and Information Society Ministries seem busy boosting security teams and shaping more capable teams of experts ready to offer competent response to threats, the more than 1,000 state or local government-run institutions, public enterprises and agencies, who are often the targets of such attacks, remain wide open.

“There, the situation is dire and harder to fix. For a long time, the issue of cyber security has been neglected in these institutions so their online presence and especially the issue of safeguarding it, have been an afterthought for the many heads and directors who often did not, and do not, understand the matter,” said Dejan Sokoloski, an IT expert and author of the IT.mk website.

As BIRN found out, some of these institutions lack any specialized IT security personnel and rely on just a few staffers to maintain their sites. Some have offloaded this work to private companies that often do not satisfy their needs.

“These institutions are often the first line of defence when it comes to preventing or intercepting cyber-attacks. If they had a secure and competently maintained web presences, we could say half of the job is done. But they don’t, so they are the weakest link – a ‘Swiss cheese’ of vulnerabilities and holes that need to be plugged,” Sokoloski added.


Photo by EPA/RITCHIE B. TONGO

Late realization of the threats

The Public Transportation Utility, JSP Skopje, is a public utility company under the City of Skopje that operates commuter bus services in the capital.

Among others, it provides online services to their commuters like buying tickets, and a GPS system tracks all the buses and informs users when the next bus will arrive at their station.

With just one successful attack, the transport system in the capital of more than half-a-million people could suffer greatly. However, the company told BIRN that while it has experts to maintain the system, it lacks specialized cyber security experts.

“We are constantly striving to upgrade our cyber security and the quality of our online services … and we hope that in the next city budget [for 2024] there will be funds to hire dedicated experts in IT security. So far, we’ve relied on help and instructions from the central authorities,” JSP told BIRN in a written response.

The National Information Agency, MIA, is in a similarly vulnerable position. This agency, which receives central government funds and was formed by a decision of parliament, was targeted by a DDoS attack in 2020 during the last parliamentary elections. Together with the Central Electoral Commission, its website was not functional for almost two days after voting day.

The agency still relies on a skeleton team of two general IT experts employed simply to maintain the website.


Photo by EPA-EFE/SASCHA STEINBACH

USB stick is all you need

Vladimir Stajovic, a cyber security expert who has been engaged in a private IT company from North Macedonia that offers its services to public enterprises and agencies, says such a qualified workforce that would answer needs does not exist yet in North Macedonia.

“The general population thinks all IT experts are the same and that they know everything, when in reality security experts are highly focused and skilled on this area alone – and are hard to find,” he said.

“We have many people employed in the IT sector, and that is our advantage if we want to invest in specializing some of them for security, but when it comes to existing security experts, they are mostly working abroad because the salaries there are much higher,” he explained.

Stajovic said a common misconception among clients is that they can quickly fix breaches and vulnerabilities after an attack has already happened.

“We’re not plumbers. We cannot fix a leaking faucet in five minutes in an apartment that has been neglected for decades and where the entire plumbing is rusty.

“The solution is much more regular maintainance of the entire system and updating and migrating the vulnerable files onto more secure and up-to-date platforms and servers. That needs a lot of programming, work, money and testing, and even then, nothing is 100-per-cent secure when it comes to cyber space,” he noted.

Stajovic says that, from his experience, many institutions in North Macedonia are so vulnerable that even a group of high school students could breach defences and wreak havoc in important organisations that employ hundreds of people.

Stressing the need to keep a constant guard and keep up with the latest threats, he mentioned the recent appearance of a USB stick available online for just over $100 US.

It sounds like something straight out of a spy movie.

“All it takes is for someone to physically enter an institution and put this stick in any USB port on any PC. The system falsely recognizes it as a normal peripheral, like a mouse or a keyboard, and then its malicious software, that may be programed for various activities like gathering data, deleting files or doing something else, starts working and can spread undetected,” he said.


North Macedonia’s Digital Society Ministry presented this year a plan for better and safer digitization of the administration. Photo by Information Society Ministry of North Macedonia

Not a hypothetical threat

North Macedonia is no stranger to cyber attacks.

To name just a few, in July 2020 a DDoS attack rendered the site of the State Electoral Commission useless for several days.

The attack delayed the announcement of the official results of tightly contested parliamentary elections, so the Commission had to improvise by releasing partial results through YouTube clips instead.

To make matters worse, the country’s most popular news aggregator, TIME.mk, experienced a similar attack at the same time.

Later that month hackers took down the sites of the Health and Education ministries.

In September 2021, a population headcount was marred by a slew of technical problems that forced many of the census takers to sit idle for days. Initially, authorities suspected a cyber attack but later said they had been misinterpreted. However, this only revealed the many weaknesses of all-too important systems.

In August 2022, the government’s site for public services, uslugi.gov.mk, was downed for almost two days.

Earlier, in February 2022, the Education Ministry reported another attack – but insisted that a video published on Twitter by a notorious group calling itself “Powerful Greek Army”, purportedly recorded by the ministry’s security cameras, was a fake.


Skopje. Photo by EPA-EFE/GEORGI LICOVSKI

Solutions must come ‘step by step’

North Macedonia has a total of almost 1,300 public institutions, data from the Information Society Ministry show. Most are in the area of education, healthcare, state administration, communal enterprises and culture.

Slightly more than half of these institutions are at a local municipal level while the rest come under the central authorities.

By time of publication, BIRN was not able to determine how many of them have permanently employed dedicated IT security stuff, or how many rely on private companies to do the work for them.

“We are at the forefront, so to speak, in this effort to boost cyber security across all of our state apparatus. We are aware of the acuteness of the problem but the solutions will come step by step,” said the Information Society Ministry.

It added that along with other government ministries they have already formed so-called quick response teams of IT security experts and that such teams are especially present within the Interior and Defence Ministries.

“Our particular part of the job is to also provide training and help to the many institutions you mentioned and that is underway,” the ministry informed.

“Trainings and communication for them are available, we are working on standardizing the platforms they are using in the online sphere.”

The Ministry also sees potential to speed up the process as many people employed in the country’s IT sector, if motivated correctly, could be trained in security.

So far, though, there is no projection about how much it would cost to train these new experts and motivate them to stay in the country for a better salary, or how long that could take.

Turkey Bans Adverts on Twitter in Row Over Company Representative

Turkey’s Information and Communication Technologies Authority, BTK, on Friday banned Turkish citizens and companies from placings advertisements on Twitter after the social media giant failed to obey a new digital law and appoint an official representative.

“It has been decided to prohibit the placing of new advertisements by natural and legal persons on X Corp. (Twitter) formerly known as Twitter, Inc, which failed to fulfil its obligation to designate … representatives,” the BTK wrote in its decision published in the Official Gazette.

Turkey’s new digital law, adopted in 2022, was widely condemned by rights groups, experts and the opposition, which said it would increase government control and censorship on social media platforms.

Any persons or companies who place advertisements on Twitter will now be fined.

The new law requires social media companies to appoint official representatives in Turkey who will be responsible for handling government demands and notifications, such as for content removal.

If Twitter continues to fail to appoint a representative in Turkey, the next step will be halving the bandwidth for Twitter, according to the law.

President Recep Tayyip Erdogan’s government has passed a number of draconian laws and regulations concerning social media, digital rights and internet freedoms in recent years.

Opening the Black Box of Govt Data Protection Practices in Serbia

Every now and then, I check a tweet posted in June 2020 just to see if it’s still online. It is. Featuring a 15-second video, its caption in Srebian reads: ‘Accident in front of the government of Serbia’.In the clip, a speeding passenger car crashes into a minivan, causing, it later emerged, multiple fatalities.

We should be used to attention-grabbing content on social media by now, and even aware that an economy built around advanced technologies “treats human attention as a scarce commodity, as a United Nations-commissioned report says, ever seeking to maximise engagement. There are some means we can use to avoid particularly disturbing items online, but all we really have is good old self-restraint.

Controlling one’s own online behaviour – clicks, likes, and alike – is also one small step on a long and tedious road to protecting our privacy and personal data that we now know is what feeds multi-billion-dollar global businesses whose services we use ‘for free’.

But mindfulness shouldn’t be our best recourse when we use public services, surely?

Government institutions, agencies and authorities should run privacy-by-design operations, as they handle vast amounts of citizens’ data on a daily basis, providing no opt-out choice. We are obliged to lay out our personal data to them, and they are obliged to keep it safe, online or off.

Since August 2019, these operations in Serbia are required to comply with provisions of a new personal data protection law [passed nine months earlier, with a grace period for compliance], largely copy pasted from the appropriate piece of legislation in EU law on data protection, called the General Data Protection Regulation, GDPR. This EU regulation has set groundbreaking standards of data protection globally, its provisions applying to technical and organisational procedures, defining virtually all the ‘whys’ and ‘hows’ in handling citizens’ data, whether stored on a cloud system or in a paper file.

If the similar provisions from the Serbian 2018 law were applied, we would probably never see the tweet posted in June 2020.

Lack of transparency

Presdient of the Federal Office for the Protection of the Constitution, Hans-Georg Maassen, speaks at the Hasso-Plattner-Institute in Potsdam, Germany, 19 May 2014. Photo: EPA/RALF HIRSCHBERGER

The disturbing video of a car crash in front of a key government institution wasn’t taken on the street by an accidental witness. It is clearly marked as the video feed from a traffic surveillance camera. There are visible tags in the top corners of the feed, a date and time stamp in one and the camera’s number and location in other. But it wasn’t a leak either, at least not in the strict sense of a piece of original data leaking out of the system. Someone with physical access to the traffic monitoring room took their smartphone and recorded the broadcast from the computer screen. There’s another visible tag in the left upper corner, this one showing the name of the specific application, with the word ‘server’ in parentheses.

In Serbia, personal data governance often seems like an algorithmic ‘black box’ – a complex system whose inputs and inner workings are not visible or sometimes even comprehensible.

The internal processes are plagued with lack of transparency, while public access to information is thwarted. We manage to learn of the government’s data protection practices mostly by accident. Luckily, there are plenty. From the reckless disregard for legal obligations that exposed the personal data of almost the entire adult population of Serbia in 2014, to the intentional evading of protections laid out in the Constitution to access user communication data of four major telecommunication service providers.

To be fair, these things happened before the new data protection law replaced the old one, known among specialists as the legislation that had practically never been applied.

Times have changed, and expectations as well. Reading about fines issued by national privacy regulators and data protection officers, to both private and public organizations, somewhat shifted our perception. Knowing that we now have the same legal standards as those used to severely penalise an EU-member tax authority after it was hacked, for its deficient security practices, is bound to change procedures in Serbian public institutions too. Or is it?

Serbia does have “a relatively developed legal framework of personal data protection”, said Ana Toskic Cvetinovic, executive director of the Partners Serbia organisation, and an experienced privacy protection expert.

Besides specialising in the field, teaching at the National Academy of Public Administration, and producing a body of analysis and policy recommendations, Toskic Cvetinovic also took part in the working group that prepared a new government strategy for personal data protection. The public hearing on this key strategic document was recently concluded, “and it remains to be seen whether it will contribute to improving the situation,” Toskic Cvetinovic told BIRN.

“The main problem is that the 2018 law assumed some legal solutions from EU legislation – such as the GDPR and the so-called Police directive – that are not applicable in the Serbian legal framework.”

“In addition, although both the Law and the Action plan for Chapter 23 [Judiciary and Fundamental Rights] of the EU accession negotiations stipulate that all sectoral laws should be harmonised with the data protection law; this work has not even started yet. All this complicates applying the regulations, in both public and private sectors, and also leads to legal uncertainty for citizens.”

Who will have access?


Photo: Pixabay

Personal data protection is increasingly a topic of discussion in Serbia, at least in part thanks to the 2018 law, which has certainly improved the domestic normative framework, imposing new obligations on data controllers and processors, and introducing new rights for citizens whose data is processed. But these novelties have not fully taken root in practice, Toskic Cvetinovic said.

“There’s more awareness, in both private and public sectors, of their legal obligations,” she said. “Unfortunately, there are also those who knowingly violate the rules, deciding that the abuse of citizens’ data is more profitable than complying.”

Toskic Cvetinovic underlines that the sanctions provided under Serbian law “are lenient, and the criminal-legal protection is ineffective, thus sending a message to data controllers that non-compliance would not actually entail any serious consequences.”

In particularly, she points to the large systems of state administration that process massive volumes of personal data, while they have honest difficulties in applying protection measures. At the same time, politicians and decision-makers in the public sector keep pushing for rapid digitalisation of public services. Without adequate technical infrastructure and human capacities, this can only increase the risk to citizens’ rights, said Toskic Cvetinovic.

Global dilemmas and debates around increasingly intrusive technologies that expose human rights and civil liberties to grave risks, especially when using these technologies in critical areas such as policing, border control, judiciary, or healthcare, indicate the urgent need for additional regulation. And most definitely for stricter oversight.

But as I was pondering the introductory passage to this article, the latest clip from a traffic surveillance camera in Belgrade showing a car crash was launched into social media circulation. Again, the video feed was recorded with a smartphone from a screen in the traffic monitoring room.

A new round of consultation on the improved version of a draft law on police has been launched, after two failed attempts to legalise a smart video-surveillance system in public spaces. It would be the kind that is capable of automatically detecting and recognising faces, identifying people by their body postures, and tracking and recording their movement in real time. Certainly, far beyond the capabilities of a plain old traffic camera. Who will have access to such systems with their smartphone?

Journalists in Serbia Feel Undefended From Online Attacks, BIRN Report

Online threats against journalists are more intense and common than physical ones, but most newsrooms have not set up safety protocols to help them respond to these attacks, while laws do not provide efficient protection, BIRN and IJAS’s new report reveals.

Working in an environment that is becoming primarily digital has left journalists and media more exposed to online to attacks, insults and threats, but many newsrooms have not established mechanisms to deal with such cases and legislation does not provide adequate protection either.

These are some of the findings from the latest report, “Journalists’ Safety in the Digital Environment”, which BIRN Serbia and the Independent Journalists’ Association of Serbia, IJAS, published on July 18.

Online attacks and threats impact journalists’ mental health and private lives and affect relations in the newsrooms and commitment to professional standards. Online abuse is typically “normalised” and
considered as part of the job.

“The most striking finding is that hate speech, threats, insults, intimidation, pressure and other forms of digital violence against journalists are so widespread in Serbia that journalists believe that it has become a daily ‘normal’ environment in which they work and that it is the price they pay for their work.

“When faced with digital threats and insults, they generally do not report them because they know that, at the institutional level of protection, things are rarely undertaken and resolved,” says Aleksandra Krstic, associate professor at the Faculty of Political Sciences of the University of Belgrade, one of the report’s authors.

Endangerment of journalists’ safety may lead to self-censorship and journalists may even abandon stories of public interest. which then lowers the quality of information the public receives and puts at risk media independence and freedom of speech, the report notes.

The report says many journalists rarely report insults and threats, warning that “the lack of trust that journalists have in the institutional protection system, the competent prosecutor’s office or the courts, is alarming”.

Marija Babic, lawyer at IJAS and another author of the report, says it is necessary to harmonise laws with developments in the digital space in order to prosecute attacks.

“Competent authorities should process attacks and threats to journalists as quickly as possible. It is also very important that such attacks are condemned by high-ranking state officials, who should stop pressuring and targeting journalists and the media as this is only making them [journalists and media] targets of very serious attacks,” says Babic.

The report also notes the lack of professional solidarity with attacked journalists and the fact that journalists and editors mainly turn to the public – which is the only thing they still trust – hoping that publicising attacks and threats will save them from potential attackers.

“All these findings should be read in a general, social context that is not conducive to the development of free and independent media. Threats and pressures, intense public campaigns led by representatives of the highest state authorities, a culture of impunity and weak institutions lead to a situation where journalists and the media are legitimate ‘targets’.

“Apart from the need to strengthen the capacities of the newsrooms themselves, we should insist on more effective protection mechanisms through amendments to the laws and a stronger response from institutions,” says Tanja Maksic, program manager and researcher at BIRN and one of the authors of the report.

The full report in Serbian and English is available on BIRN Serbia’s website.

BIRD Community

Are you a professional journalist or a media worker looking for an easily searchable and comprehensive database and interested in safely (re)connecting with more than thousands of colleagues from Southeastern and Central Europe?

We created BIRD Community, a place where you can have it all!

Join Now