Month: December 2024

The use of court orders to block online content in Turkey skyrocketed last year, according to Free Web Turkey, which was established by the Media and Law Studies Association, MLSA, to monitor online censorship in Turkey. [The author of this article is coordinator of Free Web Turkey.] The courts tend to cite violations of an individual’s rights, threats to national security and public order, or disinformation.

Soykan has become a regular target.

“If he hadn’t made it his mission to expose the dirty dealings of the government and power centres, he wouldn’t have faced any of these blocks,” said Turkish media ombudsman Faruk Bildirici.

“Soykan is making some people uncomfortable,” he told BIRN, and the courts “have become a weapon of political power to obtain access bans.”

Bildirici said courts appear to issue blanket bans without checking what they are banning.

“We sometimes see that dozens of access block requests are accepted in such a short time that it would be impossible to verify all the links.”

Court bribery exposed

A graduate in Radio, Television and Cinema from the Faculty of Communication, Marmara University, 49-year-old Soykan worked for the newspapers Yeni Yuzyil, Radikal and Posta and is currently a columnist for BirGun daily and a commentator on Halk TV.

For years he has focussed his attention on bribery, corruption and organised crime and their ties to the state, earning the 2021 Transparency Award from the International Transparency Association and the 2022 Press Freedom Award from the Turkish Press Council.

In 2020, his reporting exposed ties between a number of judiciary officials and international crime bosses; in 2022, he wrote about the case of a 14-year-old girl forced into marriage when she was just six years old with a 29-year-old member of a religious sect. His report led to the prosecution of three people, who were sentenced to a total of 72 years in prison in December 2023.

Then in October 2023, Soykan reported that judges and prosecutors at Istanbul’s Anatolian Courthouse had taken bribes; one of them, Judge Sidar Demiroglu, was later dismissed.

Soykan’s achievements, however, have not come without a cost, from death threats to lawsuits.

For his report on the six-year-old girl forced into marriage, Soykan was threatened by people affiliated with the sect. Its supporters launched a campaign calling for his arrest.

In September this year, while attending a hearing in the trial for the murder of Sinan Ates, leader of the ultra-nationalist Grey Wolves, the accused hitman, Eray Ozyagci, threatened Soykan in court, according to witnesses.

The Grey Wolves are affiliated with the far-right Nationalist Movement Party, MHP, a coalition partner of Turkey’s ruling Justice and Development Party, AKP. There was a flurry of speculation at the time of the Ates murder in December 2022 that he may have been killed by his own people after falling out with the MHP.

Addressing parliament on October 1, MHP leader Devlet Bahceli said in reference to Soykan and three other journalists: “Watch your step! We will not allow MHP to be interrogated by four clown reporters.”

Years of media repression

Despite the death threats and hostility, Soykan says what worries him most is the censorship, on top of years of intense media repression under Turkish President Recep Tayyip Erdogan.

Soykan’s story about bribery at the Anatolian Courthouse was blocked by court order just a few hours after it was published, at the request of Istanbul Justice Commission President Bekir Altun, one of those accused of taking bribes for favourable verdicts.

By extension, 77 reports by other outlets and which cited Soykan were also blocked.

Soykan said the court acted “on political orders”.

The judge who blocked Soykan’s reports, Demiroglu, was later dismissed for taking bribes in exchange for issuing such blocks.

Soykan said the authorities were trying to “destroy evidence-based news in a manner that completely disregards the law”.

Readers, however, still search out his work.

“They remove the reports from all platforms and many people reach out to us saying they can’t find our reports,” he said. “We then send the reports via WhatsApp or email, and that’s how they read them.”

Describing criminal court judges as “censorship officers,” Soykan said: “We are living through one of the darkest periods in Turkish press history. Censorship has now become institutionalised.”

In early 2020, headlines in Serbia lauded the creation of Serbia’s first database of mining waste, a 2.1 million-euro project 90 per cent funded by the European Union. The country’s mining and energy ministry said Serbia at last had “a clear picture of mining waste” as the first step to dealing with it and protecting the environment.

More than four years later, that picture does not look so clear.

Until recently, the online application presenting the Cadastre of Mining Waste to the public and published on the website of the Ministry of Mining and Energy contained only limited data on 41 abandoned mining waste dumps and nothing on active mining sites. The project was supposed to bring together data from hundreds of locations across the country.

A BIRN investigation found that more detailed data on far more dumps was available on the publicly accessible server of the ministry’s website in machine-readable format. This data showed that among the abandoned dumps are sites containing hazardous waste, some in areas currently at risk from landslides.

It is unclear whether this data was up to date and valid or if it was collected as part of the Cadastre project.

In December 2022, Serbia’s State Audit Institution put it bluntly: “The mining waste management system in Serbia is not effective,” it said in a report, adding that “a unified database on mining waste has not been established”.

Dragana Nisic, a professor at the Department of Occupational Safety and Environmental Protection at the Faculty of Mining in Belgrade, said the Cadastre of Mining Waste should be expanded, primarily to include active mining waste dumps, and brought into line with the regulation on waste management permits.

“Each dump should include data on the nature of the waste, the quantity of waste deposited, the ore from which the waste is generated, the risk of accidents, etc.,” Nisic told BIRN. In the interests of better public awareness, all data should be “fully transparent”, she said.

“In its current form, the Cadastre does not meet these needs.”

The German companies Plejades and DMT, which won the tender to create the cadastre, did not respond to requests for comment for this story. Neither did the ministry or the EU Delegation. After BIRN wrote to the ministry, all the data disappeared, both from the online application and from the server of the ministry website.

Data confusion

Mining waste has become a hot topic in Serbia since protests erupted in 2021-2022 over plans by mining giant Rio Tinto to mine for lithium in the country’s western Jadar valley.

In 2016, Plejades and DMT won the tender to create the Cadastre of Mining Waste, a project launched the following year when the Serbian government announced the risk assessment, characterisation and classification of mining waste at between 200 and 250 abandoned mining dumps and more than 200 active mines.

According to the EU’s website in Serbia, experts visited 250 abandoned mining waste sites and identified 150 dumps containing a total of some 24 million cubic metres of waste.

Forty-one dumps accounted for roughly 80 per cent of the total mapped waste; these were subjected to closer examination, with soil sampling, chemical analysis, testing of ground and surface water and stability assessments.

The EU said in a press release that the data obtained would be presented in the form of a web application and a book containing both the locations of active mines and locations of abandoned mining waste.

In late 2019, Peter Bayer, the project leader from Plejades, said that the results at that point showed that in most cases the dumps had had a negative impact on ground and surface water.

In 2024, however, the online application of the Cadastre of Mining Waste still contained only a fraction of the data that was collected – basic details about 41 abandoned dumps.

BIRN submitted a Freedom of Information request asking the ministry for all available data from the Cadastre. The ministry provided the same data that were until recently available on the site.

However, more comprehensive and detailed sets of data on waste dumps were present on the publicly accessible server of the ministry website.

This data included whether the site contains hazardous or non-hazardous waste, the amount of waste material, whether there is a landslide risk, and whether the dump has been reclaimed, i.e. brought to a state that allows for another use.

Additionally, unlike the web application, these data sets include information on active dumps.

When asked by BIRN how the data was obtained, whether it is valid and why it not available to users of the Cadastre app, the mining and energy ministry said it was unable to provide such information and that the link to the data set on their server supplied by BIRN was not on its website.

An analysis of the data from the server of ministry website shows some locations are marked as hazardous waste dumps

In terms of volume, the largest quantities of hazardous mining waste are located in the municipalities of Raska, Aleksinac, and Brus.

Several dump locations near Krupanj, Cajetina, Prijepolje, Raska, Boljevac and Majdanpek are noted as being at risk of landslides.

State Auditors: Data ‘incomplete’, often ‘incorrect’

The Law on Mining and Geological Research, passed in 2015, stipulates that the Ministry should maintain a cadastre of mining waste dumps and mining waste must be managed based on a permit; the regulation on issuing such permits was passed in 2017 and has been in force since January 1, 2020, with all legal entities required to align their operations with the law within two years of its implementation.

At the end of 2022, however, the State Audit Institution said that mining waste in Serbia continued to be disposed of without valid permits and that no unified database had been established.

“There is no electronic or other database on the total amounts of mining waste and mineral resources, nor on the amounts by types and categories,” the State Audit said in its Performance Audit Report: Hazardous Waste Management.

Instead, companies engaged in mining in Serbia submit data on mining waste to the ministry as part of their Annual Business Reports in paper form, which the ministry then scans. The auditors said this data is “incomplete” and that the ministry does not verify the reported quantities of waste.

“The data in the reports of the exploitation holders are incomplete, often with incorrect unit measures and numerical data,” the report states. “The reported quantities based on the given forms are not controlled, and there is no tracking and control of the quantities of excavated and deposited materials of all exploitation products.”

“Of the 674 approved exploitation fields, data on the generated quantities of mining waste were provided to the competent authorities from 193 exploitation fields, which creates a risk that data on the total quantity of mining waste are not comprehensive.”

In the report document, the auditors cite legal provisions requiring the ministry to maintain a Cadastre of Mining Waste Fields and that, “according to the statement of the responsible person at the Ministry, the mining waste fields cadastre is available at https://gis.mre.gov.rs/jkro/.”

However, at the time of publication of this text, the web address displays only a server error message.

No waste management permits in effect

At the time the State Audit Institution published its report, only one operator was managing and disposing mining waste based on a permit issued by the ministry – Serbia Zijin Mining d.o.o. for its Cukari Peki gold and copper mine near Bor.

The Zijin permit was issued in 2021 but, when the company asked to update the permit in 2023, the ministry refused, saying Zijin had failed to submit the necessary documentation.

The ministry told BIRN that, “currently, there are no valid permits for the disposal of mining waste”.

Nisic, from the Faculty of Mining, said that, to her knowledge, most operators had requested permits.

“Some have been waiting for more than two years for a response from the ministry,” Nisic told BIRN.

According to the audit report, at least 20 operators are “disposing of and managing potentially hazardous mining waste without a permit for managing mining waste”.

“Certain types of waste may contain hazardous substances,” the report adds, and “excess excavated rock mass or tailings can be stored in heaps and reservoirs surrounded by dams, which, in the event of collapse, could have significant environmental, health, and economic consequences”.

The ministry told BIRN that operators dispose of mining waste “in accordance with the approved technical documentation issued in accordance with the provisions of the Law on Mining and Geological Exploration”.

When BIRN asked again, based on the Freedom of Information Act, what is the purpose of the permits if operators can manage waste without them, the ministry said BIRN was asking for an “opinion” rather than for information of public importance and said a response would require BIRN to pay a 2,010 dinar administrative fee. BIRN paid but the ministry had yet to answer by the time of publication.

Overall data per company: https://public.flourish.studio/visualisation/19747014/

Quantities of overburden per company: https://public.flourish.studio/visualisation/19746960/

Quantities of gangue per company: https://public.flourish.studio/visualisation/19747001/

Nisic stressed that the absence of permits does not mean mining waste is being handled irresponsibly.

“From my professional experience, I can assert that mining waste in Serbia is managed responsibly, as evidenced by the fact that Serbia is one of the countries with the lowest rate of incidents at mining waste disposal sites in Europe and beyond,” she said.

“Before the country adopted a regulation requiring permits, there was no practice or legal obligation to obtain a permit for managing mining waste,” Nisic told BIRN. At the time, the disposal of mining waste was carried out regularly, in a fully planned manner, in accordance with legal regulations; it’s just that the formal document called a ‘permit’ did not exist.”

“Those authoritarian regimes want to make these foreign agent laws to control media,” Mogens Blicher Bjerregard, a veteran Danish journalist and chair of the executive board of the ECPMF, told BIRN in Brussels.

According to human rights group Human Rights Watch, ‘foreign agent’ laws have become a preferred instrument for authoritarians to strengthen their hold on power. They are used to discredit critical voices by “equating them with promoting the interests of a foreign power”.

Democratic backsliding

Billionaire Bidzina Ivanishvili, founder of the ruling Georgian Dream party addresses a pre-election rally in Tbilisi, 23 October 2024. Photo: EPA-EFE/DAVID MDZINARISHVILI

While the United States has had a Foreign Agents Registration Act since 1938, requiring people lobbying or advocating for foreign powers to register, the model being emulated by countries like Georgia was developed in Russia much more recently, and is specifically used to muzzle dissent.

First enacted in 2012, the Russian law essentially requires any person or organisation receiving any form of financial support from outside the country to be declared a ‘foreign agent’ – a designation that has highly toxic connotations, dating back to the Soviet era – and to be subjected to additional controls, checks and regulations.

This idea has appealed to other governments who have been accused of democratic backsliding and are seeking to evade scrutiny – like the regime in Georgia, a country that was once seen as a bright example of democratic progress among post-Soviet countries.

“The government’s decisions that have been made in the last years have pointed a U-turn in the foreign policy vector. After Russia’s full-scale invasion of Ukraine, our government’s intention to forge closer ties with Russia, China and other autocratic regimes has become crystal clear,” Lia Chakhunashvili, executive director of the Georgian Chapter of Journalistic Ethics, told BIRN at the Media Freedom Rapid Response Summit.

Georgia’s ‘transparency of foreign influence’ law came into force was passed in June despite the mass protests against it.

“I believe that the government saw the law as an opportunity to silence critical voices, from corruption watchdogs to service providers, from community radios to investigative media, once and for good,” Chakhunashvili said.

The EU, which had granted Georgia membership candidate status in December 2023, froze the accession process in reaction to the adopted of the legislation. But the Georgian government insists that transparency about foreign funding for NGOs and media is necessary, so the public knows who is financing and influencing who.

Chakhunashvili explained that the government is targeting all NGOs, including privately-owned media outlets, which receive over 20 per cent of their funding from foreign sources. Many have said they will refuse to register in protest – but those that do not face punitive fines that could cripple them.

“If they decide to implement the law as written, some NGOs will be forced to self-liquidate and others will have to declare themselves insolvent,” she said.

In a relatively poor country, many non-government-backed or independent media rely on foreign grants for survival. If they are forced out of business, Chakhunashvili predicted, “the population will be left without reliable information coming from independent and critical media.”

She also warned that if oligarch Bidzina Ivanishvili’s ruling Georgian Dream party wins this weekend’s election, “the law will be a highly potent instrument that will help the government diverging the country from its Euro-Atlantic perspective to the Kremlin’s orbit”.

Escalating pressure

Georgia is the most prominent case because of the mass protests against the ‘foreign influence’ law, which continued despite a police crackdown on demonstrators on the main street of the capital, attracting international media coverage. But strongman leaders in other countries have, less dramatically, pursued similar initiatives.

In December 2023, Hungary’s parliament passed a package of ‘sovereignty protection’ laws to curb foreign influence, which critics said could be used by Prime Minister Viktor Orban’s government to target dissenters.

Orban’s Fidesz party argued that the laws were necessary to stop opposition parties receiving foreign funding. They include the creation of a ‘sovereignty protection office’, a government authority that can gather information about people or organisations that receive money from outside Hungary.

The European Commission announced this month that it is taking Hungary to the EU’s Court of Justice, arguing that the ‘sovereignty protection’ laws breach some of the bloc’s fundamental rights and freedoms.

“The broad powers and discretion of the [sovereignty protection] office will affect a wide range of persons and entities, including civil society organisations, media outlets and journalists in a disproportionate manner,” it said.

In another EU member state, Bulgaria, pro-Russian right-wing party Revival has pushed for a ‘foreign agents’ law that would effectively sanction certain NGOs and media outlets that are funded from abroad, but without success so far. However, Revival’s rising popularity ahead of Bulgaria’s parliamentary elections on Sunday has increased concerns that the party might try again if it gains more representation in parliament.

A similar law was also proposed in Republika Srpska, the Serb-led entity in Bosnia and Herzegovina, sparking criticism that it would limit freedom of expression. The legislation was intended to restrict non-profit organisations from engaging in “political activities”, mandate their enrolment in a special registry and subject them to increased legal oversight. Under the law, the Republika Srpska government could declare them “agents of foreign influence”.

However, the law was then withdrawn in May, citing the need for further harmonisation with European standards, although this was not clearly explained.

Meanwhile, the EU has also been considering whether to adopt a ‘foreign agents directive’ to address political interference by countries like Russia intended to subvert democracy in Europe. Civil rights organisations were highly critical of the idea, arguing that it could curb freedom of speech and undermine the EU’s credibility as a champion of democratic values.

“Ironically, this directive it was made to control third-party influence, specifically Russian influence, but when you read the directive and some of the requirements, it is very similar to the law that was proposed in [Republika Srpska],” Ena Bavcic, lead researcher at BIRN’s Digital Rights Programme, said at the Media Freedom Rapid Response Summit.

A similar law was put on the parliamentary agenda for discussion in Turkey in May. The planned ‘agents of foreign influence’ law threatened prison sentences for people involved in producing propaganda for a foreign actor. This would represent a further blow to the freedom of the country’s embattled media, as well as to civil society in general, experts argue.

“It is clear that the pressure targeting media and civil society in Turkey has been escalating for over a decade. The survival of these sectors has been under severe threat for a long time,” Gurkan Ozturan, media freedom monitoring officer at the European Centre for Press and Media Freedom, told BIRN.

The law was withdrawn following criticism, but then submitted to parliament again on October 18. This time, however, the proposal is back on the parliamentary agenda as part of a different legislative package.

“The unofficially labelled ‘agents of foreign influence’ law is now being taken into a legislative framework to officially criminalise the works of independent journalists or CSOs [civil society organisations] whenever they reveal major wrongs in society or governance,” Ozturan said.

“It will restrict the independent media and civil society even further, which is a very risky move when we consider it in the context of the wider process of democratisation,” he added.

Mark Dempsey, senior EU advocacy officer at UK-based media freedom organisation Article 19, said that some European parliamentarians have indulged illiberal tendencies among member states. He gave the example of Hungary and how it was tolerated by the powerful centre-right European People’s Party, EPP bloc in the European parliament when democratic backsliding started under Orban’s government in Budapest.

“I think we have a weak leadership at the centre of Europe. We have a parliament leaning to the right and we have an EPP party which has a history, in order to secure its power base and its numbers in the parliament, of allowing this gradual backsliding,” Dempsey told BIRN.

But in the long run, the adoption of laws labelling NGOs and independent media ‘foreign agents’ can damage EU aspirant countries’ hopes of joining the European bloc – as the example of Georgia has highlighted.

Campaign groups in these countries should do more to highlight what this means for the future, Dempsey urged: “I think in accession countries, there has to be mobilising on the ground among civil society organisations about what a future in Europe means versus what a future outside of Europe means.”

This month, police in Bosnia arrested eight minors on suspicion of sending hoax bomb alerts to schools; one minor sent 49 alerts in just 11 days. Despite being treated as minors, depending on their age, they could face potential prison terms of six months to three years.

Their parents also face criminal charges, while the authorities have the right to seek compensation for financial costs caused by the fake alerts.

But despite the latest arrests, hoax bomb alerts sent to Sarajevo schools have continued. In recent weeks, police in the Bosnian capital have been occupied with checking dozens of schools that have received threatening emails. In every case, the threat proved false.

“The threatening messages that the minors sent were shocking and we will not publish them. They are suspected of the crimes of endangering security and false reporting,” Azra Bavcic, from the Prosecutor’s Office of Sarajevo Canton, told BIRN.

Some hoaxes have had a major impact. Earlier in October, the Armed Forces of Bosnia and Herzegovina tightened security measures at barracks and other sites after receiving an email about a potential terrorist attack. According to media reports, the sender’s address was traced back to Bulgaria. An investigation is undergoing.

Hoax bomb threats have also forced Bosnian and Serbian authorities to evacuate main airports at Sarajevo and Belgrade, causing disruption to passengers.

In one incident targeting Belgrade airport as well as several schools and the Education Ministry in the Serbian capital, police identified a 12-year-old as the culprit and instigated action against the child’s parents.

Security expert Sasa Zivanovic, former head of the department for combating high-tech crime at Serbia’s Interior Ministry, lives in Belgrade, where more than 2,000 reports of falsely planted bombs were sent in 2023. Over 1,200 were sent to schools’ email addresses.

He explained why investigations in these cases are different from traditional ones. “In these cases, international legal assistance is requested, to collect evidence. That data is not located in Bosnia and Herzegovina, or in another country of the region, but on different servers around the world,” Zivanovic points out.

International legal assistance is needed to obtain data on the email address from which the threat has arrived. On that basis, data can be requested from the domestic providers on the device from which it was sent.

Signed agreements with large technology companies would speed up investigations into hoax bomb threats, he argues.

“Some countries have bilateral contracts or agreements with large Internet service providers such as Meta, X, or Google, which the police approach directly with a prosecutor’s order. This avoids the sluggishness that often characterizes international legal assistance,” Zivanovic notes.

Most threats sent by minors

In Montenegro, as in Bosnia and Herzegovina, police have established that most false bombs reports are sent by minors.

From 2022 to October 8, 2024, 170 bomb hoax threats were registered in Montenegro, according to data BIRN obtained from the police. All of them arrived via email. Most were sent to primary and secondary schools, but some also to courts.

Since 2022, police in Montenegro have solved 63 cases of false bomb reports and filed charges against seven minors and one adult for false reporting and causing panic. In the same period, police filed two misdemeanor charges against one minor and one adult.

Police said the false threats are often sent using email platforms that make it difficult to identify the users.

“Technology has advanced, especially with the use of AI. This complicates the collection of evidence, so a longer period of time is needed to identify and prosecute the perpetrators of these crimes,” police told BIRN.

Solving such cases, police added, requires exhaustive analyses and checks, which often require the involvement of international partner services and foreign companies. That is why they need additional time to solve those cases.

As most false threats are sent by minors, Zivanovic believes the remedy must include a proactive approach and conversations with youngsters.

“Some of the children who do this are not even aware of how much damage they are causing,” he says: “Certainly, their awareness has not been developed to that extent, and that is why we should discuss the consequences of those actions with them.”

Youngsters wanting to brag

Police in Montenegro say their investigations have revealed various different motives for sending false bomb reports.

“From the cases solved so far, it can be concluded that these are mostly minors who do this to avoid tests at educational institutions, and often for fun,” they stated.

Copycatting accounts for some of the hoaxes, Zivanovic says. Some youngsters send threats because they want to stand out. “When a child connects to the internet, he has a dilemma about whether to be like everyone else or to be different, so he can boast,” he says.

“You also have the motive that, if someone needs to answer for some [court] case, he sends a threat to avoid it,” he adds.

Meanwhile, as cases continue to mount, police in Montenegro say that they plan to introduce an improved procedure for assessing reports. “On receipt of the report, the report itself – its contents and all its components – will be analysed, and then further action will be taken in terms of risk assessment,” the police explained.

Azem Kurtic contributed reporting to this feature from Sarajevo.

Information security expert Branko Dzakula also called for clarification of their roles.

“The CIRT should be focused on protecting only state infrastructure, while the Agency could have a broader role in protecting the wider cyberspace, including the private sector,” Dzakula told BIRN. “Such a division could increase efficiency, strengthen coordination between these institutions and avoid conflicts of jurisdiction or duplication of tasks.”

He also questioned whether the law could be implemented in practice.

“Montenegro’s cyber security index significantly lags behind the European Union average and there are traditional problems with financial, technical, and human resources,” Dzakula said. “It’s debatable whether the public and private sectors can adequately implement the new requirements in practice.”

Draft law ‘aligned’ with 2022 EU directive

The 2024 Global Cybersecurity Index, published by the UN’s International Telecommunication Union, ranks Montenegro’s information security level as ‘establishing’, the third tier of five.

That puts it on a par with the likes of Bulgaria, North Macedonia and Ukraine but behind the ‘advancing’ countries such as Croatia, Albania, Israel and Switzerland. Fellow ex-Yugoslav republics Serbia and Slovenia are in the highest tier – ‘role-modelling’ – alongside Britain, Germany, France and others.

Montenegro’s vulnerability was exposed in August 2022, when the government server was hit with ransomware, which locks and encrypts the victim’s data and critical files and demands payment to unlock and decrypt them.

The attack took offline a number of ministries, the Property Administration, the Revenue and Customs Administration and courts.

A hacker group called Cuba-Ransomware claimed responsibility but authorities have never officially identified the perpetrator. A report by experts from the US Federal Bureau of Investigation, FBI, was submitted to Montenegrin police in January 2023 but it has yet to be published.

Since 2012, when it was established, the CIRT has operated under the Directorate for the Protection of Secret Data, whose head is nominated by the defence minister, and is responsible for all cyber security incidents in Montenegrin cyberspace.

Under the draft law, the CIRT will come under the Ministry of Public Administration and protect only the state administration’s information system from cyber threats.

Dusan Polovic, head of the state Directorate for Infrastructure, Information Security, Digitalisation and e-Services, told BIRN that the draft law is aligned as much as possible with the EU’s NIS2 Directive, adopted in November 2022 to raise the overall level of cybersecurity in the bloc, which Montenegro is seeking to join.

Montenegro needs to adopt the law, he said, to meet the demands of Chapter 10 accession negotiations with the EU concerning Information Society and Media.

“The focus of this law is on transposing as much as possible the NIS2 EU Directive that defines this area, taking into account Montenegro’s obligations in the accession process,” Polovic said. “This law also falls under Chapter 10, which Montenegro aims to close as soon as possible.”

Risk of undue political influence

Montenegro’s 2022-26 National Cybersecurity Strategy calls for a Cybersecurity Agency as an umbrella body responsible for state cybersecurity, within which the CIRT would operate.

The draft law is not completely aligned with the Strategy, Polovic said, in that it calls for the CIRT to be placed under the Ministry of Public Administration and to operate separate from the Cybersecurity Agency. Polovic said this was “absolutely necessary”, “rational” and “efficient”.

According to the draft, the head of the Cybersecurity Agency will be appointed by the agency’s Council, which will have a president and four members appointed by the government.

The Ministry of Public Administration will propose the president of the Council, while the University of Montenegro, the Chamber of Commerce, the Montenegrin Academy of Sciences and Arts, and the Agency will each nominate one member for approval by the government.

Dzakula warned that the process risked stuffing the agency with political appointees, given that all four institutions are considered close to the authorities and are dependent on public coffers for their funding.

“Given the crucial role the agency will play in protecting state infrastructure and the broader cyberspace, it is imperative that its composition is based on expertise, experience, and impartiality, not on political criteria,” Dzakula said.

He called for a “transparent and rigorous selection process” to ensure the appointment of experts “with proven cybersecurity experience”.

“Politically motivated appointments could undermine the credibility and efficiency of the agency,” he added.

Last year, during a public debate on the draft, IT experts and organisations called for the agency’s Council to include at least one member from the cybersecurity expert community but the ministry rejected this.

Polovic insisted the Cybersecurity Agency would have a “professional and well-paid staff” free of political influence.

Concerns over supervisory powers

Dzakula also raised concerns about data privacy under the new law, which, he said, introduces broad powers for supervisors at the Cybersecurity Agency in assessing IT security at a given body, which is obliged to give them access to IT equipment and requested data. Some experts are concerned that the draft has not been aligned with the Personal Data Protection Law, which stipulates that personal data cannot be processed in a greater scope than necessary for any given purpose.

“It is crucial to balance strengthening cybersecurity and preserving privacy rights,” Dzakula said. “It is necessary to ensure that supervisory powers are clearly defined to avoid potential abuse or excessive oversight.”

The Agency for Personal Data Protection and Free Access to Information told BIRN that it had not received the draft law for review and that it had not been officially contacted by the Ministry of Public Administration.

Polovic said: “Implementing information security standards prescribed by the law and expert supervision are very important. The obligation of two-way cooperation between inspectors and supervisors is clearly defined.”

According to a Ministry of Finance estimate, implementing the new law will cost 2.62 million euros.

Dzakula questioned the outlay, “in a country like Montenegro”, where human and financial resources are limited.

Forming new bodies like CIRT “could lead to unnecessary resource wastage,” he said.

“It would be more rational for the Cybersecurity Agency to integrate a special department dedicated to protecting state institutions, thereby achieving better coordination and resource savings.”

The idea of ‘electronic government’, or e-government, is to eradicate queues, reduce paperwork and provide users with quicker, more convenient access to public services, from health to taxation and schooling.

In the Balkans, however, the roll-out has only been partial and faces a range of challenges, according to BIRN’s report, Open Data and Digitalisation in the Western Balkans: The State of Play,

“There remains a significant gap in their capacity to fully leverage digitalization across various dimensions, including skills development, system integration, cybersecurity, and user-centric solutions,” said an Albanian digital security expert.

Limited services

BIRN’s report highlights how Balkan countries are performing badly in e-government development; the online offering of public services remains limited.

In 2022, Serbia ranked 40th on the UN’s E-Government Development Index, ahead of Albania, Montenegro and North Macedonia in 63rd, 71st and 80th place respectively. Bosnia and Herzegovina came in at 96. Kosovo was not listed.

The governments of all six Western Balkan countries covered by the BIRN report have specialised e-government websites and all e-government portals analysed by BIRN are active and up to date; new services are created on a regular basis.

Serbia launched ‘eUprava’ in 2010. A decade later, the portal was updated with a new design and functionality adapted for mobile and tablet devices. The address remained the same – euprava.gov.rs.

Serbia offers 186 unique e-government services, enabling users to access documents, certificates and services concerning education, family, healthcare, employment and urban planning.

Montenegro’s e-government system claims to provide over 500 services under the jurisdiction of 50 public institutions, but 349 of these are instructions on how to use government services.

North Macedonia’s offers services from 170 public institutions, out of a total of roughly 1,300.

Bosnia and Herzegovina has three separate e-government portals – one for each entity and a third for the autonomous district of Brcko. But there is no information on how many services these offer.

The e-Albania portal offers 1,237 online services and boasts a total of almost 3.2 million registered users. The portal, which is managed by the National Agency for Information Society, AKSHI, is accessible in web, iOS and Android mobile app versions, with more than 415,000 users also registered on the mobile app.

Kosovo’s portal, e-Kosova, offers more than 30 e-government services and also makes possible online payments.

Cybersecurity concerns

With increasing digitalisation comes greater scrutiny of digital security given the amount of sensitive, personal data carried on such portals.

“E-Kosova is managed by a private company which does not have a security clearance,” a civil society digital expert told BIRN. “There are no certified security officials because we have no laws that classify information, classify who got access, etc… the security behind e-Kosova has been the main problem.”

Montenegro has already paid dearly for lax security, after its e-government portal was one of the targets of a major ransomware attack in 2022. Services have not yet fully recovered.

In a report published in June, BIRN urged Montenegro to upgrade its cyber security institutions to tackle potential threats, as well as increase public awareness about private data protection, digital rights and online security.

The same year, Albanian government systems, albeit not on the e-Albania platform itself, were hit in July and September by large-scale cyber-attacks, which led to the temporary disruption of most online public services.

An FBI-aided investigation pointed the finger of blame at Iranian hackers, saying they had accessed the Albanian system 14 months earlier.

Lack of financial resources

Digitalisation and the accompanying security requirements do not come cheap. Balkan countries are particularly limited in how much they can invest.

“State budgets for digital transformation are often limited and insufficient to achieve comprehensive progress,” a representative of the institution in charge of e-government services in Bosnia and Herzegovina told BIRN. “Budgetary allocation priorities are not always focused on digitalisation, resulting in a lack of funds for digital transformation projects.”

EU and international actors such as the UNDP and German GIZ provide some financial support for e-government projects but one expert told BIRN that these are project-based and not long-term solutions.

Additional funds are required to promote e-government services once they are developed.

A 2023 survey by NALED in Serbia found that 61 per cent of Serbian citizens lack proper information on the eUprava portal and how it works.

Read the full report here.

It had also been integrated with the EU Open Data Portal, which offers data from EU institutions, agencies and other bodies.

At the request of the government, FBI experts and France’s National Agency for the Security of Information Systems, ANSSI, joined the investigation in September 2022. The FBI submitted a report on the cyberattacks to the Police Administration in January 2023. It has never been made public.

After the attack, it was still possible to register on the open data portal, but not to access the data and any information on it. The last update on the current portal was from May 2022.

The Ministry of Public Administration now says a new open data portal will be established by the end of this year.

“A company has been selected and work is underway to establish it [the portal]. The new portal will be set up by the end of December this year,” the ministry told BIRN.

The ministry told BIRN it issued the tender to select a company to establish the new portal in cooperation with the United Nations Development Programme, UNDP.

It did not explain how the site itself will function.

But UNDP told BIRN that public bodies will publish data in an open format on the portal, which will be under the jurisdiction of the Ministry of Public Administration and will “adhere to all principles of transparency, security, and accessibility”.

The value of the contract is $123,000, and the project is financed by the European Union, the UNDP added.

Open data is a concept in which specific public-sector data is made available for use and reuse by everyone on the Internet, so increasing the transparency of the public administration.

This reduces the number of requests for free access to information and increases the quantity and quality of information published by government bodies.

Montenegro’s open data portal (www.data.gov.me) was established to more efficiently enable the right to free access to information and allow data use for commercial and non-commercial purposes through a joint catalogue.

When launched in 2018, the Ministry of Public Administration said it would represent a central hub for datasets from all institutions, and for information sharing and communication between institutions and system users.

“Publishing data in machine-readable formats is an obligation prescribed by the Law on Free Access to Information, which is aligned with the European Union directive on public sector information,” it said at the time.

Portal never published enough data

Montenegro’s parliament ratified the Council of Europe’s Convention on Access to Official Documents in January 2012, and the legislative framework for the right to access information in Montenegro was established the same year.

To further strengthen transparency and government legitimacy, Montenegro’s legislation had also to be aligned with the new European Union Directive (2019/1024) on open data and re-use of public sector information.

A survey conducted jointly by the Ministry of Public Administration and UNDP in January 2022 showed that 165 datasets from 12 sectors were available on the portal. None was from the environmental protection, sustainable development or tourism sectors.

The survey said human resources and institutional capacities in the public sector needed strengthening to produce open data. It also said public institutions should be obliged by law to submit data to the portal.

Snezana Nikcevic, from 35mm, a Podgorica-based NGO that monitors public services, told BIRN that the open data portal was a good initiative, but it never published enough data.

“Initially, only a little over 100 datasets were published on the portal, and only by a few institutions,” Nikcevic told BIRN.

Muhamed Gjokaj, a member of the Council of the Agency for the Protection of Personal Data and Free Access to Information, AZLP, also said the initial portal was inadequate.

The AZLP decides on appeals regarding requests from individuals and companies for access to open data.

He said that if the state decides to make a wider range of open data available, it must establish special offices across Montenegro that scan the archival material, enter them into the system, and format them into machine-readable formats.

“After that, the data can be offered to the public and the market, most of it publicly, but some for commercial purposes,” he said.

“These initial investments are indeed large and would likely amount to several million euros. But the state would quickly recover these funds both from commercial use of the data and from improving the business environment, reducing the time for various administrative activities, and similar improvements,” Gjokaj added.

According to the 2023 Open Data Report for Europe, the Montenegrin government’s action plan included obligations to improve open data at national and local levels, including adopting mandatory annual open data plans and calendars for public institutions.

“However, stakeholders faced difficulties fulfilling open data obligations due to the need to recover data and restore IT infrastructure following the cyberattack [in 2022],” the report said.

“In the next action plan, the Ministry of Public Administration and the Open Data Management Council should focus on publishing key categories of data that Montenegro has been missing, such as air quality, administrative boundaries, election results and land ownership,” it advised.

Pavle Cupic, a coordinator at the Podgorica-based NGO Civic Alliance, emphasizes that greater transparency in public data often leads to greater accountability of public institutions.

“For example, the availability of budget data can reduce corruption and allow citizens and civil society organisations to better monitor public spending,” he said. “Digitalising services reduces bureaucratic barriers and speeds up processes for citizens and businesses,” Cupic told BIRN.

Public sector staff unaware of open data

Montenegro’s Public Administration Reform Strategy for 2022-2026, which was released in February 2022, noted that more than 84 per cent of public administration employees were not familiar even with the concept of open data.

It also said that 83 per cent of public sector employees had never heard of the term “machine-readable data”, and 93.5 per cent were unaware that they can use open data in their work.

Cupic believes Montenegro may not yet be at a level where citizens and civil society organisations can fully benefit from digitalization and open data.

“Not even all institutions understand the importance of this issue, nor do they contribute enough to … fully implement the digitalization process and realize the potential significance of open data,” Cupic said.

The Ministry of Public Administration and the UNDP survey from January 2022 also showed that the open data portal had not been sufficiently promoted to the public.

It said data should be better systematized and urged public institutions to designate contact person to handle open data issues.

Gjokaj, from the AZLP, maintains that a better open data system would attract foreign investment and cut corruption.

“Fully implementing open data reduces the need to visit different counters, and services required by citizens and businesses are expedited … it leads also to a significant reduction in corruption,” Gjokaj said. “The more data available, the less room there is for corruption.”

Nikcevic, of 35mm, suggests that the new open data portal should be more comprehensive but also involve more intensive work with people from the public administration to ensure a functional and regularly updated database.

“The open data that institutions are supposed to publish is especially important for journalists, civil society organisations and social enterprises because it enables the monitoring and highlighting of both negative and positive practices in public administration. It also helps to propose certain solutions and predict various trends,” she said.

“Data, especially today, when almost everything we do is data, is crucial for making informed decisions; at the end of the day, that’s the point of democratising processes – to have a society where individuals make informed decisions,” she concluded.