Month: December 2024

Asim Kadic shouldn’t be standing in a queue, but his bank needs paper confirmation of his identity and address.

“In the 21st century, we are still struggling with papers and stamps and it’s the age of modern technologies and the Internet,” he said.

Sixty-one years-old, Kadic had travelled back to his native Bosnia and Herzegovina from Slovenia, where he works as an electrician, in order to apply for a pension.

At the pension fund, they were able to confirm his identity via the digital form of his Citizen Identification Protection System certificate, or CIPS. But his bank said he had to provide it in printed form, hence why he was standing in a queue in the registry office of his hometown, Tuzla.

The CIPS certificate is proof of address and contains other personal information used for proof of identity.

Nearly a year ago, Bosnian state authorities declared the printed version almost obsolete.

“As of mid-2024, Federation residents will no longer have to bring a CIPS certificate to any bank,” state Transport and Communications Minister Edin Forto announced. Declaring “war on the CIPS certificate”, he said the same would be sought of the Republika Srpska entity.

But even today some institutions in Tuzla are still going through the digital transition. Banks also require the certificate on paper.

The Pension Fund has completed the process.

“I was positively surprised when they told me I did not have to obtain the standard paperwork to apply for pension,” Kadic said.

As for banks, Jasmin Mahmuzic, director of the Federation Banking Agency, said the banking system in the entity had access to the CIPS system a decade ago, but “certain banks” abused it for profit, resulting in a ban.

“Within the existing legal framework, we have tried to solve the problem, but no progress has been made for now,” Mahmuzic told BIRN. “Our proposal is that we carry out verification on behalf of banks, but to date it has not been approved.”

Graphic: BIRN.

Legal entities denied access to data

Bosnia’s Agency for Identification of Documents, Registers and Data Exchange, IDDEA, confirmed that banks are not allowed access.

“Unfortunately, access by legal entities, such as banks, telecom operators and the like, is not possible, given that the Agency for Personal Data Protection of Bosnia and Herzegovina prohibited access to legal entities by its decision in 2017,” said Amela Talic, a senior expert associate for administrative procedures and normative affairs at IDDEEA.

“IDDEEA is obliged to act in accordance with the Law on Personal Data Protection of Bosnia and Herzegovina, so it cannot provide legal entities access to the data.”

Tuzla is still going through the digital transition.

“That should make things much easier for the public, especially when it comes to city grants, for which CIPS has been required to date,” said the City Administration.

The procedure for those applying for pensions or disability allowance was made easier in May.

“Citizens will no longer be obliged to attach to their application a certificate of residence, i.e. CIPS certificate, birth certificate and certificate of citizenship,” said the Federation Institute for Pension and Disability Insurance.

It described the process as “a fight for an administration without paper and without waiting in lines”.

According to IDDEA, a significant number of institutions at all levels of government in Bosnia have gained permanent access to databases managed by the Agency, but it said it was difficult to know why others were not taking advantage of the system.

“IDDEEA has provided the preconditions for digitalisation and it is up to other institutions to ensure the possibility of submitting applications electronically, enabling citizens to more easily exercise their rights before those institutions,” said IDDEA director Almir Badnjevic.

“Although we do not have precise data on savings, it is obvious that digitalisation significantly saves time and money for citizens, reducing the need to physically go to institutions and wait in lines.”

“Unfortunately, we cannot say precisely why some institutions still do not use these opportunities,” Badnjevic told BIRN. “IDDEEA is doing everything in its power to point out to all institutions through direct calls as well as through the media, the advantages of constant access by institutions and benefits – both for institutions and citizens.”

Almir Badnjevic, director of IDDEEA, gives a speech at a ‘Digital Transition’ event in Sarajevo in May. Photo: IDDEEA.

Security questions

Digitalisation poses new challenges in terms of data security. Aleksandar Mastilovic, an expert in digital transformation, said cyber security needs to be improved in the country.

“There are examples of data leaks and successful attacks on digital systems of administrative bodies in Bosnia and Herzegovina, like, for example, data leakage from civil registry books of Centre Sarajevo Municipality, data leakage from the health information system of Republika Srpska and ‘ransomware’ attack on the Parliamentary Assembly of Bosnia and Herzegovina in September 2022, which put the institution out of operation for two weeks,” he told BIRN.

“As the digitalisation progresses, there will be more and more such examples, and the risk itself will grow proportionally.”

The IDDEA said it was alert to the threat but called for legislative solutions.

“Clear laws and policies are necessary to define the appropriate use and storage of data,” said Badnjevic.

When it comes to banks in Bosnia, the IDDEA said it plans to develop a system to digitalise the data exchange process, particularly in terms of occasional access, which may provide a solution for banks.

Currently, said Talic, the biggest users include the tax authority, pension funds, health insurance institutes, employment offices and civil registry offices, the Banking Agency of the Federation, inspections, courts, municipalities and city authorities.

Badnjevic said that complete digitalisation would require legislative changes as well as greater technical capacity within public bodies.

“There is a visible trend towards an increasing digitalisation, and we can expect the process to speed up in the coming years,” he said. “Additionally, it is important to note that successful digitalisation requires not only technical preconditions, but also the education of officials.”

This was just the latest in a series of government campaigns that involve people being detained for questioning due to their alleged calls for a violent change in the constitutional order.

The immediate trigger for such a harsh reaction from state agencies was the participation of citizens in protests against lithium mining, with consequences also affecting the administrators of the Facebook page “Activism”.

The past five years have witnessed various attempts by the Serbian state to prevent citizens from exercising their right to peaceful assembly.

This includes the excessive use of police force during protests against the announced curfew in 2020, for which no official was held accountable despite television cameras capturing scenes of police violence.

There was also the banning of the EuroPride march and the arrest of activists for allegedly calling for a violent change of the constitutional order.

Police violence was also recorded in December 2023 after the elections.

Serbia’s Ombudsman determined, albeit late, that there were failures in the actions of police officers during the road blockades in November 2021, whose duty was to protect citizens.

During these road blockades, hundreds of requests were filed to initiate misdemeanour proceedings against citizens who had peacefully protested, mostly under the Traffic Safety Act.

Vaguely worded law

Police clash with protesters outside the Serbian parliament building in Belgrade, July 2020. Photo: EPA-EFE/KOCA SULEJMANOVIC

The wording of the criminal offence of “calling for violent change of the constitutional order” says that whoever, with the intention of endangering the constitutional order or security of Serbia, calls for or incites the use of force to change it or overthrow the highest state bodies, or representatives of those bodies, shall be imprisoned for six months to five years.

The same law also regulates an aggravated form of the offence; whoever calls for a violent change of the constitutional order with the assistance of a foreign country faces up to eight years in prison.

A special form of the offence concerns the dissemination, production or duplication of material whose content calls for a violent change of the constitutional order, or the distribution and transfer of such material in large quantities with the intent of dissemination, commonly referred to as propaganda. For this offence, a penalty of up to three years in prison is prescribed.

But the law does not precisely define the act of the criminal offence. It merely refers to calling for, or inciting, the use of force to change the constitutional order, with a crucial element being the intent to endanger the constitutional order.

What exactly constitutes the offence is not defined by judicial practice either, as few criminal charges for this offence have been prosecuted. In the last three years, according to Serbia’s Statistical Office, nine adults, mostly from Belgrade, were reported for this offence.

The public is aware of the case of activist and journalist Bosko Savkovic, who was arrested in 2023 at the “Serbia against Violence” protests.

These were major rallies held in the wake of the two May 2023 mass shootings that shocked the country.

Arrested because of a banner and a doll hanging from the banner, resembling a hanged president, he was placed in detention for up to 30 days. Under the pressure of remaining in custody, he made a plea agreement with the public prosecutor, even though it was evident that no offence had occurred.

Sending a ‘message’ to activists

People gathered in Belgrade at a protest against a controversial lithium mine in Serbia, August 2024. Photo: BIRN

Such detentions, arrests and verdicts not only violate citizens’ rights to freedom of peaceful assembly, expression and association. They also send an extremely negative message to all citizens of Serbia who intend to engage in activism, signalling that they may be punished for it.

One of the cases that came before the European Court of Human Rights regarding freedom of expression was the case against Spain over photographs of the royal family burned at a public gathering in 2007, the case of Capllera vs. Spain.

The applicants were convicted of insulting the Spanish crown and were fined, with the penalties to be replaced by imprisonment if unpaid.

But the ECHR concluded that this violated the right to freedom of expression. The court stated that there was no insult to the king of Spain as a person, but to what he politically represents; it was not a genuine call to violence, but rather permitted political criticism through performance art.

Indeed, across European cities, we often see effigies of state officials being burned, but no one considers this to be an actual call to violence; in a democratic society, it is understood as permissible freedom of expression.

In the case against the Rio Tinto protesters in Serbia, the public is not aware of the specific actions that have been characterized as calling for a violent change of the constitutional order. Based on the numerous recordings made available to the public, it seems clear that there was no call to violence.

Alarmingly, these arrests were accompanied by a campaign by the pro-government tabloid Informer against activists and NGOs, which manipulated data about the finances received by NGOs, alleging that they were undermining the constitutional order or attempting to overthrow the president of the republic.

In this way, citizens who spoke out in defence of the right to a healthy environment not only suffered legal consequences; the long-standing stigmatization of the civil sector, which fights for the rule of law and respect for human rights in Serbia also continued.

Numerous NGOs have called for an end to what they have described as repression against citizens and hate speech against activists.

While Serbia’s criminal code protects government officials, the question is who protects citizens and activists from state repression?

Looking back over the past few years at all the attacks and pressures on activists, and the cases in which government officials have mainly been the ones who have been violating activists’ rights, we can rightfully ask why the criminal offence of calling for a violent change of the constitutional order even exists.

Does it protect the constitutional order – or does it protect the government from the citizens of Serbia?

Milena Vasic is a lawyer at the Lawyers’ Committee for Human Rights, YUCOM in Belgrade.

The opinions expressed are those of the author only and do not necessarily reflect the views of BIRN.

In February, Energy Minister Dubravka Djedovic Handanovic said only administrative functions were affected.

“Bills were slightly delayed by technical challenges due to the hacking attack, but the system has been brought back up bit by bit,” the daily Danas reported the minister as saying. “What is most important is that this attack did not compromise production, but was of an administrative nature and did not compromise security data.”

Cybersecurity expert and co-founder of the Bezbedni Balkan [Secure Balkan] forum Ivan Markovic told Insajder that, according to sources, the impact was greater than the authorities were letting on and that some members of the public received bills with “illogical values, which can also be a consequence of the attack”.

Official silence

On December 19, 2023, EPS said it had come under a “crypto-type” hacker attack and was in the process of recovery. Because of the attack, the company’s bill payment portal stopped working and bills for November were late in being sent.

EPS did not respond to a request for comment for this story. Nor did the Department of High-tech Crime within the High Prosecutor’s Office in Belgrade, which reportedly launched an investigation following the attack.

However, the impact of the cyber-attack is visible in the company’s own quarterly reports on its three-year business programme, including, for example, in the company’s ability to carry out maintenance work.

“Maintenance costs were realised in the amount of 20.1 billion dinars and are 4% lower than planned,” EPS said in one report from this year.

“One of the reasons for the lower maintenance realisation is the hacker attack on the ICT infrastructure of EPS AD, when the systems were seriously endangered and when continuous work was being done to upgrade them.”

In July, Radio Free Europe reported that business documentation from the previous few years, as well as the individual personal data of employees at Bajina Basta Hydroelectric Power Plant, part of EPS, in southwestern Serbia had been published online. The data included scanned ID cards and university diplomas.

Neither EPS nor the government confirmed or denied the report or offered any explanation as to what EPS data had been published on the dark web.

No public information

Serbia’s National Centre for the Prevention of Security Risks in ICT systems, CERT, declined to specify what data or documentation had been published by the hackers, telling BIRN: “Hacker groups trade various information on the Dark Web, but it remains an open question whether and how valid this data is. The National CERT, within its competencies, has no authority or ability to determine whether certain data belong to an institution.”

EPS reported the attack to the CERT, but CERT declined to go into details, citing the fact the information had been classified as TLP: AMBER.

TLP, or Traffic Light Protocol, is a set of international standards for sharing sensitive information in the event of a computer security incident.

“Bearing in mind that the obtained information is marked with the TLP: AMBER mark, it is not possible to share it with the general public, and we are unable to provide you with the requested information,” CERT told BIRN.

But Nevena Ruzic, an expert on personal data protection, said that regardless of international protocols, the state itself must rule such information confidential in accordance with domestic laws.

“There must be a decision on confidentiality and the degree of secrecy must be determined,” Ruzic told BIRN.

Ruzic said it is difficult to give an estimate of the scale of damage inflicted by the hack.

“That damage is not immediate, nor does it happen at the same time as the attack, regardless of whether the data refers to persons [customers or employees] or to business data.”

Too often, such incidents are forgotten, Ruzic said.

“After some commotion that arises and media coverage that is often sensational, we stop thinking about what systemic error was involved, whose responsibility it is and what lesson was learned.”

“If we remember the way EPS communicated after the attack, it was in such a way that the individual did not know what happened in the end.”

Earlier warnings

The office of Serbia’s Commissioner for Information of Public Importance and Personal Data Protection said it had looked into the attack and had not found any “publication of personal data about the users of the supervised entity’s services, nor EPS employees, as a result of the reported attack”.

Bezbedni Balkan had already warned about problems with EPS cybersecurity. Markovic said that in 2022 and the first seven months of 2023, email accounts related to EPS were compromised at least 15 times. EPS denied this.

Previous research by BIRN has highlighted the need for Balkan states to improve their defences against cybercrime because of a surge in cyberattacks, particularly phishing and ransomware.

The BIRN report cited a series of cyberattacks targeting critical online infrastructure, services and computers. Inadequate public awareness and cybersecurity policies, plus limited regional collaboration, have exacerbated the challenges Balkan countries face in combatting cybercrime, it said.

“Over the next two weeks … they saw everything. My child bathing, photos we shared with their grandparents – every detail. I was horrified,” the activist recounted.

This is just one of many cases where Serbia’s security agency over the past year illegally accessed activists’ phones, extracting data or installing spyware to track their activities.

BIRN interviewed several activists, including the Krokodil member, whose phones Amnesty International confirmed were compromised by the security services. 

The revelations were supported by technical findings of unauthorised data extractions and spyware installations.

Beyond these cases, more than 20 activists said they suspect their devices were infected. BIRN also consulted digital forensics experts and legal professionals, documenting widespread illegal practices involving the collection of personal data and the use of malicious software.

The BIRN investigation has uncovered a pattern of coercion: some activists were summoned for questioning; others were detained by force. 

These so-called “informative conversations” were often described as pointless, serving as a pretext to confiscate the phones, buying time to bypass security protections and extract sensitive information.

The confiscated devices behind closed doors were connected to Israeli company Cellebrite’s advanced digital forensic tools, known for unlocking phones. Some were then infected with NoviSpy, a spyware developed in Serbia.

Amnesty International’s forensic team had analysed over 20 devices belonging to Serbian civil society activists, mostly Android phones, by November 2024. 

Analysis confirmed four cases of NoviSpy installation between February and November, with evidence of failed installation attempts on other devices. In two instances, Cellebrite tools were used to unlock phones and install NoviSpy.

Technical evidence suggests a broader surveillance operation: in just one month, over 20 unique NoviSpy samples were generated and potentially installed.

Legal experts told BIRN that the BIA had no legal authority for these actions as Serbian law lacks any legal framework permitting spyware use.

“This severely impacts the privacy, freedom of expression and association not just of the targeted individuals but of the broader activist community,” Ana Toskic Cvetinovic, from Partners Serbia, an NGO, said. 

“The consequences for democracy are devastating. It gives the impression that there is zero oversight of the police and of BIA operations,” she added.

‘They even know when I go to the gym’

In December 2023, Ivan Bjelic, an environmental activist from the group Svice, became the target of a state operation that he describes as an unsettling violation of his basic human rights. 

Detained on the day of the Serbian parliamentary elections, on December 17, Bjelic spent two hours at a police station in the New Belgrade district of the capital while Ministry of Interior officers analysed his phone using Cellebrite UFED – Universal Forensics Extraction Device. 

According to Amnesty International, forensic logs show his phone was connected via USB to an external system at around 5:55 p.m. that day. 

The authorities gained access to all his personal data.

“They can literally know everything I do – what food I buy for my dog, when I go to the gym, how often I water the plants on my balcony,” Bjelic told BIRN. 

His greatest concern, he said, isn’t just the invasion of his own privacy but the message this sends to other activists.

When he was detained, he said plainclothes officers attempted to forcibly seize his phone. At the police station, he was presented with a written court order to search his device. After signing the document, Bjelic was asked to unlock his phone and provide his PIN, which he did, reluctantly. Officers then took the phone and kept it for several hours before returning it.

Bjelic, who has frequently clashed with the authorities over his activism against a planned lithium mine in western Serbia, had noticed irregularities with his phone before, as early as 2021. 

“It would turn on and off by itself, vibrate randomly and overheat during conversations with fellow activists so much that I couldn’t hold it. It was clear something was wrong,” he recalled. “In one month, I burned through 50GB of data, with 12 to 13GB unaccounted for.”

Phone taken by police and compromised

He received suspicious calls with untraceable numbers or numbers with too many digits to be legitimate. Amnesty International researchers warned that these could be indicators of spyware infections, potentially deployed remotely, such as Pegasus or Predator.

On the day of his arrest in 2023, the plainclothes officers who detained Bjelic cited an unpaid traffic fine as the reason. However, the interrogation quickly veered into different territory. 

“They asked me if I had bombs, if I was planning a terrorist attack, or if I’d searched how to buy guns. Later, I found out that Cellebrite software was used on my phone and they had a copy of everything; it’s terrifying,” Bjelic said.

His lawyer, Nikola Lakic, says such secret surveillance measures are only lawful in cases involving the most serious crimes. “Anything else constitutes a blatant violation of citizens’ rights,” Lakic said.

Bjelic’s story has other disturbing aspects. In July 2024, during German Chancellor Olaf Scholz’s visit to Serbia, Bjelic noticed a black car tailing him throughout Belgrade. 

“They knew where I was at every moment until I switched my phone to airplane mode. Then they lost track of me,” he said. 

Two days later, the same car stopped him on the street. “They flashed a badge and told me I couldn’t record them. They said they were following orders but I never found out why I was being targeted,” he added.

Amnesty International’s forensic analysis confirmed that Cellebrite UFED had been used to retrieve his messages, photos, contacts and other private information.

Despite the intimidation, Bjelic said the experience has only strengthened the resolve of many activists. 

“Some people were scared but most of us became even more determined in our fight,” he told BIRN. “Now, when we discuss sensitive information, we only do so in person, without phones or computers.”

Cellebrite ‘can clone everything on a phone’

Cellebrite’s digital forensic equipment is designed to penetrate deep into a device’s architecture. This advanced technology provides access to deleted data, cloud accounts and even some encrypted applications.

Leaked specification and official Cellebrite documentation reveal that it can recover deleted messages, hidden files, location history from cell towers, Bluetooth connections, Wi-Fi networks and more. 

Serbia’s security agencies reportedly also possess Cellebrite’s analytical modules. These enable data filtering, visualisation, mapping and processing using artificial intelligence, including facial recognition capabilities.

According to Amnesty International, Cellebrite’s tools have enabled Serbian security services to unlock phones, paving the way for the installation of spyware for surveillance purposes.

Cellebrite has denied knowledge of these activities. “If this is indeed the case, Serbia has breached its contract, and we will reevaluate whether it remains a country we will work with,” Cellebrite stated on December 12 in its response to BIRN’s inquiries.

The company provided a similar response to Amnesty International. In its letter to BIRN, Cellebrite also noted that its equipment is licensed solely for use with a court order by police investigating criminal acts.

Hadzib Salkic, a forensic IT expert who uses Cellebrite tools, told BIRN that this technology can automatically unlock almost all phones except some of the latest iPhone models.

“If you have the latest Cellebrite license, phones unlock automatically. There’s no protection against it. Once a phone is unlocked, Cellebrite is no longer necessary unless the goal is to speed up data extraction – like contact lists or social media communications. Essentially, the tool can clone everything on a phone,” Salkic explained. 

He added that Cellebrite extracts data from various services through partnerships with service providers, phone manufacturers, operating system developers and app creators.

Igor Franc, a digital forensics expert and professor at Belgrade’s Metropolitan University, told BIRN that the process of breaking encryption and extracting data depends on the amount of information stored on the device. It can take anything from a few hours to over 10 hours.

Itay Mack, an Israeli human rights lawyer, said repeated examples of misuse of its tools could make it more difficult for Cellebrite to claim ignorance. “In such cases, the company could be held legally responsible for enabling abuse,” Mack said.

BIA ‘uses Cellebrite to install NoviSpy’

According to Amnesty International, Serbia’s BIA has developed its own spyware to track activists, a sophisticated surveillance tool called NoviSpy. 

Unlike globally recognised spyware such as Pegasus and Predator, which operate remotely, NoviSpy requires physical access to an unlocked phone.

Amnesty International’s findings reveal that BIA operatives have used Cellebrite to unlock phones before installing the spyware that remains invisible to the user. 

Once installed, NoviSpy enables access to call logs, contacts and SMS messages. It tracks the phone’s location, captures screenshots and activates the device’s microphone and camera.

Software similar to NoviSpy was reportedly used to gather evidence against former police general Slobodan Malesic who was arrested in 2022 and charged with abuse of office.

As BIRN reported, hundreds of screenshots from Malesic’s phone were included in the indictment against him. These captured details ranging from his text messages to the music he listened to. The spyware reportedly photographed the phone’s screen up to 20 times per minute, generating more than 70,000 screenshots over time.

The development of NoviSpy dates back to 2018. Amnesty International’s analysis of IP addresses linked to the spyware found that it communicates with and stores data on a server housed within the BIA. 

The same server previously hosted the German surveillance software FinSpy. Registered under the name of a BIA operative, identified only as D.P., the server also played a role in negotiations to procure spyware from the Italian company Hacking Team.

The overlap between NoviSpy’s infrastructure and Telekom Srbija, the state-owned telecommunications provider, raises additional concerns. Previous reports have implicated Telekom Srbija in acquiring surveillance technologies such as FinSpy and Italian spyware proposed for military security agencies.

Google, alerted by Amnesty International, confirmed NoviSpy as malicious software and removed it from compromised devices. The tech giant also notified affected users of the spyware campaign targeting their phones.

“This discovery sheds light on the extensive digital surveillance in Serbia,” Amnesty International stated in its report. “The use of technology to target citizens echoes authoritarian practices that directly threaten fundamental freedoms.”

The BIA did not respond to BIRN’s request for comment. However, it did respond to Amnesty International’s report, dismissing it as “trivial sensationalism”. 

“The Security Information Agency operates exclusively in accordance with the laws of the Republic of Serbia and therefore we are not even able to comment on the meaningless statements in [Amnesty International’s] text,” it said in a statement.

Phone taken at police station and compromised

Nikola Ristic, one of the organisers of high-profile protests following the collapse of the outdoor roof canopy at Novi Sad railway station in November, which killed 15 people, had planned a simple but symbolic demonstration – painting Belgrade’s central Republic Square red, to highlight the government’s alleged responsibility. 

But plainclothes officers were waiting for him when he arrived. “We announced the gathering for 12pm but anyone familiar with our work knows we always arrive two hours early. The moment we stepped onto the square, I saw at least ten plainclothes officers, some of whom had arrested me before. While I was looking around to spot our people, I put the paint on a bench. That’s when a group of unfamiliar men approached, flashing badges briefly,” Ristic recalled.

“They said: ‘We’re inspectors, you need to come with us.’ I asked: ‘Where and why?’ One of them said: ‘Let’s check this paint of yours – what’s it for?’ I replied: ‘I’m repainting my apartment.’ He smirked: ‘We’ll discuss your apartment renovation at the station.’”

At that point, his partner, Darija, started filming. Ristic was placed in a car and taken to a police station in Belgrade’s Savski Venac district. On arrival, officers asked him to place all his belongings on the hood of a car. They collected the items in a bag, including his phone, which they later returned to him, asking him to call Darija and request the removal of her video of his detention. 

Ristic locked his phone and handed it over. The phone was taken out of the room and his data was compromised during this time.

The interrogation lasted two hours and 50 minutes. “It felt more like a persuasive attempt to get me to stop being an activist,” Ristic explained. When released, he was handed back all his belongings, including his phone.

However, according to Amnesty International’s report, during his detention, the authorities used Cellebrite to bypass the PIN code, access his phone and install NoviSpy spyware, granting them complete control over the device. 

The spyware enabled access to messages, contacts, and location data, and remote activation of the phone’s camera and microphone.

Ristic’s experience illustrates how activists in Serbia not only face physical intimidation but also invasive digital surveillance, raising questions about privacy, accountability and the misuse of advanced technology by the authorities.

‘Whole point of the meeting was to access my phone’

When Ivan “Buki” Milosavljevic, leader of an environmental campaign group called the Rangers of Eastern Serbia, entered the BIA office in the town of Pozarevac on August 22, 2024, he didn’t anticipate becoming the target of invasive surveillance technology. 

Summoned for an “informative interview” with the region’s new BIA operative, Milosavljevicquickly realised the true purpose of the meeting.

The three-hour interview, which Milosavljevic described as pointless and unnecessarily long, felt more like an awkward coffee chat than a formal interrogation. 

“They asked vague and unrelated questions. Phones were ringing constantly and the agent kept leaving the room,” Milosavljevic told BIRN. Early on, the agent asked him to leave his phone in a locker.

The pivotal moment came when the agent asked to see a video of a local water utility worker in the town of Zagubica attacking members of Rangers of Eastern Serbia. 

Although Milosavljevicsaid the video was publicly available online, the agent insisted he show it on his phone, which Milosavljevic retrieved and unlocked, playing the video for the agent.

“I gave him the locker key; he brought me the phone. I unlocked it and played the video, but he seemed uninterested,” he recalled. 

“He was scrolling through my phone while watching it, and then his desk phone rang. He left the room, with my phone in hand. About five minutes later, he came back with the locker key, claiming the phone was back in the locker. That’s when I realised the whole point of this meeting was to access my phone.”

The next day, Milosavljevic noticed unusual activity on his digital accounts. Concerned, he asked Amnesty International to conduct a forensic analysis of his phone. It found that the phone had been connected to a computer via a USB cable and the authorities had attempted to install NoviSpy.

Fortunately, the attempt failed due to Google Play Protect’s enhanced security measures. These require additional authentication through biometrics or a PIN code, which the agents didn’t have. But, during the three-hour interview, at least two unsuccessful installation attempts were recorded.

Milosavljevic believes the BIA’s actions were tied to his group’s ongoing activism against the controversial proposed Rio Tinto lithium mine. “They likely wanted access to our communications to see how connected we are, how we operate, and what we’re planning,” he suggested.

Other activists reported similar tactics to BIRN. Many refused to hand over unlocked phones, prompting the agents to use manipulative techniques to gain access. These incidents highlight a pattern of state surveillance aimed at silencing dissent and monitoring activists.

Activists ‘interviewed’ despite lack of court warrants 

None of the activists summoned for “informative interviews” during which the BIA extracted phone data or installed spyware was presented with a court warrant justifying these actions, according to the BIRN investigation.

“I was never given any warrant, and they deny that anything even happened,” said Ljubo Stefanovic of SlavijaInfo, an independent news website, who believes he was targeted with spyware. 

Milosavljevic from Rangers of Eastern Serbia described his interview as “completely informal”.

Legal experts assured BIRN that such actions lack any legal foundation. “The BIA cannot independently seize a mobile device, extract its data, or perform forensic analysis without proper authorisation from a prosecutor’s office and a court,” lawyer Nikola Lakic said. 

He emphasised that such actions violate human rights and could constitute criminal abuse of office.

In several cases, he said, activists were denied basic rights. “None of the activists detained fall under the BIA’s jurisdiction. Their detention and the confiscation of their phones constitute abuse of authority and several criminal offences,” Lakic asserted.

Lawyer Vladimir Marinkov highlights shortcomings in Serbia’s criminal procedure code, which grants very broad powers to the police and security services in pre-investigation proceedings. 

“There is no formalisation of these procedures, allowing individuals to become subjects of criminal processing without them even being aware of it,” he explained.

He said the BIA and the police exploit vague legal definitions to carry out activities that infringe on citizens’ privacy. 

“When actions are directed at an individual to uncover a crime, that individual ceases to be just a ‘citizen’ and becomes a suspect, even if they are not formally informed of their status,” Marinkov noted.

The BIA’s mandate grants it police powers in cases of organised crime and terrorism. However, Predrag Petrovic, of the Belgrade Centre for Security Policy, warns that these powers are often abused.

“Such powers can easily be abused for manipulating investigations, threatening legal action against government critics, or disciplining disobedient businesspeople,” Petrovic explained.

Blurred lines between the police and the BIA further complicate the situation. For years, the European Commission has urged Serbia to separate the two security services, to prevent abuses of power.

Unlike the BIA, some cases involving the Interior Ministry show greater adherence to basic standards. When the police detained Ivan Bjelic and others, they at least left written records. 

However, legal experts argue that even in these cases, privacy violations during the proceedings were unwarranted.

‘This is a wake-up call’

Surveillance of activists, journalists, and civil society representatives with spyware is not a recent phenomenon in Serbia. 

In October 2023, a coalition of international digital rights organisations revealed that members of Serbia’s civil society sector had been targeted by military-grade spyware, including Pegasus and Predator.

One civil society representative agreed to speak with BIRN under the condition of anonymity.

It all began in August 2023, during protests in Belgrade over the May mass shootings in Serbia. The activist received an unusual late-night WhatsApp call from a long, unfamiliar number originating from an African country. “I was asleep and didn’t answer. I had no idea it could be tied to something much bigger,” he recalled.

On October 30, 2023, he received an alert on his iPhone but didn’t understand its significance. “I asked an IT expert for advice and he told me the situation was serious and I should seek help. Around the same time, a colleague mentioned receiving the same message,” he said.

They contacted an international organisation that referred them to a local digital forensics partner, which confirmed that an attempt had been made to install Pegasus or a similar spyware. “I was shocked. The sense of vulnerability and exposure was overwhelming,” he recounted.

Pegasus is a tool officially used by governments to monitor criminals and terrorists. But increasingly, it has been misused to target journalists, activists and government opponents. 

It allows total access to the target’s cameras, microphones, messages and calls, without leaving a trace. 

“They told me Pegasus is a sophisticated ‘no-click’ spyware. You don’t need to click a link or answer a call; all it needs is a vulnerability in your phone,” the activist said. 

The attack on his phone occurred at a time when protests were ongoing in Belgrade over the May 2023 mass shootings, while his organisation was also running a programme to protect political dissidents who had fled Russia. “One of these two reasons must have been why they targeted me,” he suggested.

A Pegasus license reportedly costs between US $20,000 and $30,000 per target, and such attacks are often accompanied by other forms of monitoring, including physical surveillance.

The activist also noticed physical surveillance over the same period. “At meetings with foreign diplomats, people who didn’t seem to be there for themselves would approach us. They would film us and follow us. It happened several times,” he recalled.

Forensic analysis revealed that attempts to plant Pegasus on his phone had failed thanks to the updated software on his iPhone. “But the feeling that someone might try again never leaves me,” he said.

He began warning his colleagues in the civil society sector to check their phones. His organisation has upgraded its digital infrastructure and reinforced physical security. 

“This information has unsettled me further. I was convinced I was under observation, and that my close associates might be as well,” he said. “I didn’t want to scare my family. My son doesn’t know what happened, but one day I’ll tell him.”

Amnesty International and Access Now identified Serbia as a country where Pegasus has been active since 2021, with the most recent infection attempt recorded in 2023. 

It is not the only tool in the arsenal of digital surveillance used by authoritarian regimes, but its use against civil society members highlights severe shortcomings in Serbia in the protection of fundamental rights.

“Nothing we do is secret. All our activities are public, but it’s clear that this type of spyware is used to gather personal information to publicly discredit individuals,” the activist said. 

“I was certain I wasn’t the only one, and I wasn’t. It will take years to determine how many people were infected or targeted with Pegasus,” he warned. 

“This is a wake-up call for all of us: caution isn’t just advisable, it’s essential.”

She said that in 30 years of working in media organisations, she did not recall a time when journalists were as unsafe as they are now. “There are unprecedented attacks on the safety of journalists,” she said.

“I have been in the business for over 30 years and have never heard of such an amount of attacks against journalists in Europe, Turkey, or outside the EU, online but also physical attacks – from all kinds of different actors, but specifically also from political actors – as we have today,” Schroeder said.

Schroeder joined the International Federation of Journalists, IFJ, in 1993. She has been engaged with the EFJ since 2003.

Her workload as director at the EFJ’s Brussels office includes advocacy at the EU and Council of Europe level, presentation of EFJ views at international meetings, fact-finding media freedom missions, sitting on juries that award journalistic prizes, and work with EFJ expert groups on issues like freelance reporters, media literacy and digital journalism.

Schroeder obtained a bachelor’s degree in international relations and political science at Boston University in 1988 and a master’s degree in the same subject at Berlin’s Free University in 1992.

Before joining the EFJ and defending independent media and journalists, she worked at the United Nations in New York, at the research institute FAST in Berlin and at the Friedrich-Ebert Foundation in Brussels.

Information ‘warfare’ undermines trust in journalism

Schroeder said that illiberal governments’ warfare over information had damaged trust in the media worldwide.

“This information warfare, we can say, be it from Putin, from Trump and all the illiberal governments alike, has had an incredible impact on trust in journalism,” she said, underlining concerns about new laws designed to increase government controls over the media.

“We are very much concerned that governments misuse disinformation to censor journalism. We have seen attempts in Turkey, of course, and we’ve had attempts in Croatia and in several countries where they wanted to use ‘information laws’ to censor journalists, and we are always against that,” she said.

She added that Russian-style “foreign agent” laws will worsen the situation in countries like Turkey, Bosnia and Georgia.

“I think I don’t have to explain that this is completely against media freedom, and is being misused by Putin and the like,” she said.

In recent years, governments in a range of countries including Georgia, Turkey, Hungary and Republika Srpska in Bosnia, have increasingly tried to target “foreign influences”, proposing laws that many see as intended mainly to prevent public scrutiny and curb media freedom.

New technologies and social media companies managed by big tech companies have worsened the plight of the independent media, Schroeder asserted.

“The models of big tech almost always favour lies, disinformation, hatred and incitement – everything that we are fighting in journalism. Without regulation, we see what’s happening; I’d want to call it social networks and not social media, because for me this has nothing to do with media, because there are no standards and there are no judgments.

“Without regulation, it will get worse,” she said, stressing the importance in this context of the European Media Freedom Act.

“What we need now is enforcement, meaning transparency, dialogue with different stakeholders, but also more resources for civil society, because they play a very important act here, to balance this this completely imbalance of power,” she added.

Turkey now a ‘role model’ for violators

Schroeder told BIRN that media freedoms in the Balkans have deteriorated over all the years she has been following them at the head of Europe’s largest journalistic organisation.

“I think the situation has further deteriorated. I have followed the region for years, and, especially in Bosnia, Serbia and Turkey, the situation has deteriorated further,” she observed.

Turkey had become a “role model” for other countries when it comes to media rights violations, she warned.

“Turkey has been a role model for other countries for too long. I am almost speechless because it has been for such a long time, and I think we will not get any improvement. I can only hope that a new government [in Turkey] will have a different attitude towards the media,” she said.

“We have also seen from what’s happening in Poland and Hungary; once the media is captured It is very difficult to rebuild it. Turkey’s public broadcaster is a complete propaganda machine for [President Recep Tayyip] Erdogan and will take years to regain trust,” she said.

Schroeder urges journalists to take a “holistic” approach to the various struggles ahead.

“We see in those countries where you still have strong unions that the situation is better, like in the Nordic countries. Capacity-building of unions and associations is very important for us because they represent journalists. On the one hand, they have to fight for better working conditions and, on the other, they have to fight for this holistic approach of enabling an environment that allows journalists to work,” she said.

“We need a holistic approach. We need regulation, we need enforcement, but we also need an audience that’s still interested in journalism and is able to protect journalism. So we need media literacy; we need journalists going into classes, to explain to students what the difference between a journalist and an influencer is,” she concluded.