‘For the Right Price’: Email Credentials from Serbian State Bodies Sold Online

Late last year, reports surfaced in the online forum ‘Bezbedan Balkan’ [Secure Balkan] concerning the black market sale of email account credentials associated with a number of Serbian state institutions and public companies.

“Multiple sources” reported the phenomenon, said Ivan Markovic, a cybersecurity expert and co-founder of the forum.

“This means that someone, for the right price, was able to read through the official communication of the public enterprise Elektroprivreda Srbije [Serbia’s power utility] or [main gas distributor] Srbijagas, or send a message pretending to be from the National Employment Service,” Markovic told BIRN.

When Markovic and his colleagues dug deeper, they found that the email credentials of several public enterprises and state institutions had been compromised for more than a year and offered for sale for $100 or less.

The email accounts contained information on contracts, redundancy notices, bank statements, public procurement, and union meetings. Sale ads included screenshots of open email inboxes as proof for potential buyers.

Yet almost all of the bodies concerned told BIRN the reports were false.

According to Markovic and other cybersecurity experts, their failure to act only makes things worse.

“Black market platforms depend on their credibility and usually don’t sell fake data; those sellers who do quickly get sanctioned,” he said. “What’s more dangerous is that this data is sold multiple times to different malicious groups.”


Inbox of one of the email accounts offered on the market – Anonymous Source (Screenshot)
Ads selling addresses linked to public enterprise Beogradski vodovod i kanalizacija were the first to appear online. Since January 2022, at least four ads were posted, with their total value at $367,5. BIRN inquired about the incidents, but “Beogradski vodovod i kanalizacija” did not respond to our questions.


Ads for email accounts for Elektroprivreda Srbije appeared alongside other compromised addresses – Bezbedan Balkan (Screenshot)
First two ads offering access to email accounts related to Elektroprivreda Srbije, Serbia’s power utility, are posted on an online market. This, along with information on breaches for other public and private companies, was revealed in November on the Bezbedan Balkan forum, which analyses cybersecurity incidents.


Inbox of one of the email accounts offered on the market – Anonymous Source (Screenshot)
Ads continued to pop up throughout the summer. In September, at least seven ads were published, the most of any previous month. Their total value was almost $700. The screenshots of inboxes posted by the sellers indicated the legitimacy of the ads. They contained information on bank statements, public procurement plans, and union meetings.


Cybersecurity site detects malicious activity – Bezbedan Balkan (Screenshot)
Spam messages were sent from an IP address linked to Elektroprivreda Srbije. The same IP address was reportedly abused again several months later, for other malicious activities. At the time,the National CERT, the state body dealing with the prevention of cybersecurity incidents, said it had informed the institutions whose email accounts were suspected of having been compromised


Four new ads appeared between January and March 2023 – Bezbedan Balkan (Screenshot)
Ads selling access to email accounts of Elektroprivreda Srbije continued appearing online. In total, at least fifteen ads were posted since they were first published in March last year, which is more than for any other public company whose email accounts were compromised.


Inbox of one of the email accounts offered on the market – Anonymous Source (Screenshot)
Since December 2022, at least two ads offering accounts connected with state-owned Telekom were posted online. Their total value was $129. Telekom told BIRN it ran internal checks after information appeared online, but determined no accounts were compromised.


Inbox of one of the email accounts offered on the market – Anonymous Source (Screenshot)
One ad, worth $30, selling email address linked to public utility company Infostan appeared. BIRN inquired about the incidents, but Infostan did not respond to our questions.


Inbox of one of the email accounts offered on the market – Anonymous Source (Screenshot)
One ad, worth $30, selling email address related to the National Employment Service, was posted on the internet. The Service told BIRN it was not aware of email accounts being offered online, nor that it identified any incidents related to this. However, they said that email accounts of private citizens, not employees, on their platform did get compromised in the past.


Inbox of one of the email accounts offered on the market – Anonymous Source (Screenshot)
One ad, worth $85, selling accounts related to grid operator Elektromreža Srbije was posted online. Previously, another ad appeared in January 2023, offering data for $14. Elektromreža Srbije told BIRN they identified the incident, which was a result of a phishing campaign. It received information on this from the National CERT.


Inbox of one of the email accounts offered on the market – Anonymous Source (Screenshot)
An ad, worth $10, selling email account linked to public gas company Srbijagas surfaced online. BIRN inquired about the incidents, but Srbijagas did not respond to our questions.


Conclusion in the Commissioner’s report on the oversight – Bezbedan Balkan (Screenshot)
After being informed of the incidents in early April, the Commissioner for Information of Public Importance and Personal Data Protection initiated a review of Elektroprivreda’s information security and safety protocols. Taking into consideration the technical limitations of the review, as well as measures the public enterprise has in place, the Commissioner was not able to identify any harm related to personal data handled by the company. Responding to BIRN, Elektroprivreda Srbije dismissed the claims concerning the breaches as inaccurate.

Reluctant to report

Since January last year, according to Markovic, email accounts related to Elektroprivreda Srbija, EPS, have been compromised at least 15 times.

But EPS told BIRN this was untrue.

State-owned telecoms provider Telekom Srbije also said the email accounts of its employees were secure, as did the National Employment Service. Srbijagas did not respond to a request for comment for this story.

Only grid operator Elektromreza Srbije confirmed an incident involving a compromised corporate email account.

Alerted by the state CERT – the regulatory authority for electronic communications and postal services – to a case of phishing, Elektromreza Srbije said it “blocked the account, examined the activities on the system of the compromised user, changed the passwords and initiated additional training on information security and potential threats”.

CERT, however, has no authority to monitor the implementation of such security measures. That rests with the Ministry of Information and Telecommunications, which has just one inspector dedicated to the task.

Last year, leading cybersecurity firm Kaspersky tracked posts on the dark net offering access to compromised corporate data and found some 260,000 passwords, PIN numbers and other biometric data belonging to users in Serbia, though without identifying specific companies.

According to Kaspersky, the mere appearance of a corporate email address on the dark net, even without a password, already puts the security of the organisation in question at risk.

“The attack surface within its infrastructure increases as the number of potentially vulnerable targets grows,” Kaspersky told BIRN. “The public availability of corporate email addresses can pique the interest of cybercriminals and trigger discussions on dark net resources such as forums, messengers, onion sites, and more, regarding potential attacks on the organisation. Additionally, a corporate email address is more likely to be used for phishing and social engineering purposes.”

Kaspersky’s investigation also revealed a worrying lack of corporate preparedness and a tendency to deny claims that their protections have been breached.

This was also documented by the Serbian State Audit, which reported in xxxx that public enterprises and the state administration are reluctant to report incidents to CERT. A lack of awareness about whom to turn to and a fear of the hit to a company’s reputation are among the reasons why.

This is worrying, said Bojan Perkov, digital policy coordinator at SHARE Foundation, which works to promote and protect digital rights.

“Unauthorised access to email accounts and their abuse can be an entry point for other, far more serious attacks,” Perkov told BIRN.

“If the same combination of credentials – let’s say email, username or password – was used for multiple accounts, of which some contain highly sensitive information such as a large database with the details of private citizens, this can be quite damaging. The attacker can also continue to abuse the email address for phishing schemes and social engineering in order to gain further access to the system.”

Phishing for employees

It’s not only companies that are reluctant to admit to cybersecurity breaches. Employees are also often unwilling to admit they may have unwittingly compromised their employer.

“A member of staff said that she received an email, but did not click on it. But her computer was blinking,” an employee in the IT department of a Serbian public company told BIRN, speaking on condition of anonymity.

The case in question was phishing. A bot introduced itself as an administrator to a staff member, and the email she received contained a link which allegedly led the person to change the password.

“It took us a month to solve the problem,” the IT employee said. “First, the Outlook file, where the emails were stored, started duplicating her emails. Once that was fixed, suddenly she couldn’t receive any emails, then the ports would get mixed up, the configuration I set up would turn off. I thought we could just repair the file, but ended up taking down the entire system of her computer.”

The use of an official email address for private purposes is one of the most common mistakes made by employees in public companies and institutions, CERT told BIRN.

“This leaves them particularly vulnerable to phishing attacks and social engineering. Also, sending sensitive and private data via instant messaging apps, such as Viber and WhatsApp, can have similar undesirable consequences.”

Most email accounts of Serbian public enterprises sold on the black market used Outlook’s Web App.

“The problem with this, or any other webmail app accessed through a browser, arises when the user chooses the option for remembering the password,” said another IT employee at a Serbian public institution, who also spoke on condition of anonymity.

“The browser on the computer or laptop doesn’t have any additional protection when someone accesses their account through remembered credentials,” he said. “Once the computer is infected with a virus, the data will become available. And since most institutions attempt to network all their computers, the virus spreads really fast within the system and can collect their accounts.”

In the case of EPS, Markovic informed authorities about the compromised emails, but only the Commissioner for Information of Public Importance and Personal Data Protection took any action, he said. Limited in the degree it can inspect, the Commissioner also failed to find any issue.

“Given this outcome, we can only say that this problem is being ignored,” Markovic said.

Chatty Machines: Can AI Language Models Pass the Turing Test?

As artificial intelligence, AI, continues its rapid advancement, language models are becoming increasingly sophisticated, capable of producing text that closely resembles human conversation.

Take the impressive GPT-3.5 architecture, which features models like ChatGPT, developed by OpenAI in San Francisco. However, as these models become more human-like, questions arise about their ability to pass the famed Turing test, proposed by the visionary mathematician Alan Turing, often hailed as the father of modern computer science.

Let us delve into the concept of applying the Turing test to Language Learning Models, LLMs, and explore the potential implications of this endeavor.

The Turing test, conceived in 1950, initially known as the “Imitation Game” serves as the gold standard for estimating a machine’s capacity for intelligent behaviour. In this evaluation, a human judge engages in a natural language conversation with both a machine and another human. If the judge is unable to reliably differentiate between the machine and the human, the machine is deemed to have passed the test.  The emergence of language models like GPT-3.5 has sparked discussions about their potential to pass the Turing test.


Photo: Pexels

On a hot summer day, in the Centre for the Promotion of Science in Belgrade, we applied the Turing test. Guided by Danica Despotovic, a data scientist, and an expert from the Serbian AI Society (SAIS), our experiment involved 14 participants who were tasked to determine whether the answers to specific questions were provided by a human or a machine.

Evaluating LLMs using the Turing test requires careful preparation. Models like ChatGPT are trained on vast amounts of (our) internet data labeled by workers in low-income countries to generate text that mimics human conversation, but they supposedly lack genuine understanding and consciousness. Instead, they rely on patterns and statistical associations. Assessing their performance on the Turing test demands a comprehensive examination of their contextual comprehension, empathetic capabilities, and proficiency in engaging in nuanced, natural conversations. We must evaluate not only the quality of their responses but also their capacity to exhibit authentic human-like understanding.

To put ChatGPT to the test, Danica, our SAIS expert, provided the guidance to participants with selected prompts designed to challenge its capabilities.  The following limitations that surround ChatGPT were considered:

  1. Time-sensitive information: ChatGPT’s knowledge is limited to data available up until September 2021. Therefore, questions concerning events or developments after that time are beyond its reach. For instance, it cannot answer questions about the winner of the 2022 Wimbledon tournament.
  2. Personal and subjective experiences: ChatGPT lacks personal experiences and emotions. It struggles to respond convincingly to questions asking for subjective opinions or personal perspectives. Questions like “How are you?” or “How does vanilla taste” or profound philosophical inquiries about the meaning of life or the nature of consciousness are challenging for ChatGPT.
  3. Highly specialized or technical knowledge: While ChatGPT is well-versed in a wide range of topics, there are specialized domains where its knowledge may be limited. Complex scientific, medical, or technical questions might require expertise beyond its capacity.
  4. Predictions and speculative questions: While ChatGPT can offer plausible outcomes based on available information, questions regarding future transportation dominance, the impact of AI on the job market, interstellar travel possibilities, and the outcome of conflicts and political disputes receive generalized responses. In all honesty, neither can humans provide better answers, but still…
  5. Time-related questions: Queries about future weather forecasts (What will the weather be like next week?) or the specific timing of job application responses are beyond ChatGPT’s abilities..
  6. Context: asking ChatGPT a question that requires it to be aware it is a part of the “imitation game” might lead to the chatbot to “hallucinate” in order to provide some answer.


Photo: Pexels

Armed with these and similar questions, the 14 human participants prepared for a tough battle. Amazingly, humanity emerged victorious –at least in that moment! In over 70 per cent of cases, our observing team members successfully distinguished between human and machine answers. Maybe it was a stroke of luck, but we had indeed equipped ourselves with every possible strategy to outsmart ChatGPT.

Now, let’s imagine a different scenario. What if we had asked less biased questions? Perhaps, in that case, ChatGPT would have passed the Turing test with flying colours. The implications of such an achievement are profound. It would blur the line between human and machine interactions, impacting fields such as customer service, journalism, and even interpersonal relationships. It will give rise to trust issues and ethical dilemmas, necessitating careful regulation and ethical considerations. Moreover, the widespread use of advanced language models will lead to the dissemination of misinformation and deepen societal divisions if not handled responsibly.

The application of the Turing test to language models opens up captivating discussions about the boundaries of machine intelligence and its potential impact on society. However, it is crucial to view the test as one evaluation metric among many, and a passing score should not be seen as an absolute measure of machine (non)intelligence.

As we navigate this technological frontier, we must approach the evaluation of LLMs with care, recognizing the complexities involved and placing ethical considerations at the forefront. By working toward responsible and ethical AI deployment, we can ensure that these powerful tools are developed and employed in ways that truly benefit society as a whole.

Branka Andjelkovic is co-founder and Programme Director of the Public Policy Research Center, a Belgrade-based think tank.

The opinions expressed are those of the author and do not necessarily reflect the views of BIRN.

Opening the Black Box of Govt Data Protection Practices in Serbia

Every now and then, I check a tweet posted in June 2020 just to see if it’s still online. It is. Featuring a 15-second video, its caption in Srebian reads: ‘Accident in front of the government of Serbia’.In the clip, a speeding passenger car crashes into a minivan, causing, it later emerged, multiple fatalities.

We should be used to attention-grabbing content on social media by now, and even aware that an economy built around advanced technologies “treats human attention as a scarce commodity, as a United Nations-commissioned report says, ever seeking to maximise engagement. There are some means we can use to avoid particularly disturbing items online, but all we really have is good old self-restraint.

Controlling one’s own online behaviour – clicks, likes, and alike – is also one small step on a long and tedious road to protecting our privacy and personal data that we now know is what feeds multi-billion-dollar global businesses whose services we use ‘for free’.

But mindfulness shouldn’t be our best recourse when we use public services, surely?

Government institutions, agencies and authorities should run privacy-by-design operations, as they handle vast amounts of citizens’ data on a daily basis, providing no opt-out choice. We are obliged to lay out our personal data to them, and they are obliged to keep it safe, online or off.

Since August 2019, these operations in Serbia are required to comply with provisions of a new personal data protection law [passed nine months earlier, with a grace period for compliance], largely copy pasted from the appropriate piece of legislation in EU law on data protection, called the General Data Protection Regulation, GDPR. This EU regulation has set groundbreaking standards of data protection globally, its provisions applying to technical and organisational procedures, defining virtually all the ‘whys’ and ‘hows’ in handling citizens’ data, whether stored on a cloud system or in a paper file.

If the similar provisions from the Serbian 2018 law were applied, we would probably never see the tweet posted in June 2020.

Lack of transparency

Presdient of the Federal Office for the Protection of the Constitution, Hans-Georg Maassen, speaks at the Hasso-Plattner-Institute in Potsdam, Germany, 19 May 2014. Photo: EPA/RALF HIRSCHBERGER

The disturbing video of a car crash in front of a key government institution wasn’t taken on the street by an accidental witness. It is clearly marked as the video feed from a traffic surveillance camera. There are visible tags in the top corners of the feed, a date and time stamp in one and the camera’s number and location in other. But it wasn’t a leak either, at least not in the strict sense of a piece of original data leaking out of the system. Someone with physical access to the traffic monitoring room took their smartphone and recorded the broadcast from the computer screen. There’s another visible tag in the left upper corner, this one showing the name of the specific application, with the word ‘server’ in parentheses.

In Serbia, personal data governance often seems like an algorithmic ‘black box’ – a complex system whose inputs and inner workings are not visible or sometimes even comprehensible.

The internal processes are plagued with lack of transparency, while public access to information is thwarted. We manage to learn of the government’s data protection practices mostly by accident. Luckily, there are plenty. From the reckless disregard for legal obligations that exposed the personal data of almost the entire adult population of Serbia in 2014, to the intentional evading of protections laid out in the Constitution to access user communication data of four major telecommunication service providers.

To be fair, these things happened before the new data protection law replaced the old one, known among specialists as the legislation that had practically never been applied.

Times have changed, and expectations as well. Reading about fines issued by national privacy regulators and data protection officers, to both private and public organizations, somewhat shifted our perception. Knowing that we now have the same legal standards as those used to severely penalise an EU-member tax authority after it was hacked, for its deficient security practices, is bound to change procedures in Serbian public institutions too. Or is it?

Serbia does have “a relatively developed legal framework of personal data protection”, said Ana Toskic Cvetinovic, executive director of the Partners Serbia organisation, and an experienced privacy protection expert.

Besides specialising in the field, teaching at the National Academy of Public Administration, and producing a body of analysis and policy recommendations, Toskic Cvetinovic also took part in the working group that prepared a new government strategy for personal data protection. The public hearing on this key strategic document was recently concluded, “and it remains to be seen whether it will contribute to improving the situation,” Toskic Cvetinovic told BIRN.

“The main problem is that the 2018 law assumed some legal solutions from EU legislation – such as the GDPR and the so-called Police directive – that are not applicable in the Serbian legal framework.”

“In addition, although both the Law and the Action plan for Chapter 23 [Judiciary and Fundamental Rights] of the EU accession negotiations stipulate that all sectoral laws should be harmonised with the data protection law; this work has not even started yet. All this complicates applying the regulations, in both public and private sectors, and also leads to legal uncertainty for citizens.”

Who will have access?


Photo: Pixabay

Personal data protection is increasingly a topic of discussion in Serbia, at least in part thanks to the 2018 law, which has certainly improved the domestic normative framework, imposing new obligations on data controllers and processors, and introducing new rights for citizens whose data is processed. But these novelties have not fully taken root in practice, Toskic Cvetinovic said.

“There’s more awareness, in both private and public sectors, of their legal obligations,” she said. “Unfortunately, there are also those who knowingly violate the rules, deciding that the abuse of citizens’ data is more profitable than complying.”

Toskic Cvetinovic underlines that the sanctions provided under Serbian law “are lenient, and the criminal-legal protection is ineffective, thus sending a message to data controllers that non-compliance would not actually entail any serious consequences.”

In particularly, she points to the large systems of state administration that process massive volumes of personal data, while they have honest difficulties in applying protection measures. At the same time, politicians and decision-makers in the public sector keep pushing for rapid digitalisation of public services. Without adequate technical infrastructure and human capacities, this can only increase the risk to citizens’ rights, said Toskic Cvetinovic.

Global dilemmas and debates around increasingly intrusive technologies that expose human rights and civil liberties to grave risks, especially when using these technologies in critical areas such as policing, border control, judiciary, or healthcare, indicate the urgent need for additional regulation. And most definitely for stricter oversight.

But as I was pondering the introductory passage to this article, the latest clip from a traffic surveillance camera in Belgrade showing a car crash was launched into social media circulation. Again, the video feed was recorded with a smartphone from a screen in the traffic monitoring room.

A new round of consultation on the improved version of a draft law on police has been launched, after two failed attempts to legalise a smart video-surveillance system in public spaces. It would be the kind that is capable of automatically detecting and recognising faces, identifying people by their body postures, and tracking and recording their movement in real time. Certainly, far beyond the capabilities of a plain old traffic camera. Who will have access to such systems with their smartphone?

Balkan Mobile Users Roam Freely – Unless They’re in Kosovo

During the second Western Balkans Digital Summit in the Serbian capital Belgrade in 2019, six Balkan nations committed themselves to providing their citizens with a consistent mobile internet experience throughout the region.

This commitment pledged equivalency in cost, quality and speed of mobile internet services with domestic services, with a clear stipulation of no surcharges. The ultimate goal was to render mobile data usage within the region effectively free of extra cost – essentially mirroring domestic retail rates for calls, messages, and data.

The Regional Roaming Agreement – a so-called ‘roam-like-at-home’ scheme like the one that operates within the European Union – is considered to be a significant achievement of the Digital Agenda for the Western Balkans, the EU-backed digital transformation project for the region, because it promotes regional cooperation and alignment with the EU’s regulatory framework on roaming.

But despite these progressive intentions, two years into this agreement, many Western Balkan consumers continue to face extra charges when using mobile data in other countries in the region.

While the initiative seems good for most of the Western Balkans, Kosovo’s mobile users cannot use their cellphones throughout Kosovo itself – although they can use them roaming in other Western Balkans countries.

Kosovo has a total of three telecommunications companies, but none of them can function properly throughout the country’s territory due to the ongoing conflict with Serbia.


Western Balkan Ministers for Telecommunications signing the agreement in Belgrade to gradually remove all roaming costs in the region. Photo: Information Society Ministry of North Macedonia.

Coverage limited in northern Kosovo

All telecoms operators from Serbia told BIRN that the implementation of the roam-like-at-home agreement functions in Kosovo similarly to the way it does in other countries. 

Usage rises after roaming deal begins

The Western Balkans Roaming Report by the Regional Cooperation Council, RCC analysed international roaming services in Albania, Bosnia and Herzegovina, Kosovo, Montenegro, North Macedonia and Serbia in 2021. It revealed that roaming users in the Western Balkans made outgoing calls lasting about eight times longer within the Western Balkans region compared to when they were the European Economic Area, EEA. Western Balkans users also consumed approximately seven times more data services within the region than while roaming within the EEA.

The report highlighted the countries with the highest inbound and outbound roaming usage and the differences in wholesale revenues and costs between EEA and Western Balkans operators. While EEA operators had higher average wholesale revenues per unit, the gap was narrower for SMS and data services due to high international mobile termination rates.

The implementation of the roam-like-at-home initiative on July 1, 2021 resulted in a significant increase in average consumption per Western Balkans user while roaming, highlighting the price sensitivity of Western Balkans roamers. 

Voice call duration and data consumption per user experienced substantial growth in the second half of 2021, except for Montenegro. Increases ranged from 45 per cent in Kosovo to 237 per cent in Serbia for call duration, and from 62 per cent in Albania to 459 per cent in Serbia for data consumption.

Western Balkans users utilised approximately eight times more outgoing call minutes while roaming within the Western Balkans region compared to the EEA. This ratio increased elevenfold in the fourth quarter. Data consumption per user while roaming in the region was about seven times higher than that of EEA users. 

Montenegro had the highest usage of roaming services among the Western Balkans countries.

Western Balkans users generated 3.4 million GB of data traffic while roaming in the Western Balkans region in 2021, a 45 per cent increase compared to the previous year and more than double the volumes of 2019. Data roaming consumption in the EEA reached 427,000 GB in 2021, 2.6 times higher than in 2020 and 40 per cent higher than in 2019.

However, Ipko Communications, a major mobile provider in Kosovo, only has an agreement with the A1 mobile provider in Serbia, while Telekom Kosovo, operating as Vala, has agreements with all operators in the Western Balkans except for Serbia, where it only has an agreement with Yettel. This means that when they are in Serbia, Vala or Ipko users can use their phone only when connected to the network of the one company with which Vala or Ipko have a contract.

Three companies operate in Kosovo — IPKO Communications, Vala (Telekom Kosovo), and MTS DOO, an affiliate of Telekom Srbija that operates in the northern part of Kosovo where the majority of the population are Serbs.

Kosovo’s Regulatory Authority of Electronic and Postal Communications, ARKEP, told BIRN that MTS DOO “has a temporary and limited authorisation to extend the infrastructure issued by ARKEP, based on the Telecommunications Agreement, and offers services only in certain areas where the Serbian community lives, and mainly in the north of the country”.

The Telecommunications Agreement referred to by ARKEP was first signed by Kosovo and Serbia in Brussels in 2013 as part of their EU-mediated dialogue to normalise relations, followed by an action plan on telecommunications that was signed in 2015.      

MTS however “has no right to expand/extend the mobile phone network”, ARKEP told BIRN.

Users of Kosovo’s telecommunications operators can use their phones in other Balkan countries in accordance with the roam-like-at-home agreement, in the same way that Serbian users can in Kosovo.

Northern Kosovo is an exception, however. Mobile operators in Kosovo, excluding MTS DOO, have limited coverage in the northern, Serb-majority municipalities, resulting in restricted or completely disabled telecommunications services. 

One man from Belgrade, Vuk V., who didn’t want his full name to be made public, said he spent several days in Kosovo last month, travelling from the north to Prizren and Pristina.     

“At no point was it possible to use Serbian MTS [the Serbian provider rather than the service for north Kosovo provided by MTS DOO], while Kosovo networks could be used but with a tariff that was not explained anywhere. In some parts of Kosovo, there was no signal for any of the networks,” he said. 

MTS DOO did not respond to BIRN’s questions. 

Kosovo citizens often face difficulties in the four Serb-majority municipalities in the north of the country due to the limited coverage offered there by Kosovo telecom companies Vala and Ipko. It is often not possible to connect to the MTS DOO network for those who have a mobile phone number from either Vala and Ipko. Because the area is within Kosovo, roaming does not function either. 

When a BIRN reporter visited the north of Kosovo, she had to purchase an MTS DOO simcard. However, whenever there are sudden escalations of tensions in the north of Kosovo, it becomes difficult to buy MTS DOO simcards or internet packages. 

Vala told BIRN that in the northern municipalities of Mitrovica e Veriut, Zvecan, Leposaviq/Leposavic and Zubin Potok, the Vala (Kosovo Telecom) mobile service does not work due to limited network coverage in these areas. 

Vala said that the following coverage is available in northern Kosovo:

  • Zubin Potok: Most parts of the city, Lake Ujmani and the road to the border crossing point in Bernjak have 3G coverage. The border point in Bernjak has 4G coverage. Internet and IPTV service are available at specific institutions in Bernjak, such as Kosovo Customs, the Post Office and Raiffeisen Bank. 
  • Leposaviq/Leposavic: The border point in Jarinje, a section of the Jarinje- Leposaviq/Leposavic road, and a section of the Mitrovica- Leposaviq/Leposavic road have 3G coverage. However, the town of Leposaviq/Leposavic itself does not have reliable 3G coverage, and 4G technology has not been implemented yet. Cable internet is not available in the municipality. 
  • Zvecan: Zvecan has partial coverage from base stations in Mitrovica, but the city itself does not have satisfactory coverage. There is no cable internet coverage in Zvecan. 
  • Mitrovica: The municipality is mostly covered by new technologies from base stations in South Mitrovica. However, one base station within the municipality only operates with 2G technology. There is partial cable network coverage and fixed services in certain areas and institutions, such as the neighbourhood of Boshnjakeve.

As Vala explained, Kosovo Telecom has an agreement with Serbian companies for international roaming, but this agreement only allows roaming services within Serbia, not within Kosovo. 

“Therefore, [users of] Vala numbers can only use mobile phone services via roaming in the territory of Serbia, where their roaming partner has network coverage,” the company said.

ARKEP told BIRN that “mobile operators Kosovo Telecom (Vala) and IPKO have the authorisation from ARKEP to extend the infrastructure and provide services throughout the territory of the Republic of Kosovo, including the northern municipalities”. 

In February 2023, ARKEP also gave additional capacities – 800MHz and 3.5GHz frequency bands – to Kosovo Telekom and IPKO.

Vala said that investments are being made by Kosovo Telecom to modernise its network and expand coverage to areas including the four Serb-majority municipalities in northern Kosovo.

ARKEP said that during the second part of 2022 and the beginning of 2023, “there has been an effort and a joint plan of operators with support from the Ministry of Economy and the Ministry of Internal Affairs, for investments in the northern part, for which several masts and base stations for providing services have been established”. 

“Also when it comes to the extension of the mobile phone infrastructure in the northern part of the country, operators also need additional security for their infrastructure, since at various times their telecommunications infrastructure has been deliberately damaged by unscrupulous persons,” ARKEP said. 

In 2010, some of IPKO’s infrastructure in the north of Kosovo was damaged. However, IPKO did not respond to BIRN’s questions regarding the current situation in the northern municipalities by the time of publication.


Illustration: Unsplash.com/Jackson David.

When ‘free’ doesn’t mean free

While the roam-like-at-home initiative says that the same package rates should apply when used at home or when when travelling to other Western Balkan countries, data usage is limited to amounts significantly lower than in the country of the mobile user’s origin. 

The Regional Roaming Agreement’s principles

Article 1 of the Agreement on the Reduction of Roaming Charges in Public Mobile Communication Networks in the Western Balkans region stipulates that the signatories commit to bringing the maximum retail price of roaming charges in line with the ‘roam-like-at-home’ principle, similar to the rules applicable in the European Union, by July 1, 2021. 

The agreement’s introductory provisions state that the terminology used in legislation in the six countries should align with the definitions provided in relevant EU regulations on roaming. These include definitions of fair use policy. 

According to Article 4 of the agreement, the regulatory bodies for electronic communications in the Western Balkans are responsible for implementing the agreement. Article 6 states that the signatory countries must make necessary amendments to their electronic communications laws and regulations to achieve the objectives outlined in the agreement, including aligning consumer protection policies with EU standards. 

During the EU-Western Balkans Summit in Tirana last December, telecommunications operators from both the EU and the Western Balkans signed a Declaration on Roaming. This declaration aims to reduce roaming prices between the EU and the Western Balkans and is scheduled to come into effect on October 1, 2023.

The roam-like-at-home initiative implemented in the Western Balkans from July 1, 2021, was envisaged as a pathway to making the region free of roaming charges. This step was part of a grander scheme to prepare the region for a similar arrangement with EU member countries in autumn 2023. 

The roam-like-at-home initiative limits a roaming call’s cost to a maximum of 19 euro cents per minute, the cost of an SMS to six euro cents, and data transmission to 18 euro cents (all prices excluding VAT). But these rules exist more on paper than in practice.

BIRN sought answers from national regulatory authorities and mobile operators in each Western Balkan country to decipher the reasons behind the persistent additional charges still plaguing many users while using roaming within the region.

Calls and SMS messages are treated the same when roaming as they are at home, and users can fully utilise the allocated amount within their tariff package, the regulatory authorities said. Once the allocated amount is exhausted, calls and text messages are charged according to their telecommunications operator’s domestic price list. 

However, when it comes to data transmission when roaming within the Western Balkans region, a different approach is implemented. Depending on their tariff package, users are granted a specific quota for data transmission within the region.

For example, if a user is in any of the Western Balkan countries and makes a call to a number in Montenegro, regardless of which Montenegrin mobile provider the number belongs to, the minutes used are deducted from the package allocated for calls to other networks. If those minutes are used up, the call is charged according to the price list for calls to other networks in Montenegro provided by its mobile operator. The same principle applies to SMS messages to numbers in Montenegro. 

When it comes to enjoying the benefits of ‘roam-like-at-home’ in Western Balkan countries, whichever foreign network is chosen when roaming, the same benefits apply because all operators comply with the Regional Roaming Agreement.


Illustration: Unsplash.com

The rules of the roam-like-at-home initiative also include a policy of appropriate use. Users should be aware of limitations regarding data transmission services in regional roaming for specific domestic tariff packages, where there is a specified amount of data that users can use in regional roaming. If this limit is exceeded, an additional roaming fee is incurred.

This mechanism aims to prevent misuse and inappropriate use of data transmission, the regulatory authorities said. The quota is defined based on the guidelines outlined in the Rulebook on the Application of the Appropriate Use Policy which was adopted as part of the Regional Roaming Agreement. 

For example, using roaming in another Western Balkans for at least four months, rather than starting to use the country’s own mobile providers, would be seen as inappropriate use. 

In such cases, the mobile operator warns the user and provides a 15-day deadline to change their usage pattern. After this period, the operator can start charging an additional roaming fee based on the domestic retail price of mobile communication network services. 

This fee is discontinued as soon as the user’s consumption no longer indicates any risk of misuse or inappropriate use of regional roaming services, based on indicators determined under the Regional Roaming Agreement by the Regulation on the Implementation of the Policy of Appropriate Use. 

The limits to roaming

The Montenegrin Agency for Electronic Communications and Postal Services said the Regional Roaming Agreement’s Fair Usage Policy should allow roaming service providers to prevent malicious or excessive use of roaming services, ensuring that roaming is used solely for periodic travel purposes.      

The Regional Roaming Agreement sets out pre-defined and binding rules for consumption, tariffing, terms and conditions and traffic volumes in the Western Balkans. All operators in the region must adjust their prices and terms for using roaming services in Western Balkan countries based on the prescribed prices and conditions outlined by the regulations adopted under the agreement. 

Bosnian mobile operator HT Eronet told BIRN that there are significant costs associated with roaming services, and the Bosnian regulator has defined the charging and cost structure that it can implement. 

If a user’s domestic tariff includes a specific amount of minutes, text messages or data traffic to other mobile networks in Bosnia and Herzegovina, those resources will be used up in the same way on roaming as at home. In all six countries, certain tariffs or options provide users with a defined quantity of data traffic for roaming in Western Balkan countries without additional roaming fees. 

Montenegrin mobile operator One Montenegro said that the national electronic communications service regulators in the countries signed up to the roam-like-at-home agreement are responsible for implementing and monitoring the agreement’s enforcement. 

The regulations of the Regional Roaming Agreement establish maximum prices and define formulas that operators must use when creating service packages which can be used in Western Balkan countries. 

The Serbian regulator, the Regulatory Agency for Electronic Communications and Postal Services, RATEL, said that the limit on the number of days during which customers can use roam-like-at-home services aligns with the fair usage policies of operators to prevent abusive or abnormal use of roaming services. 

That means mobile operators offer roaming services with packages at domestic prices only for occasional travels to other Western Balkan countries.

The Body of European Regulators for Electronic Communications, the umbrella body representing telecommunications regulators in EU states, said it is “regularly collecting data regarding the roaming market in [the Western Balkans] and publishing a monitoring report which is an analysis of the data received”.

It added that it has not received any complaints.

Share Your Experience: Social Media Company’s Content Removal During Turkish Elections

During Turkey’s key May elections, were your posts removed or restricted by Meta (Facebook and Instagram), Twitter or YouTube?

Were your posts marked as against community standards or was the decision taken due to Turkish court cases? Do you think that the assessment was fair?

We are looking for people, from media organisations to ordinary citizens, to share their experiences with us to help with a story that we are working on. Scroll down for information on how to take part.

The key things we want to know:

  • We would like to have insight into how many of your posts were removed, restricted, or flagged.
  • What was the reason for this?
  • We would like to have screenshots of your post/s, and social media companies’ assessment for their decision.
  • Was the assessment fair and well-explained?

How to take part?

To submit your experience, just fill out the form available here.

You can also contact us via email: readerstories@birn.eu.com

Or you can reach us on social media:

FB: @balkaninsight

TW: @balkaninsight

IG: @balkan_insight

Meagre Resources Leave Montenegro Exposed to Cyber Threats

First they blamed Russia, then a gang called Cuba Ransomware. Months later, authorities in Montenegro still have no definitive answer as to who was behind “unprecedented” cyber-attacks in August last year targeting a host of government services.

Whatever the answer, experts say Montenegro remains just as vulnerable to such attacks, citing a shortage of talent and a lack of investment in cybersecurity.

With more attacks likely, the country should take advantage of its status as a newly-minted member of NATO to enlist outside expertise, say some.

“Montenegro is a NATO member, and we should seize the opportunity to invite experienced experts from NATO countries,” said veteran IT system engineer Ivan Bulatovic.

“They can help us make a plan, acquire the necessary equipment and train personnel to successfully deal with the cyber-attacks that await us in the future.”

Perpetrator still unknown

The attacks of August 22 last year compromised a string of public services, including the websites of the government and the Revenue and Customs Administration.

According to the Ministry of Public Administration, 17 “information systems” in 10 institutions were infected, with 150 computer directly affected.

Four days later, the National Security Agency told reporters that Russia was to blame, but offered no evidence. Then, Public Administration Marash Dukaj told Montenegro’s public broadcaster that it was in fact the work of a cybercriminal extortion group by the name of Cuba Ransomware.


Cuba Ransomware group posted it hacked Montenegrin Parliament data. Photo: Printscreen/securityweek.com

“This group has created a special virus for this attack, a virus that cannot be created in a month, and perhaps not even in a year,” Dukaj said at the time. “These attacks were planned over a lengthy period of time; the very creation of the virus cost about $10 million and it has not been used anywhere so far.”

What is Cuba Ransomware?

Cuba Ransomware is recognised as a major hacker group, collecting more than $60 million in ransom since 2019.

However, the US Cybersecurity and Infrastructure Security Agency, CISA, says “there is no indication Cuba Ransomware actors have any connection or affiliation with the Republic of Cuba.”

More than six months later, the National Security Council announced that, “given the specific nature and complexity” of the attack, it had been unable to determine exactly who was the perpetrator, despite the assistance of the FBI in the United States and the French National Cybersecurity Agency, ANSSI.

Bulatovic said the confusion only reinforced a perception that the authorities are at a loss to respond.

“It has not yet been announced what exactly happened, which systems were or are still compromised, how much and which data was lost, and what is the plan to prevent this or similar attacks in the future,” he said.

“The impression was that there was no plan of how to deal with such an attack, even though this type of incident is far from unusual in today’s world and happens on a daily basis.”

The Ministry of Public Administration rejected the criticism, telling BIRN: “We informed the public on several occasions that we had backup data from information systems and that the data was recovered through the restore procedure.”


Timeline: BIRN/Igor Vujcic.

Shortage of expertise

Experts say the mixed messages and lack of answers reflect serious shortcomings in Montenegro’s system of cybersecurity.

The Computer Incident Response Team, CIRT, a state cybersecurity team, has just seven employees, while nine officials work in the Directorate for System and Information and Communication Infrastructure. That’s the extent of Montenegro’s cybersecurity manpower when it comes to general defence of the public administration.

Dusan Polovic, director general of the Directorate for Infrastructure, Information Security, Digitisation and e-Services in the Ministry of Public Administration, conceded there were issues with the hiring and retention of staff, in particular because of the pay disparity between the public and private sectors.

Polovic said that a government decision to hike the basic pay of IT professionals in the public sector by 30 per cent had helped “to a certain degree”.

Even then, a typical salary for an IT professional on the public payroll rarely exceeds 1,000 euros per month, compared with a starting rate of 1,300 euros offered by private companies.

“Depending on one’s experience and seniority level, the salary can go all the way to 5,000 or even 6,000 euros per month,” said Danilo Nikovic, owner of the recruitment and human resources consultancy Millennial Consulting.

Most find work abroad or work online for foreign clients, he said. “This profession is in short supply everywhere in the world and therefore very well paid.”

Marko Lakic, an expert witness for the IT sector, said that Montenegro has cybersecurity experts, but only a handful work in state institutions.

“People who work as public officials cannot cope with digital security challenges,” Lakic told BIRN. “The state simply cannot pay experts as much as they can earn in the private sector.”

‘Basic’ digital maturity

Montenegro’s own Cybersecurity Strategy for the period 2018-2021 cites an “insufficiently developed awareness of the importance of investing in cybersecurity at the highest management levels.”

While many countries struggle with a lack of cybersecurity experts, the strategy states, the problem is more acute in Montenegro, which has a population of just 630,000 people.

Last year, a report by the European Bank for Reconstruction and Development, EBRD, characterised Montenegro’s level of “digital maturity” as “basic”.

It recommended adjusting educational curricula and introducing testing and certification of all civil servants using digital systems; the country should also introduce cybersecurity requirements for all digital service providers, not only in the public sector, it said, and ensure close coordination on security controls and practices.

Indeed, experience in the region shows that such attacks are only becoming more common and severe.


Dusan Polovic is the Director General of the Directorate for Infrastructure, Information Security, Digitization and e-Services in the Ministry of Public Administration. Photo: Gov.me

In September last year, just after the attacks on Montenegro, the Slovenian defence ministry and police were also targeted, though no critical systems were affected after authorities scrambled to contain the incident. The same month there was an attack on the state-level parliament and several other institutions in Bosnia and Herzegovina, rendering thousands of civil servants unable to carry their work.

Then in January, multiple institutions in Serbia came under cyber-attack, including domains under the jurisdiction of the main intelligence body, BIA. The hacker group Anonymous claimed responsibility.

Cybersecurity Ventures, one of the world’s leading publishers in the field, predicts the annual cost of global cybercrime will reach $10.5 trillion by 2025, up from $3 trillion in 2015.

Ban on browsing?

Eight months after the attacks in Montenegro, some digital services are still not functioning.

Polovic told BIRN that the only system under the Ministry of Public Administration that remains affected is the Open Data Portal, where public administration bodies can publish data in an open format.

But BIRN was unable to access a number of others, including Covid Odgovor.me, the Government’s website in charge of publishing the latest news on COVID-19 and Vertical and oblique ortho shots at the Ministry of Ecology, Spatial Planning and Urbanism.

According to the National Security Council, reports on the August 2022 attacks “contain a large amount of data important for the improvement of cybersecurity in Montenegro.” It did not specify who authored the reports, though the Council received input from the FBI, ANSSI and Montenegro’s own Council for Information Security. 

The Ministry of Public Administration told BIRN that the reports were “classified in such a way that we do not have the authorisation to present their content, but that they can be used precisely for the purpose of improving security”.

The FBI declined to comment for this story, while ANSSI did not respond.

Bulatovic said that more attacks were “inevitable” and that Montenegro should look at bringing in private sector expertise, both local and international.

“They can train IT colleagues from the government and the ministries in how to apply the latest attack protection technologies,” he said. 

“In addition, it is important to organise security training for all employees in the public administration, so that they can acquire basic knowledge about cybersecurity and use it in their daily work. For example, they must know how to recognise a fake email.”

Polovic said that that several such sessions had already been organised through the EU’s Cyber Rapid Response project for Montenegro, North Macedonia and Albania, with a focus on incident management and risk analysis. 

He said that the Ministry of Public Administration had also launched multiple educational initiatives that will result “in the provision of expert training in this area.”

In March, the minister, Dukaj, said that the country would soon get a new addition to its cybersecurity infrastructure – the Agency for Cybersecurity. The agency should be founded once a new Law on Information Security is passed by parliament.

“This way, we establish a sustainable system for effective detection and defence against cyber threats and incidents of a high level of sophistication and ensure more efficient and safer functioning of the public administration and economy and contribute to public trust,” Maras said.

Lakic, however, identified a far simpler step – banning public servants and state officials from browsing web portals and watching YouTube content on state computers.

“Even with the existing infrastructure and employees – although I think they are not educated enough – it would greatly improve the security system,” he said. “We could solve over 80 per cent of threats just by making their behaviour more serious and responsible. We don’t even need money for this purpose, as we can do it without any additional investments.”

Bosnia Lacks Capacity to Fight Millions of Cyber Attacks Monthly, Report Warns

The first report on cyber threats in Bosnia and Herzegovina has said the country is facing millions of cyber attacks each month, while lacking the strategies, legislation and capacity to protect its citizens, institutions and companies. 

“During November 2022, a wide range of targets were subject to over 9.2 million distinct cyber attacks recorded in Bosnia and Herzegovina,” it was said on Friday during a presentation of the report compiled by the Center for Cybersecurity Excellence, CSEC, and BIRN. 

With the help and support of the United Kingdom, CSEC monitored the number of attacks using two devices that simulate a digital target.

The most common form of cyber attacks recorded were distributed denial-of-service attacks, or DDoS, which aim to disable or disrupt the functioning of IT systems by bombarding them simultaneously from many different sources. 

“This report also highlights the lack of adequate computer emergency response teams, CERTs, as a key problem in Bosnia, along with the prolonged absence of an effective legislative framework,” it was added during the presentation before the parliament of Bosnia and Herzegovina, whose systems were targeted in attacks in September last year, as well as IT experts and lawmakers. 

CSEC recorded 3.8 million DDoS attacks in Bosnia in November last year alone, with media outlets being frequent targets. In addition to DDoS attacks, attackers often attempted to control computers, as well as exploit various databases and devices with Android operating systems.

However, since only two devices were used to monitor the attacks, the coverage of this threat report is not comprehensive, and it is assumed that the total number of attacks is far higher.

An updated threat report will be published every six months, providing the latest assessment of trends in the field of cyber threats and practical advice on how to protect against them.

New Pegasus Target Identified in Poland

Jacek Karnowski, currently mayor of Sopot on Poland’s Baltic Sea coast, was monitored by state surveillance in 2018-2019 when he was one of the key politicians promoting an opposition alliance to win the Senate elections, according to Friday’s daily Gazeta Wyborcza. (The united opposition did win the Senate in 2019).

“This is a violation of privacy and human dignity,” Karnowski told Wyborcza in response to the revelations. “Those who monitored their political opponents should be brought before the Tribunal of the State.”

Wyborcza says it found Karnowski’s name on a list of monitored individuals made available to multiple media outlets that were part of the Pegasus Project consortium.

According to the paper, the Polish Central Anti-Corruption Bureau CBA tapped Karnowski’s phone 10 to 20 times between 2018 and 2019.

It is impossible to say what data the services took from Karnowski’s phone, Wyborcza reports, because the device was “cleaned up” of data.

In Poland, secret services are obliged to delete data they collect if they do not uncover or confirm a crime during the investigation.

Karnowski is currently head of an alliance of mayors that is a major actor in the coalition of liberal opposition parties confronting the ruling PiS in this year’s parliamentary elections, due in the autumn.

Polish intelligence services used Pegasus until November 2021, after which the Israeli company producing the software, NSO Group, did not renew its contracts with either Poland or Hungary.

This followed media revelations that these two governments used the spyware to monitor journalists and opposition politicians.

Albania Prosecutors Seek to Grill Five Officials Over Cyber-attacks

The Tirana Court has received a prosecution request to arrest and investigate five civil servants over the recent cyber attacks that disabled various state institutions.

Its response was an “investigative secret”, a press statement said on Wednesday.

The prosecution request, which reached the court earlier Wednesday, is related to the crime of “abuse of duty” and accuses the five employees of not implementing safety regulations.

“The IT staff at DAP (public administration) could and should have requested a report from the economic operator contracted by DAP for the implementation and maintenance of the system in time, regarding the state in which this system was located, despite the lack of knowledge about how to implement the contract for the implementation of the administrata.al system,” the prosecution office said.

Albania has been hit by cyber-attacks since July 15, when the governmental portal e-albania was attacked. Since then, the hackers, through their website and Telegram group, both called “Homeland Justice”, have been releasing information, mostly from the police and State Information Service.

The Tirana Prosecution banned domestic media from reporting the content of the leaks in September, a move that was widely condemned by journalists and media watchdogs in Albania as censorship.

The hackers are believed to be Iranian; Tirana hosts a group of exiled Iranian dissidents called the MEK – People’s Mujahedin of Iran. The staff of the Iranian embassy in Tirana were expelled on September 7 over the attacks.

Since then, the hackers have conducted other operations, targeting the Traveler Information Management System, TIMS, on September 19, which caused chaos on the borders.

They also released the emails of Gledis Nano, the former chief of police, on September 19. Data from various databases was released after that, including the personal data of Prime Minister Edi Rama and Helidon Bendo, director of the State Information Service, and his wife.

According to an FBI report, Iranian hackers first accessed Albanian systems 14 months before the first cyberattack was reported on July 15, when government services became unavailable for some days.

“An FBI investigation indicates Iranian state cyber actors acquired initial access to the victim’s network approximately 14 months before launching the destructive cyber attack [in July], which included a ransomware-style file encryptor and disk wiping malware,” the report said.

Serbia Targets Purchase of Powerful Swedish Facial Recognition Software

Serbia’s interior ministry planned to buy Swedish-made facial recognition software last year and still might despite deep concern over the legality of such technology under the country’s current legislation, BIRN can report.

According to the manufacturer, Griffeye Analyze DI Pro has the capacity to recognise faces based only on the eyes and, under certain conditions, even when the eyes are not visible. Experts say it can also download large amounts of personal data from the internet and then search, sort, cross and process it based on metadata such as GPS coordinates, the time when an image was taken or phone serial numbers.

The software, which Europol has used since 2019, was on a ministry procurement wish-list for the third quarter of 2021. The purchase has not been made and the ministry did not respond to BIRN requests for comment. But Serbia’s Personal Data Protection Commissioner, Milan Marinovic, said police were unlikely to pass up the opportunity to acquire such technology.

“The idea was to get that technology by the end of 2021. I am convinced that the Ministry of Interior has not given up on it,” Marinovic told BIRN. “No police in the world would give up on such things because it suits them.”

He questioned the legality under current Serbian law, however.

“We are talking about a global threat that I do not like. The software can also physically track you,” said Marinovic. “In Serbia, we do not have the right to such a sophisticated type of data processing of citizens.”

In September 2020, the interior ministry announced a Draft Law on Internal Affairs containing contained provisions for the legalisation of an extensive biometric video surveillance system. It was withdrawn after public outcry.

“Once the system is in place, it means it will be very difficult to remove and it is an irreversible situation,” said Bojan Perkov of the Belgrade-based SHARE Foundation, which promotes human rights and freedoms online.

Griffeye did not respond to a request for comment, but its website says the software is intended to support investigators working on cases involving the sexual abuse of children. SHARE’s Filip Milosevic said it is a threat to privacy.

“Quick, easy and complete insight into the life of each individual,” Milosevic told BIRN.

“Such tools create very detailed profiles of individuals by crossing absolutely all their existing digital information. This can be information owned by the state, and the police can get access – traffic, cameras, financial system, health, social – complemented by data that citizens leave as a digital trace using devices and the Internet, such as Internet searches, site visits, applications, profiles on social networks, history of shopping, movements, interaction with other people.”

BIRD Community

Are you a professional journalist or a media worker looking for an easily searchable and comprehensive database and interested in safely (re)connecting with more than thousands of colleagues from Southeastern and Central Europe?

We created BIRD Community, a place where you can have it all!

Join Now