From January 26 to May 26, BIRN collected information about 163 cases of breaches of digital rights in Bosnia and Herzegovina, Croatia, Hungary, North Macedonia, Romania and Serbia.
Sixty-eight of the cases related to the manipulation in digital environment, while 25 related to publishing falsehoods and unverified information with the intention to damage someone’s reputation.
BIRN’s monitoring of digital rights, developed together with the SHARE Foundation, has shown that ordinary people were the most affected by such violations, with members of the public being the target in 126 of the cases.
State institutions or state officials violated digital rights in a total of 37 cases, meanwhile.
States rarely addressed the abuses arising from these violations, and in 45 cases, the perpetrators were not identified, while 139 of the total of 163 cases were not resolved.
Eight cases were the result of pressure related to the publication of information, 12 were linked to insults and unfounded accusations and 11 were hate speech and discrimination.
Medical and personal data breaches featured in 18 cases, computer fraud was registered on 11 occasions, while the destruction and theft of data and programs happened in three cases.
Beyond the countries listed above, BIRN noticed an unprecedented rise of digital violations in Montenegro and Turkey, where there were arbitrary arrests and data breaches.
Hackers, data breaches and illegal processing
Infografic: BIRN
Leaked documents, fake websites and the publication of people’s personal and health data have been commonplaces during the ongoing pandemic, but the scale and consequences of the breaches and of the illegal processing of data has yet to be established.
Speculation about the number and identity of COVID-19-infected people led to the mass exposure of personal and private data on social media and messaging platforms. In some cases, the leaks were small in terms of data, but had potentially serious consequences, particularly in situations in which patients’ personal data was revealed.
The most serious cases were reported in Croatia, North Macedonia and Montenegro.
In March in Croatia, a message containing a list of infected patients was shared among people living on the island of Murter, mostly through messaging apps.
Illegal personal data processing and privacy breaches took place in North Macedonia as well. The country’s Agency for Personal Data Protection filed criminal charges against an unknown person for publishing the personal data of people living in the town of Kumanovo.
The public in Serbia became concerned when it was discovered that the login credentials for Serbia’s information system for analysis and storage of health data during the pandemic were publicly available on a health institution website for eight days.
Citizens of Montenegro suffered most from stigmatisation due to a number of leaks of COVID-19 patients’ records. The infected patients’ identities were revealed in posts on social media, sparking hate speech against them.
Individuals who were violated self-isolation measures were also targeted, and often, it was governments that were revealing their personal information.
In Bosnia’s Serb-dominated entity, Republika Srpska, authorities launched a website on which they published the names of people who did not follow the entity’s self-isolation measures. The list can still be found online.
As a measure against the spread of the coronavirus, Montenegro’s government published a list of individuals who were put in self-isolation after returning home from abroad. The lists, structured by municipalities, include the individuals’ names, surnames, the date when they were put into isolation, and their home addresses. The list was only removed a month after it was published.
People were also targeted by hacker attacks and fraudulent messages or emails, usually trying to collect their personal information or request payments to foreign banks or crypto-currency accounts, as cybercriminals took advantage of the public concerns and confusion created by the pandemic.
Scams, phishing campaigns and cyber-attacks exploiting people’s fear of COVID-19 were most common in Croatia, Serbia, Hungary, North Macedonia and Romania. The Romanian cybersecurity giant Bitdefender said in March that such attempts at fraud “have risen by 475 per cent in March as compared to the previous month”, and were expected to keep increasing.
Threats, hate speech and discrimination
Infographic: BIRN
While some countries limited the scope of the freedom of speech during the pandemic, some people used their online freedom to unleash threats, insults, discriminatory posts and hate campaigns.
BIRN’s overview looked at several categories of violations:
- Hate speech and discrimination
- Threatening content and the endangerment of security
- Insults and unfounded accusations
- Falsehoods and unverified information directed towards the damaging of reputations
In total, more than 15 per cent of all the cases that were monitored included one of these violations. The largest number –
This type of online behaviour was often combined with the use of fake accounts and the paid promotion of false content.
The people most commonly affected by the digital violations that were monitored were journalists, medical professionals and people in quarantine.
Discriminatory posts and acts were directed mostly towards refugees, Chinese and Jewish people, women and the Roma community, with the largest number of such cases occurring in Hungary.
Gender-based discrimination was reported in Serbia, where the victims were predominantly politically-engaged individuals and journalists who criticise the government.
Threats and calls for violence against the police in Serbia and Bosnia and Herzegovina were found on Facebook. In both cases, authorities reacted promptly and perpetrators were identified and detained. In North Macedonia two police officers were fined for having taunted and offended people on social networks.
Violations related to damaging reputation predominantly affected governments’ political opponents, independent media and journalists.
Serbia was the country with the largest number of posts aimed at damaging the reputation of independent journalists. In three of four cases of publishing falsehoods, the journalists who were targeted were women.
Journalists were also targeted in North Macedonia and Hungary.
Pressure and arrests for publishing information
Infographic: BIRN
Due to the highly controlled media landscape and poor level of media literacy in the countries that were monitored, the public was overwhelmed with contradictory information and had much more difficulty in recognising false and misleading information during the pandemic than usual. At the same time, the public’s need for timely and proper information had never been bigger.
While the flow of information continued to grow immensely, states started to arrest citizens for posts on social media over the accusation they caused panic and unrest. Some countries imposed authoritarian regulations that limited the flow of information.
Members of the public, media representatives and politicians were arrested and fined for their writings on social media, often without any clear criteria. Journalists were arrested in Serbia, Kosovo and Turkey.
Arrests and fines have become one of the main tactics to counter fake news and violations of restrictions imposed by all governments in the states that were monitored. In Hungary, Serbia, Bosnia, Croatia and North Macedonia, top state officials warned the public that they faced immediate sanctions for spreading fake news amid the pandemic.
From conspiracy theories to false measures
Illustration: BIRN
Out of 163 cases, the largest number, 68, were linked with the misuse or manipulation of information. They mostly concerned different fake news, the use of false identities online, the sharing of conspiracy theories, or posts classified by the authorities as causing panic and disorder.
Some of the topics that were misused in this way included:
- Medicines that can cure the coronavirus, vaccines and laboratory tests
- Disinfection procedures
- Tips and advices on how to cure the coronavirus
- The number of infected people
- Information about infected people
- Information on medical institutions and their work
- The start of the virus and how it developed
- State measures and actions that have never been declared nor taken
- Supermarkets and food shortages
- 5G
- Other conspiracy theories
- Online education and information relevant for students
- Offensive posts and videos about quarantined citizens and about people who arrived from a foreign country
- Disturbing announcements about the COVID-19 outbreak
In some countries, such as Serbia and Hungary, levels of media freedom are low, with mainstream media often spreading disinformation, while independent media are called fabricators of lies by the authorities.
Nearly 25 per cent of all cases of the misuse or manipulation of information were resolved in some way. The outcomes included:
- Website or content removal by the state
- A request for the removal of the problematic post
- Detention or arrest of a person
- Official statement about the incident or a public apology
In Romania, most cases in this category ended in content removal. In Serbia, Hungary and Croatia, arrest was the most common outcome.
Manipulated information, conspiracy theories and unfounded claims emerged en masse on social media platforms and news website when most of the countries introduced emergency measures.
Disinformation was most intensively distributed via YouTube, where content blamed the expansion of 5G technology for the COVID-19 outbreak, or blamed multinational companies or foreign governments for the pandemic. In Croatia, one person even destroyed WiFi equipment, thinking it was 5G infrastructure. Mentions of the alleged influence of 5G networks on the pandemic was noted in Romania and Serbia, both on news websites and on social media.
News websites in Serbia, Romania, Hungary and Croatia often published manipulative content that included false information.
April was the month with the largest number of cases reported in this category. Some 30 out of the total 68 cases of manipulations in the digital environment were registered that month.
Information circulating in April and May, which was manipulated or false, mainly referred to the curfew, the number of COVID-19 patients and tests, students’ exams, people in quarantined, 5G transmitters, enforced microchipping and the funding of religious communities. In almost all cases from this category, members of the public were ones affected.
The rise of ‘unknown’ attackers
Illustration: BIRN
In comparison to the cases of online violations reported before the COVID-19 outbreak, BIRN’s monitoring noted a significant rise in cases in which the perpetrators cannot be identified. The number of these cases increased tenfold on a monthly basis.
These unknown perpetrators have been creating Facebook pages, using the virus situation to persecute independent journalists and others, send fraudulent messages in order to destroy computer software systems or steal money, and creating fake website accounts to spread conspiracy theories or medical disinformation.
Unknown perpetrators have also been responsible for computer frauds, the destruction and theft of data and for making content unavailable using technical skills. Hungary had the most cases involving unknown perpetrators, mainly related to computer fraud.
Cases have also shown how states can be violators of digital rights and freedoms. The increased number of cases which ended in arrest or detention revealed the tendency of states to use more power than was necessary, particularly to arrest journalists and citizens for posts on social media.
From having double standards when it comes to reactions to fake news to using their authority to silence people, governments often acted against the interests of their own citizens. According to the monitoring findings, in almost 25 per cent of all cases, the state itself or a state official was described as the perpetrator of a violation of certain guaranteed rights or freedoms.
On the other hand, members of the public were the victims of violations in 126 cases.
Media regulations across the region have been tightened under states of emergency and journalists have been arrested on accusation of spreading misinformation about authorities’ responses to the spread of the coronavirus. Some countries, like Serbia, sought to centralise the dissemination of official information and banned certain media from regular briefings.
The first worrying legal initiative was noted in Croatia, where the government proposed a change to the Electronic Communications Act under which, in extraordinary situations, the health minister would ask telecommunications companies to provide data on the locations of users’ terminals. The legislative change is currently pending.
In Hungary, the Bill on Protection Against Coronavirus, giving the government almost total control of the flow of information about the pandemic, was adopted at the end of March. The Hungarian government also decided to limit the application of the EU’s General Data Protection Regulation, GDPR, and to extend the deadline for public institutions to provide data requested via freedom of information regulations from 15 to 45 days.
Romanian civil society organisations also drew attention to a lack of official transparency and the possibility of media freedoms being curbed by state-of-emergency provisions. Provisions enacted as part of the state of emergency to combat the spread of the coronavirus allowed the authorities to shut down websites that publish fake news and exempted the authorities from answering urgent inquiries from journalists. Access to a dozen websites has been blocked since then.
In North Macedonia, the media faced new procedures for the issue of work permits during coronavirus curfews. The government insisted that its pandemic measures would not affect the public’s right to information, but in practice, institutions were less responsive to freedom of information requests.
In general, there was a trend among many countries to suspend freedom of information requests.
Digital rights, and rights to privacy and freedom of expression on the internet have all faced serious limitations and breaches in South-East and Central Europe. In the semi-democracies of the region, dominated by regimes with elements of authoritarianism, there is legitimate concern about disproportionate interference in citizens’ personal data and concern that recently-imposed measures are not properly tailored to achieve their objectives while causing the least possible damage to guaranteed rights.
Many people’s lives during this period have completely shifted to the online world, where harmful behaviour usually remains unnoticed by authorities preoccupied by offline violations.
During BIRN’s monitoring period, the lack of a human rights-based approach towards people in the digital environment led to discrimination, hate speech and threats. Although protection of basic human rights and fundamental freedoms should be guaranteed on the internet in the same way as it is offline, in practice we have seen an increase in the number of cases of online violations. The forms that those violations take have been evolving as well.
A lack of knowledge and understanding of the online space, and the subsequent lack of internet governance have opened a Pandora’s Box, allowing various state institutions to arbitrarily, partially and unequally interpret people’s online behaviour.
The intense nature of the battle for control of the narrative about the coronavirus has made meaningful oversight of online life and practices, and establishing accountability for online actions, harder than ever.
To read the detailed overview of our digital rights monitoring click here. For individual cases, check our regional database, developed together with the SHARE Foundation.