Technical attacks again in the focus of digital rights violations


Monitoring of the state of digital rights and freedoms has shown that the primary position in this respect once again belongs to technical attacks on online content. SHARE Foundation registered 15 cases of violations of digital rights and freedoms between January and March 2018. Out of this number, there were six cases which involved disabling the access to content or endangering information security in some other manner. The trend of this increase shows that from the beginning of April, we have already registered three technical attacks. These attacks included: citizens-victims of fraud on Facebook regarding credit cards, technical attack on the website of the Committee of Human Rights Lawyers (YUCOM) which aimed at crashing the website and unauthorized access to accounts of organization “Da se zna” on Instagram and Twitter.

Technical attacks as a way of endangering digital rights and freedoms, mostly with a goal of making the media content unavailable, had their peak in mid-2014 because at the time there was the affair with PhD theses plagiarism and brought down the website of Peščanik on several occasions. Bringing down the website of Peščanik received a great attention of public and media, and it was interested to see that later on there were not as many cases of technical attacks on websites of online media and civil society organizations, apart from several sporadic examples.

The most prominent case occurred at the end of February when unknown actors took over the Facebook page of the Independent Association of Journalists of Serbia (NUNS), removed administrators managing the page and published inappropriate content. The SHARE Foundation team for the prevention of risks regarding information security SHARE CERT produced an analysis of incidents and contacted the representatives of Facebook for Central and East Europe which did not react in terms of this case, that is, they did not recover the administrators’ access to the NUNS employees. As a consequence of the unauthorized access, the NUNS Facebook page was shut down, and so the association had to make a new page.

The case of NUNS Facebook page also showed that it is rather risky to rely on posting content on platforms over which we do not have any control regarding hosting of data. All posts from many years, likes and followers you had can disappear in one moment, and we must also take into account the invested money for the promotion of posts so as to reach more users. The platforms owned by powerful companies located in California, such as Facebook and Google, can control the content and profiles of users under the terms of use which can be interpreted rather widely.

When it comes to other incidents related to information security being compromised by technical methods, it is important to say that in this period of time, the civil society organizations were the targets, unlike in the period of time before that when media websites had had seen most attacks. The websites of The Center for Europ-Atlantic Studies (CEAS), Foundation “Budi human” and news agency Tanjug were attacked. It is especially interesting that Tanjug made an announcement that the attacks were being lead from ‘over 50 IP addresses in Serbia’ with a goal of ‘crashing the information system of the agency’. The attacks of “flooding” of server were mostly coming from several tens of thousands of addresses from all over world, such as in the case of CEAS website – around 270000 IP addresses were used, and almost all came from the Netherlands. It remains unclear what security measures were applied if requesting an access to website from not more than 50 IP addresses could jeopardize the information system and media outlets must pay a special attention to this.

Although the monitoring over the first three months also included an important social event from the aspect of political activity on the Internet – local elections in Belgrade – it seems that this campaign did not have as many incidents in digital environment than some previous ones. However, we can still mention cases such as creating a fake profile of mayor of Belgrade Siniša Mali  and threats to the president of party “Dveri” Boško Obradović as Youtube comments to the program where he was a guest during the campaign.

Threats and calls to violence are the biggest category of digital rights and freedoms violations, and even though there was a certain decrease in this respect, there is still a problem of inefficient reaction of the authorities. Threats to journalist Dragan Janjić due to his statement that the murder of Oliver Ivanović had a political motive and background, were spread over sponsored posts on Facebook page “Srbija naša zemlja”. The First Basic Public Prosecutor’s Office in Belgrade discharged the criminal charges filed by NUNS on behalf of Janjić and stated that “there is no reasonable doubt that the criminal act which is to be criminally processed ex officio“.

The problems regarding personal data protection were not as prominent in previous periods of time of monitoring, but there were three cases between January and March, the most serious violation being publishing data of participants of the protest in Požega who were the social help users. There were correspondence, transactions from personal accounts of citizens, their requests and appeals to the Center for Social Work in Požega appearing on Facebook, as well as other data. The Commissioner for Information of Public Importance and Personal Data Protection initiated monitoring due to these events. However, this is not the only case of publishing data regarding those receiving social help, which are, according to Law on the Protection of Personal Data  particularly sensitive data. The Commissioner also initiated the monitoring process  at the Ministry of Labor, Employment, Veteran and Social Policy of the Republic of Serbia and the entrepreneur whose website published the data on domestic violence victims and those who receive social help.

Again we return to the issue of relation of the authorities in terms of human rights in digital environment, because it seems that every step forward regarding resolving the cases of threats, technical attacks and other violations is followed by (at least) two steps back.  The Agreement on Safety of Journalists signed between the Public Prosecutor’s Office and the Ministry of Internal Affairs and media and journalists associations at the end of 2016 clearly does not provide expected results especially in the context of dismissing criminal charges on the grounds of journalistic safety and court proceedings which take a lot of time to be completed.

In order for technical attacks to the websites of media, civil society and other subjects to be solved as quickly as possible, it is necessary to strengthen the capacities of the Prosecutor’s Office for High-Technological Crime of the VTK department of the Ministry of Internal Affairs, as well as to advance the relations with big foreign companies owning the most popular platforms. The Commissioner Rodoljub Šabić on many occasions in media indicated to an unacceptably bad relation of the state towards the citizens’ personal data protection, which is confirmed by recent cases.

The role of the civil society in solving the problems on the biggest, most popular online platforms must be raised to a higher level because when it comes to the content on Facebook, Twitter or Youtube, the main negotiating position belongs to private companies located outside Serbia and it is difficult for the police and other state bodies to conduct their requests on their own. SHARE Foundation will use SHARE CERT and the membership in the European Digital Rights Initiative – EDRI to continue establishing a direct contact with teams of platforms in charge of security, in order for the requests regarding users rights in Serbia to be considered and solved efficiently.

Monitoring database of SHARE Foundation