Serbia: Authorities use spyware to keep tabs on activists
The Serbian police, along with the country’s intelligence agency, have unlawfully spied on journalists and activists using surveillance software. A report published Monday by Amnesty International details the abuse. According to the group’s investigation, authorities used a suite of products to extract data from smartphones – and to install the spyware in secret.
Dinushika Dissanayake at Amnesty International said in a statement, “Our investigation reveals how Serbian authorities have deployed surveillance technology and digital repression tactics as instruments of wider state control and repression directed against civil society.”
As the organization reports, Serbian authorities have developed their own novel spyware, called NoviSpy, to infect smartphones that run the Android operating system. Both the police and the Serbian intelligence agency, Bezbedonosno-informativna Agencija (BIA), have reportedly used the spyware.
According to the report, NoviSpy isn’t as technically sophisticated as the more well-known Pegasus spyware. Nevertheless, it has made it possible for authorities to gain access to sensitive personal data stored on individuals’ smartphones. Researchers at Amnesty’s Security Lab discovered for example that the software captures and transmits screenshots of chats. It also makes it possible for authorities to activate an infected smartphone’s camera and microphone remotely.
Officers circumvent passcode
While attackers can install spyware like Pegasus on a smartphone remotely, with no action required by the targeted user, the Serbian authorities seem to require physical access to a device in order to infect it with NoviSpy. In at least two cases Amnesty was able to reconstruct how exactly this was done.
The report relates for instance how in February 2024 officers arrested Serbian investigative journalist Slaviša Milanov under the pretense of asking him to take a test for driving under the influence of alcohol. “While in detention,” Amnesty reports, “Slaviša was questioned by plainclothes officers about his journalism work.” Before the sobriety test and the interrogation he had been asked to surrender his phone. The phone was off and he was not asked for the passcode. When the device was returned to him, however, he noticed that the settings had changed, and asked Amnesty for help.
The organization’s forensics experts were able to find evidence that his smartphone had been unlocked using a suite of Cellebrite products. The Israeli company sells hardware and software to government clients that make it possible to unlock and copy data stored on smartphones. After gaining access, the officers installed spyware on Milanov’s phone.
Amnesty’s investigators were able to show that the authorities used Cellebrite products to unlock activist Nikola Ristić’s smartphone as well. As they had on Milanov’s phone, the authorities installed spyware on Ristić’s device after unlocking it.
In November, Ristić had played a leading role in organizing protests in Belgrade after the collapse of a train station roof in Novi Sad. 14 people were killed and many more injured in the accident. Demonstrators suspected that corruption had been involved in the awarding of the contract to renovate the train station. When Ristić went to a demonstration at Belgrade’s Republic Square in early November, he was stopped by officers from the intelligence agency and taken in for interrogation; he was also made to surrender his phone.
Insufficient laws
Amnesty’s Dinushika Dissanayake said in a statement that the organization’s investigation “highlights how Cellebrite mobile forensic products – used widely by police and intelligence services worldwide – can pose an enormous risk to those advocating for human rights, the environment and freedom of speech, when used outside of strict legal control and oversight.”
Amnesty argues that the use of spyware and similar technologies is insufficiently regulated in Serbia. This leaves “too much space for potential abuse of such technologies for political purposes.”
Cellebrite released a statement on Monday in response to the Amnesty report and said that it was investigating the claims. The company claims to have stopped selling to certain customers in the past on ethical grounds. Prior to these most recent revelations, human rights organizations have accused Cellebrite of selling its products to repressive regimes – thus contributing to human rights abuses.
Activists surveilled
Evidence gathered by Amnesty suggested that Serbian authorities had used their NoviSpy surveillance software to spy on dozens of devices – but the number of victims in recent years may be even higher, reaching into the hundreds.
In one instance Amnesty’s experts were able to show that the spyware was installed on the smartphone of an activist while he was being questioned by BIA officers. The activist worked for Krokodil, an organization that promotes dialogue and reconciliation in the Western Balkans. The occasion for the interrogation was an attack on the organization’s Belgrade office. During questioning the activist left his smartphone in his jacket outside the interrogation room; afterwards he discovered suspicious notifications on the device.
Attempts were also made to install NoviSpy on a device belonging to an environmental activist. In other cases Cellebrite products were reportedly used to access data on smartphones belonging to individuals who had not been accused of any crime. In at least one case an activist was shown a court order; many were not. Regardless, Amnesty argues that such forensic tools should only used in cases where individuals are charged with serious crimes, like terrorism – not with merely expressing their opinion.
The Serbian interior ministry and the BIA intelligence agency refuted the charges in the report, calling them “nonsensical” and “false,” as reported by Serbian broadcaster RTS.
But this is not the first time that Serbian authorities have been tied to the use of spyware. In 2013, security experts at the University of Toronto’s Citizen Lab identified Serbia as a client of the now-bankrupt German software developer FinFisher.
Experts also assume that the BIA uses Predator spyware, the technology that is currently at the center of the Greek surveillance scandal.
And last year human rights groups and IT experts were able to prove that critics of the Serbian government had been targeted with spyware. Pegasus was likely used in the attacks – and Serbian authorities are suspected to have been behind them.
Constraints on freedom of expression
The attacks detailed in Amnesty’s latest report come against the backdrop of increasing state repression and increasing constraints on freedom of expression in Serbia. Since 2021 there have been numerous protests against the government – and the authorities have responded with harsh measures.
In the aftermath of protests against lithium mining and a raw materials agreement with the EU the government’s attacks against civil society have “dramatically escalated,” the report states. Activists have been arrested and charged with crimes – with some charges carrying potential sentences of up to eight years in prison.
As Amnesty argues in its report, “Digital surveillance does not only have a devastating impact on people’s right to privacy but also profoundly affects the rights to freedom of expression, association and peaceful assembly.” Serbian activists told the organization that they had changed their behavior after learning that they were being surveilled. “Some became more reluctant to speak out about controversial issues, while others decided to lower their profile or completely disengage from activism.” One activist described the situation as “a digital prison.”
Slaviša Milanov, the journalist spied on by authorities, also expressed concerns that his sources could have been compromised. “I can no longer use phone or email and have to find other ways to speak with people, including in person. I tend to do this only when we are in public places and in larger groups, which is obviously not ideal.”
Amnesty demands that the Serbian government “immediately stop using highly invasive spyware.” The government must also carry out “prompt, independent and impartial investigations” into unlawful surveillance. Finally, the government must ensure “that digital technologies are not misused to violate human rights” – for instance by establishing a legal framework for reviewing the use of such technology. Companies like Cellebrite must likewise ensure that their products do not contribute to human rights violations. (js)