The world organization for the protection of human rights, Amnesty International, published a report entitled "Digital Prison: Surveillance and Repression of Civil Society in Serbia", which describes how the authorities in Serbia, through the Security and Information Agency (BIA) and the police, illegally spied on the mobile phones of activists who organized protests, members of non-governmental organizations and independent journalists, reports Radar.
The report was submitted to the Government of Serbia before its publication, but it did not, as it says in the report, make any comments.
The findings reveal the pervasive and routine use of invasive spyware, including NSO Group's Pegasus spyware, along with the new homegrown NoviSpy spyware system for Android devices, first revealed in this report. They also note the widespread misuse of Cellebrite's UFED mobile forensics tool directed against environmental activists and protest leaders in Serbia.
The BIA and Serbian police reportedly used NoviSpy and mobile forensics tools from Cellebrite to target independent think-tank activists, peaceful protesters and independent journalists. "The authorities in Serbia use these tools systematically against peaceful demonstrators who are too often subjected to unjustified criminalization because of their activism. This illegal practice of digital surveillance and data collection directed against civil society violates the human right to privacy and protection of personal data, and deeply affects other rights and freedoms, including the right to freedom of expression, association and peaceful assembly".
Secret installation on mobile devices of three activists
The findings in the report are based on detailed interviews conducted with 13 people who were directly the subject of spyware or data extraction products from mobile devices, as well as 28 representatives of civil society from all over Serbia. It is added that "their testimonies are supported by a detailed forensic analysis of the mobile devices of twenty activists and journalists conducted by the Security Laboratory of Amnesty International".
The report provides what they say is a detailed overview of the history of the use or acquisition of highly invasive spyware by Serbian authorities over the past decade, including the systems of Finfisher, NSO Group and Intellexa.
The contamination occurred while the phones were temporarily taken from their owners and allegedly placed in lockers in police stations. Technical evidence suggests that dozens, if not hundreds, of unique devices have been targeted by NoviSpy spyware over the past few years.
Specific examples and expert reports are given. Research shows that the NoviSpy spyware was secretly installed on the mobile devices of three activists and one independent journalist during briefings with the Serbian police or BIA. The contamination occurred while the phones were temporarily taken from their owners and allegedly placed in lockers in police stations. Technical evidence suggests that dozens, if not hundreds, of unique devices have been targeted by NoviSpy spyware over the past few years.
It describes how in February 2024, Slaviša Milanov, an independent journalist from Dimitrovgrad, Serbia, who deals with topics of local importance, was taken to the police station after a seemingly routine traffic control. It is added that immediately after that he noticed that something was wrong with the phone, so he contacted the Security Laboratory of Amnesty. "Forensic analysis revealed that a Cellebrite product was used to unlock the device... Amnesty International discovered traces of a previously unknown spy software called NoviSpy that enables the collection of sensitive personal data after the desired phone is infected, as well as remote activation of the microphone or camera. Forensic evidence indicates that the spyware was installed using Cellebrite's device unlocking technology while Serbian police were in possession of Slavisa's device. The combination of these two extremely invasive technologies was used to target the device of an independent journalist, leaving almost his entire digital life available to the Serbian authorities".
It then describes how in October 2024, an activist from the Belgrade NGO Krokodil was called to the BIA office to provide information about the attack on that organization, adding: "During the conversation, her phone was left unattended outside the interrogation room." Subsequent forensic analysis carried out by the Amnesty Security Lab found evidence that the NoviSpy spyware for Android devices had been installed at that time."
The Ministry of Foreign Affairs of Norway states that it considers the possibility that digital forensic tools procured through a Norwegian-funded project to be misused to target representatives of civil society in Serbia to be worrisome.
It then states that the analysis of several samples of the NoviSpy spyware application found on the infected devices showed that they all communicated with servers in Serbia, in order to receive commands and track data. "Interestingly, one of these spyware samples was configured to connect directly to an IP address associated with the Security and Information Agency of Serbia. The investigation also found that configuration data embedded in the spyware sample led to a BIA employee who was previously involved in Serbia's efforts to obtain Android spyware from the now-defunct company Hacking Team."
Under surveillance by NGOs, activists and independent journalists
Amnesty International spoke, according to the report, to nine activists who were detained or interrogated between July and November 2024, and whose phones and computers were temporarily confiscated by the police and subjected to thorough searches. "Activists suspect that these intrusive investigative measures, which appear to be legitimate under Serbian law, were more a pretext for the police and intelligence services to learn more about their social networks and future plans, rather than an intention to prosecute." It is also noted that the report "is being published at a time when state repression is intensifying, and the state of freedom of expression and open dialogue in the country is increasingly unfavorable."
The investigation also found that configuration data embedded in the spyware sample led to a BIA employee previously involved in Serbia's efforts to obtain Android spyware from the now-defunct Hacking Team company.
"Since 2021, Serbia has experienced several large waves of protests against the government, and each of them has provoked increasingly harsh reactions - from continuous and violent campaigns against critical non-governmental organizations, media houses and journalists, to legal repression directed against citizens who peacefully organize and participate in political discontent".
In the chapter entitled "Inadequate legal and control framework of digital surveillance in Serbia", he describes what other problems non-governmental organizations, activists and independent journalists face.
The effect of intimidation on the activists is also described, and it is stated that they "stated to Amnesty International that knowing that they were targeted made them feel hurt, vulnerable and alone, and forced them to reconsider or change their behavior." Some have become more cautious when it comes to speaking publicly about contentious issues, while others have decided to speak out less or stop activism altogether."
Before its publication, the Ministry of Foreign Affairs of Norway, which donated the Cellebrite technology to UFED, and the United Nations Office for Project Services (UNOPS), which was in charge of the procurement for which Norwegian grant funds were used for the needs of the Ministry of the Interior, were aware of the report before its publication. The Norwegian Ministry gave an answer, unlike the Serbian Government, and if the report states that "they did not conduct an adequate in-depth analysis in order to assess and mitigate the potential risks of this technology for human rights, nor did they provide protective measures against its misuse regarding threats to civil society and independent to journalists. They are also criticizing: "the Norwegian government and UNOPS had the obligation to supervise and conduct an in-depth analysis during the acquisition of highly invasive technology and its transfer to Serbian institutions. Such an omission enabled and contributed to the violation of human rights to privacy, freedom of expression, association and peaceful assembly through the application of illegal digital surveillance".
An activist from the Belgrade NGO Krokodil was called to the BIA office to provide information about the attack on this organization, so it is added: "During the conversation, her phone was left unattended outside the interrogation room." Subsequent forensic analysis found evidence that the NoviSpy spyware for Android devices had been installed right then."
The response is then described: "The Ministry of Foreign Affairs of Norway states that it considers the possibility that digital forensic tools, procured through a project funded by Norway, have been misused to target representatives of civil society in Serbia, and adds that, if these allegations are true, [it] would represent a clear violation of the principles of Norwegian development assistance, as well as the agreed purposes of the support provided to the Serbian authorities at that time. The Ministry added that it is expected that UNOPS, which was responsible for all project activities, will conduct a thorough investigation of the alleged abuses".
The report concludes: "Serbia must commit to immediately stop using highly invasive spyware and conduct an immediate, independent and impartial investigation into all documented and reported cases of illegal digital surveillance."
Bonus video:
