Police, Military Security Agency (VBA) and Security Information Agency (BIA) have unhindered access to the customers of Internet Service Providers (ISP) and telecommunication companies in Serbia. It is hard to determine if that access is based on law.

Police and intelligence services are supposed to get a court decision to gain access to the private data of online users. But in Serbia, it isn’t clear that they bother to do so.
There is a law that regulates electronic communications. But not all internet service providers (ISPs) seem to understand what is meant by “retained data,” or how they should store or destroy it. And out of three ISPs that allow direct access to data, two of them say they don’t keep records about how often police and intelligence agencies gain direct access to customers’ private data.

What Your ISP Knows About You

Whenever you send an e-mail, your internet provider keeps a record of it: the time you sent information or a message, to whom, and so forth. This data, stored by the ISP, is called “retained data.”
Some ISPs provide phone and SMS services in addition to internet, and they can’t legally retain the content of your messages or phone calls unless they first get permission from a court. But they do retain data on when you make a call, who you called, how long the call lasted, when it ended and where you were when you placed the call, based on which mobile towers were used.
Serbian law sets restrictions on the circumstances under which state authorities such as police, security agency or military security agency can ask for data and the request must include a court order. But in reality, the situation is far different.
“State authorities have the de facto ability to access our private data without a court decision,” said Đorđe Krivokapić, legal and policy director of Share Foundation, a non-profit organization dedicated to protecting citizens’ Internet rights.

Privacy Protector

One office is charged with protecting personal data: the Commission for Information of Public Importance and Personal Data Protection, or Information Commission for short. The post of Information Commissioner is currently held by Rodoljub Šabić.
His office has done two reports: one in 2012, on landline and mobile telephone companies, and a second, released in June 2015, on ISPs.
The ISP report was the first ever produced by the Information Commissioner’s office and covered requests to share data that ISPs received from state authorities during 2014.
All active ISPs in Serbia were surveyed to determine their data-sharing practices. The second phase of the study included site visits to 26 operators, based on market share, type of Internet services offered, geographical coverage and so on.
For police or security personnel to see retained data, they need court approval. One method involves submitting a request which should spell out exactly what data the state institution wants to access, along with a determination of court order authorizing it. These requests were submitted by fax, email, phone or in person.
While in 2014 most ISPs had received fewer than 10 of these requests, others received significantly more. Telenor led the field, with 4,599 requests, followed by Telekom Serbia, 344; Vip, 109; and Serbia Broadband (SBB), 48. The total number of requests for 2014 was just over 5,000.
A similar survey in 2012 examined telephone data retention in Telekom Serbia, Telenor, Vip and Orion.
For the year ending in March 2012, 4,382 requests were submitted. For example, Telenor received 513 written requests from state institutions, with another 1,559 email requests from the Ministry of Interior. Telenor approved all of the MOI’s email requests, although none of them specified the legal basis on which they were made.
A quicker and easier way to get data is through direct access. State institutions can get user names and passwords to access the ISPs’ internal systems, allowing them to access retained data at any time. According to the report from 2012, it is unknown how many people use these user accounts or whether every access is based on a court order.
“When it comes to direct access, it’s online access, so you can’t know if the (user) has a judicial decision,” said Radoje Gvozdenović, who works in the Information Commissioner’s office. “The operator leaves it up to the state body, as to whether they have a court order or not.”
Such decisions, he says, “cannot be left (up) to the state bodies.”
Of the ISPs surveyed, only Telenor (one of the biggest) kept data on direct access.
In 2014 Telenor recorded 202,118 direct accesses to retained data. Most – 199,818 – were by Serbian police, followed by the Military Security Agency (VBA), 1,068; and Security Information Agency (BIA), 993. The state institutions examined data traffic for 29,333 telephone numbers and retained data for 18,020 different mobile devices.
Since other ISPs say they did not record access, “We can only guess what the real number is,” said Commissioner Šabić.
In 2012, Telenor was using an application called Info System which allowed police and both military and security intelligence agencies to access the databases whenever they wanted for whatever reason they wanted. Those three institutions together had 75 user accounts, used by an unknown number of persons. In one year, the accounts were used 272,327 times, or an average of 746 times per day. Telenor also used to automatically provide all metadata from the Mobile Switching Center daily to BIA.
The situation was similar at Vip Mobile, a subsidiary of Telekom Austria Group that started working in Serbia in 2006, which gave to police and intelligence microchip-equipped cards for data access. Vip says it did not track how many cards were issued nor how many times retained data was accessed.
The 2012 Information Commissioner’s report said that Orion Telekom Company, one of the biggest ISPs, routinely allowed police and intelligence services free access to a listing of the emails which passed through Orion’s server. This company also allowed the BIA free access to the system database, with permission to intercept traffic within the network.
The watchdog Share Foundation analyzed the Information Commissioner’s 2012 report, and drew some conclusions. Secretive methods of handling data retention implies the existence of a mass data collection, the foundation said. And while the law says retained data should be kept for no longer than 12 months, this may not apply to BIA, “because no authority monitors BIA for handling retained data,” the analysis said.
When it comes to ISPs, the Information Commissioner’s office believes the situation is better concerning access to data than it was with telecommunication companies earlier. But, beside problems with direct access, there are other misuses of retained data.
The commissioner’s 2014 report noted that in one place in Serbia, an ISP offers police data without even requiring an official request. Police officers in one police administration verbally ask for (and get) a list of all users of the Internet and cable television, as well as all documentation and lists of customers and suppliers of the ISP.

Retained data

According to Serbia’s Law on Electronic Communications, ISPs are to keep retained data for a year, after which they are required to erase it. The commission report said most ISPs don’t follow the law and, in fact, some don’t even know what retained data is.
“Supervision has confirmed the earlier Commissioner’s estimates about an unsatisfactory, very worrying state of personal data protection in electronic communications, especially in the ISPs,” said Commissioner Šabić.
When the commissioner’s office asked all ISPs how they destroyed retained data after 12 months, they got unexpected answers. One ISP said “by hammer” and another said that staffers “tear it up and throw away.”
This approach to retained data is unusual given its importance in modern society.
Says Krivokapić of the Share Foundation, “The importance of retained data in the modern information society is immeasurable.” He says it is possible to find analytical tools that can extract from mobile and internet retained data “insights” about individuals that should be protected by privacy laws. “In these circumstances the potential for abuse is great and protection capabilities are limited.”
By law, the Ministry of Trade, Tourism and Telecommunications is obliged to inspect the work of ISPs. Ministry officials told OCCRP reporters they completed nine inspections between January 2014 and April 2015, mainly related to the use of radio-frequency spectrum and quality of services.
“Inspectors haven’t found any problems,” Sava Savić, Deputy Minister, told OCCRP.

What data do providers collect and share?

According to the Commissioner’s report from 2012, the telephone companies share personal data of their users, including national ID numbers and addresses. Some also share data related to cell phone activity, including the caller’s number, the number called, the phone’s unique identifier (IMEI), details about which base station forwards a call, date and time of the call, duration of the call, type of service, details about the identity of both parties, list of all SIM cards that have been used in the current device for the last year.

Vladimir Kostic and Bojana Jovanovic