This turn of events follows the efforts of SHARE Foundation and its international partners to point out to representatives of Facebook the problem of Western Balkans countries being excluded from those where Facebook actively monitors political advertising. This issue is very important in light of the election campaigns in Serbia and North Macedonia, having in mind possible manipulations, the lack of transparency of funding of ads and using non-political pages to advertise for political purposes.
Facebook, Inc. will in this manner expand the transparency of political advertising on their main social networking platform and Instagram in the mentioned countries. Until now, such policies were implemented mainly because of suspicion of foreign interference into election processes during the US presidential elections and Brexit referendum in 2016. The Cambridge Analytica scandal, when data of tens of millions of citizens leaked and pressure from states followed, also pressured Facebook to improve the transparency of its platform.
Facebook Ad Library will provide access information on total advertising expenses, number of ads, as well as data about specific ads – demographic target group of the ad, geographic scope of the ad, etc. In order to analyse political advertising, Facebook will enable researchers, journalists and the public access to the Ad Library API. In addition, by the end of April, it will be possible to download a report for the new 32 countries with aggregated data on ads about elections and politics.
All actors, including political parties, candidates and other organisations wishing to post ads about elections or politics on Facebook and Instagram will be required to register as advertisers, so it can be seen who paid for advertisements. It is also necessary for advertisers to confirm the identity with official documents issued by the state where they wish to publish ads, as well as additional information such as local address, telephone number, email and website if they wish to use the name of a Facebook page or organisation in the disclaimer. In case they do not register, Facebook may restrict posting ads about politics and elections during the verification process.
During the past few years, Facebook has managed to connect virtually the whole world in a single social app, free of charge and available to anyone on the planet. It has become an inevitable part of social interactions, advertising and political campaigns. SHARE Lab investigated the Facebook Algorithm and uncovered the vast human profiling project in the background.
Featuring: Vladan Joler and Andrej Petrovski Directed and edited by: Nemanja Babić and Andrija Kovač Producers: Danilo Krivokapić and Andrej Petrovski Cinematographers: Andrija Kovač, Danilo Krivokapić and Vladimir Miladinović Audio: Filip Milošević and Nikola Cvijanović Production assistant: Milica Čubrilović
SHARE Foundation filed complaints to the Commissioner for Information of Public Importance and Personal Data Protection of Serbia against Facebook and Google for their non-compliance with the obligation to appoint representatives in Serbia for data protection issues. In May this year, before the start of application of the new Serbian Law on Personal Data Protection, SHARE Foundation sent letters to 20 international companies and called upon them to appoint representatives in Serbia, in accordance with the new legal obligations.
Appointing representatives of these companies is not a formality – it is essential to exercising the rights of Serbian citizens prescribed by Law. In the current circumstances, companies like Google and Facebook view Serbia, like many other developing countries, as a territory for unregulated exploitation of citizens’ private data, even though Serbia harmonized its rules with the EU Single Digital Market by adopting the new Law on Personal Data Protection. Namely, these companies recognise Serbia as a relevant market, offer their services to citizens of the Republic of Serbia and monitor their activities. In the course of doing business, these companies process a large amount of data of Serbian citizens and make huge profits. On the other hand, the new law guarantees numerous rights to citizens in relation to such data processing, but at the moment it seems that exercising these rights would face many difficulties.
Among other things, these companies do not provide clear contact points that our citizens can contact – they mostly have application forms available in a foreign language. Our experience has shown that such forms are not adequate because they require advanced knowledge of a foreign language by Serbian citizens, but also because this type of communication is mostly done by programs that send generic automated responses.
Although fines under the domestic Law on Personal Data Protection that the Commissioner may impose, in this case 100.000 Serbian dinars (around $940 or €850), wouldn’t have a major impact on the budgets of these gigantic companies, we believe that they would show that the competent authorities of the Republic of Serbia intend to protect our citizens and that these companies are not operating in accordance with domestic regulations.
The Impact assessment of video surveillance on human rights, conducted by the Ministry of Interior of Serbia, did not meet the legal requirements. Also, the installation of the system lacks basic transparency. Hence, the process should be suspended immediately and the authorities should engage in an inclusive public debate on the necessity, implications and conditionality of such a system.
The installation of smart video surveillance in Belgrade, with thousands of cameras and face recognition software, has raised public concern. Three civil society organisations (CSOs) – SHARE Foundation, Partners for Democratic Change Serbia (Partners Serbia) and Belgrade Center for Security Policy (BCSP) – published a detailed analysis of the MoI’s Data Protection Impact Assessment (DPIA) on the use of smart video surveillance and have reached a conclusion that the document does not meet the formal or material conditions required by the Law on Personal Data Protection in Serbia.
The Commissioner for Personal Data Protection of Serbia also published his opinion on the DPIA, confirming the findings of the aforementioned organisations. According to the Commissioner, the DPIA was not conducted in line with the requirements of the Law on Personal Data Protection.
The opportunity to address all issues of public interest through the MoI’s DPIA was missed, as well as the obligation to fulfill both formal and material terms required by the Personal Data Protection Law. The DPIA does not meet the minimum legal requirements, especially in relation to smart video surveillance, which is a source of most interest and concern of the domestic and foreign public. The methodology and structure of the DPIA do not comply with the requirements of the Personal Data Protection Law because The positive effects on crime reduction as described in the DPIA are overestimated, due to the fact that relevant research and comparative practices have been used selectively. It has not been established that the use of smart video surveillance is necessary for the sake of public safety, or that the use of such invasive technology is proportionate, considering the risks to citizens’ rights and freedoms.
The MoI should suspend further introduction of smart video surveillance systems. In addition, the MoI and the Commissioner should initiate an inclusive public debate on video surveillance legislation and practice that will be in line with a charter on the democratic application of video surveillance in the European Union.
The organizations below write today to encourage you, in no uncertain terms, to continue increasing the end-to-end security across Facebook’s messaging services.
We have seen requests from the United States, United Kingdom, and Australian governments asking you to suspend these plans “until [Facebook] can guarantee the added privacy does not reduce public safety”. We believe they have this entirely backwards: each day that platforms do not support strong end-to-end security is another day that this data can be breached, mishandled, or otherwise obtained by powerful entities or rogue actors to exploit it.
Given the remarkable reach of Facebook’s messaging services, ensuring default end-to-end security will provide a substantial boon to worldwide communications freedom, to public safety, and to democratic values, and we urge you to proceed with your plans to encrypt messaging through Facebook products and services. We encourage you to resist calls to create so-called “backdoors” or “exceptional access” to the content of users’ messages, which will fundamentally weaken encryption and the privacy and security of all users.
Sincerely,
AfroLeadership Access Now ACM US Technology Policy Committee American Civil Liberties Union Americans for Prosperity ARTICLE 19 Association for Progressive Communications (APC) Asociación por los Derechos Civiles (ADC), Argentina Bolo Bhi Canadian Internet Registration Authority Centro de Ensino e Pesquisa em Inovação (CEPI), FGV Direito SP, Brasil Center for Democracy & Technology Center for Studies on Freedom of Expression (CELE), Universidad de Palermo Defending Rights & Dissent Derechos Digitales, América Latina Digital Rights Watch Državljan D Electronic Frontier Foundation Electronic Privacy Information Center Engine epicenter.works – for digital rights Fight for the Future Free Press Freedom of the Press Foundation Fundación Karisma, Colombia Future of Privacy Forum Global Forum for Media Development Global Partners Digital Hiperderecho, Peru Human Rights Watch Index on Censorship Instituto de Referência em Internet e Sociedade (IRIS), Brazil Instituto de Tecnologia e Sociedade do Rio de Janeiro (ITS) International Media Support (IMS) Internet Society Internet Society – Bulgaria Internet Society UK England Chapter Internews ISUR, Universidad del Rosario, Colombia IT-Political Association of Denmark Iuridicum Remedium, z.s. LGBT Technology Partnership National Coalition Against Censorship New America’s Open Technology Institute Open Rights Group OpenMedia Paradigm Initiative PEN America Prostasia Foundation R3D: Red en Defensa de los Derechos Digitales Ranking Digital Rights Restore The Fourth, Inc. Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic (CIPPIC) SHARE Foundation SMEX S.T.O.P. – The Surveillance Technology Oversight Project TechFreedom Vrijschrift
In Southern and Eastern Europe, where online disinformation campaigns are increasingly endangering guaranteed individual freedoms and a notable decline in internet safety is ubiquitous, BIRN Hub will partner with SHARE Foundation to monitor digital threats and trends in their occurrence, raise awareness about violations of digital freedom and issue policy recommendations.
The organisations will identify the main players involved in
disinformation and propaganda by establishing a Digital Monitoring
database. The database will cover the state of digital rights in
targeted countries by documenting cases of violations of digital rights
and freedoms, with descriptions of cases and corresponding sources.
The project, supported by Civitates, will monitor digital freedom violations in Bosnia and Herzegovina, Croatia, Hungary, North Macedonia, Romania and Serbia.
The database will be part of the broader online BIRN Investigative
Resource Desk (BIRD), a new resource platform for investigative
journalists expected to launch this fall. The interactive database will
allow the general public to access data collected through the monitoring
system.
The use of SHARE Foundation’s expertise will result in the creation
of a detailed methodology and guidelines for monitoring violations of
digital rights and freedoms, as well as training for monitors to
successfully gather data and file them in the newly created database. A
three-day training for monitors will be held in the second half of July
in Perast, Montenegro.
In parallel, BIRN journalists will produce and publish five
investigations related to the topic. On the basis of monitoring
activities, a one-of-a-kind cross-regional report will be produced, to
be presented at the closing event.
The database will provide the data for periodical reports on the
state of digital rights and freedoms in targeted countries. In terms of
outcomes, the cross-regional report will compile collected data in order
to introduce public to trends in violations of digital freedoms.
Continuous monitoring and reporting on digital threats will
contribute to BIRN’s wider efforts to promote accurate and unbiased
information. It will strengthen the capacities and skills of the
network’s journalists, as well as exposing and countering threats that
journalists and other engaged individuals face on a regular basis.
Three months prior to the application of the new Law on Personal Data Protection, SHARE Foundation asked 20 companies from around the world – including Google and Facebook, to appoint their representatives in Serbia. Competent bodies and citizens of Serbia will thus be able to turn to these representatives regarding all the questions in terms of personal data processing.
Although the business models of these companies area already greatly based on monetization of personal data of their users, and therefore of the citizens of Serbia, too, it seems that they practically still do not have any way to enjoy their rights when it comes to data collected by the most famous companies.
However, the new Law on Personal Data Protection, modelled afterGeneral Data Protection Regulation (GDPR) stipulates the obligation of almost all big IT companies to appoint their representatives in Serbia. Namely, if a company offers products and services in Serbia or if it monitors the behavior of citizens, it must also appoint a representative, i.e. natural or legal entity to which citizens can address regarding their rights of persons to whom data refer. This entity will also cooperate with the Commissioner for Information of Public Importance and Personal Data Protection of the Republic of Serbia. Having in mind that Google, Facebook, Amazon, Netflix and other IT giants process the data of Serbia’s citizens in order to provide services, they are obligated to appoint a local representative.
For example, Google recognized the local market as a significant one years ago, and so many services such as Gmail, YouTube, Google Chrome and Google Search have been adapted to our citizens and available in Serbian language, too. Additionally, Google targets the citizens of Serbia by using advertisements, and monitors their behavior through cookies, therefore, it is certainly obligated to appoint its representative in Serbia. Facebook is also available in Serbian and has about 3 million users in Serbia only on its main social networking site, and it also owns Instagram and WhatsApp. Facebook performs mass collection of users’ data so they could be profiled and shown targeted ads, as it is described in detail in SHARE Lab’s Facebook algorithmic factory research.
However, policies of these companies, most of which have their main headquarters in the USA, basically do not observe Serbia as a part of Europe, which results in a situation that the citizens of Serbia do not have their rights on personal data guaranteed at all. On the other hand, if Facebook or Google appoint their representatives in Serbia, it would be more likely for citizens to exercise their rights or initiate proceedings before competent Serbian authorities. Since the citizens of Serbia enter into agreements with the US companies regarding using the services, while the EU citizens do so with the European representatives, it is obvious that there are parallel systems of protection.
Letters have been sent to the following companies: Google, Facebook, Amazon, Twitter, Snap Inc – Snapchat, AliExpress, Viber, Yandex, Booking, Airbnb, Ryanair, Wizzair, eSky, Yahoo, Netflix, Twitch, Kupujem prodajem, Toptal, GoDaddy, Upwork.
EDIT (30th March, 2019, 9:29h): Not long after this text had been published, case study about cameras for video surveillance in Belgrade was removed from the official website of Huawei. You can read the archived version of the case study at the following link: https://archive.li/pZ9HO.
New generation surveillance cameras have already been installed in Belgrade, as stated in a case study published on the official website of Huawei.
Unlike the Ministry of Interior, whose representatives gave unclear and contradictory statements, to finally refuse a freedom of information request from SHARE Foundation, Huawei published a case study on their company website with detailed information about the installation of cameras for video surveillance in Belgrade and cooperation with the Ministry of Interior of Serbia (MOI).
The case study represents a detailed description of cooperation between Huawei and MOI, which largely contradicts information provided by the Ministry of Interior.
In the beginning, Huawei states that thanks to advanced video surveillance technology, the suspect who fled to China after causing a car accident with fatal consequences in 2015, better known as the “Countryman case” in Serbian public, was apprehended only three days after his photo was received from MOI of Serbia. Thanks to this rapid arrest, the Ministry of Interior initiated cooperation with Huawei through the “Safe Society” project, with the goal to install an advanced video surveillance system in Serbia. The company also points out that it has offered Intelligent Video Surveillance (IVS) systems, Intelligent Transportation Systems (ITS), eLTE broadband trunking technology, unified data centers, and converged command centers to the MOI. It also says that in the beginning, 9 test cameras have been installed in 5 locations, including the MOI headquarters, a sports arena, a commercial center, and a police station. Huawei states that in the first phase, cameras have successfully performed several functions, such as video retrieval, video compression, automatic license plate recognition, behavior analysis, facial recognition, and video quality diagnosis. After a successful test phase, a Strategic Partnership Agreement was achieved in 2017.
In the first phase of the project, 100 high-definition video cameras were installed in more than 60 key locations and the command and data center in Belgrade was remodeled, as pointed out in Huawei’s study. Also, a large number of advanced technologies and products were used, including infrared license plate recognition, 4k video solutions, H.265 HD encoding, cloud-based cluster networking and SafeVideo to ensure data security and virtual checkpoint system.
It should be noted that Huawei had stated that video materials and received data are kept on an advanced storage device called “OceanStore”, which provides a number of options, such as data analysis and big data analysis, and retention period of received data is limited to one year.
In the end, it is said that thanks to realisation of Phase 1, which had been implemented more than five months before the study case was published, many criminals cases were solved, and that the police is now able to find suspects based on the stored video materials thanks to Huawei intelligent technology. As Huawei stated, the Ministry of Interior will develop a comprehensive “Safe City” solution, which will cover the whole Belgrade area in the beginning, while the final goal is to implement such a solution on the whole territory of Serbia.
Finally, the most important question for the citizens of Serbia concerns possible consequences to their privacy, and also the reliability of this technology. It is important to underline that smart technologies which use cameras for video surveillance, like facial recognition and behaviour analysis, represent very intrusive methods for citizen’s privacy, while on the other hand, they are not completely reliable. The technology which may lead to serious personal data abuse is used for storage of data collected by video surveillance. For keeping data in a one year period on the “OceanStore” device, of crucial importance is to establish transparency as to who exactly can access the data, in which cases and so on, because on the contrary, huge amounts of personal information of Serbian citizens may be the target of different abuses.
As it is publicly known, the Minister of Interior announced the gradual installation of 1000 cameras in 800 locations during the next two years, and the Police Director explained that the future locations of stationary cameras were already known, and that before choosing the locations “significant research and analysis of events were made, foremost on the crimes on the territory of Belgrade”. However, in the reply to our FOI request, MOI stated that “the significant research and analysis” actually didn’t exist. On the other hand, by reading the detailed Huawei case study, it is possible to find information which may provide a better picture about what is actually happening with the process of installing cameras in Belgrade.
It is very concerning that we can hear completely different information from many different sides about questions that concern constitutional civil rights and freedoms of citizens of Serbia. We believe that relevant actors have to come out to the citizens with accurate and complete information, and to provide the explanation to the public how will a private company be able to access their personal data, in which cases and, most importantly, why weren’t information about cooperation with Huawei available to citizens in the initial phase of the project.
Leading Serbian law enforcement officials announced a new system of video-surveillance in Belgrade, the nation’s capital, which would be highly intrusive for citizens. It was revealed that the main partner of the Government of Serbia was Huawei, the Chinese tech giant recently involved in several scandals. In pursuit for transparency of deploying such privacy-invasive technology, SHARE Foundation submitted Freedom of Information (FOI) requests to the Ministry of Interior.
However, the Ministry responded that all documents regarding the public procurement of video surveillance equipment in Belgrade were protected as ‘Confidential’. The information about the new facial and vehicle license plate recognition system was not provided either.
Earlier this year, the Serbian Minister of Interior and the Police Director announced that in the next two years, 1.000 new generation cameras using facial and license plate recognition software will be installed in 800 locations in Belgrade. Minister of Interior Nebojša Stefanović made a statement for Fonet news agency and said that ‘patrol cars and police officers in the street will gradually become equipped with these cameras’, while the network of cameras will then spread to both the highway and regional roads. Police Director Vladimir Rebić made an appearance on Radio-Television of Serbia and stated that the ‘establishing the functionality of face recognition is in its final stage’, and that the locations intended for stationary cameras were already determined based on ‘a broad examination and analysis of events, referring primarily to the criminal offences in Belgrade’.
Camera location – “confidential”
Based on the Law on Free Access to Information of Public Importance, SHARE Foundation, requested the information on locations of the cameras, including the analysis based on which these locations were determined, and details on the public procurement and relevant procedures.
The official responses of the Ministry stated that all the documents regarding the public procurement of the video equipment are protected as ‘confidential’, and the information on locations and analysis were not provided in any document or any medium, which is the legal precondition to exercise the access to the public importance information. SHARE Foundation requested a copy of the data protection impact assessment (DPIA), and the Ministry responded that the new Law on Personal Data Protection is not being applied yet, and explained that registry and processing of personal data contained in the video surveillance were regulated by the Law on Registry and Processing of Data in Interior Affairs.
Considering the fact that the responses of a FOI officer of the Ministry were in direct contrast to the statements made by the Minister and the Police Director, this ambiguity must be clarified without any further delay, keeping in mind that this is a fundamental question of human rights and civil freedoms guaranteed by law and the Constitution of Serbia.
Huawei as the partner of police
SHARE Foundation also requested information on the public procurement of equipment and software to be used for video surveillance. The response of the Ministry was that they began discussing possibilities and improvements of information and telecommunications system with Chinese company Huawei in 2011, and that they drafted the decision regarding the increase of general security of citizens within the project titled ‘Safe Society’. This project falls under the Agreement on Economic and Technical Cooperation Regarding Infrastructure between the governments of Serbia and China, previously signed in Beijing in 2009.
Furthermore, the Ministry stated that in 2014 they signed the Memorandum of Understanding with Huawei, referring to necessary steps for the implementation of the above-mentioned project. Based on the Agreement and the Memorandum, in 2017, the Ministry and Huawei signed the Agreement on Strategic Partnership for Introducing eLTE technologies and solutions for a ‘safe city’ in public security systems. The Government of the Republic of Serbia signed this Agreement so that the Ministry of Interior took over the obligations stipulated in the Agreement regarding expenses and procurement of the video surveillance system based on the capital project ‘Video surveillance in traffic – phase II’.
Intrusive technologies in “uncharted waters”
Serbia adopted a new Law on Personal Data Protection which mostly follows the new standards of European regulations in this field, i.e. GDPR, but at the same time, it does not provide for instruments and mechanisms for the better implementation of the Law. Also, so far there have been no steps taken in terms of drafting a law regulating video surveillance in public space.
Software used for identification is the latest technological achievement which gravely violates rights and freedoms of citizens and is an important topic of public discussions in democratic societies. Chinese company Huawei has been accused on several occasions over the past few years by USA and some European countries of industrial and political espionage in cooperation with Chinese authorities.
In the upcoming months, it is necessary to determine which equipment for video surveillance has been purchased, where and how the personal data will be processed as well as whether the personal data protection impact assessment has been carried out adequately.
Today, on 4 December, eight digital rights organisations from across Europe sent a letter to the National Assembly of Serbia, asking for a transparent process of the selection of the country’s new Data Protection Commissioner. The mandate of the current Commissioner for Information of Public Importance and Personal Data Protection of Serbia is to expire soon, and given the fact that the newly adopted Law on Personal Data Protection starts being applied in August 2019 and that Law on Free Access to Information of Public Importance is being reformed, it is of high importance that the new Commissioner is appointed as soon as possible, through a transparent process in accordance with the law, and that the best candidate is given the position.
The letter invites the Culture and Information Committee of the National Assembly of Serbia to:
Start the procedure for the election of a new Commissioner, as soon as possible;
To make the procedure for selecting the best candidate for the position transparent;
To determine the legal conditions for selection, where, in addition to general expertise and experience in the protection and promotion of human rights, priority should be given to candidates with specific expertise and experience in freedom of information and personal data protection;
To conduct interviews with the best candidates at a session that will be open to the public, in order to deliver a reasoned decision on the proposal to the National Assembly;
To justify the proposal for a decision on the best candidate’s choice according to each of the set conditions.
The organisations called upon the National Assembly, which appoints the Commissioner, to ensure the highest standards in the selection and appointment of the new Commissioner in order to respect the foundations of a free, innovative and open digital society that delivers the best data protection standards in Serbia, in line with the European Union General Data Protection Regulation (GDPR) and the Convention 108 of the Council of Europe.
