As the government increases its capacities for surveillance in the interest of national security, experts are concerned that people’s right to privacy risks being violated.
As it builds up its national surveillance system, Kosovo should be alert to concerns about the risk to people’s privacy, cyber security experts warn.
The country adopted a law on the interception of electronic communications in 2015, to regulate the procedures and conditions for surveillance of electronic communications carried out for criminal procedures and security needs.
The law determines the rules for Network Operators and Service Providers in relation to processing of data as well as the obligations of state institutions to respect human rights and freedoms in terms of lawful surveillance.
Institutions lawfully permitted to perform surveillance in Kosovo include the police and the intelligence agency, acting on requests from the prosecution office.
Institutions allowed to propose such requests to the State Prosecution are the police, the Police Inspectorate, customs office and tax administration.
A court warrant is needed before surveillance of a person in Kosovo can be conducted.
But Nuredin Ibishi, a security expert in Kosovo, told BIRN that human rights are routinely violated when it comes to surveillance of persons suspected of being a national security threat, or of committing terrorism, for example – especially if no case has been initiated by the prosecution, or the suspect has been acquitted by the court.
The prosecution and/or court “provide the content of the surveillance to the lawyer [of the suspect] who often publishes it in the media, violating their privacy”, Ibishi told BIRN, referring to several wiretaps leaked to the public that went viral over the years.
Ibishi added that the situation can be more complicated if the person placed under state surveillance is a member of a political group or comes from a discriminated-against community.
“A defence argument can be created that the person being wiretapped is a member of a political group or a discriminated social group and is not [being surveilled] for a potential criminal violation. This makes the surveillance process difficult,” he said.
Privacy vs national security concerns
Until June 2018, the EU Rule-of-Law body in Kosovo, EULEX, also had legal rights to conduct surveillance, deriving from its competencies under Kosovo’s legal framework.
It did not need an initiation by the prosecution to do this either, because EULEX has its own prosecutors and judges, recognized by Kosovo’s justice system. EULEX’s monitoring mandate in Kosovo expires in 2023.
As is often the case in Kosovo, the law on communication interceptions is in line with human rights and fundamental freedoms recognized and guaranteed by the European Convention for Human Rights. However, its implementation can often be challenging.
Kosovo institutions have often had difficulty distinguishing between the right to privacy and the obligation to protect national security.
Experts complained to BIRN of the lack of a proper, updated legal framework and of the institutional skills to differentiate between them – and to safeguard the right to privacy where it may overlap with national security.
Training on surveillance in Kosovo, and foreign donations towards it, have mainly focused on technical skills and technology, without addressing the issue of people’s privacy, or the subject’s political position.
Kosovo also has yet to put in place mechanisms of higher-level communication or proper safety mechanisms that would prevent hacking and illegal surveillance.
However, the latest annual European Commission Progress Report on Kosovo assessed that legislation on the destruction of data, adopted in January 2020, had contributed to the better implementation of the Law on Interception of Electronic Communications.
“The process of upgrading interception capacity in order to meet the evolving technological demands is under way. Legislation on cybercrime is generally in line with the EU acquis,” the report said.
The think tank Kosovo Center for Security Studies, KCSS, said in a report in 2011 that the nature and mandate of security institutions in Kosovo had altered several times during the past decade.
“Although the mandate to provide intelligence services and to take special investigation measures has over time gradually shifted from international security actors to local ones, especially after the declaration of independence of Kosovo, interception of telecommunications continues to be troubling,” the report said.
KCSS said that the general public was not the only confused party in this muddle.
“The expression of suspicion by the Minister of Interior, whose mission is to build, preserve and increase the security of all citizens in Kosovo, of being intercepted by international organs in Kosovo, more specifically by EULEX, adds to this gloomy environment and extends the confusion over this issue to the institutional level,” it added.
Questions about deletion of surveilled material
An important problem, related to devices and surveillance and the police special surveillance unit, concerns conformity to the legal obligation to protect national security and prevent criminal acts and human rights violations, experts told BIRN.
Mentor Hoxhaj, a cyber security expert, told BIRN that despite efforts to transpose European standards into Kosovo laws, their implementation, especially when it comes to the overlap of wiretapping and cybersecurity with privacy, was poor.
Hoxhaj said each court order specifies the exact type of wiretapping that may be done. This means that if the court orders only the collection of data on who called whom, without any content, “the institution … cannot go beyond that”.
However, as Hoxhaj explained, often this is not the case in Kosovo. “In terms of what is accepted as proof in court, we always talk in a retrograde manner, meaning how much can you go back, meaning how much you have the right to survey someone,” Hoxhaj said, adding that everyone who has been subjected to surveillance should be notified about it after it comes to an end.
“If the prosecution doesn’t decide to initiate a case in court, it should notify the parties … If the procedure goes no further, the prosecutor needs to decide to delete or destroy the gathered material,” he added.
However, Hoxhaj said that he had “not heard of any case where a prosecutor has taken such a decision. In a case of taping a conversation, every material that has nothing to do with the indictment should be deleted – but this has not happened and I do not see it as a practice”.
Ibishi goes further in explaining violations of privacy, claiming: “There are cases when people have misused their power to use the Kosovo Intelligence Agency, KIA, police or customs to wiretap someone for political purposes.”
The commissioner of the Kosovo Agency for Information and Privacy, AIP, the institution responsible for monitoring the implementation of the Law for the Protection of Personal Data, was elected only recently, after the AIP had been functional for years.
The agency told BIRN it was “working on the full functionalization of AIP to exercise its competencies and full legal authorizations – and one of our priorities is also the processing of personal data in the security sector.”
“The Law on the Personal Data Protection predicts some limitations regarding the subjects of the data when it comes to national security. This limitation must be proportional and implemented only to fulfill an urgent need for a democratic society,” it said.
“Even though privacy is not an absolute right and can be limited legally for national security purposes, … the right to privacy remains a basic human right,” the agency told BIRN.