Update
Auditing the voter register: purpose, impact, and where we a...
CRTA+ Voter register audit: only 4 of 69 checks can be performed under current data access CRTA̵...
Serbia's Security Intelligence Agency (BIA) systematically extracted data from and installed spyware on the phones of civil society activists during informational interviews, according to a joint investigation by BIRN and Amnesty International. The agency used Cellebrite - Israeli forensic technology designed for use with a court order - to unlock devices, then installed a homegrown surveillance tool called NoviSpy, capable of recording calls, taking screenshots, tracking location, and remotely activating cameras and microphones. Amnesty International's Security Lab confirmed NoviSpy was installed on four devices between February and November 2024, with traces of failed installation attempts found on additional phones. In a single month, more than 20 unique NoviSpy samples were generated and potentially deployed.
The investigation documents five confirmed cases. Ivan Bjelić, an environmental activist detained on election day in December 2023, had his phone connected to a Cellebrite device without a valid warrant - ostensibly brought in over an unpaid traffic fine, he was questioned about bombs and terrorist attacks. Nenad Kovačević, who opposes Chinese mining company Zijin's operations near Majdanpek, had his phone taken during a home search; the search warrant made no mention of electronic devices, and no receipt was issued. Ivan Milosavljević Buki had a NoviSpy installation attempted during an interview in Požarevac - it failed because Google Play Protect required biometric authentication the agents did not have. An activist from cultural association Krokodil, who had voluntarily approached BIA to report an attack on their premises, discovered upon leaving that his contacts had been exported and two spy applications - NoviSpyAdmin and NoviSpyAccess - had been installed while his phone was left on a chair outside the interview room. Nikola Ristić, one of the organizers of protests following the Novi Sad train station collapse, had Cellebrite used to break into his locked phone and NoviSpy installed while he was being held.
Amnesty International's technical analysis links NoviSpy's server infrastructure to BIA, with development traces dating to 2018. The same server previously hosted German surveillance software FinSpy, and was registered to a BIA operative who participated in procurement negotiations with Italian spyware firm Hacking Team. NoviSpy's infrastructure also overlaps with that of Telekom Srbija, Serbia's largest state-owned telecommunications provider. Google, notified by Amnesty International, confirmed NoviSpy is malicious, removed it from affected devices, and notified all users targeted by the campaign.
Lawyers consulted by BIRN are unambiguous: BIA has no legal authority to seize phones, extract data, or conduct forensic analysis without a court order. Attorney Nikola Lakić states that covert surveillance measures can only be applied in cases involving the most serious criminal offenses, and that everything else constitutes a serious violation of citizens' rights. None of the activists received any judicial authorization for what was done to their devices.
The investigation documents five confirmed cases. Ivan Bjelić, an environmental activist detained on election day in December 2023, had his phone connected to a Cellebrite device without a valid warrant - ostensibly brought in over an unpaid traffic fine, he was questioned about bombs and terrorist attacks. Nenad Kovačević, who opposes Chinese mining company Zijin's operations near Majdanpek, had his phone taken during a home search; the search warrant made no mention of electronic devices, and no receipt was issued. Ivan Milosavljević Buki had a NoviSpy installation attempted during an interview in Požarevac - it failed because Google Play Protect required biometric authentication the agents did not have. An activist from cultural association Krokodil, who had voluntarily approached BIA to report an attack on their premises, discovered upon leaving that his contacts had been exported and two spy applications - NoviSpyAdmin and NoviSpyAccess - had been installed while his phone was left on a chair outside the interview room. Nikola Ristić, one of the organizers of protests following the Novi Sad train station collapse, had Cellebrite used to break into his locked phone and NoviSpy installed while he was being held.
Amnesty International's technical analysis links NoviSpy's server infrastructure to BIA, with development traces dating to 2018. The same server previously hosted German surveillance software FinSpy, and was registered to a BIA operative who participated in procurement negotiations with Italian spyware firm Hacking Team. NoviSpy's infrastructure also overlaps with that of Telekom Srbija, Serbia's largest state-owned telecommunications provider. Google, notified by Amnesty International, confirmed NoviSpy is malicious, removed it from affected devices, and notified all users targeted by the campaign.
Lawyers consulted by BIRN are unambiguous: BIA has no legal authority to seize phones, extract data, or conduct forensic analysis without a court order. Attorney Nikola Lakić states that covert surveillance measures can only be applied in cases involving the most serious criminal offenses, and that everything else constitutes a serious violation of citizens' rights. None of the activists received any judicial authorization for what was done to their devices.
