METHODOLOGY
As part of the research process investigating the use of new technologies and their various impacts on society, SHARE Foundation launched an ongoing monitoring database of violations of the rights of citizens and organizations in Serbia in mid-2014. In addition to insight into trends in this area, the periodically published monitoring reports have enabled us to better direct pressure on responsible institutions to improve and apply the legal protection framework, as well as to contribute to the development of our society's awareness and knowledge of security and risks on the Internet. It is important to note that the cases entering the monitoring database are not limited to the conventional top-down social structures, such as government entities acting towards individuals, but also include violations by actors such as private companies and citizens themselves. The goal is for such cases to become and remain publicly available in order to bring their ubiquity closer to the public, but also to educate about the ways in which such violations can occur. Also, pointing out these violations can contribute to building the capacity of citizens, media and non-governmental organizations to adequately respond to them. While there is no universal way to protect against digital rights violations, awareness and good personal digital hygiene can help prevent or resolve such cases if they occur. The monitoring project is in line with SHARE Foundation's overall mission, which is: Control of the powerful and support of the underprivileged in digital spaces.
Compared to the previous versions, the categories and subcategories have been changed, as have the ways of collecting cases and the recording and description of the cases themselves. Since 2014, when the monitoring process was started by the SHARE Foundation, the methodology has changed a few times in order to better capture and describe the types of violations through subcategories, either by updating the names of subcategories or adding new ones. For example, in the 2.0 version of the methodology that was released in 2018, additional subcategories were added for several types of violations, along with a new means of attack (Confiscation and searches) and a new category called Other violations, in order to encapsulate violations that do not fall under any of the existing categories. The last updated version (v2.1) from 2019 underwent minor changes in the Manipulations and propaganda category, to allow for violations that span several countries.
The development of both technical and legal tools, as well as the volume of registered cases, meanwhile posed an increasing challenge to our researchers when selecting and classifying injuries according to the old methodology. Therefore, in 2022 we started a review of the existing case base, with the intention of radically reforming the digital rights monitoring system.
Criteria for entering cases
To begin with, we redefined the case selection criteria. The first criterion is always mandatory.
- The nature of the injury. The incident happened in the digital space, the damage was caused to digital assets and/or digital rights were violated.
Additionally, the case must meet at least one of the three qualifying criteria:
- The extent of the injury. The incident is massive, affecting a large number of citizens or other actors in the community.
- Social significance. The context and potential consequences of the injury affect the underlying values or relationships in society.
- Innovativeness. Technical means, methods, objectives or other elements of the incident are significantly more advanced than in previous cases.
Categories
A more precise definition of the criteria led to changes in the classification of cases, so they are now classified into one of three categories:
- Cyber attacks. Technical incidents, the primary goal of which is the intentional endangerment of computer infrastructure.
- Privacy and protection of personal data. This group includes cases of violations, i.e. non-fulfillment of measures prescribed by law, which result in the violation of these personal rights in the digital sphere.
- Fraud, threats and manipulations. This category includes various information disorders and manipulations of digital content for the purpose of deception, retaliation, attacks on personality, and prevention of the exercise of personal rights.
Each of these categories is further segmented by specific types of incidents. Also, for each category, possible means, i.e. methods of attack, are listed and, although detailed, due to the rapid development of new technologies, this list is not comprehensive. All three categories, as well as their subcategories, were conceived and named in accordance with the consequences of specific violations in the digital space.
Although at first glance these three categories may seem separate, it is important to take into account that, due to the size and interconnectedness of the digital space, cases can often fall into several different subcategories or even categories. As already stated, each category has its own subcategories within which the cases are more closely defined, as well as its own list of means by which the attacks were carried out. However, there are some differences between the categories, which is why it was decided that each category processes its cases separately: the means can differ in these three spheres of the digital space. The actors in these spheres also differ; for example, in the second category the violators of rights are mostly states or companies, while in the third category they are mostly citizens or politicians.
Sources of information about incidents
The primary source of monitoring is the public sphere, i.e. traditional and social media. Relevant news and announcements about all potential cases are collected by researchers through an automated process that uses a defined set of keywords for each category.
Secondary sources consist of databases of injuries and related contents of organizations, associations and other actors that independently monitor incidents in their domain (databases of attacks on journalists, national CERT, commissioners and similar).
Processing of individual cases
A special methodological segment consists of guidelines for researchers, created for uniformity in the selection and processing of incidents during their mapping and entry into the database.
After a specific violation has been identified and verified, the case is entered into the database with a brief description, while the evidence of the violation is archived, whether it is a screenshot of a tweet, a comment or article in which it was published. If available, the time period of the injury is recorded as well as the actors, i.e. the perpetrators of the injury and the injured parties, and the means, i.e. the methods of committing the injury, are also listed.
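The following is an added illustration of the two steps described above, the keyword pre-filter over collected news items and the entry criteria checked before a case is recorded; it is example code written for this page, not SHARE Foundation's own tooling. The keyword sets, the news items and the `Case` fields are constructed assumptions, since the methodology does not publish its keyword lists.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed keyword sets per category (assumption: the real lists are not
# published; these only illustrate the automated pre-filter step).
CATEGORY_KEYWORDS = {
    "Cyber attacks": {"ransomware", "ddos", "phishing", "malware", "hacked"},
    "Privacy and data protection": {"personal data", "leak", "wiretap", "surveillance"},
    "Fraud, threats and manipulations": {"threat", "doxxing", "fake profile", "slapp", "hate speech"},
}


def candidate_categories(text: str) -> list[str]:
    """Return every category whose keyword set matches the item.

    An item can match several categories, which mirrors the note that
    cases often fall into more than one category; the researcher decides.
    """
    lowered = text.lower()
    return [cat for cat, kws in CATEGORY_KEYWORDS.items() if any(k in lowered for k in kws)]


@dataclass
class Case:
    description: str
    category: str
    digital_nature: bool                 # mandatory criterion: nature of the injury
    massive: bool = False                # qualifying criterion: extent of the injury
    socially_significant: bool = False   # qualifying criterion: social significance
    innovative: bool = False             # qualifying criterion: innovativeness
    evidence: list[str] = field(default_factory=list)  # archived screenshots, URLs
    perpetrator: str = "Unknown"
    injured_party: str = ""


def qualifies(case: Case) -> tuple[bool, str]:
    """Apply the entry criteria: the first is mandatory, then at least one of three."""
    if not case.digital_nature:
        return False, "nature of the injury (mandatory criterion) not met"
    if not (case.massive or case.socially_significant or case.innovative):
        return False, "none of the three qualifying criteria met"
    if case.category not in CATEGORY_KEYWORDS:
        return False, f"unknown category {case.category!r}"
    if not case.evidence:
        return False, "no evidence archived for the case"
    return True, "case accepted"


def triage(items: list[str]) -> dict[str, list[str]]:
    """Map each collected item to its candidate categories; unmatched items are dropped."""
    return {item: cats for item in items if (cats := candidate_categories(item))}
```

Items that match no keyword set never reach a researcher, so the keyword lists are the main tuning point of the pre-filter.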
Principles of work
The revision of the methodology confirmed the basic principles of monitoring digital rights and freedoms, which have applied to all of SHARE Foundation's activities since its establishment:
Transparency. Periodical reports are narrative and leave room for the subjective impressions of researchers, as well as pointing out certain phenomena in accordance with common values and beliefs. However, the monitoring data in raw, machine-readable format is freely available for further use and different interpretations.
Accuracy. As part of the monitoring, researchers carry out basic verification of individual cases based on primary sources of information, for which SHARE Foundation is not responsible. Due to the limited scope of the verification, a mechanism for external correction has been established through an easily accessible, direct channel of communication with the researchers, through which citizens and organizations can deny, correct or supplement the available information about the case. All corrections can be submitted via email to the monitoring team.
Ethics. Researchers respect the privacy of those injured in the incidents they process for the purposes of monitoring, applying special protection measures when the dignity of the person is threatened in the incidents. The integrity of the monitoring base is subject to internal and external checks, while cases are selected according to established criteria, regardless of the researcher's personal beliefs, affection or distaste for the actors of the incident.
I Cyber incidents
Any impact on the integrity or availability of an information system, network or device with the intention of taking control over them, disrupting or interrupting their operation, or changing, stealing, deleting or blocking data on them.
Compromised data
Endangerment of security, confidentiality or integrity of data on an information system or individual device due to unauthorized access, taking control or misuse of data.
Means of attack
Malware (malicious software, virus)
Scams (phishing, skimming)
Traffic interception (man in the middle)
Device theft
Illustrative case
Servers and data of a public company have been the target of a ransomware attack: malicious software that encrypts data and demands the payment of a ransom for its decryption.
Disabled services
Interrupting or disabling the operation of an information system, network or device by exhausting its resources.
Means of attack
DoS/DDoS
Illustrative case
The information infrastructure of an academic network was targeted by distributed denial of service (DDoS) attacks: simultaneous requests from tens of thousands of IP addresses were sent to the servers, which made the websites on the network unavailable or difficult to reach.
Online scams
Exploiting people's trust, naivety, compassion, vanity or greed to extort money or data from them, or to manipulate them into causing a cyber incident themselves.
Means of attack
Social engineering (phishing/vishing/smishing, impersonation)
Fake resources (fake website, email)
Illustrative case
From an email address made to look authentic, citizens received a notification about downloading new credentials for accessing the public services portal. An infected document was attached to the message.
Overtaking control
Theft of device access or accounts for online services, including accounts for email, social media, online stores, and the like.
Means of attack
Technical attacks
Social engineering
Unauthorized physical access
Illustrative case
A media association lost access to its Facebook page, where unknown perpetrators began posting inappropriate content. The page was shut down, and the media association was forced to create a new one.
Actors
Perpetrators
Known
Unknown
Injured party
Public sector
Private sector
Civilian sector
Media sector
The public
II Privacy and data protection
The category is dedicated to violations of privacy and personal data in the digital space, from the stage of data collection to their eventual destruction, including unauthorized use through publication, or inadequate protection that leads to their leaking to the public.
Disclosure of data
Publishing information about private life, i.e. personal data, with the perpetrator's intention to make that information publicly available.
Means of attack
Website posting (including public registries and platforms)
Posting on a social network, blog, chat app
Publication in the media
Illustrative case
An online portal has published a document on its website that contains data on the basis of which several persons can be identified, whose identity should not be publicly available.
Data leakage
Leakage of personal data due to inadequate security measures.
Means of attack
Website leaks (including public registries and platforms)
Posting on a social network, blog, chat app
Leaks in the media
Illustrative case
Personal information from a private company's database became available on social media after an incident caused by the negligence of the company's employees.
Unauthorized collection of personal data
Unauthorized collection of personal data, i.e. collection, holding and use of data in violation of the law.
Means of attack
Violation of the principle of limitation in relation to the purpose of processing
Violation of the principle of legality (processing without a legal basis)
Violation of the principle of data minimization
Violation of the principle of limitation of storage period
Illustrative case
A government authority uses an online application that collects more personal data than is necessary to provide the service the application is intended to provide.
Eavesdropping and recording
Interception of electronic communications, eavesdropping and recording, against the law and/or without the knowledge of the person whose communication, voice or recording is in question.
Means of attack
Interception equipment
Wiretapping equipment
Recording equipment
Illustrative case
The state agency monitored email communications between journalists and their sources without authorization.
Actors
Perpetrators
Responsible person from the public sector
Responsible person from the media sector
Responsible person from the corporate sector
A responsible person from a political party
Responsible person from the civil sector
Private person
Injured party
Mass casualty
Individual casualty
III Fraud, threats and manipulations
This category is dedicated to various forms of harassment and retaliation due to expression and activity on the Internet, as well as various forms of content dissemination and manipulation that are carried out in order to achieve certain goals. This category includes cases that play out in all aspects of the digital sphere, including social media activity, algorithmic governance, as well as cases that end up in court.
Public misinformation
Dissemination of information that is intentionally false or fabricated and placed with the aim of harming a person, social group, organization or state (disinformation), as well as spreading information that is based on the truth, but is placed with the malicious intent to harm a person, organization or state in order to discredit, abuse or spread hate speech (misinformation).
Means of attack
Creating and sharing fake content
Content manipulation
Illustrative case
A public figure spread unverified information on social networks.
Self-censorship
Editing or removal of politically sensitive or public interest content by the media that originally published it. Bearing in mind that it is very difficult to know exactly whether it is external or internal pressure on the media, i.e. whether it is censorship or self-censorship, this subcategory includes cases in which content was not removed after clear abuse of legal mechanisms.
Means of attack
Content removal
Content modification
Illustrative case
The media portal removed a previously published text that contained criticism of the government.
Character assassination
Creating fake accounts and content with the aim of discrediting, i.e. endangering the reputation and causing damage to an individual, social group, organization or state.
Means of attack
Creating fake content and accounts
Content manipulation
Impersonation
Distribution of content without consent
Non-consensual distribution of intimate content
Organized attacks on networks targeting vulnerable communities (women, LGBTQ+, ethnic minorities, refugees and migrants)
Verbal attacks
Illustrative case
False allegations about a political organization were shared on social media from a fake profile.
Endangering security
Endangering security means attacks on the personality that cause fear and insecurity, in a shorter or longer period, but with greater intensity. Acts such as cyber stalking, threats, calls to violence and publication of personal data (doxxing) fall into this subcategory. Dignity and reputation, as well as privacy, are the target here, and the goal is to force a change in behavior - withdrawal from public life, from social networks, avoiding certain topics and the like. This subcategory also includes unauthorized sharing of personal information, including non-consensual distribution of intimate images or divulging trade secrets.
Means of attack
Verbal attacks
Collection, manipulation, dissemination and misuse of personal data
Doxxing
Direct threats of violence, including threats of a sexual or physical nature
Attacks based on gender and sexual characteristics
Cyber-mobbing
Stalking
Organized attacks on networks targeting vulnerable communities (women, LGBTQ+, ethnic minorities, refugees and migrants)
Content filtering and automated moderation
Illustrative case
Death threats and insults sent to journalists’ private addresses.
Discrimination and hate speech
Verbal attacks based on racial, religious, national, ethnic, sexual, political, union and other affiliation and personal characteristics, such as age or economic status, are considered hate speech. Mobbing is also a frequent means of spreading discrimination and hate speech on networks, as well as organized attacks.
Means of attack
Verbal attacks
Collection, manipulation, dissemination and misuse of personal data
Content manipulation
Attacks based on gender and sexual characteristics
Attacks based on racial, religious, national or ethnic affiliation
Cyber-mobbing
Organized attacks on networks targeting vulnerable communities (women, LGBTQ+, ethnic minorities, refugees and migrants)
Content filtering and automated moderation
Illustrative case
Discriminatory and false allegations about alleged crimes conducted by migrants were spread in the media and on social networks.
Limiting freedom of expression
Pressures due to expression on the Internet and the publication of information often affect members of the activist and media community, as well as ordinary citizens. These pressures can take the form of organized reporting of content, and sometimes also the abuse of legal mechanisms such as SLAPP lawsuits (strategic lawsuits against public participation) against journalists, or lawsuits for criminal acts such as insult. This subcategory also includes cases where intermediaries (in most cases platforms) remove content or suspend accounts through automated processes due to alleged violations of their rules or terms of use. The most common reasons are inappropriate content and copyright infringement. Decisions are often non-transparent and final, but may also be temporary and revised (due to an error in the automation system or in cases of organized reporting).
Means of attack
Organized reporting of accounts or content
Abuse of legal mechanisms
Content filtering and automated moderation
Verbal attacks
Retaliation
Illustrative case
Reporters received misdemeanor charges after attending the protests.
Actors
Perpetrators
Political subject
Authority figures
Big tech
Private companies
Media sector
Individual
Public figures
Injured party
Political subject
Civil society
Media sector
The public
Public figures
Gender based online violence
A form of violence that primarily affects women, girls and sexual minorities. Unlike the other three, this category is applied as an additional framework to all cases in the database in order to get a clearer picture of the prevalence of gender-based violence. The category consists of four subcategories in which the means of attack are clearly defined and match the means listed under the other categories.
Invasion of privacy
Collection, manipulation, dissemination and misuse of personal data
Doxxing
Non-consensual distribution of content (including intimate content)
Character assassination
Creating fake accounts
Identity theft
Content manipulation
Sharing false information and comments for the purpose of discreditation
Harassment
Direct threats of violence, including threats of a sexual or physical nature
Attacks based on gender and sexual characteristics
Cyber-mobbing
Stalking
Targeted and organized attacks on communities
Spreading fake news with malicious intent to discredit organizations and groups within certain communities
Organized attacks on networks targeting vulnerable communities (women, LGBTQ+, ethnic minorities, refugees and migrants)
Surveillance