W7y8w3

The Court reported some 8,345 requests for phoneand internet traffic surveillance filed during 2013by the police and DANS, with each request containingtens of phone numbers and IP addresses. 13The number appeared to have grown significantlycompared to 2011, when the requests were 6,918,although court refusals had also increased from12% in 2012 to 14.3% in 2013.The number of cases where law requirementswere neglected is on the rise, confirmed Atanas Chobanov,a Paris-based investigative journalist andco-publisher of BalkanLeaks.eu and whistleblowingonline journal Bivol.bg. He sees the genesis of theproblem in the fact that the secret services have accessto the technical possibilities for surveillanceand it is easier for them to use it, in spite of usingother methods for investigation which are supposedto be used first. As a WikiLeaks’ Bulgarian partner,Bivol.bg revealed in 2013 that Bulgaria’s governmentis among the clients of FinSpy – a softwareproduct by Dreamlab and Gamma International,specialised for internet and phone surveillance. 14Internet surveillance is as serious as it was inthe beginning of the previous government’s term,commented Delian Delchev, a senior networkingengineer and IT consultant based in Sofia. Delchev,who is the administrator of the Free and NeutralInternet Bulgarian language group on Facebook,assessed all recent attempts to reform surveillancemechanisms as incomplete, including the separationof DATO from MVR’s structure and allowingDANS, the military and customs to request surveillancerequests directly. Another reason for concernfor Delchev is the political appointment of DATO’schair, whose position is not subject to any public orcivic scrutiny and accountability.The increase in the number of requests was notthe only sign of policy zigzagging over e‐surveillance.In May 2014 state prosecutors suddenly burst into theoffices of DATO and DANS to investigate the legalityof their surveillance methods and practices. 15 Just amonth later DATO suddenly became eager to get ISPsto fulfil their surveillance obligations under ZES.13 Sofia News Agency. (2014, February 17). Number of SurveillanceRequests in Bulgaria on the Rise. Novinite.com. www.novinite.com/articles/158260/Number+of+Surveillance+Requests+in+Bulgaria+On+the+Rise14 Bivol. (2013, September 4). WIKILEAKS: БЪЛГАРИЯ РЕАЛНОИЗПОЛЗВА ШПИОНСКИЯ СОФТУЕР FINSPY [WikiLeaks:Bulgaria effectively uses FinSpy spying software]. Bivol.bg.https://bivol.bg/finspy-bulgaria.html15 Angarev, P., & Dachkova, D. (2014, May 16). Прокуратуратаизненадващо влезе в спецслужбите заради подслушването[Prosecutors surprisingly entered into special services because ofsurveillance]. Sega. www.segabg.com/article.php?id=698787Respecting laws and changing lawsIn spite of all this most ISPs fulfil their obligations underZES article 250a consciously and respect the law,said Assen Totin, a former ISP manager, now workingfor a small telecommunications operator. It is smaller“one-block LAN [network]”-type providers who turna blind eye to the law, not making any effort to complywith it. “Not because they embrace the EuropeanCharter for Human Rights, but because most Bulgariansthink that the laws apply for everyone else butthem – and it is a pity that no one can bring themback to shape,” Totin commented. The EU’s DataRetention Directive may be invalidated, but Bulgarianlaw provisions that comply with it are still validand no serious operator could unilaterally decide tostop complying with them, Totin explained. Failure todo so might lead to substantial fines of up to USD68,400 – a serious amount even for large players.Benefits from non-compliance are questionable, withsubstantial possibilities for negative consequencesin terms of bad public relations, said Totin.But as an industry insider he sees clearly howhard it is for providers to comply with e‐surveillanceobligations. Larger operators receive some tens ofrequests for data access every day. Handling themrequires a great resource of people, labour and soon, especially given that in order to “cover” a specificsubject of “operational interest”, much moreinformation is often required than actually needed.For example, instead of simply asking whether Xwas in area Y at a given point in time, a request arrivesthat information of all users who appeared inthe area should be handed over. And little of therequested information is acceptable as legitimateproof by Bulgarian courts, Totin explained. The Committeefor Protection of Personal Data (Комисиятаза защита на лични данни – KZLD) is the bodyauthorised under ZES to keep track of ISPs’ compliancewith this part of the law – namely, whether dataunder article 250a is accessible only for the appropriatepersons, whether it is destroyed afterwards andso on. ISPs account in front of KZLD on a yearly basis.Totin thinks that the committee did a lot to makethe life of ISPs easier, and listened to most recommendationsby larger operators and by the Societyof Electronic Communications – one of the professionalassociations in the sector – particularly withregard to legitimising refusals of access to informationwhereby a request did not meet the requisites ofthe law, and also in defending the ISPs’ position thatthey should not interpret the data provided.A representative of another trade association,the Society of Independent Internet Suppliers, wasquoted by Capital as saying that DATO’s requestsare unconstitutional and in breach of EU law andindividual privacy rights, and that ISPs might suethe state in the International Human Rights Court inStrasbourg over them. As former associate to the Sofia-based Centre forthe Study of Democracy, Totin believes that abidingby applicable law is a must in a democratic society,and that there are legitimate ways to change abad law. A couple of days after the EU court’s decisionwas announced, Totin sent a complaint to theOmbudsman’s Office as a private individual, askinghim to alert the Constitutional Court. OmbudsmanKonstantin Penchev was quick to act and a case isnow pending at the Constitutional Court for the cancellationof the ZES requirements affected by thecancelled directive. 16 There is a proposal to get anopinion from the Communications Regulation Committee(Комисия за регулиране на съобщенията– KRS) and all interested parties might send theiropinions to them. Eventual success in the ConstitutionalCourt might be of substantial importance fordemonstrating the superiority of public interest overapplicable law.ConclusionsFor 25 years since 1989, Bulgaria’s political and economiclandscape remains marked by power structureslinked to the security services of the former authoritarianregime. The style and methods of the former statesecurity persist in today’s unreformed security andenforcement agencies that tend to practise excessiveand often unnecessary internet surveillance. Internetsurveillance is over-regulated, with different regulationsappearing in various legal texts, and regulatedby different bodies. Policy zigzagging and conflictingsignals sent by different institutions and politicians– depending if they are in opposition or in power – createsthe sense that no significant motivation to limitinternet surveillance exists in Bulgaria’s governing circles.With business, politics, mass media and justicemarked by corruption, non-transparency and lack ofpublic accountability, civil society remains often themost viable guardian of privacy and human rightsonline. EU institutions, a few independent journalismpublications, and the few functioning democratic institutions,such as the Ombudsman, also play their part.The cancellation of the EU’s Data Retention Directiveby the European Court of Justice offers Bulgariaand all member states a great opportunity to redesigntheir national legislations so that internet surveillance16 Mihaylova, P. (2014, June 20). Op. cit.should not hamper fundamental rights of privacy andfreedom of expression. But the resistance of conservativestructures linked to the state security apparatusslows down and often reverses such changes. A paralysinglegal and administrative framework imposesnew technological and financial burdens on ISPs whoare willing to comply with data retention and surveillancerequirements. The idea of refusing to complywith the applicable law’s draconian requirement isnew to most ISPs, but there is already the thoughtof legally challenging the obsolete national law provisions.Conscious citizens and internet connectivityproprietors abide by the law, but are willing to take legalaction to remove the obsolete legal texts that forcethem to spy on internet and phone users.Action stepsSome steps that could lead Bulgaria to resolvingthe problems with excessive and sometimes illicitinternet surveillance include:• An in-depth assessment of the existing administrativeand legal framework to establishall norms and agencies that regulate internetsurveillance.• Conceptualising a complex set of changes thatwould lead to minimising the number of surveillancerequests and strengthening the abilityof both special services and ISPs to cooperateeffectively.• Having Ordinance 40 of MVR ultimately cancelled.• Raising public awareness of the negative implicationsof excessive internet surveillance andcreating political demand for limiting it; limitationsthat politicians need to comply with whenthey get elected.• Building broad coalitions of actors who are interestedin limiting internet surveillance, includingISPs, human rights advocates, pro-democracythink tanks and other groups that could participatein decision making when it comes to surveillance.• Removing the internet surveillance provisionsrelated to the former EU Data Retention Directivefrom ZES.• Concentrating efforts on policy advocacy at theEU level to obtain a favourable replacementfor the cancelled Data Retention Directive thatwould have a lasting impact over internet surveillancepolicies at national and EU level.88 / Global Information Society Watchbulgaria / 89