- Despite the requirements of existing legislation, the company failed to install the necessary software to log who accessed its systems, for what purpose, and what was monitored for eight years.
- Anyone with access could carry out “monitoring” without leaving a trace.
- COSMOTE pledged to resolve the issue in 2014 but had not done so by 2022.
- In 2021 and 2022, the Hellenic Authority for Communication, Security, and Privacy (ADAE) imposed a “triple” fine totaling €340,000.
- In 2024, the case finally went to court, but the ADAE was never called to testify.
By Vangelis Triantis
How secure are communications carried over mobile and fixed-line service providers? Investigative Data Journalists have addressed this question several times because it concerns millions of users. Although the issue justifiably attracts journalistic scrutiny, it does not appear to be treated with the seriousness it warrants.
For nearly eight years, COSMOTE lacked the necessary software to log access to the systems where its subscribers’ calls were handled.
According to existing legislation, the company should have installed software years ago that would record who accesses its systems, the purpose of the access, and what is being monitored. The absence of this software was first identified by the Plenary of the Hellenic Authority for Communication Security and Privacy (ADAE) in 2013. Specifically, the ADAE determined that COSMOTE did not maintain “access logs to communications data within the VMS system,” nor did it have the required system for prepaid mobile accounts—one that effectively records, in log files, who accesses the communications data of prepaid subscribers. In short, anyone with access could see who was communicating with whom without a record being kept.
Although COSMOTE committed to resolving the issue by 2014, the company failed to do so until 2022. Consequently, the Hellenic Authority for Communication, Security, and Privacy (ADAE) fined COSMOTE a total of €340,000 through three separate decisions issued in 2021 and 2022.
COSMOTE’s violations of communications privacy legislation were brought before the courts, not by the Hellenic Authority for Communication Security and Privacy (ADAE), which had identified them, but by businessman Giorgos Floras. For two of the three cases identified by the ADAE, the Public Prosecutor’s Office initiated criminal case files. However, they were closed because no criminal liability could be established on the part of COSMOTE executives. In the third case, criminal charges were brought against the responsible COSMOTE official, who was tried and acquitted in September 2024. No ADAE representative appeared at the trial because neither the court nor the prosecution deemed it necessary. The only witness examined was Mr. Floras, despite contrary recommendations by the Office of the Supreme Court Prosecutor.
The Absence of Logging in VMS Data
In February 2022, the plenary session of the Hellenic Authority for Communication Security and Privacy (ADAE) convened to examine a case involving a possible violation of existing communication confidentiality legislation by COSMOTE.
This followed a complaint filed by a private individual in January 2019. The ADAE then established an audit team to investigate the matter. The team carried out an on-site inspection at COSMOTE’s facilities. The audit revealed a shocking finding: COSMOTE had seemingly breached the regulation governing the protection of the confidentiality of electronic communications.
According to paragraph 6.2.6 of the Regulation, telecommunications companies must log how their employees and partners access subscribers’ or users’ communications data. In other words, “every access to the communications data of subscribers or users of the provided networks or services must be recorded and justified.” Additionally, paragraph 8.3.3.2 of the ADAE Regulation states that telecommunications companies must record and maintain logs of all actions performed in the operating systems and applications of the Information and Communication Systems (ICS).
However, this was not the case with COSMOTE. As the auditors found, and as the company itself admitted, “The access logs to communications data in the VMS system, as well as the logs of administrators’ actions in that system, are not maintained.” More striking is that the ADAE had already identified this omission during an on-site inspection. In a document sent to the ADAE on July 22, 2014, COSMOTE committed to resolving the “exception regarding the logging of accesses to the VMS system and accesses to communications data through the VMS system” by the end of 2014. This never happened, though.
In 2021, the ADAE summoned COSMOTE for a hearing. The company claimed that “…the new version of the VMS platform, scheduled to launch at the end of October 2021, would include a mechanism to log administrators’ actions within the system and their access to the system’s communications data…” This came nearly eight years after the company was found to be in violation of communications privacy legislation.
In this context, the ADAE Plenary decided by majority to impose a €40,000 fine on COSMOTE with Decision No. 51/2022. The minority consisted of the then-chair of the Authority, Christos Rammos, and regular members Stefanos Gritzalis and Aikaterini Papanikolaou. They voted to impose a €300,000 fine on COSMOTE instead. The minority reasoned that COSMOTE had placed the confidentiality of communications at risk through this violation. The minority noted that COSMOTE failed to fulfill its obligation to log accesses and actions in the system for a period exceeding six years by arguing that the new system it intended to adopt by the end of 2014 would remedy the identified shortcomings. COSMOTE did so without the knowledge of the ADAE, given that the company had informed the Authority otherwise.
ADAE Decision No. 51/2022
Two More Violations and Fines of €300,000
This was not the first time that the ADAE had convened to determine whether or not COSMOTE had violated the legislation governing the confidentiality of communications. On June 23, 2021, the ADAE’s plenary examined a 2019 complaint filed by an individual regarding a personal data breach. Specifically, COSMOTE was reported to have inadvertently sent “a detailed call record to the wrong recipient.” As part of the investigation, an ADAE audit team visited COSMOTE’s facilities. They found that COSMOTE lacked the necessary system for prepaid mobile accounts, which logs who accesses the communications data of prepaid subscribers. The ADAE described this system, called the Bill Print system, as “critical” since “it provides access to the communications data of all users of the company’s prepaid mobile services.”
As early as September 2013, the ADAE had determined that COSMOTE did not have the system in question. From 2014 on, the ADAE had “highlighted to the company the need to implement logging of user accesses and actions.” However, as of 2020, COSMOTE had still not complied.
In Decision 2014/2021, the ADAE notes that “the failure to implement this obligation for a period exceeding six years, while the Authority believed otherwise, due to the company’s statement in document No. ΑΔΑΕ ΑΠΡ 2390/22-07-2014, is considered particularly aggravating with regard to the protection of communications confidentiality and the methodical and effective enforcement of the prescribed security measures by the provider.”
In this context, the ADAE imposed a €150,000 fine on COSMOTE.
A similar case was addressed in ADAE Decision No. 215/2021, which was also issued on June 23, 2021. As in the previous decision, COSMOTE was penalized for failing to “maintain logs of accesses to the Bill Print system and the communications data accessed through it,” despite ADAE’s emphasis on the importance of logging user accesses and actions.
“Despite being aware from the time of the relevant audit that failing to log user accesses and actions in the system in question violates Articles 6.2.5 and 6.2.6 of the Authority’s Regulation, the company took no corrective action. Instead, approximately seven months later, in view of the incident in question, it continued to wrongly justify its noncompliance on the grounds that it did not maintain the relevant log files, contrary to the Authority’s explicit requirements,” the ADAE emphasizes.
In this case, the ADAE also imposed a fine of €150,000 on COSMOTE.
ADAE Decisions 214 and 215/2021
Two cases were dismissed and one trial was held
COSMOTE’s violations were also referred to the courts. Contrary to what one might have expected, this was not at the initiative of the ADAE, but rather at the initiative of a private individual—specifically, businessman Giorgos Floras. This raises the question of why the ADAE did not forward its decisions to the judiciary to examine any potential criminal liability of telecommunications executives. A Public Prosecutor undertook to investigate possible criminal responsibility following the complaints filed by Mr. Floras. However, a few months later, two of the three criminal case files opened—one based on ADAE Decision No. 51/2022 and the second on Decision No. 214/2021 of the independent authority—were dismissed. The dismissal was based on the grounds that no criminal liability arose because COSMOTE “had by then put into operation systems that meet the requirements of the legislation for safeguarding the confidentiality of communications.”
In other words, COSMOTE’s failure to protect the confidentiality of millions of mobile phone users’ communications for years was not deemed criminal because the company finally took the necessary measures eight years later.
The ADAE treated Decision No. 215/2021 differently. In this case, the prosecuting authority found that criminal offenses had been committed and brought charges against Megas Konstantinos, COSMOTE’s communications-privacy compliance officer, for violating the confidentiality of communications. Nevertheless, the prosecutor’s legal approach is striking.
Anyone reading ADAE Decisions Nos. 214 and 215/2021 will notice their near-identical content. Nevertheless, on July 4, 2023, the same prosecutor closed the case file based on Decision No. 214/2021. Then, on July 17, 2023, he brought criminal charges against Mr. Megas.
The ADAE was never summoned to court
In September 2024, the case against the COSMOTE official was heard in court. Mr. Floras testified as a witness. However, despite the fact that the Authority had identified the violations by COSMOTE and had imposed fines on the company, no one from the ADAE was called to testify. The issue of witnesses in this case even prompted an intervention by the Office of the Prosecutor of the Supreme Court. Following the information provided by Mr. Floras, the then-Deputy Prosecutor of the Supreme Court, Giorgos Skiadaresis, sent a letter on August 7, 2023, to the then-head of the Public Prosecutor’s Office. In the letter, Skiadaresis requested that a representative of the ADAE and Mr. Floras be summoned. Furthermore, Mr. Skiadaresis strongly criticized the decision to only summon the defendant to court, stating that it was “unusual” to not also summon “crucial evidentiary counterweights.”
“We are forwarding the report for your further action. Taking into account pages 7 and 8 of the report, among other matters, we request that the multitude of specifically referenced case files concerning violations of telephone confidentiality by telecommunications providers be identified. We also request that it be verified in each case file whether the complainant, the injured party, and a representative of the ADAE have been summoned. If not, we request that they be summoned. It is unusual for only the defendant to be summoned to court without crucial evidentiary counterweights, particularly in serious cases, which may predetermine their outcome,” emphasizes Mr. Skiadaresis in his letter.
The letter of the Deputy Prosecutor of the Supreme Court:
The letter from the Deputy Prosecutor of the Supreme Court turned out to be “prophetic.” Although the court was informed that no ADAE representative was present to testify, it showed complete indifference. Ultimately, Mr. Megas was acquitted, and the case ended. However, it is important to note that Mr. Megas’s position is far from ordinary. During the hearing, he stated that he is COSMOTE’s designated liaison with the National Intelligence Service (EYP) and is certified as a NATO partner. He also holds other significant roles that are inherently and directly linked to the protection of the confidentiality of communications.
Germany, the BND, and Reports of Surveillance in Greece
Protecting the confidentiality of communications is highly complex and by no means straightforward. Over the years, numerous cases of surveillance carried out through telecommunications providers’ systems have come to light. One such case involved the wiretapping uncovered in Greece through Vodafone in the 2000s. Specifically, from 2004 to 2005, approximately 100 phones in Greece were wiretapped using special software installed in Vodafone’s systems, along with 14 prepaid “shadow phones” that recorded conversations. The case was investigated by the Greek authorities and caused significant tremors in the domestic political scene. However, the case was closed and placed on file in the summer of 2008.
In 2014, the Greek newspaper Ta Nea published a report revealing that German intelligence services were monitoring electronic and telecommunications in Greece. The newspaper published a document submitted during a legal dispute between a German lawyer and the German Federal Intelligence Service (BND). According to the document, the BND was monitoring communications to combat international terrorism.
In 2017, VICE Greece released a documentary titled “The Targets of German Intelligence Services.” The documentary discussed communications surveillance in Greece by the BND at various points in time, with a focus on Greek individuals targeted by the agency. The documentary referenced a report published by the German magazine Der Spiegel in April 2016. According to the report, after 2002, the BND allegedly “monitored Interpol offices in multiple European countries, including Greece.”
In an interview with VICE, Martin Knobbe, the Spiegel journalist who uncovered the scandal, stated that the alleged BND surveillance list included Greek targets.
In any case, protecting the confidentiality of communications is a particularly serious issue, and perhaps the judiciary should treat such violations more strictly when they are identified.
