Above: Candles are seen in front of the Government of the Slovak Republic's building during march in honour of murdered Slovak investigative reporter Jan Kuciak and his girlfriend Martina Kusnirova in Bratislava, Slovakia, March 2, 2018. Credit: REUTERS/Radovan Stoklasa

As soon as journalists published the last investigation of their murdered colleague, Slovak reporter Jan Kuciak, they immediately focused on another important issue: Why was he killed? And how did his killers know that he was working on a story about them?

The first answer was straightforward. Kuciak and his fiancée were murdered in their home in late February by one or more professional hitmen. Police and his colleagues believe that this can only be because of a story he was working on or had worked on. Journalists and police have a number of suspects, and the investigation is ongoing.

The second question was far more problematic, and the probable answer is disturbing: The person or people who ordered Kuciak’s killing may have learned he was working on a story about them as a result of leaks by public officials. These may have come, his colleagues believe, as a result of his freedom of information requests – one of the most valuable tools reporters have.

Kuciak worked at Aktuality.sk, the leading news portal in Slovakia. In cooperation with the Organized Crime and Corruption Reporting Project (OCCRP), he was investigating whether and to what extent one of the world’s richest and most brutal Italian crime syndicates, the ‘Ndrangheta, had infiltrated into his country. He was following leads that hinted EU tax money may have ended up in the ‘Ndrangheta’s hands through agricultural subsidies Brussels gave to Slovakia. He also found a number of troubling links between Slovak officials at various levels, especially in the ruling SMER party, and Italian families with ties to the Calabrian mafia.

He also was looking at corruption issues involving other state agencies.

Kuciak obtained much of his information for all of these stories through freedom of information (FOI) requests. In fact, at the age of 27, he was considered one of his country’s most prolific and experienced reporters when it came to filing such requests. He was also experienced with mining public databases in Slovakia.

The basic function of freedom of information laws (FOI or access to information laws), which exist in most EU countries, is to ensure that citizens are informed about the doings of their government. This is considered vital to the functioning of a democratic society. But in order for journalists to make use of these laws, they often have to identify themselves to the government offices they are seeking information from.

Kuciak’s editor, Marek Vagovic, who heads the investigative department at Aktuality.sk, says that Jan was generally very good about handling sensitive information.

“I know how safely he worked,” he told OCCRP. “All his drafts, notes and evidence were encrypted. That’s why I think the information was leaked by the police, prosecutors, courts, or office workers he sent information requests to, stating his personal details, such as his home address,” Vagovic said.

To make it worse, when filing the requests, Kuciak tended to include a lot of background details about the stories he was working on. He believed this would increase the chances of getting the information he was seeking.

In Vagovic’s view, this might have made it even easier for the killers.

“The institutions that Jan was approaching could see from his FOI requests what he was interested in and moreover, what else he knew. They could deduce it and share it with the subject,” he said.

Kuciak filed dozens of FOI requests related to his last investigation with various state agencies such as land registries, agricultural agencies, prosecutors, and courts. He is known to have provided his name and home address on some of the requests, filing them in his own name as an individual, rather than from his company, which would have allowed him to leave his name off.

OCCRP has approached some of the agencies Jan had requested information from, namely Slovakia’s Agricultural Paying Agency, which handles the EU subsidies, the public prosecutor’s office in Trebisov, east of Bratislava, the regional court in Bratislava, and SEPAS, the Slovak energy agency.

All denied sharing information about journalist’s request with the subjects. However, though an OCCRP reporter only asked about general rules and procedures, most of the respondents immediately asked whether the questions were related to the Kuciak case. If so, they noted, they had nothing to do with it.

These denials do not convince Vagovic or other lawyers OCCRP talked to.

“They say that in the eastern part of Slovakia everything is unbelievably interlinked,” Vagovic said.

A Larger Problem

Kuciak is not the only person in Slovakia whose personal information may have been leaked to the subject of an investigation.

Those who use the law say targets of a FOI request have been known to find out about it. Boris Stancl, a lawyer based in Bratislava, says one of his FOI requests was shared with the person he has asking about and another had an even more unusual conclusion. After filing a FOI request, Stancl called the agency asking if they had received it. At the end of the call the agency actually asked him whether the information will be used in favor, or against the subject, an influential official. When Stancl replied ‘against,’ the agency official seemed relieved. “OK, good luck, and I’m sending you all the required info,” Stancl recalls.

Reporters say it’s a general problem in Europe and neighboring countries. Several OCCRP partners have received calls from the people they were investigating or from officials discouraging them from continuing their search for information.

For example, as a matter of course, Serbia’s Anti-Corruption Agency informs the subject of an investigation that a request for their information has been received and asks them to consent to giving out that information. According to Stevan Dojcinovic, the editor of KRIK (an OCCRP partner), the country’s business and land registries have leaked information to investigation subjects, compromising not only investigations but also the safety of the journalists.

Likewise, in Montenegro, OCCRP partner MANS was investigating the development of hotels in protected areas around the coastal city of Perast when they received a call from a person of interest asking why they were looking into his business dealings. He had obtained their information from the Ministry of Culture, which notified him that a request involving him had been filed.

In another instance, MANS investigators filed public record requests on individuals linked to cigarette smuggling. They then received calls from those individuals, who had gotten their personal information from the institutions where the requests were filed.

Even in EU countries, there are instances of personal data having been leaked to potentially dangerous individuals.

During an investigation by the Investigative Reporting Project in Italy (IRPI) on waste smuggling, reporters received intimidating phone calls from smugglers insisting they “stop nosing around their business.”

The smugglers had been given journalists’ phone numbers, addresses, dates of birth, and personal ID numbers by the offices where the information requests were made. In Italy, individuals have a right to appeal a decision to provide information that had been requested about them, though the offices can overrule it and provide the information anyway. However, if the public body is lax with data protection rules, by this stage the subjects of the investigation may already have journalists’ sensitive personal information.

Providing this information is wrong, say experts.

“Forcing those who request information to fully identify themselves undermines this fundamental right and clearly can put investigative journalists’ lives in danger,” said Helen Darbishire, the founder and executive director of Access Info Europe, a freedom of information watchdog.

“This must not be allowed to happen again,” she insisted. “The European Union has to set standards that ensure that requesters’ identities are safeguarded.”

There is no specific EU requirement that Member States adopt access to information laws. All EU countries except Luxembourg have such laws, but they vary hugely in quality, and most do not specifically address the issue of protecting the requester. Most require the requester’s name and often other identifying data to be provided when submitting a request. If requested information affects a third party, the public body may notify that person or company, but data protection laws should ensure that the name of the requester is protected. Nevertheless, the lack of explicit provisions protecting information requesters’ identities has resulted in individual agencies developing their own practices. A better way, say experts, is to allow anonymous requests.

For Jan Kuciak and his innocent fiancée, it is too late. However, his colleagues are demanding greater clarity and protections.

“It would be a real crime if some low-level bureaucrat got our colleague killed,” said Drew Sullivan, editor in chief of OCCRP. “That would be giving his information request to one of the most dangerous crime groups in the world – gift-wrapped in a package with his name and home address – that’s all a professional killer needs,” he said.