Tag: civil society

Litigating Pegasus in Azerbaijan: Addressing harms of the government-sponsored surveillance on civic groups in the absence of legal guarantees

Posted on by aiw_admin

In the following featured legal analysis, AIW looks at the litigation work carried out thus far in Azerbaijan on devices infected by Pegasus. Specifically, this legal analysis looks at how Pegasus spyware was deployed to monitor journalists, lawyers, and activists in Azerbaijan and the legal steps taken within the existing national legislative framework to mitigate the unlawfulness of the use of Pegasus against these groups and individuals.  

Background

Over the last few years, global-scale investigations carried out by international human rights organizations, investigative journalists, and/or whistleblowers have shown that the scale of the unlawful surveillance of individuals’ private lives through murky technology software has been pervasive, and widespread. Those findings also revealed the vulnerability of individuals’ fundamental rights and freedoms to private technology companies and the states deploying that technology for their personal interests.

This has certainly been the case in Azerbaijan, where platforms like Azerbaijan Internet Watch (AIW) and others, have documented government-sponsored surveillance and cyber espionage activities. Especially vulnerable are the social and political activists. Several human rights monitoring organizations note the increase in cyber attacks on these groups in recent years.

***

Since 2011, Freedom House analyzes the state of Internet freedom in Azerbaijan in its annual Freedom on the Net report. Until now, each report indicated continuing deterioration of internet freedoms in the country.

Increased interventions on the internet freedoms often constitute a violation of fundamental rights and freedoms stipulated in national and international human rights documents, as such making states obligated to provide effective legal protection and recovery mechanisms against such violations.

However, as documentation and reports from recent years indicate, Azerbaijan thus far, failed to provide effective legal guarantees in cases of privacy violations through cyber-attacks, illegal collection of personal data, wiretapping, and account compromise. Despite routine calls made to the Azerbaijani authorities to investigate and bring perpetrators of cyber-attacks to account, no steps have been taken.

As a result, Azerbaijan continues to systematically fail in providing effective legal remedies and sound investigations against state-sponsored digital attacks and surveillance. Moreover, despite evidence-based reports of targeted and coordinated cyber attacks against activists, the government thus far has not investigated and/or provided effective legal guarantees.

***

In July 2021, an international collaborative reporting initiative #PegasusProject documented how NSO Group, an Israeli surveillance company, sold Pegasus, a hacking software, to authoritarian regimes to target human rights activists, journalists, politicians, and lawyers among others worldwide. The investigation and the list were coordinated and obtained by the Paris-based journalism nonprofit Forbidden Stories and advised by Amnesty International Security Lab.

The investigation determined that Azerbaijan was among the top 10 countries deploying Pegasus spyware.

Organized Crime and Corruption Reporting Project (OCCRP), which was one of the partners in the global investigation, discovered that out of the 50,000 phone numbers that were leaked, 1000 were from Azerbaijan. OCCRP was able to identify 245 numbers and as a result, concluded that a fifth of these numbers belonged to journalists, lawyers, human rights and political activists, politicians, and their family members. OCCRP published a list of identified civil society activists whose devices were confirmed to have traces of Pegasus spyware.

***

Following the Pegasus Project leak, on July 22, 2021, on the National Press Day in Azerbaijan, journalists and human rights defenders gathered in a virtual round table discussion titled “New digital threats to critical voices” initiated by the Institute for Reporters’ Freedom and Safety. The group discussed the importance of protection mechanisms against such mass surveillance and stressed the need to join efforts and seek legal remedy through domestic and international courts. As such, an operative group of lawyers was assembled to develop applications and appeals to domestic authorities and the European Court of Human Rights (ECHR).

Since that meeting and at the time of writing this report a total of four groups were formed, led by different lawyers, representing in total of 62 applicants. It is worth noting that some victims hesitated to join these collective complaint groups due to safety concerns.

Complaints and lawsuits were lodged as early as August 2021. Lawyers and advocates representing all four groups, prepared complaints to the Prosecutor General’s Office of the Republic of Azerbaijan, claiming that their clients’ mobile devices were illegally infected by Pegasus spyware leading to violations of privacy, freedom of expression guaranteed under the national laws and European Convention on Human Rights, the right to effective remedies and the right not to be subjected to restrictions of Convention rights with improper motives or ulterior purposes (Article 18).

Applicants in the group of cases led by advocates and practicing lawyers requested the Prosecutor General’s Office to open a criminal investigation based on the evidence revealed as a result of the global investigation. Specifically, the lawyers noted that several articles of Azerbaijan’s Criminal Code – Article 156, “Violation of privacy”, 271, illegal access to a computer system, 272, illegal interception of computer data, and 302, “Violation of the legislation on operation-search activities”, were violated as a result of the committed criminal act.

According to Article 156 of the Criminal Code (“Violation of privacy”), actions that violate privacy are prohibited and are the basis for criminal liability. According to Article 156.1 of the Criminal Code, the distribution, sale, or giving to someone else, the illegal collection of information that is a secret of personal and family life, documents reflecting such information, video and photo recording materials, sound recordings, causes criminal liability. Article 156.1 of the Criminal Code aims to protect the information that constitutes the secret of personal life and is derived from the goal of protecting people’s constitutional right to privacy. The object of this crime is people’s personal life information.

According to Articles 271 (illegal access to a computer system) and 272 (illegal seizure of computer data) of the Criminal Code acts of deliberately entering a computer system or any part of it without the right to access it, by violating the security measures, or capturing computer data stored on a device, or with other personal intent are criminalized.

Article 302 of the Criminal Code (“Violation of the legislation on operation-search activities”) criminalizes unlawful measures by the persons authorized to carry out operational-search activities in the absence of the grounds established by legislation.

In all of the legal complaints submitted based on the list of violations mentioned in the paragraph above, the team of lawyers asserted that the findings of the Pegasus investigation, put their clients at risk of both secret surveillance and of having their communications data unlawfully intercepted by the authorities or third parties who own the software. None of the identified civil society representatives targeted by the spyware were under lawful investigation. As such lawyers demanded that the Prosecutor General’s Office of Azerbaijan launch a criminal investigation, including the possible role of the Azerbaijani law enforcement in the mass surveillance activities. The legal representatives of all clients said, the state is obligated to provide effective legal guarantees against the abuse of spyware tools against citizens as the latter may constitute unlawful interferences to the right to private life, freedom of expression, and in the case of failure to fully and duly investigate, violation of the right to an effective remedy.

Due to the lack of legal remedies in cases of severe privacy violations, within the Azerbaijani legislation, advocates and lawyers relied on Article 8 (right to respect for private and family life), Article 13 (right to an effective remedy), and Article 18 (Limitation on use of restrictions on rights) of the European Convention on Human Rights.

Between July 2021- July 2022, one of the advocates representing one of the four groups of applicants,  separately applied to the State Security Service [SSS], the Ministry of Internal Affairs [MIA], the Ministry of Digital Development and Transport [MDDT], as well as the Ombudsman office requesting an investigation, along with the Prosecutor General’s Office. None of the advocate’s appeals were successful. None of the institutions investigated the complaints or provided reasonable answers.

Overall, the lack of effective response on behalf of the law enforcement authorities, against complaints requesting to open a criminal investigation, indicates there were and still are significant flaws and delays in the investigation process, despite the evidence collected through forensic methodology by the international organizations. Nearly a year later, the law enforcement authorities are yet to take formal investigative actions, despite the complaints containing forensic evidence obtained from the examined mobile devices.

Court litigations

In all of the legal cases, the lawyers provided circumstantial evidence (contextual information) for how Pegasus infected the mobile devices of applicants. Specifically, the lawyers shared detailed information about the purpose of the Pegasus spyware and the potential state agencies that might use it. Relying on the existing national legislation the lawyers also established the legal grounds for using surveillance programs to intercept private communication or other private data from technological devices, including mobile phones.

Advocates representing the four groups submitted complaints to the local courts against the general prosecutor’s office for failing to explain why it sent lawyers’ Pegasus-related complaints to the State Security Services in the absence of justifications or notice. It was the responsibility of the General Prosecutor’s Office to investigate lawyers’ complaints, but instead, it sent them directly to State Security Services. This was unlawful and baseless. Yet, despite the unlawfulness of the act, the local courts did not satisfy these complaints and returned them without consideration (issued decisions in a similar text that they were considered inadmissible).

This explicitly demonstrates that the law enforcement authorities and domestic courts of Azerbaijan refused to effectively investigate the complaints and failed to provide any legitimate grounds for refusing the investigation in the first place.

One of the four groups involved in litigation procedure, includes activists, human rights defenders, journalists, and other public figures, who were previously subjected to different legal harassment by the government. Advocates and lawyers representing this group are demanding that the Prosecutor General’s Office investigate the possible role of the law enforcement authorities on the grounds that the use of spyware tools breached the defendants’ rights guaranteed under both the Constitution of Azerbaijan and the international treaties Azerbaijan is a party to. 

The complaint consists of the summary of the complaint itself, information about the applicant, and information on the use of Pegasus to track the defendants, including applicants’ claims and petitions based on the substantial and procedural grounds of the complaint.

In their fifteen-page complaint, the applicants referred to the findings of Pegasus investigations, alleging that their phones were tapped and infected with Pegasus. The complaint also stated that listening and monitoring of the complainant through the use of Pegasus violated Articles 32, “Right to inviolability of private life” and 47, “Freedom of thought and speech” of the Constitution of Azerbaijan, and Articles 8, 10 and 18 of the European Convention on Human Rights (ECHR) as the breach was politically motivated. Lawyers also claimed that the surveillance was in violation of Articles 18 and 19 of the UN International Covenant on Civil and Political Rights, as well as the jurisdiction of the Human Rights Committee on the implementation of that Covenant.

In addition, 11 petitions were attached by the lawyers, to the submitted complaints, requesting certain actions from the Prosecutor General’s Office that was necessary for an impartial and comprehensive investigation. These petitions included:

  • Obtaining testimonies of applicants;
  • Submitting official requests to Amnesty International Forensics team and the OCCRP for forensic investigation of identified devices;
  • requesting the Ministry of Internal Affairs and the State Security Service to obtain a list of persons who carried out the interception of the devices;
  • obtaining information on the purchasing of the spyware from the “NSO Group” company;
  • requesting information from the Ministry of Internal Affairs, the State Security Service, and the State Special Protection Service of the Republic of Azerbaijan about any relevant instructions on preventing human rights violations during the use of the Pegasus or similar programs;
  • obtaining information on whether the officials at the Ministry of Internal Affairs and the State Security Services, authorized to carry out an operation-search measure, were involved in training on legislation and human rights standards.

It was also noted that the applicants, were law-abiding citizens, engaged in public and political activities, and were not engaged in criminal activities. As such the targeting of these individuals with Pegasus, was politically motivated and criminal given the absence of any mandatory, investigative, or judicial acts, within the scope of the Code of Criminal Procedure (CPrC) Article 177.3.5, and as a result, the use of Pegasus on their devices was in violation of targeted users’ rights and freedoms.

According to Article 443.1 of the CPrC, investigative actions over mobile phones and other communication devices are usually carried out on the basis of a judicial act. In the cases where these investigative actions are carried out without a court decision, on the basis of the investigator’s reasoned decision, after the completion of the corresponding investigative action, the investigator must inform the court conducting the judicial control and the prosecutor conducting the procedural management of the preliminary investigation within 24 hours and verify the legality of the investigative action carried out within 48 hours.

According to Article 215.1 of the CPrC, it is mandatory to conduct a preliminary investigation in all criminal cases, except for the investigation conducted in the form of simplified pre-trial proceedings for crimes that do not cause a great public danger.

Moreover, when responding to the lawyers’ complaints, the Prosecutor General’s Office, determined that the applicants’ complaints had to be sent to the Investigative Directorate of the SSS. Which is contrary to Article 215 of the CPrC and was contested by the lawyers who submitted a complaint to a local district court. The lawyers argued that it was illegal and unreasonable for the General Prosecutor’s Office to forward the complaint to the SSS for further investigation without any justification. At the same time, the transfer of the pre-trial investigation to the SSS, which is (potentially) a party of interest in the case, violates the procedural rights of the applicant on the personal life and freedom of expression, as well as the right to the effective remedy provided by Article 13 of the ECHR (taken together with Articles 8 and 10), because SSS will not be able to carry out the work related to the alleged illegal actions of its employees in accordance with the principle of objective impartiality. In addition, there are no normative legal grounds that could demonstrate the objective independence of the Investigative General Department of the SSS from other structural divisions of the Security Service.

Explainer: Lawyers reasoned that Pegasus was provided to the police and security agencies. From this point of view, based on the circumstances of the case, there are sufficient grounds to assume that the listening and online monitoring of the complainant was carried out by an employee (colleagues) of the police and (or) security agencies. In such a case, the prosecutor’s office cannot hand over the case of the preliminary investigation to the investigative body of the institution that carried out such hearing and monitoring. Otherwise, such an investigation would be subject to a conflict of interest in the case. In this regard, the elimination of conflict of interest in the investigation of a criminal case is one of the requirements of the criminal procedural legislation. Summarizing the above, it becomes clear: a) referral of the complaint to the State Criminal Court is a violation of the investigative responsibility defined in Article 215.2 of the Criminal Procedure Code; b) referral of the complaint to the DTC contradicts the principle of conflict of interests contained in Article 1.1 of the CPrC; c) referral of the complaint to the DTC is a violation of the human rights of potential victims (interested persons) defined by Article 1.4 of the CPrC, in this case, the right to request an effective procedural investigation; d) the referral of the complaint to the State Prosecutor’s Office is a contradictory decision and gives the impression that legal proceedings have been initiated to listen and monitor the complainant, as well as this referral was carried out by the wrong structural unit of the General Prosecutor’s Office.

Responses of law enforcement authorities

The General Prosecutor’s Office’s response to complaints was to forward the complaints to the State Security Service (SSS) for further investigation, without informing the applicants and without providing any explanation for the reasons for doing so.

The SSS, in all four groups of cases, refused to give an official written answer to the applicants about the investigation of their complaints (although they are required to do so by law). Officials from SSS informed lawyers verbally, that SSS did not monitor the applicants through Pegasus and therefore no written responses would be given.

As a result, advocates representing all four groups filed lawsuits against the General Prosecutor’s Office and the SSS for inaction and refusal to launch a criminal investigation.

It was not until August 2022, that the SSS started to summon a number of civil society members and journalists (applicants) to obtain their testimonies in regard to allegations of the tracking of their phones by the Pegasus software. Reflecting on the delayed response, one of the targeted civil society activists, and the chairperson of Election Monitoring and Democracy Studies Center, Anar Mammadli, said this was simply a sign of lack of action. 

In their responses to some of these complaints, the General Prosecutor’s Office and the Ministry of Internal Affairs said it was not possible to conduct an investigation on the complaint. Moreover, in relation to some of the applicants, in their response, the General Prosecutor’s Office, said, “the information on the features of capturing and tracking personal secret information was not determined by means of the Pegasus spy program,” but stopped short of explaining how then the information was obtained if it was not through Pegasus.

Since the engagement of advocates in pursuing these cases in domestic courts, the proceedings in all four groups are pending at different instances. Only 15 applicants were sent to the Strasbourg Court thus far. Advocates are currently seeking to exhaust domestic remedies to apply to the ECHR in the remaining cases.

Conclusion and next steps in taking the Pegasus cases to the European Court of Human Rights

In addition to the Constitution and other national laws of the Republic of Azerbaijan, the right to privacy is recognized as an international human right in numerous international treaties to which Azerbaijan is a party. As a signatory of the European Convention on Human Rights and the International Covenant on Civil and Political Rights, Azerbaijan has binding obligations to protect rights to private life, including private communication and other private data, from infringements, including unlawful search-operation and surveillance activities of law enforcement authorities and any interference by third parties.

On September 20, 2009, Azerbaijan ratified the Council of Europe Convention of 1981 (Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) for the protection of personal data which also falls within the scope of private life as protected by Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) making its application in Azerbaijan compulsory.

The ECHR reiterates that any interference can only be justified under Article 8, paragraph 2, if it is in accordance with the law, pursues one or more of the legitimate aims to which paragraph 2 of Article 8 refers, and is necessary in a democratic society in order to achieve any such aim (see Kennedy v. the UK, paragraph 130). 

In the context of handling complaints related to Pegasus cases by Azerbaijan’s law enforcement agencies and courts, the lawyers demonstrated, that the applicants were subjected to interferences to their right to private life contrary to the adopted national and international human rights documents. The lawyers’ subsequent complaints were related to the law enforcement and judicial authorities’ refusal to investigate complaints about those interferences, including secret surveillance without providing any explanations and sound reasons.

In all four groups of Pegasus litigations, the secret surveillance of mobile devices had no basis in domestic law as none of the applicants were declared as suspects or accused persons in any criminal investigations.

The Strasbourg Court has delivered many rulings on the protection of privacy and personal data against government-sponsored surveillance or state responsibility to protect individuals from violence by third parties (Guide on Article 8 of the European Convention on Human Rights. Right to respect for private and family life, home, and correspondence. Updated on 31 August 2021. Para 107.) In order for surveillance to be in line with the Convention, certain legal safeguards should be provided both in legislation and practice, according to the case law of the ECHR.

Explainer: the law must be precise and clear as to the offences, activities and people subjected to surveillance, and must set out strict limits on its duration, as well as rules on the disclosure and destruction of surveillance data. Rigorous procedures should be in place to order the examination, use and storage of the data obtained, and those subjected to surveillance should be given a chance to exercise their right to an effective remedy. The bodies supervising the use of surveillance should be independent, and appointed by and accountable to parliament, rather than the executive.

At the moment, advocates and lawyers, are in the process of developing their clients’ applications to the ECHR alleging that the laws governing the matters of secret surveillance, as applied in practice, and also the refusal of the law enforcement authorities and courts to investigate allegations of surveillance, do not provide sufficient safeguards against arbitrary or abusive secret surveillance and/or accessing of private communications data. Lawyers also complained they had no effective remedy – domestically – in respect of those breaches which can be achieved through national legislation that strictly abides by the case law of the ECHR. The lawyers alleged that no effective remedy was available under Azerbaijani law and that SSS’s investigation could not be rendered effective since it is not an impartial and objective institution to review allegations of possible abuses and arbitrariness of its own officials. As regards the surveillance, a State could arguably be liable in respect of whatever system of surveillance without offering adequate and effective guarantees against abuse according to the well-established case law of ECHR.

According to Azerbaijan’s criminal law system, there are two judicial procedures that may be used by an individual wishing to complain about the acts of the investigative authorities:

  • complaint to supervisory-review and
  • judiciary (first and appeal court instances) under the CPrC.

However, as seen throughout the domestic litigation process in the course of the last year, the domestic courts stated clearly that the General Prosecutor’s Office forwarding the complaints to the SSS were not subject to judicial review, and the SSS’s lack of action was also not viewed as a sufficient ground to allow judiciary review. This makes it unacceptable that an individual cannot lodge such a complaint without having at least the concrete decision of the investigative authorities, which in fact, constitutes de-facto rejection to investigate the complaint containing allegation about a criminal act committed against him/her. In the absence of domestic remedies against potential surveillance measures under Azerbaijani law, an individual would hardly ever be able to have his/her right to effective remedies, respected and ensured. 

Explainer: In this connection, the case law of the ECHR notes that ‘In the sphere of secret surveillance, where abuses are potentially easy and could have harmful consequences for a democratic society as a whole, it is in principle desirable to entrust supervisory control to a judge, judicial oversight offering the best guarantees of independence, impartiality and a proper procedure (Roman Zakharov v. Russia [GC], § 233; İrfan Güzel v. Turkey, § 96).’ The absence at the national level of a judicial review of the law enforcement authorities reactions (inaction or refusal to investigate without a decision) to the complaints of individuals containing alleged unlawful surveillance and other infringements of the right to privacy excludes the state’s obligation to strike a fair balance between the competing public and private interests.

Therefore, Article 8 of the ECHR likely be found as violated without the opportunity for judicial review of the inaction of law enforcement authorities constituting de-facto rejection to investigate the complaint containing allegations of violation of the privacy of individuals as they had not benefitted from the minimum degree of protection against abuses and arbitrariness. According to the case law of the ECHR, the absence of a judicial review of the overall covert surveillance system which was entrusted solely to the state body which was directly involved in requests for the use of special surveillance means amounted to a violation of Article 13 in the light of Article 8 owing to the lack of an effective remedy (see: Association for European Integration and Human Rights and Ekimdzhiev v. Bulgaria, 2007, §§ 98-103).

As such these litigations expose that surveillance software not only harms individuals unlawfully targeted but also raises the question of insufficient legal guarantees in place to protect generally all individuals against possible unlawful surveillance and other kinds of privacy violations.

Finally, these litigations highlight the insufficient legal guarantees both in national legislation and practice, by creating significant legal precedent at ECHR, and by publicly uncovering and highlighting the inadequate national legislation which potentially can lead to gross human rights violations. Therefore, there is a greater need to challenge both national laws and the practice of state authorities’ system of secret surveillance, as the current system constitutes potential risks for interference with the rights of all users of telecommunication services guaranteed by the Convention and national laws.

Meta’s quarterly adversarial report confirms suspicions of government sponsored targeting

Posted on by aiw_admin

This month, Meta released its pilot quarterly Adversarial Threat Report. Among the countries mentioned in the report, is Azerbaijan where the platform said it has identified “a hybrid network operated by the Ministry of the Internal Affairs.” According to the document, this network relied on, what Meta refers to as, “Coordinated Inauthentic Behavior [CIB]” in combination with cyber espionage, “compromising accounts and websites to post” on behalf of the Ministry. The ministry’s press office was quick to dismiss the findings, saying the findings were fictitious. 

To pundits familiar with Azerbaijan as well as this platform, it was not all surprising to see the country’s name on the list. This is also not the first time, Azerbaijan’s name appears in Facebook reports on CIB either.

Ample evidence collected over the recent years indicated how a thriving community of government-sponsored [in]authentic accounts targeted independent and opposition media pages and accounts; political activists and rights defenders’ profiles; and have done so over extended periods of time, causing reputational damage to the owners of targeted accounts, spreading false information, distorting facts, and engaging openly in harassment. These and other forms of content/user manipulation on social networks have also become more explicit, and brazen.

So, while it is great that Meta has taken notice and taken measures, it is too little, too late. And here is why. 

Pre-surveillance era 

Azerbaijan users embraced Facebook when it finally expanded beyond its limited geographical scope in 2006. By 2011 the number of Facebook users in Azerbaijan was 7percent. Fast forward eleven years, and according to Azerbaijan Press Agency, this number is around 58.4percent. Since the early years of Facebook, the platform quickly became a popular tool in the hands of activists and more broadly speaking civil society. Used to organize public events and workshops, and share information, Facebook also turned into a platform for political organizing. This continues to be the case to this day. But the platform’s popularity also attracted the attention of the ruling government. Nervous, of spillover from the Arab uprisings, monitoring of the platform became a norm. Scores of activists would get whisked from the streets, for questioning over the following years for public posts calling for protests or criticizing the authorities and government institutions, and politicians. 

It was only a matter of time, before a counter-narrative, sponsored and organized by the state institutions would appear on the platform. First in the form of youth movements sympathetic to the regime, and their members who meticulously searched for any criticism of the ruling government only to argue the opposite. And then gradually transitioning into a more systematic trolling, targeting, and harassment. Facebook profiles, were replaced with Facebook pages which were created to look like profiles but in reality, were facades for hundreds of inauthentic accounts. Gradually distorting facts and targeting users by “brigading” was combined with aggressive “cyber espionage.” The latter is perhaps the most common emergency, AzNet Watch has documented in recent years. 

But back at the headquarters of Facebook, nobody knew how much of a role the platform played in Azerbaijan and in many other countries across the world where the platform was utilized as a tool for information sharing, organizing, as well a political stage of some sort that opposition activists used and continue to use for their political messaging. I once, attempted to explain that to Zuckerberg but he did not want to listen, after all, he was on his honeymoon, touring Europe and the last thing he wanted to hear was the political, and social significance of his company in countries like Azerbaijan. 

Terminology worth knowing

Before diving any deeper let me explain some of the key terms for the sake of clarity. 

Coordinated Inauthentic Behavior

Coordinated efforts to manipulate public debate for a strategic goal where fake accounts are central to the operation. There are two tiers of these activities that we work to stop: 1) coordinated inauthentic behavior in the context of domestic, non-government campaigns and 2) coordinated inauthentic behavior on behalf of a foreign or government actor.

Coordinated Inauthentic Behavior (CIB) – domestic

When we find domestic, non-government campaigns that include groups of accounts and Pages seeking to mislead people about who they are and what they are doing while relying on fake accounts, we remove both inauthentic and authentic accounts, Pages, and Groups directly involved in this activity.

Foreign or Government Interference (FGI)

If we find any instances of CIB conducted on behalf of a government entity or by a foreign actor, we apply the broadest enforcement measures including the removal of every on-platform property connected to the operation itself and the people and organizations behind it.

Brigading: adversarial networks where people work together to mass comment, mass post, or engage in other types of repetitive mass behaviors to harass others or silence them.

Mass Reporting: adversarial networks where people work together to mass-report an account or content to get it incorrectly taken down from our platform.

Cyber espionage: when actors typically target people across the internet to collect intelligence, manipulate them into revealing information, and compromise their devices and accounts.

Now that the terminology is out of the way, what has been Azerbaijan’s performance in Facebook/Meta’s previous reports? Not good to say the least. 

Previously, Azerbaijan was mentioned in two CIB reports both published in October 2020. “We removed 589 Facebook accounts, 7,665 Pages, and 437 accounts on Instagram linked to the Youth Union of New Azerbaijani Party. This network originated in Azerbaijan and focused primarily on domestic audiences. We identified this network through an internal investigation into suspected fake engagement activity in the region,” read the report [New Azerbaijan Party is the ruling party of Azerbaijan that’s been in power since the early years of the country’s independence.]

“While the individuals behind this activity used fake accounts — some of which had been already detected and disabled by our automated systems, they primarily relied on authentic accounts to create Pages designed to look like user profiles — using false names and stock images — to comment and artificially boost the popularity of particular pro-government content. This network appeared to engage individuals in Azerbaijan to manage Pages with the sole purpose of leaving supportive and critical commentary on Pages of international and local media, public figures including opposition and the ruling party of Azerbaijan, to create a perception of wide-spread criticism of some views and wide-spread support of others. From what we’ve seen, it appears that most of the engagement these comments received were from within this network of Pages themselves. Our analysis shows that these comments were posted in what appears to be regular shifts during working hours in Azerbaijan on weekdays.”

Here the biggest credit goes to Facebook whistleblower Sophie Zhang who was the first person to flag these inauthentic accounts and pages to her management as early as 2018 [the year of the presidential election in Azerbaijan] who only took notice after she published an internal memo detailing, how the company was ignoring manipulation of its platform by political parties and heads of government not only in Azerbaijan but in a number of other countries. Zhang was fired after leaking the memo, allegedly over “poor performance.” By then, it was clear the company had to do something. They took notice and removed hundreds of accounts and thousands of pages, reported BuzzFeedNews. 

In April 2021, Facebook said it has removed another “124 Facebook accounts, 15 Pages, six Groups and 30 Instagram accounts from Azerbaijan that targeted primarily Azerbaijan and to a much lesser extent Armenia.” The “April 2021 Coordinated Inauthentic Behavior Report” said, that the network of accounts was discovered “as a result of [Facebook’s] internal investigation.” The report identified “third-party Android applications — Postegro and Nunu,” misleading users “into giving away their Instagram credentials.” At the time [the report was published in May 2021] the company said, its CIB investigation discovered links between the accounts “to individuals associated with the Defense Ministry of Azerbaijan.”

A month before this report was published, AzNet Watch investigated brigading against Meydan TV, an independent and now exiled online newsroom: 

What does art, shopping retail, web design, sports, cosmetics, and e-commerce website have in common? Absolutely nothing, except these, are all various categories available on Facebook when setting up pages. Since 2019, Facebook removed the limit on the number of pages a user can set up. Unfortunately, Facebook did not take into account, how this innocent feature update, if in the wrong hands, can do harm. In the case of Azerbaijan, this is exactly what happened, when Meydan TV, an independent Berlin-based news platform, shared a call for applications for a program, held in partnership with Brussels-based human rights organization, International Partnership for Human Rights in February 2021.

Also in April, The Guardian published this story explaining how Facebook allowed state-backed harassment campaigns, target-independent news outlets, and opposition politicians on its platform.  The story in The Guardian looked at another case of Azerbaijani online news platform – Azad Soz (Free Speech). Its Facebook account was flooded with over 1.5k comments over a post about two men sentenced to eight months. The Guardian investigation analyzed the top 300 comments and discovers that 294 out of 300 comments were inauthentic Facebook pages.  Just like in the case of Meydan TV. 

But it was not just Meydan TV and Azad Soz that were targeted. Mikroskop Media, an independent online news platform based in Riga, too experienced similar targeting. And so did Azadliq Radio, Azerbaijan language service for Radio Liberty.

Now a year later, the new report said it, “disrupted a complex network in Azerbaijan that engaged in both cyber espionage and coordinated inauthentic behavior. It primarily targeted people from Azerbaijan, including democracy activists, opposition, journalists, and government critics abroad. This campaign was prolific but low in sophistication and was run by the Azeri Ministry of Internal Affairs. It combined a range of tactics — from phishing, social engineering, and hacking to coordinated inauthentic behavior.” The list of tactics, techniques, and procedures (TTPs) used included: compromised and spoofed websites; malware and other malicious tools; credential phishing; and finally the CIB. 

Nothing illustrates the extent of control over the platform like real examples. Last month, AzNet Watch successfully helped restore access to a popular page on Facebook, called “Humans of Azerbaijan.” It was compromised in 2017 and remained inactive until fall last year when its new admins [suspected of being the state security services] started posting compromising content targeting various civil society activists. Eventually, the account was returned to its original owner, Mehman Huseynov. But its comeback was short. Earlier this month, the account was compromised yet again. The perpetrators argued with Facebook that Huseynov was in fact not who he said he was, and instead, sent Huseynov’s ID to the company to confirm their “real” identity. The perpetrator claimed that Huseynov hacked the page. Shortly after, all of the pages managed by Huseynov received multiple complaints making the same claims – that Huseynov was not the real Huseynov. Facebook responded by blocking all of Huseynov’s accounts. Including his own profile. The state security services have access to citizens’ private information – including copies of National IDs, phone numbers and other personal information. 

At the end of the day, what platforms like Meta must understand is that these are not some isolated cases but regular, targeted measures deployed by the government institutions and that to really tackle this kind of brazen behavior and prevent the damage inflicted on the platforms’ active users, the company must adopt measures that offer better protection to users, especially from certain civic groups who are often the main targets. Above all, understanding the political contexts and the role platforms like Facebook play in these contexts would be a step in the right direction. So will Meta take notice?  

Alert: an uptick in online attacks

Posted on by aiw_admin

In recent weeks AIW has documented an uptick in digital attacks against civil society activists in Azerbaijan. On February 17, AIW reported a targeted wave of attacks on political activist Abulfaz Gurbanli. Although he was able to restore access to his Facebook account, more hacking attempts were documented on February 23. At the time of writing this post, access to his Gmail has not been restored.

There were others too. At least two lawyers faced similar attacks although not as pervasive and deliberate as in the case of Gurbanli. Hackers attempted to compromise their Facebook and Telegram accounts. One lawyer said, he was receiving a barrage of phone calls and text messages from unknown numbers. Another activist, Narmin Shahmarzade said that her Facebook account was targeted too. A bug on the platform also prevented Shahmarzade’s followers from leaving comments on a post she wrote and shared in February. Since then, it was possible to fix the bug thanks to Facebook’s intervention and the post is back online. Shahmarzade originally reported that after sharing the post, her followers lost the ability to post comments. There were also attempts to hack email accounts. 

It is hard to pin down any specific reason for an uptick in digital attacks. One likely explanation is the upcoming International Women’s Day. AIW documented how last year a number of activists were targeted. Narmin Shahmarzade, said she lost access to her Facebook profile on March 9, 2021, in what looked like an attempt to discredit the activist. Shahmarzade, was among scores of women who took the streets on March 8, marking International Women’s day in the capital of Baku, and was detained by the police who prevented women from marching peacefully. In an interview with AIW, Shahmarzade said, the hacker, removed her email and changed her user name. Ahead of March 8, another activist, Gulnara Mehdiyeva was targeted by a page, that leaked her sensitive personal audio messages on Facebook. 

In 2020, AIW documented how Mehdiyeva was targeted as well. On March 8, 2020, women’s rights activist and head of the Feminist Movement of Azerbaijan Gulnara Mehdiyeva and one of the main organizers of the march, realized, someone was trying to break into her Telegram account. Then her Gmail was hacked and much of her archive including photographs and documents were “downloaded” by the attacker. In less than 48 hours Mehdiyeva’s personal Facebook account was hacked. She was removed from several Facebook groups that focus on LGBTQI and women’s rights in Azerbaijan, where she was an “admin”. Then, these groups were compromised, suspended and one was deactivated. Both groups lost thousands of subscribers and content that were shared via the Facebook group page. Next in line was Mehdiyeva’s Protonmail.

Hacks and compromised accounts continue to target journalists and activists in Azerbaijan [updated September 13]

Posted on by aiw_admin

Account compromise, website hacks, DDoS attempts, phishing are just a handful of tactics used to target journalists, rights defenders, and activists in Azerbaijan. 

Here is a list of new cases: 

Earlier in July, Azerbaijan Internet Watch reported a phishing attack that targeted some of the civil society activists. Following a forensic investigation carried out in partnership with Qurium, it was possible to confirm that the email was indeed a virus. According to preliminary conclusions, “the e-mail included a link to malware, with the capability of webcam and Desktop recording, execution of windows commands (WMI) as well as extraction and uploading of selected files from the victim’s computer.

Then the civil society was targeted with another phishing, this time the sender pretended to be the National Endowment for Democracy inviting recipients of the email to apply for a Pegasus Grant. 

Preliminary forensic results indicated that the malware sent around in this email was similar to a phishing campaign from 2017, that was widely covered and reported by Amnesty International: 

The victims and targets identified, as well as the political theme of bait documents, indicate that the campaign is largely targeting human rights activists, journalists, and dissidents. This campaign also aligns with findings by VirtualRoad.org in their report, “News Media Websites Attacked from Governmental Infrastructure in Azerbaijan”, which links some of the same network address blocks with “break-in attempts” and “denial of service attacks” against several independent media websites

The malware that was observed is not sophisticated, and is in some manner extremely crude. However, combined with social engineering attempts and an unprepared public, these tactics can remain effective against many targets.

The same month, Azerbaijan Internet Watch received confirmation that the former political prisoner, Tofig Yagublu’s Facebook profile was subject to numerous hacking attempts. 

In early August, former leader of the opposition Musavat party, Isa Gambar reported that all of his social media accounts were compromised including his Facebook profile, Facebook page, and Instagram account. 

The hackers, who took hold of Gambar’s Facebook profile, changed settings, recovery emails, and an affiliated phone number, and have since then shared irrelevant posts. 

On August 27, the website for popular platform HamamTimes was hacked. The team behind the platform, reported all of its content removed, suspecting that the hackers used the site’s vulnerability as a result of weak security protocols in place. So far, HamamTimes, managed to restore all of the website’s archive of stories however its hosting remains vulnerable to new targeting. 

HamamTimes was targeted before as reported by Azerbaijan Internet Watch in a mass phishing attack. 

On September 4, editor of anews.az news website, Naila Balayeva, reported that her Facebook account was compromised. The hacker switched the email account and the phone number originally registered for the profile. Although Balayeva was able to restore access to her email and change the emails, according to the journalist, the hacker continues to use Facebook as the owner often deleting posts that are critical either of the police or the government institutions.  

Anews.az and Balayeva were targeted before. Last year, several Facebook pages affiliated with the website were hacked. 

While it was possible to provide assistance in some of the cases, the response from platforms like Facebook, especially in the case of Gambar has been slow and at times, comical. So far, twice, the platform requested new emails not associated with the platform or any of its apps and twice, Gambar sent proof of identity.  

[Update] On September 9, political activist Bakhtiyar Hajiyev was reportedly threatened by Baku Police Chief Alekper Ismayilov over a Facebook post, that Hajiyev wrote the same day. The post, Hajiyev wrote on Facebook was addressing the Ministry of the Interior, specifically the Minister of the Interior, Vilayat Eyvazov. The activist alleged the ministry was delaying a response to his complaint submitted 50 days ago over a street hooligan. 

[From Hajiyev’s post on Facebook published on September 9, 2021] Instead of investigating why my Ministry of the Interior cannot question street hooligan, who is refusing to speak to them, humiliating police officers who show up at [the hooligan’s] home, Vilayat Eyvazov is going after me for reminding [the Ministry] of my complaint and is threatening me with arrest, death and blackmailing.  

The activist told Turan News Agency that he was summoned to the police on September 9 where Baku Police Chief, Alekper Ismayilov allegedly told Hajiyev less he removes the Facebook post, the activist would face a greater punishment than arrest. 

On September 12, Gubad Ibadoglu, Azerbaijani academic, and an economist reported that his Facebook profile and page were compromised. In an interview with Turan News Agency, Ibadoglu said despite his attempts to strengthen the security of his accounts, they were compromised anyway. “I got a message this morning that my password was changed using my own computer. This means that the hackers of the Azerbaijani government, even in London,” Ibadoglu told Turan. The fact that he received a notification informing him that his computer was the device from which the passwords were changed, means the device was infected with a virus containing some form of keylogger. It won’t be the first time, this type of information extraction is used to target Azerbaijani civil society. 

[Update] In September, online news platform Toplum TV, reported it lost 16k followers on its Facebook page. 

journalists, rights defenders, activists targeted with Pegasus – a global investigation

Posted on by aiw_admin

An international collaborative reporting on the #PegasusProject released simultaneously by a number of international media, including The Guardian, the Wire India, the Washington Post, and OCCRP among 12 others, the global investigation documents how NSO Group, an Israeli surveillance company, sold Pegasus, a hacking software, to authoritarian regimes to target human rights activists, journalists, and lawyers across the world based on an investigation into a massive data leak. The investigation and the list were coordinated and obtained by the Paris-based journalism nonprofit Forbidden Stories and advised by Amnesty International.

Among the countries revealed to be using Pegasus was also Azerbaijan.

Ever since traces of surveillance technology were revealed to be in use to targeted civil society in Azerbaijan, there were suspicions that among the technology deployed, was also Pegasus. The most recent investigation, confirms these suspicions.

The data leak, containing some 50,000 phone numbers also showed that some of the people identified as owners of the targeted phone numbers were people of interest by clients of NSO since 2016.

According to OCCRP, at least 1000 of those numbers are from Azerbaijan.

“Reporters spent months establishing the identity of the people behind the numbers, and succeeded in verifying nearly a quarter. While NSO Group describes itself as a company that helps governments detect and prevent terrorism and crime, the list of Azerbaijanis selected for targeting shows how the tool was systematically abused. All but a few of the numbers identified by reporters belonged to journalists, activists, lawyers, and members of the country’s beleaguered opposition.

Of the 245 Azerbaijani phone numbers on the list that were identified, a fifth belonged to reporters, editors, or media company owners.”

In its response, NSO Group, “claimed the data used by reporters was misinterpreted and that it does not allow its clients to abuse its software, which, it reiterated, is meant only to surveil criminals and terrorists,” while not responding to specific questions about Azerbaijan.

“NSO describes its customers as 60 intelligence, military and law enforcement agencies in 40 countries, although it will not confirm the identities of any of them, citing client confidentiality obligations. The consortium found many of the phone numbers in at least 10 country clusters, which were subjected to deeper analysis: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates. Citizen Lab also has found evidence that all 10 have been clients of NSO, according to Bill Marczak, a senior research fellow.”

Among identified journalists and activists on the list are:

  • Khadija Ismayilova, journalist
  • Sevinc Vagifgizi, journalist, Meydan TV
  • Fatima Movlamli, activist/journalist
  • Ilkin Rustamzade, activist, and his former wife Amina
  • Nine current and former journalists from Azadliq.info
  • Bahaddin Haziyev, editor, “Bizim Yol” newspaper
  • Elkhan Shukurlu, editor-in-chief of Strateq.az
  • Avaz Zeynalli, editor-in-chief of Khural
  • Anar Orujov, founder of Kanal 13
  • Aziz Orujov, director of Kanal 13
  • Rauf Arifoglu, editor in chief of Musavat newspaper
  • Mehman Huseynov, former political prisoner, and citizen journalist
  • Bayram Mammadov (who died in Istanbul earlier this year) and Giyas Ibrahimov – the graffiti prisoners (Mammadov, his father, and Ibrahimov’s mother are all on the list

According to OCCRP, the list also includes “more than 40 Azerbaijani activists and their family members on the list. Their presence on the list begins in 2019.”

In its report, the Washington Post writes, “the list does not identify who put the numbers on it, or why, and it is unknown how many of the phones were targeted or surveilled. But forensic analysis of the 37 smartphones shows that many display a tight correlation between time stamps associated with a number on the list and the initiation of surveillance, in some cases as brief as a few seconds.”

“The numbers on the list are unattributed, but reporters were able to identify more than 1,000 people spanning more than 50 countries through research and interviews on four continents: several Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials — including cabinet ministers, diplomats, and military and security officers. The numbers of several heads of state and prime ministersalso appeared on the list.

Among the journalists whose numbers appear on the list, which dates to 2016, are reporters working overseas for several leading news organizations, including a small number from CNN, the Associated Press, Voice of America, the New York Times, the Wall Street Journal, Bloomberg News, Le Monde in France, the Financial Times in London and Al Jazeera in Qatar.”

How does Pegasus work

According to Access Now, since 2016, some 46 countries were identified where NSO Group’s Pegasus has been in use. “Reports from Access NowCitizen Lab, and others all show that an alarming number of people targeted using Pegasus have been journalists, lawyers, and activists, whose only crime was speaking out against and reporting on the injustices in their home countries.”

In March of this year, AIW reported on a France-based blogger, whose phone too may have potentially been infected with Pegasus. At the time, there was only suspicion and no conclusive evidence. While this still may be the case, three months later, it is now confirmed, that not only the government in Azerbaijan has been using various methods, to crack down on dissent with arrests, intimidation, and physical threats against civil society, but that it has been doing so using authoritarian technology including Pegasus.

attention: phishing attack detected

Posted on by aiw_admin

On July 8, Azerbaijan Internet Watch received a notification that an email sent on behalf of Human Rights Watch reached a number of prominent Azerbaijani civil society activists. The email contained an attachment “Human Rights Invoice Form Document – 2021.docx” prompting the recipient to download the attached file.

AIW, reached out to partners at Qurium to analyze the attachment. The forensics confirmed the suspicions that the email was indeed a virus. According to preliminary conclusions, “the e-mail included a link to malware, with the capability of webcam and Desktop recording, execution of windows commands (WMI) as well as extraction and uploading of selected files from the victim’s computer.

Screenshot from the original email that was sent.

Phishing incidents targeting civil society activists are common in Azerbaijan.

Numerous reports, including several by AIW, in partnership with Qurium, documented and investigated these attacks, over the recent years [see below].

A detailed report by Qurium presents an analysis of the malware and explains how it was built, its capabilities, and where it was hosted. Among the findings were:

desktoprecord
webcamrecord
download
implant
makepersistent
massdownload
stopimplant
upload
uploadexec
wmicexec
aueval

In addition to taking screen captures and webcam recording, there was another interesting detail – insufficient knowledge or lack of an auto-correct program run on a computer or the user, developing the malware. As captured by Qurium, there were several grammatical mistakes in the pop-up window informing the owner of the device who downloaded the email “Unsopported Microsoft Word version!” & @CRLF & “File corrupted. Error numer: 0x65415681.”

Qurium forensics report.

Qurium also released its report titled “A decade of efforts to keep Azerbaijani media online” that sums up the assistance the platform has provided since 2010 including monitoring and mitigating a wide range of cyberattacks against the websites in Azerbaijan and since 2016, releasing no less than twenty forensics reports to document their findings.

Further, read:

Azerbaijan’s desire to regulate online hate speech: What problems should Azerbaijan fix first?

Posted on by aiw_admin

This is part two in a series of detailed reports and analyses on existing legal amendments and new legislation affecting freedom of expression, media, and online rights in Azerbaijan and their compliance with international standards for freedom of expression.  

Background

On September 17, 2020, Zahid Oruc, member of the parliament and the head of the Human Rights Committee at the National Parliament, suggested parliament adopts a new law on hate speech. At the time, Oruc said the main goal was to prevent hate speech in the information space, possibly with the inclusion of social media platforms [several members of the parliament and government representatives have stressed that social networks should be regulated by law in Azerbaijan in recent years]. While stressing the urgency in adopting such a law, Oruc failed to address the exact nature of this urgency. In addition, likely in response to a possible backlash from the independent lawyers and civil society in Azerbaijan the MP said, the new bill, cannot be viewed “as a document against freedom of speech and expression”. Nevertheless, much of the responses that came following this announcement, were critical of the proposal especially in light of the legal context where plenty of other existing laws and procedures already address hate speech in one form or another.

In January 2020, the discussion on adopting the bill on hate speech was back on the agenda. Speaking at the first meeting of the spring session of the Parliamentary Committee on Human Rights the chairman of the committee Zahid Oruj noted that the spring session will focus on the analysis of world experience in the field of defamation and “hate speech” legislation.

But what about the analysis of Azerbaijan’s experience in the field of defamation? 

In Azerbaijan, a number of conceptual elements of hate speech are envisaged in the different normative legal acts, including in the Code of Administrative Offences, Criminal Code, the law on Information, informatization and protection of information and Law on Mass-Media.  In other words, several Azerbaijani laws include measures that are designed to address unacceptable online content (including hate speech), ranging from removing content, and making content temporarily inaccessible on the information-telecommunication network.

According to Article 47 of the Constitution of the Republic of Azerbaijan, everyone has the right to freedom of thought and speech. Agitation and propaganda, inciting racial, national, religious, social discord and animosity, or relying on any other criteria is inadmissible. Azerbaijan has also ratified the European Convention on Human Rights (hereinafter “ECHR”) where Article 10 provides that everyone has the right to freedom of expression.

Azerbaijan’s history is rich with examples where existing laws, were abused to restrict freedom of expression, and the national legislation so far failed to comply with international human rights standards with respect to the safety of the media workers or citizens who exercise their right to freedom of expression. That and the lack of independent judicial oversight over the restrictions to freedom of expression and thought post additional challenges in a current environment.

In 2017, when changes were made to the law on combating religious extremism, two prominent members of the Popular Front Party were arrested relying on the existing legislation, even though it was clear, it was a setup, as neither of the activists had any religious affiliation. In January 2017, a Baku court convicted senior opposition Popular Front member Fuad Gahramanli to 10 years in jail for inciting religious and ethnic hatred. Gahramanli was known for his criticisms of the government on Facebook. In July 2017 a court convicted Faig Amirli, another Popular Front member and financial director of the now-closed pro-opposition Azadlig newspaper, on bogus charges of inciting religious hatred and tax evasion. Amirli was handed a suspended sentence.

Four out of seven alerts in 2019 related to detention. Despite the March 2019 release of some wrongfully imprisoned journalists, including anti-corruption blogger Mehman Huseynov, the detention and harassment of journalists continue to this day.

During the height of the pandemic in Azerbaijan, the parliament introduced a series of amendments to existing laws that were then used to prosecute activists. Scores of activists were rounded up, including members of the opposition Popular Front [some of these arrests were captured here]. 

The government of Azerbaijan has consistently ignored the international calls, including the judgments of the European Court of Human Rights (ECtHR) requiring Azerbaijan to reform its domestic legislation with respect to freedom of expression and media rights in order to ensure that it is in line with the international standards. Instead of reforms, the government of Azerbaijan has aggravated the criminal liability for defamation and expanded the scope of the criminal liability to the online spaces (2016 amendments to the Criminal Code), adopted a criminal liability for extremist views on vague grounds, and established administrative liability for spreading false information.

These developments were contrary to the ECtHR’s findings in the Fatullayev, Mahmudov, and Agazade v. Azerbaijan cases (2008) where the Court found that application of provisions of the criminal law on defamation had been contrary to Article 10 of the Convention and the Council of Europe calls to the Member States that prison sentences for defamation should be abolished without further delay [Resolution 1577 (2007) of the Parliamentary Assembly, Towards decriminalization of defamation, to which the Strasbourg Court has referred on a number of occasions].

The country’s poor ranking on most of the rights and freedoms indexes attest to the grave reality in the country. It was also reflected in a statement issued following the Council of Europe Commissioner for Human Rights Dunja Mijatović’s visit to Azerbaijan in July 2019 where the Commissioner said, “Freedom of expression in Azerbaijan continued to be under threat”.

The key state obligations while regulating the online hate speech and general concerns for the Azerbaijani context

Despite the term “hate speech” widely used in legal, policy-making, and academic circles, there is often disagreement about its scope and about how it can best be countered [Dr. Tarlach McGonagle. The Council of Europe against online hate speech: Conundrums and challenges, p. 3.]

There is no international legal definition of hate speech, and the characterization of what is ‘hateful’ is controversial and disputed. However, in 1997 the Committee of Ministers of the Council of Europe adopted a Recommendation (No. R (97) 20) on hate speech which stated the term (non-binding) “shall be understood as covering all forms of expression which spread, incite, promote or justify racial hatred, xenophobia, anti-Semitism or other forms of hatred based on intolerance, including intolerance expressed by aggressive nationalism and ethnocentrism, discrimination and hostility against minorities, migrants and people of immigrant origin”. 

In its case law the European Court of Human Rights, without adopting a precise definition, has regularly applied this term to forms of expression that spread, incite, promote or justify hatred founded on intolerance, including religious intolerance.

Key concerns for the abusive application of the hate-speech regulations

There have been growing concerns in many countries that hate speech regulations (both online and offline) are often misused or result in a violation of freedom of thought and expression. To this end, many international human rights organizations have often emphasized raising concerns on this matter and issued general recommendations, and developed standards for the regulation of hate speech to ensure that such regulations are in line with international human rights standards.

As noted, hate speech has threatened freedom of expression in many countries. Despite the importance “to prevent all forms of expression which spread, incite, promote or justify hatred based on intolerance …,” [Erbakan v. Turkey judgment of 6 July 2006, § 56] the presence of hate speech constitutes a serious threat for the freedom of expression in the process of potentially limiting the expression as such.

On May 13, 2020, Freedom of expression organization ARTICLE 19 has warned that France’s new “Avia” Law, will threaten freedom of speech in France. When a draft bill on hate speech was discussed in France, the French government has ignored the concerns raised by digital rights and free speech groups, and the result will be a chilling effect on online freedom of expression in France”. Consequently, on June 18, 2020, the French Constitutional Council (Conseil constitutionnel) the highest constitutional authority in France, declared that the majority of the Law on Countering Online Hatred, more commonly known as the Avia Law, was unconstitutional. This declaration rendered the key provisions in the law invalid. In its decision, the Constitutional Council held that certain provisions infringe “on freedom of speech and communication, and are not necessary, appropriate and proportionate to the aim pursued”.

The international human rights law provides that states may restrict freedom of expression (only) where provided by law with the condition to meet the principles of legality or necessity and proportionality.

Alongside these principles, an effective judicial review is needed to prevent any abuses of laws capable to restrict freedom of expression. The judicial review of such a measure, based on a weighing-up of the competing interests at stake and designed to strike a balance between them, is inconceivable without a framework establishing precise and specific rules regarding the application of preventive restrictions on freedom of expression [Ahmet Yıldırım v. Turkey, § 64; Cengiz and Others v. Turkey, § 62, which concerns the freedom to receive and impart information and ideas; see also OOO Flavus and Others v. Russia, §§ 40-43]. Furthermore, in some cases, for determining the proportionality, the ECtHR assesses the quality of the parliamentary and judicial review of the necessity of the measure [Animal Defenders International v. the United Kingdom [GC], §§ 108-109].

The First and foremost among these safeguards is the guarantee of review by an impartial decision-making body that separate from the executive and other interested parties.

The UN Special Rapporteur notes that “any restriction imposed must be applied by a body that is independent of political, commercial or other unwarranted influences in a manner that is neither arbitrary nor discriminatory, and with adequate safeguards against abuse” (A/67/357, para. 42).

This is not the case in Azerbaijan. For instance, the Ministry of Communications and Information Technologies is the main body regulating the internet in Azerbaijan, something that experts have called to change and share this role with an organization that is not under state control. The ICT market is also fairly concentrated in the hands of the government.

In its report (A/74/486, 9 October 2019), the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression evaluates the human rights law that applies to the regulation of online “hate speech” and notes that any restriction – and any action taken against speech should meet the conditions of legality, necessity, and proportionality, and legitimacy [Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, A/74/486, 9 October 2019), para. 20] and to establish or strengthen independent judicial mechanisms to ensure that individuals may have access to justice and remedies in case of restrictions. The Special Rapporteur further notes that “as a first principle, States should not use Internet companies as tools to limit expression that they themselves would be precluded from limiting under international human rights law. [para, 29]. In the meantime, the same Recommendation envisages a principle [third principle] that requires from the governments that interference with freedom of expression, in the context of combating hate speech, are narrowly circumscribed and applied in a lawful and non-arbitrary manner on the basis of objective criteria and must be subject to independent judicial control.

In addition to discussions on adopting the law on Hate Speech, there are also plans to adopt a new law on Media at the moment. The consistent view of the government to regulate social networks with the “hate speech” law poses an additional risk to the systematically undermined freedom of expression in Azerbaijan. There is no guarantee that Azerbaijan’s government will not use lex ferenda regulations as a tool of oppression against its political opponents and civil society.

Without genuine consultations with civil society organizations, independent journalists, disregarding the constant calls of the human rights organizations and ECtHR judgments to reform the domestic laws to remove irrelevant and restrictive frameworks over freedom of expression, new hate speech, and media laws should be taken into account as a serious concern [Dr. Tarlach McGonagle. The Council of Europe against online hate speech: Conundrums and challenges, p. 29].

Instead of addressing the systematic shortcomings, in particular, rendering the restrictive legal frameworks in the sphere of freedom of conscience, freedom of expression and thought, and internet freedom, the government of Azerbaijan continues to add more restrictive regulations into its legislation that is likely to undermine last remnants of the freedom of expression – the online spaces.

In addition, while in a hurry to pass restrictive legislation against freedom of expression, the government of Azerbaijan remains inactive when it comes to the effective investigation of the smear campaigns and hateful attacks against minority groups, such as LGBTQ- communities, and feminists

Finally, having reviewed the current environment of repression and crackdown, and specifically, in the absence of effective judicial oversight and a fully independent regulatory body accountable to the public, it can be concluded that there is no urgency for any new regulations at the moment in Azerbaijan.

zoom calls between senior opposition figures leaked online

Posted on by aiw_admin

Between May 13 through 17, four different video clips from private Zoom calls were leaked online. The videos were taken from calls that took place between senior members of the National Council of Democratic Forces (NCDF), an alliance representing several opposition parties in Azerbaijan.  The members of the council called the leak a cybercrime committed on behalf of the ruling government. Some have called on the authorities to investigate as this is a breach of privacy according to national legislation, while others, claimed authorities were using NSO Group’s Pegasus spyware.

Until now, no clear evidence emerged indicating that indeed, Pegasus is being used in Azerbaijan. And while AIW continues its investigation into the recent leak, here is a detailed look at other available surveillance and disruption technology the government of Azerbaijan has purchased over the recent years that have the potential of eavesdropping on users’ devices. That, combined with the recent numerous reports about the Zoom app’s security vulnerabilities may provide at least some answers.

What spyware technology Azerbaijan has purchased until now

The interest in snooping on Azerbaijani nationals is not something new for a country that has been criticized by international human rights watchdogs for years over its poor record on human rights and freedoms.

In 2012, an investigative documentary film revealed how companies owned by Teliasonera [namely Azercell in Azerbaijan at the time] “allowed for “black box” probes to be fitted with their telecommunication networks. These boxes allowed for security services and police to monitor in real-time and without any judicial oversight all communication passing through, including texts, internet traffic, and phone calls.”

Two years later, Azerbaijan investigative journalist Khadija Ismayilova revealed that the country’s largest telco had ties to the ruling family, namely to the two daughters of President Ilham Aliyev, raising questions about Internet surveillance and communications security.

The same year, Citizen Lab, identified Azerbaijan, among potential customers of Milan based Hacking Team that sold surveillance equipment called Remote Control System (RCS) to Azerbaijan as well as many other countries whose rights and freedoms record been marred with violations.

“The capabilities of its flagship product, the Remote Control System (RCS), include extracting files from a targeted device, intercepting emails and instant messaging, as well as remotely activating a device’s webcam and microphone.”

Source: New traces of Hacking Team in the wild

Among significant features of RCS are:

  • capture data that is stored on a target’s computer, even if the target never sends the information over the Internet;

  • enable government surveillance of a target’s encrypted internet communications, even when the target is connected to a network that the government cannot wiretap;

  • copy files from a computer’s hard disk, record skype calls, e-mails, instant messages, and passwords typed into a web browser;

  • turn on a device’s webcam and microphone to spy on the target

Moreover, the same CitizenLab report identified an active endpoint in Azerbaijan that was active between June and November 2013 – the year, when Azerbaijan had its presidential election [October] and accidentally announced the results of the election over an app before the voting even began.

In 2015, Organized Crime and Corruption Reporting Project (OCCRP) confirmed that the Azerbaijan government was indeed a customer of the Hacking Team. Pointing at records showing the country’s Ministry of Defense among the company’s clients.

Also in 2015, the Azerbaijan government expressed interest in purchasing Dataminr technology for its ability to “explore an individual’s past digital activity on social media and discover an individual’s interconnectivity and interactions with others on social media.”

The company’s 2015 marketing material, […] suggests that identifying individual users was a key part of Dataminr’s pitch to foreign governments by allowing users to quickly locate the “original source” behind a breaking news alert, and then find that person’s most popular tweets, what hashtags they have used in the past, and who has shared their tweets.

AIW reached out to Dataminr to confirm whether the transaction took place and received the following response:

“We currently do not have any relationship with the Government of Azerbaijan nor do we intend to do so in the future.”

The same year, the government purchased specialized security equipment – Deep Packet Inspection (DPI) to be used to monitor and block social media during the first European Games, Baku was hosting. The equipment was purchased for 3millionUSD from an Israeli company Allot Communications.

In 2016 before access to independent online news platforms is blocked, evidence shows, how the government was behind generating artificial internet network congestion within Azerbaijan to prevent access to RFERL Azerbaijan Service; VoA; and Meydan TV. The same year, first mass, spear-phishing attack targets prominent rights defender and former political prisoner Rasul Jafar.

In March 2017, the same DPI technology that purchased in 2015, is used to block some of the main independent media platforms in the country.

Also in 2017, Azerbaijan purchased another Israeli surveillance product, Verint Systems which was used in targeting of LGBTW+ on Facebook.

“I was training [clients on the use of Verint software] in Azerbaijan,” related Tal. “One day, the pupils came to me during a break and asked how they could [use the software to] determine someone’s sexual preference on Facebook. It was only later, when I read about the issue, that I discovered the country is notorious for persecuting the [LGBT] community. Suddenly things came together,” said one former Verint employee in an interview.

In general, the volume of digital attacks on representatives of civil society in Azerbaijan has been on the rise in recent years and especially since 2018. This was also highlighted in 2018 by Access Now, Digital Security Helpline. Many of these and other cases were covered here and here.

Meanwhile, AIW also looked into the possibility of Pegasus software being used in Azerbaijan following the claims made by some of the civil society representatives in the country. So far, AIW found no evidence for this to be the case. However, there is plenty of other technology available that can help the ruling government to eavesdrop and snoop around.

Taking into account Zoom vulnerabilities

Over the recent months, a number of reports on Zoom’s security vulnerabilities have also made it clear, that without E2E (end to end corruption) and with several other security-related shortcomings, Zoom does not offer, fully secure communication platform and that potential loopholes within the program may have made the leak reported in Azerbaijan possible.

  1. according to researchers at Morphisec Labs there is a Zoom app bug that can enable malicious actors to record Zoom sessions and capture chat text without any of the meeting participants’ knowledge. The malware also prevents any users in a meeting from being made aware of the recording;
  2. malicious actors can assume control of a Zoom user’s microphone or webcam;
  3. Zoom could be compelled to hand over data to governments that want to monitor online assembly or control the spread of information as activists move protests online;

The last point, is especially important, as unlike companies like Google, Facebook an Twitter, Zoom is yet to release information about whether there have been cases of government requests for data it gets, and how many of those requests it complies with. The company was encouraged to do so following an open letter and Zoom promised to publish a transparency report.

Back to Azerbaijan

Taking into account the history of surveillance and equipment purchased by government vendors over the last decade, the consistent crackdown against activists during COVID, it is likely that combined with Zoom’s security vulnerabilities, the leaked video calls were recorded by a third actor, and later leaked online for the purpose of sowing discord among opposition groups.

mass phishing attack against Azerbaijan civil society [updated]

Posted on by aiw_admin

On January 6, veteran human rights lawyer Intigam Aliyev received an email from another human rights lawyer Rasul Jafarov. Aliyev, spotted something was not right and forwarded the email he received to Javarov’s real email.  This is not the first time, Jafarov is targeted. In 2017, the case was captured in detail by Amnesty International.  Unlike Jafarov’s first experience, this time, the email was sent only to a handful of people (at least from what Jafarov was able to collect).

Based on the contents of the phishing email, together with Qurium , it was possible to identify the following information:

  • malware inside the WeTransfer link is written in python and compiled for windows;
  • the malware has been built using a software called technowlogger (more here);
  • The malware records keystrokes, passwords and sends them to a Gmail account after deactivating the antivirus program on your device;
  • In their forensic investigation, Qurium team was able to identify the email address: man474019 [ @ ] gmail.com. This user, has expressed interest in pen-testing tools, penetration testing and other forms of attacks in hacking forums. Including one attack against criminal.az (website currently blocked and it’s editor facing criminal prosecution).
The picture in the avatar displayed belongs to Alibay Mammadov. Together with Qurium, Azerbaijan Internet Watch suspects the attacker has stolen the identity of Mammadov.

According to this TEDx bio, Alibay Mammadov is based in Japan. He is the head of the Azerbaijan Japan Collaboration Association founded in Tokyo in 2016. The association aims to promote bilateral business relations between Japan and Azerbaijan. He is also the President of Azepro Co., Ltd. Azerbaijan Internet Watch has reached out to Mammadov, warning him of the situation however received no response in return.

The attacker seems to continue his research, as his most recent appearance in the forum was on January 14, 2020:

This, however, was not the last phishing attack.

On January 10, an independent online news platform HamamTimes was targeted with a similar phishing attack. The email came through a Gmail account that belongs to journalist Aziz Karimov.

A similar phishing attack was carried out against Azadliq Radio, Azerbaijan Service for Radio Free Europe Radio Liberty team.

On January 11, a larger group of civil society representatives received another WeTransfer link from Roberto Fasino. Fasino is the Head of the Secretariat, PACE Committee on Culture, Science, Education, and Media.

WeTransfer does not verify emails for validity when inserted in the sender or recipient box – you can insert anyone’s email. As a result, any email can be used, including that of Roberto Fasino in the sender box [see below].  

According to Qurium forensics, the virus sent to HamamTimes and from Roberto Fasino is “powershell” exploit that can gain full access to a windows machine. It connects to an intermediary server where the attacker can connect to control the victim’s device. This is how the attack looks when broken down into steps:

  • The attacker prepared the “powershell” attack;
  •  Obfuscate the code using HTML Guardian (HTA file);
  • Upload the file to We-transfer and mail to several victims [how the contact list has been obtained is still unclear – one scenario is that the sender’s email, in this case, roberto.fasino@coe.int was compromised;
  • Once the victim’s device is infected the attacker then continues to perform the attack performing “Reflective DLL” injection into the infected device and uploads the “merterpreter” code;
  • The final step, allows the attacker to have full access to a victim’s device, running commands remotely;

The forensics report also identified that the attacker has set up an account in ngrok.com service to hide his computer.

Once the virus is inside the infected device, it connects to the ngrok.com address 3.17.202.129 and port number 16885.

So far, attempts to reach ngrok.com founder Alan Shreve for a comment and assistance yield no results:

On January 14, new evidence showed the attacker was also using Facebook messenger to infect devices. The new evidence, as well as further investigations of the IP address of the attacker, revealed man474019 to be connected to the government of Azerbaijan and that this was the same location from where DDoS attacks against several independent and opposition websites were coordinated in 2017. The new report also shows that this network includes several ministries, as well as the presence of several firewalls with digital certificates signed by the national cert (cert.az)

Orkhan Shabanov, whose name and email appear in Hacking Team leaks indicated in Qurium’s report, is an employee at the Ministry of the Interior. In his capacity, Shabanov was among participants at the Open-ended intergovernmental expert group meeting to conduct a comprehensive study of the problem of cybercrime that took place in Vienna in March 2019.

What is phishing:

It is when you receive an email from someone who pretends to be someone you know, and phishes for your private information by asking you to download the attachment, or click on a link that would take you to a different page where you are prompted to enter some of your personal sensitive information, including passwords.

In 2019, Amnesty Tech released a detailed report on common phishing attacks used against journalists and rights defenders in MENA. Many of these conclusions apply to other countries as well.

The report describes the following most common types of phishing attempts:

  1. “Reset your password” email – attacker impersonating Google alerts the owner of the account of an alleged unsuccessful login attempt. It then offers to secure the account. Once clicked on the provided link, it redirects you to a page that may look like your Gmail login page, but in fact, it is a fake;
  2. “OAuth Phishing” – is a Web standard used to allow authentication over third-party services without the need of sharing passwords. It is used by companies like Google, Facebook, and Microsoft. According to Amnesty report, this type of phishing allows “attackers use the same architecture but in order to create malicious third-party applications and attempt to lure the targets into granting the applications access to their accounts (such as emails)”;
  3. Google phishing abusing legitimate third-party applications – using the method, attackers abuse the authentication procedure employed by legitimate and verified third-party applications;

This post is based on the research of Azerbaijan Internet Watch and Qurium Media Foundation. A full forensic report by Quriu is available here.

Since the release of this and Qurium’s forensic report, man474019 seem to have removed some of the information from https://forum.antichat.ru/

You can see the difference from how the user profile looks now and from Wayback machine capture (July 2019). The picture is gone too.

How profile looks now.
How profile looked July 2019