The State of Internet Freedom in Azerbaijan – 2022 legal overview

In this final installment of legal analysis, we offer an overview of some of the key developments covered over the last year with relevant updates within what is seemingly becoming a restrictive internet freedom environment.

Summary

From gradually declining space for online media, the visible pattern of offline persecution for online speech, to the lack of protection mechanisms against personal data infringements, and the ineffectiveness of legal remedies against targeted cyber-attacks and harassment,  the research and documentation carried out by Azerbaijan Internet Watch throughout 2022, has shown that over the past year, there has been a significant negative impact, on internet freedoms.

It’s been especially tough for independent media practitioners who are facing the potential prospects of fines, complete closures, and further measures of control and intimidation. The signs of the deteriorating situation were already sown in January 2021 when the government of Azerbaijan announced the establishment of a new media body – the Media Development Agency [MEDIA] and the drafting of a new Media Law. This law which was passed in December 2021, effectively authorized the MEDIA to impose a number of restrictions on media subjects, including a requirement for mandatory registration of journalists with the authorities. As a result, the Law on Media further consolidated the state control over independent and online media.

Over the course of the past year, the general prosecutor’s office continued to persecute online speech by excessively relying on the Law on Information, Informatization, and Protection of Information combined with existing national legislation empowering the Prosecutor’s Office to take measures where it deems necessary. As a result, as documented in this but also prior reports, there have been numerous cases of social media users and media professionals facing fines, and other arbitrary punishments for exercising their right to freedom of speech, all on vaguely defined legal grounds.   

AIW also identified that the government of Azerbaijan continuously failed to protect personal data effectively, either as a result of outdated laws, lack of technical capacity, or political will to address the issue. This is evident in numerous examples of hacked databases over the decade, where obtained personal data was shared or transferred to third parties, without consent, leaving countless users vulnerable. To make matters worse, the unlimited access by law enforcement and special service agencies to users’ personal data, leaves users at risk not to mention, the absence of privacy protection. The research carried out by AIW also showed there are no proper safeguard mechanisms against the abuse of personal data especially when this information is sold for commercial purposes, with subscribers left deprived of their right to know where their data is sent or sold.

Meanwhile, law enforcement authorities failed to offer an effective response to addressing complaints requesting a criminal investigation into the personal data infringements despite there being ample evidence proving that the personal data in question was indeed obtained through stolen or hacked accounts and later unlawfully distributed online.  

The Pegasus litigations, including the targeted cyber-attacks on social media accounts of media professionals and activists, have also proved ineffective as a result of significant flaws and delays in the investigation process. The domestic litigations regarding the use of surveillance software (Pegasus) led to legal applications to the European Court of Human Rights (ECHR), exposing ill-intended practices of state secret surveillance agencies and inadequate national legislation, which has failed to ensure the protection of the rights of all users of telecommunication services as guaranteed by the Convention and the national laws.

Above mentioned domestic litigations also exposed the lack of adequate protective measures for privacy rights, especially in cases of covert surveillance and state-sponsored cyberattacks. Judicial remedies in place have been insufficient, and the existing civil and administrative avenues, require a heavy burden of proof on claimants.

As such, the European Court of Human Rights (ECtHR) remains the most effective international avenue for legal remedies against violations of internet freedoms in Azerbaijan, despite the systematic delays in executing ECtHR judgments. The legal overview carried out throughout the past year indicates that bringing more applications before international tribunals, including the ECtHR and the Human Rights Committee, is essential for protecting privacy rights and countering violations.

Meanwhile, the government of Azerbaijan must adopt effective legal remedies and procedural safeguards against unlawful access to personal data and covert surveillance.

Restricting the Media: Implications for Online Media. Post-March 2022 developments  

Online media in Azerbaijan faces significant challenges with respect to freedom of expression and internet freedoms. There are a growing number of restrictive laws regulating the internet and online content. In addition, the government of Azerbaijan systematically blocks websites, throttles internet connectivity, and carries out cyberattacks and surveillance on human rights and political activists, independent media outlets, and their staff.

On March 24, 2022, Azerbaijan Internet Watch, in its comprehensive legal opinion “New Media Law: implications for online media/journalism in Azerbaijan”, highlighted the adverse implications of the new Media law specifically for on online media and journalistic activities online in Azerbaijan.

On February 8, 2022, the president of Azerbaijan, Ilham Aliyev approved the new Media Law. The law was adopted by Parliament on December 30, 2021. It was heavily criticized by local and international rights organizations who made repeated calls on the government to refrain from adopting the new Law given its restrictive nature. Critics of the draft law worried the new legal document would seriously threaten media freedom, including online media, as it contained provisions granting discretionary powers to the state authorities, including excessive media regulation, especially of online media platforms, as well as further restrictions on the work of practicing journalists, media companies, and relevant entities. Critics were also vocal about the absence of a broad and meaningful public consultation of the law prior to its adoption. The government of Azerbaijan strongly rejected any criticism.

And yet, AIW’s legal analysis, illustrated how the new law empowered media regulatory authorities to issue sanctions, further consolidating government control over the online media environment and journalistic activity, and imposing numerous requirements and regulations on audiovisual media, print media, online media subjects, news agencies, and journalist activities in Azerbaijan. The main concerns included the poorly worded definitions, excessive requirements, and restrictions for online media content, including registration requirements within the newly set up Media Registry for online media subjects, their staff, and freelance journalists working for online media.

The Media environment was already marred with violations and censorship in Azerbaijan prior to the adoption of the law. Numerous news websites were blocked while media practitioners affiliated with independent or opposition media platforms faced persecution and widespread intimidation. The most recent World Press Freedom Index by Reporters Without Borders ranked Azerbaijan 167th out of 180 countries in 2022.

Unlike previous media regulations implemented before 2009 which were mostly indirect restrictions and failed to meet satisfactory international human rights standards, laws that were adopted, amended, or implemented in the following years focused on more formal-legal measures. The new Media Law was the culmination of these measures.

Pre-2009 restrictions mainly consisted of de facto limitations (such as the imprisonment of journalists on bogus charges that were often unrelated to the media legislation) and financial “support” (one-time financial assistance packages, individual scholarships, various orders, medals, free housing after 2011).

Ahead of its adoption in the parliament, the new Media Law was drafted behind closed doors, without public discussions. Even after the draft law was revealed to the public, recommendations and proposals offered by media experts were not taken into account. Several international human rights organizations criticized the new Media Law and urged the Government not to enact the Law.

Among some of the problematic areas of the law are:

*Article 14:

This specific article and its paragraphs require that information published and (or) disseminated in the media (including online media) must meet at least 14 requirements. The law also requires that content published by media outlets should meet the requirements of the Law on Protection of Children from Harmful Information and the Law on Information, Informatization, and Protection of Information which provides an exhaustive list of requirements criticized for vagueness.

*Article 60:

Article 60 paragraph 5, requires online media to publish at least 20 articles per day to qualify as an online media platform.

This is the first time a law defines what constitutes online media. But the rationale behind these measures is unclear. The article does not mention for instance, how newsrooms with smaller teams are meant to produce twenty articles per day. Independent journalists who have voiced concern over this specific article say, this creates an environment of news pollution with platforms focused on producing poorer stories aimed at simply meeting the imposed quota.

It also requires that online media outlets disclose their organizational information on their respective websites;

It also requires online media to register with the tax authorities, identify and appoint a person responsible for editorial;

*Article 62:

Article 62.1 reads that permission from state bodies is not required for setting up online media. But Article 62.2 requires that an online media entity must apply to the relevant executive authority (Media Registry) 7 days prior to the publication or dissemination of the relevant media material.  In other words, while there is no need to apply for creating an online media platform, there is a requirement to apply for a permit once the online resource becomes operational and starts publishing.

Article 62.4 requires an additional opinion issued by the State Committee for Work with Religious Organizations before an online media focusing on religion and religious content is set up.

*Article 74 and Media Registry

The Media Registry system became operational in October 2022. The “rules for maintaining a media registry” — are a set of regulations determining the requirements and procedures journalists must meet in order to be eligible for inclusion as well as exclusion.

The Media Registry itself is an electronic information resource managed by the Media Development Agency, which is managed by the Supervisory Board consisting of a Chairman and 6 (six) members appointed by the President of the Republic of Azerbaijan.

Article 74.2 reads that in order for journalists to be included in the registry they must prove a degree in higher education as well as a number of other merit-based criteria.

Article 74.2.5 requires that journalists obtain and provide an employment contract with a media entity which must be registered with the Media Registry.

*Article 78

According to Article 78.3 of the Media Law (transitive provisions) both print and online media shall apply to the Media Agency within six months after the media registry is established. If an application for a media platform’s registration is denied, then the applicant is not considered a legal entity. Since journalists cannot be “legal entities,” it is unclear what happens to journalists whose registration is denied. 

There is no option to opt out from the registry as it is mandatory as per Article 78.3 of the Media Law.


Already, 200 media outlets and 180 journalists applied to the media registry according to the statement by the Media Agency. The Agency claims that approximately 160 media outlets were registered already. Independent media watchdogs, say around 40 media outlets were denied registration.

On January 12, 2023, the Executive Director of the Media Development Agency, Ahmed Ismayilov said, “media entities have six months to register, those who fail to do so, will be taken to court by the agency. It will be up to the court to decide whether to continue their activities or not.”

Following this statement, a group of independent and opposition journalists and media platforms have come together under a campaign “We do not want a licensed media.” They have been organizing round table discussions both online and offline calling on the government to cancel the registry and reform the bill on Media. In January, the group also issued a statement in which signatories claimed, “the new law will have very serious negative effects on the freedom of the media and journalists, and on their freedom of movement and activity.”  The signatories of the statement also said, the law was unconstitutional and was against the European Convention on Human Rights. As such, they intend to apply to the Constitutional Court and continue onwards with the European Court of Human Rights.

The campaign led to Ismayilov’s backing from previously made statements about court proceedings. Instead, Ismayilov reportedly said, the registration was on a voluntary basis. However, it remains to be seen whether this claim holds true.

Even some pro-governmental journalists criticized the media registry based on rigid regulation and arbitrary application.

Several media organizations challenged the application to the media registry in domestic courts. Among them is 24saat.org LLC (an online media outlet), which has submitted a claim against Media Agency. The news site, was one of the first news platforms denied registration on the grounds its content was not sustainable (referring to the requirement of publishing a minimum of 20 news items on daily basis). The site raised the issues of the illegality of that decision, and its incompatibility with the Constitution and international agreements, asking instead that the agency registers the site and recognizes the violation of the right to freedom of expression. On  January 9, 2023, the Baku Administrative Court held a preparatory hearing on the claim of 24saat.org LLC against the Media Agency. The court case continues.


The increased role of law enforcement & abuse of power in prosecuting online speech: post-May 2022 developments

There are two legislative acts that regulate internet freedom: 

In addition, the Code of Administrative Offences (Articles 388 and 388-1) determines administrative offenses for violations of the above-mentioned laws (the punishment includes fines and administrative detention).

Some Articles of the Criminal Code may be applied to the violations of the above-mentioned laws (such as Article 283 – incitement to hatred and enmity). As well as, the Law on Prosecutur’s Office which allows the respective prosecutor’s offices to issue warning to persons who might breach the law, inter alia, with their statements (Article 22).

The parliament amended the Law on Information, Informatization, and Protection of Information in December 2021 broadening the responsibility of the website owners – previously owner was obligated to remove content, but as per recent amendments he/she must also block access to relevant content (article). 

In general, both laws mentioned above can be described as online content regulation. Article 13.2 of the Law on Information and Article 14 of the Media Law regulate prohibited content and website owners as well as online media outlets must comply with these regulations. Otherwise, they would be subjected to blocking, suspension, administrative punishment, or warnings. Both legislative pieces prescribe a list of prohibited information. These lists are not exhaustive and very extensive. Moreover, the language of these lists is vague and open to arbitrary interference. 

In recent months, the Office of General Prosecutor (OGP) embarked on a spree, of resorting to official warnings and legislation on administrative offenses against online media. The Law on Prosecutor’s Office authorizes the OGP and subordinate prosecutor’s offices to issue official warnings. Also, the Code of Administrative Offenses (Article 54.2) gives unlimited power to the Prosecutor’s office to initiate administrative offense cases for any other case envisaged in the Code. Thus, the prosecutor’s office has the authority to take measures of responsibility and deterrence against the dissemination of prohibited information on the Internet under the existing legislation on administrative offenses and the law of the prosecutor’s office.

AIW’s legal analysis titled “Who regulates content online in Azerbaijan. Legal analysis,” published in May 2022, shared the increased pattern of prosecuting authorities’ inclination to intervene and persecute online media speech.

Since then, OGP continued to issue warnings and leveling administrative offenses in the following cases:

*On July 27, 2022, social media users Fikret Faramez oglu, the head of the “jamaz.info” website, Agil Alishov, the head of the “miq.az” website and Facebook users – Elchin Ismayil, Ali Jabbarli, and Nurana Fataliyeva were warned by the OGP as per Article 22 of the Law “On the Prosecutor’s Office”, not to allow for such negative circumstances in the future (on the grounds of dissemination of false information to undermine the business reputation of the Azerbaijan Army, create artificial agitation among citizens, as well as overshadow the work done in the direction of strengthening the state’s defense capabilities);

*The same day, Tofiq Shahmuradov (military journalist) was accused under Article 388-1.1.1 of the Code of Administrative Offenses by the OGP, and the Nizami District Court found him guilty and sentenced the journalist to one month of administrative detention (on the grounds of disseminating false information to undermine the business reputation of the Azerbaijan Army, create artificial agitation among citizens, as well as overshadow the work done in the direction of strengthening the state’s defense capabilities);

*On July 30, 2022, the Prosecutor General’s Office of Azerbaijan warned social network users Sakhavat Mammadov, Rovshan Mammadov, Zulfugar Alasgarov, Elgun Rahimov, Fuzuli Kahramani, Zeynal Bakhshiyev, and Ruslan Izzatli within the scope of the Law on Prosecution’s Office (on the grounds – the requirements to present facts and events impartially and objectively, and not to allow one-sidedness, were not observed during the publication of information in the media);

*On August 3, 2022, the OGP warned Facebook users – Tayyar Huseynli, Mubariz Sadigli, Nijat Dadashov, and Irshad Muradov over violating relevant online content regulation (incitement to hatred, privacy violation, and defamation);

*On August 4, 2022, the OGP warned Rustam Ismayilbayli (activist) over a social media post, based on Article 22 of the Law on Prosecutor’s Office;

*On September 16, 2022, Taleh Khasmmadov (human rights defender) was warned by the OGP based on Article 22 of the Law on Prosecutor’s Office (dissemination of unspecified information about the Azerbaijani army). The rights defender was warned not to violate laws.

None of these warnings and/or administrative offense cases meet the requirements of the freedom of expression and access to a fair trial envisaged within the international human rights standards or the constitutional obligations of the Republic of Azerbaijan.

Continued targeted cyber attacks against critics: post-November 2022 developments

 In November 2022, AIW published a lengthy legal opinion, “In Azerbaijan, hasty legislative measures in response to cyber threats, leave the protection of personal data on the back burner,” providing a comprehensive analysis of the domestic legislation and the government’s use of those laws and its adverse effects for the personal data protection in Azerbaijan.

Among identified gaps, the report noted that in Azerbaijan, the national legislation on personal data protection does not effectively protect individuals against the arbitrary use of their personal data by both public and private entities.

The analysis also indicates that the national laws restrict and control personal data with intrusive measures, such as equipping telecom networks with special devices, and real-time access to vast amounts of personal data, in the absence of a criminal investigation or judicial order. As such, the absence of clear and enforceable regulations to protect personal data against arbitrariness and flawed systems due to negligence puts personal data at a higher risk of infringements.

Azerbaijan although joined Convention 108, also known as the Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data, in 2009, has not ratified Additional Protocol to Convention 108 which requires each party to establish an independent body to ensure compliance with data protection principles and lays down rules on trans-border data flows.

The rights related to personal data are guaranteed by Article 32 of the Constitution of Azerbaijan, which provides the right to privacy of personal and family life, including information transmitted by various means of communication, including correspondence, telephone, mail, and telegraph. The Constitution prohibits acquiring, storing, using, and spreading information about a person’s private life without his/her consent.

There is also the Law on Personal Data, adopted in May 2010 which regulates personal data through different normation legal acts, and the Decision of the Cabinet of Ministers of Azerbaijan about “the requirements for the protection of personal data” adopted in September 2010. However, previously published analyses on the matter, point out a number of shortcomings.

The weakness of Azerbaijani safeguard mechanisms was acknowledged by Global Cybersecurity Index, which placed Azerbaijan in 40th  place among 194 countries ranked by the index. The European Union’s EU4Digital Initiative also criticized the weakness of Azerbaijani mechanisms. According to the findings, Azerbaijani legislation was described as outdated and unable to protect personal data effectively while the government of Azerbaijan demonstrated no political will to overcome this problem.

Even the intra-country public cybersecurity assessment report found flaws in protection mechanisms (a lack of cybersecurity benchmarks for digital web providers).

The government-issued national strategy for overcoming the problem has not indicated positive results yet. Cyber-attacks increased following the second Karabakh war and peaked again during the September border clashes in 2022. Large-scale cybersecurity attacks were committed against several state institutions and banks in April 2022 and August 2022 the authorities refrained from explaining the extent of the damage and did not publicize the results of counteracting measures.

Gaps in legal remedies addressing government-sponsored cyber attacks

 In February 2023, AIW, published the report “Legal overview legal remedies (or lack thereof) in cases of online targeting,” showing how Azerbaijan does not effectively protect digital rights. The report focused on two types of violations – cyber-attacks, and covert surveillance, which occur frequently but is not prevented due to inadequate legal remedies.

For instance, there is no automatic notification system for covert surveillance, and there is no independent internal review body. Additionally, there are no rules against prosecutorial discretion, no mechanism to address conflicts of interest between law enforcement and state security bodies, and challenges concerning judicial avenues.

Within existing legislation, the country’s criminal law is one that addresses cyberattacks and breaches of privacy. According to the Criminal Code (Articles 155, 156, and 271-273), cyberattacks and violations of privacy and correspondence rights are prohibited and shall be punished. According to these legal norms in case such an act is committed by law enforcement officials, they are categorized as aggravated circumstances. In these cases, the investigative authority is the prosecutor’s office.

There are civil legal remedies under tort law. However, tort law remedies are effective in practice if the relevant breaches are found in the criminal case. Domestic law in a substantive manner also contains constraints against covert surveillance.

According to domestic procedural law (Code of Criminal Procedure), initial inquiries must be conducted based on reports from victims or others. If the initial inquiry finds, reasonable suspicion on allegations it must remit its preliminary investigation. If the prosecutor’s office dismisses the allegations and refuses to initiate a criminal case, interested parties have the right to apply to district courts. District courts have the authority to remit the case back. Moreover, the relevant official bodies shall conduct disciplinary proceedings about the allegations about their officials on cyberattacks and illegal covert surveillance.

In addition, concerning cyberattacks, there is another review body within the Ministry of Digital Development and Transport – the Cyber Security Service. While the cyber security service does not possess sanctions against authorities, it does have the authority to review the cyberattack claims and issue general warnings concerning cyberattacks. Furthermore, this body may inform other investigative authorities if the problem concerns these authorities. However, it doest not have the legal power to conduct an investigation itself nor can it be considered independent.

In its February report, AIW shared recent cases demonstrating the lack of interest by the law enforcement authorities to offer protection in cases of digital rights violations despite having an ex officio power to conduct criminal investigations. Since then attacks have continued.

The most recent state-sponsored attack was against imprisoned political activist Bakhtiyar Hajiyev. Prior to his arrest, Hajiyev criticized the Government, especially the activities of the Ministry of Internal Affairs. Last year, he was abducted by unknown persons and was forced to delete posts about the Minister of Internal Affairs. Up until today, it remains unclear who abducted Hajiyev. The activist was also subjected to a nasty blackmail campaign.

In December 2022, following his return to Azerbaijan from a trip abroad, Hajiyev was summoned by the Baku General Police Department. He was charged with hooliganism and contempt of court. Based on these charges Khatai District Court applied for a remand in custody, the decision was extended until April 28, 2023. Hajiyev went on a hunger strike twice during his detention. After more than 50 days, he stopped at the end of February 2023.

At the end of December 2022, some anonymous social media accounts shared private correspondence between Hajiyev and the media editor (Vusala Mahirgizi). The leaked conversations alleged Hajiyev was a marionette of one of the clans. Hajiyev published a statement in which the activist said, the correspondence was leaked as a result of hacking of his private communication and that the allegations of Hajiyev being marionette were false.

It is worth noting that this correspondence was leaked during calls for the activist’s release. The leak was largely viewed as an attempt to weaken the advocacy campaign for the release of Hajiyev.

Since February 22, 2023, however, Hajiyev has been the target of another blackmail campaign. A number of anonymous users on Telegram under different channels [‘Exposure of Bakhtiyar Hajiyev’] have been disseminating some of Hajiyev’s private information as well as other women the activist has corresponded with were leaked. Currently, one of the Telegram accounts has 4681 subscribers. Similar information was leaked by fake Facebook accounts. In addition to leaked correspondence, sexually explicit photos of several women who appear with Hajiyev were shared by these accounts. As a result, at least two women were forced to leave their homes and hide from their families, fearing reprisals for ‘immorality’ from their families.

It has been identified, that some parts of the correspondence were probably photoshopped according to media professionals. However, there are others that may be authentic.

These anonymous users also published the names of activists threatening to leak their conversations with Hajiyev as well. Some of these activists are advocates calling for Hajiyev’s release. Some activists whose private communications were leaked said, they would submit a complaint about it.

In the meantime, the Ministry of Internal Affairs said these leaks had nothing to do with them and that during Hajiyev’s arrest, they did not seize any of his devices. However, according to Hajiyev’s lawyers, Hajiyev arrived at the Baku General Police Department in his car and left his phone in the car. The car stayed there for three days and it is likely his phone was compromised during this period.

Meanwhile, the Telegram channels are still active. Hajiyev submitted a complaint to the Prosecutor’s Office about the first incident of cyberattacks. According to his lawyers, they will add a second incident also.

What is next?

The overall analysis and reports indicate that domestic legal remedies in the substantive and procedural law do not protect privacy rights up to satisfactory levels in Azerbaijan. While substantive law at the formal level safeguards digital rights, in practice, these safeguards have no real effects. Judicial remedies are insufficient because criminal procedural avenues in some circumstances are insufficient, and in other circumstances, the district courts cannot force for initiation of the criminal case against officials as the latter still depends on investigative bodies like the prosecutor’s office who decide whether or not to open a criminal case.

Moreover, civil and administrative judicial avenues are also not operational because the heavy burden of proof lies on claimants. In addition, internal disciplinary proceedings are not effective due to a lack of independent oversight bodies. Also, Cyber Security Service lacks real mandatory power in cyberattack cases in addition to independence issues. Therefore, in the cases of covert surveillance and cyberattacks by state authorities, domestic remedies are not effective. It should be added that other aspects of domestic remedies concerning internet freedoms also have challenges. For example, blocking access and official warnings by the prosecutor’s office are especially problematic. 

It is well established by the ECtHR in several cases against Azerbaijan that the domestic courts consistently fail to conduct effective judicial oversight in politically motivated cases and instead merely uphold the position of the executive authorities (see, among others, Aliyev v Azerbaijan, appl. No. 68762/14, 71200/14, 20/09/2018, para. 224).  Consequently, it may be concluded that procedural law and its safeguards against internet freedom violations have serious flaws. Moreover, practical case studies further furnish that the relevant investigative authorities and domestic courts are not interested in pursuing criminal investigation cyberattacks, covert surveillance, and upholding internet freedoms in the cases of access blocking and official warnings. 

The European Court of Human Rights (ECtHR) might be considered one of the most effective international avenues in terms of providing legal remedies for violations of internet freedoms. The effectiveness of the ECtHR lies in its ability to issue binding judgments against member states (namely, Azerbaijan) which can result in the provision of legal remedies for the victims of rights violations. However, there are systematic delays in the execution of the ECtHR judgments by Azerbaijan*, the Committee of Ministers of the Council of Europe continuously supervises the execution of judgments of the ECtHR by the member states and urges states to obey the judgments.


 *The Committee of Ministers of the Council of Europe (to which Azerbaijan is a party) mandates that member states comply with the judgments and certain decisions of the European Court of Human Rights. And yet, the court’s decision on Khadija Ismayilova group v. Azerbaijan (Application No. 65286/13) calling on Azerbaijan to duly investigate committed acts, where they [the authorities] failed to do so, and any possible connection and links between crimes committed against journalists and their professional activities, was not complied with.


Given the existing environment, the likelihood of further cyber threats and attacks continuing is high.

The Telegram channels targeting Hajiyev remain. Unidentified persons with ties to the law enforcement authorities have access to Hajiyev’s personal data, and their goal to continue abusing this access is likely. Moreover, the state authorities have broad opportunities to compromise other activists’ accounts and to disseminate their private communications. Therefore, cyber threats currently create a difficult challenge for civil society activists. It should be added that the Government does not commit to changing personal data protection laws and taking practical steps to prevent state-oriented or third-party cyber attacks.

International human rights mechanisms, especially international tribunals are the main source of protection against violations of privacy rights and cyberattacks. Especially bringing more applications before the ECtHR and the Human Rights Committee is very important. Currently, there is no case law of the relevant international human rights mechanisms concerning cyberattacks and privacy violations against Azerbaijan. Despite Azerbaijan not adhering to the judgments of international tribunals on violations of rights, such kind of implementation procedure might help improve the situation.

Due to the current problematic situation within the legal profession (lack of lawyers, lack of interest, and fear among lawyers to take up human rights cases), many cases cannot be brought before international tribunals. Most human rights lawyers are already overwhelmed with the volume of cases they represent. Therefore, international assistance in bringing these applications before international courts is a useful tool for counteracting violations. International human rights organizations must assist local human rights lawyers in bringing cases of personal data infringements to international courts (ECtHR, UN).

In the meantime, the government of Azerbaijan must be urged to adopt effective legal remedies and procedural safeguards against arbitrary and unlawful control of personal data with excessive and broad discretion. Minimum safeguards for the exercise of discretion by public authorities must include detailed rules on (i) the nature of the offenses (grounds) which may give rise to an interception order; (ii) duration, scope, and practical review of interception orders; (iii) the precautions to be taken when communicating the data to other parties.

An independent regulatory authority should be established to supervise and review complaints about personal data breaches. The laws must also be formulated with sufficient clarity and precision to give citizens an adequate understanding of the conditions and circumstances in which the authorities are empowered to resort to this secret and potentially dangerous interference with the right to respect for private life and correspondence.

International advocacy campaigning is a useful instrument for getting attention to the problem. New campaigns may bring the attention of international public bodies to the issue.

Finally, capacity-building activities on internet security issues should be continued and potentially targeted groups should be equipped with more information and tools in this area.

A year in review – from online attacks to overall environment of internet censorship in Azerbaijan

The following overview covers some of the prolific trends which illustrate the scope of digital authoritarianism and information controls in Azerbaijan observed and documented in the past year. 

Introduction 

This report covers the online attacks targeting personal information and devices of human rights defenders, activists, and democracy advocates in 2022. The data is collected through media monitoring and information that was made available by targeted individuals who received support and assistance in mitigating the targeting.  

Overall, 2022 has been no different than recent years in terms of online attacks and internet censorship observed in Azerbaijan. Activists, human rights defenders, and democracy advocates received phishing attacks and were summoned to law-enforcement bodies for criticism voiced online where their personal data and devices were often interfered with in the absence of the owner’s consent. 

In some cases, there were reported hacking attempts and installed spyware programs. In January – December 2022, we observed overall 10 such cases.

Hacking and phishing attacks usually targeted the social media and email accounts of targeted community members. These were possible through the interception of SMS messages (set up as 2FA). In fact, SMS interception has been the main practice, leading to the hacking of scores of personal accounts, the paralyzation of social media accounts, the deletion of online posts, and the dissemination of personal information belonging to the targets.

Among some of the prominent cases was political activist Bakhtiyar Hajiyev whose social media accounts were targeted on multiple accounts. Hajiyev was also kidnapped twice in April and August 2022 and he was taken to the law-enforcement bodies. Police gained access to his social media accounts by force and removed posts that were critical of the authorities and state institutions. Hajiyev was arrested on December 9, on bogus charges, and sentenced to 50 days in administrative detention [shortly after his arrest Hajiyev announced he was going on a hunger strike. According to media reports, he stopped the strike on December 29, 2022]. 

Another civil society member, Imran Aliyev was also kidnapped by the Main Department for Combatting Organized Crime where his devices and social media accounts were compromised against his will.

Abulfaz Gurbanli, also an active member of civil society, was phished through an email and WhatsApp messages in February 2022. A file disguised as grant-related information from a known donor organization containing a virus was sent to Gurbanli via his email. On WhatsApp, the activist received a message from someone impersonating herself as a BBC Azerbaijan Service journalist. The targeting resulted in the installation of spyware on his device and the hacking of his social media accounts. 

At the time, Az-Net Watch requested assistance from Qurium media to analyze the link shared in the email and despite the journalist’s assurances, the link did contain a virus. “The mail pointed to a RAR compressed file in Google Drive that once downloaded required a password to be decrypted. The password to decrypt the file was included in the phishing e-mail: bbc. Compressed files that are password protected are common in malware phishing attacks as the files can not be scanned by antivirus,” concluded Qurium in its preliminary report. The further forensic report identified malware written in AutoIT. Once the link (in our case the link to a drive where the alleged journalist left questions for the political activist) was opened, the hacker through the deployed malware installed a persistent backdoor in the system. “The software connects to the domain name smartappsfoursix{.}xyz to download the rest of his software requirements. It downloads gpoupdater.exe and libcurl.dll which look responsible for uploading files to the command and control server. During the execution of the malware several (10) screenshots of the Desktop were uploaded to the server,” read the Qurium analysis.

Meanwhile, after taking over Gurbanli’s Facebook account, the hacker also deleted all of the content on at least seven of the community pages, where Gurbanli was an admin (screenshots below are from just two pages). 

Az-Net Watch previously documented attacks through phishing emails sent to civil society activists last year. At the time, an email impersonating a donor organization was sent to a group of activists encouraging them to apply for a Pegasus Grant. Preliminary forensic results carried out at the time indicated that the malware sent around in this email was similar to a phishing campaign from 2017, that was widely covered and reported by Amnesty International: “The victims and targets identified, as well as the political theme of bait documents, indicate that the campaign is largely targeting human rights activists, journalists, and dissidents. This campaign also aligns with findings by VirtualRoad.org in their report, “News Media Websites Attacked from Governmental Infrastructure in Azerbaijan”, which links some of the same network address blocks with “break-in attempts” and “denial of service attacks” against several independent media websites. “The malware that was observed is not sophisticated and is in some manner extremely crude. However, combined with social engineering attempts and an unprepared public, these tactics can remain effective against many targets.”

In another case, an online media outlet – ToplumTV – social media accounts were hacked by intercepting incoming SMS, set up as a two-step authentication method. This resulted in the removal of countless news posts as well as subscribers to the channel’s social media account. The media outlet was previously targeted in September and November 2021 – in both instances, the social media accounts were hacked by SMS interception.

Feminist activists also witnessed a surge in online phishing attacks and hacking attempts ahead of the International Women’s Day protest scheduled to take place on March 8, 2022. At least three activists received support to ensure online safety during this period. Similar attacks and targeting were documented last year. In addition to compromised accounts, some feminist activists have faced account impersonation. Most recently, activist Narmin Shahmarzade reported to Az-Net Watch, that a fake Instagram account impersonating the activist shared Sharmazade’s photos in the absence of her consent with inappropriate captions. Az-Net Watch is currently working with the platform to remove the fake account. 

Users of social media platforms, who posted critical of the government comments and posts, were also summoned to law- enforcement bodies where they were either forced to hand in their devices and passwords to their social media accounts or to delete their posts that were critical of the government. At least in 5 cases, activists and bloggers faced administrative arrests and interference with their social media accounts for their criticism online and activism. 

One of the most recently documented cases includes a blogger who was called into questioning after sharing a video on Facebook of the traffic police accepting a bribe. The blogger was forced to remove the video after the questioning at the police station. Aziz told Meydan TV that police threatened to keep him less he removed the video. After Aziz told the local media about the pressure from the police, the blogger was called back into the questioning together with his parents. 

In November, prominent lawyer, Elchin Sadigov said the law enforcement refused to return his mobile devices after the lawyer, would not share his passwords. Sadigov was arrested in September 2022 together with an editor of an independent outlet. In an interview with Meydan TV, Sadigov said, he considered demands that he shares his login credentials were a violation of privacy. 

Also in November, a member of D18 political movement, Afiaddin Mammadov, who was arrested on bogus charges and sentenced to 30 days in administrative detention said he was tortured by the local police officers after refusing to share his password to his device.

Other documented instances of social media users targeted over their online criticism this year include: 

In April, Meta released its pilot quarterly Adversarial Threat Report in which the platform said it identified “a hybrid network operated by the Ministry of the Internal Affairs.” According to the document, this network relied on, what Meta refers to as, “Coordinated Inauthentic Behavior [CIB]” in combination with cyber espionage, “compromising accounts and websites to post” on behalf of the Ministry. According to the report, these coordinated online cyberattacks targeted journalists, civil society activists, human rights defenders, and members of opposition parties and movements in Azerbaijan. The ministry’s press office was quick to dismiss the findings, saying the findings were fictitious. 

Azerbaijan was also among countries identified in Pegasus leaks targeting some 80 government critics among one thousand other Azerbaijanis identified in the targeting with Pegasus spyware. 

The attacks and support provided, in the course of the past year, illustrate that no matter how well-prepared political activists and members of civil society are in Azerbaijan, digital security awareness is insufficient in autocratic contexts like Azerbaijan. 

We also observed that existing legal remedies in the country are insufficient to find perpetrators behind such targeting and hold them to account. While in a few instances targeted community members filed official complaints, the investigative authorities showed reluctance in effectively investigating the incidents. 

This year, Az-Net Watch published this detailed report about litigating Pegasus in Azerbaijan in which together with a legal expert we conclude that existing national legislation concerning privacy and surveillance is insufficient, and is left to vague and often overt interpretation in the hands of law enforcement and prosecutor office. As such, Azerbaijan continues to systematically fail in providing effective legal remedies and sound investigations against state-sponsored digital attacks and surveillance. Moreover, despite evidence-based reports of targeted and coordinated cyber attacks against activists, the government thus far has not investigated and/or provided effective legal guarantees. And in all cases filed for investigations, nearly a year later after Pegasus spyware has been identified to be in use, the law enforcement authorities are yet to take formal investigative actions. 

In another report published this year together with a legal expert, Az-Net Watch identified serious gaps in data privacy protection mechanisms in Azerbaijan. Our analysis indicated that the national legislation on personal data protection does not effectively protect individuals against the arbitrary use of their personal data by both public and private entities. The analysis also indicated that the national laws restrict and control personal data with intrusive measures, such as equipping telecom networks with special devices, and real-time access to vast amounts of personal data, in the absence of a criminal investigation or judicial order. 

Conclusion 

These and other instances of digital threats and offline persecution for online activism illustrate that internet freedom in Azerbaijan continues to decline with no signs of abating. For yet another year, Azerbaijan was ranked “not free” in Freedom on the Net 2022 report released by Freedom House. In addition to scores of news websites currently blocked in the country (a practice observed since 2017), the state has also resorted to blocking or throttling access to social media platforms and communication applications in recent years. In September 2022 the state demonstrated its control over the internet by blocking access to TikTok on the grounds the platform was casting a shadow over military activities, revealing military secrets, and forming wrong public opinion. The blocking was carried out amid renewed military tensions between Armenia and Azerbaijan. Other users said they experienced issues accessing WhatsApp, Telegram, and slow internet connectivity speeds. Previously, during the second Karabakh war (in 2020), users in Azerbaijan faced internet restrictions as well. 

Civic activists in Azerbaijan express concern over state control of the internet at a time, when social media platforms, and independent as well as opposition online news sites have become the sole sources of alternative information accessible to the public outside of traditional media. 

The present environment is further exacerbated by the continued crackdown on civic activists as in the case of Bakhtiyar Hajiyev mentioned earlier in the report. In addition, a number of critical bills approved by the parliament this year, demonstrate a profound lack of interest on behalf of the state to ensure basic freedoms including freedom of the media and of association. As of February 2022, a restrictive new media law compels online media outlets to register with the government agency and has imposed a number of other critical requirements and criteria that critics say only serve the purpose of silencing independent journalists and news platforms. 

On December 16, 2022, the parliament also approved a critical bill on political parties, introducing a new set of exhaustive restrictions on political parties. 

As such, Azerbaijani civil society is facing a turbulent year ahead both offline and online in an environment dominated by state control on all forms of dissent leaving many wondering how far the state is willing to go to silence the critics.