harassment – Azerbaijan Internet Watch

Legal overview: legal remedies (or lack thereof) in cases of online targeting

Posted on February 8, 2023 by aiw_admin

In the last decade, the rise of the repressive policy by the government of Azerbaijan against digital rights necessitates the discussion of the legislation and legal remedy aspects of it. As such, in our following legal review, together with a legal expert, we chose to focus on how the state has been resorting to unlawful persecution measures against critics online, in particular, human rights defenders, activists, journalists, and lawyers.

In the analysis presented below, we look at the general trends of online targeting, the existing legal remedies in domestic law, and their effectiveness.

Background information

During 2022, Azerbaijan Internet Watch documented numerous cases of prison sentences handed out on charges of defamation, the arbitrary application of provisions of the Administrative Penalty Code and the Law “On information, informatization and information protection” to limit freedom of expression on the internet, including increased reports of cyber-attacks against activists and media professionals.

In its recent annual report published on 16 December 2022, AIW indicated that overall, 2022 has been no different than recent years in terms of online attacks and internet censorship. Human rights defenders, activists, politicians, and media professionals in Azerbaijan are increasingly becoming victims of cybercrimes, including electronic surveillance, privacy infringement, and cyberstalking, due to their independent and legitimate professional activities. The online targeting of individuals critical of the government has become increasingly frequent and constant. And yet neither of these cases has been effectively investigated, and the perpetrators have not been identified.

Despite the active use of the criminal and administrative offenses legislation, including other technical resources to limit freedom of expression on the internet [including the blocking of key opposition and independent news websites, summoning and punishing individuals for critical opinions distributed online], the state systematically fails to provide effective investigation on the complaints of the individuals subject to unlawful covert surveillance (Pegasus), cyber-attacks, online blackmailing and hacking attempts against activists and media professionals. In most cases, reveal that online harassment against government critics is organized by the government or government-linked institutions.

In April 2022 report, Meta reported that it removed a hybrid network operated by the Ministry of Internal Affairs of Azerbaijan that combined cyber espionage with Coordinated Inauthentic Behavior (CIB) to target civil society in Azerbaijan by compromising accounts and websites to post on their behalf.

Domestic remedies against cybercrimes often committed against HRDs, activists, and media

In recent years, scores of human rights defenders, civic activists, journalists, and politicians in Azerbaijan have been complaining about hacking attempts (or hacking) into their personal and professional e-mails, social media accounts, and instant messaging (WhatsApp) accounts. Other complaints include impersonating social media accounts, disseminating false information on their behalf, and publishing their private correspondence, intimate photos, and videos, breaching privacy resulting from intrusion in the intimate life of individuals through illegal tapping. Furthermore, political activists sometimes face pressure from local police to share their phone passwords during arrests.

Once personal information is unlawfully seized at least several constitutional rights and freedoms, such as the right to privacy (Article 32 of the Constitution), the right to honor and dignity (Article 46 of the Constitution), and the right to freedom of thought and speech (Article 47 of the Constitution) are at stake.

Lawyers in Azerbaijan mostly use various available legal mechanisms to protect the rights of targeted individuals. Illegal interception of personal data, violation of the confidentiality of correspondence and other information, and violation of privacy, including certain cybercrimes such as illegal intrusion, illegal acquisition, and unlawful interference with computer systems are criminalized by the criminal law of Azerbaijan. As such, lawyers rely on existing criminal law when submitting complaints to law enforcement authorities, requesting to conduct a criminal investigation regarding the alleged committed act prohibited by the criminal law.

What remedies are available to counter online harassment? To what extent are they effective?

Lawyers with extensive experience defending human rights defenders and activists targeted by cybercrimes say that the Azerbaijani law enforcement authorities and the judiciary are systematically rejecting investigations of cybercrimes committed against government critics.

So in which circumstances and conditions legal safeguards and remedies are functioning and to what extent they are effective? We take a look.

General overview of the relevant legislation

Digital security rights, in a general manner, are safeguarded by the Azerbaijani legal framework. The Azerbaijani legal system enshrines the following legal regime concerning digital security.

General constitutional protection and incorporation of international law

The Constitution provides, inter alia, order public conditions on digital security. According to Article 32 of the Constitution, privacy rights are secured. The privacy rights that the Constitution prescribed are negative and positive in nature – these rights protect against possible governmental interference (negative aspect) and possible trespass by third parties. Constitutional privacy protection not only provides preservation against off-line intrusion but also implies online targeting according to its meaning. Therefore, Article 32 of the Constitution plays a role as a key to digital security rights. In addition, Article 68 of the Constitution determines the prohibition of arbitrary actions of state authorities and recognizes the right to compensation.

The Constitution also incorporates international human rights obligations of the Republic of Azerbaijan. The Azerbaijani Constitution adopts a monist type of international law implementation which means direct integration of international law rules concerning human rights regulation.

The Republic of Azerbaijan has ratified the International Covenant on Civil and Political Rights (1966) (ICCPR) and European Convention on Human Rights (1950) (ECHR). Both ICCPR (Article 19) and ECHR (Article 8), as well as, the jurisprudence of the implementation bodies (in the case of the ICCPR is the Human Rights Committee (HRC) and in the case of the ECHR is the European Court of Human Rights (ECtHR)) safeguard digital security rights as a part of privacy rights. Moreover, the Convention on Cybercrime (a.k.a. the Budapest Convention) (2001) of the Council of Europe – seeking to address Internet and computer crime (cybercrime) by harmonizing national laws, improving investigative techniques, and increasing cooperation among nations – was ratified by Azerbaijan in 2009.

Both ICCPR and ECHR honor contracting states with two types of obligations – negative and positive. This means, that the state authorities shall not directly involve the right to privacy including digital security rights against the requirements of domestic law, without legitimate aims and against the requirement of democratic necessity, and with violation of proportionality (tripartite requirement of interference of qualified civil rights). In addition, the state authorities have a positive obligation to protect digital security under privacy rights from third parties, also to initiate effective procedural safeguards.

As such, Azerbaijani legislation prescribes constitutional (order public) protection for digital security and harmonizes international law protection with domestic law. However, mere general constitutional protection is not enough for the effective implementation of human rights. The next level is ordinary legislation.

Substantive law

The substantive legal norms concerning digital privacy rights are mainly set out in criminal law and, in nature, prohibitory sanction rules.

Criminal law provisions are arranged in the Criminal Code. Criminal Code prescribes both general privacy rights violations and specific cybercrimes. General privacy rights violations are Articles 155 (violations of correspondence privilege) and 156 of the Criminal Code (violations of privacy rights). Specific cybercrimes are set out in Articles 271-273 of the Criminal Code (Article 271 prohibits illegal intrusion, Article 272 bans illegal acquisition, and Article 273 forbids unlawful interference). In addition, Criminal Code also proscribes violation of operational-search activity by law-enforcement bodies concerning privacy and digital rights. Both state and non-state actors are liable for violations of the above-mentioned criminal law sanctions. According to Criminal Code (Articles 156.2.1, 271.2.3, 272.2.3, 273.3.3 of the Code), the commission by the state officials of the above-mentioned criminal law rules is considered an aggravated circumstance.

In addition to criminal law, civil law/code provisions also offer protection against the violations of privacy and digital rights. codes prescribe protection for digital security. Criminal code safeguards are general protections and not specified for purposes of digital security. Article 1096 of the Civil Code sets general criminal code rules for delictual (civil wrong) liability. On the other hand, Article 1100 of the Civil Code specifies delictual liability for state authorities.

It must be noted that different codes of conduct for state officials and law enforcement bodies also enshrine the protection of privacy rights (which also implies digital security) and require disciplinary sanctions against the perpetrators.

The substantive law also contains relevant remedies for covert surveillance. The state control over compliance of the covert surveillance-related-obligations of the telecommunication operators and providers is regulated largely via the Law “On Telecommunications”, the Law on “On Personal Data”, the Law on “On Operational Search Activities”, the Criminal Procedure Code and Decrees of the President of the Republic of Azerbaijan and Decisions of the Cabinet of Ministers of the Republic of Azerbaijan.

AIW’s legal analysis on the State of Internet Freedom in Azerbaijan, a legal overview (July 29, 2021) reveals the gaps within the legislation, policy, and practice that fail to comply with international legal standards in the field of covert surveillance.

Article 11 of the Decision of the Cabinet of Ministers No. 174 dated November 7, 2002 “On additional conditions required for the issuance of special permits (licenses) depending on the nature of the activity”[2] requires the telecommunication service providers to install special-purpose equipment, determined by the State Security Service (SSS) and the Ministry of Internal Affairs. This equipment allows the security services and the ministry of the interior to access data and information across all types of telecommunication networks for the purpose of ensuring national security. And legislation requires the installment of the special equipment as an additional requirement for granting special consent (license) for the cellular (mobile) communication services/companies. In case of a refusal to install this equipment, companies/services are refused operational licenses.

Procedural law and jurisdiction

Pursuant to Articles 215.2, 215.3, and 215.5 of the Code of Criminal Procedure, if it is identified that the privacy (digital) rights violations are conducted by third parties (non-state actors), then the jurisdiction to investigable falls within the Ministry of Internal Affairs or the State Security Service (depending on their competence).

According to Articles 204-207 and 215 of the Code of Criminal Procedure, the local or qualified body of the ministry of the interior or the state security services shall initiate the criminal case based on reports of the victim or others. If the initial inquiry finds more evidence of a breach of rights, then a preliminary investigation has to be conducted. Based on the results of the preliminary investigation, perpetrators might be identified and brought to trial. Violations of privacy rights (including digital security) are considered less serious crimes by Criminal Code and therefore, the trial jurisdiction lies on ordinary district courts.

It is identified that the privacy (digital) rights violations are conducted by state officials (including law enforcement officials), then investigative jurisdiction falls within the Office of the General Prosecutor. The subordinate prosecutor’s offices or qualified bodies of the prosecutor’s office shall initiate the criminal case against officials or based on the fact, shall conduct a preliminary investigation. Based on the conclusions of the preliminary investigation, relevant official (officials) might be held accountable and brought to trial. The trial jurisdiction again belongs to the ordinary district courts.

If the relevant investigatory bodies fail to initiate the criminal case, interested parties have the right to challenge the decision or action on non-initiation of the criminal case under judicial review procedure pursuant to Articles 122 and 449 of the Code of Criminal Procedure.

Criminal Code procedures shall be conducted with ordinary district courts or administrative courts. If the statement of claim is directed against a third party, then it is accepted as a civil case and should be heard by an ordinary civil court. The relevant trial procedures are prescribed by the Code of Civil Procedure. If the statement of claim is directed against state bodies, then it is an administrative law dispute and must be heard by an administrative court following the trial procedures based on the Code of Administrative Procedure.

Disciplinary actions are initiated based on complaints or ex officio, by relevant state bodies and follow procedures that prescribe the codes of conduct or internal disciplinary reviews.

In addition, concerning cyberattacks, there is another review body within the Ministry of Digital Development and Transport – the Cyber Security Service. While the cyber security service does not possess sanctions against authorities, it does have the authority to review the cyberattack claims and issue general warnings concerning cyberattacks. Furthermore, this body may inform other investigative authorities if the problem concerns these authorities.

Specifics of the criminal law sanctions and operational-search remedies

According to Article 156 (violation of the inviolability of private life) of the Criminal Code, actions that breach the inviolability of private life are prohibited and subject to criminal liability. According to Article 156.1 of the Code, the dissemination, illegal sale or transfer, and illegal collection of information that constitutes a secret of private and family life, as well as the documents, video and photographic materials, and audio recordings containing such information, are all subject to criminal liability.

It should be noted that private life information may be collected on legal grounds and conditions in the manner prescribed by law. Relevant state bodies can do this on the grounds provided by law. However, there are no such grounds provided by law in the complainant’s case. Therefore, the collection of information about the complainant in this manner should be considered as the acts provided for in Article 156.1 of the Criminal Code, that is, the collection of information or an attempt to collect such information, which is a secret of private and family life.

According to Article 271.1 of the Criminal Code, accessing a computer system or any part of it without the right to access it or any part of it by breaching security measures in order to collect computer information stored there or with other personal intent calls for criminal liability. It should be noted that Articles 271 and 272 of the Criminal Code pertain to cybercrime and are primarily concerned with computer information. However, smartphone devices already have the potential to contain all or part of traditional computer data. In this regard, part of the complainant’s computer data is contained in the relevant parts of his/her smartphone. So when scores of civil society activists in Azerbaijan were targeted with Pegasus spyware, the perpetrators thus illegally infiltrated the complainant’s computer system and illegally acquired computer information. This action demonstrates the commission of a criminal offense under Article 271.1 of the Criminal Code.

In the case the latter offense was committed by an official while abusing his/her official interests, the act is then considered an aggravating circumstance according to Article 271.2.3 of the Criminal Code.

According to Article 272.1 of the Criminal Code, the intentional gathering of computer information not intended for public use, transmitted to the computer system, from the computer system, or within the system, including electromagnetic radiation from the computer systems, which are carriers of such computer information, using technical means by a person not entitled thereto, causes criminal liability. The above-mentioned legal analysis of Article 271.1 of the Criminal Code also applies to Article 272.1 of the Criminal Code.

Article 302 of the Criminal Code (“Violation of the legislation on operational search activities”) criminalizes violation of the law on operational search activities. According to Article 302.1 of the Criminal Code, among other things, the implementation of such activities by authorized persons in the absence of any ground established by law, entails criminal liability, if it causes a significant violation of the rights and legally protected interests of the person. According to Article 302.2 of the Criminal Code, the violation of the law on operational search activity with the intent to secretly obtain information using technical means is considered an aggravating circumstance.

The Operational-Search Activity Act (OSA) and Code of Criminal Procedure allow targeted persons to raise complaints concerning covert surveillance.

Art 4(4) of the OSA stipulates, “[a]ny person, whose rights and liberties have been violated as a result of the actions of the agents of the operative search activity, shall be entitled to complain to the head of the authority – higher in rank to the agents of the operative search activity, prosecutor or the court.”

The first type of claims available under Azerbaijani law is ‘internal claims’ – claims against the head of the alleged authority that conducted the surveillance.
The second type of claim is a claim to a prosecutor.
A third type of claim is a claim to a Court.

Effectiveness of legal remedies in the light of international human rights obligations

Legal remedies concerning covert surveillance

The available remedies shared above, concerning covert surveillance are not effective in practice due to the following reasons:

Firstly, given that there is no method of notification as to whether they were under surveillance or not, no domestic remedies are available to challenge and investigate instances of covert surveillance by authorities, given their inextricable link (Zakharov v Russia at [234]; see also Association for European Integration and Human Rights and Ekimdzhiev v Bulgaria App No. 62540/00, 28.06.07 at [91]; Szabo and Vissy v Hungary App No. 37138/14, 12.01.16 at [86]).

As mentioned above Art 4(4) OSA sets out relevant remedies. However, this provision does not establish a freestanding claim under the OSA – rather it merely reflects that claims are available under other procedures.

‘Internal claims’ remedies (the first type of remedy) are claims against the head of the alleged authority that conducted the surveillance. The ECtHR has found that such complaints are ineffective as they “do not meet the requisite standards of independence needed to constitute sufficient protection against the abuse of authority” (Zakharov at [292]). As such, any available internal remedies are ineffective.

Prosecutorial review is the second type of remedy. This remedy is not effective either, because it is based on prosecutorial discretion. Once the prosecutor refuses jurisdiction over a complaint or initiates a criminal case, this remedy becomes ineffective.

In the Pegasus spyware case prosecutor general’s refusal of jurisdiction over complaints, challenged the potential victims’ procedural rights. The prosecutor general remitted the complaints to the state security services which in the case of Pegasus, were a party of interest, and therefore, constituted a conflict of interest. By passing the investigation to the state security services, the investigation lost the requisite degree of independence given the same body was involved in carrying out the covert surveillance, which is contrary to the case-law standards (c.f. Kennedy v UK at [167-8]) of the European Court of Human Rights.

Judicial claim avenues are a third type of legal remedy. Azerbaijani legislation offers no bespoke judicial remedy for illegal surveillance (c.f. the IPT in Kennedy v UK). Instead, there are only general methods of judicial review either under the criminal procedural code or under civil or administrative law. These are ineffective remedies as well:

Whilst it is theoretically possible to judicially review a judicial order authorizing covert surveillance, it is impossible in practice. The decision to authorize covert surveillance is done via the closed court in the absence of the target (CPC Art 447.3.3), and targets of surveillance do not have the right to receive the judge’s decision implementing the operational-search measure (CPC Art 448.6). Whilst a decision of the judge implementing operative-search measures may be appealed within three days after the announcement of the court decision (Arts 452-54 CPC), given that the target neither has the right to be present at the hearing nor receive the decision, this right has no practical value in cases of covert surveillance;
A claim in the civil courts is impossible. Applicants bear the burden of proof (Code of Civil Procedure Art 77), and given that proper notification of covert surveillance is unavailable, it is impossible to meet this burden to bring a claim against an authority that also contradicts the views of the European Court of Human Rights (Zakharov at [296]);
While a claim under the administrative courts is theoretically possible, it is equally ineffective. Whilst an administrative court is obliged to undertake an objective investigation on their own motion (Art 24 Code of Administrative Procedure (CAP)), in practice this is not observed and a de facto burden of proof is placed on an applicant to provide prima facie evidence of the improper administrative act. Without any evidence of the body conducting alleged covert surveillance, it is impossible to lodge an administrative complaint against authorities. Further, the administrative courts have no jurisdiction over criminal procedures (CAP Art 3.2.1), and if an authority claims that an individual is under criminal investigation the administrative courts will not accept the jurisdiction. Further, the administrative court may refuse to hear cases involving an administrative act in connection with the prevention or elimination of the threat that may cause damage to public or state interests (CAP Art 21.3.2);
Finally, a complaint to the Constitutional Court of Azerbaijan is not an effective remedy either (Ismayilov v. Azerbaijan No 4439/04, 17 January 2008).

Remedies against cyber attacks

The above-mentioned conclusion, mutatis mutandis, is effective for cyberattacks also. For cyberattacks, the main relevant remedy is a criminal complaint to law enforcement bodies. However, due to technical issues, many people do not have the information about whom they were targeted. Under normal circumstances, such kind of technical issues should be tackled by an investigation. However, due to prosecutorial discretion and lack of effective investigation against state officials, the criminal complaint mechanism is not effective in practice. In addition, the Cyber Security Center is not an effective remedy in practice. Because this body also is not independent and has no relevant legal powers to conduct an investigation. Consequently, criminal law and administrative law remedies are not effective. In such cases, civil law remedies also cannot be effective due to burden of proof issues (see above).

Specific case studies

There are several case studies that demonstrate that law enforcement authorities are not interested in protecting digital privacy rights despite having an ex officio power to conduct a criminal investigation:

On May 4, 2021, a well-known lawyer Fuad Aghayev said there was an attempt to hack into his Facebook account. Lawyer said that an unknown person wrote to him from Ilham Huseyn’s (active member of Azerbaijani Popular Front Party) account and asked him to download a program similar to “Zoom”, but “safer” for an interview. The lawyer after refusing to download the “unknown app”, called Ilham Huseyn’s phone and realized that Huseyn’s account was hacked and that the message sent to the lawyer was from the perpetrator behind the hacking.
On March 1, 2021, a well-known lawyer Elchin Sadigov, said that smear campaigns against activists were not investigated properly and despite lodged complaints about targeted online attacks, in many cases, the courts do not investigate these complaints.
On May 15, 2020, the opposition Azerbaijani Popular Front Party (APFP) accused the government of cyberattacks against party activists’ social media accounts. In a statement, the Party noted that as a result of hacker attacks, the Facebook accounts of Emil Selim, Ilham Huseyn, Orkhan Selimzade, and Emin Maniyev were hijacked. In addition, fake social media accounts were created impersonating members of the party’s presidium – Fuad Kahramanli, Asif Yusifli, and Mammad Ibrahim, with the intention to harm their reputation and create chaos in society from these accounts.
On March 17, 2021, Bakhtiyar Hajiyev and Narmin Shahmarzade accused the Azerbaijani authorities and law enforcement agencies of the cyber-attacks they were facing. Shahmarzade’s Facebook profile was hacked and her personal images and correspondence were disseminated without her consent. One of the unlawfully disseminated correspondence was Shahmarzade’s conversation with social activist Bakhtiyar Hajiyev.
Another activist, Gulnara Mehdiyeva, was also targeted online. Her social media accounts, email, and communication apps were compromised. So were her backups (archives were backed on Google drive to which she lost access after her personal email was compromised). Although Mehdiyeva regained access to her accounts the damage was extensive. From the account logs, the activist discovered that the perpetrator prepared large bundles of data for download – likely including her email and social media archives, photographs, and other data. The hacker also deleted three Facebook groups dedicated to LGBTQI+ and women’s rights, which Mehdiyeva administered. The attack also exposed the identities of those in the private groups – placing many people, including minors and other vulnerable individuals, at potential risk. Forensics investigation identified two IP addresses from where the attack was carried out. One was previously used in other attacks against independent media in Azerbaijan and was connected to the internet infrastructure of the Ministry of Interior.

In Gulnara Mehdiyeva’s case, the applicant’s lawyer appealed to the Yasamal District Police, where the latter refused to launch a criminal investigation on October 6, 2022. The lawyer appealed the decision of the Yasamal district police to the Yasamal District Court. The applicant’s lawyer referred to the legal grounds that the applicant’s account on social networks was illegally hacked and her personal information was seized, making a claim that this event creates the constituent elements of Articles 155, 156, 272, and 273 of the Criminal Code.

Dismissing the applicant’s appeal, the District Court considered that the criminal act in Article 272 of the Criminal Code is related to the interception of computer data but not the data of the social media accounts noting that computer data and social network data are different from each other.

Furthermore, the Court also considered that the criminal acts in Articles 155 and 156 of the Criminal Code are related to breaching the confidentiality of correspondence, telephone conversations, mail, telegraph, and other information and illegal gathering of confidential information of personal and family life which is not relevant to the applicant’s case.

Interestingly the Court concluded that since the hacking was of the activist’s social media account, the information shared there, was public, and thus could not be considered a secret, and that “social network was not a place where information considered “secret” was protected.”

Lawyers appealed these conclusions of the District Court, which were wrong and were a narrow interpretation of the national and international legislation in this field. The lawyer, in the appeal complaint, explained in detail, how the District Court’s misinterpretation of the national legislation contradicted the relevant international law by referring to the respective provision (Article 271.2) of the Criminal Code and article 1 of the Convention “On Cybercrime”.

The lawyer also claimed that the applicant’s information on the social network such as her personal photos, videos, and personal email correspondence were also intercepted and that all this information constituted private information, therefore, the Court’s conclusion was unfounded. The applicant’s appeals were dismissed by the Appeal and Supreme Courts and the applicant submitted a complaint to the European Court of Human Rights.

On November 3, 2021, the founders of Toplum TV, an online news platform, said their Facebook page was hacked. Hackers(s) removed several videos, including a discussion with an opposition politician Ali Karimli. The hacker(s) accessed the page through another founder’s Facebook account, deleted videos, and page likes, and changed the name of the page.
The Committee of Ministers of the Council of Europe (to which Azerbaijan is a party) mandates that member states comply with the judgments and certain decisions of the European Court of Human Rights. And yet, the court’s decision on Khadija Ismayilova group v. Azerbaijan (Application No. 65286/13) calling on Azerbaijan to duly investigate committed acts, where they [the authorities] failed to do so, and any possible connection and links between crimes committed against journalists and their professional activities, was not complied with.[3]

The cases illustrated here, are by no means exhaustive. These and other examples previously documented by Azerbaijan Internet Watch and elsewhere illustrate that the legal remedies for cyber-attacks and covert surveillance are not effective in practice. In all of the cyber-attack and covert surveillance cases that have been brought before the courts in Azerbaijan, the prosecuting authorities failed to initiate a criminal case and the district courts backed prosecuting authorities’ decisions even in cases where evidence exposed state authorities and/or related persons/entities being behind the attacks.

Conclusions

Our goal in putting together this legal overview was to demonstrate that digital security rights are not protected effectively in Azerbaijan. As we illustrate, violations of digital security rights occur on two levels: cyber-attacks and covert surveillance. Both types of violations are sophisticated and require contemporary preventive and procedural safeguards. However, existing legal remedies are not effective.

Most remedies set out in the legislation have shortcomings: there is no automatic notification system concerning covert surveillance; there is no independent internal review body; lack of rules against prosecutorial discretion; no mechanism in place addressing the conflict of interest between law enforcement and state security bodies; and challenges regarding judicial avenues.

Moreover, on cyber-attack issues the relevant qualified body-the Cyber Security Center-lacks proper legal power to conduct an investigation and is not independent. The issue of independence is important when attacks, as findings of independent digital security rights watchdogs demonstrate, are carried out by state authorities or related entities.

Practical case studies show that despite the scale of cyber-attacks, prosecuting authorities did not initiate even a single criminal case concerning attacks. This creates a culture of impunity regarding violations of digital security rights and has a chilling effect on activists’ right to freedom of expression and other political rights. Similar problems also exist in cases concerning covert surveillance – the lack of progress on Pegasus spyware investigations attests to the prosecuting authorities having no interest in initiating criminal cases.

Consequently, digital security rights and their human rights protection both in a preventive and procedural manner and negative and positive obligations dimension have profound problems in Azerbaijan. Available domestic legal remedies are not effective both in legislation and practice to tackle the current problems.

[1] Paragraph 1 of article 39 of the Law on Telecommunications states that “operators, providers are obliged to create conditions for conducting search operations, intelligence, and counter-intelligence activities in accordance with the law; to provide telecommunications networks with additional technical means in accordance with the conditions established by the relevant executive authority; to resolve organizational issues; and to keep secret the methods used in conducting these events.” Paragraph 2 of the article states that “The operator, the provider shall be liable for the violation of these requirements in accordance with the law.”

[2] The Decision of the Cabinet of Ministers No. 174 of 7 November 2002 “On additional conditions required for the issuance of special permits (licenses) depending on the nature of the activity”, https://e-qanun.az/framework/946

[3] Case Description: Khadija Ismayilova (App. 65286/13). The shortcomings identified in the Court’s judgment need to be remedied, in particular:

to investigate the potential link between the applicant’s professional activity and the receipt of a threatening letter;
to properly question an important witness, Mr. N.J., an employee of Baktelekom, who could shed light on the identity of the possible authors of the crime regarding the installment of a hidden camera in the applicant’s flat;
to investigate the identity of the person who sent the threatening letter to the applicant from Moscow;
to investigate the websites where the intimate videos of the applicant were posted;
to investigate the words “SesTV Player” on the video and its potential connection with the Ses newspaper.
- https://hudoc.exec.coe.int/eng?i=004-52409

Journalist from an online TV channel beaten

Posted on September 30, 2021 by aiw_admin

On September 28, Avaz Hafizli, a journalist from an online news platform Kanal13 was harassed and beaten by the local security guards while covering the opening of a new restaurant in the capital of Baku.

Hafizli, arrived at the opening of Deyirman restaurant but was quickly stopped by the security guards. According to reporting by Turan News Agency, Hafizli asked the security guards to confirm whether the newly opened restaurant indeed belonged to the head of Yasamal administrative district, a government official and why ordinary citizens were not allowed in

Hafizli was live-streaming the encounter but the stream ended abruptly after the security guard resorted to violence.

The journalist told Turan News Agency that he was taken inside the garden of the restaurant where after guards’ attempt to bribe him, the exchange turned violent.

Hafizli called for help and managed to call the police. At the police station, the two sides wrote their individual statements but even there, Hafizli told Turan News Agency the restaurant representative kept threatening the journalist.

The following day, Hafizli went to a hospital where after a medical check-up he was told that his arm was broken.

The journalist complained to the Ministry of the Interior asking for an investigation and due punishment in the case of the perpetrators of the attack and the subsequent injury.

Kanal 13 is an online video news platform broadcasting from its YouTube channel to its close to a million subscribers. The channel was created in 2008.

In 2014, Kanal 13 was subject to a government launched an investigation that was targeting all independent, international, and opposition civil society organizations, including organizations as IREX and Kanal 13. At the time, the manager and founder of the channel Anar Orucov (brother of Aziz Orucov) were in charge of the office and the channel.

As part of the country-wide crackdown, Kanal 13 office was searched, documents confiscated. Fearing persecution, Anar Orucov fled the country with his family with the support of an international organization while Aziz Orucov stayed behind to continue managing the channel and the projects.

Kanal 13 has also been subject to online attacks. In March of 2017, a report released by Amnesty International, “False Friends- how fake accounts and crude malware targeted dissidents in Azerbaijan” detailed how Kanal 13 was among those targeted when its internal communications were accessed for over a week.

Two months later, the channel’s director Aziz Orucov was detained and later rearrested while the office of the channel was searched and equipment was confiscated.

On February 11, 2020, a suspended sentence against Aziz Orucov, editor of the platform, was dropped by the Baku Court of Appeal.

Orucov was arrested during the criminal investigations against non-governmental organizations in Azerbaijan. He was arrested in 2017, but released in 2018 on a suspended sentence. The sentence was until February 2021.

Orucov took over the managing of the platform after his brother Anar Orucov fled the country in 2014 amid threats of persecution.

The platform’s website kanal13.tv is on the list of blocked websites according to the most recent OONI measurements.

Earlier in September Hafizli reportedly chained himself to the gate of the Prosecutor General’s Office. The action was taken in protest of government inaction against homophobic incitement by blogger Sevinj Huseynova, whose recent videos in which the blogger openly calls for violence against trans community members have gone viral. Hafizli who is a member of the LGBTQI+ community in Azerbaijan attempted suicide on September 5 as a result of Huseynova’s videos.

Amnesty International statement calls to stop gender-based reprisals in Azerbaijan

Posted on May 13, 2021 by aiw_admin

On May 12, Amnesty International released a statement calling to stop gender-based reprisals in Azerbaijan.

“Women human rights defenders have faced threats, coercion, violations of their right to privacy and smear campaigns that are gender-specific and target them as women. This type of gender-based violence and discrimination aims to silence their critical voices and discredit their work. It also seeks to punish them for speaking out as women,” reads the statement.

The statement documents the recent attacks and harassment women activists have faced for their work, outspokenness, or for simply being family members of government critics.

AIW reported on these attacks previously:

February 26, 2021 – Activist’s personal messages leaked after hacking [update March 9];

March 9, 2021 – Targeted harassment via telegram channels and hacked Facebook accounts [updated March 15];

March 16, 2021 – Coordinated digital attacks against Feminist movement members and LGBT rights activists;

March 25, 2021 – Exiled blogger continues to receive threats [updated March 31];

March 28, 2021 – Facebook page, advertising telegram channel, targeting a woman activist [update March 30];

April 14, 2021 – Activists trolled for exposing child abuse in Azerbaijan;

The report concludes that:

Azerbaijan has an obligation under international human rights law to take all appropriate measures to prevent gender-based violence and other human rights violations against women, including violations of their right to privacy. The Azerbaijani authorities must conduct a prompt, impartial and effective investigation into each and every reported incident of such violence, as well as of instances of reported discrimination or harassment of women, in order to identify and bring to justice in fair proceedings anyone reasonably suspected of being culpable or complicit in such acts, whether they are private individuals or members of security services or other state officials. Women who have suffered these violations should be provided with effective remedies and reparations including restitution, compensation, rehabilitation and guarantees of non-repetition. Azerbaijan must ensure that every person’s rights to freedom of expression and peaceful assembly are respected and that women are able to fully enjoy these rights, including in the form of women’s marches.

activists trolled for exposing child abuse in Azerbaijan

Posted on April 14, 2021 by aiw_admin

Vafa Nagi, an activist who recently exposed systemic abuse of young girls in one region of Azerbaijan has herself become a target of harassment as a result.

Writing about the harassment on her Facebook account, Nagi explained that ever since she shared the story of a 14-year-old girl, a resident of a small village subject to sexual abuse and the involvement of one police officer in this abuse, Nagi and her family members have faced targeting from the officer and his family members.

On Facebook Nagi has been targeted with slurs by users related to the police officer.

In the meantime, according to this BBC Azerbaijan service story, the victim was relocated to a shelter in the capital Baku, where she is receiving psychological help.

In their statement issued earlier, the Ministry of the Interior said they are investigating the case but so far, have not taken any measures against the police officer involved.

***

Vafa Nagi is an elected member of the local municipality of the region where this abuse has taken place. Recently Nagi was targeted in March of this year after taking part in a women’s march organized to mark International Women’s Day in Baku.

in Azerbaijan a telegram channel mobilising a movement, to target LGBTQI

Posted on March 29, 2021 by aiw_admin

According to Minority Magazine reporting, a new movement calling itself “Pure Blood” is mobilizing via the Telegram channel to target members of the LTBTQI community in Azerbaijan.

The magazine, sharing screenshots from the channel called on the relevant government institutions in Azerbaijan to investigate.

“Hurray, they should be burned,” wrote one user in the chat. Another user wrote the fight against people with “untraditional sexual orientation” must be carried out on the government level, just like in Poland and Hungary.

The last time someone shared a text in the group was March 19, at least according telemetr.io.

While it is the first time, news of such a “movement” are making headlines in Azerbaijan, it is certainly not the first time, the community is targeted.

Since 2000s, Azerbaijani government has been deploying spyware purchased from Israeli Verint. Verint supplied Azerbaijan with a system that allowed the government to collect information from social media. One of Verint’s former employees who traveled to Azerbaijan to train the client was asked how to use the system, “to check sexual inclinations via Facebook.” This technology was likely to be used in 2017, when the government of Azerbaijan went on a witch hunt on gay and transgender people.

targeted harassment via telegram channels and hacked Facebook accounts [updated March 15]

Posted on March 9, 2021March 15, 2021 by aiw_admin

[Updated] The targeting of women on telegram channels continues. On March 15, AIW was informed that the new target is the girlfriend of student activist Rustam Ismayilbeyli. Ismayilbeyli was targeted in September 2020 when a fake profile that belonged to the state security services informed Ismayilbeyli that personal information including intimate photos of Ismayilbeyli and his girlfriend will be sent to his friends and acquaintances unless he steps down from being an organizer of an upcoming rally and starts collaborating with them. Ismayilbeyli told AIW that those photos are now being circulated on the same telegram channels that earlier targeted journalist Fatima Movlamli, activists Gulnara Mehdiyeva and Narmin Shahmarzade.

On March 14, Hikmat Hajiyev, assistant to President Ilham Aliyev said the local law enforcement is investigating the complaint by the activist Narmin Shahmarzade on the invasion of her privacy.

On March 13, activist, Vafa Nagi reported about her Facebook profile being compromised. Nagi, challenged local municipal authorities when she decided to run for the election in 2019 and won. For the first time, in Azerbaijan’s history of municipal elections [first municipal elections were held in December 1999] a representative of the feminist movement (or any activist) was elected. But her victory came at a cost. After attending one of the first meetings in her new role, Nagi realized there were inaccuracies in financial reports. When she asked that the head of the local municipality shared the full report she became a problem. This problem, needed a solution and so in an attempt to humiliate Nagi in her village, someone started posting her pictures from her Instagram across the village. There she was enjoying the sun on the beach, or elsewhere, smiling, looking happy. But that is not how the village community interpreted these photos. Azerbaijan has a complicated relationship with women’s rights, as evidence suggests especially from a recent wave of attacks against feminists who organized and attended the March 8th protest in the capital Baku. When the “picture campaign” ended with a fiasco, more serious measures were taken against Nagi. She was accused of defamation by an official and an employee of the rural house of culture. The two men claimed Nagi’s Facebook posts had damaged their business reputation. Although charges were dropped, the municipality did not stop there. The long battle ended when Nagi’s status as elected municipal official was taken from her. According to OC Media Nagi was deprived of her position in a vote by the municipal council on 20 August 2020, at the time, when she was receiving medical treatment abroad. Finally, Nagi was among the women who participated in a protest organized on March 8, 2021.

In addition, journalist Aysel Umudova, wrote on her Facebook profile, that police been visiting homes of all women identified during the rally including hers, except at the wrong address.

Another women’s rights activist targeted was Rabiyya Mammadova. After her interview with VoA Azerbaijan Service aired on March 13, she became a target of trolls accusing Mammadova of lying. In her interview, Mammadova explained how plainclothed officers stopped the taxi she was in, on her way to meet other women activists. The officer grabbed her by her throat and started suffocating her. She also received several blows to her head. As a result, she lost partial hearing in her right ear and her arm broken previously by the police was also injured. Mammadova was also among independent candidates who ran for municipal elections in 2019. But due to election fraud, she did not win and in January 2020 she was accused of defamation while the evidence of fraud Mammadova documented was dismissed. On the day of the election, she spotted a group of women, who were engaged in carousel voting, a common vote-rigging tactic. Mammadova called the group of women dishonest, which angered one of the women who demanded an apology and 1000AZN [600USD] in compensation. Her complaint was rejected in a court hearing. But this did not stop Mammadova from running in the snap parliamentary election in February 2020. She did not win. Nor did many of the independent candidates who ran for the national assembly. Defiant, Mammadova stood outside the Central Election Committee protesting election fraud. Other candidates joined Mammadova outside the CEC. By the evening, the police cordoned off the protesters and used violence to disperse the crowd. During the police intervention, scores of candidates, activists, and journalists were injured. Mammadova had her arm broken. Police denied anyone was injured despite reports and evidence.

***

In recent days, at least three telegram channels were reported for sharing profane content targeting women in Azerbaijan. One channel called “Wretched men club” shared sensitive videos of journalist Fatima Movlamli, and exiled dissident blogger Mahammad Mirzali’s sister. Another group called “Expose bad-mannered girls” has targeted other women activists. A third one, targeted specifically one woman whose Facebook account was hacked shortly after the International Women’s Day march in Baku.

In the past, other women journalists and activists were targeted in an online harassment campaign.

Most recently activist Gulnara Mehdiyeva was targeted in a video shared via Facebook, containing a series of leaked private audio messages, that were stolen when Mehdiyeva’s social media accounts and emails were hacked last year.

On March 9, Activist Narmin Shahmarzade’s Facebook profile was hacked, her name changed alluding to her interference with people’s private lives. The hackers flooded her Facebook feed with private messages, some of which were fake, and shared nude photographs of her, including at least one edited photo and audio. Several hours later, a Telegram channel was set up, sharing Shahmarzade’s intimate photos. In an interview with VoA Azerbaijan service, Shahmarzade said, “When my account was hacked, video footage and other posts with criticism of the ruling government were deleted. Then, my personal messages on Facebook messenger were compromised. Some of them were shared after being edited and taken out of context. My personal phone number was exposed and as a result, I received numerous calls and messages of threatening nature.” Shahmarzade said, she has informed the Ministry of the Interior and the State Security Services and describes what happened to her, a crime and that she will be going to court. Shahmarzade also pointed out to AIW that the hacker who compromised her Facebook profile is likely the same person or member of the same group that targeted activist Gulnara Mehdiyeva last year because at least one of the audio that was shared via Shahmarzade’s hacked Facebook account targeting her, does not even belong to the activist and that she never had access to. Contrary, it was among material hijacked from Gulnara Mehdiyeva.

Among the women targeted, is also dissident blogger Mahammad Mirzali’s sister. Mirzali told AIW that the intimate video of his sister was leaked to harm him. “On February 15 my family members and I received several messages from a US number threatening me to stop my work. Otherwise, they told me they would release the videos of my sister. They told me they were not joking. They leaked the video on March 5. Later they shared the video on telegram channels. The same video was also sent to our relatives,” explained Mirzali. Mirzali suspects the authorities are behind this nasty campaign against his family. On March 14, Mirzali was reportedly stabbed by a group of unknown men. Mirzali is currently at the hospital.

In September 2020, activist Rustam Ismayilbeyli was intimidated by someone who presented himself as an employee of state security that unless Ismayilbeyli did not stop his activism, intimate pictures of his girlfriend would be leaked online.

In 2019, journalist Sevinc Osmangizi was the target of a smear campaign that variously accused her of being a double agent and working as a spy selling government secrets.

The same year, journalist Fatima Movlamli was once again targeted with a fake Facebook page created under her name, sharing intimate photos and videos of her in her bed

In 2012, journalist Khadija Ismayilova was targeted in a similar campaign after receiving a package containing photos and videos of intimate nature all taken at her apartment.

In 2010, at least two male journalists were targeted with sex tapes that were leaked and aired on prime-time television.

So far, only one journalist secured legal victory – Khadija Ismayilova. In January 2019, the European Court of Human Rights ruled that the government of Azerbaijan must compensate Ismayilova for its failure to investigate attempts to blackmail her.

In all of the incidents mentioned here, the targets voiced their suspicion of the government involvement behind these attacks. Meanwhile, the authorities either refute or remain silent about these allegations.

Finally, according to the definitions of online harassment as noted in this PEN America manual on online abuse in the last few days, it is safe to say the following forms of harassment have been documented:

Cross-Platform Harassment: coordinated and deliberately deployed across multiple social media and communications platforms, taking advantage of the fact that most platforms only moderate content on their own sites;

Dogpiling (cyber-mob attacks): When a large group of abusers collectively attacks a target through a barrage of threats, slurs, insults, and other abusive tactics.

Outrage/Shame Mobs: A form of mob justice focused on publicly exposing, humiliating, and punishing a target, often for expressing opinions on politically charged topics or ideas the outrage mob disagrees with and/or has taken out of context in order to promote a particular agenda.

Cyberstalking: In a legal context, “cyberstalking” is the prolonged and repeated use of abusive behaviors online (a “course of conduct”) intended “to kill, injure, harass, intimidate, or place under surveillance with intent to kill, injure, harass, or intimidate” a target.

Dog Whistling: Using words or symbols with a double (or coded) meaning that is abusive or harmful, sometimes to signal a group of online abusers to attack a specific target.

Doxxing: The publishing of sensitive personal information online—including home address, email, phone number, social security number, photos, etc.—to harass, intimidate, extort, stalk, or steal the identity of a target.

Hacking: The unauthorized intrusion into a device or network, hacking is often carried out with the intention to attack, harm, or incriminate another individual by stealing their data, violating their privacy, or infecting their devices with viruses. When hacking is used to perform illegal activities or intimidate a target, it is a cybercrime.

Nonconsensual intimate images (aka revenge port): Nonconsensual pornography is “the distribution of private, sexually-explicit images [or videos] of individuals without their consent”.

Online Sexual Harassment (aka, Cybersexual Abuse, Gender-Based Harassment):

Sextortion: A form of black mail in which an abuser threatens “to expose a nude or sexually explicit image in order to get a person to do something.”

Unsolicited Pornography: Sending sexually explicit or violent images and videos to a target.

Unwanted Sexualization: Sending “unwelcome sexual requests, comments and content” to a target.

activist’s personal messages leaked after hacking [update March 9]

Posted on February 26, 2021March 9, 2021 by aiw_admin

[Update] On March 1, in response to a legal complaint filed by Gulnara Mehdiyeva’s lawyers the Ministry of Internal Affairs informed the defender that the opening of a criminal case on her claim is not planned.

Last year, ahead of International Women’s Day March, one of the activists and organizers of the March in Baku had her Facebook, Gmail, Protonmail, and Telegram accounts compromised.

At the time, Gulnara Mehdiyeva reported that a hacker who got access to her Gmail account, downloaded her achieve of documents and photographs some of which were sensitive. Mehdiyeva offers support to victims of domestic violence and abuse, and is an advocate for gender equality in Azerbaijan.

In the course of the next 48 hours, Mehdiyeva’s Facebook account was hacked and her admin privileges at some of the Facebook groups that focus on women’s rights and LGBTQI were revoked. These groups were suspended and one was deactivated. Not to mention, thousands of subscribers and content were lost as a result.

A year later, on February 25, Mehdiyeva was targeted in a different online campaign. The private audio messages obtained from Mehdiyeva’s Facebook account that was hacked last year, were leaked online by one Facebook page, Tənqidçi [translation Critic]. The group that leaked the audio recording, accused Mehdiyeva of being emotionally unstable, questioning her ability to help victims of abuse as well as her alleged involvement in a recent suicide of a young girl. In another post, the page admin shared a post from a Facebook user, humiliating Mehdiyeva and her work.

The Facebook page in question, shares posts from their readers, and other content they find interesting. In one recent post, the admins shared how a group of Azerbaijani men have been exchanging pictures and private information about their former girlfriends. The admins of the page, claim, the men are violating several articles of criminal code by doing this, and yet, in a post that is targeting Mehdiyeva, the admins were doing just that. Deliberate online targeting

facebook page affiliated with opposition hacked, again

Posted on September 16, 2020 by aiw_admin

On September 10, the Facebook page that belongs to an online news website bastainfo.com was hacked. Bastainfo.com is affiliated with the opposition party Musavat and is known for often running into problems with the authorities. Its editor was handed a five year suspended sentence in February 2019. The website bastainfo.com remains blocked for access in Azerbaijan.

In January 2020, Azerbaijan Internet Watch reported how several Musavat party social media accounts were targeted. According to preliminary reports five Facebook pages, one Facebook group, and one website were targeted.

Bastainfo.com page was targeted then as well. The page lost followers. During last week’s attack, bastainfo.com page lost some 5k followers, and content that was shared since 2017.

Hacking and compromising Facebook, Instagram, and YouTube accounts (because these are popular platforms used by journalists and activists) is common in Azerbaijan and isn’t new. The online harassment of prominent accounts began several years ago at first, mostly on the level of government-sponsored trolls. Over the years, as the ruling government developed an interest in spyware technology, the types of attacks became more sophisticated while state-sponsored trolling and reliance on automated bots even though still used, became secondary. In each of these cases, finding the perpetrators have not been possible. And in cases when it was clear the attacker was an automated bot/state-sponsored troll the platform took no action. We finally know why. A former Facebook employee, Sophie Zhang, wrote a memo after getting fired from her job at the company revealing how the company dealt with fake accounts and bots. Among the countries, she has worked on and analyzed was Azerbaijan. “Ms. Zhang discovered that the ruling political party in Azerbaijan was also using false accounts to harass opposition figures. She flagged the activity over a year ago, she said, but Facebook’s investigation remains open and officials have not yet taken action over the accounts.”

activist blackmailed online [updated September 9]

Posted on September 8, 2020September 14, 2020 by aiw_admin

Rustam Ismayilbeyli is an 18-year-old activist from Azerbaijan who was arrested earlier this summer for staging a protest outside the Ministry of Education. Together with a group of students, he was demanding that the Ministry cancels tuition fees and exams for the academic semester as a result of Covid19. After three of the organizers including Ismayilbeyli were admitted to the ministry police dispersed the crowd and arrested Ismayilbeyli as soon as he exited the government building.

Ismayilbely was sentenced to 15 days in administrative detention on charges of allegedly disobeying police and violating the quarantine requirements.

During his detention, his social media accounts and email were hacked. Although he was able to restore access, he was among targets on June 15 when someone with access to his National ID requested a password reset from the social media platform Facebook. It took Ismayilbeyli two months to recover his account.

On September 7, a fake profile that belonged to the state security informed Ismayilbeyli that unless he steps down from being an organizer of an upcoming rally and starts collaborating with them, personal information including intimate photos of Ismayilbeyli and his girlfriend will be sent to his friends and acquaintances.

The first account that threatened Ismayilbeyli had since been removed, the second account that did post personal information has removed the post. Instead, Ismayilbeyli told AzNetWatch, the same information is sent around via Whatsapp messenger, with the US number. His email and cloud were compromised during his arrest and Ismayilbeyli suspects, this is when these images were acquired.

Using burner numbers on WhatsApp targeting activists is not new in Azerbaijan. There are plenty of resources online that actually share tips on how to create a secondary line on WhatsApp. What is problematic however is up until now, it was not possible to identify the perpetrators.

On September 9, Ismayilbeyli also reported an attempted break-in into his Telegram account. In a tweet Ismayilbeyli said he keeps receiving verification codes via SMS on his mobile but because he had 2FA in place the account was not compromised.

Telegram hesablarımıza müdaxilə var. Əsas Telegram accountuma girməyə çalışdılar, indi də digər işlətmədiyim nömrəmlə yeni Telegram accountu açıblar, niyə bilmirəm.

— Rüstəm İsmayılbəyli (@demokratelebe) September 9, 2020

Translation: There is an attempt to break in my telegram account. They tried taking over my main Telegram account. Now, using a number that I normally don’t use, they have opened a new account. Not sure why.

Bu dəqiqə mənə gələn smsləri oxuyub verification code’la telegram’a girməyə çalışırlar, amma two step’i keçə bilmirlər.

— Rüstəm İsmayılbəyli (@demokratelebe) September 9, 2020

Translation: Right now, reading the verification codes I am receiving via SMS, they are trying to break into my Telegram account, but they can’t get past the 2FA.