activist taken from his home after a social media post

Activist Latif Mammadov was reportedly taken from his home, after posting on social media a critical post, about President Ilham Aliyev’s comments on recent protests in the village of Soyudlu

Mammadov is the third civic activist to be detained/questioned by law enforcement over online commentary about the village protests. 

On June 22, political activist and former political prisoner Giyas Ibrahimov was arrested and sentenced to 30 days in administrative detention on bogus charges of resisting police. On June 24, new charges were leveled against the activist, accusing Ibrahimov of spreading prohibited information on the Internet (Article 388.1 of the Code of Administrative Offenses). The former was handed down to the activist after Ibrahimov voiced criticism against the state over its mishandling of popular unrest in one of the villages in western Azerbaijan. The latter is related to the former accusation, punishing Ibrahimov over his social media post.  

On June 21, police arrested another activist and board member of the opposition NIDA Youth Movement, Elmir Abbasov. He was sentenced to 20 days in administrative detention for disobeying police. The movement said, the charges leveled against Abbasov were bogus, and the real reason behind the activist’s arrest was his Facebook post about the protests and the state’s violent response to the residents of the village. Abbasov was released on July 11. 

In recent years, scores of activists, rights defenders, and journalists have been called into questioning, detained or sentenced, or held accountable over activity on social media platforms. 

Legal overview: legal remedies (or lack thereof) in cases of online targeting

In the last decade, the rise of the repressive policy by the government of Azerbaijan against digital rights necessitates the discussion of the legislation and legal remedy aspects of it. As such, in our following legal review, together with a legal expert, we chose to focus on how the state has been resorting to unlawful persecution measures against critics online, in particular, human rights defenders, activists, journalists, and lawyers. 

In the analysis presented below, we look at the general trends of online targeting, the existing legal remedies in domestic law, and their effectiveness.

Background information

During 2022, Azerbaijan Internet Watch documented numerous cases of prison sentences handed out on charges of defamation, the arbitrary application of provisions of the Administrative Penalty Code and the Law “On information, informatization and information protection” to limit freedom of expression on the internet, including increased reports of cyber-attacks against activists and media professionals.

In its recent annual report published on 16 December 2022, AIW indicated that overall, 2022 has been no different than recent years in terms of online attacks and internet censorship. Human rights defenders, activists, politicians, and media professionals in Azerbaijan are increasingly becoming victims of cybercrimes, including electronic surveillance, privacy infringement, and cyberstalking, due to their independent and legitimate professional activities. The online targeting of individuals critical of the government has become increasingly frequent and constant. And yet neither of these cases has been effectively investigated, and the perpetrators have not been identified.

Despite the active use of the criminal and administrative offenses legislation, including other technical resources to limit freedom of expression on the internet [including the blocking of key opposition and independent news websites, summoning and punishing individuals for critical opinions distributed online], the state systematically fails to provide effective investigation on the complaints of the individuals subject to unlawful covert surveillance (Pegasus), cyber-attacks, online blackmailing and hacking attempts against activists and media professionals. In most cases, reveal that online harassment against government critics is organized by the government or government-linked institutions.

In April 2022 report, Meta reported that it removed a hybrid network operated by the Ministry of Internal Affairs of Azerbaijan that combined cyber espionage with Coordinated Inauthentic Behavior (CIB) to target civil society in Azerbaijan by compromising accounts and websites to post on their behalf.

Domestic remedies against cybercrimes often committed against HRDs, activists, and media

In recent years, scores of human rights defenders, civic activists, journalists, and politicians in Azerbaijan have been complaining about hacking attempts (or hacking) into their personal and professional e-mails, social media accounts, and instant messaging (WhatsApp) accounts. Other complaints include impersonating social media accounts, disseminating false information on their behalf, and publishing their private correspondence, intimate photos, and videos, breaching privacy resulting from intrusion in the intimate life of individuals through illegal tapping. Furthermore, political activists sometimes face pressure from local police to share their phone passwords during arrests.

Once personal information is unlawfully seized at least several constitutional rights and freedoms, such as the right to privacy (Article 32 of the Constitution), the right to honor and dignity (Article 46 of the Constitution), and the right to freedom of thought and speech (Article 47 of the Constitution) are at stake.

Lawyers in Azerbaijan mostly use various available legal mechanisms to protect the rights of targeted individuals. Illegal interception of personal data, violation of the confidentiality of correspondence and other information, and violation of privacy, including certain cybercrimes such as illegal intrusion, illegal acquisition, and unlawful interference with computer systems are criminalized by the criminal law of Azerbaijan. As such, lawyers rely on existing criminal law when submitting complaints to law enforcement authorities, requesting to conduct a criminal investigation regarding the alleged committed act prohibited by the criminal law.

What remedies are available to counter online harassment? To what extent are they effective?

Lawyers with extensive experience defending human rights defenders and activists targeted by cybercrimes say that the Azerbaijani law enforcement authorities and the judiciary are systematically rejecting investigations of cybercrimes committed against government critics.

So in which circumstances and conditions legal safeguards and remedies are functioning and to what extent they are effective? We take a look.

General overview of the relevant legislation

Digital security rights, in a general manner, are safeguarded by the Azerbaijani legal framework. The Azerbaijani legal system enshrines the following legal regime concerning digital security.

General constitutional protection and incorporation of international law

The Constitution provides, inter alia, order public conditions on digital security. According to Article 32 of the Constitution, privacy rights are secured. The privacy rights that the Constitution prescribed are negative and positive in nature – these rights protect against possible governmental interference (negative aspect) and possible trespass by third parties. Constitutional privacy protection not only provides preservation against off-line intrusion but also implies online targeting according to its meaning. Therefore, Article 32 of the Constitution plays a role as a key to digital security rights. In addition, Article 68 of the Constitution determines the prohibition of arbitrary actions of state authorities and recognizes the right to compensation.

The Constitution also incorporates international human rights obligations of the Republic of Azerbaijan. The Azerbaijani Constitution adopts a monist type of international law implementation which means direct integration of international law rules concerning human rights regulation.

The Republic of Azerbaijan has ratified the International Covenant on Civil and Political Rights (1966) (ICCPR) and European Convention on Human Rights (1950) (ECHR). Both ICCPR (Article 19) and ECHR (Article 8), as well as, the jurisprudence of the implementation bodies (in the case of the ICCPR is the Human Rights Committee (HRC) and in the case of the ECHR is the European Court of Human Rights (ECtHR)) safeguard digital security rights as a part of privacy rights. Moreover, the Convention on Cybercrime (a.k.a. the Budapest Convention) (2001) of the Council of Europe – seeking to address Internet and computer crime (cybercrime) by harmonizing national laws, improving investigative techniques, and increasing cooperation among nations – was ratified by Azerbaijan in 2009.

Both ICCPR and ECHR honor contracting states with two types of obligations – negative and positive. This means, that the state authorities shall not directly involve the right to privacy including digital security rights against the requirements of domestic law, without legitimate aims and against the requirement of democratic necessity, and with violation of proportionality (tripartite requirement of interference of qualified civil rights). In addition, the state authorities have a positive obligation to protect digital security under privacy rights from third parties, also to initiate effective procedural safeguards.  

As such, Azerbaijani legislation prescribes constitutional (order public) protection for digital security and harmonizes international law protection with domestic law. However, mere general constitutional protection is not enough for the effective implementation of human rights. The next level is ordinary legislation.

Substantive law

The substantive legal norms concerning digital privacy rights are mainly set out in criminal law and, in nature, prohibitory sanction rules.

Criminal law provisions are arranged in the Criminal Code. Criminal Code prescribes both general privacy rights violations and specific cybercrimes. General privacy rights violations are Articles 155 (violations of correspondence privilege) and 156 of the Criminal Code (violations of privacy rights). Specific cybercrimes are set out in Articles 271-273 of the Criminal Code (Article 271 prohibits illegal intrusion, Article 272 bans illegal acquisition, and Article 273 forbids unlawful interference). In addition, Criminal Code also proscribes violation of operational-search activity by law-enforcement bodies concerning privacy and digital rights. Both state and non-state actors are liable for violations of the above-mentioned criminal law sanctions. According to Criminal Code (Articles 156.2.1, 271.2.3, 272.2.3, 273.3.3 of the Code), the commission by the state officials of the above-mentioned criminal law rules is considered an aggravated circumstance.

In addition to criminal law, civil law/code provisions also offer protection against the violations of privacy and digital rights. codes prescribe protection for digital security. Criminal code safeguards are general protections and not specified for purposes of digital security. Article 1096 of the Civil Code sets general criminal code rules for delictual (civil wrong) liability. On the other hand, Article 1100 of the Civil Code specifies delictual liability for state authorities.

It must be noted that different codes of conduct for state officials and law enforcement bodies also enshrine the protection of privacy rights (which also implies digital security) and require disciplinary sanctions against the perpetrators.

The substantive law also contains relevant remedies for covert surveillance. The state control over compliance of the covert surveillance-related-obligations of the telecommunication operators and providers is regulated largely via the Law “On Telecommunications”, the Law on “On Personal Data”, the Law on “On Operational Search Activities”, the Criminal Procedure Code and Decrees of the President of the Republic of Azerbaijan and Decisions of the Cabinet of Ministers of the Republic of Azerbaijan.

AIW’s legal analysis on the State of Internet Freedom in Azerbaijan, a legal overview (July 29, 2021) reveals the gaps within the legislation, policy, and practice that fail to comply with international legal standards in the field of covert surveillance.

Article 11 of the Decision of the Cabinet of Ministers No. 174 dated November 7, 2002 “On additional conditions required for the issuance of special permits (licenses) depending on the nature of the activity”[2] requires the telecommunication service providers to install special-purpose equipment, determined by the State Security Service (SSS) and the Ministry of Internal Affairs. This equipment allows the security services and the ministry of the interior to access data and information across all types of telecommunication networks for the purpose of ensuring national security. And legislation requires the installment of the special equipment as an additional requirement for granting special consent (license) for the cellular (mobile) communication services/companies. In case of a refusal to install this equipment, companies/services are refused operational licenses.

Procedural law and jurisdiction

Pursuant to Articles 215.2, 215.3, and 215.5 of the Code of Criminal Procedure, if it is identified that the privacy (digital) rights violations are conducted by third parties (non-state actors), then the jurisdiction to investigable falls within the Ministry of Internal Affairs or the State Security Service (depending on their competence).

According to Articles 204-207 and 215 of the Code of Criminal Procedure, the local or qualified body of the ministry of the interior or the state security services shall initiate the criminal case based on reports of the victim or others. If the initial inquiry finds more evidence of a breach of rights, then a preliminary investigation has to be conducted. Based on the results of the preliminary investigation, perpetrators might be identified and brought to trial. Violations of privacy rights (including digital security) are considered less serious crimes by Criminal Code and therefore, the trial jurisdiction lies on ordinary district courts.

It is identified that the privacy (digital) rights violations are conducted by state officials (including law enforcement officials), then investigative jurisdiction falls within the Office of the General Prosecutor. The subordinate prosecutor’s offices or qualified bodies of the prosecutor’s office shall initiate the criminal case against officials or based on the fact, shall conduct a preliminary investigation. Based on the conclusions of the preliminary investigation, relevant official (officials) might be held accountable and brought to trial. The trial jurisdiction again belongs to the ordinary district courts.

If the relevant investigatory bodies fail to initiate the criminal case, interested parties have the right to challenge the decision or action on non-initiation of the criminal case under judicial review procedure pursuant to Articles 122 and 449 of the Code of Criminal Procedure.

Criminal Code procedures shall be conducted with ordinary district courts or administrative courts. If the statement of claim is directed against a third party, then it is accepted as a civil case and should be heard by an ordinary civil court. The relevant trial procedures are prescribed by the Code of Civil Procedure. If the statement of claim is directed against state bodies, then it is an administrative law dispute and must be heard by an administrative court following the trial procedures based on the Code of Administrative Procedure.

Disciplinary actions are initiated based on complaints or ex officio, by relevant state bodies and follow procedures that prescribe the codes of conduct or internal disciplinary reviews.

In addition, concerning cyberattacks, there is another review body within the Ministry of Digital Development and Transport – the Cyber Security Service. While the cyber security service does not possess sanctions against authorities, it does have the authority to review the cyberattack claims and issue general warnings concerning cyberattacks. Furthermore, this body may inform other investigative authorities if the problem concerns these authorities.

Specifics of the criminal law sanctions and operational-search remedies

According to Article 156 (violation of the inviolability of private life) of the Criminal Code, actions that breach the inviolability of private life are prohibited and subject to criminal liability. According to Article 156.1 of the Code, the dissemination, illegal sale or transfer, and illegal collection of information that constitutes a secret of private and family life, as well as the documents, video and photographic materials, and audio recordings containing such information, are all subject to criminal liability.

It should be noted that private life information may be collected on legal grounds and conditions in the manner prescribed by law. Relevant state bodies can do this on the grounds provided by law. However, there are no such grounds provided by law in the complainant’s case. Therefore, the collection of information about the complainant in this manner should be considered as the acts provided for in Article 156.1 of the Criminal Code, that is, the collection of information or an attempt to collect such information, which is a secret of private and family life.

According to Article 271.1 of the Criminal Code, accessing a computer system or any part of it without the right to access it or any part of it by breaching security measures in order to collect computer information stored there or with other personal intent calls for criminal liability. It should be noted that Articles 271 and 272 of the Criminal Code pertain to cybercrime and are primarily concerned with computer information. However, smartphone devices already have the potential to contain all or part of traditional computer data. In this regard, part of the complainant’s computer data is contained in the relevant parts of his/her smartphone. So when scores of civil society activists in Azerbaijan were targeted with Pegasus spyware, the perpetrators thus illegally infiltrated the complainant’s computer system and illegally acquired computer information. This action demonstrates the commission of a criminal offense under Article 271.1 of the Criminal Code.

In the case the latter offense was committed by an official while abusing his/her official interests, the act is then considered an aggravating circumstance according to Article 271.2.3 of the Criminal Code.

According to Article 272.1 of the Criminal Code, the intentional gathering of computer information not intended for public use, transmitted to the computer system, from the computer system, or within the system, including electromagnetic radiation from the computer systems, which are carriers of such computer information, using technical means by a person not entitled thereto, causes criminal liability. The above-mentioned legal analysis of Article 271.1 of the Criminal Code also applies to Article 272.1 of the Criminal Code.

Article 302 of the Criminal Code (“Violation of the legislation on operational search activities”) criminalizes violation of the law on operational search activities. According to Article 302.1 of the Criminal Code, among other things, the implementation of such activities by authorized persons in the absence of any ground established by law, entails criminal liability, if it causes a significant violation of the rights and legally protected interests of the person. According to Article 302.2 of the Criminal Code, the violation of the law on operational search activity with the intent to secretly obtain information using technical means is considered an aggravating circumstance.

The Operational-Search Activity Act (OSA) and Code of Criminal Procedure allow targeted persons to raise complaints concerning covert surveillance.

Art 4(4) of the OSA stipulates, “[a]ny person, whose rights and liberties have been violated as a result of the actions of the agents of the operative search activity, shall be entitled to complain to the head of the authority – higher in rank to the agents of the operative search activity, prosecutor or the court.”

  • The first type of claims available under Azerbaijani law is ‘internal claims’ – claims against the head of the alleged authority that conducted the surveillance.
  • The second type of claim is a claim to a prosecutor.
  • A third type of claim is a claim to a Court.

Effectiveness of legal remedies in the light of international human rights obligations

Legal remedies concerning covert surveillance

The available remedies shared above, concerning covert surveillance are not effective in practice due to the following reasons:

Firstly, given that there is no method of notification as to whether they were under surveillance or not, no domestic remedies are available to challenge and investigate instances of covert surveillance by authorities, given their inextricable link (Zakharov v Russia at [234]; see also Association for European Integration and Human Rights and Ekimdzhiev v Bulgaria App No. 62540/00, 28.06.07 at [91]; Szabo and Vissy v Hungary App No. 37138/14, 12.01.16 at [86]).

As mentioned above Art 4(4) OSA sets out relevant remedies. However, this provision does not establish a freestanding claim under the OSA – rather it merely reflects that claims are available under other procedures.

‘Internal claims’ remedies (the first type of remedy) are claims against the head of the alleged authority that conducted the surveillance. The ECtHR has found that such complaints are ineffective as they “do not meet the requisite standards of independence needed to constitute sufficient protection against the abuse of authority” (Zakharov at [292]). As such, any available internal remedies are ineffective.

Prosecutorial review is the second type of remedy. This remedy is not effective either, because it is based on prosecutorial discretion. Once the prosecutor refuses jurisdiction over a complaint or initiates a criminal case,  this remedy becomes ineffective.

In the Pegasus spyware case prosecutor general’s refusal of jurisdiction over complaints, challenged the potential victims’ procedural rights. The prosecutor general remitted the complaints to the state security services which in the case of Pegasus, were a party of interest,  and therefore, constituted a conflict of interest. By passing the investigation to the state security services, the investigation lost the requisite degree of independence given the same body was involved in carrying out the covert surveillance, which is contrary to the case-law standards (c.f. Kennedy v UK at [167-8]) of the European Court of Human Rights.

Judicial claim avenues are a third type of legal remedy. Azerbaijani legislation offers no bespoke judicial remedy for illegal surveillance (c.f. the IPT in Kennedy v UK). Instead, there are only general methods of judicial review either under the criminal procedural code or under civil or administrative law. These are ineffective remedies as well:

  • Whilst it is theoretically possible to judicially review a judicial order authorizing covert surveillance, it is impossible in practice. The decision to authorize covert surveillance is done via the closed court in the absence of the target (CPC Art 447.3.3), and targets of surveillance do not have the right to receive the judge’s decision implementing the operational-search measure (CPC Art 448.6). Whilst a decision of the judge implementing operative-search measures may be appealed within three days after the announcement of the court decision (Arts 452-54 CPC), given that the target neither has the right to be present at the hearing nor receive the decision, this right has no practical value in cases of covert surveillance;
  • A claim in the civil courts is impossible. Applicants bear the burden of proof (Code of Civil Procedure Art 77), and given that proper notification of covert surveillance is unavailable, it is impossible to meet this burden to bring a claim against an authority that also contradicts the views of the European Court of Human Rights (Zakharov at [296]);
  • While a claim under the administrative courts is theoretically possible, it is equally ineffective. Whilst an administrative court is obliged to undertake an objective investigation on their own motion (Art 24 Code of Administrative Procedure (CAP)), in practice this is not observed and a de facto burden of proof is placed on an applicant to provide prima facie evidence of the improper administrative act. Without any evidence of the body conducting alleged covert surveillance, it is impossible to lodge an administrative complaint against authorities. Further, the administrative courts have no jurisdiction over criminal procedures (CAP Art 3.2.1), and if an authority claims that an individual is under criminal investigation the administrative courts will not accept the jurisdiction. Further, the administrative court may refuse to hear cases involving an administrative act in connection with the prevention or elimination of the threat that may cause damage to public or state interests (CAP Art 21.3.2);
  • Finally, a complaint to the Constitutional Court of Azerbaijan is not an effective remedy either (Ismayilov v. Azerbaijan No 4439/04, 17 January 2008).

Remedies against cyber attacks

The above-mentioned conclusion, mutatis mutandis, is effective for cyberattacks also. For cyberattacks, the main relevant remedy is a criminal complaint to law enforcement bodies. However, due to technical issues, many people do not have the information about whom they were targeted. Under normal circumstances, such kind of technical issues should be tackled by an investigation. However, due to prosecutorial discretion and lack of effective investigation against state officials, the criminal complaint mechanism is not effective in practice. In addition, the Cyber Security Center is not an effective remedy in practice. Because this body also is not independent and has no relevant legal powers to conduct an investigation. Consequently, criminal law and administrative law remedies are not effective. In such cases, civil law remedies also cannot be effective due to burden of proof issues (see above).

Specific case studies

There are several case studies that demonstrate that law enforcement authorities are not interested in protecting digital privacy rights despite having an ex officio power to conduct a criminal investigation:

  • On May 4, 2021, a well-known lawyer Fuad Aghayev said there was an attempt to hack into his Facebook account. Lawyer said that an unknown person wrote to him from Ilham Huseyn’s (active member of Azerbaijani Popular Front Party) account and asked him to download a program similar to “Zoom”, but “safer” for an interview. The lawyer after refusing to download the “unknown app”, called Ilham Huseyn’s phone and realized that Huseyn’s account was hacked and that the message sent to the lawyer was from the perpetrator behind the hacking.
  • On March 1, 2021, a well-known lawyer Elchin Sadigov, said that smear campaigns against activists were not investigated properly and despite lodged complaints about targeted online attacks, in many cases, the courts do not investigate these complaints.
  • On May 15, 2020, the opposition Azerbaijani Popular Front Party (APFP) accused the government of cyberattacks against party activists’ social media accounts. In a statement, the Party noted that as a result of hacker attacks, the Facebook accounts of Emil Selim, Ilham Huseyn, Orkhan Selimzade, and Emin Maniyev were hijacked. In addition, fake social media accounts were created impersonating members of the party’s presidium – Fuad Kahramanli, Asif Yusifli, and Mammad Ibrahim, with the intention to harm their reputation and create chaos in society from these accounts.
  • On March 17, 2021, Bakhtiyar Hajiyev and Narmin Shahmarzade accused the Azerbaijani authorities and law enforcement agencies of the cyber-attacks they were facing. Shahmarzade’s Facebook profile was hacked and her personal images and correspondence were disseminated without her consent. One of the unlawfully disseminated correspondence was Shahmarzade’s conversation with social activist Bakhtiyar Hajiyev.
  • Another activist, Gulnara Mehdiyeva, was also targeted online. Her social media accounts, email, and communication apps were compromised. So were her backups (archives were backed on Google drive to which she lost access after her personal email was compromised). Although Mehdiyeva regained access to her accounts the damage was extensive. From the account logs, the activist discovered that the perpetrator prepared large bundles of data for download – likely including her email and social media archives, photographs, and other data. The hacker also deleted three Facebook groups dedicated to LGBTQI+ and women’s rights, which Mehdiyeva administered. The attack also exposed the identities of those in the private groups – placing many people, including minors and other vulnerable individuals, at potential risk. Forensics investigation identified two IP addresses from where the attack was carried out. One was previously used in other attacks against independent media in Azerbaijan and was connected to the internet infrastructure of the Ministry of Interior.

In Gulnara Mehdiyeva’s case, the applicant’s lawyer appealed to the Yasamal District Police, where the latter refused to launch a criminal investigation on  October 6, 2022. The lawyer appealed the decision of the Yasamal district police to the Yasamal District Court. The applicant’s lawyer referred to the legal grounds that the applicant’s account on social networks was illegally hacked and her personal information was seized, making a claim that this event creates the constituent elements of Articles 155, 156, 272, and 273 of the Criminal Code.

Dismissing the applicant’s appeal, the District Court considered that the criminal act in Article 272 of the Criminal Code is related to the interception of computer data but not the data of the social media accounts noting that computer data and social network data are different from each other.

Furthermore, the Court also considered that the criminal acts in Articles 155 and 156 of the Criminal Code are related to breaching the confidentiality of correspondence, telephone conversations, mail, telegraph, and other information and illegal gathering of confidential information of personal and family life which is not relevant to the applicant’s case.

Interestingly the Court concluded that since the hacking was of the activist’s social media account, the information shared there, was public, and thus could not be considered a secret, and that “social network was not a place where information considered “secret” was protected.”

Lawyers appealed these conclusions of the District Court, which were wrong and were a narrow interpretation of the national and international legislation in this field. The lawyer, in the appeal complaint, explained in detail, how the District Court’s misinterpretation of the national legislation contradicted the relevant international law by referring to the respective provision (Article 271.2) of the Criminal Code and article 1 of the Convention “On Cybercrime”.

The lawyer also claimed that the applicant’s information on the social network such as her personal photos, videos, and personal email correspondence were also intercepted and that all this information constituted private information, therefore, the Court’s conclusion was unfounded. The applicant’s appeals were dismissed by the Appeal and Supreme Courts and the applicant submitted a complaint to the European Court of Human Rights.

  • On November 3, 2021, the founders of Toplum TV, an online news platform, said their Facebook page was hacked. Hackers(s) removed several videos, including a discussion with an opposition politician Ali Karimli. The hacker(s) accessed the page through another founder’s Facebook account, deleted videos, and page likes, and changed the name of the page.
  • The Committee of Ministers of the Council of Europe (to which Azerbaijan is a party) mandates that member states comply with the judgments and certain decisions of the European Court of Human Rights. And yet, the court’s decision on Khadija Ismayilova group v. Azerbaijan (Application No. 65286/13) calling on Azerbaijan to duly investigate committed acts, where they [the authorities] failed to do so, and any possible connection and links between crimes committed against journalists and their professional activities, was not complied with.[3]

The cases illustrated here, are by no means exhaustive. These and other examples previously documented by Azerbaijan Internet Watch and elsewhere illustrate that the legal remedies for cyber-attacks and covert surveillance are not effective in practice. In all of the cyber-attack and covert surveillance cases that have been brought before the courts in Azerbaijan, the prosecuting authorities failed to initiate a criminal case and the district courts backed prosecuting authorities’ decisions even in cases where evidence exposed state authorities and/or related persons/entities being behind the attacks.

Conclusions

Our goal in putting together this legal overview was to demonstrate that digital security rights are not protected effectively in Azerbaijan. As we illustrate, violations of digital security rights occur on two levels: cyber-attacks and covert surveillance. Both types of violations are sophisticated and require contemporary preventive and procedural safeguards. However, existing legal remedies are not effective.

Most remedies set out in the legislation have shortcomings: there is no automatic notification system concerning covert surveillance; there is no independent internal review body; lack of rules against prosecutorial discretion; no mechanism in place addressing the conflict of interest between law enforcement and state security bodies; and challenges regarding judicial avenues.

Moreover, on cyber-attack issues the relevant qualified body-the Cyber Security Center-lacks proper legal power to conduct an investigation and is not independent. The issue of independence is important when attacks, as findings of independent digital security rights watchdogs demonstrate, are carried out by state authorities or related entities.

Practical case studies show that despite the scale of cyber-attacks, prosecuting authorities did not initiate even a single criminal case concerning attacks. This creates a culture of impunity regarding violations of digital security rights and has a chilling effect on activists’ right to freedom of expression and other political rights. Similar problems also exist in cases concerning covert surveillance – the lack of progress on Pegasus spyware investigations attests to the prosecuting authorities having no interest in initiating criminal cases.  

Consequently, digital security rights and their human rights protection both in a preventive and procedural manner and negative and positive obligations dimension have profound problems in Azerbaijan. Available domestic legal remedies are not effective both in legislation and practice to tackle the current problems.

[1] Paragraph 1 of article 39 of the Law on Telecommunications states that “operators, providers are obliged to create conditions for conducting search operations, intelligence, and counter-intelligence activities in accordance with the law; to provide telecommunications networks with additional technical means in accordance with the conditions established by the relevant executive authority; to resolve organizational issues; and to keep secret the methods used in conducting these events.” Paragraph 2 of the article states that “The operator, the provider shall be liable for the violation of these requirements in accordance with the law.”

[2] The Decision of the Cabinet of Ministers No. 174 of 7 November 2002 “On additional conditions required for the issuance of special permits (licenses) depending on the nature of the activity”, https://e-qanun.az/framework/946

[3] Case Description: Khadija Ismayilova (App. 65286/13). The shortcomings identified in the Court’s judgment need to be remedied, in particular:

  • to investigate the potential link between the applicant’s professional activity and the receipt of a threatening letter;
  • to properly question an important witness, Mr. N.J., an employee of Baktelekom, who could shed light on the identity of the possible authors of the crime regarding the installment of a hidden camera in the applicant’s flat;
  • to investigate the identity of the person who sent the threatening letter to the applicant from Moscow;
  • to investigate the websites where the intimate videos of the applicant were posted;
  • to investigate the words “SesTV Player” on the video and its potential connection with the Ses newspaper.
    • https://hudoc.exec.coe.int/eng?i=004-52409

political activist arrested over a question asked during live online discussion

Magsud Aliyev, a political activist, was arrested on August 16 and sentenced to 30 days in administrative detention on charges of disobeying police according to local media reports. Speaking to Turan News Agency, Aliyev’s father, Faig Aliyev, said the family was not aware of their son’s arrest until they heard it from his friends, days later. 

Aliyev, reportedly asked a question during a live debate on August 12 with the leader of an opposition political party Popular Front, Ali Karimli about Ilham Aliyev and his general intentions. “If you have noticed, Aliyev most recently has been using terms like ‘foreign powers’ similar to the narrative often used by President Erdogan. He has also changed his style, wearing more tight clothes like President Zelensky. What do you think Aliyev is trying to do?” asked Aliyev during the Q&A session. 

A human rights organization, “Line of Defense” condemned the arrest of the activist. The managing director of the organization, Rufat Safarov said there is no doubt Aliyev was arrested because of the question he asked during the debate. “We suspect he was humiliated, beaten, and subjected to ill-treatment during detention. We will have more details soon once the lawyer, visits Aliyev,” Safarov told Meydan TV. 

Aliyev is known to share critical of the government posts on social media platforms according to Meydan TV reporting. 

Meanwhile, the Ministry of Internal Affairs dismissed the claims that the activist was arrested for the question. 

The Pegasus Project and Azerbaijan – what does domestic legislation tell us about privacy of users in Azerbaijan

This is part four in a series of detailed legal reports and analyses on existing legal amendments, and new legislation affecting privacy, freedom of expression, media, and online rights in Azerbaijan and their compliance with international standards for freedom of expression.  We dedicate this report to the recent Pegasus Project investigations.  

Background

Members of opposition political parties, independent journalists, political and human rights activists have long faced systematic pressure and persecution orchestrated by the government of Azerbaijan. The unprecedented crackdown against civil society that began in 2013, marked a new chapter, in the history of Azerbaijan’s civil society. One, marred by arrests and prosecution of high-profile activists, rights defenders, and journalists.

This systematic pressure and harassment were not only offline. It was only a matter of time, that the internet too would become a place to target activists, journalists, and human rights defenders, holding them accountable for their online criticisms on bogus accusations that often ended with lengthy jail sentences, forced apologies on public televisions (see The State of Internet Freedom in Azerbaijan report), detentions and further forms of persecution.

In a country where almost all avenues for freedom of expression and activism were eliminated, the internet, specifically online media platforms, and social media networks became new targets. To monitor discussions online, prevent citizens from accessing independent news online, or social media platforms, and to further curb freedoms online, the government of Azerbaijan embarked on a shopping spree, becoming a client of companies selling sophisticated surveillance equipment and technology.[1]

By 2021, the government of Azerbaijan has successfully deployed a Remote Control System (RCS), Deep Packet Inspection (DPI), phishing, and spear-phishing attacks often with homegrown malware. The most recent addition to a wide variety of authoritarian technology deployed in Azerbaijan is Pegasus spyware.  

The Pegasus Project

On July 18, 2021, an international consortium of more than 80 journalists from 17 media outlets revealed the Pegasus Project. Spearheaded by Forbidden Stories, a Paris-based journalism non-for-profit, with technical support of Amnesty International Security Lab, the Pegasus Project is a global investigation into an Israeli surveillance company, the NSO Group, and it’s most sought after hacking software called Pegasus.

According to the investigation, the NSO Group sold Pegasus to at least ten government clients including in Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Azerbaijan, Rwanda, Saudi Arabia, and the UAE. Among the targets were journalists, human rights defenders, political opponents, business people, and heads of state.

“Forbidden Stories and Amnesty International had access to a leak of more than 50,000 records of phone numbers that NSO clients selected for surveillance,” wrote Forbidden Stories sharing the findings of the investigation.

On the leaked phone records, at least 1000 were identified as belonging to users from Azerbaijan. One of the media partners in the investigation, the Organized Crime and Corruption Reporting Project (OCCRP) took on to investigate numbers that belonged to users in Azerbaijan, Kazakhstan, and Rwanda.

So far, OCCRP was able to identify 250 phone numbers targeted, which belonged to reporters, [2] editors, media company owners, activists, human rights defenders, and their family members. As of July 27, OCCRP confirmed at least 80 cases of the alleged surveillance.[3]

Following the release of the investigations, international organizations, such as Reporters Without Borders, said they will pursue legal action against those responsible for this massive surveillance.[4] In Azerbaijan, some of the targeted individuals intend to appeal to local courts and then to the European Court of Human Rights, on the grounds of infringements of their right to private life.[5]

While law enforcement authorities in Hungary[6], Israel[7], France[8], the USA[9], and Algeria[10] have launched probes into suspected unlawful surveillance via Pegasus spyware, the Azerbaijani law enforcement agencies are yet to respond.

What chance do those targeted in Azerbaijan stand in pursuing legal action against the government of Azerbaijan? To answer this question, we look at the national legislation enabling the government to carry out surveillance en masse and citizens’ rights to privacy. Read the PDF report here.

Domestic framework

The right to private life is under the protection of comprehensive constitutional provisions, namely Article 32 of the Azerbaijani Constitution which guarantees that everyone has the right to the inviolability of private[11] and family life, including with respect to correspondence, telephone communications, post, telegraph messages and information sent by other means of communication. Article 32 further states that gaining, storing, using, and spreading information about the person’s private life without his/her consent is not permitted. These rights may be restricted, as prescribed by law, in order to prevent crime or to determine the truth in the course of the investigation of a criminal case. Section eight of article 32 also indicates that the scope of the personal information, as well as the conditions of their processing, collection, sharing, use, and protection, is prescribed by law.

In addition, there are normative legal acts recognizing the right to private life, including regulating the restrictions of private life in telecommunications networks.

While mentioning a catalog of rights for individuals in respect to the right to privacy[12], article 3 of the basic law on private data – the Law on Private Information,[13] stipulates that the rules for the collection and processing of personal data, concerning intelligence and counterintelligence, and operation-search activities are regulated by other respective legal acts (discussed below).

The Law on Private Information obligates the operators, to create necessary conditions for intelligence, counterintelligence, and search operations in accordance with the legislation, to guarantee relevant organizational and technical issues, and comply with the confidentiality of the methods used to conduct these activities.[14]

Along with the Law on Personal Data, the Law on Telecommunication also determines the powers of state bodies, notably subjects of intelligence and counterintelligence search operations, to collect or intercept personal data from the telecommunication channels and networks.[15]

In Azerbaijan there are two types of oversight over citizens:

  1. Extraction of information from telecom channels, i.e., interception; and
  2. Surveillance

The Law on Operation-Search Activity overseas phone tapping and information extraction from communication channels.[16]  Further, the third section of article 10 of the Law on Operation-Search Activity does not require a judicial act or supervision of higher authority while wiretapping and extracting information from technical communication channels unless there is a need to install technical devices such as voice, video, or photo recorders at the place of residence of the individuals.  

In other words, anyone in Azerbaijan can be subject to such a form of oversight.

The Law on Telecommunication obligates network operators to install special equipment, provided by the State Security Service, Ministry of Internal Affairs, and Special State Protection Service onto the telecommunication networks[17] enabling the Government to extract (intercept) data on anyone regardless of whether that person(s) is part of an investigation process or not.

The installment of special equipment within communication networks is regulated by the “Rules for equipping telecommunications operators and providers with additional technical means for conducting search operations, reconnaissance and counter-intelligence activities” issued by the Ministry of Transport, Communications, and High Technologies on  June 14, 2016.[18] The Rule obligates telecommunication operators and providers to create technical conditions for the conduct of relevant activities within the communication networks.

The Rule defines that Telecommunication Control System (hereinafter – TCS) – is special hardware and software that provides confidential control over the exchange of information of subjects targeted by the relevant measures (such as search and operation, intelligence, and counterintelligence activities), as well as all statistical data of the network. TNS consists of data extraction facilities, transport networks, and control centers.

The Rule also indicates that relevant measures in the communication networks are carried out in accordance with the requirements of the laws of the Republic of Azerbaijan “On Operation-Search Activity” and “On Intelligence and Counterintelligence Activity”.[19]

However, while the Law on Operation-Search Activity may allow secret surveillance and seizure of private information, there are no rules or procedures within the national legislation for secret surveillance and intercepting information by government agencies. There are also no clearly defined rules on determining the grounds for such surveillance and interception activities, their duration, and whether such activities can be stopped by a court or other higher state authority.

Further, when analyzing the national legislation, it becomes clear, that a number of rules about the organization of search operations by law enforcement agencies, as well as the placement of surveillance and tapping devices within the telecommunication infrastructure have not been published. For example, the “Rules for ensuring information security in the implementation of search operations in communications networks” approved by Presidential Decree No. 638 on October 2, 2015, is not disclosed.[20]

As mentioned, earlier, interference with the right to personal data within telecommunication networks is carried out by the representatives of the search and operation, intelligence, and counterintelligence authorities. The technical and organizational conditions for the provision of the search operation, intelligence, and counterintelligence activities within communication networks are determined by the State Security, and in cases where relevant to the Ministry of Internal Affairs, together with the Special State Protection Service of Azerbaijan.

Infringement of privacy is prohibited under the Criminal Code (Article 156). Illegal collection of information, documents containing such information, visual materials, audio recordings, as well as their sale or transfer to another person is punishable by a fine in the amount of 1,000 to 2,000 AZN (approximately 600-1200USD); by public works ranging from 240 to 480 hours; or by correctional labor for up to one year. In cases where the same offense was/is committed by an official using his/her official status, the crime is punishable by restriction of liberty for a period of up to two years or by imprisonment for a term of up to two years with or without deprivation of the right to hold a certain position or engage in certain activities for up to three years.[21]

The Criminal Procedural Code provides that the investigation of the infringement of privacy is carried out in the form of a public-private prosecution upon the complaint of the victim or by the initiative of the prosecutor when the committed crime affects the interests of the state or society.[22]

Compliance with international standards

The right to protection of personal data is not an autonomous right among various rights and freedoms covered by the Convention. The Court has nevertheless acknowledged that the protection of personal data is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life, home, and correspondence, as guaranteed by Article 8 of the Convention (Satakunnan Markkinapörssi Oy and Satamedia Oy v. Finland [GC], 2017, § 137; Z v. Finland, 1997, § 95).

According to the Court’s established case-law, the requirement that any interference must be “in accordance with the law” will only be met when three conditions are satisfied: the impugned measure must have some basis in domestic law and, with regard to the quality of the law at issue, it must be accessible to the person concerned and have foreseeable consequences.[23]

Non-availability of any official information or confirmation on the scope and form of the surveillance and interception of mobile devices through the Pegasus spyware may also raise specific issues concerning the difficulties on recognizing the victims’ status within the framework of national laws. 

However, the relevant case-law of the ECtHR is relatively flexible on the subject of recognition of the victim’s status. The ECtHR, therefore, accepts that an individual could, under certain conditions, claim to be the victim of a violation occasioned by the mere existence of secret measures or of legislation permitting secret measures, without having to allege that such measures had been in fact applied to him or her.[24]

Further, considering that domestic legislation does not require any judicial act or does not provide any independent oversight over the interferences to the right to privacy, there is little information about the form and scope of the interception and surveillance of individuals’ privacy within telecommunications networks in Azerbaijan. This is also contrary to the well-established standards of the ECtHR concerning the issue of personal data collected by means of various methods of secret surveillance. The fact that various government institutions are vested with powers and authority – as provided by domestic laws — to listen to anyone at any time on telecommunication networks, in itself does not meet the requirements of the qualitative law enshrined in the case-law of the European Court.

The ECtHR considers the requirements of the Convention, notably in regard to foreseeability, to not be exactly the same, in the special context of interception of communications for the purpose of police investigations.

According to the ECtHR case law,  the Convention’s “quality of law” concept, requires, that domestic laws – notably those allowing state interference with rights and freedoms – satisfy the requirements that domestic laws, should be sufficiently accessible and foreseeable.

The requirement of foreseeability means that the national law must be sufficiently clear in its terms, in order to give citizens an adequate indication of the circumstances and conditions for which public authorities were empowered to resort to this secret and potentially dangerous interference with the right to respect for private life and correspondence. Consequently, the law must indicate the scope of any such discretion conferred on the competent authorities and the manner of its exercise with sufficient clarity, having regard to the legitimate aim of the measure in question, and to give the individual adequate protection against arbitrary interference (Malone v. the United Kingdom, 2 August 1984, §§ 67 and 68, Series A no. 82. See also Kennedy v. the United Kingdom, op. cit., § 152).[25]

In this regard, within the framework of the European Court’s supervision function under the Convention’s standards, the ECtHR’s authority to verify the compliance of online surveillance regimes with the Convention’s standards would provide effective protection.

In recent Grand Chamber judgment in the case of Big Brother Watch and Others v. the United Kingdom (application nos. 58170/13, 62322/14 and 24969/15) the ECtHR held unanimously, that there had been a violation of Article 8 of the European Convention (right to respect for private and family life/communications) in respect of the regime for obtaining communications data from communication service providers noting that assessment of interceptions and obtaining of private information from the telecommunications networks should be made at each stage of the process of the necessity and proportionality of the measures being taken; that bulk interception should be subject to independent authorization at the outset when the object and scope of the operation were being defined; and that the operation should be subject to supervision and independent ex post facto review.

We conclude, that based on the above analysis of the loose interpretation and at times overt national legislation, it is important to take these cases of surveillance and interception to the ECtHR for the purpose of assessing the country’s legal framework and its (in)applicability with the ECtHR’s case law.  

[1] Internal company documents show Azerbaijan’s Ministry of National Security purchased Hacking Team’s Remote Control System (RCS) surveillance spyware via a California-based intermediary called Horizon Global Group in 2013 for an initial payment of €320,000. https://www.occrp.org/en/daily/4136-azerbaijan-bought-hacking-team-s-surveillance-spyware-leaks-reveal

[2] Turan, Pegasus has been spying on Azerbaijani journalists and activists over years, July 19, 2021, https://www.turan.az/ext/news/2021/7/free/politics_news/en/5975.htm/001 

[3] OCCRp, People Selected for Targeting by Azerbaijan,

https://cdn.occrp.org/projects/project-p/?_gl=1*rnxzxn*_ga*MjEyNTY0MTgzMS4xNjI3NDE1OTE1*_ga_NHCZV5EYYY*MTYyNzQxNTkxMy4xLjEuMTYyNzQxNTkyNy40Ng..#/countries/AZ

[4] Turan, The organization in defense of press freedom “Reporters without Borders” is outraged by the fact that 200 journalists from 20 countries are being spied on with the help of the Israeli spy system Pegasus, July 2021, http://www.turan.az/ext/news/2021/7/free/politics_news/en/6042.htm/001

[5] Voice of America, Interview with Bakhtiyar Hajiyev, July 20, 2021, https://www.amerikaninsesi.org/a/bəxtiyar-hacıyev-avtoritar-rejimlər-hətta-ən-yaxın-çevrəsinə-güvənmir/5972455.html

[6] Al Jazeera, Hungary prosecutors open investigation into Pegasus spying claims, July 22, 2021, https://www.aljazeera.com/news/2021/7/22/hungary-prosecutors-open-investigation-into-pegasus-spying-claims

[7] Al Jazeera, Israel launches commission to probe Pegasus spyware: Legislator, July 22, 2021, https://www.aljazeera.com/news/2021/7/22/israel-launches-commission-to-probe-pegasus-spyware-legislator

[8] Euractive, France launches investigation into Pegasus spying allegations, July 22, 2021, https://www.euractiv.com/section/cybersecurity/news/france-launches-investigation-into-pegasus-spying-allegations/

[9] Reuters, FBI probes use of Israeli firm’s spyware in personal and government hacks – sources, July 22, 2021,  https://www.reuters.com/article/us-usa-cyber-nso-exclusive-idUSKBN1ZT38B

[10] The Star, Algeria launches probe into Pegasus spyware claim, July 22, 2021, https://www.thestar.com.my/tech/tech-news/2021/07/23/algeria-launches-probe-into-pegasus-spyware-claim

[11] Constitution of the Republic of Azerbaijan, https://static2.president.az/media/W1siZiIsIjIwMTgvMDMvMDkvNHQzMWNrcGppYV9Lb25zdGl0dXNpeWFfRU5HLnBkZiJdXQ?sha=c440b7c5f80d645b

[12] According to article 7 of the Law on Personal Data, individuals have the right to require a legal justification for the collection, processing, and transfer of their personal information to third parties, and information on the legal consequences for the subject of the collection, processing, and transfer of such information to third parties; to get acquainted with the content of personal information collected about himself/herself in the information system; to learn the purpose, the period and methods of collecting and processing personal information about himself/herself; to demand clarification and destruction of personal data collected and processed in the information system, except for the cases established by the legislation; to demand a ban on the collection and processing of personal data about himself/herself and etc.

[13] Law on Private Data, http://e-qanun.az/framework/19675

[14] Article 10.5, Law on Personal Data

[15] Article 39, Law on Telecommunication (article 10.5 of the Personal Data is repeated in article 39 of the Law on Telecommunication)

[16] Article 10, Law on Operation-Search Activity, http://e-qanun.az/framework/2938

[17] Under the Telecoms Law and the conditions of telecom licensing and registration, telecom operators and providers must cooperate with the law enforcement authorities and install special equipment and software programmes allowing them access to information under the undisclosed technical rules adopted by the Presidential order on October 2, 2015. The Law on Telecommunication, article 39., Paragraph 1 of the article states: “operators, providers are obliged to create conditions for conducting search operations, intelligence and counter-intelligence activities in accordance with the law; to provide telecommunications networks with additional technical means in accordance with the conditions established by the relevant executive authority; to resolve organizational issues, and to keep secret the methods used in conducting these events.” Paragraph 2 of the article states: “The operator, the provider shall be liable for the violation of these requirements in accordance with the law.”

[18] http://e-qanun.az/framework/33275

[19] Article 1.5.7. “Rules for equipping telecommunications operators and providers with additional technical means for conducting search operations, reconnaissance and counter-intelligence activities”, issued by the Ministry of Transport, Communications and High Technologies,   June 14, 2016

[20] The Presidential Decree No. 638, October 2, 2015, http://e-qanun.az/framework/30840

[21] The Criminal Code of Azerbaijan, http://e-qanun.az/framework/46947

[22] The Criminal Procedure Code of Azerbaijan, http://e-qanun.az/framework/46950

[23] Kennedy v. the United Kingdom, op. cit., § 151; Rotaru v. Romania, op. cit., §52; Amann v. Switzerland, op. cit., § 50; Iordachi and Others v. Moldova, op. cit.; Kruslin v. France, § 27; Huvig v. France, § 26; Association for European Integration and Human Rights and Ekimdzhiev v. Bulgaria, op. cit., § 71; Liberty and Others v. the United Kingdom, op. cit., § 59, etc.

[24] National security and European case-law, Council of Europe / European Court of Human Rights, 2013, para., 9., https://rm.coe.int/168067d214

[25] National security and European case-law, Council of Europe / European Court of Human Rights, 2013, page 2,  https://rm.coe.int/168067d214

forced posts removal from Facebook continue in Azerbaijan

On January 13, Elmir Abbasov, a member of NIDA movement, was taken against his will to local police station in the city of Sumgayit where he was questioned over his Facebook post about president Ilham Aliyev.

In his interview with Azadliq Radio, Abbasov said, he was on his way to a shop when a man told Abbasov to get into the car for a chat at the police station. Abbasov, who said without a warrant he won’t be going anywhere, was then shuved into the car and taken to the station by force.

Abbasow spent the next two hours at the police station, where he was informed that the reason for his interrogation was a Facebook post, he wrote about the President. He was told to immediately delete the post. 

AIW spoke with Abbasov about the content of the post which is no longer available on the social media platform.

Under normal circumstances this post would not be considered critical but in Azerbaijan, the sensitivity around certain personalities as in the case of the president are common and not tolerated. 

In the case of Abbasov’s post, it was a comment about an economic system heavily reliant on hydrocarbons. This has been voiced by international financial institutions, experts and pundits alike for a long time.

Similarly, Abbasov’s post stressed the country’s economy, over reliance to fluctuating oil price as a result of its dependence and recommended that the president takes recommendations by independent economists seriously rather than dismiss them. 

Three days before Abbasov was taken to the police and ordered to delete his post from Facebok, one freelance journalist [name omitted due to safety concerns] was told to delete a Facebook post, that was critical of the local law enforcement. Namely, the journalist desrcibed seeing one officer, take a bribe from a man stopped on the street as part of the COVID measures in place. The source told AIW, the measure was taken in an attempt to keep the reputation of the local agency clean.