legal remedies – Azerbaijan Internet Watch

Legal overview: legal remedies (or lack thereof) in cases of online targeting

Posted on February 8, 2023 by aiw_admin

In the last decade, the rise of the repressive policy by the government of Azerbaijan against digital rights necessitates the discussion of the legislation and legal remedy aspects of it. As such, in our following legal review, together with a legal expert, we chose to focus on how the state has been resorting to unlawful persecution measures against critics online, in particular, human rights defenders, activists, journalists, and lawyers.

In the analysis presented below, we look at the general trends of online targeting, the existing legal remedies in domestic law, and their effectiveness.

Background information

During 2022, Azerbaijan Internet Watch documented numerous cases of prison sentences handed out on charges of defamation, the arbitrary application of provisions of the Administrative Penalty Code and the Law “On information, informatization and information protection” to limit freedom of expression on the internet, including increased reports of cyber-attacks against activists and media professionals.

In its recent annual report published on 16 December 2022, AIW indicated that overall, 2022 has been no different than recent years in terms of online attacks and internet censorship. Human rights defenders, activists, politicians, and media professionals in Azerbaijan are increasingly becoming victims of cybercrimes, including electronic surveillance, privacy infringement, and cyberstalking, due to their independent and legitimate professional activities. The online targeting of individuals critical of the government has become increasingly frequent and constant. And yet neither of these cases has been effectively investigated, and the perpetrators have not been identified.

Despite the active use of the criminal and administrative offenses legislation, including other technical resources to limit freedom of expression on the internet [including the blocking of key opposition and independent news websites, summoning and punishing individuals for critical opinions distributed online], the state systematically fails to provide effective investigation on the complaints of the individuals subject to unlawful covert surveillance (Pegasus), cyber-attacks, online blackmailing and hacking attempts against activists and media professionals. In most cases, reveal that online harassment against government critics is organized by the government or government-linked institutions.

In April 2022 report, Meta reported that it removed a hybrid network operated by the Ministry of Internal Affairs of Azerbaijan that combined cyber espionage with Coordinated Inauthentic Behavior (CIB) to target civil society in Azerbaijan by compromising accounts and websites to post on their behalf.

Domestic remedies against cybercrimes often committed against HRDs, activists, and media

In recent years, scores of human rights defenders, civic activists, journalists, and politicians in Azerbaijan have been complaining about hacking attempts (or hacking) into their personal and professional e-mails, social media accounts, and instant messaging (WhatsApp) accounts. Other complaints include impersonating social media accounts, disseminating false information on their behalf, and publishing their private correspondence, intimate photos, and videos, breaching privacy resulting from intrusion in the intimate life of individuals through illegal tapping. Furthermore, political activists sometimes face pressure from local police to share their phone passwords during arrests.

Once personal information is unlawfully seized at least several constitutional rights and freedoms, such as the right to privacy (Article 32 of the Constitution), the right to honor and dignity (Article 46 of the Constitution), and the right to freedom of thought and speech (Article 47 of the Constitution) are at stake.

Lawyers in Azerbaijan mostly use various available legal mechanisms to protect the rights of targeted individuals. Illegal interception of personal data, violation of the confidentiality of correspondence and other information, and violation of privacy, including certain cybercrimes such as illegal intrusion, illegal acquisition, and unlawful interference with computer systems are criminalized by the criminal law of Azerbaijan. As such, lawyers rely on existing criminal law when submitting complaints to law enforcement authorities, requesting to conduct a criminal investigation regarding the alleged committed act prohibited by the criminal law.

What remedies are available to counter online harassment? To what extent are they effective?

Lawyers with extensive experience defending human rights defenders and activists targeted by cybercrimes say that the Azerbaijani law enforcement authorities and the judiciary are systematically rejecting investigations of cybercrimes committed against government critics.

So in which circumstances and conditions legal safeguards and remedies are functioning and to what extent they are effective? We take a look.

General overview of the relevant legislation

Digital security rights, in a general manner, are safeguarded by the Azerbaijani legal framework. The Azerbaijani legal system enshrines the following legal regime concerning digital security.

General constitutional protection and incorporation of international law

The Constitution provides, inter alia, order public conditions on digital security. According to Article 32 of the Constitution, privacy rights are secured. The privacy rights that the Constitution prescribed are negative and positive in nature – these rights protect against possible governmental interference (negative aspect) and possible trespass by third parties. Constitutional privacy protection not only provides preservation against off-line intrusion but also implies online targeting according to its meaning. Therefore, Article 32 of the Constitution plays a role as a key to digital security rights. In addition, Article 68 of the Constitution determines the prohibition of arbitrary actions of state authorities and recognizes the right to compensation.

The Constitution also incorporates international human rights obligations of the Republic of Azerbaijan. The Azerbaijani Constitution adopts a monist type of international law implementation which means direct integration of international law rules concerning human rights regulation.

The Republic of Azerbaijan has ratified the International Covenant on Civil and Political Rights (1966) (ICCPR) and European Convention on Human Rights (1950) (ECHR). Both ICCPR (Article 19) and ECHR (Article 8), as well as, the jurisprudence of the implementation bodies (in the case of the ICCPR is the Human Rights Committee (HRC) and in the case of the ECHR is the European Court of Human Rights (ECtHR)) safeguard digital security rights as a part of privacy rights. Moreover, the Convention on Cybercrime (a.k.a. the Budapest Convention) (2001) of the Council of Europe – seeking to address Internet and computer crime (cybercrime) by harmonizing national laws, improving investigative techniques, and increasing cooperation among nations – was ratified by Azerbaijan in 2009.

Both ICCPR and ECHR honor contracting states with two types of obligations – negative and positive. This means, that the state authorities shall not directly involve the right to privacy including digital security rights against the requirements of domestic law, without legitimate aims and against the requirement of democratic necessity, and with violation of proportionality (tripartite requirement of interference of qualified civil rights). In addition, the state authorities have a positive obligation to protect digital security under privacy rights from third parties, also to initiate effective procedural safeguards.

As such, Azerbaijani legislation prescribes constitutional (order public) protection for digital security and harmonizes international law protection with domestic law. However, mere general constitutional protection is not enough for the effective implementation of human rights. The next level is ordinary legislation.

Substantive law

The substantive legal norms concerning digital privacy rights are mainly set out in criminal law and, in nature, prohibitory sanction rules.

Criminal law provisions are arranged in the Criminal Code. Criminal Code prescribes both general privacy rights violations and specific cybercrimes. General privacy rights violations are Articles 155 (violations of correspondence privilege) and 156 of the Criminal Code (violations of privacy rights). Specific cybercrimes are set out in Articles 271-273 of the Criminal Code (Article 271 prohibits illegal intrusion, Article 272 bans illegal acquisition, and Article 273 forbids unlawful interference). In addition, Criminal Code also proscribes violation of operational-search activity by law-enforcement bodies concerning privacy and digital rights. Both state and non-state actors are liable for violations of the above-mentioned criminal law sanctions. According to Criminal Code (Articles 156.2.1, 271.2.3, 272.2.3, 273.3.3 of the Code), the commission by the state officials of the above-mentioned criminal law rules is considered an aggravated circumstance.

In addition to criminal law, civil law/code provisions also offer protection against the violations of privacy and digital rights. codes prescribe protection for digital security. Criminal code safeguards are general protections and not specified for purposes of digital security. Article 1096 of the Civil Code sets general criminal code rules for delictual (civil wrong) liability. On the other hand, Article 1100 of the Civil Code specifies delictual liability for state authorities.

It must be noted that different codes of conduct for state officials and law enforcement bodies also enshrine the protection of privacy rights (which also implies digital security) and require disciplinary sanctions against the perpetrators.

The substantive law also contains relevant remedies for covert surveillance. The state control over compliance of the covert surveillance-related-obligations of the telecommunication operators and providers is regulated largely via the Law “On Telecommunications”, the Law on “On Personal Data”, the Law on “On Operational Search Activities”, the Criminal Procedure Code and Decrees of the President of the Republic of Azerbaijan and Decisions of the Cabinet of Ministers of the Republic of Azerbaijan.

AIW’s legal analysis on the State of Internet Freedom in Azerbaijan, a legal overview (July 29, 2021) reveals the gaps within the legislation, policy, and practice that fail to comply with international legal standards in the field of covert surveillance.

Article 11 of the Decision of the Cabinet of Ministers No. 174 dated November 7, 2002 “On additional conditions required for the issuance of special permits (licenses) depending on the nature of the activity”[2] requires the telecommunication service providers to install special-purpose equipment, determined by the State Security Service (SSS) and the Ministry of Internal Affairs. This equipment allows the security services and the ministry of the interior to access data and information across all types of telecommunication networks for the purpose of ensuring national security. And legislation requires the installment of the special equipment as an additional requirement for granting special consent (license) for the cellular (mobile) communication services/companies. In case of a refusal to install this equipment, companies/services are refused operational licenses.

Procedural law and jurisdiction

Pursuant to Articles 215.2, 215.3, and 215.5 of the Code of Criminal Procedure, if it is identified that the privacy (digital) rights violations are conducted by third parties (non-state actors), then the jurisdiction to investigable falls within the Ministry of Internal Affairs or the State Security Service (depending on their competence).

According to Articles 204-207 and 215 of the Code of Criminal Procedure, the local or qualified body of the ministry of the interior or the state security services shall initiate the criminal case based on reports of the victim or others. If the initial inquiry finds more evidence of a breach of rights, then a preliminary investigation has to be conducted. Based on the results of the preliminary investigation, perpetrators might be identified and brought to trial. Violations of privacy rights (including digital security) are considered less serious crimes by Criminal Code and therefore, the trial jurisdiction lies on ordinary district courts.

It is identified that the privacy (digital) rights violations are conducted by state officials (including law enforcement officials), then investigative jurisdiction falls within the Office of the General Prosecutor. The subordinate prosecutor’s offices or qualified bodies of the prosecutor’s office shall initiate the criminal case against officials or based on the fact, shall conduct a preliminary investigation. Based on the conclusions of the preliminary investigation, relevant official (officials) might be held accountable and brought to trial. The trial jurisdiction again belongs to the ordinary district courts.

If the relevant investigatory bodies fail to initiate the criminal case, interested parties have the right to challenge the decision or action on non-initiation of the criminal case under judicial review procedure pursuant to Articles 122 and 449 of the Code of Criminal Procedure.

Criminal Code procedures shall be conducted with ordinary district courts or administrative courts. If the statement of claim is directed against a third party, then it is accepted as a civil case and should be heard by an ordinary civil court. The relevant trial procedures are prescribed by the Code of Civil Procedure. If the statement of claim is directed against state bodies, then it is an administrative law dispute and must be heard by an administrative court following the trial procedures based on the Code of Administrative Procedure.

Disciplinary actions are initiated based on complaints or ex officio, by relevant state bodies and follow procedures that prescribe the codes of conduct or internal disciplinary reviews.

In addition, concerning cyberattacks, there is another review body within the Ministry of Digital Development and Transport – the Cyber Security Service. While the cyber security service does not possess sanctions against authorities, it does have the authority to review the cyberattack claims and issue general warnings concerning cyberattacks. Furthermore, this body may inform other investigative authorities if the problem concerns these authorities.

Specifics of the criminal law sanctions and operational-search remedies

According to Article 156 (violation of the inviolability of private life) of the Criminal Code, actions that breach the inviolability of private life are prohibited and subject to criminal liability. According to Article 156.1 of the Code, the dissemination, illegal sale or transfer, and illegal collection of information that constitutes a secret of private and family life, as well as the documents, video and photographic materials, and audio recordings containing such information, are all subject to criminal liability.

It should be noted that private life information may be collected on legal grounds and conditions in the manner prescribed by law. Relevant state bodies can do this on the grounds provided by law. However, there are no such grounds provided by law in the complainant’s case. Therefore, the collection of information about the complainant in this manner should be considered as the acts provided for in Article 156.1 of the Criminal Code, that is, the collection of information or an attempt to collect such information, which is a secret of private and family life.

According to Article 271.1 of the Criminal Code, accessing a computer system or any part of it without the right to access it or any part of it by breaching security measures in order to collect computer information stored there or with other personal intent calls for criminal liability. It should be noted that Articles 271 and 272 of the Criminal Code pertain to cybercrime and are primarily concerned with computer information. However, smartphone devices already have the potential to contain all or part of traditional computer data. In this regard, part of the complainant’s computer data is contained in the relevant parts of his/her smartphone. So when scores of civil society activists in Azerbaijan were targeted with Pegasus spyware, the perpetrators thus illegally infiltrated the complainant’s computer system and illegally acquired computer information. This action demonstrates the commission of a criminal offense under Article 271.1 of the Criminal Code.

In the case the latter offense was committed by an official while abusing his/her official interests, the act is then considered an aggravating circumstance according to Article 271.2.3 of the Criminal Code.

According to Article 272.1 of the Criminal Code, the intentional gathering of computer information not intended for public use, transmitted to the computer system, from the computer system, or within the system, including electromagnetic radiation from the computer systems, which are carriers of such computer information, using technical means by a person not entitled thereto, causes criminal liability. The above-mentioned legal analysis of Article 271.1 of the Criminal Code also applies to Article 272.1 of the Criminal Code.

Article 302 of the Criminal Code (“Violation of the legislation on operational search activities”) criminalizes violation of the law on operational search activities. According to Article 302.1 of the Criminal Code, among other things, the implementation of such activities by authorized persons in the absence of any ground established by law, entails criminal liability, if it causes a significant violation of the rights and legally protected interests of the person. According to Article 302.2 of the Criminal Code, the violation of the law on operational search activity with the intent to secretly obtain information using technical means is considered an aggravating circumstance.

The Operational-Search Activity Act (OSA) and Code of Criminal Procedure allow targeted persons to raise complaints concerning covert surveillance.

Art 4(4) of the OSA stipulates, “[a]ny person, whose rights and liberties have been violated as a result of the actions of the agents of the operative search activity, shall be entitled to complain to the head of the authority – higher in rank to the agents of the operative search activity, prosecutor or the court.”

The first type of claims available under Azerbaijani law is ‘internal claims’ – claims against the head of the alleged authority that conducted the surveillance.
The second type of claim is a claim to a prosecutor.
A third type of claim is a claim to a Court.

Effectiveness of legal remedies in the light of international human rights obligations

Legal remedies concerning covert surveillance

The available remedies shared above, concerning covert surveillance are not effective in practice due to the following reasons:

Firstly, given that there is no method of notification as to whether they were under surveillance or not, no domestic remedies are available to challenge and investigate instances of covert surveillance by authorities, given their inextricable link (Zakharov v Russia at [234]; see also Association for European Integration and Human Rights and Ekimdzhiev v Bulgaria App No. 62540/00, 28.06.07 at [91]; Szabo and Vissy v Hungary App No. 37138/14, 12.01.16 at [86]).

As mentioned above Art 4(4) OSA sets out relevant remedies. However, this provision does not establish a freestanding claim under the OSA – rather it merely reflects that claims are available under other procedures.

‘Internal claims’ remedies (the first type of remedy) are claims against the head of the alleged authority that conducted the surveillance. The ECtHR has found that such complaints are ineffective as they “do not meet the requisite standards of independence needed to constitute sufficient protection against the abuse of authority” (Zakharov at [292]). As such, any available internal remedies are ineffective.

Prosecutorial review is the second type of remedy. This remedy is not effective either, because it is based on prosecutorial discretion. Once the prosecutor refuses jurisdiction over a complaint or initiates a criminal case, this remedy becomes ineffective.

In the Pegasus spyware case prosecutor general’s refusal of jurisdiction over complaints, challenged the potential victims’ procedural rights. The prosecutor general remitted the complaints to the state security services which in the case of Pegasus, were a party of interest, and therefore, constituted a conflict of interest. By passing the investigation to the state security services, the investigation lost the requisite degree of independence given the same body was involved in carrying out the covert surveillance, which is contrary to the case-law standards (c.f. Kennedy v UK at [167-8]) of the European Court of Human Rights.

Judicial claim avenues are a third type of legal remedy. Azerbaijani legislation offers no bespoke judicial remedy for illegal surveillance (c.f. the IPT in Kennedy v UK). Instead, there are only general methods of judicial review either under the criminal procedural code or under civil or administrative law. These are ineffective remedies as well:

Whilst it is theoretically possible to judicially review a judicial order authorizing covert surveillance, it is impossible in practice. The decision to authorize covert surveillance is done via the closed court in the absence of the target (CPC Art 447.3.3), and targets of surveillance do not have the right to receive the judge’s decision implementing the operational-search measure (CPC Art 448.6). Whilst a decision of the judge implementing operative-search measures may be appealed within three days after the announcement of the court decision (Arts 452-54 CPC), given that the target neither has the right to be present at the hearing nor receive the decision, this right has no practical value in cases of covert surveillance;
A claim in the civil courts is impossible. Applicants bear the burden of proof (Code of Civil Procedure Art 77), and given that proper notification of covert surveillance is unavailable, it is impossible to meet this burden to bring a claim against an authority that also contradicts the views of the European Court of Human Rights (Zakharov at [296]);
While a claim under the administrative courts is theoretically possible, it is equally ineffective. Whilst an administrative court is obliged to undertake an objective investigation on their own motion (Art 24 Code of Administrative Procedure (CAP)), in practice this is not observed and a de facto burden of proof is placed on an applicant to provide prima facie evidence of the improper administrative act. Without any evidence of the body conducting alleged covert surveillance, it is impossible to lodge an administrative complaint against authorities. Further, the administrative courts have no jurisdiction over criminal procedures (CAP Art 3.2.1), and if an authority claims that an individual is under criminal investigation the administrative courts will not accept the jurisdiction. Further, the administrative court may refuse to hear cases involving an administrative act in connection with the prevention or elimination of the threat that may cause damage to public or state interests (CAP Art 21.3.2);
Finally, a complaint to the Constitutional Court of Azerbaijan is not an effective remedy either (Ismayilov v. Azerbaijan No 4439/04, 17 January 2008).

Remedies against cyber attacks

The above-mentioned conclusion, mutatis mutandis, is effective for cyberattacks also. For cyberattacks, the main relevant remedy is a criminal complaint to law enforcement bodies. However, due to technical issues, many people do not have the information about whom they were targeted. Under normal circumstances, such kind of technical issues should be tackled by an investigation. However, due to prosecutorial discretion and lack of effective investigation against state officials, the criminal complaint mechanism is not effective in practice. In addition, the Cyber Security Center is not an effective remedy in practice. Because this body also is not independent and has no relevant legal powers to conduct an investigation. Consequently, criminal law and administrative law remedies are not effective. In such cases, civil law remedies also cannot be effective due to burden of proof issues (see above).

Specific case studies

There are several case studies that demonstrate that law enforcement authorities are not interested in protecting digital privacy rights despite having an ex officio power to conduct a criminal investigation:

On May 4, 2021, a well-known lawyer Fuad Aghayev said there was an attempt to hack into his Facebook account. Lawyer said that an unknown person wrote to him from Ilham Huseyn’s (active member of Azerbaijani Popular Front Party) account and asked him to download a program similar to “Zoom”, but “safer” for an interview. The lawyer after refusing to download the “unknown app”, called Ilham Huseyn’s phone and realized that Huseyn’s account was hacked and that the message sent to the lawyer was from the perpetrator behind the hacking.
On March 1, 2021, a well-known lawyer Elchin Sadigov, said that smear campaigns against activists were not investigated properly and despite lodged complaints about targeted online attacks, in many cases, the courts do not investigate these complaints.
On May 15, 2020, the opposition Azerbaijani Popular Front Party (APFP) accused the government of cyberattacks against party activists’ social media accounts. In a statement, the Party noted that as a result of hacker attacks, the Facebook accounts of Emil Selim, Ilham Huseyn, Orkhan Selimzade, and Emin Maniyev were hijacked. In addition, fake social media accounts were created impersonating members of the party’s presidium – Fuad Kahramanli, Asif Yusifli, and Mammad Ibrahim, with the intention to harm their reputation and create chaos in society from these accounts.
On March 17, 2021, Bakhtiyar Hajiyev and Narmin Shahmarzade accused the Azerbaijani authorities and law enforcement agencies of the cyber-attacks they were facing. Shahmarzade’s Facebook profile was hacked and her personal images and correspondence were disseminated without her consent. One of the unlawfully disseminated correspondence was Shahmarzade’s conversation with social activist Bakhtiyar Hajiyev.
Another activist, Gulnara Mehdiyeva, was also targeted online. Her social media accounts, email, and communication apps were compromised. So were her backups (archives were backed on Google drive to which she lost access after her personal email was compromised). Although Mehdiyeva regained access to her accounts the damage was extensive. From the account logs, the activist discovered that the perpetrator prepared large bundles of data for download – likely including her email and social media archives, photographs, and other data. The hacker also deleted three Facebook groups dedicated to LGBTQI+ and women’s rights, which Mehdiyeva administered. The attack also exposed the identities of those in the private groups – placing many people, including minors and other vulnerable individuals, at potential risk. Forensics investigation identified two IP addresses from where the attack was carried out. One was previously used in other attacks against independent media in Azerbaijan and was connected to the internet infrastructure of the Ministry of Interior.

In Gulnara Mehdiyeva’s case, the applicant’s lawyer appealed to the Yasamal District Police, where the latter refused to launch a criminal investigation on October 6, 2022. The lawyer appealed the decision of the Yasamal district police to the Yasamal District Court. The applicant’s lawyer referred to the legal grounds that the applicant’s account on social networks was illegally hacked and her personal information was seized, making a claim that this event creates the constituent elements of Articles 155, 156, 272, and 273 of the Criminal Code.

Dismissing the applicant’s appeal, the District Court considered that the criminal act in Article 272 of the Criminal Code is related to the interception of computer data but not the data of the social media accounts noting that computer data and social network data are different from each other.

Furthermore, the Court also considered that the criminal acts in Articles 155 and 156 of the Criminal Code are related to breaching the confidentiality of correspondence, telephone conversations, mail, telegraph, and other information and illegal gathering of confidential information of personal and family life which is not relevant to the applicant’s case.

Interestingly the Court concluded that since the hacking was of the activist’s social media account, the information shared there, was public, and thus could not be considered a secret, and that “social network was not a place where information considered “secret” was protected.”

Lawyers appealed these conclusions of the District Court, which were wrong and were a narrow interpretation of the national and international legislation in this field. The lawyer, in the appeal complaint, explained in detail, how the District Court’s misinterpretation of the national legislation contradicted the relevant international law by referring to the respective provision (Article 271.2) of the Criminal Code and article 1 of the Convention “On Cybercrime”.

The lawyer also claimed that the applicant’s information on the social network such as her personal photos, videos, and personal email correspondence were also intercepted and that all this information constituted private information, therefore, the Court’s conclusion was unfounded. The applicant’s appeals were dismissed by the Appeal and Supreme Courts and the applicant submitted a complaint to the European Court of Human Rights.

On November 3, 2021, the founders of Toplum TV, an online news platform, said their Facebook page was hacked. Hackers(s) removed several videos, including a discussion with an opposition politician Ali Karimli. The hacker(s) accessed the page through another founder’s Facebook account, deleted videos, and page likes, and changed the name of the page.
The Committee of Ministers of the Council of Europe (to which Azerbaijan is a party) mandates that member states comply with the judgments and certain decisions of the European Court of Human Rights. And yet, the court’s decision on Khadija Ismayilova group v. Azerbaijan (Application No. 65286/13) calling on Azerbaijan to duly investigate committed acts, where they [the authorities] failed to do so, and any possible connection and links between crimes committed against journalists and their professional activities, was not complied with.[3]

The cases illustrated here, are by no means exhaustive. These and other examples previously documented by Azerbaijan Internet Watch and elsewhere illustrate that the legal remedies for cyber-attacks and covert surveillance are not effective in practice. In all of the cyber-attack and covert surveillance cases that have been brought before the courts in Azerbaijan, the prosecuting authorities failed to initiate a criminal case and the district courts backed prosecuting authorities’ decisions even in cases where evidence exposed state authorities and/or related persons/entities being behind the attacks.

Conclusions

Our goal in putting together this legal overview was to demonstrate that digital security rights are not protected effectively in Azerbaijan. As we illustrate, violations of digital security rights occur on two levels: cyber-attacks and covert surveillance. Both types of violations are sophisticated and require contemporary preventive and procedural safeguards. However, existing legal remedies are not effective.

Most remedies set out in the legislation have shortcomings: there is no automatic notification system concerning covert surveillance; there is no independent internal review body; lack of rules against prosecutorial discretion; no mechanism in place addressing the conflict of interest between law enforcement and state security bodies; and challenges regarding judicial avenues.

Moreover, on cyber-attack issues the relevant qualified body-the Cyber Security Center-lacks proper legal power to conduct an investigation and is not independent. The issue of independence is important when attacks, as findings of independent digital security rights watchdogs demonstrate, are carried out by state authorities or related entities.

Practical case studies show that despite the scale of cyber-attacks, prosecuting authorities did not initiate even a single criminal case concerning attacks. This creates a culture of impunity regarding violations of digital security rights and has a chilling effect on activists’ right to freedom of expression and other political rights. Similar problems also exist in cases concerning covert surveillance – the lack of progress on Pegasus spyware investigations attests to the prosecuting authorities having no interest in initiating criminal cases.

Consequently, digital security rights and their human rights protection both in a preventive and procedural manner and negative and positive obligations dimension have profound problems in Azerbaijan. Available domestic legal remedies are not effective both in legislation and practice to tackle the current problems.

[1] Paragraph 1 of article 39 of the Law on Telecommunications states that “operators, providers are obliged to create conditions for conducting search operations, intelligence, and counter-intelligence activities in accordance with the law; to provide telecommunications networks with additional technical means in accordance with the conditions established by the relevant executive authority; to resolve organizational issues; and to keep secret the methods used in conducting these events.” Paragraph 2 of the article states that “The operator, the provider shall be liable for the violation of these requirements in accordance with the law.”

[2] The Decision of the Cabinet of Ministers No. 174 of 7 November 2002 “On additional conditions required for the issuance of special permits (licenses) depending on the nature of the activity”, https://e-qanun.az/framework/946

[3] Case Description: Khadija Ismayilova (App. 65286/13). The shortcomings identified in the Court’s judgment need to be remedied, in particular:

to investigate the potential link between the applicant’s professional activity and the receipt of a threatening letter;
to properly question an important witness, Mr. N.J., an employee of Baktelekom, who could shed light on the identity of the possible authors of the crime regarding the installment of a hidden camera in the applicant’s flat;
to investigate the identity of the person who sent the threatening letter to the applicant from Moscow;
to investigate the websites where the intimate videos of the applicant were posted;
to investigate the words “SesTV Player” on the video and its potential connection with the Ses newspaper.
- https://hudoc.exec.coe.int/eng?i=004-52409

A year in review – from online attacks to overall environment of internet censorship in Azerbaijan

Posted on December 16, 2022January 3, 2023 by aiw_admin

The following overview covers some of the prolific trends which illustrate the scope of digital authoritarianism and information controls in Azerbaijan observed and documented in the past year.

Introduction

This report covers the online attacks targeting personal information and devices of human rights defenders, activists, and democracy advocates in 2022. The data is collected through media monitoring and information that was made available by targeted individuals who received support and assistance in mitigating the targeting.

Overall, 2022 has been no different than recent years in terms of online attacks and internet censorship observed in Azerbaijan. Activists, human rights defenders, and democracy advocates received phishing attacks and were summoned to law-enforcement bodies for criticism voiced online where their personal data and devices were often interfered with in the absence of the owner’s consent.

In some cases, there were reported hacking attempts and installed spyware programs. In January – December 2022, we observed overall 10 such cases.

Hacking and phishing attacks usually targeted the social media and email accounts of targeted community members. These were possible through the interception of SMS messages (set up as 2FA). In fact, SMS interception has been the main practice, leading to the hacking of scores of personal accounts, the paralyzation of social media accounts, the deletion of online posts, and the dissemination of personal information belonging to the targets.

Among some of the prominent cases was political activist Bakhtiyar Hajiyev whose social media accounts were targeted on multiple accounts. Hajiyev was also kidnapped twice in April and August 2022 and he was taken to the law-enforcement bodies. Police gained access to his social media accounts by force and removed posts that were critical of the authorities and state institutions. Hajiyev was arrested on December 9, on bogus charges, and sentenced to 50 days in administrative detention [shortly after his arrest Hajiyev announced he was going on a hunger strike. According to media reports, he stopped the strike on December 29, 2022].

Another civil society member, Imran Aliyev was also kidnapped by the Main Department for Combatting Organized Crime where his devices and social media accounts were compromised against his will.

Abulfaz Gurbanli, also an active member of civil society, was phished through an email and WhatsApp messages in February 2022. A file disguised as grant-related information from a known donor organization containing a virus was sent to Gurbanli via his email. On WhatsApp, the activist received a message from someone impersonating herself as a BBC Azerbaijan Service journalist. The targeting resulted in the installation of spyware on his device and the hacking of his social media accounts.

At the time, Az-Net Watch requested assistance from Qurium media to analyze the link shared in the email and despite the journalist’s assurances, the link did contain a virus. “The mail pointed to a RAR compressed file in Google Drive that once downloaded required a password to be decrypted. The password to decrypt the file was included in the phishing e-mail: bbc. Compressed files that are password protected are common in malware phishing attacks as the files can not be scanned by antivirus,” concluded Qurium in its preliminary report. The further forensic report identified malware written in AutoIT. Once the link (in our case the link to a drive where the alleged journalist left questions for the political activist) was opened, the hacker through the deployed malware installed a persistent backdoor in the system. “The software connects to the domain name smartappsfoursix{.}xyz to download the rest of his software requirements. It downloads gpoupdater.exe and libcurl.dll which look responsible for uploading files to the command and control server. During the execution of the malware several (10) screenshots of the Desktop were uploaded to the server,” read the Qurium analysis.

Meanwhile, after taking over Gurbanli’s Facebook account, the hacker also deleted all of the content on at least seven of the community pages, where Gurbanli was an admin (screenshots below are from just two pages).

Az-Net Watch previously documented attacks through phishing emails sent to civil society activists last year. At the time, an email impersonating a donor organization was sent to a group of activists encouraging them to apply for a Pegasus Grant. Preliminary forensic results carried out at the time indicated that the malware sent around in this email was similar to a phishing campaign from 2017, that was widely covered and reported by Amnesty International: “The victims and targets identified, as well as the political theme of bait documents, indicate that the campaign is largely targeting human rights activists, journalists, and dissidents. This campaign also aligns with findings by VirtualRoad.org in their report, “News Media Websites Attacked from Governmental Infrastructure in Azerbaijan”, which links some of the same network address blocks with “break-in attempts” and “denial of service attacks” against several independent media websites. “The malware that was observed is not sophisticated and is in some manner extremely crude. However, combined with social engineering attempts and an unprepared public, these tactics can remain effective against many targets.”

In another case, an online media outlet – ToplumTV – social media accounts were hacked by intercepting incoming SMS, set up as a two-step authentication method. This resulted in the removal of countless news posts as well as subscribers to the channel’s social media account. The media outlet was previously targeted in September and November 2021 – in both instances, the social media accounts were hacked by SMS interception.

Feminist activists also witnessed a surge in online phishing attacks and hacking attempts ahead of the International Women’s Day protest scheduled to take place on March 8, 2022. At least three activists received support to ensure online safety during this period. Similar attacks and targeting were documented last year. In addition to compromised accounts, some feminist activists have faced account impersonation. Most recently, activist Narmin Shahmarzade reported to Az-Net Watch, that a fake Instagram account impersonating the activist shared Sharmazade’s photos in the absence of her consent with inappropriate captions. Az-Net Watch is currently working with the platform to remove the fake account.

Users of social media platforms, who posted critical of the government comments and posts, were also summoned to law- enforcement bodies where they were either forced to hand in their devices and passwords to their social media accounts or to delete their posts that were critical of the government. At least in 5 cases, activists and bloggers faced administrative arrests and interference with their social media accounts for their criticism online and activism.

One of the most recently documented cases includes a blogger who was called into questioning after sharing a video on Facebook of the traffic police accepting a bribe. The blogger was forced to remove the video after the questioning at the police station. Aziz told Meydan TV that police threatened to keep him less he removed the video. After Aziz told the local media about the pressure from the police, the blogger was called back into the questioning together with his parents.

In November, prominent lawyer, Elchin Sadigov said the law enforcement refused to return his mobile devices after the lawyer, would not share his passwords. Sadigov was arrested in September 2022 together with an editor of an independent outlet. In an interview with Meydan TV, Sadigov said, he considered demands that he shares his login credentials were a violation of privacy.

Also in November, a member of D18 political movement, Afiaddin Mammadov, who was arrested on bogus charges and sentenced to 30 days in administrative detention said he was tortured by the local police officers after refusing to share his password to his device.

Other documented instances of social media users targeted over their online criticism this year include:

In April, Meta released its pilot quarterly Adversarial Threat Report in which the platform said it identified “a hybrid network operated by the Ministry of the Internal Affairs.” According to the document, this network relied on, what Meta refers to as, “Coordinated Inauthentic Behavior [CIB]” in combination with cyber espionage, “compromising accounts and websites to post” on behalf of the Ministry. According to the report, these coordinated online cyberattacks targeted journalists, civil society activists, human rights defenders, and members of opposition parties and movements in Azerbaijan. The ministry’s press office was quick to dismiss the findings, saying the findings were fictitious.

Azerbaijan was also among countries identified in Pegasus leaks targeting some 80 government critics among one thousand other Azerbaijanis identified in the targeting with Pegasus spyware.

The attacks and support provided, in the course of the past year, illustrate that no matter how well-prepared political activists and members of civil society are in Azerbaijan, digital security awareness is insufficient in autocratic contexts like Azerbaijan.

We also observed that existing legal remedies in the country are insufficient to find perpetrators behind such targeting and hold them to account. While in a few instances targeted community members filed official complaints, the investigative authorities showed reluctance in effectively investigating the incidents.

This year, Az-Net Watch published this detailed report about litigating Pegasus in Azerbaijan in which together with a legal expert we conclude that existing national legislation concerning privacy and surveillance is insufficient, and is left to vague and often overt interpretation in the hands of law enforcement and prosecutor office. As such, Azerbaijan continues to systematically fail in providing effective legal remedies and sound investigations against state-sponsored digital attacks and surveillance. Moreover, despite evidence-based reports of targeted and coordinated cyber attacks against activists, the government thus far has not investigated and/or provided effective legal guarantees. And in all cases filed for investigations, nearly a year later after Pegasus spyware has been identified to be in use, the law enforcement authorities are yet to take formal investigative actions.

In another report published this year together with a legal expert, Az-Net Watch identified serious gaps in data privacy protection mechanisms in Azerbaijan. Our analysis indicated that the national legislation on personal data protection does not effectively protect individuals against the arbitrary use of their personal data by both public and private entities. The analysis also indicated that the national laws restrict and control personal data with intrusive measures, such as equipping telecom networks with special devices, and real-time access to vast amounts of personal data, in the absence of a criminal investigation or judicial order.

Conclusion

These and other instances of digital threats and offline persecution for online activism illustrate that internet freedom in Azerbaijan continues to decline with no signs of abating. For yet another year, Azerbaijan was ranked “not free” in Freedom on the Net 2022 report released by Freedom House. In addition to scores of news websites currently blocked in the country (a practice observed since 2017), the state has also resorted to blocking or throttling access to social media platforms and communication applications in recent years. In September 2022 the state demonstrated its control over the internet by blocking access to TikTok on the grounds the platform was casting a shadow over military activities, revealing military secrets, and forming wrong public opinion. The blocking was carried out amid renewed military tensions between Armenia and Azerbaijan. Other users said they experienced issues accessing WhatsApp, Telegram, and slow internet connectivity speeds. Previously, during the second Karabakh war (in 2020), users in Azerbaijan faced internet restrictions as well.

Civic activists in Azerbaijan express concern over state control of the internet at a time, when social media platforms, and independent as well as opposition online news sites have become the sole sources of alternative information accessible to the public outside of traditional media.

The present environment is further exacerbated by the continued crackdown on civic activists as in the case of Bakhtiyar Hajiyev mentioned earlier in the report. In addition, a number of critical bills approved by the parliament this year, demonstrate a profound lack of interest on behalf of the state to ensure basic freedoms including freedom of the media and of association. As of February 2022, a restrictive new media law compels online media outlets to register with the government agency and has imposed a number of other critical requirements and criteria that critics say only serve the purpose of silencing independent journalists and news platforms.

On December 16, 2022, the parliament also approved a critical bill on political parties, introducing a new set of exhaustive restrictions on political parties.

As such, Azerbaijani civil society is facing a turbulent year ahead both offline and online in an environment dominated by state control on all forms of dissent leaving many wondering how far the state is willing to go to silence the critics.