Toplum TV Facebook page hacked via SMS interception

On November 3, the founders of Toplum TV, an online news platform, said their Facebook page was hacked. Hackers(s) removed several videos, including one Toplum TV shared yesterday, which was a discussion with an opposition politician Ali Karimli. According to the founders who spoke to AIW, the hacker(s) accessed the page through another founder’s Facebook account, deleted videos, page likes, and changed the name of the page. At the time of reporting this story, the Facebook page was recovered.

In a Facebook post, Alasgar Mammadli, one of the founders of the platform explained in detail how the hacker(s) accessed Toplum TV’s Facebook page by compromising his personal account first.

Translation: This morning at 8.54AM local time, my Facebook account was compromised. The compromise was made possible using my personal mobile phone number. The hacker acquired access to personal information illegally. I only learned about what happened half hour later as I was stuck in city traffic, and had limited access both to my mobile phone and personal computer.  The compromise was made possible by intercepting an SMS sent to my mobile sim card. Meaning, messages sent to my mobile number, were used in parallel by technical supervisors overseeing the telecommunication system in accordance with telecommunication law. Having accessed my personal account [the hacker(s)] were able to access Toplum TV Facebook page, changing its name, [only] deleting archived videos of live debates with Popular Front and Musavat party leaders, and removing several thousand Page likes. Clearly, the reason behind what happened is political intervention. The absolute lack of tolerance to public debates on Toplum TV’s platform has reached such a level, that the perpetrators unafraid, have committed a criminal act prohibited by Articles 271, 272, and 273 of the Criminal Code. This compromise is an act of crime and a grave violation of freedom of speech, privacy, and security of personal data. I demand that serious investigation and preventive action be taken by relevant authorities working within the information security space.

Toplum TV encouraged its readers and followers in a tweet to support their page after hacking:

Translation: Toplum TV’s Facebook page was compromised and its name changed to their name “toplan”. To support independent media, like our Facebook page, and help restore deleted followers.

SMS interceptions are commonly used in Azerbaijan. Below, are a few excerpts from a recent report published by AIW in partnership with International Partnership for Human Rights on the topic: 

The interception of SMS exchanges remains an acute problem in Azerbaijan. In recent years, scores of political activists, journalists, rights defenders, and independent media platforms have had their social media accounts compromised. In many of these cases, those affected have had SMS notification enabled as two-step verification (2FA) procedure for accessing their Facebook accounts. As a result, when their accounts were compromised, they were unable to restore access to the accounts relying on traditional troubleshooting steps offered by social media platforms such as Facebook. Thus, they were unable to retrieve password reset codes sent by Facebook by SMS as their messages were intercepted by the operators, only to be passed on to the relevant government bodies. This experience shows that mobile companies have been involved in many of these attacks. However, none of the operators have taken the blame, so far. The earliest example of SMS surveillance goes back to 2009 when 43 Azerbaijanis voted for Armenia’s entry in the Eurovision Song Contest through votes cast by SMS. A number of these people were summoned and questioned by the security services. In an interview with Azadliq Radio (the Azerbaijani service of Radio Free Europe/Radio Liberty), one of these televoters, Rovshan Nasirli said that the authorities demanded an “explanation” for his vote and told him it was a “matter of national security”. He told the service: “They were trying to put psychological pressure on me, saying things like: ‘You have no sense of ethnic pride. How come you voted for Armenia?’ They made me write out an explanation, and then they let me go.” The authorities did not deny that they had identified and summoned people who voted for Armenia, and argued that they were merely trying to understand the motives of these people.

Three years after the Eurovision scandal, an investigative documentary aired on Swedish TV called ‘’Mission: Investigate” revealed how the Swedish telecommunications giant TeliaSonera, which at the time owned a majority stake of Azercell, allowed “black boxes” to be installed within their telecommunications networks in Azerbaijan from as early as 2008. These boxes enabled security services and police to monitor all network communication, including internet traffic and phone calls in real-time without any judicial oversight. The exposure of these black boxes explains the type of technology the government was deploying already at the time of Eurovision in 2009. The investigation aired by Swedish TV also confirmed that wiretaps were used as evidence in politically motivated cases.

In 2014, an OCCRP investigation revealed how mobile operators were directly passing on information about their users to the respective government authorities. In a country where the government enjoys unprecedented control over the ICT industry and where some of the key players in the market such as mobile operators and ISPs are affiliated with the government or its officials, the findings of the investigation were not at all surprising. The 2014 investigation quoted the director of the Media Rights Institute, Rashid Hajili as saying that both mobile companies and ISPs were obliged to provide special facilities to the Ministry of National Security (MNS)91 for surveillance purposes in accordance with existing legal provisions as explained earlier. In the case of mobile companies, no court approval was sought to eavesdrop on the conversations and SMS exchanges of their customers – a common practice to this day. One of the first accounts of collaboration between mobile companies and the government is that of journalist Agil Khalil. In 2008, Khalil was working on a story about the alleged involvement of MNS employees in corrupt land deals. After taking photographs for the story, he was approached by MNS agents and beaten. The journalist escaped from his attackers and managed to take photos of them. Khalil filed a complaint with the police, and an investigation was opened but eventually dropped, without the perpetrators having been prosecuted or even identified. Soon after turning to the police, the journalist realized that he was being followed. When he filed another complaint with the police about the surveillance, police again failed to follow up. A few days later, Khalil was subjected to a new attack: this time, an unknown assailant stabbed and injured him. Khalil again turned to the police, accusing both the MNS and the mobile operator Azercell (whose services he was using ) of being responsible for the attack. He argued that the operator had helped the MNS to track down his whereabouts, thereby facilitating the attack. The involvement of Azercell in the case became more evident when the operator provided a local court, which examined the journalist’s complaint, with alleged SMS exchanges between Khalil and a man named Sergey Strekalin, who the MNS claimed was Khalil’s lover and had stabbed the journalist out of jealousy. When Khalil’s lawyer requested access to these SMS exchanges, Azercell refused, which called into question the authenticity of these messages. Khalil left Azerbaijan the same year after another attempted attack against him and the continued failure of the authorities to hold his assailants accountable. He took his case to the ECtHR, as a result of which the Azerbaijani government made a so-called unilateral declaration (an official admission) before this court in 2015 that it had violated Khalil’s right to life, freedom from ill-treatment, and freedom of expression and agreed to pay 28 000 EUR in compensation to him. As the government made this admission, there was no ECtHR ruling on the case.

In September, Toplum TV reported it lost 16k followers on its Facebook page. Facebook failed to explain how and why this took place. 

Legal analysis of a COVID tracing app released last year in Azerbaijan

This is part three in a series of detailed legal reports and analyses on existing legal amendments, and new legislation affecting privacy, freedom of expression, media, and online rights in Azerbaijan and their compliance with international standards for freedom of expression.  

In July, of last year, authorities in Azerbaijan released their very own COVID tracing tracker application. Launched by Tebib (Azerbaijan Administration of Regional Medical Division) the app was quick to draw attention, especially over its privacy issues.

The mobile app is operated by the Data Processing Center (DPC), which is the main structure of the information technologies of the Ministry of Transport, Communications, and High Technologies. According to the app’s version history at App Store, the application “update” was done on 27 May 2021. 

e-Tebib is just one of the deluge of apps unveiled during the height of the COVID-19 pandemic by various governments, promising to detect COVID-19 exposure and not only.

Below, we break down the pervasiveness of the app having analyzed existing national and international legislation.

Features and concerns

According to the app’s description, “E-Tebib is designed to inform users in real-time about the number of patients (both sick and recovered) in Azerbaijan.” Since the start of the pandemic, the official data for Azerbaijan on the number of infected patients and recoveries were made available here and the numbers were updated once a day – based on the numbers reported by the Operational Headquarters set up under the Cabinet of Ministers of the Republic of Azerbaijan (the unit was established on February 27, 2020). Already from the start, it was unlikely the app was going to provide real-time indicators when the main body in charge only shared the information once a day. 

In addition, article 4.4 in the user agreement of the app, explicitly said that any information, obtained through the app, may not be precise, correct, or trusted. And yet, the app also claimed to reduce the number of infected patients by informing users of potential COVID infected patients around them via Bluetooth technology. 

Although the app claimed it did not collect any personal data aside from the user’s phone number the article 5.3 of the license agreement stated, the center [the Ministry of Communication, Transportation and High Technologies who owns the app’s license] collected users’ names, last names, phone numbers, social media accounts, emails, national ID numbers, and location.

Article 5.1 mentioned the center was sharing this information with third parties. These third parties were allowed to analyze collected information including users’ browsing history [The center did claim that it did not allow third parties, to use the obtained information for other purposes]. Article 5.5.1 stated the center may share users’ information with government bodies and/or representatives’ legal requests; court orders; or under any other legal condition. Furthermore, article 5.6 stated that users’ information may be shared with third parties in other countries for security purposes.

What the law says

According to Article 5.1 of the Law on Personal Data personal information is protected from the moment it is collected and for this purpose, it is divided into confidential and public categories according to the type of access. Article 5.2 of the Law on Personal Data stipulates that confidential personal data must be protected by the owner, operator, and users who have access to this information on a level required by law. Confidential personal information may be disclosed to third parties only with the consent of the subject, except as provided by law. Article 5.3 of the Law on Personal Data defines open personal data as information anonymously duly declared, made public by the subject, or entered into the information system with the consent of the subject. The person’s name, surname, and patronymic are permanently open personal information.

The terms of the agreement [of the app] on sharing private information with the third parties are vaguely regulated and open to wide interpretation for unlawful transmission of the private information with third parties.

Furthermore, article 5.5.1 of the app’s agreement that states information might be shared upon the government representatives’ legal requests are problematic from the human rights perspective. It fails to specify on which grounds and under what conditions the state authorities might request the private information which is necessary for terms of procedural fairness and safeguards against arbitrariness.

Where personal information is stored for the interest of the protection of health, there should be adequate and effective guarantees against abuse by the state. The law in question, which allows the storing of such information, must indicate with sufficient clarity the scope and conditions of exercise of the authorities’ discretionary power. These standards to some extent are also backed in Article 11.2.2 of the Law on Personal Data which states that when collecting personal data, the owner or operator must notify the subject about the purpose of personal data that is being processed and the legal grounds of this purpose.

In other words, it is not clear whether any state authority can have access to private information simply upon requesting it without legal justification. This is also a requirement of the Law “About operational search activities” as per Article 10. Thus, Article 10 of the Law states that the extraction of information from technical communication channels and other technical means is carried out on the basis of the decision of the court [judge].

Article 5.10., of the app’s user agreement states that all user-related data is kept for a month. But it fails to explain whether the same expiry date applies to “third parties” that may have access[ed] [to the] users’ information. This is contrary to Article 8.2., of the Law on Personal Data. Law on Personal Data requires that for the purpose of collecting and processing of personal data (specifically Article 8.2.3.,) and conditions of destruction or archiving of personal data collected in the relevant information system after the expiration of the period of storage or after the death of the subject in the manner prescribed by law must include a written consent for the processing of the subject’s personal data.

Such vagueness is also contrary to the ECtHR’s well-established case law. In Aycaguer v. France case, the ECtHR ruled, there was a violation of Article 8 (right to respect for private life) of the Convention by “determining the duration of storage of […] personal data depending on the purpose of the file stored […]”. The Court noted that, to date, no appropriate action was taken on that reservation and that there was currently no provision for differentiating the period of storage. The Court also ruled that the regulations on the storage of DNA profiles did not provide the data subjects with sufficient protection, owing to its duration and the fact that the data could not be deleted. The regulations, therefore, failed to strike a fair balance between the competing public and private interests.

Another concern was that the application was developed by A2Z Advisors LLC and the app’s privacy policy was linked to the company’s website. The landing page of A2Z Advisors LLC, however, did not provide any information on the app’s privacy policy. At the time when the app was launched, AIW reached out for comment via email as per A2Z’s recommendation but never received a response.

Similarly, in the App Store for IOs when clicking on the “App Support” tab, the page once again led to the A2Z company website and once again failed to provide any information related to the App. Instead, the privacy policy was accessible via this link that a user had access to but only after downloading and launching the app. This in itself was contrary to the several articles of the Law on Personal Data.

According to Article 11 of the law, it is required, when collecting personal data, that the owner or operator, notifies the subject about the level of protection of personal data collected and processed in the information system [11.2.3.]; the information on the existence of a certificate of conformity of information systems and state examination [11.2.4.]; and the scope of the intended uses of personal data, including the information system for which the information is to be exchanged [11.2.5.]. However, no such information was provided in the app’s agreement.

The app was also not an open-source code and was licensed under the Ministry of Communication, Transportation, and High Technologies. This is contrary to the requirement [Article 6.22.,] of the Resolution of the Cabinet of Ministers about “Requirements on creation and management of Internet information resources of state bodies”, which requires that open source content management systems should not be used in internet information resources.

FaktYoxla, a fact-checking platform in Azerbaijan concluded after a detailed legal analysis over the license agreement that e-Tebib was not designed in accordance with the national legislation on data privacy. The fact-checking platform, having analyzed the respective case-law of the European Court, the EU Data Protection Directive, and the Council of Europe Treaty 108, concluded that the e-Tebib application contradicted the obligations imposed by international standards.

On July 10, 2020, following widespread privacy concerns and questions over the app’s transparency, changes were made to the terms of the agreement.

Originally users’ information was transferred to third parties, which were not explicitly defined in the agreement. At the time, independent experts and lawyers said this was against Article 32 of Azerbaijan’s state constitution and in violation of Article 8 of the European Convention on Human Rights.  Azerbaijan’s constitution, namely, Article 8, stipulates that no one has a right to collect personal information without an individual’s permission. The convention, on the other hand, refers to respect for privacy. 

***In Copland v. the United Kingdom case (no. 62617/00, ECHR 2007-I), the Court found that it was irrelevant that the data held by the college where the applicant worked was not disclosed or used against her in disciplinary or other proceedings. Just storing the data amounted to an interference with private life.

The updated license agreement said that only under necessary circumstances, and within the normative legal framework personal information may be transferred to third parties. The revised agreement, still, fails to explicitly mention the precise list of institutions considered under third parties.

Fuad Niftaliyev – the head of the app development project later explained that the third parties referred to in the agreement are the Ministry of Health, Tebib, and the Operational Headquarters [set up under the Cabinet of Ministers of the Republic of Azerbaijan]. Niftaliyev clarified that the collected information was stored on the servers operated by the Ministry of Communication and Information, however that too was problematic, given the questionable transparency of the government institutions in Azerbaijan especially as surveillance technology is widely used by the ministries alike. 

in Azerbaijan a COVID tracing app draws much suspicion over privacy issues [updated]

In July, authorities in Azerbaijan released it’s very own COVID tracing tracker application. Launched by Tebib (Azerbaijan Administration of Regional Medical Division) the app was quick to draw attention, especially over its privacy issues. 

e-Tebib is just one of the deluge of apps that have been unveiled in recent months by various governments, promising to detect COVID-19 exposure and not only. According to this detailed MIT review, some of these apps are “lightweight and temporary, while others are pervasive and invasive” like the Chinese version which attains access to user’s identity, location, online payment history “so that police can watch for those who break quarantine rules”. 

In Azerbaijan, the police were already on the watch, with a mandatory SMS mechanism that required citizens to receive permission slips via SMS before going outside.  So why ask citizens to install an app, that technically does nothing new or does it?

Features and concerns

According to the app’s description, “E-Tebib is designed to inform users in real-time about the number of patients (both sick and recovered) in Azerbaijan.” Currently, the official data is available here and the numbers are updated once a day – based on the numbers reported by the Operational Headquarters set up under the Cabinet of Ministers of the Republic of Azerbaijan (the unit was established on February 27). It is unlikely the app will be providing real-time indicators when the main body in charge only shares the information once a day. 

In addition, article 4.4 in the user agreement of the app, explicitly states that any information, obtained through the app, may not be precise, correct, or trusted. 

And yet, the app also claims to reduce the number of infected patients by informing users of potential COVID infected patients around them via Bluetooth technology. 

Although the app claims it does not collect any personal data aside from user’s phone number the article 5.3 of the license agreement states, the center [the Ministry of Communication, Transportation and High Technologies who owns the app’s license] collects users’ names, last names, phone numbers, social media accounts, emails, national ID numbers, and location. Article 5.4 mentions the center sharing of this information with third parties. These third parties may analyze collected information including users’ browsing history [The center does claim that it does not allow third-parties, to use the obtained information for other purposes]. Article 5.5.1 states the center may share users’ information with government bodies and/or representatives’ legal requests; court orders; or under any other legal condition. Article 5.6 states that users’ information may be shared with third parties in other countries for security purposes. Article 5.10 states that all user-related data is kept for a month. But it fails to explain whether the same expiry date applies to “third parties” that may have accessed users’ information.

The application is developed by A2Z Advisors LLC and the app’s privacy policy is linked to the company’s website. The landing page, however, does not provide any information on the app’s privacy policy. When reached out for a comment, AIW was recommended to send an email which at the time of writing this post remains unanswered. Similarly, in the App Store for IOs when clicking on “App Support” tab, the page once again leads to A2Z company website but does not actually provide any information related to the App. Instead, the privacy policy is accessible via this link that a user can access only after downloading and launching the app. 

According to the app’s version history at App Store, the application was released a month ago. The latest “update” was done 2 days ago [July 7].

The app’s further transparency criticism comes from the fact that it is not an open-source code and its license belongs to the Ministry of Communication, Transportation, and High Technologies. 

The biggest concern – the location of the data storage; the duration of the data storage; and who has access to this data.    

In Azerbaijan however, other concerns have also been voiced – that the application is only available for native speakers and that ex-pats living in the country are unable to use the application. It is also not catered to people with disabilities. 

FaktYoxla, a fact-checking platform in Azerbaijan concluded after a detailed legal analysis over the license agreement that e-Tebib is not designed in accordance with national legislation on data privacy.

On July 10, following widespread privacy concerns and questions over the app’s transparency, changes were made to its terms of the agreement. Originally users’ information was transferred to third parties, which were not explicitly defined in the agreement. At the time, independent experts and lawyers said this was against Article 32 of Azerbaijan’s state constitution and in violation of Article 8 of the European Convention on Human Rights.  Azerbaijan’s constitution, namely, Article 8, stipulates that no one has a right to collect personal information without individual’s permission. The convention, on the other hand, refers to respect to privacy. 

The new license agreement now says that only under necessary circumstances, and within the normative legal framework personal information may be transferred to third parties. The revised agreement, still, fails to explicitly mention the precise list of institutions considered under third parties.

Although this last point was later addressed by Fuad Niftaliyev – the head of the app development project. Niftaliyev explained that the third parties referred to in the agreement are: Ministry of Health, Tebib, and the Operational Headquarters [set up under the Cabinet of Ministers of the Republic of Azerbaijan]. According to Niftaliyev, the collected information is stored on the servers operated by the Ministry of Communication and Information. The last point is itself problematic, as the transparency of government institutions in Azerbaijan is problematic especially as surveillance technology is widely used by the ministries alike. 

For potential users of the app, this remains problematic, especially when there is no option “B” if one disagrees with terms of service.