The State of Internet Freedom in Azerbaijan, a legal overview

This is part five and the final installment, in a series of detailed legal reports and analyses on existing legal amendments, and new legislation affecting privacy, freedom of expression, media, and online rights in Azerbaijan and their compliance with international standards for freedom of expression.  

This final report, “The State of Internet Freedom in Azerbaijan, a legal overview” was prepared in partnership with human rights lawyer, Emin Abbasov. It is a comprehensive overview, of the existing legal framework in Azerbaijan on internet freedoms.

The following report identifies gaps within the legislation, policy, and practice that fail to comply with international legal standards in the field of internet freedoms.

As such, the aim of the report is to:

  • identify and report key developments concerning internet freedoms covering the period between 2020-2021;
  • analyze and review legislation, policies, and practices in line with international standards;
  • provide recommendations to strengthen and develop legislation, policies, and practices already in place;

Executive Summary

Azerbaijan’s track record on freedom of expression and freedom of the media has been on a steady decline according to a number of key reports by international media freedom watchdogs. This has been the case especially since 2014.

The most recent rankings by the Reporters Without Borders’ Press Freedom Index in 2020, place Azerbaijan at the bottom of the index, where the country ranks 169 out of 180 countries monitored. Freedom House’s annual Freedom on the Net report ranked Azerbaijan in 2020 as “Not Free.”  

From a legal perspective, despite routine calls on the government of Azerbaijan to ensure the domestic legislation and its application comply with international standards, particularly in line with the ECtHR case-law requirements on freedom of expression, media, and internet rights, the legislative authority, continues to adopt restrictive new bills that further deteriorate fundamental rights and freedoms.

During the reporting period, the parliament in Azerbaijan adopted several amendments to existing national legislation, imposing further restrictions and increasing state control over the internet.  In the meantime, relevant authorities failed to carry out effective and prompt investigations and prosecution into the cases of blackmailing and online sexual harassment against activists and politicians. Further, the government prepared a draft law on the media, with proposals to license Internet televisions and radios, and a new media registry with strict requirements for journalists, media owners, and media platforms. 

The report also identifies the government’s failure to present, sufficient mitigation policies to remove the infrastructural barriers related to internet access when switching to online education during country-wide restrictions imposed in March of last year as a result of COVID19. These barriers were more profound in remote areas of the country where access to the internet is poor due to inadequate infrastructure and among economically vulnerable populations.      

Finally, this report concludes that domestic legislation in Azerbaijan does not provide effective safeguards for the protection of the rights and freedoms of people online. On the contrary, it gives law enforcement a wide range of powers while failing to provide an independent review mechanism neither by the courts nor by other independent institutions over the exercise of those unlimited powers.

In response to these challenges, the report offers a number of recommendations for the government to improve its domestic legislation in line with international standards with the view of better protection of individuals’ rights and freedoms online. The full PDF report can be accessed here. Below are some of the key findings.

Key Developments between January 1, 2020June 31, 2021

  • The Cabinet of Ministers adopted a decision No.22 on January 29, 2020, approving the “Rules of the organization of operation of the information system on activity against foreign technical intelligence,” and “Level of access of information resources of state bodies within the information system on activity against foreign technical intelligence.” However, the specifics of these rules and what they entail were not disclosed;
  • Azerbaijan tightened control over online content, specifically the definition of “prohibited information”. On March 17, 2020, the parliament amended the Law of the Republic of Azerbaijan On Information, Informatization and Protection of Information (30-VIQD). According to the amendment, “prohibited information” includes false information endangering human life and health; causing significant property damage; mass violation of public safety; disruption of life support services; and of financial, transportation, communication, industrial, energy, and social infrastructure facilities; or leading to other socially dangerous consequences.”
  • During the reporting period, the number of attacks and direct targeting against activists, politicians, and their family members with intimate photos, videos, and personal messages that were leaked online, increased significantly;[1]
  • On June 29, 2020, the Parliament adopted amendments to the Law on Telecommunications and appointed the Ministry of Transport, Communications and High Technologies as an administrator of domain name registration in Azerbaijan;[2]
  • On September 27, 2020, authorities in Azerbaijan imposed restrictions on access to the internet by limiting the speed of the internet, blocking access to social media platforms and messenger services such as WhatsApp, Telegram, and others during the second Karabakh war;[3]
  • On January 13, 2021, the government established Azerbaijan State Agency for Media Development, according to the Presidential decree “On deepening media reforms in the Republic of Azerbaijan” [signed on January 12, 2020]. The agency was given broad powers to control the online media landscape;[4]
  • The Government announced a new draft law on media with provisions to license Internet TV channels;
  • Azerbaijan parliament members announced plans to draft a new law on Hate Speech.

Key findings

  • The regulation of the internet in Azerbaijan is controlled by the Ministry of Transport, Communications and High Technologies, (MTCHT). The MTCHT is a government agency, in charge of regulating communications and the development of information technologies. It also controls the internet telecommunications infrastructure.
  • Despite the Law on Telecommunication obligating the state, to ensure healthy competition and antimonopoly activity in the field of telecommunications[7], the import and distribution of the internet in the country is mainly distributed through state companies or private companies under strict government control.[8] According to the Law on Telecommunication (Article 6) regulation of telecommunication activity in Azerbaijan is carried out by the state through broad powers, notably, through the licensing and certification of telecommunication activity, the application of tariffs for the use of telecommunication services, and radiofrequency, and etc.
  • The activities of internet service providers (ISPs) and operators are required to register with the MTCHT. According to the “Rules of registration of operators and providers of Internet telecommunication services” approved by the Resolution of the Cabinet of Ministers of the Republic of Azerbaijan [No. 427] and dated October 12, 2017, operators and providers of internet telecommunication services must register for a license by applying through the MTCHT, within 15 (fifteen) days of the start of the service.[9]  The Rule further states that in accordance with the Presidential Decree No. 507 dated June 19, 2001 “On the division of powers of search operations’ entities while carrying out search operations,” ISPs are required to have a copy of the guarantee, on the installation of special equipment that provides access to information, for search operations.[10] The Rule also requires that the operators and providers submit, approved copy (copies) of the agreement (contracts) concluded with the first subscriber (subscribers), to the registration authority namely the MTCHT.[11]
  • The State Security Service and the Ministry of Internal Affairs are authorized for the organization of search operations within the communication networks in accordance with the Rule approved by the Presidential Decree № 638 dated October 2, 2015 “On approval of the Rules on information security during search operation activities on communication networks”.[12] This respective rule was never published. According to the Constitutional Law “On normative legal acts” laws and presidential decrees signed by the President must be officially published within 72 hours after the signing.[13] The Constitutional Law also allows that certain provisions of normative legal acts reflecting state secrets are not published.[14]
  • On June 17, 2021, the National Television and Radio Council (NTRC) announced the provisions in the draft law “On Media” concerning television and radio broadcasting.[18] According to the draft law a number of restrictions on freedom of expression and information, as well as regulation of media activities is envisioned. For the purpose of this report, only those restrictions that concern and impact freedom on the internet are considered here.
  • The Council of Europe’s Committee of Ministers recommendation CM/Rec(2007)16 to its member States to promote the public service value of the Internet[19] indicates the importance of diversification of competitive market structures in internet resources and ICTs. According to the Recommendations, member states should develop, in co-operation with the private sector and civil society, strategies that promote sustainable, economic growth via competitive market structures in order to stimulate investment, particularly from local capital, into critical Internet resources and ICTs, with particular reference to: developing strategies which promote affordable access to ICT infrastructure, including the Internet, promoting technical interoperability, open standards and cultural diversity in ICT policy covering telecommunications, broadcasting and the Internet. Azerbaijan has so far, failed to meet these recommendations.
  • In the context of its Recommendation CM/Rec(2018)1 to member States on media pluralism and transparency of media ownership, the Council of Europe’s Committee of Ministers refers to the term “online media” and stresses its importance for media pluralism.  It further notes that states have a positive obligation to foster a favorable environment for freedom of expression, offline and online, in which everyone can exercise their right to freedom of expression and participate in public debate effectively, irrespective of whether their views are received favorably by the State or others.[25] Moreover, in 2012, the UN Human Rights Council adopted a key resolution on the promotion, protection, and enjoyment of human rights on the Internet, “calling upon all States to promote and facilitate access to the Internet and international cooperation aimed at the development of media and information and communications facilities in all countries.”[26]
    • So far, the relevant government institutions have failed to offer such assurances in Azerbaijan. The extent of government control and monopoly, as well as poor internet infrastructure, are reflected in numerous international reports. The 2021 Inclusive Internet Index, ranked Azerbaijan 84th globally in the “readiness category,”[27] and the country’s overall performance scores have deteriorated year on year.[28] According to June Speedtest Global Index, (results are updated mid-month for the previous month), Azerbaijan ranked 122nd out of 181 countries in the category of fixed internet speed. The country’s score improved in the category of mobile internet speed, scoring 66th place out of 137 countries ranked in this category.[29]
  • The Guiding Principles on Business and Human Rights also recognize the responsibility of business enterprises to respect human rights, independent of State obligations or the implementation of those obligations (see A/HRC/17/31, annex; and A/HRC/32/38, paragraphs 9- 10). They provide a minimum baseline for corporate human rights accountability, urging companies to adopt public statements of commitment to respect the human rights endorsed by senior or executive-level management; conduct due diligence processes that meaningfully “identify, prevent, mitigate and account for” actual and potential human rights impacts throughout the company’s operations; and provide for or cooperate in the remediation of adverse human rights impacts (see A/HRC/17/31, annex, principles 16-24).[35]
    • These internationally recognized standard-setting instruments are usually not legally binding but elaborated from different binding human rights treaties and standards. Such documents set out a number of recommendations, standards, and commitments on the regulation of Internet infrastructure, as well as the regulatory role of states in accessing the Internet. However, none are implemented in the context of Azerbaijan.
  • During the period of martial law, access to the Internet remained blocked to the public, in the absence of any administrative decisions or justifications, the guarantees associated with the decision, and clearly stated reasons for such restrictions in place.
  • Azerbaijan signed the Budapest Convention – the Council of Europe Convention against Cybercrime – in 2008 and has ratified it, in 2010.[58] The Budapest Convention is a treaty on crimes committed on the internet and on computer networks. In Azerbaijan, regulation of intelligence services and online policing online, including investigation and prosecution of offenses committed online, are regulated by the Criminal Code, Criminal Procedure Code, Law on Search and Operation, Law on Police, and Law on Prosecutors office, including other normative legal acts of the Republic of Azerbaijan. However, there is no dedicated strategy or other specific policy documents on cybercrime currently available or being developed in Azerbaijan.[59]
    • In the absence of such policies, the law enforcement agencies, especially the police, which do not have significant capacity to investigate and prosecute crimes committed online, often interferes with the freedom of expression of the social network users.
    • In recent years, the police increasingly play the role of an arbitrator in resolving public conflicts and disputes between internet users. By complaining to the police, individuals can force others (whom they are in conflict with) to delete their status and comments from social network accounts. In return, police promptly identify those who complained about/against or people who criticize the government, and especially the law enforcement agencies on social networks, forcing them to apologize to the public on camera. Police then share the apology videos with the media.[60]
  • Local civil society activists suggest that during the quarantine period, a large number of people who were held administratively or who were criminally liable for organizing and/or participating in wedding or funeral ceremonies were brought to the police stations, where their forced confessions of repentance were filmed and later broadcasted on national television channels. According to credible reports received by the Election Monitoring and Democracy Studies Center, an Azerbaijani NGO, most people did not give consent to such video recordings. As such, the broadcast of the videos took place against Article 51 of the Code of the Administrative Offenses, which prohibits the dissemination of materials (audio, video, photo) in the mass media without the consent of the person against whom the administrative proceedings are conducted.[62]
  • Such practice was also used against LGBTQI+ people at least on one occasion. In July 2020, police shared the testimonies of two persons, who were accused of allegedly promoting drug use via their TikTok accounts. The video of their forced confession was shown on state media (Azertag), to discredit LGBTQI+ people and to create a negative public image.[63]  
  • Council of Europe Committee of Ministers Declaration on Freedom of Communication on the Internet (Adopted by the Committee of Ministers on May 28, 2003 at the 840th meeting of the Ministers’ Deputies), contains ten principles. According to the seventh principle, “In order to ensure protection against online surveillance and to enhance the free expression of information and ideas, member states should respect the will of users of the Internet not to disclose their identity. This does not prevent member states from taking measures and co-operating in order to trace those responsible for criminal acts, in accordance with national law, the Convention for the Protection of Human Rights and Fundamental Freedoms, and other international agreements in the fields of justice and the police.”[68]
    • But in the case of Azerbaijan, and following the decree on amendments, no such measures were taken into account. Moreover, at the time of writing of this report, there is no information on whether this mechanism was finalized.

 Conclusions & Recommendations

The analysis of the domestic legal framework shared in this report demonstrates that the current legal framework provides law enforcement authorities with unlimited powers to operate in online spaces. The analysis also explains, how this framework empowers the state to exercise full and unchecked control over telecommunication infrastructure.

In such an environment, internet and mobile operators as well as the ISPs have no power or independence to challenge the unlimited powers of the state. Further, our analysis indicates that the legal national framework is designed in such a way, that it fully disregards or undervalues the rights of individuals online while granting authorities ambiguous powers to control everything online in the absence of an independent review of the regulatory authorities’ decisions and actions.

The most striking example of such unlimited powers is an obligation placed on the ISPs to allow law enforcement authorities to set up special technical devices on the ISP’s infrastructure, in order to monitor users online and collect information about them. This is done in the absence of explicit legal provisions which normally would require a court order to carry out such activity, as well as in the absence of independent oversight by a regulatory body, that Azerbaijan failed to establish since 2016. As a result, the lack of an independent regulatory body in the field of telecommunications, as well as the lack of an independent judiciary that is capable of providing effective protection and independent judicial review against the government’s interferences, leaves citizens without any remedies to pursue.

Finally, this report also illustrates the weakness of the legislation on emergency powers, which at the moment fails to indicate the exact limits of government bodies during a state of emergency or war. Such loopholes allow the state authorities to exercise their exclusive powers in a way that can exceed the needs created as a result of such circumstances.

Based on the overview presented above, the following set of recommendations can help improve the overall environment of internet freedom in Azerbaijan:

  • Amend the legislation, notably the law On Information, Informatization, and Protection of Information, including the Code of Administrative Offences and Criminal Code to remove restrictions on content, such as false information, insult, and slander. Consult with the independent civil society groups to amend the legislation on content regulation in order to strengthen the national legislation and make it in line with international standards. Provide self-regulation opportunities for providers and private companies to regulate inapplicable content in online spaces;
  • Consider wider consultation and public discussions when reviewing new legislation and policy to ensure the voices of all key stakeholders are heard;
  • Avoid adopting the draft law on media, that currently requires licensing of the Internet TVs and radios. Instead, ensure the provisions of journalistic activity online is not subject to specific authorization;
  • Establish an independent National Regulatory Authority in line with international standards including, civil society organizations and other relevant stakeholders;
  • Provide effective and prompt investigation and prosecution of online harassment, and blackmailing against activists, politicians, and/or their family members;
  • Amend the Law on Telecommunications, the law on Information, Informatization and Protection of Information and Law on Private Information, including other normative legal acts to indicate what specific measures and in what circumstances the government is undertaking to exclude the anonymity of the internet users, including installing special software and hardware systems for the provision of blanket surveillance in online spaces.
  • Amend the legislation to provide effective safeguards against abuse of power of law enforcement authorities, notably, amend article 10 of the Law of The Republic Of Azerbaijan On Operational-Search Activity to ensure that a respective court decree is required for conducting online tracking, interception, and seizure of private information from the telecommunication channels about individuals;
  • Ensure that the Martial Law and the Law on Emergency Situations contain explicit provisions, notably safeguards, against the abusive application of emergency powers online. In doing so, amend the respective laws to include clear procedures of imposing any limitation over the internet and provide that such decisions are subject to effective safeguards;

[1] Azerbaijan Internet Watch, Targeted harassment via telegram channels and hacked Facebook accounts, March 9, 2021, https://www.az-netwatch.org/news/targeted-harassment-via-telegram-channels/

[2] The law on amendments to the Law of the Republic of Azerbaijan “On Telecommunications”, 29 June 2020, available (in Azerbaijani) at: http://e-qanun.az/framework/45676

[3] Azerbaijan limits internet access to prevent Armenia’s large-scale acts of provocation – short notice from the Ministry of Transport, Communications and High Technologies, available (in English) at: https://mincom.gov.az/en/view/news/990/azerbaijan-limits-internet-access-to-prevent-armenias-large-scale-acts-of-provocation-

[4] Presidential decree on deepening media reforms in the Republic of Azerbaijan, 12 January 2021, available (in Azerbaijani) at: http://e-qanun.az/framework/46675

[7] Article 11.1 of the Telecommunication law. “Operators, providers, other legal and physical persons operating in the field of telecommunication, as well device producers and suppliers are equal subjects in the creation and development of telecommunication services.”

[8] Article 3.1.8, article 11.2, and article 11.2.1 of the Law on Telecommunication

[9] The Rules of registration of operators and providers of Internet telecommunication services Available (in Azerbaijani) at: http://e-qanun.az/framework/36773

[10] Presidential Decree On the division of powers of search operations entities in the implementation of search operations, June 19, 2001, available (in Azerbaijani) at: http://e-qanun.az/framework/3569

[11] Article 3.3.3 of the Rule of registration of operators and providers of Internet telecommunication services.

[12] Presidential Decree “On approval of the” Rules for ensuring information security in the implementation of search operations in communications networks ” 2 October 2005, available (in Azerbaijani) at: http://e-qanun.az/framework/30840

[13] Article 83.1 of the Constitutional Law (№ 21-IVKQ) “On normative legal acts” dated 21 December 2010. Available (in Azerbaijani) at: http://www.e-qanun.az/framework/21300

[14] Article 82.7 of the Constitutional Law (№ 21-IVKQ) “On normative legal acts”

[18] Azadliq Radio, Internet TV channels may require a license, June 17, 2021, https://www.azadliq.org/a/internet-tv-lisenziya/31313244.html

[19] Adopted by the Committee of Ministers on November 7, 2007, at the 1010th meeting of the Ministers’ Deputies, https://search.coe.int/cm/Pages/result_details.aspx?ObjectID=09000016805d4a39

[25] The Council of Europe’s Committee of Ministers Recommendation CM/Rec(2018)1[1] to member States on media pluralism and transparency of media ownership,  (Adopted by the Committee of Ministers on 7 March 2018 at the 1309th meeting of the Ministers’ Deputies), https://search.coe.int/cm/Pages/result_details.aspx?ObjectId=0900001680790e13

[26] The promotion, protection, and enjoyment of human rights on the Internet: resolution / adopted by the Human Rights Council, https://digitallibrary.un.org/record/731540?ln=en

[27] The Readiness category examines the capacity to access the Internet, including skills, cultural acceptance, and supporting policy.

[28] The Inclusive Internet Index, https://theinclusiveinternet.eiu.com/explore/countries/AZ/

[29] The Speed Test global Index,  https://www.speedtest.net/global-index/azerbaijan#fixed

[35] Report by the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, para., 45.

https://globalfreedomofexpression.columbia.edu/wp-content/uploads/2017/06/Kaye-Report-March-2017-AHRC3522.pdf

[58] The Law on Ratification of the Budapest Convention, available (in Azerbaijani) at: http://e-qanun.az/framework/18619

[59] Council of Europe, the status of the ratification of the Budapest Convention concerning to Azerbaijan, https://www.coe.int/en/web/octopus/country-wiki-ap/-/asset_publisher/CmDb7M4RGb4Z/content/azerbaijan?_101_INSTANCE_CmDb7M4RGb4Z_viewMode=view/

[60] On June 3, 2020, Baku residents Tatyana Ulankina, Ramin Bakhishov, Allahverdi Imanguliyev, Shirzad Shirzadov, and Taleh Bakhshiyev were detained in the Baku Metro for allegedly resisting police. Police asked that the detained individuals comply with the lawful demands relating to the rules of the special quarantine regime. A video was shot and broadcast on the website of the Ministry of Internal Affairs in which each of the detainees apologized and regretted their actions to the police department. Afterward, a criminal case was launched under Articles 139-1 (violation of anti-epidemic, sanitary-hygienic or quarantine regimes when there is a real threat of the spreading of the disease or the actual spreading of the disease) and 221 (hooliganism) of the Criminal Code, and the investigation was launched. The CCTV footage from the subway that appeared on social media showed there was a minor dispute between one person and two police officers over the wearing of a protective mask, which the person in the video claimed he had and others joined to support him, https://www.youtube.com/watch?v=EBC-l9EuiCQ&t=136s

[62] Election Monitoring and Democracy Studies Center (EMDS), Briefing Document, Measures against the COVID-19 pandemic in Azerbaijan: Deepening pressure on freedoms and Political Crisis, https://smdtaz.org/wp-content/uploads/2020/09/EMDS-briefing-22.09.20.pdf

[63] Azertag,az, People who registered on the social network “Tik-Tok” under the names “Maya” and “Banu” and posted videos promoting drug use were detained, July 23, 2020, https://video.azertag.az/video/98901

[68] Council of Europe Committee of Ministers Declaration on freedom of communication on the Internet, Adopted by the Committee of Ministers on  May 28, 2003, during the 840th meeting of the Ministers’ Deputies, https://search.coe.int/cm/Pages/result_details.aspx?ObjectID=09000016805dfbd5

The Pegasus Project and Azerbaijan – what does domestic legislation tell us about privacy of users in Azerbaijan

This is part four in a series of detailed legal reports and analyses on existing legal amendments, and new legislation affecting privacy, freedom of expression, media, and online rights in Azerbaijan and their compliance with international standards for freedom of expression.  We dedicate this report to the recent Pegasus Project investigations.  

Background

Members of opposition political parties, independent journalists, political and human rights activists have long faced systematic pressure and persecution orchestrated by the government of Azerbaijan. The unprecedented crackdown against civil society that began in 2013, marked a new chapter, in the history of Azerbaijan’s civil society. One, marred by arrests and prosecution of high-profile activists, rights defenders, and journalists.

This systematic pressure and harassment were not only offline. It was only a matter of time, that the internet too would become a place to target activists, journalists, and human rights defenders, holding them accountable for their online criticisms on bogus accusations that often ended with lengthy jail sentences, forced apologies on public televisions (see The State of Internet Freedom in Azerbaijan report), detentions and further forms of persecution.

In a country where almost all avenues for freedom of expression and activism were eliminated, the internet, specifically online media platforms, and social media networks became new targets. To monitor discussions online, prevent citizens from accessing independent news online, or social media platforms, and to further curb freedoms online, the government of Azerbaijan embarked on a shopping spree, becoming a client of companies selling sophisticated surveillance equipment and technology.[1]

By 2021, the government of Azerbaijan has successfully deployed a Remote Control System (RCS), Deep Packet Inspection (DPI), phishing, and spear-phishing attacks often with homegrown malware. The most recent addition to a wide variety of authoritarian technology deployed in Azerbaijan is Pegasus spyware.  

The Pegasus Project

On July 18, 2021, an international consortium of more than 80 journalists from 17 media outlets revealed the Pegasus Project. Spearheaded by Forbidden Stories, a Paris-based journalism non-for-profit, with technical support of Amnesty International Security Lab, the Pegasus Project is a global investigation into an Israeli surveillance company, the NSO Group, and it’s most sought after hacking software called Pegasus.

According to the investigation, the NSO Group sold Pegasus to at least ten government clients including in Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Azerbaijan, Rwanda, Saudi Arabia, and the UAE. Among the targets were journalists, human rights defenders, political opponents, business people, and heads of state.

“Forbidden Stories and Amnesty International had access to a leak of more than 50,000 records of phone numbers that NSO clients selected for surveillance,” wrote Forbidden Stories sharing the findings of the investigation.

On the leaked phone records, at least 1000 were identified as belonging to users from Azerbaijan. One of the media partners in the investigation, the Organized Crime and Corruption Reporting Project (OCCRP) took on to investigate numbers that belonged to users in Azerbaijan, Kazakhstan, and Rwanda.

So far, OCCRP was able to identify 250 phone numbers targeted, which belonged to reporters, [2] editors, media company owners, activists, human rights defenders, and their family members. As of July 27, OCCRP confirmed at least 80 cases of the alleged surveillance.[3]

Following the release of the investigations, international organizations, such as Reporters Without Borders, said they will pursue legal action against those responsible for this massive surveillance.[4] In Azerbaijan, some of the targeted individuals intend to appeal to local courts and then to the European Court of Human Rights, on the grounds of infringements of their right to private life.[5]

While law enforcement authorities in Hungary[6], Israel[7], France[8], the USA[9], and Algeria[10] have launched probes into suspected unlawful surveillance via Pegasus spyware, the Azerbaijani law enforcement agencies are yet to respond.

What chance do those targeted in Azerbaijan stand in pursuing legal action against the government of Azerbaijan? To answer this question, we look at the national legislation enabling the government to carry out surveillance en masse and citizens’ rights to privacy. Read the PDF report here.

Domestic framework

The right to private life is under the protection of comprehensive constitutional provisions, namely Article 32 of the Azerbaijani Constitution which guarantees that everyone has the right to the inviolability of private[11] and family life, including with respect to correspondence, telephone communications, post, telegraph messages and information sent by other means of communication. Article 32 further states that gaining, storing, using, and spreading information about the person’s private life without his/her consent is not permitted. These rights may be restricted, as prescribed by law, in order to prevent crime or to determine the truth in the course of the investigation of a criminal case. Section eight of article 32 also indicates that the scope of the personal information, as well as the conditions of their processing, collection, sharing, use, and protection, is prescribed by law.

In addition, there are normative legal acts recognizing the right to private life, including regulating the restrictions of private life in telecommunications networks.

While mentioning a catalog of rights for individuals in respect to the right to privacy[12], article 3 of the basic law on private data – the Law on Private Information,[13] stipulates that the rules for the collection and processing of personal data, concerning intelligence and counterintelligence, and operation-search activities are regulated by other respective legal acts (discussed below).

The Law on Private Information obligates the operators, to create necessary conditions for intelligence, counterintelligence, and search operations in accordance with the legislation, to guarantee relevant organizational and technical issues, and comply with the confidentiality of the methods used to conduct these activities.[14]

Along with the Law on Personal Data, the Law on Telecommunication also determines the powers of state bodies, notably subjects of intelligence and counterintelligence search operations, to collect or intercept personal data from the telecommunication channels and networks.[15]

In Azerbaijan there are two types of oversight over citizens:

  1. Extraction of information from telecom channels, i.e., interception; and
  2. Surveillance

The Law on Operation-Search Activity overseas phone tapping and information extraction from communication channels.[16]  Further, the third section of article 10 of the Law on Operation-Search Activity does not require a judicial act or supervision of higher authority while wiretapping and extracting information from technical communication channels unless there is a need to install technical devices such as voice, video, or photo recorders at the place of residence of the individuals.  

In other words, anyone in Azerbaijan can be subject to such a form of oversight.

The Law on Telecommunication obligates network operators to install special equipment, provided by the State Security Service, Ministry of Internal Affairs, and Special State Protection Service onto the telecommunication networks[17] enabling the Government to extract (intercept) data on anyone regardless of whether that person(s) is part of an investigation process or not.

The installment of special equipment within communication networks is regulated by the “Rules for equipping telecommunications operators and providers with additional technical means for conducting search operations, reconnaissance and counter-intelligence activities” issued by the Ministry of Transport, Communications, and High Technologies on  June 14, 2016.[18] The Rule obligates telecommunication operators and providers to create technical conditions for the conduct of relevant activities within the communication networks.

The Rule defines that Telecommunication Control System (hereinafter – TCS) – is special hardware and software that provides confidential control over the exchange of information of subjects targeted by the relevant measures (such as search and operation, intelligence, and counterintelligence activities), as well as all statistical data of the network. TNS consists of data extraction facilities, transport networks, and control centers.

The Rule also indicates that relevant measures in the communication networks are carried out in accordance with the requirements of the laws of the Republic of Azerbaijan “On Operation-Search Activity” and “On Intelligence and Counterintelligence Activity”.[19]

However, while the Law on Operation-Search Activity may allow secret surveillance and seizure of private information, there are no rules or procedures within the national legislation for secret surveillance and intercepting information by government agencies. There are also no clearly defined rules on determining the grounds for such surveillance and interception activities, their duration, and whether such activities can be stopped by a court or other higher state authority.

Further, when analyzing the national legislation, it becomes clear, that a number of rules about the organization of search operations by law enforcement agencies, as well as the placement of surveillance and tapping devices within the telecommunication infrastructure have not been published. For example, the “Rules for ensuring information security in the implementation of search operations in communications networks” approved by Presidential Decree No. 638 on October 2, 2015, is not disclosed.[20]

As mentioned, earlier, interference with the right to personal data within telecommunication networks is carried out by the representatives of the search and operation, intelligence, and counterintelligence authorities. The technical and organizational conditions for the provision of the search operation, intelligence, and counterintelligence activities within communication networks are determined by the State Security, and in cases where relevant to the Ministry of Internal Affairs, together with the Special State Protection Service of Azerbaijan.

Infringement of privacy is prohibited under the Criminal Code (Article 156). Illegal collection of information, documents containing such information, visual materials, audio recordings, as well as their sale or transfer to another person is punishable by a fine in the amount of 1,000 to 2,000 AZN (approximately 600-1200USD); by public works ranging from 240 to 480 hours; or by correctional labor for up to one year. In cases where the same offense was/is committed by an official using his/her official status, the crime is punishable by restriction of liberty for a period of up to two years or by imprisonment for a term of up to two years with or without deprivation of the right to hold a certain position or engage in certain activities for up to three years.[21]

The Criminal Procedural Code provides that the investigation of the infringement of privacy is carried out in the form of a public-private prosecution upon the complaint of the victim or by the initiative of the prosecutor when the committed crime affects the interests of the state or society.[22]

Compliance with international standards

The right to protection of personal data is not an autonomous right among various rights and freedoms covered by the Convention. The Court has nevertheless acknowledged that the protection of personal data is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life, home, and correspondence, as guaranteed by Article 8 of the Convention (Satakunnan Markkinapörssi Oy and Satamedia Oy v. Finland [GC], 2017, § 137; Z v. Finland, 1997, § 95).

According to the Court’s established case-law, the requirement that any interference must be “in accordance with the law” will only be met when three conditions are satisfied: the impugned measure must have some basis in domestic law and, with regard to the quality of the law at issue, it must be accessible to the person concerned and have foreseeable consequences.[23]

Non-availability of any official information or confirmation on the scope and form of the surveillance and interception of mobile devices through the Pegasus spyware may also raise specific issues concerning the difficulties on recognizing the victims’ status within the framework of national laws. 

However, the relevant case-law of the ECtHR is relatively flexible on the subject of recognition of the victim’s status. The ECtHR, therefore, accepts that an individual could, under certain conditions, claim to be the victim of a violation occasioned by the mere existence of secret measures or of legislation permitting secret measures, without having to allege that such measures had been in fact applied to him or her.[24]

Further, considering that domestic legislation does not require any judicial act or does not provide any independent oversight over the interferences to the right to privacy, there is little information about the form and scope of the interception and surveillance of individuals’ privacy within telecommunications networks in Azerbaijan. This is also contrary to the well-established standards of the ECtHR concerning the issue of personal data collected by means of various methods of secret surveillance. The fact that various government institutions are vested with powers and authority – as provided by domestic laws — to listen to anyone at any time on telecommunication networks, in itself does not meet the requirements of the qualitative law enshrined in the case-law of the European Court.

The ECtHR considers the requirements of the Convention, notably in regard to foreseeability, to not be exactly the same, in the special context of interception of communications for the purpose of police investigations.

According to the ECtHR case law,  the Convention’s “quality of law” concept, requires, that domestic laws – notably those allowing state interference with rights and freedoms – satisfy the requirements that domestic laws, should be sufficiently accessible and foreseeable.

The requirement of foreseeability means that the national law must be sufficiently clear in its terms, in order to give citizens an adequate indication of the circumstances and conditions for which public authorities were empowered to resort to this secret and potentially dangerous interference with the right to respect for private life and correspondence. Consequently, the law must indicate the scope of any such discretion conferred on the competent authorities and the manner of its exercise with sufficient clarity, having regard to the legitimate aim of the measure in question, and to give the individual adequate protection against arbitrary interference (Malone v. the United Kingdom, 2 August 1984, §§ 67 and 68, Series A no. 82. See also Kennedy v. the United Kingdom, op. cit., § 152).[25]

In this regard, within the framework of the European Court’s supervision function under the Convention’s standards, the ECtHR’s authority to verify the compliance of online surveillance regimes with the Convention’s standards would provide effective protection.

In recent Grand Chamber judgment in the case of Big Brother Watch and Others v. the United Kingdom (application nos. 58170/13, 62322/14 and 24969/15) the ECtHR held unanimously, that there had been a violation of Article 8 of the European Convention (right to respect for private and family life/communications) in respect of the regime for obtaining communications data from communication service providers noting that assessment of interceptions and obtaining of private information from the telecommunications networks should be made at each stage of the process of the necessity and proportionality of the measures being taken; that bulk interception should be subject to independent authorization at the outset when the object and scope of the operation were being defined; and that the operation should be subject to supervision and independent ex post facto review.

We conclude, that based on the above analysis of the loose interpretation and at times overt national legislation, it is important to take these cases of surveillance and interception to the ECtHR for the purpose of assessing the country’s legal framework and its (in)applicability with the ECtHR’s case law.  

[1] Internal company documents show Azerbaijan’s Ministry of National Security purchased Hacking Team’s Remote Control System (RCS) surveillance spyware via a California-based intermediary called Horizon Global Group in 2013 for an initial payment of €320,000. https://www.occrp.org/en/daily/4136-azerbaijan-bought-hacking-team-s-surveillance-spyware-leaks-reveal

[2] Turan, Pegasus has been spying on Azerbaijani journalists and activists over years, July 19, 2021, https://www.turan.az/ext/news/2021/7/free/politics_news/en/5975.htm/001 

[3] OCCRp, People Selected for Targeting by Azerbaijan,

https://cdn.occrp.org/projects/project-p/?_gl=1*rnxzxn*_ga*MjEyNTY0MTgzMS4xNjI3NDE1OTE1*_ga_NHCZV5EYYY*MTYyNzQxNTkxMy4xLjEuMTYyNzQxNTkyNy40Ng..#/countries/AZ

[4] Turan, The organization in defense of press freedom “Reporters without Borders” is outraged by the fact that 200 journalists from 20 countries are being spied on with the help of the Israeli spy system Pegasus, July 2021, http://www.turan.az/ext/news/2021/7/free/politics_news/en/6042.htm/001

[5] Voice of America, Interview with Bakhtiyar Hajiyev, July 20, 2021, https://www.amerikaninsesi.org/a/bəxtiyar-hacıyev-avtoritar-rejimlər-hətta-ən-yaxın-çevrəsinə-güvənmir/5972455.html

[6] Al Jazeera, Hungary prosecutors open investigation into Pegasus spying claims, July 22, 2021, https://www.aljazeera.com/news/2021/7/22/hungary-prosecutors-open-investigation-into-pegasus-spying-claims

[7] Al Jazeera, Israel launches commission to probe Pegasus spyware: Legislator, July 22, 2021, https://www.aljazeera.com/news/2021/7/22/israel-launches-commission-to-probe-pegasus-spyware-legislator

[8] Euractive, France launches investigation into Pegasus spying allegations, July 22, 2021, https://www.euractiv.com/section/cybersecurity/news/france-launches-investigation-into-pegasus-spying-allegations/

[9] Reuters, FBI probes use of Israeli firm’s spyware in personal and government hacks – sources, July 22, 2021,  https://www.reuters.com/article/us-usa-cyber-nso-exclusive-idUSKBN1ZT38B

[10] The Star, Algeria launches probe into Pegasus spyware claim, July 22, 2021, https://www.thestar.com.my/tech/tech-news/2021/07/23/algeria-launches-probe-into-pegasus-spyware-claim

[11] Constitution of the Republic of Azerbaijan, https://static2.president.az/media/W1siZiIsIjIwMTgvMDMvMDkvNHQzMWNrcGppYV9Lb25zdGl0dXNpeWFfRU5HLnBkZiJdXQ?sha=c440b7c5f80d645b

[12] According to article 7 of the Law on Personal Data, individuals have the right to require a legal justification for the collection, processing, and transfer of their personal information to third parties, and information on the legal consequences for the subject of the collection, processing, and transfer of such information to third parties; to get acquainted with the content of personal information collected about himself/herself in the information system; to learn the purpose, the period and methods of collecting and processing personal information about himself/herself; to demand clarification and destruction of personal data collected and processed in the information system, except for the cases established by the legislation; to demand a ban on the collection and processing of personal data about himself/herself and etc.

[13] Law on Private Data, http://e-qanun.az/framework/19675

[14] Article 10.5, Law on Personal Data

[15] Article 39, Law on Telecommunication (article 10.5 of the Personal Data is repeated in article 39 of the Law on Telecommunication)

[16] Article 10, Law on Operation-Search Activity, http://e-qanun.az/framework/2938

[17] Under the Telecoms Law and the conditions of telecom licensing and registration, telecom operators and providers must cooperate with the law enforcement authorities and install special equipment and software programmes allowing them access to information under the undisclosed technical rules adopted by the Presidential order on October 2, 2015. The Law on Telecommunication, article 39., Paragraph 1 of the article states: “operators, providers are obliged to create conditions for conducting search operations, intelligence and counter-intelligence activities in accordance with the law; to provide telecommunications networks with additional technical means in accordance with the conditions established by the relevant executive authority; to resolve organizational issues, and to keep secret the methods used in conducting these events.” Paragraph 2 of the article states: “The operator, the provider shall be liable for the violation of these requirements in accordance with the law.”

[18] http://e-qanun.az/framework/33275

[19] Article 1.5.7. “Rules for equipping telecommunications operators and providers with additional technical means for conducting search operations, reconnaissance and counter-intelligence activities”, issued by the Ministry of Transport, Communications and High Technologies,   June 14, 2016

[20] The Presidential Decree No. 638, October 2, 2015, http://e-qanun.az/framework/30840

[21] The Criminal Code of Azerbaijan, http://e-qanun.az/framework/46947

[22] The Criminal Procedure Code of Azerbaijan, http://e-qanun.az/framework/46950

[23] Kennedy v. the United Kingdom, op. cit., § 151; Rotaru v. Romania, op. cit., §52; Amann v. Switzerland, op. cit., § 50; Iordachi and Others v. Moldova, op. cit.; Kruslin v. France, § 27; Huvig v. France, § 26; Association for European Integration and Human Rights and Ekimdzhiev v. Bulgaria, op. cit., § 71; Liberty and Others v. the United Kingdom, op. cit., § 59, etc.

[24] National security and European case-law, Council of Europe / European Court of Human Rights, 2013, para., 9., https://rm.coe.int/168067d214

[25] National security and European case-law, Council of Europe / European Court of Human Rights, 2013, page 2,  https://rm.coe.int/168067d214

new report documents a decade of censorship in Azerbaijan

On July 16, Qurium Media Foundation released a report, “A Decade of Efforts To Keep Independent Azerbaijani Media Online”. 

The report highlights the work carried out by Qurium since 2010 assisting targeted independent and opposition online news platforms in Azerbaijan. “For more than a decade, Qurium has monitored and mitigated a wide range of cyberattacks against the websites and since 2016, no less than twenty forensics reports have been released to document our findings,” reads the new report.

Denial of Service attacks

During five years (2010-2015), Qurium mitigated dozens of denial of service attacks against Azerbaijani media, and was forced to invest in mitigation hardware and to increase its Internet capacity. Commercial mitigation of denial of service was not possible for Azeri media organizations as the average cost for such services was close to 1,000 Euro/month for a small website.

During 2014-2016, several corporate efforts made Denial of Service more difficult for the attackers, both Cloudflare (2014) and later Google (2016) started to offer free protection to journalists and human rights groups and many stress testing services (aka “booters”) since then were dismantled by FBI, such as the infamous VDOS Booter and the Mirai botnet.

After three years of research of development (2014-2017), Qurium built its own mitigation hardware and upgraded its Internet capacity by a factor of 200. Although the Denial of service attacks slowly had decreased since 2017, new challenges emerged. Internet Network Interference.

Internet Network Interference

In late 2013, a new type of challenge emerged when we discovered that websites artificially were slowed down. Instead of blocking the websites that clearly would expose the motivations and those responsible for the disruptions, the websites were slowed down by limiting the amount of bandwidth available to reach them. Qurium was forced to develop a method to detect “Internet Congestion” and to keep moving affected websites to other IP addresses to keep them online. Other large providers, such as Akamai, hosting other Azeri media was also slowed down and was unable to respond effectively to the challenge.

Exposing a coordinated cyberwar strategy

Starting from 2017, the cyberwar landscape changed. 

During that year, we received customized denial of service, pen testing and vulnerability scans and the first reports of targeted malware.

A series of diverse attacks and forensics analysis including tracing back the source of a malware sent to journalists helped us to confirm that new Ministry of Transport, Communications and High Technologies and the “hacker community” built around the government, sponsored cybersecurity events were actively targeting our hosted media.

After hosting and protecting Azeri media for almost seven years, we had no doubt about the actors behind the attacks, and could publicly document that a “State Actor” was orchestrating diverse forms of cyber attacks.

Deep Packet Inspection

Also in 2017, a new method used against independent and opposition media was identified by Qurium – the Deep Packet Inspection or shortly DPI. 

In April 2017, we identified that new technical means were implemented in several operators to block some of the websites. The Azeri authorities had invested in Deep Packet Inspection equipment to block the media outlets once and for all.

By the end of April 2017 Qurium learned that there were a court order against some of our hosted media organizations. To our surprise, the websites under Deep Packet Inspection were many more than the ones mentioned in the court order. The court order stated that the listed websites (Azadliq.info, Azadliq.org, Azerbaycansaati.com, Meydan.tv and Turan TV) were “creating threats to the legitimate interests of the state and society” and must therefore be blocked.

After two years of research between 2017-2019, Qurium identified the use of DPI hardware from Allot Communications and Sandvine inside several operators in Azerbaijan.

Website flooding, phishing, and more

By 2018, many of the “stress testing services” often used to launch the Denial of Service attacks had been dismantled world wide. The attackers were forced to find new alternatives to conduct their traffic floods aiming to take the websites offline. During another forensic investigation we traced back this new source of denial of service to Russian Fineproxy (Region40). By identifying the service provider used to conduct the attacks, we could not only expose their business practices but also their management that kindly disabled the account of the attacker.

In late 2018, Denial of Service became a second priority in the strategy to harass Azeri media and once again other means were needed.

By April 2020, Qurium could finally link the denial of service attacks launched using Fineproxy service with the very same threat actor from the Ministry of Internal Affairs: sandman. Access to sandman github account provided us with a good insight of the toolset that was being used against online media and journalists in Azerbaijan.

A final report of our findings showed even more advanced capabilities, like the ability to create fake SMS or hijack SMS sent to the journalists giving the attackers the ability to take control over their social media accounts.

Phishing remains a major attack vector against journalists and human right activists, the latest phishing campaign in early July 2021 impersonated human rights watch so as to implant a malware capable of recording the desktop and webcam or exfiltrate all important documents of the victims.

Conclusion

What started in 2010 and went on for years with Denial of service attacks using third party stress testing services was extended with more sophisticated attacks in 2017 including targeted phishing and the introduction of dedicated hardware to block the websites using technologies as DART from Allot and PCEF from Sandvine.

The national blocking of many websites, not always supported by legal court orders, has been weaponized to limit visibility of the media in the country. Despite our multiple efforts to provide alternatives to make the content available, the blocking has had a huge impact in the revenue creation of the alternative media and the growth of readership.

After the introduction of Internet blocking by means of more sophisticated deep packet inspection against alternative websites in 2018, many of the blocked media opted to increase their presence in Facebook but that has proven to be an advantageous situation for the Azeri government and their secret cyber operations as Facebook has showed a bad track record in dealing with “coordinated inauthentic behavior” in the country.

You can read the full report here.

Legal analysis of a COVID tracing app released last year in Azerbaijan

This is part three in a series of detailed legal reports and analyses on existing legal amendments, and new legislation affecting privacy, freedom of expression, media, and online rights in Azerbaijan and their compliance with international standards for freedom of expression.  

In July, of last year, authorities in Azerbaijan released their very own COVID tracing tracker application. Launched by Tebib (Azerbaijan Administration of Regional Medical Division) the app was quick to draw attention, especially over its privacy issues.

The mobile app is operated by the Data Processing Center (DPC), which is the main structure of the information technologies of the Ministry of Transport, Communications, and High Technologies. According to the app’s version history at App Store, the application “update” was done on 27 May 2021. 

e-Tebib is just one of the deluge of apps unveiled during the height of the COVID-19 pandemic by various governments, promising to detect COVID-19 exposure and not only.

Below, we break down the pervasiveness of the app having analyzed existing national and international legislation.

Features and concerns

According to the app’s description, “E-Tebib is designed to inform users in real-time about the number of patients (both sick and recovered) in Azerbaijan.” Since the start of the pandemic, the official data for Azerbaijan on the number of infected patients and recoveries were made available here and the numbers were updated once a day – based on the numbers reported by the Operational Headquarters set up under the Cabinet of Ministers of the Republic of Azerbaijan (the unit was established on February 27, 2020). Already from the start, it was unlikely the app was going to provide real-time indicators when the main body in charge only shared the information once a day. 

In addition, article 4.4 in the user agreement of the app, explicitly said that any information, obtained through the app, may not be precise, correct, or trusted. And yet, the app also claimed to reduce the number of infected patients by informing users of potential COVID infected patients around them via Bluetooth technology. 

Although the app claimed it did not collect any personal data aside from the user’s phone number the article 5.3 of the license agreement stated, the center [the Ministry of Communication, Transportation and High Technologies who owns the app’s license] collected users’ names, last names, phone numbers, social media accounts, emails, national ID numbers, and location.

Article 5.1 mentioned the center was sharing this information with third parties. These third parties were allowed to analyze collected information including users’ browsing history [The center did claim that it did not allow third parties, to use the obtained information for other purposes]. Article 5.5.1 stated the center may share users’ information with government bodies and/or representatives’ legal requests; court orders; or under any other legal condition. Furthermore, article 5.6 stated that users’ information may be shared with third parties in other countries for security purposes.

What the law says

According to Article 5.1 of the Law on Personal Data personal information is protected from the moment it is collected and for this purpose, it is divided into confidential and public categories according to the type of access. Article 5.2 of the Law on Personal Data stipulates that confidential personal data must be protected by the owner, operator, and users who have access to this information on a level required by law. Confidential personal information may be disclosed to third parties only with the consent of the subject, except as provided by law. Article 5.3 of the Law on Personal Data defines open personal data as information anonymously duly declared, made public by the subject, or entered into the information system with the consent of the subject. The person’s name, surname, and patronymic are permanently open personal information.

The terms of the agreement [of the app] on sharing private information with the third parties are vaguely regulated and open to wide interpretation for unlawful transmission of the private information with third parties.

Furthermore, article 5.5.1 of the app’s agreement that states information might be shared upon the government representatives’ legal requests are problematic from the human rights perspective. It fails to specify on which grounds and under what conditions the state authorities might request the private information which is necessary for terms of procedural fairness and safeguards against arbitrariness.

Where personal information is stored for the interest of the protection of health, there should be adequate and effective guarantees against abuse by the state. The law in question, which allows the storing of such information, must indicate with sufficient clarity the scope and conditions of exercise of the authorities’ discretionary power. These standards to some extent are also backed in Article 11.2.2 of the Law on Personal Data which states that when collecting personal data, the owner or operator must notify the subject about the purpose of personal data that is being processed and the legal grounds of this purpose.

In other words, it is not clear whether any state authority can have access to private information simply upon requesting it without legal justification. This is also a requirement of the Law “About operational search activities” as per Article 10. Thus, Article 10 of the Law states that the extraction of information from technical communication channels and other technical means is carried out on the basis of the decision of the court [judge].

Article 5.10., of the app’s user agreement states that all user-related data is kept for a month. But it fails to explain whether the same expiry date applies to “third parties” that may have access[ed] [to the] users’ information. This is contrary to Article 8.2., of the Law on Personal Data. Law on Personal Data requires that for the purpose of collecting and processing of personal data (specifically Article 8.2.3.,) and conditions of destruction or archiving of personal data collected in the relevant information system after the expiration of the period of storage or after the death of the subject in the manner prescribed by law must include a written consent for the processing of the subject’s personal data.

Such vagueness is also contrary to the ECtHR’s well-established case law. In Aycaguer v. France case, the ECtHR ruled, there was a violation of Article 8 (right to respect for private life) of the Convention by “determining the duration of storage of […] personal data depending on the purpose of the file stored […]”. The Court noted that, to date, no appropriate action was taken on that reservation and that there was currently no provision for differentiating the period of storage. The Court also ruled that the regulations on the storage of DNA profiles did not provide the data subjects with sufficient protection, owing to its duration and the fact that the data could not be deleted. The regulations, therefore, failed to strike a fair balance between the competing public and private interests.

Another concern was that the application was developed by A2Z Advisors LLC and the app’s privacy policy was linked to the company’s website. The landing page of A2Z Advisors LLC, however, did not provide any information on the app’s privacy policy. At the time when the app was launched, AIW reached out for comment via email as per A2Z’s recommendation but never received a response.

Similarly, in the App Store for IOs when clicking on the “App Support” tab, the page once again led to the A2Z company website and once again failed to provide any information related to the App. Instead, the privacy policy was accessible via this link that a user had access to but only after downloading and launching the app. This in itself was contrary to the several articles of the Law on Personal Data.

According to Article 11 of the law, it is required, when collecting personal data, that the owner or operator, notifies the subject about the level of protection of personal data collected and processed in the information system [11.2.3.]; the information on the existence of a certificate of conformity of information systems and state examination [11.2.4.]; and the scope of the intended uses of personal data, including the information system for which the information is to be exchanged [11.2.5.]. However, no such information was provided in the app’s agreement.

The app was also not an open-source code and was licensed under the Ministry of Communication, Transportation, and High Technologies. This is contrary to the requirement [Article 6.22.,] of the Resolution of the Cabinet of Ministers about “Requirements on creation and management of Internet information resources of state bodies”, which requires that open source content management systems should not be used in internet information resources.

FaktYoxla, a fact-checking platform in Azerbaijan concluded after a detailed legal analysis over the license agreement that e-Tebib was not designed in accordance with the national legislation on data privacy. The fact-checking platform, having analyzed the respective case-law of the European Court, the EU Data Protection Directive, and the Council of Europe Treaty 108, concluded that the e-Tebib application contradicted the obligations imposed by international standards.

On July 10, 2020, following widespread privacy concerns and questions over the app’s transparency, changes were made to the terms of the agreement.

Originally users’ information was transferred to third parties, which were not explicitly defined in the agreement. At the time, independent experts and lawyers said this was against Article 32 of Azerbaijan’s state constitution and in violation of Article 8 of the European Convention on Human Rights.  Azerbaijan’s constitution, namely, Article 8, stipulates that no one has a right to collect personal information without an individual’s permission. The convention, on the other hand, refers to respect for privacy. 

***In Copland v. the United Kingdom case (no. 62617/00, ECHR 2007-I), the Court found that it was irrelevant that the data held by the college where the applicant worked was not disclosed or used against her in disciplinary or other proceedings. Just storing the data amounted to an interference with private life.

The updated license agreement said that only under necessary circumstances, and within the normative legal framework personal information may be transferred to third parties. The revised agreement, still, fails to explicitly mention the precise list of institutions considered under third parties.

Fuad Niftaliyev – the head of the app development project later explained that the third parties referred to in the agreement are the Ministry of Health, Tebib, and the Operational Headquarters [set up under the Cabinet of Ministers of the Republic of Azerbaijan]. Niftaliyev clarified that the collected information was stored on the servers operated by the Ministry of Communication and Information, however that too was problematic, given the questionable transparency of the government institutions in Azerbaijan especially as surveillance technology is widely used by the ministries alike. 

Azerbaijan among 29 countries where internet shutdowns documented

On March 1, Access Now released the #KeepItOn report that documents incidents of internet shutdowns globally for the year 2020. 

According to the findings of the report:

  • there were 155 Internet shutdowns documented across 29 countries;
  • there were 28 complete internet blackouts; 
  • out of the 155 internet shutdowns, six incidents were bandwidth throttling;
  • there were at least 26 attempts to deny people access to social media and communication platforms such as Facebook, Twitter, WhatsApp, Instagram, Telegram, and other platforms;
  • new countries that have never shut down the internet before, like Tanzania, Cuba, and others, joined the internet shutdown shame list;

This year, Azerbaijan was also included among countries experiencing internet shutdowns.

According to the #KeepItOn FAQ,

“an internet shutdown is ‘an intentional disruption of internet or electronic communications, rendering them inaccessible or effectively unusable, for a specific population or within a location, often to exert control over the flow of information.’ An internet shutdown happens when someone — usually a government — intentionally disrupts the internet or mobile apps to control what people say or do.”

In this context, the report notes that one trend in 2020 was how governments deployed internet shutdowns “in response to ongoing violence — particularly in active conflict zones.” But this decision comes at a great cost. “Amid conflict, shutdowns can hide human rights violations or war crimes, thwart journalism, and put people’s lives in danger.” In Azerbaijan during the armed conflict with Armenia, the government of Azerbaijan announced it would disrupt internet access across the country. This decision, prevented numerous online news platforms, from publishing news, and their readers, from accessing news. The authorities encouraged the Azerbaijani people to only use and rely on government media platforms, and updates from the government institutions. None of which, experienced the same difficulties and challenges with access as did the normal users. 

Although the government in Azerbaijan did not ban the use of VPNs which became the top most downloaded apps during the war, it did encourage users not to rely on virtual private networks. Some of the companies refused to offer their services to customers using VPNs on their devices. When confronted, they refuted the claims this was the case. 

The new report also mentioned the role tech companies play in internet shutdowns globally, chief among them Sandvine and Allot. Azerbaijan has used the technology by both companies on different occasions and for different purposes. During the 44-day war, Sandine worked with Delta Telecom – Azerbaijan’s backbone internet provider, which is owned by the government to block access to live stream videos from YouTube, Facebook and Instagram. 

Given Azerbaijan has purchased both technologies, the chances of both of them being deployed during the most recent internet shutdown are high.  

*Sandvine provides Deep Packet Inspection (DPI) equipment that enabled shutdowns and website blocking. 

*Allot‘s DPI equipment can track applications in use, what is done while using these apps, the locations of users, the video content viewed, and contacts. It can also shut down entire networks, websites, services, slow down internet traffic so that people cannot transmit videos or photos, or block traffic altogether.

forced posts removal from Facebook continue in Azerbaijan

On January 13, Elmir Abbasov, a member of NIDA movement, was taken against his will to local police station in the city of Sumgayit where he was questioned over his Facebook post about president Ilham Aliyev.

In his interview with Azadliq Radio, Abbasov said, he was on his way to a shop when a man told Abbasov to get into the car for a chat at the police station. Abbasov, who said without a warrant he won’t be going anywhere, was then shuved into the car and taken to the station by force.

Abbasow spent the next two hours at the police station, where he was informed that the reason for his interrogation was a Facebook post, he wrote about the President. He was told to immediately delete the post. 

AIW spoke with Abbasov about the content of the post which is no longer available on the social media platform.

Under normal circumstances this post would not be considered critical but in Azerbaijan, the sensitivity around certain personalities as in the case of the president are common and not tolerated. 

In the case of Abbasov’s post, it was a comment about an economic system heavily reliant on hydrocarbons. This has been voiced by international financial institutions, experts and pundits alike for a long time.

Similarly, Abbasov’s post stressed the country’s economy, over reliance to fluctuating oil price as a result of its dependence and recommended that the president takes recommendations by independent economists seriously rather than dismiss them. 

Three days before Abbasov was taken to the police and ordered to delete his post from Facebok, one freelance journalist [name omitted due to safety concerns] was told to delete a Facebook post, that was critical of the local law enforcement. Namely, the journalist desrcibed seeing one officer, take a bribe from a man stopped on the street as part of the COVID measures in place. The source told AIW, the measure was taken in an attempt to keep the reputation of the local agency clean.

opposition party boss seeks justice at the European Court of Human Rights

Ali Karimli, the head of the opposition Popular Front Party, and his spouse Samara Seyidova said they are preparing for the European Court of Human Rights, having received no response from domestic courts concerning their home internet connections being cut off since April of last year.  

AIW was documenting Karimli’s case since April 13 when the opposition boss encountered connection issues before a live interview with journalist Sevinc Osmangizi [for the detailed timeline please visit here]. 

Since then, despite numerous attempts, the leader of the Popular Front failed to resolve the problem through domestic courts. Most recently, the ruling of the Baku Appeal Court confirmed previous court decisions, thus ruling against the party head. The court of appeal is the final legal entity to accept and deal with similar complaints. “In such cases, the appeal to the Supreme Court is not expected. This is why we intend to take our complaint to the European Court,” said one of the lawyers defending Karimli in an interview with Azadliq Radio. 

The defendants are the Ministry of Transportation, Communication and High Technologies, Azercell mobile operator, AzQTEL internet provider, the Ministry of the Interior, State Security Service, and the Special State Protection Service. According to Karimli his rights were violated under Articles 6 (right to a fair trial), 8 (right to respect of family and private life), 10 (freedom of expression), 14 (prohibition of discrimination), and 18 (Limitation on use of restrictions on rights) of the European Convention on Human Rights

Karimli’s access to the internet was restored twice since April. Once on January 12 and in May but only briefly, for few hours. Karimli is certain the decision to cut him and his familly off internet is political. Government supporters think otherwise. Siyavush Novruzov, a parliament member, blamed Karimli for not paying his bills on time and laying the responsibility on the government. In the meantime, Azercell, the mobile operator [with ties to the government], said in a statement it does not discreminate among its customers based on their political views. 

But while government representatives and affiliated companies claim otherwise, Karimli and his family members had their rights violated. According to a fact checking platform FaktYoxla Karimli’s case, goes against severeal articles and guarantees specieifed by the national constitution and can be described as an unlawful interference. Specifically, it is against the right to equality and freedom of expression, right to live in safety and privacy. In addition, actions against Karimly contradict the provisions of the Law on Telecommunications, Access to Information and Personal Information and are criminalized by criminal law.

AIW will continue documenting developments in the case of Ali Karimli and the family. 

Azerbaijan not free in Freedom on the Net annual report

Azerbaijan ranked “not free” in this year’s Freedom House, Freedom on the Net report. Among key factors are the overall infrastructural challenges, a monopoly over ISPs, and distributed Internet traffic, state control over the information and communication technology, blocked access to most websites that host unfavorable news coverage, and new forms of restrictions introduced during COVID-19. 

According to the report, there is an overall decline in internet freedoms across the world:

Global internet freedom has declined for the 10th consecutive year: 26 countries’ scores worsened during this year’s coverage period, while 22 countries registered net gains. The largest declines occurred in Myanmar and Kyrgyzstan, followed by IndiaEcuador, and Nigeria. A record number of countries featured deliberate disruptions to internet service.

On the bright side, countries like Sudan and Ukraine experienced the largest improvements, followed by Zimbabwe find the report. And while Iceland was the top performer China was found to have the worst conditions for internet freedom. 

The report highlighted some new trends that have emerged globally: 

[…] this year Freedom on the Net observed intentional disruptions to connectivity in a record 22 out of 65 countries. Many of these disruptions, including Iran’s November 2019 countrywide blackout and shutdowns in Moscow in August and September 2019, were directly precipitated by protests. Such practices are an ultimate expression of contempt for freedoms of association and assembly, as well as for the right to access information.

Azerbaijan was ranked partly free last year. 

spotted: sandvine back at it, this time, in Azerbaijan

In August, when people in Belarus took the streets across the country in protest of election results where incumbent President Lukashenka secured yet another victory in a contested presidential election, authorities deliberately cut the internet. Quickly, experts concluded DPI technology may be in use. By the end of August, it was reported that this DPI technology was produced by the Canadian company Sandvine and supplied to Belarus as part of a $2.5million contract with the Russian technology supplies Jet Infosystems.

DPI (Deep Packet Inspection) is known as digital eavesdropping that allows information extraction. More broadly as explained here, DPI “is a method of monitoring and filtering internet traffic through inspecting the contents of each packet that is transmitted through an inspection point, allowing for filtering out malware and unwanted traffic, but also real-time monitoring of communications, as well as the implementation of targeted blockings and shutdowns.” 

Canadian company Sandvine is owned by American private equity firm Francisco Partners.

 

Sandvine technology has been detected in many countries across the world, including in Ethiopia, Iran, as well as Turkey, and Syria as previously reported. One other country where Sandvine technology was reportedly deployed is Azerbaijan

In Azerbaijan, the DPI deployments have been used since March 2017. This was reported in January 2019, when VirtualRoad, the secure hosting project of the Qurium – Media Foundation published a report documenting fresh attacks against Azerbaijan’s oldest opposition newspaper Azadliq’s website (azadliq.info). The report concluded: “After ten months trying to keep azadliq.info online inside Azerbaijan using our Bifrost service and bypassing multi-million dollar DPI deployments, this is one more sign of to what extent a government is committed to information control”.  

Another report released in April 2018 showed evidence of the government of Azerbaijan using Deep Packet Inspection (DPI) since March 2017. The report also found out that this specialized security equipment was purchased at a price tag of 3 million USD from an Israeli security company Allot Communications.

Now, according to this story reported by Bloomberg, Sandvine worked with Delta Telecom – Azerbaijan’s main internet provider and owned by the government to install a system to block live stream videos from YouTube, Facebook, and Instagram. “The social media blackout came last week after deadly clashes with Armenia. As a result, people in Azerbaijan couldn’t reach websites including Facebook, WhatsApp, YouTube, Instagram, TikTok, LinkedIn, Twitter, Zoom, and Skype, according to internet monitoring organization Netblocks,” wrote Bloomberg. 

Azerbaijan Internet Watch has been monitoring the situation on the ground since September 27, the day when clashes began. Together with OONI, Azerbaijan Internet Watch reported that access to several social media applications and websites was blocked. 

Access to the Internet remains throttled in Azerbaijan as of writing this post. Many of the social media applications remain accessible only through a VPN provider. As a result, authorities have resorted to other means in order to prevent users from using VPN services. From banks to ISPs encouraging users not to use VPN services, this account on Facebook made a list of VPNs alleging they were of Armenian origin in order to discourage users.

in Azerbaijan a COVID tracing app draws much suspicion over privacy issues [updated]

In July, authorities in Azerbaijan released it’s very own COVID tracing tracker application. Launched by Tebib (Azerbaijan Administration of Regional Medical Division) the app was quick to draw attention, especially over its privacy issues. 

e-Tebib is just one of the deluge of apps that have been unveiled in recent months by various governments, promising to detect COVID-19 exposure and not only. According to this detailed MIT review, some of these apps are “lightweight and temporary, while others are pervasive and invasive” like the Chinese version which attains access to user’s identity, location, online payment history “so that police can watch for those who break quarantine rules”. 

In Azerbaijan, the police were already on the watch, with a mandatory SMS mechanism that required citizens to receive permission slips via SMS before going outside.  So why ask citizens to install an app, that technically does nothing new or does it?

Features and concerns

According to the app’s description, “E-Tebib is designed to inform users in real-time about the number of patients (both sick and recovered) in Azerbaijan.” Currently, the official data is available here and the numbers are updated once a day – based on the numbers reported by the Operational Headquarters set up under the Cabinet of Ministers of the Republic of Azerbaijan (the unit was established on February 27). It is unlikely the app will be providing real-time indicators when the main body in charge only shares the information once a day. 

In addition, article 4.4 in the user agreement of the app, explicitly states that any information, obtained through the app, may not be precise, correct, or trusted. 

And yet, the app also claims to reduce the number of infected patients by informing users of potential COVID infected patients around them via Bluetooth technology. 

Although the app claims it does not collect any personal data aside from user’s phone number the article 5.3 of the license agreement states, the center [the Ministry of Communication, Transportation and High Technologies who owns the app’s license] collects users’ names, last names, phone numbers, social media accounts, emails, national ID numbers, and location. Article 5.4 mentions the center sharing of this information with third parties. These third parties may analyze collected information including users’ browsing history [The center does claim that it does not allow third-parties, to use the obtained information for other purposes]. Article 5.5.1 states the center may share users’ information with government bodies and/or representatives’ legal requests; court orders; or under any other legal condition. Article 5.6 states that users’ information may be shared with third parties in other countries for security purposes. Article 5.10 states that all user-related data is kept for a month. But it fails to explain whether the same expiry date applies to “third parties” that may have accessed users’ information.

The application is developed by A2Z Advisors LLC and the app’s privacy policy is linked to the company’s website. The landing page, however, does not provide any information on the app’s privacy policy. When reached out for a comment, AIW was recommended to send an email which at the time of writing this post remains unanswered. Similarly, in the App Store for IOs when clicking on “App Support” tab, the page once again leads to A2Z company website but does not actually provide any information related to the App. Instead, the privacy policy is accessible via this link that a user can access only after downloading and launching the app. 

According to the app’s version history at App Store, the application was released a month ago. The latest “update” was done 2 days ago [July 7].

The app’s further transparency criticism comes from the fact that it is not an open-source code and its license belongs to the Ministry of Communication, Transportation, and High Technologies. 

The biggest concern – the location of the data storage; the duration of the data storage; and who has access to this data.    

In Azerbaijan however, other concerns have also been voiced – that the application is only available for native speakers and that ex-pats living in the country are unable to use the application. It is also not catered to people with disabilities. 

FaktYoxla, a fact-checking platform in Azerbaijan concluded after a detailed legal analysis over the license agreement that e-Tebib is not designed in accordance with national legislation on data privacy.

On July 10, following widespread privacy concerns and questions over the app’s transparency, changes were made to its terms of the agreement. Originally users’ information was transferred to third parties, which were not explicitly defined in the agreement. At the time, independent experts and lawyers said this was against Article 32 of Azerbaijan’s state constitution and in violation of Article 8 of the European Convention on Human Rights.  Azerbaijan’s constitution, namely, Article 8, stipulates that no one has a right to collect personal information without individual’s permission. The convention, on the other hand, refers to respect to privacy. 

The new license agreement now says that only under necessary circumstances, and within the normative legal framework personal information may be transferred to third parties. The revised agreement, still, fails to explicitly mention the precise list of institutions considered under third parties.

Although this last point was later addressed by Fuad Niftaliyev – the head of the app development project. Niftaliyev explained that the third parties referred to in the agreement are: Ministry of Health, Tebib, and the Operational Headquarters [set up under the Cabinet of Ministers of the Republic of Azerbaijan]. According to Niftaliyev, the collected information is stored on the servers operated by the Ministry of Communication and Information. The last point is itself problematic, as the transparency of government institutions in Azerbaijan is problematic especially as surveillance technology is widely used by the ministries alike. 

For potential users of the app, this remains problematic, especially when there is no option “B” if one disagrees with terms of service.