new report documents a decade of censorship in Azerbaijan

On July 16, Qurium Media Foundation released a report, “A Decade of Efforts To Keep Independent Azerbaijani Media Online”. 

The report highlights the work carried out by Qurium since 2010 assisting targeted independent and opposition online news platforms in Azerbaijan. “For more than a decade, Qurium has monitored and mitigated a wide range of cyberattacks against the websites and since 2016, no less than twenty forensics reports have been released to document our findings,” reads the new report.

Denial of Service attacks

For five years (2010-2015), Qurium mitigated dozens of denial of service attacks against Azerbaijani media and was forced to invest in mitigation hardware and to increase its Internet capacity. Commercial mitigation of denial of service was not possible for Azeri media organizations, as the average cost for such services was close to 1,000 Euro/month for a small website.

During 2014-2016, several corporate efforts made denial of service more difficult for the attackers: both Cloudflare (2014) and later Google (2016) started to offer free protection to journalists and human rights groups, and many stress testing services (aka “booters”) have since been dismantled by the FBI, such as the infamous VDOS Booter and the Mirai botnet.

After three years of research and development (2014-2017), Qurium built its own mitigation hardware and upgraded its Internet capacity by a factor of 200. Although the denial of service attacks had slowly decreased since 2017, new challenges emerged: Internet network interference.

Internet Network Interference

In late 2013, a new type of challenge emerged when we discovered that websites were being artificially slowed down. Instead of blocking the websites, which would clearly expose the motivations and those responsible for the disruptions, the websites were slowed down by limiting the amount of bandwidth available to reach them. Qurium was forced to develop a method to detect “Internet Congestion” and to keep moving affected websites to other IP addresses to keep them online. Other large providers hosting other Azeri media, such as Akamai, were also slowed down and were unable to respond effectively to the challenge.

Exposing a coordinated cyberwar strategy

Starting from 2017, the cyberwar landscape changed. 

During that year, we received customized denial of service, pen testing and vulnerability scans and the first reports of targeted malware.

A series of diverse attacks and forensic analyses, including tracing back the source of malware sent to journalists, helped us to confirm that the new Ministry of Transport, Communications and High Technologies and the “hacker community” built around government-sponsored cybersecurity events were actively targeting our hosted media.

After hosting and protecting Azeri media for almost seven years, we had no doubt about the actors behind the attacks, and could publicly document that a “State Actor” was orchestrating diverse forms of cyber attacks.

Deep Packet Inspection

Also in 2017, Qurium identified a new method used against independent and opposition media: Deep Packet Inspection, or DPI for short.

In April 2017, we identified that new technical means were implemented in several operators to block some of the websites. The Azeri authorities had invested in Deep Packet Inspection equipment to block the media outlets once and for all.

By the end of April 2017, Qurium learned that there was a court order against some of our hosted media organizations. To our surprise, the websites under Deep Packet Inspection were many more than the ones mentioned in the court order. The court order stated that the listed websites (Azadliq.info, Azadliq.org, Azerbaycansaati.com, Meydan.tv and Turan TV) were “creating threats to the legitimate interests of the state and society” and must therefore be blocked.

After two years of research between 2017-2019, Qurium identified the use of DPI hardware from Allot Communications and Sandvine inside several operators in Azerbaijan.

Website flooding, phishing, and more

By 2018, many of the “stress testing services” often used to launch the denial of service attacks had been dismantled worldwide. The attackers were forced to find new alternatives to conduct their traffic floods aiming to take the websites offline. During another forensic investigation we traced back this new source of denial of service to Russian Fineproxy (Region40). By identifying the service provider used to conduct the attacks, we could not only expose their business practices but also their management that kindly disabled the account of the attacker.

In late 2018, Denial of Service became a second priority in the strategy to harass Azeri media and once again other means were needed.

By April 2020, Qurium could finally link the denial of service attacks launched using the Fineproxy service with the very same threat actor from the Ministry of Internal Affairs: sandman. Access to sandman’s GitHub account provided us with good insight into the toolset that was being used against online media and journalists in Azerbaijan.

A final report of our findings showed even more advanced capabilities, like the ability to create fake SMS or hijack SMS sent to the journalists giving the attackers the ability to take control over their social media accounts.

Phishing remains a major attack vector against journalists and human rights activists. The latest phishing campaign, in early July 2021, impersonated Human Rights Watch in order to implant malware capable of recording the desktop and webcam or exfiltrating all important documents of the victims.

Conclusion

What started in 2010 and went on for years with denial of service attacks using third-party stress testing services was extended in 2017 with more sophisticated attacks, including targeted phishing and the introduction of dedicated hardware to block the websites using technologies such as DART from Allot and PCEF from Sandvine.

The national blocking of many websites, not always supported by legal court orders, has been weaponized to limit visibility of the media in the country. Despite our multiple efforts to provide alternatives to make the content available, the blocking has had a huge impact on the revenue creation of the alternative media and the growth of readership.

After the introduction in 2018 of Internet blocking against alternative websites by means of more sophisticated deep packet inspection, many of the blocked media opted to increase their presence on Facebook. That has proven to be an advantageous situation for the Azeri government and their secret cyber operations, as Facebook has shown a bad track record in dealing with “coordinated inauthentic behavior” in the country.

You can read the full report here.

Legal analysis of a COVID tracing app released last year in Azerbaijan

This is part three in a series of detailed legal reports and analyses on existing legal amendments, and new legislation affecting privacy, freedom of expression, media, and online rights in Azerbaijan and their compliance with international standards for freedom of expression.  

In July of last year, authorities in Azerbaijan released their very own COVID tracing tracker application. Launched by Tebib (Azerbaijan Administration of Regional Medical Division), the app was quick to draw attention, especially over its privacy issues.

The mobile app is operated by the Data Processing Center (DPC), which is the main structure of the information technologies of the Ministry of Transport, Communications, and High Technologies. According to the app’s version history at App Store, the application “update” was done on 27 May 2021. 

e-Tebib is just one of the deluge of apps unveiled during the height of the COVID-19 pandemic by various governments, promising to detect COVID-19 exposure and more.

Below, we break down the pervasiveness of the app having analyzed existing national and international legislation.

Features and concerns

According to the app’s description, “E-Tebib is designed to inform users in real-time about the number of patients (both sick and recovered) in Azerbaijan.” Since the start of the pandemic, the official data for Azerbaijan on the number of infected patients and recoveries were made available here and the numbers were updated once a day – based on the numbers reported by the Operational Headquarters set up under the Cabinet of Ministers of the Republic of Azerbaijan (the unit was established on February 27, 2020). Already from the start, it was unlikely the app was going to provide real-time indicators when the main body in charge only shared the information once a day. 

In addition, article 4.4 in the user agreement of the app explicitly said that any information obtained through the app may not be precise, correct, or trusted. And yet, the app also claimed to reduce the number of infected patients by informing users of potential COVID infected patients around them via Bluetooth technology.

Although the app claimed it did not collect any personal data aside from the user’s phone number, article 5.3 of the license agreement stated that the center [the Ministry of Communication, Transportation and High Technologies who owns the app’s license] collected users’ names, last names, phone numbers, social media accounts, emails, national ID numbers, and location.

Article 5.1 mentioned the center was sharing this information with third parties. These third parties were allowed to analyze collected information including users’ browsing history [the center did claim that it did not allow third parties to use the obtained information for other purposes]. Article 5.5.1 stated the center may share users’ information with government bodies and/or representatives’ legal requests; court orders; or under any other legal condition. Furthermore, article 5.6 stated that users’ information may be shared with third parties in other countries for security purposes.

What the law says

According to Article 5.1 of the Law on Personal Data, personal information is protected from the moment it is collected, and for this purpose it is divided into confidential and public categories according to the type of access. Article 5.2 of the Law on Personal Data stipulates that confidential personal data must be protected by the owner, operator, and users who have access to this information on a level required by law. Confidential personal information may be disclosed to third parties only with the consent of the subject, except as provided by law. Article 5.3 of the Law on Personal Data defines open personal data as information anonymously duly declared, made public by the subject, or entered into the information system with the consent of the subject. The person’s name, surname, and patronymic are permanently open personal information.

The terms of the agreement [of the app] on sharing private information with the third parties are vaguely regulated and open to wide interpretation for unlawful transmission of the private information with third parties.

Furthermore, article 5.5.1 of the app’s agreement, which states that information might be shared upon government representatives’ legal requests, is problematic from the human rights perspective. It fails to specify on which grounds and under what conditions the state authorities might request the private information, which is necessary in terms of procedural fairness and safeguards against arbitrariness.

Where personal information is stored for the interest of the protection of health, there should be adequate and effective guarantees against abuse by the state. The law in question, which allows the storing of such information, must indicate with sufficient clarity the scope and conditions of exercise of the authorities’ discretionary power. These standards to some extent are also backed in Article 11.2.2 of the Law on Personal Data which states that when collecting personal data, the owner or operator must notify the subject about the purpose of personal data that is being processed and the legal grounds of this purpose.

In other words, it is not clear whether any state authority can have access to private information simply upon requesting it without legal justification. This is also a requirement of the Law “About operational search activities” as per Article 10. Thus, Article 10 of the Law states that the extraction of information from technical communication channels and other technical means is carried out on the basis of the decision of the court [judge].

Article 5.10 of the app’s user agreement states that all user-related data is kept for a month. But it fails to explain whether the same expiry date applies to “third parties” that may have accessed the users’ information. This is contrary to Article 8.2 of the Law on Personal Data. The Law on Personal Data requires that the purpose of collecting and processing of personal data (specifically Article 8.2.3) and the conditions of destruction or archiving of personal data collected in the relevant information system after the expiration of the period of storage or after the death of the subject in the manner prescribed by law must include a written consent for the processing of the subject’s personal data.

Such vagueness is also contrary to the ECtHR’s well-established case law. In the Aycaguer v. France case, the ECtHR ruled there was a violation of Article 8 (right to respect for private life) of the Convention by “determining the duration of storage of […] personal data depending on the purpose of the file stored […]”. The Court noted that, to date, no appropriate action was taken on that reservation and that there was currently no provision for differentiating the period of storage. The Court also ruled that the regulations on the storage of DNA profiles did not provide the data subjects with sufficient protection, owing to its duration and the fact that the data could not be deleted. The regulations, therefore, failed to strike a fair balance between the competing public and private interests.

Another concern was that the application was developed by A2Z Advisors LLC and the app’s privacy policy was linked to the company’s website. The landing page of A2Z Advisors LLC, however, did not provide any information on the app’s privacy policy. At the time when the app was launched, AIW reached out for comment via email as per A2Z’s recommendation but never received a response.

Similarly, in the App Store for iOS, clicking on the “App Support” tab once again led to the A2Z company website, which once again failed to provide any information related to the app. Instead, the privacy policy was accessible via this link, which a user could reach only after downloading and launching the app. This in itself was contrary to several articles of the Law on Personal Data.

According to Article 11 of the law, when collecting personal data, the owner or operator is required to notify the subject about the level of protection of personal data collected and processed in the information system [11.2.3]; the information on the existence of a certificate of conformity of information systems and state examination [11.2.4]; and the scope of the intended uses of personal data, including the information system for which the information is to be exchanged [11.2.5]. However, no such information was provided in the app’s agreement.

The app was also not open source and was licensed under the Ministry of Communication, Transportation, and High Technologies. This is contrary to the requirement [Article 6.22] of the Resolution of the Cabinet of Ministers about “Requirements on creation and management of Internet information resources of state bodies”, which requires that open source content management systems should not be used in internet information resources.

FaktYoxla, a fact-checking platform in Azerbaijan, concluded after a detailed legal analysis of the license agreement that e-Tebib was not designed in accordance with the national legislation on data privacy. The fact-checking platform, having analyzed the respective case-law of the European Court, the EU Data Protection Directive, and the Council of Europe Treaty 108, concluded that the e-Tebib application contradicted the obligations imposed by international standards.

On July 10, 2020, following widespread privacy concerns and questions over the app’s transparency, changes were made to the terms of the agreement.

Originally users’ information was transferred to third parties, which were not explicitly defined in the agreement. At the time, independent experts and lawyers said this was against Article 32 of Azerbaijan’s state constitution and in violation of Article 8 of the European Convention on Human Rights.  Azerbaijan’s constitution, namely, Article 8, stipulates that no one has a right to collect personal information without an individual’s permission. The convention, on the other hand, refers to respect for privacy. 

***In Copland v. the United Kingdom case (no. 62617/00, ECHR 2007-I), the Court found that it was irrelevant that the data held by the college where the applicant worked was not disclosed or used against her in disciplinary or other proceedings. Just storing the data amounted to an interference with private life.

The updated license agreement said that only under necessary circumstances, and within the normative legal framework personal information may be transferred to third parties. The revised agreement, still, fails to explicitly mention the precise list of institutions considered under third parties.

Fuad Niftaliyev, the head of the app development project, later explained that the third parties referred to in the agreement are the Ministry of Health, Tebib, and the Operational Headquarters [set up under the Cabinet of Ministers of the Republic of Azerbaijan]. Niftaliyev clarified that the collected information was stored on the servers operated by the Ministry of Communication and Information; however, that too was problematic, given the questionable transparency of the government institutions in Azerbaijan, especially as surveillance technology is widely used by the ministries alike.

Azerbaijan among 29 countries where internet shutdowns documented

On March 1, Access Now released the #KeepItOn report that documents incidents of internet shutdowns globally for the year 2020. 

According to the findings of the report:

  • there were 155 Internet shutdowns documented across 29 countries;
  • there were 28 complete internet blackouts; 
  • out of the 155 internet shutdowns, six incidents were bandwidth throttling;
  • there were at least 26 attempts to deny people access to social media and communication platforms such as Facebook, Twitter, WhatsApp, Instagram, Telegram, and other platforms;
  • new countries that have never shut down the internet before, like Tanzania, Cuba, and others, joined the internet shutdown shame list;

This year, Azerbaijan was also included among countries experiencing internet shutdowns.

According to the #KeepItOn FAQ,

“an internet shutdown is ‘an intentional disruption of internet or electronic communications, rendering them inaccessible or effectively unusable, for a specific population or within a location, often to exert control over the flow of information.’ An internet shutdown happens when someone — usually a government — intentionally disrupts the internet or mobile apps to control what people say or do.”

In this context, the report notes that one trend in 2020 was how governments deployed internet shutdowns “in response to ongoing violence — particularly in active conflict zones.” But this decision comes at a great cost. “Amid conflict, shutdowns can hide human rights violations or war crimes, thwart journalism, and put people’s lives in danger.” In Azerbaijan, during the armed conflict with Armenia, the government of Azerbaijan announced it would disrupt internet access across the country. This decision prevented numerous online news platforms from publishing news, and their readers from accessing it. The authorities encouraged the Azerbaijani people to use and rely only on government media platforms and updates from government institutions, none of which experienced the same difficulties and challenges with access as normal users did.

Although the government in Azerbaijan did not ban the use of VPNs, which became the most downloaded apps during the war, it did encourage users not to rely on virtual private networks. Some of the companies refused to offer their services to customers using VPNs on their devices. When confronted, they rejected the claims that this was the case.

The new report also mentioned the role tech companies play in internet shutdowns globally, chief among them Sandvine and Allot. Azerbaijan has used the technology of both companies on different occasions and for different purposes. During the 44-day war, Sandvine worked with Delta Telecom, Azerbaijan’s backbone internet provider, which is owned by the government, to block access to live stream videos from YouTube, Facebook and Instagram.

Given Azerbaijan has purchased both technologies, the chances of both of them being deployed during the most recent internet shutdown are high.  

*Sandvine provides Deep Packet Inspection (DPI) equipment that enabled shutdowns and website blocking. 

*Allot’s DPI equipment can track applications in use, what is done while using these apps, the locations of users, the video content viewed, and contacts. It can also shut down entire networks, websites, and services, slow down internet traffic so that people cannot transmit videos or photos, or block traffic altogether.

forced posts removal from Facebook continue in Azerbaijan

On January 13, Elmir Abbasov, a member of the NIDA movement, was taken against his will to a local police station in the city of Sumgayit, where he was questioned over his Facebook post about President Ilham Aliyev.

In his interview with Azadliq Radio, Abbasov said he was on his way to a shop when a man told him to get into the car for a chat at the police station. Abbasov, who said he would not go anywhere without a warrant, was then shoved into the car and taken to the station by force.

Abbasov spent the next two hours at the police station, where he was informed that the reason for his interrogation was a Facebook post he wrote about the President. He was told to immediately delete the post.

AIW spoke with Abbasov about the content of the post which is no longer available on the social media platform.

Under normal circumstances this post would not be considered critical, but in Azerbaijan, sensitivity around certain personalities, as in the case of the president, is common and such posts are not tolerated.

In the case of Abbasov’s post, it was a comment about an economic system heavily reliant on hydrocarbons. This has been voiced by international financial institutions, experts and pundits alike for a long time.

Similarly, Abbasov’s post stressed the overreliance of the country’s economy on fluctuating oil prices as a result of its dependence, and recommended that the president take recommendations by independent economists seriously rather than dismiss them.

Three days before Abbasov was taken to the police and ordered to delete his post from Facebook, one freelance journalist [name omitted due to safety concerns] was told to delete a Facebook post that was critical of local law enforcement. Namely, the journalist described seeing an officer take a bribe from a man stopped on the street as part of the COVID measures in place. The source told AIW the measure was taken in an attempt to keep the reputation of the local agency clean.

opposition party boss seeks justice at the European Court of Human Rights

Ali Karimli, the head of the opposition Popular Front Party, and his spouse Samara Seyidova said they are preparing for the European Court of Human Rights, having received no response from domestic courts concerning their home internet connections being cut off since April of last year.  

AIW has been documenting Karimli’s case since April 13, when the opposition boss encountered connection issues before a live interview with journalist Sevinc Osmangizi [for the detailed timeline please visit here].

Since then, despite numerous attempts, the leader of the Popular Front failed to resolve the problem through domestic courts. Most recently, the ruling of the Baku Appeal Court confirmed previous court decisions, thus ruling against the party head. The court of appeal is the final legal entity to accept and deal with similar complaints. “In such cases, the appeal to the Supreme Court is not expected. This is why we intend to take our complaint to the European Court,” said one of the lawyers defending Karimli in an interview with Azadliq Radio. 

The defendants are the Ministry of Transportation, Communication and High Technologies, Azercell mobile operator, AzQTEL internet provider, the Ministry of the Interior, State Security Service, and the Special State Protection Service. According to Karimli, his rights were violated under Articles 6 (right to a fair trial), 8 (right to respect of family and private life), 10 (freedom of expression), 14 (prohibition of discrimination), and 18 (limitation on use of restrictions on rights) of the European Convention on Human Rights.

Karimli’s access to the internet has been restored twice since April: once on January 12 and once in May, but only briefly, for a few hours. Karimli is certain the decision to cut him and his family off the internet is political. Government supporters think otherwise. Siyavush Novruzov, a parliament member, blamed Karimli for not paying his bills on time and laying the responsibility on the government. In the meantime, Azercell, the mobile operator [with ties to the government], said in a statement it does not discriminate among its customers based on their political views.

But while government representatives and affiliated companies claim otherwise, Karimli and his family members had their rights violated. According to the fact-checking platform FaktYoxla, Karimli’s case goes against several articles and guarantees specified by the national constitution and can be described as an unlawful interference. Specifically, it is against the right to equality and freedom of expression, and the right to live in safety and privacy. In addition, actions against Karimli contradict the provisions of the Law on Telecommunications, Access to Information and Personal Information and are criminalized by criminal law.

AIW will continue documenting developments in the case of Ali Karimli and the family. 

Azerbaijan not free in Freedom on the Net annual report

Azerbaijan ranked “not free” in this year’s Freedom House, Freedom on the Net report. Among key factors are the overall infrastructural challenges, a monopoly over ISPs, and distributed Internet traffic, state control over the information and communication technology, blocked access to most websites that host unfavorable news coverage, and new forms of restrictions introduced during COVID-19. 

According to the report, there is an overall decline in internet freedoms across the world:

Global internet freedom has declined for the 10th consecutive year: 26 countries’ scores worsened during this year’s coverage period, while 22 countries registered net gains. The largest declines occurred in Myanmar and Kyrgyzstan, followed by India, Ecuador, and Nigeria. A record number of countries featured deliberate disruptions to internet service.

On the bright side, countries like Sudan and Ukraine experienced the largest improvements, followed by Zimbabwe, the report finds. And while Iceland was the top performer, China was found to have the worst conditions for internet freedom.

The report highlighted some new trends that have emerged globally: 

[…] this year Freedom on the Net observed intentional disruptions to connectivity in a record 22 out of 65 countries. Many of these disruptions, including Iran’s November 2019 countrywide blackout and shutdowns in Moscow in August and September 2019, were directly precipitated by protests. Such practices are an ultimate expression of contempt for freedoms of association and assembly, as well as for the right to access information.

Azerbaijan was ranked partly free last year. 

spotted: sandvine back at it, this time, in Azerbaijan

In August, when people in Belarus took to the streets across the country in protest of election results in which incumbent President Lukashenka secured yet another victory in a contested presidential election, authorities deliberately cut the internet. Experts quickly concluded that DPI technology may be in use. By the end of August, it was reported that this DPI technology was produced by the Canadian company Sandvine and supplied to Belarus as part of a $2.5 million contract with the Russian technology supplier Jet Infosystems.

DPI (Deep Packet Inspection) is known as digital eavesdropping that allows information extraction. More broadly as explained here, DPI “is a method of monitoring and filtering internet traffic through inspecting the contents of each packet that is transmitted through an inspection point, allowing for filtering out malware and unwanted traffic, but also real-time monitoring of communications, as well as the implementation of targeted blockings and shutdowns.” 

Canadian company Sandvine is owned by American private equity firm Francisco Partners.

 

Sandvine technology has been detected in many countries across the world, including in Ethiopia, Iran, as well as Turkey, and Syria as previously reported. One other country where Sandvine technology was reportedly deployed is Azerbaijan.

In Azerbaijan, DPI deployments have been in use since March 2017. This was reported in January 2019, when VirtualRoad, the secure hosting project of the Qurium Media Foundation, published a report documenting fresh attacks against the website of Azerbaijan’s oldest opposition newspaper, Azadliq (azadliq.info). The report concluded: “After ten months trying to keep azadliq.info online inside Azerbaijan using our Bifrost service and bypassing multi-million dollar DPI deployments, this is one more sign of to what extent a government is committed to information control”.

Another report released in April 2018 showed evidence of the government of Azerbaijan using Deep Packet Inspection (DPI) since March 2017. The report also found that this specialized security equipment was purchased at a price tag of 3 million USD from the Israeli security company Allot Communications.

Now, according to this story reported by Bloomberg, Sandvine worked with Delta Telecom, Azerbaijan’s main internet provider and owned by the government, to install a system to block live stream videos from YouTube, Facebook, and Instagram. “The social media blackout came last week after deadly clashes with Armenia. As a result, people in Azerbaijan couldn’t reach websites including Facebook, WhatsApp, YouTube, Instagram, TikTok, LinkedIn, Twitter, Zoom, and Skype, according to internet monitoring organization Netblocks,” wrote Bloomberg.

Azerbaijan Internet Watch has been monitoring the situation on the ground since September 27, the day when clashes began. Together with OONI, Azerbaijan Internet Watch reported that access to several social media applications and websites was blocked. 

Access to the Internet remains throttled in Azerbaijan as of writing this post. Many of the social media applications remain accessible only through a VPN provider. As a result, authorities have resorted to other means in order to prevent users from using VPN services. From banks to ISPs encouraging users not to use VPN services, this account on Facebook made a list of VPNs alleging they were of Armenian origin in order to discourage users.

in Azerbaijan a COVID tracing app draws much suspicion over privacy issues [updated]

In July, authorities in Azerbaijan released their very own COVID tracing application. Launched by Tebib (Azerbaijan Administration of Regional Medical Division), the app was quick to draw attention, especially over its privacy issues.

e-Tebib is just one of the deluge of apps that have been unveiled in recent months by various governments, promising to detect COVID-19 exposure and more. According to this detailed MIT review, some of these apps are “lightweight and temporary, while others are pervasive and invasive” like the Chinese version, which obtains access to users’ identity, location, and online payment history “so that police can watch for those who break quarantine rules”.

In Azerbaijan, the police were already on the watch, with a mandatory SMS mechanism that required citizens to receive permission slips via SMS before going outside. So why ask citizens to install an app that technically does nothing new, or does it?

Features and concerns

According to the app’s description, “E-Tebib is designed to inform users in real-time about the number of patients (both sick and recovered) in Azerbaijan.” Currently, the official data is available here and the numbers are updated once a day – based on the numbers reported by the Operational Headquarters set up under the Cabinet of Ministers of the Republic of Azerbaijan (the unit was established on February 27). It is unlikely the app will be providing real-time indicators when the main body in charge only shares the information once a day. 

In addition, article 4.4 in the user agreement of the app explicitly states that any information obtained through the app may not be precise, correct, or trusted.

And yet, the app also claims to reduce the number of infected patients by informing users of potential COVID infected patients around them via Bluetooth technology. 

Although the app claims it does not collect any personal data aside from the user’s phone number, article 5.3 of the license agreement states that the center [the Ministry of Communication, Transportation and High Technologies, which owns the app’s license] collects users’ names, last names, phone numbers, social media accounts, emails, national ID numbers, and location. Article 5.4 mentions the center sharing this information with third parties. These third parties may analyze collected information, including users’ browsing history [the center does claim that it does not allow third parties to use the obtained information for other purposes]. Article 5.5.1 states the center may share users’ information with government bodies and/or representatives upon legal requests, court orders, or under any other legal condition. Article 5.6 states that users’ information may be shared with third parties in other countries for security purposes. Article 5.10 states that all user-related data is kept for a month, but it fails to explain whether the same expiry date applies to “third parties” that may have accessed users’ information.

The application is developed by A2Z Advisors LLC and the app’s privacy policy is linked to the company’s website. The landing page, however, does not provide any information on the app’s privacy policy. When AIW reached out for comment, it was advised to send an email, which at the time of writing this post remains unanswered. Similarly, in the App Store for iOS, clicking on the “App Support” tab once again leads to the A2Z company website but does not actually provide any information related to the app. Instead, the privacy policy is accessible via this link, which a user can access only after downloading and launching the app.

According to the app’s version history in the App Store, the application was released a month ago. The latest “update” was done 2 days ago [July 7].

Further criticism of the app’s transparency comes from the fact that it is not open source and its license belongs to the Ministry of Communication, Transportation, and High Technologies.

The biggest concerns are the location of the data storage, the duration of the data storage, and who has access to this data.

In Azerbaijan, however, other concerns have also been voiced: that the application is only available for native speakers and that expats living in the country are unable to use it. It is also not catered to people with disabilities.

FaktYoxla, a fact-checking platform in Azerbaijan, concluded after a detailed legal analysis of the license agreement that e-Tebib is not designed in accordance with national legislation on data privacy.

On July 10, following widespread privacy concerns and questions over the app’s transparency, changes were made to the terms of its agreement. Originally, users’ information was transferred to third parties, which were not explicitly defined in the agreement. At the time, independent experts and lawyers said this was against Article 32 of Azerbaijan’s state constitution and in violation of Article 8 of the European Convention on Human Rights. Azerbaijan’s constitution, namely, Article 8, stipulates that no one has a right to collect personal information without the individual’s permission. The convention, on the other hand, refers to respect for privacy.

The new license agreement now says that personal information may be transferred to third parties only under necessary circumstances and within the normative legal framework. The revised agreement still fails to explicitly list the institutions considered third parties.

This last point was later addressed by Fuad Niftaliyev, the head of the app development project. Niftaliyev explained that the third parties referred to in the agreement are: Ministry of Health, Tebib, and the Operational Headquarters [set up under the Cabinet of Ministers of the Republic of Azerbaijan]. According to Niftaliyev, the collected information is stored on the servers operated by the Ministry of Communication and Information. This is itself a concern, as the transparency of government institutions in Azerbaijan is problematic, especially as surveillance technology is widely used by the ministries.

For potential users of the app, this remains problematic, especially when there is no option “B” if one disagrees with terms of service.

zoom calls between senior opposition figures leaked online

Between May 13 and 17, four different video clips from private Zoom calls were leaked online. The videos were taken from calls that took place between senior members of the National Council of Democratic Forces (NCDF), an alliance representing several opposition parties in Azerbaijan. The members of the council called the leak a cybercrime committed on behalf of the ruling government. Some have called on the authorities to investigate, as this is a breach of privacy according to national legislation, while others claimed authorities were using NSO Group’s Pegasus spyware.

So far, no clear evidence has emerged indicating that Pegasus is being used in Azerbaijan. And while AIW continues its investigation into the recent leak, here is a detailed look at other available surveillance and disruption technology the government of Azerbaijan has purchased over recent years that has the potential of eavesdropping on users’ devices. That, combined with the numerous recent reports about the Zoom app’s security vulnerabilities, may provide at least some answers.

What spyware technology Azerbaijan has purchased until now

The interest in snooping on Azerbaijani nationals is not something new for a country that has been criticized by international human rights watchdogs for years over its poor record on human rights and freedoms.

In 2012, an investigative documentary film revealed how companies owned by Teliasonera [namely Azercell in Azerbaijan at the time] “allowed for “black box” probes to be fitted with their telecommunication networks. These boxes allowed for security services and police to monitor in real-time and without any judicial oversight all communication passing through, including texts, internet traffic, and phone calls.”

Two years later, Azerbaijan investigative journalist Khadija Ismayilova revealed that the country’s largest telco had ties to the ruling family, namely to the two daughters of President Ilham Aliyev, raising questions about Internet surveillance and communications security.

The same year, Citizen Lab identified Azerbaijan among the potential customers of Milan-based Hacking Team, which sold surveillance equipment called Remote Control System (RCS) to Azerbaijan as well as many other countries whose records on rights and freedoms have been marred by violations.

“The capabilities of its flagship product, the Remote Control System (RCS), include extracting files from a targeted device, intercepting emails and instant messaging, as well as remotely activating a device’s webcam and microphone.”

Source: New traces of Hacking Team in the wild

Among the significant features of RCS are the abilities to:

  • capture data that is stored on a target’s computer, even if the target never sends the information over the Internet;
  • enable government surveillance of a target’s encrypted internet communications, even when the target is connected to a network that the government cannot wiretap;
  • copy files from a computer’s hard disk, record Skype calls, e-mails, instant messages, and passwords typed into a web browser;
  • turn on a device’s webcam and microphone to spy on the target.

Moreover, the same Citizen Lab report identified an endpoint in Azerbaijan that was active between June and November 2013, the year when Azerbaijan held its presidential election [October] and accidentally announced the results of the election over an app before the voting even began.

In 2015, the Organized Crime and Corruption Reporting Project (OCCRP) confirmed that the Azerbaijan government was indeed a customer of Hacking Team, pointing to records showing the country’s Ministry of Defense among the company’s clients.

Also in 2015, the Azerbaijan government expressed interest in purchasing Dataminr technology for its ability to “explore an individual’s past digital activity on social media and discover an individual’s interconnectivity and interactions with others on social media.”

The company’s 2015 marketing material, […] suggests that identifying individual users was a key part of Dataminr’s pitch to foreign governments by allowing users to quickly locate the “original source” behind a breaking news alert, and then find that person’s most popular tweets, what hashtags they have used in the past, and who has shared their tweets.

AIW reached out to Dataminr to confirm whether the transaction took place and received the following response:

“We currently do not have any relationship with the Government of Azerbaijan nor do we intend to do so in the future.”

The same year, the government purchased specialized security equipment, Deep Packet Inspection (DPI), to be used to monitor and block social media during the first European Games, which Baku was hosting. The equipment was purchased for 3 million USD from the Israeli company Allot Communications.

In 2016, before access to independent online news platforms was blocked, evidence showed that the government was behind generating artificial internet network congestion within Azerbaijan to prevent access to RFERL Azerbaijan Service, VoA, and Meydan TV. The same year, the first mass spear-phishing attack targeted prominent rights defender and former political prisoner Rasul Jafar.

In March 2017, the same DPI technology that was purchased in 2015 was used to block some of the main independent media platforms in the country.

Also in 2017, Azerbaijan purchased another Israeli surveillance product, Verint Systems, which was used in the targeting of LGBTQ+ people on Facebook.

“I was training [clients on the use of Verint software] in Azerbaijan,” related Tal. “One day, the pupils came to me during a break and asked how they could [use the software to] determine someone’s sexual preference on Facebook. It was only later, when I read about the issue, that I discovered the country is notorious for persecuting the [LGBT] community. Suddenly things came together,” said one former Verint employee in an interview.

In general, the volume of digital attacks on representatives of civil society in Azerbaijan has been on the rise in recent years, especially since 2018. This was also highlighted in 2018 by Access Now’s Digital Security Helpline. Many of these and other cases were covered here and here.

Meanwhile, AIW also looked into the possibility of Pegasus software being used in Azerbaijan following the claims made by some of the civil society representatives in the country. So far, AIW found no evidence for this to be the case. However, there is plenty of other technology available that can help the ruling government to eavesdrop and snoop around.

Taking into account Zoom vulnerabilities

Over recent months, a number of reports on Zoom’s security vulnerabilities have also made it clear that, without E2E (end-to-end encryption) and with several other security-related shortcomings, Zoom does not offer a fully secure communication platform, and that potential loopholes within the program may have made the leak reported in Azerbaijan possible.

  1. according to researchers at Morphisec Labs, there is a Zoom app bug that can enable malicious actors to record Zoom sessions and capture chat text without any of the meeting participants’ knowledge. The malware also prevents any users in a meeting from being made aware of the recording;
  2. malicious actors can assume control of a Zoom user’s microphone or webcam;
  3. Zoom could be compelled to hand over data to governments that want to monitor online assembly or control the spread of information as activists move protests online.

The last point is especially important because, unlike companies such as Google, Facebook, and Twitter, Zoom is yet to release information about whether it has received government requests for data, and how many of those requests it complies with. The company was encouraged to do so following an open letter, and Zoom promised to publish a transparency report.

Back to Azerbaijan

Taking into account the history of surveillance and the equipment the government has purchased from vendors over the last decade, and the consistent crackdown against activists during COVID, it is likely that, combined with Zoom’s security vulnerabilities, the leaked video calls were recorded by a third actor and later leaked online for the purpose of sowing discord among opposition groups.

in Azerbaijan SMS notification system grants permission to leave homes [updated]

As of April 5, residents across Azerbaijan can only leave their apartments having informed local law enforcement via SMS, a phone call or if in possession of a special certificate of employment.

Azerbaijan remains among the countries that haven’t declared a “state of emergency”. Instead, authorities are referring to the new restrictions as part of the “strict quarantine regime”.

How SMS notification system works

Permission to go outside is granted for the following reasons:

  • receiving medical treatment;
  • buying medication or groceries;
  • visiting a bank or a post office;
  • attending a funeral of a close relative

Before leaving, a resident sends an SMS containing their national ID number and indicating the reason for going outside. The sender then gets an SMS in response with a code, which can then be used when stopped by police officers.

There is no further information about the tracking mechanism, its transparency, or whether authorities have developed or are relying on a special tracking application to monitor citizens.

So far, the new restriction has proven to serve the financial interests of the authorities.

Hebib Muntezir, an Azerbaijani journalist, wrote:

Translation: Yesterday (April 6), a total of 456 thousand SMS were sent from 223 thousand phone numbers. Of these, 284 thousand SMS (approximately 62%) were of irrelevant nature. Some received responses immediately, others in half an hour, and some in an hour. 6 nationals who have violated the quarantine regime were arrested, 3800 were fined. If we take AZN100 per person that makes AZN380,000 [of collected fines] in just one day. #stayhome

The new fines were introduced on April 3. The fines range from AZN100-200 (USD60-USD120) and include up to a one-month administrative arrest.

To understand the potential surveillance implications of this new restriction, AIW spoke to legal expert Emin Abbasov.

“Based on what we know so far, the goal is reportedly to limit freedom of the movement via permission regime relaying users’ requests via mobile devices. However, without knowing whether an SMS can be used to start tracking a mobile device (current assessment indicates that the mechanism in place isn’t used in tracking mobile devices) the notifications are only used to limit freedom of the movement. It is not an application. It is more like an information resource or a system. But the collection of information here is done on compulsory basis, not voluntarily. As a result, this should fall under special legal regime. That is, the issue is very complicated and still unclear. What is clear, however, is that when there are limitations on rights and freedoms these limitations fall within the scope of the law on rights and freedoms. What becomes important under these circumstances, is that the emergency decrees issued by the executive authorities that interfere with the rights and freedoms envisaged in the Constitution or International treaties, are required to have a constitutional basis. Another issue is that there are no clear assurances as to whether the information resource (currently in use by the law enforcement) will be destroyed when there is no further need for it. We are yet to see these assurances. And overall, all of the currently adopted decisions are seemingly taken outside of the constitution.

It is indisputable that restrictive measures aimed at combating COVID19 pandemic have a legitimate purpose such as protection of health. However, respect for the rule of law and democratic principles in times of emergency requires that states respect the principle of legality even in an emergency situation. Compliance with the rule of law and democratic principles determines that the restriction of rights and freedoms enshrined in the constitution and international treaties may be limited either by laws (adopted by parliament) or by emergency decisions issued as a result of the extraordinary powers vested in the executive branch by the parliament. However, it is not clear that the power of the Cabinet of Ministers in Azerbaijan to issue emergency decrees that are restricting rights and freedoms is carried out in accordance with those principles.”

So far, authorities have warned of further restrictive measures if the number of infected cases keeps growing and citizens do not follow through with the imposed restrictions.

[Updated] On April 9, Azadliq Radio featured a story in which political activist Izzatli Ruslan and investigative reporter Khadija Ismayilova said that requesting permission to leave via SMS is against article 28 of the national constitution and that, together with other representatives of civil society, they intend to take the matter to domestic courts. The right may only be limited in case of a state of emergency, which was not declared in Azerbaijan during the fight against COVID-19.

Izzatli himself was fined a total of 100 AZN on the grounds of violating the quarantine regime when he did not provide the permission upon police request. Izzatli was headed to donate blood.

As of May 18, the compulsory requirement has been lifted as Azerbaijan joins the list of countries slowly opening up.