Litigating Pegasus in Azerbaijan: Addressing harms of the government-sponsored surveillance on civic groups in the absence of legal guarantees

In the following featured legal analysis, AIW looks at the litigation work carried out thus far in Azerbaijan on devices infected by Pegasus. Specifically, this legal analysis looks at how Pegasus spyware was deployed to monitor journalists, lawyers, and activists in Azerbaijan and the legal steps taken within the existing national legislative framework to mitigate the unlawfulness of the use of Pegasus against these groups and individuals.  

Background

Over the last few years, global-scale investigations carried out by international human rights organizations, investigative journalists, and/or whistleblowers have shown that the scale of the unlawful surveillance of individuals’ private lives through murky technology software has been pervasive, and widespread. Those findings also revealed the vulnerability of individuals’ fundamental rights and freedoms to private technology companies and the states deploying that technology for their personal interests.

This has certainly been the case in Azerbaijan, where platforms like Azerbaijan Internet Watch (AIW) and others, have documented government-sponsored surveillance and cyber espionage activities. Especially vulnerable are the social and political activists. Several human rights monitoring organizations note the increase in cyber attacks on these groups in recent years.

***

Since 2011, Freedom House analyzes the state of Internet freedom in Azerbaijan in its annual Freedom on the Net report. Until now, each report indicated continuing deterioration of internet freedoms in the country.

Increased interventions on the internet freedoms often constitute a violation of fundamental rights and freedoms stipulated in national and international human rights documents, as such making states obligated to provide effective legal protection and recovery mechanisms against such violations.

However, as documentation and reports from recent years indicate, Azerbaijan thus far, failed to provide effective legal guarantees in cases of privacy violations through cyber-attacks, illegal collection of personal data, wiretapping, and account compromise. Despite routine calls made to the Azerbaijani authorities to investigate and bring perpetrators of cyber-attacks to account, no steps have been taken.

As a result, Azerbaijan continues to systematically fail in providing effective legal remedies and sound investigations against state-sponsored digital attacks and surveillance. Moreover, despite evidence-based reports of targeted and coordinated cyber attacks against activists, the government thus far has not investigated and/or provided effective legal guarantees.

***

In July 2021, an international collaborative reporting initiative #PegasusProject documented how NSO Group, an Israeli surveillance company, sold Pegasus, a hacking software, to authoritarian regimes to target human rights activists, journalists, politicians, and lawyers among others worldwide. The investigation and the list were coordinated and obtained by the Paris-based journalism nonprofit Forbidden Stories and advised by Amnesty International Security Lab.

The investigation determined that Azerbaijan was among the top 10 countries deploying Pegasus spyware.

Organized Crime and Corruption Reporting Project (OCCRP), which was one of the partners in the global investigation, discovered that out of the 50,000 phone numbers that were leaked, 1000 were from Azerbaijan. OCCRP was able to identify 245 numbers and as a result, concluded that a fifth of these numbers belonged to journalists, lawyers, human rights and political activists, politicians, and their family members. OCCRP published a list of identified civil society activists whose devices were confirmed to have traces of Pegasus spyware.

***

Following the Pegasus Project leak, on July 22, 2021, on the National Press Day in Azerbaijan, journalists and human rights defenders gathered in a virtual round table discussion titled “New digital threats to critical voices” initiated by the Institute for Reporters’ Freedom and Safety. The group discussed the importance of protection mechanisms against such mass surveillance and stressed the need to join efforts and seek legal remedy through domestic and international courts. As such, an operative group of lawyers was assembled to develop applications and appeals to domestic authorities and the European Court of Human Rights (ECHR).

Since that meeting and at the time of writing this report a total of four groups were formed, led by different lawyers, representing in total of 62 applicants. It is worth noting that some victims hesitated to join these collective complaint groups due to safety concerns.

Complaints and lawsuits were lodged as early as August 2021. Lawyers and advocates representing all four groups, prepared complaints to the Prosecutor General’s Office of the Republic of Azerbaijan, claiming that their clients’ mobile devices were illegally infected by Pegasus spyware leading to violations of privacy, freedom of expression guaranteed under the national laws and European Convention on Human Rights, the right to effective remedies and the right not to be subjected to restrictions of Convention rights with improper motives or ulterior purposes (Article 18).

Applicants in the group of cases led by advocates and practicing lawyers requested the Prosecutor General’s Office to open a criminal investigation based on the evidence revealed as a result of the global investigation. Specifically, the lawyers noted that several articles of Azerbaijan’s Criminal Code – Article 156, “Violation of privacy”, 271, illegal access to a computer system, 272, illegal interception of computer data, and 302, “Violation of the legislation on operation-search activities”, were violated as a result of the committed criminal act.

According to Article 156 of the Criminal Code (“Violation of privacy”), actions that violate privacy are prohibited and are the basis for criminal liability. According to Article 156.1 of the Criminal Code, the distribution, sale, or giving to someone else, the illegal collection of information that is a secret of personal and family life, documents reflecting such information, video and photo recording materials, sound recordings, causes criminal liability. Article 156.1 of the Criminal Code aims to protect the information that constitutes the secret of personal life and is derived from the goal of protecting people’s constitutional right to privacy. The object of this crime is people’s personal life information.

According to Articles 271 (illegal access to a computer system) and 272 (illegal seizure of computer data) of the Criminal Code acts of deliberately entering a computer system or any part of it without the right to access it, by violating the security measures, or capturing computer data stored on a device, or with other personal intent are criminalized.

Article 302 of the Criminal Code (“Violation of the legislation on operation-search activities”) criminalizes unlawful measures by the persons authorized to carry out operational-search activities in the absence of the grounds established by legislation.

In all of the legal complaints submitted based on the list of violations mentioned in the paragraph above, the team of lawyers asserted that the findings of the Pegasus investigation, put their clients at risk of both secret surveillance and of having their communications data unlawfully intercepted by the authorities or third parties who own the software. None of the identified civil society representatives targeted by the spyware were under lawful investigation. As such lawyers demanded that the Prosecutor General’s Office of Azerbaijan launch a criminal investigation, including the possible role of the Azerbaijani law enforcement in the mass surveillance activities. The legal representatives of all clients said, the state is obligated to provide effective legal guarantees against the abuse of spyware tools against citizens as the latter may constitute unlawful interferences to the right to private life, freedom of expression, and in the case of failure to fully and duly investigate, violation of the right to an effective remedy.

Due to the lack of legal remedies in cases of severe privacy violations, within the Azerbaijani legislation, advocates and lawyers relied on Article 8 (right to respect for private and family life), Article 13 (right to an effective remedy), and Article 18 (Limitation on use of restrictions on rights) of the European Convention on Human Rights.

Between July 2021- July 2022, one of the advocates representing one of the four groups of applicants,  separately applied to the State Security Service [SSS], the Ministry of Internal Affairs [MIA], the Ministry of Digital Development and Transport [MDDT], as well as the Ombudsman office requesting an investigation, along with the Prosecutor General’s Office. None of the advocate’s appeals were successful. None of the institutions investigated the complaints or provided reasonable answers.

Overall, the lack of effective response on behalf of the law enforcement authorities, against complaints requesting to open a criminal investigation, indicates there were and still are significant flaws and delays in the investigation process, despite the evidence collected through forensic methodology by the international organizations. Nearly a year later, the law enforcement authorities are yet to take formal investigative actions, despite the complaints containing forensic evidence obtained from the examined mobile devices.

Court litigations

In all of the legal cases, the lawyers provided circumstantial evidence (contextual information) for how Pegasus infected the mobile devices of applicants. Specifically, the lawyers shared detailed information about the purpose of the Pegasus spyware and the potential state agencies that might use it. Relying on the existing national legislation the lawyers also established the legal grounds for using surveillance programs to intercept private communication or other private data from technological devices, including mobile phones.

Advocates representing the four groups submitted complaints to the local courts against the general prosecutor’s office for failing to explain why it sent lawyers’ Pegasus-related complaints to the State Security Services in the absence of justifications or notice. It was the responsibility of the General Prosecutor’s Office to investigate lawyers’ complaints, but instead, it sent them directly to State Security Services. This was unlawful and baseless. Yet, despite the unlawfulness of the act, the local courts did not satisfy these complaints and returned them without consideration (issued decisions in a similar text that they were considered inadmissible).

This explicitly demonstrates that the law enforcement authorities and domestic courts of Azerbaijan refused to effectively investigate the complaints and failed to provide any legitimate grounds for refusing the investigation in the first place.

One of the four groups involved in litigation procedure, includes activists, human rights defenders, journalists, and other public figures, who were previously subjected to different legal harassment by the government. Advocates and lawyers representing this group are demanding that the Prosecutor General’s Office investigate the possible role of the law enforcement authorities on the grounds that the use of spyware tools breached the defendants’ rights guaranteed under both the Constitution of Azerbaijan and the international treaties Azerbaijan is a party to. 

The complaint consists of the summary of the complaint itself, information about the applicant, and information on the use of Pegasus to track the defendants, including applicants’ claims and petitions based on the substantial and procedural grounds of the complaint.

In their fifteen-page complaint, the applicants referred to the findings of Pegasus investigations, alleging that their phones were tapped and infected with Pegasus. The complaint also stated that listening and monitoring of the complainant through the use of Pegasus violated Articles 32, “Right to inviolability of private life” and 47, “Freedom of thought and speech” of the Constitution of Azerbaijan, and Articles 8, 10 and 18 of the European Convention on Human Rights (ECHR) as the breach was politically motivated. Lawyers also claimed that the surveillance was in violation of Articles 18 and 19 of the UN International Covenant on Civil and Political Rights, as well as the jurisdiction of the Human Rights Committee on the implementation of that Covenant.

In addition, 11 petitions were attached by the lawyers, to the submitted complaints, requesting certain actions from the Prosecutor General’s Office that was necessary for an impartial and comprehensive investigation. These petitions included:

  • Obtaining testimonies of applicants;
  • Submitting official requests to Amnesty International Forensics team and the OCCRP for forensic investigation of identified devices;
  • requesting the Ministry of Internal Affairs and the State Security Service to obtain a list of persons who carried out the interception of the devices;
  • obtaining information on the purchasing of the spyware from the “NSO Group” company;
  • requesting information from the Ministry of Internal Affairs, the State Security Service, and the State Special Protection Service of the Republic of Azerbaijan about any relevant instructions on preventing human rights violations during the use of the Pegasus or similar programs;
  • obtaining information on whether the officials at the Ministry of Internal Affairs and the State Security Services, authorized to carry out an operation-search measure, were involved in training on legislation and human rights standards.

It was also noted that the applicants, were law-abiding citizens, engaged in public and political activities, and were not engaged in criminal activities. As such the targeting of these individuals with Pegasus, was politically motivated and criminal given the absence of any mandatory, investigative, or judicial acts, within the scope of the Code of Criminal Procedure (CPrC) Article 177.3.5, and as a result, the use of Pegasus on their devices was in violation of targeted users’ rights and freedoms.

According to Article 443.1 of the CPrC, investigative actions over mobile phones and other communication devices are usually carried out on the basis of a judicial act. In the cases where these investigative actions are carried out without a court decision, on the basis of the investigator’s reasoned decision, after the completion of the corresponding investigative action, the investigator must inform the court conducting the judicial control and the prosecutor conducting the procedural management of the preliminary investigation within 24 hours and verify the legality of the investigative action carried out within 48 hours.

According to Article 215.1 of the CPrC, it is mandatory to conduct a preliminary investigation in all criminal cases, except for the investigation conducted in the form of simplified pre-trial proceedings for crimes that do not cause a great public danger.

Moreover, when responding to the lawyers’ complaints, the Prosecutor General’s Office, determined that the applicants’ complaints had to be sent to the Investigative Directorate of the SSS. Which is contrary to Article 215 of the CPrC and was contested by the lawyers who submitted a complaint to a local district court. The lawyers argued that it was illegal and unreasonable for the General Prosecutor’s Office to forward the complaint to the SSS for further investigation without any justification. At the same time, the transfer of the pre-trial investigation to the SSS, which is (potentially) a party of interest in the case, violates the procedural rights of the applicant on the personal life and freedom of expression, as well as the right to the effective remedy provided by Article 13 of the ECHR (taken together with Articles 8 and 10), because SSS will not be able to carry out the work related to the alleged illegal actions of its employees in accordance with the principle of objective impartiality. In addition, there are no normative legal grounds that could demonstrate the objective independence of the Investigative General Department of the SSS from other structural divisions of the Security Service.

Explainer: Lawyers reasoned that Pegasus was provided to the police and security agencies. From this point of view, based on the circumstances of the case, there are sufficient grounds to assume that the listening and online monitoring of the complainant was carried out by an employee (colleagues) of the police and (or) security agencies. In such a case, the prosecutor’s office cannot hand over the case of the preliminary investigation to the investigative body of the institution that carried out such hearing and monitoring. Otherwise, such an investigation would be subject to a conflict of interest in the case. In this regard, the elimination of conflict of interest in the investigation of a criminal case is one of the requirements of the criminal procedural legislation. Summarizing the above, it becomes clear: a) referral of the complaint to the State Criminal Court is a violation of the investigative responsibility defined in Article 215.2 of the Criminal Procedure Code; b) referral of the complaint to the DTC contradicts the principle of conflict of interests contained in Article 1.1 of the CPrC; c) referral of the complaint to the DTC is a violation of the human rights of potential victims (interested persons) defined by Article 1.4 of the CPrC, in this case, the right to request an effective procedural investigation; d) the referral of the complaint to the State Prosecutor’s Office is a contradictory decision and gives the impression that legal proceedings have been initiated to listen and monitor the complainant, as well as this referral was carried out by the wrong structural unit of the General Prosecutor’s Office.

Responses of law enforcement authorities

The General Prosecutor’s Office’s response to complaints was to forward the complaints to the State Security Service (SSS) for further investigation, without informing the applicants and without providing any explanation for the reasons for doing so.

The SSS, in all four groups of cases, refused to give an official written answer to the applicants about the investigation of their complaints (although they are required to do so by law). Officials from SSS informed lawyers verbally, that SSS did not monitor the applicants through Pegasus and therefore no written responses would be given.

As a result, advocates representing all four groups filed lawsuits against the General Prosecutor’s Office and the SSS for inaction and refusal to launch a criminal investigation.

It was not until August 2022, that the SSS started to summon a number of civil society members and journalists (applicants) to obtain their testimonies in regard to allegations of the tracking of their phones by the Pegasus software. Reflecting on the delayed response, one of the targeted civil society activists, and the chairperson of Election Monitoring and Democracy Studies Center, Anar Mammadli, said this was simply a sign of lack of action. 

In their responses to some of these complaints, the General Prosecutor’s Office and the Ministry of Internal Affairs said it was not possible to conduct an investigation on the complaint. Moreover, in relation to some of the applicants, in their response, the General Prosecutor’s Office, said, “the information on the features of capturing and tracking personal secret information was not determined by means of the Pegasus spy program,” but stopped short of explaining how then the information was obtained if it was not through Pegasus.

Since the engagement of advocates in pursuing these cases in domestic courts, the proceedings in all four groups are pending at different instances. Only 15 applicants were sent to the Strasbourg Court thus far. Advocates are currently seeking to exhaust domestic remedies to apply to the ECHR in the remaining cases.

Conclusion and next steps in taking the Pegasus cases to the European Court of Human Rights

In addition to the Constitution and other national laws of the Republic of Azerbaijan, the right to privacy is recognized as an international human right in numerous international treaties to which Azerbaijan is a party. As a signatory of the European Convention on Human Rights and the International Covenant on Civil and Political Rights, Azerbaijan has binding obligations to protect rights to private life, including private communication and other private data, from infringements, including unlawful search-operation and surveillance activities of law enforcement authorities and any interference by third parties.

On September 20, 2009, Azerbaijan ratified the Council of Europe Convention of 1981 (Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) for the protection of personal data which also falls within the scope of private life as protected by Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) making its application in Azerbaijan compulsory.

The ECHR reiterates that any interference can only be justified under Article 8, paragraph 2, if it is in accordance with the law, pursues one or more of the legitimate aims to which paragraph 2 of Article 8 refers, and is necessary in a democratic society in order to achieve any such aim (see Kennedy v. the UK, paragraph 130). 

In the context of handling complaints related to Pegasus cases by Azerbaijan’s law enforcement agencies and courts, the lawyers demonstrated, that the applicants were subjected to interferences to their right to private life contrary to the adopted national and international human rights documents. The lawyers’ subsequent complaints were related to the law enforcement and judicial authorities’ refusal to investigate complaints about those interferences, including secret surveillance without providing any explanations and sound reasons.

In all four groups of Pegasus litigations, the secret surveillance of mobile devices had no basis in domestic law as none of the applicants were declared as suspects or accused persons in any criminal investigations.

The Strasbourg Court has delivered many rulings on the protection of privacy and personal data against government-sponsored surveillance or state responsibility to protect individuals from violence by third parties (Guide on Article 8 of the European Convention on Human Rights. Right to respect for private and family life, home, and correspondence. Updated on 31 August 2021. Para 107.) In order for surveillance to be in line with the Convention, certain legal safeguards should be provided both in legislation and practice, according to the case law of the ECHR.

Explainer: the law must be precise and clear as to the offences, activities and people subjected to surveillance, and must set out strict limits on its duration, as well as rules on the disclosure and destruction of surveillance data. Rigorous procedures should be in place to order the examination, use and storage of the data obtained, and those subjected to surveillance should be given a chance to exercise their right to an effective remedy. The bodies supervising the use of surveillance should be independent, and appointed by and accountable to parliament, rather than the executive.

At the moment, advocates and lawyers, are in the process of developing their clients’ applications to the ECHR alleging that the laws governing the matters of secret surveillance, as applied in practice, and also the refusal of the law enforcement authorities and courts to investigate allegations of surveillance, do not provide sufficient safeguards against arbitrary or abusive secret surveillance and/or accessing of private communications data. Lawyers also complained they had no effective remedy – domestically – in respect of those breaches which can be achieved through national legislation that strictly abides by the case law of the ECHR. The lawyers alleged that no effective remedy was available under Azerbaijani law and that SSS’s investigation could not be rendered effective since it is not an impartial and objective institution to review allegations of possible abuses and arbitrariness of its own officials. As regards the surveillance, a State could arguably be liable in respect of whatever system of surveillance without offering adequate and effective guarantees against abuse according to the well-established case law of ECHR.

According to Azerbaijan’s criminal law system, there are two judicial procedures that may be used by an individual wishing to complain about the acts of the investigative authorities:

  • complaint to supervisory-review and
  • judiciary (first and appeal court instances) under the CPrC.

However, as seen throughout the domestic litigation process in the course of the last year, the domestic courts stated clearly that the General Prosecutor’s Office forwarding the complaints to the SSS were not subject to judicial review, and the SSS’s lack of action was also not viewed as a sufficient ground to allow judiciary review. This makes it unacceptable that an individual cannot lodge such a complaint without having at least the concrete decision of the investigative authorities, which in fact, constitutes de-facto rejection to investigate the complaint containing allegation about a criminal act committed against him/her. In the absence of domestic remedies against potential surveillance measures under Azerbaijani law, an individual would hardly ever be able to have his/her right to effective remedies, respected and ensured. 

Explainer: In this connection, the case law of the ECHR notes that ‘In the sphere of secret surveillance, where abuses are potentially easy and could have harmful consequences for a democratic society as a whole, it is in principle desirable to entrust supervisory control to a judge, judicial oversight offering the best guarantees of independence, impartiality and a proper procedure (Roman Zakharov v. Russia [GC], § 233; İrfan Güzel v. Turkey, § 96).’ The absence at the national level of a judicial review of the law enforcement authorities reactions (inaction or refusal to investigate without a decision) to the complaints of individuals containing alleged unlawful surveillance and other infringements of the right to privacy excludes the state’s obligation to strike a fair balance between the competing public and private interests.

Therefore, Article 8 of the ECHR likely be found as violated without the opportunity for judicial review of the inaction of law enforcement authorities constituting de-facto rejection to investigate the complaint containing allegations of violation of the privacy of individuals as they had not benefitted from the minimum degree of protection against abuses and arbitrariness. According to the case law of the ECHR, the absence of a judicial review of the overall covert surveillance system which was entrusted solely to the state body which was directly involved in requests for the use of special surveillance means amounted to a violation of Article 13 in the light of Article 8 owing to the lack of an effective remedy (see: Association for European Integration and Human Rights and Ekimdzhiev v. Bulgaria, 2007, §§ 98-103).

As such these litigations expose that surveillance software not only harms individuals unlawfully targeted but also raises the question of insufficient legal guarantees in place to protect generally all individuals against possible unlawful surveillance and other kinds of privacy violations.

Finally, these litigations highlight the insufficient legal guarantees both in national legislation and practice, by creating significant legal precedent at ECHR, and by publicly uncovering and highlighting the inadequate national legislation which potentially can lead to gross human rights violations. Therefore, there is a greater need to challenge both national laws and the practice of state authorities’ system of secret surveillance, as the current system constitutes potential risks for interference with the rights of all users of telecommunication services guaranteed by the Convention and national laws.

The State of Internet Freedom in Azerbaijan, a legal overview

This is part five and the final installment, in a series of detailed legal reports and analyses on existing legal amendments, and new legislation affecting privacy, freedom of expression, media, and online rights in Azerbaijan and their compliance with international standards for freedom of expression.  

This final report, “The State of Internet Freedom in Azerbaijan, a legal overview” was prepared in partnership with human rights lawyer, Emin Abbasov. It is a comprehensive overview, of the existing legal framework in Azerbaijan on internet freedoms.

The following report identifies gaps within the legislation, policy, and practice that fail to comply with international legal standards in the field of internet freedoms.

As such, the aim of the report is to:

  • identify and report key developments concerning internet freedoms covering the period between 2020-2021;
  • analyze and review legislation, policies, and practices in line with international standards;
  • provide recommendations to strengthen and develop legislation, policies, and practices already in place;

Executive Summary

Azerbaijan’s track record on freedom of expression and freedom of the media has been on a steady decline according to a number of key reports by international media freedom watchdogs. This has been the case especially since 2014.

The most recent rankings by the Reporters Without Borders’ Press Freedom Index in 2020, place Azerbaijan at the bottom of the index, where the country ranks 169 out of 180 countries monitored. Freedom House’s annual Freedom on the Net report ranked Azerbaijan in 2020 as “Not Free.”  

From a legal perspective, despite routine calls on the government of Azerbaijan to ensure the domestic legislation and its application comply with international standards, particularly in line with the ECtHR case-law requirements on freedom of expression, media, and internet rights, the legislative authority, continues to adopt restrictive new bills that further deteriorate fundamental rights and freedoms.

During the reporting period, the parliament in Azerbaijan adopted several amendments to existing national legislation, imposing further restrictions and increasing state control over the internet.  In the meantime, relevant authorities failed to carry out effective and prompt investigations and prosecution into the cases of blackmailing and online sexual harassment against activists and politicians. Further, the government prepared a draft law on the media, with proposals to license Internet televisions and radios, and a new media registry with strict requirements for journalists, media owners, and media platforms. 

The report also identifies the government’s failure to present, sufficient mitigation policies to remove the infrastructural barriers related to internet access when switching to online education during country-wide restrictions imposed in March of last year as a result of COVID19. These barriers were more profound in remote areas of the country where access to the internet is poor due to inadequate infrastructure and among economically vulnerable populations.      

Finally, this report concludes that domestic legislation in Azerbaijan does not provide effective safeguards for the protection of the rights and freedoms of people online. On the contrary, it gives law enforcement a wide range of powers while failing to provide an independent review mechanism neither by the courts nor by other independent institutions over the exercise of those unlimited powers.

In response to these challenges, the report offers a number of recommendations for the government to improve its domestic legislation in line with international standards with the view of better protection of individuals’ rights and freedoms online. The full PDF report can be accessed here. Below are some of the key findings.

Key Developments between January 1, 2020June 31, 2021

  • The Cabinet of Ministers adopted a decision No.22 on January 29, 2020, approving the “Rules of the organization of operation of the information system on activity against foreign technical intelligence,” and “Level of access of information resources of state bodies within the information system on activity against foreign technical intelligence.” However, the specifics of these rules and what they entail were not disclosed;
  • Azerbaijan tightened control over online content, specifically the definition of “prohibited information”. On March 17, 2020, the parliament amended the Law of the Republic of Azerbaijan On Information, Informatization and Protection of Information (30-VIQD). According to the amendment, “prohibited information” includes false information endangering human life and health; causing significant property damage; mass violation of public safety; disruption of life support services; and of financial, transportation, communication, industrial, energy, and social infrastructure facilities; or leading to other socially dangerous consequences.”
  • During the reporting period, the number of attacks and direct targeting against activists, politicians, and their family members with intimate photos, videos, and personal messages that were leaked online, increased significantly;[1]
  • On June 29, 2020, the Parliament adopted amendments to the Law on Telecommunications and appointed the Ministry of Transport, Communications and High Technologies as an administrator of domain name registration in Azerbaijan;[2]
  • On September 27, 2020, authorities in Azerbaijan imposed restrictions on access to the internet by limiting the speed of the internet, blocking access to social media platforms and messenger services such as WhatsApp, Telegram, and others during the second Karabakh war;[3]
  • On January 13, 2021, the government established Azerbaijan State Agency for Media Development, according to the Presidential decree “On deepening media reforms in the Republic of Azerbaijan” [signed on January 12, 2020]. The agency was given broad powers to control the online media landscape;[4]
  • The Government announced a new draft law on media with provisions to license Internet TV channels;
  • Azerbaijan parliament members announced plans to draft a new law on Hate Speech.

Key findings

  • The regulation of the internet in Azerbaijan is controlled by the Ministry of Transport, Communications and High Technologies, (MTCHT). The MTCHT is a government agency, in charge of regulating communications and the development of information technologies. It also controls the internet telecommunications infrastructure.
  • Despite the Law on Telecommunication obligating the state, to ensure healthy competition and antimonopoly activity in the field of telecommunications[7], the import and distribution of the internet in the country is mainly distributed through state companies or private companies under strict government control.[8] According to the Law on Telecommunication (Article 6) regulation of telecommunication activity in Azerbaijan is carried out by the state through broad powers, notably, through the licensing and certification of telecommunication activity, the application of tariffs for the use of telecommunication services, and radiofrequency, and etc.
  • The activities of internet service providers (ISPs) and operators are required to register with the MTCHT. According to the “Rules of registration of operators and providers of Internet telecommunication services” approved by the Resolution of the Cabinet of Ministers of the Republic of Azerbaijan [No. 427] and dated October 12, 2017, operators and providers of internet telecommunication services must register for a license by applying through the MTCHT, within 15 (fifteen) days of the start of the service.[9]  The Rule further states that in accordance with the Presidential Decree No. 507 dated June 19, 2001 “On the division of powers of search operations’ entities while carrying out search operations,” ISPs are required to have a copy of the guarantee, on the installation of special equipment that provides access to information, for search operations.[10] The Rule also requires that the operators and providers submit, approved copy (copies) of the agreement (contracts) concluded with the first subscriber (subscribers), to the registration authority namely the MTCHT.[11]
  • The State Security Service and the Ministry of Internal Affairs are authorized for the organization of search operations within the communication networks in accordance with the Rule approved by the Presidential Decree № 638 dated October 2, 2015 “On approval of the Rules on information security during search operation activities on communication networks”.[12] This respective rule was never published. According to the Constitutional Law “On normative legal acts” laws and presidential decrees signed by the President must be officially published within 72 hours after the signing.[13] The Constitutional Law also allows that certain provisions of normative legal acts reflecting state secrets are not published.[14]
  • On June 17, 2021, the National Television and Radio Council (NTRC) announced the provisions in the draft law “On Media” concerning television and radio broadcasting.[18] According to the draft law a number of restrictions on freedom of expression and information, as well as regulation of media activities is envisioned. For the purpose of this report, only those restrictions that concern and impact freedom on the internet are considered here.
  • The Council of Europe’s Committee of Ministers recommendation CM/Rec(2007)16 to its member States to promote the public service value of the Internet[19] indicates the importance of diversification of competitive market structures in internet resources and ICTs. According to the Recommendations, member states should develop, in co-operation with the private sector and civil society, strategies that promote sustainable, economic growth via competitive market structures in order to stimulate investment, particularly from local capital, into critical Internet resources and ICTs, with particular reference to: developing strategies which promote affordable access to ICT infrastructure, including the Internet, promoting technical interoperability, open standards and cultural diversity in ICT policy covering telecommunications, broadcasting and the Internet. Azerbaijan has so far, failed to meet these recommendations.
  • In the context of its Recommendation CM/Rec(2018)1 to member States on media pluralism and transparency of media ownership, the Council of Europe’s Committee of Ministers refers to the term “online media” and stresses its importance for media pluralism.  It further notes that states have a positive obligation to foster a favorable environment for freedom of expression, offline and online, in which everyone can exercise their right to freedom of expression and participate in public debate effectively, irrespective of whether their views are received favorably by the State or others.[25] Moreover, in 2012, the UN Human Rights Council adopted a key resolution on the promotion, protection, and enjoyment of human rights on the Internet, “calling upon all States to promote and facilitate access to the Internet and international cooperation aimed at the development of media and information and communications facilities in all countries.”[26]
    • So far, the relevant government institutions have failed to offer such assurances in Azerbaijan. The extent of government control and monopoly, as well as poor internet infrastructure, are reflected in numerous international reports. The 2021 Inclusive Internet Index, ranked Azerbaijan 84th globally in the “readiness category,”[27] and the country’s overall performance scores have deteriorated year on year.[28] According to June Speedtest Global Index, (results are updated mid-month for the previous month), Azerbaijan ranked 122nd out of 181 countries in the category of fixed internet speed. The country’s score improved in the category of mobile internet speed, scoring 66th place out of 137 countries ranked in this category.[29]
  • The Guiding Principles on Business and Human Rights also recognize the responsibility of business enterprises to respect human rights, independent of State obligations or the implementation of those obligations (see A/HRC/17/31, annex; and A/HRC/32/38, paragraphs 9- 10). They provide a minimum baseline for corporate human rights accountability, urging companies to adopt public statements of commitment to respect the human rights endorsed by senior or executive-level management; conduct due diligence processes that meaningfully “identify, prevent, mitigate and account for” actual and potential human rights impacts throughout the company’s operations; and provide for or cooperate in the remediation of adverse human rights impacts (see A/HRC/17/31, annex, principles 16-24).[35]
    • These internationally recognized standard-setting instruments are usually not legally binding but elaborated from different binding human rights treaties and standards. Such documents set out a number of recommendations, standards, and commitments on the regulation of Internet infrastructure, as well as the regulatory role of states in accessing the Internet. However, none are implemented in the context of Azerbaijan.
  • During the period of martial law, access to the Internet remained blocked to the public, in the absence of any administrative decisions or justifications, the guarantees associated with the decision, and clearly stated reasons for such restrictions in place.
  • Azerbaijan signed the Budapest Convention – the Council of Europe Convention against Cybercrime – in 2008 and has ratified it, in 2010.[58] The Budapest Convention is a treaty on crimes committed on the internet and on computer networks. In Azerbaijan, regulation of intelligence services and online policing online, including investigation and prosecution of offenses committed online, are regulated by the Criminal Code, Criminal Procedure Code, Law on Search and Operation, Law on Police, and Law on Prosecutors office, including other normative legal acts of the Republic of Azerbaijan. However, there is no dedicated strategy or other specific policy documents on cybercrime currently available or being developed in Azerbaijan.[59]
    • In the absence of such policies, the law enforcement agencies, especially the police, which do not have significant capacity to investigate and prosecute crimes committed online, often interferes with the freedom of expression of the social network users.
    • In recent years, the police increasingly play the role of an arbitrator in resolving public conflicts and disputes between internet users. By complaining to the police, individuals can force others (whom they are in conflict with) to delete their status and comments from social network accounts. In return, police promptly identify those who complained about/against or people who criticize the government, and especially the law enforcement agencies on social networks, forcing them to apologize to the public on camera. Police then share the apology videos with the media.[60]
  • Local civil society activists suggest that during the quarantine period, a large number of people who were held administratively or who were criminally liable for organizing and/or participating in wedding or funeral ceremonies were brought to the police stations, where their forced confessions of repentance were filmed and later broadcasted on national television channels. According to credible reports received by the Election Monitoring and Democracy Studies Center, an Azerbaijani NGO, most people did not give consent to such video recordings. As such, the broadcast of the videos took place against Article 51 of the Code of the Administrative Offenses, which prohibits the dissemination of materials (audio, video, photo) in the mass media without the consent of the person against whom the administrative proceedings are conducted.[62]
  • Such practice was also used against LGBTQI+ people at least on one occasion. In July 2020, police shared the testimonies of two persons, who were accused of allegedly promoting drug use via their TikTok accounts. The video of their forced confession was shown on state media (Azertag), to discredit LGBTQI+ people and to create a negative public image.[63]  
  • Council of Europe Committee of Ministers Declaration on Freedom of Communication on the Internet (Adopted by the Committee of Ministers on May 28, 2003 at the 840th meeting of the Ministers’ Deputies), contains ten principles. According to the seventh principle, “In order to ensure protection against online surveillance and to enhance the free expression of information and ideas, member states should respect the will of users of the Internet not to disclose their identity. This does not prevent member states from taking measures and co-operating in order to trace those responsible for criminal acts, in accordance with national law, the Convention for the Protection of Human Rights and Fundamental Freedoms, and other international agreements in the fields of justice and the police.”[68]
    • But in the case of Azerbaijan, and following the decree on amendments, no such measures were taken into account. Moreover, at the time of writing of this report, there is no information on whether this mechanism was finalized.

 Conclusions & Recommendations

The analysis of the domestic legal framework shared in this report demonstrates that the current legal framework provides law enforcement authorities with unlimited powers to operate in online spaces. The analysis also explains, how this framework empowers the state to exercise full and unchecked control over telecommunication infrastructure.

In such an environment, internet and mobile operators as well as the ISPs have no power or independence to challenge the unlimited powers of the state. Further, our analysis indicates that the legal national framework is designed in such a way, that it fully disregards or undervalues the rights of individuals online while granting authorities ambiguous powers to control everything online in the absence of an independent review of the regulatory authorities’ decisions and actions.

The most striking example of such unlimited powers is an obligation placed on the ISPs to allow law enforcement authorities to set up special technical devices on the ISP’s infrastructure, in order to monitor users online and collect information about them. This is done in the absence of explicit legal provisions which normally would require a court order to carry out such activity, as well as in the absence of independent oversight by a regulatory body, that Azerbaijan failed to establish since 2016. As a result, the lack of an independent regulatory body in the field of telecommunications, as well as the lack of an independent judiciary that is capable of providing effective protection and independent judicial review against the government’s interferences, leaves citizens without any remedies to pursue.

Finally, this report also illustrates the weakness of the legislation on emergency powers, which at the moment fails to indicate the exact limits of government bodies during a state of emergency or war. Such loopholes allow the state authorities to exercise their exclusive powers in a way that can exceed the needs created as a result of such circumstances.

Based on the overview presented above, the following set of recommendations can help improve the overall environment of internet freedom in Azerbaijan:

  • Amend the legislation, notably the law On Information, Informatization, and Protection of Information, including the Code of Administrative Offences and Criminal Code to remove restrictions on content, such as false information, insult, and slander. Consult with the independent civil society groups to amend the legislation on content regulation in order to strengthen the national legislation and make it in line with international standards. Provide self-regulation opportunities for providers and private companies to regulate inapplicable content in online spaces;
  • Consider wider consultation and public discussions when reviewing new legislation and policy to ensure the voices of all key stakeholders are heard;
  • Avoid adopting the draft law on media, that currently requires licensing of the Internet TVs and radios. Instead, ensure the provisions of journalistic activity online is not subject to specific authorization;
  • Establish an independent National Regulatory Authority in line with international standards including, civil society organizations and other relevant stakeholders;
  • Provide effective and prompt investigation and prosecution of online harassment, and blackmailing against activists, politicians, and/or their family members;
  • Amend the Law on Telecommunications, the law on Information, Informatization and Protection of Information and Law on Private Information, including other normative legal acts to indicate what specific measures and in what circumstances the government is undertaking to exclude the anonymity of the internet users, including installing special software and hardware systems for the provision of blanket surveillance in online spaces.
  • Amend the legislation to provide effective safeguards against abuse of power of law enforcement authorities, notably, amend article 10 of the Law of The Republic Of Azerbaijan On Operational-Search Activity to ensure that a respective court decree is required for conducting online tracking, interception, and seizure of private information from the telecommunication channels about individuals;
  • Ensure that the Martial Law and the Law on Emergency Situations contain explicit provisions, notably safeguards, against the abusive application of emergency powers online. In doing so, amend the respective laws to include clear procedures of imposing any limitation over the internet and provide that such decisions are subject to effective safeguards;

[1] Azerbaijan Internet Watch, Targeted harassment via telegram channels and hacked Facebook accounts, March 9, 2021, https://www.az-netwatch.org/news/targeted-harassment-via-telegram-channels/

[2] The law on amendments to the Law of the Republic of Azerbaijan “On Telecommunications”, 29 June 2020, available (in Azerbaijani) at: http://e-qanun.az/framework/45676

[3] Azerbaijan limits internet access to prevent Armenia’s large-scale acts of provocation – short notice from the Ministry of Transport, Communications and High Technologies, available (in English) at: https://mincom.gov.az/en/view/news/990/azerbaijan-limits-internet-access-to-prevent-armenias-large-scale-acts-of-provocation-

[4] Presidential decree on deepening media reforms in the Republic of Azerbaijan, 12 January 2021, available (in Azerbaijani) at: http://e-qanun.az/framework/46675

[7] Article 11.1 of the Telecommunication law. “Operators, providers, other legal and physical persons operating in the field of telecommunication, as well device producers and suppliers are equal subjects in the creation and development of telecommunication services.”

[8] Article 3.1.8, article 11.2, and article 11.2.1 of the Law on Telecommunication

[9] The Rules of registration of operators and providers of Internet telecommunication services Available (in Azerbaijani) at: http://e-qanun.az/framework/36773

[10] Presidential Decree On the division of powers of search operations entities in the implementation of search operations, June 19, 2001, available (in Azerbaijani) at: http://e-qanun.az/framework/3569

[11] Article 3.3.3 of the Rule of registration of operators and providers of Internet telecommunication services.

[12] Presidential Decree “On approval of the” Rules for ensuring information security in the implementation of search operations in communications networks ” 2 October 2005, available (in Azerbaijani) at: http://e-qanun.az/framework/30840

[13] Article 83.1 of the Constitutional Law (№ 21-IVKQ) “On normative legal acts” dated 21 December 2010. Available (in Azerbaijani) at: http://www.e-qanun.az/framework/21300

[14] Article 82.7 of the Constitutional Law (№ 21-IVKQ) “On normative legal acts”

[18] Azadliq Radio, Internet TV channels may require a license, June 17, 2021, https://www.azadliq.org/a/internet-tv-lisenziya/31313244.html

[19] Adopted by the Committee of Ministers on November 7, 2007, at the 1010th meeting of the Ministers’ Deputies, https://search.coe.int/cm/Pages/result_details.aspx?ObjectID=09000016805d4a39

[25] The Council of Europe’s Committee of Ministers Recommendation CM/Rec(2018)1[1] to member States on media pluralism and transparency of media ownership,  (Adopted by the Committee of Ministers on 7 March 2018 at the 1309th meeting of the Ministers’ Deputies), https://search.coe.int/cm/Pages/result_details.aspx?ObjectId=0900001680790e13

[26] The promotion, protection, and enjoyment of human rights on the Internet: resolution / adopted by the Human Rights Council, https://digitallibrary.un.org/record/731540?ln=en

[27] The Readiness category examines the capacity to access the Internet, including skills, cultural acceptance, and supporting policy.

[28] The Inclusive Internet Index, https://theinclusiveinternet.eiu.com/explore/countries/AZ/

[29] The Speed Test global Index,  https://www.speedtest.net/global-index/azerbaijan#fixed

[35] Report by the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, para., 45.

https://globalfreedomofexpression.columbia.edu/wp-content/uploads/2017/06/Kaye-Report-March-2017-AHRC3522.pdf

[58] The Law on Ratification of the Budapest Convention, available (in Azerbaijani) at: http://e-qanun.az/framework/18619

[59] Council of Europe, the status of the ratification of the Budapest Convention concerning to Azerbaijan, https://www.coe.int/en/web/octopus/country-wiki-ap/-/asset_publisher/CmDb7M4RGb4Z/content/azerbaijan?_101_INSTANCE_CmDb7M4RGb4Z_viewMode=view/

[60] On June 3, 2020, Baku residents Tatyana Ulankina, Ramin Bakhishov, Allahverdi Imanguliyev, Shirzad Shirzadov, and Taleh Bakhshiyev were detained in the Baku Metro for allegedly resisting police. Police asked that the detained individuals comply with the lawful demands relating to the rules of the special quarantine regime. A video was shot and broadcast on the website of the Ministry of Internal Affairs in which each of the detainees apologized and regretted their actions to the police department. Afterward, a criminal case was launched under Articles 139-1 (violation of anti-epidemic, sanitary-hygienic or quarantine regimes when there is a real threat of the spreading of the disease or the actual spreading of the disease) and 221 (hooliganism) of the Criminal Code, and the investigation was launched. The CCTV footage from the subway that appeared on social media showed there was a minor dispute between one person and two police officers over the wearing of a protective mask, which the person in the video claimed he had and others joined to support him, https://www.youtube.com/watch?v=EBC-l9EuiCQ&t=136s

[62] Election Monitoring and Democracy Studies Center (EMDS), Briefing Document, Measures against the COVID-19 pandemic in Azerbaijan: Deepening pressure on freedoms and Political Crisis, https://smdtaz.org/wp-content/uploads/2020/09/EMDS-briefing-22.09.20.pdf

[63] Azertag,az, People who registered on the social network “Tik-Tok” under the names “Maya” and “Banu” and posted videos promoting drug use were detained, July 23, 2020, https://video.azertag.az/video/98901

[68] Council of Europe Committee of Ministers Declaration on freedom of communication on the Internet, Adopted by the Committee of Ministers on  May 28, 2003, during the 840th meeting of the Ministers’ Deputies, https://search.coe.int/cm/Pages/result_details.aspx?ObjectID=09000016805dfbd5

The Pegasus Project and Azerbaijan – what does domestic legislation tell us about privacy of users in Azerbaijan

This is part four in a series of detailed legal reports and analyses on existing legal amendments, and new legislation affecting privacy, freedom of expression, media, and online rights in Azerbaijan and their compliance with international standards for freedom of expression.  We dedicate this report to the recent Pegasus Project investigations.  

Background

Members of opposition political parties, independent journalists, political and human rights activists have long faced systematic pressure and persecution orchestrated by the government of Azerbaijan. The unprecedented crackdown against civil society that began in 2013, marked a new chapter, in the history of Azerbaijan’s civil society. One, marred by arrests and prosecution of high-profile activists, rights defenders, and journalists.

This systematic pressure and harassment were not only offline. It was only a matter of time, that the internet too would become a place to target activists, journalists, and human rights defenders, holding them accountable for their online criticisms on bogus accusations that often ended with lengthy jail sentences, forced apologies on public televisions (see The State of Internet Freedom in Azerbaijan report), detentions and further forms of persecution.

In a country where almost all avenues for freedom of expression and activism were eliminated, the internet, specifically online media platforms, and social media networks became new targets. To monitor discussions online, prevent citizens from accessing independent news online, or social media platforms, and to further curb freedoms online, the government of Azerbaijan embarked on a shopping spree, becoming a client of companies selling sophisticated surveillance equipment and technology.[1]

By 2021, the government of Azerbaijan has successfully deployed a Remote Control System (RCS), Deep Packet Inspection (DPI), phishing, and spear-phishing attacks often with homegrown malware. The most recent addition to a wide variety of authoritarian technology deployed in Azerbaijan is Pegasus spyware.  

The Pegasus Project

On July 18, 2021, an international consortium of more than 80 journalists from 17 media outlets revealed the Pegasus Project. Spearheaded by Forbidden Stories, a Paris-based journalism non-for-profit, with technical support of Amnesty International Security Lab, the Pegasus Project is a global investigation into an Israeli surveillance company, the NSO Group, and it’s most sought after hacking software called Pegasus.

According to the investigation, the NSO Group sold Pegasus to at least ten government clients including in Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Azerbaijan, Rwanda, Saudi Arabia, and the UAE. Among the targets were journalists, human rights defenders, political opponents, business people, and heads of state.

“Forbidden Stories and Amnesty International had access to a leak of more than 50,000 records of phone numbers that NSO clients selected for surveillance,” wrote Forbidden Stories sharing the findings of the investigation.

On the leaked phone records, at least 1000 were identified as belonging to users from Azerbaijan. One of the media partners in the investigation, the Organized Crime and Corruption Reporting Project (OCCRP) took on to investigate numbers that belonged to users in Azerbaijan, Kazakhstan, and Rwanda.

So far, OCCRP was able to identify 250 phone numbers targeted, which belonged to reporters, [2] editors, media company owners, activists, human rights defenders, and their family members. As of July 27, OCCRP confirmed at least 80 cases of the alleged surveillance.[3]

Following the release of the investigations, international organizations, such as Reporters Without Borders, said they will pursue legal action against those responsible for this massive surveillance.[4] In Azerbaijan, some of the targeted individuals intend to appeal to local courts and then to the European Court of Human Rights, on the grounds of infringements of their right to private life.[5]

While law enforcement authorities in Hungary[6], Israel[7], France[8], the USA[9], and Algeria[10] have launched probes into suspected unlawful surveillance via Pegasus spyware, the Azerbaijani law enforcement agencies are yet to respond.

What chance do those targeted in Azerbaijan stand in pursuing legal action against the government of Azerbaijan? To answer this question, we look at the national legislation enabling the government to carry out surveillance en masse and citizens’ rights to privacy. Read the PDF report here.

Domestic framework

The right to private life is under the protection of comprehensive constitutional provisions, namely Article 32 of the Azerbaijani Constitution which guarantees that everyone has the right to the inviolability of private[11] and family life, including with respect to correspondence, telephone communications, post, telegraph messages and information sent by other means of communication. Article 32 further states that gaining, storing, using, and spreading information about the person’s private life without his/her consent is not permitted. These rights may be restricted, as prescribed by law, in order to prevent crime or to determine the truth in the course of the investigation of a criminal case. Section eight of article 32 also indicates that the scope of the personal information, as well as the conditions of their processing, collection, sharing, use, and protection, is prescribed by law.

In addition, there are normative legal acts recognizing the right to private life, including regulating the restrictions of private life in telecommunications networks.

While mentioning a catalog of rights for individuals in respect to the right to privacy[12], article 3 of the basic law on private data – the Law on Private Information,[13] stipulates that the rules for the collection and processing of personal data, concerning intelligence and counterintelligence, and operation-search activities are regulated by other respective legal acts (discussed below).

The Law on Private Information obligates the operators, to create necessary conditions for intelligence, counterintelligence, and search operations in accordance with the legislation, to guarantee relevant organizational and technical issues, and comply with the confidentiality of the methods used to conduct these activities.[14]

Along with the Law on Personal Data, the Law on Telecommunication also determines the powers of state bodies, notably subjects of intelligence and counterintelligence search operations, to collect or intercept personal data from the telecommunication channels and networks.[15]

In Azerbaijan there are two types of oversight over citizens:

  1. Extraction of information from telecom channels, i.e., interception; and
  2. Surveillance

The Law on Operation-Search Activity overseas phone tapping and information extraction from communication channels.[16]  Further, the third section of article 10 of the Law on Operation-Search Activity does not require a judicial act or supervision of higher authority while wiretapping and extracting information from technical communication channels unless there is a need to install technical devices such as voice, video, or photo recorders at the place of residence of the individuals.  

In other words, anyone in Azerbaijan can be subject to such a form of oversight.

The Law on Telecommunication obligates network operators to install special equipment, provided by the State Security Service, Ministry of Internal Affairs, and Special State Protection Service onto the telecommunication networks[17] enabling the Government to extract (intercept) data on anyone regardless of whether that person(s) is part of an investigation process or not.

The installment of special equipment within communication networks is regulated by the “Rules for equipping telecommunications operators and providers with additional technical means for conducting search operations, reconnaissance and counter-intelligence activities” issued by the Ministry of Transport, Communications, and High Technologies on  June 14, 2016.[18] The Rule obligates telecommunication operators and providers to create technical conditions for the conduct of relevant activities within the communication networks.

The Rule defines that Telecommunication Control System (hereinafter – TCS) – is special hardware and software that provides confidential control over the exchange of information of subjects targeted by the relevant measures (such as search and operation, intelligence, and counterintelligence activities), as well as all statistical data of the network. TNS consists of data extraction facilities, transport networks, and control centers.

The Rule also indicates that relevant measures in the communication networks are carried out in accordance with the requirements of the laws of the Republic of Azerbaijan “On Operation-Search Activity” and “On Intelligence and Counterintelligence Activity”.[19]

However, while the Law on Operation-Search Activity may allow secret surveillance and seizure of private information, there are no rules or procedures within the national legislation for secret surveillance and intercepting information by government agencies. There are also no clearly defined rules on determining the grounds for such surveillance and interception activities, their duration, and whether such activities can be stopped by a court or other higher state authority.

Further, when analyzing the national legislation, it becomes clear, that a number of rules about the organization of search operations by law enforcement agencies, as well as the placement of surveillance and tapping devices within the telecommunication infrastructure have not been published. For example, the “Rules for ensuring information security in the implementation of search operations in communications networks” approved by Presidential Decree No. 638 on October 2, 2015, is not disclosed.[20]

As mentioned, earlier, interference with the right to personal data within telecommunication networks is carried out by the representatives of the search and operation, intelligence, and counterintelligence authorities. The technical and organizational conditions for the provision of the search operation, intelligence, and counterintelligence activities within communication networks are determined by the State Security, and in cases where relevant to the Ministry of Internal Affairs, together with the Special State Protection Service of Azerbaijan.

Infringement of privacy is prohibited under the Criminal Code (Article 156). Illegal collection of information, documents containing such information, visual materials, audio recordings, as well as their sale or transfer to another person is punishable by a fine in the amount of 1,000 to 2,000 AZN (approximately 600-1200USD); by public works ranging from 240 to 480 hours; or by correctional labor for up to one year. In cases where the same offense was/is committed by an official using his/her official status, the crime is punishable by restriction of liberty for a period of up to two years or by imprisonment for a term of up to two years with or without deprivation of the right to hold a certain position or engage in certain activities for up to three years.[21]

The Criminal Procedural Code provides that the investigation of the infringement of privacy is carried out in the form of a public-private prosecution upon the complaint of the victim or by the initiative of the prosecutor when the committed crime affects the interests of the state or society.[22]

Compliance with international standards

The right to protection of personal data is not an autonomous right among various rights and freedoms covered by the Convention. The Court has nevertheless acknowledged that the protection of personal data is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life, home, and correspondence, as guaranteed by Article 8 of the Convention (Satakunnan Markkinapörssi Oy and Satamedia Oy v. Finland [GC], 2017, § 137; Z v. Finland, 1997, § 95).

According to the Court’s established case-law, the requirement that any interference must be “in accordance with the law” will only be met when three conditions are satisfied: the impugned measure must have some basis in domestic law and, with regard to the quality of the law at issue, it must be accessible to the person concerned and have foreseeable consequences.[23]

Non-availability of any official information or confirmation on the scope and form of the surveillance and interception of mobile devices through the Pegasus spyware may also raise specific issues concerning the difficulties on recognizing the victims’ status within the framework of national laws. 

However, the relevant case-law of the ECtHR is relatively flexible on the subject of recognition of the victim’s status. The ECtHR, therefore, accepts that an individual could, under certain conditions, claim to be the victim of a violation occasioned by the mere existence of secret measures or of legislation permitting secret measures, without having to allege that such measures had been in fact applied to him or her.[24]

Further, considering that domestic legislation does not require any judicial act or does not provide any independent oversight over the interferences to the right to privacy, there is little information about the form and scope of the interception and surveillance of individuals’ privacy within telecommunications networks in Azerbaijan. This is also contrary to the well-established standards of the ECtHR concerning the issue of personal data collected by means of various methods of secret surveillance. The fact that various government institutions are vested with powers and authority – as provided by domestic laws — to listen to anyone at any time on telecommunication networks, in itself does not meet the requirements of the qualitative law enshrined in the case-law of the European Court.

The ECtHR considers the requirements of the Convention, notably in regard to foreseeability, to not be exactly the same, in the special context of interception of communications for the purpose of police investigations.

According to the ECtHR case law,  the Convention’s “quality of law” concept, requires, that domestic laws – notably those allowing state interference with rights and freedoms – satisfy the requirements that domestic laws, should be sufficiently accessible and foreseeable.

The requirement of foreseeability means that the national law must be sufficiently clear in its terms, in order to give citizens an adequate indication of the circumstances and conditions for which public authorities were empowered to resort to this secret and potentially dangerous interference with the right to respect for private life and correspondence. Consequently, the law must indicate the scope of any such discretion conferred on the competent authorities and the manner of its exercise with sufficient clarity, having regard to the legitimate aim of the measure in question, and to give the individual adequate protection against arbitrary interference (Malone v. the United Kingdom, 2 August 1984, §§ 67 and 68, Series A no. 82. See also Kennedy v. the United Kingdom, op. cit., § 152).[25]

In this regard, within the framework of the European Court’s supervision function under the Convention’s standards, the ECtHR’s authority to verify the compliance of online surveillance regimes with the Convention’s standards would provide effective protection.

In recent Grand Chamber judgment in the case of Big Brother Watch and Others v. the United Kingdom (application nos. 58170/13, 62322/14 and 24969/15) the ECtHR held unanimously, that there had been a violation of Article 8 of the European Convention (right to respect for private and family life/communications) in respect of the regime for obtaining communications data from communication service providers noting that assessment of interceptions and obtaining of private information from the telecommunications networks should be made at each stage of the process of the necessity and proportionality of the measures being taken; that bulk interception should be subject to independent authorization at the outset when the object and scope of the operation were being defined; and that the operation should be subject to supervision and independent ex post facto review.

We conclude, that based on the above analysis of the loose interpretation and at times overt national legislation, it is important to take these cases of surveillance and interception to the ECtHR for the purpose of assessing the country’s legal framework and its (in)applicability with the ECtHR’s case law.  

[1] Internal company documents show Azerbaijan’s Ministry of National Security purchased Hacking Team’s Remote Control System (RCS) surveillance spyware via a California-based intermediary called Horizon Global Group in 2013 for an initial payment of €320,000. https://www.occrp.org/en/daily/4136-azerbaijan-bought-hacking-team-s-surveillance-spyware-leaks-reveal

[2] Turan, Pegasus has been spying on Azerbaijani journalists and activists over years, July 19, 2021, https://www.turan.az/ext/news/2021/7/free/politics_news/en/5975.htm/001 

[3] OCCRp, People Selected for Targeting by Azerbaijan,

https://cdn.occrp.org/projects/project-p/?_gl=1*rnxzxn*_ga*MjEyNTY0MTgzMS4xNjI3NDE1OTE1*_ga_NHCZV5EYYY*MTYyNzQxNTkxMy4xLjEuMTYyNzQxNTkyNy40Ng..#/countries/AZ

[4] Turan, The organization in defense of press freedom “Reporters without Borders” is outraged by the fact that 200 journalists from 20 countries are being spied on with the help of the Israeli spy system Pegasus, July 2021, http://www.turan.az/ext/news/2021/7/free/politics_news/en/6042.htm/001

[5] Voice of America, Interview with Bakhtiyar Hajiyev, July 20, 2021, https://www.amerikaninsesi.org/a/bəxtiyar-hacıyev-avtoritar-rejimlər-hətta-ən-yaxın-çevrəsinə-güvənmir/5972455.html

[6] Al Jazeera, Hungary prosecutors open investigation into Pegasus spying claims, July 22, 2021, https://www.aljazeera.com/news/2021/7/22/hungary-prosecutors-open-investigation-into-pegasus-spying-claims

[7] Al Jazeera, Israel launches commission to probe Pegasus spyware: Legislator, July 22, 2021, https://www.aljazeera.com/news/2021/7/22/israel-launches-commission-to-probe-pegasus-spyware-legislator

[8] Euractive, France launches investigation into Pegasus spying allegations, July 22, 2021, https://www.euractiv.com/section/cybersecurity/news/france-launches-investigation-into-pegasus-spying-allegations/

[9] Reuters, FBI probes use of Israeli firm’s spyware in personal and government hacks – sources, July 22, 2021,  https://www.reuters.com/article/us-usa-cyber-nso-exclusive-idUSKBN1ZT38B

[10] The Star, Algeria launches probe into Pegasus spyware claim, July 22, 2021, https://www.thestar.com.my/tech/tech-news/2021/07/23/algeria-launches-probe-into-pegasus-spyware-claim

[11] Constitution of the Republic of Azerbaijan, https://static2.president.az/media/W1siZiIsIjIwMTgvMDMvMDkvNHQzMWNrcGppYV9Lb25zdGl0dXNpeWFfRU5HLnBkZiJdXQ?sha=c440b7c5f80d645b

[12] According to article 7 of the Law on Personal Data, individuals have the right to require a legal justification for the collection, processing, and transfer of their personal information to third parties, and information on the legal consequences for the subject of the collection, processing, and transfer of such information to third parties; to get acquainted with the content of personal information collected about himself/herself in the information system; to learn the purpose, the period and methods of collecting and processing personal information about himself/herself; to demand clarification and destruction of personal data collected and processed in the information system, except for the cases established by the legislation; to demand a ban on the collection and processing of personal data about himself/herself and etc.

[13] Law on Private Data, http://e-qanun.az/framework/19675

[14] Article 10.5, Law on Personal Data

[15] Article 39, Law on Telecommunication (article 10.5 of the Personal Data is repeated in article 39 of the Law on Telecommunication)

[16] Article 10, Law on Operation-Search Activity, http://e-qanun.az/framework/2938

[17] Under the Telecoms Law and the conditions of telecom licensing and registration, telecom operators and providers must cooperate with the law enforcement authorities and install special equipment and software programmes allowing them access to information under the undisclosed technical rules adopted by the Presidential order on October 2, 2015. The Law on Telecommunication, article 39., Paragraph 1 of the article states: “operators, providers are obliged to create conditions for conducting search operations, intelligence and counter-intelligence activities in accordance with the law; to provide telecommunications networks with additional technical means in accordance with the conditions established by the relevant executive authority; to resolve organizational issues, and to keep secret the methods used in conducting these events.” Paragraph 2 of the article states: “The operator, the provider shall be liable for the violation of these requirements in accordance with the law.”

[18] http://e-qanun.az/framework/33275

[19] Article 1.5.7. “Rules for equipping telecommunications operators and providers with additional technical means for conducting search operations, reconnaissance and counter-intelligence activities”, issued by the Ministry of Transport, Communications and High Technologies,   June 14, 2016

[20] The Presidential Decree No. 638, October 2, 2015, http://e-qanun.az/framework/30840

[21] The Criminal Code of Azerbaijan, http://e-qanun.az/framework/46947

[22] The Criminal Procedure Code of Azerbaijan, http://e-qanun.az/framework/46950

[23] Kennedy v. the United Kingdom, op. cit., § 151; Rotaru v. Romania, op. cit., §52; Amann v. Switzerland, op. cit., § 50; Iordachi and Others v. Moldova, op. cit.; Kruslin v. France, § 27; Huvig v. France, § 26; Association for European Integration and Human Rights and Ekimdzhiev v. Bulgaria, op. cit., § 71; Liberty and Others v. the United Kingdom, op. cit., § 59, etc.

[24] National security and European case-law, Council of Europe / European Court of Human Rights, 2013, para., 9., https://rm.coe.int/168067d214

[25] National security and European case-law, Council of Europe / European Court of Human Rights, 2013, page 2,  https://rm.coe.int/168067d214

new report documents a decade of censorship in Azerbaijan

On July 16, Qurium Media Foundation released a report, “A Decade of Efforts To Keep Independent Azerbaijani Media Online”. 

The report highlights the work carried out by Qurium since 2010 assisting targeted independent and opposition online news platforms in Azerbaijan. “For more than a decade, Qurium has monitored and mitigated a wide range of cyberattacks against the websites and since 2016, no less than twenty forensics reports have been released to document our findings,” reads the new report.

Denial of Service attacks

During five years (2010-2015), Qurium mitigated dozens of denial of service attacks against Azerbaijani media, and was forced to invest in mitigation hardware and to increase its Internet capacity. Commercial mitigation of denial of service was not possible for Azeri media organizations as the average cost for such services was close to 1,000 Euro/month for a small website.

During 2014-2016, several corporate efforts made Denial of Service more difficult for the attackers, both Cloudflare (2014) and later Google (2016) started to offer free protection to journalists and human rights groups and many stress testing services (aka “booters”) since then were dismantled by FBI, such as the infamous VDOS Booter and the Mirai botnet.

After three years of research of development (2014-2017), Qurium built its own mitigation hardware and upgraded its Internet capacity by a factor of 200. Although the Denial of service attacks slowly had decreased since 2017, new challenges emerged. Internet Network Interference.

Internet Network Interference

In late 2013, a new type of challenge emerged when we discovered that websites artificially were slowed down. Instead of blocking the websites that clearly would expose the motivations and those responsible for the disruptions, the websites were slowed down by limiting the amount of bandwidth available to reach them. Qurium was forced to develop a method to detect “Internet Congestion” and to keep moving affected websites to other IP addresses to keep them online. Other large providers, such as Akamai, hosting other Azeri media was also slowed down and was unable to respond effectively to the challenge.

Exposing a coordinated cyberwar strategy

Starting from 2017, the cyberwar landscape changed. 

During that year, we received customized denial of service, pen testing and vulnerability scans and the first reports of targeted malware.

A series of diverse attacks and forensics analysis including tracing back the source of a malware sent to journalists helped us to confirm that new Ministry of Transport, Communications and High Technologies and the “hacker community” built around the government, sponsored cybersecurity events were actively targeting our hosted media.

After hosting and protecting Azeri media for almost seven years, we had no doubt about the actors behind the attacks, and could publicly document that a “State Actor” was orchestrating diverse forms of cyber attacks.

Deep Packet Inspection

Also in 2017, a new method used against independent and opposition media was identified by Qurium – the Deep Packet Inspection or shortly DPI. 

In April 2017, we identified that new technical means were implemented in several operators to block some of the websites. The Azeri authorities had invested in Deep Packet Inspection equipment to block the media outlets once and for all.

By the end of April 2017 Qurium learned that there were a court order against some of our hosted media organizations. To our surprise, the websites under Deep Packet Inspection were many more than the ones mentioned in the court order. The court order stated that the listed websites (Azadliq.info, Azadliq.org, Azerbaycansaati.com, Meydan.tv and Turan TV) were “creating threats to the legitimate interests of the state and society” and must therefore be blocked.

After two years of research between 2017-2019, Qurium identified the use of DPI hardware from Allot Communications and Sandvine inside several operators in Azerbaijan.

Website flooding, phishing, and more

By 2018, many of the “stress testing services” often used to launch the Denial of Service attacks had been dismantled world wide. The attackers were forced to find new alternatives to conduct their traffic floods aiming to take the websites offline. During another forensic investigation we traced back this new source of denial of service to Russian Fineproxy (Region40). By identifying the service provider used to conduct the attacks, we could not only expose their business practices but also their management that kindly disabled the account of the attacker.

In late 2018, Denial of Service became a second priority in the strategy to harass Azeri media and once again other means were needed.

By April 2020, Qurium could finally link the denial of service attacks launched using Fineproxy service with the very same threat actor from the Ministry of Internal Affairs: sandman. Access to sandman github account provided us with a good insight of the toolset that was being used against online media and journalists in Azerbaijan.

A final report of our findings showed even more advanced capabilities, like the ability to create fake SMS or hijack SMS sent to the journalists giving the attackers the ability to take control over their social media accounts.

Phishing remains a major attack vector against journalists and human right activists, the latest phishing campaign in early July 2021 impersonated human rights watch so as to implant a malware capable of recording the desktop and webcam or exfiltrate all important documents of the victims.

Conclusion

What started in 2010 and went on for years with Denial of service attacks using third party stress testing services was extended with more sophisticated attacks in 2017 including targeted phishing and the introduction of dedicated hardware to block the websites using technologies as DART from Allot and PCEF from Sandvine.

The national blocking of many websites, not always supported by legal court orders, has been weaponized to limit visibility of the media in the country. Despite our multiple efforts to provide alternatives to make the content available, the blocking has had a huge impact in the revenue creation of the alternative media and the growth of readership.

After the introduction of Internet blocking by means of more sophisticated deep packet inspection against alternative websites in 2018, many of the blocked media opted to increase their presence in Facebook but that has proven to be an advantageous situation for the Azeri government and their secret cyber operations as Facebook has showed a bad track record in dealing with “coordinated inauthentic behavior” in the country.

You can read the full report here.

Legal analysis of a COVID tracing app released last year in Azerbaijan

This is part three in a series of detailed legal reports and analyses on existing legal amendments, and new legislation affecting privacy, freedom of expression, media, and online rights in Azerbaijan and their compliance with international standards for freedom of expression.  

In July, of last year, authorities in Azerbaijan released their very own COVID tracing tracker application. Launched by Tebib (Azerbaijan Administration of Regional Medical Division) the app was quick to draw attention, especially over its privacy issues.

The mobile app is operated by the Data Processing Center (DPC), which is the main structure of the information technologies of the Ministry of Transport, Communications, and High Technologies. According to the app’s version history at App Store, the application “update” was done on 27 May 2021. 

e-Tebib is just one of the deluge of apps unveiled during the height of the COVID-19 pandemic by various governments, promising to detect COVID-19 exposure and not only.

Below, we break down the pervasiveness of the app having analyzed existing national and international legislation.

Features and concerns

According to the app’s description, “E-Tebib is designed to inform users in real-time about the number of patients (both sick and recovered) in Azerbaijan.” Since the start of the pandemic, the official data for Azerbaijan on the number of infected patients and recoveries were made available here and the numbers were updated once a day – based on the numbers reported by the Operational Headquarters set up under the Cabinet of Ministers of the Republic of Azerbaijan (the unit was established on February 27, 2020). Already from the start, it was unlikely the app was going to provide real-time indicators when the main body in charge only shared the information once a day. 

In addition, article 4.4 in the user agreement of the app, explicitly said that any information, obtained through the app, may not be precise, correct, or trusted. And yet, the app also claimed to reduce the number of infected patients by informing users of potential COVID infected patients around them via Bluetooth technology. 

Although the app claimed it did not collect any personal data aside from the user’s phone number the article 5.3 of the license agreement stated, the center [the Ministry of Communication, Transportation and High Technologies who owns the app’s license] collected users’ names, last names, phone numbers, social media accounts, emails, national ID numbers, and location.

Article 5.1 mentioned the center was sharing this information with third parties. These third parties were allowed to analyze collected information including users’ browsing history [The center did claim that it did not allow third parties, to use the obtained information for other purposes]. Article 5.5.1 stated the center may share users’ information with government bodies and/or representatives’ legal requests; court orders; or under any other legal condition. Furthermore, article 5.6 stated that users’ information may be shared with third parties in other countries for security purposes.

What the law says

According to Article 5.1 of the Law on Personal Data personal information is protected from the moment it is collected and for this purpose, it is divided into confidential and public categories according to the type of access. Article 5.2 of the Law on Personal Data stipulates that confidential personal data must be protected by the owner, operator, and users who have access to this information on a level required by law. Confidential personal information may be disclosed to third parties only with the consent of the subject, except as provided by law. Article 5.3 of the Law on Personal Data defines open personal data as information anonymously duly declared, made public by the subject, or entered into the information system with the consent of the subject. The person’s name, surname, and patronymic are permanently open personal information.

The terms of the agreement [of the app] on sharing private information with the third parties are vaguely regulated and open to wide interpretation for unlawful transmission of the private information with third parties.

Furthermore, article 5.5.1 of the app’s agreement that states information might be shared upon the government representatives’ legal requests are problematic from the human rights perspective. It fails to specify on which grounds and under what conditions the state authorities might request the private information which is necessary for terms of procedural fairness and safeguards against arbitrariness.

Where personal information is stored for the interest of the protection of health, there should be adequate and effective guarantees against abuse by the state. The law in question, which allows the storing of such information, must indicate with sufficient clarity the scope and conditions of exercise of the authorities’ discretionary power. These standards to some extent are also backed in Article 11.2.2 of the Law on Personal Data which states that when collecting personal data, the owner or operator must notify the subject about the purpose of personal data that is being processed and the legal grounds of this purpose.

In other words, it is not clear whether any state authority can have access to private information simply upon requesting it without legal justification. This is also a requirement of the Law “About operational search activities” as per Article 10. Thus, Article 10 of the Law states that the extraction of information from technical communication channels and other technical means is carried out on the basis of the decision of the court [judge].

Article 5.10., of the app’s user agreement states that all user-related data is kept for a month. But it fails to explain whether the same expiry date applies to “third parties” that may have access[ed] [to the] users’ information. This is contrary to Article 8.2., of the Law on Personal Data. Law on Personal Data requires that for the purpose of collecting and processing of personal data (specifically Article 8.2.3.,) and conditions of destruction or archiving of personal data collected in the relevant information system after the expiration of the period of storage or after the death of the subject in the manner prescribed by law must include a written consent for the processing of the subject’s personal data.

Such vagueness is also contrary to the ECtHR’s well-established case law. In Aycaguer v. France case, the ECtHR ruled, there was a violation of Article 8 (right to respect for private life) of the Convention by “determining the duration of storage of […] personal data depending on the purpose of the file stored […]”. The Court noted that, to date, no appropriate action was taken on that reservation and that there was currently no provision for differentiating the period of storage. The Court also ruled that the regulations on the storage of DNA profiles did not provide the data subjects with sufficient protection, owing to its duration and the fact that the data could not be deleted. The regulations, therefore, failed to strike a fair balance between the competing public and private interests.

Another concern was that the application was developed by A2Z Advisors LLC and the app’s privacy policy was linked to the company’s website. The landing page of A2Z Advisors LLC, however, did not provide any information on the app’s privacy policy. At the time when the app was launched, AIW reached out for comment via email as per A2Z’s recommendation but never received a response.

Similarly, in the App Store for IOs when clicking on the “App Support” tab, the page once again led to the A2Z company website and once again failed to provide any information related to the App. Instead, the privacy policy was accessible via this link that a user had access to but only after downloading and launching the app. This in itself was contrary to the several articles of the Law on Personal Data.

According to Article 11 of the law, it is required, when collecting personal data, that the owner or operator, notifies the subject about the level of protection of personal data collected and processed in the information system [11.2.3.]; the information on the existence of a certificate of conformity of information systems and state examination [11.2.4.]; and the scope of the intended uses of personal data, including the information system for which the information is to be exchanged [11.2.5.]. However, no such information was provided in the app’s agreement.

The app was also not an open-source code and was licensed under the Ministry of Communication, Transportation, and High Technologies. This is contrary to the requirement [Article 6.22.,] of the Resolution of the Cabinet of Ministers about “Requirements on creation and management of Internet information resources of state bodies”, which requires that open source content management systems should not be used in internet information resources.

FaktYoxla, a fact-checking platform in Azerbaijan concluded after a detailed legal analysis over the license agreement that e-Tebib was not designed in accordance with the national legislation on data privacy. The fact-checking platform, having analyzed the respective case-law of the European Court, the EU Data Protection Directive, and the Council of Europe Treaty 108, concluded that the e-Tebib application contradicted the obligations imposed by international standards.

On July 10, 2020, following widespread privacy concerns and questions over the app’s transparency, changes were made to the terms of the agreement.

Originally users’ information was transferred to third parties, which were not explicitly defined in the agreement. At the time, independent experts and lawyers said this was against Article 32 of Azerbaijan’s state constitution and in violation of Article 8 of the European Convention on Human Rights.  Azerbaijan’s constitution, namely, Article 8, stipulates that no one has a right to collect personal information without an individual’s permission. The convention, on the other hand, refers to respect for privacy. 

***In Copland v. the United Kingdom case (no. 62617/00, ECHR 2007-I), the Court found that it was irrelevant that the data held by the college where the applicant worked was not disclosed or used against her in disciplinary or other proceedings. Just storing the data amounted to an interference with private life.

The updated license agreement said that only under necessary circumstances, and within the normative legal framework personal information may be transferred to third parties. The revised agreement, still, fails to explicitly mention the precise list of institutions considered under third parties.

Fuad Niftaliyev – the head of the app development project later explained that the third parties referred to in the agreement are the Ministry of Health, Tebib, and the Operational Headquarters [set up under the Cabinet of Ministers of the Republic of Azerbaijan]. Niftaliyev clarified that the collected information was stored on the servers operated by the Ministry of Communication and Information, however that too was problematic, given the questionable transparency of the government institutions in Azerbaijan especially as surveillance technology is widely used by the ministries alike. 

Azerbaijan among 29 countries where internet shutdowns documented

On March 1, Access Now released the #KeepItOn report that documents incidents of internet shutdowns globally for the year 2020. 

According to the findings of the report:

  • there were 155 Internet shutdowns documented across 29 countries;
  • there were 28 complete internet blackouts; 
  • out of the 155 internet shutdowns, six incidents were bandwidth throttling;
  • there were at least 26 attempts to deny people access to social media and communication platforms such as Facebook, Twitter, WhatsApp, Instagram, Telegram, and other platforms;
  • new countries that have never shut down the internet before, like Tanzania, Cuba, and others, joined the internet shutdown shame list;

This year, Azerbaijan was also included among countries experiencing internet shutdowns.

According to the #KeepItOn FAQ,

“an internet shutdown is ‘an intentional disruption of internet or electronic communications, rendering them inaccessible or effectively unusable, for a specific population or within a location, often to exert control over the flow of information.’ An internet shutdown happens when someone — usually a government — intentionally disrupts the internet or mobile apps to control what people say or do.”

In this context, the report notes that one trend in 2020 was how governments deployed internet shutdowns “in response to ongoing violence — particularly in active conflict zones.” But this decision comes at a great cost. “Amid conflict, shutdowns can hide human rights violations or war crimes, thwart journalism, and put people’s lives in danger.” In Azerbaijan during the armed conflict with Armenia, the government of Azerbaijan announced it would disrupt internet access across the country. This decision, prevented numerous online news platforms, from publishing news, and their readers, from accessing news. The authorities encouraged the Azerbaijani people to only use and rely on government media platforms, and updates from the government institutions. None of which, experienced the same difficulties and challenges with access as did the normal users. 

Although the government in Azerbaijan did not ban the use of VPNs which became the top most downloaded apps during the war, it did encourage users not to rely on virtual private networks. Some of the companies refused to offer their services to customers using VPNs on their devices. When confronted, they refuted the claims this was the case. 

The new report also mentioned the role tech companies play in internet shutdowns globally, chief among them Sandvine and Allot. Azerbaijan has used the technology by both companies on different occasions and for different purposes. During the 44-day war, Sandine worked with Delta Telecom – Azerbaijan’s backbone internet provider, which is owned by the government to block access to live stream videos from YouTube, Facebook and Instagram. 

Given Azerbaijan has purchased both technologies, the chances of both of them being deployed during the most recent internet shutdown are high.  

*Sandvine provides Deep Packet Inspection (DPI) equipment that enabled shutdowns and website blocking. 

*Allot‘s DPI equipment can track applications in use, what is done while using these apps, the locations of users, the video content viewed, and contacts. It can also shut down entire networks, websites, services, slow down internet traffic so that people cannot transmit videos or photos, or block traffic altogether.

forced posts removal from Facebook continue in Azerbaijan

On January 13, Elmir Abbasov, a member of NIDA movement, was taken against his will to local police station in the city of Sumgayit where he was questioned over his Facebook post about president Ilham Aliyev.

In his interview with Azadliq Radio, Abbasov said, he was on his way to a shop when a man told Abbasov to get into the car for a chat at the police station. Abbasov, who said without a warrant he won’t be going anywhere, was then shuved into the car and taken to the station by force.

Abbasow spent the next two hours at the police station, where he was informed that the reason for his interrogation was a Facebook post, he wrote about the President. He was told to immediately delete the post. 

AIW spoke with Abbasov about the content of the post which is no longer available on the social media platform.

Under normal circumstances this post would not be considered critical but in Azerbaijan, the sensitivity around certain personalities as in the case of the president are common and not tolerated. 

In the case of Abbasov’s post, it was a comment about an economic system heavily reliant on hydrocarbons. This has been voiced by international financial institutions, experts and pundits alike for a long time.

Similarly, Abbasov’s post stressed the country’s economy, over reliance to fluctuating oil price as a result of its dependence and recommended that the president takes recommendations by independent economists seriously rather than dismiss them. 

Three days before Abbasov was taken to the police and ordered to delete his post from Facebok, one freelance journalist [name omitted due to safety concerns] was told to delete a Facebook post, that was critical of the local law enforcement. Namely, the journalist desrcibed seeing one officer, take a bribe from a man stopped on the street as part of the COVID measures in place. The source told AIW, the measure was taken in an attempt to keep the reputation of the local agency clean.

opposition party boss seeks justice at the European Court of Human Rights

Ali Karimli, the head of the opposition Popular Front Party, and his spouse Samara Seyidova said they are preparing for the European Court of Human Rights, having received no response from domestic courts concerning their home internet connections being cut off since April of last year.  

AIW was documenting Karimli’s case since April 13 when the opposition boss encountered connection issues before a live interview with journalist Sevinc Osmangizi [for the detailed timeline please visit here]. 

Since then, despite numerous attempts, the leader of the Popular Front failed to resolve the problem through domestic courts. Most recently, the ruling of the Baku Appeal Court confirmed previous court decisions, thus ruling against the party head. The court of appeal is the final legal entity to accept and deal with similar complaints. “In such cases, the appeal to the Supreme Court is not expected. This is why we intend to take our complaint to the European Court,” said one of the lawyers defending Karimli in an interview with Azadliq Radio. 

The defendants are the Ministry of Transportation, Communication and High Technologies, Azercell mobile operator, AzQTEL internet provider, the Ministry of the Interior, State Security Service, and the Special State Protection Service. According to Karimli his rights were violated under Articles 6 (right to a fair trial), 8 (right to respect of family and private life), 10 (freedom of expression), 14 (prohibition of discrimination), and 18 (Limitation on use of restrictions on rights) of the European Convention on Human Rights

Karimli’s access to the internet was restored twice since April. Once on January 12 and in May but only briefly, for few hours. Karimli is certain the decision to cut him and his familly off internet is political. Government supporters think otherwise. Siyavush Novruzov, a parliament member, blamed Karimli for not paying his bills on time and laying the responsibility on the government. In the meantime, Azercell, the mobile operator [with ties to the government], said in a statement it does not discreminate among its customers based on their political views. 

But while government representatives and affiliated companies claim otherwise, Karimli and his family members had their rights violated. According to a fact checking platform FaktYoxla Karimli’s case, goes against severeal articles and guarantees specieifed by the national constitution and can be described as an unlawful interference. Specifically, it is against the right to equality and freedom of expression, right to live in safety and privacy. In addition, actions against Karimly contradict the provisions of the Law on Telecommunications, Access to Information and Personal Information and are criminalized by criminal law.

AIW will continue documenting developments in the case of Ali Karimli and the family. 

Azerbaijan not free in Freedom on the Net annual report

Azerbaijan ranked “not free” in this year’s Freedom House, Freedom on the Net report. Among key factors are the overall infrastructural challenges, a monopoly over ISPs, and distributed Internet traffic, state control over the information and communication technology, blocked access to most websites that host unfavorable news coverage, and new forms of restrictions introduced during COVID-19. 

According to the report, there is an overall decline in internet freedoms across the world:

Global internet freedom has declined for the 10th consecutive year: 26 countries’ scores worsened during this year’s coverage period, while 22 countries registered net gains. The largest declines occurred in Myanmar and Kyrgyzstan, followed by IndiaEcuador, and Nigeria. A record number of countries featured deliberate disruptions to internet service.

On the bright side, countries like Sudan and Ukraine experienced the largest improvements, followed by Zimbabwe find the report. And while Iceland was the top performer China was found to have the worst conditions for internet freedom. 

The report highlighted some new trends that have emerged globally: 

[…] this year Freedom on the Net observed intentional disruptions to connectivity in a record 22 out of 65 countries. Many of these disruptions, including Iran’s November 2019 countrywide blackout and shutdowns in Moscow in August and September 2019, were directly precipitated by protests. Such practices are an ultimate expression of contempt for freedoms of association and assembly, as well as for the right to access information.

Azerbaijan was ranked partly free last year. 

spotted: sandvine back at it, this time, in Azerbaijan

In August, when people in Belarus took the streets across the country in protest of election results where incumbent President Lukashenka secured yet another victory in a contested presidential election, authorities deliberately cut the internet. Quickly, experts concluded DPI technology may be in use. By the end of August, it was reported that this DPI technology was produced by the Canadian company Sandvine and supplied to Belarus as part of a $2.5million contract with the Russian technology supplies Jet Infosystems.

DPI (Deep Packet Inspection) is known as digital eavesdropping that allows information extraction. More broadly as explained here, DPI “is a method of monitoring and filtering internet traffic through inspecting the contents of each packet that is transmitted through an inspection point, allowing for filtering out malware and unwanted traffic, but also real-time monitoring of communications, as well as the implementation of targeted blockings and shutdowns.” 

Canadian company Sandvine is owned by American private equity firm Francisco Partners.

 

Sandvine technology has been detected in many countries across the world, including in Ethiopia, Iran, as well as Turkey, and Syria as previously reported. One other country where Sandvine technology was reportedly deployed is Azerbaijan

In Azerbaijan, the DPI deployments have been used since March 2017. This was reported in January 2019, when VirtualRoad, the secure hosting project of the Qurium – Media Foundation published a report documenting fresh attacks against Azerbaijan’s oldest opposition newspaper Azadliq’s website (azadliq.info). The report concluded: “After ten months trying to keep azadliq.info online inside Azerbaijan using our Bifrost service and bypassing multi-million dollar DPI deployments, this is one more sign of to what extent a government is committed to information control”.  

Another report released in April 2018 showed evidence of the government of Azerbaijan using Deep Packet Inspection (DPI) since March 2017. The report also found out that this specialized security equipment was purchased at a price tag of 3 million USD from an Israeli security company Allot Communications.

Now, according to this story reported by Bloomberg, Sandvine worked with Delta Telecom – Azerbaijan’s main internet provider and owned by the government to install a system to block live stream videos from YouTube, Facebook, and Instagram. “The social media blackout came last week after deadly clashes with Armenia. As a result, people in Azerbaijan couldn’t reach websites including Facebook, WhatsApp, YouTube, Instagram, TikTok, LinkedIn, Twitter, Zoom, and Skype, according to internet monitoring organization Netblocks,” wrote Bloomberg. 

Azerbaijan Internet Watch has been monitoring the situation on the ground since September 27, the day when clashes began. Together with OONI, Azerbaijan Internet Watch reported that access to several social media applications and websites was blocked. 

Access to the Internet remains throttled in Azerbaijan as of writing this post. Many of the social media applications remain accessible only through a VPN provider. As a result, authorities have resorted to other means in order to prevent users from using VPN services. From banks to ISPs encouraging users not to use VPN services, this account on Facebook made a list of VPNs alleging they were of Armenian origin in order to discourage users.