in Azerbaijan a COVID tracing app draws much suspicion over privacy issues [updated]

In July, authorities in Azerbaijan released it’s very own COVID tracing tracker application. Launched by Tebib (Azerbaijan Administration of Regional Medical Division) the app was quick to draw attention, especially over its privacy issues. 

e-Tebib is just one of the deluge of apps that have been unveiled in recent months by various governments, promising to detect COVID-19 exposure and not only. According to this detailed MIT review, some of these apps are “lightweight and temporary, while others are pervasive and invasive” like the Chinese version which attains access to user’s identity, location, online payment history “so that police can watch for those who break quarantine rules”. 

In Azerbaijan, the police were already on the watch, with a mandatory SMS mechanism that required citizens to receive permission slips via SMS before going outside.  So why ask citizens to install an app, that technically does nothing new or does it?

Features and concerns

According to the app’s description, “E-Tebib is designed to inform users in real-time about the number of patients (both sick and recovered) in Azerbaijan.” Currently, the official data is available here and the numbers are updated once a day – based on the numbers reported by the Operational Headquarters set up under the Cabinet of Ministers of the Republic of Azerbaijan (the unit was established on February 27). It is unlikely the app will be providing real-time indicators when the main body in charge only shares the information once a day. 

In addition, article 4.4 in the user agreement of the app, explicitly states that any information, obtained through the app, may not be precise, correct, or trusted. 

And yet, the app also claims to reduce the number of infected patients by informing users of potential COVID infected patients around them via Bluetooth technology. 

Although the app claims it does not collect any personal data aside from user’s phone number the article 5.3 of the license agreement states, the center [the Ministry of Communication, Transportation and High Technologies who owns the app’s license] collects users’ names, last names, phone numbers, social media accounts, emails, national ID numbers, and location. Article 5.4 mentions the center sharing of this information with third parties. These third parties may analyze collected information including users’ browsing history [The center does claim that it does not allow third-parties, to use the obtained information for other purposes]. Article 5.5.1 states the center may share users’ information with government bodies and/or representatives’ legal requests; court orders; or under any other legal condition. Article 5.6 states that users’ information may be shared with third parties in other countries for security purposes. Article 5.10 states that all user-related data is kept for a month. But it fails to explain whether the same expiry date applies to “third parties” that may have accessed users’ information.

The application is developed by A2Z Advisors LLC and the app’s privacy policy is linked to the company’s website. The landing page, however, does not provide any information on the app’s privacy policy. When reached out for a comment, AIW was recommended to send an email which at the time of writing this post remains unanswered. Similarly, in the App Store for IOs when clicking on “App Support” tab, the page once again leads to A2Z company website but does not actually provide any information related to the App. Instead, the privacy policy is accessible via this link that a user can access only after downloading and launching the app. 

According to the app’s version history at App Store, the application was released a month ago. The latest “update” was done 2 days ago [July 7].

The app’s further transparency criticism comes from the fact that it is not an open-source code and its license belongs to the Ministry of Communication, Transportation, and High Technologies. 

The biggest concern – the location of the data storage; the duration of the data storage; and who has access to this data.    

In Azerbaijan however, other concerns have also been voiced – that the application is only available for native speakers and that ex-pats living in the country are unable to use the application. It is also not catered to people with disabilities. 

FaktYoxla, a fact-checking platform in Azerbaijan concluded after a detailed legal analysis over the license agreement that e-Tebib is not designed in accordance with national legislation on data privacy.

On July 10, following widespread privacy concerns and questions over the app’s transparency, changes were made to its terms of the agreement. Originally users’ information was transferred to third parties, which were not explicitly defined in the agreement. At the time, independent experts and lawyers said this was against Article 32 of Azerbaijan’s state constitution and in violation of Article 8 of the European Convention on Human Rights.  Azerbaijan’s constitution, namely, Article 8, stipulates that no one has a right to collect personal information without individual’s permission. The convention, on the other hand, refers to respect to privacy. 

The new license agreement now says that only under necessary circumstances, and within the normative legal framework personal information may be transferred to third parties. The revised agreement, still, fails to explicitly mention the precise list of institutions considered under third parties.

Although this last point was later addressed by Fuad Niftaliyev – the head of the app development project. Niftaliyev explained that the third parties referred to in the agreement are: Ministry of Health, Tebib, and the Operational Headquarters [set up under the Cabinet of Ministers of the Republic of Azerbaijan]. According to Niftaliyev, the collected information is stored on the servers operated by the Ministry of Communication and Information. The last point is itself problematic, as the transparency of government institutions in Azerbaijan is problematic especially as surveillance technology is widely used by the ministries alike. 

For potential users of the app, this remains problematic, especially when there is no option “B” if one disagrees with terms of service.

zoom calls between senior opposition figures leaked online

Between May 13 through 17, four different video clips from private Zoom calls were leaked online. The videos were taken from calls that took place between senior members of the National Council of Democratic Forces (NCDF), an alliance representing several opposition parties in Azerbaijan.  The members of the council called the leak a cybercrime committed on behalf of the ruling government. Some have called on the authorities to investigate as this is a breach of privacy according to national legislation, while others, claimed authorities were using NSO Group’s Pegasus spyware.

Until now, no clear evidence emerged indicating that indeed, Pegasus is being used in Azerbaijan. And while AIW continues its investigation into the recent leak, here is a detailed look at other available surveillance and disruption technology the government of Azerbaijan has purchased over the recent years that have the potential of eavesdropping on users’ devices. That, combined with the recent numerous reports about the Zoom app’s security vulnerabilities may provide at least some answers.

What spyware technology Azerbaijan has purchased until now

The interest in snooping on Azerbaijani nationals is not something new for a country that has been criticized by international human rights watchdogs for years over its poor record on human rights and freedoms.

In 2012, an investigative documentary film revealed how companies owned by Teliasonera [namely Azercell in Azerbaijan at the time] “allowed for “black box” probes to be fitted with their telecommunication networks. These boxes allowed for security services and police to monitor in real-time and without any judicial oversight all communication passing through, including texts, internet traffic, and phone calls.”

Two years later, Azerbaijan investigative journalist Khadija Ismayilova revealed that the country’s largest telco had ties to the ruling family, namely to the two daughters of President Ilham Aliyev, raising questions about Internet surveillance and communications security.

The same year, Citizen Lab, identified Azerbaijan, among potential customers of Milan based Hacking Team that sold surveillance equipment called Remote Control System (RCS) to Azerbaijan as well as many other countries whose rights and freedoms record been marred with violations.

“The capabilities of its flagship product, the Remote Control System (RCS), include extracting files from a targeted device, intercepting emails and instant messaging, as well as remotely activating a device’s webcam and microphone.”

Source: New traces of Hacking Team in the wild

Among significant features of RCS are:

  • capture data that is stored on a target’s computer, even if the target never sends the information over the Internet;
  • enable government surveillance of a target’s encrypted internet communications, even when the target is connected to a network that the government cannot wiretap;

  • copy files from a computer’s hard disk, record skype calls, e-mails, instant messages, and passwords typed into a web browser;

  • turn on a device’s webcam and microphone to spy on the target

Moreover, the same CitizenLab report identified an active endpoint in Azerbaijan that was active between June and November 2013 – the year, when Azerbaijan had its presidential election [October] and accidentally announced the results of the election over an app before the voting even began.

In 2015, Organized Crime and Corruption Reporting Project (OCCRP) confirmed that the Azerbaijan government was indeed a customer of the Hacking Team. Pointing at records showing the country’s Ministry of Defense among the company’s clients.

Also in 2015, the Azerbaijan government expressed interest in purchasing Dataminr technology for its ability to “explore an individual’s past digital activity on social media and discover an individual’s interconnectivity and interactions with others on social media.”

The company’s 2015 marketing material, […] suggests that identifying individual users was a key part of Dataminr’s pitch to foreign governments by allowing users to quickly locate the “original source” behind a breaking news alert, and then find that person’s most popular tweets, what hashtags they have used in the past, and who has shared their tweets.

AIW reached out to Dataminr to confirm whether the transaction took place and received the following response:

“We currently do not have any relationship with the Government of Azerbaijan nor do we intend to do so in the future.”

The same year, the government purchased specialized security equipment – Deep Packet Inspection (DPI) to be used to monitor and block social media during the first European Games, Baku was hosting. The equipment was purchased for 3millionUSD from an Israeli company Allot Communications.

In 2016 before access to independent online news platforms is blocked, evidence shows, how the government was behind generating artificial internet network congestion within Azerbaijan to prevent access to RFERL Azerbaijan Service; VoA; and Meydan TV. The same year, first mass, spear-phishing attack targets prominent rights defender and former political prisoner Rasul Jafar.

In March 2017, the same DPI technology that purchased in 2015, is used to block some of the main independent media platforms in the country.

Also in 2017, Azerbaijan purchased another Israeli surveillance product, Verint Systems which was used in targeting of LGBTW+ on Facebook.

“I was training [clients on the use of Verint software] in Azerbaijan,” related Tal. “One day, the pupils came to me during a break and asked how they could [use the software to] determine someone’s sexual preference on Facebook. It was only later, when I read about the issue, that I discovered the country is notorious for persecuting the [LGBT] community. Suddenly things came together,” said one former Verint employee in an interview.

In general, the volume of digital attacks on representatives of civil society in Azerbaijan has been on the rise in recent years and especially since 2018. This was also highlighted in 2018 by Access Now, Digital Security Helpline. Many of these and other cases were covered here and here.

Meanwhile, AIW also looked into the possibility of Pegasus software being used in Azerbaijan following the claims made by some of the civil society representatives in the country. So far, AIW found no evidence for this to be the case. However, there is plenty of other technology available that can help the ruling government to eavesdrop and snoop around.

Taking into account Zoom vulnerabilities

Over the recent months, a number of reports on Zoom’s security vulnerabilities have also made it clear, that without E2E (end to end corruption) and with several other security-related shortcomings, Zoom does not offer, fully secure communication platform and that potential loopholes within the program may have made the leak reported in Azerbaijan possible.

  1. according to researchers at Morphisec Labs there is a Zoom app bug that can enable malicious actors to record Zoom sessions and capture chat text without any of the meeting participants’ knowledge. The malware also prevents any users in a meeting from being made aware of the recording;
  2. malicious actors can assume control of a Zoom user’s microphone or webcam;
  3. Zoom could be compelled to hand over data to governments that want to monitor online assembly or control the spread of information as activists move protests online;

The last point, is especially important, as unlike companies like Google, Facebook an Twitter, Zoom is yet to release information about whether there have been cases of government requests for data it gets, and how many of those requests it complies with. The company was encouraged to do so following an open letter and Zoom promised to publish a transparency report.

Back to Azerbaijan

Taking into account the history of surveillance and equipment purchased by government vendors over the last decade, the consistent crackdown against activists during COVID, it is likely that combined with Zoom’s security vulnerabilities, the leaked video calls were recorded by a third actor, and later leaked online for the purpose of sowing discord among opposition groups.

in Azerbaijan SMS notification system grants permission to leave homes [updated]

As of April 5, residents across Azerbaijan can only leave their apartments having informed local law enforcement via SMS, a phone call or if in possession of a special certificate of employment.

Azerbaijan remains among countries, which haven’t declared a “state of emergency”. Instead, they are referring to new restrictions as part of the “strict quarantine regime”.

How SMS notification system works

Permission to go outside is granted for the following reasons:

  • receiving medical treatment;
  • buying medication or groceries;
  • visiting a bank or a post office;
  • attending a funeral of a close relative

Before leaving, SMS is sent out with a national ID number indicating the reason for going outside. The sender then gets an SMS in response with a code, which can then be used when stopped by the police officers.

There is no further information about the tracking mechanism, its transparency, and whether authorities have developed or relying on a special tracking application to monitor its citizens.

So far, the new restriction has proven to serve the financial interests of the authorities.

Hebib Muntezir, Azerbaijan journalist wrote,


Translation: Yesterday (April 6), a total of 456thousand SMS was sent from 223thousand phone numbers. Of these 284thousand SMS (approximately 62%) were of irrelevant nature. Some received responses immediately, others in half hour, and some in an hour. 6 nationals who have violated the quarantine regime were arrested, 3800 were fined. If we take AZN100 per person that makes AZN380,000 [of collected fines] in just one day. #stayhome

The new fines were introduced on April 3. The fines range from AZN100-200 (USD60-USD120) and include up to a one month administrative arrest.

To understand the potential surveillance implications of this new restriction, AIW spoke to legal expert Emin Abbasov.

“Based on what we know so far, the goal is reportedly to limit freedom of the movement via permission regime relaying users’ requests via mobile devices. However, without knowing whether an SMS can be used to start tracking a mobile device (current assessment indicates that the mechanism in place isn’t used in tracking mobile devices) the notifications are only used to limit freedom of the movement. It is not an application. It is more like an information resource or a system. But the collection of information here is done on compulsory basis, not voluntarily. As a result, this should fall under special legal regime. That is, the issue is very complicated and still unclear. What is clear, however is that when there are limitations on rights and freedoms these limitations fall within the scope of the law on rights and freedoms. What becomes important under these circumstances, is that the emergency decrees issued by the executive authorities that interfere with the rights and freedoms envisaged in the Constitution or International treaties, are required to have a constitutional basis. Another issue is that there are noclear assurances as to whether the information resource (currently in use by the law enforcement) will be destroyed when there is no further need for it. We are yet to see these assurances. And overall, all of the currently adopted decisions are seemingly taken outside of the constitution.

It is indisputable that restrictive measures aimed at combating COVID19 pandemic have a legitimate purpose such as protection of health. However, respect for the rule of law and democratic principles in times of emergency requires that states respect the principle of legality even in an emergency situation. Compliance with the rule of law and democratic principles determines that the restriction of rights and freedoms enshrined in the constitution and international treaties may be limited either by laws (adopted by parliament) or by emergency decisions issued as a result of the extraordinary powers vested in the executive branch by the parliament. However, it is not clear that power of the Cabinet of Ministers in Azerbaijan to issue an emergency decrees that are restricting rights and freedoms are carried out in accordance with those principles.”

So far authorities have warned of further restrictive measures taken if the number of infected cases keeps growing and citizens do not follow through with imposed restrictions.
[Updated] On April 9, Azadliq Radio featured a story where political activist Izzatli Ruslan and investigative reporter Khadija Ismayilova said, requesting permission to leave via SMS, is against the national constitution, article 28 and that together with other representatives of civil society, they intend to take the matter to domestic courts. The right may only be limited in case of the state of emergency, which was not declared in Azerbaijan during the fight against C19.
Izzatli himself was fined in a total amount of 100AZN on the grounds of violating quarantine regimes when he did not provide the permission upon police request. Izzatli was headed to donate blood.
As of May 18, the compulsory requirement has been lifted as Azerbaijan joins the list of countries, slowly opening up.

Azerbaijan using FindFace technology (Qurium Forensics)

On December 4, Qurium released a report documenting how Azerbaijan may have been using FindFace technology. In its analysis, Qurium was able to identify that a server in Azertelecom – backbone internet provider – runs Find Face version 4.0.2.

Find Face made the news in 2016 when its developer NTech lab announced the app as a consumer-oriented facial recognition service, intended for mining data from VKontakte. But the publicity storm ended with NTech Lab announced its decision to withdraw the service from public access and redirect it towards global projects in security and retail (used for instance to identify emotions of customers).

Azerbaijan is already among the customers of Huwai’s facial recognition technology. And in April, Zakir Karimzade, the head of Audatex Azerbaijan said in an interview with a local paper, there was interest in creating a local facial recognition system.

Also in June 2019, Baku was host to the World Customs Organisations (WCO) conference. Among many new technologies discussed and presented at the event, was facial recognition technology.