The Armenian legislation quite clearly defines the surveillance of phone and electronic communication. Only a few structures, including the RA National Security Service, the Police, and the Anti-Corruption Committee, have extensive wiretapping capabilities.
On the other hand, there are no clear-cut mechanisms that would make this sector transparent and accountable to the public.
The latest developments suggest that things are changing in the country: apart from the traditional wiretapping of phones, more sophisticated digital tools are emerging, making the control over citizens deeper and more comprehensive. This, in turn, raises concerns about whether these tools will be used within the law, in line with the requirements of democracy and civil liberties.
Legislative and institutional regulations
The main legislative regulation is carried out within the framework of the law ON OPERATIONAL INTELLIGENCE ACTIVITIES, which was adopted in 2007 and has been revised and supplemented several times since then[i].
The law determines the state bodies that have the right to monitor phone communication. According to Article 14 of the Law (Types of operational intelligence measures), these are the Police, National Security Bodies, and the Anti-Corruption Committee. Apart from that, the bodies of the penitentiary service have the right to conduct wiretapping, but only in the premises of the penitentiary institutions of the RA Ministry of Justice.
It should be noted that the RA Anti-Corruption Committee is a newly established structure in the law enforcement system: it was established and has been operating since October 23, 2021.
Until January 2020, the Police did not have the opportunity to conduct wiretapping on their own either. They used the capacities of the National Security Service, which made the NSS extremely influential in the field of wiretapping. Moreover, the data collected for the Police ended up at the disposal of the NSS as well. The RA National Assembly initiated changes in the Law “On Operational Intelligence Activity”, which turned the Police into an independent structure in this matter, creating some counterbalance to the NSS. However, during the discussions at the National Assembly it became clear that the Government had a completely different approach to this issue: to create a separate independent organization and transfer the right of wiretapping to it[ii].
According to Article 26 of the Law, surveillance of digital communication, including telephone communication, covers the following:
1. in the case of a fixed or mobile telephone network the content of telephone conversation, text, image, audio, video and other messages, the subscriber’s incoming and outgoing calls, the telephone numbers indirectly related to the subscriber, the time of starting and ending the telephone communication, and in case of call forwarding or transferring, the phone number to which the call was transferred;
2. in the case of Internet communication, including telephone communication via Internet and electronic messages transferred via Internet, the content of the communication, incoming and outgoing calls via Internet (each piece of data in a form that allows or may allow the communicator to be identified);
3. when implementing the operational intelligence measures envisaged by this Article, the telecommunication organizations are obliged, upon the request of competent authorities, to provide technical facilities and create other conditions necessary for the conduct of operational intelligence measures.
According to Article 9 of the Law, the implementation of the operational intelligence measure of digital surveillance, including wiretapping, is ensured only by the General Operational Technical Department functioning within the system of the Republican National Security Body of the Republic of Armenia. That body is directly managed by the head of the NSS. The head of the General Department is appointed to and dismissed from the position by the Prime Minister.
The General Department ensures the necessary operational and technical conditions for telecommunication operators.
The surveillance of digital and telephone communication by the police, penitentiary service or the Anti-Corruption Committee is carried out by creating operational and technical conditions, including the provision of channels and resources by the General Department. At the same time, the law requires that the National Security Service excludes the supervision and corroboration of these data, information and reports, if the wiretapping party is not the NSS itself.
Wiretapping can be carried out only in cases where there are apparent grounds to suspect that the person to whom they are to be applied has committed a serious or particularly serious crime, and it is reasonably impossible for the body conducting the operational intelligence measure as assigned by the Law to obtain the necessary information in any other way.
It is noteworthy that the collection of such data is prohibited when the targeted person is communicating with his/her lawyer, representative or legal representative. If such data are obtained for any independent reason, then the information containing legal secrets is subject to immediate destruction.
Article 32 of the Law states that wiretapping is carried out on the basis of a court decision. In cases when delay in implementing an operational intelligence measure such as digital or phone communication surveillance may result in an act of terrorism or in events or actions threatening the state, military or environmental security of the Republic of Armenia, the General Department ensures the implementation of these measures. However, the body that applies to the General Department must within 48 hours submit to the General Department the excerpt of the decision of the court on permitting or denying permission to undertake those measures.
Article 39 reads that the term for the decision to conduct an operational intelligence measure is calculated starting from the day of its adoption and cannot exceed 2 months. The decision period may be extended. Moreover, each court’s permission can be given for a period not exceeding two months. And the overall term cannot last more than 12 months.
The developments in Armenia
In recent years, along with the increase in the possibilities of digital surveillance, there has also been an increase in cases that may be considered as abuses of law.
In 2020, during the COVID-19 pandemic, the RA government made several attempts to monitor people’s social connections and movement through phones.
On March 31, 2020, the RA National Assembly adopted the proposal to amend the draft laws “On the Legal Regime of the State of Emergency” and “On Electronic Communications.”[iii] According to those amendments, the Government was granted the right to receive from all mobile operators, and to collect and process in one place, information on all the residents of the country, namely the metadata of phone calls and short messages and the location data collected by mobile operators. Based on those data, a system was created that was supposed to identify the possible circle of people infected with coronavirus. The NSS was appointed as the coordinator of the project, and the technical implementer was an undisclosed private company. On September 25, when the state of emergency was lifted, all collected data were destroyed in the presence of the mobile operators’ representatives.[iv]
A number of issues, however, lacked transparency:
a. No public oversight mechanism was created. No guarantee was given that the system had not been used for other purposes, such as identifying specific people and their connections.
b. It remained unclear who created the system.
c. According to the law, the data collected by the system were to be destroyed at the end of the state of emergency. Since there was no independent supervision over the system, there is no guarantee that the data were indeed fully destroyed, or that the system is no longer functioning.
On November 24, 2021, several dozen people in Armenia received emails from Apple alerting them that they had allegedly been attacked by a state-sponsored hacking group. CyberHUB-AM is aware of more than twenty such cases in Armenia. This was global in nature: the alert disseminated by Apple did not refer only to Armenia. It is worth recalling that a few hours before the emails were received, Apple had announced that it was suing the Israeli NSO Group, which creates and sells spyware to government agencies for intelligence operations. The spyware is called Pegasus, and most probably the email was addressed to the potential victims of this program.
Some announced publicly that they had received such emails. Artur Vanetsyan, former head of the National Security Service and currently one of the leaders of the “With Honor” opposition parliamentary bloc, was one of them[v]. Another was Davit Sanasaryan[vi]. Later, lawyer Anna Karapetyan reported the same[vii]. The Minister of High-Tech Industry Vahagn Khachatryan (currently the President of Armenia) also told journalists about receiving an email from Apple[viii]. According to cyber security expert Ruben Muradyan, he had discovered Pegasus on Vanetsyan’s and his relatives’ phones 2 months earlier[ix]. It should be noted that before that Armenia had never appeared on the list of countries that use Pegasus at the state level. There is also an assumption that it was used by the special services of a third country. Given the list of possibly infected users and the fact that everyone received the alert email at the same time, it can be assumed that Apple could have included several waves of attacks in one phase of its warning campaign. It is quite possible that we are dealing with several cases where the infections could, for example, be driven by external and internal political reasons, since all the users infected with the spyware could hardly be of interest to one party that carried out an attack.
In the case of Pegasus there were doubts that some of those who received notifications could be the target of a domestic attack, but there were no real clues. The situation changed at the end of the year. On December 16, 2021, for the first time, Armenia as a state directly appeared on the list of countries that use spyware to infect and spy on people’s phones within the country. This was discovered by Facebook[x] and CitizenLab[xi]. The targets were politicians and people related to media. Spyware for Android and iPhones produced by Macedonian company Cytrox was used. It was disseminated through fake links mimicking real websites, for example, youtu-be[.]net. There were also cases of infection attempts through SMS and messages sent via messengers. Later, Google, referring to this topic, clearly stated that, in their view, this had been carried out by the state structures of the Republic of Armenia: “Consistent with findings from CitizenLab, we assess likely government-backed actors purchasing these exploits are operating (at least) in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain and Indonesia.”[xii]
Of course, there is no clear evidence on the use of Pegasus by Armenian state structures. The beneficiary of the use of Predator is not clearly known either. On the other hand, according to Point 3 of Article 7 of the Law “On Operational Intelligence Activity”:
“The use of special technical and other means envisaged (developed, planned, adjusted) for obtaining confidential information and implementation of operational intelligence measures by state authorities, subdivisions or natural and legal persons not authorized under this Law shall be prohibited.” This implies that a report on a crime has been published, on the basis of which a criminal case should have been initiated. Nevertheless, the Police or NSS have not disseminated such information.
It turns out that one of the major problems today is the lack of any mechanism of public oversight in this field. There is no possibility to oversee the activities of power structures, as all the work is basically a state secret. According to the Law ON OPERATIONAL AND INTELLIGENCE ACTIVITIES, during the entire implementation period of operational intelligence measures, information on the forces, means and resources, methods, plans and results of those measures, their financing, and the secret staff members of bodies carrying out operational intelligence activity, including persons cooperating or having cooperated on a confidential basis, is deemed to be a state secret. And Armenia, in fact, has no efficient public oversight mechanisms that would hold accountable the structures that operate under the umbrella of state secrecy. Thus, civil society has no toolkit to monitor the situation or influence it.
[i] https://www.arlis.am/documentView.aspx?docid=128809
[ii] The police have been allowed to tap phone conversations, https://www.irazek.am/hy/news/14110
[iii] Armenia: Parliament Passes Bills to Access Mobile Phone Data to Identify Covid-19 “Contact Circles”, https://hetq.am/en/article/115353
[iv] “Statement on destruction of information and storage devices [in Armenian],” Government of Armenia, September 25, 2020, https://www.gov.am/u_files/file/Haytararutyunner/Ardzanagrutyun.pdf
[v] Artur Vanetsyan’s post – https://www.facebook.com/avav111/posts/4128774197228456
[vi] Davit Sanasaryan’s post – https://www.facebook.com/sanasaryan/posts/10226843862500815
[vii] Anna Karapetyan’s post – https://www.facebook.com/anna.karapetyan.1238/posts/4762248813827737
[viii] The video of Vahagn Khachatryan’s statement – https://www.facebook.com/Yerkirmedia/videos/1328478160938430/
[ix] Ruben Muradyan’s post – https://www.facebook.com/ruben.muradyan/posts/4521469627973414
[x] Threat Report on the Surveillance-for-Hire Industry, December, 2021, https://about.fb.com/wp-content/uploads/2021/12/Threat-Report-on-the-Surveillance-for-Hire-Industry.pdf
[xi] Pegasus vs. Predator, 16 December, 2021, https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/
[xii] Protecting Android users from 0-Day attacks, May 19, 2022, https://blog.google/threat-analysis-group/protecting-android-users-from-0-day-attacks/