Azerbaijan’s presidential website has briefly published, then quietly removed, a detailed regulation outlining how the State Security Service would collect and access personal data on citizens and residents through a new centralised system.
The document, titled the Charter for the Centralised Information and Digital Analytics System (MIRAS), appeared on the presidential website on Friday. It detailed the technical architecture, data sources, and access protocols for the system. The document was published at 16:14 Baku time through the following link — by 17:23, it was gone, returning a ‘Error 404 — Not found’ message.
Presidential Decree No. 533, which formally establishes the system and orders government agencies to integrate their databases, remains publicly accessible. Several other government announcements published the same day also remain online. Only the technical charter detailing surveillance capabilities was deleted.
The document outlined vast swathes of data that will be uploaded to the security service’s database, either automatically or manually, including people’s identification info, location data from surveillance systems, family, health conditions, including mental health history, and more.
The deleted charter (available here), organised into eight articles with multiple subsections, specified that the State Security Service would serve as both owner and operator of the system.
Article 1 established the legal framework and stated that ‘information and electronic documents created, obtained, and collected in the system are the property of the Republic of Azerbaijan’.
Article 3, subsection 2 enumerated 35 specific categories of personal information the State Security Service would obtain from other government databases through the Electronic Government Information System. These include:
- Identity and movement: Complete identification data from identity cards and passports including photographs, full residential registration histories, driver’s licences, vehicle ownership records with registration plates, border crossing records, travel restrictions, and real-time video surveillance feeds from the Safe City system.
- Family and personal status: Family composition with identification details and photographs of all family members, birth and death records, marriage and divorce records, paternity determinations, nationality declarations, and any changes to names or surnames.
- Citizenship and immigration: Citizenship acquisition, restoration, and termination of citizenship, identification data for stateless persons including country of origin, foreign residence, and work permits (with specific attention to Karabakh and Eastern Zangezur economic regions), extensions of temporary stays, and databases of foreigners banned from entry or restricted from leaving.
- Criminal justice: Individuals subject to arrest as a preventive measure, convicts, arrest and sentence execution status, court verdicts and final decisions, wanted persons, criminal cases, and payments related to sentence execution.
- Health information: Health status information and specific identification of individuals registered for narcological or psychiatric treatment.
- Financial and economic: Employment status including electronically signed labour contracts, pension and social benefit payments, utility subscriptions for electricity, water, and natural gas, tax registration, business activities and addresses, legal entity registration details, and information about company directors.
- Education and professional: Educational credentials and state education certificates, and for civil servants specifically, comprehensive professional histories including employment activities, state service records, scientific activities, foreign language skills, conference participation, honours and awards, and disciplinary measures.
- Private details: Registration of civilian weapons and related permits and certificates, religious organisation registration, tourism service providers including hotels and tour operators, passenger and crew data from aircraft operators, radio frequency allocation decisions, and civilian drone registration including operational permits and pilot licenses.
The prior article, Article 2, detailed the system's technical architecture across eight subsections. The infrastructure included software and hardware, dedicated telecommunications channels managed jointly by the State Security Service and the Special State Protection Service for Communications and Information Security, backup data storage in the State Security Service’s data centre, and pre-production testing environments.
The charter specified that data would flow in real-time where possible through integration with the Electronic Government Information System. When real-time transfer proved impossible, documents would be submitted through electronic dashboards authenticated with enhanced qualified electronic signatures.
Article 4 described access protocols. Government agencies with their own databases would connect through automatic integration with the Electronic Government Information System. Organisations without such systems would access through electronic dashboards, with responsible persons designated by organisational leadership. Individual citizens would receive automatically generated electronic dashboards after authenticating through the government’s Unified Login system.
Articles 5 and 6 listed 19 duties and four rights for the system’s owner, and 17 duties and six rights for the operator, both roles assigned to the State Security Service. The duties focused on maintaining system integrity, ensuring information security in cooperation with the Special State Protection Service, and reporting security threats to the Ministry of Digital Development and Transport.
Subsection 5.1.4 required the State Security Service to provide the Ministry of Digital Development and Transport with access to assess the system’s operations and monitor compliance with legal requirements.
Article 8 granted users seven rights, including accessing open information, reviewing information about themselves, requesting corrections, using electronic services, and complaining administratively or to the courts about rights violations. The State Security Service retained authority to accept or reject correction requests.
Contrasting statements and a pattern of deletions
The surveillance system’s establishment contrasts with public statements made weeks earlier about data protection. On 9 October, Farid Zeynalov, head of the Electronic Security Service under the Ministry of Digital Development and Transport, announced at the Critical Infrastructure Defence Competition conference that his agency had prepared a draft law on the protection of personal data.
‘Any innovation must be implemented in a balanced manner with security, and these innovations must also serve to protect people's rights’, Zeynalov said, as reported by the Report news agency.
‘For this, it is essential to have an appropriate legislative base. We hope that the prepared new draft law will respond to modern challenges and serve to reliably protect citizens’ rights’.
Zeynalov also discussed privacy challenges posed by technology, including smart city infrastructure and mobile phones, which he said collect massive amounts of identity, behavioural, and biometric data. He warned that vulnerabilities in equipment could lead to infrastructure compromise and personal data theft.
The data protection law Zeynalov described has not been published. The surveillance system charter appeared six weeks after his remarks.
This is also not the first time documents have disappeared from Azerbaijan’s presidential website. An announcement from October 2019 showing Azerbaijani President Ilham Aliyev awarding the Heydar Aliyev Order to Ramiz Mehdiyev, the then-head of the Presidential Administration, was removed from the site after Mehdiyev fell from grace. The article, including photographs of the ceremony, can now only be found through internet archives.
Removing the detailed charter while keeping the decree establishing the system could suggest deliberate decision-making about what technical information should remain public.
Presidential Decree No. 533, dated the same day, remains accessible on the presidential website. The decree orders the creation of the Centralised Information and Digital Analytics System and requires government agencies to integrate their databases, but does not specify the categories of data to be collected or the technical architecture.
Other legal announcements published on Friday, including decrees about awards, personnel matters, and unrelated legislation, also remain available.
Nate Ostiller
