Executive Summary

Many people who are politically active in Bahrain conceal their true identity online to avoid reprisals or prosecution for criticizing the Government. Unsurprisingly, the Government wants to unmask these anonymous netizens. Since September 2011 or earlier, Bahrain’s Government has been targeting anonymous social media accounts, apparently in an effort to identify their operators. The Government targets accounts using malicious links and social engineering. It appears that the Ministry of Interior’s Cyber Crime Unit is orchestrating the attack. Victims receive malicious links from dozens of online accounts designed to appear legitimate: for example, an account named @Ali_Salman_, which impersonates the Secretary General of Bahrain’s largest licensed opposition party Al-Wefaq, and an account named @QamrAlKhalifa, a fake member of the Al-Khalifa ruling family. In some cases, the accounts are designed to impersonate the friends of a target: for example they created an account @aIboflasa to impersonate @alboflasa, a former army officer who became Bahrain’s first political prisoner after speaking at the Pearl Roundabout. The Government also sends malicious links through Facebook, e-mail, and likely via other services including YouTube, InstaMessage, and mobile messaging services including BlackBerry Messenger and WhatsApp. This attack puts the Cyber Crime Unit in the position of advising against “trusting strangers on social media networks,” while at the same time apparently exploiting this trust to compromise users.

Some of the malicious links sent by the Government are phishing links, as well as links to what appears to be spyware. However, the vast majority of the links are designed to reveal the IP address of the internet connection used to open the link. When an individual connects to the internet on his computer or phone, they are temporarily assigned an IP address by the phone company or internet provider whose service they are using (e.g., Batelco, Zain, Menatelecom, etc). Bahraini law requires that every time an IP address is assigned, the internet service provider must record the name of the subscriber of the internet connection, as well as the date and time. This information must be preserved for at least one year, and the security forces must be able to directly access this information at any time.

The Government apparently discovers an IP address by using various freely available IP Spy services. The services provide an easy three-step process for “locat[ing] your target:” first, you generate a link, then, you send it to your “victim,” who clicks on it, and finally, you receive an IP address via e-mail.

These are the freely available IP Spy services that the Government apparently uses to unmask activists.

Typically, each anonymous account is targeted with a unique IP spy link. When someone clicks on one of these links, the Government receives the IP address of the internet connection used to open the link, and can request the name and address of the internet subscriber. However, this process does not reliably identify the author of an anonymous message. The author is correctly identified only if (1) the individual who clicked is the author of the anonymous message, and (2) the author clicked on the link while using an internet connection registered in their name (e.g., their personal 3G or home DSL service). However, these assumptions are not necessarily valid. Often, the attackers send links using mentions on Twitter; a user is alerted when they are mentioned in a Tweet, but that Tweet is also publicly visible. The attackers likely use this strategy because they do not have access to accounts that are friends of their desired targets; Twitter only allows an account to send private messages to its followers. Because Twitter mentions are public, people other than the intended target can see the IP spy links, and may click on them. Thus, the Government may receive the IP addresses of these people, who are not associated with the anonymous Tweet or the targeted account. We identify more than 120 cases where a Government account targeted a Twitter account with an IP spy link using a public mention. In these cases, an individual not associated with the targeted account may have clicked on the link. Even if an operator of the account clicks on the link, he may not be the author of the anonymous message; many targeted accounts have multiple operators.

Our report shows that in some cases, the Government infiltrates activist social networks by secretly accessing Twitter accounts while their operators are in prison. This allows the Government to privately target any of these accounts’ friends or followers without arousing suspicion. However, even if the Government’s targeting is perfect and the author of the message clicks on the link, they may do so while using a friend’s internet connection, or a public wi-fi access point. In this case, the Government would receive an IP address of someone not associated with the targeted account. In fact, the Cyber Crime Unit issued a recent warning that public wi-fi access points could be used to blackmail their operators. They remarked that this type of wi-fi is prevalent all across the island: “There are scores of open wireless connections from Manama to Riffa.”

Despite the unreliability of this IP Spy method in identifying the authors of anonymous messages, the Government appears to be relying on it to persecute and prosecute. Some anonymous users who have clicked on these links have been subjected to house raids, beatings, arrests, account hacking, and dismissal from their jobs. Some have been convicted in court and sentenced to jail for Tweeting. In many cases, the consequences that these individuals have suffered are apparently a direct result of them having clicked on IP spy links. Some who have been arrested in these cases report that during interrogation, they saw or were shown papers from their internet service provider. Several technically savvy individuals described the papers as showing an IP address and a date and time. Others claim interrogators explained that the papers proved they were guilty of operating their anonymous accounts, and demanded their confession on that basis.

In at least one case, an operator of an anonymous Twitter account clicked on an IP spy link using someone else’s internet connection; the subscriber of the connection was jailed for operating the account despite having no connection to it.

The Government’s IP spy attack has targeted journalists, labor unions, human rights groups, activists, licensed opposition groups, parody accounts, whistleblowers, Sunni groups, vigilantes, and even residents opposed to the seizure of their homes to build a government housing project. We highlight several cases of victims of this attack:

• Ali Faisal Al-Shufa is a 17 year old student currently serving one year in prison for allegedly insulting the King using the @alkawarahnews account. The Public Prosecution claims it linked his IP address to the account on 9 December 2012. Around this time, the Facebook account linked to the Twitter account was targeted with an IP spy link via private message.
• Ammar Makki Mohammed Al-Aali is a teacher currently serving one year in prison for allegedly insulting the King through the @14Feb_Tube account. During cross-examination at trial, Fawaz Al-Sumaim of the Cyber Crime Unit stated that Unit had obtained Ammar’s IP address through “a private way I cannot reveal.” It appeared as though the Government might be operating account after his arrest.
• M was one of the operators of an anonymous village news account on Twitter. M received and clicked on an IP spy link in the Facebook account linked to the Twitter account, while connected through wi-fi belonging to one of the houses in the village. That house was raided three months later by police. Police failed to find a phone or laptop with the account open, and arrested the eldest son in the house, even though he was not associated with the account.
• Salman Darwish was arrested from his home in East Riffa on 16 October 2012, and served one month in prison for allegedly insulting the King using an anonymous Twitter account. His family reported that police extracted a confession from him after a 27-hour interrogation during which they prevented him from drinking, eating, or using the bathroom. The Government apparently took an interest in his account two months prior to his arrest, and may have targeted him via direct message.
• Mahdi al-Basri is a lawyer whose internet connection was used to send Tweets that the Government viewed as insulting to the King from the @karranah14 account. One of the account operators recalled receiving and clicking on a suspicious link in the past while using an internet connection registered to Mahdi. Mahdi was convicted of sending the Tweets, and is currently serving one year in prison.
• Sami Abdulaziz Hassan is the leader of a trade union at Japanese engineering firm Yokogawa Middle East. He was sacked from his job in early 2013 after he was identified as the author of anonymous Tweets exposing alleged labor law violations by his employer. His Twitter account was targeted with IP spy links sent publicly via mentions. His company had filed a complaint about the Twitter account with Bahrain’s police.

We also highlight the following interesting cases of Twitter accounts that were targeted, even though we are unaware of any real-world consequences thus far:

• Twitter accounts advocating for labor issues, including @Garamco_dismisse, and @BAS_OPPRESSED.
• Parody accounts for high-ranking Government officials, including @SheikhKhalifaPM, @RashedKhalifa, @TariqAlHassan, and @Samorarajab.
• An account instrumental in challenging dubious official government stories about individuals killed by security forces, @BAHRAINDOCTOR. She was threatened with arrest, after a friend clicked on an IP spy link sent to her.
• A prominent translator of news from Bahrain into French, with connections in the French media, @BrokenAngel077. An IP spy account said that he had obtained her information, and threatened to “break” her “part by part” unless she agreed to stop Tweeting.
• An account that Tweeted information about Government surveillance programs, and the names of policemen allegedly responsible for abusing detainees in custody, @The_Cheaters1. He noticed initial attempts to target him, but may have eventually been identified.
• An anti-Government account, @mn9oreen_bh. An IP spy account allegedly sent him a link; after @mn9oreen_bh opened it from his phone, the account requested that he open it from his laptop, because it was not possible to spy on his phone.
• Pro-Government residents whose homes may be seized to develop a Government housing project, including @DR3_AL7OORA, @hoora318, and @FYOUSIF00.
• A member of the Saudi ruling family and the wife of a son of Bahrain’s King, @SahabAbdullah8, may have been targeted. An IP spy account appeared to stop a cyber blackmail attempt against Sahab, and then requested her help via direct message.
• Sunni activists and Groups, including the 30 December Movement, and a member of the Al-Fateh Youth Coalition.
• A notorious vigilante account allegedly operated by a member of Bahrain’s ruling family, @mnarfezhom. The Cyber Crime Unit confirmed it had opened an investigation into the account after a complaint was filed accusing @mnarfezhom of defaming high-ranking politicians.

We also issue urgent guidelines to operators of anonymous accounts on how to minimize the chance of their identity being revealed via this type of attack.

Twitter Arrests

In the past year, at least 11 people have been imprisoned and charged with insulting the King on Twitter, according to media reports. They have been sentenced to periods ranging from 1-12 months for violating Article 214 of the Penal Code, which proscribes offending the King. We have compiled the following partial list of those convicted in such cases.

We looked at the legal documents for some of these cases, and talked to the lawyers involved. Some of the lawyers who we contacted were unwilling to publish the legal documents, fearing retribution. We make the following broad observations from the documents:

• It appears the accusations are referring to Tweets made via anonymous accounts.
• At trial, the Public Prosecution’s case rests on “secret evidence” used by the Cyber Crime Unit to link the defendant’s IP address to the anonymous account. The defense argued that this does not constitute proof that the defendant authored the tweets in question. This argument was rejected.
• When the defense requested information on how the IP address was obtained by the Ministry of Interior, the requests were declined.
• The defense argued that a warrant is required to obtain the personally identifying information associated with an IP address.
• In several cases, the defense noted that the anonymous account allegedly operated by the defendant remained active even while they were in prison. The defense argued that the continued activity implied that others could have published the offensive Tweets. This argument was rejected.
• Lawyers requested copies of communications between the Ministry of Interior and internet service providers, as well as copies of search warrants, but often did not receive these items.

We received further information that two of the defendants were allegedly mistreated to extract confessions. For example, Ammar Makki says he was taken to a room with dogs and threatened with torture if he did not sign a paper affirming that he ran the account.

We provide an overview of some of these cases in more detail.

Case: Ali Faisal Al-Shufa

Ali Faisal Al-Shufa is a 17 year old student currently serving one year in prison for allegedly insulting the King using the @alkawarahnews account. We obtained the files for Ali’s court case, and publish selected excerpts below.

A letter from the Ministry of Interior describes how Ali was linked to the account:

Investigations were conducted into a number of Twitter users who are insulting His Majesty the King by spreading insulting terms through their accounts that are followed by a large number of Twitter users. Through these investigations we came across one of those individuals and it is the user of (@alkawarahnews) using protocol number 89.148.xxx.xxx from Batelco on [9 December 2012]. After receiving permission from the Public Prosecutor to gain information about the user of the protocol number, we found that the user is registered under the name of Faisal Ali Ibrahim Mohammed Al Shufa. Through the investigations that we conducted it is clear that the person running the account is the named person’s son Ali Faisal Ali Ibrahim Al Shufa. The individual is spreading tweets insulting His Majesty the King, such as “Al Kawarah/ Burning images of the dictator Hamad…” and “the mercenaries of the fallen Hamad are violently suppressing now…”

The Public Prosecution ordered that Ali be detained after his arrest. During this time Ali’s lawyer attempted to argue that Ali’s detention would negatively affect his studies, because of his young age. The Public Prosecution also ordered Ali’s electronic devices seized and sent to the Ministry of Interior for testing. The reason given for the detention and seizure was that Ali had “publicly insulted the country’s King through publishing terms through the social networking site Twitter,” from 2011 to 2012. The equipment seized included a Blackberry 9900 and a HP laptop. The Interior Ministry obtained the following information from Ali’s phone and laptop:

• Internet search history
• Twitter and Facebook login information
• Images
• Email addresses
• Contacts and text messages

The Ministry of Interior Cyber Crime Unit interrogated Ali, and when asked about his charges, Ali responded:

I would like to inform you that I opened the Twitter account (@alkawarahnews) to spread news of events in the village (Kawarah) and the situation in Bahrain, I began to spread Tweets on the clashes that occurred there…I was tricked by the revolution and believed the rumors of bringing mercenaries from the outside to suppress protesters, kill them and torture them, however I found out that these are untrue.

The Public Prosecution also interrogated Ali. The following is the transcript:

Q: What are the details of your confession?
A: I opened the Twitter account (@alkawarahnews) in March 2011 and in the beginning was spreading news about events that occurred in Kawarah such as weddings and religious festivities and after that I began to spread news of protests that occurred in Bahrain. I also took Tweets from other accounts and Tweeted them myself including terms like (trickster Hamad, dictator Hamad). I did not write these terms myself but copied them from other accounts and pasted them through my own account on Twitter.

Q: When did this occur?
A: I do not remember exactly but I think it was around July 2012.

Q: How were you arrested and summoned?
A: The police came to my house on [12 March 2013] around 2AM and they took me to be investigated, recorded what I said and bringing me to you today.

Q: How long have you been connected to the Internet?
A: I have been using the Internet for a long time, using my personal laptop for personal things and also using my phone to run my personal Twitter account.

Q: What is the display image shown in the account?
A: It is the body of the Pearl Roundabout with wings and a red background with Arabic writing on it saying “Al Kawarah Media Network,” and I made this image.

Q: How many people follow your account?
A: Around 9 thousand, I don’t know.

Q: What is your relationship to them?
A: I don’t know any of them.

Q: How many tweets did your account publish?
A: I don’t remember exactly, around 10 thousand.

Q: What are the terms used in those tweets?
A: Like I said the Tweets were about news from Al Kawarah village but then I published tweets about the demonstrations that were taking place in Bahrain, specifically in Al Kawarah, and some of those Tweets insulted his majesty the King such as (dictator Hamad, the fallen Hamad).

Q: And whom did you mean by those terms?
A: His Majesty the King Hamad Bin Isa.

Q: How do you publish these tweets?
A: I use my mobile phone where I copy them from other accounts and publish them through my own.

Q: What is the reason of using # in those tweets?
A: I use this symbol so the news can be published in accounts such as #bahrain, #14feb.

Q: How many tweets used those terms?
A: I don’t remember exactly, around 5 or 6 tweets.

We contacted @alkawarahnews, who reported receiving two suspicious links around December 2012. One link was from “Red Sky” (https://facebook.com/red.sky.446), and one was from “Save Bah” (https://facebook.com/save.bah.1).

Case: Ammar Makki Mohammed Al-Aali

Ammar Makki Mohammed Al-Aali is a teacher currently serving one year in prison for allegedly insulting the King using the @14Feb_Tube account. Bahrain Watch obtained a portion of the defense’s cross-examination of Lieutenant Fawaz Al-Sumaim of the Cyber Crime Unit. We translate the relevant portion below.

Defense: What information do you have about the case?
Fawaz: Through our daily work monitoring social media and Twitter, we discovered an account that was making verbal defamations against His Majesty the King. Based on this, we carried out the necessary investigation to ascertain the identity of the owner of the account. Our investigation uncovered that the owner is Ammar Al-Aali. We then opened a case file with this information and sent it to the Public Prosecution to get an arrest warrant and a warrant to search his house to obtain the equipment that was used to carry out this crime. After obtaining permission, a police force unit was sent to arrest the defendant and his equipment from his house, who were then accompanied to the department, and a case file was opened to record his statements and confession that he registered the account in question, and that he insulted the King, and that he registered other accounts not mentioned in the file, which were used for the same purposes, to insult the King, in the way described in the file.

Defense: What kind of investigation did you carry out?
Fawaz: It is a secret investigation.

Defense: What was the content of the investigation?
Fawaz: The investigation is a way to get to the user of the account used to insult the King, by finding out the IP address, which determines the identity of the person using the internet line to open the account.

Defense: How do you get the IP address?
Fawaz: Through a private methods of our department that cannot be disclosed.

Defense: Did the defendant write the tweet insulting the King?
Fawaz: Yes.

Defense: Did you continue monitoring the account after the defendant was arrested to see that it was continuing to post tweets that were insulting to his Majesty, the King? Fawaz: That issue isn’t my specialisation.

The Facebook page linked to @14Feb_Tube was friends with a Government account, Amal Al-Shareef (https://facebook.com/Amalalshareeef).

On 13 May 2013 -- more than two months after his arrest -- the account Ammar was accused of operating retweeted this video. The tweet no longer appears on his account.

While monitoring @14Feb_Tube, Bahrain Watch noticed that the account appeared to suddenly become active again in early July 2013. Bahrain Watch reported the account to Twitter as a possible victim of account hacking. Bahrain Watch noticed that the account had been suspended on 16 July 2013.

Case: M

M was one of the operators of a Twitter account that spreads information, pictures, and videos about protests in a specific village (a “village news account”), and its associated Facebook account. In December 2012, the account received an IP spy link from “Red Sky” (http://facebook.com/red.sky.446) in a Facebook private message. M clicked on the link while connected to the internet through a wi-fi connection of one of the houses in the village.

The link that M received in the village news Facebook account

On 12 March 2013, that house was raided around 2 AM by police. According to the family living there, police searched their home, confiscated all computers, and asked family members to unlock their phones. Police looked for open Facebook or Twitter accounts on the phones, seemingly in an effort to find a device with the targeted village news account. The family described how police used a device wrapped in an orange bag to detect the whereabouts of phones hidden in different locations around the house. Police failed to find any device with the village news account open, however, and arrested the eldest son in the house even though he was not associated with the account.

During interrogation, police urged him to confess that he was the operator of the account. Police said they had concrete evidence that he had insulted the King, and told him that they knew that the IP address of his house’s connection operated the account. They showed him printouts of Tweets from the account, as well as a paper from Batelco. The paper from Batelco allegedly displayed the IP address of their house’s connection along with a date and time, details of the connection’s subscriber, and web history logs showing that the internet connection was used to access twitter.com. The police released him after interrogation and did not pursue charges against him.

Case: Salman Darwish

Salman Darwish was arrested from his home in East Riffa on 16 October 2012 and accused of insulting the King on Twitter using the @JehadAbdulla account. He was sentenced to one month in jail on 5 November 2012. Salman and his family deny the allegations that he insulted the King and claim that he has no connection to @JehadAbdulla.

Salman's father demands his release.

According to Salman’s father, Abdulla (@A_darwishh), interrogators extracted a false confession from Salman under duress. Abdulla claims:

• Salman was interrogated for a continuous 27 hour period where he was denied food, drink and use of a bathroom.
• After police threatened that they would summon his mother and sisters for interrogation, Salman confessed to the charges.
• While Salman was in detention he was denied adequate healthcare for a rare illness he has which makes him suffer chronic kidney stones.
• Before his arrest, a doctor warned Salman he had 15 stones which required close medical attention.
• Due to mistreatment in custody, Salman caught an infection and his health deteriorated, necessitating his transfer to the prison clinic.

Abdulla thinks that the real reason behind his son’s arrest was to silence dissent and limit freedom of expression. Abdulla suggests that his son may have been used as a scapegoat by the Government for political reasons. After his release, Salman opened a personal twitter account @darwish_salman, which although critical of the Government, does not contain any direct criticism of the King. Commenting on his ordeal, Salman tweets: “When I was arrested with the accusation of insulting the King, some people got scared of opposing the shortcomings of the Government which has nothing to do with why I was arrested. Your silence makes them more willing to oppress you.”

Salman commented on his ordeal from his personal Twitter account.

The @JehadAbdulla account was an anti-Shia and anti-opposition account that also openly Tweeted criticism of the Government for being un-Islamic and not applying Sharia Law. On occasion, the account levelled criticism directly at the King, though we do not have any information about which Tweets the Government viewed as offensive to the King:

Our investigation shows that the Government took an interest in @JehadAbdulla in mid-August 2012, and may have targeted him then:

A fake Ali Salman account associated with the IP spy campaign tells @JehadAbdulla that Sunni and Shia are brothers. Salman Darwish joined his Shia brothers in prison several months later.

@JehadAbdulla says hello to an IP spy account.

Case: Mahdi Al-Basri

N is one of several people who operate the @karranah14 Twitter account and a linked Facebook account. These accounts disseminate the latest news about the uprising in the Bahraini village of Karrana. N recalls clicking on a suspicious link by mistake in the past, while using an internet connection registered to Mahdi Al-Basri. However, N does not have the old link, as he says that the group periodically deletes all old messages from their Facebook and e-mail accounts. The Facebook account was targeted with an IP spy link recently, on 25 July 2013.

Amal Al-Shareef targets the account. We reported the link to is.gd for an abuse of their terms of service, and they disabled it.

Mahdi Al-Basri, a lawyer, was accused of operating @karranah14 and jailed. However, Mahdi is not associated with @karranah14, as confirmed by N. Mahdi’s personal account @MahdiAlbasri1, while generally sympathetic to the pro-democracy movement in Bahrain, does not seem to contain any Tweets that the Government might view as insulting to the King.

According to Mahdi's family, police raided their house at around 3AM on 12th March 2013. Police searched the house, confiscated computers, and inspected phones. No device was found with @karranah14 or the linked Facebook account. Police allegedly damaged some belongings in Mahdi’s room during the course of the search. Mahdi asked to see the search/arrest warrant but the police did not provide one, and allegedly laughed at his request. During his interrogation and trial, Mahdi consistently denied the charges against him.

The @karranah14 account mainly focuses on documenting the daily anti-government protests in the village, and general events related to the uprising. While we do not have any information about which specific Tweets the Government deemed offensive to the King, Tweets from @karranah14 display anger towards the King:

Case: Sami Abdulaziz Hassan

Sami Abdulaziz Hassan was the leader of the “Yokogawa Labor Union of Bahrain,” a trade union at the Middle East division of Japanese engineering firm Yokogawa. He was sacked from his job in early 2013 after he was identified as the author of anonymous Tweets exposing alleged labor law violations by his employer. His Twitter account was targeted with IP spy links sent publicly via Twitter mentions. His company had filed a complaint about the Twitter account with Bahrain’s police. Yokogawa Middle East claimed that Sami was sacked for failing to inform the company about the police investigation.

The @YLUBH account does not criticize the Government; it sends out pro-union messages, and criticizes Yokogawa Middle East for allegedly flouting local labor laws:

@YLUBH claims Yokogawa is not abiding by various local labor laws, including those that mandate annual leave and sick leave.

The @YLUBH account was publicly targeted by Government-linked accounts, who sent IP spy links:

Several IP spy accounts targeted @YLUBH in November and December 2012.

@YLUBH also may have been targeted via e-mail. While monitoring IP spy accounts, we noticed that two accounts messaged @YLUBH, asking to talk in private. In both cases, @YLUBH publicly responded with its e-mail address.

@YLUBH gives its e-mail address to an IP spy account.

A fake journalist may have contacted @YLUBH with a malicious link.

Another IP spy account, @sabreeena30, contacted @YLUBH on November 18, posing as an ex-employee.

@sabreeena30 claims to be an ex-employee.

The General Federation of Bahrain Trade Unions, Bahrain’s made trade union coalition, criticized the sacking of Sami Abdulaziz, and demanded his reinstatement.

Gulf Daily News article on Sami Abdulaziz’s dismissal.

This photo published by @SAIDYOUSIF shows Sami Abdulaziz at the GFBTU’s 2013 May Day rally in support of sacked workers in Bahrain.

Types of IP Spy Accounts

This section looks in more depth at the types of accounts that the Government uses to send IP spy links. The Government’s goal in designing an IP spy account is to trick users into trusting the account.

Impersonation accounts:

These accounts attempt to impersonate a well-known individual.

This Government account impersonates Al-Wefaq Secretary General Ali Salman (@WefaqGS), and occasionally Tweets fake political statements in addition to IP Spy links

Impersonation accounts:

These accounts represent fake people, usually attractive women or fake members of prominent families.

Moonbahr is an Instagram profile for a fake, attractive woman. The profile solicits targets to chat on InstaMessage, a service for sending messages using Instagram.

Facebook account Amal Al-Shareef uses the same picture.

These Twitter accounts for fake members of the Al-Buainain and Al-Khalifa families targeted Sunni and pro-Government groups.

Typo impersonation accounts:

The most common type of IP spy account exploits Twitter’s sans-serif font, which renders a capital “I” and lowercase “l” in exactly the same way. These accounts have the same display picture, name, and description as trusted accounts, except they use a capital “I” instead of a lowercase “l” in the account’s username. These accounts will typically send IP spy links using public mentions, as they have very few followers. The Tweets are deleted soon after the links are clicked on, and the accounts are frequently renamed. The following image from Topsy shows a small sample of such targeting. Topsy occasionally archives deleted Tweets, and renders all usernames in lowercase.

Being fooled by these impersonators may have disastrous consequences.

In some cases, IP spy accounts are very clever in their targeting. For example, they may impersonate one of the participants in a Twitter conversation, and send a malicious link.

This conversation has three participants: @saudi44, @AlBinSanad, and @AIBinSanad. Can you spot the imposter?

Typo impersonation accounts use several other naming tricks besides substituting “I” for “l.” Sometimes, a vowel is substituted, e.g., “a” instead of “e.”

@slows77, a pro-Government Twitter user critical of the Muharraq Council might have thought that notorious pro-Government vigilante @7areghum was sharing a link with him if he didn’t look closely at the spelling of the username.

In other cases, two vowels are permuted, or an additional copy of a vowel is added.

The letters "ai" are permuted to "ia" in "Alshaikh."

An extra "o" is added to "maloood."

Legitimate accounts surreptitiously operated by the Government

The biggest potential risk to netizens comes when the Government gains credentials to access a trusted account.

On 12 March 2013, two brothers were arrested for allegedly operating the @Abu_Haider and @AboHamzah_BH accounts. After their arrest, both accounts showed activity: they regularly posted stories from major news outlets. We received information that this continued activity was the work of legitimate account operators. On 4 July 2013, while the brothers were still in prison, we observed that both accounts began to exhibit different behavior. The behavior seemed to be part of a Government effort to target or infiltrate the Tamarrod Bahrain movement, which calls for protests on 14 August 2013.

@AboHamzah_BH followed two accounts on 4 July 2013.

On 4 July 2013, @AboHamzah_BH followed two new accounts. The first was @Buhassan23, an account that had been repeatedly targeted by IP spy accounts in the previous few days. @Buhassan23 is an apparent key supporter of the Tamarrod Bahrain movement. The second was a known IP spy account account, @AlToobIi, which had only three other followers. The account was designed to impersonate @AlToobli. The new follows by @AboHamzah_BH were not follow-backs, and @AboHamzah_BH did not exhibit other follow-back behavior. According to our observations, @AlToobIi never mentioned @Abo_HamzahBH. It is worth noting that when an account blocks a follower, the follower automatically unfollows the account; unblocking this individual does not cause them to automatically re-follow you. Based on all of these factors, it seems likely that @AboHamzah_BH following @AlToobIi is an indication that the Government had access to this account.

@AlToobIi had three other followers, two of which are IP spy accounts.

While @AboHamzah_BH was apparently being operated by the Government, legitimate operation continued as well. This raises an alarming possibility: the Government may surreptitiously operate accounts, while the legitimate operators believe they are still in control.

@Abu_Haider followed three accounts on 4 July 2013.

On 4 July 2013, @Abu_Haider followed three new accounts. Two were common Government targets at the time: @tamarrodbh and @TamarrodBahrain, anonymous accounts that originated the Tamarrod Bahrain movement. The third account was @alaashehabi, the account of Bahrain Watch member Ala’a Shehabi, who had contemporaneously tweeted a warning that the Cyber Crime Unit was sending malicious links to identify and arrest anonymous users. In addition to following these three accounts, @Abu_Haider changed its profile picture to the Tamarrod Bahrain logo, and retweeted a number of tweets in support of Tamarrod, as well as Ala’a’s warning. This unusual activity by @Abu_Haider did not go unnoticed among his followers.

A concerned Twitter user was apparently suspicious about @Abu_Haider’s change in activity, and warned his followers.

Another account whose operator is allegedly in prison, @14Feb_Tube, began tweeting messages from “unfalert” a few days after 4 July 2013. The “unfalert” service sends tweets from an account when a user unfollows that account.

We reported @Abu_Haider, @AboHamzah_BH, and @14Feb_Tube to Twitter as possible victims of account hacking. We checked these accounts on 16 July 2013, and noticed that they were suspended.

Hacked Accounts?

On 24 November 2012, Reda al-Fardan, a member of Bahrain Watch based in France, was targeted by @RedSky446 with an IP spy link sent via direct message.

The IP spy link that Reda received from @RedSky446. The full name of the account is cut off in the image due to screen size constraints.

The redirect chain of the link was:

http://t.co/tQNnOkOc
http://bit.ly/XNSdXS
http://iplogger.org/2zSX
http://www.ip-spy.com/howi.php?to=bW9vbi5vZi5iYWhyYWluQGdtYWlsLmNvbQ==&an=goog

The attacker used two different IP Spy services: iplogger.org and ip-spy.com. The ip-spy.com link contains a parameter “to,” which contains a Base64-encoded string. Decoding this string reveals an e-mail address: [email protected] We went to ip-spy.com and registered with our own e-mail address to test. The site gave us a link that had a “to” parameter containing a Base64 representation of the e-mail address that we provided. We clicked on our link and received an e-mail containing our IP address. This indicates that the “to” parameter represents the e-mail address that the IP spy data is sent to.

Checking the statistics for the bit.ly link (https://bitly.com/XNSdXS+) shows us that the link was created by a bit.ly user known as “al9mood” (https://bitly.com/u/al9mood), who is associated with hundreds of other links.

Reda clicked on the link, revealing to the attacker that his IP address was in France. After he clicked, he received a suspicious message through YouTube:

Moon Bahrain contacts Reda.

At this time, we did not realize that the IP spy attack was associated with the Government. We finally reported @RedSky446 to Twitter on 6 May 2013. On 15 May 2013, we noted that the account was suspended. An examination of @RedSky446’s Twitter timeline reveals that his behavior changed on 17 October 2012. It is possible that his account was hacked, or he was arrested on this date. His last tweets mentioned the arrest of Twitter users on 16 October 2012, and contained advice on how to safely operate anonymous accounts using the TOR browser and VPNs. It also appears that @RedSky446’s Facebook account was taken over around the same time (http://facebook.com/red.sky.446).

We were unable to find anyone who knew @RedSky446 in real life. Several individuals who did not know him suspected that he lived in London.

Types of IP Spy Links

This section looks at the types of IP spy links we have observed. Broadly, there are four types of these links. All types capture the IP address of the user who clicks on them. The first type of link is designed to alert users to the fact that they have been targeted. We saw one instance of this type of link used, which displayed the following page.

This link alerts users that their IP address information has been captured. (IP Spy service: whatstheirip.com)

The second type of link is designed to fool users into think that no malicious behavior has occurred by showing them an error page.

Links to www.hondachat.com bring up a fake vBulletin error message while recording your IP. (IP Spy service: www.whatstheirip.com)

Links to www.bvog.com bring up a 404 page while recording your IP. (IP Spy service: www.whatstheirip.com)

Links to ip-spy.com direct the user to google.com/notfound, which does not exist. (IP Spy service: www.ip-spy.com)

The third type of link is designed to convince users that no malicious activity has occurred by redirecting them to a legitimate website. These links behave like bit.ly or goo.gl URLs. The only way to detect them is by expanding the entire URL chain. A service like longurl.org can help identify this.

A link sent to human rights monitor @SAIDYOUSIF shows a redirect involving IP Spy service 2no.co (iplogger.org)

The fourth type of link is designed to convince users that no malicious activity has occurred by redirecting them to an innocuous-looking website. Instead of capturing the user’s IP in a hop of the redirect chain, the page they are redirected to embeds an IP spy image. One service called “Richtweets” allows a tweeter to embed remote images into Tweets posted on the service. The attackers leveraged this capability to embed an image that captures the IP address of everyone who views a specific Tweet on Richtweets.

Embedded HTML in the Tweet captures the IP address of the clicker

The IP spy campaign also made use of Webs, a service for designing and hosting free websites. For example, we saw links to the following page, which contains text copied from Wikipedia, as well as an embedded IP spy image.

IP spy page hosted by free web hosting company Webs.

Other Malicious Links

Besides IP spy links, accounts linked to the Government sent out a number of other types of links. In one case, we found a link http://tinyurl.com/feb142012, which pointed to what appeared to be a Twitter phishing page. The phishing page contained a message “Confirm Your Account to Continue,” and a place for a user to enter a username and password. The page also showed a map of Bahrain with a marker at the Pearl Roundabout, the center of mass protests in 2011. We do not know who was sent this link, or how they were targeted, but the use of the term “feb14” -- the date of the start of protests in 2011 -- and the map of the Pearl Roundabout -- indicates politically-motivated targeting.

Twitter Phishing Page that contains a map showing the Pearl Roundabout.

The username and password are presumably e-mailed to the operator of the site when the “Submit” button is pressed. Webs, the free platform that hosts this site, has a feature that allows website creators to designate certain pages on their site “members only.” This means that a user must “sign up” with Webs before they can see the pages. When we reached the above link, the page was designated members only. We believe that initially, the page was publicly accessible, as there would be no advantage to making it members only. We suspect that once this particular phishing operation was concluded, the creator of the website made the page members only because he thought it would be private. However, we were able to register with Webs and access the members only area. Note that the members only area did not allow us to see who had been phished. In addition to the above page, we were also able to see details about the operator of the website, who identified himself as “moon-of-bahrain:”

The site owner, moon-of-bahrain.

We also noted that Government-linked accounts sent several links to files hosted on MediaFire. We suspect that these files contained spyware. However, we have been unable to locate any of these files to verify this hypothesis. The uploader appears to have taken down the first file, and marked the latter two as private. Please search your computers for these file names, and contact Bahrain Watch if you have them.

IP spy accounts sent documents to activists shared by “Ahmed Supra.” We suspect that these documents contain spyware.

Connection to Bahrain Government

This section provides an overview of our evidence that the Government is behind the IP spy campaign. One of the earliest IP spy services used in the campaign was MyIPTest.com. The service is designed so that anyone who receives an IP spy link can view the IP addresses of all users who have clicked on that link. Bahrain Watch found several of these links and looked up the IP address data. We noticed that an IP within Bahrain’s Internet Exchange clicked on at least seven different links that were sent to various accounts. MyIPTest recorded the address as:

The links on which this address appears are the following:

The IP address is a private address, which is not routed on the public internet. This address was likely gleaned from some information sent by a proxy server, such as the X-FORWARDED-FOR header. Since 85.158.131.194 is a Cisco router, it seems likely that the proxy exists behind the router, and NAT is active on the router. This setup would produce a request apparently forwarded via the router from the private address. Traceroutes show that several websites for Bahrain’s security forces are associated with the 85.158.131.194 router:

The following address click on several other links, according to data from MyIPTest.com:

The appearance of the same private IP address suggets that this is perhaps the same actor as above, and suggests that 80.95.212.74 is another router used by the security forces in Bahrain. We did not see any other instances where an IP address clicked on more than one link.

We also uncovered evidence linking the network of Facebook and Twitter accounts used in the IP spy attack to the Government. One account in the network, sabreeena30, shared the first and only post on a blog entitled “Cyber Crime Unit:”

Sabreena Ahmed (sabreeena30) shared a blog post from the Cyber Crime Unit on her Facebook page.

The post was shared at 6:01PM GMT-7 on 6 July 2011. Inspection of the post reveals that it was blogged at exactly the same time that sabreeena30 shared it on Facebook: 6:01PM GMT-7 on 6 July 2011. This suggests that the author of the blog is also the operator of sabreeena30:

Usman Fazal posted at exactly the same time Sabreena Ahmed shared.

The post was written by a user called “Usman Fazal.” Inspection of the author’s Blogger profile revealed the following:

Usman Fazal says he works in the military as a Computer Forensic Examiner.

His e-mail is given as [email protected] Furthermore, a search on LinkedIn for his name revealed these profiles:

Usman Fazal’s LinkedIn profiles say he works at the MoI or Cyber Crime Unit.

Further inspection of Sabreeena Ahmed’s Facebook page reveals that she likes a page called “MY OWN STUDY.”

Sabreena Ahmed likes a page called MY OWN STUDY.

The page is associated with Bahrain, as well as the e-mail address [email protected] The posts and pictures on the page mostly consist of information about computer forensics.

MY OWN STUDY is located in Bahrain, and uses a contact e-mail apparently belonging to Usman Fazal.

Target: Labor Groups

In addition to @YLUBH, we noted that several other labor accounts were targeted, including an account for politically sacked GARMCO employees, @Garmco_dismisse, and an account Tweeting about issues at Bahrain Airport Services, @BAS_OPPRESSED.

Using a similar modus operandi to the attack on @YLUBH, IP spy account @CrazyFrogBH poses as an employee sacked for political reasons from Bahraini company GARMCO.

@BAS_OPPRESSED was targeted at least six times, including these four.

Target: Parody Accounts

We noticed that several parody accounts for high-ranking Government officials were targeted by IP spy accounts.

@SheikhKhalifaPM, a parody of Bahrain’s Prime Minister, was solicited to receive images and documents by IP spy account @sabreeena30.

@RashedKhalifa, a parody of Bahrain’s Interior Minister, was sent links, and possibly spyware.

@TariqAlHassan, a parody of Bahrain’s Chief of Police may have been sent spyware.

@Samorarajab, a parody of Bahrain Minister of State for Information Affairs, Sameera Rajab, was sent an IP spy link.

We also noted that parody accounts for religious leader Isa Qassim, and former MP Mohammed Khalid were targeted.

Target: @BAHRAINDOCTOR

@BAHRAINDOCTOR is an anonymous account, apparently operated by a doctor inside a public hospital in Bahrain. During martial law in 2011, the account revealed details about physical and verbal abuse perpetrated by security forces against doctors both at Salmaniya Medical Complex, and the Ministry of Health. @BAHRAINDOCTOR has also been instrumental in challenging dubious Government stories about individuals killed by security forces. Since the account uses as its avatar a stock photo of a female doctor, we refer to the doctor using the female pronouns “she” and “her.”

@BAHRAINDOCTOR’s account has been targeted several times. On 14 June 2012, she issued a warning about @Zbroadcaster, one of the IP spy accounts. @BAHRAINDOCTOR recalls that the account was attempting to ask her questions in an apparent attempt to figure out her identity.

@BAHRAINDOCTOR advises her followers to not reveal any information about themselves to @Zbroadcaster.

On or around 15 November 2012, @BAHRAINDOCTOR received an IP spy link, apparently from the Twitter account @HusainSayadAli, which appears to have been an impersonation account for @HusainSayedAli. The link and redirect chain are shown below:

http://goo.gl/UpFy1
http://iplogger.org/2LFX
http://www.ip-spy.com/howi.php?an=goog&to=bW9vbi1vZi1iYWhyYWluQGxpdmUuY29t&an=goog

The attacker uses two different IP Spy services: iplogger.org and ip-spy.com. The e-mail address associated with the ip-spy.com link is [email protected]

The doctor reported that she did not click on the link, but instead sent it to a friend who clicked on the link from inside the UK. @HusainSayadAli then apparently tweeted that he had discovered @BAHRAINDOCTOR was in London. This erroneous claim was presumably in reference to the information he had received from the IP Spy link. @mnarfezhom, widely believed to be a member of the ruling Al-Khalifa family, apparently quoted this tweet, and threatened the doctor:

@mnarfezhom promises @BAHRAINDOCTOR’s arrest.

After the threats, @BAHRAINDOCTOR reported that she lived in a state of anxiety.

Target: @BrokenAngel077

Broken Angel received an IP Spy link from @NaderAbduIEmam, an impersonation account for @NaderAbdulEmam. Her account was hijacked and renamed to @brokenangeI. Meanwhile, the attackers registered a new account with the name @BrokenAngel077. A Government account, @ghostofbahrain, apparently claimed credit for hacking her account, and threatened her:

@ghostofbahrain threatens @BrokenAngel077.

According to the Cyber Crime Unit, their investigations follow a protocol, which “includes first and foremost a complaint from the victim.” The Unit states that in most cases, they “warn the person and the issue is amicably solved, but if the violation is serious then the culprit could face two years' imprisonment and fines.”

Target: @The_Cheaters1

@The_Cheaters1 apparently Tweeted information about various Government spy programs, as well as the names of police officers allegedly responsible for abusing detainees in custody. We noticed that his account was targeted with IP spy links.

@The_Cheaters1 noticed initial attempts to target him, and warned his followers.

Even though @The_Cheaters1 noticed initial attempts to target him, the attackers persisted. IP spy account @RedSky446 appeared to come to the aid of @The_Cheaters1 by imploring his followers to follow and retweet @The_Cheaters1, who he described as a victim of spam. He then asked @The_Cheaters1 to talk in private, “in service of the revolution.”

@RedSky446 invites @The_Cheaters1 to talk in private.

@The_Cheaters1’s trust of @RedSky446 might have done him in.

Meanwhile, two other Twitter accounts seem to have cooperated in targeting @The_Cheaters1, using links to the Richtweets service, which allows Tweets of more than 140 characters, and also allows remote images to be embedded into tweets.

These two tweets seem designed to figure out the identity of @The_Cheaters1 -- the only user mentioned in common -- while not looking like a targeted attack

The inactivity of @The_Cheaters1 since January 2013 suggests that he was eventually tricked into opening malicious links, and was identified. This suggests that even technically savvy users may be vulnerable to targeting.

Target: @mn9oreen_bh

While we were searching for individuals who had been targeted by IP spy accounts, we noticed that an anti-Government account named @mn9oreen_bh had Tweeted images of direct messages he allegedly exchanged with an IP spy account @kashfalmastor. The IP spy account apparently sent @mn9oreen_bh a link, which he opened from his phone. The IP spy account then asked @mn9oreen_bh to please open the link from a laptop, as it was not possible to spy on @mn9oreen_bh’s phone.

@mn9oreen_bh posted these images of direct messages apparently exchanged with an attacker.

@sabreeena30 also solicited @mn9oreen_bh to receive files via e-mail.

@mn9oreen_bh’s account is inactive. We have been unable to reach him to find out more details about the link he clicked.

Target: Hoora Residents

To make way for a new Government housing project, hundreds of residents of Block 318 of Hoora were to have their houses taken and demolished. Many of these residents supported the concept of new housing, but opposed the seizure of their homes to build it. The accounts @DR3_AL7OORA, @hoora318, and @FYOUSIF00 apparently belonged to residents of Block 318 whose homes were to be taken. The accounts were otherwise pro-Government, but Tweeted criticisms of the Government’s handling of the project.

A banner created by Hoora residents expresses support for housing projects, but opposition to the taking of their homes.

@DR3_AL7OORA and @hoora318 were targeted with IP spy links that showed them maps of Hoora.

An IP spy account tried to solicit direct messages from @FYOUSIF00.

Target: Sahab Bint Abdullah Al-Saud?

An account named @anaok6 (ID# 1533646338) tweeted a video entitled “Sahab bint Abdullah Drunk on Camera” directly at the Twitter account of Sahab Bint Abdulla Al-Saud, @SahabAbdullah8. Sahab is a member of the Saudi Royal family, and is married to Khalid bin Hamad Al-Khalifa, son of the King of Bahrain. The account @anaok6 was not following any accounts, and had only one follower -- an IP spy account. By the time we noticed the tweets, the video had been deleted, and it was unclear which YouTube account the video was associated with.

Two IP spy accounts, @CrazyFrogBH and @Bint_BuSalman, then targeted @anaok6 with two IP Spy links. One of the links was to the following page.

While conveying an innocuous message, an embedded image records the IP address of the user viewing this page.

The account @CrazyFrogBH then tweeted “TE Data Egypt” at @anaok6 -- presumably the implication being that @anaok6 was using that internet service provider. One of the Government accounts, @CrazyFrogBH, then told @SahabAbdullah8 “I need to talk to u if u allow me please … I need your help as I helped you twice now,” asking Sahab to look at @CrazyFrogBH’s previous tweets. Usually when the attackers ask for a direct message in this way, they send the recipient a malicious link.

Of course, we cannot be certain that Sahab was the target. Indeed, this could be a case of cyber blackmail against Sahab. However, it does appear suspicious that @CrazyFrogBH attempted to engage Sahab via direct message. As far as we could tell, Sahab never followed @CrazyFrogBH.

Target: Sunni Groups

We noticed that several Sunni activists and groups were targeted in the IP spy attack, including a member of the Al-Fateh Youth Coalition.

A sampling of Sunni groups targeted. Bahrain’s Bahrain’s Chief of Police (@Talhassan) was also apparently targeted.

The “30 December Movement” @7araka30dec, an account that called for a “Sunni day of rage” on 30 December 2012 to demand reforms, was also targeted several times.

@7araka30dec was targeted with IP spy links sent by at least two different accounts.

Target: @mnarfezhom

The @mnarfezhom account is allegedly operated by a member of the ruling Al-Khalifa family, and functions as a cyber vigilante, mobilizing his followers against those seen as opposing the Government. He was targeted several times by IP spy accounts. On 7 January 2013, the Cyber Crime Unit confirmed that an investigation against @mnarfezhom was underway, after members of the Sunni community claimed he was slandering top politicians by associating them with the December 30 movement.

One of many instances where an IP spy account targeted @mnarfezhom.

The IP spy links may have been successful in revealing @mnarfezhom’s identity.

@ghostofbahrain brags to @mnarfezhom nemesis @7araka30dec that he has “electronic data linking @mnarfezhom to Mohammed Salman Al-Khalifa”

Other Targets

We briefly mention a few other interesting targets we noticed.

Anonymous #OPBahrain

Around the April 2013 Grand Prix, Anonymous launched #OPBahrain, an operation to raise awareness of the human rights situation in Bahrain by widely disseminating pictures, videos, and articles, and hacking into Bahrain Government and Formula 1 websites. IP spy accounts targeted the Twitter users who organized this operation. The Gulf Daily News reported that “experts” from the Cyber Crime Unit were monitoring #OPBahrain, and were ready to respond.

An IP spy account offers content for #OPBahrain. The link redirects through an IP spy service.

The same IP spy account also targeted the popular @YourAnonNews account.

IP spy account @RedSky446 voiced his support for the operation.

We contacted the account @OpBahrain_, who claimed to have chatted privately with @Ba7raaania. Bahrain Watch asked @OpBahrain_ to share links that he received from @Ba7raaania, but he declined to do so.

@boammar (ex-MP Mohammed Khalid)

We also noticed that former Member of Parliament Mohammed Khalid was targeted by IP spy accounts on several occasions.

An IP spy account targets @boammar.

IP Spy in Other Countries

Bahrain Watch has received reports that activists operating anonymous Twitter accounts in the United Arab Emirates were sent links to the website a7rarelemarat.com via direct message from Twitter accounts of their friends who had been hacked. Activists who clicked on these links were later arrested.

Bahrain Watch has also received reports that anonymous Twitter users in Kuwait have been arrested. It is not clear how they were identified.

Commentary on Relevant Law

This section provides some commentary on relevant Bahraini and international law pertaining to freedom of expression.

Relevant Bahraini Law

• Directorate for Combating Corruption and for Electronic and Economic Security
• National Security Apparatus (NSA)
• E-Government Authority
• Ministry of Interior Cyber-Crime Directorate
• Telecommunications Regulatory Authority

Relevant Bodies

1. The King
2. National flag or emblem
3. The Army
4. Judicial Courts
5. National Assembly
6. Constitutional institutions
7. Government agencies
8. Foreign countries
9. International organizations

Bahrain Penal Code, 1976

Article 214
A prison sentence shall be the penalty for any person who offends the Amir of the country, the national flag or emblem.

Article 215
A punishment of imprisonment for a period of no more than two years or a fine of no more than BD 200 shall be inflicted upon any person who offends in public a foreign country or an international organization based in the State of Bahrain or its president or representative. The same penalty shall apply to a person who offends such organization’s flag or official emblem. Legal action in respect of such crime shall not be brought except upon the written request of the Justice Minister.

Article 216
A person shall be liable for imprisonment or payment of a fine if he offends, by any method of expression the National Assembly, or other constitutional institutions, the army, law courts, authorities or government agencies.

The Cabinet has approved amendments to Article 214, which provide for a maximum prison sentence of 5 years and a fine up to 10,000 Bahraini Dinars, for offending the King. There are no clear guidelines in the law that explain what constitutes an offence, and the law is vague enough to be used against anyone who voices criticism towards the regime.

Resolution No. (8) of the Year 2009 Promulgating a Regulation Requiring Licensees to Implement Lawful Access - The Telecommunications Regulatory Authority

The Telecommunications Regulatory Authority (TRA) is established through Legislative Decree No. 48 of 2002 promulgating the Telecommunications Law. Although classified as an independent body, Section 2(C) of the Decree states, “the Authority shall enjoy all advantages enjoyed by ministries, governmental entities, and official public sector organisations in the Kingdom.” This would classify the TRA as a public body cable of producing secondary legislation.

Under the Lawful Access Regulation (LAR), licensees providing technical resources including “communications links, telecommunications equipment and systems” are required to provide “lawful access” of such services to security organs including call content and other related information sent through the telecommunications network “for purposes of fulfilling the requirements of national security.” Information that should be readily available for access by security bodies includes Internet web pages, the content of an SMS, or the content of a phone call.

In addition to the specific content of communications, Article 3 of the Regulation also stipulates that licensees must provide subscriber identification numbers through calls, the IP address of the subscriber and “any other means of uniquely identifying the subscriber.” The same article also requires licensees to identify the specific locations of communications subscribers.

Unless licensees undertake to implement lawful access, they will be prohibited from operating any telecommunications services under Article 4.

“Access related information” which can be collected by security organs are identified under Article 8 of the Regulation and are as follows:

Access Related Information means all data, including messages, sounds, visual images or signals, which pass through the Telecommunications Network of a Licensee as a result of the provision of a Telecommunications service, excluding Call Content, and such Information shall be identified as follows:

a) Access Related Information for fixed and mobile voice Calls:

1. All numbers, including identifiers associated with a voice Call for all parties of a voice Call, including local, international or other CLI numbers, other identifications that could be used for CLI, information of the wireless phone used including IMEI and IMSI numbers, and forwarded numbers.
2. Date and time of the start and end of the voice Call.
3. Call duration.
4. The type of voice Call, if any, such as video, voice or other type of Call.
5. The Call parties’ location when starting and ending the Call in the form of address in case of fixed services or longitude and latitude numbers in case of mobile Telecommunications services.
6. Telecommunications base stations used.

b) Access Related Information for data Calls, such as 3G and GPRS:

1. Date and time of the Call.
2. Caller IMSI number.
3. IP or other relevant address used;
4. Mobile phone traffic data exchanged with Licensees in other countries.

c) Access Related Information for SMS, EMS and MMS:

1. Caller number.
2. Caller IMEI number.
3. Sender and receiver number.
4. Receiver IMEI number.
5. Date and time of the Call.
6. Message delivery report, if any.
7. The call parties’ physical locations when sending or receiving the call.

d) Access Related Information for e-mail only provided by a Licensee:

1. E-mail access data, including authentication username, date and time of login and log out and IP address logged in from.
2. Data of the e-mail sent, including authentication username, e-mail addresses used in all the fields (From/To/CC/BCC) and date and time of sending the e-mail.
3. Data of the e-mail received, including authentication username, e-mail addresses used in all the fields (From/To/CC) and date and time of receiving the e-mail.

e) Access Related Information for Internet Service Providers in general:

1. Authentication username.
2. Date and time of login and logout.
3. IP address used.
4. Telephone number used.
5. Call termination point and, for ADSL subscribers, Media Access Control (MAC) Address.

f) Access Related Information for Internet browsing: Proxies record data, including time, date, IP addresses used by all parties, website addresses visited, services used and the type of protocol used.

Press Rules & Regulations Decree No. (47) 2002

Bahrain's press and libel laws offer a significant disadvantage to the freedom of expression, applying both to electronic and paper print. An example of the limitation is provided under Article 68 of the 2002 Press Regulations which imposes year jail terms of up to five years for publishing anything that involves “criticizing the king or holding him responsible for any of the government's actions” or “instigation the overthrowing of regime or its change.” This is in conflict with the rights assigned by the same law under Article 30 which states that “any opinion or true information revealed by a journalist shall not pose a threat to his safety.” Such a law severely limits the conduct of net citizens and online journalists whom have assumed anonymity as protection. Prominent anonymous accounts continue to be targeted online, perhaps to identify users for future arrests.

The Code of Criminal Procedures (Decree No. 46 of 2002)

The 2002 Decree offers an example of primary legislation of the powers vested upon the State to seize, censor, or monitor the private information of citizens. Below is an example of the powers assigned to the Public Prosecution through the decree. Although many of these laws require a Court assigned warrant, the dates of the action taken by the State representative in question and those of the warrants assigned cannot be determined to coincide as on many occasions the documents are not made available until trial.

Article 93

The Public Prosecution may seize in post offices all letters, mail, newspapers, publications and parcels and in telegraph offices all telegrams. It shall be empowered to censor telecommunications conversations and correspondence or order the recording of conversations that occurred in a special place where this is useful in revealing the truth in a felony or misdemeanour punishable by imprisonment.
For taking any of the above actions, a prior permission shall be obtained from the Lower Court judge. The judge shall issue such permission upon reviewing the documents. In all cases, the seizure, censorship or recording shall take place upon a substantiated order for a period not exceeding 30 days which is renewable for another similar period(s).

Article 95
A Public Prosecution member shall be exclusively empowered to have access to the seized letters, mail and other documents, provided that their review shall take place in the presence of the accused, person in possession thereof or addressee and shall note down his comments thereon. Depending upon the results of the review, he shall be empowered to include such documents in the case file or to return them to the person in possession thereof or to the addressee.

Article 96
A Public Prosecution member shall be empowered to order the person in possession of a thing which he decides to seize or inspect it to produce such thing. The provision of Article (123) of this Law shall be applicable to anyone who violates this order unless he is in an event where the law authorizes him to refrain from giving his testimony.

Article 97
The seized letters and mail shall be delivered to the accused or addressee or shall be given a copy thereof as soon as possible unless this is detrimental to the investigation. Every person who has a claim against the seized things shall be entitled to request the Public Prosecution member to deliver them to him. In case of refusal, he may file an appeal with the Lower Court and plead for hearing his statements by the said Court.

Law No. 58 Of 2006 with Respect to the Protection of the Community Against Terrorist Acts

It is important to consider Bahrain’s laws concerning terrorism as the term “terrorist” has found itself manifesting within State narratives of events. Terrorism laws allow significant derogations from international freedoms and formalities of proceedings that are designed to ensure fair trials. During the 2011 uprising, opposition activists have found themselves judged and branded “terrorists” through State media before a trial date has even been set. More often than not, those targeted publicly through State media have not even been officially charged yet. State media has also been used as a vehicle to determine future arrests, by libelling activists and protesters. Additionally, similar actions are also taking place on social media networks through State accounts issuing manhunts for activists.

Article 28
Information submitted by the security sources for obtaining an extension of the detention period provided for the first Paragraph of Article 27 of this Law shall remain confidential with the Public Prosecution. Such information shall not be disclosed nor shall the names of their providers be divulged without prejudice to the provisions of Article 61 of the Criminal Procedure Law.

Article 29
The Attorney General or whoever acts for him shall be empowered to order the seizure of mail of all kinds, publications, parcels and telegrams, the surveillance of communications by all methods and recording everything that takes place in public or private premises where this is useful for uncovering the truth in crimes to which the provisions of this Law applies.

In all cases, the seizure, surveillance or recording order shall be substantiated and for a period not exceeding sixty days. Such period shall not be extended except by an order of the High Court.

Article 30 The Public Prosecution shall order proceeding with access or obtaining any data or information related to the accounts, deposits, trusts or safe deposit boxes with banks or other financial institutions or the transactions related thereto if this is deemed necessary for revealing the truth in any of the crimes provided for in this Law. For taking such action, a prior permission shall be obtained from the High Court judge.

A recent National Assembly session agreed on a set of amendments to terrorism laws to specifically target dissent. The vague use of the term “terrorism” paves way for the use of these recommendations -- if implemented in law -- against civil liberties and the pursuit of self-determination. Additionally, the express mention of social media use within these recommendations is a worrying example of how the law is being used and amended to target social (online) dissent. Below are a few of the Assembly’s recommendations:

Rec No. 10: Granting the security bodies all required and appropriate powers to protect society from terror incidents and prevent spreading them

Rec No. 15: Direct relevant state bodies to activate the necessary legal action against those who use social networks in an illegal way, and toughening penalties against those who use those networks to disseminate false information to foreign sides which plot against the country’s security and stability.

Rec No. 16: Basic liberties, particularly freedom of opinion, should be affected so as to strike a balance between law enforcement and human rights protection.

Further Commentaries on the Law

• Privacy International
• Reporters Without Borders
• Movements.org
• Freedom House
• Index on Censorship

International Legal Standards/Guidance

Bahrain has signed 8 out of the 9 major international human rights conventions. As part of its obligations under these conventions, Bahrain must ratify international obligations within domestic law. Bahrain is yet to draft a State report (due one year from ratification) in order to be assessed by the relevant treaty bodies. To put this into context, by signing the International Covenant on Civil and Political Rights in 2006, Bahrain has bound itself to send a State report to the Human Rights Council in 2007 and then one every four years. Bahrain is yet to submit its first report making it two reports behind schedule. It is a grave breach of international standards to target individuals based on their political or religious views.

As a result of the upsurge in controversy amongst international surveillance programmes, and in the absence of specific international legal doctrines governing these programmes, there has been a rise in legal guidance linking existing international legal rules – mainly the right to privacy and freedom of expression - to online monitoring. Some of this guidance is available below.

Universal Declaration of Human Rights

Article 12
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

Article 19
Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.

Article 29(2)
In the exercise of his rights and freedoms, everyone shall be subject only to such limitations as are determined by law solely for the purpose of securing due recognition and respect for the rights and freedoms of others and of meeting the just requirements of morality, public order and the general welfare in a democratic society.

International Covenant on Civil and Political Rights

Article 19
1. Everyone shall have the right to hold opinions without interference.
2. Everyone shall have the right to freedom of expression; this right shall include freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media of his choice.
3. The exercise of the rights provided for in paragraph 2 of this article carries with it special duties and responsibilities. It may therefore be subject to certain restrictions, but these shall only be such as are provided by law and are necessary:
(a) For respect of the rights or reputations of others;
(b) For the protection of national security or of public order (ordre public), or of public health or morals.

United Nations Special Rapporteur on the Protection and Promotion of the Right to Freedom of Opinion and Expression Special Rapporteur for Freedom of Expression of the Inter-American Commission on Human Rights – Joint Declaration on Surveillance Programs and their Impact on Freedom of Expression

The need to place limits on surveillance programs:

• International rights treaties expressly provide the rights to freedom of thought and information and “prohibit arbitrary or abusive interference in private life, including communications, setting forth as well the right to state protection from such interference.”
• Any limitation upon these rights must “be clearly authorized by law” to prevent arbitrary interferences with privacy. The law must also “establish limits with regard to the nature, scope and duration of these types of measures; the reasons for ordering them; the authorities with power to authorize, execute and monitor them; and the legal mechanisms by which they may be challenged.”
• The access to communications and personal information must only be undertaken “under the most exceptional circumstances defined by legislation.”
• “When national security is invoked as a reason for the surveillance of correspondence and personal information, the law must clearly specify the criteria to be used for determining the cases in which such surveillance is legitimate…the law must authorize access to communications and personal information only under the most exceptional circumstances defined by legislation. The collection of this information shall be monitored by an independent oversight body and governed by sufficient due process guarantees and judicial oversight, within the limitations permissible in a democratic society.”
• “Any surveillance of communications and interference with privacy that exceeds what is stipulated by law, has ends that differ from those which the law permits, or is carried out clandestinely must be harshly punished. Such illegitimate interference includes actions taken for political reasons against journalists and independent media.”
• “Companies that provide Internet services, advertising or related services must make an effort to ensure that the rights of their clients to the protection of their data is respected, along with their right to use the Internet without arbitrary interference. These companies are encouraged to work together to resist attempts to implement mass surveillance programs in contravention of the principles established herein.”

Duties of public accountability and transparency:

• “All persons have the right to access information held by the state, including information having to do with national security. The law may establish specific exceptions as long as those exceptions are necessary in a democratic society. Specifically, the law must ensure that the public can access information on private communications surveillance programs, including their scope and any regulation that may be in place to guarantee that they cannot be used arbitrarily. Consequently, states should, at the very least, make public information regarding the regulatory framework of surveillance programs; the entities in charge of their implementation and oversight; the procedures for authorizing, choosing targets, and using the data collected; and the use of these techniques, including aggregate information on their scope. At all times, the state must maintain independent oversight mechanisms that are capable of ensuring program transparency and accountability.”
• “The state must allow service providers to inform their customers about the procedures that they implement in response to state surveillance requests. They must provide customers as soon as possible with aggregated information on the number and scope of the requests they receive. In this context, states must make efforts to raise people’s awareness over their rights and the operation of new communication technologies such they can determine, manage, mitigate and make informed decisions on using such technologies.”
• “The state has the obligation to divulge information regarding the existence of illegal programs of surveillance of private communication broadly. This duty must be satisfied given due consideration to the rights of the persons affected. In every case, states must carry out exhaustive investigations to identify and punish those who pursue these types of practices and report in a timely fashion to those who may have been victims of them.”

Other Guidance

Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue, Human Rights Council 23rd Session, 17 April 2013

Safely Operating Your Anonymous Account

Bahrain Watch has released a simple guide on safely operating anonymous accounts. The guide is available in English and Arabic on our website.

Special Thanks

This report would not have been possible without the contributions of John Doe. Thanks to Eva Galperin from the Electronic Frontier Foundation, Maryam Al-Khawaja from the Bahrain Center for Human Rights, Yousif Ahmed from Bahrain Youth Society for Human Rights, F.B., M. J. and many who we do not wish to put in danger by naming. Thanks to Nick Weaver, Morgan Marquis-Boire, and John Scott-Railton.

Appendix A: IP Spy Services Used

URL to create IP spy links: http://whatstheirip.com
IP spy domains:

• bvog.com
• hondachat.com
• youramonkey.com

URL to create IP spy links: http://iplogger.org
IP spy domains:

• iplogger.org
• 2no.co

URL to create IP spy links: http://iplogger.ru
IP spy domains:

• iplis.ru

URL to create IP spy links: http://www.fuglekos.com/ip-grabber/index.html
Associated IP spy domains:

• fuglekos.com

URL to create IP spy links: http://www.shivampatel.net/trace/
Associated IP spy domains:

• acmepeers.com

URL to create IP spy links: http://ip-spy.com/
Associated IP spy domains:

• ip-spy.com

URL to create IP spy links: http://www.myiptest.com/staticpages/index.php/how-about-you
Associated IP spy domains:

• myiptest.com

In some cases, we were able to verify that e-mails associated with the attacks had been registered with the IP spy services:

Appendix B: Response from IP Spy Services

Bahrain Watch contacted the services: iplogger.org, whatstheirip.com, shivampatel.net, and whatstheirip.com. In some cases, we contacted the services anonymously. We received responses from two services: iplogger.org, and whatstheirip.com. Bahrain Watch did not contact ip-spy.com, because the site was unavailable, and we did not contact fuglekos.com, because their service did not appear to be abused on an ongoing basis.

iplogger.org

We forwarded iplogger.org two links sent by the attackers. iplogger.org told us that they have no political agenda, and reserve the right to block anyone’s access to their service for any reason at any time. They told us that they had disabled access to the links we forwarded, as well as “hundreds of other” related links that we did not forward. They had also blocked several ranges responsible for these hundreds of links from creating any new links or viewing any IP addresses of those who had clicked on links. However, they noted that the attackers could access their service from different IP addresses, thus evading the blocks instituted by iplogger.org. This appears to be the case, as we have since seen IP spy accounts send new links from this service

whatstheirip.com

Despite claiming on their webpage that their mission is “to ... [keep] the internet safe,” whatstheirip.com disclaimed responsibility for the misuse of their service, and told us that there were “many other ways” for the Bahraini Government to obtain IP addresses associated with anonymous online accounts.

Appendix C: Recommendations to Twitter

Bahrain Watch contacted Twitter and suggested the following modifications to their service to help defend against the IP spy attack.

Impersonation accounts:

• Implement safeguards for accounts that change usernames with high frequency. In the cases we’ve observed, usernames are often changed very quickly. In the most extreme case, an account took 21 different usernames over a 3 month period.
  • Accounts showing this behavior this could be flagged, or an upper limit could be introduced on the number of username changes.
  • A cooling-off period on the ability to publicly mention or DM users after a rename.
  • Display mentions and DMs from new or recently renamed accounts in a different visual style or color along with a warning.
• Change the default font to visually distinguish lowercase “l” from uppercase “I.”
• Run a similarity search through account usernames when accounts are created or profiles updated. For any similar names, check to see if the picture, description, and name are the same with any accounts of similar username. If so, then prohibit this name change. If Twitter only has a hash index on username, this might make similarity search difficult. However, it might be possible to do a limited number of hash lookups on similar account names (e.g., swapping any one lowercase “l” and uppercase “I”, or any one a/e e/a, or so on).

"IP Spy" links:

• Blacklist domains used for IP Spy attacks. Twitter could: (1) ban the links (2) ban accounts that post them (3) warn users who receive them (4) or warn users who receive these links in certain countries. It seems like these options would be consistent with the "Twitter Rules" on Spam and Abuse, which prohibit use of the service to "compromise a user's privacy."

Appendix D: Malicious Accounts

Twitter Accounts

* An inspection of @RedSky446’s timeline indicated that he probably began participating in the attack starting from 17 Oct 2012.

Facebook Accounts

* Warning: contains sexual content
** We believe that Red Sky began participating in the attack starting from 17 Oct 2012.

E-Mail Accounts

Appendix E: Contents of bit.ly/u/al9mood

Appendix F: Twitter Accounts Targeted in Mentions

@10Nazha, @14feb, @14feb_tv, @14FebFree, @14febsatrawi, @7araka30dec, @7bitha, @a_binsafar, @abo_homod, @ahmedal_saeed, @aj_alfaris, @Al_Raqib, @alabqare, @alboflasa, @Alfateh_News, @Ali_Alaynati, @aljood13, @AlrashedBh, @ALSHAF3EE, @altariq86, @ALWEFAQ, @AlWefaqEN, @ANasserelhaq, @Anti_Traitors, @Arabcaricature, @AwalVolcano, @bahrainangle, @BahrainMirror, @bahrainmomo, @Bahrainspring, @Bahran_natio, @Bahranya, @BAS_OPPRESSED, @boammar, @boammarr, @boammarrr, @brokenangel077, @BUKHMAIS, @ciostaff, @COALITION14, @DR3_AL7OORA, @DrRajaaa, @ebtisamalmanaey, @el_khelid, @el9aqer, @esa300gs, @essaa_qasim, @Fathe7hum, @fatimaalhawaj, @fatoooma92, @free4ever1, @gulf_alkarar, @haaq77, @hbmad, @hfareed10, @HHSheikhRashid, @HJHDhaif, @hoora318, @HzeemRahma, @Ibn_Samaheej, @iMagabi, @izynb, @J_Ashabi, @jamry22, @kadhim30, @khubail, @klefaa, @LAFI_ALDHAFEER2, @majedyalali, @Malshurouki, @ManOfBahrain, @MariaSelba, @Maryam271, @MaSsSyY1, @MHeroshima, @mhmood_almotawa, @Milanello14FEB, @mmohd_khalil, @mnarfezhom, @mnarfezhom01, @MrDurazi, @mshkes, @muharraqawinet, @musty1619, @NaderAbdulEmam, @nayemoo, @noor_ali_ahmed, @orgbahraini, @qa7ba_girl1, @qalb_asad, @Qasim_Alhashmi, @Rafedy4ever, @Redha_Farhan, @Roo7Althawrah, @S_AlMerbati, @SAIDYOUSIF, @salmannaserbh, @samedoon14feb, @Samorarajab, @saraairaq, @saudi44, @saw_you_running, @Serat2015, @Sh_Alkashami, @slows77, @Starbh7, @sun_jassim, @Takrooz, @Talhassan, @tariqalhassan, @the_cheaters1, @theladyispyon, @UmAli107, @unknownkiller65, @wadeea11, @YakYakii, @YLUBH, @zahoralaali, @zahrasammak, @ZAlshaikh_BH, @zayani1, @zaynabalhawraa