Ukraine https://freedomhouse.org/country/ukraine/freedom-net/2020

The COVID-19 pandemic saw the authorities prosecute users for spreading rumors online and launch several initiatives aimed at stopping the spread of the disease, including an app that monitors individuals in mandatory isolation, that infringe upon users’ privacy rights. Online journalists continued to face extralegal retaliation for their work. Cyberattacks remain a regular occurrence, affecting government and nongovernment targets alike.

C1 1.00-6.00 pts0-6 pts

Do the constitution or other laws fail to protect rights such as freedom of expression, access to 3.003 information, and press freedom, including on the internet, and are they enforced by a judiciary that 6.006 lacks independence?

The right to free speech is granted to all citizens of Ukraine under Article 34 of the constitution, but the state may restrict this right in the interests of national security or public order, and it is sometimes restricted in practice. Article 15 of the constitution prohibits censorship.132

Ukrainian courts are hampered by corruption and political interference, and public trust in the judiciary remains low.133

Serious crimes against journalists often remain unresolved (see C7). President Zelenskyy’s administration has at times denied reporters access to information (see B5). The IMI recorded 21 COVID-19–related restrictions on the work of journalists from mid-March 2020 until the end of April 2020, including cases in which journalists were prohibited from attending government meetings or prevented from reporting.134

C2 1.00-4.00 pts0-4 pts

Are there laws that assign criminal penalties or civil liability for online activities? 2.002 4.004

No dedicated law mandates criminal penalties or civil liability specifically for online activities. However, the criminal code penalizes extremism, separatism, and terrorism, including through online activities. Article 109(2) of the criminal code prescribes prison sentences of three to five years for public calls for the violent overthrow of the constitutional order. Article 110 criminalizes public calls for the infringement of Ukraine’s territorial integrity,

1 of 9 11/3/2020, 10:09 AM Ukraine https://freedomhouse.org/country/ukraine/freedom-net/2020

including those made online, with a maximum penalty of five years in prison. Article 161 prohibits “inciting national, racial or religious enmity and hatred” and assigns a maximum penalty of five years in prison.135

Article 173-1 of the code of administrative offenses prescribes fines for spreading false rumors that sow panic, and was invoked many times during the COVID-19 pandemic (see C3).136 Since January 2019, the code of administrative offences penalizes any form of bullying, including by using means of electronic communication (under Article 173-4). Individuals found guilty of bullying may be fined or given community service obligations. Individuals who fail to report bullying are also subject to fines. In February 2019, the first court decision for bullying on social media was rendered.137

Neither defamation nor insult are criminally penalized in Ukraine.138 The disinformation bill introduced during the coverage period envisions criminal liability for disseminating disinformation (see C3).

C3 1.00-6.00 pts0-6 pts

Are individuals penalized for online activities? 2.002 6.006

Multiple internet users in Ukraine have been arrested and fined or sentenced to prison in recent years for activities that may be protected under international human rights standards.

The COVID-19 pandemic led the state to penalize dozens of users for spreading false information online. As of the beginning of June 2020, the SSU identified 18 individuals that allegedly received instructions from to spread false information about COVID-19 and opened criminal proceedings against them under Articles 109 and 110 of the criminal code. Furthermore, according to the SSU, by June 2020, “administrative measures,” i.e., fines, had been imposed on 160 people under Article 173-1 of the code of administrative offenses for spreading false information that could provoke panic or public order violations.139

However, this figure appears inconsistent with data reported by the judiciary. From March 12 to May 18, 2020, the courts examined 89 police protocols under Article 173-1 of the code of administrative offenses related to the dissemination of COVID-19-related disinformation. The courts fined 30 users, issued warnings to nine others, and either closed the remaining cases for lack of evidence or sent them back to the police for clarifications. In 80 percent of these cases, disinformation was disseminated via , Instagram, or Viber.140 In at least some cases, users were found guilty of sharing false information jokingly or unknowingly.

Additionally, in March and early April 2020, the Cyber Police recorded 267 cases of COVID-19-related “fake news,” identifying 152 individuals responsible.141

In May 2020, for the first time since armed conflict erupted in eastern Ukraine, a court found a social media user (specifically, a VK user) guilty under Article 436 of the criminal code (penalizing “public calls to an aggressive war or an armed conflict”). The user was also found guilty under Article 110 of the criminal code, receiving a 3.25-year prison

2 of 9 11/3/2020, 10:09 AM Ukraine https://freedomhouse.org/country/ukraine/freedom-net/2020

sentence.142

That month, blogger Serhiy Poyarkov was indicted under Article 346 of the criminal code (penalizing among other things “threats of murder, impairment of health, destruction or impairment of property, kidnapping or confinement made in respect of the ”) for allegedly threatening President Zelenskyy in a YouTube video uploaded in October 2019. The charge carries a maximum sentence of five years in prison. Poyarkov claims the video was a parody.143

The SSU regularly reports the unmasking of alleged Russian agents involved in disseminating online content in violation of Articles 109 and 110 of the criminal code.144 In 2019, the SSU opened 34 cases under Articles 109 and 110 of the criminal code for crimes against national security via the dissemination of allegedly anti-Ukrainian propaganda or other illegal content (a decrease from 49 cases in 2018). The SSU also banned 280 foreign nationals from entering Ukraine for spreading separatist materials online.145

Journalists who work online occasionally face civil defamation lawsuits from public and private actors who object to their reporting. In August 2019, former chief of staff Andriy Bohdan filed a defamation lawsuit against three journalists from the investigative journalism outfit Schemes.146 That month, online media outlet Hromadske TV was fined by a court for allegedly defaming the far-right group C14 in a tweet (see B4). In March 2020, Iryna Venediktova, then the interim head of the State Bureau of Investigation (SBI) and now the prosecutor general, announced that she has filed a lawsuit against Anti-Corruption Action Center, an NGO, and Ukrayinska Pravda, an online media outlet, for claiming that her husband influenced the process of appointing SBI employees.147

In May 2018, Kirill Vyshinsky, a journalist for the Russian state-run media service RIA Novosti, was detained and charged with treason for “subversive” reporting on and working with separatist groups. The SSU pointed to opinion pieces published on RIA Novosti Ukraine’s webpage as evidence for the charges. In August 2019, Vyshinsky was released from detention; the next month, he returned to Russia as part of a prisoner exchange.148

C4 1.00-4.00 pts0-4 pts

Does the government place restrictions on anonymous communication or encryption? 4.004 4.004

There is currently no obligatory registration for either internet users or prepaid mobile device subscribers. Users can purchase prepaid SIM cards anonymously and comment anonymously on many websites. During the coverage period, President Zelenskyy’s administration attempted to introduce a requirement to present a passport in order to purchase SIM cards, sending a proposal to this effect to the parliament.149 However, the proposal generated stiff resistance and was withdrawn just a few days after it was formally registered.150

At present, there are no restrictions related to encryption tools, though the commercial provision of these tools is subject to licensing.151

3 of 9 11/3/2020, 10:09 AM Ukraine https://freedomhouse.org/country/ukraine/freedom-net/2020

The disinformation bill proposed in January 2020 would oblige all individuals and legal entities to provide contact and other identifying information every time they share “mass information” online (see B3).152 Moreover, it would empower the government to identify the administrators of websites, web pages, social media accounts, channels, chats, or “other communities” with more than 5,000 subscribers or unique daily users.153

In January 2020, several regional media outlets received letters purportedly from regional offices of the Cyber Police of Ukraine suggesting that they embed code in their websites that would enable the identification of anonymous users.154 The Cyber Police denied that its offices had sent the letters.155

C5 1.00-6.00 pts0-6 pts

Does state surveillance of internet activities infringe on users’ right to privacy? 3.003 6.006

Little information about surveillance or communications interception in Ukraine is publicly available. There is a lack of comprehensive legislation to protect privacy and prevent abuse of surveillance powers. The SSU and police can initiate criminal investigations and use wiretapping devices on communication technologies, but existing legislation, such as the Law on Operative Investigative Activity,156 does not specify the circumstances that justify these measures or the timeframe or scope of their implementation. In September 2019, a bill (draft law 1129) was registered in the parliament that would permit investigative authorities to hack into and retrieve information from electronic systems as well as monitor correspondence without a court order in urgent cases. The bill would require a court’s approval to be obtained within 48 hours of the start of surveillance in such cases.157 At the end of the coverage period, the bill had not advanced.

Previous governments had purchased equipment compliant with the Russian-designed System for Operational Investigative Measures (SORM) surveillance architecture.158 It is believed that Ukrainian intelligence law enforcement and intelligence services currently make use of an analogous architecture, requiring operators to install equipment that facilitates the lawful interception of user data.159 In April 2019, announced that it had purchased a Deep Packet Inspection (DPI) system, ostensibly to allocate resources more effectively, analyze subscribers’ preferences, and serve targeted advertisements. Kyivstar claims its system handles depersonalized data. Another mobile operator, , installed a DPI system around five years ago for similar purposes, while , the third major mobile operator, has not disclosed whether it has a DPI system.160

DPI technology can be used to filter traffic and surveil users. Authorities have repeatedly tried to oblige providers to install DPI for these purposes, but their efforts have been unsuccessful. Draft law 3080, introduced to the parliament during the coverage period, would authorize the SSU to install DPI systems on ISPs’ networks, give the SSU control over ISPs’ connections to IXPs, and expand its ability to censor online content. Industry representatives criticized the bill, calling it a copy of restrictive Russian legislation. In May 2020, the parliament’s Committee on National Security, Defense, and Intelligence recommended against its adoption.161

In a March 2020 interview, Minister of Internal Affairs Arsen Avakov stated that Ukrainian law enforcement services

4 of 9 11/3/2020, 10:09 AM Ukraine https://freedomhouse.org/country/ukraine/freedom-net/2020

were technically ready to monitor users’ movements in compliance with COVID-19 quarantine measures, although legally this can be done only after a declaration of a state of emergency—which was not imposed during the coverage period.162

In April 2020, the Ministry of Digital Transformation used data from Kyivstar, Lifecell, and Vodafone Ukraine to create a map monitoring whether individuals who had returned from abroad since March 17, 2020, comply with quarantine measures.163 It shows the number of people who have returned from abroad and the countries from which they arrived as well as the number of people who have violated quarantine measures (along with the number of people who have been in contact with these violators). Reportedly, the data do not contain enough identifying information to conduct surveillance. At the end of the coverage period, 1.5 million individuals’ data had been transferred to the Ministry of Digital Transformation. The map was used by the Ministry of Health and the National Security and Defense Council to adjust the state’s response to the pandemic. The Ministry of Digital Transformation also claims the map was designed to help citizens “assess the degree of risk of danger in their region.”164 According to the Law on , operators must ensure the integrity of their subscribers’ data, which can be disclosed after subscribers have given explicit consent (with some exceptions).165 This requirement was not satisfied prior to the creation of the map, raising questions as to its lawfulness. Later, in May 2020, the government set up another map using data from Apple, Kyivstar, and various banks.166

Several municipal and regional administrations created maps of COVID-19 cases in April 2020 using data from local health care providers and the National Police. Controversially, one map, in the Zhytomyr Region, identified the streets on which infected people lived.167 Another, in the city of , highlighted areas infected people had visited.168

That month, the parliament adopted amendments to the Law of Ukraine on Protection of the Population from Infectious Diseases,169 establishing new rules for processing personal data in order to prevent COVID-19 dissemination. This data may be processed without consent solely for epidemiological purposes during the official COVID-19 quarantine period and 30 days following its abolition.170 The lawful processors of this data include medical personnel, various state health care and social protection institutions, the Ministry of Digital Transformation, the National Police, and the National Guard of Ukraine.171 It is not clear who is responsible for ensuring the eventual depersonalization or deletion of this data. It is also not clear what the consequences of failing to do so are. The amendments do not guarantee that only infected individuals will have their personal data processed without consent. This could deter people in need of medical treatment who wish to preserve their privacy.172 The amendments also envision a procedure for recording, registering, and exchanging information on new cases as they arise during the COVID-19 quarantine period. They do not clarify what information might be processed under this procedure. The amendments mention liability for the unlawful disclosure of personal data, although without offering any further details.

Notably, under the Law on Data Protection, the processing of personal data without consent is permissible to protect users’ “vital interests,” but once circumstances permit, consent must be immediately obtained.173

COVID-19 surveillance was especially strict at Ukraine’s borders. In March 2020, Deputy Minister of Interior Anton

5 of 9 11/3/2020, 10:09 AM Ukraine https://freedomhouse.org/country/ukraine/freedom-net/2020

Geraschenko said that the Border Guard Service automatically transferred personal data of Ukrainians who had returned from abroad to the National Police, who could use it to check whether these people were isolating themselves for 14 days, as required by law.174

In April 2020, the Ministry of Digital Transformation debuted an application called "Act at Home." Everyone arriving from abroad who did not opt to undergo a 14-day quarantine in a hospital or sanatorium was obliged to install the app and to provide their phone number and the address where they planned to isolate themselves. Using facial recognition systems and location services, the app requires users to log their location and photograph themselves as many as 10 times per day, with a failure to do so potentially resulting in visits by the National Police to check if quarantine measures are being observed;175 those found in violation could face fines or jail time.176 Data collected by the app is held by the Ministry of Digital Transformation, while the Ministry of Internal Affairs and the National Police are recognized as third parties to whom such data can be lawfully transferred. This data must be destroyed 30 days following the abolition of the official COVID-19 quarantine period.177

Initially, the Border Guard Service forced individuals to register in the app at the border. In these cases, the app recorded the border as the address where the individuals were isolating themselves. When the individuals moved on from the border, they were unable to confirm their location with the app.178 People crossing into government- controlled Ukraine from separatist-controlled areas are not given the option of undergoing a 14-day quarantine in a hospital or sanatorium; thus, they had to install “Act at Home.” Those without smartphones could not do so and were thus not allowed to cross, according to a report from Human Rights Watch.179

By the beginning of May 2020, the app had been installed by nearly 28,000 individuals, and had notified the National Police of more than 16,000 violations. Meanwhile, the Ministry of Digital Transformation had received over 144,000 requests from the Ministry of Internal Affairs for users’ data. Some human rights advocates criticized the app for infringing upon privacy rights.180 Many users complained that “Act at Home” inaccurately identified the address where they were isolating themselves, sent notifications without audio cues, and failed to process their selfies, leading to unnecessary interventions by the National Police.181

Other attempts to acquire advanced surveillance tools as part of the state’s response to COVID-19 were unsuccessful. The government earmarked 50 million hryvnia ($2.1 million) for the SSU to purchase a technology called NowForce from the American-Israeli company Verint, a purveyor of spyware, but canceled the plan after coming under widespread criticism.182 City administrators in sought to buy 400 cameras with facial-recognition and temperature-detection capabilities from the Chinese company Hikvision for 65 million hryvnia ($2.7 million), but the purchase was canceled because the cameras were not included on a list of government-approval goods for stopping the spread of COVID-19.183

C6 1.00-6.00 pts0-6 pts

Are service providers and other technology companies required to aid the government in monitoring 4.004 the communications of their users? 6.006

6 of 9 11/3/2020, 10:09 AM Ukraine https://freedomhouse.org/country/ukraine/freedom-net/2020

At present, providers are not legally required to aid the government in monitoring the communications of their users in the absence of a court order. The extent to which providers store user data is difficult to ascertain.

According to the Law on Telecommunications (Article 39), operators are obliged to install in their networks and at their own cost all technical means necessary for performing operative and investigative activities by respective authorities.184 There is no information available on the extent to which these provisions have been implemented.

Operators appear to have voluntarily handed over users’ data to the government as part of the latter’s efforts to stop the spread of COVID-19, including through maps showing violations of quarantine measures (see C5).

C7 1.00-5.00 pts0-5 pts

Are individuals subject to extralegal intimidation or physical violence by state authorities or any other 2.002 actor in retribution for their online activities? 5.005

Users, and in particular journalists who work online, are frequently subject to extralegal retaliation for their online activities. The IMI recorded 243 “violations of freedom of speech” in 2019, a slight increase compared to 235 in 2018. Most of the recorded violations (172) involved physical aggression against journalists.185 In the first quarter of 2020, the IMI recorded 62 violations, out of which 43 involved physical aggression against journalists.186 However, not all of these violations involved journalists or other actors who work online. Another NGO, Human Rights Platform, recorded just six physical attacks on journalists who work online between May and September 2019.187

For the first time in three years, a journalist—Vadym Komarov—was killed. He was beaten unconscious in May 2019, shortly before he planned to publish a story about local corruption. Komarov succumbed to his wounds in June 2019.188

In 2018, activist Kateryna Handziuk died of injuries she sustained in an acid attack. Handziuk used social media platforms and the local citizen journalism website MOST to expose corruption. In April 2020, the Prosecutor General’s Office and the SSU announced that the much-delayed investigation into her murder, which has seen five people jailed for carrying out the acid attack189 and three implicated in its organization, was complete. However, human rights advocates contested the decision, claiming that the authorities had sent the case to court prematurely as a publicity stunt.190

In 2016, , a journalist working for the online newspaper Ukrayinska Pravda, was killed in a car bomb in Kyiv.191 In December 2019, the Prosecutor General’s Office, the Ministry of Internal Affairs, and the police announced that the case was almost closed, detaining five suspects. However, a month later, the Prosecutor General’s Office admitted that it lacked enough evidence to find the suspects guilty.192 In May 2020, new prosecutors were assigned to the case,193 and subsequently, three suspects were sent to trial,194 while an investigation into unidentified people involved in organizing the killing remains ongoing.195

7 of 9 11/3/2020, 10:09 AM Ukraine https://freedomhouse.org/country/ukraine/freedom-net/2020

Fair and timely investigations of attacks against journalists who work online and other users are exceptions rather than the rule.

Nonphysical acts of retaliation are common. For example, at least four Kyiv Post journalists received threatening SMS messages from pro-Russian fighters from the occupied areas of the region shortly after submitting accreditation documents to the Ukrainian military in September 2019.196 In July 2019, blogging platform Enigma.ua was blocked after it published an article exposing connections between law enforcement and organized crime groups in targeting human rights defenders in Ukraine (see B1).197

In May 2020, Anna Babinets, editor in chief of the independent news website Slidstvo.info, was summoned for questioning by the National Police based on her information request to Oleksandr Dubinskyy, a lawmaker from the ruling Servant of the People party, regarding his connections with Rudolph Giuliani, US President Donald Trump’s personal attorney. Officials implied that Babinets could face prosecution for violating the secrecy of correspondence under Article 163 of the criminal code. The move was widely seen as an act of intimidation against Babinets, who is known for her investigative work.198

Doxing occurs sporadically and remains a problem. In May 2020, the phone numbers of a few high-profile investigative journalists were leaked online, apparently in connection with the publication of an article claiming a former official has plagiarized his PhD dissertation. The same former official doxed members of the investigative journalism outfit Schemes in October 2019.199

An online group of Ukrainian nationalist activists calling themselves Myrotvorets (Peacemaker) continues to harass and dox journalists and others they perceive as anti-Ukrainian.200 In October 2019, President Zelenskyy said that shutting down not just Myrotvorets’s website but any website is beyond his mandate.201 Around the same time, the UN Human Rights Monitoring Mission to Ukraine reiterated concerns regarding the safety of those shamed by Myrotvorets, and called for its blocking.202 In November 2019, the chair of the parliament’s Committee on Freedom of Expression asked the SSU to investigate the group’s activities.203

LGBT+ individuals frequently face online harassment. During the 2019 parliamentary election campaign numerous cases of "pink-black PR," attempts to discredit some politicians via their alleged association with the LGBT+ community, were observed.204 In 2019, at least 50 gay men fell victim to extortion schemes after being catfished on dating apps.205

C8 1.00-3.00 pts0-3 pts

Are websites, governmental and private entities, service providers, or individual users subject to 1.001 widespread hacking and other forms of cyberattack? 3.003

Score Change: The score improved from 0 to 1 because no large-scale or nationwide cyberattacks occurred during the coverage period (as was the case in years prior).

8 of 9 11/3/2020, 10:09 AM Ukraine https://freedomhouse.org/country/ukraine/freedom-net/2020

While public and private actors, including journalists and human rights defenders, are frequently subject to cyberattacks, there is no indication that the Ukrainian state is involved in these attacks. The IMI identified 18 cyberattacks against journalists in 2019.206 Cyberattacks against online resources belonging to LGBT+ organizations were also observed.207

During the first quarter of 2020, the SSU neutralized 103 cyberattacks on public authorities’ websites. Since March, institutions engaged in responding to COVID-19 have been targeted more intensively. Overall, between January and March 2020, the SSU blocked almost 2,000 websites that were used for cyberattacks.208

In May 2020, Ukrainian Ombudsperson Liudmyla Denisova called on the SSU to identify the culprits behind persistent cyberattacks on her official website. She stated that the attacks usually follow the publication of statements related to Ukrainian political detainees in Russia, occupied Crimea, and the separatist-controlled areas of the Donetsk and Luhansk regions. They usually entailed disabling the website or removing content from it.209

In April 2020, the administration of the city of Kyiv reported a massive distributed denial-of-service (DDoS) attack in which 1.5 million IP addresses were used to disrupt the functioning of municipal e-services.210

In December 2019, 1+1 media group was targeted by a DDoS attack.211 At different times in 2019, various online media outlets, including Black Sea TV, Delo, Gordon, and Hromadske TV, and Black Sea TV, faced similar attacks.212

In July 2019, the customer relationship management (CRM) service of the Holos political party, containing personal data of registered volunteers and supporters, was hacked.213

In June 2019, the National Bank of Ukraine was buffered by DDoS attacks which disabled its website.214

The government has stepped up its policing of cybercrime. At the end of 2019, authorities arrested a cybercriminal group comprising three Ukrainians and one foreign national that hacked private organizations in Ukraine and around the globe.215 In another case, police arrested a 16-year-old Odesa resident for carrying out a DDoS attack to take down an ISPs’ network.216

Cyberattacks from Russia, sometimes sponsored by the Russian government, continue to menace Ukraine. In December 2019, hackers believed to be sponsored by the Russian government targeted Ukrainian diplomats, government officials, military officers, law enforcement officials, journalists, and NGOs in a spear-phishing campaign. In January 2020, a Russian hacking group infiltrated Burisma, a Ukrainian energy company which has featured prominently in the debate around the impeachment of US President Donald Trump.217 A February 2020 report identified another Russian hacking group involved in spying on military institutions in Ukraine.218

9 of 9 11/3/2020, 10:09 AM