Executive Summary
Censorship and state control over the Internet in Iran is changing: it is becoming more systemic and less detectable, posing an ever-greater threat to Iranian users. Increasingly, the state is focusing on developing the technological infrastructure to effectively control access to the Internet inside Iran and covertly monitor its use. In effect, the state is attempting to create a wall around the Internet, and to serve as its sole gatekeeper, allowing or denying entry at will and gaining full access to the accounts of those whom it allows in.
The intensification of state efforts reflects the fact that the Internet has increasingly emerged as one of the central battlegrounds between hardliners anxious to control all expression and access to information in Iran, and the majority of the population, who voiced their desire for greater openness and freedom with the election of the centrist Hassan Rouhani to the presidency in June 2013.
Keenly aware of the Iranian citizenry’s embrace of the Internet, hardliners ensconced in the judicial, intelligence and security arms of the state and backed by Supreme Leader Ali Khamenei have ensured that the country’s Internet policies remain under their control, immune from electoral politics.
Keenly aware of the Iranian citizenry’s embrace of the Internet, hardliners ensconced in the judicial, intelligence and security arms of the state and backed by Supreme Leader Ali Khamenei have ensured that the country’s Internet policies remain under their control, immune from electoral politics.
The highest body responsible for overseeing the Internet is the Supreme Cyberspace Council. In charge of general policies, it was formed in 2012 under the direct orders of Khamenei, who views the Internet as a corrupting influence that must be strictly censored and controlled.
The body that monitors cyberspace and is responsible for indexing the web- sites and mobile applications that are to be blocked by the Telecommunications Ministry, is the Working Group to Determine Instances of Criminal Content on the Internet. Formed in 2009, it works under the supervision of the Prosecutor General, and has 13 members. Six of these are members of the president’s cabinet. The remaining seven are comprised of representatives of the Intelligence Ministry, Guidance Ministry, the Islamic Republic of Iran Broadcasting (IRIB) agency, and other state organizations who are vetted and controlled by Khamenei. The members representing the elected administration are thus a permanent minority and not able to have a definitive impact on the decisions of the group.
The Working Group has criminalized content that is supposedly contrary to “public chastity and morality,” “sacred Islamic principles,” “security and public peace,” and “government officials and public institutions.” These highly subjective and potentially all-encompassing determinations have given the hardliners free reign to take sweeping action based on their own interpretations and political proclivities.
The state’s efforts to achieve control over digital communications in Iran have focused on three main areas. First, authorities are developing the technical infrastructure that will give various state agencies full control over Internet access inside Iran. This includes developing the Iranian National Information Network (or “National Internet”), which will allow the state to be the sole “gatekeeper” to the Internet inside Iran; providing government-issued SSL security certificates, which will enable undetected government access into accounts; and developing a national browser and operating system, which will ensure use of the government SSL certificates. Second, authorities are continuing their filtering activities, with a focus on mobile phone applications, which have become an increasingly central platform for Internet use in Iran. Third, hardliners in the Judiciary and the intelligence and security services are strengthening the state’s ability to target and prosecute online activists.
The development of Iran’s National Information Network will exponentially increase the state’s control over Internet access and use in Iran. Planning for the National Internet began in 2006, but it has yet to be fully implemented and it is not clear when it will become operational. According to the government’s five-year development plan (2011-2015, or 1390-1394 in the Persian calendar), the network is designated to be up and running by early 2016, but the project has experienced repeated delays. Yet work on the project has continued steadily and once it is fully implemented, all Internet access in Iran will take place through channels accessible to the state, state agencies will have access to all communications inside Iran on the National Internet, the authorities will be able to cut off access to the global Internet at will, and they will also be able to deny or limit access by Internet users abroad to content in Iran’s domestic Network.
In order to launch the National Information Network, the central government is setting up “National Data Centers” in Tehran and other cities across Iran,where the various telecommunications and storage systems will be housed. This will provide authorities with full access to the servers used by—and thus any content flowing across—the National Network.
Government-issued SSL security certificates will further facilitate government control over and access to Internet communications in Iran. SSL certificates ensure that the connection used in any Internet transmission is encrypted and thus secure. When they are issued by a legitimate source, they do indeed ensure security. The government is discouraging the use of valid certificates (by occasionally demonstrating their capability to block international SSL certificates, as was done during the disputed 2009 presidential elections, when Iranian users were prevented secure access to sites such as Gmail, Facebook, and Twitter), and developing its own national SSL security certificates, which will give the user the illusion of security online, but which will actually give the government full access to the content.
SSL certificates that are issued by the Iranian government, non-governmental or private sector organizations controlled by the state, or Iranian security or military agencies will allow those (issuing) organizations to have full access to the online activities of the users. Critically, it will become difficult for users to recognize whether they are using an Iranian government SSL certificate or an international one; while most operating systems and browsers will recognize and alert the user that a SSL certificate is not from a trusted source, if an untrusted SSL certificate is used by enough (unsuspecting) users, these certificates become “trusted” certificates which means that they are no longer tagged as untrusted, eventually leading to “root” certification, which means they are considered completely safe. Achieving root certification for the national certificates through their repeated use is the strategy pursued by the authorities.
The government has employed two means to promote widespread usage of its SSL certificates: it has built the certificates into the national Iranian web browser, Saina, and into the national operating system, Zamin, which are both provided by state agencies. The browser and operating system will not recognize Iran’s SSL certificates as “untrusted,” facilitating their steady use until they gain root certification.
In order to ensure widespread use of the national browser and operating system, the government banned the use of the Windows operating system in state offices in 2013, specifying a six-month implementation period in which all executive branch computers must switch their software from Microsoft to Linux, which would carry the new systems.9 However, the logistics of such a transition are onerous and to date there has been no report regarding its progress. Iranian officials had also promised to launch the Zamin (Earth) national operating system with cloud data processing compatibility and an operating system for hand-held devices by spring 2013, but implementation has been behind schedule on this as well.10
Nevertheless, these initiatives reveal a concerted effort by the authorities to ensure that all Internet communications take place in a state-controlled environment. The successful launch of such a system, in the absence of a legal framework to protect individual privacy, will mean that Internet users in Iran will be sharing their information with the country’s security, intelligence, and judicial agencies.
The successful launch of the National Internet, in the absence of a legal framework to protect individual privacy, will mean that Internet users in Iran will be sharing their information with the country’s security, intelligence, and judicial agencies.
In parallel with the development of the National Information Network, the authorities have also tried to limit Iranian users’ access to the global Internet. One of the principal ways that Iranians have been able to maintain access to the Internet has been through the use of Virtual Private Networks (VPNs). These allow users to circumvent government filters by providing encrypted links to networks based abroad, effectively enabling a computer to function as if it is based in another country and thus able to directly connect to the global Internet. As a result, the authorities have increasingly moved to shut down VPN ports. In March 2013, Mehdi Akhavan Behabadi, the director of the Supreme Cyberspace Council, announced the closure of VPN ports, and since then a number of ports have been shut down. Success on this front, however, has been intermittent; frequently users are able to establish new VPN ports to replace those that have been lost.
In addition, Behabadi called for their replacement with “legal VPNs,” and in recent months officials have encouraged the use of VPNs provided by the government. Unsurprisingly, this latter effort has met with little success; there has been scant interest in using government-issued VPNs where filtered sites remain filtered, since the purpose of using VPNs is to access filtered sites.
Along with blocking VPNs, government agencies have also permanently blocked access to popular filter-breaker services (Internet censorship circumvention tools) such as Psiphon, TOR, and Browsec.
While the development of this new infrastructure has been central to the state’s current efforts, filtering has not been ignored. Previously, the authorities focused on the filtering of websites. While there is no official information regarding the number of filtered sites, in 2008, the last time an official statement regarding filtered sites was made, Abdolsamad Khorramabadi, a judiciary adviser at the time, stated that five million websites had been filtered. However, filtering has now also been applied towards mobile applications, in recognition of the increasing primacy of mobile devices in Iran.
In 2008, the last time an official statement regarding filtered sites was made, Abdolsamad Khorramabadi, a judiciary adviser at the time, stated that five million websites had been filtered.
In the past six months, the Working Group to Determine Instances of Criminal Content on the Internet has ordered the blocking of mobile applications such as WeChat, WhatsApp, Tango, and Viber. While WeChat, filtered in January 2014, remained blocked at the time of this writing, WhatsApp, widely used in Iran, was eventually unblocked at the request of President Rouhani, reflecting the tug of war between the administration and hardliners over the Internet. Viber and Instagram have been unblocked as well.
In addition to these areas, the authorities have aggressively pursued the prosecution of online activists. With the government fully in control of all print and broadcast media, the Internet has emerged as the principal forum where independent and dissident voices can be heard. Recognizing this, the Iranian Cyber Police, also known as FATA, was established in 2011 as the cybercrime unit of the Iranian national police force. One of FATA’s activities is to monitor the activities of civil and political activists, and pursue citizens who express dissenting views online. FATA’s arrest of Sattar Beheshti, the 35-year-old blogger who died under torture while in FATA’s custody in November 2012, is indicative of the vehemence with which they intend to stamp out online dissent.
The cyber police have also pressured Internet providers to provide them with evidence they can use to pursue online activists. One company, Bayan, disclosed publicly that FATA had tried to illegally obtain information about one of its online customers (which the company resisted), and published copies of four letters exchanged with FATA, including one in April 2014 in which FATA demanded that the company immediately hand over the activity records of a user for further investigation.
Iran also relies on its Cyber Army, a unit of the Revolutionary Guards, whose central role is to monitor, hack, and bring down any (domestic or foreign) website that is perceived to pose a potential challenge to the authority of the state. The opaque nature of the Cyber Army’s reporting structure and organization is critical to its ability to function extra-judicially, carrying out disabling attacks on websites and removing these voices of perceived dissent, without court order or any responsible official that a citizen or organization can point to, question, or hold accountable.
Iran relies on its Cyber Army, a unit of the Revolutionary Guards, whose central role is to monitor, hack, and bring down any (domestic or foreign) website that is perceived to pose a potential challenge to the authority of the state.
Other state organizations have pursued those active in cyberspace as well. The December 2013 arrest by units of the Revolutionary Guard of members of the Narenji (Orange) website staff reflects the intensification of these efforts currently underway. The Narenji site was focused on the latest developments in technology tools. In June 2014, eleven information technology professionals working for the Narenji website were sentenced to between one and eleven years imprisonment. The sentencing of eight young Facebook users in July 2014 to prison terms that ranged from 8 to 21 years for content posted on their Facebook pages, even though they have since been released on bail, reflects the Judiciary’s active collusion in the repression of social media users, as well.
Taken together then, the development of the National Internet, the filtering of mobile applications and websites, and the intensified prosecution of online activists, indicate that the state has significantly increased intent—and capability—to stamp out online dissent.
Officials in Iran have claimed their National Internet is aimed at delivering faster speeds, cheaper service, and greater online security to Iranian users, as well as facilitating Iranians’ access to tools and services that are unavailable to them due to the international sanctions against the country. Yet these alleged benefits, even if they were accurate, are meaningless in the absence of a structured legal framework that respects the rights and privacy of citizens. The principal result of these activities has been to make Iranian citizens profoundly vulnerable to security and judicial institutions that seek to gather information about online communications in order to harass, control, and detain users.
While the June 2013 election of Hassan Rouhani ushered in hopes for a change in the government’s Internet policies, the reality that state control over the Internet is increasing is a sober reminder that key centers of power in Iran remain committed to online repression.
Rouhani has rhetorically promoted Internet freedom; it is part and parcel of his overriding policy objective, namely, the economic revitalization and modernization of the country.
To be sure, Rouhani has rhetorically promoted Internet freedom; it is part and parcel of his overriding policy objective, namely, the economic revitalization and modernization of the country. Moreover, he has had some notable achievements. His unblocking of the WhatsApp mobile application in May 2014, and his granting of licenses to provide 3G and 4G services in the country, were both significant. Indeed, hardliners had long railed against fast Internet speeds (and the access to content not controlled by the State that such speeds would allow), and had relied on the practice of slowing down Internet speeds to the point where its use was rendered effectively impossible.
Nevertheless, such support has translated into relatively few tangible policies, and hardliners in the intelligence, security and judicial branches and supported by Khamenei have been able to pursue their intensified control over the Internet.
It is imperative that the evolving nature of this control—and the dangers it poses, especially to those engaged in social or political activism—be revealed and understood. Civil society groups inside and outside Iran should continue to urge the Rouhani administration to honor its pledges of greater Internet freedom. Yet until the domestic context in Iran allows positive change in this regard, the international community must make every effort to alert Iranian civil society to existing and emerging vulnerabilities online, assist them in the development of technologies and tools that will counter such repression, and publicly defend the universal right to freedom of expression and access to information in Iran.