Iran’s Snapp Taxi App Violates User Privacy Rights by Spying on Users’ Phone Data
On November 21, 2017, the users of an Iranian transportation app known as Snapp received a notification that they would no longer be able to use the app unless they deleted the Waze navigation app from their phone.
The ban on Waze, ordered by Iran’s Prosecutor General Mohammad Jafar Montazeri, is a major violation of personal privacy rights because the Snapp app searched its users phones without consent for the presence of banned apps.
If during the search a banned app was discovered, Snapp would be disabled until the banned app was removed from the device.
The internet and social media apps are heavily restricted and censored in Iran. Some 44 percent of the country’s 80-plus million people had access to the internet in 2016, according to the UN’s International Telecommunication Union. As a result, Iranian state policies and technical initiatives have increasingly focused on strengthening state control over the internet.
Snapp’s ability to spy on its users after being ordered to by the authorities is an indication of the intensification of these efforts.
Iranians reacted to the ban and violation of their personal privacy rights by creating a campaign on social media networks with the Farsi hashtag, #حذف_اسنپ (“delete Snapp”).
Did Snapp Break the Law?
Launched as a private company in Iran in 2015, Snapp claims to be the largest transportation service app in the country. In November 2016, it reported having 28,000 participant drivers and 580,000 users.
On November 22, Snapp posted a statement online denying that it had violated its users’ privacy rights.
“We need to explain that violating user privacy has never been part of Snapp’s agenda and our actions are only in accordance with the laws of the Islamic Republic of Iran,” said the statement. “At the same time, Snapp users have agreed to comply with all Islamic laws as well as the ethical and social norms of the Islamic Republic of Iran.”
“As of midnight, November 21, the judiciary has required all internet transportation apps to enforce its ruling and terminate service to users who have the Waze app on their device,” added the statement. “All [Iranian] vehicle calling apps must comply with this order.”
The statement explained that Snapp had searched its users’ devices as per the prosecutor general’s order: “The legal authorities have required the transportation apps to carry out the ruling and as such, our service to users will be based on compliance.”
However, according to Iranian law, only judicial authorities can enforce the law.
As attorney Saleh Nikbakht explained during an interview with a state news agency on October 8, 2017, “The Criminal Procedures Regulations describes judicial enforcement authorities as individuals who are trained and monitored by the judiciary for the purposes of collecting criminal evidence and carrying out preliminary investigations to prevent suspects from hiding and escaping justice. They are also in charge of delivering judicial documents and rulings.”
Snapp is not a judicial enforcement authority and is therefore not required to enforce the law or judicial rulings.
Snapp’s November 22 statement also failed to specify which private data was collected and handed over to the judicial authorities without the user’s knowledge.
Based on Section B of Article 3 of Iran’s Computer Crimes Law, gaining unauthorized access to digital data or communications is punishable with up to 10 years in prison.
Waze was filtered in Iran via a judicial order on March 6, 2017, but the app was unblocked on October 3.
“This app [Waze] was initially blocked because it was owned by the Zionist regime [Israel], but now the owners are American,” said Abdolsamad Khorramabadi, the secretary of the Taskforce to Determine Instances of Criminal Content, on November 22, 2017.
“The reason why the app was blocked was because of its ownership,” he added. “This software makes use of private information gathered from users.”
Khorramabadi made no mention of the private data that is currently being collected without consent by domestically produced apps.