Tech Giants Are Failing Iranians In Their Struggle Against A National Internet

Profit-chasing, sanctions over-compliance, and poor transparency policies are three tech company failings that bolster Iran’s efforts to cut users off from the global Internet.

Profit-chasing, sanctions over-compliance, and poor transparency policies are three tech company failings that bolster Iran’s efforts to cut users off from the global Internet.

On Tuesday 2 July The German Federal Office of Justice announced that it had issued a fine of €2 million to Facebook as a result of omissions in its 2018 transparency report. This ruling is an important reminder that as internet companies continue to accumulate even more power, and become further integrated in our daily lives, statutory transparency requirements can play a crucial role in facilitating public scrutiny of their work.

Although the German court ruling is significant for accountability in Europe and North America, such cases do not necessarily address the needs of internet users in the Global South — and particularly in politically closed or semi-closed contexts such as Iran.

Over the last five years Small Media has been documenting Iran’s efforts to localise the internet, epitomised by its moves to create the National Information Network (SHOMA). Ever since it was first proposed, SHOMA has been touted by Iranian political leaders as a means for defending the country’s culture, economy, and national security from online threats. Originally dismissed by many commentators as undeliverable, six years of heavy investment by Rouhani’s administration has seen SHOMA expand rapidly. By centralising Iranian internet infrastructure and developing online services with the aim to limit engagement with global platforms it has emerged as a real threat to digital rights in the country.

Despite a common focus on the domestic aspects of the network’s construction, the fact remains that foreign tech companies play a significant role in Iran’s localisation of the internet. Iran’s administration has at multiple times relied on engagement with foreign platforms to help make SHOMA a reality. At the same time, strict adherence by tech giants to US-imposed sanctions has been a gift to Iranian authorities in their attempts to nudge netizens onto domestic services.

In this edition of Filterwatch we seek to highlight the need for tech companies to take greater responsibility for the isolation of Iranian internet users, and suggest how they can start to play an active role in working with Iranians to resist the localisation of the country’s internet.

Deciding to Talk — The Early Days of Engagement

Rouhani’s 2013 election marked a significant shift in Iran’s policy towards foreign technology companies. Whilst his predecessors were unwilling to deal with foreign app-makers altogether, Rouhani’s administration has claimed to actively engage with a number of them — and made a show of it. Although we cannot be certain whether this engagement has translated into influence over these companies’ policies in the last six years, there is enough evidence that some dialogue took place to justify further scrutiny from the digital rights community.

The very fact that the administration has sought to engage with foreign technology companies is important, as it requires the approval of the Supreme Council of Cyberspace (SCC).Thus by extension, Rouhani’s actions must have received approval from the Supreme Leader, who directly oversees appointments to the SCC. A wider consensus within the upper echelons of Iran’s political system has also been indicated through an announcement in 2016 that Telegram had received a license to start using Content Delivery Networks (CDNs) based in Iran.

Also, over the last few years we have seen some formal and informal engagement from Iranian authorities with foreign companies on issues of content moderation. According to the Google Transparency Report, prior to Jan 2016 Iran only demanded the removal of a single Item from Google-run services. This was a request made by 19 other countries to limit access to the YouTube video “Innocence of Muslims”, However since January 2016, Iran’s executive branch has so far made only two requests to remove a total of six items.

Iran’s new approach which has been shaped over the last six years is cause for revisiting the response of foreign companies, as Iran may be testing the water for intensified engagements in the coming years. As a result, it’s essential to examine how companies might be able to better support and safeguard Iranian users’ digital rights in such an environemnt.

In this report we have identified three categories of failures by foreign technology companies which have been capitalised on by Iranian authorities in recent years:

  • #1 — Compromise For Market Access — Some companies have sought to claim a larger slice of the Iranian market, even if this has involved negotiating compromises with Iranian authorities;
  • #2 — Sanctions Over-Compliance — A number of companies have closed their doors to all internet users from inside Iran, citing US-imposed sanctions while denying Iranian users and policy advocates detailed documentation on the matter;
  • #3 — Weaknesses in Reporting — In many cases, current transparency reporting requirements have proven unfit for purpose when deployed within closed and semi-closed political contexts.

These three failures have had significant and notable impacts in favour of Iran. These failures have helped the government to justify the political and economic isolationist case for SHOMA, as well as having forced Iranians to switch over to the questionable domestic services championed by the authorities.

#1 — Compromise For Market Access

The reimposition of US sanctions means that many global technology companies are unable to maintain direct commercial links with Iranian authorities. This is particularly true of social networking sites, who face the dual complications of Western sanctions and Iran’s filtering regime.

However, this has not prevented Iran itself from engaging to a limited extent with foreign companies. In July 2017, then-ICT Minister Mahmoud Vaezi claimed that talks with Telegram had already resulted in a number of the company’s servers moving to Iran, stating that their Content Delivery Networks (CDNs) would soon follow suit.

This is despite the fact that a few days earlier on 22 July, Telegram’s founder and CEO Pavel Durov claimed — in a carefully worded tweet — that “no Telegram servers (or any other servers with the private data of our users) will be moved to Iran or installed there.” In a follow-up statements, Telegram clarified that CDNs , however, be moved to the country. Further confirmation of cooperation came about just days before Telegram’s permanent ban, when on 26 April 2018 SCC Secretary Abolhassan Firouzabadi announced that Telegram’s CDN license had been revoked.

Throughout the entire episode (and in the period since), Telegram has failed to produce any transparency reports regarding negotiations they undertook to attempt to retain their CDN licence, nor have they explained what agreements were reached in order for a license to be granted in the first place.

In the absence of any form of transparency by Iranian authorities, Telegram’s refusal to publicly discuss this process resulted in Iranian civil society being left in the dark completely, denying advocates the opportunity to hold the Iranian government (or Telegram) to account for their positions on user privacy.

The Iranian government claimed repeatedly that it was engaged in a dialogue with the messenger app Telegram, before it was finally filtered in April 2018.

#2 — Sanctions Over-Compliance

In recent years, US foreign policy has played a significant role in shaping Iran’s relationship with the internet. Confusion over how global tech companies should adhere to US sanctions has bolstered Iran’s case for supporting the creation of a host of local services that can meet Iranians’ online needs — services that often offer non-existent user privacy protections.

Iranian internet user Ali Borhani has maintained a list on GitHub of 282 companies that have blocked their services to Iran-based IP addresses. Even free services are not spared — in recent months, GitHub sent emails to Iran-based users with free student accounts, stating that they would terminate their access to services in order to comply with US sanctions.

Widespread over-compliance with sanctions has also negatively affected some users  of Iran. In December 2018, a number of Iranian Slack users based outside Iran received an email claiming that their accounts would be closed in order to comply with US sanctions. Slack later apologised for this, and claimed that they had restored access to blocked accounts. According to Slack this was a technical error in updating their sanctions compliance system.

Similarly, in January 2019 the Amercian cloud infrastructure provider DigitalOcean emailed many of its Iranian clients stating that compliance with US sanctions would cause them to suspend their accounts within 72 hours. Deputy ICT Minister Amir Nazemi took to Twitter within hours to advertise Iranian domestic hosting services that had offered to host Iranian DigitalOcean clients free-of-charge for a 72-hour grace period in order to protect their businesses. This was a gift to Iranian authorities, with these companies’ data being transferred wholesale to local domestic servers.

The DigitalOcean email notifying a number of Iranian users that their accounts would be closed. (via @pharzan)

DigitalOcean’s interpretation of the existing sanctions may not be over-compliance, and could indeed be a correct interpretation of the current regime. But in the absence of releasing details about the specific legal instruments that prevented DigitalOcean providing services to Iran, Iranian activists and civil society advocates are unable to lobby the United States to modify the existing sanctions framework, or to hold DigitalOcean accountable for over-compliance. Indeed, in 2012 the US government released a document clarifying the digital services that US companies were permitted to provide to Iranians in light of the sanctions regime, in an effort to prevent situations such as this.

There are other examples that demonstrate the fact that communication with Iranian users is not a priority for many digital service providers. In April 2019, shortly after the US government listed the IRGC as a terrorist organisation, Instagram began removing the pages of senior Iranian officials, including the English-language page of the Supreme Leader. This was undertaken without any notice, and Iranian journalists based outside of Iran were left chasing the company for a response.

Regardless of how Iranians feel about whether IRGC-affiliated figures should be permitted an online platform or not, removing the pages of high-ranking Iranian officials without an explanation is exceptional. Facebook has previously published lengthy justifications about its decisions to remove far-right and white supremacist user content from its platforms. The fact that it feels the need to provide transparency on these decisions, and yet none relating to the removal of content from high-profile Iranian political figures indicates that the company views their obligation to be accountable to Iranian users as an afterthought.

Tech companies could meaningfully empower civil society advocates to contribute positively to policy discussions around the impact of sanctions on freedom of expression and privacy online. To this end, we would urgently call on global digital service providers to offer comprehensive and meaningful explanations of the policy decisions they make relating to either the denial of services, or content removal relating to Iranian citizens.

#3 — Weaknesses in Reporting

It appears that in recent years Iran has increased its efforts to engage with platforms and seek the removal of content. This reflects broader policy initiatives adopted by the SCC, which have mandated Iranian government representatives to step up their levels of engagement with foreign tech companies.

For example, the SCC has even started to publicly announce when they have made contact with foreign tech companies relating to content take-downs, including with Instagram and Telegram. In November 2017, SCC Secretary Hasan Firouzabadi claimed that Iran was in negotiation with Telegram and Instagram representatives about how to make cyberspace more secure for Iranians. Even as recently as December 2018, Firouzabadi publicly claimed that Iran has requested to meet with Instagram. He also claimed that some preliminary communications had taken place.

These claims have so far gone unchallenged by the companies in question. By failing to comment on these announcements, foreign tech companies are contributing to the an air of suspicion around their complicity, or lack thereof, and are therefore playing into the hands of Iranian authorities. For example, even though we are able to see Iran’s requests to Google in the company’s annual transparency report, we are yet to secure either disclosure or outright denial about meetings with representatives of other platforms, including Instagram. This lack of transparency in some cases may just be due to platforms not being aware of public statements by Iranian policymakers’, this silence still has an important effect.

Indeed, this lack of clarity has the potential to undermine trust in foreign platforms among Iranian internet users, who have no means of confirming whether or not companies are colluding with authorities. As a consequence, we risk seeing higher levels of self-censorship in an already heavily censored society. Further clarity about these engagements, including what was requested and how it was handled, would give Iranian netizens the freedom to choose those platforms that they feel respect their rights and protects their privacy.

Opaque Dealings — Where Things Stand

For most platforms, transparency reporting processes are rooted in the dynamics of the relationship the platform has with either its country of origin, or else the governments of the states that they have extensive business dealings with. Essentially, reporting is designed to meet the legal and societal needs of host countries, or those countries that constitute companies’ largest markets.

This means that the needs of civil society in closed and semi-closed societies are largely ignored, resulting in a problematic design that offers an inadequate level of transparency.

The case for the development of SHOMA has been built on political arguments around national security, economic protectionism, and cultural and political sovereignty. Poor communication by foreign tech companies has provided a number of opportunities for the Iranian government to build a case for SHOMA and domestic platforms, by arguing that Iranian users have no meaningful ability to hold foreign platforms to account for their decisions.

But it is not just in making the theoretical and moral case for SHOMA that a lack of clarity has been a gift to the government. Issues including the denial of hosting services to Iranian businesses with little to no notice may leave Iranian small businesses reluctant to use foreign services and in turn pushes them towards the use of domestic services; a move that plays directly into the hands of Iran’s filtering regime.

Opening a Window — How Things Can Change

Global technology companies must make greater efforts to introduce greater transparency into their dealings with Iranian authorities, in order to equip Iranian internet users and advocates with a clearer understanding of their relationship and decision-making processes. These companies must also take a more proactive role in understanding Iran’s policymaking, and recognise that deficiencies in transparency reporting are in many ways abetting authorities’ efforts to create a localised internet that threatens Iranian users’ human rights online.

Companies must also work to explain the effects of governments’ foreign policies on their operations, and particularly the wider impact of US sanctions on their ability to provide safe and effective services to Iranian users. Providing detailed documentation would help companies to avoid over-compliance, and enable Iranian civil society to demand the removal of sanctions where they have negative impacts on the human rights of Iranian internet users.

Our Recommendations

As Iranian authorities have been doubling down on their efforts to deliver SHOMA and data localisation, Iranian internet users have been adopting new ways of resisting this threat to the internet. However, as outlined in this report international tech companies and platforms have not always been an effective ally to Iranians. Based on the arguments made in this report, we have several recommendations for foreign tech companies:

On Commercial Dealings with Iran

Platforms and content distribution companies which enter talks and negotiations with Iran must inform the Iranian public of the details of negotiations and the terms agreed. In the absence of an effective Freedom of Information (FOI) mechanism in Iran, such disclosures would allow activists, citizens, and local business to scrutinise plans and seek ways to safeguard digital rights in Iran.

On Sanctions

It is imperative that tech companies and service providers stand up to any measures that make the localisation of internet services more likely. The absence of detailed examinations of sanctions from tech companies and the failure to pinpoint specific sanctions that prevent them from providing services to Iranians has resulted in a lack of information for Iranian activists and civil society to act on.

Companies must prove that they are avoiding over-compliance by providing civil society and the general public with the documentation that informs their sanctions procedures.

On Transparency Reporting

In reassessing the relevance and effectiveness of transparency reporting companies must consider the different degrees of political openness in different countries.

Current transparency reporting is often designed to cater to the needs of campaigners and the public in the host countries of companies. Thus, companies must engage with a wide range of civil society and other stakeholders from closed and semi-closed societies to accommodate their needs in making transparency reporting work more effectively for those with the greatest needs.

For example in the Iranian context, transparency reports should take steps to clarify or dismiss Iran’s claims regarding exchanges of communications and possible meetings with the Iranian authorities. Similarly, tech companies must take steps to clarify the policy demands of Iranian government in order to allow civic society and stakeholders to engage in proper scrutiny.